From b4b2985a7ae7c5ccf1e1de9854ced0e2e96608e4 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 26 Jul 2024 18:12:16 +0800 Subject: [PATCH 001/523] chore: add resoure requirements for statsd exporter (#3957) add resoure requirements for statsd exporter Signed-off-by: Huabing Zhao --- internal/infrastructure/kubernetes/ratelimit/resource.go | 1 + .../kubernetes/ratelimit/testdata/deployments/custom.yaml | 5 ++++- .../ratelimit/testdata/deployments/default-env.yaml | 5 ++++- .../kubernetes/ratelimit/testdata/deployments/default.yaml | 5 ++++- .../testdata/deployments/enable-tracing-custom.yaml | 5 ++++- .../ratelimit/testdata/deployments/enable-tracing.yaml | 5 ++++- .../ratelimit/testdata/deployments/extension-env.yaml | 5 ++++- .../ratelimit/testdata/deployments/override-env.yaml | 5 ++++- .../ratelimit/testdata/deployments/patch-deployment.yaml | 5 ++++- .../ratelimit/testdata/deployments/redis-tls-settings.yaml | 5 ++++- .../ratelimit/testdata/deployments/tolerations.yaml | 5 ++++- .../kubernetes/ratelimit/testdata/deployments/volumes.yaml | 5 ++++- .../ratelimit/testdata/deployments/with-node-selector.yaml | 5 ++++- .../deployments/with-topology-spread-constraints.yaml | 5 ++++- 14 files changed, 53 insertions(+), 13 deletions(-) diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index 9353b0ced00..dc9a6f82e99 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go @@ -229,6 +229,7 @@ func promStatsdExporterContainer() corev1.Container { }, TerminationMessagePolicy: corev1.TerminationMessageReadFile, TerminationMessagePath: "/dev/termination-log", + Resources: *egv1a1.DefaultResourceRequirements(), } } 
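Review bot: The default assigned to the exporter in `promStatsdExporterContainer` sets requests only. The regenerated fixtures show `requests` of `cpu: 100m` and `memory: 512Mi` with no `limits`, so the sidecar's CPU and memory use stays uncapped and it can still starve the rate limit container it shares a pod with, or the node. If `DefaultResourceRequirements()` is also the default for the rate limit container (not visible here), every pod now reserves that amount twice, for what is presumably a lightweight metrics translator. Consider a smaller exporter-specific value with a memory limit, or at least a comment on the new line such as `// requests only, no limits: exporter usage is not capped`. The function body starts outside the hunk, so whether users can override this value cannot be confirmed from here.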
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index bfd2c28cc6a..43117ea69f0 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml @@ -133,7 +133,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index bfd2c28cc6a..43117ea69f0 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -133,7 +133,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index db3b88ebaea..cab51913349 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -129,7 +129,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 33d976d7766..782ad23b931 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -144,7 +144,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 02ea3143bf6..1f2326eb6d9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml @@ -144,7 +144,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 95516ce6c46..45406b6922e 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml @@ -137,7 +137,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 8a9cfb60c97..8e5fa6c80c9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -133,7 +133,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index 971f019dd8d..b750f3f02ed 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -129,7 +129,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 9854f37f4e2..98324dd2dc1 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -144,7 +144,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 56fdb156dcf..611f60ad39e 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -144,7 +144,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 01e779e9e49..6ba0ceb5d97 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml @@ -144,7 +144,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index b0325b6d835..baaea949e4e 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -129,7 +129,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index 7ad968464b7..f7aade39974 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -129,7 +129,10 @@ spec: - containerPort: 19001 name: metrics protocol: TCP - resources: {} + resources: + requests: + cpu: 100m + memory: 512Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: From 7b286d33df2227c4b99167ab5ce0da799bf27ecf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 20:06:31 +0800 Subject: [PATCH 002/523] build(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#3964) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 91ba65f0069..d443b9e361b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -26,7 +26,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif From f564b1657bc8c41bb034e2d14c6c6723f226cdf7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 20:06:57 +0800 Subject: [PATCH 003/523] build(deps): bump github.com/bufbuild/buf from 1.34.0 to 1.35.1 in /tools/src/buf (#3969) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.34.0 to 1.35.1. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.34.0...v1.35.1) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 6 +++--- tools/src/buf/go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index d2d02735a03..de4034e91b6 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,7 +2,7 @@ module local go 1.22.5 -require github.com/bufbuild/buf v1.34.0 +require github.com/bufbuild/buf v1.35.1 require ( buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240508200655-46a4cf4ba109.2 // indirect 
@@ -28,14 +28,14 @@ require ( github.com/docker/go-units v0.5.0 // indirect github.com/felixge/fgprof v0.9.4 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-chi/chi/v5 v5.0.13 // indirect + github.com/go-chi/chi/v5 v5.0.14 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/gofrs/uuid/v5 v5.2.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/cel-go v0.20.1 // indirect github.com/google/go-containerregistry v0.19.2 // indirect - github.com/google/pprof v0.0.0-20240618054019-d3b898a103f8 // indirect + github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 6b67bac010b..c6d949c31f1 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -14,8 +14,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.34.0 h1:rZSVfYS5SakOe6ds9PDjbHVwOc+vBGVWNW9Ei+Rg/+c= -github.com/bufbuild/buf v1.34.0/go.mod h1:Fj+KBmY2ODYD2Ld02w4LH9Y3WiRH2203IjGJbKYK5Hc= +github.com/bufbuild/buf v1.35.1 h1:aiCi/YFOg7eXKZeveWb2ZhnmLFwUMM/FnDCM0roFp+M= +github.com/bufbuild/buf v1.35.1/go.mod h1:SM7b5QW3FkQPNkkqIa/9UWzLOoe51la+GGZpEgH9b68= github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= github.com/bufbuild/protocompile v0.14.0/go.mod h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= @@ -67,8 +67,8 @@ github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/go-chi/chi/v5 v5.0.13 h1:JlH2F2M8qnwl0N1+JFFzlX9TlKJYas3aPXdiuTmJL+w= -github.com/go-chi/chi/v5 v5.0.13/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0= +github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -93,8 +93,8 @@ github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKj github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240618054019-d3b898a103f8 h1:ASJ/LAqdCHOyMYI+dwNxn7Rd8FscNkMyTr1KZU1JI/M= -github.com/google/pprof v0.0.0-20240618054019-d3b898a103f8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9 h1:ouFdLLCOyCfnxGpQTMZKHLyHr/D1GFbQzEsJxumO16E= +github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w= From 9e4b88d508096fb914de38244dc31b8004c7eafb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 20:07:24 +0800 Subject: [PATCH 004/523] build(deps): bump github.com/docker/cli from 27.0.3+incompatible to 27.1.1+incompatible (#3968) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.0.3+incompatible to 27.1.1+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.0.3...v27.1.1) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1231fc39ee8..0c4a6874858 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/Masterminds/semver/v3 v3.2.1 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v27.0.3+incompatible + github.com/docker/cli v27.1.1+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 diff --git a/go.sum b/go.sum index 259c15915b6..71ccf632d9f 100644 --- a/go.sum +++ b/go.sum @@ -379,8 +379,8 @@ github.com/distribution/distribution/v3 v3.0.0-alpha.1 h1:jn7I1gvjOvmLztH1+1cLiU github.com/distribution/distribution/v3 v3.0.0-alpha.1/go.mod h1:LCp4JZp1ZalYg0W/TN05jarCQu+h4w7xc7ZfQF4Y/cY= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.0.3+incompatible h1:usGs0/BoBW8MWxGeEtqPMkzOY56jZ6kYlSN5BLDioCQ= -github.com/docker/cli v27.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 
From 0b52320ba6fb5d65796470cd367d1f8d5d27a191 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 21:58:34 +0800 Subject: [PATCH 005/523] build(deps): bump fortio.org/log from 1.15.0 to 1.16.0 (#3967) Bumps [fortio.org/log](https://github.com/fortio/log) from 1.15.0 to 1.16.0. - [Release notes](https://github.com/fortio/log/releases) - [Commits](https://github.com/fortio/log/compare/v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: fortio.org/log dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0c4a6874858..389fb0cb9dd 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( fortio.org/fortio v1.66.0 - fortio.org/log v1.15.0 + fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.2.1 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc diff --git a/go.sum b/go.sum index 71ccf632d9f..559b865310d 100644 --- a/go.sum +++ b/go.sum 
@@ -197,8 +197,8 @@ fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0= fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U= fortio.org/fortio v1.66.0 h1:9F/200qIu136z847bxs/NeAoYdJaQlVofYlppi3qwcw= fortio.org/fortio v1.66.0/go.mod h1:eUl5MRscw6CiWAStai8aB3/8unxA9uNzJRXdhKEaq1s= -fortio.org/log v1.15.0 h1:DRbZzgZH4av3ZPz6yIcvBwMy4NLH8a5iznRXXEegvJQ= -fortio.org/log v1.15.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= +fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc= +fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= fortio.org/scli v1.15.1 h1:Upza50brpEZwUk8Nn2gdP4BjgqJZY3J+z7KLrrAzPjY= fortio.org/scli v1.15.1/go.mod h1:9LOD4iPe9u73KeJGYC/Af1oFniOafO7oZ9VvwENMf/c= fortio.org/sets v1.1.1 h1:Q7Z1Ft2lpUc1N7bfI8HofIK0QskrOflfYRyKT2LzBng= From 87909aa0de3b233ebedb5ec5b633feb8cee0daba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 10:16:31 -0700 Subject: [PATCH 006/523] build(deps): bump github.com/docker/docker from 27.0.3+incompatible to 27.1.1+incompatible (#3966) build(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.0.3+incompatible to 27.1.1+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v27.0.3...v27.1.1) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 389fb0cb9dd..4234bf9541f 100644 --- a/go.mod +++ b/go.mod 
@@ -63,7 +63,7 @@ require ( ) require ( - github.com/docker/docker v27.0.3+incompatible + github.com/docker/docker v27.1.1+incompatible github.com/replicatedhq/troubleshoot v0.95.1 ) diff --git a/go.sum b/go.sum index 559b865310d..67d72d57a0e 100644 --- a/go.sum +++ b/go.sum @@ -384,8 +384,8 @@ github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE= -github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= +github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= From 968709b92cd97bd4cd5d4aeba23d81f60d8fe9b3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 06:45:05 +0800 Subject: [PATCH 007/523] build(deps): bump docker/login-action from 3.2.0 to 3.3.0 (#3963) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/0d4c9c5ea7693da7b068278f7b52bda2a190a446...9780b0c442fbb1117ed29e0efdff1e18412f7567) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 0a367a06d65..e16a4bee57f 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -182,7 +182,7 @@ jobs: # build and push image - name: Login to DockerHub if: github.event_name == 'push' - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3fc2409a90f..841b9aabf2e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -57,7 +57,7 @@ jobs: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Login to DockerHub - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} From f6b6bb813ac42e7da647a7ab0e1268a454efe3b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 06:46:08 +0800 Subject: [PATCH 008/523] build(deps): bump github/codeql-action from 3.25.13 to 3.25.15 (#3962) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.13 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2d790406f505036ef40ecba973cc774a50395aac...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 82d7ab684a7..d3e4cd0a458 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d443b9e361b..99a10164ed7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: sarif_file: results.sarif From 04c5ce230171ceea261eda354b14538675143614 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 16:28:05 -0700 Subject: [PATCH 009/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.95.1 to 0.98.0 (#3965) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.95.1 to 0.98.0. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.95.1...v0.98.0) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 ++++++---- go.sum | 28 +++++++++++++++------------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 4234bf9541f..21c1953f3d3 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( require ( github.com/docker/docker v27.1.1+incompatible - github.com/replicatedhq/troubleshoot v0.95.1 + github.com/replicatedhq/troubleshoot v0.98.0 ) require ( @@ -95,6 +95,7 @@ require ( github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect + github.com/cilium/ebpf v0.11.0 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.17 // indirect github.com/containerd/errdefs v0.1.0 // indirect 
@@ -104,8 +105,9 @@ require ( github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect github.com/containers/ocicrypt v1.1.10 // indirect github.com/containers/storage v1.54.0 // indirect + github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cyphar/filepath-securejoin v0.2.5 // indirect - github.com/distribution/distribution/v3 v3.0.0-alpha.1 // indirect + github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect @@ -209,7 +211,7 @@ require ( gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect k8s.io/apiserver v0.30.3 // indirect - k8s.io/kubelet v0.30.2 // indirect + k8s.io/kubelet v0.30.3 // indirect k8s.io/metrics v0.30.3 // indirect oras.land/oras-go v1.2.5 // indirect periph.io/x/host/v3 v3.8.2 // indirect @@ -272,7 +274,7 @@ require ( go.opentelemetry.io/otel/trace v1.28.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/mod v0.18.0 // indirect + golang.org/x/mod v0.19.0 // indirect golang.org/x/net v0.27.0 golang.org/x/oauth2 v0.21.0 // indirect golang.org/x/sync v0.7.0 // indirect diff --git a/go.sum b/go.sum index 67d72d57a0e..6328c42f379 100644 --- a/go.sum +++ b/go.sum 
@@ -213,10 +213,10 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= 
@@ -310,6 +310,8 @@ github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXH github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y= +github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -351,7 +353,6 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= 
@@ -375,8 +376,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/distribution/distribution/v3 v3.0.0-alpha.1 h1:jn7I1gvjOvmLztH1+1cLiUFud7aeJCIQcgzugtwjyJo= -github.com/distribution/distribution/v3 v3.0.0-alpha.1/go.mod h1:LCp4JZp1ZalYg0W/TN05jarCQu+h4w7xc7ZfQF4Y/cY= +github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfGUhc8I+MPfRis8dZ818Ic= +github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= @@ -540,6 +541,7 @@ github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZ github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
@@ -983,8 +985,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.95.1 h1:r7CQl4WuZrKNjMerG/ljCzHJY43oTQN0fpRP8GcBUEw= -github.com/replicatedhq/troubleshoot v0.95.1/go.mod h1:ghle+cwNow+SgGMGZ3jRouRbAbT22uVpKbJSxNvNc00= +github.com/replicatedhq/troubleshoot v0.98.0 h1:+R3rMV84sGr24/OOr9PHYt9NPXsZHB24/8N4IH1rJFI= +github.com/replicatedhq/troubleshoot v0.98.0/go.mod h1:L+ocOIFN2a65xiXHQT57ythmXXw4mWkWwH4dfZJPJ8g= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 
@@ -1244,8 +1246,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1860,8 +1862,8 @@ k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= -k8s.io/kubelet v0.30.2 h1:Ck4E/pHndI20IzDXxS57dElhDGASPO5pzXF7BcKfmCY= -k8s.io/kubelet v0.30.2/go.mod h1:DSwwTbLQmdNkebAU7ypIALR4P9aXZNFwgRmedojUE94= +k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys= +k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys= k8s.io/metrics v0.30.3 h1:gKCpte5zykrOmQhZ8qmsxyJslMdiLN+sqbBfIWNpbGM= k8s.io/metrics v0.30.3/go.mod h1:W06L2nXRhOwPkFYDJYWdEIS3u6JcJy3ebIPYbndRs6A= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= From 36764c046db9967cd435764eafaf283af374f9e5 Mon Sep 17 00:00:00 2001 
From: Huabing Zhao Date: Tue, 30 Jul 2024 13:53:06 +0800 Subject: [PATCH 010/523] chore: clean up cross ns checking for policies (#3961) * clean up cross ns checking for policies Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- internal/gatewayapi/backendtrafficpolicy.go | 29 ++---------------- internal/gatewayapi/clienttrafficpolicy.go | 15 +-------- internal/gatewayapi/envoyextensionpolicy.go | 30 ++---------------- internal/gatewayapi/envoypatchpolicy.go | 23 +------------- internal/gatewayapi/extensionserverpolicy.go | 31 +++---------------- internal/gatewayapi/securitypolicy.go | 32 ++------------------ 6 files changed, 13 insertions(+), 147 deletions(-) diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 41cb02ce112..26d4a2a9b7c 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -221,11 +221,10 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv } func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext) (*GatewayContext, *status.PolicyResolveError) { - targetNs := policy.Namespace // Check if the gateway exists key := types.NamespacedName{ Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } gateway, ok := gateways[key] 
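Review bot: After this cleanup the same-namespace rule for policy attachment is enforced only implicitly, by building the lookup key with `Namespace: policy.Namespace` in `resolveBTPolicyGatewayTargetRef`, and nothing in the code says so. The comparison deleted in the following hunks was always false, so removing it is safe, but it was the only place that spelled the rule out. A short comment above the key would keep the invariant visible to whoever later touches target resolution, for example `// The target ref carries no namespace here, so the target is always looked up in the policy's own namespace.` The same applies to `resolveBTPolicyRouteTargetRef` and to the matching hunks in clienttrafficpolicy.go, envoyextensionpolicy.go, envoypatchpolicy.go, extensionserverpolicy.go and securitypolicy.go. The function body continues outside this hunk.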
@@ -234,17 +233,6 @@ func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, target return nil, nil } - // Ensure Policy and target are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return gateway.GatewayContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same Gateway exists if gateway.attached { message := fmt.Sprintf("Unable to target Gateway %s, another BackendTrafficPolicy has already attached to it", @@ -264,13 +252,11 @@ func resolveBTPolicyGatewayTargetRef(policy *egv1a1.BackendTrafficPolicy, target } func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, routes map[policyTargetRouteKey]*policyRouteTargetContext) (RouteContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Check if the route exists key := policyTargetRouteKey{ Kind: string(target.Kind), Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } route, ok := routes[key] @@ -279,17 +265,6 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, target g return nil, nil } - // Ensure Policy and target are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, BackendTrafficPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return route.RouteContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same xRoute exists if route.attached { message := fmt.Sprintf("Unable to target %s %s, another BackendTrafficPolicy has already attached to it", 
diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index e7e91dbcade..8462a0545c0 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -292,12 +292,10 @@ func resolveCTPolicyTargetRef( targetRef *gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext, ) (*GatewayContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Check if the gateway exists key := types.NamespacedName{ Name: string(targetRef.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } gateway, ok := gateways[key] @@ -306,17 +304,6 @@ func resolveCTPolicyTargetRef( return nil, nil } - // Ensure Policy and target Gateway are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, ClientTrafficPolicy can only target a Gateway in the same namespace.", - policy.Namespace, targetNs) - - return gateway.GatewayContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // If sectionName is set, make sure its valid sectionName := targetRef.SectionName if sectionName != nil { diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index a0882b2deba..5f871a6f8c0 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
@@ -222,12 +222,10 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv } func resolveEEPolicyGatewayTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext) (*GatewayContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Check if the gateway exists key := types.NamespacedName{ Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } gateway, ok := gateways[key] @@ -236,17 +234,6 @@ func resolveEEPolicyGatewayTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target return nil, nil } - // Ensure Policy and target are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, EnvoyExtensionPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return gateway.GatewayContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same Gateway exists if gateway.attached { message := fmt.Sprintf("Unable to target Gateway %s, another EnvoyExtensionPolicy has already attached to it", @@ -266,13 +253,11 @@ func resolveEEPolicyGatewayTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target } func resolveEEPolicyRouteTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, routes map[policyTargetRouteKey]*policyRouteTargetContext) (RouteContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Check if the route exists key := policyTargetRouteKey{ Kind: string(target.Kind), Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } route, ok := routes[key] 
@@ -281,17 +266,6 @@ func resolveEEPolicyRouteTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target g return nil, nil } - // Ensure Policy and target are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, EnvoyExtensionPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return route.RouteContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same xRoute exists if route.attached { message := fmt.Sprintf("Unable to target %s %s, another EnvoyExtensionPolicy has already attached to it", diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go index d8558e2e579..9ea9102ac76 100644 --- a/internal/gatewayapi/envoypatchpolicy.go +++ b/internal/gatewayapi/envoypatchpolicy.go @@ -33,8 +33,6 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo irKey string ) - targetNs := policy.Namespace - if t.MergeGateways { targetKind = KindGatewayClass irKey = string(t.GatewayClassName) @@ -49,7 +47,7 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo } else { targetKind = KindGateway gatewayNN := types.NamespacedName{ - Namespace: targetNs, + Namespace: policy.Namespace, Name: string(policy.Spec.TargetRef.Name), } // It must exist since the gateways have already been processed 
@@ -109,25 +107,6 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo continue } - // Ensure EnvoyPatchPolicy and target Gateway are in the same namespace - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, EnvoyPatchPolicy can only target a %s in the same namespace.", - policy.Namespace, targetNs, targetKind) - - resolveErr = &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - status.SetResolveErrorForPolicyAncestors(&policy.Status, - ancestorRefs, - t.GatewayControllerName, - policy.Generation, - resolveErr, - ) - - continue - } - // Save the patch for _, patch := range policy.Spec.JSONPatches { irPatch := ir.JSONPatchConfig{} diff --git a/internal/gatewayapi/extensionserverpolicy.go b/internal/gatewayapi/extensionserverpolicy.go index 0f7c4f7524b..3843eb50355 100644 --- a/internal/gatewayapi/extensionserverpolicy.go +++ b/internal/gatewayapi/extensionserverpolicy.go @@ -14,9 +14,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/ptr" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/status" 
@@ -63,18 +61,12 @@ func (t *Translator) ProcessExtensionServerPolicies(policies []unstructured.Unst } // Negative statuses have already been assigned so its safe to skip - gateway, resolveErr := resolveExtServerPolicyGatewayTargetRef(policy, currTarget, gatewayMap) + gateway := resolveExtServerPolicyGatewayTargetRef(policy, currTarget, gatewayMap) if gateway == nil { // unable to find a matching Gateway for policy continue } - // Skip the gateway. Don't add anything to the policy status. - if resolveErr != nil { - // The targetRef part is somehow wrong, this policy can't be attached. - continue - } - // Set conditions for translation if it got any if t.translateExtServerPolicyForGateway(policy, gateway, currTarget, xdsIR) { // Set Accepted condition if it is unset 
@@ -125,33 +117,20 @@ func policyStatusToUnstructured(policyStatus gwapiv1a2.PolicyStatus) map[string] return ret } -func resolveExtServerPolicyGatewayTargetRef(policy *unstructured.Unstructured, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext) (*GatewayContext, *status.PolicyResolveError) { - targetNs := ptr.To(gwapiv1b1.Namespace(policy.GetNamespace())) - +func resolveExtServerPolicyGatewayTargetRef(policy *unstructured.Unstructured, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext) *GatewayContext { // Check if the gateway exists key := types.NamespacedName{ Name: string(target.Name), - Namespace: string(*targetNs), + Namespace: policy.GetNamespace(), } gateway, ok := gateways[key] // Gateway not found if !ok { - return nil, nil - } - - // Ensure Policy and target are in the same namespace - if policy.GetNamespace() != string(*targetNs) { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, extension server policies can only target a resource in the same namespace.", - policy.GetNamespace(), *targetNs) - - return gateway.GatewayContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } + return nil } - return gateway.GatewayContext, nil + return gateway.GatewayContext } func (t *Translator) translateExtServerPolicyForGateway( diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 2aec807c7b7..d071e4ffdda 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -248,12 +248,10 @@ func resolveSecurityPolicyGatewayTargetRef( target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateways map[types.NamespacedName]*policyGatewayTargetContext, ) (*GatewayContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Find the Gateway key := types.NamespacedName{ Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } gateway, ok := gateways[key] @@ -265,18 +263,6 @@ func resolveSecurityPolicyGatewayTargetRef( return nil, nil } - // Ensure Policy and target are in the same namespace - if policy.Namespace != targetNs { - // TODO zhaohuabing use CEL to validate cross-namespace reference - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, SecurityPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return gateway.GatewayContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same Gateway exists if gateway.attached { message := fmt.Sprintf("Unable to target Gateway %s, another SecurityPolicy has already attached to it", @@ -300,13 +286,11 @@ func resolveSecurityPolicyRouteTargetRef( target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, routes map[policyTargetRouteKey]*policyRouteTargetContext, ) (RouteContext, *status.PolicyResolveError) { - targetNs := policy.Namespace - // Check if the route exists key := policyTargetRouteKey{ Kind: string(target.Kind), Name: string(target.Name), - Namespace: targetNs, + Namespace: policy.Namespace, } route, ok := routes[key] 
@@ -318,18 +302,6 @@ func resolveSecurityPolicyRouteTargetRef( return nil, nil } - // Ensure Policy and target are in the same namespace - // TODO zhaohuabing use CEL to validate cross-namespace reference - if policy.Namespace != targetNs { - message := fmt.Sprintf("Namespace:%s TargetRef.Namespace:%s, SecurityPolicy can only target a resource in the same namespace.", - policy.Namespace, targetNs) - - return route.RouteContext, &status.PolicyResolveError{ - Reason: gwapiv1a2.PolicyReasonInvalid, - Message: message, - } - } - // Check if another policy targeting the same xRoute exists if route.attached { message := fmt.Sprintf("Unable to target %s %s, another SecurityPolicy has already attached to it", From ddf21783285d3632bfe0bc8acafc2a0273c6e930 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 30 Jul 2024 20:54:53 +0800 Subject: [PATCH 011/523] set default SecurityContext for EG components (#3940) * set SecurityContext Signed-off-by: Huabing Zhao * set SecurityContext for RateLimit container Signed-off-by: Huabing Zhao * set SecurityContext for shutdown manager Signed-off-by: Huabing Zhao * set SecurityContext for envoy proxy Signed-off-by: Huabing Zhao * use nobody user for rate limit image Signed-off-by: Huabing Zhao * fix shutdown test Signed-off-by: Huabing Zhao * add write permission to envoy Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- charts/gateway-helm/templates/certgen.yaml | 16 +++++++++--- .../templates/envoy-gateway-deployment.yaml | 9 +++++-- .../kubernetes/proxy/resource.go | 22 +++++++++++++++- .../testdata/daemonsets/component-level.yaml | 18 +++++++++++++ .../proxy/testdata/daemonsets/custom.yaml | 9 +++++++ .../testdata/daemonsets/default-env.yaml | 9 +++++++ .../proxy/testdata/daemonsets/default.yaml | 18 +++++++++++++ .../daemonsets/disable-prometheus.yaml | 18 +++++++++++++ .../testdata/daemonsets/extension-env.yaml | 9 +++++++ .../override-labels-and-annotations.yaml | 18 +++++++++++++ .../testdata/daemonsets/patch-daemonset.yaml | 18 +++++++++++++ .../testdata/daemonsets/shutdown-manager.yaml | 17 +++++++++++++ .../proxy/testdata/daemonsets/volumes.yaml | 9 +++++++ .../testdata/daemonsets/with-annotations.yaml | 18 +++++++++++++ .../testdata/daemonsets/with-concurrency.yaml | 18 +++++++++++++ .../testdata/daemonsets/with-extra-args.yaml | 18 +++++++++++++ .../daemonsets/with-image-pull-secrets.yaml | 18 +++++++++++++ .../proxy/testdata/daemonsets/with-name.yaml | 18 +++++++++++++ .../daemonsets/with-node-selector.yaml | 18 +++++++++++++ .../with-topology-spread-constraints.yaml | 18 +++++++++++++ .../proxy/testdata/deployments/bootstrap.yaml | 18 +++++++++++++ .../testdata/deployments/component-level.yaml | 18 +++++++++++++ .../proxy/testdata/deployments/custom.yaml | 9 +++++++ .../custom_with_initcontainers.yaml | 9 +++++++ .../testdata/deployments/default-env.yaml | 9 +++++++ .../proxy/testdata/deployments/default.yaml | 18 +++++++++++++ .../deployments/disable-prometheus.yaml | 18 +++++++++++++ .../testdata/deployments/extension-env.yaml | 9 +++++++ .../override-labels-and-annotations.yaml | 18 +++++++++++++ .../deployments/patch-deployment.yaml | 18 +++++++++++++ .../deployments/shutdown-manager.yaml | 17 +++++++++++++ .../proxy/testdata/deployments/volumes.yaml | 9 +++++++ .../deployments/with-annotations.yaml | 18 +++++++++++++ 
.../deployments/with-concurrency.yaml | 18 +++++++++++++ .../deployments/with-empty-memory-limits.yaml | 18 +++++++++++++ .../testdata/deployments/with-extra-args.yaml | 18 +++++++++++++ .../deployments/with-image-pull-secrets.yaml | 18 +++++++++++++ .../proxy/testdata/deployments/with-name.yaml | 18 +++++++++++++ .../deployments/with-node-selector.yaml | 18 +++++++++++++ .../with-topology-spread-constraints.yaml | 18 +++++++++++++ .../kubernetes/ratelimit/resource.go | 18 ++++++++++++- .../testdata/deployments/custom.yaml | 12 +++++++++ .../testdata/deployments/default-env.yaml | 12 +++++++++ .../testdata/deployments/default.yaml | 24 ++++++++++++++++++ .../deployments/disable-prometheus.yaml | 12 +++++++++ .../deployments/enable-tracing-custom.yaml | 24 ++++++++++++++++++ .../testdata/deployments/enable-tracing.yaml | 24 ++++++++++++++++++ .../testdata/deployments/extension-env.yaml | 12 +++++++++ .../testdata/deployments/override-env.yaml | 12 +++++++++ .../deployments/patch-deployment.yaml | 24 ++++++++++++++++++ .../deployments/redis-tls-settings.yaml | 12 +++++++++ .../testdata/deployments/tolerations.yaml | 12 +++++++++ .../testdata/deployments/volumes.yaml | 12 +++++++++ .../deployments/with-node-selector.yaml | 24 ++++++++++++++++++ .../with-topology-spread-constraints.yaml | 24 ++++++++++++++++++ .../kubernetes/resource/resource.go | 19 ++++++++++++++ .../control-plane-with-pdb.out.yaml | 25 ++++++++++++++----- .../helm/gateway-helm/default-config.out.yaml | 25 ++++++++++++++----- .../deployment-custom-topology.out.yaml | 25 ++++++++++++++----- .../deployment-images-config.out.yaml | 25 ++++++++++++++----- .../envoy-gateway-config.out.yaml | 25 ++++++++++++++----- .../global-images-config.out.yaml | 25 ++++++++++++++----- 62 files changed, 1013 insertions(+), 44 deletions(-) diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index f122f0a8e49..89f013e6a83 100644 
--- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml @@ -38,12 +38,20 @@ spec: resources: {{- toYaml . | nindent 10 }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault {{- include "eg.image.pullSecrets" . | nindent 6 }} restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: {{ include "eg.fullname" . }}-certgen {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }} ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }} diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 597063e2852..b40c8dc5428 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -95,6 +95,13 @@ spec: }} securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -103,8 +110,6 @@ spec: name: certs readOnly: true {{- include "eg.image.pullSecrets" . | nindent 6 }} - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index f89491f4380..5045de6390a 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go 
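Review bot: Both Helm hunks on this line delete what appears to be the pod-level `securityContext` (the `runAsGroup`/`runAsNonRoot`/`runAsUser` block in certgen.yaml and `runAsNonRoot: true` in envoy-gateway-deployment.yaml) and declare the settings only on the single container. Container-level settings do not cover a container added to the pod later, such as an injected sidecar or one added by a chart override, so keeping the pod-level block as a baseline costs nothing; in the deployment that means retaining the two lines `securityContext:` and `runAsNonRoot: true` under the pod spec. Separately, the envoy-gateway container gets `drop: ALL` and the seccomp profile but, unlike certgen, no `readOnlyRootFilesystem: true`; if that is deliberate, a template comment saying what the process writes would help. Indentation is lost in this rendering, so the pod-versus-container placement is inferred from the order of the surrounding keys.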
@@ -199,7 +199,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra, Args: args, Env: expectedContainerEnv(containerSpec), Resources: *containerSpec.Resources, - SecurityContext: containerSpec.SecurityContext, + SecurityContext: expectedEnvoySecurityContext(containerSpec), Ports: ports, VolumeMounts: expectedContainerVolumeMounts(containerSpec), TerminationMessagePolicy: corev1.TerminationMessageReadFile, @@ -296,6 +296,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra, }, }, }, + SecurityContext: expectedShutdownManagerSecurityContext(), }, } @@ -435,3 +436,22 @@ func calculateMaxHeapSizeBytes(envoyResourceRequirements *corev1.ResourceRequire return 0 } + +func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) *corev1.SecurityContext { + if containerSpec != nil && containerSpec.SecurityContext != nil { + return containerSpec.SecurityContext + } + + sc := resource.DefaultSecurityContext() + // Envoy container needs to write to the log file/UDS socket. + sc.ReadOnlyRootFilesystem = nil + return sc +} + +func expectedShutdownManagerSecurityContext() *corev1.SecurityContext { + sc := resource.DefaultSecurityContext() + // ShutdownManger creates a file to indicate the connection drain process is completed, + // so it needs file write permission. + sc.ReadOnlyRootFilesystem = nil + return sc +} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index 99d32ac0a39..0622977315d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml 
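Review bot: The shutdown-manager container gets its context from `expectedShutdownManagerSecurityContext()`, which clears `ReadOnlyRootFilesystem` so that one drain-marker file can be written, leaving the container's whole root filesystem writable. The helper is defined in this file's last hunk. If the marker lives in a known directory, mounting an `emptyDir` there would let the default read-only root stay in place; until then a line on the helper such as `// TODO: write the drain marker to an emptyDir and keep ReadOnlyRootFilesystem set.` records the gap. The helper's existing comment also misspells the component as `ShutdownManger`. The container literal this field belongs to starts and ends outside the hunk.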
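Review bot: `expectedEnvoySecurityContext` returns a user-supplied `containerSpec.SecurityContext` unchanged, so a spec that sets a single field (only `runAsUser`, say) gets none of the hardened defaults. Judging by the testdata, those are `allowPrivilegeEscalation: false`, `drop: ALL`, `runAsNonRoot: true` and the `RuntimeDefault` seccomp profile. That may be the intended override semantics, but it should be stated on the function, for example `// A non-nil SecurityContext in the spec replaces the defaults entirely; unset fields are not filled in.` The `containerSpec != nil` guard also looks unreachable from `expectedProxyContainers`, which dereferences `*containerSpec.Resources` on the line before the call.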
@@ -86,6 +86,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -151,6 +160,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index fc524284fb4..8f2752be07c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -340,6 +340,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index fbeddc169b8..1d5a93c5ba2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -338,6 +338,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 12a23303837..7ee2909f896 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 8e0e734fead..7190df8f86f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -224,6 +224,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -289,6 +298,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 314e8bcea7a..3ceb7cee0ea 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -342,6 +342,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 1707fe03ff2..9b8a0fcaf4b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -264,6 +264,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -329,6 +338,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index c830cff8176..970f58ba1ab 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 7c2c2755a70..3bb5ccbe620 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -254,6 +254,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -330,7 +339,15 @@ spec: cpu: 100m memory: 64Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true runAsUser: 1234 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index fc59ec6739b..060e0d42b92 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml 
@@ -342,6 +342,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index a0ee70d91eb..ffc184f3fd8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -258,6 +258,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -323,6 +332,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index a0d51421ee0..850b8a2510e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -86,6 +86,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -151,6 +160,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 7c64e500cb6..e75a89be5bc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -255,6 +255,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -320,6 +329,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 8be6632a3bf..424eae5f2a3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 3847891f6ab..fb4fc761bb2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 71b63d6b311..96a1e21f963 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 91b9e52d325..7436383cc8e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -253,6 +253,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -318,6 +327,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 6cb7499b104..e98fd731131 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -89,6 +89,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -154,6 +163,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index ff9605d9f18..edcfa7b5322 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -90,6 +90,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -155,6 +164,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 0434fb4cab4..88983936f25 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -345,6 +345,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 89c92870887..07ceadcfb6d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -347,6 +347,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index c5e2d4ce3c1..4000dacbda3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -343,6 +343,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 9ef09dd6828..44777d51a52 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index cc33a09c7b3..bee1b53938a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -228,6 +228,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -293,6 +302,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 4ff157e8cd8..e84fd418ead 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -347,6 +347,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 7137ea49d8c..460de06f269 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -268,6 +268,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -333,6 +342,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 9d30812b114..5fe7b493015 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index ddeaa935b97..9ab5e2cc0dd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -258,6 +258,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -334,7 +343,15 @@ spec: cpu: 100m memory: 64Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true runAsUser: 1234 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index ea54e6252d5..51f0ccc3a8a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -347,6 +347,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 95190921010..cfc2685d49d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml 
@@ -262,6 +262,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -327,6 +336,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 98706e847c6..c01d19873f1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -90,6 +90,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -155,6 +164,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 038362e546b..ef9f75cc636 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml 
@@ -256,6 +256,15 @@ spec: resources: limits: cpu: 400m + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -321,6 +330,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 62816f17104..81d0cbac111 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -259,6 +259,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -324,6 +333,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index eb84fd39735..83f2881be23 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml 
@@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index f212a6aa0ac..f1dc2a9bc6f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 6fbb69e7747..cc8f66c7e33 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 952b2ecf739..4083f99d3fe 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -257,6 +257,15 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -322,6 +331,15 @@ spec: requests: cpu: 10m memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index dc9a6f82e99..162396f62db 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go 
@@ -158,7 +158,7 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen Env: expectedRateLimitContainerEnv(rateLimit, rateLimitDeployment, namespace), Ports: ports, Resources: *rateLimitDeployment.Container.Resources, - SecurityContext: rateLimitDeployment.Container.SecurityContext, + SecurityContext: expectedRateLimitContainerSecurityContext(rateLimitDeployment), VolumeMounts: expectedContainerVolumeMounts(rateLimit, rateLimitDeployment), TerminationMessagePolicy: corev1.TerminationMessageReadFile, TerminationMessagePath: "/dev/termination-log", @@ -229,6 +229,7 @@ func promStatsdExporterContainer() corev1.Container { }, TerminationMessagePolicy: corev1.TerminationMessageReadFile, TerminationMessagePath: "/dev/termination-log", + SecurityContext: defaultSecurityContext(), Resources: *egv1a1.DefaultResourceRequirements(), } } @@ -504,3 +505,18 @@ func checkTraceEndpointScheme(url string) string { return fmt.Sprintf("%s%s", httpScheme, url) } + +func expectedRateLimitContainerSecurityContext(rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) *corev1.SecurityContext { + if rateLimitDeployment.Container.SecurityContext != nil { + return rateLimitDeployment.Container.SecurityContext + } + return defaultSecurityContext() +} + +func defaultSecurityContext() *corev1.SecurityContext { + defaultSC := resource.DefaultSecurityContext() + // run as non-root user + defaultSC.RunAsGroup = ptr.To(int64(65534)) + defaultSC.RunAsUser = ptr.To(int64(65534)) + return defaultSC +} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index 43117ea69f0..c750b09a0b9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml 
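Review bot: `expectedRateLimitContainerSecurityContext` (last hunk of this file, called from `expectedRateLimitContainers` in the first) returns any non-nil user-supplied `Container.SecurityContext` unchanged, so a partial override that sets a single field silently loses the hardened defaults (`allowPrivilegeEscalation: false`, dropped capabilities, seccomp profile, read-only root filesystem). If all-or-nothing replacement is intended, state it in a doc comment such as `// A user-supplied SecurityContext replaces the default entirely; unset fields are not filled from defaultSecurityContext().`; otherwise fill the unset fields from `defaultSecurityContext()` before returning. In `defaultSecurityContext`, the literal `65534` appears twice and would read better as a named constant, and the comment could say why the UID/GID are set explicitly, e.g. `// pin a numeric non-root UID/GID so runAsNonRoot can be verified regardless of the image's USER`. `promStatsdExporterContainer` takes the default unconditionally, and whether that sidecar should honour an operator override cannot be judged from this hunk.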
@@ -137,6 +137,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index 43117ea69f0..c750b09a0b9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -137,6 +137,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index cab51913349..277d5e649d9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -100,6 +100,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -133,6 +145,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 091fe6edb38..0cbbd6dbbb8 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml @@ -96,6 +96,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 782ad23b931..1d53f34a9bc 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -115,6 +115,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -148,6 +160,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 1f2326eb6d9..56bd0a7dfe3 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml @@ -115,6 +115,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -148,6 +160,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 45406b6922e..4468e0df0e4 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml 
@@ -141,6 +141,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 8e5fa6c80c9..826deab69ba 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -137,6 +137,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index b750f3f02ed..790de9e159a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -100,6 +100,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: 
@@ -133,6 +145,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 98324dd2dc1..e3e723c1d40 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -148,6 +148,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 611f60ad39e..5cbedb98853 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -148,6 +148,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 6ba0ceb5d97..fcee6df457d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml @@ -148,6 +148,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index baaea949e4e..1365ac63f8f 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -100,6 +100,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -133,6 +145,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index f7aade39974..1558a925c33 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -100,6 +100,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault startupProbe: failureThreshold: 30 httpGet: @@ -133,6 +145,18 @@ spec: requests: cpu: 100m memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: diff --git a/internal/infrastructure/kubernetes/resource/resource.go b/internal/infrastructure/kubernetes/resource/resource.go index cff49336c71..dbdc289eec3 100644 --- a/internal/infrastructure/kubernetes/resource/resource.go +++ b/internal/infrastructure/kubernetes/resource/resource.go @@ -10,6 +10,7 @@ import ( "github.com/google/go-cmp/cmp/cmpopts" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) 
@@ -115,3 +116,21 @@ func ExpectedContainerVolumeMounts(container *egv1a1.KubernetesContainerSpec, vo return volumeMounts } + +// DefaultSecurityContext returns a default security context with minimal privileges. +func DefaultSecurityContext() *corev1.SecurityContext { + return &corev1.SecurityContext{ + AllowPrivilegeEscalation: ptr.To(false), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + Privileged: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), + RunAsNonRoot: ptr.To(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, + } +} diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 63d999c0b5c..3b9421d233c 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -437,6 +437,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -445,8 +452,6 @@ spec: name: certs readOnly: true imagePullSecrets: [] - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -558,11 +563,19 @@ spec: image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: Always name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: [] restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
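Review bot: `DefaultSecurityContext` sets `RunAsNonRoot` without a `RunAsUser`, so a caller that uses the result unchanged depends on the image declaring a numeric non-root user; otherwise the kubelet will refuse to start the container. The doc comment should say so, e.g. `// Callers must set RunAsUser/RunAsGroup unless the image declares a numeric non-root USER.`, and should also note that every call returns a fresh value, which is what makes the mutation in the ratelimit wrapper safe. For the seccomp profile, prefer the typed constant over the string literal: `Type: corev1.SeccompProfileTypeRuntimeDefault,`.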
diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index e01d1c025e4..4160bf26295 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -423,6 +423,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -431,8 +438,6 @@ spec: name: certs readOnly: true imagePullSecrets: [] - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -544,11 +549,19 @@ spec: image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: Always name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: [] restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 47b89266c24..e337496d744 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -451,6 +451,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config 
@@ -459,8 +466,6 @@ spec: name: certs readOnly: true imagePullSecrets: [] - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -572,11 +577,19 @@ spec: image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: Always name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: [] restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 3cba2b4a50b..8729a397ab8 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -423,6 +423,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -433,8 +440,6 @@ spec: imagePullSecrets: - name: secret1 - name: secret2 - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: 
@@ -546,13 +551,21 @@ spec: image: private-hub/envoyproxy/gateway:abcdef12 imagePullPolicy: IfNotPresent name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: - name: secret1 - name: secret2 restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index b80001eb80b..a38a8f0c22a 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -425,6 +425,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -433,8 +440,6 @@ spec: name: certs readOnly: true imagePullSecrets: [] - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -546,11 +551,19 @@ spec: image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: Always name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: [] restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 4537cf99b49..f730bdafd43 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -427,6 +427,13 @@ spec: memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /config name: envoy-gateway-config @@ -437,8 +444,6 @@ spec: imagePullSecrets: - name: secret1 - name: secret2 - securityContext: - runAsNonRoot: true serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: @@ -550,13 +555,21 @@ spec: image: private-hub/envoyproxy/gateway:abcdef12 imagePullPolicy: Always name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault imagePullSecrets: - name: secret1 - name: secret2 restartPolicy: Never - securityContext: - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 serviceAccountName: gateway-helm-certgen ttlSecondsAfterFinished: 30 From 3dfa931c049e76a2147fc61b071d2883219afc8f Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 31 Jul 2024 10:17:27 +0800 Subject: [PATCH 012/523] docs: fix dropdown (#3975) Signed-off-by: zirain --- site/hugo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/hugo.toml b/site/hugo.toml index fe0678c3d8d..ce169c84f3b 100644 --- a/site/hugo.toml +++ b/site/hugo.toml @@ -279,11 +279,11 @@ enable = true [[params.versions]] version = "v1.1" - url = "/v1.1" + url = "/docs" [[params.versions]] version = "v1.0" - url = "/docs" + url = "/v1.0" [[params.versions]] version = "v0.6" From 847d554a7f60018d6a608fe1469c6016e6292a47 Mon Sep 17 00:00:00 2001 
From: Xunzhuo Date: Thu, 1 Aug 2024 03:20:59 +0800 Subject: [PATCH 013/523] conformance(experimental): enable grpc conformance profile (#3976) Signed-off-by: bitliu --- .github/workflows/experimental_conformance.yaml | 3 ++- test/conformance/experimental_conformance_test.go | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 4c2d2e60f06..a3e2fd894d3 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -3,10 +3,11 @@ on: push: paths: - 'charts/gateway-helm/crds/gatewayapi-crds.yaml' + - 'test/conformance/experimental_conformance_test.go' pull_request: paths: - 'charts/gateway-helm/crds/gatewayapi-crds.yaml' - - 'test/conformance/*.go' + - 'test/conformance/experimental_conformance_test.go' # Add workflow_dispatch to trigger this workflow manually by maintainers. workflow_dispatch: diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index 770abbc1c8a..d337dbfe526 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -35,6 +35,7 @@ func TestExperimentalConformance(t *testing.T) { opts.ConformanceProfiles = sets.New( suite.GatewayHTTPConformanceProfileName, suite.GatewayTLSConformanceProfileName, + suite.GatewayGRPCConformanceProfileName, ) t.Logf("Running experimental conformance tests with %s GatewayClass\n cleanup: %t\n debug: %t\n enable all features: %t \n conformance profiles: [%v]", From 8d82ea9748b57a0dada0bea133fbac018f9ba972 Mon Sep 17 00:00:00 2001 From: sh2 Date: Thu, 1 Aug 2024 04:28:05 +0800 Subject: [PATCH 014/523] add benchmark memory profiles into report (#3951) * add benchmark memory profile into report Signed-off-by: shawnh2 * setup graphviz in ci action Signed-off-by: shawnh2 * fix lint 
Signed-off-by: shawnh2 * reuse request with port-forwarder function Signed-off-by: shawnh2 --------- Signed-off-by: shawnh2 Co-authored-by: zirain --- .github/workflows/build_and_test.yaml | 3 + .github/workflows/latest_release.yaml | 3 + .github/workflows/release.yaml | 3 + internal/troubleshoot/collect/config_dump.go | 2 +- .../collect/prometheus_metrics.go | 4 +- test/benchmark/suite/render.go | 15 ++++ test/benchmark/suite/report.go | 77 ++++++++++++++++--- test/benchmark/suite/suite.go | 28 ++++--- tools/make/kube.mk | 7 ++ 9 files changed, 121 insertions(+), 21 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index e16a4bee57f..7f168d6ab91 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -144,6 +144,9 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps + - name: Setup Graphviz + uses: ts-graphviz/setup-graphviz@v2 + # Benchmark - name: Run Benchmark tests env: diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index c3f23909e37..be8af0ae824 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -25,6 +25,9 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps + - name: Setup Graphviz + uses: ts-graphviz/setup-graphviz@v2 + # Benchmark - name: Run Benchmark tests env: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 841b9aabf2e..7da0055d2b0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,6 +18,9 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps + - name: Setup Graphviz + uses: ts-graphviz/setup-graphviz@v2 + # Benchmark - name: Run Benchmark tests env: 
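Review bot: The new `Setup Graphviz` step references `ts-graphviz/setup-graphviz@v2`, a mutable tag, while the `actions/checkout` step directly above it is pinned to a full commit SHA. If that tag were moved or the action's release compromised, the changed code would run inside the benchmark job with whatever token and environment that job has. Pin it like the other steps, `uses: ts-graphviz/setup-graphviz@<full-commit-sha> # v2`, taking the SHA from the action's repository. The same step is added to `latest_release.yaml` and `release.yaml` in the next two hunks. The job definitions start outside the hunks, so the permissions in effect are not visible here.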
diff --git a/internal/troubleshoot/collect/config_dump.go b/internal/troubleshoot/collect/config_dump.go index fe9ff9558ad..7a5c9b38343 100644 --- a/internal/troubleshoot/collect/config_dump.go +++ b/internal/troubleshoot/collect/config_dump.go @@ -96,5 +96,5 @@ func configDump(cli kube.CLIClient, nn types.NamespacedName, includeEds bool) ([ if includeEds { reqPath = fmt.Sprintf("%s?include_eds", reqPath) } - return requestWithPortForwarder(cli, nn, 19000, reqPath) + return RequestWithPortForwarder(cli, nn, 19000, reqPath) } diff --git a/internal/troubleshoot/collect/prometheus_metrics.go b/internal/troubleshoot/collect/prometheus_metrics.go index 785b99719af..9f659a54a22 100644 --- a/internal/troubleshoot/collect/prometheus_metrics.go +++ b/internal/troubleshoot/collect/prometheus_metrics.go @@ -94,7 +94,7 @@ func (p PrometheusMetric) Collect(_ chan<- interface{}) (tbcollect.CollectorResu reqPath = v } - data, err := requestWithPortForwarder(cliClient, nn, port, reqPath) + data, err := RequestWithPortForwarder(cliClient, nn, port, reqPath) if err != nil { logs = append(logs, fmt.Sprintf("pod %s/%s is skipped because of err: %v", pod.Namespace, pod.Name, err)) continue @@ -121,7 +121,7 @@ func listPods(ctx context.Context, client kubernetes.Interface, namespace string return pods.Items, nil } -func requestWithPortForwarder(cli kube.CLIClient, nn types.NamespacedName, port int, reqPath string) ([]byte, error) { +func RequestWithPortForwarder(cli kube.CLIClient, nn types.NamespacedName, port int, reqPath string) ([]byte, error) { fw, err := kube.NewLocalPortForwarder(cli, nn, 0, port) if err != nil { return nil, err diff --git a/test/benchmark/suite/render.go b/test/benchmark/suite/render.go index dfe3f130ca4..199476f3e99 100644 --- a/test/benchmark/suite/render.go +++ b/test/benchmark/suite/render.go 
@@ -76,6 +76,10 @@ func RenderReport(writer io.Writer, name, description string, titleLevel int, re writeSection(writer, "Metrics", titleLevel+1, "") renderMetricsTable(writer, reports) + + writeSection(writer, "Profiles", titleLevel+1, "") + renderProfilesTable(writer, "Memory", "heap", titleLevel+2, reports) + return nil } @@ -145,6 +149,17 @@ func renderMetricsTable(writer io.Writer, reports []*BenchmarkReport) { _ = table.Flush() } +func renderProfilesTable(writer io.Writer, target, key string, titleLevel int, reports []*BenchmarkReport) { + writeSection(writer, target, titleLevel, "") + + for _, report := range reports { + // The image is not be rendered yet, so it is a placeholder for the path. + // The image will be rendered after the test has finished. + writeSection(writer, report.Name, titleLevel+1, + fmt.Sprintf("![%s-%s](%s.png)", key, report.Name, report.ProfilesPath[key])) + } +} + // writeSection writes one section in Markdown style, content is optional. func writeSection(writer io.Writer, title string, level int, content string) { md := fmt.Sprintf("\n%s %s\n", strings.Repeat("#", level), title) diff --git a/test/benchmark/suite/report.go b/test/benchmark/suite/report.go index d0176331ee4..b9ecbea9701 100644 --- a/test/benchmark/suite/report.go +++ b/test/benchmark/suite/report.go 
@@ -13,35 +13,51 @@ import ( "context" "fmt" "io" + "os" + "path" "strconv" + "strings" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" kube "github.com/envoyproxy/gateway/internal/kubernetes" + "github.com/envoyproxy/gateway/internal/troubleshoot/collect" prom "github.com/envoyproxy/gateway/test/utils/prometheus" ) type BenchmarkReport struct { - Name string - Result []byte - Metrics map[string]float64 // metricTableHeaderName:metricValue + Name string + Result []byte + Metrics map[string]float64 // metricTableHeaderName:metricValue + ProfilesPath map[string]string // profileKey:profileFilepath + ProfilesOutputDir string kubeClient kube.CLIClient promClient *prom.Client } -func NewBenchmarkReport(name string, kubeClient kube.CLIClient, promClient *prom.Client) *BenchmarkReport { - return &BenchmarkReport{ - Name: name, - Metrics: make(map[string]float64), - kubeClient: kubeClient, - promClient: promClient, +func NewBenchmarkReport(name, profilesOutputDir string, kubeClient kube.CLIClient, promClient *prom.Client) (*BenchmarkReport, error) { + if err := createDirIfNotExist(profilesOutputDir); err != nil { + return nil, err } + + return &BenchmarkReport{ + Name: name, + Metrics: make(map[string]float64), + ProfilesPath: make(map[string]string), + ProfilesOutputDir: profilesOutputDir, + kubeClient: kubeClient, + promClient: promClient, + }, nil } func (r *BenchmarkReport) Collect(ctx context.Context, job *types.NamespacedName) error { + if err := r.GetProfiles(ctx); err != nil { + return err + } + if err := r.GetMetrics(ctx); err != nil { return err } 
@@ -109,6 +125,33 @@ func (r *BenchmarkReport) GetMetrics(ctx context.Context) error {
 return nil
 }
+func (r *BenchmarkReport) GetProfiles(ctx context.Context) error {
+ egPod, err := r.fetchEnvoyGatewayPod(ctx)
+ if err != nil {
+ return err
+ }
+
+ // Memory heap profiles.
+ heapProf, err := collect.RequestWithPortForwarder(
+ r.kubeClient, types.NamespacedName{Name: egPod.Name, Namespace: egPod.Namespace}, 19000, "/debug/pprof/heap",
+ )
+ if err != nil {
+ return err
+ }
+
+ heapProfPath := path.Join(r.ProfilesOutputDir, fmt.Sprintf("heap.%s.pprof", r.Name))
+ if err = os.WriteFile(heapProfPath, heapProf, 0o600); err != nil {
+ return fmt.Errorf("failed to write profiles %s: %w", heapProfPath, err)
+ }
+
+ // Remove parent output report dir.
+ splits := strings.SplitN(heapProfPath, "/", 2)[0]
+ heapProfPath = strings.TrimPrefix(heapProfPath, splits+"/")
+ r.ProfilesPath["heap"] = heapProfPath
+
+ return nil
+}
+
 // getLogsFromPod scrapes the logs directly from the pod (default container).
 func (r *BenchmarkReport) getLogsFromPod(ctx context.Context, pod *types.NamespacedName) ([]byte, error) {
 podLogOpts := corev1.PodLogOptions{}
@@ -129,3 +172,19 @@ func (r *BenchmarkReport) getLogsFromPod(ctx context.Context, pod *types.Namespa
 return buf.Bytes(), nil
 }
+
+func (r *BenchmarkReport) fetchEnvoyGatewayPod(ctx context.Context) (*corev1.Pod, error) {
+ egPods, err := r.kubeClient.Kube().CoreV1().
+ Pods("envoy-gateway-system").
+ List(ctx, metav1.ListOptions{LabelSelector: "control-plane=envoy-gateway"})
+ if err != nil {
+ return nil, err
+ }
+
+ if len(egPods.Items) < 1 {
+ return nil, fmt.Errorf("failed to get any pods for envoy-gateway")
+ }
+
+ // Using the first one pod as default envoy-gateway pod
+ return &egPods.Items[0], nil
+}
diff --git a/test/benchmark/suite/suite.go b/test/benchmark/suite/suite.go
index 035ac68d5a8..58bbcce4cd2 100644
--- a/test/benchmark/suite/suite.go
+++ b/test/benchmark/suite/suite.go
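Review bot: The "Remove parent output report dir" step in `GetProfiles` strips only the text before the first `/`, which is correct only when `ProfilesOutputDir` is a relative path whose first segment is the report directory. With an absolute report directory the first split element is empty, and with a nested one only the outermost segment is removed, so the link written into the report no longer resolves. Deriving it from the layout is sturdier: `rel, err := filepath.Rel(filepath.Dir(r.ProfilesOutputDir), heapProfPath)`, with `path/filepath` replacing `path` for these OS paths. `r.Name` also goes into the file name unchanged, so a benchmark name containing a path separator would make the write fail or land outside the profiles directory; rejecting separators or applying `filepath.Base` pins it. The admin port `19000` and `/debug/pprof/heap` would read better as named constants.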
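Review bot: `fetchEnvoyGatewayPod` returns `egPods.Items[0]` whatever its state, so during a rollout or with several replicas the port-forward in `GetProfiles` can be pointed at a pod that is pending or failed. Restricting the list avoids that: `metav1.ListOptions{LabelSelector: "control-plane=envoy-gateway", FieldSelector: "status.phase=Running"}`. The namespace and label selector are hard-coded; if the suite already defines them elsewhere (not visible in this hunk), reuse those. The error text would also be more useful if it named the namespace and selector that matched nothing.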
@@ -104,14 +104,8 @@ func NewBenchmarkTestSuite(client client.Client, options BenchmarkOptions,
 // Ensure the report directory exist.
 if len(reportDir) > 0 {
- if _, err = os.Stat(reportDir); err != nil {
- if os.IsNotExist(err) {
- if err = os.MkdirAll(reportDir, os.ModePerm); err != nil {
- return nil, err
- }
- } else {
- return nil, err
- }
+ if err = createDirIfNotExist(reportDir); err != nil {
+ return nil, err
 }
 }
@@ -232,7 +226,11 @@ func (b *BenchmarkTestSuite) Benchmark(t *testing.T, ctx context.Context, name,
 t.Logf("Running benchmark test: %s successfully", name)
- report := NewBenchmarkReport(name, b.kubeClient, b.promClient)
+ report, err := NewBenchmarkReport(name, path.Join(b.ReportSaveDir, "profiles"), b.kubeClient, b.promClient)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create benchmark report: %w", err)
+ }
+
 // Get all the reports from this benchmark test run.
 if err = report.Collect(ctx, jobNN); err != nil {
 return nil, err
@@ -392,3 +390,15 @@ func (b *BenchmarkTestSuite) RegisterCleanup(t *testing.T, ctx context.Context,
 t.Logf("Clean up complete!")
 })
 }
+
+func createDirIfNotExist(dir string) (err error) {
+ if _, err = os.Stat(dir); err != nil {
+ if os.IsNotExist(err) {
+ if err = os.MkdirAll(dir, os.ModePerm); err == nil {
+ return nil
+ }
+ }
+ return err
+ }
+ return nil
+}
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
index 354781bd9fd..38a3d5b977c 100644
--- a/tools/make/kube.mk
+++ b/tools/make/kube.mk
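Review bot: `createDirIfNotExist` creates the directory with `os.ModePerm` (0777 before umask), while the profile files placed inside it are written with `0o600`. A world-writable parent lets other local users remove or replace those files, so a tighter mode such as `0o755` fits the intent better. The `os.Stat` pre-check is unnecessary as well: `os.MkdirAll` already returns nil for an existing directory, and it reports an error when the path is a regular file, a case the Stat branch currently accepts silently. The whole body can become `return os.MkdirAll(dir, 0o755)`, after which the named result is not needed.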
@@ -79,6 +79,7 @@ kube-deploy-for-benchmark-test: manifests helm-generate ## Install Envoy Gateway
 helm install eg charts/gateway-helm --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) \
 --set deployment.envoyGateway.resources.limits.cpu=$(BENCHMARK_CPU_LIMITS) \
 --set deployment.envoyGateway.resources.limits.memory=$(BENCHMARK_MEMORY_LIMITS) \
+ --set config.envoyGateway.admin.enablePprof=true \
 -n envoy-gateway-system --create-namespace --debug --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs
 # Install Prometheus-server only
 helm install eg-addons charts/gateway-addons-helm --set loki.enabled=false \
@@ -169,6 +170,12 @@ run-benchmark: install-benchmark-server ## Run benchmark tests
 kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
 kubectl apply -f test/benchmark/config/gatewayclass.yaml
 go test -v -tags benchmark -timeout $(BENCHMARK_TIMEOUT) ./test/benchmark --rps=$(BENCHMARK_RPS) --connections=$(BENCHMARK_CONNECTIONS) --duration=$(BENCHMARK_DURATION) --report-save-dir=$(BENCHMARK_REPORT_DIR)
+ # render benchmark profiles into image
+ dot -V
+ @for profile in $(wildcard test/benchmark/$(BENCHMARK_REPORT_DIR)/profiles/*.pprof); do \
+ $(call log, "Rendering profile image for: $${profile}"); \
+ go tool pprof -png $${profile} > $${profile}.png; \
+ done
 .PHONY: install-benchmark-server
 install-benchmark-server: ## Install nighthawk server for benchmark test
From 5d9f58787398e0a9d26610e997e59c9b3201bd33 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 1 Aug 2024 11:29:30 -0500 Subject: [PATCH 015/523] chore: udpate release mgmt docs and upgrade test (#3979) * udpate release mgmt docs and upgrade test Signed-off-by: Guy Daich * revert test version change Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- site/content/en/news/releases/_index.md | 3 +++ 1 file changed, 3 insertions(+)
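Review bot: The render loop in `run-benchmark` takes its file list from `$(wildcard ...)`, which make expands while preparing the recipe rather than when the shell reaches the loop; as far as I can tell that happens before `go test` has written the `.pprof` files, so on a clean report directory the loop may iterate over nothing. A shell glob is evaluated at the right moment: `for profile in test/benchmark/$(BENCHMARK_REPORT_DIR)/profiles/*.pprof; do \` with `[ -e "$${profile}" ] || continue; \` as a guard for the no-match case. `$${profile}` should also be quoted on the pprof line, `go tool pprof -png "$${profile}" > "$${profile}.png"; \`, so that a benchmark name containing spaces or shell metacharacters is not split or interpreted. The first hunk enables `admin.enablePprof` for this deployment; a one-line comment that the flag is meant for the benchmark cluster only would help anyone copying the target.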
diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index cff55283750..e8282654b7f 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md @@ -36,6 +36,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | +| 2024 Q2 | Guy Daich ([guydc](https://github.com/guydc)) | ## Release Schedule @@ -49,6 +50,8 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea | 0.4.0 | 2023/04/22 | 2023/04/24 | +2 days | 2023/10/24 | | 0.5.0 | 2023/07/22 | 2023/08/02 | +10 days | 2024/01/02 | | 0.6.0 | 2023/10/22 | 2023/11/02 | +10 days | 2024/05/02 | +| 1.0.0 | 2024/03/06 | 2023/03/13 | +7 days | 2024/09/13 | +| 1.1.0 | 2024/07/16 | 2024/07/22 | +6 days | 2024/01/22 | [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html [release guide]: ../../contributions/releasing From f4c53f4899b543a6461e7bf666a9bfa3b476e6b4 Mon Sep 17 00:00:00 2001 From: Alex Volchok Date: Thu, 1 Aug 2024 19:02:52 +0200 Subject: [PATCH 016/523] feat: Support DNS resolution settings (#3974) * Support DNS resolution settings Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * regenerate Signed-off-by: Alexander Volchok * add a nil cluster settings check Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating as per code review feedback Signed-off-by: Alexander Volchok * adding tcp / udp route translations Signed-off-by: Alexander Volchok * use processXdsCluster with udp,tcp and http route types Signed-off-by: Alexander Volchok * fixing lint Signed-off-by: Alexander Volchok * fix respect dnsTTL setting Signed-off-by: Alexander Volchok --------- 
Signed-off-by: Alexander Volchok --- api/v1alpha1/backendtrafficpolicy_types.go | 4 + api/v1alpha1/dns_types.go | 18 + api/v1alpha1/zz_generated.deepcopy.go | 30 ++ ....envoyproxy.io_backendtrafficpolicies.yaml | 15 + internal/gatewayapi/backendtrafficpolicy.go | 36 ++ ...endtrafficpolicy-with-dns-settings.in.yaml | 127 ++++++ ...ndtrafficpolicy-with-dns-settings.out.yaml | 427 ++++++++++++++++++ internal/ir/xds.go | 14 + internal/ir/zz_generated.deepcopy.go | 40 ++ internal/xds/translator/cluster.go | 93 ++++ internal/xds/translator/translator.go | 63 +-- site/content/en/latest/api/extension_types.md | 16 + site/content/zh/latest/api/extension_types.md | 16 + 13 files changed, 846 insertions(+), 53 deletions(-) create mode 100644 api/v1alpha1/dns_types.go create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index f484f44b409..a8c39e9dfcc 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -110,6 +110,10 @@ type BackendTrafficPolicySpec struct { // // +optional Connection *BackendConnection `json:"connection,omitempty"` + // DNS includes dns resolution settings. + // + // +optional + DNS *DNS `json:"dns,omitempty"` } // +kubebuilder:object:root=true diff --git a/api/v1alpha1/dns_types.go b/api/v1alpha1/dns_types.go new file mode 100644 index 00000000000..62108a934a9 --- /dev/null +++ b/api/v1alpha1/dns_types.go 
@@ -0,0 +1,18 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+type DNS struct {
+ // DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ // Defaults to 30 seconds.
+ DNSRefreshRate *metav1.Duration `json:"dnsRefreshRate,omitempty"`
+ // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ // If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ // Defaults to true.
+ RespectDNSTTL *bool `json:"respectDnsTtl,omitempty"`
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 3ea39b669c6..e6c4da29aee 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -569,6 +569,11 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec)
 *out = new(BackendConnection) (*in).DeepCopyInto(*out) } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec.
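Review bot: The exported type `DNS` in `dns_types.go` has no doc comment, and neither field carries the `+optional` marker that the `DNS` field on `BackendTrafficPolicySpec` uses, although both are pointers with `omitempty`. I would add `// DNS contains the DNS resolution settings applied to upstream clusters.` above the type and `// +optional` on each field. `DNSRefreshRate` is also unvalidated: the translator change in `cluster.go` silently ignores values that are not positive, and nothing bounds a very small value that would make the proxy re-resolve almost continuously. A minimum enforced in the API, or at least documented here, would make that behaviour explicit.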
@@ -1097,6 +1102,31 @@ func (in *CustomTag) DeepCopy() *CustomTag { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNS) DeepCopyInto(out *DNS) { + *out = *in + if in.DNSRefreshRate != nil { + in, out := &in.DNSRefreshRate, &out.DNSRefreshRate + *out = new(v1.Duration) + **out = **in + } + if in.RespectDNSTTL != nil { + in, out := &in.RespectDNSTTL, &out.RespectDNSTTL + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNS. +func (in *DNS) DeepCopy() *DNS { + if in == nil { + return nil + } + out := new(DNS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EnvironmentCustomTag) DeepCopyInto(out *EnvironmentCustomTag) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 20ffe833923..2ddf8c841cc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
@@ -138,6 +138,21 @@ spec: rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") : type(self) == int' type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. + type: boolean + type: object faultInjection: description: |- FaultInjection defines the fault injection policy to be applied. This configuration can be used to diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 26d4a2a9b7c..65d4404dfb9 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -295,6 +295,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen ka *ir.TCPKeepalive rt *ir.Retry bc *ir.BackendConnection + ds *ir.DNS err, errs error ) @@ -349,6 +350,10 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } + if policy.Spec.DNS != nil { + ds = t.translateDNS(policy) + } + // Early return if got any errors if errs != nil { return errs @@ -368,6 +373,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen r.TCPKeepalive = ka r.Timeout = to r.BackendConnection = bc + r.DNS = ds } } } @@ -380,6 +386,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen r.LoadBalancer = lb r.Timeout = to r.BackendConnection = bc + r.DNS = ds } } } 
@@ -400,6 +407,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen BackendConnection: bc, } + r.DNS = ds // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) @@ -432,6 +440,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back ct *ir.Timeout ka *ir.TCPKeepalive rt *ir.Retry + ds *ir.DNS err, errs error ) @@ -479,6 +488,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } } + if policy.Spec.DNS != nil { + ds = t.translateDNS(policy) + } + // Early return if got any errors if errs != nil { return errs @@ -516,6 +529,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if r.Timeout == nil { r.Timeout = ct } + + if r.DNS == nil { + r.DNS = ds + } } } @@ -540,6 +557,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if route.Timeout == nil { route.Timeout = ct } + + if route.DNS == nil { + route.DNS = ds + } } for _, http := range x.HTTP { @@ -568,6 +589,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back Retry: rt, } + if r.DNS == nil { + r.DNS = ds + } + // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) 
@@ -847,6 +872,17 @@ func (t *Translator) buildConsistentHashLoadBalancer(policy *egv1a1.BackendTraff
 return consistentHash, nil
 }
+func (t *Translator) translateDNS(policy *egv1a1.BackendTrafficPolicy) *ir.DNS {
+ ds := &ir.DNS{}
+ if policy.Spec.DNS.RespectDNSTTL != nil {
+ ds.RespectDNSTTL = policy.Spec.DNS.RespectDNSTTL
+ }
+ if policy.Spec.DNS.DNSRefreshRate != nil {
+ ds.DNSRefreshRate = policy.Spec.DNS.DNSRefreshRate
+ }
+ return ds
+}
+
 func (t *Translator) buildProxyProtocol(policy *egv1a1.BackendTrafficPolicy) *ir.ProxyProtocol {
 var pp *ir.ProxyProtocol
 switch policy.Spec.ProxyProtocol.Version {
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.in.yaml
new file mode 100644
index 00000000000..f1d48c4d31d
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.in.yaml
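Review bot: Both nil checks in `translateDNS` change nothing, because assigning a nil pointer leaves the field nil anyway; the body can be `return &ir.DNS{RespectDNSTTL: policy.Spec.DNS.RespectDNSTTL, DNSRefreshRate: policy.Spec.DNS.DNSRefreshRate}`. Either form makes the IR share its pointers with the policy object instead of holding copies, which is worth a comment or a copy if the IR is expected to be independent of its inputs. The function dereferences `policy.Spec.DNS` unconditionally and relies on the callers' `policy.Spec.DNS != nil` check, so a doc comment such as `// translateDNS converts policy.Spec.DNS, which must be non-nil, into its IR form.` would record that precondition.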
@@ -0,0 +1,127 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/v2" + backendRefs: + - name: service-2 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-3 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/v3" + backendRefs: + - name: service-3 + port: 8080 +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + dns: + dnsRefreshRate: "1s" + respectDnsTtl: true +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + 
name: policy-for-route-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-2 + dns: + dnsRefreshRate: "5s" + respectDnsTtl: false +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: policy-for-all-routes-in-gateway-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + dns: + dnsRefreshRate: "10s" + respectDnsTtl: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml new file mode 100644 index 00000000000..89d9902328f --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml 
@@ -0,0 +1,427 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route-1 + namespace: default + spec: + dns: + dnsRefreshRate: 1s + respectDnsTtl: true + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route-2 + namespace: default + spec: + dns: + dnsRefreshRate: 5s + respectDnsTtl: false + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-2 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-all-routes-in-gateway-1 + namespace: envoy-gateway + spec: + dns: + dnsRefreshRate: 10s + respectDnsTtl: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /v2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-3 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /v3 + status: + parents: + - conditions: + - 
lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 + envoy-gateway/gateway-2: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-2/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-2 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + dns: + dnsRefreshRate: 10s + respectDnsTtl: true + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /v3 + traffic: {} + 
envoy-gateway/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + dns: + dnsRefreshRate: 5s + respectDnsTtl: false + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /v2 + traffic: {} + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + dns: + dnsRefreshRate: 1s + respectDnsTtl: true + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + traffic: {} diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 3d300f1a539..f4f059a2af6 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -563,6 +563,17 @@ type HTTPRoute struct {
 UseClientProtocol *bool `json:"useClientProtocol,omitempty" yaml:"useClientProtocol,omitempty"`
 // Metadata is used to enrich envoy route metadata with user and provider-specific information
 Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+ // DNS is used to configure how DNS resolution is handled for the route
+ DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
+}
+
+// DNS contains configuration options for DNS resolution.
+// +k8s:deepcopy-gen=true
+type DNS struct {
+ // DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ DNSRefreshRate *metav1.Duration `json:"dnsRefreshRate,omitempty"`
+ // RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ RespectDNSTTL *bool `json:"respectDnsTtl,omitempty"`
 }
 // TrafficFeatures holds the information associated with the Backend Traffic Policy.
@@ -1386,6 +1397,8 @@ type TCPRoute struct {
 ProxyProtocol *ProxyProtocol `json:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty"`
 // settings of upstream connection
 BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
+ // DNS is used to configure how DNS resolution is handled for the route
+ DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 // TLS holds information for configuring TLS on a listener
@@ -1496,6 +1509,7 @@ type UDPRoute struct {
 Timeout *Timeout `json:"timeout,omitempty" yaml:"timeout,omitempty"`
 // settings of upstream connection
 BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
+ DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 // Validate the fields within the UDPListener structure
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index 273eeb1c3ca..e0a7b45571a 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
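Review bot: The two fields of the new `ir.DNS` struct carry only `json` tags, while the `DNS` fields added to `HTTPRoute`, `TCPRoute` and `UDPRoute` in these hunks, like their neighbours, carry both `json` and `yaml`. For consistency add `yaml:"dnsRefreshRate,omitempty"` and `yaml:"respectDnsTtl,omitempty"`. In the third hunk `UDPRoute.DNS` is also the only one of the three new fields without the `// DNS is used to configure how DNS resolution is handled for the route` comment.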
@@ -562,6 +562,31 @@ func (in *CoreListenerDetails) DeepCopy() *CoreListenerDetails { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DNS) DeepCopyInto(out *DNS) { + *out = *in + if in.DNSRefreshRate != nil { + in, out := &in.DNSRefreshRate, &out.DNSRefreshRate + *out = new(v1.Duration) + **out = **in + } + if in.RespectDNSTTL != nil { + in, out := &in.RespectDNSTTL, &out.RespectDNSTTL + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNS. +func (in *DNS) DeepCopy() *DNS { + if in == nil { + return nil + } + out := new(DNS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DestinationEndpoint) DeepCopyInto(out *DestinationEndpoint) { *out = *in @@ -1318,6 +1343,11 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { *out = new(ResourceMetadata) (*in).DeepCopyInto(*out) } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute. @@ -2524,6 +2554,11 @@ func (in *TCPRoute) DeepCopyInto(out *TCPRoute) { *out = new(BackendConnection) (*in).DeepCopyInto(*out) } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRoute. @@ -2914,6 +2949,11 @@ func (in *UDPRoute) DeepCopyInto(out *UDPRoute) { *out = new(BackendConnection) (*in).DeepCopyInto(*out) } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPRoute. 
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index e646f410944..9a7819a597f 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -52,6 +52,7 @@ type xdsClusterArgs struct {
 tcpkeepalive *ir.TCPKeepalive
 metrics *ir.Metrics
 backendConnection *ir.BackendConnection
+ dns *ir.DNS
 useClientProtocol bool
 }
@@ -144,6 +145,16 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
 cluster.ClusterDiscoveryType = &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STRICT_DNS}
 cluster.DnsRefreshRate = durationpb.New(30 * time.Second)
 cluster.RespectDnsTtl = true
+ if args.dns != nil {
+ if args.dns.DNSRefreshRate != nil {
+ if args.dns.DNSRefreshRate.Duration > 0 {
+ cluster.DnsRefreshRate = durationpb.New(args.dns.DNSRefreshRate.Duration)
+ }
+ }
+ if args.dns.RespectDNSTTL != nil {
+ cluster.RespectDnsTtl = ptr.Deref(args.dns.RespectDNSTTL, true)
+ }
+ }
 }
 // build common, HTTP/1 and HTTP/2 protocol options for cluster
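Review bot: The DNS override added to `buildXdsCluster` is nested more deeply than it needs to be, and `ptr.Deref(args.dns.RespectDNSTTL, true)` sits inside a check that has already proved the pointer non-nil. It reads more directly as `if d := args.dns.DNSRefreshRate; d != nil && d.Duration > 0 {` for the refresh rate and a bare `cluster.RespectDnsTtl = ptr.Deref(args.dns.RespectDNSTTL, true)` for the TTL flag. A zero or negative `dnsRefreshRate` falls back to the 30s default without any signal to the user, so a comment saying that is intended (or rejecting the value during policy translation) would make the behaviour visible. The enclosing function starts and ends outside the hunk.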
@@ -649,3 +660,85 @@ func buildBackandConnectionBufferLimitBytes(bc *ir.BackendConnection) *wrappers. return wrapperspb.UInt32(tcpClusterPerConnectionBufferLimitBytes) } + +type ExtraArgs struct { + metrics *ir.Metrics + http1Settings *ir.HTTP1Settings +} + +type clusterArgs interface { + asClusterArgs(extras *ExtraArgs) *xdsClusterArgs +} + +type UDPRouteTranslator struct { + *ir.UDPRoute +} + +func (route *UDPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs { + return &xdsClusterArgs{ + name: route.Destination.Name, + settings: route.Destination.Settings, + loadBalancer: route.LoadBalancer, + timeout: route.Timeout, + tSocket: nil, + endpointType: buildEndpointType(route.Destination.Settings), + metrics: extra.metrics, + backendConnection: route.BackendConnection, + dns: route.DNS, + } +} + +type TCPRouteTranslator struct { + *ir.TCPRoute +} + +func (route *TCPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs { + return &xdsClusterArgs{ + name: route.Destination.Name, + settings: route.Destination.Settings, + loadBalancer: route.LoadBalancer, + proxyProtocol: route.ProxyProtocol, + circuitBreaker: route.CircuitBreaker, + tcpkeepalive: route.TCPKeepalive, + healthCheck: route.HealthCheck, + timeout: route.Timeout, + endpointType: buildEndpointType(route.Destination.Settings), + metrics: extra.metrics, + backendConnection: route.BackendConnection, + dns: route.DNS, + } +} + +type HTTPRouteTranslator struct { + *ir.HTTPRoute +} + +func (httpRoute *HTTPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs { + clusterArgs := &xdsClusterArgs{ + name: httpRoute.Destination.Name, + settings: httpRoute.Destination.Settings, + tSocket: nil, + endpointType: buildEndpointType(httpRoute.Destination.Settings), + metrics: extra.metrics, + http1Settings: extra.http1Settings, + useClientProtocol: ptr.Deref(httpRoute.UseClientProtocol, false), + } + + // Populate traffic features. 
+ bt := httpRoute.Traffic + if bt != nil { + clusterArgs.loadBalancer = bt.LoadBalancer + clusterArgs.proxyProtocol = bt.ProxyProtocol + clusterArgs.circuitBreaker = bt.CircuitBreaker + clusterArgs.healthCheck = bt.HealthCheck + clusterArgs.timeout = bt.Timeout + clusterArgs.tcpkeepalive = bt.TCPKeepalive + clusterArgs.backendConnection = bt.BackendConnection + } + + if httpRoute.DNS != nil { + clusterArgs.dns = httpRoute.DNS + } + + return clusterArgs +} diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index a58903e88ad..861e36ca8f1 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -24,7 +24,6 @@ import ( "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" - "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" extensionTypes "github.com/envoyproxy/gateway/internal/extension/types" @@ -453,9 +452,11 @@ func (t *Translator) addRouteToRouteConfig( if httpRoute.Destination != nil { if err = processXdsCluster( tCtx, - httpRoute, - httpListener.HTTP1, - metrics, + &HTTPRouteTranslator{httpRoute}, + &ExtraArgs{ + metrics: metrics, + http1Settings: httpListener.HTTP1, + }, ); err != nil { errs = errors.Join(errs, err) } 
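Review bot: The three `asClusterArgs` methods read `extra.metrics` (and `extra.http1Settings`) without a nil check, so a nil `*ExtraArgs` panics inside the translator. The callers visible in this patch always pass `&ExtraArgs{...}`, but `ExtraArgs` and the three `*RouteTranslator` types are exported with no doc comments. Either unexport them or state the contract, e.g. `// ExtraArgs carries listener-level settings for asClusterArgs; callers must pass a non-nil value.` In `HTTPRouteTranslator.asClusterArgs` the local `clusterArgs := &xdsClusterArgs{...}` shadows the new `clusterArgs` interface type declared just above; renaming the local (for example `args`) avoids that. The `if httpRoute.DNS != nil` guard there is also redundant, since `clusterArgs.dns = httpRoute.DNS` is equivalent.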
@@ -573,19 +574,7 @@ func (t *Translator) processTCPListenerXdsTranslation( patchProxyProtocolFilter(xdsListener, tcpListener.EnableProxyProtocol) for _, route := range tcpListener.Routes { - if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: route.Destination.Name, - settings: route.Destination.Settings, - loadBalancer: route.LoadBalancer, - proxyProtocol: route.ProxyProtocol, - circuitBreaker: route.CircuitBreaker, - tcpkeepalive: route.TCPKeepalive, - healthCheck: route.HealthCheck, - timeout: route.Timeout, - endpointType: buildEndpointType(route.Destination.Settings), - metrics: metrics, - backendConnection: route.BackendConnection, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { + if err := processXdsCluster(tCtx, &TCPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil && !errors.Is(err, ErrXdsClusterExists) { errs = errors.Join(errs, err) } if route.TLS != nil && route.TLS.Terminate != nil { @@ -647,16 +636,7 @@ func processUDPListenerXdsTranslation( } // 1:1 between IR UDPRoute and xDS Cluster - if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: route.Destination.Name, - settings: route.Destination.Settings, - loadBalancer: route.LoadBalancer, - timeout: route.Timeout, - tSocket: nil, - endpointType: buildEndpointType(route.Destination.Settings), - metrics: metrics, - backendConnection: route.BackendConnection, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { + if err := processXdsCluster(tCtx, &UDPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil && !errors.Is(err, ErrXdsClusterExists) { errs = errors.Join(errs, err) } } 
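Review bot: The `!errors.Is(err, ErrXdsClusterExists)` test in the TCP route loop is now dead, because the rewritten `processXdsCluster` later in this file already returns nil for that error; the same holds for the UDP call in the next hunk. Both can become `if err := processXdsCluster(tCtx, &TCPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil {` (and the UDP equivalent), matching the HTTP call site. The helper's doc comment should state this behaviour, e.g. `// processXdsCluster adds the xDS cluster built from route; an already existing cluster (ErrXdsClusterExists) is not reported as an error.` Both enclosing functions start and end outside these hunks.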
@@ -748,34 +728,11 @@ func findXdsEndpoint(tCtx *types.ResourceVersionTable, name string) *endpointv3. return nil } -// processXdsCluster processes a xds cluster by its endpoint address type. -func processXdsCluster(tCtx *types.ResourceVersionTable, httpRoute *ir.HTTPRoute, http1Settings *ir.HTTP1Settings, metrics *ir.Metrics) error { - clusterArgs := &xdsClusterArgs{ - name: httpRoute.Destination.Name, - settings: httpRoute.Destination.Settings, - tSocket: nil, - endpointType: buildEndpointType(httpRoute.Destination.Settings), - http1Settings: http1Settings, - metrics: metrics, - useClientProtocol: ptr.Deref(httpRoute.UseClientProtocol, false), - } - - // Populate traffic features. - bt := httpRoute.Traffic - if bt != nil { - clusterArgs.loadBalancer = bt.LoadBalancer - clusterArgs.proxyProtocol = bt.ProxyProtocol - clusterArgs.circuitBreaker = bt.CircuitBreaker - clusterArgs.healthCheck = bt.HealthCheck - clusterArgs.timeout = bt.Timeout - clusterArgs.tcpkeepalive = bt.TCPKeepalive - clusterArgs.backendConnection = bt.BackendConnection - } - - if err := addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) { +// processXdsCluster processes xds cluster with args per route. +func processXdsCluster(tCtx *types.ResourceVersionTable, route clusterArgs, extras *ExtraArgs) error { + if err := addXdsCluster(tCtx, route.asClusterArgs(extras)); err != nil && !errors.Is(err, ErrXdsClusterExists) { return err } - return nil } diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 9a2cd961a63..b0e85833110 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -460,6 +460,7 @@ _Appears in:_ | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | #### BasicAuth @@ -845,6 +846,21 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | + + #### EnvironmentCustomTag diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 9a2cd961a63..b0e85833110 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -460,6 +460,7 @@ _Appears in:_ | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | #### BasicAuth @@ -845,6 +846,21 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | + + #### EnvironmentCustomTag From a43cc6c96ac147ce58db9714283e77d237c3d1e3 Mon Sep 17 00:00:00 2001 From: Dingkang Li Date: Fri, 2 Aug 2024 21:29:57 +0800 Subject: [PATCH 017/523] feat(translator): Set statPrefix for HCM and TCPProxy (#3728) * Set statPrefix for hcm and tcpproxy Signed-off-by: Dingkang Li * Add port as suffix of statPrefix Signed-off-by: Dingkang Li * Undo irrelevant change Signed-off-by: Dingkang Li * add tls prefix on passthrough and terminate statPrefix Signed-off-by: Dingkang Li * regenerate testdata Signed-off-by: Dingkang Li * regenerate testdata Signed-off-by: Dingkang Li * set right prefix in connection limit e2e case Signed-off-by: Dingkang Li --------- 
Signed-off-by: Dingkang Li Co-authored-by: zirain Co-authored-by: Guy Daich --- .../translate/out/default-resources.all.yaml | 8 ++++---- .../translate/out/from-gateway-api-to-xds.all.json | 8 ++++---- .../translate/out/from-gateway-api-to-xds.all.yaml | 8 ++++---- .../out/from-gateway-api-to-xds.listener.yaml | 8 ++++---- .../jwt-single-route-single-match-to-xds.all.json | 2 +- .../jwt-single-route-single-match-to-xds.all.yaml | 2 +- ...wt-single-route-single-match-to-xds.listener.yaml | 2 +- .../translate/out/no-service-cluster-ip.all.yaml | 2 +- internal/xds/translator/listener.go | 12 ++++++++++-- .../extensionpolicy-tcp-udp-http.listeners.yaml | 2 +- .../http-route-extension-filter.listeners.yaml | 2 +- .../out/extension-xds-ir/http-route.listeners.yaml | 2 +- .../extension-xds-ir/listener-policy.listeners.yaml | 2 +- .../testdata/out/xds-ir/accesslog-cel.listeners.yaml | 2 +- .../xds-ir/accesslog-endpoint-stats.listeners.yaml | 2 +- .../out/xds-ir/accesslog-formatters.listeners.yaml | 2 +- .../out/xds-ir/accesslog-multi-cel.listeners.yaml | 2 +- .../xds-ir/accesslog-without-format.listeners.yaml | 2 +- .../testdata/out/xds-ir/accesslog.listeners.yaml | 2 +- .../testdata/out/xds-ir/authorization.listeners.yaml | 2 +- .../out/xds-ir/backend-buffer-limit.listeners.yaml | 4 ++-- .../testdata/out/xds-ir/basic-auth.listeners.yaml | 2 +- .../out/xds-ir/circuit-breaker.listeners.yaml | 2 +- .../out/xds-ir/client-buffer-limit.listeners.yaml | 4 ++-- .../out/xds-ir/client-ip-detection.listeners.yaml | 6 +++--- .../out/xds-ir/client-timeout.listeners.yaml | 4 ++-- .../testdata/out/xds-ir/cors.listeners.yaml | 2 +- .../out/xds-ir/custom-filter-order.listeners.yaml | 2 +- .../testdata/out/xds-ir/ext-auth.listeners.yaml | 2 +- .../testdata/out/xds-ir/ext-proc.listeners.yaml | 2 +- .../out/xds-ir/fault-injection.listeners.yaml | 2 +- ...headers-with-preserve-x-request-id.listeners.yaml | 4 ++-- .../headers-with-underscores-action.listeners.yaml | 8 ++++---- 
.../testdata/out/xds-ir/health-check.listeners.yaml | 2 +- .../out/xds-ir/http-endpoint-stats.listeners.yaml | 2 +- .../out/xds-ir/http-health-check.listeners.yaml | 2 +- .../http-preserve-client-protocol.listeners.yaml | 2 +- .../xds-ir/http-route-direct-response.listeners.yaml | 2 +- .../out/xds-ir/http-route-dns-cluster.listeners.yaml | 2 +- .../out/xds-ir/http-route-mirror.listeners.yaml | 2 +- .../http-route-multiple-matches.listeners.yaml | 2 +- .../http-route-multiple-mirrors.listeners.yaml | 2 +- .../xds-ir/http-route-partial-invalid.listeners.yaml | 2 +- .../out/xds-ir/http-route-redirect.listeners.yaml | 2 +- .../out/xds-ir/http-route-regex.listeners.yaml | 2 +- .../xds-ir/http-route-request-headers.listeners.yaml | 2 +- .../http-route-response-add-headers.listeners.yaml | 2 +- ...-route-response-add-remove-headers.listeners.yaml | 2 +- ...http-route-response-remove-headers.listeners.yaml | 2 +- ...route-rewrite-root-path-url-prefix.listeners.yaml | 2 +- .../http-route-rewrite-url-fullpath.listeners.yaml | 2 +- .../http-route-rewrite-url-host.listeners.yaml | 2 +- .../http-route-rewrite-url-prefix.listeners.yaml | 2 +- .../out/xds-ir/http-route-timeout.listeners.yaml | 2 +- ...http-route-weighted-backend-uds-ip.listeners.yaml | 2 +- ...oute-weighted-backend-with-filters.listeners.yaml | 2 +- .../http-route-weighted-backend.listeners.yaml | 2 +- ...ttp-route-weighted-invalid-backend.listeners.yaml | 2 +- .../xds-ir/http-route-with-clientcert.listeners.yaml | 2 +- .../xds-ir/http-route-with-metadata.listeners.yaml | 2 +- ...p-route-with-tls-system-truststore.listeners.yaml | 2 +- ...oute-with-tlsbundle-multiple-certs.listeners.yaml | 4 ++-- .../xds-ir/http-route-with-tlsbundle.listeners.yaml | 2 +- .../testdata/out/xds-ir/http-route.listeners.yaml | 2 +- .../out/xds-ir/http1-preserve-case.listeners.yaml | 4 ++-- .../out/xds-ir/http1-trailers.listeners.yaml | 2 +- .../testdata/out/xds-ir/http10.listeners.yaml | 2 +- 
.../testdata/out/xds-ir/http2-route.listeners.yaml | 2 +- .../testdata/out/xds-ir/http2.listeners.yaml | 2 +- .../testdata/out/xds-ir/http3.listeners.yaml | 4 ++-- .../xds-ir/jsonpatch-missing-resource.listeners.yaml | 2 +- .../testdata/out/xds-ir/jsonpatch.listeners.yaml | 2 +- .../out/xds-ir/jwt-custom-extractor.listeners.yaml | 2 +- .../jwt-multi-route-multi-provider.listeners.yaml | 2 +- .../jwt-multi-route-single-provider.listeners.yaml | 2 +- .../testdata/out/xds-ir/jwt-optional.listeners.yaml | 2 +- .../testdata/out/xds-ir/jwt-ratelimit.listeners.yaml | 2 +- .../jwt-single-route-single-match.listeners.yaml | 2 +- .../xds-ir/listener-connection-limit.listeners.yaml | 6 +++--- .../xds-ir/listener-proxy-protocol.listeners.yaml | 4 ++-- .../out/xds-ir/listener-tcp-keepalive.listeners.yaml | 4 ++-- .../testdata/out/xds-ir/load-balancer.listeners.yaml | 2 +- .../out/xds-ir/local-ratelimit.listeners.yaml | 2 +- .../out/xds-ir/metrics-virtual-host.listeners.yaml | 2 +- .../out/xds-ir/mixed-tls-jwt-authn.listeners.yaml | 2 +- ...s-same-port-with-different-filters.listeners.yaml | 4 ++-- .../multiple-listeners-same-port.listeners.yaml | 10 +++++----- ...ultiple-simple-tcp-route-same-port.listeners.yaml | 10 +++++----- ...lient-certificate-with-custom-data.listeners.yaml | 10 +++++----- ...ual-tls-forward-client-certificate.listeners.yaml | 10 +++++----- ...quired-client-certificate-disabled.listeners.yaml | 4 ++-- .../testdata/out/xds-ir/mutual-tls.listeners.yaml | 4 ++-- .../testdata/out/xds-ir/oidc.listeners.yaml | 2 +- .../testdata/out/xds-ir/path-settings.listeners.yaml | 2 +- .../xds-ir/proxy-protocol-upstream.listeners.yaml | 2 +- .../xds-ir/ratelimit-custom-domain.listeners.yaml | 2 +- .../xds-ir/ratelimit-disable-headers.listeners.yaml | 2 +- .../xds-ir/ratelimit-endpoint-stats.listeners.yaml | 2 +- .../out/xds-ir/ratelimit-sourceip.listeners.yaml | 2 +- .../testdata/out/xds-ir/ratelimit.listeners.yaml | 2 +- .../out/xds-ir/retry-partial-invalid.listeners.yaml 
| 2 +- .../testdata/out/xds-ir/simple-tls.listeners.yaml | 2 +- .../out/xds-ir/suppress-envoy-headers.listeners.yaml | 2 +- .../out/xds-ir/tcp-route-complex.listeners.yaml | 2 +- .../out/xds-ir/tcp-route-simple.listeners.yaml | 2 +- .../xds-ir/tcp-route-tls-terminate.listeners.yaml | 4 ++-- .../xds-ir/tcp-route-weighted-backend.listeners.yaml | 2 +- .../testdata/out/xds-ir/timeout.listeners.yaml | 2 +- .../out/xds-ir/tls-route-passthrough.listeners.yaml | 4 ++-- .../tls-with-ciphers-versions-alpn.listeners.yaml | 4 ++-- .../out/xds-ir/tracing-endpoint-stats.listeners.yaml | 2 +- .../out/xds-ir/tracing-zipkin.listeners.yaml | 2 +- .../testdata/out/xds-ir/tracing.listeners.yaml | 2 +- .../out/xds-ir/upstream-tcpkeepalive.listeners.yaml | 2 +- .../testdata/out/xds-ir/wasm.listeners.yaml | 2 +- test/e2e/tests/connection_limit.go | 2 +- 116 files changed, 175 insertions(+), 167 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 86df2f9de4c..d1872e3f56e 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -918,7 +918,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: default/eg/http drainType: MODIFY_ONLY @@ -986,7 +986,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/grpc serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc drainType: MODIFY_ONLY 
@@ -1028,7 +1028,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp + statPrefix: tcp-1234 name: tcproute/default/backend name: default/eg/tcp perConnectionBufferLimitBytes: 32768 
@@ -1071,7 +1071,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough + statPrefix: tls-passthrough-8443 name: tlsroute/default/backend listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 14d29a32be2..56952759bce 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -681,7 +681,7 @@ "routeConfigName": "default/eg/http" }, "serverHeaderTransformation": "PASS_THROUGH", - "statPrefix": "http", + "statPrefix": "http-10080", "useRemoteAddress": true } } 
@@ -787,7 +787,7 @@ "routeConfigName": "default/eg/grpc" }, "serverHeaderTransformation": "PASS_THROUGH", - "statPrefix": "http", + "statPrefix": "http-8080", "useRemoteAddress": true } } @@ -854,7 +854,7 @@ } ], "cluster": "tcproute/default/backend/rule/-1", - "statPrefix": "tcp" + "statPrefix": "tcp-1234" } } ], @@ -925,7 +925,7 @@ } ], "cluster": "tlsroute/default/backend/rule/-1", - "statPrefix": "passthrough" + "statPrefix": "tls-passthrough-8443" } } ], diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index a8fb322e28b..6f0229789e0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -399,7 +399,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: default/eg/http drainType: MODIFY_ONLY @@ -467,7 +467,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/grpc serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc drainType: MODIFY_ONLY 
@@ -509,7 +509,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp + statPrefix: tcp-1234 name: tcproute/default/backend name: default/eg/tcp perConnectionBufferLimitBytes: 32768 
@@ -552,7 +552,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough + statPrefix: tls-passthrough-8443 name: tlsroute/default/backend listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index c151e22c7cc..5a0c626162a 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -56,7 +56,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: default/eg/http drainType: MODIFY_ONLY 
@@ -124,7 +124,7 @@ xds: resourceApiVersion: V3 routeConfigName: default/eg/grpc serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc drainType: MODIFY_ONLY @@ -166,7 +166,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tcproute/default/backend/rule/-1 - statPrefix: tcp + statPrefix: tcp-1234 name: tcproute/default/backend name: default/eg/tcp perConnectionBufferLimitBytes: 32768 
@@ -209,7 +209,7 @@ xds: {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} path: /dev/stdout cluster: tlsroute/default/backend/rule/-1 - statPrefix: passthrough + statPrefix: tls-passthrough-8443 name: tlsroute/default/backend listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 3d786413e60..f58e4d6932f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -537,7 +537,7 @@ "routeConfigName": "envoy-gateway-system/eg/http" }, "serverHeaderTransformation": "PASS_THROUGH", - "statPrefix": "http", + "statPrefix": "http-10080", "useRemoteAddress": true } } 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 9f54fcc5d1b..121d5b6e16e 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -317,7 +317,7 @@ xds: resourceApiVersion: V3 routeConfigName: envoy-gateway-system/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http drainType: MODIFY_ONLY diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 3d2efd91270..692be7fec9e 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -73,7 +73,7 @@ xds: resourceApiVersion: V3 routeConfigName: envoy-gateway-system/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http drainType: MODIFY_ONLY diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 73ea76b01e6..854b6b3388b 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -262,7 +262,7 @@ xds: resourceApiVersion: V3 routeConfigName: envoy-gateway-system/eg/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http drainType: MODIFY_ONLY 
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index ee1f5c7d133..c3dc05ebceb 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -7,6 +7,8 @@ package translator import ( "errors" + "strconv" + "strings" xdscore "github.com/cncf/xds/go/xds/core/v3" matcher "github.com/cncf/xds/go/xds/type/matcher/v3" @@ -226,6 +228,9 @@ func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irLis statPrefix = "http" } + // Append port to the statPrefix. + statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(irListener.Port))}, "-") + // Client IP detection useRemoteAddress := true originalIPDetectionExtensions := originalIPDetectionExtensions(irListener.ClientIPDetection) @@ -403,13 +408,16 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute isTLSTerminate := irRoute.TLS != nil && irRoute.TLS.Terminate != nil statPrefix := "tcp" if isTLSPassthrough { - statPrefix = "passthrough" + statPrefix = "tls-passthrough" } if isTLSTerminate { - statPrefix = "terminate" + statPrefix = "tls-terminate" } + // Append port to the statPrefix. + statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-") + mgr := &tcpv3.TcpProxy{ AccessLog: buildXdsAccessLog(accesslog, false), StatPrefix: statPrefix, diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml index 3d5d41d69ff..cbb8238986c 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml 
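Review bot: The two new suffixes take the port from different sources: `addHCMToXDSListener` uses `irListener.Port`, while `addXdsTCPFilterChain` reads `xdsListener.Address.GetSocketAddress().GetPortValue()`, whose nil-safe getters should yield 0 when the address is not a socket address, silently giving a prefix such as `tcp-0`. Passing the IR listener port into `addXdsTCPFilterChain`, or commenting why the xDS address is used there, would keep the two in step. The change also renames every listener stat (`statPrefix: http` becomes `statPrefix: http-10080` in the regenerated testdata), so dashboards and alert rules keyed on the old prefixes stop matching; the diffstat lists no release-note or documentation entry for that. `statPrefix + "-" + strconv.Itoa(int(irListener.Port))` would be simpler than `strings.Join` over a two-element slice and would make the new `strings` import unnecessary. Both functions continue outside the hunks.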
@@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http1 serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http1 drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml index 2f7f43464c0..e40dcfab7e4 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: extension-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: extension-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml index 759e1ffb857..17ca0e60e44 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml 
@@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: policyextension-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10081 useRemoteAddress: true name: policyextension-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml index 2ccfca8ce50..cb390f213f1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml @@ -176,7 +176,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml index 8e582b05b7e..04b183a2885 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml @@ -137,7 +137,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml index 4bc751c2eca..2ebf9f68a48 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml 
@@ -221,7 +221,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml index 0bca441a443..972bd4682b9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml @@ -212,7 +212,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index 4eec559618e..d715eeac8c8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -169,7 +169,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index 16609de576c..748055a4755 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml 
@@ -169,7 +169,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml index 0fa87744bf1..40b9a52ec49 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml @@ -30,7 +30,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml index a7a16c3b3e9..df10f0a95c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY @@ -44,7 +44,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tcp-route-dest - statPrefix: tcp + statPrefix: tcp-10081 name: tcp-route-dest name: second-listener perConnectionBufferLimitBytes: 1500 diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml index 4127a7acbf3..2e7dbd6cd55 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml @@ -33,7 +33,7 @@ resourceApiVersion: V3 routeConfigName: default/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml index 095074165f3..1ea06ebb07e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY @@ -44,7 +44,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tcp-route-dest - statPrefix: tcp + statPrefix: tcp-10081 name: tcp-route-dest name: second-listener perConnectionBufferLimitBytes: 1500 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml index 21f93d68a49..47b25f2a79f 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml @@ -25,7 +25,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8081 useRemoteAddress: true xffNumTrustedHops: 2 name: first-listener @@ -65,7 +65,7 @@ resourceApiVersion: V3 routeConfigName: second-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8082 useRemoteAddress: false name: second-listener drainType: MODIFY_ONLY @@ -106,7 +106,7 @@ resourceApiVersion: V3 routeConfigName: third-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8083 useRemoteAddress: false name: third-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml index 2d1a3e61e38..3e4fa111bcc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml @@ -29,7 +29,7 @@ routeConfigName: first-listener requestTimeout: 5s serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY @@ -47,7 +47,7 @@ '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: second-route-dest idleTimeout: 1200s - statPrefix: tcp + statPrefix: tcp-10081 name: second-route name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml index e8299cdce42..baac8ead6b3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml @@ -30,7 +30,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 5f54802ba05..ffaab04f70e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -118,7 +118,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml index c8b861fe1a7..f387ff8da8e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml @@ -62,7 +62,7 @@ resourceApiVersion: V3 routeConfigName: default/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml index 8e85e79cf9e..9f76729fd78 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml 
@@ -91,7 +91,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml index e74a1df4287..0ea771b2bd1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml @@ -30,7 +30,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml index c6a46e0f9c1..1ad2086d20b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml @@ -26,7 +26,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8081 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY @@ -59,7 +59,7 @@ resourceApiVersion: V3 routeConfigName: second-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8082 useRemoteAddress: true name: second-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml index 2a31352ab37..a0b19ef7b8b 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml @@ -25,7 +25,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8081 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY @@ -57,7 +57,7 @@ resourceApiVersion: V3 routeConfigName: second-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8082 useRemoteAddress: true name: second-listener drainType: MODIFY_ONLY @@ -90,7 +90,7 @@ resourceApiVersion: V3 routeConfigName: third-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8083 useRemoteAddress: true name: third-listener drainType: MODIFY_ONLY @@ -123,7 +123,7 @@ resourceApiVersion: V3 routeConfigName: fourth-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-8084 useRemoteAddress: true name: fourth-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml index 7400b59665a..fe7d2da356b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: listener-enable-endpoint-stats serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: listener-enable-endpoint-stats drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml index 048ff7cd4a5..f11b0c1c300 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml @@ -35,7 +35,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml index c5665623154..a1964fb2306 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml 
@@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml 
@@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml 
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml
index ff5431da747..0f567a3db50 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-btls/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: envoy-gateway/gateway-btls/http
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml
index ff5431da747..0f567a3db50 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-btls/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: envoy-gateway/gateway-btls/http
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml
index b227eccb031..d887b321dc5 100755
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-btls/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: envoy-gateway/gateway-btls/http
 drainType: MODIFY_ONLY
@@ -62,7 +62,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-btls-2/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10081
 useRemoteAddress: true
 name: envoy-gateway/gateway-btls-2/http
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml
index ff5431da747..0f567a3db50 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-btls/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: envoy-gateway/gateway-btls/http
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml
index 60f8750a290..b3fa2acefdb 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml
@@ -33,7 +33,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
@@ -75,7 +75,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10081
 useRemoteAddress: true
 name: second-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml
index d6cb3b5d2c6..f6b29f1548e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml
@@ -29,7 +29,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml
index 5eded6a4653..8affd1661ba 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml
@@ -30,7 +30,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml
index f7ab1ba34a0..3780fc90f94 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml
@@ -35,7 +35,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml
index 1d2cc2574ae..6c4250c78db 100755
--- a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
index fdfdb3bbdf5..c1961247566 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
@@ -31,7 +31,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-1/tls
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10443
 useRemoteAddress: true
 name: envoy-gateway/gateway-1/tls
 transportSocket:
@@ -81,7 +81,7 @@
 resourceApiVersion: V3
 routeConfigName: envoy-gateway/gateway-1/tls
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10443
 useRemoteAddress: true
 name: envoy-gateway/gateway-1/tls
 transportSocket:
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml
index dbc5b4b25a2..08b5d410df5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml
@@ -40,7 +40,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
 useRemoteAddress: true
 name: first-listener
 transportSocket:
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml
index 1f89b694bb6..e251ecac040 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml
@@ -55,7 +55,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
index 5803c41968c..bd76886759b 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -112,7 +112,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml
index 367f5fa529f..a79d197ba5e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml
@@ -89,7 +89,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml
index a4303573e3e..de1f56ed4d4 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml
@@ -58,7 +58,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml
index 4e52213f3af..3f55977b503 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml
@@ -58,7 +58,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml
index b1ccf1a70cd..3406eeda2fa 100644
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml
@@ -48,7 +48,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml
index 66faa259661..9a7954f8970 100644
--- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
@@ -43,7 +43,7 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
 maxConnections: "5"
- statPrefix: http
+ statPrefix: http-10081
 - name: envoy.filters.network.http_connection_manager
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
@@ -67,7 +67,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10081
 useRemoteAddress: true
 name: second-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml
index d8ea3aaf802..3a981aca309 100644
--- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml
@@ -31,7 +31,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
 useRemoteAddress: true
 name: first-listener
 transportSocket:
@@ -71,7 +71,7 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tls-route-dest
- statPrefix: tcp
+ statPrefix: tcp-10081
 name: tcp-route-dest
 listenerFilters:
 - name: envoy.filters.listener.proxy_protocol
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml
index 610086b57ab..79e4d5a82d0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
@@ -67,7 +67,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10081
 useRemoteAddress: true
 name: second-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml
index 0f578bca015..01049c90267 100644
--- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml
@@ -31,7 +31,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml
index 67922c7444f..586f3fa82df 100644
--- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: first-listener
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml
index f81185b04b4..b1a9e2c3720 100644
--- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml
@@ -28,7 +28,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
 useRemoteAddress: true
 name: first-listener
 transportSocket:
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml
index 2242bb6a8a7..9612460ed7a 100755
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml
@@ -55,7 +55,7 @@
 resourceApiVersion: V3
 routeConfigName: default/gateway-1/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: default/gateway-1/http
 drainType: MODIFY_ONLY
@@ -159,7 +159,7 @@
 resourceApiVersion: V3
 routeConfigName: default/gateway-1/http
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: default/gateway-1/http
 drainType: MODIFY_ONLY
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml
index 181bb255cdb..a1731a1de8c 100644
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml
@@ -27,7 +27,7 @@
 resourceApiVersion: V3
 routeConfigName: third-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: http
+ statPrefix: http-10080
 useRemoteAddress: true
 name: third-listener
 drainType: MODIFY_ONLY
@@ -59,7 +59,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
 useRemoteAddress: true
 name: first-listener
 transportSocket:
@@ -102,7 +102,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10080
 useRemoteAddress: true
 name: second-listener
 transportSocket:
@@ -126,7 +126,7 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-dest
- statPrefix: passthrough
+ statPrefix: tls-passthrough-10080
 name: fifth-route
 - filterChainMatch:
 serverNames:
@@ -136,7 +136,7 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tls-route-dest
- statPrefix: passthrough
+ statPrefix: tls-passthrough-10080
 name: sixth-route
 listenerFilters:
 - name: envoy.filters.listener.tls_inspector
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml
index 962a960656f..73bc084eda1 100644
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml
@@ -9,35 +9,35 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-simple-dest
- statPrefix: tcp
+ statPrefix: tcp-10080
 name: tcp-route-simple
 - filters:
 - name: envoy.filters.network.tcp_proxy
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-simple-1-dest
- statPrefix: tcp
+ statPrefix: tcp-10080
 name: tcp-route-simple-1
 - filters:
 - name: envoy.filters.network.tcp_proxy
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-simple-2-dest
- statPrefix: tcp
+ statPrefix: tcp-10080
 name: tcp-route-simple-2
 - filters:
 - name: envoy.filters.network.tcp_proxy
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-simple-3-dest
- statPrefix: tcp
+ statPrefix: tcp-10080
 name: tcp-route-simple-3
 - filters:
 - name: envoy.filters.network.tcp_proxy
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
 cluster: tcp-route-simple-4-dest
- statPrefix: tcp
+ statPrefix: tcp-10080
 name: tcp-route-simple-4
 name: tcp-listener-simple
 perConnectionBufferLimitBytes: 32768
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml
index 8471bb28b4f..e10f6a9ed5b 100644
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml
@@ -28,7 +28,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10001
 useRemoteAddress: true
 name: first-listener
 transportSocket:
@@ -87,7 +87,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10002
 useRemoteAddress: true
 name: second-listener
 transportSocket:
@@ -148,7 +148,7 @@
 serverHeaderTransformation: PASS_THROUGH
 setCurrentClientCertDetails:
 subject: true
- statPrefix: https
+ statPrefix: https-10003
 useRemoteAddress: true
 name: third-listener
 transportSocket:
@@ -211,7 +211,7 @@
 dns: true
 subject: true
 uri: true
- statPrefix: https
+ statPrefix: https-10004
 useRemoteAddress: true
 name: fourth-listener
 transportSocket:
@@ -276,7 +276,7 @@
 dns: true
 subject: true
 uri: true
- statPrefix: https
+ statPrefix: https-10005
 useRemoteAddress: true
 name: fifth-listener
 transportSocket:
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml
index 6b3b6acded4..5f1f7372126 100644
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml
@@ -28,7 +28,7 @@
 resourceApiVersion: V3
 routeConfigName: first-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10001
 useRemoteAddress: true
 name: first-listener
 transportSocket:
@@ -87,7 +87,7 @@
 resourceApiVersion: V3
 routeConfigName: second-listener
 serverHeaderTransformation: PASS_THROUGH
- statPrefix: https
+ statPrefix: https-10002
 useRemoteAddress: true
 name: second-listener
 transportSocket:
@@ -146,7 +146,7 @@ resourceApiVersion: V3 routeConfigName: third-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10003 useRemoteAddress: true name: third-listener transportSocket: @@ -205,7 +205,7 @@ resourceApiVersion: V3 routeConfigName: fourth-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10004 useRemoteAddress: true name: fourth-listener transportSocket: @@ -264,7 +264,7 @@ resourceApiVersion: V3 routeConfigName: fifth-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10005 useRemoteAddress: true name: fifth-listener transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index 5c396e30fe3..75430179b51 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml @@ -28,7 +28,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10080 useRemoteAddress: true name: first-listener transportSocket: @@ -67,7 +67,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-terminate-dest - statPrefix: terminate + statPrefix: tls-terminate-10081 name: tls-route-terminate transportSocket: name: envoy.transport_sockets.tls diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index b1bdae764ff..2448feb80be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -28,7 +28,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10080 useRemoteAddress: true name: first-listener transportSocket: @@ -67,7 +67,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-terminate-dest - statPrefix: terminate + statPrefix: tls-terminate-10081 name: tls-route-terminate transportSocket: name: envoy.transport_sockets.tls diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index a182efcbd8c..bc4956b285a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -117,7 +117,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml index 836cbde04b6..4934acbee1e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml @@ -26,7 +26,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml index 67922c7444f..586f3fa82df 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml index 4e74648095d..3486155cda8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml @@ -37,7 +37,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml index 7840bfa0104..b1d7de26ff9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml @@ -36,7 +36,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml index 4e74648095d..3486155cda8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml @@ -37,7 +37,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml index 4e74648095d..3486155cda8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml @@ -37,7 +37,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml index 4e74648095d..3486155cda8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml @@ -37,7 +37,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml 
@@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml index 30b2c8f660e..51c022c26f3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml @@ -28,7 +28,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10080 useRemoteAddress: true name: first-listener transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml index 4111a2f7c1e..0598759f776 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml @@ -30,7 +30,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10080 useRemoteAddress: true name: first-listener transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml index a02d5e7cfe3..a6072e34b20 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml 
@@ -14,7 +14,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tcp-route-complex-dest - statPrefix: passthrough + statPrefix: tls-passthrough-10080 name: tcp-route-complex listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml index 10d02ab47e3..1bed88c6882 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml @@ -9,7 +9,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tcp-route-simple-dest - statPrefix: tcp + statPrefix: tcp-10080 name: tcp-route-simple name: tcp-listener-simple perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index c3726babf21..cc74c19ed91 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -9,7 +9,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-terminate-dest - statPrefix: terminate + statPrefix: tls-terminate-10080 name: tls-route-terminate transportSocket: name: envoy.transport_sockets.tls @@ -33,7 +33,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-terminate-hostname-dest - statPrefix: terminate + statPrefix: tls-terminate-10080 name: tls-terminate-hostname transportSocket: name: envoy.transport_sockets.tls 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml index 0736b932151..f38ddc66108 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml @@ -14,7 +14,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tcp-route-weighted-backend-dest - statPrefix: passthrough + statPrefix: tls-passthrough-10080 name: tcp-route-weighted-backend listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index be0e5ea7e82..5d20f177934 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml @@ -12,7 +12,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-passthrough-foo-dest - statPrefix: passthrough + statPrefix: tls-passthrough-10080 name: tls-route-passthrough-foo listenerFilters: - name: envoy.filters.listener.tls_inspector 
@@ -34,7 +34,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-passthrough-bar-dest - statPrefix: passthrough + statPrefix: tls-passthrough-10081 name: tls-route-passthrough-bar listenerFilters: - name: envoy.filters.listener.tls_inspector diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml index f3f8deebcb7..d5c31c5021a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml @@ -31,7 +31,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: https + statPrefix: https-10080 useRemoteAddress: true name: first-listener transportSocket: @@ -88,7 +88,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy cluster: tls-terminate-dest - statPrefix: terminate + statPrefix: tls-terminate-10081 name: tls-route-terminate transportSocket: name: envoy.transport_sockets.tls diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml index 760955a8da0..dcfd967ecb8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 tracing: clientSampling: value: 100 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml index 25b3e9e4d40..e169de7eb0d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 tracing: clientSampling: value: 100 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml index 7e5a19bcca1..3f76ab8e616 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 tracing: clientSampling: value: 100 diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index e5ecdbb8156..c04f247fd68 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml @@ -105,7 +105,7 @@ resourceApiVersion: V3 routeConfigName: envoy-gateway/gateway-1/http serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http drainType: MODIFY_ONLY diff --git a/test/e2e/tests/connection_limit.go b/test/e2e/tests/connection_limit.go index 97594c97774..d27b087ba53 100644 --- a/test/e2e/tests/connection_limit.go +++ b/test/e2e/tests/connection_limit.go @@ -84,7 +84,7 @@ var ConnectionLimitTest = suite.ConformanceTest{ } } - prefix := "http" + prefix := "http-10080" gtwName := "connection-limit-gateway" promQL := fmt.Sprintf(`envoy_connection_limit_limited_connections{envoy_connection_limit_prefix="%s",gateway_envoyproxy_io_owning_gateway_name="%s"}`, prefix, gtwName) From c2c705bd8a027ede944fd134b50e7e61e23b12c5 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 3 Aug 2024 09:50:20 +0800 Subject: [PATCH 018/523] docs: fix missing heading self-links (#3991) --- site/hugo.toml | 5 +---- site/layouts/_default/_markup/render-heading.html | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 site/layouts/_default/_markup/render-heading.html diff --git a/site/hugo.toml b/site/hugo.toml index ce169c84f3b..90dddd05e26 100644 --- a/site/hugo.toml +++ b/site/hugo.toml @@ -134,9 +134,6 @@ github_branch= "main" # Google Custom Search Engine ID. Remove or comment out to disable search. # gcs_engine_id = "d72aa9b2712488cc3" -# Enable Algolia DocSearch -algolia_docsearch = false - # Enable Lunr.js offline search offlineSearch = true 
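Review bot: The literal `prefix := "http-10080"` in ConnectionLimitTest repeats the listener's generated stat prefix without saying where the value comes from. If the gateway's listener port or the prefix format changes, the PromQL selector built on the next line will simply match no series, and the cause will not be obvious from the test. The golden files in this commit show the format as `<protocol>-<port>`, so a comment such as `// must equal the listener statPrefix ("<protocol>-<port>") of connection-limit-gateway` would make the coupling visible. The enclosing test function starts and ends outside the hunk.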
@@ -148,7 +145,7 @@ prism_syntax_highlighting = false # Set to true to disable breadcrumb navigation. breadcrumb_disable = false # Set to true to disable the About link in the site footer -footer_about_disable = false +footer_about_enable = true # Set to false if you don't want to display a logo (/assets/icons/logo.svg) in the top navbar navbar_logo = true # Set to true if you don't want the top navbar to be translucent when over a `block/cover`, like on the homepage. diff --git a/site/layouts/_default/_markup/render-heading.html b/site/layouts/_default/_markup/render-heading.html new file mode 100644 index 00000000000..7f8e97424d6 --- /dev/null +++ b/site/layouts/_default/_markup/render-heading.html @@ -0,0 +1 @@ +{{ template "_default/_markup/td-render-heading.html" . }} From b77f6a4e654786d1f8c9b3ee2c351472dd71209d Mon Sep 17 00:00:00 2001 From: qi Date: Mon, 5 Aug 2024 14:46:51 +0800 Subject: [PATCH 019/523] bugfix: fix upstream get unwanted /. (#3990) * bugfix: fix upstream get unwanted /. Signed-off-by: qicz * ut for bugfix Signed-off-by: qicz --------- 
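Review bot: The comment kept above the renamed key still reads "Set to true to disable the About link in the site footer", but the key is now `footer_about_enable = true`, so the comment describes the opposite of what the setting name says. The comment should change with the key, for example `# Set to true to display the About link in the site footer`. The commit message mentions only heading self-links, so this rename and the removal of `algolia_docsearch` in the previous hunk would be worth a line in the description.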
Signed-off-by: qicz Co-authored-by: Xunzhuo --- internal/xds/translator/route.go | 5 ++- ...-rewrite-sufixx-with-slash-url-prefix.yaml | 27 ++++++++++++++ ...sufixx-with-slash-url-prefix.clusters.yaml | 17 +++++++++ ...ufixx-with-slash-url-prefix.endpoints.yaml | 12 +++++++ ...ufixx-with-slash-url-prefix.listeners.yaml | 35 +++++++++++++++++++ ...e-sufixx-with-slash-url-prefix.routes.yaml | 19 ++++++++++ 6 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.routes.yaml diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 2b9c75a2e91..8a56e9e42b1 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -401,7 +401,10 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa if useRegexRewriteForPrefixMatchReplace(pathMatch, *urlRewrite.Path.PrefixMatchReplace) { routeAction.RegexRewrite = prefix2RegexRewrite(*pathMatch.Prefix) } else { - routeAction.PrefixRewrite = *urlRewrite.Path.PrefixMatchReplace + // remove trailing / to fix #3989 + // when the pathMath.Prefix has suffix / but EG has removed it, + // and the urlRewrite.Path.PrefixMatchReplace suffix with / the upstream will get unwanted / + routeAction.PrefixRewrite = strings.TrimSuffix(*urlRewrite.Path.PrefixMatchReplace, "/") } } } 
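Review bot: The added `strings.TrimSuffix(*urlRewrite.Path.PrefixMatchReplace, "/")` reduces a replacement of `/` to the empty string, and it trims for every path match, not only when the match prefix ended in a slash as the comment describes. Whether `/` can reach this else branch depends on useRegexRewriteForPrefixMatchReplace, which is outside the hunk, so this needs confirming. An empty PrefixRewrite would presumably leave the path unrewritten, and the upstream would then receive a path that path-based rules behind the gateway were not written for. A guard keeps the root case intact: `p := *urlRewrite.Path.PrefixMatchReplace`, `if len(p) > 1 { p = strings.TrimSuffix(p, "/") }`, `routeAction.PrefixRewrite = p`. The new test data covers only prefix `/origin/` with replacement `/rewrite/`, and buildXdsURLRewriteAction starts and ends outside the hunk.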
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml new file mode 100644 index 00000000000..97d0b5457cd --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml @@ -0,0 +1,27 @@ +name: "http-route" +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "rewrite-route" + pathMatch: + prefix: "/origin/" + hostname: gateway.envoyproxy.io + headerMatches: + - name: ":authority" + exact: gateway.envoyproxy.io + destination: + name: "rewrite-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + urlRewrite: + path: + prefixMatchReplace: /rewrite/ diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml new file mode 100644 index 00000000000..027db39fb29 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: rewrite-route-dest + lbPolicy: LEAST_REQUEST + name: rewrite-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.endpoints.yaml new file mode 100644 index 00000000000..256dda09089 
--- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: rewrite-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: rewrite-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml new file mode 100644 index 00000000000..67922c7444f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml @@ -0,0 +1,35 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http + useRemoteAddress: true + name: first-listener + drainType: MODIFY_ONLY + name: first-listener + perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.routes.yaml new file mode 100644 index 00000000000..84bc70f04bd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.routes.yaml @@ -0,0 +1,19 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - gateway.envoyproxy.io + name: first-listener/gateway_envoyproxy_io + routes: + - match: + headers: + - name: :authority + stringMatch: + exact: gateway.envoyproxy.io + pathSeparatedPrefix: /origin + name: rewrite-route + route: + cluster: rewrite-route-dest + prefixRewrite: /rewrite + upgradeConfigs: + - upgradeType: websocket From 0f751736334bd76b6c4fa8be754354856f34aebc Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Mon, 5 Aug 2024 13:44:28 -0500 Subject: [PATCH 020/523] feat(translator): http2 upstream settings (#3682) * implement BTP HTTP2 Signed-off-by: Guy Daich * fix lint Signed-off-by: Guy Daich * api change Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich * change naming Signed-off-by: Guy Daich * fix api doc Signed-off-by: Guy Daich * make connection termination an enum Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich --- api/v1alpha1/backendtrafficpolicy_types.go | 5 + api/v1alpha1/clienttrafficpolicy_types.go | 25 -- api/v1alpha1/shared_types.go | 39 ++ api/v1alpha1/zz_generated.deepcopy.go | 10 + ....envoyproxy.io_backendtrafficpolicies.yaml | 45 +++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 7 + .../translate/out/default-resources.all.yaml | 4 +- .../out/from-gateway-api-to-xds.all.json | 5 +- .../out/from-gateway-api-to-xds.all.yaml | 4 +- .../out/from-gateway-api-to-xds.cluster.yaml | 4 +- internal/gatewayapi/backendtrafficpolicy.go | 17 + internal/gatewayapi/clienttrafficpolicy.go | 6 +- internal/gatewayapi/http.go | 73 ++++ .../backendtrafficpolicy-with-http2.in.yaml | 95 +++++ .../backendtrafficpolicy-with-http2.out.yaml | 336 ++++++++++++++++++ internal/ir/xds.go | 5 + internal/ir/zz_generated.deepcopy.go | 10 + internal/xds/translator/cluster.go | 39 +- internal/xds/translator/listener.go | 10 +- .../testdata/in/xds-ir/http2-route.yaml | 56 +++ .../xds-ir/accesslog-als-tcp.clusters.yaml | 4 +- .../out/xds-ir/accesslog-cel.clusters.yaml | 4 +- .../accesslog-endpoint-stats.clusters.yaml | 4 +- .../xds-ir/accesslog-formatters.clusters.yaml | 4 +- .../xds-ir/accesslog-multi-cel.clusters.yaml | 4 +- .../accesslog-without-format.clusters.yaml | 8 +- .../out/xds-ir/accesslog.clusters.yaml | 8 +- .../out/xds-ir/ext-auth.clusters.yaml | 4 +- .../out/xds-ir/ext-proc.clusters.yaml | 16 +- ...ttp-preserve-client-protocol.clusters.yaml | 4 +- ...ufixx-with-slash-url-prefix.listeners.yaml | 2 +- .../out/xds-ir/http2-route.clusters.yaml | 74 +++- .../out/xds-ir/http2-route.endpoints.yaml | 36 ++ .../out/xds-ir/http2-route.routes.yaml | 21 ++ .../out/xds-ir/jwt-ratelimit.clusters.yaml | 4 +- .../ratelimit-custom-domain.clusters.yaml | 4 +- .../ratelimit-disable-headers.clusters.yaml | 4 +- .../ratelimit-endpoint-stats.clusters.yaml | 4 +- .../xds-ir/ratelimit-sourceip.clusters.yaml | 4 +- .../out/xds-ir/ratelimit.clusters.yaml | 4 +- 
.../tracing-endpoint-stats.clusters.yaml | 4 +- .../testdata/out/xds-ir/tracing.clusters.yaml | 4 +- internal/xds/translator/translator.go | 14 +- site/content/en/latest/api/extension_types.md | 20 +- site/content/zh/latest/api/extension_types.md | 20 +- 45 files changed, 1006 insertions(+), 68 deletions(-) create mode 100644 internal/gatewayapi/http.go create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index a8c39e9dfcc..80e4561507e 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -114,6 +114,11 @@ type BackendTrafficPolicySpec struct { // // +optional DNS *DNS `json:"dns,omitempty"` + + // HTTP2 provides HTTP/2 configuration for backend connections. + // + // +optional + HTTP2 *HTTP2Settings `json:"http2,omitempty"` } // +kubebuilder:object:root=true diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 397535ebf43..347eb946353 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -6,7 +6,6 @@ package v1alpha1 import ( - "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) 
@@ -289,30 +288,6 @@ type HTTP10Settings struct { UseDefaultHost *bool `json:"useDefaultHost,omitempty"` } -// HTTP2Settings provides HTTP/2 configuration on the listener. -type HTTP2Settings struct { - // InitialStreamWindowSize sets the initial window size for HTTP/2 streams. - // If not set, the default value is 64 KiB(64*1024). - // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialStreamWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" - // +optional - InitialStreamWindowSize *resource.Quantity `json:"initialStreamWindowSize,omitempty"` - - // InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. - // If not set, the default value is 1 MiB. - // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialConnectionWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" - // +optional - InitialConnectionWindowSize *resource.Quantity `json:"initialConnectionWindowSize,omitempty"` - - // MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. - // If not set, the default value is 100. - // +kubebuilder:validation:Minimum=1 - // +kubebuilder:validation:Maximum=2147483647 - // +optional - MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty"` -} - // HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener. type HealthCheckSettings struct { // Path specifies the HTTP path to match on for health check requests. diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 6ad310859bc..c151fcd8b17 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -10,6 +10,7 @@ import ( autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/apimachinery/pkg/api/resource" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) 
@@ -478,3 +479,41 @@ type BackendRef struct { // A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". // +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))` type CIDR string + +type InvalidMessageAction string + +const ( + InvalidMessageActionTerminateConnection InvalidMessageAction = "TerminateConnection" + InvalidMessageActionTerminateStream InvalidMessageAction = "TerminateStream" +) + +// HTTP2Settings provides HTTP/2 configuration for listeners and backends. +type HTTP2Settings struct { + // InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + // If not set, the default value is 64 KiB(64*1024). + // + // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialStreamWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +optional + InitialStreamWindowSize *resource.Quantity `json:"initialStreamWindowSize,omitempty"` + + // InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. 
+ // If not set, the default value is 1 MiB. + // + // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialConnectionWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +optional + InitialConnectionWindowSize *resource.Quantity `json:"initialConnectionWindowSize,omitempty"` + + // MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + // If not set, the default value is 100. + // +kubebuilder:validation:Minimum=1 + // +kubebuilder:validation:Maximum=2147483647 + // +optional + MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty"` + + // OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + // It's recommended for L2 Envoy deployments to set this value to TerminateStream. + // https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + // Default: TerminateConnection + // +optional + OnInvalidMessage *InvalidMessageAction `json:"onInvalidMessage,omitempty"` +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index e6c4da29aee..958025f1ddb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -574,6 +574,11 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) *out = new(DNS) (*in).DeepCopyInto(*out) } + if in.HTTP2 != nil { + in, out := &in.HTTP2, &out.HTTP2 + *out = new(HTTP2Settings) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec. 
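Review bot: `OnInvalidMessage` is typed as `InvalidMessageAction`, but nothing restricts it to the two declared constants, so the generated CRDs in this patch emit it as a bare `type: string`. Add `// +kubebuilder:validation:Enum=TerminateConnection;TerminateStream` above `type InvalidMessageAction string` so the API server rejects a misspelt value. As written, the switch in `buildIRHTTP2Settings` (internal/gatewayapi/http.go) has no default branch, so such a value is accepted and silently leaves the default behaviour in place. That matters on the L2 deployments the field comment mentions: an operator who believes they selected `TerminateStream` would still get connection termination on one invalid message. The exported type and its two constants also lack doc comments.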
@@ -2448,6 +2453,11 @@ func (in *HTTP2Settings) DeepCopyInto(out *HTTP2Settings) { *out = new(uint32) **out = **in } + if in.OnInvalidMessage != nil { + in, out := &in.OnInvalidMessage, &out.OnInvalidMessage + *out = new(InvalidMessageAction) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP2Settings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 2ddf8c841cc..7678f5eaf52 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
@@ -436,6 +436,51 @@ spec: type: boolean type: object type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend connections. + properties: + initialConnectionWindowSize: + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: initialConnectionWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" + rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") + : type(self) == int' + initialStreamWindowSize: + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: initialStreamWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" + rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") + : type(self) == int' + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 48cfb9f3aad..36a05061fc5 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -300,6 +300,13 @@ spec: maximum: 2147483647 minimum: 1 type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string type: object http3: description: HTTP3 provides HTTP/3 configuration on the listener. diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index d1872e3f56e..4f2d2892174 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -804,7 +804,9 @@ xds: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - cluster: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster circuitBreakers: 
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 56952759bce..aa5af990807 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -504,7 +504,10 @@ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", "explicitHttpConfig": { - "http2ProtocolOptions": {} + "http2ProtocolOptions": { + "initialConnectionWindowSize": 1048576, + "initialStreamWindowSize": 65536 + } } } } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 6f0229789e0..1c53aef7e90 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -285,7 +285,9 @@ xds: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - cluster: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster circuitBreakers: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index 3d9bce8ad21..c9f782804a4 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml 
@@ -44,7 +44,9 @@ xds: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - cluster: '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster circuitBreakers: diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 65d4404dfb9..120918a8f6a 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -296,6 +296,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen rt *ir.Retry bc *ir.BackendConnection ds *ir.DNS + h2 *ir.HTTP2Settings err, errs error ) @@ -350,6 +351,13 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } + if policy.Spec.HTTP2 != nil { + if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) + } + } + if policy.Spec.DNS != nil { ds = t.translateDNS(policy) } @@ -405,6 +413,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen TCPKeepalive: ka, Retry: rt, BackendConnection: bc, + HTTP2: h2, } r.DNS = ds @@ -441,6 +450,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back ka *ir.TCPKeepalive rt *ir.Retry ds *ir.DNS + h2 *ir.HTTP2Settings err, errs error ) @@ -487,6 +497,12 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back errs = errors.Join(errs, err) } } + if policy.Spec.HTTP2 != nil { + if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) + } + } if policy.Spec.DNS != nil { ds = t.translateDNS(policy) 
@@ -587,6 +603,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back FaultInjection: fi, TCPKeepalive: ka, Retry: rt, + HTTP2: h2, } if r.DNS == nil { diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 8462a0545c0..1d7e8e89a84 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -28,11 +28,7 @@ import ( const ( // Use an invalid string to represent all sections (listeners) within a Gateway - AllSections = "/" - MinHTTP2InitialStreamWindowSize = 65535 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size - MaxHTTP2InitialStreamWindowSize = 2147483647 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size - MinHTTP2InitialConnectionWindowSize = MinHTTP2InitialStreamWindowSize - MaxHTTP2InitialConnectionWindowSize = MaxHTTP2InitialStreamWindowSize + AllSections = "/" ) func hasSectionName(target *gwapiv1a2.LocalPolicyTargetReferenceWithSectionName) bool { diff --git a/internal/gatewayapi/http.go b/internal/gatewayapi/http.go new file mode 100644 index 00000000000..95b0cd6310e --- /dev/null +++ b/internal/gatewayapi/http.go 
@@ -0,0 +1,73 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package gatewayapi + +import ( + "errors" + "fmt" + + "k8s.io/utils/ptr" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" +) + +const ( + MinHTTP2InitialStreamWindowSize = 65535 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size + MaxHTTP2InitialStreamWindowSize = 2147483647 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size + MinHTTP2InitialConnectionWindowSize = MinHTTP2InitialStreamWindowSize + MaxHTTP2InitialConnectionWindowSize = MaxHTTP2InitialStreamWindowSize +) + +func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Settings, error) { + var ( + http2 = &ir.HTTP2Settings{} + errs error + ) + + if http2Settings.InitialStreamWindowSize != nil { + initialStreamWindowSize, ok := http2Settings.InitialStreamWindowSize.AsInt64() + switch { + case !ok: + errs = errors.Join(errs, fmt.Errorf("invalid InitialStreamWindowSize value %s", http2Settings.InitialStreamWindowSize.String())) + case initialStreamWindowSize < MinHTTP2InitialStreamWindowSize || initialStreamWindowSize > MaxHTTP2InitialStreamWindowSize: + errs = errors.Join(errs, fmt.Errorf("InitialStreamWindowSize value %s is out of range, must be between %d and %d", + http2Settings.InitialStreamWindowSize.String(), + MinHTTP2InitialStreamWindowSize, + MaxHTTP2InitialStreamWindowSize)) + default: + http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) + } + } + + if http2Settings.InitialConnectionWindowSize != nil { + initialConnectionWindowSize, ok := http2Settings.InitialConnectionWindowSize.AsInt64() 
+ switch { + case !ok: + errs = errors.Join(errs, fmt.Errorf("invalid InitialConnectionWindowSize value %s", http2Settings.InitialConnectionWindowSize.String())) + case initialConnectionWindowSize < MinHTTP2InitialConnectionWindowSize || initialConnectionWindowSize > MaxHTTP2InitialConnectionWindowSize: + errs = errors.Join(errs, fmt.Errorf("InitialConnectionWindowSize value %s is out of range, must be between %d and %d", + http2Settings.InitialConnectionWindowSize.String(), + MinHTTP2InitialConnectionWindowSize, + MaxHTTP2InitialConnectionWindowSize)) + default: + http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) + } + } + + http2.MaxConcurrentStreams = http2Settings.MaxConcurrentStreams + + if http2Settings.OnInvalidMessage != nil { + switch *http2Settings.OnInvalidMessage { + case egv1a1.InvalidMessageActionTerminateStream: + http2.ResetStreamOnError = ptr.To(true) + case egv1a1.InvalidMessageActionTerminateConnection: + http2.ResetStreamOnError = ptr.To(false) + } + } + + return http2, errs +} diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.in.yaml new file mode 100644 index 00000000000..f8962194199 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.in.yaml 
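Review bot: `buildIRHTTP2Settings` returns the partially filled `http2` struct together with a non-nil `errs`, and both callers in backendtrafficpolicy.go assign it with `if h2, err = buildIRHTTP2Settings(...); err != nil` and later store `HTTP2: h2`. A policy with one rejected window size therefore still carries its other HTTP/2 fields into the IR; whether that IR is then programmed depends on code outside these hunks. Ending the function with `if errs != nil { return nil, errs }` followed by `return http2, nil` keeps a rejected policy from being half-applied. The `OnInvalidMessage` switch should also gain `default: errs = errors.Join(errs, fmt.Errorf("invalid OnInvalidMessage value %s", *http2Settings.OnInvalidMessage))`. The function also needs a doc comment stating that `http2Settings` must be non-nil.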
@@ -0,0 +1,95 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +backendTrafficPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + http2: + initialStreamWindowSize: 2Mi + initialConnectionWindowSize: 1Gi + maxConcurrentStreams: 500 + onInvalidMessage: TerminateConnection + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + http2: + initialStreamWindowSize: 1Mi + initialConnectionWindowSize: 500Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml new file mode 100644 index 00000000000..35dbb164bf1 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml 
@@ -0,0 +1,336 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route + namespace: default + spec: + http2: + initialConnectionWindowSize: 500Mi + initialStreamWindowSize: 1Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + http2: + initialConnectionWindowSize: 1Gi + initialStreamWindowSize: 2Mi + maxConcurrentStreams: 500 + onInvalidMessage: TerminateConnection + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 + envoy-gateway/gateway-2: + proxy: + listeners: + - address: null + name: 
envoy-gateway/gateway-2/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-2 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: default + name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + traffic: + http2: + initialConnectionWindowSize: 2097152 + initialStreamWindowSize: 1073741824 + maxConcurrentStreams: 500 + resetStreamOnError: false + envoy-gateway/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + traffic: + http2: + initialConnectionWindowSize: 1048576 + 
initialStreamWindowSize: 524288000 + maxConcurrentStreams: 200 + resetStreamOnError: true diff --git a/internal/ir/xds.go b/internal/ir/xds.go index f4f059a2af6..7cc5ed8f354 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -456,6 +456,8 @@ type HTTP2Settings struct { InitialConnectionWindowSize *uint32 `json:"initialStreamWindowSize,omitempty" yaml:"initialStreamWindowSize,omitempty"` // MaxConcurrentStreams is the maximum number of concurrent streams that can be opened on a connection. MaxConcurrentStreams *uint32 `json:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty"` + // ResetStreamOnError determines if a stream or connection is reset on messaging error. + ResetStreamOnError *bool `json:"resetStreamOnError,omitempty" yaml:"resetStreamOnError,omitempty"` } // HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener. @@ -600,6 +602,9 @@ type TrafficFeatures struct { Retry *Retry `json:"retry,omitempty" yaml:"retry,omitempty"` // settings of upstream connection BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"` + // HTTP2 provides HTTP/2 configuration for clusters + // +optional + HTTP2 *HTTP2Settings `json:"http2,omitempty" yaml:"http2,omitempty"` } func (b *TrafficFeatures) Validate() error { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index e0a7b45571a..dabb7af5afd 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1030,6 +1030,11 @@ func (in *HTTP2Settings) DeepCopyInto(out *HTTP2Settings) { *out = new(uint32) **out = **in } + if in.ResetStreamOnError != nil { + in, out := &in.ResetStreamOnError, &out.ResetStreamOnError + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP2Settings. 
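Review bot: The context line in the first xds.go hunk shows `InitialConnectionWindowSize` carrying the tags `json:"initialStreamWindowSize,omitempty" yaml:"initialStreamWindowSize,omitempty"`, and the golden file added by this patch records the consequence. In backendtrafficpolicy-with-http2.in.yaml, policy-for-gateway sets `initialStreamWindowSize: 2Mi` and `initialConnectionWindowSize: 1Gi`, yet the xdsIR output lists `initialConnectionWindowSize: 2097152` and `initialStreamWindowSize: 1073741824`. The serialized keys are swapped relative to the struct fields (the tag on `InitialStreamWindowSize` is outside the hunk, presumably the mirror image). Anyone reading an IR dump or hand-writing IR input such as http2-route.yaml therefore ends up reasoning about, or configuring, the opposite flow-control window. Fix the tags so each field serializes under its own name, here `json:"initialConnectionWindowSize,omitempty" yaml:"initialConnectionWindowSize,omitempty"`, and regenerate the golden files.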
@@ -2893,6 +2898,11 @@ func (in *TrafficFeatures) DeepCopyInto(out *TrafficFeatures) { *out = new(BackendConnection) (*in).DeepCopyInto(*out) } + if in.HTTP2 != nil { + in, out := &in.HTTP2, &out.HTTP2 + *out = new(HTTP2Settings) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficFeatures. diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 9a7819a597f..697736dbc4d 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -48,6 +48,7 @@ type xdsClusterArgs struct { circuitBreaker *ir.CircuitBreaker healthCheck *ir.HealthCheck http1Settings *ir.HTTP1Settings + http2Settings *ir.HTTP2Settings timeout *ir.Timeout tcpkeepalive *ir.TCPKeepalive metrics *ir.Metrics @@ -515,13 +516,15 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. protocolOptions.UpstreamProtocolOptions = &httpv3.HttpProtocolOptions_UseDownstreamProtocolConfig{ UseDownstreamProtocolConfig: &httpv3.HttpProtocolOptions_UseDownstreamHttpConfig{ HttpProtocolOptions: http1opts, - Http2ProtocolOptions: &corev3.Http2ProtocolOptions{}, + Http2ProtocolOptions: buildHTTP2Settings(args.http2Settings), }, } case requiresHTTP2Options: protocolOptions.UpstreamProtocolOptions = &httpv3.HttpProtocolOptions_ExplicitHttpConfig_{ ExplicitHttpConfig: &httpv3.HttpProtocolOptions_ExplicitHttpConfig{ - ProtocolConfig: &httpv3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{}, + ProtocolConfig: &httpv3.HttpProtocolOptions_ExplicitHttpConfig_Http2ProtocolOptions{ + Http2ProtocolOptions: buildHTTP2Settings(args.http2Settings), + }, }, } case requiresHTTP1Options: @@ -664,6 +667,7 @@ func buildBackandConnectionBufferLimitBytes(bc *ir.BackendConnection) *wrappers. type ExtraArgs struct { metrics *ir.Metrics http1Settings *ir.HTTP1Settings + http2Settings *ir.HTTP2Settings } type clusterArgs interface { 
@@ -721,6 +725,7 @@ func (httpRoute *HTTPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsCluste endpointType: buildEndpointType(httpRoute.Destination.Settings), metrics: extra.metrics, http1Settings: extra.http1Settings, + http2Settings: extra.http2Settings, useClientProtocol: ptr.Deref(httpRoute.UseClientProtocol, false), } @@ -742,3 +747,33 @@ func (httpRoute *HTTPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsCluste return clusterArgs } + +func buildHTTP2Settings(opts *ir.HTTP2Settings) *corev3.Http2ProtocolOptions { + if opts == nil { + opts = &ir.HTTP2Settings{} + } + + // defaults based on https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge + out := &corev3.Http2ProtocolOptions{ + InitialStreamWindowSize: &wrapperspb.UInt32Value{ + Value: ptr.Deref(opts.InitialStreamWindowSize, http2InitialStreamWindowSize), + }, + InitialConnectionWindowSize: &wrapperspb.UInt32Value{ + Value: ptr.Deref(opts.InitialConnectionWindowSize, http2InitialConnectionWindowSize), + }, + } + + if opts.MaxConcurrentStreams != nil { + out.MaxConcurrentStreams = &wrapperspb.UInt32Value{ + Value: *opts.MaxConcurrentStreams, + } + } + + if opts.ResetStreamOnError != nil { + out.OverrideStreamErrorOnInvalidHttpMessage = &wrapperspb.BoolValue{ + Value: *opts.ResetStreamOnError, + } + } + + return out +} diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index c3dc05ebceb..0812010ade1 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -86,7 +86,7 @@ func http2ProtocolOptions(opts *ir.HTTP2Settings) *corev3.Http2ProtocolOptions { opts = &ir.HTTP2Settings{} } - return &corev3.Http2ProtocolOptions{ + out := &corev3.Http2ProtocolOptions{ MaxConcurrentStreams: &wrapperspb.UInt32Value{ Value: ptr.Deref(opts.MaxConcurrentStreams, http2MaxConcurrentStreamsLimit), }, 
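Review bot: `buildHTTP2Settings` always emits both window sizes, so every HTTP/2 upstream cluster changes even when no BackendTrafficPolicy sets `http2`; the golden files in this patch go from `http2ProtocolOptions: {}` to explicit 1048576/65536 values. The inline comment cites the edge best-practices page, which is written for downstream listeners, and for upstream connections this replaces Envoy's own defaults with much smaller flow-control windows. Bounding the windows limits per-stream buffering, but it is a behaviour change for existing gRPC and HTTP/2 backends. It should be stated in a doc comment on the function and in the release notes, or applied only when `opts` carries explicit values. The function otherwise mirrors `http2ProtocolOptions` in listener.go except that it leaves `MaxConcurrentStreams` unset by default, so a short comment explaining that difference would keep the two from drifting.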
@@ -97,6 +97,14 @@ func http2ProtocolOptions(opts *ir.HTTP2Settings) *corev3.Http2ProtocolOptions { Value: ptr.Deref(opts.InitialConnectionWindowSize, http2InitialConnectionWindowSize), }, } + + if opts.ResetStreamOnError != nil { + out.OverrideStreamErrorOnInvalidHttpMessage = &wrapperspb.BoolValue{ + Value: *opts.ResetStreamOnError, + } + } + + return out } func xffNumTrustedHops(clientIPDetection *ir.ClientIPDetectionSettings) uint32 { diff --git a/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml b/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml index f3dc12c5aae..5d271080918 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml @@ -28,3 +28,59 @@ http: - host: "1.2.3.4" port: 50000 protocol: GRPC + traffic: + http2: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 524288000 + maxConcurrentStreams: 200 + resetStreamOnError: true + - name: "second-route" + hostname: "*" + pathMatch: + name: "test" + exact: "bar/foo" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + protocol: GRPC + traffic: + http2: {} + - name: "third-route-use-client" + hostname: "*" + pathMatch: + name: "test" + exact: "bar/bar" + destination: + name: "third-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + protocol: HTTP + useClientProtocol: true + traffic: + http2: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 524288000 + maxConcurrentStreams: 200 + resetStreamOnError: false + - name: "fourth-route-not-http2" + hostname: "*" + pathMatch: + name: "test" + exact: "foo/foo" + destination: + name: "fourth-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + traffic: + http2: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 524288000 + maxConcurrentStreams: 200 + resetStreamOnError: true 
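Review bot: The `ResetStreamOnError` block added to `http2ProtocolOptions` is the same five lines as the one in `buildHTTP2Settings` in cluster.go, and neither copy says what an unset value means. A one-line comment would make that explicit, for example `// nil keeps the default (an invalid HTTP/2 message terminates the connection); true resets only the offending stream`, which matches the `onInvalidMessage` description in the API docs of this patch. On a client-facing listener this setting decides whether a peer that sends malformed messages keeps its connection, so the default should be visible at the call site. `http2ProtocolOptions` begins in the previous hunk.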
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index 18b309bb74d..9603f302b73 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -19,4 +19,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index b8874bf24f9..6d040000dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -46,4 +46,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index cbf453a1f17..ea9ef9405ee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml 
@@ -50,4 +50,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index b8874bf24f9..6d040000dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -46,4 +46,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index b8874bf24f9..6d040000dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -46,4 +46,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index 6ba4705c13f..d9c561cee48 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -36,7 +36,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 @@ -68,4 +70,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index 6ba4705c13f..d9c561cee48 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -36,7 +36,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 @@ -68,4 +70,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index cf4fbc9b274..e478c2054cd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -70,7 +70,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 08b38495e69..6ea0615cb31 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -53,7 +53,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 @@ -75,7 +77,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 @@ -97,7 +101,9 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 - circuitBreakers: thresholds: - maxRetries: 1024 
@@ -119,4 +125,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index 5de1d1cce34..f8cfa834cdd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -19,5 +19,7 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions useDownstreamProtocolConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 httpProtocolOptions: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml index 67922c7444f..586f3fa82df 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml @@ -27,7 +27,7 @@ resourceApiVersion: V3 routeConfigName: first-listener serverHeaderTransformation: PASS_THROUGH - statPrefix: http + statPrefix: http-10080 useRemoteAddress: true name: first-listener drainType: MODIFY_ONLY diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 6086cfbb86f..05cf41776c6 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml 
@@ -19,4 +19,76 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 524288000 + initialStreamWindowSize: 1048576 + maxConcurrentStreams: 200 + overrideStreamErrorOnInvalidHttpMessage: true +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: second-route-dest + lbPolicy: LEAST_REQUEST + name: second-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: third-route-dest + lbPolicy: LEAST_REQUEST + name: third-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + useDownstreamProtocolConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 524288000 + initialStreamWindowSize: 1048576 + maxConcurrentStreams: 200 + overrideStreamErrorOnInvalidHttpMessage: false + httpProtocolOptions: {} +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY 
+ edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fourth-route-dest + lbPolicy: LEAST_REQUEST + name: fourth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.endpoints.yaml index 3b3f2d09076..f185af17da7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.endpoints.yaml @@ -10,3 +10,39 @@ loadBalancingWeight: 1 locality: region: first-route-dest/backend/0 +- clusterName: second-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: second-route-dest/backend/0 +- clusterName: third-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: third-route-dest/backend/0 +- clusterName: fourth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fourth-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.routes.yaml index a32852fcd88..4fdedfabf67 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.routes.yaml 
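Review bot: The expected window sizes for the first cluster and for third-route-dest are swapped relative to the input fixture. http2-route.yaml sets `initialConnectionWindowSize: 1048576` and `initialStreamWindowSize: 524288000`, but this golden file expects `initialConnectionWindowSize: 524288000` and `initialStreamWindowSize: 1048576`. `buildHTTP2Settings` maps each field to its namesake, so the swap presumably happens when the IR is decoded (for example mismatched json/yaml tags on `ir.HTTP2Settings`, which is not visible here), and the golden output records it as correct. Once the cause is confirmed, the expected file should carry connection `1048576` and stream `524288000`. The listener path reads the same IR type and should be checked as well.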
@@ -20,3 +20,24 @@ cluster: first-route-dest upgradeConfigs: - upgradeType: websocket + - match: + path: bar/foo + name: second-route + route: + cluster: second-route-dest + upgradeConfigs: + - upgradeType: websocket + - match: + path: bar/bar + name: third-route-use-client + route: + cluster: third-route-dest + upgradeConfigs: + - upgradeType: websocket + - match: + path: foo/foo + name: fourth-route-not-http2 + route: + cluster: fourth-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index d4e9db34e33..e75a68919d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml @@ -119,4 +119,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index bd23f61ee21..45e8e0898ce 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -93,4 +93,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index 9f9bc9f1dff..0ba1749076a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -93,4 +93,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index 21ea0681611..a3c9b6623c9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -101,4 +101,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 33fc01336b8..427f6d15340 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml 
@@ -110,4 +110,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 9f9bc9f1dff..0ba1749076a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -93,4 +93,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 0936f4b459a..9e7469dd278 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml @@ -50,4 +50,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 35bc81158da..dce48b2c083 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml 
@@ -46,4 +46,6 @@ envoy.extensions.upstreams.http.v3.HttpProtocolOptions: '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions explicitHttpConfig: - http2ProtocolOptions: {} + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 861e36ca8f1..9fa5e700986 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -450,13 +450,19 @@ func (t *Translator) addRouteToRouteConfig( vHost.Routes = append(vHost.Routes, xdsRoute) if httpRoute.Destination != nil { + ea := &ExtraArgs{ + metrics: metrics, + http1Settings: httpListener.HTTP1, + } + + if httpRoute.Traffic != nil && httpRoute.Traffic.HTTP2 != nil { + ea.http2Settings = httpRoute.Traffic.HTTP2 + } + if err = processXdsCluster( tCtx, &HTTPRouteTranslator{httpRoute}, - &ExtraArgs{ - metrics: metrics, - http1Settings: httpListener.HTTP1, - }, + ea, ); err != nil { errs = errors.Join(errs, err) } diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index b0e85833110..a9f4f2bdbc7 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -461,6 +461,7 @@ _Appears in:_ | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | | `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | #### BasicAuth 
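Review bot: In the translator.go hunk the inner nil check on `httpRoute.Traffic.HTTP2` is redundant, because copying a nil pointer into `ea.http2Settings` leaves it nil and `buildHTTP2Settings` already handles nil. `if httpRoute.Traffic != nil { ea.http2Settings = httpRoute.Traffic.HTTP2 }` says the same in one condition. As far as this patch shows, only this HTTP-route call site passes `http2Settings`, so clusters built elsewhere through `processXdsCluster` would always get the defaults; a short comment would confirm that is intended. `addRouteToRouteConfig` starts and ends outside the hunk.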
@@ -1789,9 +1790,10 @@ _Appears in:_ -HTTP2Settings provides HTTP/2 configuration on the listener. +HTTP2Settings provides HTTP/2 configuration for listeners and backends. _Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) | Field | Type | Required | Description | @@ -1799,6 +1801,7 @@ _Appears in:_ | `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | | `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | | `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2047,6 +2050,21 @@ _Appears in:_ | `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| +#### InvalidMessageAction + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [HTTP2Settings](#http2settings) + +| Value | Description | +| ----- | ----------- | +| `TerminateConnection` | | +| `TerminateStream` | | + + #### JSONPatchOperation diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index b0e85833110..a9f4f2bdbc7 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -461,6 +461,7 @@ _Appears in:_ | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | | `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | #### BasicAuth @@ -1789,9 +1790,10 @@ _Appears in:_ -HTTP2Settings provides HTTP/2 configuration on the listener. +HTTP2Settings provides HTTP/2 configuration for listeners and backends. _Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) | Field | Type | Required | Description | @@ -1799,6 +1801,7 @@ _Appears in:_ | `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | | `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | | `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2047,6 +2050,21 @@ _Appears in:_ | `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| +#### InvalidMessageAction + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [HTTP2Settings](#http2settings) + +| Value | Description | +| ----- | ----------- | +| `TerminateConnection` | | +| `TerminateStream` | | + + #### JSONPatchOperation From afbc5e2f99ca2cbb938af77b196f91c3a005262b Mon Sep 17 00:00:00 2001 From: sh2 Date: Tue, 6 Aug 2024 07:42:07 +0800 Subject: [PATCH 021/523] refactor: clean envoygateway validate methods (#3997) --- .../validation/envoygateway_validate.go | 231 +++++++++++------- 1 file changed, 144 insertions(+), 87 deletions(-) diff --git a/api/v1alpha1/validation/envoygateway_validate.go b/api/v1alpha1/validation/envoygateway_validate.go index 91d61bcc80d..8d7c97dc94a 100644 --- a/api/v1alpha1/validation/envoygateway_validate.go +++ b/api/v1alpha1/validation/envoygateway_validate.go 
@@ -6,115 +6,172 @@ package validation import ( - "errors" "fmt" "net/url" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) // ValidateEnvoyGateway validates the provided EnvoyGateway. func ValidateEnvoyGateway(eg *egv1a1.EnvoyGateway) error { - switch { - case eg == nil: - return errors.New("envoy gateway config is unspecified") - case eg.Gateway == nil: - return errors.New("gateway is unspecified") - case len(eg.Gateway.ControllerName) == 0: - return errors.New("gateway controllerName is unspecified") - case eg.Provider == nil: - return errors.New("provider is unspecified") - case eg.Provider.Type != egv1a1.ProviderTypeKubernetes: - return fmt.Errorf("unsupported provider %v", eg.Provider.Type) - case eg.Provider.Kubernetes != nil && eg.Provider.Kubernetes.Watch != nil: - watch := eg.Provider.Kubernetes.Watch - switch watch.Type { - case egv1a1.KubernetesWatchModeTypeNamespaces: - if len(watch.Namespaces) == 0 { - return errors.New("namespaces should be specified when envoy gateway watch mode is 'Namespaces'") - } - case egv1a1.KubernetesWatchModeTypeNamespaceSelector: - if watch.NamespaceSelector == nil { - return errors.New("namespaceSelector should be specified when envoy gateway watch mode is 'NamespaceSelector'") - } - default: - return errors.New("envoy gateway watch mode invalid, should be 'Namespaces' or 'NamespaceSelector'") - } - case eg.Logging != nil && len(eg.Logging.Level) != 0: - level := eg.Logging.Level - for component, logLevel := range level { - switch component { - case egv1a1.LogComponentGatewayDefault, - egv1a1.LogComponentProviderRunner, - egv1a1.LogComponentGatewayAPIRunner, - egv1a1.LogComponentXdsTranslatorRunner, - egv1a1.LogComponentXdsServerRunner, - egv1a1.LogComponentInfrastructureRunner, - egv1a1.LogComponentGlobalRateLimitRunner: - switch logLevel { - case egv1a1.LogLevelDebug, egv1a1.LogLevelError, egv1a1.LogLevelWarn, egv1a1.LogLevelInfo: - default: - return errors.New("envoy 
gateway logging level invalid. valid options: info/debug/warn/error") - } - default: - return errors.New("envoy gateway logging components invalid. valid options: system/provider/gateway-api/xds-translator/xds-server/infrastructure") - } - } - case eg.RateLimit != nil: - if eg.RateLimit.Backend.Type != egv1a1.RedisBackendType { - return fmt.Errorf("unsupported ratelimit backend %v", eg.RateLimit.Backend.Type) - } - if eg.RateLimit.Backend.Redis == nil || eg.RateLimit.Backend.Redis.URL == "" { - return fmt.Errorf("empty ratelimit redis settings") + if eg == nil { + return fmt.Errorf("envoy gateway config is unspecified") + } + + if eg.Gateway == nil { + return fmt.Errorf("gateway is unspecified") + } + + if len(eg.Gateway.ControllerName) == 0 { + return fmt.Errorf("gateway controllerName is unspecified") + } + + if eg.Provider == nil { + return fmt.Errorf("provider is unspecified") + } + + switch eg.Provider.Type { + case egv1a1.ProviderTypeKubernetes: + if err := validateEnvoyGatewayKubernetesProvider(eg.Provider.Kubernetes); err != nil { + return err } - if _, err := url.Parse(eg.RateLimit.Backend.Redis.URL); err != nil { - return fmt.Errorf("unknown ratelimit redis url format: %w", err) + default: + return fmt.Errorf("unsupported provider type") + } + + if err := validateEnvoyGatewayLogging(eg.Logging); err != nil { + return err + } + + if err := validateEnvoyGatewayRateLimit(eg.RateLimit); err != nil { + return err + } + + if err := validateEnvoyGatewayExtensionManager(eg.ExtensionManager); err != nil { + return err + } + + if err := validateEnvoyGatewayTelemetry(eg.Telemetry); err != nil { + return err + } + + return nil +} + +func validateEnvoyGatewayKubernetesProvider(provider *egv1a1.EnvoyGatewayKubernetesProvider) error { + if provider == nil || provider.Watch == nil { + return nil + } + + watch := provider.Watch + switch watch.Type { + case egv1a1.KubernetesWatchModeTypeNamespaces: + if len(watch.Namespaces) == 0 { + return fmt.Errorf("namespaces should be 
specified when envoy gateway watch mode is 'Namespaces'") } - case eg.ExtensionManager != nil: - if eg.ExtensionManager.Hooks == nil || eg.ExtensionManager.Hooks.XDSTranslator == nil { - return fmt.Errorf("registered extension has no hooks specified") + case egv1a1.KubernetesWatchModeTypeNamespaceSelector: + if watch.NamespaceSelector == nil { + return fmt.Errorf("namespaceSelector should be specified when envoy gateway watch mode is 'NamespaceSelector'") } + default: + return fmt.Errorf("envoy gateway watch mode invalid, should be 'Namespaces' or 'NamespaceSelector'") + } + return nil +} - if len(eg.ExtensionManager.Hooks.XDSTranslator.Pre) == 0 && len(eg.ExtensionManager.Hooks.XDSTranslator.Post) == 0 { - return fmt.Errorf("registered extension has no hooks specified") - } +func validateEnvoyGatewayLogging(logging *egv1a1.EnvoyGatewayLogging) error { + if logging == nil || len(logging.Level) == 0 { + return nil + } - if eg.ExtensionManager.Service == nil { - return fmt.Errorf("extension service config is empty") + for component, logLevel := range logging.Level { + switch component { + case egv1a1.LogComponentGatewayDefault, + egv1a1.LogComponentProviderRunner, + egv1a1.LogComponentGatewayAPIRunner, + egv1a1.LogComponentXdsTranslatorRunner, + egv1a1.LogComponentXdsServerRunner, + egv1a1.LogComponentInfrastructureRunner, + egv1a1.LogComponentGlobalRateLimitRunner: + switch logLevel { + case egv1a1.LogLevelDebug, egv1a1.LogLevelError, egv1a1.LogLevelWarn, egv1a1.LogLevelInfo: + default: + return fmt.Errorf("envoy gateway logging level invalid. valid options: info/debug/warn/error") + } + default: + return fmt.Errorf("envoy gateway logging components invalid. 
valid options: system/provider/gateway-api/xds-translator/xds-server/infrastructure") } + } + return nil +} - switch { - case eg.ExtensionManager.Service.Host == "" && eg.ExtensionManager.Service.FQDN == nil && eg.ExtensionManager.Service.Unix == nil && eg.ExtensionManager.Service.IP == nil: - return fmt.Errorf("extension service must contain a configured target") +func validateEnvoyGatewayRateLimit(rateLimit *egv1a1.RateLimit) error { + if rateLimit == nil { + return nil + } + if rateLimit.Backend.Type != egv1a1.RedisBackendType { + return fmt.Errorf("unsupported ratelimit backend %v", rateLimit.Backend.Type) + } + if rateLimit.Backend.Redis == nil || rateLimit.Backend.Redis.URL == "" { + return fmt.Errorf("empty ratelimit redis settings") + } + if _, err := url.Parse(rateLimit.Backend.Redis.URL); err != nil { + return fmt.Errorf("unknown ratelimit redis url format: %w", err) + } + return nil +} - case eg.ExtensionManager.Service.FQDN != nil && (eg.ExtensionManager.Service.IP != nil || eg.ExtensionManager.Service.Unix != nil || eg.ExtensionManager.Service.Host != ""), - eg.ExtensionManager.Service.IP != nil && (eg.ExtensionManager.Service.FQDN != nil || eg.ExtensionManager.Service.Unix != nil || eg.ExtensionManager.Service.Host != ""), - eg.ExtensionManager.Service.Unix != nil && (eg.ExtensionManager.Service.IP != nil || eg.ExtensionManager.Service.FQDN != nil || eg.ExtensionManager.Service.Host != ""): +func validateEnvoyGatewayExtensionManager(extensionManager *egv1a1.ExtensionManager) error { + if extensionManager == nil { + return nil + } - return fmt.Errorf("only one backend target can be configured for the extension manager") + if extensionManager.Hooks == nil || extensionManager.Hooks.XDSTranslator == nil { + return fmt.Errorf("registered extension has no hooks specified") + } - } + if len(extensionManager.Hooks.XDSTranslator.Pre) == 0 && len(extensionManager.Hooks.XDSTranslator.Post) == 0 { + return fmt.Errorf("registered extension has no hooks specified") 
+ } - if eg.ExtensionManager.Service.TLS != nil { - certificateRefKind := eg.ExtensionManager.Service.TLS.CertificateRef.Kind + if extensionManager.Service == nil { + return fmt.Errorf("extension service config is empty") + } - if certificateRefKind == nil { - return fmt.Errorf("certificateRef empty in extension service server TLS settings") - } + switch { + case extensionManager.Service.Host == "" && extensionManager.Service.FQDN == nil && extensionManager.Service.Unix == nil && extensionManager.Service.IP == nil: + return fmt.Errorf("extension service must contain a configured target") - if *certificateRefKind != gwapiv1.Kind("Secret") { - return fmt.Errorf("unsupported extension server TLS certificateRef %v", certificateRefKind) - } + case extensionManager.Service.FQDN != nil && (extensionManager.Service.IP != nil || extensionManager.Service.Unix != nil || extensionManager.Service.Host != ""), + extensionManager.Service.IP != nil && (extensionManager.Service.FQDN != nil || extensionManager.Service.Unix != nil || extensionManager.Service.Host != ""), + extensionManager.Service.Unix != nil && (extensionManager.Service.IP != nil || extensionManager.Service.FQDN != nil || extensionManager.Service.Host != ""): + return fmt.Errorf("only one backend target can be configured for the extension manager") + } + + if extensionManager.Service.TLS != nil { + certificateRefKind := extensionManager.Service.TLS.CertificateRef.Kind + + if certificateRefKind == nil { + return fmt.Errorf("certificateRef empty in extension service server TLS settings") } - case eg.Telemetry != nil: - if eg.Telemetry.Metrics != nil { - for _, sink := range eg.Telemetry.Metrics.Sinks { - if sink.Type == egv1a1.MetricSinkTypeOpenTelemetry { - if sink.OpenTelemetry == nil { - return fmt.Errorf("OpenTelemetry is required when sink Type is OpenTelemetry") - } + + if *certificateRefKind != "Secret" { + return fmt.Errorf("unsupported extension server TLS certificateRef %v", certificateRefKind) + } + } + 
return nil +} + +func validateEnvoyGatewayTelemetry(telemetry *egv1a1.EnvoyGatewayTelemetry) error { + if telemetry == nil { + return nil + } + + if telemetry.Metrics != nil { + for _, sink := range telemetry.Metrics.Sinks { + if sink.Type == egv1a1.MetricSinkTypeOpenTelemetry { + if sink.OpenTelemetry == nil { + return fmt.Errorf("OpenTelemetry is required when sink Type is OpenTelemetry") } } } From 194a7ea98906cbf34a0b1f85c94f3e920ee3fbcf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 09:30:13 +0800 Subject: [PATCH 022/523] build(deps): bump github.com/google/cel-go from 0.20.1 to 0.21.0 (#3999) Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.20.1 to 0.21.0. - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.20.1...v0.21.0) --- updated-dependencies: - dependency-name: github.com/google/cel-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 21c1953f3d3..e66adb8a3db 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/go-logr/zapr v1.3.0 github.com/gogo/protobuf v1.3.2 github.com/golang/protobuf v1.5.4 - github.com/google/cel-go v0.20.1 + github.com/google/cel-go v0.21.0 github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.1 github.com/grafana/tempo v1.5.0 diff --git a/go.sum b/go.sum index 6328c42f379..ed3fe16fab6 100644 --- a/go.sum +++ b/go.sum 
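Review bot: In validateEnvoyGatewayExtensionManager the unsupported-kind error formats `certificateRefKind`, which is a pointer (it is nil-checked and dereferenced on the lines just above), so `%v` prints an address instead of the rejected kind; it should be `return fmt.Errorf("unsupported extension server TLS certificateRef %v", *certificateRefKind)`. The new `default:` branch in ValidateEnvoyGateway also drops the value the removed message carried; `return fmt.Errorf("unsupported provider type %v", eg.Provider.Type)` keeps a rejected config diagnosable from the log. The removed code was one flat `switch`, so only the first matching case ran, while the new code validates every section in sequence; this tightens validation rather than purely refactoring it, and a table test per helper would pin the new behaviour. The new unexported helpers have no doc comments, and the body of validateEnvoyGatewayTelemetry continues past the end of the hunk.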
@@ -597,8 +597,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= From 349760029d5ea70c003e291e8d1c9d0ddedc3e96 Mon Sep 17 00:00:00 2001 From: Dingkang Li Date: Tue, 6 Aug 2024 11:39:17 +0800 Subject: [PATCH 023/523] api: add socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy (#3724) * Define socket buffer limit api for both listener and backend Signed-off-by: Dingkang Li * update manifests Signed-off-by: Dingkang Li * comment on bufferLimit and socketBufferLimit API Signed-off-by: Dingkang Li * comment on bufferLimit and socketBufferLimit API in BackendConnection Signed-off-by: Dingkang Li * fix statPrefix testdata Signed-off-by: Dingkang Li --------- 
Signed-off-by: Dingkang Li Co-authored-by: sh2 --- api/v1alpha1/connection_types.go | 21 +++++++++++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 10 +++++++++ ....envoyproxy.io_backendtrafficpolicies.yaml | 17 +++++++++++++++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 16 ++++++++++++++ site/content/en/latest/api/extension_types.md | 4 ++-- site/content/zh/latest/api/extension_types.md | 4 ++-- 6 files changed, 68 insertions(+), 4 deletions(-) diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go index 758a22fddc7..ff24c8edd4d 100644 --- a/api/v1alpha1/connection_types.go +++ b/api/v1alpha1/connection_types.go @@ -17,6 +17,7 @@ type ClientConnection struct { // +optional ConnectionLimit *ConnectionLimit `json:"connectionLimit,omitempty"` // BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection. + // BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. // For example, 20Mi, 1Gi, 256Ki etc. // Note that when the suffix is not provided, the value is interpreted as bytes. // Default: 32768 bytes. 
@@ -24,11 +25,21 @@ type ClientConnection struct { // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" // +optional BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` + // SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket. + // SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is interpreted as bytes. + // + // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="socketBufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +optional + // +notImplementedHide + SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"` } // BackendConnection allows users to configure connection-level settings of backend type BackendConnection struct { // BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + // BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. // If unspecified, an implementation defined default is applied (32768 bytes). // For example, 20Mi, 1Gi, 256Ki etc. // Note: that when the suffix is not provided, the value is interpreted as bytes. 
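Review bot: The XValidation rule on the new `SocketBufferLimit` field constrains only the string form: its else-branch is just `type(self) == int`, so any integer value passes whatever its sign or size, and the string pattern itself admits suffixes up to `E`/`Ei`. The comment describes this as a kernel-space socket buffer, so an unbounded or non-positive value in a namespaced policy is worth rejecting at admission rather than at translation time. I would settle the bounds while the field is still `+notImplementedHide`, for example by ending the rule with `: (type(self) == int && int(self) > 0)` and stating the behaviour when unset plus the accepted maximum in the comment (CEL form to be confirmed against the CRD tests). The same rule and comment are repeated for `BackendConnection.SocketBufferLimit` in the `@@ -36,6 +47,16 @@` hunk. Both structs start or end outside their hunks.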
@@ -36,6 +47,16 @@ type BackendConnection struct { // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" // +optional BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` + // SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + // to backend. + // SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + // For example, 20Mi, 1Gi, 256Ki etc. + // Note that when the suffix is not provided, the value is interpreted as bytes. + // + // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="socketBufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +optional + // +notImplementedHide + SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"` } type ConnectionLimit struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 958025f1ddb..b5bac63fc50 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -260,6 +260,11 @@ func (in *BackendConnection) DeepCopyInto(out *BackendConnection) { x := (*in).DeepCopy() *out = &x } + if in.SocketBufferLimit != nil { + in, out := &in.SocketBufferLimit, &out.SocketBufferLimit + x := (*in).DeepCopy() + *out = &x + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendConnection. 
@@ -720,6 +725,11 @@ func (in *ClientConnection) DeepCopyInto(out *ClientConnection) { x := (*in).DeepCopy() *out = &x } + if in.SocketBufferLimit != nil { + in, out := &in.SocketBufferLimit, &out.SocketBufferLimit + x := (*in).DeepCopy() + *out = &x + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientConnection. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 7678f5eaf52..d94bd0fa0d3 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -128,6 +128,7 @@ spec: - type: string description: |- BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. If unspecified, an implementation defined default is applied (32768 bytes). For example, 20Mi, 1Gi, 256Ki etc. Note: that when the suffix is not provided, the value is interpreted as bytes. 
@@ -137,6 +138,22 @@ spec: - message: BufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") : type(self) == int' + socketBufferLimit: + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: socketBufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" + rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") + : type(self) == int' type: object dns: description: DNS includes dns resolution settings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 36a05061fc5..43443bf28cc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -103,6 +103,7 @@ spec: - type: string description: |- BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. Default: 32768 bytes. 
@@ -131,6 +132,21 @@ spec: minimum: 0 type: integer type: object + socketBufferLimit: + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + x-kubernetes-validations: + - message: socketBufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" + rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") + : type(self) == int' type: object enableProxyProtocol: description: |- diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index a9f4f2bdbc7..255c84a77af 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -288,7 +288,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -569,7 +569,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | #### ClientIPDetectionSettings diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index a9f4f2bdbc7..255c84a77af 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -288,7 +288,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -569,7 +569,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | #### ClientIPDetectionSettings From 866a6cea1af29e0bfbe761fc25b9baddc409ef80 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Tue, 6 Aug 2024 22:02:17 +0300 Subject: [PATCH 024/523] feat: add support for cluster-level settings for non xRoute-generated backend refs (#3954) * Add support for traffic management features for non xRoute-generated clusters. Signed-off-by: Lior Okman * Make gen-check happy Signed-off-by: Lior Okman * Update the CEL configuration and tests to make the required tests be installable. Unlimited arrays cause CEL validation costs to be higher than what the API server will accept. Signed-off-by: Lior Okman * Added some tests Signed-off-by: Lior Okman * DNS is also a feature that can be enabled for extProc and extAuth clusters, so treat it as such. Signed-off-by: Lior Okman * Renamed BackendConfig to BackendSettings Signed-off-by: Lior Okman * make gen-check happy Signed-off-by: Lior Okman * Rebase to make gen-check happy again. Signed-off-by: Lior Okman * Translate DNS settings correctly. Signed-off-by: Lior Okman * Rebased to include upstream changes. Update the PR to include HTTP2 settings as well. Signed-off-by: Lior Okman * Fix a typo. Signed-off-by: Lior Okman --------- 
Signed-off-by: Lior Okman --- api/v1alpha1/backendtrafficpolicy_types.go | 94 +- api/v1alpha1/connection_types.go | 12 +- api/v1alpha1/ext_auth_types.go | 42 +- api/v1alpha1/ext_proc_types.go | 12 +- api/v1alpha1/shared_types.go | 30 +- api/v1alpha1/zz_generated.deepcopy.go | 172 +-- ....envoyproxy.io_backendtrafficpolicies.yaml | 32 +- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 32 +- ....envoyproxy.io_envoyextensionpolicies.yaml | 689 +++++++++- ...ateway.envoyproxy.io_securitypolicies.yaml | 1206 ++++++++++++++++- internal/gatewayapi/backendtrafficpolicy.go | 593 +------- internal/gatewayapi/clienttrafficpolicy.go | 10 +- internal/gatewayapi/clustersettings.go | 500 +++++++ internal/gatewayapi/envoyextensionpolicy.go | 6 + internal/gatewayapi/helpers.go | 7 + internal/gatewayapi/http.go | 3 + internal/gatewayapi/securitypolicy.go | 8 + ...ndtrafficpolicy-with-dns-settings.out.yaml | 24 +- ...with-extproc-with-traffic-features.in.yaml | 262 ++++ ...ith-extproc-with-traffic-features.out.yaml | 431 ++++++ internal/ir/xds.go | 13 +- internal/ir/zz_generated.deepcopy.go | 20 +- .../provider/kubernetes/predicates_test.go | 40 +- internal/xds/translator/cluster.go | 5 +- internal/xds/translator/extauth.go | 4 +- internal/xds/translator/extproc.go | 3 +- .../ext-proc-with-traffic-settings.yaml | 124 ++ ...t-proc-with-traffic-settings.clusters.yaml | 135 ++ ...-proc-with-traffic-settings.endpoints.yaml | 63 + ...-proc-with-traffic-settings.listeners.yaml | 49 + ...ext-proc-with-traffic-settings.routes.yaml | 59 + ...xt-proc-with-traffic-settings.secrets.yaml | 8 + internal/xds/translator/utils.go | 24 +- site/content/en/latest/api/extension_types.md | 99 +- site/content/zh/latest/api/extension_types.md | 99 +- .../backendtrafficpolicy_test.go | 372 +++-- .../clienttrafficpolicy_test.go | 6 +- .../envoyextensionpolicy_test.go | 56 +- test/cel-validation/securitypolicy_test.go | 128 +- 39 files changed, 4362 insertions(+), 1110 deletions(-) create mode 100644 
internal/gatewayapi/clustersettings.go create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.secrets.yaml diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 80e4561507e..3f014b28285 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go 
@@ -46,12 +46,61 @@ type BackendTrafficPolicy struct { // BackendTrafficPolicySpec defines the desired state of BackendTrafficPolicy. type BackendTrafficPolicySpec struct { PolicyTargetReferences `json:",inline"` + ClusterSettings `json:",inline"` // RateLimit allows the user to limit the number of incoming requests // to a predefined value based on attributes within the traffic flow. // +optional RateLimit *RateLimitSpec `json:"rateLimit,omitempty"` + // FaultInjection defines the fault injection policy to be applied. This configuration can be used to + // inject delays and abort requests to mimic failure scenarios such as service failures and overloads + // +optional + FaultInjection *FaultInjection `json:"faultInjection,omitempty"` + + // Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + // If not set, retry will be disabled. + // +optional + Retry *Retry `json:"retry,omitempty"` + + // UseClientProtocol configures Envoy to prefer sending requests to backends using + // the same HTTP protocol that the incoming request used. Defaults to false, which means + // that Envoy will use the protocol indicated by the attached BackendRef. + // + // +optional + UseClientProtocol *bool `json:"useClientProtocol,omitempty"` + + // The compression config for the http streams. + // + // +optional + // +notImplementedHide + Compression []*Compression `json:"compression,omitempty"` +} + +// +kubebuilder:object:root=true + +// BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. 
+type BackendTrafficPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []BackendTrafficPolicy `json:"items"` +} + +// BackendTrafficPolicyConnection allows users to configure connection-level settings of backend +type BackendTrafficPolicyConnection struct { + // BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + // If unspecified, an implementation defined default is applied (32768 bytes). + // For example, 20Mi, 1Gi, 256Ki etc. + // Note: that when the suffix is not provided, the value is interpreted as bytes. + // + // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +optional + BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` +} + +// ClusterSettings provides the various knobs that can be set to control how traffic to a given +// backend will be configured. +type ClusterSettings struct { // LoadBalancer policy to apply when routing traffic from the gateway to // the backend endpoints // +optional 
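Review bot: `BackendTrafficPolicyConnection` is re-added here with the old CEL `XValidation` marker on `BufferLimit`, while the same patch converts `ClientConnection`, `BackendConnection` and `HTTP2Settings` to `XIntOrString` plus `Pattern`. No field in the visible hunks refers to this type (`Connection` in `ClusterSettings` is a `*BackendConnection`), so it looks unused; if that holds across the package, dropping it avoids a second, differently validated definition of the same setting. If it must stay, give it the same two markers, `// +kubebuilder:validation:XIntOrString` and `// +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$"`, so both forms reject the same inputs. The `ClusterSettings` struct opened at the end of this hunk continues in the next one.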
@@ -72,44 +121,22 @@ type BackendTrafficPolicySpec struct { // +optional HealthCheck *HealthCheck `json:"healthCheck,omitempty"` - // FaultInjection defines the fault injection policy to be applied. This configuration can be used to - // inject delays and abort requests to mimic failure scenarios such as service failures and overloads - // +optional - FaultInjection *FaultInjection `json:"faultInjection,omitempty"` - // Circuit Breaker settings for the upstream connections and requests. // If not set, circuit breakers will be enabled with the default thresholds // // +optional CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"` - // Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. - // If not set, retry will be disabled. - // +optional - Retry *Retry `json:"retry,omitempty"` - - // UseClientProtocol configures Envoy to prefer sending requests to backends using - // the same HTTP protocol that the incoming request used. Defaults to false, which means - // that Envoy will use the protocol indicated by the attached BackendRef. - // - // +optional - UseClientProtocol *bool `json:"useClientProtocol,omitempty"` - // Timeout settings for the backend connections. // // +optional Timeout *Timeout `json:"timeout,omitempty"` - // The compression config for the http streams. - // - // +optional - // +notImplementedHide - Compression []*Compression `json:"compression,omitempty"` - // Connection includes backend connection settings. // // +optional Connection *BackendConnection `json:"connection,omitempty"` + // DNS includes dns resolution settings. // // +optional 
@@ -121,27 +148,6 @@ type BackendTrafficPolicySpec struct { HTTP2 *HTTP2Settings `json:"http2,omitempty"` } -// +kubebuilder:object:root=true - -// BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. -type BackendTrafficPolicyList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []BackendTrafficPolicy `json:"items"` -} - -// BackendTrafficPolicyConnection allows users to configure connection-level settings of backend -type BackendTrafficPolicyConnection struct { - // BufferLimit Soft limit on size of the cluster’s connections read and write buffers. - // If unspecified, an implementation defined default is applied (32768 bytes). - // For example, 20Mi, 1Gi, 256Ki etc. - // Note: that when the suffix is not provided, the value is interpreted as bytes. - // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" - // +optional - BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` -} - func init() { SchemeBuilder.Register(&BackendTrafficPolicy{}, &BackendTrafficPolicyList{}) } diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go index ff24c8edd4d..6f27794748b 100644 --- a/api/v1alpha1/connection_types.go +++ b/api/v1alpha1/connection_types.go 
@@ -22,7 +22,8 @@ type ClientConnection struct { // Note that when the suffix is not provided, the value is interpreted as bytes. // Default: 32768 bytes. // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` // SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket. @@ -30,7 +31,8 @@ type ClientConnection struct { // For example, 20Mi, 1Gi, 256Ki etc. // Note that when the suffix is not provided, the value is interpreted as bytes. // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="socketBufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional // +notImplementedHide SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"` 
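Review bot: The `Pattern` marker that replaces the CEL rule on `BufferLimit` and `SocketBufferLimit` constrains only string values; an integer such as `0` or a negative number still passes the schema, as it did through the old rule's `type(self) == int` branch. Whether the translator rejects a non-positive quantity is not visible in this patch, so the conversion code should check it and the field comment should state the range, for example `// Must be a positive quantity; integer values are not pattern-checked by the CRD schema.` The same applies to the two `BackendConnection` hunks and the `HTTP2Settings` window-size hunk later in this patch. The custom validation message is also dropped, so users will see only the generic pattern-mismatch error. Both structs continue outside these hunks.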
@@ -44,7 +46,8 @@ type BackendConnection struct { // For example, 20Mi, 1Gi, 256Ki etc. // Note: that when the suffix is not provided, the value is interpreted as bytes. // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` // SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket @@ -53,7 +56,8 @@ type BackendConnection struct { // For example, 20Mi, 1Gi, 256Ki etc. // Note that when the suffix is not provided, the value is interpreted as bytes. // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="socketBufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional // +notImplementedHide SocketBufferLimit *resource.Quantity `json:"socketBufferLimit,omitempty"` diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 13de5f9f6ac..e258ad82e44 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go @@ -5,10 +5,6 @@ package v1alpha1 -import ( - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" -) - // ExtAuth defines the configuration for External Authorization. // // +kubebuilder:validation:XValidation:rule="(has(self.grpc) || has(self.http))",message="one of grpc or http must be specified" 
@@ -56,45 +52,23 @@ type ExtAuth struct { // The authorization request message is defined in // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.group == \"\") : true" +// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="only one backendRef can be specified.",rule="has(self.backendRefs) ? self.backendRefs.size() == 1 : true" type GRPCExtAuthService struct { - // BackendRef references a Kubernetes object that represents the - // backend server to which the authorization request will be sent. - // Only Service kind is supported for now. - // - // Deprecated: Use BackendRefs instead. - BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"` - - // BackendRefs references a Kubernetes object that represents the - // backend server to which the authorization request will be sent. // Only Service kind is supported for now. 
- // - // +optional - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs,omitempty"` + BackendCluster `json:",inline"` } // HTTPExtAuthService defines the HTTP External Authorization service // // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.group == \"\") : true" +// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="only one backendRef can be specified.",rule="has(self.backendRefs) ? self.backendRefs.size() == 1 : true" type HTTPExtAuthService struct { - // BackendRef references a Kubernetes object that represents the - // backend server to which the authorization request will be sent. // Only Service kind is supported for now. - // - // Deprecated: Use BackendRefs instead. - BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"` - - // BackendRefs references a Kubernetes object that represents the - // backend server to which the authorization request will be sent. - // Only Service kind is supported for now. 
- // - // +optional - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs,omitempty"` + BackendCluster `json:",inline"` // Path is the path of the HTTP External Authorization service. // If path is specified, the authorization request will be sent to that path, diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index 27be5e6318d..9f19d92b48f 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go 
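Review bot: The three added type-level rules on `GRPCExtAuthService` and `HTTPExtAuthService` check only `backendRefs`; the deprecated `backendRef` gets no kind or group restriction from them, and nothing rejects a policy that sets both fields, so which backend receives the authorization request is decided outside this hunk. For an authorization service that ambiguity is worth closing at admission, for example with `// +kubebuilder:validation:XValidation:message="backendRef and backendRefs are mutually exclusive",rule="!(has(self.backendRef) && has(self.backendRefs))"`. The embedded `BackendCluster` also exposes `backendSettings` on both services; if the ext-auth translation does not honour it yet (not visible here), the field documentation should say so rather than letting timeouts or circuit-breaker settings be silently ignored. The leftover comment `// Only Service kind is supported for now.` now sits directly above the embedded field and reads as its entire description. `HTTPExtAuthService` continues past the end of the hunk.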
@@ -46,14 +46,12 @@ type ExtProcProcessingMode struct { } // ExtProc defines the configuration for External Processing filter. +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type ExtProc struct { - // BackendRefs defines the configuration of the external processing service - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="self.all(f, f.kind == 'Service' || f.kind == 'Backend')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="self.all(f, f.group == '' || f.group == 'gateway.envoyproxy.io')" - BackendRefs []BackendRef `json:"backendRefs"` + BackendCluster `json:",inline"` // MessageTimeout is the timeout for a response to be returned from the external processor // Default: 200ms diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index c151fcd8b17..89aef19c37b 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -475,6 +475,30 @@ type BackendRef struct { gwapiv1.BackendObjectReference `json:",inline"` } +// BackendCluster contains all the configuration required for configuring access +// to a backend. This can include multiple endpoints, and settings that apply for +// managing the connection to all these endpoints. +type BackendCluster struct { + // BackendRef references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // Deprecated: Use BackendRefs instead. + BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"` + + // BackendRefs references a Kubernetes object that represents the + // backend server to which the authorization request will be sent. + // + // +kubebuilder:validation:MaxItems=16 + // +optional + BackendRefs []BackendRef `json:"backendRefs,omitempty"` + + // BackendSettings holds configuration for managing the connection + // to the backend. + // + // +optional + BackendSettings *ClusterSettings `json:"backendSettings,omitempty"` +} + // CIDR defines a CIDR Address range. // A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". 
// +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))` 
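Review bot: The field comments on `BackendCluster` were carried over from ext-auth and still say "the authorization request will be sent", but the type is also embedded in `ExtProc`, so the generated API docs will describe the external processor's backend as an authorization server. Reword them neutrally, e.g. `// BackendRefs references the Kubernetes objects that represent the backend servers to which requests will be sent.` The type comment should also state that the only restriction carried by the shared type is `MaxItems=16`, and that kind, group and count limits live in each embedding type's `XValidation` rules, since a future embedder that omits those rules would accept any reference kind.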
@@ -492,14 +516,16 @@ type HTTP2Settings struct { // InitialStreamWindowSize sets the initial window size for HTTP/2 streams. // If not set, the default value is 64 KiB(64*1024). // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialStreamWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional InitialStreamWindowSize *resource.Quantity `json:"initialStreamWindowSize,omitempty"` // InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. // If not set, the default value is 1 MiB. // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="initialConnectionWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" + // +kubebuilder:validation:XIntOrString + // +kubebuilder:validation:Pattern="^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" // +optional InitialConnectionWindowSize *resource.Quantity `json:"initialConnectionWindowSize,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b5bac63fc50..c8f7a5711fa 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -252,6 +252,38 @@ func (in *Backend) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackendCluster) DeepCopyInto(out *BackendCluster) { + *out = *in + if in.BackendRef != nil { + in, out := &in.BackendRef, &out.BackendRef + *out = new(apisv1.BackendObjectReference) + (*in).DeepCopyInto(*out) + } + if in.BackendRefs != nil { + in, out := &in.BackendRefs, &out.BackendRefs + *out = make([]BackendRef, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.BackendSettings != nil { + in, out := &in.BackendSettings, &out.BackendSettings + *out = new(ClusterSettings) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendCluster. +func (in *BackendCluster) DeepCopy() *BackendCluster { + if in == nil { + return nil + } + out := new(BackendCluster) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackendConnection) DeepCopyInto(out *BackendConnection) { *out = *in 
@@ -508,41 +540,17 @@ func (in *BackendTrafficPolicyList) DeepCopyObject() runtime.Object { func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) { *out = *in in.PolicyTargetReferences.DeepCopyInto(&out.PolicyTargetReferences) + in.ClusterSettings.DeepCopyInto(&out.ClusterSettings) if in.RateLimit != nil { in, out := &in.RateLimit, &out.RateLimit *out = new(RateLimitSpec) (*in).DeepCopyInto(*out) } - if in.LoadBalancer != nil { - in, out := &in.LoadBalancer, &out.LoadBalancer - *out = new(LoadBalancer) - (*in).DeepCopyInto(*out) - } - if in.ProxyProtocol != nil { - in, out := &in.ProxyProtocol, &out.ProxyProtocol - *out = new(ProxyProtocol) - **out = **in - } - if in.TCPKeepalive != nil { - in, out := &in.TCPKeepalive, &out.TCPKeepalive - *out = new(TCPKeepalive) - (*in).DeepCopyInto(*out) - } - if in.HealthCheck != nil { - in, out := &in.HealthCheck, &out.HealthCheck - *out = new(HealthCheck) - (*in).DeepCopyInto(*out) - } if in.FaultInjection != nil { in, out := &in.FaultInjection, &out.FaultInjection *out = new(FaultInjection) (*in).DeepCopyInto(*out) } - if in.CircuitBreaker != nil { - in, out := &in.CircuitBreaker, &out.CircuitBreaker - *out = new(CircuitBreaker) - (*in).DeepCopyInto(*out) - } if in.Retry != nil { in, out := &in.Retry, &out.Retry *out = new(Retry) @@ -553,11 +561,6 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) *out = new(bool) **out = **in } - if in.Timeout != nil { - in, out := &in.Timeout, &out.Timeout - *out = new(Timeout) - (*in).DeepCopyInto(*out) - } if in.Compression != nil { in, out := &in.Compression, &out.Compression *out = make([]*Compression, len(*in)) 
@@ -569,21 +572,6 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) } } } - if in.Connection != nil { - in, out := &in.Connection, &out.Connection - *out = new(BackendConnection) - (*in).DeepCopyInto(*out) - } - if in.DNS != nil { - in, out := &in.DNS, &out.DNS - *out = new(DNS) - (*in).DeepCopyInto(*out) - } - if in.HTTP2 != nil { - in, out := &in.HTTP2, &out.HTTP2 - *out = new(HTTP2Settings) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec. 
@@ -970,6 +958,66 @@ func (in *ClientValidationContext) DeepCopy() *ClientValidationContext { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterSettings) DeepCopyInto(out *ClusterSettings) { + *out = *in + if in.LoadBalancer != nil { + in, out := &in.LoadBalancer, &out.LoadBalancer + *out = new(LoadBalancer) + (*in).DeepCopyInto(*out) + } + if in.ProxyProtocol != nil { + in, out := &in.ProxyProtocol, &out.ProxyProtocol + *out = new(ProxyProtocol) + **out = **in + } + if in.TCPKeepalive != nil { + in, out := &in.TCPKeepalive, &out.TCPKeepalive + *out = new(TCPKeepalive) + (*in).DeepCopyInto(*out) + } + if in.HealthCheck != nil { + in, out := &in.HealthCheck, &out.HealthCheck + *out = new(HealthCheck) + (*in).DeepCopyInto(*out) + } + if in.CircuitBreaker != nil { + in, out := &in.CircuitBreaker, &out.CircuitBreaker + *out = new(CircuitBreaker) + (*in).DeepCopyInto(*out) + } + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(Timeout) + (*in).DeepCopyInto(*out) + } + if in.Connection != nil { + in, out := &in.Connection, &out.Connection + *out = new(BackendConnection) + (*in).DeepCopyInto(*out) + } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } + if in.HTTP2 != nil { + in, out := &in.HTTP2, &out.HTTP2 + *out = new(HTTP2Settings) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSettings. +func (in *ClusterSettings) DeepCopy() *ClusterSettings { + if in == nil { + return nil + } + out := new(ClusterSettings) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Compression) DeepCopyInto(out *Compression) { *out = *in 
@@ -2000,13 +2048,7 @@ func (in *ExtAuth) DeepCopy() *ExtAuth { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtProc) DeepCopyInto(out *ExtProc) { *out = *in - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.MessageTimeout != nil { in, out := &in.MessageTimeout, &out.MessageTimeout *out = new(apisv1.Duration) @@ -2304,18 +2346,7 @@ func (in *FilterPosition) DeepCopy() *FilterPosition { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GRPCExtAuthService) DeepCopyInto(out *GRPCExtAuthService) { *out = *in - if in.BackendRef != nil { - in, out := &in.BackendRef, &out.BackendRef - *out = new(apisv1.BackendObjectReference) - (*in).DeepCopyInto(*out) - } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + in.BackendCluster.DeepCopyInto(&out.BackendCluster) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCExtAuthService. 
@@ -2553,18 +2584,7 @@ func (in *HTTPClientTimeout) DeepCopy() *HTTPClientTimeout { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPExtAuthService) DeepCopyInto(out *HTTPExtAuthService) { *out = *in - if in.BackendRef != nil { - in, out := &in.BackendRef, &out.BackendRef - *out = new(apisv1.BackendObjectReference) - (*in).DeepCopyInto(*out) - } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.Path != nil { in, out := &in.Path, &out.Path *out = new(string) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index d94bd0fa0d3..daf4175fc3b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -123,6 +123,9 @@ spec: description: Connection includes backend connection settings. properties: bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string 
@@ -132,13 +135,11 @@ spec: If unspecified, an implementation defined default is applied (32768 bytes). For example, 20Mi, 1Gi, 256Ki etc. Note: that when the suffix is not provided, the value is interpreted as bytes. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: BufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string @@ -148,12 +149,7 @@ spec: SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: socketBufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' type: object dns: description: DNS includes dns resolution settings. 
@@ -457,31 +453,27 @@ spec: description: HTTP2 provides HTTP/2 configuration for backend connections. properties: initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string description: |- InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. If not set, the default value is 1 MiB. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: initialConnectionWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string description: |- InitialStreamWindowSize sets the initial window size for HTTP/2 streams. If not set, the default value is 64 KiB(64*1024). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: initialStreamWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' maxConcurrentStreams: description: |- MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 43443bf28cc..0dd5ac6a980 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -98,6 +98,9 @@ spec: description: Connection includes client connection settings. properties: bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string @@ -107,12 +110,7 @@ spec: For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. Default: 32768 bytes. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: bufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' connectionLimit: description: ConnectionLimit defines limits related to connections properties: @@ -133,6 +131,9 @@ spec: type: integer type: object socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string 
@@ -141,12 +142,7 @@ spec: SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: socketBufferLimit must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' type: object enableProxyProtocol: description: |- 
@@ -283,31 +279,27 @@ spec: description: HTTP2 provides HTTP/2 configuration on the listener. properties: initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string description: |- InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. If not set, the default value is 1 MiB. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: initialConnectionWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ anyOf: - type: integer - type: string description: |- InitialStreamWindowSize sets the initial window size for HTTP/2 streams. If not set, the default value is 64 KiB(64*1024). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: initialStreamWindowSize must be of the format "^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$" - rule: 'type(self) == string ? self.matches(r"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$") - : type(self) == int' maxConcurrentStreams: description: |- MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 61827ee1205..8712a6b13a2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
@@ -54,9 +54,91 @@ spec: description: ExtProc defines the configuration for External Processing filter. properties: + backendRef: + description: |- + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' backendRefs: - description: BackendRefs defines the configuration of the external - processing service + description: |- + BackendRefs references a Kubernetes object that represents the + backend server to which the authorization request will be sent. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -134,15 +216,588 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 - minItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: BackendRefs only supports Service and Backend kind. - rule: self.all(f, f.kind == 'Service' || f.kind == 'Backend') - - message: BackendRefs only supports Core and gateway.envoyproxy.io - group. - rule: self.all(f, f.group == '' || f.group == 'gateway.envoyproxy.io') + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections that + Envoy will establish to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel requests + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel retries + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending requests + that Envoy will queue to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. 
+ Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold defines the number + of healthy health checks required before a backend + host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines a list + of HTTP expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the + payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines the http status + code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP path that + will be requested during health checking. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time between active + health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected response + payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the + payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of the + payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time to wait for + a health check response. 
+ format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines the number + of unhealthy health checks required before a backend + host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, http field + needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)' + - message: If Health Checker type is TCP, tcp field + needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines the base duration + for which a host will be ejected on consecutive + failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets the number + of consecutive 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors sets the number + of consecutive gateway errors triggering ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time between passive + health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can be ejected. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors enables + splitting of errors between external and local + origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie hash policy + when the consistent hash type is set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes to set for + the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header hash policy + when the consistent hash type is set to Header. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". 
+ enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, the header + field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, the cookie + field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported for RoundRobin + and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] ? 
+ !has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy Protocol when + communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object failOpen: description: |- FailOpen defines if requests or responses that cannot be processed due to connectivity to the @@ -187,9 +842,19 @@ spec: type: string type: object type: object - required: - - backendRefs type: object + x-kubernetes-validations: + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: Exactly one backendRef can be specified in backendRefs. + rule: has(self.backendRefs) && self.backendRefs.size()==1 + - message: BackendRefs only supports Service and Backend kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind + == ''Service'' || f.kind == ''Backend'') : true' + - message: BackendRefs only supports Core and gateway.envoyproxy.io + group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group + == "" || f.group == ''gateway.envoyproxy.io'')) : true' maxItems: 16 type: array targetRef: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 3906b325b3d..30c1b406d91 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -260,7 +260,6 @@ spec: description: |- BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Only Service kind is supported for now. Deprecated: Use BackendRefs instead. @@ -342,7 +341,6 @@ spec: description: |- BackendRefs references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Only Service kind is supported for now. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -420,17 +418,606 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: only support Service kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core group. - rule: self.all(f, f.group == '') + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections that + Envoy will establish to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel requests + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel retries + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending requests + that Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold defines the number + of healthy health checks required before a backend + host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines a list + of HTTP expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines the http + status code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP path that + will be requested during health checking. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time between + active health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected + response payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time to wait + for a health check response. 
+ format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines the number + of unhealthy health checks required before a + backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, http field + needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) : + !has(self.http)' + - message: If Health Checker type is TCP, tcp field + needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines the base + duration for which a host will be ejected on + consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets the number + of consecutive 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors sets the + number of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time between + passive health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can be + ejected. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors enables + splitting of errors between external and local + origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie hash + policy when the consistent hash type is set + to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes to set + for the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header hash + policy when the consistent hash type is set + to Header. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". 
+ enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, the + header field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, the + cookie field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported for RoundRobin + and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? 
!has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object type: object x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.group + == "") : true' + - message: only support Service kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind + == ''Service'') : true' + - message: only one backendRef can be specified. + rule: 'has(self.backendRefs) ? self.backendRefs.size() == 1 + : true' headersToExtAuth: description: |- HeadersToExtAuth defines the client request headers that will be included @@ -456,7 +1043,6 @@ spec: description: |- BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Only Service kind is supported for now. Deprecated: Use BackendRefs instead. @@ -538,7 +1124,6 @@ spec: description: |- BackendRefs references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Only Service kind is supported for now. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -616,13 +1201,593 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: only support Service kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core group. - rule: self.all(f, f.group == '') + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections that + Envoy will establish to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel requests + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel retries + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending requests + that Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold defines the number + of healthy health checks required before a backend + host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines a list + of HTTP expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines the http + status code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP path that + will be requested during health checking. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time between + active health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected + response payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time to wait + for a health check response. 
+ format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines the number + of unhealthy health checks required before a + backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, http field + needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) : + !has(self.http)' + - message: If Health Checker type is TCP, tcp field + needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines the base + duration for which a host will be ejected on + consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets the number + of consecutive 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors sets the + number of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time between + passive health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can be + ejected. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors enables + splitting of errors between external and local + origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie hash + policy when the consistent hash type is set + to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes to set + for the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header hash + policy when the consistent hash type is set + to Header. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". 
+ enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, the + header field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, the + cookie field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported for RoundRobin + and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? 
!has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object headersToBackend: description: |- HeadersToBackend are the authorization response headers that will be added @@ -643,6 +1808,15 @@ spec: x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.group + == "") : true' + - message: only support Service kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind + == ''Service'') : true' + - message: only one backendRef can be specified. + rule: 'has(self.backendRefs) ? self.backendRefs.size() == 1 + : true' type: object x-kubernetes-validations: - message: one of grpc or http must be specified diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 120918a8f6a..d5e66e6e7c0 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -9,10 +9,8 @@ import ( "errors" "fmt" "math" - "math/big" "sort" "strings" - "time" perr "github.com/pkg/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -307,60 +305,42 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen errs = errors.Join(errs, err) } } - if policy.Spec.LoadBalancer != nil { - if lb, err = t.buildLoadBalancer(policy); err != nil { - err = perr.WithMessage(err, "LoadBalancer") - errs = errors.Join(errs, err) - } + if lb, err = buildLoadBalancer(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "LoadBalancer") + errs = errors.Join(errs, err) } - if policy.Spec.ProxyProtocol != nil { - pp = t.buildProxyProtocol(policy) - } - if policy.Spec.HealthCheck != nil { - hc = t.buildHealthCheck(policy) - } - if policy.Spec.CircuitBreaker != nil { - if cb, err = t.buildCircuitBreaker(policy); err != nil { - err = perr.WithMessage(err, "CircuitBreaker") - errs = errors.Join(errs, err) - } + pp = buildProxyProtocol(policy.Spec.ClusterSettings) + hc = buildHealthCheck(policy.Spec.ClusterSettings) + if cb, err = buildCircuitBreaker(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } if policy.Spec.FaultInjection != nil { fi = t.buildFaultInjection(policy) } - if policy.Spec.TCPKeepalive != nil { - if ka, err = t.buildTCPKeepAlive(policy); err != nil { - err = perr.WithMessage(err, "TCPKeepalive") - errs = errors.Join(errs, err) - } + if ka, err = buildTCPKeepAlive(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - if policy.Spec.Timeout != nil { - if to, err = t.buildTimeout(policy, nil); err != nil { - err = perr.WithMessage(err, "Timeout") - errs = errors.Join(errs, err) - } + if to, err = buildTimeout(policy.Spec.ClusterSettings, nil); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } - if policy.Spec.Connection != nil { - if bc, err = t.buildBackendConnection(policy); err != nil { - err = perr.WithMessage(err, 
"BackendConnection") - errs = errors.Join(errs, err) - } + if bc, err = buildBackendConnection(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "BackendConnection") + errs = errors.Join(errs, err) } - if policy.Spec.HTTP2 != nil { - if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { - err = perr.WithMessage(err, "HTTP2") - errs = errors.Join(errs, err) - } + if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) } - if policy.Spec.DNS != nil { - ds = t.translateDNS(policy) - } + ds = translateDNS(policy.Spec.ClusterSettings) // Early return if got any errors if errs != nil { @@ -414,17 +394,15 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen Retry: rt, BackendConnection: bc, HTTP2: h2, + DNS: ds, } - r.DNS = ds // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) // Some timeout setting originate from the route. - if policy.Spec.Timeout != nil { - if to, err = t.buildTimeout(policy, r); err == nil { - r.Traffic.Timeout = to - } + if to, err = buildTimeout(policy.Spec.ClusterSettings, r); err == nil { + r.Traffic.Timeout = to } if policy.Spec.UseClientProtocol != nil { 
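Review bot: The `policy.Spec.HTTP2 != nil` guard is dropped in this hunk, so `buildIRHTTP2Settings` now runs for every policy, and its body is not part of this diff. The other helpers called unguarded here (`buildLoadBalancer`, `buildTimeout`, `buildTCPKeepAlive`, `buildCircuitBreaker`, `buildBackendConnection`) each open with their own nil check in the new clustersettings.go, but the same cannot be confirmed for the HTTP2 helper from the visible lines. Please confirm it returns `nil, nil` for a nil argument, or keep `if policy.Spec.HTTP2 != nil {` around the call. Otherwise a policy without HTTP2 settings could hit a nil dereference or produce an empty HTTP2 block. The `@@ -461,52 +439,36 @@` hunk makes the identical change on the Gateway path; the enclosing function starts and ends outside the hunk.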
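Review bot: With the `policy.Spec.Timeout != nil` guard removed, the second `buildTimeout(policy.Spec.ClusterSettings, r)` call returns `nil, nil` for a policy that has no Timeout, because the new function returns before it reaches the route merge, and `r.Traffic.Timeout = to` then stores nil. Whether that discards a request timeout taken from the route depends on how `r.Traffic` is populated above the hunk, which is not visible here. A test with a route-level timeout and a policy that sets no Timeout would settle it. Keeping the old guard, `if policy.Spec.Timeout != nil {`, around the call preserves the previous behaviour. The `@@ -604,25 +547,18 @@` hunk makes the same change with `ct`.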
@@ -461,52 +439,36 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back errs = errors.Join(errs, err) } } - if policy.Spec.LoadBalancer != nil { - if lb, err = t.buildLoadBalancer(policy); err != nil { - err = perr.WithMessage(err, "LoadBalancer") - errs = errors.Join(errs, err) - } - } - if policy.Spec.ProxyProtocol != nil { - pp = t.buildProxyProtocol(policy) + if lb, err = buildLoadBalancer(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "LoadBalancer") + errs = errors.Join(errs, err) } - if policy.Spec.HealthCheck != nil { - hc = t.buildHealthCheck(policy) - } - if policy.Spec.CircuitBreaker != nil { - if cb, err = t.buildCircuitBreaker(policy); err != nil { - err = perr.WithMessage(err, "CircuitBreaker") - errs = errors.Join(errs, err) - } + pp = buildProxyProtocol(policy.Spec.ClusterSettings) + hc = buildHealthCheck(policy.Spec.ClusterSettings) + if cb, err = buildCircuitBreaker(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "CircuitBreaker") + errs = errors.Join(errs, err) } if policy.Spec.FaultInjection != nil { fi = t.buildFaultInjection(policy) } - if policy.Spec.TCPKeepalive != nil { - if ka, err = t.buildTCPKeepAlive(policy); err != nil { - err = perr.WithMessage(err, "TCPKeepalive") - errs = errors.Join(errs, err) - } + if ka, err = buildTCPKeepAlive(policy.Spec.ClusterSettings); err != nil { + err = perr.WithMessage(err, "TCPKeepalive") + errs = errors.Join(errs, err) } if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, nil); err != nil { - err = perr.WithMessage(err, "Timeout") - errs = errors.Join(errs, err) - } + if ct, err = buildTimeout(policy.Spec.ClusterSettings, nil); err != nil { + err = perr.WithMessage(err, "Timeout") + errs = errors.Join(errs, err) } - if policy.Spec.HTTP2 != nil { - if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { - err = perr.WithMessage(err, 
"HTTP2") - errs = errors.Join(errs, err) - } + if h2, err = buildIRHTTP2Settings(policy.Spec.HTTP2); err != nil { + err = perr.WithMessage(err, "HTTP2") + errs = errors.Join(errs, err) } - if policy.Spec.DNS != nil { - ds = t.translateDNS(policy) - } + ds = translateDNS(policy.Spec.ClusterSettings) // Early return if got any errors if errs != nil { @@ -529,26 +491,15 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } for _, r := range tcp.Routes { - // policy(targeting xRoute) has already set it, so we skip it. - if r.LoadBalancer != nil || r.ProxyProtocol != nil || - r.HealthCheck != nil || r.CircuitBreaker != nil || - r.TCPKeepalive != nil || r.Timeout != nil { - continue - } - - r.LoadBalancer = lb - r.ProxyProtocol = pp - r.HealthCheck = hc - r.CircuitBreaker = cb - r.TCPKeepalive = ka - - if r.Timeout == nil { - r.Timeout = ct - } - - if r.DNS == nil { - r.DNS = ds - } + // only set attributes which weren't already set by a more + // specific policy + setIfNil(&r.LoadBalancer, lb) + setIfNil(&r.ProxyProtocol, pp) + setIfNil(&r.HealthCheck, hc) + setIfNil(&r.CircuitBreaker, cb) + setIfNil(&r.TCPKeepalive, ka) + setIfNil(&r.Timeout, ct) + setIfNil(&r.DNS, ds) } } @@ -564,19 +515,11 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back route := udp.Route - // policy(targeting xRoute) has already set it, so we skip it. - if route.LoadBalancer != nil || route.Timeout != nil { - continue - } - - route.LoadBalancer = lb - if route.Timeout == nil { - route.Timeout = ct - } - - if route.DNS == nil { - route.DNS = ds - } + // only set attributes which weren't already set by a more + // specific policy + setIfNil(&route.LoadBalancer, lb) + setIfNil(&route.Timeout, ct) + setIfNil(&route.DNS, ds) } for _, http := range x.HTTP { 
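Review bot: Replacing the early `continue` in the TCP loop with per-field `setIfNil` calls changes how a Gateway-level policy combines with a route-level one, not only how the code reads. Before, a TCP route with any of LoadBalancer, ProxyProtocol, HealthCheck, CircuitBreaker, TCPKeepalive or Timeout already set was left untouched. Now every field the route policy left nil is filled from the Gateway policy, so a route that set only a load balancer can also receive the Gateway's ProxyProtocol or health check. The UDP loop in the `@@ -564,19 +515,11 @@` hunk changes the same way. If the merge is intended, a test where the route policy and the Gateway policy set different fields would pin it down, and the comment could say so, e.g. `// merge per field: the Gateway policy fills whatever the route policy left unset`; `setIfNil` itself is defined outside the visible diff.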
@@ -604,25 +547,18 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back TCPKeepalive: ka, Retry: rt, HTTP2: h2, - } - - if r.DNS == nil { - r.DNS = ds + DNS: ds, } // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) - if policy.Spec.Timeout != nil { - if ct, err = t.buildTimeout(policy, r); err == nil { - r.Traffic.Timeout = ct - } + if ct, err = buildTimeout(policy.Spec.ClusterSettings, r); err == nil { + r.Traffic.Timeout = ct } if policy.Spec.UseClientProtocol != nil { - if r.UseClientProtocol == nil { - r.UseClientProtocol = policy.Spec.UseClientProtocol - } + setIfNil(&r.UseClientProtocol, policy.Spec.UseClientProtocol) } } } 
@@ -815,222 +751,6 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) { return irRule, nil } -func (t *Translator) buildLoadBalancer(policy *egv1a1.BackendTrafficPolicy) (*ir.LoadBalancer, error) { - var lb *ir.LoadBalancer - switch policy.Spec.LoadBalancer.Type { - case egv1a1.ConsistentHashLoadBalancerType: - consistentHash, err := t.buildConsistentHashLoadBalancer(policy) - if err != nil { - return nil, perr.WithMessage(err, "ConsistentHash") - } - - lb = &ir.LoadBalancer{ - ConsistentHash: consistentHash, - } - case egv1a1.LeastRequestLoadBalancerType: - lb = &ir.LoadBalancer{} - if policy.Spec.LoadBalancer.SlowStart != nil { - if policy.Spec.LoadBalancer.SlowStart.Window != nil { - lb.LeastRequest = &ir.LeastRequest{ - SlowStart: &ir.SlowStart{ - Window: policy.Spec.LoadBalancer.SlowStart.Window, - }, - } - } - } - case egv1a1.RandomLoadBalancerType: - lb = &ir.LoadBalancer{ - Random: &ir.Random{}, - } - case egv1a1.RoundRobinLoadBalancerType: - lb = &ir.LoadBalancer{ - RoundRobin: &ir.RoundRobin{ - SlowStart: &ir.SlowStart{}, - }, - } - if policy.Spec.LoadBalancer.SlowStart != nil { - if policy.Spec.LoadBalancer.SlowStart.Window != nil { - lb.RoundRobin = &ir.RoundRobin{ - SlowStart: &ir.SlowStart{ - Window: policy.Spec.LoadBalancer.SlowStart.Window, - }, - } - } - } - } - - return lb, nil -} - -func (t *Translator) buildConsistentHashLoadBalancer(policy *egv1a1.BackendTrafficPolicy) (*ir.ConsistentHash, error) { - consistentHash := &ir.ConsistentHash{} - - if policy.Spec.LoadBalancer.ConsistentHash.TableSize != nil { - tableSize := policy.Spec.LoadBalancer.ConsistentHash.TableSize - - if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) { - return nil, fmt.Errorf("invalid TableSize value %d", *tableSize) - } - - consistentHash.TableSize = tableSize - } - - switch policy.Spec.LoadBalancer.ConsistentHash.Type { - case egv1a1.SourceIPConsistentHashType: - consistentHash.SourceIP = 
ptr.To(true) - case egv1a1.HeaderConsistentHashType: - consistentHash.Header = &ir.Header{ - Name: policy.Spec.LoadBalancer.ConsistentHash.Header.Name, - } - case egv1a1.CookieConsistentHashType: - consistentHash.Cookie = policy.Spec.LoadBalancer.ConsistentHash.Cookie - } - - return consistentHash, nil -} - -func (t *Translator) translateDNS(policy *egv1a1.BackendTrafficPolicy) *ir.DNS { - ds := &ir.DNS{} - if policy.Spec.DNS.RespectDNSTTL != nil { - ds.RespectDNSTTL = policy.Spec.DNS.RespectDNSTTL - } - if policy.Spec.DNS.DNSRefreshRate != nil { - ds.DNSRefreshRate = policy.Spec.DNS.DNSRefreshRate - } - return ds -} - -func (t *Translator) buildProxyProtocol(policy *egv1a1.BackendTrafficPolicy) *ir.ProxyProtocol { - var pp *ir.ProxyProtocol - switch policy.Spec.ProxyProtocol.Version { - case egv1a1.ProxyProtocolVersionV1: - pp = &ir.ProxyProtocol{ - Version: ir.ProxyProtocolVersionV1, - } - case egv1a1.ProxyProtocolVersionV2: - pp = &ir.ProxyProtocol{ - Version: ir.ProxyProtocolVersionV2, - } - } - - return pp -} - -func (t *Translator) buildHealthCheck(policy *egv1a1.BackendTrafficPolicy) *ir.HealthCheck { - if policy.Spec.HealthCheck == nil { - return nil - } - - irhc := &ir.HealthCheck{} - if policy.Spec.HealthCheck.Passive != nil { - irhc.Passive = t.buildPassiveHealthCheck(policy) - } - - if policy.Spec.HealthCheck.Active != nil { - irhc.Active = t.buildActiveHealthCheck(policy) - } - - return irhc -} - -func (t *Translator) buildPassiveHealthCheck(policy *egv1a1.BackendTrafficPolicy) *ir.OutlierDetection { - if policy.Spec.HealthCheck == nil || policy.Spec.HealthCheck.Passive == nil { - return nil - } - - hc := policy.Spec.HealthCheck.Passive - irOD := &ir.OutlierDetection{ - Interval: hc.Interval, - SplitExternalLocalOriginErrors: hc.SplitExternalLocalOriginErrors, - ConsecutiveLocalOriginFailures: hc.ConsecutiveLocalOriginFailures, - ConsecutiveGatewayErrors: hc.ConsecutiveGatewayErrors, - Consecutive5xxErrors: hc.Consecutive5xxErrors, - BaseEjectionTime: 
hc.BaseEjectionTime, - MaxEjectionPercent: hc.MaxEjectionPercent, - } - return irOD -} - -func (t *Translator) buildActiveHealthCheck(policy *egv1a1.BackendTrafficPolicy) *ir.ActiveHealthCheck { - if policy.Spec.HealthCheck == nil || policy.Spec.HealthCheck.Active == nil { - return nil - } - - hc := policy.Spec.HealthCheck.Active - irHC := &ir.ActiveHealthCheck{ - Timeout: hc.Timeout, - Interval: hc.Interval, - UnhealthyThreshold: hc.UnhealthyThreshold, - HealthyThreshold: hc.HealthyThreshold, - } - switch hc.Type { - case egv1a1.ActiveHealthCheckerTypeHTTP: - irHC.HTTP = t.buildHTTPActiveHealthChecker(hc.HTTP) - case egv1a1.ActiveHealthCheckerTypeTCP: - irHC.TCP = t.buildTCPActiveHealthChecker(hc.TCP) - } - - return irHC -} - -func (t *Translator) buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChecker) *ir.HTTPHealthChecker { - if h == nil { - return nil - } - - irHTTP := &ir.HTTPHealthChecker{ - Path: h.Path, - Method: h.Method, - } - if irHTTP.Method != nil { - *irHTTP.Method = strings.ToUpper(*irHTTP.Method) - } - - // deduplicate http statuses - statusSet := sets.NewInt() - for _, r := range h.ExpectedStatuses { - statusSet.Insert(int(r)) - } - irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len()) - - for _, r := range statusSet.List() { - irStatuses = append(irStatuses, ir.HTTPStatus(r)) - } - irHTTP.ExpectedStatuses = irStatuses - - irHTTP.ExpectedResponse = translateActiveHealthCheckPayload(h.ExpectedResponse) - return irHTTP -} - -func (t *Translator) buildTCPActiveHealthChecker(h *egv1a1.TCPActiveHealthChecker) *ir.TCPHealthChecker { - if h == nil { - return nil - } - - irTCP := &ir.TCPHealthChecker{ - Send: translateActiveHealthCheckPayload(h.Send), - Receive: translateActiveHealthCheckPayload(h.Receive), - } - return irTCP -} - -func translateActiveHealthCheckPayload(p *egv1a1.ActiveHealthCheckPayload) *ir.HealthCheckPayload { - if p == nil { - return nil - } - - irPayload := &ir.HealthCheckPayload{} - switch p.Type { - case 
egv1a1.ActiveHealthCheckPayloadTypeText: - irPayload.Text = p.Text - case egv1a1.ActiveHealthCheckPayloadTypeBinary: - irPayload.Binary = make([]byte, len(p.Binary)) - copy(irPayload.Binary, p.Binary) - } - - return irPayload -} - func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 { var seconds int64 
@@ -1047,144 +767,6 @@ func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 { return seconds } -func (t *Translator) buildCircuitBreaker(policy *egv1a1.BackendTrafficPolicy) (*ir.CircuitBreaker, error) { - var cb *ir.CircuitBreaker - pcb := policy.Spec.CircuitBreaker - - if pcb != nil { - cb = &ir.CircuitBreaker{} - - if pcb.MaxConnections != nil { - if ui32, ok := int64ToUint32(*pcb.MaxConnections); ok { - cb.MaxConnections = &ui32 - } else { - return nil, fmt.Errorf("invalid MaxConnections value %d", *pcb.MaxConnections) - } - } - - if pcb.MaxParallelRequests != nil { - if ui32, ok := int64ToUint32(*pcb.MaxParallelRequests); ok { - cb.MaxParallelRequests = &ui32 - } else { - return nil, fmt.Errorf("invalid MaxParallelRequests value %d", *pcb.MaxParallelRequests) - } - } - - if pcb.MaxPendingRequests != nil { - if ui32, ok := int64ToUint32(*pcb.MaxPendingRequests); ok { - cb.MaxPendingRequests = &ui32 - } else { - return nil, fmt.Errorf("invalid MaxPendingRequests value %d", *pcb.MaxPendingRequests) - } - } - - if pcb.MaxParallelRetries != nil { - if ui32, ok := int64ToUint32(*pcb.MaxParallelRetries); ok { - cb.MaxParallelRetries = &ui32 - } else { - return nil, fmt.Errorf("invalid MaxParallelRetries value %d", *pcb.MaxParallelRetries) - } - } - - if pcb.MaxRequestsPerConnection != nil { - if ui32, ok := int64ToUint32(*pcb.MaxRequestsPerConnection); ok { - cb.MaxRequestsPerConnection = &ui32 - } else { - return nil, fmt.Errorf("invalid MaxRequestsPerConnection value %d", *pcb.MaxRequestsPerConnection) - } - } - - } - - return cb, nil -} - -func (t *Translator) buildTimeout(policy *egv1a1.BackendTrafficPolicy, r *ir.HTTPRoute) (*ir.Timeout, error) { - var ( - tto *ir.TCPTimeout - hto *ir.HTTPTimeout - terr bool - errs error - ) - - pto := policy.Spec.Timeout - - if pto.TCP != nil && pto.TCP.ConnectTimeout != nil { - d, err := time.ParseDuration(string(*pto.TCP.ConnectTimeout)) - if err != nil { - terr = true - errs = errors.Join(errs, fmt.Errorf("invalid 
ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) - } else { - tto = &ir.TCPTimeout{ - ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), - } - } - } - - if pto.HTTP != nil { - var cit *metav1.Duration - var mcd *metav1.Duration - - if pto.HTTP.ConnectionIdleTimeout != nil { - d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) - if err != nil { - terr = true - errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) - } else { - cit = ptr.To(metav1.Duration{Duration: d}) - } - } - - if pto.HTTP.MaxConnectionDuration != nil { - d, err := time.ParseDuration(string(*pto.HTTP.MaxConnectionDuration)) - if err != nil { - terr = true - errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) - } else { - mcd = ptr.To(metav1.Duration{Duration: d}) - } - } - - hto = &ir.HTTPTimeout{ - ConnectionIdleTimeout: cit, - MaxConnectionDuration: mcd, - } - } - - // http request timeout is translated during the gateway-api route resource translation - // merge route timeout setting with backendtrafficpolicy timeout settings - if terr { - if r != nil && r.Traffic != nil && r.Traffic.Timeout != nil { - return r.Traffic.Timeout.DeepCopy(), errs - } - } else { - // http request timeout is translated during the gateway-api route resource translation - // merge route timeout setting with backendtrafficpolicy timeout settings - if r != nil && - r.Traffic != nil && - r.Traffic.Timeout != nil && - r.Traffic.Timeout.HTTP != nil && - r.Traffic.Timeout.HTTP.RequestTimeout != nil { - if hto == nil { - hto = &ir.HTTPTimeout{ - RequestTimeout: r.Traffic.Timeout.HTTP.RequestTimeout, - } - } else { - hto.RequestTimeout = r.Traffic.Timeout.HTTP.RequestTimeout - } - } - - if hto != nil || tto != nil { - return &ir.Timeout{ - TCP: tto, - HTTP: hto, - }, nil - } - } - - return nil, errs -} - func int64ToUint32(in int64) (uint32, bool) { if in >= 0 && in <= math.MaxUint32 { 
return uint32(in), true @@ -1192,31 +774,6 @@ func int64ToUint32(in int64) (uint32, bool) { return 0, false } -func (t *Translator) buildBackendConnection(policy *egv1a1.BackendTrafficPolicy) (*ir.BackendConnection, error) { - var ( - bcIR = &ir.BackendConnection{} - bc = &egv1a1.BackendConnection{} - ) - - if policy.Spec.Connection != nil { - bc = policy.Spec.Connection - - if bc.BufferLimit != nil { - bf, ok := bc.BufferLimit.AsInt64() - if !ok { - return nil, fmt.Errorf("invalid BufferLimit value %s", bc.BufferLimit.String()) - } - if bf < 0 || bf > math.MaxUint32 { - return nil, fmt.Errorf("BufferLimit value %s is out of range", bc.BufferLimit.String()) - } - - bcIR.BufferLimitBytes = ptr.To(uint32(bf)) - } - } - - return bcIR, nil -} - func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *ir.FaultInjection { var fi *ir.FaultInjection if policy.Spec.FaultInjection != nil { @@ -1244,36 +801,6 @@ func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *i return fi } -func (t *Translator) buildTCPKeepAlive(policy *egv1a1.BackendTrafficPolicy) (*ir.TCPKeepalive, error) { - var ka *ir.TCPKeepalive - if policy.Spec.TCPKeepalive != nil { - pka := policy.Spec.TCPKeepalive - ka = &ir.TCPKeepalive{} - - if pka.Probes != nil { - ka.Probes = pka.Probes - } - - if pka.IdleTime != nil { - d, err := time.ParseDuration(string(*pka.IdleTime)) - if err != nil { - return nil, fmt.Errorf("invalid IdleTime value %s", *pka.IdleTime) - } - ka.IdleTime = ptr.To(uint32(d.Seconds())) - } - - if pka.Interval != nil { - d, err := time.ParseDuration(string(*pka.Interval)) - if err != nil { - return nil, fmt.Errorf("invalid Interval value %s", *pka.Interval) - } - ka.Interval = ptr.To(uint32(d.Seconds())) - } - - } - return ka, nil -} - func (t *Translator) buildRetry(policy *egv1a1.BackendTrafficPolicy) *ir.Retry { var rt *ir.Retry if policy.Spec.Retry != nil { 
diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 1d7e8e89a84..c1877ffa653 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -417,7 +417,7 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie } // Translate Proxy Protocol - enableProxyProtocol = buildProxyProtocol(policy.Spec.EnableProxyProtocol) + enableProxyProtocol = ptr.Deref(policy.Spec.EnableProxyProtocol, false) // Translate Client Timeout Settings timeout, err = buildClientTimeout(policy.Spec.Timeout) @@ -604,14 +604,6 @@ func buildClientTimeout(clientTimeout *egv1a1.ClientTimeout) (*ir.ClientTimeout, return irClientTimeout, nil } -func buildProxyProtocol(enableProxyProtocol *bool) bool { - if enableProxyProtocol != nil && *enableProxyProtocol { - return true - } - - return false -} - func translateClientIPDetection(clientIPDetection *egv1a1.ClientIPDetectionSettings, httpIR *ir.HTTPListener) { // Return early if not set if clientIPDetection == nil { diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go new file mode 100644 index 00000000000..3034fed1324 --- /dev/null +++ b/internal/gatewayapi/clustersettings.go 
@@ -0,0 +1,500 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package gatewayapi + +import ( + "errors" + "fmt" + "math" + "math/big" + "strings" + "time" + + perr "github.com/pkg/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/utils/ptr" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" +) + +func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatures, error) { + if policy == nil { + return nil, nil + } + ret := &ir.TrafficFeatures{} + + if timeout, err := buildTimeout(*policy, nil); err != nil { + return nil, err + } else { + ret.Timeout = timeout + } + + if bc, err := buildBackendConnection(*policy); err != nil { + return nil, err + } else { + ret.BackendConnection = bc + } + + if ka, err := buildTCPKeepAlive(*policy); err != nil { + return nil, err + } else { + ret.TCPKeepalive = ka + } + + if cb, err := buildCircuitBreaker(*policy); err != nil { + return nil, err + } else { + ret.CircuitBreaker = cb + } + + if lb, err := buildLoadBalancer(*policy); err != nil { + return nil, err + } else { + ret.LoadBalancer = lb + } + + ret.ProxyProtocol = buildProxyProtocol(*policy) + + ret.HealthCheck = buildHealthCheck(*policy) + + ret.DNS = translateDNS(*policy) + + if h2, err := buildIRHTTP2Settings(policy.HTTP2); err != nil { + return nil, err + } else { + ret.HTTP2 = h2 + } + + // If nothing was set in any of the above calls, return nil instead of an empty + // container + var empty ir.TrafficFeatures + if empty == *ret { + ret = nil + } + + return ret, nil +} + +func buildTimeout(policy egv1a1.ClusterSettings, r *ir.HTTPRoute) (*ir.Timeout, error) { + if policy.Timeout == nil { + return nil, nil + } + var ( + tto *ir.TCPTimeout + hto *ir.HTTPTimeout + terr bool + errs error + ) + + pto := policy.Timeout + 
+ if pto.TCP != nil && pto.TCP.ConnectTimeout != nil { + d, err := time.ParseDuration(string(*pto.TCP.ConnectTimeout)) + if err != nil { + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) + } else { + tto = &ir.TCPTimeout{ + ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), + } + } + } + + if pto.HTTP != nil { + var cit *metav1.Duration + var mcd *metav1.Duration + + if pto.HTTP.ConnectionIdleTimeout != nil { + d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) + if err != nil { + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) + } else { + cit = ptr.To(metav1.Duration{Duration: d}) + } + } + + if pto.HTTP.MaxConnectionDuration != nil { + d, err := time.ParseDuration(string(*pto.HTTP.MaxConnectionDuration)) + if err != nil { + terr = true + errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) + } else { + mcd = ptr.To(metav1.Duration{Duration: d}) + } + } + + hto = &ir.HTTPTimeout{ + ConnectionIdleTimeout: cit, + MaxConnectionDuration: mcd, + } + } + + // http request timeout is translated during the gateway-api route resource translation + // merge route timeout setting with backendtrafficpolicy timeout settings + if terr { + if r != nil && r.Traffic != nil && r.Traffic.Timeout != nil { + return r.Traffic.Timeout.DeepCopy(), errs + } + } else { + // http request timeout is translated during the gateway-api route resource translation + // merge route timeout setting with backendtrafficpolicy timeout settings + if r != nil && + r.Traffic != nil && + r.Traffic.Timeout != nil && + r.Traffic.Timeout.HTTP != nil && + r.Traffic.Timeout.HTTP.RequestTimeout != nil { + if hto == nil { + hto = &ir.HTTPTimeout{ + RequestTimeout: r.Traffic.Timeout.HTTP.RequestTimeout, + } + } else { + hto.RequestTimeout = r.Traffic.Timeout.HTTP.RequestTimeout + } + } + + if 
hto != nil || tto != nil { + return &ir.Timeout{ + TCP: tto, + HTTP: hto, + }, nil + } + } + + return nil, errs +} + +func buildBackendConnection(policy egv1a1.ClusterSettings) (*ir.BackendConnection, error) { + if policy.Connection == nil { + return nil, nil + } + var ( + bcIR = &ir.BackendConnection{} + bc = &egv1a1.BackendConnection{} + ) + + if policy.Connection != nil { + bc = policy.Connection + + if bc.BufferLimit != nil { + bf, ok := bc.BufferLimit.AsInt64() + if !ok { + return nil, fmt.Errorf("invalid BufferLimit value %s", bc.BufferLimit.String()) + } + if bf < 0 || bf > math.MaxUint32 { + return nil, fmt.Errorf("BufferLimit value %s is out of range", bc.BufferLimit.String()) + } + + bcIR.BufferLimitBytes = ptr.To(uint32(bf)) + } + } + + return bcIR, nil +} + +func buildTCPKeepAlive(policy egv1a1.ClusterSettings) (*ir.TCPKeepalive, error) { + if policy.TCPKeepalive == nil { + return nil, nil + } + + pka := policy.TCPKeepalive + ka := &ir.TCPKeepalive{} + + if pka.Probes != nil { + ka.Probes = pka.Probes + } + + if pka.IdleTime != nil { + d, err := time.ParseDuration(string(*pka.IdleTime)) + if err != nil { + return nil, fmt.Errorf("invalid IdleTime value %s", *pka.IdleTime) + } + ka.IdleTime = ptr.To(uint32(d.Seconds())) + } + + if pka.Interval != nil { + d, err := time.ParseDuration(string(*pka.Interval)) + if err != nil { + return nil, fmt.Errorf("invalid Interval value %s", *pka.Interval) + } + ka.Interval = ptr.To(uint32(d.Seconds())) + } + return ka, nil +} + +func buildCircuitBreaker(policy egv1a1.ClusterSettings) (*ir.CircuitBreaker, error) { + if policy.CircuitBreaker == nil { + return nil, nil + } + + var cb *ir.CircuitBreaker + pcb := policy.CircuitBreaker + + if pcb != nil { + cb = &ir.CircuitBreaker{} + + if pcb.MaxConnections != nil { + if ui32, ok := int64ToUint32(*pcb.MaxConnections); ok { + cb.MaxConnections = &ui32 + } else { + return nil, fmt.Errorf("invalid MaxConnections value %d", *pcb.MaxConnections) + } + } + + if 
pcb.MaxParallelRequests != nil { + if ui32, ok := int64ToUint32(*pcb.MaxParallelRequests); ok { + cb.MaxParallelRequests = &ui32 + } else { + return nil, fmt.Errorf("invalid MaxParallelRequests value %d", *pcb.MaxParallelRequests) + } + } + + if pcb.MaxPendingRequests != nil { + if ui32, ok := int64ToUint32(*pcb.MaxPendingRequests); ok { + cb.MaxPendingRequests = &ui32 + } else { + return nil, fmt.Errorf("invalid MaxPendingRequests value %d", *pcb.MaxPendingRequests) + } + } + + if pcb.MaxParallelRetries != nil { + if ui32, ok := int64ToUint32(*pcb.MaxParallelRetries); ok { + cb.MaxParallelRetries = &ui32 + } else { + return nil, fmt.Errorf("invalid MaxParallelRetries value %d", *pcb.MaxParallelRetries) + } + } + + if pcb.MaxRequestsPerConnection != nil { + if ui32, ok := int64ToUint32(*pcb.MaxRequestsPerConnection); ok { + cb.MaxRequestsPerConnection = &ui32 + } else { + return nil, fmt.Errorf("invalid MaxRequestsPerConnection value %d", *pcb.MaxRequestsPerConnection) + } + } + + } + + return cb, nil +} + +func buildLoadBalancer(policy egv1a1.ClusterSettings) (*ir.LoadBalancer, error) { + if policy.LoadBalancer == nil { + return nil, nil + } + var lb *ir.LoadBalancer + switch policy.LoadBalancer.Type { + case egv1a1.ConsistentHashLoadBalancerType: + consistentHash, err := buildConsistentHashLoadBalancer(*policy.LoadBalancer) + if err != nil { + return nil, perr.WithMessage(err, "ConsistentHash") + } + + lb = &ir.LoadBalancer{ + ConsistentHash: consistentHash, + } + case egv1a1.LeastRequestLoadBalancerType: + lb = &ir.LoadBalancer{} + if policy.LoadBalancer.SlowStart != nil { + if policy.LoadBalancer.SlowStart.Window != nil { + lb.LeastRequest = &ir.LeastRequest{ + SlowStart: &ir.SlowStart{ + Window: policy.LoadBalancer.SlowStart.Window, + }, + } + } + } + case egv1a1.RandomLoadBalancerType: + lb = &ir.LoadBalancer{ + Random: &ir.Random{}, + } + case egv1a1.RoundRobinLoadBalancerType: + lb = &ir.LoadBalancer{ + RoundRobin: &ir.RoundRobin{ + SlowStart: 
&ir.SlowStart{},
+ },
+ }
+ if policy.LoadBalancer.SlowStart != nil {
+ if policy.LoadBalancer.SlowStart.Window != nil {
+ lb.RoundRobin = &ir.RoundRobin{
+ SlowStart: &ir.SlowStart{
+ Window: policy.LoadBalancer.SlowStart.Window,
+ },
+ }
+ }
+ }
+ }
+
+ return lb, nil
+}
+
+func buildConsistentHashLoadBalancer(policy egv1a1.LoadBalancer) (*ir.ConsistentHash, error) {
+ consistentHash := &ir.ConsistentHash{}
+
+ if policy.ConsistentHash.TableSize != nil {
+ tableSize := policy.ConsistentHash.TableSize
+
+ if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) {
+ return nil, fmt.Errorf("invalid TableSize value %d", *tableSize)
+ }
+
+ consistentHash.TableSize = tableSize
+ }
+
+ switch policy.ConsistentHash.Type {
+ case egv1a1.SourceIPConsistentHashType:
+ consistentHash.SourceIP = ptr.To(true)
+ case egv1a1.HeaderConsistentHashType:
+ consistentHash.Header = &ir.Header{
+ Name: policy.ConsistentHash.Header.Name,
+ }
+ case egv1a1.CookieConsistentHashType:
+ consistentHash.Cookie = policy.ConsistentHash.Cookie
+ }
+
+ return consistentHash, nil
+}
+
+func buildProxyProtocol(policy egv1a1.ClusterSettings) *ir.ProxyProtocol {
+ if policy.ProxyProtocol == nil {
+ return nil
+ }
+ var pp *ir.ProxyProtocol
+ switch policy.ProxyProtocol.Version {
+ case egv1a1.ProxyProtocolVersionV1:
+ pp = &ir.ProxyProtocol{
+ Version: ir.ProxyProtocolVersionV1,
+ }
+ case egv1a1.ProxyProtocolVersionV2:
+ pp = &ir.ProxyProtocol{
+ Version: ir.ProxyProtocolVersionV2,
+ }
+ }
+
+ return pp
+}
+
+func buildHealthCheck(policy egv1a1.ClusterSettings) *ir.HealthCheck {
+ if policy.HealthCheck == nil {
+ return nil
+ }
+
+ irhc := &ir.HealthCheck{}
+ irhc.Passive = buildPassiveHealthCheck(*policy.HealthCheck)
+ irhc.Active = buildActiveHealthCheck(*policy.HealthCheck)
+
+ return irhc
+}
+
+func buildPassiveHealthCheck(policy egv1a1.HealthCheck) *ir.OutlierDetection {
+ if policy.Passive == nil {
+ return nil
+ }
+
+ hc := policy.Passive
+ irOD :=
&ir.OutlierDetection{
+ Interval: hc.Interval,
+ SplitExternalLocalOriginErrors: hc.SplitExternalLocalOriginErrors,
+ ConsecutiveLocalOriginFailures: hc.ConsecutiveLocalOriginFailures,
+ ConsecutiveGatewayErrors: hc.ConsecutiveGatewayErrors,
+ Consecutive5xxErrors: hc.Consecutive5xxErrors,
+ BaseEjectionTime: hc.BaseEjectionTime,
+ MaxEjectionPercent: hc.MaxEjectionPercent,
+ }
+ return irOD
+}
+
+func buildActiveHealthCheck(policy egv1a1.HealthCheck) *ir.ActiveHealthCheck {
+ if policy.Active == nil {
+ return nil
+ }
+
+ hc := policy.Active
+ irHC := &ir.ActiveHealthCheck{
+ Timeout: hc.Timeout,
+ Interval: hc.Interval,
+ UnhealthyThreshold: hc.UnhealthyThreshold,
+ HealthyThreshold: hc.HealthyThreshold,
+ }
+ switch hc.Type {
+ case egv1a1.ActiveHealthCheckerTypeHTTP:
+ irHC.HTTP = buildHTTPActiveHealthChecker(hc.HTTP)
+ case egv1a1.ActiveHealthCheckerTypeTCP:
+ irHC.TCP = buildTCPActiveHealthChecker(hc.TCP)
+ }
+
+ return irHC
+}
+
+func buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChecker) *ir.HTTPHealthChecker {
+ if h == nil {
+ return nil
+ }
+
+ irHTTP := &ir.HTTPHealthChecker{
+ Path: h.Path,
+ Method: h.Method,
+ }
+ if irHTTP.Method != nil {
+ *irHTTP.Method = strings.ToUpper(*irHTTP.Method)
+ }
+
+ // deduplicate http statuses
+ statusSet := sets.NewInt()
+ for _, r := range h.ExpectedStatuses {
+ statusSet.Insert(int(r))
+ }
+ irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len())
+
+ for _, r := range statusSet.List() {
+ irStatuses = append(irStatuses, ir.HTTPStatus(r))
+ }
+ irHTTP.ExpectedStatuses = irStatuses
+
+ irHTTP.ExpectedResponse = translateActiveHealthCheckPayload(h.ExpectedResponse)
+ return irHTTP
+}
+
+func buildTCPActiveHealthChecker(h *egv1a1.TCPActiveHealthChecker) *ir.TCPHealthChecker {
+ if h == nil {
+ return nil
+ }
+
+ irTCP := &ir.TCPHealthChecker{
+ Send: translateActiveHealthCheckPayload(h.Send),
+ Receive: translateActiveHealthCheckPayload(h.Receive),
+ }
+ return irTCP
+}
+
+func
translateActiveHealthCheckPayload(p *egv1a1.ActiveHealthCheckPayload) *ir.HealthCheckPayload {
+ if p == nil {
+ return nil
+ }
+
+ irPayload := &ir.HealthCheckPayload{}
+ switch p.Type {
+ case egv1a1.ActiveHealthCheckPayloadTypeText:
+ irPayload.Text = p.Text
+ case egv1a1.ActiveHealthCheckPayloadTypeBinary:
+ irPayload.Binary = make([]byte, len(p.Binary))
+ copy(irPayload.Binary, p.Binary)
+ }
+
+ return irPayload
+}
+
+func translateDNS(policy egv1a1.ClusterSettings) *ir.DNS {
+ if policy.DNS == nil {
+ return nil
+ }
+ return &ir.DNS{
+ RespectDNSTTL: policy.DNS.RespectDNSTTL,
+ DNSRefreshRate: policy.DNS.DNSRefreshRate,
+ }
+}
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
index 5f871a6f8c0..2bf37c576b5 100644
--- a/internal/gatewayapi/envoyextensionpolicy.go
+++ b/internal/gatewayapi/envoyextensionpolicy.go
@@ -471,9 +471,15 @@ func (t *Translator) buildExtProc(
 NamespaceDerefOr(extProc.BackendRefs[0].Namespace, policyNamespacedName.Namespace))
 }
+ traffic, err := translateTrafficFeatures(extProc.BackendCluster.BackendSettings)
+ if err != nil {
+ return nil, err
+ }
+
 extProcIR := &ir.ExtProc{
 Name: name,
 Destination: rd,
+ Traffic: traffic,
 Authority: authority,
 }
diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go
index 22c81032ebb..a29736216bc 100644
--- a/internal/gatewayapi/helpers.go
+++ b/internal/gatewayapi/helpers.go
@@ -560,3 +560,10 @@ func getPolicyTargetRefs[T client.Object](policy egv1a1.PolicyTargetReferences,
 return ret
 }
+
+// Sets *target to value if and only if *target is nil
+func setIfNil[T any](target **T, value *T) {
+ if *target == nil {
+ *target = value
+ }
+}
diff --git a/internal/gatewayapi/http.go b/internal/gatewayapi/http.go
index 95b0cd6310e..e54b3f761d7 100644
--- a/internal/gatewayapi/http.go
+++ b/internal/gatewayapi/http.go
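Review bot: The error from `translateTrafficFeatures` in buildExtProc is returned bare (`return nil, err`), so a builder message such as `invalid TableSize value %d` reaches the caller without saying it came from an ExtProc's backendSettings. The two new call sites in buildExtAuth (securitypolicy.go, second hunk) do the same. Adding context at the call site keeps rejected policies traceable, e.g. `return nil, fmt.Errorf("extProc backendSettings: %w", err)`, assuming fmt is already imported in this file. buildExtProc starts and ends outside the hunk.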
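Review bot: The comment on `setIfNil` does not begin with the function name and omits the one precondition the body has: `*target` is dereferenced unconditionally, so a nil `target` panics. Suggested wording: `// setIfNil sets *target to value only when *target is currently nil; target itself must be non-nil.`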
@@ -23,6 +23,9 @@ const (
 )
 func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Settings, error) {
+ if http2Settings == nil {
+ return nil, nil
+ }
 var (
 http2 = &ir.HTTP2Settings{}
 errs error
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index d071e4ffdda..124d2d6c1d4 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -813,6 +813,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso
 ds *ir.DestinationSetting
 authority string
 err error
+ traffic *ir.TrafficFeatures
 )
 switch {
@@ -826,12 +827,18 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso
 backendRef = egv1a1.ToBackendObjectReference(http.BackendRefs[0])
 }
 protocol = ir.HTTP
+ if traffic, err = translateTrafficFeatures(http.BackendSettings); err != nil {
+ return nil, err
+ }
 case grpc != nil:
 backendRef = grpc.BackendRef
 if len(grpc.BackendRefs) != 0 {
 backendRef = egv1a1.ToBackendObjectReference(grpc.BackendRefs[0])
 }
 protocol = ir.GRPC
+ if traffic, err = translateTrafficFeatures(grpc.BackendSettings); err != nil {
+ return nil, err
+ }
 // These are sanity checks, they should never happen because the API server
 // should have caught them
 default: // http == nil && grpc == nil:
@@ -866,6 +873,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso
 Name: irConfigName(policy),
 HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
 FailOpen: policy.Spec.ExtAuth.FailOpen,
+ Traffic: traffic,
 }
 if http != nil {
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml
index 89d9902328f..12bbf12dbe7 100644
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml
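Review bot: The HTTP/2 window sizes come out swapped in the golden file this commit adds, which points at the mapping behind `buildIRHTTP2Settings` (its body is outside this hunk) or at the IR field tags. In envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml the policy sets `initialStreamWindowSize: 128Ki` and `initialConnectionWindowSize: 2Mi`, yet the xdsIR section of the matching .out.yaml records `initialConnectionWindowSize: 131072` and `initialStreamWindowSize: 2097152`. Whether the values themselves or only the serialized names are crossed cannot be told from the visible lines. It is worth checking before the golden output pins the result.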
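Review bot: The ext-auth IR built in the last securitypolicy.go hunk now carries `Traffic: traffic` next to `FailOpen: policy.Spec.ExtAuth.FailOpen`, and nothing documents how the two interact. Timeout, circuit-breaker and health-check settings decide when the authorization backend counts as unavailable, so with FailOpen enabled a tight value presumably widens the set of requests that proceed without an authorization decision. A comment at the assignment would make that visible, e.g. `// Traffic tunes the ext-auth cluster; with FailOpen these limits also decide when requests skip the auth check.` buildExtAuth starts and ends outside these hunks.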
@@ -342,9 +342,6 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 - dns: - dnsRefreshRate: 10s - respectDnsTtl: true hostname: gateway.envoyproxy.io isHTTP2: false metadata: @@ -356,7 +353,10 @@ xdsIR: distinct: false name: "" prefix: /v3 - traffic: {} + traffic: + dns: + dnsRefreshRate: 10s + respectDnsTtl: true envoy-gateway/gateway-2: accessLog: text: @@ -386,9 +386,6 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 - dns: - dnsRefreshRate: 5s - respectDnsTtl: false hostname: gateway.envoyproxy.io isHTTP2: false metadata: @@ -400,7 +397,10 @@ xdsIR: distinct: false name: "" prefix: /v2 - traffic: {} + traffic: + dns: + dnsRefreshRate: 5s + respectDnsTtl: false - destination: name: httproute/default/httproute-1/rule/0 settings: @@ -410,9 +410,6 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 - dns: - dnsRefreshRate: 1s - respectDnsTtl: true hostname: gateway.envoyproxy.io isHTTP2: false metadata: @@ -424,4 +421,7 @@ xdsIR: distinct: false name: "" prefix: / - traffic: {} + traffic: + dns: + dnsRefreshRate: 1s + respectDnsTtl: true diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml new file mode 100644 index 00000000000..1f25d8f7e0b --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml 
@@ -0,0 +1,262 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo + backendRefs: + - name: service-1 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-1 + port: 8080 +services: +- apiVersion: v1 + kind: Service + metadata: + namespace: envoy-gateway + name: grpc-backend + spec: + ports: + - port: 8000 + name: grpc + protocol: TCP +- apiVersion: v1 + kind: Service + metadata: + namespace: default + name: grpc-backend-2 + spec: + ports: + - port: 9000 + name: grpc + protocol: TCP +endpointSlices: +- apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-grpc-backend + namespace: envoy-gateway + labels: + kubernetes.io/service-name: grpc-backend + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8000 + endpoints: + - addresses: + - 7.7.7.7 + conditions: + ready: true +- apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-grpc-backend-2 + namespace: default + labels: + kubernetes.io/service-name: grpc-backend-2 + addressType: IPv4 + ports: + - name: grpc + protocol: TCP + port: 9000 + endpoints: + - addresses: + - 8.8.8.8 + conditions: + ready: true +referenceGrants: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: 
ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + namespace: default + to: + - group: '' + kind: Service + - group: gateway.envoyproxy.io + kind: Backend +configMaps: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: default + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls-grpc + namespace: envoy-gateway + spec: + targetRefs: + - group: '' + kind: Service + name: grpc-backend + sectionName: "8000" + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: grpc-backend +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: 
BackendTLSPolicy + metadata: + name: policy-btls-backend-ip + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: ip-backend +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: default + name: policy-for-http-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extProc: + - backendRefs: + - Name: grpc-backend + Namespace: envoy-gateway + Port: 8000 + - Name: grpc-backend-2 + Port: 9000 + - Name: backend-ip + Kind: Backend + Group: gateway.envoyproxy.io + - Name: backend-ip-tls + Namespace: envoy-gateway + Kind: Backend + Group: gateway.envoyproxy.io + backendSettings: + dns: + respectDnsTtl: true + http2: + initialStreamWindowSize: 128Ki + initialConnectionWindowSize: 2Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + type: ConsistentHash + consistentHash: + type: Header + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + circuitBreaker: + maxConnections: 2048 + timeout: + tcp: + connectTimeout: 15s + connection: + bufferLimit: 20Mi +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-ip + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-ip-tls + namespace: envoy-gateway + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3443 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml new file mode 100644 index 00000000000..17f9e8c15a6 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml 
@@ -0,0 +1,431 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-grpc + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: grpc-backend + sectionName: "8000" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: grpc-backend + status: + ancestors: + - ancestorRef: + group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + name: policy-for-http-route + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-backend-ip + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: ip-backend + status: + ancestors: + - ancestorRef: + group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + name: policy-for-http-route + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-ip + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-ip-tls + namespace: envoy-gateway + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3443 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route + namespace: default + spec: + extProc: + - backendRefs: + - name: grpc-backend + namespace: envoy-gateway + port: 8000 + - name: grpc-backend-2 + port: 9000 + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + namespace: envoy-gateway + backendSettings: + circuitBreaker: + maxConnections: 2048 + connection: + bufferLimit: 20Mi + dns: + respectDnsTtl: true + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 2Mi + initialStreamWindowSize: 128Ki + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + consistentHash: + header: + name: X-some-header + type: Header + type: ConsistentHash + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: 
gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default 
+ sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + extProcs: + - authority: grpc-backend.envoy-gateway:8000 + destination: + name: envoyextensionpolicy/default/policy-for-http-route/0 + settings: + - addressType: IP + protocol: GRPC + tls: + caCertificate: + certificate: 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 + name: 
policy-btls-grpc/envoy-gateway-ca + sni: grpc-backend + weight: 1 + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3443 + protocol: GRPC + tls: + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-backend-ip/envoy-gateway-ca + sni: ip-backend + weight: 1 + name: 
envoyextensionpolicy/default/policy-for-http-route/extproc/0 + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + dns: + respectDnsTtl: true + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 131072 + initialStreamWindowSize: 2097152 + maxConcurrentStreams: 200 + resetStreamOnError: true + loadBalancer: + consistentHash: + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 7cc5ed8f354..5e9cb6ac40e 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -565,8 +565,6 @@ type HTTPRoute struct { UseClientProtocol *bool `json:"useClientProtocol,omitempty" yaml:"useClientProtocol,omitempty"` // Metadata is used to enrich envoy route metadata with user and provider-specific information Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` - // DNS is used to configure how DNS resolution is handled for the route - DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"` } // DNS contains configuration options for DNS resolution. 
@@ -605,6 +603,8 @@ type TrafficFeatures struct {
 // HTTP2 provides HTTP/2 configuration for clusters
 // +optional
 HTTP2 *HTTP2Settings `json:"http2,omitempty" yaml:"http2,omitempty"`
+ // DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster
+ DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 func (b *TrafficFeatures) Validate() error {
@@ -817,6 +817,9 @@ type ExtAuth struct {
 // Only one of GRPCService or HTTPService may be specified.
 HTTP *HTTPExtAuthService `json:"http,omitempty"`
+ // Traffic contains configuration for traffic features for the ExtAuth service
+ Traffic *TrafficFeatures `json:"traffic,omitempty"`
+
 // HeadersToExtAuth defines the client request headers that will be included
 // in the request to the external authorization service.
 // Note: If not specified, the default behavior for gRPC and HTTP external
@@ -1514,7 +1517,8 @@ type UDPRoute struct {
 Timeout *Timeout `json:"timeout,omitempty" yaml:"timeout,omitempty"`
 // settings of upstream connection
 BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
- DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
+ // DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster
+ DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
 }
 // Validate the fields within the UDPListener structure
@@ -2230,6 +2234,9 @@ type ExtProc struct {
 // Destination defines the destination for the gRPC External Processing service.
 Destination RouteDestination `json:"destination" yaml:"destination"`
+ // Traffic holds the features associated with traffic management
+ Traffic *TrafficFeatures `json:"traffic,omitempty" yaml:"traffic,omitempty"`
+
 // Authority is the hostname:port of the HTTP External Processing service.
 Authority string `json:"authority" yaml:"authority"`
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index dabb7af5afd..7d453c5f522 100644
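Review bot: The new `Traffic *TrafficFeatures` fields on `ExtAuth` and `ExtProc` are not visibly tied into IR validation. `TrafficFeatures` has a `Validate()` method (context line of its hunk), but no hunk in xds.go shows the ExtAuth or ExtProc validators calling it, and `DNS` joins `TrafficFeatures` without a visible change to that method. Those validators may exist outside the diff, in which case it is enough to confirm they descend into `Traffic`. Otherwise out-of-range backend settings for the auth and processing clusters would pass the IR check unexamined. The struct bodies and the validators lie outside these hunks.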
--- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -792,6 +792,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = new(HTTPExtAuthService) (*in).DeepCopyInto(*out) } + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } if in.HeadersToExtAuth != nil { in, out := &in.HeadersToExtAuth, &out.HeadersToExtAuth *out = make([]string, len(*in)) @@ -818,6 +823,11 @@ func (in *ExtAuth) DeepCopy() *ExtAuth { func (in *ExtProc) DeepCopyInto(out *ExtProc) { *out = *in in.Destination.DeepCopyInto(&out.Destination) + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } if in.MessageTimeout != nil { in, out := &in.MessageTimeout, &out.MessageTimeout *out = new(v1.Duration) @@ -1348,11 +1358,6 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { *out = new(ResourceMetadata) (*in).DeepCopyInto(*out) } - if in.DNS != nil { - in, out := &in.DNS, &out.DNS - *out = new(DNS) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute. @@ -2903,6 +2908,11 @@ func (in *TrafficFeatures) DeepCopyInto(out *TrafficFeatures) { *out = new(HTTP2Settings) (*in).DeepCopyInto(*out) } + if in.DNS != nil { + in, out := &in.DNS, &out.DNS + *out = new(DNS) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficFeatures. diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 6379263bdb0..3f097f3f9cd 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go 
@@ -675,10 +675,12 @@ func TestValidateServiceForReconcile(t *testing.T) {
 },
 ExtAuth: &egv1a1.ExtAuth{
 HTTP: &egv1a1.HTTPExtAuthService{
- BackendRefs: []egv1a1.BackendRef{
- {
- BackendObjectReference: gwapiv1.BackendObjectReference{
- Name: "ext-auth-http-service",
+ BackendCluster: egv1a1.BackendCluster{
+ BackendRefs: []egv1a1.BackendRef{
+ {
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-auth-http-service",
+ },
 },
 },
 },
@@ -708,10 +710,12 @@ func TestValidateServiceForReconcile(t *testing.T) {
 },
 ExtAuth: &egv1a1.ExtAuth{
 GRPC: &egv1a1.GRPCExtAuthService{
- BackendRefs: []egv1a1.BackendRef{
- {
- BackendObjectReference: gwapiv1.BackendObjectReference{
- Name: "ext-auth-grpc-service",
+ BackendCluster: egv1a1.BackendCluster{
+ BackendRefs: []egv1a1.BackendRef{
+ {
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-auth-grpc-service",
+ },
 },
 },
 },
@@ -741,10 +745,12 @@ func TestValidateServiceForReconcile(t *testing.T) {
 },
 ExtProc: []egv1a1.ExtProc{
 {
- BackendRefs: []egv1a1.BackendRef{
- {
- BackendObjectReference: gwapiv1.BackendObjectReference{
- Name: "ext-proc-service",
+ BackendCluster: egv1a1.BackendCluster{
+ BackendRefs: []egv1a1.BackendRef{
+ {
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-proc-service",
+ },
 },
 },
 },
@@ -774,10 +780,12 @@ func TestValidateServiceForReconcile(t *testing.T) {
 },
 ExtProc: []egv1a1.ExtProc{
 {
- BackendRefs: []egv1a1.BackendRef{
- {
- BackendObjectReference: gwapiv1.BackendObjectReference{
- Name: "ext-proc-service",
+ BackendCluster: egv1a1.BackendCluster{
+ BackendRefs: []egv1a1.BackendRef{
+ {
+ BackendObjectReference: gwapiv1.BackendObjectReference{
+ Name: "ext-proc-service",
+ },
 },
 },
 },
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index 697736dbc4d..e0f8b3ceba1 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -739,10 +739,7 @@ func (httpRoute *HTTPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsCluste
 clusterArgs.timeout = bt.Timeout
 clusterArgs.tcpkeepalive = bt.TCPKeepalive
 clusterArgs.backendConnection = bt.BackendConnection
- }
-
- if httpRoute.DNS != nil {
- clusterArgs.dns = httpRoute.DNS
+ clusterArgs.dns = bt.DNS
 }
 
 return clusterArgs
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 35ca41e79f6..3b64326c4c3 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -222,13 +222,13 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable,
 }
 if route.Security.ExtAuth.HTTP != nil {
 if err := createExtServiceXDSCluster(
- &route.Security.ExtAuth.HTTP.Destination, tCtx); err != nil && !errors.Is(
+ &route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
 err, ErrXdsClusterExists) {
 errs = errors.Join(errs, err)
 }
 } else {
 if err := createExtServiceXDSCluster(
- &route.Security.ExtAuth.GRPC.Destination, tCtx); err != nil && !errors.Is(
+ &route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is(
 err, ErrXdsClusterExists) {
 errs = errors.Join(errs, err)
 }
diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go
index 6f4db53a08b..2bc6c4b6ba6 100644
--- a/internal/xds/translator/extproc.go
+++ b/internal/xds/translator/extproc.go
@@ -173,12 +173,11 @@ func (*extProc) patchResources(tCtx *types.ResourceVersionTable,
 for i := range route.EnvoyExtensions.ExtProcs {
 ep := route.EnvoyExtensions.ExtProcs[i]
 if err := createExtServiceXDSCluster(
- &ep.Destination, tCtx); err != nil && !errors.Is(
+ &ep.Destination, ep.Traffic, tCtx); err != nil && !errors.Is(
 err, ErrXdsClusterExists) {
 errs = errors.Join(errs, err)
 }
 }
-
 }
 
 return errs
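Review bot: The `ErrXdsClusterExists` filter on both `createExtServiceXDSCluster` calls in extauth.go means that when a cluster with the destination's name already exists, the `route.Security.ExtAuth.Traffic` now being passed is never compared with the settings that cluster was built from, so the first route translated decides the timeout, circuit-breaker and health-check settings of the authorization cluster. Whether two routes can reach the same destination name with different `Traffic` values cannot be determined from this hunk; if they can, the later settings are dropped silently, and for an auth backend that deserves at least a comment such as `// the first route to create the cluster fixes its traffic settings; later routes reuse it as-is`. The `ep.Traffic` call in extproc.go has the same shape. In the `else` branch `route.Security.ExtAuth.GRPC` is dereferenced with no nil check visible here; the guard may sit above the hunk, since patchResources starts and ends outside it.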
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml new file mode 100644 index 00000000000..136fd53ff6a --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc-with-traffic-settings.yaml 
@@ -0,0 +1,124 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + extProcs: + - authority: grpc-backend.envoy-gateway:8000 + destination: + name: envoyextensionpolicy/default/policy-for-http-route/0 + settings: + - addressType: IP + protocol: GRPC + tls: + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZ
XlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-grpc/envoy-gateway-ca + sni: grpc-backend + weight: 1 + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3443 + protocol: GRPC + tls: + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJL
aDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-backend-ip/envoy-gateway-ca + sni: ip-backend + weight: 1 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + baseEjectionTime: 30s + consecutiveGatewayErrors: 4 + consecutive5XxErrors: 5 + consecutiveLocalOriginFailures: 5 + interval: 5s + maxEjectionPercent: 10 + splitExternalLocalOriginErrors: false + http2: + initialConnectionWindowSize: 131072 + initialStreamWindowSize: 2097152 + maxConcurrentStreams: 200 + resetStreamOnError: true + loadBalancer: + roundRobin: + slowStart: + window: 5s + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml new file mode 100644 index 00000000000..4e73328fa8e --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml 
@@ -0,0 +1,135 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxConnections: 2048 + maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 15s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + name: envoyextensionpolicy/default/policy-for-http-route/0 + outlierDetection: + baseEjectionTime: 30s + consecutive5xx: 5 + consecutiveGatewayFailure: 4 + consecutiveLocalOriginFailure: 5 + interval: 5s + maxEjectionPercent: 10 + perConnectionBufferLimitBytes: 20971520 + roundRobinLbConfig: + slowStartConfig: + slowStartWindow: 5s + transportSocket: + name: envoy.transport_sockets.upstream_proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport + config: + version: V2 + transportSocket: + name: envoy.transport_sockets.raw_buffer + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer + transportSocketMatches: + - match: + name: 
envoyextensionpolicy/default/policy-for-http-route/0/tls/0 + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 + transportSocket: + name: envoy.transport_sockets.upstream_proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport + config: + version: V2 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: grpc-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-grpc/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: grpc-backend + - match: + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + transportSocket: + name: envoy.transport_sockets.upstream_proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport + config: + version: V2 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: ip-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-backend-ip/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: ip-backend + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 2097152 + initialStreamWindowSize: 131072 + maxConcurrentStreams: 200 + 
overrideStreamErrorOnInvalidHttpMessage: true + upstreamConnectionOptions: + tcpKeepalive: + keepaliveProbes: 7 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.endpoints.yaml new file mode 100644 index 00000000000..a3d4fd4dc11 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.endpoints.yaml 
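Review bot: The expected `http2ProtocolOptions` for the ext-proc cluster has the two flow-control windows crossed relative to the input fixture: ext-proc-with-traffic-settings.yaml sets `initialConnectionWindowSize: 131072` and `initialStreamWindowSize: 2097152`, while this golden file expects `initialConnectionWindowSize: 2097152` and `initialStreamWindowSize: 131072`. The cause is not visible in this diff (it could be the IR field tags or the translation step), but as written the golden file pins the swap as correct, so an operator's per-stream and per-connection limits would land on the wrong knob. Either the mapping should be fixed and the expectation changed to `initialConnectionWindowSize: 131072` and `initialStreamWindowSize: 2097152`, or the input fixture should carry a comment explaining why the crossing is intended.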
@@ -0,0 +1,63 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 +- clusterName: envoyextensionpolicy/default/policy-for-http-route/0 + endpoints: + - loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/0 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 8.8.8.8 + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/1 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.1.1.1 + portValue: 3001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/2 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 2.2.2.2 + portValue: 3443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.transport_socket_match: + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/3 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml new file mode 100644 index 00000000000..7ed44e9e2bf --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml 
@@ -0,0 +1,49 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-http-route/extproc/0 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor + grpcService: + envoyGrpc: + authority: grpc-backend.envoy-gateway:8000 + clusterName: envoyextensionpolicy/default/policy-for-http-route/0 + timeout: 10s + processingMode: + requestHeaderMode: SKIP + requestTrailerMode: SKIP + responseHeaderMode: SKIP + responseTrailerMode: SKIP + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + drainType: MODIFY_ONLY + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.routes.yaml new file mode 100644 index 00000000000..e5e50ccde27 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.routes.yaml 
@@ -0,0 +1,59 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-http-route/extproc/0: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.secrets.yaml new file mode 100644 index 00000000000..387926a79f3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.secrets.yaml 
@@ -0,0 +1,8 @@
+- name: policy-btls-grpc/envoy-gateway-ca
+ validationContext:
+ trustedCa:
+ inlineBytes: 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
+- name: policy-btls-backend-ip/envoy-gateway-ca
+ validationContext:
+ trustedCa:
+ inlineBytes: 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
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index 10148150865..23d455edd9c 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -129,13 +129,17 @@ func hcmContainsFilter(mgr *hcmv3.HttpConnectionManager, filterName string) bool
 return false
 }
 
-func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVersionTable) error {
+func createExtServiceXDSCluster(rd *ir.RouteDestination, traffic *ir.TrafficFeatures, tCtx *types.ResourceVersionTable) error {
 var (
 endpointType EndpointType
 tSocket *corev3.TransportSocket
 err error
 )
 
+ // Make sure that there are safe defaults for the traffic
+ if traffic == nil {
+ traffic = &ir.TrafficFeatures{}
+ }
 // Get the address type from the first setting.
 // This is safe because no mixed address types in the settings.
 addrTypeState := rd.Settings[0].AddressType
@@ -144,12 +148,20 @@ func createExtServiceXDSCluster(rd *ir.RouteDestination, tCtx *types.ResourceVer
 } else {
 endpointType = EndpointTypeStatic
 }
-
 if err = addXdsCluster(tCtx, &xdsClusterArgs{
- name: rd.Name,
- settings: rd.Settings,
- tSocket: tSocket,
- endpointType: endpointType,
+ name: rd.Name,
+ settings: rd.Settings,
+ tSocket: tSocket,
+ loadBalancer: traffic.LoadBalancer,
+ proxyProtocol: traffic.ProxyProtocol,
+ circuitBreaker: traffic.CircuitBreaker,
+ healthCheck: traffic.HealthCheck,
+ timeout: traffic.Timeout,
+ tcpkeepalive: traffic.TCPKeepalive,
+ backendConnection: traffic.BackendConnection,
+ endpointType: endpointType,
+ dns: traffic.DNS,
+ http2Settings: traffic.HTTP2,
 }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 return err
 }
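Review bot: In utils.go the added `traffic == nil` guard protects the new parameter, but `rd.Settings[0].AddressType` three lines below is still indexed with no length check, and the existing comment only argues that address types are not mixed, not that the slice is non-empty. If no earlier validation guarantees at least one setting, a guard such as `if len(rd.Settings) == 0 { return errors.New("ext service destination has no settings") }` before the index turns a translator panic into a reported error. The function also has no doc comment; `// createExtServiceXDSCluster adds the xDS cluster for an ext-auth or ext-proc destination; a nil traffic is replaced by an empty TrafficFeatures.` would record the new contract. The function body continues past the second hunk.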
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 255c84a77af..6ff3e2ed4c7 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -128,7 +128,7 @@ _Appears in:_ #### ActiveHealthCheckPayload - +_Underlying type:_ _[struct{Type ActiveHealthCheckPayloadType "json:\"type\" yaml:\"type\""; Text *string "json:\"text,omitempty\" yaml:\"text,omitempty\""; Binary []byte "json:\"binary,omitempty\" yaml:\"binary,omitempty\""}](#struct{type-activehealthcheckpayloadtype-"json:\"type\"-yaml:\"type\"";-text-*string-"json:\"text,omitempty\"-yaml:\"text,omitempty\"";-binary-[]byte-"json:\"binary,omitempty\"-yaml:\"binary,omitempty\""})_ ActiveHealthCheckPayload defines the encoding of the payload bytes in the payload. @@ -136,26 +136,8 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | -| `text` | _string_ | false | Text payload in plain text. | -| `binary` | _integer array_ | false | Binary payload base64 encoded. | - - -#### ActiveHealthCheckPayloadType - -_Underlying type:_ _string_ - -ActiveHealthCheckPayloadType is the type of the payload. -_Appears in:_ -- [ActiveHealthCheckPayload](#activehealthcheckpayload) -| Value | Description | -| ----- | ----------- | -| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| -| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| #### ActiveHealthCheckerType @@ -273,6 +255,26 @@ _Appears in:_ | `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | +#### BackendCluster + + + +BackendCluster contains all the configuration required for configuring access +to a backend. This can include multiple endpoints, and settings that apply for +managing the connection to all these endpoints. + +_Appears in:_ +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | + + @@ -285,6 +287,7 @@ BackendConnection allows users to configure connection-level settings of backend _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -333,6 +336,7 @@ BackendRef defines how an ObjectReference that is specific to BackendRef. _Appears in:_ - [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) @@ -449,19 +453,19 @@ _Appears in:_ | `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | | `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | | `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | | `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | #### BasicAuth @@ -532,6 +536,7 @@ CircuitBreaker defines the Circuit Breaker configuration. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -702,6 +707,33 @@ _Appears in:_ | `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +#### ClusterSettings + + + +ClusterSettings provides the various knobs that can be set to control how traffic to a given +backend will be configured. + +_Appears in:_ +- [BackendCluster](#backendcluster) +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | + + #### Compression @@ -855,6 +887,7 @@ _Appears in:_ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1466,7 +1499,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs defines the configuration of the external processing service | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | | `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | | `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | @@ -1693,8 +1728,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | #### Gateway @@ -1795,6 +1831,7 @@ HTTP2Settings provides HTTP/2 configuration for listeners and backends. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1858,8 +1895,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | @@ -1967,6 +2005,7 @@ are healthy and can be used for routing. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2394,6 +2433,7 @@ LoadBalancer defines the load balancer policy to be applied. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2921,6 +2961,7 @@ when communicating with the backend. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3539,6 +3580,7 @@ TCPKeepalive define the TCP Keepalive configuration. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3629,6 +3671,7 @@ Timeout defines configuration for timeouts related to connections. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 255c84a77af..6ff3e2ed4c7 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -128,7 +128,7 @@ _Appears in:_ #### ActiveHealthCheckPayload - +_Underlying type:_ _[struct{Type ActiveHealthCheckPayloadType "json:\"type\" yaml:\"type\""; Text *string "json:\"text,omitempty\" yaml:\"text,omitempty\""; Binary []byte "json:\"binary,omitempty\" yaml:\"binary,omitempty\""}](#struct{type-activehealthcheckpayloadtype-"json:\"type\"-yaml:\"type\"";-text-*string-"json:\"text,omitempty\"-yaml:\"text,omitempty\"";-binary-[]byte-"json:\"binary,omitempty\"-yaml:\"binary,omitempty\""})_ ActiveHealthCheckPayload defines the encoding of the payload bytes in the payload. @@ -136,26 +136,8 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | -| `text` | _string_ | false | Text payload in plain text. | -| `binary` | _integer array_ | false | Binary payload base64 encoded. | - - -#### ActiveHealthCheckPayloadType - -_Underlying type:_ _string_ - -ActiveHealthCheckPayloadType is the type of the payload. -_Appears in:_ -- [ActiveHealthCheckPayload](#activehealthcheckpayload) -| Value | Description | -| ----- | ----------- | -| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| -| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| #### ActiveHealthCheckerType @@ -273,6 +255,26 @@ _Appears in:_ | `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | +#### BackendCluster + + + +BackendCluster contains all the configuration required for configuring access +to a backend. This can include multiple endpoints, and settings that apply for +managing the connection to all these endpoints. + +_Appears in:_ +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | + + @@ -285,6 +287,7 @@ BackendConnection allows users to configure connection-level settings of backend _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -333,6 +336,7 @@ BackendRef defines how an ObjectReference that is specific to BackendRef. _Appears in:_ - [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) @@ -449,19 +453,19 @@ _Appears in:_ | `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | | `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | | `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | | `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | #### BasicAuth @@ -532,6 +536,7 @@ CircuitBreaker defines the Circuit Breaker configuration. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -702,6 +707,33 @@ _Appears in:_ | `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +#### ClusterSettings + + + +ClusterSettings provides the various knobs that can be set to control how traffic to a given +backend will be configured. + +_Appears in:_ +- [BackendCluster](#backendcluster) +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | + + #### Compression @@ -855,6 +887,7 @@ _Appears in:_ _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1466,7 +1499,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs defines the configuration of the external processing service | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | | `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | | `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | @@ -1693,8 +1728,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | #### Gateway @@ -1795,6 +1831,7 @@ HTTP2Settings provides HTTP/2 configuration for listeners and backends. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1858,8 +1895,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | @@ -1967,6 +2005,7 @@ are healthy and can be used for routing. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2394,6 +2433,7 @@ LoadBalancer defines the load balancer policy to be applied. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2921,6 +2961,7 @@ when communicating with the backend. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3539,6 +3580,7 @@ TCPKeepalive define the TCP Keepalive configuration. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3629,6 +3671,7 @@ Timeout defines configuration for timeouts related to connections. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) | Field | Type | Required | Description | | --- | --- | --- | --- | diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go index 903d3fa19f1..90ea4c3f473 100644 --- a/test/cel-validation/backendtrafficpolicy_test.go +++ b/test/cel-validation/backendtrafficpolicy_test.go 
@@ -197,10 +197,12 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - ConsistentHash: &egv1a1.ConsistentHash{ - Type: "SourceIP", + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + ConsistentHash: &egv1a1.ConsistentHash{ + Type: "SourceIP", + }, }, }, } @@ -220,8 +222,10 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + }, }, } }, @@ -242,12 +246,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - ConsistentHash: &egv1a1.ConsistentHash{ - Type: "Header", - Header: &egv1a1.Header{ - Name: "name", + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + ConsistentHash: &egv1a1.ConsistentHash{ + Type: "Header", + Header: &egv1a1.Header{ + Name: "name", + }, }, }, }, @@ -268,10 +274,12 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - ConsistentHash: &egv1a1.ConsistentHash{ - Type: "Header", + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + ConsistentHash: &egv1a1.ConsistentHash{ + Type: "Header", + }, }, }, } 
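Review bot: The CEL rules for the fields moved under `ClusterSettings` are exercised in these cases only through `BackendTrafficPolicySpec`, which is one of several paths that now carry the struct. The API reference updated in the same patch lists `ClusterSettings` as `backendSettings` on `ExtProc`, `GRPCExtAuthService` and `HTTPExtAuthService`, and no test for those paths is visible in this part of the patch. Because those backends sit on the authorization and request-processing path, I would add at least one case per type that mirrors a case from this file, for example `BackendSettings: &egv1a1.ClusterSettings{LoadBalancer: &egv1a1.LoadBalancer{Type: egv1a1.ConsistentHashLoadBalancerType}}`. That would confirm the type-level rules give the same result there as they do here. `TestBackendTrafficPolicyTarget` starts and ends outside the hunk, as it does for the other hunks in this file.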
@@ -293,12 +301,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - ConsistentHash: &egv1a1.ConsistentHash{ - Type: "Cookie", - Cookie: &egv1a1.Cookie{ - Name: "name", + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + ConsistentHash: &egv1a1.ConsistentHash{ + Type: "Cookie", + Cookie: &egv1a1.Cookie{ + Name: "name", + }, }, }, }, @@ -319,10 +329,12 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - ConsistentHash: &egv1a1.ConsistentHash{ - Type: "Cookie", + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + ConsistentHash: &egv1a1.ConsistentHash{ + Type: "Cookie", + }, }, }, } @@ -345,8 +357,10 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.LeastRequestLoadBalancerType, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.LeastRequestLoadBalancerType, + }, }, } }, @@ -365,11 +379,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.LeastRequestLoadBalancerType, - SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.LeastRequestLoadBalancerType, + SlowStart: &egv1a1.SlowStart{ + Window: &metav1.Duration{ + Duration: 10000000, + }, }, }, }, 
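Review bot: `Duration: 10000000` in the least-request slow-start case (old line 365) is a bare nanosecond count and reads as an arbitrary number. Since the line is being re-indented anyway, `Duration: 10 * time.Millisecond,` would state the same value with its unit. The same literal recurs in the round-robin, random and consistent-hash slow-start hunks that follow (old lines 390, 415 and 442). Whether `time` is already imported in this file is not visible from the hunk; if it is not, a trailing `// 10ms` comment gives the same clarity without a new import.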
@@ -390,11 +406,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.RoundRobinLoadBalancerType, - SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.RoundRobinLoadBalancerType, + SlowStart: &egv1a1.SlowStart{ + Window: &metav1.Duration{ + Duration: 10000000, + }, }, }, }, @@ -415,11 +433,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.RandomLoadBalancerType, - SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.RandomLoadBalancerType, + SlowStart: &egv1a1.SlowStart{ + Window: &metav1.Duration{ + Duration: 10000000, + }, }, }, }, @@ -442,11 +462,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - LoadBalancer: &egv1a1.LoadBalancer{ - Type: egv1a1.ConsistentHashLoadBalancerType, - SlowStart: &egv1a1.SlowStart{ - Window: &metav1.Duration{ - Duration: 10000000, + ClusterSettings: egv1a1.ClusterSettings{ + LoadBalancer: &egv1a1.LoadBalancer{ + Type: egv1a1.ConsistentHashLoadBalancerType, + SlowStart: &egv1a1.SlowStart{ + Window: &metav1.Duration{ + Duration: 10000000, + }, }, }, }, @@ -606,11 +628,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - CircuitBreaker: &egv1a1.CircuitBreaker{ - MaxConnections: valMax, - MaxPendingRequests: valMin, - MaxParallelRequests: nil, - MaxParallelRetries: nil, + ClusterSettings: egv1a1.ClusterSettings{ + CircuitBreaker: &egv1a1.CircuitBreaker{ + MaxConnections: valMax, + MaxPendingRequests: valMin, + MaxParallelRequests: nil, + MaxParallelRetries: nil, + }, }, } }, 
@@ -631,12 +655,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - CircuitBreaker: &egv1a1.CircuitBreaker{ - MaxConnections: valOverMax, - MaxPendingRequests: valUnderMin, - MaxParallelRequests: valOverMax, - MaxRequestsPerConnection: valUnderMin, - MaxParallelRetries: valOverMax, + ClusterSettings: egv1a1.ClusterSettings{ + CircuitBreaker: &egv1a1.CircuitBreaker{ + MaxConnections: valOverMax, + MaxPendingRequests: valUnderMin, + MaxParallelRequests: valOverMax, + MaxRequestsPerConnection: valUnderMin, + MaxParallelRetries: valOverMax, + }, }, } }, @@ -661,11 +687,13 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "", + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "", + }, }, }, }, @@ -688,12 +716,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - UnhealthyThreshold: ptr.To[uint32](0), - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + UnhealthyThreshold: ptr.To[uint32](0), + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + }, }, }, }, 
@@ -716,12 +746,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - HealthyThreshold: ptr.To[uint32](0), - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + HealthyThreshold: ptr.To[uint32](0), + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + }, }, }, }, @@ -744,10 +776,12 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - TCP: &egv1a1.TCPActiveHealthChecker{}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + TCP: &egv1a1.TCPActiveHealthChecker{}, + }, }, }, } @@ -769,12 +803,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", - ExpectedStatuses: []egv1a1.HTTPStatus{99, 200}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + ExpectedStatuses: []egv1a1.HTTPStatus{99, 200}, + }, }, }, }, 
@@ -797,12 +833,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", - ExpectedStatuses: []egv1a1.HTTPStatus{100, 200, 201}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + ExpectedStatuses: []egv1a1.HTTPStatus{100, 200, 201}, + }, }, }, }, @@ -823,12 +861,14 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", - ExpectedStatuses: []egv1a1.HTTPStatus{200, 300, 601}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + ExpectedStatuses: []egv1a1.HTTPStatus{200, 300, 601}, + }, }, }, }, @@ -851,14 +891,16 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", - ExpectedResponse: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeText, - Binary: []byte{'f', 'o', 'o'}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + ExpectedResponse: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeText, + Binary: []byte{'f', 'o', 'o'}, + }, }, }, }, 
@@ -882,14 +924,16 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeHTTP, - HTTP: &egv1a1.HTTPActiveHealthChecker{ - Path: "/healthz", - ExpectedResponse: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeBinary, - Text: ptr.To("foo"), + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + HTTP: &egv1a1.HTTPActiveHealthChecker{ + Path: "/healthz", + ExpectedResponse: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeBinary, + Text: ptr.To("foo"), + }, }, }, }, @@ -913,17 +957,19 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeTCP, - TCP: &egv1a1.TCPActiveHealthChecker{ - Send: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeText, - Binary: []byte{'f', 'o', 'o'}, - }, - Receive: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeText, - Text: ptr.To("foo"), + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeTCP, + TCP: &egv1a1.TCPActiveHealthChecker{ + Send: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeText, + Binary: []byte{'f', 'o', 'o'}, + }, + Receive: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeText, + Text: ptr.To("foo"), + }, }, }, }, 
@@ -947,17 +993,19 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - HealthCheck: &egv1a1.HealthCheck{ - Active: &egv1a1.ActiveHealthCheck{ - Type: egv1a1.ActiveHealthCheckerTypeTCP, - TCP: &egv1a1.TCPActiveHealthChecker{ - Send: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeText, - Text: ptr.To("foo"), - }, - Receive: &egv1a1.ActiveHealthCheckPayload{ - Type: egv1a1.ActiveHealthCheckPayloadTypeText, - Binary: []byte{'f', 'o', 'o'}, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeTCP, + TCP: &egv1a1.TCPActiveHealthChecker{ + Send: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeText, + Text: ptr.To("foo"), + }, + Receive: &egv1a1.ActiveHealthCheckPayload{ + Type: egv1a1.ActiveHealthCheckPayloadTypeText, + Binary: []byte{'f', 'o', 'o'}, + }, }, }, }, @@ -982,13 +1030,15 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - Timeout: &egv1a1.Timeout{ - TCP: &egv1a1.TCPTimeout{ - ConnectTimeout: &d, - }, - HTTP: &egv1a1.HTTPTimeout{ - ConnectionIdleTimeout: &d, - MaxConnectionDuration: &d, + ClusterSettings: egv1a1.ClusterSettings{ + Timeout: &egv1a1.Timeout{ + TCP: &egv1a1.TCPTimeout{ + ConnectTimeout: &d, + }, + HTTP: &egv1a1.HTTPTimeout{ + ConnectionIdleTimeout: &d, + MaxConnectionDuration: &d, + }, }, }, } 
@@ -1078,11 +1128,35 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - Connection: &egv1a1.BackendConnection{ - BufferLimit: ptr.To(resource.MustParse("1Mi")), + ClusterSettings: egv1a1.ClusterSettings{ + Connection: &egv1a1.BackendConnection{ + BufferLimit: ptr.To(resource.MustParse("1Mi")), + }, + }, + } + }, + }, + { + desc: "connectionBufferLimitBytes given as a number", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClusterSettings: egv1a1.ClusterSettings{ + Connection: &egv1a1.BackendConnection{ + BufferLimit: ptr.To(resource.MustParse("12345678")), + }, }, } }, + wantErrors: []string{}, }, { desc: "invalid connectionBufferLimitBytes format", @@ -1097,13 +1171,15 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, }, }, - Connection: &egv1a1.BackendConnection{ - BufferLimit: ptr.To(resource.MustParse("1m")), + ClusterSettings: egv1a1.ClusterSettings{ + Connection: &egv1a1.BackendConnection{ + BufferLimit: ptr.To(resource.MustParse("1m")), + }, }, } }, wantErrors: []string{ - "spec.connection.bufferLimit: Invalid value: \"\": BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"", + "spec.connection.bufferLimit: Invalid value: \"1m\": spec.connection.bufferLimit in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$', : Invalid value: \"\"", }, }, { diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index 4d98efd0aa2..b57adf7d025 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go 
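Review bot: The updated expectation for "invalid connectionBufferLimitBytes format" ends with `, : Invalid value: \"\"`, a second cause with no field path and no value. The two http2 window-size expectations in clienttrafficpolicy_test.go do not carry that tail, though the bufferLimit case there (hunk at -312) does. This suggests a second validation still fires on bufferLimit in addition to the schema pattern, which is worth confirming against the API type. If the assertion is a substring match (the comparison is outside this hunk, as is the rest of TestBackendTrafficPolicyTarget), the expectation could stop at the pattern so the test does not depend on that tail: `"spec.connection.bufferLimit: Invalid value: \"1m\": spec.connection.bufferLimit in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$'"`.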
@@ -312,7 +312,7 @@ func TestClientTrafficPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.connection.bufferLimit: Invalid value: \"\": bufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"", + "spec.connection.bufferLimit: Invalid value: \"15m\": spec.connection.bufferLimit in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$', : Invalid value: \"\"", }, }, { @@ -334,7 +334,7 @@ func TestClientTrafficPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.http2.initialStreamWindowSize: Invalid value: \"\": initialStreamWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"", + "spec.http2.initialStreamWindowSize: Invalid value: \"15m\": spec.http2.initialStreamWindowSize in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$'", }, }, { @@ -356,7 +356,7 @@ func TestClientTrafficPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.http2.InitialConnectionWindowSize: Invalid value: \"\": initialConnectionWindowSize must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"", + "spec.http2.initialConnectionWindowSize: Invalid value: \"15m\": spec.http2.initialConnectionWindowSize in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$'", }, }, { diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go index b199ed49d72..5e0e1f37ad9 100644 --- a/test/cel-validation/envoyextensionpolicy_test.go +++ b/test/cel-validation/envoyextensionpolicy_test.go 
@@ -284,11 +284,13 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ ExtProc: []egv1a1.ExtProc{ { - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-proc-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -313,12 +315,14 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ ExtProc: []egv1a1.ExtProc{ { - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Group: ptr.To(gwapiv1.Group("unsupported")), - Name: "grpc-proc-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Group: ptr.To(gwapiv1.Group("unsupported")), + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -335,7 +339,7 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { }, } }, - wantErrors: []string{"spec.extProc[0].backendRefs: Invalid value: \"array\": BackendRefs only supports Core and gateway.envoyproxy.io group"}, + wantErrors: []string{"spec.extProc[0]: Invalid value: \"object\": BackendRefs only supports Core and gateway.envoyproxy.io group"}, }, { desc: "ExtProc with invalid BackendRef Kind", 
@@ -343,12 +347,14 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ ExtProc: []egv1a1.ExtProc{ { - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Kind: ptr.To(gwapiv1.Kind("unsupported")), - Name: "grpc-proc-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Kind: ptr.To(gwapiv1.Kind("unsupported")), + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -365,7 +371,7 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { }, } }, - wantErrors: []string{"spec.extProc[0].backendRefs: Invalid value: \"array\": BackendRefs only supports Service and Backend kind"}, + wantErrors: []string{"spec.extProc[0]: Invalid value: \"object\": BackendRefs only supports Service and Backend kind"}, }, { desc: "ExtProc with invalid fields", @@ -373,11 +379,13 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ ExtProc: []egv1a1.ExtProc{ { - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-proc-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index 24f229dd6f1..12760562029 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go 
@@ -426,9 +426,11 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -451,12 +453,14 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Kind: ptr.To(gwapiv1a2.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Kind: ptr.To(gwapiv1a2.Kind("Service")), + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -501,9 +505,11 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, 
@@ -526,12 +532,14 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Kind: ptr.To(gwapiv1a2.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Kind: ptr.To(gwapiv1a2.Kind("Service")), + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -576,15 +584,19 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, HTTP: &egv1a1.HTTPExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, @@ -609,10 +621,12 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Group: ptr.To(gwapiv1.Group("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Group: ptr.To(gwapiv1.Group("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, 
@@ -637,10 +651,12 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Kind: ptr.To(gwapiv1.Kind("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Kind: ptr.To(gwapiv1.Kind("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, @@ -665,12 +681,14 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Kind: ptr.To(gwapiv1a2.Kind("unsupported")), - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Kind: ptr.To(gwapiv1a2.Kind("unsupported")), + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, @@ -695,10 +713,12 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Group: ptr.To(gwapiv1.Group("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Group: ptr.To(gwapiv1.Group("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, 
@@ -723,10 +743,12 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRef: &gwapiv1.BackendObjectReference{ - Kind: ptr.To(gwapiv1.Kind("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendCluster: egv1a1.BackendCluster{ + BackendRef: &gwapiv1.BackendObjectReference{ + Kind: ptr.To(gwapiv1.Kind("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, }, }, }, @@ -751,12 +773,14 @@ func TestSecurityPolicyTarget(t *testing.T) { sp.Spec = egv1a1.SecurityPolicySpec{ ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Kind: ptr.To(gwapiv1a2.Kind("unsupported")), - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Kind: ptr.To(gwapiv1a2.Kind("unsupported")), + Port: ptr.To(gwapiv1.PortNumber(80)), + }, }, }, }, From 975b1e82a4c0fd64298096a5109ebb4ed345f5cb Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Thu, 8 Aug 2024 15:30:40 +0300 Subject: [PATCH 025/523] fix: change the wasm download URL to point to the envoy examples repository (#4014) Fix the wasm download URL to point to the envoy examples repository. Signed-off-by: Lior Okman --- test/e2e/testdata/wasm-http.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/testdata/wasm-http.yaml b/test/e2e/testdata/wasm-http.yaml index d251d5943e9..2bc1aae0ab3 100644 --- a/test/e2e/testdata/wasm-http.yaml +++ b/test/e2e/testdata/wasm-http.yaml 
@@ -51,5 +51,5 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 From b82f4b24791ea5fdf9e498da6d35cd123d7846bf Mon Sep 17 00:00:00 2001 From: Ardika Date: Fri, 9 Aug 2024 06:38:33 +0700 Subject: [PATCH 026/523] fix: multiple reference grants in same namespace (#4008) * fix: multiple reference grants in same namespace Signed-off-by: Ardika Bagus * test: add e2e test Signed-off-by: Ardika Bagus * chore: wrong service port Signed-off-by: Ardika Bagus --------- Signed-off-by: Ardika Bagus --- internal/provider/kubernetes/controller.go | 32 +++- ...ferencegrants-same-namespace-services.yaml | 148 ++++++++++++++++++ .../multi-referencegrants-same-namespace.yaml | 92 +++++++++++ test/e2e/tests/referencegrants.go | 79 ++++++++++ 4 files changed, 346 insertions(+), 5 deletions(-) create mode 100644 test/e2e/testdata/multi-referencegrants-same-namespace-services.yaml create mode 100644 test/e2e/testdata/multi-referencegrants-same-namespace.yaml create mode 100644 test/e2e/tests/referencegrants.go diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index f7e88da222d..73d8799e900 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
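Review bot: The new `url` still tracks the mutable `main` branch, so the `sha256` on the next line stops matching as soon as the upstream example binary is rebuilt. The e2e test would then fail for a reason unrelated to this repository. The digest check is the right control and should stay. Pinning the URL to the revision the digest was computed from makes the pair stable, e.g. `url: https://raw.githubusercontent.com/envoyproxy/examples/<commit-sha>/wasm-cc/lib/envoy_filter_http_wasm_example.wasm`, where `<commit-sha>` is a placeholder.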
@@ -769,13 +769,35 @@ func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to } for _, refGrant := range refGrants { - if refGrant.Namespace == to.namespace { - for _, src := range refGrant.Spec.From { - if src.Kind == gwapiv1a2.Kind(from.kind) && string(src.Namespace) == from.namespace { - return &refGrant, nil - } + if refGrant.Namespace != to.namespace { + continue + } + + var fromAllowed bool + for _, refGrantFrom := range refGrant.Spec.From { + if string(refGrantFrom.Kind) == from.kind && string(refGrantFrom.Namespace) == from.namespace { + fromAllowed = true + break } } + + if !fromAllowed { + continue + } + + var toAllowed bool + for _, refGrantTo := range refGrant.Spec.To { + if string(refGrantTo.Kind) == to.kind && (refGrantTo.Name == nil || *refGrantTo.Name == "" || string(*refGrantTo.Name) == to.name) { + toAllowed = true + break + } + } + + if !toAllowed { + continue + } + + return &refGrant, nil } // No ReferenceGrant found. diff --git a/test/e2e/testdata/multi-referencegrants-same-namespace-services.yaml b/test/e2e/testdata/multi-referencegrants-same-namespace-services.yaml new file mode 100644 index 00000000000..948503bea3d --- /dev/null +++ b/test/e2e/testdata/multi-referencegrants-same-namespace-services.yaml 
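Review bot: The new matching compares only `Kind` and `Namespace` on `Spec.From` and only `Kind` and `Name` on `Spec.To`; the `Group` of either entry is never checked. A ReferenceGrant is an authorization object, and the fixture manifests in this commit set `group` on both sides, so a grant written for a same-named Kind in a different API group would be accepted here as permitting the reference. Each condition should also compare the group, e.g. `string(refGrantFrom.Group) == <from group> &&` and `string(refGrantTo.Group) == <to group> &&`. The `from`/`to` values as used in this hunk expose only kind, namespace and name, so a group would presumably have to be carried in by the callers. The body of findReferenceGrant starts and ends outside the hunk.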
@@ -0,0 +1,148 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: multireferencegrants-ns +--- +apiVersion: v1 +kind: Service +metadata: + name: app-backend-v1 + namespace: multireferencegrants-ns +spec: + selector: + app: app-backend-v1 + ports: + - protocol: TCP + port: 8080 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-backend-v1 + namespace: multireferencegrants-ns + labels: + app: app-backend-v1 +spec: + replicas: 1 + selector: + matchLabels: + app: app-backend-v1 + template: + metadata: + labels: + app: app-backend-v1 + spec: + containers: + - name: app-backend-v1 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: app-backend-v1 + resources: + requests: + cpu: 10m +--- +apiVersion: v1 +kind: Service +metadata: + name: app-backend-v2 + namespace: multireferencegrants-ns +spec: + selector: + app: app-backend-v2 + ports: + - protocol: TCP + port: 8080 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-backend-v2 + namespace: multireferencegrants-ns + labels: + app: app-backend-v2 +spec: + replicas: 1 + selector: + matchLabels: + app: app-backend-v2 + template: + metadata: + labels: + app: app-backend-v2 + spec: + containers: + - name: app-backend-v2 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: app-backend-v2 + resources: + requests: + cpu: 10m +--- +apiVersion: v1 +kind: Service +metadata: + name: app-backend-v3 + namespace: multireferencegrants-ns +spec: + selector: + app: app-backend-v3 + ports: + - protocol: TCP + port: 8080 + targetPort: 3000 +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-backend-v3 + namespace: multireferencegrants-ns + labels: + app: app-backend-v3 +spec: + replicas: 1 + selector: + matchLabels: + app: app-backend-v3 + template: + metadata: + labels: + app: app-backend-v3 + spec: + containers: + - name: app-backend-v3 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: app-backend-v3 + resources: + requests: + cpu: 10m diff --git a/test/e2e/testdata/multi-referencegrants-same-namespace.yaml b/test/e2e/testdata/multi-referencegrants-same-namespace.yaml new file mode 100644 index 00000000000..f9940185e5c --- /dev/null +++ b/test/e2e/testdata/multi-referencegrants-same-namespace.yaml 
@@ -0,0 +1,92 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: multi-referencegrant-same-namespace + namespace: gateway-conformance-infra +spec: + hostnames: + - multireferencegrant.local + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace + namespace: gateway-conformance-infra + rules: + - backendRefs: + - group: "" + kind: Service + name: app-backend-v3 + namespace: multireferencegrants-ns + port: 8080 + weight: 1 + matches: + - path: + type: PathPrefix + value: /v3/echo + - backendRefs: + - group: "" + kind: Service + name: app-backend-v2 + namespace: multireferencegrants-ns + port: 8080 + weight: 1 + matches: + - path: + type: PathPrefix + value: /v2/echo + - backendRefs: + - group: "" + kind: Service + name: app-backend-v1 + namespace: multireferencegrants-ns + port: 8080 + weight: 1 + matches: + - path: + type: PathPrefix + value: /v1/echo +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: app-backend-v1-rg + namespace: multireferencegrants-ns +spec: + from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: app-backend-v1 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: app-backend-v2-rg + namespace: multireferencegrants-ns +spec: + from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: app-backend-v2 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: app-backend-v3-rg + namespace: multireferencegrants-ns +spec: + from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: app-backend-v3 
diff --git a/test/e2e/tests/referencegrants.go b/test/e2e/tests/referencegrants.go new file mode 100644 index 00000000000..903e64598bc --- /dev/null +++ b/test/e2e/tests/referencegrants.go 
@@ -0,0 +1,79 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, MultiReferenceGrantsSameNamespaceTest) +} + +var MultiReferenceGrantsSameNamespaceTest = suite.ConformanceTest{ + ShortName: "MultiReferenceGrantsSameNamespace", + Description: "Test for multiple reference grants in the same namespace", + Manifests: []string{"testdata/multi-referencegrants-same-namespace-services.yaml", "testdata/multi-referencegrants-same-namespace.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + resourceNS := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "multi-referencegrant-same-namespace", Namespace: resourceNS} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: resourceNS} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + targetHost := "multireferencegrant.local" + targetNS := "multireferencegrants-ns" + testcases := []http.ExpectedResponse{ + { + Request: http.Request{ + Host: targetHost, + Path: "/v1/echo", + }, + Response: http.Response{ + StatusCode: 200, + }, + Backend: "app-backend-v1", + Namespace: targetNS, + }, + { + Request: http.Request{ + Host: targetHost, + Path: "/v2/echo", + }, + Response: http.Response{ + StatusCode: 200, + }, + Backend: "app-backend-v2", + Namespace: targetNS, + }, + { + Request: http.Request{ + Host: targetHost, + Path: "/v3/echo", + }, + Response: http.Response{ + StatusCode: 200, + }, + Backend: "app-backend-v3", 
+ Namespace: targetNS, + }, + } + + for i, tc := range testcases { + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} From d2eecc4eb78743fab0fec3ccf4ef8cb97b38e772 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 9 Aug 2024 00:27:43 -0700 Subject: [PATCH 027/523] move upgrade notes to install section (#4013) * also add the `--server-side` and `--force-conflicts` flag * also updated min supported k8s version to v1.27 Signed-off-by: Arko Dasgupta Co-authored-by: Abhishek Kumar --- site/content/en/docs/install/install-yaml.md | 30 ++++++++++++++++++- site/content/en/docs/tasks/quickstart.md | 28 ----------------- .../content/en/latest/install/install-yaml.md | 30 ++++++++++++++++++- site/content/en/latest/tasks/quickstart.md | 28 ----------------- site/content/en/v1.1/install/install-yaml.md | 30 ++++++++++++++++++- site/content/en/v1.1/tasks/quickstart.md | 28 ----------------- 6 files changed, 87 insertions(+), 87 deletions(-) diff --git a/site/content/en/docs/install/install-yaml.md b/site/content/en/docs/install/install-yaml.md index e675f15fbec..c0a8d1caa72 100644 --- a/site/content/en/docs/install/install-yaml.md +++ b/site/content/en/docs/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.25 or later +* Kubernetes 1.27 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} 
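Review bot: All three cases in `testcases` assert the permitted path only (a 200 from a backend that has its own ReferenceGrant); nothing checks that a backend without a matching grant is refused. The commit tightens `findReferenceGrant`, which is an authorization decision, so a regression that matches too broadly would still pass this test. A denial case would cover that: a rule pointing at a Service in `multireferencegrants-ns` that no grant names, asserting that the route reports `RefNotPermitted` and that the request is not served by that backend. It needs one extra Service without a grant in the fixture manifests.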
@@ -37,3 +37,31 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. 2. Next Steps Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). + +## Upgrading from v1.0 + +Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. + +1. Delete `BackendTLSPolicy` CRD (and resources): + +```shell +kubectl delete crd backendtlspolicies.gateway.networking.k8s.io +``` + +2. Update Gateway-API and Envoy Gateway CRDs: + +```shell +helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated +``` + +3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) + +4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. + +5. Install Envoy Gateway {{< yaml-version >}}: + +```shell +helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system +``` diff --git a/site/content/en/docs/tasks/quickstart.md b/site/content/en/docs/tasks/quickstart.md index 03d7b6de842..802b7989a88 100644 --- a/site/content/en/docs/tasks/quickstart.md +++ b/site/content/en/docs/tasks/quickstart.md 
@@ -92,34 +92,6 @@ curl --verbose --header "Host: www.example.com" http://localhost:8888/get {{% /tab %}} {{< /tabpane >}} -## v1.1 Upgrade Notes - -Due to breaking changes in the Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. - -Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` - -Update Gateway-API and Envoy Gateway CRDs: - -```shell -helm pull oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 --untar -kubectl apply -f ./gateway-helm/crds/gatewayapi-crds.yaml -kubectl apply -f ./gateway-helm/crds/generated -``` - -Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -Install Envoy Gateway v1.1.0: - -```shell -helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system -``` - ## What to explore next? In this quickstart, you have: diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index e675f15fbec..c0a8d1caa72 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.25 or later +* Kubernetes 1.27 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} 
@@ -37,3 +37,31 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. 2. Next Steps Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). + +## Upgrading from v1.0 + +Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. + +1. Delete `BackendTLSPolicy` CRD (and resources): + +```shell +kubectl delete crd backendtlspolicies.gateway.networking.k8s.io +``` + +2. Update Gateway-API and Envoy Gateway CRDs: + +```shell +helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated +``` + +3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) + +4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. + +5. Install Envoy Gateway {{< yaml-version >}}: + +```shell +helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system +``` diff --git a/site/content/en/latest/tasks/quickstart.md b/site/content/en/latest/tasks/quickstart.md index 03d7b6de842..802b7989a88 100644 --- a/site/content/en/latest/tasks/quickstart.md +++ b/site/content/en/latest/tasks/quickstart.md 
@@ -92,34 +92,6 @@ curl --verbose --header "Host: www.example.com" http://localhost:8888/get {{% /tab %}} {{< /tabpane >}} -## v1.1 Upgrade Notes - -Due to breaking changes in the Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. - -Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` - -Update Gateway-API and Envoy Gateway CRDs: - -```shell -helm pull oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 --untar -kubectl apply -f ./gateway-helm/crds/gatewayapi-crds.yaml -kubectl apply -f ./gateway-helm/crds/generated -``` - -Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -Install Envoy Gateway v1.1.0: - -```shell -helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system -``` - ## What to explore next? In this quickstart, you have: diff --git a/site/content/en/v1.1/install/install-yaml.md b/site/content/en/v1.1/install/install-yaml.md index e675f15fbec..c0a8d1caa72 100644 --- a/site/content/en/v1.1/install/install-yaml.md +++ b/site/content/en/v1.1/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.25 or later +* Kubernetes 1.27 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} 
@@ -37,3 +37,31 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. 2. Next Steps Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). + +## Upgrading from v1.0 + +Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. + +1. Delete `BackendTLSPolicy` CRD (and resources): + +```shell +kubectl delete crd backendtlspolicies.gateway.networking.k8s.io +``` + +2. Update Gateway-API and Envoy Gateway CRDs: + +```shell +helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml +kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated +``` + +3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) + +4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. + +5. Install Envoy Gateway {{< yaml-version >}}: + +```shell +helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system +``` diff --git a/site/content/en/v1.1/tasks/quickstart.md b/site/content/en/v1.1/tasks/quickstart.md index 03d7b6de842..802b7989a88 100644 --- a/site/content/en/v1.1/tasks/quickstart.md +++ b/site/content/en/v1.1/tasks/quickstart.md 
@@ -92,34 +92,6 @@ curl --verbose --header "Host: www.example.com" http://localhost:8888/get {{% /tab %}} {{< /tabpane >}} -## v1.1 Upgrade Notes - -Due to breaking changes in the Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. - -Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` - -Update Gateway-API and Envoy Gateway CRDs: - -```shell -helm pull oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 --untar -kubectl apply -f ./gateway-helm/crds/gatewayapi-crds.yaml -kubectl apply -f ./gateway-helm/crds/generated -``` - -Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -Install Envoy Gateway v1.1.0: - -```shell -helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system -``` - ## What to explore next? In this quickstart, you have: From 3b734a41e1deec2b7438896337f21a3bc181a69d Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 9 Aug 2024 23:25:42 +0800 Subject: [PATCH 028/523] bump golang.org/x/sys from 0.22.0 to 0.23.0 (#4007) * bump golang.org/x/sys from 0.22.0 to 0.23.0 Signed-off-by: Huabing Zhao * fix gen check Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: zirain Co-authored-by: Arko Dasgupta --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index a1c8e2fc44c..f20e9f23ba5 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod 
@@ -30,7 +30,7 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect golang.org/x/net v0.27.0 // indirect - golang.org/x/sys v0.22.0 // indirect + golang.org/x/sys v0.23.0 // indirect golang.org/x/text v0.16.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index e6a6ba81bb1..2b8472bc0a1 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -84,8 +84,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= diff --git a/go.mod b/go.mod index e66adb8a3db..e23ce14fff6 100644 --- a/go.mod +++ b/go.mod 
@@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 - golang.org/x/sys v0.22.0 + golang.org/x/sys v0.23.0 google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index ed3fe16fab6..cdfd32616df 100644 --- a/go.sum +++ b/go.sum @@ -1447,8 +1447,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From 176811d5e701096749b16616f5fe594b17280cdb Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Fri, 9 Aug 2024 20:23:16 +0300 Subject: [PATCH 029/523] feat: support cluster settings for tracing and accesslog backends (#4012) * Support cluster settings for tracing and accesslog backends Signed-off-by: Lior Okman * make the yaml linter happy Signed-off-by: Lior Okman --------- 
Signed-off-by: Lior Okman --- api/v1alpha1/accesslogging_types.go | 27 +- api/v1alpha1/envoyproxy_metric_types.go | 14 +- api/v1alpha1/tracing_types.go | 13 +- api/v1alpha1/zz_generated.deepcopy.go | 32 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 3004 ++++++++++++++++- internal/gatewayapi/listener.go | 46 +- .../envoyproxy-accesslog-with-traffic.in.yaml | 196 ++ ...envoyproxy-accesslog-with-traffic.out.yaml | 326 ++ .../envoyproxy-tracing-backend.in.yaml | 27 + .../envoyproxy-tracing-backend.out.yaml | 79 + internal/ir/xds.go | 3 + internal/ir/zz_generated.deepcopy.go | 15 + .../provider/kubernetes/predicates_test.go | 42 +- internal/xds/bootstrap/bootstrap_test.go | 14 +- internal/xds/translator/accesslog.go | 48 +- .../testdata/in/xds-ir/accesslog-als-tcp.yaml | 21 + .../testdata/in/xds-ir/tracing.yaml | 21 + .../xds-ir/accesslog-als-tcp.clusters.yaml | 28 +- .../testdata/out/xds-ir/tracing.clusters.yaml | 28 +- internal/xds/translator/tracing.go | 24 +- internal/xds/translator/translator_test.go | 1 - site/content/en/latest/api/extension_types.md | 179 +- site/content/zh/latest/api/extension_types.md | 179 +- test/cel-validation/envoyproxy_test.go | 345 +- 24 files changed, 3973 insertions(+), 739 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go index 24272564488..78b78a485d6 100644 --- a/api/v1alpha1/accesslogging_types.go +++ b/api/v1alpha1/accesslogging_types.go 
@@ -123,15 +123,13 @@ const ( // - `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used. // // +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' || !has(self.http)",message="The http field may only be set when type is HTTP." +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="must have at least one backend in backendRefs",rule="has(self.backendRefs) && self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\")) : true" type ALSEnvoyProxyAccessLog struct { - // BackendRefs references a Kubernetes object that represents the gRPC service to which - // the access logs will be sent. Currently only Service is supported. - // - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs"` + BackendCluster `json:",inline"` + // LogName defines the friendly name of the access log to be returned in // StreamAccessLogsMessage.Identifier. This allows the access log server // to differentiate between different access logs coming from the same Envoy. 
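Review bot: The exactly-one bound on `backendRefs` is lost for `ALSEnvoyProxyAccessLog`: the removed field carried `MinItems=1` and `MaxItems=1`, while the new struct-level rules only enforce `self.backendRefs.size() > 0`, and the generated CRD later in this patch shows `maxItems: 16` for the inlined field. The translator code is not visible in this hunk, so please confirm it handles several access-log backends rather than using only the first one. If a single backend is still the contract, keep it explicit with `// +kubebuilder:validation:XValidation:message="only one backendRef is supported",rule="has(self.backendRefs) ? self.backendRefs.size() <= 1 : true"`. The same `MaxItems=1` cap is dropped from `OpenTelemetryEnvoyProxyAccessLog`, `ProxyOpenTelemetrySink` and `TracingProvider` in the later hunks.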
@@ -167,7 +165,11 @@ type FileEnvoyProxyAccessLog struct { // OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink. // // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\")) : true" type OpenTelemetryEnvoyProxyAccessLog struct { + BackendCluster `json:",inline"` // Host define the extension service hostname. // Deprecated: Use BackendRefs instead. // @@ -180,15 +182,6 @@ type OpenTelemetryEnvoyProxyAccessLog struct { // +kubebuilder:validation:Minimum=0 // +kubebuilder:default=4317 Port int32 `json:"port,omitempty"` - // BackendRefs references a Kubernetes object that represents the - // backend server to which the access log will be sent. - // Only Service kind is supported for now. - // - // +optional - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs,omitempty"` // Resources is a set of labels that describe the source of a log entry, including envoy node info. // It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). // +optional 
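Review bot: The unchanged rule `has(self.host) || self.backendRefs.size() > 0` on `OpenTelemetryEnvoyProxyAccessLog` reads `backendRefs` without a `has()` guard, unlike the rules added directly below it. Assuming `backendRefs` stays optional in `BackendCluster` (its definition is outside this hunk), an object that sets neither field probably fails with a CEL evaluation error instead of the message "host or backendRefs needs to be set". Writing it as `rule="has(self.host) || (has(self.backendRefs) && self.backendRefs.size() > 0)"` keeps the rejection and the intended message. The same rule sits on `ProxyOpenTelemetrySink` and `TracingProvider` in the following hunks.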
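Review bot: Removing the field comment here leaves `backendRefs` on the OpenTelemetry access log sink documented only by `BackendCluster`, and the generated CRD later in this patch (shown for the ALS sink) describes the inlined field as the backend "to which the authorization request will be sent". Since the CRD description comes from the embedded type's own field, the wording needs fixing on `BackendCluster.BackendRefs`, for example `// BackendRefs references the Kubernetes objects that represent the backend servers traffic is sent to.`. `BackendCluster` is defined outside the visible part of the patch. The same applies to the ALS, metric sink and tracing provider hunks, which drop their sink-specific comments as well.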
diff --git a/api/v1alpha1/envoyproxy_metric_types.go b/api/v1alpha1/envoyproxy_metric_types.go index 8791ddbd490..0e571ef23c9 100644 --- a/api/v1alpha1/envoyproxy_metric_types.go +++ b/api/v1alpha1/envoyproxy_metric_types.go @@ -15,6 +15,7 @@ type ProxyMetrics struct { // Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. Prometheus *ProxyPrometheusProvider `json:"prometheus,omitempty"` // Sinks defines the metric sinks where metrics are sent to. + // +kubebuilder:validation:MaxItems=16 Sinks []ProxyMetricSink `json:"sinks,omitempty"` // Matches defines configuration for selecting specific metrics instead of generating all metrics stats // that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats @@ -54,7 +55,11 @@ type ProxyMetricSink struct { // ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink. // // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="only supports Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\")) : true" type ProxyOpenTelemetrySink struct { + BackendCluster `json:",inline"` // Host define the service hostname. // Deprecated: Use BackendRefs instead. // 
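Review bot: The kind rule added to `ProxyOpenTelemetrySink` uses the message "only supports Service kind.", which no longer names a field now that the rule sits on the struct rather than on `backendRefs`. A user reading the rejection has to guess which reference was refused. Using `message="BackendRefs only supports Service kind."`, as the rules in accesslogging_types.go do, keeps the messages consistent across the four types. The same shortened message is added to `TracingProvider` in tracing_types.go.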
@@ -68,15 +73,6 @@ type ProxyOpenTelemetrySink struct { // +kubebuilder:validation:Maximum=65535 // +kubebuilder:default=4317 Port int32 `json:"port,omitempty"` - // BackendRefs references a Kubernetes object that represents the - // backend server to which the metric will be sent. - // Only Service kind is supported for now. - // - // +optional - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs,omitempty"` // TODO: add support for customizing OpenTelemetry sink in https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto#envoy-v3-api-msg-extensions-stat-sinks-open-telemetry-v3-sinkconfig } diff --git a/api/v1alpha1/tracing_types.go b/api/v1alpha1/tracing_types.go index b7be478de15..55fd63ef4e9 100644 --- a/api/v1alpha1/tracing_types.go +++ b/api/v1alpha1/tracing_types.go 
@@ -31,7 +31,11 @@ const ( // TracingProvider defines the tracing provider configuration. // // +kubebuilder:validation:XValidation:message="host or backendRefs needs to be set",rule="has(self.host) || self.backendRefs.size() > 0" +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="only supports Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\")) : true" type TracingProvider struct { + BackendCluster `json:",inline"` // Type defines the tracing provider type. // +kubebuilder:validation:Enum=OpenTelemetry;Zipkin // +kubebuilder:default=OpenTelemetry @@ -48,15 +52,6 @@ type TracingProvider struct { // +kubebuilder:validation:Minimum=0 // +kubebuilder:default=4317 Port int32 `json:"port,omitempty"` - // BackendRefs references a Kubernetes object that represents the - // backend server to which the trace will be sent. - // Only Service kind is supported for now. - // - // +optional - // +kubebuilder:validation:MaxItems=1 - // +kubebuilder:validation:XValidation:message="only support Service kind.",rule="self.all(f, f.kind == 'Service')" - // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="self.all(f, f.group == '')" - BackendRefs []BackendRef `json:"backendRefs,omitempty"` // Zipkin defines the Zipkin tracing provider configuration // +optional Zipkin *ZipkinTracingProvider `json:"zipkin,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c8f7a5711fa..ad72365802a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -23,13 +23,7 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ALSEnvoyProxyAccessLog) DeepCopyInto(out *ALSEnvoyProxyAccessLog) { *out = *in - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.LogName != nil { in, out := &in.LogName, &out.LogName *out = new(string) @@ -3552,18 +3546,12 @@ func (in *OIDCProvider) DeepCopy() *OIDCProvider { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OpenTelemetryEnvoyProxyAccessLog) DeepCopyInto(out *OpenTelemetryEnvoyProxyAccessLog) { *out = *in + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.Host != nil { in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } if in.Resources != nil { in, out := &in.Resources, &out.Resources *out = make(map[string]string, len(*in)) @@ -3967,18 +3955,12 @@ func (in *ProxyMetrics) DeepCopy() *ProxyMetrics { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyOpenTelemetrySink) DeepCopyInto(out *ProxyOpenTelemetrySink) { *out = *in + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.Host != nil { in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyOpenTelemetrySink. 
@@ -4860,18 +4842,12 @@ func (in *Timeout) DeepCopy() *Timeout { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TracingProvider) DeepCopyInto(out *TracingProvider) { *out = *in + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.Host != nil { in, out := &in.Host, &out.Host *out = new(string) **out = **in } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } if in.Zipkin != nil { in, out := &in.Zipkin, &out.Zipkin *out = new(ZipkinTracingProvider) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 74438fea24c..0743318409c 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -10303,10 +10303,91 @@ spec: description: ALS defines the gRPC Access Log Service (ALS) sink. properties: + backendRef: + description: |- + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' backendRefs: description: |- - BackendRefs references a Kubernetes object that represents the gRPC service to which - the access logs will be sent. Currently only Service is supported. + BackendRefs references a Kubernetes object that represents the + backend server to which the authorization request will be sent. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -10385,16 +10466,642 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 - minItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: BackendRefs only supports Service - kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core - group. - rule: self.all(f, f.group == '') + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of + connections that Envoy will establish + to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of + parallel requests that Envoy will + make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of + parallel retries that Envoy will + make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of + pending requests that Envoy will + queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend + connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution + settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway + to perform active health checking on + backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold + defines the number of healthy + health checks required before + a backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse + defines a list of HTTP expected + responses to match. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus + defines the http status + code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines + the HTTP path that will + be requested during health + checking. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines + the time between active health + checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines + the expected response payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + send: + description: Send defines + the request payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the + time to wait for a health check + response. 
+ format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the + type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold + defines the number of unhealthy + health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type + is HTTP, http field needs to be + set. + rule: 'self.type == ''HTTP'' ? has(self.http) + : !has(self.http)' + - message: If Health Checker type + is TCP, tcp field needs to be + set. + rule: 'self.type == ''TCP'' ? has(self.tcp) + : !has(self.tcp)' + passive: + description: Passive passive check + configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime + defines the base duration for + which a host will be ejected + on consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors + sets the number of consecutive + 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors + sets the number of consecutive + gateway errors triggering ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines + the time between passive health + checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent + sets the maximum percentage + of hosts in a cluster that can + be ejected. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors + enables splitting of errors + between external and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration + for backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures + the cookie hash policy when + the consistent hash type is + set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes + to set for the generated + cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures + the header hash policy when + the consistent hash type is + set to Header. + properties: + name: + description: Name of the header + to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for + consistent hashing, must be + prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". 
+ enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type + is header, the header field must + be set. + rule: 'self.type == ''Header'' ? + has(self.header) : !has(self.header)' + - message: If consistent hash type + is cookie, the cookie field must + be set. + rule: 'self.type == ''Cookie'' ? + has(self.cookie) : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: 'self.type == ''ConsistentHash'' + ? has(self.consistentHash) : !has(self.consistentHash)' + - message: Currently SlowStart is only + supported for RoundRobin and LeastRequest + load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? 
!has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the + Proxy Protocol when communicating with + the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the + backend connections. + properties: + http: + description: Timeout settings for + HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for + TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. 
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object http: description: HTTP defines additional configuration specific to HTTP access logs. @@ -10436,13 +11143,24 @@ spec: - TCP type: string required: - - backendRefs - type type: object x-kubernetes-validations: - message: The http field may only be set when type is HTTP. rule: self.type == 'HTTP' || !has(self.http) + - message: BackendRefs must be used, backendRef + is not supported. + rule: '!has(self.backendRef)' + - message: must have at least one backend in backendRefs + rule: has(self.backendRefs) && self.backendRefs.size() + > 0 + - message: BackendRefs only supports Service kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == ''Service'') : true' + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "")) : true' file: description: File defines the file accesslog sink. properties: 
@@ -10456,11 +11174,91 @@ spec: description: OpenTelemetry defines the OpenTelemetry accesslog sink. properties: + backendRef: + description: |- + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' backendRefs: description: |- BackendRefs references a Kubernetes object that represents the - backend server to which the access log will be sent. - Only Service kind is supported for now. + backend server to which the authorization request will be sent. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -10539,45 +11337,682 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: only support Service kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core - group. - rule: self.all(f, f.group == '') - host: - description: |- - Host define the extension service hostname. - Deprecated: Use BackendRefs instead. - type: string - port: - default: 4317 - description: |- - Port defines the port the extension service is exposed on. - Deprecated: Use BackendRefs instead. - format: int32 - minimum: 0 - type: integer - resources: - additionalProperties: - type: string + backendSettings: description: |- - Resources is a set of labels that describe the source of a log entry, including envoy node info. - It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). - type: object - type: object - x-kubernetes-validations: - - message: host or backendRefs needs to be set - rule: has(self.host) || self.backendRefs.size() - > 0 - type: - description: Type defines the type of accesslog - sink. - enum: - - ALS - - File + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of + connections that Envoy will establish + to the referenced backend defined + within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of + parallel requests that Envoy will + make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of + parallel retries that Envoy will + make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of + pending requests that Envoy will + queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend + connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. 
+ x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution + settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. + type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway + to perform active health checking on + backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold + defines the number of healthy + health checks required before + a backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse + defines a list of HTTP expected + responses to match. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus + defines the http status + code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines + the HTTP path that will + be requested during health + checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines + the time between active health + checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines + the expected response payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? 
has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + send: + description: Send defines + the request payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload + in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines + the type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type + is Text, text field needs + to be set. + rule: 'self.type == ''Text'' + ? has(self.text) : !has(self.text)' + - message: If payload type + is Binary, binary field + needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the + time to wait for a health check + response. + format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the + type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold + defines the number of unhealthy + health checks required before + a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type + is HTTP, http field needs to be + set. + rule: 'self.type == ''HTTP'' ? has(self.http) + : !has(self.http)' + - message: If Health Checker type + is TCP, tcp field needs to be + set. + rule: 'self.type == ''TCP'' ? 
has(self.tcp) + : !has(self.tcp)' + passive: + description: Passive passive check + configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime + defines the base duration for + which a host will be ejected + on consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors + sets the number of consecutive + 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors + sets the number of consecutive + gateway errors triggering ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines + the time between passive health + checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent + sets the maximum percentage + of hosts in a cluster that can + be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors + enables splitting of errors + between external and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration + for backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures + the cookie hash policy when + the consistent hash type is + set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes + to set for the generated + cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. 
Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures + the header hash policy when + the consistent hash type is + set to Header. + properties: + name: + description: Name of the header + to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for + consistent hashing, must be + prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". + enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type + is header, the header field must + be set. + rule: 'self.type == ''Header'' ? + has(self.header) : !has(self.header)' + - message: If consistent hash type + is cookie, the cookie field must + be set. + rule: 'self.type == ''Cookie'' ? + has(self.cookie) : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. 
For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: 'self.type == ''ConsistentHash'' + ? has(self.consistentHash) : !has(self.consistentHash)' + - message: Currently SlowStart is only + supported for RoundRobin and LeastRequest + load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? !has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the + Proxy Protocol when communicating with + the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the + backend connections. + properties: + http: + description: Timeout settings for + HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for + TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + host: + description: |- + Host define the extension service hostname. + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: |- + Port defines the port the extension service is exposed on. + Deprecated: Use BackendRefs instead. + format: int32 + minimum: 0 + type: integer + resources: + additionalProperties: + type: string + description: |- + Resources is a set of labels that describe the source of a log entry, including envoy node info. + It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). + type: object + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: has(self.host) || self.backendRefs.size() + > 0 + - message: BackendRefs must be used, backendRef + is not supported. + rule: '!has(self.backendRef)' + - message: BackendRefs only supports Service kind. + rule: 'has(self.backendRefs) ? 
self.backendRefs.all(f, + f.kind == ''Service'') : true' + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "")) : true' + type: + description: Type defines the type of accesslog + sink. + enum: + - ALS + - File - OpenTelemetry type: string type: object 
@@ -10688,11 +12123,91 @@ spec: OpenTelemetry defines the configuration for OpenTelemetry sink. It's required if the sink type is OpenTelemetry. properties: + backendRef: + description: |- + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == + ''Service'') ? has(self.port) : true' backendRefs: description: |- BackendRefs references a Kubernetes object that represents the - backend server to which the metric will be sent. - Only Service kind is supported for now. + backend server to which the authorization request will be sent. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
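Review bot: The added `backendRef` description and the rewritten `backendRefs` description in this hunk both say the backend is where "the authorization request will be sent", but the enclosing object is the OpenTelemetry metric sink, and the removed text read "the metric will be sent". The rewrite also drops "Only Service kind is supported for now.", although the rules added in the next hunk still reject any other kind and reject `backendRef` entirely. I would restore sink-specific wording, for example `backend server to which the metric will be sent. Only Service kind is supported for now.`, and mark `backendRef` as not accepted here. The hunk at `@@ -10884,11 +13008,91 @@` repeats the same wording for the tracing provider, where the removed text read "the trace will be sent". This schema looks generated, so the fix probably belongs in the doc comment on the shared Go type, which is not visible in this diff.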
@@ -10770,48 +12285,657 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: only support Service kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core group. - rule: self.all(f, f.group == '') - host: - description: |- - Host define the service hostname. - Deprecated: Use BackendRefs instead. - type: string - port: - default: 4317 + backendSettings: description: |- - Port defines the port the service is exposed on. - Deprecated: Use BackendRefs instead. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: host or backendRefs needs to be set - rule: has(self.host) || self.backendRefs.size() > - 0 - type: - default: OpenTelemetry - description: |- - Type defines the metric sink type. - EG currently only supports OpenTelemetry. - enum: - - OpenTelemetry - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: If MetricSink type is OpenTelemetry, openTelemetry - field needs to be set. + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections + that Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel + requests that Envoy will make to the referenced + backend defined within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel + retries that Envoy will make to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending + requests that Envoy will queue to the + referenced backend defined within a xRoute + rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. 
+ x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. + type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold defines + the number of healthy health checks + required before a backend host is + marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines + a list of HTTP expected responses + to match. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload in + plain text. 
+ type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the + type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, + text field needs to be set. + rule: 'self.type == ''Text'' ? + has(self.text) : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines + the http status code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP + path that will be requested during + health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time + between active health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the + expected response payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload in + plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the + type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, + text field needs to be set. + rule: 'self.type == ''Text'' ? 
+ has(self.text) : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + send: + description: Send defines the request + payload. + properties: + binary: + description: Binary payload + base64 encoded. + format: byte + type: string + text: + description: Text payload in + plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the + type of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, + text field needs to be set. + rule: 'self.type == ''Text'' ? + has(self.text) : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' + ? has(self.binary) : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time + to wait for a health check response. + format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the type of + health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines + the number of unhealthy health checks + required before a backend host is + marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, + http field needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) + : !has(self.http)' + - message: If Health Checker type is TCP, + tcp field needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) + : !has(self.tcp)' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines + the base duration for which a host + will be ejected on consecutive failures. 
+ format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets + the number of consecutive 5xx errors + triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors + sets the number of consecutive gateway + errors triggering ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time + between passive health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets + the maximum percentage of hosts in + a cluster that can be ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors + enables splitting of errors between + external and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration + for backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie + hash policy when the consistent hash + type is set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes + to set for the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. 
Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header + hash policy when the consistent hash + type is set to Header. + properties: + name: + description: Name of the header + to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent + hashing, must be prime number limited + to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". + enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, + the header field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, + the cookie field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. 
For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported + for RoundRobin and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? !has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy + Protocol when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. 
+ format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend + connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + host: + description: |- + Host define the service hostname. + Deprecated: Use BackendRefs instead. + type: string + port: + default: 4317 + description: |- + Port defines the port the service is exposed on. + Deprecated: Use BackendRefs instead. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: host or backendRefs needs to be set + rule: has(self.host) || self.backendRefs.size() > + 0 + - message: BackendRefs must be used, backendRef is not + supported. + rule: '!has(self.backendRef)' + - message: only supports Service kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, + f.kind == ''Service'') : true' + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "")) : true' + type: + default: OpenTelemetry + description: |- + Type defines the metric sink type. + EG currently only supports OpenTelemetry. 
+ enum: + - OpenTelemetry + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If MetricSink type is OpenTelemetry, openTelemetry + field needs to be set. rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry) : !has(self.openTelemetry)' + maxItems: 16 type: array type: object tracing: 
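Review bot: The re-added rule `has(self.host) || self.backendRefs.size() > 0` reads `self.backendRefs` without a presence check, while the two rules added right after it guard with `has(self.backendRefs) ? ... : true`. When both `host` and `backendRefs` are omitted, the expression most likely fails to evaluate rather than returning false, so the object is still rejected but with an evaluation error instead of "host or backendRefs needs to be set". I would write it as `has(self.host) || (has(self.backendRefs) && self.backendRefs.size() > 0)`; the access-log sink earlier in this diff carries the same unguarded rule. The message `only supports Service kind.` also lacks the `BackendRefs` subject that its sibling message and the access-log variant use.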
@@ -10884,11 +13008,91 @@ spec: provider: description: Provider defines the tracing provider. properties: + backendRef: + description: |- + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' backendRefs: description: |- BackendRefs references a Kubernetes object that represents the - backend server to which the trace will be sent. - Only Service kind is supported for now. + backend server to which the authorization request will be sent. items: description: BackendRef defines how an ObjectReference that is specific to BackendRef. 
@@ -10966,13 +13170,607 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - maxItems: 1 + maxItems: 16 type: array - x-kubernetes-validations: - - message: only support Service kind. - rule: self.all(f, f.kind == 'Service') - - message: BackendRefs only supports Core group. - rule: self.all(f, f.group == '') + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections + that Envoy will establish to the referenced + backend defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel requests + that Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel retries + that Envoy will make to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending requests + that Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection + settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. 
+ type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform + active health checking on backends. + properties: + active: + description: Active health check configuration + properties: + healthyThreshold: + default: 1 + description: HealthyThreshold defines the + number of healthy health checks required + before a backend host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines + a list of HTTP expected responses to + match. + properties: + binary: + description: Binary payload base64 + encoded. + format: byte + type: string + text: + description: Text payload in plain + text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type + of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text + field needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines the + http status code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP path + that will be requested during health + checking. 
+ maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time between + active health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected + response payload. + properties: + binary: + description: Binary payload base64 + encoded. + format: byte + type: string + text: + description: Text payload in plain + text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type + of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text + field needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + send: + description: Send defines the request + payload. + properties: + binary: + description: Binary payload base64 + encoded. + format: byte + type: string + text: + description: Text payload in plain + text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type + of the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text + field needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, + binary field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time to wait + for a health check response. 
+ format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - enum: + - HTTP + - TCP + description: Type defines the type of health + checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines the + number of unhealthy health checks required + before a backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, http + field needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) + : !has(self.http)' + - message: If Health Checker type is TCP, tcp + field needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) + : !has(self.tcp)' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines the + base duration for which a host will be ejected + on consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets the + number of consecutive 5xx errors triggering + ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors sets + the number of consecutive gateway errors + triggering ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time between + passive health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can + be ejected. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors + enables splitting of errors between external + and local origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for + backend connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. + x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. 
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie + hash policy when the consistent hash type + is set to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes to + set for the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. + If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header + hash policy when the consistent hash type + is set to Header. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent + hashing, must be prime number limited to + 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". 
+ enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, + the header field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, + the cookie field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. + During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, + consistentHash field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported for + RoundRobin and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? 
!has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. + properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object host: description: |- Host define the provider service hostname. 
@@ -11015,6 +13813,14 @@ spec: x-kubernetes-validations: - message: host or backendRefs needs to be set rule: has(self.host) || self.backendRefs.size() > 0 + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: only supports Service kind. + rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind + == ''Service'') : true' + - message: BackendRefs only supports Core group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, + f.group == "")) : true' samplingRate: default: 100 description: |- diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index adbd302b957..b63645a85e1 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -313,7 +313,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * } // TODO: how to get authority from the backendRefs? - ds, err := t.processBackendRefs(sink.ALS.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) + ds, traffic, err := t.processBackendRefs(sink.ALS.BackendCluster, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -324,6 +324,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * Name: fmt.Sprintf("accesslog_als_%d_%d", i, j), // TODO: rename this, so that we can share backend with tracing? Settings: ds, }, + Traffic: traffic, Type: sink.ALS.Type, CELMatches: validExprs, } 
@@ -350,20 +351,20 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * continue } - // TODO: remove support for Host/Port in v1.2 - al := &ir.OpenTelemetryAccessLog{ - CELMatches: validExprs, - Resources: sink.OpenTelemetry.Resources, - } - // TODO: how to get authority from the backendRefs? - ds, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) + ds, traffic, err := t.processBackendRefs(sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } - al.Destination = ir.RouteDestination{ - Name: fmt.Sprintf("accesslog_otel_%d_%d", i, j), // TODO: rename this, so that we can share backend with tracing? - Settings: ds, + // TODO: remove support for Host/Port in v1.2 + al := &ir.OpenTelemetryAccessLog{ + CELMatches: validExprs, + Resources: sink.OpenTelemetry.Resources, + Destination: ir.RouteDestination{ + Name: fmt.Sprintf("accesslog_otel_%d_%d", i, j), // TODO: rename this, so that we can share backend with tracing? + Settings: ds, + }, + Traffic: traffic, } if len(ds) == 0 { @@ -401,7 +402,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo tracing := envoyproxy.Spec.Telemetry.Tracing // TODO: how to get authority from the backendRefs? - ds, err := t.processBackendRefs(tracing.Provider.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) + ds, traffic, err := t.processBackendRefs(tracing.Provider.BackendCluster, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -440,6 +441,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo Settings: ds, }, Provider: tracing.Provider, + Traffic: traffic, }, nil } 
@@ -455,7 +457,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Re continue } - _, err := t.processBackendRefs(sink.OpenTelemetry.BackendRefs, envoyproxy.Namespace, resources, envoyproxy) + _, _, err := t.processBackendRefs(sink.OpenTelemetry.BackendCluster, envoyproxy.Namespace, resources, envoyproxy) if err != nil { return nil, err } @@ -467,25 +469,29 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Re }, nil } -func (t *Translator) processBackendRefs(backendRefs []egv1a1.BackendRef, namespace string, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, error) { - result := make([]*ir.DestinationSetting, 0, len(backendRefs)) - for _, ref := range backendRefs { +func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) { + traffic, err := translateTrafficFeatures(backendCluster.BackendSettings) + if err != nil { + return nil, nil, err + } + result := make([]*ir.DestinationSetting, 0, len(backendCluster.BackendRefs)) + for _, ref := range backendCluster.BackendRefs { ns := NamespaceDerefOr(ref.Namespace, namespace) kind := KindDerefOr(ref.Kind, KindService) if kind != KindService { - return nil, errors.New("only service kind is supported for backendRefs") + return nil, nil, errors.New("only service kind is supported for backendRefs") } if err := validateBackendService(ref.BackendObjectReference, resources, ns, corev1.ProtocolTCP); err != nil { - return nil, err + return nil, nil, err } ds := t.processServiceDestinationSetting(ref.BackendObjectReference, ns, ir.TCP, resources, envoyProxy) result = append(result, ds) } if len(result) == 0 { - return nil, nil + return nil, traffic, nil } - return result, nil + return result, traffic, nil } func destinationSettingFromHostAndPort(host string, port uint32) []*ir.DestinationSetting { 
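Review bot: The traffic settings returned by `processBackendRefs` are discarded in processMetrics (`_, _, err :=`), so a `backendSettings` block on a metrics OpenTelemetry sink is parsed and can fail translation, but never reaches the IR. Either carry the value through to the metrics IR as the access-log and tracing paths do, or state the gap at the call site, e.g. `// backendSettings on metrics sinks are validated here but not applied yet`. processMetrics starts and ends outside this hunk, so whether another path applies the settings cannot be seen here.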
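Review bot: The loop in processBackendRefs rejects a non-Service `kind` but never looks at `ref.Group`, so the core-group restriction for telemetry backends is enforced only by the CRD's CEL rules. In the CRD hunk visible here, this commit moves those rules to the provider object and guards them with `has(self.backendRefs)`. Unless `validateBackendService` already checks the group (not visible here), I would mirror the rule next to the kind check so the translator does not depend on the installed CRD version: `if ref.Group != nil && *ref.Group != "" { return nil, nil, errors.New("only core group is supported for backendRefs") }`. The function also deserves a doc comment now that it returns three values, noting that `traffic` is returned even when no backendRefs resolve, so the host/port fallback still receives it.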
diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.in.yaml new file mode 100644 index 00000000000..72d40451a1f --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.in.yaml 
@@ -0,0 +1,196 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway-system + name: test + spec: + telemetry: + accessLog: + settings: + - format: + type: Text + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + sinks: + - type: File + file: + path: /dev/stdout + - type: ALS + als: + logName: accesslog + backendSettings: + http2: + initialStreamWindowSize: 128Ki + initialConnectionWindowSize: 2Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + type: ConsistentHash + consistentHash: + type: Header + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + circuitBreaker: + maxConnections: 2048 + timeout: + tcp: + connectTimeout: 15s + connection: + bufferLimit: 20Mi + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + type: HTTP + - type: ALS + als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + - type: OpenTelemetry + openTelemetry: + backendSettings: + http2: + initialStreamWindowSize: 128Ki + initialConnectionWindowSize: 2Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + type: ConsistentHash + consistentHash: + type: Header + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + circuitBreaker: + maxConnections: 2048 + timeout: + tcp: + connectTimeout: 15s + connection: + bufferLimit: 20Mi + host: 
otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: "cluster-1" + provider: + type: Kubernetes + kubernetes: + envoyService: + type: LoadBalancer + envoyDeployment: + replicas: 2 + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: "envoyproxy/envoy:distroless-dev" + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + pod: + annotations: + key1: val1 + key2: val2 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: "router" + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + fsGroupChangePolicy: "OnRootMismatch" + volumes: + - name: certs + secret: + secretName: envoy-cert +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same +services: +- apiVersion: v1 + kind: Service + metadata: + name: envoy-als + namespace: monitoring + spec: + type: ClusterIP + ports: + - name: grpc + port: 9000 + appProtocol: grpc + protocol: TCP + targetPort: 9000 +endpointSlices: +- apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-envoy-als + namespace: monitoring + labels: + kubernetes.io/service-name: envoy-als + addressType: IPv4 + ports: + - name: grpc + protocol: TCP + appProtocol: grpc + port: 9090 + endpoints: + - addresses: + - "10.240.0.10" + conditions: + ready: true 
diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml new file mode 100644 index 00000000000..28ef831b03a --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml 
@@ -0,0 +1,326 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + provider: + kubernetes: + envoyDeployment: + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: envoyproxy/envoy:distroless-dev + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + runAsUser: 2000 + pod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + annotations: + key1: val1 + key2: val2 + securityContext: + fsGroup: 2000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 3000 + runAsUser: 1000 + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: router + volumes: + - name: certs + secret: + secretName: envoy-cert + 
replicas: 2 + envoyService: + type: LoadBalancer + type: Kubernetes + telemetry: + accessLog: + settings: + - format: + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + type: Text + sinks: + - file: + path: /dev/stdout + type: File + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + backendSettings: + circuitBreaker: + maxConnections: 2048 + connection: + bufferLimit: 20Mi + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 2Mi + initialStreamWindowSize: 128Ki + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + consistentHash: + header: + name: X-some-header + type: Header + type: ConsistentHash + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logName: accesslog + type: HTTP + type: ALS + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + type: ALS + - openTelemetry: + backendSettings: + circuitBreaker: + maxConnections: 2048 + connection: + bufferLimit: 20Mi + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 2Mi + initialStreamWindowSize: 128Ki + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + consistentHash: + header: + name: X-some-header + type: Header + type: ConsistentHash + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: cluster-1 + type: OpenTelemetry + status: {} + 
listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + als: + - destination: + name: accesslog_als_0_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + name: accesslog + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 131072 + initialStreamWindowSize: 2097152 + maxConcurrentStreams: 200 + resetStreamOnError: true + loadBalancer: + consistentHash: + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + type: HTTP + - destination: + name: accesslog_als_0_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + name: envoy-gateway-system/test + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + type: TCP + openTelemetry: + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_0_3 + 
settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + resources: + k8s.cluster.name: cluster-1 + text: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 131072 + initialStreamWindowSize: 2097152 + maxConcurrentStreams: 200 + resetStreamOnError: true + loadBalancer: + consistentHash: + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s + text: + - format: | + [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n + path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml index 9cd3485cec3..4c06c534135 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.in.yaml 
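Review bot: The expected xdsIR in this golden file has the two HTTP/2 window sizes swapped relative to the input. The `.in.yaml` sets `initialStreamWindowSize: 128Ki` and `initialConnectionWindowSize: 2Mi`, yet both `traffic.http2` blocks here expect `initialConnectionWindowSize: 131072` (128Ki) and `initialStreamWindowSize: 2097152` (2Mi). That suggests the translation behind `translateTrafficFeatures` (not visible in this part of the diff) crosses the two fields, and the golden output locks the mistake in. After fixing the mapping the expectation should read `initialConnectionWindowSize: 2097152` and `initialStreamWindowSize: 131072`. The same swapped pair appears in the `xdsIR` hunk of `envoyproxy-tracing-backend.out.yaml`.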
@@ -9,6 +9,33 @@ envoyProxyForGatewayClass: tracing: samplingRate: 100 provider: + backendSettings: + http2: + initialStreamWindowSize: 128Ki + initialConnectionWindowSize: 2Mi + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + type: ConsistentHash + consistentHash: + type: Header + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + circuitBreaker: + maxConnections: 2048 + timeout: + tcp: + connectTimeout: 15s + connection: + bufferLimit: 20Mi backendRefs: - name: otel-collector namespace: monitoring diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml index 70e07bd18f2..b3a44d78fdc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml @@ -106,6 +106,33 @@ infraIR: - name: otel-collector namespace: monitoring port: 4317 + backendSettings: + circuitBreaker: + maxConnections: 2048 + connection: + bufferLimit: 20Mi + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 2Mi + initialStreamWindowSize: 128Ki + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + consistentHash: + header: + name: X-some-header + type: Header + type: ConsistentHash + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s type: OpenTelemetry samplingRate: 100 status: {} 
@@ -156,6 +183,58 @@ xdsIR: - name: otel-collector namespace: monitoring port: 4317 + backendSettings: + circuitBreaker: + maxConnections: 2048 + connection: + bufferLimit: 20Mi + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 2Mi + initialStreamWindowSize: 128Ki + maxConcurrentStreams: 200 + onInvalidMessage: TerminateStream + loadBalancer: + consistentHash: + header: + name: X-some-header + type: Header + type: ConsistentHash + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s type: OpenTelemetry samplingRate: 100 serviceName: gateway-1.envoy-gateway + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + consecutiveGatewayErrors: 4 + interval: 5s + http2: + initialConnectionWindowSize: 131072 + initialStreamWindowSize: 2097152 + maxConcurrentStreams: 200 + resetStreamOnError: true + loadBalancer: + consistentHash: + header: + name: X-some-header + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5e9cb6ac40e..6ba04e5e20e 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1657,6 +1657,7 @@ type ALSAccessLog struct { CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` LogName string `json:"name" yaml:"name"` Destination RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` + Traffic *TrafficFeatures `json:"traffic,omitempty" yaml:"traffic,omitempty"` Type egv1a1.ALSEnvoyProxyAccessLogType `json:"type" yaml:"type"` Text *string `json:"text,omitempty" yaml:"text,omitempty"` Attributes map[string]string `json:"attributes,omitempty" yaml:"attributes,omitempty"` 
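Review bot: The two HTTP/2 window sizes in the added `traffic.http2` block are swapped relative to the fixture input. envoyproxy-tracing-backend.in.yaml sets `initialStreamWindowSize: 128Ki` and `initialConnectionWindowSize: 2Mi`, while this expected xdsIR records `initialConnectionWindowSize: 131072` and `initialStreamWindowSize: 2097152`. The `backendSettings` copy in the same hunk keeps the input values, so the swap happens between the API type and the IR; the cause is outside this diff and may be only a serialisation label. The access-log expected output earlier in this patch carries the same pair of values. I would confirm which side is wrong before these golden files are merged, because a fixture that pins the swap will make a later fix look like a regression.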
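Review bot: The new `Traffic` field on `ALSAccessLog` has no comment, and the same field is added uncommented to `OpenTelemetryAccessLog` and `Tracing` in the next two hunks. A nil value is meaningful here, since the translator hunks in this commit replace it with an empty `TrafficFeatures`. I would state that on the field, for example `// Traffic holds the cluster settings for this sink's backend; nil leaves the translator's defaults in place.` The struct bodies start and end outside these hunks, so whether the neighbouring fields are documented cannot be checked from here.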
@@ -1680,6 +1681,7 @@ type OpenTelemetryAccessLog struct { Attributes map[string]string `json:"attributes,omitempty" yaml:"attributes,omitempty"` Resources map[string]string `json:"resources,omitempty" yaml:"resources,omitempty"` Destination RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` + Traffic *TrafficFeatures `json:"traffic,omitempty" yaml:"traffic,omitempty"` } // EnvoyPatchPolicy defines the intermediate representation of the EnvoyPatchPolicy resource. @@ -1738,6 +1740,7 @@ type Tracing struct { SamplingRate float64 `json:"samplingRate,omitempty"` CustomTags map[string]egv1a1.CustomTag `json:"customTags,omitempty"` Destination RouteDestination `json:"destination,omitempty"` + Traffic *TrafficFeatures `json:"traffic,omitempty"` Provider egv1a1.TracingProvider `json:"provider"` } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 7d453c5f522..c51c386ee82 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -25,6 +25,11 @@ func (in *ALSAccessLog) DeepCopyInto(out *ALSAccessLog) { copy(*out, *in) } in.Destination.DeepCopyInto(&out.Destination) + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } if in.Text != nil { in, out := &in.Text, &out.Text *out = new(string) @@ -1830,6 +1835,11 @@ func (in *OpenTelemetryAccessLog) DeepCopyInto(out *OpenTelemetryAccessLog) { } } in.Destination.DeepCopyInto(&out.Destination) + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenTelemetryAccessLog. 
@@ -2837,6 +2847,11 @@ func (in *Tracing) DeepCopyInto(out *Tracing) { } } in.Destination.DeepCopyInto(&out.Destination) + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } in.Provider.DeepCopyInto(&out.Provider) } diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 3f097f3f9cd..d5ac876f4b2 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -471,12 +471,14 @@ func TestValidateServiceForReconcile(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "otel-collector", - Namespace: ptr.To(gwapiv1.Namespace("default")), - Port: ptr.To(gwapiv1.PortNumber(4317)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "otel-collector", + Namespace: ptr.To(gwapiv1.Namespace("default")), + Port: ptr.To(gwapiv1.PortNumber(4317)), + }, }, }, }, @@ -491,12 +493,14 @@ func TestValidateServiceForReconcile(t *testing.T) { { Type: egv1a1.MetricSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "otel-collector", - Namespace: ptr.To(gwapiv1.Namespace("default")), - Port: ptr.To(gwapiv1.PortNumber(4317)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "otel-collector", + Namespace: ptr.To(gwapiv1.Namespace("default")), + Port: ptr.To(gwapiv1.PortNumber(4317)), + }, }, }, }, 
@@ -507,12 +511,14 @@ func TestValidateServiceForReconcile(t *testing.T) { Tracing: &egv1a1.ProxyTracing{ Provider: egv1a1.TracingProvider{ Type: egv1a1.TracingProviderTypeOpenTelemetry, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "otel-collector", - Namespace: ptr.To(gwapiv1.Namespace("default")), - Port: ptr.To(gwapiv1.PortNumber(4317)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "otel-collector", + Namespace: ptr.To(gwapiv1.Namespace("default")), + Port: ptr.To(gwapiv1.PortNumber(4317)), + }, }, }, }, diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go index 19e020c499e..2023a7096bd 100644 --- a/internal/xds/bootstrap/bootstrap_test.go +++ b/internal/xds/bootstrap/bootstrap_test.go @@ -86,12 +86,14 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ Host: ptr.To("otel-collector.monitoring.svc"), Port: 4317, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "otel-collector", - Namespace: ptr.To(gwapiv1.Namespace("monitoring")), - Port: ptr.To(gwapiv1.PortNumber(4317)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "otel-collector", + Namespace: ptr.To(gwapiv1.Namespace("monitoring")), + Port: ptr.To(gwapiv1.PortNumber(4317)), + }, }, }, }, diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 01c448b65e9..8acb6e4b005 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go 
@@ -478,14 +478,27 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL if al == nil { return nil } - // add clusters for ALS access logs for _, als := range al.ALS { + traffic := als.Traffic + // Make sure that there are safe defaults for the traffic + if traffic == nil { + traffic = &ir.TrafficFeatures{} + } if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: als.Destination.Name, - settings: als.Destination.Settings, - tSocket: nil, - endpointType: EndpointTypeStatic, + name: als.Destination.Name, + settings: als.Destination.Settings, + tSocket: nil, + endpointType: EndpointTypeStatic, + loadBalancer: traffic.LoadBalancer, + proxyProtocol: traffic.ProxyProtocol, + circuitBreaker: traffic.CircuitBreaker, + healthCheck: traffic.HealthCheck, + timeout: traffic.Timeout, + tcpkeepalive: traffic.TCPKeepalive, + backendConnection: traffic.BackendConnection, + dns: traffic.DNS, + http2Settings: traffic.HTTP2, }); err != nil && !errors.Is(err, ErrXdsClusterExists) { return err } 
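Review bot: The nil-to-empty substitution for `Traffic` and the nine-field copy into `xdsClusterArgs` are written out here for ALS, again in the OpenTelemetry loop in the next hunk, and a third time in `processClusterForTracing` in tracing.go. Three hand-kept copies drift easily: a setting added for one sink type and missed on another would leave that telemetry connection on defaults with no error. A small helper for the nil case, sketched below, would keep the call sites identical; the comment `// Make sure that there are safe defaults for the traffic` could also say that an empty struct leaves every field nil, so `addXdsCluster` decides the defaults. `processClusterForAccessLog` begins before this hunk and continues past it.

```go
// trafficOrEmpty returns t, or an empty TrafficFeatures when t is nil, so the
// cluster arguments can be filled without a nil check at every call site.
func trafficOrEmpty(t *ir.TrafficFeatures) *ir.TrafficFeatures {
	if t == nil {
		return &ir.TrafficFeatures{}
	}
	return t
}

// in the ALS loop:
traffic := trafficOrEmpty(als.Traffic)
// … unchanged: addXdsCluster call reading the traffic.* fields …
```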
@@ -493,12 +506,27 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL // add clusters for Open Telemetry access logs for _, otel := range al.OpenTelemetry { + traffic := otel.Traffic + // Make sure that there are safe defaults for the traffic + if traffic == nil { + traffic = &ir.TrafficFeatures{} + } + if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: otel.Destination.Name, - settings: otel.Destination.Settings, - tSocket: nil, - endpointType: EndpointTypeDNS, - metrics: metrics, + name: otel.Destination.Name, + settings: otel.Destination.Settings, + tSocket: nil, + endpointType: EndpointTypeDNS, + metrics: metrics, + loadBalancer: traffic.LoadBalancer, + proxyProtocol: traffic.ProxyProtocol, + circuitBreaker: traffic.CircuitBreaker, + healthCheck: traffic.HealthCheck, + timeout: traffic.Timeout, + tcpkeepalive: traffic.TCPKeepalive, + backendConnection: traffic.BackendConnection, + dns: traffic.DNS, + http2Settings: traffic.HTTP2, }); err != nil && !errors.Is(err, ErrXdsClusterExists) { return err } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml index 2d8f0c6aa48..4b437f443e8 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-als-tcp.yaml @@ -17,6 +17,27 @@ accesslog: port: 9000 protocol: GRPC weight: 1 + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + baseEjectionTime: 30s + consecutiveGatewayErrors: 4 + consecutive5XxErrors: 5 + consecutiveLocalOriginFailures: 5 + interval: 5s + maxEjectionPercent: 10 + splitExternalLocalOriginErrors: false + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s attributes: attr1: value1 attr2: value2 
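Review bot: This fixture's new `traffic` block sets no `http2`, `loadBalancer` or `dns`, although the translator change in this commit also forwards those three to `addXdsCluster`; tracing.yaml in the next file has the same gap. The expected cluster output accordingly still shows `initialConnectionWindowSize: 1048576` and `lbPolicy: LEAST_REQUEST`, so nothing here would notice if those settings were dropped or mis-mapped for telemetry clusters. Adding an `http2` entry with distinct stream and connection window sizes to one of the two fixtures would cover that path at the xDS level.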
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml index 0f3555524ff..2bd8aff1b7d 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml @@ -25,6 +25,27 @@ tracing: - host: "otel-collector.default.svc.cluster.local" port: 4317 protocol: "GRPC" + traffic: + backendConnection: + bufferLimit: 20971520 + circuitBreaker: + maxConnections: 2048 + healthCheck: + passive: + baseEjectionTime: 30s + consecutiveGatewayErrors: 4 + consecutive5XxErrors: 5 + consecutiveLocalOriginFailures: 5 + interval: 5s + maxEjectionPercent: 10 + splitExternalLocalOriginErrors: false + proxyProtocol: + version: V2 + tcpKeepalive: + probes: 7 + timeout: + tcp: + connectTimeout: 15s provider: host: otel-collector.monitoring.svc.cluster.local port: 4317 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index 9603f302b73..be515fc1afb 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -1,9 +1,10 @@ - circuitBreakers: thresholds: - - maxRetries: 1024 + - maxConnections: 2048 + maxRetries: 1024 commonLbConfig: localityWeightedLbConfig: {} - connectTimeout: 10s + connectTimeout: 15s dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: 
@@ -12,8 +13,24 @@ serviceName: accesslog/monitoring/envoy-als/port/9000 lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 - outlierDetection: {} - perConnectionBufferLimitBytes: 32768 + outlierDetection: + baseEjectionTime: 30s + consecutive5xx: 5 + consecutiveGatewayFailure: 4 + consecutiveLocalOriginFailure: 5 + interval: 5s + maxEjectionPercent: 10 + perConnectionBufferLimitBytes: 20971520 + transportSocket: + name: envoy.transport_sockets.upstream_proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport + config: + version: V2 + transportSocket: + name: envoy.transport_sockets.raw_buffer + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer type: EDS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: @@ -22,3 +39,6 @@ http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + upstreamConnectionOptions: + tcpKeepalive: + keepaliveProbes: 7 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index dce48b2c083..4d419611516 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -17,10 +17,11 @@ type: EDS - circuitBreakers: thresholds: - - maxRetries: 1024 + - maxConnections: 2048 + maxRetries: 1024 commonLbConfig: localityWeightedLbConfig: {} - connectTimeout: 10s + connectTimeout: 15s dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST 
@@ -38,9 +39,25 @@ locality: region: tracing-0/backend/0 name: tracing-0 - outlierDetection: {} - perConnectionBufferLimitBytes: 32768 + outlierDetection: + baseEjectionTime: 30s + consecutive5xx: 5 + consecutiveGatewayFailure: 4 + consecutiveLocalOriginFailure: 5 + interval: 5s + maxEjectionPercent: 10 + perConnectionBufferLimitBytes: 20971520 respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.upstream_proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.proxy_protocol.v3.ProxyProtocolUpstreamTransport + config: + version: V2 + transportSocket: + name: envoy.transport_sockets.raw_buffer + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer type: STRICT_DNS typedExtensionProtocolOptions: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: @@ -49,3 +66,6 @@ http2ProtocolOptions: initialConnectionWindowSize: 1048576 initialStreamWindowSize: 65536 + upstreamConnectionOptions: + tcpKeepalive: + keepaliveProbes: 7 diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index b2a52ec6a18..ad9a3ecc0e1 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go 
@@ -160,12 +160,26 @@ func processClusterForTracing(tCtx *types.ResourceVersionTable, tracing *ir.Trac return nil } + traffic := tracing.Traffic + // Make sure that there are safe defaults for the traffic + if traffic == nil { + traffic = &ir.TrafficFeatures{} + } if err := addXdsCluster(tCtx, &xdsClusterArgs{ - name: tracing.Destination.Name, - settings: tracing.Destination.Settings, - tSocket: nil, - endpointType: EndpointTypeDNS, - metrics: metrics, + name: tracing.Destination.Name, + settings: tracing.Destination.Settings, + tSocket: nil, + endpointType: EndpointTypeDNS, + metrics: metrics, + loadBalancer: traffic.LoadBalancer, + proxyProtocol: traffic.ProxyProtocol, + circuitBreaker: traffic.CircuitBreaker, + healthCheck: traffic.HealthCheck, + timeout: traffic.Timeout, + tcpkeepalive: traffic.TCPKeepalive, + backendConnection: traffic.BackendConnection, + dns: traffic.DNS, + http2Settings: traffic.HTTP2, }); err != nil && !errors.Is(err, ErrXdsClusterExists) { return err } diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 44d6d127bca..f5918b4bc8c 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -127,7 +127,6 @@ func TestTranslateXds(t *testing.T) { }, FilterOrder: x.FilterOrder, } - tCtx, err := tr.Translate(x) if !strings.HasSuffix(inputFileName, "partial-invalid") && len(cfg.errMsg) == 0 { t.Logf(inputFileName) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 6ff3e2ed4c7..516864db274 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -68,7 +68,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs references a Kubernetes object that represents the gRPC service to which
the access logs will be sent. Currently only Service is supported. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | | `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | | `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | @@ -128,7 +130,7 @@ _Appears in:_ #### ActiveHealthCheckPayload -_Underlying type:_ _[struct{Type ActiveHealthCheckPayloadType "json:\"type\" yaml:\"type\""; Text *string "json:\"text,omitempty\" yaml:\"text,omitempty\""; Binary []byte "json:\"binary,omitempty\" yaml:\"binary,omitempty\""}](#struct{type-activehealthcheckpayloadtype-"json:\"type\"-yaml:\"type\"";-text-*string-"json:\"text,omitempty\"-yaml:\"text,omitempty\"";-binary-[]byte-"json:\"binary,omitempty\"-yaml:\"binary,omitempty\""})_ + ActiveHealthCheckPayload defines the encoding of the payload bytes in the payload. @@ -136,8 +138,26 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | +| `text` | _string_ | false | Text payload in plain text. | +| `binary` | _integer array_ | false | Binary payload base64 encoded. | +#### ActiveHealthCheckPayloadType + +_Underlying type:_ _string_ + +ActiveHealthCheckPayloadType is the type of the payload. + +_Appears in:_ +- [ActiveHealthCheckPayload](#activehealthcheckpayload) + +| Value | Description | +| ----- | ----------- | +| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| +| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| #### ActiveHealthCheckerType @@ -264,9 +284,13 @@ to a backend. This can include multiple endpoints, and settings that apply for managing the connection to all these endpoints. _Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -279,19 +303,6 @@ _Appears in:_ -#### BackendConnection - - - -BackendConnection allows users to configure connection-level settings of backend - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -528,23 +539,6 @@ _Appears in:_ | `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | -#### CircuitBreaker - - - -CircuitBreaker defines the Circuit Breaker configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | -| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | -| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -715,11 +709,15 @@ ClusterSettings provides the various knobs that can be set to control how traffi backend will be configured. _Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) - [BackendCluster](#backendcluster) - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -879,20 +877,6 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| -#### DNS - - - - - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | -| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1822,23 +1806,6 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | -#### HTTP2Settings - - - -HTTP2Settings provides HTTP/2 configuration for listeners and backends. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | -| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | -| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | -| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -1996,21 +1963,6 @@ _Appears in:_ | `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | -#### HealthCheck - - - -HealthCheck configuration to decide which endpoints -are healthy and can be used for routing. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | -| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2425,21 +2377,6 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | -#### LoadBalancer - - - -LoadBalancer defines the load balancer policy to be applied. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | -| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | -| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2575,9 +2512,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the access log will be sent.
Only Service kind is supported for now. | | `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | @@ -2932,9 +2871,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the metric will be sent.
Only Service kind is supported for now. | #### ProxyPrometheusProvider @@ -2952,20 +2893,6 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | -#### ProxyProtocol - - - -ProxyProtocol defines the configuration related to the proxy protocol -when communicating with the backend. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3571,22 +3498,6 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | -#### TCPKeepalive - - - -TCPKeepalive define the TCP Keepalive configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | -| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | -| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3663,20 +3574,6 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | -#### Timeout - - - -Timeout defines configuration for timeouts related to connections. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider @@ -3690,10 +3587,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | | `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the trace will be sent.
Only Service kind is supported for now. | | `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 6ff3e2ed4c7..516864db274 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -68,7 +68,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs references a Kubernetes object that represents the gRPC service to which
the access logs will be sent. Currently only Service is supported. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | | `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | | `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | @@ -128,7 +130,7 @@ _Appears in:_ #### ActiveHealthCheckPayload -_Underlying type:_ _[struct{Type ActiveHealthCheckPayloadType "json:\"type\" yaml:\"type\""; Text *string "json:\"text,omitempty\" yaml:\"text,omitempty\""; Binary []byte "json:\"binary,omitempty\" yaml:\"binary,omitempty\""}](#struct{type-activehealthcheckpayloadtype-"json:\"type\"-yaml:\"type\"";-text-*string-"json:\"text,omitempty\"-yaml:\"text,omitempty\"";-binary-[]byte-"json:\"binary,omitempty\"-yaml:\"binary,omitempty\""})_ + ActiveHealthCheckPayload defines the encoding of the payload bytes in the payload. @@ -136,8 +138,26 @@ _Appears in:_ - [HTTPActiveHealthChecker](#httpactivehealthchecker) - [TCPActiveHealthChecker](#tcpactivehealthchecker) +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | +| `text` | _string_ | false | Text payload in plain text. | +| `binary` | _integer array_ | false | Binary payload base64 encoded. | +#### ActiveHealthCheckPayloadType + +_Underlying type:_ _string_ + +ActiveHealthCheckPayloadType is the type of the payload. + +_Appears in:_ +- [ActiveHealthCheckPayload](#activehealthcheckpayload) + +| Value | Description | +| ----- | ----------- | +| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| +| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| #### ActiveHealthCheckerType @@ -264,9 +284,13 @@ to a backend. This can include multiple endpoints, and settings that apply for managing the connection to all these endpoints. _Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -279,19 +303,6 @@ _Appears in:_ -#### BackendConnection - - - -BackendConnection allows users to configure connection-level settings of backend - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -528,23 +539,6 @@ _Appears in:_ | `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | -#### CircuitBreaker - - - -CircuitBreaker defines the Circuit Breaker configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | -| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | -| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -715,11 +709,15 @@ ClusterSettings provides the various knobs that can be set to control how traffi backend will be configured. _Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) - [BackendCluster](#backendcluster) - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -879,20 +877,6 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| -#### DNS - - - - - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | -| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1822,23 +1806,6 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | -#### HTTP2Settings - - - -HTTP2Settings provides HTTP/2 configuration for listeners and backends. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | -| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | -| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | -| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -1996,21 +1963,6 @@ _Appears in:_ | `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | -#### HealthCheck - - - -HealthCheck configuration to decide which endpoints -are healthy and can be used for routing. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | -| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2425,21 +2377,6 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | -#### LoadBalancer - - - -LoadBalancer defines the load balancer policy to be applied. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | -| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | -| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2575,9 +2512,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the access log will be sent.
Only Service kind is supported for now. | | `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | @@ -2932,9 +2871,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the metric will be sent.
Only Service kind is supported for now. | #### ProxyPrometheusProvider @@ -2952,20 +2893,6 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | -#### ProxyProtocol - - - -ProxyProtocol defines the configuration related to the proxy protocol -when communicating with the backend. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3571,22 +3498,6 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | -#### TCPKeepalive - - - -TCPKeepalive define the TCP Keepalive configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | -| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | -| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3663,20 +3574,6 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | -#### Timeout - - - -Timeout defines configuration for timeouts related to connections. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClusterSettings](#clustersettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider @@ -3690,10 +3587,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | | `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the trace will be sent.
Only Service kind is supported for now. | | `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | diff --git a/test/cel-validation/envoyproxy_test.go b/test/cel-validation/envoyproxy_test.go index 4d914a7e9a6..76ba7434048 100644 --- a/test/cel-validation/envoyproxy_test.go +++ b/test/cel-validation/envoyproxy_test.go @@ -488,11 +488,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeALS, ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(9000)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(9000)), + }, }, }, }, @@ -519,11 +521,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeALS, ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(9000)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(9000)), + }, }, }, }, @@ -552,11 +556,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeALS, ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("foo")), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("foo")), + }, }, }, }, 
@@ -584,11 +590,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeALS, ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Group: ptr.To(gwapiv1.Group("foo")), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Group: ptr.To(gwapiv1.Group("foo")), + }, }, }, }, @@ -626,7 +634,7 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"Invalid value: \"null\""}, + wantErrors: []string{"Invalid value: \"object\": must have at least one backend in backendRefs"}, }, { desc: "invalid-accesslog-ALS-empty-backendrefs", @@ -640,44 +648,8 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeALS, ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{}, - Type: egv1a1.ALSEnvoyProxyAccessLogTypeHTTP, - }, - }, - }, - }, - }, - }, - }, - } - }, - wantErrors: []string{"should have at least 1 items"}, - }, - { - desc: "invalid-accesslog-ALS-multi-backendrefs", - mutate: func(envoy *egv1a1.EnvoyProxy) { - envoy.Spec = egv1a1.EnvoyProxySpec{ - Telemetry: &egv1a1.ProxyTelemetry{ - AccessLog: &egv1a1.ProxyAccessLog{ - Settings: []egv1a1.ProxyAccessLogSetting{ - { - Sinks: []egv1a1.ProxyAccessLogSink{ - { - Type: egv1a1.ProxyAccessLogSinkTypeALS, - ALS: &egv1a1.ALSEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{}, }, Type: egv1a1.ALSEnvoyProxyAccessLogTypeHTTP, }, 
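Review bot: The `invalid-accesslog-ALS-multi-backendrefs` case deleted in the `@@ -640,44 +648,8 @@` hunk has no positive replacement, so nothing in this table pins what validation now does with more than one entry in `BackendRefs`. The same holds for the deleted `multi-accesslog-backendref`, `ProxyMetrics-sinks-multi-backendref` and `tracing-multi-backendref` cases in the later hunks. If the one-item limit was lifted on purpose, a case with two backends and an empty `wantErrors` would catch a limit that is reintroduced by accident; if the limit still applies to some sink, that sink's old expectation should stay. TestEnvoyProxyProvider starts and ends outside the hunk; a sketch of the ALS case follows.

```go
// … unchanged: preceding table entries …
{
	desc: "accesslog-ALS-multi-backendrefs",
	mutate: func(envoy *egv1a1.EnvoyProxy) {
		envoy.Spec = egv1a1.EnvoyProxySpec{
			Telemetry: &egv1a1.ProxyTelemetry{
				AccessLog: &egv1a1.ProxyAccessLog{
					Settings: []egv1a1.ProxyAccessLogSetting{
						{
							Sinks: []egv1a1.ProxyAccessLogSink{
								{
									Type: egv1a1.ProxyAccessLogSinkTypeALS,
									ALS: &egv1a1.ALSEnvoyProxyAccessLog{
										BackendCluster: egv1a1.BackendCluster{
											BackendRefs: []egv1a1.BackendRef{
												{
													BackendObjectReference: gwapiv1.BackendObjectReference{
														Name: "fake-service",
														Port: ptr.To(gwapiv1.PortNumber(8080)),
													},
												},
												{
													// second backend; the name is a constructed sample
													BackendObjectReference: gwapiv1.BackendObjectReference{
														Name: "fake-service-2",
														Port: ptr.To(gwapiv1.PortNumber(8080)),
													},
												},
											},
										},
										Type: egv1a1.ALSEnvoyProxyAccessLogTypeHTTP,
									},
								},
							},
						},
					},
				},
			},
		}
	},
	wantErrors: []string{},
},
```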
@@ -689,7 +661,7 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"must have at most 1 items"}, + wantErrors: []string{"must have at least one backend in backendRefs"}, }, { desc: "accesslog-OpenTelemetry", @@ -735,11 +707,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("foo")), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("foo")), + }, }, }, }, @@ -752,7 +726,7 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"only support Service Kind."}, + wantErrors: []string{"Invalid value: \"object\": BackendRefs only supports Service kind."}, }, { desc: "invalid-accesslog-backendref-group", @@ -770,11 +744,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Group: ptr.To(gwapiv1.Group("foo")), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Group: ptr.To(gwapiv1.Group("foo")), + }, }, }, }, 
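Review bot: The expectation introduced in the `@@ -752,7 +726,7 @@` hunk, `"Invalid value: \"object\": BackendRefs only supports Service kind."`, is worded differently from the one used for the same condition on the metrics and tracing sinks (`@@ -1096,7 +1006,7 @@` and `@@ -1147,7 +1061,7 @@`), which assert `"only supports Service Kind."`. The difference in the casing of "kind" suggests two separately worded validation rules for one check; the rules themselves are not in this view, so that is inferred. This expectation also pins the `Invalid value: "object":` prefix, which the other two do not. Assuming `wantErrors` entries are matched as substrings, I would assert only the rule message here, `wantErrors: []string{"BackendRefs only supports Service kind."},`, and align the rule wording so a single string serves all three sinks.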
@@ -805,12 +781,14 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("Service")), + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, @@ -824,49 +802,6 @@ func TestEnvoyProxyProvider(t *testing.T) { } }, }, - { - desc: "multi-accesslog-backendref", - mutate: func(envoy *egv1a1.EnvoyProxy) { - envoy.Spec = egv1a1.EnvoyProxySpec{ - Telemetry: &egv1a1.ProxyTelemetry{ - AccessLog: &egv1a1.ProxyAccessLog{ - Settings: []egv1a1.ProxyAccessLogSetting{ - { - Format: &egv1a1.ProxyAccessLogFormat{ - Type: "Text", - Text: ptr.To("[%START_TIME%]"), - }, - Sinks: []egv1a1.ProxyAccessLogSink{ - { - Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, - OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } - }, - wantErrors: []string{"must have at most 1 items"}, - }, { desc: "accesslog-backendref-empty-kind", mutate: func(envoy *egv1a1.EnvoyProxy) { 
@@ -883,11 +818,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.ProxyAccessLogSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.OpenTelemetryEnvoyProxyAccessLog{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, @@ -993,11 +930,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.MetricSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, 
@@ -1010,39 +949,6 @@ func TestEnvoyProxyProvider(t *testing.T) { }, wantErrors: []string{}, }, - { - desc: "ProxyMetrics-sinks-multi-backendref", - mutate: func(envoy *egv1a1.EnvoyProxy) { - envoy.Spec = egv1a1.EnvoyProxySpec{ - Telemetry: &egv1a1.ProxyTelemetry{ - Metrics: &egv1a1.ProxyMetrics{ - Sinks: []egv1a1.ProxyMetricSink{ - { - Type: egv1a1.MetricSinkTypeOpenTelemetry, - OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - }, - }, - }, - }, - }, - }, - } - }, - wantErrors: []string{"must have at most 1 items"}, - }, { desc: "ProxyMetrics-sinks-backendref-empty-kind", mutate: func(envoy *egv1a1.EnvoyProxy) { @@ -1053,11 +959,13 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.MetricSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, 
@@ -1080,12 +988,14 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.MetricSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("foo")), - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("foo")), + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, @@ -1096,7 +1006,7 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"only support Service Kind."}, + wantErrors: []string{"only supports Service Kind."}, }, { desc: "ProxyMetrics-sinks-invalid-backendref-group", @@ -1108,12 +1018,14 @@ func TestEnvoyProxyProvider(t *testing.T) { { Type: egv1a1.MetricSinkTypeOpenTelemetry, OpenTelemetry: &egv1a1.ProxyOpenTelemetrySink{ - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Group: ptr.To(gwapiv1.Group("foo")), - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Group: ptr.To(gwapiv1.Group("foo")), + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, 
@@ -1134,11 +1046,13 @@ func TestEnvoyProxyProvider(t *testing.T) { Tracing: &egv1a1.ProxyTracing{ Provider: egv1a1.TracingProvider{ Type: egv1a1.TracingProviderTypeOpenTelemetry, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("foo")), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("foo")), + }, }, }, }, @@ -1147,7 +1061,7 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"only support Service Kind."}, + wantErrors: []string{"only supports Service Kind."}, }, { desc: "tracing-backendref-empty-kind", @@ -1157,11 +1071,13 @@ func TestEnvoyProxyProvider(t *testing.T) { Tracing: &egv1a1.ProxyTracing{ Provider: egv1a1.TracingProvider{ Type: egv1a1.TracingProviderTypeOpenTelemetry, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, 
@@ -1179,42 +1095,14 @@ func TestEnvoyProxyProvider(t *testing.T) { Tracing: &egv1a1.ProxyTracing{ Provider: egv1a1.TracingProvider{ Type: egv1a1.TracingProviderTypeOpenTelemetry, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - }, - }, - }, - }, - } - }, - }, - { - desc: "tracing-multi-backendref", - mutate: func(envoy *egv1a1.EnvoyProxy) { - envoy.Spec = egv1a1.EnvoyProxySpec{ - Telemetry: &egv1a1.ProxyTelemetry{ - Tracing: &egv1a1.ProxyTracing{ - Provider: egv1a1.TracingProvider{ - Type: egv1a1.TracingProviderTypeOpenTelemetry, - BackendRefs: []egv1a1.BackendRef{ - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), - }, - }, - { - BackendObjectReference: gwapiv1.BackendObjectReference{ - Name: "fake-service", - Kind: ptr.To(gwapiv1.Kind("Service")), - Port: ptr.To(gwapiv1.PortNumber(8080)), + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "fake-service", + Kind: ptr.To(gwapiv1.Kind("Service")), + Port: ptr.To(gwapiv1.PortNumber(8080)), + }, }, }, }, @@ -1223,7 +1111,6 @@ func TestEnvoyProxyProvider(t *testing.T) { }, } }, - wantErrors: []string{"must have at most 1 items"}, }, { desc: "tracing-empty-backend", From 67575b8b7be29ce3ccbf8b20bea18201f6b45a0e Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 9 Aug 2024 15:13:17 -0700 Subject: [PATCH 030/523] reduce readinessProbe failureThreshold and periodSeconds (#4021) * Reduces time for the endpoint to be removed from the endpointSlice from `30s` (3 * 10) to `5s` (1 * 5) * Since kube-proxy and CNIs rely on this info and so do external LBs like GKE https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer 
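Review bot: The `tracing-multi-backendref` case and its `wantErrors: []string{"must have at most 1 items"}` assertion are removed in these two hunks, and `ProxyMetrics-sinks-multi-backendref` goes the same way in the earlier `-1010,39` hunk. No replacement is visible in this part of the diff, so nothing in the visible table pins how validation treats more than one entry in `BackendCluster.BackendRefs`. If the single-backend limit was lifted on purpose, keep the two-ref fixture as a positive case with `wantErrors: []string{},` so a later re-tightening or loosening of the CRD rule shows up in review. If some limit still applies, keep a negative case asserting the new message instead. The body of TestEnvoyProxyProvider starts and ends outside these hunks, so a replacement case may exist elsewhere in the file.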
Signed-off-by: Arko Dasgupta --- internal/infrastructure/kubernetes/proxy/resource.go | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/component-level.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/default-env.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/default.yaml | 4 ++-- .../proxy/testdata/daemonsets/disable-prometheus.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/extension-env.yaml | 4 ++-- .../testdata/daemonsets/override-labels-and-annotations.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml | 4 ++-- .../proxy/testdata/daemonsets/shutdown-manager.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-annotations.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-concurrency.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-image-pull-secrets.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/with-name.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-node-selector.yaml | 4 ++-- .../testdata/daemonsets/with-topology-spread-constraints.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/bootstrap.yaml | 4 ++-- .../proxy/testdata/deployments/component-level.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/custom.yaml | 4 ++-- .../testdata/deployments/custom_with_initcontainers.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/default-env.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/default.yaml | 4 ++-- .../proxy/testdata/deployments/disable-prometheus.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/extension-env.yaml | 4 ++-- .../testdata/deployments/override-labels-and-annotations.yaml | 4 ++-- .../proxy/testdata/deployments/patch-deployment.yaml | 4 ++-- .../proxy/testdata/deployments/shutdown-manager.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/volumes.yaml | 4 ++-- 
.../proxy/testdata/deployments/with-annotations.yaml | 4 ++-- .../proxy/testdata/deployments/with-concurrency.yaml | 4 ++-- .../proxy/testdata/deployments/with-empty-memory-limits.yaml | 4 ++-- .../proxy/testdata/deployments/with-extra-args.yaml | 4 ++-- .../proxy/testdata/deployments/with-image-pull-secrets.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/with-name.yaml | 4 ++-- .../proxy/testdata/deployments/with-node-selector.yaml | 4 ++-- .../deployments/with-topology-spread-constraints.yaml | 4 ++-- internal/infrastructure/kubernetes/ratelimit/resource.go | 4 ++-- .../kubernetes/ratelimit/testdata/deployments/custom.yaml | 4 ++-- .../ratelimit/testdata/deployments/default-env.yaml | 4 ++-- .../kubernetes/ratelimit/testdata/deployments/default.yaml | 4 ++-- .../ratelimit/testdata/deployments/disable-prometheus.yaml | 4 ++-- .../ratelimit/testdata/deployments/enable-tracing-custom.yaml | 4 ++-- .../ratelimit/testdata/deployments/enable-tracing.yaml | 4 ++-- .../ratelimit/testdata/deployments/extension-env.yaml | 4 ++-- .../ratelimit/testdata/deployments/override-env.yaml | 4 ++-- .../ratelimit/testdata/deployments/patch-deployment.yaml | 4 ++-- .../ratelimit/testdata/deployments/redis-tls-settings.yaml | 4 ++-- .../ratelimit/testdata/deployments/tolerations.yaml | 4 ++-- .../kubernetes/ratelimit/testdata/deployments/volumes.yaml | 4 ++-- .../ratelimit/testdata/deployments/with-node-selector.yaml | 4 ++-- .../deployments/with-topology-spread-constraints.yaml | 4 ++-- 53 files changed, 106 insertions(+), 106 deletions(-) diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index 5045de6390a..406694be9bb 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go 
@@ -226,9 +226,9 @@ func expectedProxyContainers(infra *ir.ProxyInfra, }, }, TimeoutSeconds: 1, - PeriodSeconds: 10, + PeriodSeconds: 5, SuccessThreshold: 1, - FailureThreshold: 3, + FailureThreshold: 1, }, Lifecycle: &corev1.Lifecycle{ PreStop: &corev1.LifecycleHandler{ diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index 0622977315d..7f1bc6c41ab 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -74,12 +74,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 8f2752be07c..99232820298 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -258,12 +258,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 1d5a93c5ba2..b59b07a086c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml 
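Review bot: `FailureThreshold: 1` next to the unchanged `TimeoutSeconds: 1` means a single `/ready` response slower than one second marks the proxy unready, so a short CPU stall or load burst can pull replicas out of the EndpointSlice and shed traffic when it is least affordable. The same pair is set in expectedRateLimitContainers in ratelimit/resource.go, where an unready rate-limit service presumably leaves the data path on whatever failure mode is configured. Consider `FailureThreshold: 2,` with `PeriodSeconds: 5,`, which still gives roughly 10s removal. Otherwise record the trade-off beside the fields, e.g. `// A single failed probe removes the endpoint (~5s); /ready must stay cheap so load spikes do not flap readiness.`. The probe struct and expectedProxyContainers continue outside the hunk.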
@@ -256,12 +256,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 7ee2909f896..0808d5c0180 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 7190df8f86f..73bc606336c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -212,12 +212,12 @@ spec: name: EnvoyHTTPSPort protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 3ceb7cee0ea..4f2f396b763 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml 
@@ -260,12 +260,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 9b8a0fcaf4b..5391a49388b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -252,12 +252,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 970f58ba1ab..169eeb59394 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 3bb5ccbe620..725055a9f4d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml 
@@ -242,12 +242,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 060e0d42b92..b993f3bfbc1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -260,12 +260,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index ffc184f3fd8..c43c64302f3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -246,12 +246,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 850b8a2510e..568aa4164ad 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml 
@@ -74,12 +74,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index e75a89be5bc..612363ca2e6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -243,12 +243,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 424eae5f2a3..a0324cb54e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index fb4fc761bb2..c31ea245056 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml 
@@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 96a1e21f963..a0ebcf2e918 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 7436383cc8e..e1d7c76a069 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -241,12 +241,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index e98fd731131..b985e8d0f02 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml 
@@ -77,12 +77,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index edcfa7b5322..445bf70d28c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -78,12 +78,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 88983936f25..8af199519a4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -263,12 +263,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 07ceadcfb6d..902de504983 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml 
@@ -263,12 +263,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 4000dacbda3..992d976f40e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -261,12 +261,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 44777d51a52..3bd69459a53 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index bee1b53938a..fa7078ae684 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml 
@@ -216,12 +216,12 @@ spec: name: EnvoyHTTPSPort protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index e84fd418ead..21ddbb9e6fc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -265,12 +265,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 460de06f269..f3fca2808d7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -256,12 +256,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 5fe7b493015..8d70d4d85cd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 9ab5e2cc0dd..9f70f8bb642 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -246,12 +246,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 51f0ccc3a8a..1395e60cba7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -265,12 +265,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index cfc2685d49d..1bb027eacc5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -250,12 +250,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index c01d19873f1..44e6370811c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -78,12 +78,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index ef9f75cc636..397b43b9753 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 81d0cbac111..a1aa0917bfd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -247,12 +247,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 83f2881be23..57258870015 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index f1dc2a9bc6f..2dd83e8e3d6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index cc8f66c7e33..72d297ca12a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 4083f99d3fe..20fcb8589a2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -245,12 +245,12 @@ spec: name: metrics protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /ready port: 19001 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index 162396f62db..b2fd1c3f6c3 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go @@ -184,9 +184,9 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen }, }, TimeoutSeconds: 1, - PeriodSeconds: 10, + PeriodSeconds: 5, SuccessThreshold: 1, - FailureThreshold: 3, + FailureThreshold: 1, }, }, } diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index c750b09a0b9..ebde9a4c436 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml 
@@ -87,12 +87,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index c750b09a0b9..ebde9a4c436 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -87,12 +87,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index 277d5e649d9..b010414bd90 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -88,12 +88,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 0cbbd6dbbb8..449ed2c1d70 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml 
@@ -84,12 +84,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 1d53f34a9bc..cbb129feb51 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -103,12 +103,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 56bd0a7dfe3..867c5df1b1e 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml @@ -103,12 +103,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 4468e0df0e4..e0bf55b5d8a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml @@ -91,12 +91,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 826deab69ba..03ff65426d8 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -87,12 +87,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index 790de9e159a..b7dea3664e2 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -88,12 +88,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index e3e723c1d40..9af52d675b7 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -95,12 +95,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 5cbedb98853..7c965aa04b0 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -95,12 +95,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index fcee6df457d..4f69dea329c 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml @@ -95,12 +95,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index 1365ac63f8f..5d525b44d1f 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -88,12 +88,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index 1558a925c33..e9a5fdd66a7 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -88,12 +88,12 @@ spec: name: grpc protocol: TCP readinessProbe: - failureThreshold: 3 + failureThreshold: 1 httpGet: path: /healthcheck port: 8080 scheme: HTTP - periodSeconds: 10 + periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 resources: From fd25ad663278d968bbbdf4660674e2bf85091796 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 10 Aug 2024 08:25:14 +0800 Subject: [PATCH 031/523] feat: Support the Backend resource for Ext-Auth (#4016) * extAuth support Backend API Signed-off-by: zirain * add xds translator test case Signed-off-by: zirain * lint Signed-off-by: zirain * add e2e test Signed-off-by: zirain * yamllint Signed-off-by: zirain --------- 
Signed-off-by: zirain --- api/v1alpha1/ext_auth_types.go | 18 +- ...ateway.envoyproxy.io_securitypolicies.yaml | 54 ++- internal/gatewayapi/securitypolicy.go | 30 +- ...ecuritypolicy-with-extauth-backend.in.yaml | 107 ++++++ ...curitypolicy-with-extauth-backend.out.yaml | 314 ++++++++++++++++++ .../testdata/in/xds-ir/ext-auth-backend.yaml | 123 +++++++ .../out/xds-ir/ext-auth-backend.clusters.yaml | 112 +++++++ .../xds-ir/ext-auth-backend.endpoints.yaml | 36 ++ .../xds-ir/ext-auth-backend.listeners.yaml | 70 ++++ .../out/xds-ir/ext-auth-backend.routes.yaml | 44 +++ test/cel-validation/securitypolicy_test.go | 130 ++++++-- .../ext-auth-http-backend-securitypolicy.yaml | 56 ++++ test/e2e/testdata/ext-auth-http-backend.yaml | 103 ++++++ test/e2e/tests/ext_auth_http_backend.go | 155 +++++++++ 14 files changed, 1284 insertions(+), 68 deletions(-) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.routes.yaml create mode 100644 test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml create mode 100644 test/e2e/testdata/ext-auth-http-backend.yaml create mode 100644 test/e2e/tests/ext_auth_http_backend.go diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index e258ad82e44..2ecb8674aad 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -9,10 +9,6 @@ package v1alpha1 // // +kubebuilder:validation:XValidation:rule="(has(self.grpc) || has(self.http))",message="one of grpc or http must be specified" // +kubebuilder:validation:XValidation:rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))",message="only one of grpc or http can be specified" -// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.group) || self.grpc.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported" -// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.kind) || self.grpc.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported" -// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.group) || self.http.backendRef.group == \"\") : true", message="group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported" -// +kubebuilder:validation:XValidation:rule="has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.kind) || self.http.backendRef.kind == 'Service') : true", message="kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported" type ExtAuth struct { // GRPC defines the gRPC External Authorization service. // Either GRPCService or HTTPService must be specified, 
@@ -52,9 +48,10 @@ type ExtAuth struct { // The authorization request message is defined in // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" -// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.group == \"\") : true" -// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" -// +kubebuilder:validation:XValidation:message="only one backendRef can be specified.",rule="has(self.backendRefs) ? self.backendRefs.size() == 1 : true" +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type GRPCExtAuthService struct { // Only Service kind is supported for now. BackendCluster `json:",inline"` 
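Review bot: The new kind rule and group rule on GRPCExtAuthService are evaluated independently, so a backendRefs entry with `kind: Backend` in the core group, or `kind: Service` in group `gateway.envoyproxy.io`, passes admission; whether the translator rejects such a pair later is not visible here. Because this reference selects the external authorization service, the pairing is better enforced in one rule, e.g. `self.backendRefs.all(f, (f.group == "" && f.kind == 'Service') || (f.group == 'gateway.envoyproxy.io' && f.kind == 'Backend'))`. The retained rule `has(self.backendRef) || self.backendRefs.size() > 0` is now subsumed by the two rules added after it and only produces a second, contradictory message when `backendRef` is set. The context comment `// Only Service kind is supported for now.` on the embedded BackendCluster is stale and should read `// Service and Backend kinds are supported.` The same three points apply to the HTTPExtAuthService hunk that follows.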
@@ -63,9 +60,10 @@ type GRPCExtAuthService struct { // HTTPExtAuthService defines the HTTP External Authorization service // // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" -// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core group.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.group == \"\") : true" -// +kubebuilder:validation:XValidation:message="only support Service kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service') : true" -// +kubebuilder:validation:XValidation:message="only one backendRef can be specified.",rule="has(self.backendRefs) ? self.backendRefs.size() == 1 : true" +// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" +// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" +// +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type HTTPExtAuthService struct { // Only Service kind is supported for now. BackendCluster `json:",inline"` diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 30c1b406d91..da8c50015d2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -1009,15 +1009,17 @@ spec: x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 - - message: BackendRefs only supports Core group. - rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.group - == "") : true' - - message: only support Service kind. + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: Exactly one backendRef can be specified in backendRefs. + rule: has(self.backendRefs) && self.backendRefs.size()==1 + - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind - == ''Service'') : true' - - message: only one backendRef can be specified. - rule: 'has(self.backendRefs) ? self.backendRefs.size() == 1 - : true' + == ''Service'' || f.kind == ''Backend'') : true' + - message: BackendRefs only supports Core and gateway.envoyproxy.io + group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group + == "" || f.group == ''gateway.envoyproxy.io'')) : true' headersToExtAuth: description: |- HeadersToExtAuth defines the client request headers that will be included 
@@ -1808,15 +1810,17 @@ spec: x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 - - message: BackendRefs only supports Core group. - rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.group - == "") : true' - - message: only support Service kind. + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: Exactly one backendRef can be specified in backendRefs. + rule: has(self.backendRefs) && self.backendRefs.size()==1 + - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind - == ''Service'') : true' - - message: only one backendRef can be specified. - rule: 'has(self.backendRefs) ? self.backendRefs.size() == 1 - : true' + == ''Service'' || f.kind == ''Backend'') : true' + - message: BackendRefs only supports Core and gateway.envoyproxy.io + group. + rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group + == "" || f.group == ''gateway.envoyproxy.io'')) : true' type: object x-kubernetes-validations: - message: one of grpc or http must be specified 
@@ -1824,24 +1828,6 @@ spec: - message: only one of grpc or http can be specified rule: (has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http)) - - message: group is invalid, only the core API group (specified by - omitting the group field or setting it to an empty string) is - supported - rule: 'has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.group) - || self.grpc.backendRef.group == "") : true' - - message: kind is invalid, only Service (specified by omitting the - kind field or setting it to 'Service') is supported - rule: 'has(self.grpc) ? (!has(self.grpc.backendRef) || !has(self.grpc.backendRef.kind) - || self.grpc.backendRef.kind == ''Service'') : true' - - message: group is invalid, only the core API group (specified by - omitting the group field or setting it to an empty string) is - supported - rule: 'has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.group) - || self.http.backendRef.group == "") : true' - - message: kind is invalid, only Service (specified by omitting the - kind field or setting it to 'Service') is supported - rule: 'has(self.http) ? (!has(self.http.backendRef) || !has(self.http.backendRef.kind) - || self.http.backendRef.kind == ''Service'') : true' jwt: description: JWT defines the configuration for JSON Web Token (JWT) authentication. diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 124d2d6c1d4..125505aa5ad 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -848,11 +848,8 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso if err = t.validateExtServiceBackendReference(backendRef, policy.Namespace, policy.Kind, resources); err != nil { return nil, err } - authority = fmt.Sprintf("%s.%s:%d", - backendRef.Name, - NamespaceDerefOr(backendRef.Namespace, policy.Namespace), - *backendRef.Port) + authority = backendRefAuthority(resources, backendRef, policy) pnn := utils.NamespacedName(policy) if ds, err = t.processExtServiceDestination( backendRef, @@ -892,6 +889,31 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso return extAuth, nil } +func backendRefAuthority(resources *Resources, backendRef *gwapiv1.BackendObjectReference, policy *egv1a1.SecurityPolicy) string { + if backendRef == nil { + return "" + } + + backendNamespace := NamespaceDerefOr(backendRef.Namespace, policy.Namespace) + backendKind := KindDerefOr(backendRef.Kind, KindService) + if backendKind == egv1a1.KindBackend { + backend := resources.GetBackend(backendNamespace, string(backendRef.Name)) + if backend != nil { + // TODO: exists multi FQDN endpoints? + for _, ep := range backend.Spec.Endpoints { + if ep.FQDN != nil { + return fmt.Sprintf("%s:%d", ep.FQDN.Hostname, ep.FQDN.Port) + } + } + } + } + + return fmt.Sprintf("%s.%s:%d", + backendRef.Name, + backendNamespace, + *backendRef.Port) +} + func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, backendRef *gwapiv1.BackendObjectReference) string { nn := types.NamespacedName{ Name: string(backendRef.Name), diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml new file mode 100644 index 00000000000..e1f50e75b2d --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml 
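Review bot: backendRefAuthority dereferences `*backendRef.Port` in its fallback return without a nil check, and that fallback is now reached for a `Backend` reference whenever the Backend is not found or has no FQDN endpoint. Whether validateExtServiceBackendReference guarantees a port for Backend references is outside the hunk, so the helper should guard the pointer itself rather than risk a panic in the translator. In that same fallback a Backend with only non-FQDN endpoints gets a Service-style `name.namespace:port` authority, which presumably does not name a real host and deserves a comment or an explicit decision. The function also has no doc comment stating which endpoint wins when several FQDN endpoints exist (the first one, per the loop). The port-less fallback below is one possible choice, not the only one.

```go
// backendRefAuthority returns the authority sent to the external authorization
// service: the first FQDN endpoint of a referenced Backend when one exists,
// otherwise the <name>.<namespace>:<port> form built from the reference.
func backendRefAuthority(resources *Resources, backendRef *gwapiv1.BackendObjectReference, policy *egv1a1.SecurityPolicy) string {
	// … unchanged: nil backendRef check, namespace/kind resolution, Backend FQDN lookup …

	// Port is a pointer and may be unset; never dereference it unchecked.
	if backendRef.Port == nil {
		return fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace)
	}

	return fmt.Sprintf("%s.%s:%d", backendRef.Name, backendNamespace, *backendRef.Port)
}
```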
@@ -0,0 +1,107 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo1 + backendRefs: + - name: service-1 + port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-3 + port: 8080 +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: 'primary.foo.com' + port: 3000 +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: default + to: + - group: "" + kind: Service +securityPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extAuth: + failOpen: true + headersToExtAuth: + - header1 + - header2 + grpc: + backendRefs: + - name: backend-fqdn + kind: Backend + group: gateway.envoyproxy.io + port: 3000 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml new file mode 100644 index 00000000000..a89bf53a8cf --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml 
@@ -0,0 +1,314 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: primary.foo.com + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + 
reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-1 + namespace: default + spec: + extAuth: + failOpen: true + grpc: + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 3000 + headersToExtAuth: + - header1 + - header2 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been 
accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo1 + security: + extAuth: + failOpen: true + grpc: + authority: primary.foo.com:3000 + destination: + name: securitypolicy/default/policy-for-http-route-1/default/backend-fqdn + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 + security: + extAuth: + failOpen: true + grpc: + authority: primary.foo.com:3000 + destination: + name: securitypolicy/default/policy-for-http-route-1/default/backend-fqdn + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - 
header2 + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml new file mode 100644 index 00000000000..4f93e2e7734 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-backend.yaml 
@@ -0,0 +1,123 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-2/rule/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-gateway-1 + failOpen: true + http: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 80 + protocol: HTTP + weight: 1 + headersToBackend: + - header1 + - header2 + path: /auth diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml new file mode 100644 index 00000000000..880f77a06f0 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml 
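Review bot: The extAuth destination on the second route (rule/1, prefix `/foo2`) declares `addressType: IP` with `host: primary.foo.com` and `port: 3000`, while the first route declares `addressType: FQDN` and `port: 9000` under the same destination name `securitypolicy/default/policy-for-http-route-1/default/grpc-backend`. The expected clusters file in this commit has a single cluster of that name pointing at port 9000, so the second definition appears to be dropped silently and the fixture does not exercise what it seems to. A hostname under `addressType: IP` is also not a valid combination. Give both routes identical settings (`addressType: FQDN`, `port: 9000`), or use a separate destination name if the divergence is meant to be tested.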
@@ -0,0 +1,112 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/1 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: 
true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 80 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.endpoints.yaml new file mode 100644 index 00000000000..bf9f0023789 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.endpoints.yaml 
@@ -0,0 +1,36 @@
+- clusterName: httproute/default/httproute-1/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/default/httproute-1/rule/0/backend/0
+- clusterName: httproute/default/httproute-1/rule/1
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/default/httproute-1/rule/1/backend/0
+- clusterName: httproute/default/httproute-2/rule/0
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 7.7.7.7
+ portValue: 8080
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: httproute/default/httproute-2/rule/0/backend/0
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml
new file mode 100644
index 00000000000..c60348a3b91
--- /dev/null
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml
@@ -0,0 +1,70 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + allowedHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + grpcService: + envoyGrpc: + authority: primary.foo.com + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + timeout: 10s + transportApiVersion: V3 + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + failureModeAllow: true + httpService: + authorizationResponse: + allowedUpstreamHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + pathPrefix: /auth + serverUri: + cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + timeout: 10s + uri: http://primary.foo.com/auth + transportApiVersion: V3 + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + 
useRemoteAddress: true + name: default/gateway-1/http + drainType: MODIFY_ONLY + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.routes.yaml new file mode 100644 index 00000000000..08edfc3c406 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.routes.yaml @@ -0,0 +1,44 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/1 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} 
diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index 12760562029..2ca001cd0c2 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -427,9 +427,13 @@ func TestSecurityPolicyTarget(t *testing.T) { ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "grpc-auth-service", - Port: ptr.To(gwapiv1.PortNumber(80)), + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, + }, }, }, }, @@ -506,9 +510,13 @@ func TestSecurityPolicyTarget(t *testing.T) { ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, + }, }, }, }, @@ -622,10 +630,14 @@ func TestSecurityPolicyTarget(t *testing.T) { ExtAuth: &egv1a1.ExtAuth{ HTTP: &egv1a1.HTTPExtAuthService{ BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Group: ptr.To(gwapiv1.Group("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Group: ptr.To(gwapiv1.Group("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, + }, }, }, }, 
@@ -642,7 +654,7 @@ func TestSecurityPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.extAuth: Invalid value: \"object\": group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported", + " BackendRefs only supports Core and gateway.envoyproxy.io group.", }, }, { @@ -672,7 +684,8 @@ func TestSecurityPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.extAuth: Invalid value: \"object\": kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported", + "BackendRefs must be used, backendRef is not supported.", + "Exactly one backendRef can be specified in backendRefs.", }, }, { @@ -705,7 +718,7 @@ func TestSecurityPolicyTarget(t *testing.T) { }, } }, - wantErrors: []string{" only support Service kind"}, + wantErrors: []string{"BackendRefs only supports Service and Backend kind."}, }, { desc: "grpc extAuth service invalid Group", @@ -714,10 +727,14 @@ func TestSecurityPolicyTarget(t *testing.T) { ExtAuth: &egv1a1.ExtAuth{ GRPC: &egv1a1.GRPCExtAuthService{ BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Group: ptr.To(gwapiv1.Group("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Group: ptr.To(gwapiv1.Group("unsupported")), + Name: "http-auth-service", + Port: ptr.To(gwapiv1.PortNumber(15001)), + }, + }, }, }, }, @@ -734,7 +751,7 @@ func TestSecurityPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.extAuth: Invalid value: \"object\": group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string) is supported", + "BackendRefs only supports Core and gateway.envoyproxy.io group.", }, }, { 
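Review bot: The expected message in the HTTP invalid-group case (hunk at +654) has a stray leading space, `" BackendRefs only supports Core and gateway.envoyproxy.io group."`, while the gRPC twin later on this line (hunk at +751) has none; use the same string in both. The assertions being replaced pinned the field path (`spec.extAuth: Invalid value: ...`), and the new ones drop it everywhere except the last gRPC kind case (hunk at +815), which keeps `spec.extAuth.grpc: Invalid value: \"object\": ...`. Keeping that prefix in every case would confirm the rule fires on the `http` or `grpc` block it is meant for, not just that the text appears somewhere. The enclosing test case starts outside the hunk.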
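Review bot: The case in the hunk at +684 now expects `BackendRefs must be used, backendRef is not supported.` and `Exactly one backendRef can be specified in backendRefs.`, which suggests its body (outside the hunk) still sets the deprecated `BackendRef` field with an unsupported kind. If so, it no longer tests kind validation, and its `desc` should be renamed to say that `backendRef` is rejected, or the body should be migrated to `BackendRefs` like its neighbours. The gRPC case in the hunk at +781 has the same shape. As written, the "exactly one" rule is only asserted as a side effect of an empty `BackendRefs`.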
@@ -764,7 +781,8 @@ func TestSecurityPolicyTarget(t *testing.T) { } }, wantErrors: []string{ - "spec.extAuth: Invalid value: \"object\": kind is invalid, only Service (specified by omitting the kind field or setting it to 'Service') is supported", + "BackendRefs must be used, backendRef is not supported.", + "Exactly one backendRef can be specified in backendRefs.", }, }, { @@ -797,7 +815,9 @@ func TestSecurityPolicyTarget(t *testing.T) { }, } }, - wantErrors: []string{" only support Service kind"}, + wantErrors: []string{ + "spec.extAuth.grpc: Invalid value: \"object\": BackendRefs only supports Service and Backend kind.", + }, }, // JWT 
@@ -942,6 +962,76 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{}, }, + { + desc: "ext-auth-grpc-backend", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + ExtAuth: &egv1a1.ExtAuth{ + GRPC: &egv1a1.GRPCExtAuthService{ + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-auth-backend", + Kind: ptr.To(gwapiv1a2.Kind("Backend")), + Port: ptr.To(gwapiv1.PortNumber(8080)), + Group: ptr.To(gwapiv1a2.Group("gateway.envoyproxy.io")), + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "ext-auth-http-backend", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + ExtAuth: &egv1a1.ExtAuth{ + HTTP: &egv1a1.HTTPExtAuthService{ + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "http-auth-backend", + Kind: ptr.To(gwapiv1a2.Kind("Backend")), + Port: ptr.To(gwapiv1.PortNumber(80)), + Group: ptr.To(gwapiv1a2.Group("gateway.envoyproxy.io")), + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{}, + }, } for _, tc := range cases { 
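Review bot: The two added cases cover only the accepted combination (`Kind: Backend` with `Group: gateway.envoyproxy.io`); nothing visible in this diff pins the combinations that should be rejected. Judging by the messages asserted earlier in the diff, group and kind appear to be validated by separate rules, so a mixed reference (kind `Backend` with the core group, or kind `Service` with group `gateway.envoyproxy.io`) may pass admission. A negative case for each would show whether it does. A case with two entries in `BackendRefs` would also exercise `Exactly one backendRef can be specified in backendRefs.` on its own. The cases table starts outside the hunk, so such cases may already exist elsewhere in the file.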
diff --git a/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml b/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml
new file mode 100644
index 00000000000..ebee7ce0c1e
--- /dev/null
+++ b/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-ext-auth-backend
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ hostnames: ["www.example.com"]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /myapp # This is the path that will be protected by ext auth
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-without-ext-auth-backend
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ hostnames: ["www.example.com"]
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /public # This is the path that will be public
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: ext-auth-backend
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-ext-auth-backend
+ extAuth:
+ http:
+ backendRefs:
+ - name: backend-fqdn # should add namespace here because envoy will locate in envoy-gateway-system namespace
+ kind: Backend
+ group: gateway.envoyproxy.io
+ namespace: gateway-conformance-infra
+ port: 9002
+ headersToBackend: ["x-current-user"]
diff --git a/test/e2e/testdata/ext-auth-http-backend.yaml b/test/e2e/testdata/ext-auth-http-backend.yaml
new file mode 100644
index 00000000000..fe5185a7e11
--- /dev/null
+++ b/test/e2e/testdata/ext-auth-http-backend.yaml
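Review bot: The comment on the `backendRefs` entry of the SecurityPolicy, `# should add namespace here because envoy will locate in envoy-gateway-system namespace`, looks copied from the Backend's FQDN hostname and does not describe this field. Here `namespace` says where the referenced Backend object lives, and it equals the policy's own namespace, so the stated reason is misleading for anyone adapting the manifest. A comment such as `# Backend object in the same namespace as this SecurityPolicy` would be accurate. The explanation about Envoy running in `envoy-gateway-system` belongs only on the `hostname` of the Backend resource.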
@@ -0,0 +1,103 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: http-ext-auth-backend + namespace: gateway-conformance-infra +data: + http-ext-auth.js: | + const Http = require("http"); + const path = require("path"); + + const tokens = { + "token1": "user1", + "token2": "user2", + "token3": "user3" + }; + + const server = new Http.Server((req, res) => { + const authorization = req.headers["authorization"] || ""; + const extracted = authorization.split(" "); + if (extracted.length === 2 && extracted[0] === "Bearer") { + const user = checkToken(extracted[1]); + console.log(`token: "${extracted[1]}" user: "${user}`); + if (user !== undefined) { + // The authorization server returns a response with "x-current-user" header for a successful + // request. + res.writeHead(200, { "x-current-user": user }); + return res.end(); + } + } + res.writeHead(403); + res.end(); + }); + + const port = process.env.PORT || 9002; + server.listen(port); + console.log(`starting HTTP server on: ${port}`); + + function checkToken(token) { + return tokens[token]; + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: http-ext-auth-backend + namespace: gateway-conformance-infra +spec: + replicas: 1 + selector: + matchLabels: + app: http-ext-auth-backend + template: + metadata: + labels: + app: http-ext-auth-backend + spec: + containers: + - name: http-ext-auth-backend + command: + - node + - /usr/src/app/http-ext-auth.js + image: node:19-bullseye + ports: + - containerPort: 9002 + volumeMounts: + - name: http-ext-auth-backend + mountPath: /usr/src/app + readinessProbe: + httpGet: + httpHeaders: + - name: authorization + value: "Bearer token1" + port: 9002 + volumes: + - name: http-ext-auth-backend + configMap: + name: http-ext-auth-backend +--- +apiVersion: v1 +kind: Service +metadata: + name: http-ext-auth-backend + namespace: gateway-conformance-infra +spec: + selector: + app: http-ext-auth-backend + ports: + - protocol: TCP + port: 9002 + targetPort: 9002 +--- 
+apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-fqdn + namespace: gateway-conformance-infra +spec: + endpoints: + - fqdn: + # should add namespace here because envoy will locate in envoy-gateway-system namespace + hostname: http-ext-auth-backend.gateway-conformance-infra + port: 9002 diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go new file mode 100644 index 00000000000..7032bdc2ae0 --- /dev/null +++ b/test/e2e/tests/ext_auth_http_backend.go 
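Review bot: The embedded auth server in the ConfigMap writes every bearer token it receives to the pod log, in the `console.log` call that interpolates `extracted[1]`. Even in a test fixture this is the line people copy into real authorizers. Log only the resolved user, e.g. `console.log("user:", user);`, which also removes the unbalanced quote after `${user}` in the current template string. `const path = require("path");` is unused and can be dropped. The Deployment pulls `node:19-bullseye`, a mutable tag on a release line that is past end of life; a current LTS image pinned by digest would keep the e2e run reproducible.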
@@ -0,0 +1,155 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" +) + +func init() { + ConformanceTests = append(ConformanceTests, HTTPBackendExtAuthTest) +} + +// HTTPBackendExtAuthTest tests ExtAuth authentication for a http route with ExtAuth configured. +// Almost like HTTPExtAuthTest, but the security policy reference to the backend service. +var HTTPBackendExtAuthTest = suite.ConformanceTest{ + ShortName: "HTTPBackendExtAuth", + Description: "Test ExtAuth authentication with backend", + Manifests: []string{"testdata/ext-auth-http-backend.yaml", "testdata/ext-auth-http-backend-securitypolicy.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-ext-auth-backend", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "ext-auth-backend", Namespace: ns}, suite.ControllerName, ancestorRef) + + 
podReady := corev1.PodCondition{Type: corev1.PodReady, Status: corev1.ConditionTrue} + + // Wait for the http ext auth service pod to be ready + WaitForPods(t, suite.Client, ns, map[string]string{"app": "http-ext-auth-backend"}, corev1.PodRunning, podReady) + + t.Run("http route with ext auth backend ref", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "Authorization": "Bearer token2", + }, + }, + // Verify that the http headers returned by the ext auth service + // are added to the original request before sending it to the backend + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "x-current-user": "user2", + }, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + + t.Run("without Authorization header", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + }, + Response: http.Response{ + StatusCode: 403, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") + cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + t.Errorf("failed to get expected response: %v", err) + } + + if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil { + t.Errorf("failed to compare request and response: %v", err) + } + }) + + t.Run("invalid credential", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "Authorization": "Bearer invalid-token", + }, + }, + Response: http.Response{ + StatusCode: 403, + }, + Namespace: ns, + 
} + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") + cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + t.Errorf("failed to get expected response: %v", err) + } + + if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil { + t.Errorf("failed to compare request and response: %v", err) + } + }) + + t.Run("http route without ext auth authentication", func(t *testing.T) { + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/public", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") + cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + t.Errorf("failed to get expected response: %v", err) + } + + if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil { + t.Errorf("failed to compare request and response: %v", err) + } + }) + }, +} From bd26a419dfc059ee10f5c22b31c8ed8523f94a70 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Sat, 10 Aug 2024 09:55:40 +0900 Subject: [PATCH 032/523] feat: support session persistence in HTTPRouteRule (#3841) * feat: support session persistence in HTTPRouteRule Signed-off-by: sanposhiho <44139130+sanposhiho@users.noreply.github.com> * fix: add yaml tags Signed-off-by: Kensei Nakada * fix: implement a file based test for session persistence Signed-off-by: Kensei Nakada * chore: add a new line Signed-off-by: Kensei Nakada * feat: error out an unsupported field Signed-off-by: Kensei Nakada * chore: move SessionName field within ir Signed-off-by: Kensei Nakada * fix: move stateful session filter to per-route Signed-off-by: Kensei Nakada * fix: remove incorrect sessionPersistence declare Signed-off-by: Kensei Nakada * fix: configure stateful_session config correctly Signed-off-by: Kensei Nakada * test: add an e2e test for session persistence 
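Review bot: In the three single-shot subtests ("without Authorization header", "invalid credential", "http route without ext auth authentication") a failed `CaptureRoundTrip` is reported with `t.Errorf`, after which `http.CompareRequest` is still called with `cReq` and `cResp`, which are presumably nil on that path. Use `t.Fatalf("failed to get expected response: %v", err)` so the subtest stops instead of risking a nil dereference that hides the real failure. The subtests cover only denial by a reachable auth service; none covers an auth backend that is down, so the policy's failure mode (fail closed or fail open) is not exercised here. The doc comment would read more clearly as `// Like HTTPExtAuthTest, but the SecurityPolicy references a Backend resource instead of a Service.`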
Signed-off-by: Kensei Nakada * chore: move the filter name to api level Signed-off-by: Kensei Nakada * address lint issue Signed-off-by: Kensei Nakada * fix: skip adding filter if already existing Signed-off-by: Kensei Nakada * fix: generate the session name when it's empty Signed-off-by: Kensei Nakada * chore: ignore TTL when it's session cookie Signed-off-by: Kensei Nakada * chore: update the test case per the upstream update Signed-off-by: Kensei Nakada * fix: update the test case Signed-off-by: Kensei Nakada * fix: unique session name per route Signed-off-by: Kensei Nakada * chore: update wordings in test cases Signed-off-by: Kensei Nakada --------- Signed-off-by: sanposhiho <44139130+sanposhiho@users.noreply.github.com> 
Signed-off-by: Kensei Nakada Co-authored-by: Arko Dasgupta --- api/v1alpha1/envoyproxy_types.go | 7 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 6 + .../cmd/extension-server/main.go | 4 +- .../internal/extensionserver/server.go | 4 +- internal/gatewayapi/route.go | 51 ++++- internal/ir/xds.go | 29 +++ internal/ir/zz_generated.deepcopy.go | 65 ++++++ internal/xds/translator/httpfilters.go | 4 +- .../xds/translator/session_persistence.go | 169 ++++++++++++++++ .../http-route-session-persistence.yaml | 66 ++++++ ...tp-route-session-persistence.clusters.yaml | 17 ++ ...p-route-session-persistence.endpoints.yaml | 12 ++ ...p-route-session-persistence.listeners.yaml | 80 ++++++++ ...http-route-session-persistence.routes.yaml | 53 +++++ site/content/en/latest/api/extension_types.md | 3 +- site/content/zh/latest/api/extension_types.md | 3 +- .../cookie-based-session-persistence.yaml | 29 +++ .../header-based-session-persistence.yaml | 30 +++ test/e2e/tests/session_persistence.go | 189 ++++++++++++++++++ 19 files changed, 812 insertions(+), 9 deletions(-) create mode 100644 internal/xds/translator/session_persistence.go create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.routes.yaml create mode 100644 test/e2e/testdata/cookie-based-session-persistence.yaml create mode 100644 test/e2e/testdata/header-based-session-persistence.yaml create mode 100644 test/e2e/tests/session_persistence.go diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index 910c6d1503a..e2ada31c3fc 100644 
--- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go @@ -112,6 +112,8 @@ type EnvoyProxySpec struct { // // - envoy.filters.http.jwt_authn // + // - envoy.filters.http.stateful_session + // // - envoy.filters.http.ext_proc // // - envoy.filters.http.wasm @@ -172,7 +174,7 @@ type FilterPosition struct { } // EnvoyFilter defines the type of Envoy HTTP filter. -// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit +// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit type EnvoyFilter string const ( @@ -197,6 +199,9 @@ const ( // EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter. EnvoyFilterJWTAuthn EnvoyFilter = "envoy.filters.http.jwt_authn" + // EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter. + EnvoyFilterSessionPersistence EnvoyFilter = "envoy.filters.http.stateful_session" + // EnvoyFilterExtProc defines the Envoy HTTP external process filter. EnvoyFilterExtProc EnvoyFilter = "envoy.filters.http.ext_proc" diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 0743318409c..874dc98d4a7 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -251,6 +251,9 @@ spec: - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session + + - envoy.filters.http.ext_proc @@ -286,6 +289,7 @@ spec: - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac @@ -304,6 +308,7 @@ spec: - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac @@ -320,6 +325,7 @@ spec: - envoy.filters.http.basic_auth - envoy.filters.http.oauth2 - envoy.filters.http.jwt_authn + - envoy.filters.http.stateful_session - envoy.filters.http.ext_proc - envoy.filters.http.wasm - envoy.filters.http.rbac diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go index 33e08ddc914..9df1f4a885c 100644 --- a/examples/extension-server/cmd/extension-server/main.go +++ b/examples/extension-server/cmd/extension-server/main.go @@ -13,11 +13,11 @@ import ( "os/signal" "syscall" - pb "github.com/envoyproxy/gateway/proto/extension" + "github.com/exampleorg/envoygateway-extension/internal/extensionserver" "github.com/urfave/cli/v2" "google.golang.org/grpc" - "github.com/exampleorg/envoygateway-extension/internal/extensionserver" + pb "github.com/envoyproxy/gateway/proto/extension" ) func main() { diff --git a/examples/extension-server/internal/extensionserver/server.go b/examples/extension-server/internal/extensionserver/server.go index a2776a9f966..2c060869b88 100644 --- a/examples/extension-server/internal/extensionserver/server.go +++ b/examples/extension-server/internal/extensionserver/server.go 
@@ -11,15 +11,15 @@ import ( "fmt" "log/slog" - pb "github.com/envoyproxy/gateway/proto/extension" corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" bav3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/basic_auth/v3" hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" + "github.com/exampleorg/envoygateway-extension/api/v1alpha1" "google.golang.org/protobuf/types/known/anypb" - "github.com/exampleorg/envoygateway-extension/api/v1alpha1" + pb "github.com/envoyproxy/gateway/proto/extension" ) type Server struct { diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 336e931cfce..8a3c0272276 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -314,12 +314,60 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i ruleRoutes = append(ruleRoutes, irRoute) } + var sessionPersistence *ir.SessionPersistence + if rule.SessionPersistence != nil { + if rule.SessionPersistence.IdleTimeout != nil { + return nil, fmt.Errorf("idle timeout is not supported in envoy gateway") + } + + var sessionName string + if rule.SessionPersistence.SessionName == nil { + // SessionName is optional on the gateway-api, but envoy requires it + // so we generate the one here. + + // We generate a unique session name per route. + // `/` isn't allowed in the header key, so we just replace it with `-`. + sessionName = strings.ReplaceAll(irRouteDestinationName(httpRoute, ruleIdx), "/", "-") + } else { + sessionName = *rule.SessionPersistence.SessionName + } + + switch { + case rule.SessionPersistence.Type == nil || // Cookie-based session persistence is default. + *rule.SessionPersistence.Type == gwapiv1.CookieBasedSessionPersistence: + sessionPersistence = &ir.SessionPersistence{ + Cookie: &ir.CookieBasedSessionPersistence{ + Name: sessionName, + }, + } + if rule.SessionPersistence.AbsoluteTimeout != nil && + rule.SessionPersistence.CookieConfig != nil && rule.SessionPersistence.CookieConfig.LifetimeType != nil && + *rule.SessionPersistence.CookieConfig.LifetimeType == gwapiv1.PermanentCookieLifetimeType { + ttl, err := time.ParseDuration(string(*rule.SessionPersistence.AbsoluteTimeout)) + if err != nil { + return nil, err + } + sessionPersistence.Cookie.TTL = &metav1.Duration{Duration: ttl} + } + case *rule.SessionPersistence.Type == gwapiv1.HeaderBasedSessionPersistence: + sessionPersistence = &ir.SessionPersistence{ + Header: &ir.HeaderBasedSessionPersistence{ + Name: sessionName, + }, + } + default: + // Unknown session persistence type is specified. 
+ return nil, fmt.Errorf("unknown session persistence type %s", *rule.SessionPersistence.Type) + } + } + // A rule is matched if any one of its matches // is satisfied (i.e. a logical "OR"), so generate // a unique Xds IR HTTPRoute per match. for matchIdx, match := range rule.Matches { irRoute := &ir.HTTPRoute{ - Name: irRouteName(httpRoute, ruleIdx, matchIdx), + Name: irRouteName(httpRoute, ruleIdx, matchIdx), + SessionPersistence: sessionPersistence, } processTimeout(irRoute, rule) @@ -699,6 +747,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route Mirrors: routeRoute.Mirrors, ExtensionRefs: routeRoute.ExtensionRefs, IsHTTP2: routeRoute.IsHTTP2, + SessionPersistence: routeRoute.SessionPersistence, } if routeRoute.Traffic != nil { hostRoute.Traffic = &ir.TrafficFeatures{ diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 6ba04e5e20e..f2807da484a 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -565,6 +565,8 @@ type HTTPRoute struct { UseClientProtocol *bool `json:"useClientProtocol,omitempty" yaml:"useClientProtocol,omitempty"` // Metadata is used to enrich envoy route metadata with user and provider-specific information Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` + // SessionPersistence holds the configuration for session persistence. + SessionPersistence *SessionPersistence `json:"sessionPersistence,omitempty" yaml:"sessionPersistence,omitempty"` } // DNS contains configuration options for DNS resolution. 
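Review bot: A user-supplied `SessionName` is copied into the IR unchecked (`sessionName = *rule.SessionPersistence.SessionName`), although the generated branch just above it already has to rewrite `/` because that character is not allowed in a header key. The value becomes a cookie or header name in the listener's filter config, so a name Envoy rejects would presumably surface at xDS time rather than on the offending route; rejecting it here, next to the `IdleTimeout` check, keeps the failure scoped to that route, e.g. `if !httpguts.ValidHeaderFieldName(sessionName) { return nil, fmt.Errorf("invalid session name %q", sessionName) }` (golang.org/x/net/http/httpguts, if the module already depends on it). Also, `sessionPersistence` is only set on routes created in the `rule.Matches` loop; the route appended by the context line `ruleRoutes = append(ruleRoutes, irRoute)` above the added block, whose branch starts outside this hunk, does not seem to receive it.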
@@ -576,6 +578,33 @@ type DNS struct { RespectDNSTTL *bool `json:"respectDnsTtl,omitempty"` } +// SessionPersistence defines the desired state of SessionPersistence. +// +k8s:deepcopy-gen=true +type SessionPersistence struct { + // Cookie defines the configuration for cookie-based session persistence. + // Either Cookie or Header must be non-empty. + Cookie *CookieBasedSessionPersistence `json:"cookie,omitempty" yaml:"cookie,omitempty"` + // Header defines the configuration for header-based session persistence. + // Either Cookie or Header must be non-empty. + Header *HeaderBasedSessionPersistence `json:"header,omitempty" yaml:"header,omitempty"` +} + +// CookieBasedSessionPersistence defines the configuration for cookie-based session persistence. +// +k8s:deepcopy-gen=true +type CookieBasedSessionPersistence struct { + // Name defines the name of the persistent session token. + Name string `json:"name"` + + TTL *metav1.Duration `json:"ttl,omitempty" yaml:"ttl,omitempty"` +} + +// HeaderBasedSessionPersistence defines the configuration for header-based session persistence. +// +k8s:deepcopy-gen=true +type HeaderBasedSessionPersistence struct { + // Name defines the name of the persistent session token. + Name string `json:"name"` +} + // TrafficFeatures holds the information associated with the Backend Traffic Policy. // +k8s:deepcopy-gen=true type TrafficFeatures struct { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index c51c386ee82..5e3398a0678 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
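Review bot: `TTL` in `CookieBasedSessionPersistence` is the only new field without a doc comment, and its nil case is meaningful: the translation in route.go sets it only for a `Permanent` cookie that has an `absoluteTimeout`. I would add `// TTL is the cookie lifetime. Nil means a session cookie; consumers must nil-check before reading Duration.` above the field. The two `Name` fields carry only a `json` tag while the other new fields have a matching `yaml` tag, so `yaml:"name"` would keep them consistent. The comments say "Either Cookie or Header must be non-empty", but nothing in this hunk enforces it; if the IR has a validation step outside this view, that invariant belongs there.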
@@ -536,6 +536,26 @@ func (in *ConsistentHash) DeepCopy() *ConsistentHash { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CookieBasedSessionPersistence) DeepCopyInto(out *CookieBasedSessionPersistence) { + *out = *in + if in.TTL != nil { + in, out := &in.TTL, &out.TTL + *out = new(v1.Duration) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CookieBasedSessionPersistence. +func (in *CookieBasedSessionPersistence) DeepCopy() *CookieBasedSessionPersistence { + if in == nil { + return nil + } + out := new(CookieBasedSessionPersistence) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CoreListenerDetails) DeepCopyInto(out *CoreListenerDetails) { *out = *in @@ -1363,6 +1383,11 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { *out = new(ResourceMetadata) (*in).DeepCopyInto(*out) } + if in.SessionPersistence != nil { + in, out := &in.SessionPersistence, &out.SessionPersistence + *out = new(SessionPersistence) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute. 
@@ -1420,6 +1445,21 @@ func (in *HTTPWasmCode) DeepCopy() *HTTPWasmCode { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderBasedSessionPersistence) DeepCopyInto(out *HeaderBasedSessionPersistence) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderBasedSessionPersistence. +func (in *HeaderBasedSessionPersistence) DeepCopy() *HeaderBasedSessionPersistence { + if in == nil { + return nil + } + out := new(HeaderBasedSessionPersistence) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HeaderSettings) DeepCopyInto(out *HeaderSettings) { *out = *in @@ -2349,6 +2389,31 @@ func (in *SecurityFeatures) DeepCopy() *SecurityFeatures { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SessionPersistence) DeepCopyInto(out *SessionPersistence) { + *out = *in + if in.Cookie != nil { + in, out := &in.Cookie, &out.Cookie + *out = new(CookieBasedSessionPersistence) + (*in).DeepCopyInto(*out) + } + if in.Header != nil { + in, out := &in.Header, &out.Header + *out = new(HeaderBasedSessionPersistence) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionPersistence. +func (in *SessionPersistence) DeepCopy() *SessionPersistence { + if in == nil { + return nil + } + out := new(SessionPersistence) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SlowStart) DeepCopyInto(out *SlowStart) { *out = *in diff --git a/internal/xds/translator/httpfilters.go b/internal/xds/translator/httpfilters.go index ad5789fb6ff..1b994fba669 100644 
--- a/internal/xds/translator/httpfilters.go
+++ b/internal/xds/translator/httpfilters.go
@@ -114,8 +114,10 @@ func newOrderedHTTPFilter(filter *hcmv3.HttpFilter) *OrderedHTTPFilter {
 order = 5
 case isFilterType(filter, egv1a1.EnvoyFilterJWTAuthn):
 order = 6
+ case isFilterType(filter, egv1a1.EnvoyFilterSessionPersistence):
+ order = 7
 case isFilterType(filter, egv1a1.EnvoyFilterExtProc):
- order = 7 + mustGetFilterIndex(filter.Name)
+ order = 8 + mustGetFilterIndex(filter.Name)
 case isFilterType(filter, egv1a1.EnvoyFilterWasm):
 order = 100 + mustGetFilterIndex(filter.Name)
 case isFilterType(filter, egv1a1.EnvoyFilterRBAC):
diff --git a/internal/xds/translator/session_persistence.go b/internal/xds/translator/session_persistence.go
new file mode 100644
index 00000000000..703e553ce47
--- /dev/null
+++ b/internal/xds/translator/session_persistence.go
@@ -0,0 +1,169 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package translator + +import ( + "errors" + "fmt" + "strings" + + corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + statefulsessionv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/stateful_session/v3" + hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" + cookiev3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/stateful_session/cookie/v3" + headerv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/stateful_session/header/v3" + httpv3 "github.com/envoyproxy/go-control-plane/envoy/type/http/v3" + "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/types/known/anypb" + "google.golang.org/protobuf/types/known/durationpb" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/xds/types" +) + +const ( + cookieConfigName = "envoy.http.stateful_session.cookie" + headerConfigName = "envoy.http.stateful_session.header" +) + +type sessionPersistence struct{} + +func init() { + registerHTTPFilter(&sessionPersistence{}) +} + +var _ httpFilter = &sessionPersistence{} + +// patchHCM patches the HttpConnectionManager with the filter. +// Note: this method may be called multiple times for the same filter, please +// make sure to avoid duplicate additions of the same filter. 
+func (s *sessionPersistence) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error { + if mgr == nil { + return errors.New("hcm is nil") + } + + if irListener == nil { + return errors.New("ir listener is nil") + } + + for _, route := range irListener.Routes { + sp := route.SessionPersistence + if sp == nil { + continue + } + + if hcmContainsFilter(mgr, perRouteFilterName(egv1a1.EnvoyFilterSessionPersistence, route.Name)) { + continue + } + + var sessionCfg proto.Message + var configName string + switch { + case sp.Cookie != nil: + configName = cookieConfigName + sessionCfg = &cookiev3.CookieBasedSessionState{ + Cookie: &httpv3.Cookie{ + Name: sp.Cookie.Name, + Path: routePathToCookiePath(route.PathMatch), + Ttl: durationpb.New(sp.Cookie.TTL.Duration), + }, + } + case sp.Header != nil: + configName = headerConfigName + sessionCfg = &headerv3.HeaderBasedSessionState{ + Name: sp.Header.Name, + } + } + + sessionCfgAny, err := anypb.New(sessionCfg) + if err != nil { + return fmt.Errorf("failed to marshal %s config: %w", egv1a1.EnvoyFilterSessionPersistence.String(), err) + } + + cfg := &statefulsessionv3.StatefulSession{ + SessionState: &corev3.TypedExtensionConfig{ + Name: configName, + TypedConfig: sessionCfgAny, + }, + } + + cfgAny, err := anypb.New(cfg) + if err != nil { + return fmt.Errorf("failed to marshal %s config: %w", egv1a1.EnvoyFilterSessionPersistence.String(), err) + } + + mgr.HttpFilters = append(mgr.HttpFilters, &hcmv3.HttpFilter{ + Name: perRouteFilterName(egv1a1.EnvoyFilterSessionPersistence, route.Name), + Disabled: true, + ConfigType: &hcmv3.HttpFilter_TypedConfig{ + TypedConfig: cfgAny, + }, + }) + } + + return nil +} + +func routePathToCookiePath(path *ir.StringMatch) string { + if path == nil { + return "/" + } + switch { + case path.Exact != nil: + return *path.Exact + case path.Prefix != nil: + return *path.Prefix + case path.SafeRegex != nil: + return getLongestNonRegexPrefix(*path.SafeRegex) + } + + // Shouldn't reach 
here because the path should be either of the above three kinds. + return "/" +} + +// getLongestNonRegexPrefix takes a regex path and returns the longest non-regex prefix. +// > 3. For an xRoute using a path that is a regex, the Path should be set to the longest non-regex prefix +// (.e.g. if the path is /p1/p2/*/p3 and the request path was /p1/p2/foo/p3, then the cookie path would be /p1/p2). +// https://gateway-api.sigs.k8s.io/geps/gep-1619/#path +func getLongestNonRegexPrefix(path string) string { + parts := strings.Split(path, "/") + var longestNonRegexPrefix []string + for _, part := range parts { + if part == "*" || strings.Contains(part, "*") { + break + } + longestNonRegexPrefix = append(longestNonRegexPrefix, part) + } + + return strings.Join(longestNonRegexPrefix, "/") +} + +// patchRoute patches the provide Route with a filter's Route level configuration. +func (s *sessionPersistence) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { + if route == nil { + return errors.New("xds route is nil") + } + if irRoute == nil { + return errors.New("ir route is nil") + } + if irRoute.SessionPersistence == nil { + return nil + } + + if err := enableFilterOnRoute(route, perRouteFilterName(egv1a1.EnvoyFilterSessionPersistence, route.Name)); err != nil { + return err + } + + return nil +} + +// patchResources adds all the other needed resources referenced by this +// filter to the resource version table. +func (s *sessionPersistence) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute) error { + return nil +} diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml new file mode 100644 index 00000000000..536c5ad50cb --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml 
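Review bot: In `patchHCM`, `durationpb.New(sp.Cookie.TTL.Duration)` dereferences `sp.Cookie.TTL` without a nil check, but the translation in route.go leaves `TTL` nil unless the cookie is `Permanent` and has an `absoluteTimeout`, so a plain cookie-based `sessionPersistence` on an HTTPRoute would panic the xDS translator. Every cookie route in the added http-route-session-persistence.yaml fixture sets `ttl: "1h"`, so the tests never reach this path; a fixture without `ttl` would cover it. The fix is to build the cookie first and set `Ttl` only when `TTL` is non-nil, as below (worth confirming that Envoy treats an unset ttl as a session cookie). A smaller point in the same file: `getLongestNonRegexPrefix` stops only at segments containing `*`, so a regex such as `/v1/[a-z]+/x` would put regex syntax into the cookie `Path`.

```go
		case sp.Cookie != nil:
			configName = cookieConfigName
			cookie := &httpv3.Cookie{
				Name: sp.Cookie.Name,
				Path: routePathToCookiePath(route.PathMatch),
			}
			// TTL is only populated for Permanent cookies with an absoluteTimeout;
			// leave Ttl unset otherwise instead of dereferencing a nil pointer.
			if sp.Cookie.TTL != nil {
				cookie.Ttl = durationpb.New(sp.Cookie.TTL.Duration)
			}
			sessionCfg = &cookiev3.CookieBasedSessionState{Cookie: cookie}
		// … unchanged: header case, anypb marshalling, HttpFilter append …
```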
@@ -0,0 +1,66 @@ +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "header-based-session-persistence-route" + hostname: "*" + pathMatch: + safeRegex: "/v1/.*" + sessionPersistence: + header: { + name: "session-header" + } + destination: + name: "regex-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "cookie-based-session-persistence-route-regex" + hostname: "*" + pathMatch: + safeRegex: "/v1/.*/hoge" + sessionPersistence: + cookie: + name: "session-header" + ttl: "1h" + destination: + name: "regex-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "cookie-based-session-persistence-route-prefix" + hostname: "*" + pathMatch: + prefix: "/v2/" + sessionPersistence: + cookie: + name: "session-header" + ttl: "1h" + destination: + name: "regex-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "cookie-based-session-persistence-route-exact" + hostname: "*" + pathMatch: + exact: "/v3/user" + sessionPersistence: + cookie: + name: "session-cookie" + ttl: "1h" + destination: + name: "regex-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml new file mode 100644 index 00000000000..0f75e67e278 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml 
@@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: regex-route-dest + lbPolicy: LEAST_REQUEST + name: regex-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.endpoints.yaml new file mode 100644 index 00000000000..b36ee450059 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: regex-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: regex-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml new file mode 100644 index 00000000000..f29e11a27a4 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml 
@@ -0,0 +1,80 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.stateful_session/header-based-session-persistence-route + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.stateful_session.v3.StatefulSession + sessionState: + name: envoy.http.stateful_session.header + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.stateful_session.header.v3.HeaderBasedSessionState + name: session-header + - disabled: true + name: envoy.filters.http.stateful_session/cookie-based-session-persistence-route-regex + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.stateful_session.v3.StatefulSession + sessionState: + name: envoy.http.stateful_session.cookie + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.stateful_session.cookie.v3.CookieBasedSessionState + cookie: + name: session-header + path: /v1 + ttl: 3600s + - disabled: true + name: envoy.filters.http.stateful_session/cookie-based-session-persistence-route-prefix + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.stateful_session.v3.StatefulSession + sessionState: + name: envoy.http.stateful_session.cookie + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.stateful_session.cookie.v3.CookieBasedSessionState + cookie: + name: session-header + path: /v2/ + ttl: 3600s + - disabled: true + name: envoy.filters.http.stateful_session/cookie-based-session-persistence-route-exact + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.filters.http.stateful_session.v3.StatefulSession + sessionState: + name: envoy.http.stateful_session.cookie + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.stateful_session.cookie.v3.CookieBasedSessionState + cookie: + name: session-cookie + path: /v3/user + ttl: 3600s + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + drainType: MODIFY_ONLY + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.routes.yaml new file mode 100644 index 00000000000..c5450601be4 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.routes.yaml 
@@ -0,0 +1,53 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + safeRegex: + regex: /v1/.* + name: header-based-session-persistence-route + route: + cluster: regex-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.stateful_session/header-based-session-persistence-route: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + safeRegex: + regex: /v1/.*/hoge + name: cookie-based-session-persistence-route-regex + route: + cluster: regex-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.stateful_session/cookie-based-session-persistence-route-regex: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /v2 + name: cookie-based-session-persistence-route-prefix + route: + cluster: regex-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.stateful_session/cookie-based-session-persistence-route-prefix: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + path: /v3/user + name: cookie-based-session-persistence-route-exact + route: + cluster: regex-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.stateful_session/cookie-based-session-persistence-route-exact: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 516864db274..2d2b75a3da3 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -964,6 +964,7 @@ _Appears in:_ | `envoy.filters.http.basic_auth` | EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
| | `envoy.filters.http.oauth2` | EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
| | `envoy.filters.http.jwt_authn` | EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
| +| `envoy.filters.http.stateful_session` | EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
| | `envoy.filters.http.ext_proc` | EnvoyFilterExtProc defines the Envoy HTTP external process filter.
| | `envoy.filters.http.wasm` | EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
| | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| @@ -1422,7 +1423,7 @@ _Appears in:_ | `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | | `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 516864db274..2d2b75a3da3 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -964,6 +964,7 @@ _Appears in:_ | `envoy.filters.http.basic_auth` | EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
| | `envoy.filters.http.oauth2` | EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
| | `envoy.filters.http.jwt_authn` | EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
| +| `envoy.filters.http.stateful_session` | EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
| | `envoy.filters.http.ext_proc` | EnvoyFilterExtProc defines the Envoy HTTP external process filter.
| | `envoy.filters.http.wasm` | EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
| | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| @@ -1422,7 +1423,7 @@ _Appears in:_ | `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | | `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | diff --git a/test/e2e/testdata/cookie-based-session-persistence.yaml b/test/e2e/testdata/cookie-based-session-persistence.yaml new file mode 100644 index 00000000000..60819e18098 --- /dev/null +++ b/test/e2e/testdata/cookie-based-session-persistence.yaml @@ -0,0 +1,29 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: cookie-based-session-persistence + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /v1 + backendRefs: + - name: infra-backend-v1 + port: 8080 + - matches: + - path: + type: PathPrefix + value: /v2 + backendRefs: + - name: infra-backend-v1 + port: 8080 + sessionPersistence: + sessionName: Session-A + type: Cookie + absoluteTimeout: 10s + cookieConfig: + lifetimeType: Permanent diff --git a/test/e2e/testdata/header-based-session-persistence.yaml b/test/e2e/testdata/header-based-session-persistence.yaml new file mode 100644 index 00000000000..4c6030a99df --- /dev/null +++ b/test/e2e/testdata/header-based-session-persistence.yaml @@ -0,0 +1,30 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: header-based-session-persistence + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /v1 + backendRefs: + - name: infra-backend-v1 + port: 8080 + - matches: + - path: + type: PathPrefix + value: /v2 + backendRefs: + - name: infra-backend-v1 + port: 8080 + sessionPersistence: + sessionName: Session-A + type: Header + # Actually, absoluteTimeout is not necessary for Header based session persistence. + # But, we have to add it, otherwise the gateway-api validation (mistakenly) rejects it. + # https://github.com/kubernetes-sigs/gateway-api/issues/3214 + absoluteTimeout: 10s 
diff --git a/test/e2e/tests/session_persistence.go b/test/e2e/tests/session_persistence.go new file mode 100644 index 00000000000..7c1d90880ab --- /dev/null +++ b/test/e2e/tests/session_persistence.go 
@@ -0,0 +1,189 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "fmt"
+ "net/http"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+ "k8s.io/apimachinery/pkg/types"
+ httputils "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, HeaderBasedSessionPersistenceTest)
+ ConformanceTests = append(ConformanceTests, CookieBasedSessionPersistenceTest)
+}
+
+var HeaderBasedSessionPersistenceTest = suite.ConformanceTest{
+ ShortName: "HeaderBasedSessionPersistence",
+ Description: "Test that the session persistence filter is correctly configured with header based session persistence",
+ Manifests: []string{"testdata/header-based-session-persistence.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("traffic is routed based on header based session persistence", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "header-based-session-persistence", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ req := httputils.MakeRequest(t, &httputils.ExpectedResponse{
+ Request: httputils.Request{
+ Path: "/v2",
+ },
+ }, gwAddr, "HTTP", "http")
+
+ pod := ""
+ // We make 10 requests to the gateway and expect them to be routed to the same pod.
+ for i := 0; i < 10; i++ {
+ captReq, res, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Fatalf("failed to make request: %v", err)
+ }
+
+ if i == 0 {
+ // First request, capture the pod name and header.
+ sessionHeader, ok := res.Headers["Session-A"]
+ if !ok {
+ t.Fatalf("expected header Session-A to be set: %v", res.Headers)
+ }
+
+ if captReq.Pod == "" {
+ t.Fatalf("expected pod to be set")
+ }
+ pod = captReq.Pod
+ req.Headers["Session-A"] = sessionHeader
+ continue
+ }
+
+ t.Logf("request is received from pod %s", captReq.Pod)
+
+ if captReq.Pod != pod {
+ t.Fatalf("expected pod to be the same as previous requests")
+ }
+ }
+ })
+ t.Run("session persistence is configured per route", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "header-based-session-persistence", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ req := httputils.MakeRequest(t, &httputils.ExpectedResponse{
+ Request: httputils.Request{
+ // /v1 path does not have the session persistence.
+ Path: "/v1",
+ },
+ }, gwAddr, "HTTP", "http")
+
+ _, res, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Fatalf("failed to make request: %v", err)
+ }
+
+ if h, ok := res.Headers["Session-A"]; ok {
+ t.Fatalf("expected header Session-A to not be set: %v", h)
+ }
+ })
+ },
+}
+
+var CookieBasedSessionPersistenceTest = suite.ConformanceTest{
+ ShortName: "CookieBasedSessionPersistence",
+ Description: "Test that the session persistence filter is correctly configured with cookie based session persistence",
+ Manifests: []string{"testdata/cookie-based-session-persistence.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("traffic is routed based on cookie based session persistence", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "cookie-based-session-persistence", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ req := httputils.MakeRequest(t, &httputils.ExpectedResponse{
+ Request: httputils.Request{
+ Path: "/v2",
+ },
+ }, gwAddr, "HTTP", "http")
+
+ pod := ""
+ // We make 10 requests to the gateway and expect them to be routed to the same pod.
+ for i := 0; i < 10; i++ {
+ captReq, res, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Fatalf("failed to make request: %v", err)
+ }
+
+ if i == 0 {
+ // First request, capture the pod name and cookie.
+ if captReq.Pod == "" {
+ t.Fatalf("expected pod to be set")
+ }
+
+ cookie, err := parseCookie(res.Headers, "Session-A")
+ if err != nil {
+ t.Fatalf("failed to parse cookie: %v", err)
+ }
+
+ // Check the cookie is set correctly.
+ if diff := cmp.Diff(cookie, &http.Cookie{
+ Name: "Session-A",
+ MaxAge: 10,
+ Path: "/v2",
+ HttpOnly: true,
+ }, cmpopts.IgnoreFields(http.Cookie{}, "Value", "Raw"), // Ignore the value as it is random.
+ ); diff != "" {
+ t.Fatalf("unexpected cookie: %v", diff)
+ }
+
+ pod = captReq.Pod
+ req.Headers["Cookie"] = []string{fmt.Sprintf("Session-A=%s", cookie.Value)}
+ continue
+ }
+
+ t.Logf("request is received from pod %s", captReq.Pod)
+
+ if captReq.Pod != pod {
+ t.Fatalf("expected pod to be the same as previous requests")
+ }
+ }
+ })
+ t.Run("session persistence is configured per route", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "cookie-based-session-persistence", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+ req := httputils.MakeRequest(t, &httputils.ExpectedResponse{
+ Request: httputils.Request{
+ // /v1 path does not have the session persistence.
+ Path: "/v1",
+ },
+ }, gwAddr, "HTTP", "http")
+
+ _, res, err := suite.RoundTripper.CaptureRoundTrip(req)
+ if err != nil {
+ t.Fatalf("failed to make request: %v", err)
+ }
+
+ if _, ok := res.Headers["Set-Cookie"]; ok {
+ t.Fatal("expected the envoy not to response set-cookie back")
+ }
+ })
+ },
+}
+
+func parseCookie(headers map[string][]string, cookieName string) (*http.Cookie, error) {
+ parser := &http.Response{Header: headers}
+ for _, c := range parser.Cookies() {
+ if c.Name == cookieName {
+ return c, nil
+ }
+ }
+ return nil, fmt.Errorf("cookie %s not found: headers: %v", cookieName, headers)
+}
From eeb62c88f8949f8da8a1278ec5515ffa1a004444 Mon Sep 17 00:00:00 2001
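Review bot: The `cmp.Diff` assertion in the first cookie subtest compares every `http.Cookie` field except `Value` and `Raw`, so besides `HttpOnly`, `MaxAge` and `Path` it also pins that the issued cookie carries no `Secure`, `SameSite` or `Domain` attribute, and nothing in the test says whether that is intended. I would state it next to the expected literal, for example `// Secure and SameSite are expected to be unset here; the request goes over plain HTTP.`, so that a later hardening of the cookie is read as a deliberate test update rather than a regression. Both the header and the cookie variant also only replay a `Session-A` value that the gateway itself returned on the first request; a case that sends a value the gateway did not issue (presumably routing should then fall back to normal load balancing, to be confirmed) is not covered. The exported `HeaderBasedSessionPersistenceTest` and `CookieBasedSessionPersistenceTest` and the helper `parseCookie` have no doc comments.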
From: Arko Dasgupta Date: Sat, 10 Aug 2024 01:46:44 -0700 Subject: [PATCH 033/523] docs: Attach EnvoyProxy to Gateway (#4020) --- .../en/docs/boilerplates/prerequisites.md | 24 ++++ .../tasks/operations/customize-envoyproxy.md | 117 +++++++++++++----- .../tasks/operations/customize-envoyproxy.md | 114 ++++++++++++----- .../en/v1.1/boilerplates/prerequisites.md | 24 ++++ .../tasks/operations/customize-envoyproxy.md | 117 +++++++++++++----- 5 files changed, 302 insertions(+), 94 deletions(-) create mode 100644 site/content/en/docs/boilerplates/prerequisites.md create mode 100644 site/content/en/v1.1/boilerplates/prerequisites.md diff --git a/site/content/en/docs/boilerplates/prerequisites.md b/site/content/en/docs/boilerplates/prerequisites.md new file mode 100644 index 00000000000..064238e4d13 --- /dev/null +++ b/site/content/en/docs/boilerplates/prerequisites.md @@ -0,0 +1,24 @@ +--- +--- + +Follow the steps from the [Quickstart](../tasks/quickstart) task to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +Verify the Gateway status: + +{{< tabpane text=true >}} +{{% tab header="kubectl" %}} + +```shell +kubectl get gateway/eg -o yaml +``` + +{{% /tab %}} +{{% tab header="egctl (experimental)" %}} + +```shell +egctl x status gateway -v +``` + +{{% /tab %}} +{{< /tabpane >}} diff --git a/site/content/en/docs/tasks/operations/customize-envoyproxy.md b/site/content/en/docs/tasks/operations/customize-envoyproxy.md index 562237bfc43..892c3496ff0 100644 --- a/site/content/en/docs/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/docs/tasks/operations/customize-envoyproxy.md 
@@ -3,15 +3,68 @@ title: "Customize EnvoyProxy" --- Envoy Gateway provides an [EnvoyProxy][] CRD that can be linked to the ParametersRef -in GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and +in a Gateway and GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and Service. To learn more about GatewayClass and ParametersRef, please refer to [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} -Before you start, you need to add `ParametersRef` in GatewayClass, and refer to EnvoyProxy Config: +Before you start, you need to add `Infrastructure.ParametersRef` in Gateway, and refer to EnvoyProxy Config: +**Note**: `MergeGateways` cannot be set to `true` in your EnvoyProxy config if attaching to the Gateway. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can also attach the EnvoyProxy resource to the GatewayClass using the `parametersRef` field. +This configuration is discouraged if you plan on creating multiple Gateways linking to the same +GatewayClass and would like different infrastructure configurations for each of them. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -28,7 +81,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default EOF ``` @@ -48,7 +101,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default ``` {{% /tab %}} @@ -67,7 +120,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -87,7 +140,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -119,7 +172,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -140,7 +193,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -168,7 +221,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -191,7 +244,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -221,7 +274,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -248,7 +301,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -280,7 +333,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -305,7 +358,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -339,7 +392,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -368,7 +421,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -404,7 +457,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -426,7 +479,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -459,7 +512,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -547,7 +600,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -649,7 +702,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -677,7 +730,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -713,7 +766,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm 
@@ -730,7 +783,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm @@ -756,7 +809,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -792,7 +845,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -835,7 +888,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -860,7 +913,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -918,7 +971,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm @@ -938,7 +991,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm diff --git a/site/content/en/latest/tasks/operations/customize-envoyproxy.md b/site/content/en/latest/tasks/operations/customize-envoyproxy.md index bfcc3d6e07a..892c3496ff0 100644 --- a/site/content/en/latest/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/latest/tasks/operations/customize-envoyproxy.md 
@@ -3,14 +3,68 @@ title: "Customize EnvoyProxy" --- Envoy Gateway provides an [EnvoyProxy][] CRD that can be linked to the ParametersRef -in GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and +in a Gateway and GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and Service. To learn more about GatewayClass and ParametersRef, please refer to [Gateway API documentation][]. ## Prerequisites {{< boilerplate prerequisites >}} -Before you start, you need to add `ParametersRef` in GatewayClass, and refer to EnvoyProxy Config: +Before you start, you need to add `Infrastructure.ParametersRef` in Gateway, and refer to EnvoyProxy Config: +**Note**: `MergeGateways` cannot be set to `true` in your EnvoyProxy config if attaching to the Gateway. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can also attach the EnvoyProxy resource to the GatewayClass using the `parametersRef` field. +This configuration is discouraged if you plan on creating multiple Gateways linking to the same +GatewayClass and would like different infrastructure configurations for each of them. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -27,7 +81,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default EOF ``` @@ -47,7 +101,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default ``` {{% /tab %}} @@ -66,7 +120,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -86,7 +140,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -118,7 +172,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -139,7 +193,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -167,7 +221,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -190,7 +244,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -220,7 +274,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -247,7 +301,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -279,7 +333,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -304,7 +358,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -338,7 +392,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -367,7 +421,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -403,7 +457,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -425,7 +479,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -458,7 +512,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -546,7 +600,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -648,7 +702,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -676,7 +730,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -712,7 +766,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm @@ -729,7 +783,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm 
@@ -755,7 +809,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -791,7 +845,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -834,7 +888,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -859,7 +913,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -917,7 +971,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm @@ -937,7 +991,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm diff --git a/site/content/en/v1.1/boilerplates/prerequisites.md b/site/content/en/v1.1/boilerplates/prerequisites.md new file mode 100644 index 00000000000..064238e4d13 --- /dev/null +++ b/site/content/en/v1.1/boilerplates/prerequisites.md @@ -0,0 +1,24 @@ +--- +--- + +Follow the steps from the [Quickstart](../tasks/quickstart) task to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +Verify the Gateway status: + +{{< tabpane text=true >}} +{{% tab header="kubectl" %}} + +```shell +kubectl get gateway/eg -o yaml +``` + +{{% /tab %}} +{{% tab header="egctl (experimental)" %}} + +```shell +egctl x status gateway -v +``` + +{{% /tab %}} +{{< /tabpane >}} 
diff --git a/site/content/en/v1.1/tasks/operations/customize-envoyproxy.md b/site/content/en/v1.1/tasks/operations/customize-envoyproxy.md index 562237bfc43..892c3496ff0 100644 --- a/site/content/en/v1.1/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/v1.1/tasks/operations/customize-envoyproxy.md @@ -3,15 +3,68 @@ title: "Customize EnvoyProxy" --- Envoy Gateway provides an [EnvoyProxy][] CRD that can be linked to the ParametersRef -in GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and +in a Gateway and GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and Service. To learn more about GatewayClass and ParametersRef, please refer to [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} -Before you start, you need to add `ParametersRef` in GatewayClass, and refer to EnvoyProxy Config: +Before you start, you need to add `Infrastructure.ParametersRef` in Gateway, and refer to EnvoyProxy Config: +**Note**: `MergeGateways` cannot be set to `true` in your EnvoyProxy config if attaching to the Gateway. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can also attach the EnvoyProxy resource to the GatewayClass using the `parametersRef` field. +This configuration is discouraged if you plan on creating multiple Gateways linking to the same +GatewayClass and would like different infrastructure configurations for each of them. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -28,7 +81,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default EOF ``` 
@@ -48,7 +101,7 @@ spec: group: gateway.envoyproxy.io kind: EnvoyProxy name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default ``` {{% /tab %}} @@ -67,7 +120,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -87,7 +140,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -119,7 +172,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -140,7 +193,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -168,7 +221,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -191,7 +244,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -221,7 +274,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -248,7 +301,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -280,7 +333,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -305,7 +358,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -339,7 +392,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -368,7 +421,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -404,7 +457,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -426,7 +479,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -459,7 +512,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -547,7 +600,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: bootstrap: type: Replace @@ -649,7 +702,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes 
@@ -677,7 +730,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -713,7 +766,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm @@ -730,7 +783,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: extraArgs: - --disable-extensions envoy.access_loggers/envoy.access_loggers.wasm @@ -756,7 +809,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -792,7 +845,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -835,7 +888,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -860,7 +913,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: eg - namespace: envoy-gateway-system + namespace: default spec: provider: type: Kubernetes @@ -918,7 +971,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm @@ -938,7 +991,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config - namespace: envoy-gateway-system + namespace: default spec: filterOrder: - name: envoy.filters.http.wasm From 229bf9137f23ef318d6b038b22d23c72227d2e85 Mon Sep 17 00:00:00 2001 
From: Manoramsharma <84619980+Manoramsharma@users.noreply.github.com> Date: Tue, 13 Aug 2024 07:39:24 +0530 Subject: [PATCH 034/523] docs: Steps for migrating to Envoy Gateway (#3973) * Doc enhancement supporting migration to envoy Signed-off-by: Manoramsharma * Added ingress config example Signed-off-by: Manoramsharma * Updated steps to configure the gatewayClass Signed-off-by: Manoramsharma * Fixed hugo lint Signed-off-by: Manoramsharma --------- Signed-off-by: Manoramsharma Co-authored-by: zirain --- .../en/latest/install/migrating-to-envoy.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 site/content/en/latest/install/migrating-to-envoy.md diff --git a/site/content/en/latest/install/migrating-to-envoy.md b/site/content/en/latest/install/migrating-to-envoy.md new file mode 100644 index 00000000000..470c759ab7e --- /dev/null +++ b/site/content/en/latest/install/migrating-to-envoy.md 
@@ -0,0 +1,143 @@ +--- +title: Migrating from Ingress Resources +--- + +## Introduction + +Migrating from Ingress to Envoy Gateway involves converting existing Ingress resources into resources compatible with Envoy Gateway. The `ingress2gateway` tool simplifies this migration by transforming Ingress resources into Gateway API resources that Envoy Gateway can use. This guide will walk you through the prerequisites, installation of the `ingress2gateway` tool, and provide an example migration process. + +## Prerequisites + +Before you start the migration, ensure you have the following: + +1. **Envoy Gateway Installed**: You need Envoy Gateway set up in your Kubernetes cluster. Follow the [Envoy Gateway installation guide](../install) for details. +2. **Kubernetes Cluster Access**: Ensure you have access to your Kubernetes cluster and necessary permissions to manage resources. +3. **Installation of `ingress2gateway` Tool**: You need to install the `ingress2gateway` tool in your Kubernetes cluster and configure it accordingly. Follow the [ingress2gateway tool installation guide](https://github.com/kubernetes-sigs/ingress2gateway/blob/main/README.md#installation) for details. + +## Example Migration + +Here’s a step-by-step example of migrating from Ingress to Envoy Gateway using `ingress2gateway`: + +### 1. Install and Configure Envoy Gateway + +Ensure that Envoy Gateway is installed and running in your cluster. Follow the [official Envoy Gateway installation guide](../install) for setup instructions. + +### 2. Create a GatewayClass + +To ensure the generated HTTPRoutes are programmed correctly in the Envoy Gateway data plane, create a GatewayClass that links to the Envoy Gateway controller. 
+ +Create a `GatewayClass` resource: + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: envoy-gateway-class +spec: + controllerName: gateway.envoyproxy.io/controller +``` + +Apply this resource: + +```sh +kubectl apply -f gatewayclass.yaml +``` + +### 3. Install Ingress2gateway + +Ensure you have the Ingress2gateway package installed. If not, follow the package’s installation instructions. + +### 4. Run Ingress2gateway + +Use Ingress2gateway to read your existing Ingress resources and translate them into Gateway API resources. + +```sh +./ingress2gateway print +``` + +This command will: +1. Read your Kube config file to extract the cluster credentials and the current active namespace. +2. Search for Ingress and provider-specific resources in that namespace. +3. Convert them to Gateway API resources (Gateways and HTTPRoutes). + +#### Example Ingress Configuration + +```yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: example-ingress + namespace: default + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + rules: + - host: example.com + http: + paths: + - path: /foo + pathType: Prefix + backend: + service: + name: foo-service + port: + number: 80 +``` + +### 5. Save the Output + +The command will output the equivalent Gateway API resources in YAML/JSON format to stdout. Save this output to a file for further use. + +```sh +./ingress2gateway print > gateway-resources.yaml +``` + +### 6. Apply the Translated Resources + +Apply the translated Gateway API resources to your cluster. + +```sh +kubectl apply -f gateway-resources.yaml +``` + +### 7. Create a Gateway Resource + +Create a `Gateway` resource specifying the `GatewayClass` created earlier and including the necessary listeners. 
+ +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: example-gateway + namespace: default +spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: example.com +``` + +Apply this resource: + +```sh +kubectl apply -f gateway.yaml +``` + +### 8. Validate the Migration + +Ensure the HTTPRoutes and Gateways are correctly set up and that traffic is being routed as expected. Validate the new configuration by checking the status of the Gateway and HTTPRoute resources. + +```sh +kubectl get gateways +kubectl get httproutes +``` + +### 9. Monitor and Troubleshoot + +Monitor the Envoy Gateway logs and metrics to ensure everything is functioning correctly. Troubleshoot any issues by reviewing the Gateway and HTTPRoute statuses and Envoy Gateway controller logs. + +## Summary + +By following this guide, users can effectively migrate their existing Ingress resources to Envoy Gateway using the Ingress2gateway package. Creating a GatewayClass and linking it to the Envoy Gateway controller ensures that the translated resources are properly programmed in the data plane, providing a seamless transition to the Envoy Gateway environment. \ No newline at end of file From eac30d6002dd4ccf7240a0eab66799b020ff560c Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Tue, 13 Aug 2024 05:26:07 +0300 Subject: [PATCH 035/523] fix: add header values as described in the documentation (#4031) Add header values after splitting the provided value string on ',', like described in the documentation. 
Signed-off-by: Lior Okman --- internal/gatewayapi/filters.go | 8 ++--- ...route-with-request-header-modifier.in.yaml | 5 +++ ...oute-with-request-header-modifier.out.yaml | 13 ++++++- ...h-backendref-add-multiple-filters.out.yaml | 9 +++-- ...er-duplicate-add-multiple-filters.out.yaml | 9 +++-- ...with-header-filter-duplicate-adds.out.yaml | 15 +++++--- ...header-filter-empty-header-values.out.yaml | 6 ++-- ...route-with-mirror-filter-multiple.out.yaml | 9 +++-- ...-with-response-header-filter-adds.out.yaml | 15 +++++--- ...er-duplicate-add-multiple-filters.out.yaml | 9 +++-- ...onse-header-filter-duplicate-adds.out.yaml | 15 +++++--- ...header-filter-empty-header-values.out.yaml | 6 ++-- internal/ir/xds.go | 6 ++-- internal/ir/xds_test.go | 22 ++++++------ internal/ir/zz_generated.deepcopy.go | 21 +++++++++--- internal/xds/translator/route.go | 34 ++++++++++++------- .../in/xds-ir/http-route-request-headers.yaml | 20 ++++++++--- .../http-route-response-add-headers.yaml | 15 +++++--- ...ttp-route-response-add-remove-headers.yaml | 15 +++++--- ...p-route-weighted-backend-with-filters.yaml | 9 +++-- .../http-route-request-headers.routes.yaml | 6 ++++ 21 files changed, 181 insertions(+), 86 deletions(-) diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index b3d2ddb4074..aecc2e81131 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -445,7 +445,7 @@ func (t *Translator) processRequestHeaderModifierFilter( newHeader := ir.AddHeader{ Name: headerKey, Append: true, - Value: addHeader.Value, + Value: strings.Split(addHeader.Value, ","), } filterContext.AddRequestHeaders = append(filterContext.AddRequestHeaders, newHeader) 
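Review bot: `strings.Split(addHeader.Value, ",")` splits on every comma, so a value whose comma belongs to a single field value (the `Expires` date inside a `Set-Cookie`, a quoted string) is broken into pieces, and the elements are not trimmed, so `foo, bar` yields ` bar` with a leading space. The same call appears in the set hunk at -500 and in both response-header hunks at -617 and -672, where a comma-separated response security header would be affected as well. For the two set cases the configured string is already a valid single value, so `Value: []string{setHeader.Value},` would keep it intact. For the add cases, passing each element through `strings.TrimSpace` before storing it avoids emitting padded values. The enclosing functions start and end outside these hunks, and whether `strings` is already imported in filters.go is not visible here.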
@@ -500,7 +500,7 @@ func (t *Translator) processRequestHeaderModifierFilter( newHeader := ir.AddHeader{ Name: string(setHeader.Name), Append: false, - Value: setHeader.Value, + Value: strings.Split(setHeader.Value, ","), } filterContext.AddRequestHeaders = append(filterContext.AddRequestHeaders, newHeader) @@ -617,7 +617,7 @@ func (t *Translator) processResponseHeaderModifierFilter( newHeader := ir.AddHeader{ Name: headerKey, Append: true, - Value: addHeader.Value, + Value: strings.Split(addHeader.Value, ","), } filterContext.AddResponseHeaders = append(filterContext.AddResponseHeaders, newHeader) @@ -672,7 +672,7 @@ func (t *Translator) processResponseHeaderModifierFilter( newHeader := ir.AddHeader{ Name: string(setHeader.Name), Append: false, - Value: setHeader.Value, + Value: strings.Split(setHeader.Value, ","), } filterContext.AddResponseHeaders = append(filterContext.AddResponseHeaders, newHeader) diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.in.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.in.yaml index 2c48dad582e..29fcb5a75a1 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.in.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.in.yaml @@ -26,6 +26,11 @@ grpcRoutes: sectionName: http rules: - filters: + - type: "RequestHeaderModifier" + requestHeaderModifier: + add: + - name: "my-header-multi-value" + value: "foo,bar" - type: "RequestHeaderModifier" requestHeaderModifier: add: diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml index f36c9c969cc..110d404c44f 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml 
@@ -56,6 +56,11 @@ grpcRoutes: - name: service-1 port: 8080 filters: + - requestHeaderModifier: + add: + - name: my-header-multi-value + value: foo,bar + type: RequestHeaderModifier - requestHeaderModifier: add: - name: my-header @@ -117,9 +122,15 @@ xdsIR: port: 10080 routes: - addRequestHeaders: + - append: true + name: my-header-multi-value + value: + - foo + - bar - append: true name: my-header - value: foo + value: + - foo destination: name: grpcroute/default/grpcroute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml index 78655fc8476..122d09efdeb 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml @@ -147,7 +147,8 @@ xdsIR: addRequestHeaders: - append: false name: add-header-3 - value: some-value + value: + - some-value protocol: HTTP weight: 1 hostname: '*' @@ -172,10 +173,12 @@ xdsIR: addRequestHeaders: - append: true name: add-header-1 - value: some-value + value: + - some-value - append: true name: add-header-2 - value: some-value + value: + - some-value protocol: HTTP weight: 8 - addressType: IP diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml index a86e71b4534..605aa384f3e 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml 
@@ -134,13 +134,16 @@ xdsIR: - addRequestHeaders: - append: true name: add-header-1 - value: some-value + value: + - some-value - append: true name: add-header-2 - value: some-value + value: + - some-value - append: true name: add-header-3 - value: some-value + value: + - some-value destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml index 39cc44429f6..f122fc17d5b 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml @@ -144,19 +144,24 @@ xdsIR: - addRequestHeaders: - append: true name: Set-Header-1 - value: some-value + value: + - some-value - append: true name: set-header-2 - value: some-value + value: + - some-value - append: true name: set-header-3 - value: some-value + value: + - some-value - append: true name: set-header-5 - value: some-value + value: + - some-value - append: false name: set-header-4 - value: some-value + value: + - some-value destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml index b3814e2d41d..67c14e133a7 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml @@ -128,10 +128,12 @@ xdsIR: - addRequestHeaders: - append: true name: example-header-2 - value: "" + value: + - "" - append: false name: example-header-1 - value: "" + value: + - "" destination: name: httproute/default/httproute-1/rule/0 settings: 
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml index 9aa6f0bf23b..c6e534c9c63 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml @@ -144,13 +144,16 @@ xdsIR: - addRequestHeaders: - append: true name: X-Header-Add - value: header-val-1 + value: + - header-val-1 - append: true name: X-Header-Add-Append - value: header-val-2 + value: + - header-val-2 - append: false name: X-Header-Set - value: set-overwrites-values + value: + - set-overwrites-values destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml index 7b53542bdfa..6dcb4b28779 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml @@ -140,19 +140,24 @@ xdsIR: - addResponseHeaders: - append: true name: Set-Header-1 - value: some-value + value: + - some-value - append: true name: set-header-2 - value: some-value + value: + - some-value - append: true name: set-header-3 - value: some-value + value: + - some-value - append: true name: set-header-5 - value: some-value + value: + - some-value - append: false name: set-header-4 - value: some-value + value: + - some-value destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml index 459c4264740..47d61c9fcfa 100644 
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml @@ -134,13 +134,16 @@ xdsIR: - addResponseHeaders: - append: true name: add-header-1 - value: some-value + value: + - some-value - append: true name: add-header-2 - value: some-value + value: + - some-value - append: true name: add-header-3 - value: some-value + value: + - some-value destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml index d2b4ffbe3f2..1d2f4f7124c 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml @@ -144,19 +144,24 @@ xdsIR: - addResponseHeaders: - append: true name: Set-Header-1 - value: some-value + value: + - some-value - append: true name: set-header-2 - value: some-value + value: + - some-value - append: true name: set-header-3 - value: some-value + value: + - some-value - append: true name: set-header-5 - value: some-value + value: + - some-value - append: false name: set-header-4 - value: some-value + value: + - some-value destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml index 9d188a03dc0..723cabbe6f7 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml 
@@ -128,10 +128,12 @@ xdsIR: - addResponseHeaders: - append: true name: example-header-2 - value: "" + value: + - "" - append: false name: example-header-1 - value: "" + value: + - "" destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/ir/xds.go b/internal/ir/xds.go index f2807da484a..41dd93b3bff 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1226,9 +1226,9 @@ func NewDestEndpoint(host string, port uint32) *DestinationEndpoint { // AddHeader configures a header to be added to a request or response. // +k8s:deepcopy-gen=true type AddHeader struct { - Name string `json:"name" yaml:"name"` - Value string `json:"value" yaml:"value"` - Append bool `json:"append" yaml:"append"` + Name string `json:"name" yaml:"name"` + Value []string `json:"value" yaml:"value"` + Append bool `json:"append" yaml:"append"` } // Validate the fields within the AddHeader structure diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 9492c378344..6724549e39f 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -338,17 +338,16 @@ var ( AddRequestHeaders: []AddHeader{ { Name: "example-header", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, { Name: "example-header-2", - Value: "example-value-2", + Value: []string{"example-value-2"}, Append: false, }, { Name: "empty-header", - Value: "", Append: false, }, }, @@ -376,12 +375,12 @@ var ( AddRequestHeaders: []AddHeader{ { Name: "example-header", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, { Name: "example-header", - Value: "example-value-2", + Value: []string{"example-value-2"}, Append: false, }, }, @@ -401,7 +400,7 @@ var ( AddRequestHeaders: []AddHeader{ { Name: "", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, }, 
@@ -416,17 +415,16 @@ var ( AddResponseHeaders: []AddHeader{ { Name: "example-header", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, { Name: "example-header-2", - Value: "example-value-2", + Value: []string{"example-value-2"}, Append: false, }, { Name: "empty-header", - Value: "", Append: false, }, }, @@ -454,12 +452,12 @@ var ( AddResponseHeaders: []AddHeader{ { Name: "example-header", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, { Name: "example-header", - Value: "example-value-2", + Value: []string{"example-value-2"}, Append: false, }, }, @@ -479,7 +477,7 @@ var ( AddResponseHeaders: []AddHeader{ { Name: "", - Value: "example-value", + Value: []string{"example-value"}, Append: true, }, }, diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 5e3398a0678..f0d5e29658f 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -196,6 +196,11 @@ func (in *ActiveHealthCheck) DeepCopy() *ActiveHealthCheck { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AddHeader) DeepCopyInto(out *AddHeader) { *out = *in + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddHeader. @@ -638,7 +643,9 @@ func (in *DestinationFilters) DeepCopyInto(out *DestinationFilters) { if in.AddRequestHeaders != nil { in, out := &in.AddRequestHeaders, &out.AddRequestHeaders *out = make([]AddHeader, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.RemoveRequestHeaders != nil { in, out := &in.RemoveRequestHeaders, &out.RemoveRequestHeaders 
@@ -648,7 +655,9 @@ func (in *DestinationFilters) DeepCopyInto(out *DestinationFilters) { if in.AddResponseHeaders != nil { in, out := &in.AddResponseHeaders, &out.AddResponseHeaders *out = make([]AddHeader, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.RemoveResponseHeaders != nil { in, out := &in.RemoveResponseHeaders, &out.RemoveResponseHeaders @@ -1299,7 +1308,9 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { if in.AddRequestHeaders != nil { in, out := &in.AddRequestHeaders, &out.AddRequestHeaders *out = make([]AddHeader, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.RemoveRequestHeaders != nil { in, out := &in.RemoveRequestHeaders, &out.RemoveRequestHeaders @@ -1309,7 +1320,9 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { if in.AddResponseHeaders != nil { in, out := &in.AddResponseHeaders, &out.AddResponseHeaders *out = make([]AddHeader, len(*in)) - copy(*out, *in) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.RemoveResponseHeaders != nil { in, out := &in.RemoveResponseHeaders, &out.RemoveResponseHeaders diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 8a56e9e42b1..6a9e72f498c 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -438,9 +438,9 @@ func buildXdsRequestMirrorPolicies(mirrorDestinations []*ir.RouteDestination) [] } func buildXdsAddedHeaders(headersToAdd []ir.AddHeader) []*corev3.HeaderValueOption { - headerValueOptions := make([]*corev3.HeaderValueOption, len(headersToAdd)) + headerValueOptions := []*corev3.HeaderValueOption{} - for i, header := range headersToAdd { + for _, header := range headersToAdd { var appendAction corev3.HeaderValueOption_HeaderAppendAction if header.Append { 
@@ -448,18 +448,26 @@ func buildXdsAddedHeaders(headersToAdd []ir.AddHeader) []*corev3.HeaderValueOpti } else { appendAction = corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD } - - headerValueOptions[i] = &corev3.HeaderValueOption{ - Header: &corev3.HeaderValue{ - Key: header.Name, - Value: header.Value, - }, - AppendAction: appendAction, - } - // Allow empty headers to be set, but don't add the config to do so unless necessary - if header.Value == "" { - headerValueOptions[i].KeepEmptyValue = true + if len(header.Value) == 0 { + headerValueOptions = append(headerValueOptions, &corev3.HeaderValueOption{ + Header: &corev3.HeaderValue{ + Key: header.Name, + }, + AppendAction: appendAction, + KeepEmptyValue: true, + }) + } else { + for _, val := range header.Value { + headerValueOptions = append(headerValueOptions, &corev3.HeaderValueOption{ + Header: &corev3.HeaderValue{ + Key: header.Name, + Value: val, + }, + AppendAction: appendAction, + KeepEmptyValue: val == "", + }) + } } } diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml index c3dc4417dcc..fb45b8db724 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml @@ -18,20 +18,30 @@ http: - host: "1.2.3.4" port: 50000 addRequestHeaders: + - name: "some-header-multi-value" + value: + - "some-value" + - "some-additional-value" + append: true - name: "some-header" - value: "some-value" + value: + - "some-value" append: true - name: "some-header-2" - value: "some-value" + value: + - "some-value" append: true - name: "some-header3" - value: "some-value" + value: + - "some-value" append: false - name: "some-header4" - value: "some-value" + value: + - "some-value" append: false - name: "empty-header" - value: "" + value: + - "" append: false removeRequestHeaders: - "some-header5" 
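Review bot: In the `for _, val := range header.Value` loop every element is emitted with the same `appendAction`, so a header with `Append: false` and more than one value gets `OVERWRITE_IF_EXISTS_OR_ADD` on each entry and, assuming Envoy applies the options in order, only the last value would survive. Only the first element should overwrite; the later ones need the append action so the full value list reaches the request or response. `buildXdsAddedHeaders` starts in the previous hunk and its tail lies outside this one. The testdata added in this commit covers multiple values only with `append: true`, so a set case with two values would be worth adding.

```go
// … unchanged: appendAction selection and the len(header.Value) == 0 branch …
for i, val := range header.Value {
	action := appendAction
	if i > 0 {
		// Later values must append, otherwise each one replaces the value written before it.
		action = corev3.HeaderValueOption_APPEND_IF_EXISTS_OR_ADD
	}
	headerValueOptions = append(headerValueOptions, &corev3.HeaderValueOption{
		Header: &corev3.HeaderValue{
			Key:   header.Name,
			Value: val,
		},
		AppendAction:   action,
		KeepEmptyValue: val == "",
	})
}
```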
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml index e3114e2d252..3cfaf5e4945 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml @@ -19,17 +19,22 @@ http: port: 50000 addResponseHeaders: - name: "some-header" - value: "some-value" + value: + - "some-value" append: true - name: "some-header-2" - value: "some-value" + value: + - "some-value" append: true - name: "some-header3" - value: "some-value" + value: + - "some-value" append: false - name: "some-header4" - value: "some-value" + value: + - "some-value" append: false - name: "empty-header" - value: "" + value: + - "" append: false diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml index 0e59f8f124d..c97d927dff6 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml @@ -19,19 +19,24 @@ http: port: 50000 addResponseHeaders: - name: "some-header" - value: "some-value" + value: + - "some-value" append: true - name: "some-header-2" - value: "some-value" + value: + - "some-value" append: true - name: "some-header3" - value: "some-value" + value: + - "some-value" append: false - name: "some-header4" - value: "some-value" + value: + - "some-value" append: false - name: "empty-header" - value: "" + value: + - "" append: false removeResponseHeaders: - "some-header5" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml index f8943d07f01..8745e9893bc 100644 
--- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml @@ -19,7 +19,8 @@ http: addRequestHeaders: - append: false name: add-header-3 - value: some-value + value: + - some-value protocol: HTTP weight: 1 hostname: '*' @@ -37,10 +38,12 @@ http: addRequestHeaders: - append: true name: add-header-1 - value: some-value + value: + - some-value - append: true name: add-header-2 - value: some-value + value: + - some-value protocol: HTTP weight: 8 - addressType: IP diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.routes.yaml index f91a70cb2ee..1f2c6be4057 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.routes.yaml @@ -9,6 +9,12 @@ prefix: / name: request-header-route requestHeadersToAdd: + - header: + key: some-header-multi-value + value: some-value + - header: + key: some-header-multi-value + value: some-additional-value - header: key: some-header value: some-value From c86eb5a94ca0012388aed4f73662e9a17b996d92 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:50:27 -0700 Subject: [PATCH 036/523] build(deps): bump github/codeql-action from 3.25.15 to 3.26.0 (#4030) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/afb54ba388a7dca6ecae48f608c4ff05ff4cc77a...eb055d739abdc2e8de2e5f4ba1a8b246daa779aa) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d3e4cd0a458..7cb7462e0e3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/autobuild@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 99a10164ed7..2af996a99e5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 with: sarif_file: results.sarif From 6f7abe4e4bd9a684e0d01030863920f8ee4cbefc Mon Sep 17 00:00:00 2001 From: qi Date: Tue, 13 Aug 2024 22:12:54 +0800 Subject: [PATCH 037/523] bugfix: fatal error: concurrent map writes (#3986) Signed-off-by: qicz --- internal/metrics/otel_metric_gauge.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/internal/metrics/otel_metric_gauge.go b/internal/metrics/otel_metric_gauge.go index 49e02395b67..7fe0ac3dc5d 100644 --- a/internal/metrics/otel_metric_gauge.go +++ b/internal/metrics/otel_metric_gauge.go @@ -29,15 +29,19 @@ type GaugeValues struct { func (f *Gauge) Record(value float64) { f.mutex.Lock() + defer f.mutex.Unlock() + if f.current == nil { f.current = &GaugeValues{} f.stores[attribute.NewSet()] = f.current } f.current.val = value - f.mutex.Unlock() } func (f *Gauge) With(labelValues ...LabelValue) *Gauge { + f.mutex.Lock() + defer f.mutex.Unlock() + attrs, set := mergeLabelValues(f.attrs, labelValues) m := &Gauge{ g: f.g, From eb83fb7dbd760ce3da6dc6962d8bd396f8cddc6e Mon Sep 17 00:00:00 2001 From: qi Date: Wed, 14 Aug 2024 01:48:42 +0800 Subject: [PATCH 038/523] bugfix: fix egctl experimental translate with error ns. (#3984) * bugfix: fix egctl experimental translate with error ns. Signed-off-by: qicz * Update internal/cmd/egctl/translate.go Co-authored-by: Arko Dasgupta Signed-off-by: qi --------- Signed-off-by: qicz 
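Review bot: The lock now taken at the top of `With` only prevents the concurrent map write if the `Gauge` it returns uses the same mutex as the receiver; the construction of `m` continues past the end of this hunk, so that cannot be confirmed from here. If `m` shares `f.stores` but gets its own mutex, `Record` on the derived gauge would still touch the map under a different lock. A comment on the field such as `// mutex guards stores and current and is shared by every Gauge created through With` would make the invariant explicit. A test that calls `With` and `Record` from several goroutines under `go test -race` would pin the fix.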
Signed-off-by: qi Co-authored-by: Arko Dasgupta Co-authored-by: zirain --- internal/cmd/egctl/translate.go | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index 2bf4cda177f..ceb4e9deee3 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go 
@@ -63,47 +63,48 @@ func newTranslateCommand() *cobra.Command { addMissingResources bool outTypes []string dnsDomain string + namespace string ) translateCommand := &cobra.Command{ Use: "translate", Short: "Translate Configuration from an input type to an output type", Example: ` # Translate Gateway API Resources into All xDS Resources. - egctl experimental translate --from gateway-api --to xds --file + egctl experimental translate --from gateway-api --to xds --file -n # Translate Gateway API Resources into All xDS Resources in JSON output. - egctl experimental translate --from gateway-api --to xds --type all --output json --file + egctl experimental translate --from gateway-api --to xds --type all --output json --file -n # Translate Gateway API Resources into All xDS Resources in YAML output. - egctl experimental translate --from gateway-api --to xds --type all --output yaml --file + egctl experimental translate --from gateway-api --to xds --type all --output yaml --file -n # Translate Gateway API Resources into Bootstrap xDS Resources. - egctl experimental translate --from gateway-api --to xds --type bootstrap --file + egctl experimental translate --from gateway-api --to xds --type bootstrap --file -n # Translate Gateway API Resources into Cluster xDS Resources. - egctl experimental translate --from gateway-api --to xds --type cluster --file + egctl experimental translate --from gateway-api --to xds --type cluster --file -n # Translate Gateway API Resources into Listener xDS Resources. - egctl experimental translate --from gateway-api --to xds --type listener --file + egctl experimental translate --from gateway-api --to xds --type listener --file -n # Translate Gateway API Resources into Route xDS Resources. - egctl experimental translate --from gateway-api --to xds --type route --file + egctl experimental translate --from gateway-api --to xds --type route --file -n # Translate Gateway API Resources into Cluster xDS Resources with short syntax. 
- egctl x translate --from gateway-api --to xds -t cluster -o yaml -f + egctl x translate --from gateway-api --to xds -t cluster -o yaml -f -n # Translate Gateway API Resources into All xDS Resources with dummy resources added. - egctl x translate --from gateway-api --to xds -t cluster --add-missing-resources -f + egctl x translate --from gateway-api --to xds -t cluster --add-missing-resources -f -n # Translate Gateway API Resources into All xDS Resources in YAML output, # also print the Gateway API Resources with updated status in the same output. - egctl experimental translate --from gateway-api --to gateway-api,xds --type all --output yaml --file + egctl experimental translate --from gateway-api --to gateway-api,xds --type all --output yaml --file -n # Translate Gateway API Resources into IR in YAML output, egctl experimental translate --from gateway-api --to ir --output yaml --file `, RunE: func(cmd *cobra.Command, args []string) error { - return translate(cmd.OutOrStdout(), inFile, inType, outTypes, output, resourceType, addMissingResources, dnsDomain) + return translate(cmd.OutOrStdout(), inFile, inType, outTypes, output, resourceType, addMissingResources, namespace, dnsDomain) }, } @@ -117,6 +118,8 @@ func newTranslateCommand() *cobra.Command { translateCommand.PersistentFlags().StringVarP(&resourceType, "type", "t", string(AllEnvoyConfigType), getValidResourceTypesStr()) translateCommand.PersistentFlags().BoolVarP(&addMissingResources, "add-missing-resources", "", false, "Provides dummy resources if missed") translateCommand.PersistentFlags().StringVarP(&dnsDomain, "dns-domain", "", "cluster.local", "DNS domain used by k8s services, default is cluster.local") + translateCommand.PersistentFlags().StringVarP(&namespace, "namespace", "n", "envoy-gateway-system", "Namespace where envoy gateway is installed.") + return translateCommand } 
@@ -220,7 +223,7 @@ func validate(inFile, inType string, outTypes []string, resourceType string) err return nil } -func translate(w io.Writer, inFile, inType string, outTypes []string, output, resourceType string, addMissingResources bool, dnsDomain string) error { +func translate(w io.Writer, inFile, inType string, outTypes []string, output, resourceType string, addMissingResources bool, namespace, dnsDomain string) error { if err := validate(inFile, inType, outTypes, resourceType); err != nil { return err } @@ -247,7 +250,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re } } if outType == xdsType { - res, err := translateGatewayAPIToXds(dnsDomain, resourceType, resources) + res, err := translateGatewayAPIToXds(namespace, dnsDomain, resourceType, resources) if err != nil { return err } @@ -333,7 +336,7 @@ func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayap return gRes.Resources, nil } -func translateGatewayAPIToXds(dnsDomain string, resourceType string, resources *gatewayapi.Resources) (map[string]any, error) { +func translateGatewayAPIToXds(namespace, dnsDomain string, resourceType string, resources *gatewayapi.Resources) (map[string]any, error) { if resources.GatewayClass == nil { return nil, fmt.Errorf("the GatewayClass resource is required") } @@ -363,7 +366,7 @@ func translateGatewayAPIToXds(dnsDomain string, resourceType string, resources * xTranslator := &translator.Translator{ // Set some default settings for translation GlobalRateLimit: &translator.GlobalRateLimitSettings{ - ServiceURL: ratelimit.GetServiceURL("envoy-gateway", dnsDomain), + ServiceURL: ratelimit.GetServiceURL(namespace, dnsDomain), }, } if resources.EnvoyProxyForGatewayClass != nil { From 1178f7dfb948ce55664c5227db5002ff8472136a Mon Sep 17 00:00:00 2001 
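Review bot: The new `--namespace` value reaches `ratelimit.GetServiceURL(namespace, dnsDomain)` in `translateGatewayAPIToXds` without any check, and `validate` is not passed it. An empty or malformed value (`-n ""`, or one containing dots or slashes) would presumably be formatted straight into the rate limit service URL in the generated xDS, which is easy to miss in the output. Consider rejecting it up front in `translate`, for example `if namespace == "" { return fmt.Errorf("namespace must not be empty") }`, or checking it as a DNS-1123 label. The adjacent `namespace, dnsDomain string` parameters are also easy to swap at a call site; both calls in this patch pass them in the right order. The bodies of `translate` and `translateGatewayAPIToXds` continue outside the hunks.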
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:10:18 -0700 Subject: [PATCH 039/523] build(deps): bump google/osv-scanner-action from 1.8.2 to 1.8.3 (#4029) Bumps [google/osv-scanner-action](https://github.com/google/osv-scanner-action) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](https://github.com/google/osv-scanner-action/compare/7ac94f9d40028db4cacf8d53adec6626f5d3d2f7...c615bb556a9a61495d218c7d439e7c8abbbfb151) --- updated-dependencies: - dependency-name: google/osv-scanner-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/license-scan.yml | 2 +- .github/workflows/osv-scanner.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 31014adf8a5..68143314ecc 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@7ac94f9d40028db4cacf8d53adec6626f5d3d2f7 # v1.8.2 + uses: google/osv-scanner-action/osv-scanner-action@c615bb556a9a61495d218c7d439e7c8abbbfb151 # v1.8.3 with: scan-args: |- --skip-git diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 424ff41a189..8e2117a97e1 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
@@ -16,7 +16,7 @@ on: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@7ac94f9d40028db4cacf8d53adec6626f5d3d2f7" # v1.8.2 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c615bb556a9a61495d218c7d439e7c8abbbfb151" # v1.8.3 permissions: actions: read contents: read @@ -32,7 +32,7 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@7ac94f9d40028db4cacf8d53adec6626f5d3d2f7" # v1.8.2 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c615bb556a9a61495d218c7d439e7c8abbbfb151" # v1.8.3 permissions: actions: read contents: read From d6ad7de157c46fc503a07dc31423d2cb5c7fbaf0 Mon Sep 17 00:00:00 2001 From: Dennis Kniep Date: Tue, 13 Aug 2024 20:11:04 +0200 Subject: [PATCH 040/523] feat(translator): JsonPath in PatchPolicy (#3757) JsonPath can be utilized to select elements for JSONPatch in EnvoyPatchPolicy 
Signed-off-by: Dennis Kniep --- api/v1alpha1/envoypatchpolicy_types.go | 7 +- api/v1alpha1/zz_generated.deepcopy.go | 10 + ...eway.envoyproxy.io_envoypatchpolicies.yaml | 6 +- go.mod | 1 + go.sum | 2 + internal/gatewayapi/envoypatchpolicy.go | 1 + internal/ir/xds.go | 19 +- internal/ir/zz_generated.deepcopy.go | 10 + internal/xds/translator/jsonpatch.go | 233 ++++++----- internal/xds/translator/jsonpathtopointer.go | 120 ++++++ .../xds/translator/jsonpathtopointer_test.go | 395 ++++++++++++++++++ .../jsonpatch-add-op-empty-jsonpath.yaml | 63 +++ .../in/xds-ir/jsonpatch-with-jsonpath.yaml | 172 ++++++++ ...npatch-add-op-empty-jsonpath.clusters.yaml | 17 + ...patch-add-op-empty-jsonpath.endpoints.yaml | 24 ++ ...-op-empty-jsonpath.envoypatchpolicies.yaml | 16 + ...patch-add-op-empty-jsonpath.listeners.yaml | 52 +++ ...sonpatch-add-op-empty-jsonpath.routes.yaml | 18 + ...onpatch-add-op-empty-jsonpath.secrets.yaml | 12 + .../jsonpatch-with-jsonpath.clusters.yaml | 47 +++ .../jsonpatch-with-jsonpath.endpoints.yaml | 32 ++ ...atch-with-jsonpath.envoypatchpolicies.yaml | 16 + .../jsonpatch-with-jsonpath.listeners.yaml | 64 +++ .../jsonpatch-with-jsonpath.routes.yaml | 36 ++ .../jsonpatch-with-jsonpath.secrets.yaml | 16 + internal/xds/translator/translator_test.go | 6 + site/content/en/latest/api/extension_types.md | 3 +- site/content/zh/latest/api/extension_types.md | 3 +- 28 files changed, 1292 insertions(+), 109 deletions(-) create mode 100644 internal/xds/translator/jsonpathtopointer.go create mode 100644 internal/xds/translator/jsonpathtopointer_test.go create mode 100644 internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml create mode 
100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.envoypatchpolicies.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.envoypatchpolicies.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.secrets.yaml diff --git a/api/v1alpha1/envoypatchpolicy_types.go b/api/v1alpha1/envoypatchpolicy_types.go index 22effb69756..b23002e678f 100644 --- a/api/v1alpha1/envoypatchpolicy_types.go +++ b/api/v1alpha1/envoypatchpolicy_types.go 
@@ -111,7 +111,12 @@ type JSONPatchOperation struct { Op JSONPatchOperationType `json:"op"` // Path is the location of the target document/field where the operation will be performed // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. - Path string `json:"path"` + // +optional + Path *string `json:"path,omitempty"` + // JSONPath specifies the locations of the target document/field where the operation will be performed + // Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + // +optional + JSONPath *string `json:"jsonPath,omitempty"` // From is the source location of the value to be copied or moved. Only valid // for move or copy operations // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index ad72365802a..79c8e98a525 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2809,6 +2809,16 @@ func (in *ImageWasmCodeSource) DeepCopy() *ImageWasmCodeSource { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JSONPatchOperation) DeepCopyInto(out *JSONPatchOperation) { *out = *in + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.JSONPath != nil { + in, out := &in.JSONPath, &out.JSONPath + *out = new(string) + **out = **in + } if in.From != nil { in, out := &in.From, &out.From *out = new(string) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml index e385b0d4bb0..f57a644066f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml 
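Review bot: With `Path` now `*string` and optional, nothing in `JSONPatchOperation` requires that at least one of `path` and `jsonPath` is set, and the CRD hunk drops `path` from `required`. In internal/xds/translator/jsonpatch.go the new `else` branch runs `jsonPointers = []string{*p.Operation.Path}` whenever `JSONPath` is nil, so an operation such as `remove` with neither field would dereference a nil pointer in the translator unless something outside the visible hunks rejects it first. I would add a CEL rule on the type, `// +kubebuilder:validation:XValidation:rule="has(self.path) || has(self.jsonPath)",message="either path or jsonPath must be set"` (check it against the existing empty-path `add` fixtures), and guard the branch with `if p.Operation.Path == nil { tErrs = errors.Join(tErrs, fmt.Errorf("patch needs a path or a jsonPath")); continue }`.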
@@ -71,6 +71,11 @@ spec: for move or copy operations Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. type: string + jsonPath: + description: |- + JSONPath specifies the locations of the target document/field where the operation will be performed + Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + type: string op: description: Op is the type of operation to perform enum: @@ -93,7 +98,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - op - - path type: object type: description: Type is the typed URL of the Envoy xDS Resource diff --git a/go.mod b/go.mod index e23ce14fff6..6fbae3f4dbe 100644 --- a/go.mod +++ b/go.mod @@ -27,6 +27,7 @@ require ( github.com/grafana/tempo v1.5.0 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.61 + github.com/ohler55/ojg v1.22.1 github.com/prometheus/client_golang v1.19.1 github.com/prometheus/common v0.55.0 github.com/spf13/cobra v1.8.1 diff --git a/go.sum b/go.sum index cdfd32616df..1b08c27c204 100644 --- a/go.sum +++ b/go.sum @@ -899,6 +899,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/ohler55/ojg v1.22.1 h1:MvUieaWTwksoYk47GYyP9kzXIAkxHYX6rxeLjUEeq/8= +github.com/ohler55/ojg v1.22.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go index 9ea9102ac76..5d2480f5d23 100644 --- a/internal/gatewayapi/envoypatchpolicy.go +++ b/internal/gatewayapi/envoypatchpolicy.go @@ -114,6 +114,7 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo irPatch.Name = patch.Name irPatch.Operation.Op = string(patch.Operation.Op) irPatch.Operation.Path = patch.Operation.Path + irPatch.Operation.JSONPath = patch.Operation.JSONPath irPatch.Operation.From = patch.Operation.From irPatch.Operation.Value = patch.Operation.Value diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 41dd93b3bff..56c1bef0958 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -25,6 +25,10 @@ import ( egv1a1validation "github.com/envoyproxy/gateway/api/v1alpha1/validation" ) +const ( + EmptyPath = "" +) + var ( ErrListenerNameEmpty = errors.New("field Name must be specified") ErrListenerAddressInvalid = errors.New("field Address must be a valid IP address") @@ -1751,7 +1755,12 @@ type JSONPatchOperation struct { Op string `json:"op" yaml:"op"` // Path is the location of the target document/field where the operation will be performed // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. - Path string `json:"path" yaml:"path"` + // +optional + Path *string `json:"path,omitempty" yaml:"path,omitempty"` + // JSONPath specifies the locations of the target document/field where the operation will be performed + // Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + // +optional + JSONPath *string `json:"jsonPath,omitempty" yaml:"jsonPath,omitempty"` // From is the source location of the value to be copied or moved. Only valid // for move or copy operations // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. 
@@ -1761,6 +1770,14 @@ type JSONPatchOperation struct { Value *apiextensionsv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` } +func (o *JSONPatchOperation) IsPathNilOrEmpty() bool { + return o.Path == nil || *o.Path == EmptyPath +} + +func (o *JSONPatchOperation) IsJSONPathNilOrEmpty() bool { + return o.JSONPath == nil || *o.JSONPath == EmptyPath +} + // Tracing defines the configuration for tracing a Envoy xDS Resource // +k8s:deepcopy-gen=true type Tracing struct { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index f0d5e29658f..5f8f879e6a0 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1653,6 +1653,16 @@ func (in *JSONPatchConfig) DeepCopy() *JSONPatchConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JSONPatchOperation) DeepCopyInto(out *JSONPatchOperation) { *out = *in + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(string) + **out = **in + } + if in.JSONPath != nil { + in, out := &in.JSONPath, &out.JSONPath + *out = new(string) + **out = **in + } if in.From != nil { in, out := &in.From, &out.From *out = new(string) diff --git a/internal/xds/translator/jsonpatch.go b/internal/xds/translator/jsonpatch.go index e7808abe0c5..83db9103b06 100644 --- a/internal/xds/translator/jsonpatch.go +++ b/internal/xds/translator/jsonpatch.go 
@@ -84,9 +84,9 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []* } } - // If Path is "" and op is "add", unmarshal and add the patch as a complete + // If Path and JSONPath is "" and op is "add", unmarshal and add the patch as a complete // resource - if p.Operation.Op == AddOperation && p.Operation.Path == EmptyPath { + if p.Operation.Op == AddOperation && p.Operation.IsPathNilOrEmpty() && p.Operation.IsJSONPathNilOrEmpty() { // Convert patch to JSON // The patch library expects an array so convert it into one y, err := yaml.Marshal(p.Operation.Value) 
@@ -240,125 +240,150 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []* } } - // Convert patch to JSON - // The patch library expects an array so convert it into one - y, err := yaml.Marshal([]ir.JSONPatchOperation{p.Operation}) - if err != nil { - tErr := fmt.Errorf("unable to marshal patch %+v, err: %s", p.Operation, err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - jsonBytes, err := yaml.YAMLToJSON(y) - if err != nil { - tErr := fmt.Errorf("unable to convert patch to json %s, err: %s", string(y), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - patchObj, err := jsonpatchv5.DecodePatch(jsonBytes) - if err != nil { - tErr := fmt.Errorf("unable to decode patch %s, err: %s", string(jsonBytes), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - - // Apply patch - opts := jsonpatchv5.NewApplyOptions() - opts.EnsurePathExistsOnAdd = true - modifiedJSON, err := patchObj.ApplyWithOptions(resourceJSON, opts) - if err != nil { - tErr := fmt.Errorf("unable to apply patch:\n%s on resource:\n%s, err: %s", string(jsonBytes), string(resourceJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - - // Unmarshal back to typed resource - // Use a temp staging variable that can be marshalled - // into and validated before saving it into the xds output resource - switch p.Type { - case resourcev3.ListenerType: - temp := &listenerv3.Listener{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue + var jsonPointers []string + if p.Operation.JSONPath != nil { + path := "" + if p.Operation.Path != nil { + path = *p.Operation.Path } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, listener); err 
!= nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.RouteType: - temp := &routev3.RouteConfiguration{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, routeConfig); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.ClusterType: - temp := &clusterv3.Cluster{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, cluster); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + jsonPointers, err = ConvertPathToPointers(resourceJSON, *p.Operation.JSONPath, path) + if err != nil { + tErr := fmt.Errorf("unable to convert jsonPath: '%s' into jsonPointers, err: %s", *p.Operation.JSONPath, err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - case resourcev3.EndpointType: - temp := &endpointv3.ClusterLoadAssignment{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue + } else { + jsonPointers = []string{*p.Operation.Path} + } + + for _, path := range 
jsonPointers { + op := ir.JSONPatchOperation{ + Path: &path, + Op: p.Operation.Op, + Value: p.Operation.Value, + 
From: p.Operation.From, } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + + // Convert patch to JSON + // The patch library expects an array so convert it into one + y, err := yaml.Marshal([]ir.JSONPatchOperation{op}) + if err != nil { + tErr := fmt.Errorf("unable to marshal patch %+v, err: %s", op, err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - if err = deepCopyPtr(temp, endpoint); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + jsonBytes, err := yaml.YAMLToJSON(y) + if err != nil { + tErr := fmt.Errorf("unable to convert patch to json %s, err: %s", string(y), err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - case resourcev3.SecretType: - temp := &tlsv3.Secret{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + patchObj, err := jsonpatchv5.DecodePatch(jsonBytes) + if err != nil { + tErr := fmt.Errorf("unable to decode patch %s, err: %s", string(jsonBytes), err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + + // Apply patch + opts := jsonpatchv5.NewApplyOptions() + opts.EnsurePathExistsOnAdd = true + modifiedJSON, err := patchObj.ApplyWithOptions(resourceJSON, opts) + if err != nil { + tErr := fmt.Errorf("unable to apply patch:\n%s on resource:\n%s, err: %s", string(jsonBytes), string(resourceJSON), err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - if err = deepCopyPtr(temp, secret); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue + + // Unmarshal back to typed resource + // Use a temp staging variable that can be marshalled + // into and 
validated before saving it into the xds output resource + switch p.Type { + case resourcev3.ListenerType: + temp := &listenerv3.Listener{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, listener); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } + case resourcev3.RouteType: + temp := &routev3.RouteConfiguration{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, routeConfig); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } + case resourcev3.ClusterType: + temp := &clusterv3.Cluster{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, cluster); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } 
+ case resourcev3.EndpointType: + temp := &endpointv3.ClusterLoadAssignment{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, endpoint); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } + case resourcev3.SecretType: + temp := &tlsv3.Secret{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, secret); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } } } } diff --git a/internal/xds/translator/jsonpathtopointer.go b/internal/xds/translator/jsonpathtopointer.go new file mode 100644 index 00000000000..89d7fdf1c77 --- /dev/null +++ b/internal/xds/translator/jsonpathtopointer.go 
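Review bot: Inside the new `for _, path := range jsonPointers` loop every iteration calls `patchObj.ApplyWithOptions(resourceJSON, opts)` on the same `resourceJSON` and then overwrites the typed resource via `deepCopyPtr(temp, ...)`. As far as the hunk shows, `resourceJSON` is never updated, so when a JSONPath matches several locations each pass starts again from the unpatched document and only the last match survives in the output. Carrying the result forward with `resourceJSON = modifiedJSON` after a successful apply would fix that, and the unmarshal/validate/copy switch could then run once after the loop. The pointers are computed once against the original document, so for `remove` on array elements they would need to be applied from the highest index down to stay valid. The `continue` statements in the moved block now skip to the next pointer rather than the next patch.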
@@ -0,0 +1,120 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package translator + +import ( + "reflect" + "strings" + + "github.com/ohler55/ojg/jp" + "github.com/ohler55/ojg/oj" + "github.com/pkg/errors" +) + +func ConvertPathToPointers(jsonDoc []byte, jsonPath string, path string) ([]string, error) { + var jsonPointers []string + + jObj, err := oj.Parse(jsonDoc) + if err != nil { + return nil, errors.Wrap(err, "Error during parsing json") + } + + jPath, err := jp.ParseString(jsonPath) + if err != nil { + return nil, errors.Wrap(err, "Error during parsing jpath") + } + + if len(jPath) == 1 { + _, isRoot := jPath[0].(jp.Root) + if isRoot { + return nil, errors.New("Using only Root ('$') in json path expression is not allowed!") + } + } + + locations := jPath.Locate(jObj, 0) + for _, l := range locations { + jsonPointer, err := expToPointer(l) + if err != nil { + return nil, errors.Wrap(err, "Error during converting path to pointer") + } + jsonPointers = append(jsonPointers, concat(jsonPointer, path)) + } + return jsonPointers, nil +} + +func concat(jsonPointer string, path string) string { + if path == "" { + return jsonPointer + } + const separator string = "/" + parts := []string{ + strings.TrimSuffix(jsonPointer, separator), + strings.TrimPrefix(path, separator), + } + return strings.Join(parts, separator) +} + +func expToPointer(e jp.Expr) (string, error) { + var buf []byte + for _, f := range e { + v, err := fragToPointer(f) + if err != nil { + return "", err + } + if v != nil { + buf = append(buf, '/') + } + + buf = append(buf, v...) 
+ } + + return string(buf), nil +} + +func fragToPointer(f jp.Frag) ([]byte, error) { + switch v := f.(type) { + case jp.Root: + return rootToPointer() + case jp.Nth: + return nthToPointer(v) + case jp.Child: + return toPointer(v) + default: + return nil, errors.New("There is no conversion implemented for " + reflect.TypeOf(v).Name()) + } +} + +func rootToPointer() ([]byte, error) { + return nil, nil +} + +func nthToPointer(f jp.Nth) ([]byte, error) { + var buf []byte + i := int(f) + if i < 0 { + buf = append(buf, '-') + i = -i + } + num := [20]byte{} + cnt := 0 + for ; i != 0; cnt++ { + num[cnt] = byte(i%10) + '0' + i /= 10 + } + if 0 < cnt { + cnt-- + for ; 0 <= cnt; cnt-- { + buf = append(buf, num[cnt]) + } + } else { + buf = append(buf, '0') + } + return buf, nil +} + +func toPointer(f jp.Frag) ([]byte, error) { + return f.Append(nil, false, true), nil +} diff --git a/internal/xds/translator/jsonpathtopointer_test.go b/internal/xds/translator/jsonpathtopointer_test.go new file mode 100644 index 00000000000..cefb5925869 --- /dev/null +++ b/internal/xds/translator/jsonpathtopointer_test.go 
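Review bot: `toPointer` builds a JSON Pointer segment from `f.Append(nil, false, true)`, which renders the key in JSONPath syntax and applies none of the RFC 6901 escaping. A key containing `/` or `~` would produce a pointer that addresses a different location (or none), and keys that ojg does not treat as a plain token may presumably come back in bracket form; Envoy configs do have such keys, e.g. filter names with dots under `typed_per_filter_config`. For the `jp.Child` case I would build the segment from the raw key: `return []byte(strings.NewReplacer("~", "~0", "/", "~1").Replace(string(v))), nil`. `nthToPointer` could likewise be `strconv.AppendInt(nil, int64(f), 10)`, and a negative index is not a valid pointer token, so it is better rejected with an error than emitted as `-N`.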
@@ -0,0 +1,395 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package translator + +import ( + "sort" + "strconv" + "testing" + + "github.com/ohler55/ojg/jp" + "github.com/stretchr/testify/require" +) + +const case1Simple string = `{ + "a": "b" + }` + +const case2Nested string = `{ + "a": "b", + "v": [{ + "x": "test1", + "y": "hello" + }, + { + "x": "test2", + "y": "world" + }], + "f":{ + "w": "hi", + "q": "welcome", + "y": "ciao" + }, + "y": "c" + }` + +const case3Route string = `{ + "name": "default/eg/http", + "virtual_hosts": [ + { + "name": "default/eg/http/www_test_com", + "domains": [ + "www.test.com" + ], + "routes": [ + { + "name": "httproute/default/backend/rule/0/match/0/www_test_com", + "match": { + "prefix": "/" + }, + "route": { + "cluster": "httproute/default/backend/rule/0", + "upgrade_configs": [ + { + "upgrade_type": "websocket" + } + ] + } + } + ] + }, + { + "name": "default/eg/http/www_example_com", + "domains": [ + "www.example.com" + ], + "routes": [ + { + "name": "httproute/default/backend/rule/1/match/1/www_example_com", + "match": { + "prefix": "/" + }, + "route": { + "cluster": "httproute/default/backend/rule/1", + "upgrade_configs": [ + { + "upgrade_type": "websocket" + } + ] + } + } + ] + } + ], + "ignore_port_in_host_matching": true +}` + +func Test(t *testing.T) { + tests := []struct { + // Json Document + doc string + + // JSONPath + jsonPath string + + // path + path string + + // List of expected pointers + expected []string + }{ + { + doc: case1Simple, + jsonPath: "$.a", + expected: []string{ + "/a", + }, + }, + { + doc: case2Nested, + jsonPath: "$.v[?(@.x=='test2')]", + expected: []string{ + "/v/1", + }, + }, + { + doc: case2Nested, + jsonPath: "..v[?(@.x=='test1')].y", + expected: []string{ + "/v/0/y", + }, + }, + { + doc: case2Nested, + jsonPath: "$.v[?(@.x=='test2')].y", + expected: []string{ 
+ "/v/1/y", + }, + }, + { + doc: case2Nested, + jsonPath: "$.v[?(@.x=='test1')].y", + expected: []string{ + "/v/0/y", + }, + }, + { + doc: case2Nested, + jsonPath: "$.v[*].y", + expected: []string{ + "/v/0/y", + "/v/1/y", + }, + }, + { + doc: case2Nested, + jsonPath: "$.v[?(@.x=='UNKNOWN')].y", + expected: []string{}, + }, + { + doc: case1Simple, + jsonPath: ".a", + expected: []string{ + "/a", + }, + }, + { + doc: case1Simple, + jsonPath: "a", + expected: []string{ + "/a", + }, + }, + { + doc: case2Nested, + jsonPath: "f.w", + expected: []string{ + "/f/w", + }, + }, + { + doc: case2Nested, + jsonPath: "f.*", + expected: []string{ + "/f/w", + "/f/q", + "/f/y", + }, + }, + { + doc: case2Nested, + jsonPath: "v.*", + expected: []string{ + "/v/0", + "/v/1", + }, + }, + { + doc: case2Nested, + jsonPath: "v.**", + expected: []string{ + "/v/0/x", + "/v/0/y", + "/v/1/x", + "/v/1/y", + }, + }, + { + doc: case2Nested, + jsonPath: "$..y", + expected: []string{ + "/f/y", + "/v/0/y", + "/v/1/y", + "/y", + }, + }, + { + doc: case2Nested, + jsonPath: "..y", + expected: []string{ + "/f/y", + "/v/0/y", + "/v/1/y", + "/y", + }, + }, + { + doc: case2Nested, + jsonPath: "**.y", + expected: []string{ + "/v/0/y", + "/v/1/y", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www_example_com')]", + expected: []string{ + "/virtual_hosts/1/routes/0", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www_test_com')]", + expected: []string{ + "/virtual_hosts/0/routes/0", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')]", + expected: []string{ + "/virtual_hosts/0/routes/0", + "/virtual_hosts/1/routes/0", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')].route.cluster", + expected: []string{ + "/virtual_hosts/0/routes/0/route/cluster", + "/virtual_hosts/1/routes/0/route/cluster", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')]['route']['cluster']", + expected: []string{ + 
"/virtual_hosts/0/routes/0/route/cluster", + "/virtual_hosts/1/routes/0/route/cluster", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name=='httproute/default/backend/rule/1/match/1/www_example_com')].route.upgrade_configs", + expected: []string{ + "/virtual_hosts/1/routes/0/route/upgrade_configs", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')]", + path: "/abc", + expected: []string{ + "/virtual_hosts/0/routes/0/abc", + "/virtual_hosts/1/routes/0/abc", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')]", + path: "abc", + expected: []string{ + "/virtual_hosts/0/routes/0/abc", + "/virtual_hosts/1/routes/0/abc", + }, + }, + { + doc: case3Route, + jsonPath: "..routes[?(@.name =~ 'www')]", + path: "/", + expected: []string{ + "/virtual_hosts/0/routes/0/", + "/virtual_hosts/1/routes/0/", + }, + }, + } + + for i, test := range tests { + + testCasePrefix := "TestCase " + strconv.Itoa(i+1) + pointers, err := ConvertPathToPointers([]byte(test.doc), test.jsonPath, test.path) + if err != nil { + t.Error(testCasePrefix + ": Error during conversion:\n" + err.Error()) + continue + } + + expectedAsString := asString(test.expected) + pointersAsString := asString(pointers) + + require.Equal(t, expectedAsString, pointersAsString) + } +} + +func TestException(t *testing.T) { + tests := []struct { + // Json Document + doc string + + // JSONPath + jsonPath string + + // path + path string + + // expected exception + expected string + }{ + { + doc: case1Simple, + jsonPath: ".$", + expected: "Error during parsing jpath", + }, + { + doc: case1Simple, + jsonPath: "$", + expected: "only Root", + }, + { + doc: "{", + jsonPath: ".$", + expected: "Error during parsing json", + }, + } + + for i, test := range tests { + + testCasePrefix := "TestCase " + strconv.Itoa(i+1) + _, err := ConvertPathToPointers([]byte(test.doc), test.jsonPath, test.path) + if err == nil { + t.Error(testCasePrefix + ": Error expected, but no error found!") 
+ continue + } + + require.ErrorContains(t, err, test.expected) + } +} + +func TestUnexpectedFrag(t *testing.T) { + expr := jp.Expr{} + expr = append(expr, jp.Union{}) + + _, err := expToPointer(expr) + if err == nil { + t.Error("Error expected, but no error found!") + } + + require.ErrorContains(t, err, "There is no conversion implemented for Union") +} + +func TestNegativeNth(t *testing.T) { + result, err := nthToPointer(jp.Nth(-1)) + if err != nil { + t.Error(err) + } + test := string(result) + if test != "-1" { + t.Error("expected -1, but was " + test + "!") + } +} + +func asString(values []string) string { + var buf []byte + + sort.Strings(values) + for _, v := range values { + buf = append(buf, []byte(v)...) + buf = append(buf, []byte("\n")...) + } + + return string(buf) +} diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml new file mode 100644 index 00000000000..9c248772920 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml 
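Review bot: `asString` sorts both the expected and the returned slice (and `sort.Strings(values)` reorders `test.expected` in place), so `Test` never checks the order in which `ConvertPathToPointers` returns pointers. If the order is meant to be unspecified, `require.ElementsMatch(t, test.expected, pointers)` says so directly and makes `asString` unnecessary. If callers apply one operation per pointer in sequence, which would matter for array indices, the order should be asserted with `require.Equal` on the slices, with the empty-result case adjusted for nil versus empty. Wrapping each case in `t.Run(test.jsonPath, ...)` would also replace the hand-built `TestCase N` prefix and keep one failing case from hiding the rest.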
@@ -0,0 +1,63 @@
+envoyPatchPolicies:
+- status:
+ ancestors:
+ - ancestorRef:
+ group: "gateway.networking.k8s.io"
+ kind: "Gateway"
+ namespace: "default"
+ name: "foobar"
+ name: "first-policy"
+ namespace: "default"
+ jsonPatches:
+ - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment"
+ name: second-listener
+ operation:
+ op: add
+ value:
+ clusterName: second-route-dest
+ endpoints:
+ - lbEndpoints:
+ - endpoint:
+ address:
+ socketAddress:
+ address: 4.5.6.7
+ portValue: 50000
+ loadBalancingWeight: 1
+ loadBalancingWeight: 1
+ locality:
+ region: second-route-dest/backend/0
+http:
+- name: "first-listener"
+ address: "0.0.0.0"
+ port: 10080
+ hostnames:
+ - "*"
+ path:
+ mergeSlashes: true
+ escapedSlashesAction: UnescapeAndRedirect
+ tls:
+ alpnProtocols:
+ - h2
+ - http/1.1
+ certificates:
+ - name: secret-1
+ # byte slice representation of "key-data"
+ serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97]
+ # byte slice representation of "key-data"
+ privateKey: [107, 101, 121, 45, 100, 97, 116, 97]
+ - name: secret-2
+ serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97]
+ privateKey: [107, 101, 121, 45, 100, 97, 116, 97]
+ routes:
+ - name: "first-route"
+ hostname: "*"
+ headerMatches:
+ - name: user
+ stringMatch:
+ exact: "jason"
+ destination:
+ name: "first-route-dest"
+ settings:
+ - endpoints:
+ - host: "1.2.3.4"
+ port: 50000
diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml
new file mode 100644
index 00000000000..a02cad99d67
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml
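Review bot: The comment above `serverCertificate` under `secret-1` says the bytes represent "key-data", but `[99, 101, 114, 116, 45, 100, 97, 116, 97]` decodes to "cert-data"; only the `privateKey` bytes are "key-data". I would change that first comment to `# byte slice representation of "cert-data"` so the fixture does not suggest that certificate and key material are interchangeable. The same comment appears in the jsonpatch-with-jsonpath.yaml fixture that follows.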
@@ -0,0 +1,172 @@ +envoyPatchPolicies: +- status: + ancestors: + - ancestorRef: + group: "gateway.networking.k8s.io" + kind: "Gateway" + namespace: "default" + name: "foobar" + name: "first-policy" + namespace: "default" + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + name: first-listener + operation: + op: "add" + jsonPath: "$.filter_chains[0].filters[0].typed_config" + path: "/preserve_external_request_id" + value: true + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + name: "first-listener" + operation: + op: "add" + jsonPath: "filter_chains[0].filters[0].typed_config.http_filters[0]" + value: + name: "envoy.filters.http.ratelimit" + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit" + domain: "eg-ratelimit" + failure_mode_deny: true + timeout: 1s + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate-limit-cluster + transport_api_version: V3 + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + name: "first-listener" + operation: + op: "add" + jsonPath: "virtual_hosts[0]" + path: "rate_limits" + value: + - actions: + - remote_address: {} + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + name: "first-listener" + operation: + op: "replace" + jsonPath: "..routes[?(@.name=='second-route')].route.upgrade_configs" + value: + - upgrade_type: CONNECT + connect_config: + {} + - type: "type.googleapis.com/envoy.config.cluster.v3.Cluster" + name: rate-limit-cluster + operation: + op: add + path: "" + value: + name: rate-limit-cluster + type: STRICT_DNS + connect_timeout: 10s + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + load_assignment: + cluster_name: rate-limit-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit.svc.cluster.local + port_value: 8081 + - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" + name: 
"first-route-dest" + operation: + op: "replace" + jsonPath: "..endpoints[*].load_balancing_weight" + value: "50" + - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" + name: "secret-1" + operation: + op: "replace" + jsonPath: "$.tls_certificate.certificate_chain.inline_bytes" + value: "a2V5LWRhdGE=" + - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" + name: "test-secret" + operation: + op: "add" + path: "" + value: + name: test_secret + tls_certificate: + certificate_chain: + inline_bytes: Y2VydC1kYXRh + - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" + name: "first-route-dest" + operation: + op: add + jsonPath: "endpoints" + path: "/1" + value: + lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" + name: "first-route-dest" + operation: + op: "move" + from: "/endpoints/0/load_balancing_weight" + path: "/endpoints/1/load_balancing_weight" + - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" + name: "first-route-dest" + operation: + op: copy + from: "/endpoints/1/load_balancing_weight" + path: "/endpoints/0/load_balancing_weight" +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + tls: + alpnProtocols: + - h2 + - http/1.1 + certificates: + - name: secret-1 + # byte slice representation of "key-data" + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] + # byte slice representation of "key-data" + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + - name: secret-2 + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + routes: + - name: "first-route" + hostname: "*" + headerMatches: + - name: user + stringMatch: + exact: "jason" + 
destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "second-route" + hostname: "*" + headerMatches: + - name: user + stringMatch: + exact: "james" + - name: country + stringMatch: + exact: "US" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "4.5.6.7" + port: 60000 + diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml new file mode 100644 index 00000000000..d53a7a1b2ce --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml new file mode 100644 index 00000000000..9a6f5a46c91 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.endpoints.yaml @@ -0,0 +1,24 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 +- clusterName: second-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 4.5.6.7 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: second-route-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.envoypatchpolicies.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.envoypatchpolicies.yaml new file mode 100644 index 00000000000..9508dd3e7b3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.envoypatchpolicies.yaml @@ -0,0 +1,16 @@ +- name: first-policy + namespace: default + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: foobar + namespace: default + conditions: + - lastTransitionTime: null + message: Patches have been successfully applied. + reason: Programmed + status: "True" + type: Programmed + controllerName: "" diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml new file mode 100644 index 00000000000..51c022c26f3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.listeners.yaml 
@@ -0,0 +1,52 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + drainType: MODIFY_ONLY + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: https-10080 + useRemoteAddress: true + name: first-listener + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: secret-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + - name: secret-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.routes.yaml new file mode 100644 index 00000000000..4a412b3576a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.routes.yaml 
@@ -0,0 +1,18 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + headers: + - name: user + stringMatch: + exact: jason + prefix: / + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.secrets.yaml new file mode 100644 index 00000000000..ad88ffe43cd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.secrets.yaml @@ -0,0 +1,12 @@ +- name: secret-1 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: secret-2 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml new file mode 100644 index 00000000000..b3842b6e52e --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml 
@@ -0,0 +1,47 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: second-route-dest + lbPolicy: LEAST_REQUEST + name: second-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- connectTimeout: 10s + http2ProtocolOptions: {} + loadAssignment: + clusterName: rate-limit-cluster + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: ratelimit.svc.cluster.local + portValue: 8081 + name: rate-limit-cluster + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.endpoints.yaml new file mode 100644 index 00000000000..131cd47c730 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.endpoints.yaml 
@@ -0,0 +1,32 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 50 + locality: + region: first-route-dest/backend/0 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 50 +- clusterName: second-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 4.5.6.7 + portValue: 60000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: second-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.envoypatchpolicies.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.envoypatchpolicies.yaml new file mode 100644 index 00000000000..9508dd3e7b3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.envoypatchpolicies.yaml @@ -0,0 +1,16 @@ +- name: first-policy + namespace: default + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: foobar + namespace: default + conditions: + - lastTransitionTime: null + message: Patches have been successfully applied. + reason: Programmed + status: "True" + type: Programmed + controllerName: "" diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml new file mode 100644 index 00000000000..08b5d410df5 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml 
@@ -0,0 +1,64 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + drainType: MODIFY_ONLY + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: eg-ratelimit + failureModeDeny: true + rateLimitService: + grpcService: + envoyGrpc: + clusterName: rate-limit-cluster + transportApiVersion: V3 + timeout: 1s + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + preserveExternalRequestId: true + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: https-10080 + useRemoteAddress: true + name: first-listener + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext + commonTlsContext: + alpnProtocols: + - h2 + - http/1.1 + tlsCertificateSdsSecretConfigs: + - name: secret-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + - name: secret-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + name: first-listener + perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.routes.yaml new file mode 100644 index 00000000000..a7273c7a1b8 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.routes.yaml @@ -0,0 +1,36 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + rateLimits: + - actions: + - remoteAddress: {} + routes: + - match: + headers: + - name: user + stringMatch: + exact: jason + prefix: / + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket + - match: + headers: + - name: user + stringMatch: + exact: james + - name: country + stringMatch: + exact: US + prefix: / + name: second-route + route: + cluster: second-route-dest + upgradeConfigs: + - connectConfig: {} + upgradeType: CONNECT diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.secrets.yaml new file mode 100644 index 00000000000..d1c4b32fd5f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.secrets.yaml @@ -0,0 +1,16 @@ +- name: secret-1 + tlsCertificate: + certificateChain: + inlineBytes: a2V5LWRhdGE= + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: secret-2 + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh + privateKey: + inlineBytes: a2V5LWRhdGE= +- name: test_secret + tlsCertificate: + certificateChain: + inlineBytes: Y2VydC1kYXRh diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index f5918b4bc8c..ec5e01c473c 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go 
@@ -55,6 +55,12 @@ func TestTranslateXds(t *testing.T) { "jsonpatch": { requireEnvoyPatchPolicies: true, }, + "jsonpatch-with-jsonpath": { + requireEnvoyPatchPolicies: true, + }, + "jsonpatch-add-op-empty-jsonpath": { + requireEnvoyPatchPolicies: true, + }, "jsonpatch-missing-resource": { requireEnvoyPatchPolicies: true, }, diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2d2b75a3da3..99caabc363e 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2070,7 +2070,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `path` | _string_ | false | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `jsonPath` | _string_ | false | JSONPath specifies the locations of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2d2b75a3da3..99caabc363e 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2070,7 +2070,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `path` | _string_ | false | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `jsonPath` | _string_ | false | JSONPath specifies the locations of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | From 22dde3f8ed0754bc38803843da984b3b0471dc1c Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 13 Aug 2024 17:40:31 -0500 Subject: [PATCH 041/523] fix: backend tls docs (#4039) * fix btls docs Signed-off-by: Guy Daich * rm redundant char Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- .../en/docs/tasks/security/backend-tls.md | 25 ++++++++++++++++--- .../en/latest/tasks/security/backend-tls.md | 25 ++++++++++++++++--- .../en/v1.0/tasks/security/backend-tls.md | 25 ++++++++++++++++--- .../en/v1.1/tasks/security/backend-tls.md | 25 ++++++++++++++++--- 4 files changed, 88 insertions(+), 12 deletions(-) diff --git a/site/content/en/docs/tasks/security/backend-tls.md b/site/content/en/docs/tasks/security/backend-tls.md index 53e9ccbd44a..3aadbc34714 100644 --- a/site/content/en/docs/tasks/security/backend-tls.md +++ b/site/content/en/docs/tasks/security/backend-tls.md 
@@ -25,11 +25,30 @@ Create a root certificate and private key to sign certificates: openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt ``` -Create a certificate and a private key for `www.example.com`: +Create a certificate and a private key for `www.example.com`. + +First, create an openssl configuration file: + +```shell +cat > openssl.conf < openssl.conf < openssl.conf < openssl.conf < Date: Wed, 14 Aug 2024 08:53:47 +0800 Subject: [PATCH 042/523] build(deps): bump github.com/bufbuild/buf from 1.35.1 to 1.36.0 in /tools/src/buf (#4028) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.35.1 to 1.36.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.35.1...v1.36.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/src/buf/go.mod | 2 +- tools/src/buf/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index de4034e91b6..ec8edf567c4 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,7 +2,7 @@ module local go 1.22.5 -require github.com/bufbuild/buf v1.35.1 +require github.com/bufbuild/buf v1.36.0 require ( buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240508200655-46a4cf4ba109.2 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index c6d949c31f1..3bdf925f2ee 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -14,8 +14,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.35.1 h1:aiCi/YFOg7eXKZeveWb2ZhnmLFwUMM/FnDCM0roFp+M= -github.com/bufbuild/buf v1.35.1/go.mod h1:SM7b5QW3FkQPNkkqIa/9UWzLOoe51la+GGZpEgH9b68= +github.com/bufbuild/buf v1.36.0 h1:sC/MRgAhwvcbLbUXlTY+zgLUT4PzHm19BnnEsgu/rgU= +github.com/bufbuild/buf v1.36.0/go.mod h1:SM7b5QW3FkQPNkkqIa/9UWzLOoe51la+GGZpEgH9b68= github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= github.com/bufbuild/protocompile v0.14.0/go.mod h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= From ef91a6c7595a652ce9581dd4278e727febd19b01 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Wed, 14 Aug 2024 11:34:17 +0900 Subject: [PATCH 043/523] fix: not generate selector of deployment/daemonset based on the custom label configuration of EnvoyProxy (#3995) * fix: not generate selector of deployment/daemonset based on the custom label configuration of EnvoyProxy Signed-off-by: Kensei Nakada * chore: fix the import orders Signed-off-by: Kensei Nakada * fix: fix the testdata Signed-off-by: Kensei Nakada --------- 
Signed-off-by: Kensei Nakada Co-authored-by: zirain --- .../kubernetes/infra_resource.go | 91 ++++++ .../kubernetes/proxy/resource_provider.go | 36 +-- .../proxy/testdata/daemonsets/custom.yaml | 1 - .../override-labels-and-annotations.yaml | 2 - .../proxy/testdata/deployments/custom.yaml | 1 - .../custom_with_initcontainers.yaml | 1 - .../override-labels-and-annotations.yaml | 2 - .../kubernetes/proxy_daemonset_test.go | 267 ++++++++++++++++++ .../kubernetes/proxy_deployment_test.go | 124 ++++++++ 9 files changed, 502 insertions(+), 23 deletions(-) create mode 100644 internal/infrastructure/kubernetes/proxy_daemonset_test.go diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index fc471f8af33..bf32ecfd127 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go @@ -7,13 +7,18 @@ package kubernetes import ( "context" + "fmt" "time" appsv1 "k8s.io/api/apps/v1" autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" policyv1 "k8s.io/api/policy/v1" + "k8s.io/apimachinery/pkg/api/equality" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/types" "github.com/envoyproxy/gateway/internal/metrics" ) 
@@ -116,6 +121,45 @@ func (i *Infra) createOrUpdateDeployment(ctx context.Context, r ResourceRender) } }() + old := &appsv1.Deployment{} + err = i.Client.Get(ctx, types.NamespacedName{Name: deployment.Name, Namespace: deployment.Namespace}, old) + if err != nil { + if apierrors.IsNotFound(err) { + // It's the deployment creation. + return i.Client.ServerSideApply(ctx, deployment) + } + return err + } + + if !equality.Semantic.DeepEqual(old.Spec.Selector, deployment.Spec.Selector) { + // Note: Deployment created by the old gateway controller may have a different selector generated based on a custom label feature, + // and it caused the issue that the gateway controller cannot update the deployment when users change the custom labels. + // Therefore, we changed the gateway to always use the same selector, independent of the custom labels - + // https://github.com/envoyproxy/gateway/issues/1818 + // + // But, the change could break an existing deployment with custom labels initiated by the old gateway controller + // because the selector would be different. + // + // Here, as a workaround, we always copy the selector from the old deployment to the new deployment + // so that the update can be always applied successfully. + deployment.Spec.Selector = old.Spec.Selector + + match, err := isSelectorMatch(deployment.Spec.Selector, deployment.Spec.Template.Labels) + if err != nil { + return err + } + if !match { + // If the selector now doesn't match with labels of the pod template, return an error. + // It could happen, for example, when users changed the custom label from {"foo": "bar"} to {"foo": "barv2"} + // because the pod's labels have {"foo": "barv2"} while the selector keeps {"foo": "bar"}. + // We cannot help this case, and just error it out. + // In this case, users should recreate the envoy proxy with the new custom label, instead of upgrading it. 
+ // Once they recreate the envoy proxy, the envoy gateway of this version doesn't generate the selector based on the custom label, + // and the issue won't happen again, even if they have to the custom label again. + return fmt.Errorf("an illegal change in a custom label of EnvoyProxy is detected when updating %s/%s. The custom label config of deployment in EnvoyProxy, which is initiated with the envoy gateway of v1.1 or earlier, is immutable. Please recreate an envoy proxy with a new custom label if you need to change the custom label. This issue won't happen with the envoy proxy resource initialized by the envoygateway v1.2 or later", deployment.Namespace, deployment.Name) + } + } + return i.Client.ServerSideApply(ctx, deployment) } 
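Review bot: The selector-mismatch error in createOrUpdateDeployment is returned on every reconcile until the EnvoyProxy is recreated, so a proxy created by v1.1 or earlier whose custom label value was edited stops receiving any update, image changes included. The hunk does not show where this error is surfaced, so it is worth confirming that it reaches a status condition or an event and not only the controller log. The same block is repeated almost verbatim in the createOrUpdateDaemonSet hunk that follows, and the two long error strings differ only in the resource kind; a shared helper that takes the kind would keep them from drifting apart. The closing comment reads `even if they have to the custom label again`, which probably should be `even if they change the custom label again`. Both function bodies begin outside their hunks.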
@@ -153,9 +197,56 @@ func (i *Infra) createOrUpdateDaemonSet(ctx context.Context, r ResourceRender) ( } }() + old := &appsv1.DaemonSet{} + err = i.Client.Get(ctx, types.NamespacedName{Name: daemonSet.Name, Namespace: daemonSet.Namespace}, old) + if err != nil { + if apierrors.IsNotFound(err) { + // It's the daemonset creation. + return i.Client.ServerSideApply(ctx, daemonSet) + } + return err + } + + if !equality.Semantic.DeepEqual(old.Spec.Selector, daemonSet.Spec.Selector) { + // Note: Daemonset created by the old gateway controller may have a different selector generated based on a custom label feature, + // and it caused the issue that the gateway controller cannot update the daemonset when users change the custom labels. + // Therefore, we changed the gateway to always use the same selector, independent of the custom labels - + // https://github.com/envoyproxy/gateway/issues/1818 + // + // But, the change could break an existing daemonset with custom labels initiated by the old gateway controller + // because the selector would be different. + // + // Here, as a workaround, we always copy the selector from the old daemonset to the new daemonset + // so that the update can be always applied successfully. + daemonSet.Spec.Selector = old.Spec.Selector + match, err := isSelectorMatch(daemonSet.Spec.Selector, daemonSet.Spec.Template.Labels) + if err != nil { + return err + } + if !match { + // If the selector now doesn't match with labels of the pod template, return an error. + // It could happen, for example, when users changed the custom label from {"foo": "bar"} to {"foo": "barv2"} + // because the pod's labels have {"foo": "barv2"} while the selector keeps {"foo": "bar"}. + // We cannot help this case, and just error it out. + // In this case, users should recreate the envoy proxy with the new custom label, instead of upgrading it. 
+ // Once they recreate the envoy proxy, the envoy gateway of this version doesn't generate the selector based on the custom label, + // and the issue won't happen again, even if they have to the custom label again. + return fmt.Errorf("an illegal change in a custom label of EnvoyProxy is detected when updating %s/%s. The custom label config of daemonset in EnvoyProxy, which is initiated with the envoy gateway of v1.1 or earlier, is immutable. Please recreate an envoy proxy with a new custom label if you need to change the custom label. This issue won't happen with the envoy proxy resource initialized by the envoygateway v1.2 or later", daemonSet.Namespace, daemonSet.Name) + } + } + return i.Client.ServerSideApply(ctx, daemonSet) } +func isSelectorMatch(labelselector *metav1.LabelSelector, l map[string]string) (bool, error) { + selector, err := metav1.LabelSelectorAsSelector(labelselector) + if err != nil { + return false, fmt.Errorf("invalid label selector is generated: %w", err) + } + + return selector.Matches(labels.Set(l)), nil +} + func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r ResourceRender) (err error) { var ( pdb *policyv1.PodDisruptionBudget diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index e48122b62ea..dd5907b7d9b 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go 
@@ -192,6 +192,19 @@ func (r *ResourceRender) ConfigMap() (*corev1.ConfigMap, error) { }, nil } +// stableSelector returns a stable selector based on the owning gateway labels. +// "stable" here means the selector doesn't change when the infra is updated. +func (r *ResourceRender) stableSelector() *metav1.LabelSelector { + labels := map[string]string{} + for k, v := range r.infra.GetProxyMetadata().Labels { + if k == gatewayapi.OwningGatewayNameLabel || k == gatewayapi.OwningGatewayNamespaceLabel || k == gatewayapi.OwningGatewayClassLabel { + labels[k] = v + } + } + + return resource.GetSelector(envoyLabels(labels)) +} + // Deployment returns the expected Deployment based on the provided infra. func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { proxyConfig := r.infra.GetProxyConfig() @@ -222,8 +235,6 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { if err != nil { return nil, err } - podLabels := r.getPodLabels(deploymentConfig.Pod) - selector := resource.GetSelector(podLabels) deployment := &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ @@ -238,10 +249,11 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { Spec: appsv1.DeploymentSpec{ Replicas: deploymentConfig.Replicas, Strategy: *deploymentConfig.Strategy, - Selector: selector, + // Deployment's selector is immutable. + Selector: r.stableSelector(), Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Labels: selector.MatchLabels, + Labels: r.getPodLabels(deploymentConfig.Pod), Annotations: podAnnotations, }, Spec: corev1.PodSpec{ @@ -317,8 +329,6 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { if err != nil { return nil, err } - podLabels := r.getPodLabels(daemonSetConfig.Pod) - selector := resource.GetSelector(podLabels) daemonSet := &appsv1.DaemonSet{ TypeMeta: metav1.TypeMeta{ 
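Review bot: `stableSelector` cannot report a problem: if none of the three owning-gateway keys is present in `r.infra.GetProxyMetadata().Labels`, the loop leaves `labels` empty and the selector is whatever `envoyLabels` produces for an empty map, which would presumably select every Envoy proxy pod in the namespace instead of one gateway's pods. This matters most in the PodDisruptionBudget hunk (`@@ -385,9 +391,7 @@`), where the removed `r.getLabels()` call could return an error and the new `Selector: r.stableSelector()` cannot; what getLabels validated is not visible here. I would either return an error when no owning-gateway label was copied, or state the precondition in the doc comment, for example `// Callers must have validated that the owning gateway labels are set.`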
@@ -331,11 +341,12 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { Annotations: dsAnnotations, }, Spec: appsv1.DaemonSetSpec{ - Selector: selector, + // Daemonset's selector is immutable. + Selector: r.stableSelector(), UpdateStrategy: *daemonSetConfig.Strategy, Template: corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Labels: selector.MatchLabels, + Labels: r.getPodLabels(daemonSetConfig.Pod), Annotations: podAnnotations, }, Spec: r.getPodSpec(containers, nil, daemonSetConfig.Pod, proxyConfig), @@ -369,11 +380,6 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e return nil, nil } - labels, err := r.getLabels() - if err != nil { - return nil, err - } - return &policyv1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ Name: r.Name(), @@ -385,9 +391,7 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e }, Spec: policyv1.PodDisruptionBudgetSpec{ MinAvailable: &intstr.IntOrString{IntVal: ptr.Deref(podDisruptionBudget.MinAvailable, 0)}, - Selector: &metav1.LabelSelector{ - MatchLabels: labels, - }, + Selector: r.stableSelector(), }, }, nil } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 99232820298..72c5d026b9b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -16,7 +16,6 @@ spec: app.kubernetes.io/component: proxy app.kubernetes.io/managed-by: envoy-gateway app.kubernetes.io/name: envoy - foo.bar: custom-label gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default template: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 5391a49388b..2088c4cb3ce 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -23,8 +23,6 @@ spec: app.kubernetes.io/name: envoy gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - label1: value1-override - label2: value2 template: metadata: annotations: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 8af199519a4..7628caffe1d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -19,7 +19,6 @@ spec: app.kubernetes.io/component: proxy app.kubernetes.io/managed-by: envoy-gateway app.kubernetes.io/name: envoy - foo.bar: custom-label gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default strategy: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 902de504983..f017b2d26ed 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml 
@@ -19,7 +19,6 @@ spec: app.kubernetes.io/component: proxy app.kubernetes.io/managed-by: envoy-gateway app.kubernetes.io/name: envoy - foo.bar: custom-label gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default strategy: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index f3fca2808d7..0fb0d414016 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -25,8 +25,6 @@ spec: app.kubernetes.io/name: envoy gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default - label1: value1-override - label2: value2 strategy: type: RollingUpdate template: diff --git a/internal/infrastructure/kubernetes/proxy_daemonset_test.go b/internal/infrastructure/kubernetes/proxy_daemonset_test.go new file mode 100644 index 00000000000..4901caec8cc --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy_daemonset_test.go 
@@ -0,0 +1,267 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" + fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" + resource2 "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource" + "github.com/envoyproxy/gateway/internal/ir" +) + +func daemonsetWithImage(ds *appsv1.DaemonSet, image string) *appsv1.DaemonSet { + dCopy := ds.DeepCopy() + for i, c := range dCopy.Spec.Template.Spec.Containers { + if c.Name == envoyContainerName { + dCopy.Spec.Template.Spec.Containers[i].Image = image + } + } + return dCopy +} + +func daemonsetWithSelectorAndLabel(ds *appsv1.DaemonSet, selector *metav1.LabelSelector, additionalLabel map[string]string) *appsv1.DaemonSet { + dCopy := ds.DeepCopy() + if selector != nil { + dCopy.Spec.Selector = selector + } + for k, v := range additionalLabel { + dCopy.Spec.Template.Labels[k] = v + } + return dCopy +} + +func TestCreateOrUpdateProxyDaemonSet(t *testing.T) { + cfg, err := config.New() + require.NoError(t, err) + + infra := ir.NewInfra() + infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" + infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name + infra.Proxy.Config = &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: 
egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + // Use daemonset, instead of deployment. + EnvoyDaemonSet: egv1a1.DefaultKubernetesDaemonSet(egv1a1.DefaultEnvoyProxyImage), + EnvoyService: egv1a1.DefaultKubernetesService(), + }, + }, + }, + } + + r := proxy.NewResourceRender(cfg.Namespace, infra.GetProxyInfra(), cfg.EnvoyGateway) + ds, err := r.DaemonSet() + require.NoError(t, err) + + testCases := []struct { + name string + in *ir.Infra + current *appsv1.DaemonSet + want *appsv1.DaemonSet + wantErr bool + }{ + { + name: "create daemonset", + in: infra, + want: ds, + }, + { + name: "daemonset exists", + in: infra, + current: ds, + want: ds, + }, + { + name: "update daemonset image", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDaemonSet: &egv1a1.KubernetesDaemonSetSpec{ + Container: &egv1a1.KubernetesContainerSpec{ + Image: ptr.To("envoyproxy/envoy-dev:v1.2.3"), + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: ds, + want: daemonsetWithImage(ds, "envoyproxy/envoy-dev:v1.2.3"), + }, + { + name: "update daemonset label", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDaemonSet: &egv1a1.KubernetesDaemonSetSpec{ + Pod: 
&egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + // Add a new label to the custom label config. + // It wouldn't break the daemonset because the selector would still match after this label update. + "custom-label": "version1", + }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: ds, + // Selector is not updated with a custom label, only pod's label is updated. + want: daemonsetWithSelectorAndLabel(ds, nil, map[string]string{"custom-label": "version1"}), + }, + { + name: "the daemonset originally has a selector and label, and an user add a new label to the custom label config", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDaemonSet: &egv1a1.KubernetesDaemonSetSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + "custom-label": "version1", + "another-custom-label": "version1", // added. + }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: daemonsetWithSelectorAndLabel(ds, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1"}), + // Only label is updated, selector is not updated. 
+ want: daemonsetWithSelectorAndLabel(ds, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1", "another-custom-label": "version1"}), + }, + { + name: "the daemonset originally has a selector and label, and an user update an existing custom label", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDaemonSet: &egv1a1.KubernetesDaemonSetSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + // Update the label value which will break the daemonset + // because the selector cannot be updated while the user wants to update the label value. + // We cannot help this case, just emit an error and let the user recreate the envoy proxy by themselves. + "custom-label": "version2", + }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: daemonsetWithSelectorAndLabel(ds, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1"}), + wantErr: true, + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + var cli client.Client + if tc.current != nil { + cli = fakeclient.NewClientBuilder(). + WithScheme(envoygateway.GetScheme()). + WithObjects(tc.current). + WithInterceptorFuncs(interceptorFunc). + Build() + } else { + cli = fakeclient.NewClientBuilder(). + WithScheme(envoygateway.GetScheme()). + WithInterceptorFuncs(interceptorFunc). 
+ Build() + } + + kube := NewInfra(cli, cfg) + r := proxy.NewResourceRender(kube.Namespace, tc.in.GetProxyInfra(), cfg.EnvoyGateway) + err := kube.createOrUpdateDaemonSet(context.Background(), r) + if tc.wantErr { + require.Error(t, err) + return + } + require.NoError(t, err) + + actual := &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: kube.Namespace, + Name: proxy.ExpectedResourceHashedName(tc.in.Proxy.Name), + }, + } + require.NoError(t, kube.Client.Get(context.Background(), client.ObjectKeyFromObject(actual), actual)) + require.Equal(t, tc.want.Spec, actual.Spec) + }) + } +} diff --git a/internal/infrastructure/kubernetes/proxy_deployment_test.go b/internal/infrastructure/kubernetes/proxy_deployment_test.go index a1d595b750d..88537981b7d 100644 --- a/internal/infrastructure/kubernetes/proxy_deployment_test.go +++ b/internal/infrastructure/kubernetes/proxy_deployment_test.go @@ -21,6 +21,7 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" + resource2 "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource" "github.com/envoyproxy/gateway/internal/ir" ) @@ -39,6 +40,17 @@ func deploymentWithImage(deploy *appsv1.Deployment, image string) *appsv1.Deploy return dCopy } +func deploymentWithSelectorAndLabel(deploy *appsv1.Deployment, selector *metav1.LabelSelector, additionalLabel map[string]string) *appsv1.Deployment { + dCopy := deploy.DeepCopy() + if selector != nil { + dCopy.Spec.Selector = selector + } + for k, v := range additionalLabel { + dCopy.Spec.Template.Labels[k] = v + } + return dCopy +} + func TestCreateOrUpdateProxyDeployment(t *testing.T) { cfg, err := config.New() require.NoError(t, err) @@ -56,6 +68,7 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { in *ir.Infra current *appsv1.Deployment want *appsv1.Deployment + wantErr bool }{ { name: "create deployment", 
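Review bot: The `wantErr` branch in TestCreateOrUpdateProxyDaemonSet stops at `require.Error(t, err)`, so the case passes on any failure, including an unrelated error from the fake client or from `interceptorFunc` (defined outside this hunk), and does not prove that the selector check is what rejected the update. Pinning the cause would make the case meaningful, for example `require.ErrorContains(t, err, "illegal change in a custom label")`. The same applies to the `wantErr` branch added to TestCreateOrUpdateProxyDeployment in the `@@ -121,6 +241,10 @@` hunk.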
@@ -99,6 +112,113 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { current: deploy, want: deploymentWithImage(deploy, "envoyproxy/envoy-dev:v1.2.3"), }, + { + name: "update deployment label", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + "custom-label": "version1", // added. + }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: deploy, + // Selector is not updated with a custom label, only pod's label is updated. + want: deploymentWithSelectorAndLabel(deploy, nil, map[string]string{"custom-label": "version1"}), + }, + { + name: "the daemonset originally has a selector and label, and an user add a new label to the custom label config", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + "custom-label": "version1", + // Add a new label to the custom label config. + // It wouldn't break the deployment because the selector would still match after this label update. + "another-custom-label": "version1", // added. 
+ }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: deploymentWithSelectorAndLabel(deploy, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1"}), + // Only label is updated, selector is not updated. + want: deploymentWithSelectorAndLabel(deploy, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1", "another-custom-label": "version1"}), + }, + { + name: "the deployment originally has a selector and label, and an user update an existing custom label", + in: &ir.Infra{ + Proxy: &ir.ProxyInfra{ + Metadata: &ir.InfraMetadata{ + Labels: map[string]string{ + gatewayapi.OwningGatewayNamespaceLabel: "default", + gatewayapi.OwningGatewayNameLabel: infra.Proxy.Name, + }, + }, + Config: &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Pod: &egv1a1.KubernetesPodSpec{ + Labels: map[string]string{ + // Update the label value which will break the deployment + // because the selector cannot be updated while the user wants to update the label value. + // We cannot help this case, just emit an error and let the user recreate the envoy proxy by themselves. + "custom-label": "version2", + }, + }, + }, + }, + }, + }, + }, + Name: ir.DefaultProxyName, + Listeners: ir.NewProxyListeners(), + }, + }, + current: deploymentWithSelectorAndLabel(deploy, resource2.GetSelector(map[string]string{"custom-label": "version1"}), map[string]string{"custom-label": "version1"}), + wantErr: true, + }, } for _, tc := range testCases { 
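Review bot: The second case added to TestCreateOrUpdateProxyDeployment is named `the daemonset originally has a selector and label, ...` although it builds a Deployment with `EnvoyDeployment`, which looks like a leftover from copying the DaemonSet test. A failing run would then report the wrong resource kind; the name should read `the deployment originally has a selector and label, and an user add a new label to the custom label config`. The test table itself starts outside this hunk.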
@@ -121,6 +241,10 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { kube := NewInfra(cli, cfg) r := proxy.NewResourceRender(kube.Namespace, tc.in.GetProxyInfra(), cfg.EnvoyGateway) err := kube.createOrUpdateDeployment(context.Background(), r) + if tc.wantErr { + require.Error(t, err) + return + } require.NoError(t, err) actual := &appsv1.Deployment{ From 7078a03f1d480de738a327bfc8d8ff7ba345904c Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 14 Aug 2024 19:55:26 +0800 Subject: [PATCH 044/523] docs: correct concepts page (#4040) --- site/content/en/docs/concepts/concepts_overview.md | 7 +++---- site/content/en/latest/concepts/concepts_overview.md | 7 +++---- site/content/en/v1.1/concepts/concepts_overview.md | 7 +++---- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/site/content/en/docs/concepts/concepts_overview.md b/site/content/en/docs/concepts/concepts_overview.md index 31838b520f2..9af9a3fff10 100644 --- a/site/content/en/docs/concepts/concepts_overview.md +++ b/site/content/en/docs/concepts/concepts_overview.md 
@@ -10,13 +10,12 @@ There are several resources that play a part in enabling you to meet your Kubern There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with. -# Overview - -## Kubernetes Gateway API Resources +### Kubernetes Gateway API Resources - **GatewayClass:** Defines a class of Gateways with common configuration. - **Gateway:** Specifies how traffic can enter the cluster. - **Routes:** **HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, UDPRoute:** Define routing rules for different types of traffic. -## Envoy Gateway (EG) API Resources + +### Envoy Gateway (EG) API Resources - **EnvoyProxy:** Represents the deployment and configuration of the Envoy proxy within a Kubernetes cluster, managing its lifecycle and settings. - **EnvoyPatchPolicy, ClientTrafficPolicy, SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, BackendTLSPolicy:** Additional policies and configurations specific to Envoy Gateway. - **Backend:** A resource that makes routing to cluster-external backends easier and makes access to external processes via Unix Domain Sockets possible. diff --git a/site/content/en/latest/concepts/concepts_overview.md b/site/content/en/latest/concepts/concepts_overview.md index 31838b520f2..9af9a3fff10 100644 --- a/site/content/en/latest/concepts/concepts_overview.md +++ b/site/content/en/latest/concepts/concepts_overview.md 
@@ -10,13 +10,12 @@ There are several resources that play a part in enabling you to meet your Kubern There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with. -# Overview - -## Kubernetes Gateway API Resources +### Kubernetes Gateway API Resources - **GatewayClass:** Defines a class of Gateways with common configuration. - **Gateway:** Specifies how traffic can enter the cluster. - **Routes:** **HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, UDPRoute:** Define routing rules for different types of traffic. -## Envoy Gateway (EG) API Resources + +### Envoy Gateway (EG) API Resources - **EnvoyProxy:** Represents the deployment and configuration of the Envoy proxy within a Kubernetes cluster, managing its lifecycle and settings. - **EnvoyPatchPolicy, ClientTrafficPolicy, SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, BackendTLSPolicy:** Additional policies and configurations specific to Envoy Gateway. - **Backend:** A resource that makes routing to cluster-external backends easier and makes access to external processes via Unix Domain Sockets possible. diff --git a/site/content/en/v1.1/concepts/concepts_overview.md b/site/content/en/v1.1/concepts/concepts_overview.md index 31838b520f2..9af9a3fff10 100644 --- a/site/content/en/v1.1/concepts/concepts_overview.md +++ b/site/content/en/v1.1/concepts/concepts_overview.md 
@@ -10,13 +10,12 @@ There are several resources that play a part in enabling you to meet your Kubern There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with. -# Overview - -## Kubernetes Gateway API Resources +### Kubernetes Gateway API Resources - **GatewayClass:** Defines a class of Gateways with common configuration. - **Gateway:** Specifies how traffic can enter the cluster. - **Routes:** **HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, UDPRoute:** Define routing rules for different types of traffic. -## Envoy Gateway (EG) API Resources + +### Envoy Gateway (EG) API Resources - **EnvoyProxy:** Represents the deployment and configuration of the Envoy proxy within a Kubernetes cluster, managing its lifecycle and settings. - **EnvoyPatchPolicy, ClientTrafficPolicy, SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, BackendTLSPolicy:** Additional policies and configurations specific to Envoy Gateway. - **Backend:** A resource that makes routing to cluster-external backends easier and makes access to external processes via Unix Domain Sockets possible. From a555a96a92b59ca6d2d87138e8d33c4916184b0b Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 15 Aug 2024 02:58:09 +0800 Subject: [PATCH 045/523] update dependabot configuration (#4041) * update dependabot configuration Signed-off-by: zirain * use directories Signed-off-by: zirain * lint Signed-off-by: zirain --------- Signed-off-by: zirain --- .github/dependabot.yml | 59 ++++++++++++++++-------------------------- 1 file changed, 22 insertions(+), 37 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c7a5bee84ff..938a0fa2c49 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -6,26 +6,24 @@ version: 2 updates: - package-ecosystem: docker - directory: /tools/docker/envoy-gateway/ - schedule: - interval: weekly - - package-ecosystem: docker - directory: /site + directories: + - /tools/docker/envoy-gateway/ + - /site schedule: interval: weekly - package-ecosystem: github-actions - directory: / + directories: + - / + - /tools/github-actions/setup-deps schedule: interval: weekly ignore: # skip to update retest, because it won't work with the latest version - dependency-name: "envoyproxy/toolshed/gh-actions/retest" - - package-ecosystem: github-actions - directory: /tools/github-actions/setup-deps - schedule: - interval: weekly - package-ecosystem: gomod - directory: / + directories: + - "/" + - "examples/extension-server" schedule: interval: weekly groups: @@ -35,35 +33,22 @@ updates: go.opentelemetry.io: patterns: - "go.opentelemetry.io/*" + golang.org: + patterns: + - "golang.org/*" - package-ecosystem: pip - directory: /tools/src/codespell - schedule: - interval: weekly - - package-ecosystem: gomod - directory: /tools/src/helm-docs - schedule: - interval: weekly - - package-ecosystem: gomod - directory: /tools/src/buf + directories: + - /tools/src/codespell + - /tools/src/sphinx-build + - /tools/src/yamllint schedule: interval: weekly - package-ecosystem: gomod - directory: /tools/src/golangci-lint - schedule: - interval: weekly - - package-ecosystem: gomod - directory: /tools/src/kind - schedule: - interval: weekly - - package-ecosystem: gomod - directory: /tools/src/setup-envtest - schedule: - interval: weekly - - package-ecosystem: pip - directory: /tools/src/sphinx-build - schedule: - interval: weekly - - package-ecosystem: pip - directory: /tools/src/yamllint + directories: + - /tools/src/helm-docs + - /tools/src/buf + - /tools/src/golangci-lint + - /tools/src/kind + - /tools/src/setup-envtest schedule: interval: weekly From 8be7e695c51989ef0a1d1b084fbfe49e435ff97a Mon Sep 17 00:00:00 2001 
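Review bot: In the first `gomod` entry the new `directories` list mixes `"/"` with `"examples/extension-server"`, which has no leading slash, while every other path in the file is written from the repository root with one. It is worth confirming that Dependabot resolves the slash-less form; if it does not, that module would simply receive no update PRs and nothing would flag the gap. Writing it as `- "/examples/extension-server"` removes the doubt. The `groups` block (including the new `golang.org` group) applies only to this first `gomod` entry, not to the `/tools/src/*` one further down, which may or may not be intended.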
From: Guy Daich Date: Wed, 14 Aug 2024 16:45:50 -0500 Subject: [PATCH 046/523] feat(translator): early request header modifier (#4004) * feat(translator): early request header modifier Signed-off-by: Guy Daich * fix tests Signed-off-by: Guy Daich * use containsany Signed-off-by: Guy Daich * header values Signed-off-by: Guy Daich * rename api, add docs Signed-off-by: Guy Daich * really add docs Signed-off-by: Guy Daich * fix lint Signed-off-by: Guy Daich * fix doc tabs Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich --- api/v1alpha1/clienttrafficpolicy_types.go | 7 + api/v1alpha1/zz_generated.deepcopy.go | 5 + ...y.envoyproxy.io_clienttrafficpolicies.yaml | 142 +++++++++++++++ internal/gatewayapi/clienttrafficpolicy.go | 147 ++++++++++++++- .../clienttrafficpolicy-headers-error.in.yaml | 43 +++++ ...clienttrafficpolicy-headers-error.out.yaml | 127 +++++++++++++ .../clienttrafficpolicy-headers.in.yaml | 14 ++ .../clienttrafficpolicy-headers.out.yaml | 36 ++++ internal/ir/xds.go | 6 + internal/ir/zz_generated.deepcopy.go | 12 ++ internal/xds/translator/listener.go | 76 +++++++- .../in/xds-ir/http-early-header-mutation.yaml | 59 ++++++ .../http-early-header-mutation.clusters.yaml | 44 +++++ .../http-early-header-mutation.endpoints.yaml | 24 +++ .../http-early-header-mutation.listeners.yaml | 108 +++++++++++ .../http-early-header-mutation.routes.yaml | 28 +++ site/content/en/latest/api/extension_types.md | 1 + .../tasks/traffic/http-request-headers.md | 172 ++++++++++++++++++ site/content/zh/latest/api/extension_types.md | 1 + test/e2e/testdata/header-settings.yaml | 47 +++++ test/e2e/tests/header_settings.go | 75 ++++++++ 21 files changed, 1168 insertions(+), 6 deletions(-) create mode 100644 internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.in.yaml create mode 100644 internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.routes.yaml create mode 100644 test/e2e/testdata/header-settings.yaml create mode 100644 
test/e2e/tests/header_settings.go diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 347eb946353..63b2c91fb2e 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go @@ -7,6 +7,7 @@ package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) @@ -134,6 +135,12 @@ type HeaderSettings struct { // // +optional PreserveXRequestID *bool `json:"preserveXRequestID,omitempty"` + + // EarlyRequestHeaders defines settings for early request header modification, before envoy performs + // routing, tracing and built-in header manipulation. + // + // +optional + EarlyRequestHeaders *gwapiv1.HTTPHeaderFilter `json:"earlyRequestHeaders,omitempty"` } // WithUnderscoresAction configures the action to take when an HTTP header with underscores diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 79c8e98a525..62fa950a3e8 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2714,6 +2714,11 @@ func (in *HeaderSettings) DeepCopyInto(out *HeaderSettings) { *out = new(bool) **out = **in } + if in.EarlyRequestHeaders != nil { + in, out := &in.EarlyRequestHeaders, &out.EarlyRequestHeaders + *out = new(apisv1.HTTPHeaderFilter) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderSettings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 0dd5ac6a980..5483ff78e64 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml 
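Review bot: The doc comment on `EarlyRequestHeaders` in the `HeaderSettings` hunk says when the mutation runs but not how conflicting entries are resolved, and the translator added in this commit is not obvious on that point. There, names are compared case-insensitively, only the first occurrence of a name is kept, and a `set` entry whose name already appears under `add` is dropped. I would add a sentence to the comment such as `// Duplicate header names are ignored after their first occurrence; a name listed under both add and set is only added.` The struct starts outside the hunk.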
@@ -159,6 +159,148 @@ spec: DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers when rate limiting is enabled. type: boolean + earlyRequestHeaders: + description: |- + EarlyRequestHeaders defines settings for early request header modification, before envoy performs + routing, tracing and built-in header manipulation. + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header name and + value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be + matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object enableEnvoyHeaders: description: |- EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index c1877ffa653..44d813c255c 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go 
@@ -18,6 +18,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -432,7 +433,10 @@ func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.Clie translateClientIPDetection(policy.Spec.ClientIPDetection, httpIR) // Translate Header Settings - translateListenerHeaderSettings(policy.Spec.Headers, httpIR) + if err = translateListenerHeaderSettings(policy.Spec.Headers, httpIR); err != nil { + err = perr.WithMessage(err, "Headers") + errs = errors.Join(errs, err) + } // Translate Path Settings translatePathSettings(policy.Spec.Path, httpIR) @@ -613,9 +617,9 @@ func translateClientIPDetection(clientIPDetection *egv1a1.ClientIPDetectionSetti httpIR.ClientIPDetection = (*ir.ClientIPDetectionSettings)(clientIPDetection) } -func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, httpIR *ir.HTTPListener) { +func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, httpIR *ir.HTTPListener) error { if headerSettings == nil { - return + return nil } httpIR.Headers = &ir.HeaderSettings{ EnableEnvoyHeaders: ptr.Deref(headerSettings.EnableEnvoyHeaders, false), @@ -634,6 +638,16 @@ func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, http httpIR.Headers.XForwardedClientCert.CertDetailsToAdd = headerSettings.XForwardedClientCert.CertDetailsToAdd } } + + if headerSettings.EarlyRequestHeaders != nil { + headersToAdd, headersToRemove, err := translateEarlyRequestHeaders(headerSettings.EarlyRequestHeaders) + if err != nil { + return err + } + httpIR.Headers.EarlyAddRequestHeaders = headersToAdd + httpIR.Headers.EarlyRemoveRequestHeaders = headersToRemove + } + return nil } func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTPListener) error { 
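Review bot: In the last hunk of `translateListenerHeaderSettings`, any error from `translateEarlyRequestHeaders` returns before `EarlyAddRequestHeaders` and `EarlyRemoveRequestHeaders` are assigned, so one invalid entry discards every valid early mutation while the rest of `httpIR.Headers` stays applied. The helper is written to skip bad entries and keep going ("try to process the rest of the headers and produce a valid config"), and the error test output shows the listener still `Programmed` with no early headers in the xDS IR. If operators use `remove` to strip a client-supplied header, that is a silent fail-open on the data plane. Either assign the two slices before the `if err != nil` check, or state in a comment that any invalid entry disables all early mutations. Part of the function body lies between the hunks and is not shown.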
@@ -869,3 +883,130 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection, return irConnection, nil } + +func translateEarlyRequestHeaders(headerModifier *gwapiv1.HTTPHeaderFilter) ([]ir.AddHeader, []string, error) { + // Make sure the header modifier config actually exists + if headerModifier == nil { + return nil, nil, nil + } + var errs error + emptyFilterConfig := true // keep track of whether the provided config is empty or not + + var AddRequestHeaders []ir.AddHeader + var RemoveRequestHeaders []string + + // Add request headers + if headersToAdd := headerModifier.Add; headersToAdd != nil { + if len(headersToAdd) > 0 { + emptyFilterConfig = false + } + for _, addHeader := range headersToAdd { + emptyFilterConfig = false + if addHeader.Name == "" { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders cannot add a header with an empty name")) + // try to process the rest of the headers and produce a valid config. + continue + } + // Per Gateway API specification on HTTPHeaderName, : and / are invalid characters in header names + if strings.ContainsAny(string(addHeader.Name), "/:") { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders Filter cannot set headers with a '/' or ':' character in them. 
Header: %q", string(addHeader.Name))) + continue + } + // Check if the header is a duplicate + headerKey := string(addHeader.Name) + canAddHeader := true + for _, h := range AddRequestHeaders { + if strings.EqualFold(h.Name, headerKey) { + canAddHeader = false + break + } + } + + if !canAddHeader { + continue + } + + newHeader := ir.AddHeader{ + Name: headerKey, + Append: true, + Value: strings.Split(addHeader.Value, ","), + } + + AddRequestHeaders = append(AddRequestHeaders, newHeader) + } + } + + // Set headers + if headersToSet := headerModifier.Set; headersToSet != nil { + if len(headersToSet) > 0 { + emptyFilterConfig = false + } + for _, setHeader := range headersToSet { + + if setHeader.Name == "" { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders cannot set a header with an empty name")) + continue + } + // Per Gateway API specification on HTTPHeaderName, : and / are invalid characters in header names + if strings.ContainsAny(string(setHeader.Name), "/:") { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders cannot set headers with a '/' or ':' character in them. Header: '%s'", string(setHeader.Name))) + continue + } + + // Check if the header to be set has already been configured + headerKey := string(setHeader.Name) + canAddHeader := true + for _, h := range AddRequestHeaders { + if strings.EqualFold(h.Name, headerKey) { + canAddHeader = false + break + } + } + if !canAddHeader { + continue + } + newHeader := ir.AddHeader{ + Name: string(setHeader.Name), + Append: false, + Value: strings.Split(setHeader.Value, ","), + } + + AddRequestHeaders = append(AddRequestHeaders, newHeader) + } + } + + // Remove request headers + // As far as Envoy is concerned, it is ok to configure a header to be added/set and also in the list of + // headers to remove. It will remove the original header if present and then add/set the header after. 
+ if headersToRemove := headerModifier.Remove; headersToRemove != nil { + if len(headersToRemove) > 0 { + emptyFilterConfig = false + } + for _, removedHeader := range headersToRemove { + if removedHeader == "" { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders cannot remove a header with an empty name")) + continue + } + + canRemHeader := true + for _, h := range RemoveRequestHeaders { + if strings.EqualFold(h, removedHeader) { + canRemHeader = false + break + } + } + if !canRemHeader { + continue + } + + RemoveRequestHeaders = append(RemoveRequestHeaders, removedHeader) + } + } + + // Update the status if the filter failed to configure any valid headers to add/remove + if len(AddRequestHeaders) == 0 && len(RemoveRequestHeaders) == 0 && !emptyFilterConfig { + errs = errors.Join(errs, fmt.Errorf("EarlyRequestHeaders did not provide valid configuration to add/set/remove any headers")) + } + + return AddRequestHeaders, RemoveRequestHeaders, errs +} diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.in.yaml new file mode 100644 index 00000000000..3b2331bba7f --- /dev/null +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.in.yaml 
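Review bot: The remove loop in `translateEarlyRequestHeaders` rejects only the empty name, while the add and set loops also reject names containing '/' or ':', so a remove entry with those characters goes into `EarlyRemoveRequestHeaders` unchecked. The generated CRD in this commit puts a name pattern on `add` and `set` items but leaves `remove` items as plain strings, so nothing upstream catches it either. I would apply the same guard in the remove loop, `if strings.ContainsAny(removedHeader, "/:") {`, with the same error-and-continue body as the other two loops. The error test data only covers the empty remove name, so a case for this would be useful.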
@@ -0,0 +1,43 @@ +clientTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-1 + spec: + headers: + enableEnvoyHeaders: true + withUnderscoresAction: Allow + preserveXRequestID: true + earlyRequestHeaders: + add: + - name: "" + value: "empty" + - name: "invalid" + value: ":/" + set: + - name: "" + value: "empty" + - name: "invalid" + value: ":/" + remove: + - "" + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http-1 + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml new file mode 100644 index 00000000000..9eee58d7df7 --- /dev/null +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml 
@@ -0,0 +1,127 @@ +clientTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-1 + namespace: envoy-gateway + spec: + headers: + earlyRequestHeaders: + add: + - name: "" + value: empty + - name: invalid + value: :/ + remove: + - "" + set: + - name: "" + value: empty + - name: invalid + value: :/ + enableEnvoyHeaders: true + preserveXRequestID: true + withUnderscoresAction: Allow + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: |- + Headers: EarlyRequestHeaders cannot add a header with an empty name + EarlyRequestHeaders cannot set a header with an empty name + EarlyRequestHeaders cannot remove a header with an empty name. + reason: Invalid + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http-1 + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http-1 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: 
GRPCRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http-1 + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + headers: + enableEnvoyHeaders: true + preserveXRequestID: true + withUnderscoresAction: Allow + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-1/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml index 6d73bee1a16..3234aed7da8 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml @@ -9,6 +9,20 @@ clientTrafficPolicies: enableEnvoyHeaders: true withUnderscoresAction: Allow preserveXRequestID: true + earlyRequestHeaders: + add: + - name: "my-added-header" + value: "my-added-header-value" + - name: "my-added-header" + value: "my-added-header-value" + set: + - name: "my-set-header" + value: "my-set-header-value" + - name: "my-set-header" + value: "my-set-header-value" + remove: + - "my-removed-header" + - "my-removed-header" targetRef: group: gateway.networking.k8s.io kind: Gateway diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml index 8b32bb192da..4e66bd91c64 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml @@ -7,6 +7,20 @@ clientTrafficPolicies: namespace: envoy-gateway spec: headers: + earlyRequestHeaders: + add: + - name: my-added-header + value: my-added-header-value + - name: my-added-header + value: my-added-header-value + remove: + - my-removed-header + - my-removed-header + set: + - name: my-set-header + value: my-set-header-value + - name: my-set-header + value: my-set-header-value enableEnvoyHeaders: true preserveXRequestID: true withUnderscoresAction: Allow @@ -129,6 +143,17 @@ xdsIR: http: - address: 0.0.0.0 headers: + earlyAddRequestHeaders: + - append: true + name: my-added-header + value: + - my-added-header-value + - append: false + name: my-set-header + value: + - my-set-header-value + earlyRemoveRequestHeaders: + - my-removed-header enableEnvoyHeaders: true preserveXRequestID: true withUnderscoresAction: Allow @@ -147,6 +172,17 @@ xdsIR: port: 10080 - address: 0.0.0.0 headers: + earlyAddRequestHeaders: + - append: true + name: my-added-header + value: + - my-added-header-value + - append: false + name: my-set-header + value: + - my-set-header-value + earlyRemoveRequestHeaders: + - my-removed-header enableEnvoyHeaders: true preserveXRequestID: true withUnderscoresAction: Allow diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 56c1bef0958..821d4bd1c70 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -494,6 +494,12 @@ type HeaderSettings struct { // (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour. // It defaults to false. PreserveXRequestID bool `json:"preserveXRequestID,omitempty" yaml:"preserveXRequestID,omitempty"` + + // EarlyAddRequestHeaders defines headers that would be added before envoy request processing. + EarlyAddRequestHeaders []AddHeader `json:"earlyAddRequestHeaders,omitempty" yaml:"earlyAddRequestHeaders,omitempty"` + + // EarlyRemoveRequestHeaders defines headers that would be removed before envoy request processing. + EarlyRemoveRequestHeaders []string `json:"earlyRemoveRequestHeaders,omitempty" yaml:"earlyRemoveRequestHeaders,omitempty"` } // ClientTimeout sets the timeout configuration for downstream connections diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 5f8f879e6a0..d38cd3b825c 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1481,6 +1481,18 @@ func (in *HeaderSettings) DeepCopyInto(out *HeaderSettings) { *out = new(XForwardedClientCert) (*in).DeepCopyInto(*out) } + if in.EarlyAddRequestHeaders != nil { + in, out := &in.EarlyAddRequestHeaders, &out.EarlyAddRequestHeaders + *out = make([]AddHeader, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.EarlyRemoveRequestHeaders != nil { + in, out := &in.EarlyRemoveRequestHeaders, &out.EarlyRemoveRequestHeaders + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderSettings. diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 0812010ade1..9b442c75105 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go 
@@ -12,6 +12,7 @@ import ( xdscore "github.com/cncf/xds/go/xds/core/v3" matcher "github.com/cncf/xds/go/xds/type/matcher/v3" + mutation_rulesv3 "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3" corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" tls_inspectorv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3" @@ -19,6 +20,7 @@ import ( hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" tcpv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3" udpv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/v3" + early_header_mutationv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/early_header_mutation/header_mutation/v3" preservecasev3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_formatters/preserve_case/v3" customheaderv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/custom_header/v3" quicv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/quic/v3" 
@@ -274,9 +276,10 @@ func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irLis CommonHttpProtocolOptions: &corev3.HttpProtocolOptions{ HeadersWithUnderscoresAction: buildHeadersWithUnderscoresAction(irListener.Headers), }, - Tracing: hcmTracing, - ForwardClientCertDetails: buildForwardClientCertDetailsAction(irListener.Headers), - PreserveExternalRequestId: ptr.Deref(irListener.Headers, ir.HeaderSettings{}).PreserveXRequestID, + Tracing: hcmTracing, + ForwardClientCertDetails: buildForwardClientCertDetailsAction(irListener.Headers), + PreserveExternalRequestId: ptr.Deref(irListener.Headers, ir.HeaderSettings{}).PreserveXRequestID, + EarlyHeaderMutationExtensions: buildEarlyHeaderMutation(irListener.Headers), } if mgr.ForwardClientCertDetails == hcmv3.HttpConnectionManager_APPEND_FORWARD || mgr.ForwardClientCertDetails == hcmv3.HttpConnectionManager_SANITIZE_SET { 
@@ -365,6 +368,73 @@ func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irLis return nil } +func buildEarlyHeaderMutation(headers *ir.HeaderSettings) []*corev3.TypedExtensionConfig { + if headers == nil || (len(headers.EarlyAddRequestHeaders) == 0 && len(headers.EarlyRemoveRequestHeaders) == 0) { + return nil + } + + var mutationRules []*mutation_rulesv3.HeaderMutation + + for _, header := range headers.EarlyAddRequestHeaders { + var appendAction corev3.HeaderValueOption_HeaderAppendAction + if header.Append { + appendAction = corev3.HeaderValueOption_APPEND_IF_EXISTS_OR_ADD + } else { + appendAction = corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD + } + // Allow empty headers to be set, but don't add the config to do so unless necessary + if len(header.Value) == 0 { + mutationRules = append(mutationRules, &mutation_rulesv3.HeaderMutation{ + Action: &mutation_rulesv3.HeaderMutation_Append{ + Append: &corev3.HeaderValueOption{ + Header: &corev3.HeaderValue{ + Key: header.Name, + }, + AppendAction: appendAction, + KeepEmptyValue: true, + }, + }, + }) + } else { + for _, val := range header.Value { + mutationRules = append(mutationRules, &mutation_rulesv3.HeaderMutation{ + Action: &mutation_rulesv3.HeaderMutation_Append{ + Append: &corev3.HeaderValueOption{ + Header: &corev3.HeaderValue{ + Key: header.Name, + Value: val, + }, + AppendAction: appendAction, + KeepEmptyValue: val == "", + }, + }, + }) + } + } + } + + for _, header := range headers.EarlyRemoveRequestHeaders { + mr := &mutation_rulesv3.HeaderMutation{ + Action: &mutation_rulesv3.HeaderMutation_Remove{ + Remove: header, + }, + } + + mutationRules = append(mutationRules, mr) + } + + earlyHeaderMutationAny, _ := anypb.New(&early_header_mutationv3.HeaderMutation{ + Mutations: mutationRules, + }) + + return []*corev3.TypedExtensionConfig{ + { + Name: "envoy.http.early_header_mutation.header_mutation", + TypedConfig: earlyHeaderMutationAny, + }, + } +} + func 
addServerNamesMatch(xdsListener *listenerv3.Listener, filterChain *listenerv3.FilterChain, hostnames []string) error { // Dont add a filter chain match if the hostname is a wildcard character. if len(hostnames) > 0 && hostnames[0] != "*" { diff --git a/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml b/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml new file mode 100644 index 00000000000..6301153cd1c --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml @@ -0,0 +1,59 @@ +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + http1: + preserveHeaderCase: true + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 +- name: "second-listener" + address: "0.0.0.0" + port: 10081 + hostnames: + - "*" + headers: + earlyAddRequestHeaders: + - name: "some-header" + value: + - "some-value1" + - "some-value2" + append: true + - name: "some-header-2" + value: + - "some-value" + append: true + - name: "some-header3" + value: + - "some-value" + append: false + - name: "some-header4" + value: + - "some-value" + append: false + - name: "empty-header" + value: + append: false + earlyRemoveRequestHeaders: + - "some-header5" + - "some-header6" + routes: + - name: "second-route" + hostname: "*" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "1.2.3.5" + port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml new file mode 100644 index 00000000000..22e6727066a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml 
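Review bot: In `buildEarlyHeaderMutation`, an entry with `Append: false` and several values emits one `OVERWRITE_IF_EXISTS_OR_ADD` mutation per value, so each piece replaces the previous one and, if Envoy applies the list in order, only the last survives. The gateway-api translator splits `set` values on commas, so `value: "a,b"` under `set` reaches this path, and the xds-ir test input only has single-value overwrite entries. For the overwrite case I would emit a single mutation carrying the joined value, e.g. `Value: strings.Join(header.Value, ",")` (whether `strings` is already imported in listener.go is not visible here). The error from `anypb.New` is also discarded with `_`; returning it through `addHCMToXDSListener` would avoid emitting an extension with a nil `TypedConfig`.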
@@ -0,0 +1,44 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + httpProtocolOptions: + headerKeyFormat: + statefulFormatter: + name: preserve_case + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: second-route-dest + lbPolicy: LEAST_REQUEST + name: second-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.endpoints.yaml new file mode 100644 index 00000000000..28a57caf3b5 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.endpoints.yaml 
@@ -0,0 +1,24 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 +- clusterName: second-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.5 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: second-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml new file mode 100644 index 00000000000..69c2612a5f8 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml 
@@ -0,0 +1,108 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + httpProtocolOptions: + headerKeyFormat: + statefulFormatter: + name: preserve_case + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + drainType: MODIFY_ONLY + name: first-listener + perConnectionBufferLimitBytes: 32768 +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10081 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + earlyHeaderMutationExtensions: + - name: envoy.http.early_header_mutation.header_mutation + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.early_header_mutation.header_mutation.v3.HeaderMutation + mutations: + - append: + header: + key: some-header + value: some-value1 + - append: + header: + key: some-header + value: some-value2 + - 
append: + header: + key: some-header-2 + value: some-value + - append: + appendAction: OVERWRITE_IF_EXISTS_OR_ADD + header: + key: some-header3 + value: some-value + - append: + appendAction: OVERWRITE_IF_EXISTS_OR_ADD + header: + key: some-header4 + value: some-value + - append: + appendAction: OVERWRITE_IF_EXISTS_OR_ADD + header: + key: empty-header + keepEmptyValue: true + - remove: some-header5 + - remove: some-header6 + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + normalizePath: true + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: second-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10081 + useRemoteAddress: true + name: second-listener + drainType: MODIFY_ONLY + name: second-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.routes.yaml new file mode 100644 index 00000000000..ff93cfff360 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.routes.yaml @@ -0,0 +1,28 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + prefix: / + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket +- ignorePortInHostMatching: true + name: second-listener + virtualHosts: + - domains: + - '*' + name: second-listener/* + routes: + - match: + prefix: / + name: second-route + route: + cluster: second-route-dest + upgradeConfigs: + - upgradeType: websocket 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 99caabc363e..3e6f75d074a 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1962,6 +1962,7 @@ _Appears in:_ | `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | | `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | | `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | diff --git a/site/content/en/latest/tasks/traffic/http-request-headers.md b/site/content/en/latest/tasks/traffic/http-request-headers.md index 9cd60281cdf..5b73bfaf8d3 100644 --- a/site/content/en/latest/tasks/traffic/http-request-headers.md +++ b/site/content/en/latest/tasks/traffic/http-request-headers.md 
@@ -442,7 +442,179 @@ spec: {{% /tab %}} {{< /tabpane >}} +## Early Header Modification + +In some cases, it could be necessary to modify headers before the proxy performs any sort of processing, routing or tracing. Envoy Gateway supports this functionality using the [ClientTrafficPolicy][] API. + +A ClientTrafficPolicy resource can be attached to a Gateway resource to configure early header modifications for all its routes. In the following example we will demonstrate how early header modification can be configured. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the following headers: +- `early-added-header` contains early (ClientTrafficPolicy) and late (RouteFilter) values +- `early-set-header` contains only early (ClientTrafficPolicy) and late (RouteFilter) values, since the early modification overwritten the client value. +- `early-removed-header` contains only the late (RouteFilter) value, since the early modification deleted the client value. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "early-added-header: client" --header "early-set-header: client" --header "early-removed-header: client" +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "Early-Added-Header": [ + "client", + "early", + "late" + ], + "Early-Set-Header": [ + "early", + "late" + ], + "Early-removed-Header": [ + "late" + ] +... 
+``` + [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [HTTPRoute filters]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilter [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ [req_filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter +[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 99caabc363e..3e6f75d074a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1962,6 +1962,7 @@ _Appears in:_ | `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | | `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | | `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | diff --git a/test/e2e/testdata/header-settings.yaml b/test/e2e/testdata/header-settings.yaml new file mode 100644 index 00000000000..dab686f29c7 --- /dev/null +++ b/test/e2e/testdata/header-settings.yaml @@ -0,0 +1,47 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: early-header-modifier-ctp + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace + headers: + earlyRequestHeaders: + add: + - name: "early-added-header" + value: "early" + set: + - name: "early-set-header" + value: "early" + remove: + - "early-removed-header" +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-early-headers + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /early-header + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + add: + - name: early-added-header + value: late + - name: early-set-header + value: late + - name: early-removed-header + value: late + backendRefs: + - name: infra-backend-v1 + port: 8080 diff --git a/test/e2e/tests/header_settings.go b/test/e2e/tests/header_settings.go new file mode 100644 index 00000000000..32f0d731089 --- /dev/null +++ b/test/e2e/tests/header_settings.go 
@@ -0,0 +1,75 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" +) + +func init() { + ConformanceTests = append(ConformanceTests, HeaderSettingsTest) +} + +var HeaderSettingsTest = suite.ConformanceTest{ + ShortName: "HeaderSettings", + Description: "Modify headers before regular processing", + Manifests: []string{"testdata/header-settings.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("Early header modifications should apply", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-with-early-headers", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + ClientTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "early-header-modifier-ctp", Namespace: ns}, suite.ControllerName, ancestorRef) + + expected := http.ExpectedResponse{ + Request: http.Request{ + Path: "/early-header", + Headers: map[string]string{ + "early-added-header": "client", + "early-set-header": "client", + 
"early-removed-header": "client", + }, + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/early-header", + Headers: map[string]string{ + "early-added-header": "client,early,late", // client, early and late are all added to header + "early-set-header": "early,late", // early set overwrites client value + "early-removed-header": "late", // removed by early, so only late value exists + }, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expected) + }) + }, +} From 5dc4a14c9c1b4f59da91d2fe045c4a6858ef8987 Mon Sep 17 00:00:00 2001 From: Md Sahil <85174511+MdSahil-oss@users.noreply.github.com> Date: Thu, 15 Aug 2024 19:17:11 +0530 Subject: [PATCH 047/523] docs: mark BackendRef in shared_types.go optional (#4058) Signed-off-by: MdSahil-oss --- api/v1alpha1/shared_types.go | 1 + site/content/en/latest/api/extension_types.md | 16 ++++++++-------- site/content/zh/latest/api/extension_types.md | 16 ++++++++-------- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 89aef19c37b..c24db0ee547 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -483,6 +483,7 @@ type BackendCluster struct { // backend server to which the authorization request will be sent. // // Deprecated: Use BackendRefs instead. + // +optional BackendRef *gwapiv1.BackendObjectReference `json:"backendRef,omitempty"` // BackendRefs references a Kubernetes object that represents the diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 3e6f75d074a..0530e43898c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -68,7 +68,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | @@ -294,7 +294,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | @@ -1484,7 +1484,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | @@ -1713,7 +1713,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | @@ -1863,7 +1863,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | @@ -2515,7 +2515,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | @@ -2874,7 +2874,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | @@ -3590,7 +3590,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 3e6f75d074a..0530e43898c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -68,7 +68,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | @@ -294,7 +294,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | @@ -1484,7 +1484,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | @@ -1713,7 +1713,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | @@ -1863,7 +1863,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | @@ -2515,7 +2515,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | @@ -2874,7 +2874,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | @@ -3590,7 +3590,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | | `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | | `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | From 90d989488d173013951ea166fbb3db3cb26e32d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 10:50:53 -0700 Subject: [PATCH 048/523] build(deps): bump github/codeql-action from 3.26.0 to 3.26.2 (#4051) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/eb055d739abdc2e8de2e5f4ba1a8b246daa779aa...429e1977040da7a23b6822b13c129cd1ba93dbb2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7cb7462e0e3..5cde7a2c549 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2af996a99e5..5cb58c15398 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: sarif_file: results.sarif From 1daa088f686b6bd491bb51b5c84a4f1ce95206bb Mon Sep 17 00:00:00 2001 From: sh2 Date: Fri, 16 Aug 2024 03:18:42 +0800 Subject: [PATCH 049/523] chore: replace `targetRef` with `targetRefs` in doc (#4048) * replace targetRef with targetRefs in doc Signed-off-by: shawnh2 * replace targetRef with targetRefs in doc v1.1 Signed-off-by: shawnh2 --------- 
Signed-off-by: shawnh2 --- .../tasks/extensibility/envoy-patch-policy.md | 5 - .../en/docs/tasks/extensibility/ext-proc.md | 16 ++-- .../en/docs/tasks/extensibility/wasm.md | 36 +++---- .../en/docs/tasks/security/basic-auth.md | 16 ++-- site/content/en/docs/tasks/security/cors.md | 8 +- .../en/docs/tasks/security/ext-auth.md | 56 +++++------ .../en/docs/tasks/security/mutual-tls.md | 10 +- site/content/en/docs/tasks/security/oidc.md | 32 +++---- .../tasks/security/private-key-provider.md | 4 - .../docs/tasks/security/restrict-ip-access.md | 32 +++---- .../en/docs/tasks/traffic/circuit-breaker.md | 16 ++-- .../tasks/traffic/client-traffic-policy.md | 96 +++++++++---------- .../en/docs/tasks/traffic/connection-limit.md | 16 ++-- .../en/docs/tasks/traffic/fault-injection.md | 24 ++--- .../docs/tasks/traffic/global-rate-limit.md | 48 +++++----- .../en/docs/tasks/traffic/http-routing.md | 16 ++-- site/content/en/docs/tasks/traffic/http3.md | 16 ++-- .../en/docs/tasks/traffic/local-rate-limit.md | 16 ++-- site/content/en/docs/tasks/traffic/retry.md | 16 ++-- .../tasks/extensibility/envoy-patch-policy.md | 5 - .../en/latest/tasks/extensibility/ext-proc.md | 16 ++-- .../en/latest/tasks/extensibility/wasm.md | 42 ++++---- .../en/latest/tasks/security/basic-auth.md | 16 ++-- site/content/en/latest/tasks/security/cors.md | 8 +- .../en/latest/tasks/security/ext-auth.md | 56 +++++------ .../en/latest/tasks/security/mutual-tls.md | 10 +- site/content/en/latest/tasks/security/oidc.md | 32 +++---- .../tasks/security/private-key-provider.md | 4 - .../tasks/security/restrict-ip-access.md | 32 +++---- .../latest/tasks/traffic/circuit-breaker.md | 16 ++-- .../tasks/traffic/client-traffic-policy.md | 92 +++++++++--------- .../latest/tasks/traffic/connection-limit.md | 16 ++-- .../latest/tasks/traffic/fault-injection.md | 24 ++--- .../latest/tasks/traffic/global-rate-limit.md | 48 +++++----- .../en/latest/tasks/traffic/http-routing.md | 16 ++-- 
site/content/en/latest/tasks/traffic/http3.md | 16 ++-- .../latest/tasks/traffic/local-rate-limit.md | 16 ++-- site/content/en/latest/tasks/traffic/retry.md | 16 ++-- .../tasks/extensibility/envoy-patch-policy.md | 5 - .../en/v1.1/tasks/extensibility/ext-proc.md | 16 ++-- .../en/v1.1/tasks/extensibility/wasm.md | 36 +++---- .../en/v1.1/tasks/security/basic-auth.md | 16 ++-- site/content/en/v1.1/tasks/security/cors.md | 8 +- .../en/v1.1/tasks/security/ext-auth.md | 56 +++++------ .../en/v1.1/tasks/security/mutual-tls.md | 10 +- site/content/en/v1.1/tasks/security/oidc.md | 32 +++---- .../tasks/security/private-key-provider.md | 4 - .../v1.1/tasks/security/restrict-ip-access.md | 32 +++---- .../en/v1.1/tasks/traffic/circuit-breaker.md | 16 ++-- .../tasks/traffic/client-traffic-policy.md | 96 +++++++++---------- .../en/v1.1/tasks/traffic/connection-limit.md | 16 ++-- .../en/v1.1/tasks/traffic/fault-injection.md | 24 ++--- .../v1.1/tasks/traffic/global-rate-limit.md | 48 +++++----- .../en/v1.1/tasks/traffic/http-routing.md | 16 ++-- site/content/en/v1.1/tasks/traffic/http3.md | 16 ++-- .../en/v1.1/tasks/traffic/local-rate-limit.md | 16 ++-- site/content/en/v1.1/tasks/traffic/retry.md | 16 ++-- 57 files changed, 703 insertions(+), 736 deletions(-) diff --git a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md index ff819754d1f..7fe84762189 100644 --- a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md @@ -111,7 +111,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -151,7 +150,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" 
@@ -195,7 +193,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -235,7 +232,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -322,7 +318,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch status: conditions: diff --git a/site/content/en/docs/tasks/extensibility/ext-proc.md b/site/content/en/docs/tasks/extensibility/ext-proc.md index 9028447ab09..31ad551c63b 100644 --- a/site/content/en/docs/tasks/extensibility/ext-proc.md +++ b/site/content/en/docs/tasks/extensibility/ext-proc.md @@ -113,10 +113,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc @@ -139,10 +139,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc diff --git a/site/content/en/docs/tasks/extensibility/wasm.md b/site/content/en/docs/tasks/extensibility/wasm.md index d973de77950..cb2e013dd80 100644 --- a/site/content/en/docs/tasks/extensibility/wasm.md +++ b/site/content/en/docs/tasks/extensibility/wasm.md @@ -44,10 +44,10 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - name: wasm-filter rootID: my_root_id 
@@ -70,10 +70,10 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - name: wasm-filter rootID: my_root_id @@ -107,8 +107,8 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: @@ -132,17 +132,17 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: - - name: wasm-filter - rootID: my_root_id - code: - type: Image - image: - url: zhaohuabing/testwasm:v0.0.1 + - name: wasm-filter + rootID: my_root_id + code: + type: Image + image: + url: zhaohuabing/testwasm:v0.0.1 ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/security/basic-auth.md b/site/content/en/docs/tasks/security/basic-auth.md index 956963b6da5..0cd2b92a9a5 100644 --- a/site/content/en/docs/tasks/security/basic-auth.md +++ b/site/content/en/docs/tasks/security/basic-auth.md @@ -110,10 +110,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" @@ -131,10 +131,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" diff --git a/site/content/en/docs/tasks/security/cors.md b/site/content/en/docs/tasks/security/cors.md index cfbe979cd22..fe711041449 100644 --- a/site/content/en/docs/tasks/security/cors.md 
+++ b/site/content/en/docs/tasks/security/cors.md @@ -32,8 +32,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: @@ -63,8 +63,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: diff --git a/site/content/en/docs/tasks/security/ext-auth.md b/site/content/en/docs/tasks/security/ext-auth.md index 5fc73321106..8b048016a29 100644 --- a/site/content/en/docs/tasks/security/ext-auth.md +++ b/site/content/en/docs/tasks/security/ext-auth.md @@ -110,15 +110,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] EOF ``` @@ -134,15 +134,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] ``` @@ -296,15 +296,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 EOF ``` 
@@ -319,15 +319,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/security/mutual-tls.md b/site/content/en/docs/tasks/security/mutual-tls.md index 64f471ba19d..8a28d0d3603 100644 --- a/site/content/en/docs/tasks/security/mutual-tls.md +++ b/site/content/en/docs/tasks/security/mutual-tls.md @@ -89,11 +89,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: @@ -115,11 +114,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: diff --git a/site/content/en/docs/tasks/security/oidc.md b/site/content/en/docs/tasks/security/oidc.md index ac7d6d60ba9..5110cc9745d 100644 --- a/site/content/en/docs/tasks/security/oidc.md +++ b/site/content/en/docs/tasks/security/oidc.md @@ -135,10 +135,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" @@ -161,10 +161,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" 
@@ -239,10 +239,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" @@ -265,10 +265,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" diff --git a/site/content/en/docs/tasks/security/private-key-provider.md b/site/content/en/docs/tasks/security/private-key-provider.md index cf40a96e9e1..79f992aa599 100644 --- a/site/content/en/docs/tasks/security/private-key-provider.md +++ b/site/content/en/docs/tasks/security/private-key-provider.md @@ -433,7 +433,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -475,7 +474,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -520,7 +518,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -562,7 +559,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" diff --git a/site/content/en/docs/tasks/security/restrict-ip-access.md b/site/content/en/docs/tasks/security/restrict-ip-access.md index ba6af118252..9eded4e7197 100644 --- a/site/content/en/docs/tasks/security/restrict-ip-access.md 
+++ b/site/content/en/docs/tasks/security/restrict-ip-access.md @@ -33,10 +33,10 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: @@ -58,10 +58,10 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: @@ -102,10 +102,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` @@ -123,10 +123,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/traffic/circuit-breaker.md b/site/content/en/docs/tasks/traffic/circuit-breaker.md index d3631739549..267bb05cce0 100644 --- a/site/content/en/docs/tasks/traffic/circuit-breaker.md +++ b/site/content/en/docs/tasks/traffic/circuit-breaker.md @@ -72,10 +72,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 
@@ -93,10 +93,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 diff --git a/site/content/en/docs/tasks/traffic/client-traffic-policy.md b/site/content/en/docs/tasks/traffic/client-traffic-policy.md index 894770116ab..42ee63ac43f 100644 --- a/site/content/en/docs/tasks/traffic/client-traffic-policy.md +++ b/site/content/en/docs/tasks/traffic/client-traffic-policy.md @@ -34,10 +34,10 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s @@ -57,10 +57,10 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s @@ -214,10 +214,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true EOF ``` @@ -234,10 +234,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true ``` 
@@ -351,10 +351,10 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -373,10 +373,10 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -502,10 +502,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s @@ -523,10 +523,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s @@ -582,10 +582,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -603,10 +603,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -647,10 +647,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 EOF 
@@ -667,10 +667,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 ``` diff --git a/site/content/en/docs/tasks/traffic/connection-limit.md b/site/content/en/docs/tasks/traffic/connection-limit.md index 55b0e005f8a..e754d1dba81 100644 --- a/site/content/en/docs/tasks/traffic/connection-limit.md +++ b/site/content/en/docs/tasks/traffic/connection-limit.md @@ -68,10 +68,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 @@ -90,10 +90,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 diff --git a/site/content/en/docs/tasks/traffic/fault-injection.md b/site/content/en/docs/tasks/traffic/fault-injection.md index d4f536dbb33..4e0bd62223e 100644 --- a/site/content/en/docs/tasks/traffic/fault-injection.md +++ b/site/content/en/docs/tasks/traffic/fault-injection.md @@ -36,8 +36,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -50,8 +50,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: 
@@ -113,8 +113,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -127,8 +127,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: @@ -210,8 +210,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: @@ -250,8 +250,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: diff --git a/site/content/en/docs/tasks/traffic/global-rate-limit.md b/site/content/en/docs/tasks/traffic/global-rate-limit.md index 83c61861247..3d80caa2e2e 100644 --- a/site/content/en/docs/tasks/traffic/global-rate-limit.md +++ b/site/content/en/docs/tasks/traffic/global-rate-limit.md @@ -236,8 +236,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -265,8 +265,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -454,8 +454,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: 
@@ -483,8 +483,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -655,8 +655,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -680,8 +680,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -811,8 +811,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -860,8 +860,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -951,8 +951,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: @@ -969,8 +969,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: @@ -1019,8 +1019,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: 
@@ -1037,8 +1037,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: diff --git a/site/content/en/docs/tasks/traffic/http-routing.md b/site/content/en/docs/tasks/traffic/http-routing.md index aba57adc9b2..da6e3debfc3 100644 --- a/site/content/en/docs/tasks/traffic/http-routing.md +++ b/site/content/en/docs/tasks/traffic/http-routing.md @@ -141,10 +141,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example @@ -209,10 +209,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example diff --git a/site/content/en/docs/tasks/traffic/http3.md b/site/content/en/docs/tasks/traffic/http3.md index 4fe660ddf7e..1a65339c56c 100644 --- a/site/content/en/docs/tasks/traffic/http3.md +++ b/site/content/en/docs/tasks/traffic/http3.md @@ -70,10 +70,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` @@ -89,10 +89,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/traffic/local-rate-limit.md b/site/content/en/docs/tasks/traffic/local-rate-limit.md index 4284c7e4fe1..15ec9d2f2b5 100644 
--- a/site/content/en/docs/tasks/traffic/local-rate-limit.md +++ b/site/content/en/docs/tasks/traffic/local-rate-limit.md @@ -46,8 +46,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -75,8 +75,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -262,8 +262,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -287,8 +287,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: diff --git a/site/content/en/docs/tasks/traffic/retry.md b/site/content/en/docs/tasks/traffic/retry.md index 83429f35ed7..a0e1eff5767 100644 --- a/site/content/en/docs/tasks/traffic/retry.md +++ b/site/content/en/docs/tasks/traffic/retry.md @@ -56,10 +56,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: @@ -87,10 +87,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: 
diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index 9626dc93752..36930d73785 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md @@ -110,7 +110,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -150,7 +149,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -194,7 +192,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -234,7 +231,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -321,7 +317,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch status: conditions: diff --git a/site/content/en/latest/tasks/extensibility/ext-proc.md b/site/content/en/latest/tasks/extensibility/ext-proc.md index f6b8b5c741a..910332f4740 100644 --- a/site/content/en/latest/tasks/extensibility/ext-proc.md +++ b/site/content/en/latest/tasks/extensibility/ext-proc.md @@ -106,10 +106,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc 
@@ -132,10 +132,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc diff --git a/site/content/en/latest/tasks/extensibility/wasm.md b/site/content/en/latest/tasks/extensibility/wasm.md index 6cb3d1092df..8a640471ee1 100644 --- a/site/content/en/latest/tasks/extensibility/wasm.md +++ b/site/content/en/latest/tasks/extensibility/wasm.md @@ -37,8 +37,8 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: @@ -63,18 +63,18 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: - - name: wasm-filter - rootID: my_root_id - code: - type: HTTP - http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm - sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 + - name: wasm-filter + rootID: my_root_id + code: + type: HTTP + http: + url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 ``` {{% /tab %}} @@ -100,8 +100,8 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: 
@@ -125,17 +125,17 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: - - name: wasm-filter - rootID: my_root_id - code: - type: Image - image: - url: zhaohuabing/testwasm:v0.0.1 + - name: wasm-filter + rootID: my_root_id + code: + type: Image + image: + url: zhaohuabing/testwasm:v0.0.1 ``` {{% /tab %}} diff --git a/site/content/en/latest/tasks/security/basic-auth.md b/site/content/en/latest/tasks/security/basic-auth.md index 79e48156056..38fa436f086 100644 --- a/site/content/en/latest/tasks/security/basic-auth.md +++ b/site/content/en/latest/tasks/security/basic-auth.md @@ -109,10 +109,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" @@ -130,10 +130,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" diff --git a/site/content/en/latest/tasks/security/cors.md b/site/content/en/latest/tasks/security/cors.md index 129e318cc6c..90a972ce4ca 100644 --- a/site/content/en/latest/tasks/security/cors.md +++ b/site/content/en/latest/tasks/security/cors.md @@ -31,8 +31,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: @@ -62,8 +62,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: 
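Review bot: The Image-based Wasm example in the `@@ -125,17 +125,17 @@` hunk of latest/tasks/extensibility/wasm.md references `zhaohuabing/testwasm:v0.0.1` by tag only, with no integrity pin. The HTTP example in the same file (`@@ -63,18 +63,18 @@`) carries a `sha256` next to its `url`. A tag in a personal registry namespace can be re-pushed, so readers who copy this would load whatever the tag points to at pull time. Since these lines are being re-indented anyway, consider adding `sha256: <image-digest-placeholder>` under `image:`, assuming the API version documented here accepts that field on the image source. The v1.1 copy of the page (`@@ -132,17 +132,17 @@`) has the same example.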
diff --git a/site/content/en/latest/tasks/security/ext-auth.md b/site/content/en/latest/tasks/security/ext-auth.md index e0f30e0310f..1d1625d5780 100644 --- a/site/content/en/latest/tasks/security/ext-auth.md +++ b/site/content/en/latest/tasks/security/ext-auth.md @@ -103,15 +103,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] EOF ``` @@ -127,15 +127,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] ``` @@ -289,15 +289,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 EOF ``` @@ -312,15 +312,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 ``` {{% /tab %}} diff --git a/site/content/en/latest/tasks/security/mutual-tls.md b/site/content/en/latest/tasks/security/mutual-tls.md index 4eed29a1c39..4ac9f96430a 100644 
--- a/site/content/en/latest/tasks/security/mutual-tls.md +++ b/site/content/en/latest/tasks/security/mutual-tls.md @@ -88,11 +88,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: @@ -114,11 +113,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md index f7890b5d198..8add22bfbc3 100644 --- a/site/content/en/latest/tasks/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -134,10 +134,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" @@ -160,10 +160,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" @@ -238,10 +238,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" 
@@ -264,10 +264,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" diff --git a/site/content/en/latest/tasks/security/private-key-provider.md b/site/content/en/latest/tasks/security/private-key-provider.md index cf40a96e9e1..79f992aa599 100644 --- a/site/content/en/latest/tasks/security/private-key-provider.md +++ b/site/content/en/latest/tasks/security/private-key-provider.md @@ -433,7 +433,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -475,7 +474,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -520,7 +518,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -562,7 +559,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" diff --git a/site/content/en/latest/tasks/security/restrict-ip-access.md b/site/content/en/latest/tasks/security/restrict-ip-access.md index cfc0fca5050..ab8965d7966 100644 --- a/site/content/en/latest/tasks/security/restrict-ip-access.md +++ b/site/content/en/latest/tasks/security/restrict-ip-access.md @@ -32,8 +32,8 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend authorization: 
@@ -57,17 +57,17 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend authorization: defaultAction: Deny rules: - - action: Allow - principal: - clientCIDRs: - - 10.0.1.0/24 + - action: Allow + principal: + clientCIDRs: + - 10.0.1.0/24 ``` {{% /tab %}} @@ -101,10 +101,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` @@ -122,10 +122,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/latest/tasks/traffic/circuit-breaker.md b/site/content/en/latest/tasks/traffic/circuit-breaker.md index 99887dabae9..6a359c5e0dc 100644 --- a/site/content/en/latest/tasks/traffic/circuit-breaker.md +++ b/site/content/en/latest/tasks/traffic/circuit-breaker.md @@ -73,10 +73,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 @@ -94,10 +94,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 
diff --git a/site/content/en/latest/tasks/traffic/client-traffic-policy.md b/site/content/en/latest/tasks/traffic/client-traffic-policy.md index a6b4a7f9f12..2099ea13685 100644 --- a/site/content/en/latest/tasks/traffic/client-traffic-policy.md +++ b/site/content/en/latest/tasks/traffic/client-traffic-policy.md @@ -33,9 +33,9 @@ metadata: namespace: default spec: targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s @@ -55,10 +55,10 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s @@ -212,10 +212,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true EOF ``` @@ -232,10 +232,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true ``` @@ -350,9 +350,9 @@ metadata: namespace: default spec: targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -371,10 +371,10 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 
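Review bot: In the `@@ -33,9 +33,9 @@` hunk of client-traffic-policy.md the key stays `targetRef:` as a context line while the lines under it become a list item (`- group: gateway.networking.k8s.io`), so the example puts a list under the singular field. The `@@ -350,9 +350,9 @@` hunk has the same mismatch. The sibling examples in this file (`@@ -55,10 +55,10 @@`, `@@ -371,10 +371,10 @@`) rename the key, so these two look like a missed rename and the line should read `targetRefs:`. As written the manifest would presumably be rejected or fail to attach to the Gateway. For the second example that would leave the `clientIPDetection` / `numTrustedHops: 2` setting unapplied, so it is worth applying both variants to confirm.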
@@ -500,10 +500,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s @@ -521,10 +521,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s @@ -580,10 +580,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -601,10 +601,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -645,10 +645,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 EOF @@ -665,10 +665,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 ``` diff --git a/site/content/en/latest/tasks/traffic/connection-limit.md b/site/content/en/latest/tasks/traffic/connection-limit.md index 21f679e73f3..9c0e9bbc1fc 100644 --- a/site/content/en/latest/tasks/traffic/connection-limit.md +++ b/site/content/en/latest/tasks/traffic/connection-limit.md 
@@ -68,10 +68,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 @@ -90,10 +90,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 diff --git a/site/content/en/latest/tasks/traffic/fault-injection.md b/site/content/en/latest/tasks/traffic/fault-injection.md index 040dc18121f..82068c4cf55 100644 --- a/site/content/en/latest/tasks/traffic/fault-injection.md +++ b/site/content/en/latest/tasks/traffic/fault-injection.md @@ -37,8 +37,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -51,8 +51,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: @@ -114,8 +114,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -128,8 +128,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: 
@@ -211,8 +211,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: @@ -251,8 +251,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: diff --git a/site/content/en/latest/tasks/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md index 9dd732a81ca..41286f80e7d 100644 --- a/site/content/en/latest/tasks/traffic/global-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md @@ -235,8 +235,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -264,8 +264,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -453,8 +453,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -482,8 +482,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -654,8 +654,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: 
@@ -679,8 +679,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -810,8 +810,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -859,8 +859,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -950,8 +950,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: @@ -968,8 +968,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: @@ -1018,8 +1018,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: @@ -1036,8 +1036,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: diff --git a/site/content/en/latest/tasks/traffic/http-routing.md b/site/content/en/latest/tasks/traffic/http-routing.md index 705846c6ec9..0f1f3c688fb 100644 --- a/site/content/en/latest/tasks/traffic/http-routing.md +++ b/site/content/en/latest/tasks/traffic/http-routing.md 
@@ -140,10 +140,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example @@ -208,10 +208,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example diff --git a/site/content/en/latest/tasks/traffic/http3.md b/site/content/en/latest/tasks/traffic/http3.md index cb5034284c1..a0fb1594295 100644 --- a/site/content/en/latest/tasks/traffic/http3.md +++ b/site/content/en/latest/tasks/traffic/http3.md @@ -69,10 +69,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` @@ -88,10 +88,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/latest/tasks/traffic/local-rate-limit.md b/site/content/en/latest/tasks/traffic/local-rate-limit.md index a7b920db1c4..62e369044a5 100644 --- a/site/content/en/latest/tasks/traffic/local-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/local-rate-limit.md @@ -43,8 +43,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: 
@@ -72,8 +72,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -259,8 +259,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -284,8 +284,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: diff --git a/site/content/en/latest/tasks/traffic/retry.md b/site/content/en/latest/tasks/traffic/retry.md index 25b7e2519ec..75d151bdff6 100644 --- a/site/content/en/latest/tasks/traffic/retry.md +++ b/site/content/en/latest/tasks/traffic/retry.md @@ -56,10 +56,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: @@ -87,10 +87,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: diff --git a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md index ff819754d1f..7fe84762189 100644 --- a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md 
@@ -111,7 +111,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -151,7 +150,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -195,7 +193,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -235,7 +232,6 @@ spec: group: gateway.networking.k8s.io kind: GatewayClass name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.config.listener.v3.Listener" @@ -322,7 +318,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch status: conditions: diff --git a/site/content/en/v1.1/tasks/extensibility/ext-proc.md b/site/content/en/v1.1/tasks/extensibility/ext-proc.md index 9028447ab09..31ad551c63b 100644 --- a/site/content/en/v1.1/tasks/extensibility/ext-proc.md +++ b/site/content/en/v1.1/tasks/extensibility/ext-proc.md @@ -113,10 +113,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc @@ -139,10 +139,10 @@ kind: EnvoyExtensionPolicy metadata: name: ext-proc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extProc: - backendRefs: - name: grpc-ext-proc diff --git a/site/content/en/v1.1/tasks/extensibility/wasm.md b/site/content/en/v1.1/tasks/extensibility/wasm.md index d973de77950..cb2e013dd80 100644 
--- a/site/content/en/v1.1/tasks/extensibility/wasm.md +++ b/site/content/en/v1.1/tasks/extensibility/wasm.md @@ -44,10 +44,10 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - name: wasm-filter rootID: my_root_id @@ -70,10 +70,10 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - name: wasm-filter rootID: my_root_id @@ -107,8 +107,8 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: @@ -132,17 +132,17 @@ kind: EnvoyExtensionPolicy metadata: name: wasm-test spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend wasm: - - name: wasm-filter - rootID: my_root_id - code: - type: Image - image: - url: zhaohuabing/testwasm:v0.0.1 + - name: wasm-filter + rootID: my_root_id + code: + type: Image + image: + url: zhaohuabing/testwasm:v0.0.1 ``` {{% /tab %}} diff --git a/site/content/en/v1.1/tasks/security/basic-auth.md b/site/content/en/v1.1/tasks/security/basic-auth.md index 956963b6da5..0cd2b92a9a5 100644 --- a/site/content/en/v1.1/tasks/security/basic-auth.md +++ b/site/content/en/v1.1/tasks/security/basic-auth.md @@ -110,10 +110,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" 
@@ -131,10 +131,10 @@ kind: SecurityPolicy metadata: name: basic-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend basicAuth: users: name: "basic-auth" diff --git a/site/content/en/v1.1/tasks/security/cors.md b/site/content/en/v1.1/tasks/security/cors.md index cfbe979cd22..fe711041449 100644 --- a/site/content/en/v1.1/tasks/security/cors.md +++ b/site/content/en/v1.1/tasks/security/cors.md @@ -32,8 +32,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: @@ -63,8 +63,8 @@ kind: SecurityPolicy metadata: name: cors-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: backend cors: diff --git a/site/content/en/v1.1/tasks/security/ext-auth.md b/site/content/en/v1.1/tasks/security/ext-auth.md index 5fc73321106..8b048016a29 100644 --- a/site/content/en/v1.1/tasks/security/ext-auth.md +++ b/site/content/en/v1.1/tasks/security/ext-auth.md @@ -110,15 +110,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] EOF ``` 
@@ -134,15 +134,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: http: - backendRef: - name: http-ext-auth - port: 9002 + backendRefs: + - name: http-ext-auth + port: 9002 headersToBackend: ["x-current-user"] ``` @@ -296,15 +296,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 EOF ``` @@ -319,15 +319,15 @@ kind: SecurityPolicy metadata: name: ext-auth-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp extAuth: grpc: - backendRef: - name: grpc-ext-auth - port: 9002 + backendRefs: + - name: grpc-ext-auth + port: 9002 ``` {{% /tab %}} diff --git a/site/content/en/v1.1/tasks/security/mutual-tls.md b/site/content/en/v1.1/tasks/security/mutual-tls.md index 64f471ba19d..8a28d0d3603 100644 --- a/site/content/en/v1.1/tasks/security/mutual-tls.md +++ b/site/content/en/v1.1/tasks/security/mutual-tls.md @@ -89,11 +89,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: @@ -115,11 +114,10 @@ metadata: name: enable-mtls namespace: default spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default tls: clientValidation: caCertificateRefs: 
diff --git a/site/content/en/v1.1/tasks/security/oidc.md b/site/content/en/v1.1/tasks/security/oidc.md index ac7d6d60ba9..5110cc9745d 100644 --- a/site/content/en/v1.1/tasks/security/oidc.md +++ b/site/content/en/v1.1/tasks/security/oidc.md @@ -135,10 +135,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" @@ -161,10 +161,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: myapp + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: myapp oidc: provider: issuer: "https://accounts.google.com" @@ -239,10 +239,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" @@ -265,10 +265,10 @@ kind: SecurityPolicy metadata: name: oidc-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg oidc: provider: issuer: "https://accounts.google.com" diff --git a/site/content/en/v1.1/tasks/security/private-key-provider.md b/site/content/en/v1.1/tasks/security/private-key-provider.md index cf40a96e9e1..79f992aa599 100644 --- a/site/content/en/v1.1/tasks/security/private-key-provider.md +++ b/site/content/en/v1.1/tasks/security/private-key-provider.md @@ -433,7 +433,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" 
@@ -475,7 +474,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -520,7 +518,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" @@ -562,7 +559,6 @@ spec: group: gateway.networking.k8s.io kind: Gateway name: eg - namespace: default type: JSONPatch jsonPatches: - type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" diff --git a/site/content/en/v1.1/tasks/security/restrict-ip-access.md b/site/content/en/v1.1/tasks/security/restrict-ip-access.md index ba6af118252..9eded4e7197 100644 --- a/site/content/en/v1.1/tasks/security/restrict-ip-access.md +++ b/site/content/en/v1.1/tasks/security/restrict-ip-access.md @@ -33,10 +33,10 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: @@ -58,10 +58,10 @@ kind: SecurityPolicy metadata: name: authorization-client-ip spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: @@ -102,10 +102,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` 
@@ -123,10 +123,10 @@ spec: clientIPDetection: xForwardedFor: numTrustedHops: 1 - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/v1.1/tasks/traffic/circuit-breaker.md b/site/content/en/v1.1/tasks/traffic/circuit-breaker.md index d3631739549..267bb05cce0 100644 --- a/site/content/en/v1.1/tasks/traffic/circuit-breaker.md +++ b/site/content/en/v1.1/tasks/traffic/circuit-breaker.md @@ -72,10 +72,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 @@ -93,10 +93,10 @@ kind: BackendTrafficPolicy metadata: name: circuitbreaker-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend circuitBreaker: maxPendingRequests: 0 maxParallelRequests: 10 diff --git a/site/content/en/v1.1/tasks/traffic/client-traffic-policy.md b/site/content/en/v1.1/tasks/traffic/client-traffic-policy.md index 894770116ab..42ee63ac43f 100644 --- a/site/content/en/v1.1/tasks/traffic/client-traffic-policy.md +++ b/site/content/en/v1.1/tasks/traffic/client-traffic-policy.md @@ -34,10 +34,10 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s 
@@ -57,10 +57,10 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg tcpKeepalive: idleTime: 20m interval: 60s @@ -214,10 +214,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true EOF ``` @@ -234,10 +234,10 @@ metadata: name: enable-proxy-protocol-policy namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg enableProxyProtocol: true ``` @@ -351,10 +351,10 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -373,10 +373,10 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -502,10 +502,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s @@ -523,10 +523,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: requestReceivedTimeout: 2s 
@@ -582,10 +582,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -603,10 +603,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg timeout: http: idleTimeout: 5s @@ -647,10 +647,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 EOF @@ -667,10 +667,10 @@ kind: ClientTrafficPolicy metadata: name: client-timeout spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: bufferLimit: 1024 ``` diff --git a/site/content/en/v1.1/tasks/traffic/connection-limit.md b/site/content/en/v1.1/tasks/traffic/connection-limit.md index 55b0e005f8a..e754d1dba81 100644 --- a/site/content/en/v1.1/tasks/traffic/connection-limit.md +++ b/site/content/en/v1.1/tasks/traffic/connection-limit.md @@ -68,10 +68,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 @@ -90,10 +90,10 @@ metadata: name: connection-limit-ctp namespace: default spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg connection: connectionLimit: value: 5 
diff --git a/site/content/en/v1.1/tasks/traffic/fault-injection.md b/site/content/en/v1.1/tasks/traffic/fault-injection.md index d4f536dbb33..4e0bd62223e 100644 --- a/site/content/en/v1.1/tasks/traffic/fault-injection.md +++ b/site/content/en/v1.1/tasks/traffic/fault-injection.md @@ -36,8 +36,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -50,8 +50,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: @@ -113,8 +113,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-50-percent-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: foo faultInjection: @@ -127,8 +127,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-delay spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: bar faultInjection: @@ -210,8 +210,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: @@ -250,8 +250,8 @@ kind: BackendTrafficPolicy metadata: name: fault-injection-abort spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: GRPCRoute name: yages faultInjection: diff --git a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md index 83c61861247..3d80caa2e2e 100644 --- a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md +++ b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md 
@@ -236,8 +236,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -265,8 +265,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -454,8 +454,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -483,8 +483,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -655,8 +655,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -680,8 +680,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -811,8 +811,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -860,8 +860,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: 
@@ -951,8 +951,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: @@ -969,8 +969,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: @@ -1019,8 +1019,8 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example jwt: @@ -1037,8 +1037,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: example rateLimit: diff --git a/site/content/en/v1.1/tasks/traffic/http-routing.md b/site/content/en/v1.1/tasks/traffic/http-routing.md index aba57adc9b2..da6e3debfc3 100644 --- a/site/content/en/v1.1/tasks/traffic/http-routing.md +++ b/site/content/en/v1.1/tasks/traffic/http-routing.md @@ -141,10 +141,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example @@ -209,10 +209,10 @@ kind: SecurityPolicy metadata: name: jwt-example spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: jwt-claim-routing + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: jwt-claim-routing jwt: providers: - name: example diff --git a/site/content/en/v1.1/tasks/traffic/http3.md b/site/content/en/v1.1/tasks/traffic/http3.md index 4fe660ddf7e..1a65339c56c 100644 --- a/site/content/en/v1.1/tasks/traffic/http3.md +++ b/site/content/en/v1.1/tasks/traffic/http3.md 
@@ -70,10 +70,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg EOF ``` @@ -89,10 +89,10 @@ metadata: name: enable-http3 spec: http3: {} - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: eg ``` {{% /tab %}} diff --git a/site/content/en/v1.1/tasks/traffic/local-rate-limit.md b/site/content/en/v1.1/tasks/traffic/local-rate-limit.md index 4284c7e4fe1..15ec9d2f2b5 100644 --- a/site/content/en/v1.1/tasks/traffic/local-rate-limit.md +++ b/site/content/en/v1.1/tasks/traffic/local-rate-limit.md @@ -46,8 +46,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -75,8 +75,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -262,8 +262,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: @@ -287,8 +287,8 @@ kind: BackendTrafficPolicy metadata: name: policy-httproute spec: - targetRef: - group: gateway.networking.k8s.io + targetRefs: + - group: gateway.networking.k8s.io kind: HTTPRoute name: http-ratelimit rateLimit: diff --git a/site/content/en/v1.1/tasks/traffic/retry.md b/site/content/en/v1.1/tasks/traffic/retry.md index 83429f35ed7..a0e1eff5767 100644 --- a/site/content/en/v1.1/tasks/traffic/retry.md +++ b/site/content/en/v1.1/tasks/traffic/retry.md 
@@ -56,10 +56,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: @@ -87,10 +87,10 @@ kind: BackendTrafficPolicy metadata: name: retry-for-route spec: - targetRef: - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend retry: numRetries: 5 perRetry: From 20f31960dc3b0fe3df9d3f362ddc31402cf12125 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 16 Aug 2024 03:18:58 +0800 Subject: [PATCH 050/523] chore: bump deps (#4045) * chore: bump deps Signed-off-by: zirain * more Signed-off-by: zirain * lint Signed-off-by: zirain --------- Signed-off-by: zirain --- examples/extension-server/go.mod | 8 ++--- examples/extension-server/go.sum | 20 ++++++------ go.mod | 28 ++++++++-------- go.sum | 56 ++++++++++++++++---------------- 4 files changed, 56 insertions(+), 56 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index f20e9f23ba5..1a7b930780a 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod 
@@ -29,11 +29,11 @@ require (
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
- golang.org/x/net v0.27.0 // indirect
- golang.org/x/sys v0.23.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/net v0.28.0 // indirect
+ golang.org/x/sys v0.24.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum
index 2b8472bc0a1..e797c4d018d 100644
--- a/examples/extension-server/go.sum
+++ b/examples/extension-server/go.sum
@@ -76,34 +76,34 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod 
h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 
h1:OsSGQeIIsyOEOimVxLEIL4rwGcnrjOydQaiA2bOnZUM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/go.mod b/go.mod index 6fbae3f4dbe..4e510a60edf 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22.5 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( - fortio.org/fortio v1.66.0 + fortio.org/fortio v1.66.1 fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.2.1 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b @@ -23,7 +23,7 @@ require ( github.com/golang/protobuf v1.5.4 github.com/google/cel-go v0.21.0 github.com/google/go-cmp v0.6.0 - github.com/google/go-containerregistry v0.20.1 + github.com/google/go-containerregistry v0.20.2 github.com/grafana/tempo v1.5.0 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.61 @@ -44,8 +44,8 @@ require ( go.opentelemetry.io/otel/sdk/metric v1.28.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 - golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 - golang.org/x/sys v0.23.0 + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + golang.org/x/sys v0.24.0 google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 
@@ -76,10 +76,10 @@ require (
 cloud.google.com/go/storage v1.40.0 // indirect
 dario.cat/mergo v1.0.0 // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
- fortio.org/cli v1.7.0 // indirect
+ fortio.org/cli v1.8.0 // indirect
 fortio.org/dflag v1.7.2 // indirect
 fortio.org/scli v1.15.1 // indirect
- fortio.org/sets v1.1.1 // indirect
+ fortio.org/sets v1.2.0 // indirect
 fortio.org/struct2env v0.4.1 // indirect
 fortio.org/version v1.0.4 // indirect
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
@@ -205,8 +205,8 @@ require (
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
- golang.org/x/crypto v0.25.0 // indirect
- golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658 // indirect
+ golang.org/x/crypto v0.26.0 // indirect
+ golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 // indirect
 google.golang.org/api v0.172.0 // indirect
 google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
@@ -276,16 +276,16 @@ require (
 go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/mod v0.19.0 // indirect
- golang.org/x/net v0.27.0
+ golang.org/x/net v0.28.0
 golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sync v0.7.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/sync v0.8.0 // indirect
+ golang.org/x/term v0.23.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
 golang.org/x/time v0.5.0 // indirect
- golang.org/x/tools v0.22.0 // indirect
+ golang.org/x/tools v0.23.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/component-base v0.30.3 // indirect
diff --git a/go.sum b/go.sum
index 1b08c27c204..33c25103e3a 100644
--- a/go.sum
+++ b/go.sum
@@ -191,18 +191,18 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls= -fortio.org/cli v1.7.0 h1:w+uXZLGi4t3Vn/BvbeMuSw84Z1pvNPG9HqeGfpP68cc= -fortio.org/cli v1.7.0/go.mod h1:s4vxWz7P7T4cYOWdMF0NA693Nu1gK9OW4KoDj54/Do4= +fortio.org/cli v1.8.0 h1:Mz1phmUwkQaXESGb1nIWBY+CHli/GYIlhwpktorh9sY= +fortio.org/cli v1.8.0/go.mod h1:pk/JBE8LcXtNuo5Yj2bLsVbwPaHo8NWdbstSN0cpbFk= fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0= fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U= -fortio.org/fortio v1.66.0 h1:9F/200qIu136z847bxs/NeAoYdJaQlVofYlppi3qwcw= -fortio.org/fortio v1.66.0/go.mod h1:eUl5MRscw6CiWAStai8aB3/8unxA9uNzJRXdhKEaq1s= +fortio.org/fortio v1.66.1 h1:NiVVHUy/DkMoOA/oLJHs0slsTnm/h3ocLbSfvP6NXIc= +fortio.org/fortio v1.66.1/go.mod h1:3qkJSza2B2PC8TVen78wIupHgnsXvlzUnSvgQfiKfUM= fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc= fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= fortio.org/scli v1.15.1 h1:Upza50brpEZwUk8Nn2gdP4BjgqJZY3J+z7KLrrAzPjY= fortio.org/scli v1.15.1/go.mod h1:9LOD4iPe9u73KeJGYC/Af1oFniOafO7oZ9VvwENMf/c= -fortio.org/sets v1.1.1 h1:Q7Z1Ft2lpUc1N7bfI8HofIK0QskrOflfYRyKT2LzBng= -fortio.org/sets v1.1.1/go.mod h1:J2BwIxNOLWsSU7IMZUg541kh3Au4JEKHrghVwXs68tE= +fortio.org/sets v1.2.0 h1:FBfC7R2xrOJtkcioUbY6WqEzdujuBoZRbSdp1fYF4Kk= +fortio.org/sets v1.2.0/go.mod h1:J2BwIxNOLWsSU7IMZUg541kh3Au4JEKHrghVwXs68tE= fortio.org/struct2env v0.4.1 h1:rJludAMO5eBvpWplWEQNqoVDFZr4RWMQX7RUapgZyc0= fortio.org/struct2env v0.4.1/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410= fortio.org/version v1.0.4 h1:FWUMpJ+hVTNc4RhvvOJzb0xesrlRmG/a+D6bjbQ4+5U= 
@@ -618,8 +618,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= -github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/go-intervals v0.0.2 h1:FGrVEiUnTRKR8yE04qzXYaJMtnIYqobR5QbblK3ixcM= github.com/google/go-intervals v0.0.2/go.mod h1:MkaR3LNRfeKLPmqgJYs4E66z5InYjmCjbbr4TQlcT6Y= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -1206,10 +1206,10 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658 h1:i7K6wQLN/0oxF7FT3tKkfMCstxoT4VGG36YIB9ZKLzI= -golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 h1:oWb21rU9Q9XrRwXLB7jHc1rbp6EiiimZZv5MLxpu4T0= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1220,8 +1220,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1311,8 +1311,8 @@ golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1354,8 +1354,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1449,14 +1449,14 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1468,8 +1468,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1537,8 +1537,8 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1714,8 +1714,8 @@ google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUE google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 h1:OsSGQeIIsyOEOimVxLEIL4rwGcnrjOydQaiA2bOnZUM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From 8ba1e0a16690f549b969088905a1185696dc6d4a Mon Sep 17 00:00:00 2001 From: sh2 Date: Fri, 16 Aug 2024 03:19:13 +0800 Subject: [PATCH 051/523] chore: enable copyloopvar lint (#4047) enable copyloopvar lint 
Signed-off-by: shawnh2 --- .../validation/envoygateway_validate_test.go | 1 - internal/cmd/egctl/config.go | 2 -- internal/cmd/egctl/translate_test.go | 2 -- internal/cmd/egctl/version.go | 1 - internal/cmd/server_test.go | 1 - internal/envoygateway/config/config_test.go | 1 - internal/envoygateway/config/decoder_test.go | 1 - .../registry/extension_manager_test.go | 1 - .../gatewayapi/backendtrafficpolicy_test.go | 1 - internal/gatewayapi/helpers_test.go | 3 --- internal/gatewayapi/route.go | 4 --- internal/gatewayapi/runner/runner.go | 3 --- internal/gatewayapi/runner/runner_test.go | 1 - internal/gatewayapi/securitypolicy.go | 1 - internal/gatewayapi/status/gateway_test.go | 1 - internal/gatewayapi/tls_test.go | 2 -- internal/gatewayapi/translator_test.go | 4 --- .../globalratelimit/runner/runner_test.go | 1 - .../kubernetes/proxy/resource_test.go | 1 - .../kubernetes/proxy_configmap_test.go | 2 -- .../kubernetes/proxy_daemonset_test.go | 1 - .../kubernetes/proxy_deployment_test.go | 2 -- .../kubernetes/proxy_infra_test.go | 2 -- .../kubernetes/proxy_service_test.go | 1 - .../kubernetes/proxy_serviceaccount_test.go | 1 - .../ratelimit/resource_provider_test.go | 2 -- .../kubernetes/ratelimit_deployment_test.go | 2 -- .../kubernetes/ratelimit_infra_test.go | 2 -- .../kubernetes/ratelimit_service_test.go | 1 - .../ratelimit_serviceaccount_test.go | 1 - .../kubernetes/resource/resource_test.go | 1 - internal/ir/infra_test.go | 4 --- internal/ir/xds_test.go | 10 -------- internal/metrics/otel_label.go | 3 +-- internal/provider/kubernetes/controller.go | 25 +++++++------------ .../provider/kubernetes/controller_test.go | 2 -- internal/provider/kubernetes/filters.go | 1 - internal/provider/kubernetes/helpers_test.go | 2 -- internal/provider/kubernetes/predicates.go | 2 -- .../provider/kubernetes/predicates_test.go | 9 ------- internal/provider/kubernetes/routes.go | 15 ++++------- internal/provider/kubernetes/routes_test.go | 1 - 
internal/provider/runner/runner_test.go | 1 - internal/utils/misc_test.go | 1 - internal/xds/server/runner/runner_test.go | 1 - internal/xds/translator/translator_test.go | 3 --- .../xds/types/resourceversiontable_test.go | 3 --- tools/linter/golangci-lint/.golangci.yml | 3 +++ 48 files changed, 18 insertions(+), 118 deletions(-) diff --git a/api/v1alpha1/validation/envoygateway_validate_test.go b/api/v1alpha1/validation/envoygateway_validate_test.go index 004a5ac8298..7bc6bbf3b23 100644 --- a/api/v1alpha1/validation/envoygateway_validate_test.go +++ b/api/v1alpha1/validation/envoygateway_validate_test.go @@ -662,7 +662,6 @@ func TestValidateEnvoyGateway(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := ValidateEnvoyGateway(tc.eg) if !tc.expect { diff --git a/internal/cmd/egctl/config.go b/internal/cmd/egctl/config.go index 13a0f6bed21..501146676e0 100644 --- a/internal/cmd/egctl/config.go +++ b/internal/cmd/egctl/config.go @@ -79,7 +79,6 @@ func retrieveConfigDump(args []string, includeEds bool, configType envoyConfigTy var wg sync.WaitGroup wg.Add(len(pods)) for _, pod := range pods { - pod := pod go func() { fw, err := portForwarder(cli, pod, adminPort) if err != nil { @@ -170,7 +169,6 @@ func fetchRunningEnvoyPods(c kube.CLIClient, nn types.NamespacedName, labelSelec podsNamespacedNames := []types.NamespacedName{} for _, pod := range pods { - pod := pod podNsName := utils.NamespacedName(&pod) if pod.Status.Phase != "Running" { return podsNamespacedNames, fmt.Errorf("pod %s is not running", podNsName) diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 43fac41ebdd..9207c8bb75b 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go 
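Review bot: In `retrieveConfigDump` (internal/cmd/egctl/config.go, hunk at line 79) the goroutine started inside `for _, pod := range pods` now captures the range variable itself, because `pod := pod` is removed and `go func() {` still takes no argument; this is only correct when the module builds with Go 1.22 per-iteration loop variables, and with an older `go` directive every goroutine could port-forward to the last pod and return the wrong proxy's config dump. The `go` directive is not part of this patch, so it should be confirmed as 1.22 or later, and I would leave a marker at the capture site such as `// pod is captured per iteration (requires go >= 1.22 in go.mod)`. The same dependency applies in internal/gatewayapi/runner/runner.go, where `&extServerPolicy` is taken from the range variable and `&backendTLSPolicy.Status` and `&envoyExtensionPolicy.Status` are stored in the status maps; those stores are independent of loop semantics only if the slice elements are pointers, which the hunks do not show. Both function bodies continue outside their hunks.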
@@ -292,8 +292,6 @@ func TestTranslate(t *testing.T) { flag.Parse() for _, tc := range testCases { - tc := tc - t.Run(tc.name+"|"+tc.resourceType, func(t *testing.T) { b := bytes.NewBufferString("") root := newTranslateCommand() diff --git a/internal/cmd/egctl/version.go b/internal/cmd/egctl/version.go index 5cab0035358..7492effeee6 100644 --- a/internal/cmd/egctl/version.go +++ b/internal/cmd/egctl/version.go @@ -99,7 +99,6 @@ func versions(w io.Writer, containerName, output string, remote bool) error { } for _, pod := range pods.Items { - pod := pod if pod.Status.Phase != "Running" { fmt.Fprintf(w, "WARN: pod %s/%s is not running, skipping it.", pod.Namespace, pod.Name) diff --git a/internal/cmd/server_test.go b/internal/cmd/server_test.go index dffe10670c9..4ce4178dbfd 100644 --- a/internal/cmd/server_test.go +++ b/internal/cmd/server_test.go @@ -52,7 +52,6 @@ func TestGetConfigValidate(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { file, err := os.CreateTemp("", "config") require.NoError(t, err) diff --git a/internal/envoygateway/config/config_test.go b/internal/envoygateway/config/config_test.go index 2b3f461f762..59bba129434 100644 --- a/internal/envoygateway/config/config_test.go +++ b/internal/envoygateway/config/config_test.go @@ -63,7 +63,6 @@ func TestValidate(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := tc.cfg.Validate() if !tc.expect { diff --git a/internal/envoygateway/config/decoder_test.go b/internal/envoygateway/config/decoder_test.go index 67520f2e5dd..5bbbb959ed7 100644 --- a/internal/envoygateway/config/decoder_test.go +++ b/internal/envoygateway/config/decoder_test.go @@ -347,7 +347,6 @@ func TestDecode(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.in, func(t *testing.T) { eg, err := Decode(tc.in) if tc.expect { 
diff --git a/internal/extension/registry/extension_manager_test.go b/internal/extension/registry/extension_manager_test.go index f64160ed5ca..a6cd9751d2e 100644 --- a/internal/extension/registry/extension_manager_test.go +++ b/internal/extension/registry/extension_manager_test.go @@ -65,7 +65,6 @@ func TestGetExtensionServerAddress(t *testing.T) { } for _, tc := range tests { - tc := tc t.Run(tc.Name, func(t *testing.T) { out := getExtensionServerAddress(tc.Service) require.Equal(t, tc.Expected, out) diff --git a/internal/gatewayapi/backendtrafficpolicy_test.go b/internal/gatewayapi/backendtrafficpolicy_test.go index d40d1e68c76..ebf721fb07d 100644 --- a/internal/gatewayapi/backendtrafficpolicy_test.go +++ b/internal/gatewayapi/backendtrafficpolicy_test.go @@ -46,7 +46,6 @@ func TestInt64ToUint32(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.Name, func(t *testing.T) { out, success := int64ToUint32(tc.In) require.Equal(t, tc.Out, out) diff --git a/internal/gatewayapi/helpers_test.go b/internal/gatewayapi/helpers_test.go index a6469715f4d..5698867c3ca 100644 --- a/internal/gatewayapi/helpers_test.go +++ b/internal/gatewayapi/helpers_test.go @@ -97,7 +97,6 @@ func TestValidateGRPCFilterRef(t *testing.T) { }, } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := ValidateGRPCRouteFilter(tc.filter, schema.GroupKind{Group: "example.io", Kind: "Foo"}) if tc.expected { @@ -189,7 +188,6 @@ func TestValidateHTTPFilterRef(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := ValidateHTTPRouteFilter(tc.filter, schema.GroupKind{Group: "example.io", Kind: "Foo"}) if tc.expected { @@ -479,7 +477,6 @@ func TestGetPolicyTargetRefs(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { results := getPolicyTargetRefs(tc.policy, tc.targets) require.ElementsMatch(t, results, tc.results) 
diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 8a3c0272276..67f35f2a4d5 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -196,7 +196,6 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe dstAddrTypeMap := make(map[ir.DestinationAddressType]int) for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ds := t.processDestination(backendRef, parentRef, httpRoute, resources) if !t.IsEnvoyServiceRouting(envoyProxy) && ds != nil && len(ds.Endpoints) > 0 && ds.AddressType != nil { @@ -552,7 +551,6 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe } for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ds := t.processDestination(backendRef, parentRef, grpcRoute, resources) if ds == nil { continue @@ -833,7 +831,6 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour // compute backends for _, rule := range tlsRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ds := t.processDestination(backendRef, parentRef, tlsRoute, resources) if ds != nil { destSettings = append(destSettings, ds) @@ -1107,7 +1104,6 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour } for _, backendRef := range tcpRoute.Spec.Rules[0].BackendRefs { - backendRef := backendRef ds := t.processDestination(backendRef, parentRef, tcpRoute, resources) if ds == nil { continue diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 8b9b57fc839..c9bdead8236 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go 
@@ -227,7 +227,6 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // their target is not found (not relevant) for _, backendTLSPolicy := range result.BackendTLSPolicies { - backendTLSPolicy := backendTLSPolicy key := utils.NamespacedName(backendTLSPolicy) if !(reflect.ValueOf(backendTLSPolicy.Status).IsZero()) { r.ProviderResources.BackendTLSPolicyStatuses.Store(key, &backendTLSPolicy.Status) @@ -257,7 +256,6 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { delete(statusesToDelete.SecurityPolicyStatusKeys, key) } for _, envoyExtensionPolicy := range result.EnvoyExtensionPolicies { - envoyExtensionPolicy := envoyExtensionPolicy key := utils.NamespacedName(envoyExtensionPolicy) if !(reflect.ValueOf(envoyExtensionPolicy.Status).IsZero()) { r.ProviderResources.EnvoyExtensionPolicyStatuses.Store(key, &envoyExtensionPolicy.Status) @@ -265,7 +263,6 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { delete(statusesToDelete.EnvoyExtensionPolicyStatusKeys, key) } for _, extServerPolicy := range result.ExtensionServerPolicies { - extServerPolicy := extServerPolicy key := message.NamespacedNameAndGVK{ NamespacedName: utils.NamespacedName(&extServerPolicy), GroupVersionKind: extServerPolicy.GroupVersionKind(), diff --git a/internal/gatewayapi/runner/runner_test.go b/internal/gatewayapi/runner/runner_test.go index 5f3bc2a6544..502a96950fa 100644 --- a/internal/gatewayapi/runner/runner_test.go +++ b/internal/gatewayapi/runner/runner_test.go @@ -105,7 +105,6 @@ func TestGetIRKeysToDelete(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { assert.ElementsMatch(t, tc.delKeys, getIRKeysToDelete(tc.curKeys, tc.newKeys)) }) diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 125505aa5ad..84fac382aa2 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -523,7 +523,6 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS { var allowOrigins []*ir.StringMatch for _, origin := range cors.AllowOrigins { - origin := origin if isWildcard(string(origin)) { regexStr := wildcard2regex(string(origin)) allowOrigins = append(allowOrigins, &ir.StringMatch{ diff --git a/internal/gatewayapi/status/gateway_test.go b/internal/gatewayapi/status/gateway_test.go index 0be99b7d4bf..8c87c16190a 100644 --- a/internal/gatewayapi/status/gateway_test.go +++ b/internal/gatewayapi/status/gateway_test.go @@ -250,7 +250,6 @@ func TestUpdateGatewayProgrammedCondition(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() gtw := &gwapiv1.Gateway{} diff --git a/internal/gatewayapi/tls_test.go b/internal/gatewayapi/tls_test.go index d97824382ce..87e8b27cad6 100644 --- a/internal/gatewayapi/tls_test.go +++ b/internal/gatewayapi/tls_test.go @@ -159,7 +159,6 @@ func TestValidateTLSSecretsData(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.Name, func(t *testing.T) { secrets := createTestSecrets(t, tc.CertFile, tc.KeyFile) require.NotNil(t, secrets) @@ -204,7 +203,6 @@ func TestValidateCertificate(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.Name, func(t *testing.T) { certData, err := os.ReadFile(filepath.Join("testdata", "tls", tc.CertFile)) require.NoError(t, err) diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 357f6586bee..42bb1ca37b7 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go @@ -64,7 +64,6 @@ func TestTranslate(t *testing.T) { require.NoError(t, err) for _, inputFile := range inputFiles { - inputFile := inputFile t.Run(testName(inputFile), func(t *testing.T) { input, err := os.ReadFile(inputFile) require.NoError(t, err) 
@@ -331,7 +330,6 @@ func TestTranslateWithExtensionKinds(t *testing.T) { require.NoError(t, err) for _, inputFile := range inputFiles { - inputFile := inputFile t.Run(testName(inputFile), func(t *testing.T) { input, err := os.ReadFile(inputFile) require.NoError(t, err) @@ -625,7 +623,6 @@ func TestIsValidHostname(t *testing.T) { } for _, tc := range testcases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := translator.validateHostname(tc.hostname) if tc.err == "" { @@ -745,7 +742,6 @@ func TestIsValidCrossNamespaceRef(t *testing.T) { testcases = append(testcases, modified) for _, tc := range testcases { - tc := tc t.Run(tc.name, func(t *testing.T) { var referenceGrants []*gwapiv1b1.ReferenceGrant if tc.referenceGrant != nil { diff --git a/internal/globalratelimit/runner/runner_test.go b/internal/globalratelimit/runner/runner_test.go index e25f714792b..80598f7906e 100644 --- a/internal/globalratelimit/runner/runner_test.go +++ b/internal/globalratelimit/runner/runner_test.go @@ -202,7 +202,6 @@ func Test_subscribeAndTranslate(t *testing.T) { } for _, tt := range testCases { - tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() diff --git a/internal/infrastructure/kubernetes/proxy/resource_test.go b/internal/infrastructure/kubernetes/proxy/resource_test.go index 3cf71f2aea2..31054b1ef1d 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_test.go @@ -30,7 +30,6 @@ func TestEnvoyPodSelector(t *testing.T) { } for _, tc := range cases { - tc := tc t.Run("", func(t *testing.T) { got := envoyLabels(tc.in) require.Equal(t, tc.expected, got) diff --git a/internal/infrastructure/kubernetes/proxy_configmap_test.go b/internal/infrastructure/kubernetes/proxy_configmap_test.go index b16a0f61bbf..a761b569498 100644 --- a/internal/infrastructure/kubernetes/proxy_configmap_test.go +++ b/internal/infrastructure/kubernetes/proxy_configmap_test.go 
@@ -95,7 +95,6 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var cli client.Client if tc.current != nil { @@ -162,7 +161,6 @@ func TestDeleteConfigProxyMap(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { cli := fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.current).Build() kube := NewInfra(cli, cfg) diff --git a/internal/infrastructure/kubernetes/proxy_daemonset_test.go b/internal/infrastructure/kubernetes/proxy_daemonset_test.go index 4901caec8cc..e9fef86470c 100644 --- a/internal/infrastructure/kubernetes/proxy_daemonset_test.go +++ b/internal/infrastructure/kubernetes/proxy_daemonset_test.go @@ -229,7 +229,6 @@ func TestCreateOrUpdateProxyDaemonSet(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var cli client.Client if tc.current != nil { diff --git a/internal/infrastructure/kubernetes/proxy_deployment_test.go b/internal/infrastructure/kubernetes/proxy_deployment_test.go index 88537981b7d..616101e18a2 100644 --- a/internal/infrastructure/kubernetes/proxy_deployment_test.go +++ b/internal/infrastructure/kubernetes/proxy_deployment_test.go @@ -222,7 +222,6 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var cli client.Client if tc.current != nil { @@ -279,7 +278,6 @@ func TestDeleteProxyDeployment(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { kube := NewInfra(cli, cfg) diff --git a/internal/infrastructure/kubernetes/proxy_infra_test.go b/internal/infrastructure/kubernetes/proxy_infra_test.go index 5c8a8d34695..de0690e82c8 100644 --- a/internal/infrastructure/kubernetes/proxy_infra_test.go +++ b/internal/infrastructure/kubernetes/proxy_infra_test.go 
@@ -143,7 +143,6 @@ func TestCreateProxyInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() kube := newTestInfra(t) @@ -210,7 +209,6 @@ func TestDeleteProxyInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() kube := newTestInfra(t) diff --git a/internal/infrastructure/kubernetes/proxy_service_test.go b/internal/infrastructure/kubernetes/proxy_service_test.go index 0c1c0cc6b89..ffc8e4912e6 100644 --- a/internal/infrastructure/kubernetes/proxy_service_test.go +++ b/internal/infrastructure/kubernetes/proxy_service_test.go @@ -26,7 +26,6 @@ func TestDeleteProxyService(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { kube := newTestInfra(t) infra := ir.NewInfra() diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go index 2b92fc53417..9aed62b6e6b 100644 --- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go +++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go @@ -166,7 +166,6 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { cfg, err := config.New() require.NoError(t, err) diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go index 4ee3a144bd9..47c4901e198 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go @@ -56,7 +56,6 @@ func TestRateLimitLabelSelector(t *testing.T) { } for _, tc := range cases { - tc := tc t.Run(tc.name, func(t *testing.T) { got := LabelSelector() require.ElementsMatch(t, tc.expected, got) 
@@ -80,7 +79,6 @@ func TestRateLimitLabels(t *testing.T) { } for _, tc := range cases { - tc := tc t.Run(tc.name, func(t *testing.T) { got := rateLimitLabels() require.Equal(t, tc.expected, got) diff --git a/internal/infrastructure/kubernetes/ratelimit_deployment_test.go b/internal/infrastructure/kubernetes/ratelimit_deployment_test.go index d57e003d383..ea0e5017fd3 100644 --- a/internal/infrastructure/kubernetes/ratelimit_deployment_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_deployment_test.go @@ -64,7 +64,6 @@ func TestCreateOrUpdateRateLimitDeployment(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var cli client.Client if tc.current != nil { @@ -120,7 +119,6 @@ func TestDeleteRateLimitDeployment(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { kube := newTestInfra(t) kube.EnvoyGateway.RateLimit = rl diff --git a/internal/infrastructure/kubernetes/ratelimit_infra_test.go b/internal/infrastructure/kubernetes/ratelimit_infra_test.go index a5934b12086..1b4976ac361 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_infra_test.go @@ -127,7 +127,6 @@ func TestCreateRateLimitInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() kube := newTestInfra(t) @@ -193,7 +192,6 @@ func TestDeleteRateLimitInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() kube := newTestInfra(t) diff --git a/internal/infrastructure/kubernetes/ratelimit_service_test.go b/internal/infrastructure/kubernetes/ratelimit_service_test.go index d117d9d57bf..db6578e2a31 100644 --- a/internal/infrastructure/kubernetes/ratelimit_service_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_service_test.go 
@@ -34,7 +34,6 @@ func TestDeleteRateLimitService(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { kube := newTestInfra(t) diff --git a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go index 53084f6620d..630fa2e330a 100644 --- a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go +++ b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go @@ -88,7 +88,6 @@ func TestCreateOrUpdateRateLimitServiceAccount(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var cli client.Client if tc.current != nil { diff --git a/internal/infrastructure/kubernetes/resource/resource_test.go b/internal/infrastructure/kubernetes/resource/resource_test.go index b65549911c7..52c1d73f6da 100644 --- a/internal/infrastructure/kubernetes/resource/resource_test.go +++ b/internal/infrastructure/kubernetes/resource/resource_test.go @@ -156,7 +156,6 @@ func TestGetSelector(t *testing.T) { } for _, tc := range cases { - tc := tc t.Run("", func(t *testing.T) { got := GetSelector(tc.in) require.Equal(t, tc.expected, got.MatchLabels) diff --git a/internal/ir/infra_test.go b/internal/ir/infra_test.go index dcc1e0324d5..92781e06c61 100644 --- a/internal/ir/infra_test.go +++ b/internal/ir/infra_test.go @@ -116,7 +116,6 @@ func TestValidateInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := tc.infra.Validate() if !tc.expect { @@ -142,7 +141,6 @@ func TestNewInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { actual := NewInfra() require.Equal(t, tc.expected, actual) @@ -165,7 +163,6 @@ func TestNewProxyInfra(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { actual := NewProxyInfra() require.Equal(t, tc.expected, actual) 
@@ -205,7 +202,6 @@ func TestObjectName(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { actual := tc.infra.Proxy.ObjectName() require.Equal(t, tc.expected, actual) diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 6724549e39f..876e37f9e13 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -577,7 +577,6 @@ func TestValidateXds(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -632,7 +631,6 @@ func TestValidateHTTPListener(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -684,7 +682,6 @@ func TestValidateTCPListener(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -734,7 +731,6 @@ func TestValidateTLSListenerConfig(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -847,7 +843,6 @@ func TestValidateUDPListener(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -999,7 +994,6 @@ func TestValidateHTTPRoute(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -1041,7 +1035,6 @@ func TestValidateTCPRoute(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) 
@@ -1167,7 +1160,6 @@ func TestValidateRouteDestination(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -1207,7 +1199,6 @@ func TestValidateStringMatch(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { if test.want == nil { require.NoError(t, test.input.Validate()) @@ -1345,7 +1336,6 @@ func TestPrintable(t *testing.T) { }, } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { assert.Equal(t, *test.want, *test.input.Printable()) }) diff --git a/internal/metrics/otel_label.go b/internal/metrics/otel_label.go index bcf4c472209..8c4c54c339c 100644 --- a/internal/metrics/otel_label.go +++ b/internal/metrics/otel_label.go @@ -58,8 +58,7 @@ func mergeLabelValues(attrs []attribute.KeyValue, labelValues []LabelValue) ([]a mergedAttrs := make([]attribute.KeyValue, 0, len(attrs)+len(labelValues)) mergedAttrs = append(mergedAttrs, attrs...) for _, v := range labelValues { - kv := v - mergedAttrs = append(mergedAttrs, kv.keyValue) + mergedAttrs = append(mergedAttrs, v.keyValue) } return mergedAttrs, attribute.NewSet(mergedAttrs...) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 73d8799e900..8078e767f8a 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -190,7 +190,6 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques gwcResources := make(gatewayapi.ControllerResources, 0, len(managedGCs)) for _, managedGC := range managedGCs { // Initialize resource types. - managedGC := managedGC gwcResource := gatewayapi.NewResources() gwcResource.GatewayClass = managedGC gwcResources = append(gwcResources, gwcResource) 
@@ -348,7 +347,6 @@ func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gw var cc controlledClasses for _, gwClass := range gatewayClasses.Items { - gwClass := gwClass if gwClass.Spec.ControllerName == r.classController { // The gatewayclass was marked for deletion and the finalizer removed, // so clean-up dependents. @@ -435,7 +433,7 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour backendRefKind, string(backendRef.Name)) } else { for _, endpointSlice := range endpointSliceList.Items { - endpointSlice := endpointSlice + endpointSlice := endpointSlice //nolint:copyloopvar r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, "name", endpointSlice.Name) gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) @@ -756,7 +754,6 @@ func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to if r.namespaceLabel != nil { var rgs []gwapiv1b1.ReferenceGrant for _, refGrant := range refGrants { - refGrant := refGrant if ok, err := r.checkObjectNamespaceLabels(&refGrant); err != nil { r.log.Error(err, "failed to check namespace labels for ReferenceGrant %s in namespace %s: %w", refGrant.GetName(), refGrant.GetNamespace()) continue @@ -816,7 +813,7 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } for _, gtw := range gatewayList.Items { - gtw := gtw + gtw := gtw //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(>w); err != nil { r.log.Error(err, "failed to check namespace labels for gateway %s in namespace %s: %w", gtw.GetName(), gtw.GetNamespace()) 
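Review bot: The `//nolint:copyloopvar` added to `endpointSlice := endpointSlice` in processBackendRefs gives no reason, so a reader cannot tell why this copy is kept while the same pattern is deleted elsewhere in the commit. The copy's address is appended to `gwcResource.EndpointSlices` two lines further down, which is presumably the motivation. State that on the directive, e.g. `endpointSlice := endpointSlice //nolint:copyloopvar // address is stored in gwcResource.EndpointSlices`. The same bare directive is added to the `gtw`, `policy`, `backend` and per-route copies in controller.go and routes.go. The loop body continues outside the hunk.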
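Review bot: The `r.log.Error` call left as context in findReferenceGrant puts printf verbs (`%s`, `%w`) in its message, but the `r.log.Info` call visible in processBackendRefs shows this logger being used with key/value pairs. If r.log is a logr-style logger, which the hunk does not show directly, the verbs are emitted literally and the name and namespace arguments are read as a single key/value pair, so namespace-label check failures are hard to search for. Consider `r.log.Error(err, "failed to check namespace labels for ReferenceGrant", "name", refGrant.GetName(), "namespace", refGrant.GetNamespace())`. The same message shape recurs in processGateways, getExtensionRefFilters and the route processors.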
@@ -833,11 +830,9 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } for _, listener := range gtw.Spec.Listeners { - listener := listener // Get Secret for gateway if it exists. if terminatesTLS(&listener) { for _, certRef := range listener.TLS.CertificateRefs { - certRef := certRef if refsSecret(&certRef) { if err := r.processSecretRef( ctx, @@ -899,7 +894,7 @@ func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, re } for _, policy := range envoyPatchPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} @@ -919,7 +914,7 @@ func (r *gatewayAPIReconciler) processClientTrafficPolicies( } for _, policy := range clientTrafficPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} @@ -939,7 +934,7 @@ func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context } for _, policy := range backendTrafficPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} @@ -958,7 +953,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicies( } for _, policy := range securityPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} 
@@ -983,7 +978,7 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicies( } for _, policy := range backendTLSPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} @@ -1003,7 +998,7 @@ func (r *gatewayAPIReconciler) processBackends(ctx context.Context, resourceTree } for _, backend := range backends.Items { - backend := backend + backend := backend //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer backend.Status = egv1a1.BackendStatus{} @@ -1789,7 +1784,7 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicies( } for _, policy := range envoyExtensionPolicies.Items { - policy := policy + policy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer policy.Status = gwapiv1a2.PolicyStatus{} @@ -1816,8 +1811,6 @@ func (r *gatewayAPIReconciler) processExtensionServerPolicies( } for _, policy := range polList.Items { - policy := policy - policySpec, found := policy.Object["spec"].(map[string]any) if !found { return fmt.Errorf("no spec found in %s.%s %s", policy.GetAPIVersion(), policy.GetKind(), policy.GetName()) diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index e3b63360163..b2fb1c3d791 100644 --- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go @@ -73,7 +73,6 @@ func TestAddGatewayClassFinalizer(t *testing.T) { ctx := context.Background() for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.gc).Build() err := r.addFinalizer(ctx, tc.gc) 
@@ -137,7 +136,6 @@ func TestRemoveGatewayClassFinalizer(t *testing.T) { ctx := context.Background() for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.gc).Build() err := r.removeFinalizer(ctx, tc.gc) diff --git a/internal/provider/kubernetes/filters.go b/internal/provider/kubernetes/filters.go index 8ef8dc1ede1..985990fef14 100644 --- a/internal/provider/kubernetes/filters.go +++ b/internal/provider/kubernetes/filters.go @@ -26,7 +26,6 @@ func (r *gatewayAPIReconciler) getExtensionRefFilters(ctx context.Context) ([]un if r.namespaceLabel != nil { var extRs []unstructured.Unstructured for _, extR := range uExtResources { - extR := extR ok, err := r.checkObjectNamespaceLabels(&extR) if err != nil { r.log.Error(err, "failed to check namespace labels for ExtensionRefFilter %s in namespace %s: %w", extR.GetName(), extR.GetNamespace()) diff --git a/internal/provider/kubernetes/helpers_test.go b/internal/provider/kubernetes/helpers_test.go index 0d5deb0d5d3..38a634f9c7b 100644 --- a/internal/provider/kubernetes/helpers_test.go +++ b/internal/provider/kubernetes/helpers_test.go @@ -103,7 +103,6 @@ func TestGatewaysOfClass(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { gwList := &gwapiv1.GatewayList{Items: tc.gws} actual := gatewaysOfClass(gc, gwList) @@ -185,7 +184,6 @@ func TestIsGatewayClassAccepted(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { actual := isAccepted(tc.gc) require.Equal(t, tc.expect, actual) diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index e64c08619db..e606138fa09 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
@@ -208,7 +208,6 @@ func (r *gatewayAPIReconciler) isGatewayReferencingSecret(nsName *types.Namespac } for _, gw := range gwList.Items { - gw := gw if !r.validateGatewayForReconcile(&gw) { return false } @@ -549,7 +548,6 @@ func (r *gatewayAPIReconciler) updateStatusForGatewaysUnderGatewayClass(ctx cont } for _, gateway := range gateways.Items { - gateway := gateway r.updateStatusForGateway(ctx, &gateway) } diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index d5ac876f4b2..054de1e5395 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -59,7 +59,6 @@ func TestGatewayClassHasMatchingController(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { res := r.hasMatchingController(tc.gc) require.Equal(t, tc.expect, res) @@ -107,8 +106,6 @@ func TestGatewayClassHasMatchingNamespaceLabels(t *testing.T) { logger := logging.DefaultLogger(egv1a1.LogLevelInfo) for _, tc := range testCases { - tc := tc - r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, namespaceLabel: &metav1.LabelSelector{MatchExpressions: matchExpressions(tc.namespaceLabels, metav1.LabelSelectorOpExists, []string{})}, @@ -172,7 +169,6 @@ func TestValidateGatewayForReconcile(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() t.Run(tc.name, func(t *testing.T) { res := r.validateGatewayForReconcile(tc.gateway) @@ -368,7 +364,6 @@ func TestValidateSecretForReconcile(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder(). WithScheme(envoygateway.GetScheme()). WithObjects(tc.configs...). 
@@ -435,7 +430,6 @@ func TestValidateEndpointSliceForReconcile(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder(). WithScheme(envoygateway.GetScheme()). WithObjects(tc.configs...). @@ -850,7 +844,6 @@ func TestValidateServiceForReconcile(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder(). WithScheme(envoygateway.GetScheme()). WithObjects(tc.configs...). @@ -947,7 +940,6 @@ func TestValidateDeploymentForReconcile(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() t.Run(tc.name, func(t *testing.T) { res := r.validateDeploymentForReconcile(tc.deployment) @@ -1053,7 +1045,6 @@ func TestCheckObjectNamespaceLabels(t *testing.T) { } for _, tc := range testCases { - tc := tc r.client = fakeclient.NewClientBuilder().WithObjects(tc.ns).Build() r.namespaceLabel = &metav1.LabelSelector{MatchExpressions: matchExpressions(tc.reconcileLabels, metav1.LabelSelectorOpExists, []string{})} ok, err := r.checkObjectNamespaceLabels(tc.object) diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index ad2638684cd..c52e39ef349 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -34,7 +34,7 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName } for _, tlsRoute := range tlsRouteList.Items { - tlsRoute := tlsRoute + tlsRoute := tlsRoute //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(&tlsRoute); err != nil { r.log.Error(err, "failed to check namespace labels for TLSRoute %s in namespace %s: %w", tlsRoute.GetName(), tlsRoute.GetNamespace()) 
@@ -54,7 +54,6 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName for _, rule := range tlsRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ref := gatewayapi.UpgradeBackendRef(backendRef) if err := validateBackendRef(&ref); err != nil { r.log.Error(err, "invalid backendRef") @@ -114,7 +113,7 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam } for _, grpcRoute := range grpcRouteList.Items { - grpcRoute := grpcRoute + grpcRoute := grpcRoute //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(&grpcRoute); err != nil { r.log.Error(err, "failed to check namespace labels for GRPCRoute %s in namespace %s: %w", grpcRoute.GetName(), grpcRoute.GetNamespace()) @@ -134,7 +133,6 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam for _, rule := range grpcRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef if err := validateBackendRef(&backendRef.BackendRef); err != nil { r.log.Error(err, "invalid backendRef") continue @@ -249,7 +247,7 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam } for _, httpRoute := range httpRouteList.Items { - httpRoute := httpRoute + httpRoute := httpRoute //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(&httpRoute); err != nil { r.log.Error(err, "failed to check namespace labels for HTTPRoute %s in namespace %s: %w", httpRoute.GetName(), httpRoute.GetNamespace()) @@ -269,7 +267,6 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam for _, rule := range httpRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef if err := validateBackendRef(&backendRef.BackendRef); err != nil { r.log.Error(err, "invalid backendRef") continue 
@@ -427,7 +424,7 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName } for _, tcpRoute := range tcpRouteList.Items { - tcpRoute := tcpRoute + tcpRoute := tcpRoute //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(&tcpRoute); err != nil { r.log.Error(err, "failed to check namespace labels for TCPRoute %s in namespace %s: %w", tcpRoute.GetName(), tcpRoute.GetNamespace()) @@ -447,7 +444,6 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName for _, rule := range tcpRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ref := gatewayapi.UpgradeBackendRef(backendRef) if err := validateBackendRef(&ref); err != nil { r.log.Error(err, "invalid backendRef") @@ -506,7 +502,7 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName } for _, udpRoute := range udpRouteList.Items { - udpRoute := udpRoute + udpRoute := udpRoute //nolint:copyloopvar if r.namespaceLabel != nil { if ok, err := r.checkObjectNamespaceLabels(&udpRoute); err != nil { r.log.Error(err, "failed to check namespace labels for UDPRoute %s in namespace %s: %w", udpRoute.GetName(), udpRoute.GetNamespace()) @@ -526,7 +522,6 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName for _, rule := range udpRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - backendRef := backendRef ref := gatewayapi.UpgradeBackendRef(backendRef) if err := validateBackendRef(&ref); err != nil { r.log.Error(err, "invalid backendRef") diff --git a/internal/provider/kubernetes/routes_test.go b/internal/provider/kubernetes/routes_test.go index be6769589a1..9bd4126d325 100644 --- a/internal/provider/kubernetes/routes_test.go +++ b/internal/provider/kubernetes/routes_test.go 
@@ -851,7 +851,6 @@ func TestValidateHTTPRouteParentRefs(t *testing.T) { ctx := context.Background() for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { var objs []client.Object for i := range tc.classes { diff --git a/internal/provider/runner/runner_test.go b/internal/provider/runner/runner_test.go index a393462da94..8252bb407ca 100644 --- a/internal/provider/runner/runner_test.go +++ b/internal/provider/runner/runner_test.go @@ -47,7 +47,6 @@ func TestStart(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { runner := &Runner{ Config: Config{ diff --git a/internal/utils/misc_test.go b/internal/utils/misc_test.go index 5955f28aecd..f1b10bcec63 100644 --- a/internal/utils/misc_test.go +++ b/internal/utils/misc_test.go @@ -24,7 +24,6 @@ func TestGetHashedName(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { result := GetHashedName(tc.nsName, tc.length) require.Equal(t, tc.expected, result, "Result does not match expected string") diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go index 45f59da0edc..74bf30f2caf 100644 --- a/internal/xds/server/runner/runner_test.go +++ b/internal/xds/server/runner/runner_test.go @@ -131,7 +131,6 @@ func TestTLSConfig(t *testing.T) { defer g.GracefulStop() for name, tc := range tests { - tc := tc t.Run(name, func(t *testing.T) { // Store certificate and key to temp dir used by serveContext. err = tc.serverCredentials.WritePEM(certFile, keyFile) diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index ec5e01c473c..9e327e3eb6d 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go 
@@ -109,7 +109,6 @@ func TestTranslateXds(t *testing.T) { require.NoError(t, err) for _, inputFile := range inputFiles { - inputFile := inputFile inputFileName := testName(inputFile) t.Run(inputFileName, func(t *testing.T) { cfg, ok := testConfigs[inputFileName] @@ -192,7 +191,6 @@ func TestTranslateRateLimitConfig(t *testing.T) { require.NoError(t, err) for _, inputFile := range inputFiles { - inputFile := inputFile inputFileName := testName(inputFile) t.Run(inputFileName, func(t *testing.T) { in := requireXdsIRListenerFromInputTestData(t, inputFile) @@ -222,7 +220,6 @@ func TestTranslateXdsWithExtension(t *testing.T) { require.NoError(t, err) for _, inputFile := range inputFiles { - inputFile := inputFile inputFileName := testName(inputFile) t.Run(inputFileName, func(t *testing.T) { cfg, ok := testConfigs[inputFileName] diff --git a/internal/xds/types/resourceversiontable_test.go b/internal/xds/types/resourceversiontable_test.go index 8da1c0cc7ca..5fe96253bc8 100644 --- a/internal/xds/types/resourceversiontable_test.go +++ b/internal/xds/types/resourceversiontable_test.go @@ -71,7 +71,6 @@ func TestDeepCopy(t *testing.T) { }, } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { if tc.out == nil { require.Nil(t, tc.in.DeepCopy()) @@ -531,7 +530,6 @@ func TestAddOrReplaceXdsResource(t *testing.T) { } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := tc.tableIn.AddOrReplaceXdsResource(tc.typeIn, tc.resourceIn, tc.funcIn) require.NoError(t, err) @@ -887,7 +885,6 @@ func TestInvalidAddXdsResource(t *testing.T) { }, } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { err := tc.tableIn.AddOrReplaceXdsResource(tc.typeIn, tc.resourceIn, tc.funcIn) require.Error(t, err) diff --git a/tools/linter/golangci-lint/.golangci.yml b/tools/linter/golangci-lint/.golangci.yml index 3a83d0841a4..c0155b32447 100644 --- a/tools/linter/golangci-lint/.golangci.yml 
+++ b/tools/linter/golangci-lint/.golangci.yml @@ -4,6 +4,7 @@ run: linters: enable: - bodyclose + - copyloopvar - depguard - errorlint - exportloopref @@ -114,6 +115,8 @@ linters-settings: - suite-extra-assert-call unparam: check-exported: false + copyloopvar: + check-alias: true issues: exclude-rules: From 97830e99556745f6003208b2ad33b30e9c711988 Mon Sep 17 00:00:00 2001 From: Kobi Levi <56400138+levikobi@users.noreply.github.com> Date: Thu, 15 Aug 2024 22:19:40 +0300 Subject: [PATCH 052/523] feat: gateway http listener isolation (#4000) Signed-off-by: Kobi Levi --- internal/gatewayapi/conformance/suite.go | 1 - internal/gatewayapi/helpers.go | 45 +++- internal/gatewayapi/route.go | 4 +- ...istener-with-hostname-intersection.in.yaml | 65 +++++ ...stener-with-hostname-intersection.out.yaml | 238 ++++++++++++++++++ internal/gatewayapi/tls.go | 7 +- 6 files changed, 345 insertions(+), 15 deletions(-) create mode 100644 internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml create mode 100644 internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml diff --git a/internal/gatewayapi/conformance/suite.go b/internal/gatewayapi/conformance/suite.go index 4637e023779..4fafa008983 100644 --- a/internal/gatewayapi/conformance/suite.go +++ b/internal/gatewayapi/conformance/suite.go @@ -15,7 +15,6 @@ import ( // SkipTests is a list of tests that are skipped in the conformance suite. var SkipTests = []suite.ConformanceTest{ tests.GatewayStaticAddresses, - tests.GatewayHTTPListenerIsolation, // https://github.com/envoyproxy/gateway/issues/3352 } func skipTestsShortNames(skipTests []suite.ConformanceTest) []string { diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index a29736216bc..31428c5e13d 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go 
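Review bot: `exportloopref` stays enabled next to the newly added `copyloopvar` in the `linters.enable` list. copyloopvar targets Go 1.22+ per-iteration loop variables, under which the aliasing that exportloopref looks for no longer occurs, and recent golangci-lint releases mark exportloopref as deprecated in favour of copyloopvar. If the pinned golangci-lint version (not visible here) already reports that deprecation, drop the `- exportloopref` line in the same change.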
@@ -262,12 +262,12 @@ func servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy return servicePort } -// computeHosts returns a list of the intersecting hostnames between the route -// and the listener. -func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) []string { +// computeHosts returns a list of intersecting listener hostnames and route hostnames +// that don't intersect with other listener hostnames. +func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []string { var listenerHostnameVal string - if listenerHostname != nil { - listenerHostnameVal = string(*listenerHostname) + if listenerContext != nil && listenerContext.Hostname != nil { + listenerHostnameVal = string(*listenerContext.Hostname) } // No route hostnames specified: use the listener hostname if specified, @@ -280,8 +280,9 @@ func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) [ return []string{"*"} } - var hostnames []string + hostnamesSet := map[string]struct{}{} + // Find intersecting hostnames for i := range routeHostnames { routeHostname := routeHostnames[i] 
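Review bot: Replacing `var hostnames []string` with `hostnamesSet := map[string]struct{}{}` makes the order of the returned hosts depend on map iteration, because the result slice is later built with `for host := range hostnamesSet`. The callers in route.go presumably feed these hosts into the translated routes, so a route with several matching hostnames could yield differently ordered output on each reconcile, causing needless config churn and unstable golden files. Sort before returning, e.g. `sort.Strings(hostnames)` (adding the `sort` import if helpers.go lacks it), or keep the slice and filter it in place. computeHosts starts and ends outside this hunk.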
@@ -290,27 +291,51 @@ func computeHosts(routeHostnames []string, listenerHostname *gwapiv1.Hostname) [ switch { // No listener hostname: use the route hostname. case len(listenerHostnameVal) == 0: - hostnames = append(hostnames, routeHostname) + hostnamesSet[routeHostname] = struct{}{} // Listener hostname matches the route hostname: use it. case listenerHostnameVal == routeHostname: - hostnames = append(hostnames, routeHostname) + hostnamesSet[routeHostname] = struct{}{} // Listener has a wildcard hostname: check if the route hostname matches. case strings.HasPrefix(listenerHostnameVal, "*"): if hostnameMatchesWildcardHostname(routeHostname, listenerHostnameVal) { - hostnames = append(hostnames, routeHostname) + hostnamesSet[routeHostname] = struct{}{} } // Route has a wildcard hostname: check if the listener hostname matches. case strings.HasPrefix(routeHostname, "*"): if hostnameMatchesWildcardHostname(listenerHostnameVal, routeHostname) { - hostnames = append(hostnames, listenerHostnameVal) + hostnamesSet[listenerHostnameVal] = struct{}{} } } } + // Filter out route hostnames that intersect with other listener hostnames + var listeners []*ListenerContext + if listenerContext != nil && listenerContext.gateway != nil { + listeners = listenerContext.gateway.listeners + } + + for _, listener := range listeners { + if listenerContext == listener { + continue + } + if listenerContext != nil && listenerContext.Port != listener.Port { + continue + } + if listener.Hostname == nil { + continue + } + delete(hostnamesSet, string(*listener.Hostname)) + } + + var hostnames []string + for host := range hostnamesSet { + hostnames = append(hostnames, host) + } + return hostnames } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 67f35f2a4d5..9325621468e 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
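Review bot: The isolation filter removes a host only when it is string-equal to another listener's hostname (`delete(hostnamesSet, string(*listener.Hostname))`), although the comment above it says hosts that intersect with other listeners are filtered. A route attached to the `empty-hostname` listener with hostname `foo.example.com` would keep that host even though a sibling listener on the same port owns `*.example.com`, so isolation is not enforced for subdomains of a sibling wildcard. The new testdata covers only the exact `*.example.com` case. Consider also dropping hosts covered by a more specific sibling wildcard, as sketched below, and adding a testdata case for it. The sketch assumes hostnameMatchesWildcardHostname(host, wildcard) behaves as at its call sites earlier in the function.

```go
	for _, listener := range listeners {
		// … unchanged: skip self, other ports, and listeners without a hostname …
		other := string(*listener.Hostname)
		// A sibling wildcard takes precedence only if it is more specific than
		// this listener's own hostname (empty or a shorter wildcard).
		moreSpecific := strings.HasPrefix(other, "*") && len(other) > len(listenerHostnameVal)
		for host := range hostnamesSet {
			if host == other || (moreSpecific && hostnameMatchesWildcardHostname(host, other)) {
				delete(hostnamesSet, host)
			}
		}
	}
```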
@@ -697,7 +697,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route var hasHostnameIntersection bool for _, listener := range parentRef.listeners { - hosts := computeHosts(GetHostnames(route), listener.Hostname) + hosts := computeHosts(GetHostnames(route), listener) if len(hosts) == 0 { continue } @@ -864,7 +864,7 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour var hasHostnameIntersection bool for _, listener := range parentRef.listeners { - hosts := computeHosts(GetHostnames(tlsRoute), listener.Hostname) + hosts := computeHosts(GetHostnames(tlsRoute), listener) if len(hosts) == 0 { continue } diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml new file mode 100644 index 00000000000..267fcbba54b --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml 
@@ -0,0 +1,65 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: empty-hostname + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - name: wildcard-example-com + port: 80 + protocol: HTTP + hostname: "*.example.com" + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: empty-hostname + hostnames: + - "bar.com" + - "*.example.com" # request matching is prevented by the isolation wildcard-example-com listener + rules: + - matches: + - path: + type: PathPrefix + value: /empty-hostname + backendRefs: + - name: service-1 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-2 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: wildcard-example-com + hostnames: + - "bar.com" # doesn't match wildcard-example-com listener + - "*.example.com" + rules: + - matches: + - path: + type: PathPrefix + value: /wildcard-example-com + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml new file mode 100644 index 00000000000..cb47542a1c7 --- /dev/null +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml 
@@ -0,0 +1,238 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: empty-hostname + port: 80 + protocol: HTTP + - allowedRoutes: + namespaces: + from: All + hostname: '*.example.com' + name: wildcard-example-com + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: empty-hostname + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: wildcard-example-com + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + hostnames: + - bar.com + - '*.example.com' + parentRefs: + - name: gateway-1 + namespace: envoy-gateway 
+ sectionName: empty-hostname + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + type: PathPrefix + value: /empty-hostname + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: empty-hostname +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: envoy-gateway + spec: + hostnames: + - bar.com + - '*.example.com' + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: wildcard-example-com + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + type: PathPrefix + value: /wildcard-example-com + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: wildcard-example-com +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/empty-hostname + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + 
isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: empty-hostname + name: envoy-gateway/gateway-1/empty-hostname + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/bar_com + pathMatch: + distinct: false + name: "" + prefix: /empty-hostname + - address: 0.0.0.0 + hostnames: + - '*.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: wildcard-example-com + name: envoy-gateway/gateway-1/wildcard-example-com + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-2/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: '*.example.com' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-2/rule/0/match/0/*_example_com + pathMatch: + distinct: false + name: "" + prefix: /wildcard-example-com diff --git a/internal/gatewayapi/tls.go b/internal/gatewayapi/tls.go index 1d38897ed26..acde9bed339 100644 --- a/internal/gatewayapi/tls.go +++ b/internal/gatewayapi/tls.go 
@@ -88,10 +88,13 @@ func validateTLSSecretsData(secrets []*corev1.Secret, host *gwapiv1.Hostname) er func verifyHostname(cert *x509.Certificate, host *gwapiv1.Hostname) ([]string, error) { var matchedHosts []string + listenerContext := ListenerContext{ + Listener: &gwapiv1.Listener{Hostname: host}, + } if len(cert.DNSNames) > 0 { - matchedHosts = computeHosts(cert.DNSNames, host) + matchedHosts = computeHosts(cert.DNSNames, &listenerContext) } else { - matchedHosts = computeHosts([]string{cert.Subject.CommonName}, host) + matchedHosts = computeHosts([]string{cert.Subject.CommonName}, &listenerContext) } if len(matchedHosts) > 0 { From 27de4b1e19ad56a759db9d1c8ac8f8b88c51a806 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Thu, 15 Aug 2024 22:37:53 +0300 Subject: [PATCH 053/523] feat(translator): add support for configuring the GRPC Health Checker (#4046) * Add support for configuring the GRPC Health Checker Signed-off-by: Lior Okman * Add GRPC to the validated values available for active health check type. Signed-off-by: Lior Okman * Make it possible to provide the gRPC health checker with a service name to be checked. This is an optional configuration. If a specific service name is not provided, then the entire gRPC server's health is requested. Signed-off-by: Lior Okman --------- 
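Review bot: The synthetic `ListenerContext` built in `verifyHostname` sets only `Listener.Hostname`, and the hunk gives no indication that `computeHosts` tolerates the other fields being zero. `computeHosts` is not visible here, so confirm it reads nothing beyond the listener hostname; otherwise certificate-to-listener hostname matching would run on empty data or hit a nil dereference. I would add above the literal: `// Only the hostname is needed to match certificate names; the remaining ListenerContext fields are intentionally unset.` The changed `else` branch still falls back to `cert.Subject.CommonName` when the certificate has no DNS SANs, which clients that match on SANs only will not accept, so the doc comment could say that this fallback exists. verifyHostname's body continues past the end of the hunk.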
Signed-off-by: Lior Okman Co-authored-by: zirain --- api/v1alpha1/healthcheck_types.go | 21 +- api/v1alpha1/zz_generated.deepcopy.go | 25 +++ ....envoyproxy.io_backendtrafficpolicies.yaml | 17 ++ ....envoyproxy.io_envoyextensionpolicies.yaml | 17 ++ .../gateway.envoyproxy.io_envoyproxies.yaml | 74 +++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 36 ++++ internal/gatewayapi/clustersettings.go | 4 + ...kendtrafficpolicy-with-healthcheck.in.yaml | 65 ++++++ ...endtrafficpolicy-with-healthcheck.out.yaml | 191 +++++++++++++++++- internal/ir/xds.go | 14 ++ internal/ir/zz_generated.deepcopy.go | 25 +++ internal/xds/translator/cluster.go | 12 +- .../testdata/in/xds-ir/health-check.yaml | 18 ++ .../out/xds-ir/health-check.clusters.yaml | 24 +++ .../out/xds-ir/health-check.endpoints.yaml | 12 ++ .../out/xds-ir/health-check.routes.yaml | 7 + site/content/en/latest/api/extension_types.md | 16 ++ site/content/zh/latest/api/extension_types.md | 16 ++ .../backendtrafficpolicy_test.go | 29 +++ 19 files changed, 617 insertions(+), 6 deletions(-) diff --git a/api/v1alpha1/healthcheck_types.go b/api/v1alpha1/healthcheck_types.go index cea83d2f5a1..d8e8339e22a 100644 --- a/api/v1alpha1/healthcheck_types.go +++ b/api/v1alpha1/healthcheck_types.go @@ -74,6 +74,7 @@ type PassiveHealthCheck struct { // // +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' ? has(self.http) : !has(self.http)",message="If Health Checker type is HTTP, http field needs to be set." // +kubebuilder:validation:XValidation:rule="self.type == 'TCP' ? has(self.tcp) : !has(self.tcp)",message="If Health Checker type is TCP, tcp field needs to be set." +// +kubebuilder:validation:XValidation:rule="has(self.grpc) ? self.type == 'GRPC' : true", message="The grpc field can only be set if the Health Checker type is GRPC." type ActiveHealthCheck struct { // Timeout defines the time to wait for a health check response. // 
@@ -104,7 +105,7 @@ type ActiveHealthCheck struct { HealthyThreshold *uint32 `json:"healthyThreshold"` // Type defines the type of health checker. - // +kubebuilder:validation:Enum=HTTP;TCP + // +kubebuilder:validation:Enum=HTTP;TCP;GRPC // +unionDiscriminator Type ActiveHealthCheckerType `json:"type" yaml:"type"` @@ -117,10 +118,15 @@ type ActiveHealthCheck struct { // It's required while the health checker type is TCP. // +optional TCP *TCPActiveHealthChecker `json:"tcp,omitempty" yaml:"tcp,omitempty"` + + // GRPC defines the configuration of the GRPC health checker. + // It's optional, and can only be used if the specified type is GRPC. + // +optional + GRPC *GRPCActiveHealthChecker `json:"grpc,omitempty" yaml:"grpc,omitempty"` } // ActiveHealthCheckerType is the type of health checker. -// +kubebuilder:validation:Enum=HTTP;TCP +// +kubebuilder:validation:Enum=HTTP;TCP;GRPC type ActiveHealthCheckerType string const ( @@ -128,6 +134,8 @@ const ( ActiveHealthCheckerTypeHTTP ActiveHealthCheckerType = "HTTP" // ActiveHealthCheckerTypeTCP defines the TCP type of health checking. ActiveHealthCheckerTypeTCP ActiveHealthCheckerType = "TCP" + // ActiveHealthCheckerTypeGRPC defines the GRPC type of health checking. + ActiveHealthCheckerTypeGRPC ActiveHealthCheckerType = "GRPC" ) // HTTPActiveHealthChecker defines the settings of http health check. 
@@ -159,6 +167,15 @@ type TCPActiveHealthChecker struct { Receive *ActiveHealthCheckPayload `json:"receive,omitempty" yaml:"receive,omitempty"` } +// GRPCActiveHealthChecker defines the settings of the GRPC health check. +type GRPCActiveHealthChecker struct { + // ServiceName to send in the health check request. + // If this is not specified, then the health check request applies to the entire + // server and not to a specific service. + // +optional + ServiceName *string `json:"serviceName,omitempty" yaml:"serviceName,omitempty"` +} + // ActiveHealthCheckPayloadType is the type of the payload. // +kubebuilder:validation:Enum=Text;Binary type ActiveHealthCheckPayloadType string diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 62fa950a3e8..af9983b6455 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -109,6 +109,11 @@ func (in *ActiveHealthCheck) DeepCopyInto(out *ActiveHealthCheck) { *out = new(TCPActiveHealthChecker) (*in).DeepCopyInto(*out) } + if in.GRPC != nil { + in, out := &in.GRPC, &out.GRPC + *out = new(GRPCActiveHealthChecker) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveHealthCheck. 
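Review bot: `GRPCActiveHealthChecker.ServiceName` is a free-form user string with no validation markers, and it is copied into the proxy's health-check configuration as is. An explicit empty string is indistinguishable from an unset field once the translator applies `ptr.Deref(healthcheck.GRPC.ServiceName, "")`, so `// +kubebuilder:validation:MinLength=1` on the field would make the two cases distinct at admission. A length bound or pattern marker would also be worth considering, since a value the proxy refuses would presumably surface only as a rejected cluster update rather than as a policy status condition (to be confirmed against the data plane's own validation).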
@@ -2337,6 +2342,26 @@ func (in *FilterPosition) DeepCopy() *FilterPosition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GRPCActiveHealthChecker) DeepCopyInto(out *GRPCActiveHealthChecker) { + *out = *in + if in.ServiceName != nil { + in, out := &in.ServiceName, &out.ServiceName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCActiveHealthChecker. +func (in *GRPCActiveHealthChecker) DeepCopy() *GRPCActiveHealthChecker { + if in == nil { + return nil + } + out := new(GRPCActiveHealthChecker) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GRPCExtAuthService) DeepCopyInto(out *GRPCExtAuthService) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index daf4175fc3b..6867e0285d9 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -226,6 +226,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines the number of healthy 
@@ -380,9 +392,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string unhealthyThreshold: @@ -402,6 +416,9 @@ spec: - message: If Health Checker type is TCP, tcp field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the Health Checker + type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : true' passive: description: Passive passive check configuration properties: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 8712a6b13a2..a4e83c8dcc1 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -327,6 +327,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines the number @@ -490,9 +502,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string unhealthyThreshold: 
@@ -513,6 +527,9 @@ spec: - message: If Health Checker type is TCP, tcp field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the Health + Checker type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : true' passive: description: Passive passive check configuration properties: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 874dc98d4a7..99a445558f0 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10590,6 +10590,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold @@ -10773,9 +10785,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string @@ -10802,6 +10816,11 @@ spec: set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only + be set if the Health Checker type + is GRPC. + rule: 'has(self.grpc) ? self.type + == ''GRPC'' : true' passive: description: Passive passive check configuration 
@@ -11461,6 +11480,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold @@ -11644,9 +11675,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string @@ -11673,6 +11706,11 @@ spec: set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only + be set if the Health Checker type + is GRPC. + rule: 'has(self.grpc) ? self.type + == ''GRPC'' : true' passive: description: Passive passive check configuration @@ -12404,6 +12442,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines @@ -12577,9 +12627,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string 
@@ -12604,6 +12656,10 @@ spec: tcp field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set + if the Health Checker type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' + : true' passive: description: Passive passive check configuration properties: @@ -13288,6 +13344,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines the @@ -13460,9 +13528,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string @@ -13486,6 +13556,10 @@ spec: field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the + Health Checker type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' + : true' passive: description: Passive passive check configuration properties: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index da8c50015d2..fd6a6e8932b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -529,6 +529,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines the number @@ -692,9 +704,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string unhealthyThreshold: @@ -716,6 +730,10 @@ spec: - message: If Health Checker type is TCP, tcp field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the Health + Checker type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : + true' passive: description: Passive passive check configuration properties: @@ -1314,6 +1332,18 @@ spec: active: description: Active health check configuration properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + serviceName: + description: |- + ServiceName to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object healthyThreshold: default: 1 description: HealthyThreshold defines the number @@ -1477,9 +1507,11 @@ spec: - enum: - HTTP - TCP + - GRPC - enum: - HTTP - TCP + - GRPC description: Type defines the type of health checker. type: string unhealthyThreshold: 
@@ -1501,6 +1533,10 @@ spec: - message: If Health Checker type is TCP, tcp field needs to be set. rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the Health + Checker type is GRPC. + rule: 'has(self.grpc) ? self.type == ''GRPC'' : + true' passive: description: Passive passive check configuration properties: diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 3034fed1324..2c3d8f7b773 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -426,6 +426,10 @@ func buildActiveHealthCheck(policy egv1a1.HealthCheck) *ir.ActiveHealthCheck { irHC.HTTP = buildHTTPActiveHealthChecker(hc.HTTP) case egv1a1.ActiveHealthCheckerTypeTCP: irHC.TCP = buildTCPActiveHealthChecker(hc.TCP) + case egv1a1.ActiveHealthCheckerTypeGRPC: + irHC.GRPC = &ir.GRPCHealthChecker{ + ServiceName: ptr.Deref(hc.GRPC, egv1a1.GRPCActiveHealthChecker{}).ServiceName, + } } return irHC diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml index 5cb832646b3..ee872009751 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml 
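Review bot: The new `ActiveHealthCheckerTypeGRPC` case always creates `irHC.GRPC`, even when `hc.GRPC` is nil, and that non-nil pointer is what later selects the gRPC checker in `buildXdsHealthCheck`, but no comment says so. Since the `grpc` block is optional in the API, a reader could take the `ptr.Deref` with an empty default for defensive noise and reduce it to a nil check, which would leave the IR with no checker at all. I would add `// grpc is optional: type GRPC alone enables the checker, so the IR struct is created even when hc.GRPC is nil.` above the assignment. The HTTP and TCP cases delegate to `buildHTTPActiveHealthChecker` and `buildTCPActiveHealthChecker`; a matching `buildGRPCActiveHealthChecker(hc.GRPC)` would keep the switch uniform. buildActiveHealthCheck begins and ends outside the hunk.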
@@ -42,6 +42,34 @@ grpcRoutes: - backendRefs: - name: service-1 port: 8080 +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-3 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-2 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-2 + port: 8080 httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute @@ -233,3 +261,40 @@ backendTrafficPolicies: consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 splitExternalLocalOriginErrors: false +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-grpc-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-2 + healthCheck: + active: + timeout: 1s + interval: 3s + unhealthyThreshold: 3 + healthyThreshold: 1 + type: GRPC +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-grpc-route-3 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-3 + healthCheck: + active: + timeout: 1s + interval: 3s + unhealthyThreshold: 3 + healthyThreshold: 1 + type: GRPC + grpc: + serviceName: foo-service + diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 447a7df485e..c9bf22910fc 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml 
@@ -145,6 +145,74 @@ backendTrafficPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-grpc-route + namespace: default + spec: + healthCheck: + active: + healthyThreshold: 1 + interval: 3s + timeout: 1s + type: GRPC + unhealthyThreshold: 3 + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-2 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-grpc-route-3 + namespace: default + spec: + healthCheck: + active: + grpc: + serviceName: foo-service + healthyThreshold: 1 + interval: 3s + timeout: 1s + type: GRPC + unhealthyThreshold: 3 + targetRef: + group: gateway.networking.k8s.io + kind: GRPCRoute + name: grpcroute-3 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: 
@@ -193,6 +261,12 @@ backendTrafficPolicies: reason: Accepted status: "True" type: Accepted + - lastTransitionTime: null + message: 'This policy is being overridden by other backendTrafficPolicies + for these routes: [default/grpcroute-2 default/grpcroute-3]' + reason: Overridden + status: "True" + type: Overridden controllerName: gateway.envoyproxy.io/gatewayclass-controller gateways: - apiVersion: gateway.networking.k8s.io/v1 @@ -212,7 +286,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 3 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -309,6 +383,72 @@ grpcRoutes: name: gateway-1 namespace: envoy-gateway sectionName: http +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-3 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-2 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-2 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute 
@@ -516,6 +656,55 @@ xdsIR: interval: 2s maxEjectionPercent: 100 splitExternalLocalOriginErrors: false + - destination: + name: grpcroute/default/grpcroute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-3 + namespace: default + name: grpcroute/default/grpcroute-3/rule/0/match/-1/* + traffic: + healthCheck: + active: + grpc: + serviceName: foo-service + healthyThreshold: 1 + interval: 3s + timeout: 1s + unhealthyThreshold: 3 + - destination: + name: grpcroute/default/grpcroute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-2 + namespace: default + name: grpcroute/default/grpcroute-2/rule/0/match/-1/* + traffic: + healthCheck: + active: + grpc: {} + healthyThreshold: 1 + interval: 3s + timeout: 1s + unhealthyThreshold: 3 envoy-gateway/gateway-2: accessLog: text: diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 821d4bd1c70..ea1d18b6cbb 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1974,6 +1974,8 @@ type ActiveHealthCheck struct { HTTP *HTTPHealthChecker `json:"http,omitempty" yaml:"http,omitempty"` // TCP defines the configuration of tcp health checker. TCP *TCPHealthChecker `json:"tcp,omitempty" yaml:"tcp,omitempty"` + // GRPC defines if the GRPC healthcheck service should be used + GRPC *GRPCHealthChecker `json:"grpc,omitempty" yaml:"grpc,omitempty"` } func (h *HealthCheck) SetHTTPHostIfAbsent(host string) { @@ -2006,6 +2008,9 @@ func (h *HealthCheck) Validate() error { if h.Active.TCP != nil { matchCount++ } + if h.Active.GRPC != nil { + matchCount++ + } if matchCount > 1 { errs = errors.Join(errs, ErrHealthCheckerInvalid) } 
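Review bot: The comment added on the `GRPC` field of `ActiveHealthCheck`, "GRPC defines if the GRPC healthcheck service should be used", describes a flag, while the field carries the checker's configuration and its presence also counts towards `matchCount` in `Validate` (next hunk). Matching the sibling fields would read `// GRPC defines the configuration of the gRPC health checker.` The struct and `Validate` both extend outside their hunks.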
@@ -2100,6 +2105,15 @@ func (h HTTPStatus) Validate() error { return nil } +// GRPCHealthChecker defines the settings of the gRPC health check. +// +k8s:deepcopy-gen=true +type GRPCHealthChecker struct { + // ServiceName is the name of a specific service hosted by the server for + // which the health check should be requested. If not specified, then the default + // is to send a health check request for the entire server. + ServiceName *string `json:"serviceName,omitempty" yaml:"serviceName,omitempty"` +} + // TCPHealthChecker defines the settings of tcp health check. // +k8s:deepcopy-gen=true type TCPHealthChecker struct { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index d38cd3b825c..1065ddf8f0c 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -181,6 +181,11 @@ func (in *ActiveHealthCheck) DeepCopyInto(out *ActiveHealthCheck) { *out = new(TCPHealthChecker) (*in).DeepCopyInto(*out) } + if in.GRPC != nil { + in, out := &in.GRPC, &out.GRPC + *out = new(GRPCHealthChecker) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveHealthCheck. 
@@ -990,6 +995,26 @@ func (in *GRPCExtAuthService) DeepCopy() *GRPCExtAuthService { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GRPCHealthChecker) DeepCopyInto(out *GRPCHealthChecker) { + *out = *in + if in.ServiceName != nil { + in, out := &in.ServiceName, &out.ServiceName + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCHealthChecker. +func (in *GRPCHealthChecker) DeepCopy() *GRPCHealthChecker { + if in == nil { + return nil + } + out := new(GRPCHealthChecker) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GlobalRateLimit) DeepCopyInto(out *GlobalRateLimit) { *out = *in diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index e0f8b3ceba1..e229caedc63 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -235,7 +235,8 @@ func buildXdsHealthCheck(healthcheck *ir.ActiveHealthCheck) []*corev3.HealthChec if healthcheck.HealthyThreshold != nil { hc.HealthyThreshold = wrapperspb.UInt32(*healthcheck.HealthyThreshold) } - if healthcheck.HTTP != nil { + switch { + case healthcheck.HTTP != nil: httpChecker := &corev3.HealthCheck_HttpHealthCheck{ Host: healthcheck.HTTP.Host, Path: healthcheck.HTTP.Path, @@ -250,8 +251,7 @@ func buildXdsHealthCheck(healthcheck *ir.ActiveHealthCheck) []*corev3.HealthChec hc.HealthChecker = &corev3.HealthCheck_HttpHealthCheck_{ HttpHealthCheck: httpChecker, } - } - if healthcheck.TCP != nil { + case healthcheck.TCP != nil: tcpChecker := &corev3.HealthCheck_TcpHealthCheck{ Send: buildHealthCheckPayload(healthcheck.TCP.Send), } 
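Review bot: Replacing the independent `if healthcheck.HTTP != nil` / `if healthcheck.TCP != nil` blocks with a `switch` changes which checker wins when more than one is set (previously the later block overwrote `hc.HealthChecker`, now the first matching case is used), and the switch has no `default`, so an IR with no checker set leaves `hc.HealthChecker` nil. `HealthCheck.Validate` in internal/ir/xds.go rejects more than one checker, so the first situation is presumably unreachable, but the dependency is not stated here. A comment above the switch would do: `// Validate guarantees at most one of HTTP/TCP/GRPC is set; the case order only matters for unvalidated IR.` The same switch receives the GRPC case in the following hunk (`@@ -261,6 +261,12 @@`). buildXdsHealthCheck starts before this hunk.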
@@ -261,6 +261,12 @@ func buildXdsHealthCheck(healthcheck *ir.ActiveHealthCheck) []*corev3.HealthChec hc.HealthChecker = &corev3.HealthCheck_TcpHealthCheck_{ TcpHealthCheck: tcpChecker, } + case healthcheck.GRPC != nil: + hc.HealthChecker = &corev3.HealthCheck_GrpcHealthCheck_{ + GrpcHealthCheck: &corev3.HealthCheck_GrpcHealthCheck{ + ServiceName: ptr.Deref(healthcheck.GRPC.ServiceName, ""), + }, + } } return []*corev3.HealthCheck{hc} } diff --git a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml index 30ecd2da792..769a3b3dc59 100644 --- a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml @@ -126,3 +126,21 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 + - name: "fifth-route" + hostname: "*" + traffic: + healthCheck: + active: + timeout: "1s" + interval: "5s" + unhealthyThreshold: 3 + healthyThreshold: 3 + grpc: + serviceName: my-service + destination: + name: "fifth-route-dest" + protocol: GRPC + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index b789b876c3c..485139eb2c8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml 
@@ -139,3 +139,27 @@ splitExternalLocalOriginErrors: true perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fifth-route-dest + healthChecks: + - grpcHealthCheck: + serviceName: my-service + healthyThreshold: 3 + interval: 5s + timeout: 1s + unhealthyThreshold: 3 + lbPolicy: LEAST_REQUEST + name: fifth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.endpoints.yaml index f185af17da7..b93d9b43bde 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.endpoints.yaml @@ -46,3 +46,15 @@ loadBalancingWeight: 1 locality: region: fourth-route-dest/backend/0 +- clusterName: fifth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fifth-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.routes.yaml index de4249178e4..2f5c4977b24 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.routes.yaml @@ -33,3 +33,10 @@ cluster: fourth-route-dest upgradeConfigs: - upgradeType: websocket + - match: + prefix: / + name: fifth-route + route: + cluster: fifth-route-dest + upgradeConfigs: + - upgradeType: websocket 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 0530e43898c..fa525ea8282 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -126,6 +126,7 @@ _Appears in:_ | `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | | `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | | `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | #### ActiveHealthCheckPayload @@ -173,6 +174,7 @@ _Appears in:_ | ----- | ----------- | | `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| | `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +| `GRPC` | ActiveHealthCheckerTypeGRPC defines the GRPC type of health checking.
| #### AppProtocolType @@ -1700,6 +1702,20 @@ _Appears in:_ | `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | +#### GRPCActiveHealthChecker + + + +GRPCActiveHealthChecker defines the settings of the GRPC health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `serviceName` | _string_ | false | ServiceName to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | + + #### GRPCExtAuthService diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 0530e43898c..fa525ea8282 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -126,6 +126,7 @@ _Appears in:_ | `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | | `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | | `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | #### ActiveHealthCheckPayload @@ -173,6 +174,7 @@ _Appears in:_ | ----- | ----------- | | `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| | `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +| `GRPC` | ActiveHealthCheckerTypeGRPC defines the GRPC type of health checking.
| #### AppProtocolType @@ -1700,6 +1702,20 @@ _Appears in:_ | `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | +#### GRPCActiveHealthChecker + + + +GRPCActiveHealthChecker defines the settings of the GRPC health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `serviceName` | _string_ | false | ServiceName to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | + + #### GRPCExtAuthService diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go index 90ea4c3f473..2755295336d 100644 --- a/test/cel-validation/backendtrafficpolicy_test.go +++ b/test/cel-validation/backendtrafficpolicy_test.go @@ -790,6 +790,35 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { `spec.HealthCheck.active: Invalid value: "object": If Health Checker type is HTTP, http field needs to be set., spec.HealthCheck.active: Invalid value: "object": If Health Checker type is TCP, tcp field needs to be set`, }, }, + { + desc: "grpc settings with non-gRPC health checker type", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClusterSettings: egv1a1.ClusterSettings{ + HealthCheck: &egv1a1.HealthCheck{ + Active: &egv1a1.ActiveHealthCheck{ + Type: egv1a1.ActiveHealthCheckerTypeHTTP, + GRPC: &egv1a1.GRPCActiveHealthChecker{}, + }, + }, + }, + } + }, + wantErrors: []string{ + `If Health Checker type is HTTP, http field needs to be set.`, + `The grpc field can only be set if the Health Checker type is GRPC.`, + }, + }, + { desc: "invalid http expected statuses", mutate: func(btp *egv1a1.BackendTrafficPolicy) { From cf6b3257208144d3445fb7da1fe7e4af9496832f Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Fri, 16 Aug 2024 10:43:39 +0300 Subject: [PATCH 054/523] fix: rename ServiceName to Service in the gRPC active health check structure. (#4063) * Rename ServiceName to Service in the gRPC active health check structure. Signed-off-by: Lior Okman * Make gen-check happy. 
Signed-off-by: Lior Okman --------- Signed-off-by: Lior Okman --- api/v1alpha1/healthcheck_types.go | 4 ++-- api/v1alpha1/zz_generated.deepcopy.go | 4 ++-- ...way.envoyproxy.io_backendtrafficpolicies.yaml | 4 ++-- ...way.envoyproxy.io_envoyextensionpolicies.yaml | 4 ++-- .../gateway.envoyproxy.io_envoyproxies.yaml | 16 ++++++++-------- .../gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++---- internal/gatewayapi/clustersettings.go | 2 +- ...backendtrafficpolicy-with-healthcheck.in.yaml | 2 +- ...ackendtrafficpolicy-with-healthcheck.out.yaml | 4 ++-- internal/ir/xds.go | 4 ++-- internal/ir/zz_generated.deepcopy.go | 4 ++-- internal/xds/translator/cluster.go | 2 +- .../testdata/in/xds-ir/health-check.yaml | 2 +- site/content/en/latest/api/extension_types.md | 2 +- site/content/zh/latest/api/extension_types.md | 2 +- 15 files changed, 32 insertions(+), 32 deletions(-) diff --git a/api/v1alpha1/healthcheck_types.go b/api/v1alpha1/healthcheck_types.go index d8e8339e22a..990c95f141a 100644 --- a/api/v1alpha1/healthcheck_types.go +++ b/api/v1alpha1/healthcheck_types.go @@ -169,11 +169,11 @@ type TCPActiveHealthChecker struct { // GRPCActiveHealthChecker defines the settings of the GRPC health check. type GRPCActiveHealthChecker struct { - // ServiceName to send in the health check request. + // Service to send in the health check request. // If this is not specified, then the health check request applies to the entire // server and not to a specific service. // +optional - ServiceName *string `json:"serviceName,omitempty" yaml:"serviceName,omitempty"` + Service *string `json:"service,omitempty" yaml:"service,omitempty"` } // ActiveHealthCheckPayloadType is the type of the payload. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index af9983b6455..6e9f41f7723 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
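Review bot: Changing the JSON tag on GRPCActiveHealthChecker from `serviceName` to `service` alters the serialized API and not only the Go identifier, so a manifest already written with `grpc.serviceName` would no longer populate this field. Because the field is `+optional` and an unset value means the check applies to the entire server, such a manifest would presumably degrade to a server-wide health check without any error rather than fail loudly. If `serviceName` has appeared in any published build, this needs a release note or a transition period that still accepts the old key; if it has never shipped, stating that in the commit description would settle the question. The same tag change is made to ir.GRPCHealthChecker in internal/ir/xds.go and to the generated CRD schemas later in this commit.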
@@ -2345,8 +2345,8 @@ func (in *FilterPosition) DeepCopy() *FilterPosition { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GRPCActiveHealthChecker) DeepCopyInto(out *GRPCActiveHealthChecker) { *out = *in - if in.ServiceName != nil { - in, out := &in.ServiceName, &out.ServiceName + if in.Service != nil { + in, out := &in.Service, &out.Service *out = new(string) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 6867e0285d9..2190e623502 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -231,9 +231,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index a4e83c8dcc1..5b88ec4827c 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
@@ -332,9 +332,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 99a445558f0..436a3331430 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10595,9 +10595,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string @@ -11485,9 +11485,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string 
@@ -12447,9 +12447,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string @@ -13349,9 +13349,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index fd6a6e8932b..da5eed2969a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -534,9 +534,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string 
@@ -1337,9 +1337,9 @@ spec: GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC. properties: - serviceName: + service: description: |- - ServiceName to send in the health check request. + Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service. type: string diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 2c3d8f7b773..1d5c1a3d6f8 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -428,7 +428,7 @@ func buildActiveHealthCheck(policy egv1a1.HealthCheck) *ir.ActiveHealthCheck { irHC.TCP = buildTCPActiveHealthChecker(hc.TCP) case egv1a1.ActiveHealthCheckerTypeGRPC: irHC.GRPC = &ir.GRPCHealthChecker{ - ServiceName: ptr.Deref(hc.GRPC, egv1a1.GRPCActiveHealthChecker{}).ServiceName, + Service: ptr.Deref(hc.GRPC, egv1a1.GRPCActiveHealthChecker{}).Service, } } diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml index ee872009751..0ea537711d9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml @@ -296,5 +296,5 @@ backendTrafficPolicies: healthyThreshold: 1 type: GRPC grpc: - serviceName: foo-service + service: foo-service diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index c9bf22910fc..4d1cc89bc55 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml 
@@ -188,7 +188,7 @@ backendTrafficPolicies: healthCheck: active: grpc: - serviceName: foo-service + service: foo-service healthyThreshold: 1 interval: 3s timeout: 1s @@ -676,7 +676,7 @@ xdsIR: healthCheck: active: grpc: - serviceName: foo-service + service: foo-service healthyThreshold: 1 interval: 3s timeout: 1s diff --git a/internal/ir/xds.go b/internal/ir/xds.go index ea1d18b6cbb..ec3441e3bab 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -2108,10 +2108,10 @@ func (h HTTPStatus) Validate() error { // GRPCHealthChecker defines the settings of the gRPC health check. // +k8s:deepcopy-gen=true type GRPCHealthChecker struct { - // ServiceName is the name of a specific service hosted by the server for + // Service is the name of a specific service hosted by the server for // which the health check should be requested. If not specified, then the default // is to send a health check request for the entire server. - ServiceName *string `json:"serviceName,omitempty" yaml:"serviceName,omitempty"` + Service *string `json:"service,omitempty" yaml:"service,omitempty"` } // TCPHealthChecker defines the settings of tcp health check. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 1065ddf8f0c..8fd97960904 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -998,8 +998,8 @@ func (in *GRPCExtAuthService) DeepCopy() *GRPCExtAuthService { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GRPCHealthChecker) DeepCopyInto(out *GRPCHealthChecker) { *out = *in - if in.ServiceName != nil { - in, out := &in.ServiceName, &out.ServiceName + if in.Service != nil { + in, out := &in.Service, &out.Service *out = new(string) **out = **in } diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index e229caedc63..90d005a8b99 100644 --- a/internal/xds/translator/cluster.go 
+++ b/internal/xds/translator/cluster.go @@ -264,7 +264,7 @@ func buildXdsHealthCheck(healthcheck *ir.ActiveHealthCheck) []*corev3.HealthChec case healthcheck.GRPC != nil: hc.HealthChecker = &corev3.HealthCheck_GrpcHealthCheck_{ GrpcHealthCheck: &corev3.HealthCheck_GrpcHealthCheck{ - ServiceName: ptr.Deref(healthcheck.GRPC.ServiceName, ""), + ServiceName: ptr.Deref(healthcheck.GRPC.Service, ""), }, } } diff --git a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml index 769a3b3dc59..12f62f86414 100644 --- a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml @@ -136,7 +136,7 @@ http: unhealthyThreshold: 3 healthyThreshold: 3 grpc: - serviceName: my-service + service: my-service destination: name: "fifth-route-dest" protocol: GRPC diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fa525ea8282..b7d7b76078c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1713,7 +1713,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `serviceName` | _string_ | false | ServiceName to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | +| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | #### GRPCExtAuthService diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fa525ea8282..b7d7b76078c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1713,7 +1713,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `serviceName` | _string_ | false | ServiceName to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | +| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | #### GRPCExtAuthService From 62e39163d87ae379604097450cdc352cacc5380e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 21:29:08 +0800 Subject: [PATCH 055/523] build(deps): bump github.com/prometheus/client_golang from 1.19.1 to 1.20.0 (#4056) build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.19.1 to 1.20.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.19.1...v1.20.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 4e510a60edf..125844ad6cd 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.61 github.com/ohler55/ojg v1.22.1 - github.com/prometheus/client_golang v1.19.1 + github.com/prometheus/client_golang v1.20.0 github.com/prometheus/common v0.55.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 @@ -143,7 +143,7 @@ require ( github.com/jackc/pgx/v5 v5.6.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jmoiron/sqlx v1.3.5 // indirect - github.com/klauspost/compress v1.17.8 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/kortschak/goroutine v1.1.2 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect 
diff --git a/go.sum b/go.sum index 33c25103e3a..16540435eb8 100644 --- a/go.sum +++ b/go.sum @@ -777,8 +777,8 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -959,8 +959,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.0 h1:jBzTZ7B099Rg24tny+qngoynol8LtVYlA2bqx3vEloI= +github.com/prometheus/client_golang v1.20.0/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 595a44ac593bd27e22e8bd0042cdd89a5865469c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 21:29:23 +0800 Subject: [PATCH 056/523] build(deps): bump github.com/google/go-containerregistry from 0.20.1 to 0.20.2 (#4026) build(deps): bump github.com/google/go-containerregistry Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.20.1...v0.20.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From addb86a3197be91c1187d9d01c19f56558d37028 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Aug 2024 12:04:05 -0700 Subject: [PATCH 057/523] build(deps): bump helm.sh/helm/v3 from 3.15.3 to 3.15.4 (#4057) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.15.3 to 3.15.4. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.15.3...v3.15.4) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 125844ad6cd..affe7ce6afa 100644 --- a/go.mod +++ b/go.mod 
@@ -49,7 +49,7 @@ require ( google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.15.3 + helm.sh/helm/v3 v3.15.4 k8s.io/api v0.30.3 k8s.io/apiextensions-apiserver v0.30.3 k8s.io/apimachinery v0.30.3 diff --git a/go.sum b/go.sum index 16540435eb8..87524601312 100644 --- a/go.sum +++ b/go.sum @@ -1813,8 +1813,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.3 h1:HcZDaVFe9uHa6hpsR54mJjYyRy4uz/pc6csg27nxFOc= -helm.sh/helm/v3 v3.15.3/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ= +helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY= +helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 1af136bd242620628f6ef57dd0e70c0918b78585 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 17 Aug 2024 09:44:49 +0800 Subject: [PATCH 058/523] bump github.com/golangci/golangci-lint from 1.59.1 to 1.60.1 (#4067) --- internal/gatewayapi/backendtrafficpolicy.go | 2 +- .../kubernetes/resource/resource.go | 2 +- internal/wasm/cache.go | 4 +- internal/wasm/imagefetcher.go | 2 +- internal/xds/translator/jsonpatch.go | 20 ++-- internal/xds/translator/route.go | 4 +- internal/xds/translator/translator_test.go | 2 +- tools/src/golangci-lint/go.mod | 47 ++++---- tools/src/golangci-lint/go.sum | 104 +++++++++--------- 9 files changed, 89 insertions(+), 98 deletions(-) 
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index d5e66e6e7c0..466f889167a 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -589,7 +589,7 @@ func (t *Translator) buildLocalRateLimit(policy *egv1a1.BackendTrafficPolicy) (* // limit. If no such rule is found, EG uses a default limit of uint32 max. var defaultLimit *ir.RateLimitValue for _, rule := range local.Rules { - if rule.ClientSelectors == nil || len(rule.ClientSelectors) == 0 { + if len(rule.ClientSelectors) == 0 { if defaultLimit != nil { return nil, fmt.Errorf("local rateLimit can not have more than one rule without clientSelectors") } diff --git a/internal/infrastructure/kubernetes/resource/resource.go b/internal/infrastructure/kubernetes/resource/resource.go index dbdc289eec3..dcbbadadb40 100644 --- a/internal/infrastructure/kubernetes/resource/resource.go +++ b/internal/infrastructure/kubernetes/resource/resource.go @@ -38,7 +38,7 @@ func ExpectedServiceSpec(service *egv1a1.KubernetesServiceSpec) corev1.ServiceSp if service.AllocateLoadBalancerNodePorts != nil { serviceSpec.AllocateLoadBalancerNodePorts = service.AllocateLoadBalancerNodePorts } - if service.LoadBalancerSourceRanges != nil && len(service.LoadBalancerSourceRanges) > 0 { + if len(service.LoadBalancerSourceRanges) > 0 { serviceSpec.LoadBalancerSourceRanges = service.LoadBalancerSourceRanges } if service.LoadBalancerIP != nil { diff --git a/internal/wasm/cache.go b/internal/wasm/cache.go index 6082a078855..785d8d3701a 100644 --- a/internal/wasm/cache.go +++ b/internal/wasm/cache.go 
@@ -247,7 +247,7 @@ func (c *localFileCache) getOrFetch(key cacheKey, opts GetOptions) (*cacheEntry, sha := sha256.Sum256(b) dChecksum = hex.EncodeToString(sha[:]) case "oci": - if opts.PullSecret != nil && len(opts.PullSecret) > 0 { + if len(opts.PullSecret) > 0 { isPrivate = true } if imageBinaryFetcher, dChecksum, err = c.prepareFetch(ctx, u, insecure, opts); err != nil { @@ -303,7 +303,7 @@ func (c *localFileCache) prepareFetch( imgFetcherOps := ImageFetcherOption{ Insecure: insecure, } - if opts.PullSecret != nil && len(opts.PullSecret) > 0 { + if len(opts.PullSecret) > 0 { imgFetcherOps.PullSecret = opts.PullSecret } fetcher := NewImageFetcher(ctx, imgFetcherOps, c.logger) diff --git a/internal/wasm/imagefetcher.go b/internal/wasm/imagefetcher.go index 5c97ad5f4a4..1b8c40fcd25 100644 --- a/internal/wasm/imagefetcher.go +++ b/internal/wasm/imagefetcher.go @@ -54,7 +54,7 @@ type ImageFetcherOption struct { } func (o *ImageFetcherOption) useAnonymous() bool { - return o.PullSecret == nil || len(o.PullSecret) == 0 + return len(o.PullSecret) == 0 } func (o *ImageFetcherOption) String() string { diff --git a/internal/xds/translator/jsonpatch.go b/internal/xds/translator/jsonpatch.go index 83db9103b06..bb8ed8bef2b 100644 --- a/internal/xds/translator/jsonpatch.go +++ b/internal/xds/translator/jsonpatch.go @@ -106,7 +106,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []* case resourcev3.ListenerType: temp := &listenerv3.Listener{} if err = protojson.Unmarshal(jsonBytes, temp); err != nil { - tErr := fmt.Errorf(unmarshalErrorMessage(err, p.Operation.Value)) + tErr := errors.New(unmarshalErrorMessage(err, p.Operation.Value)) tErrs = errors.Join(tErrs, tErr) continue } 
@@ -119,7 +119,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.RouteType:
 temp := &routev3.RouteConfiguration{}
 if err = protojson.Unmarshal(jsonBytes, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, p.Operation.Value))
+ tErr := errors.New(unmarshalErrorMessage(err, p.Operation.Value))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -132,7 +132,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.ClusterType:
 temp := &clusterv3.Cluster{}
 if err = protojson.Unmarshal(jsonBytes, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, p.Operation.Value))
+ tErr := errors.New(unmarshalErrorMessage(err, p.Operation.Value))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -145,7 +145,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.EndpointType:
 temp := &endpointv3.ClusterLoadAssignment{}
 if err = protojson.Unmarshal(jsonBytes, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, p.Operation.Value))
+ tErr := errors.New(unmarshalErrorMessage(err, p.Operation.Value))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -158,7 +158,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.SecretType:
 temp := &tlsv3.Secret{}
 if err = protojson.Unmarshal(jsonBytes, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, p.Operation.Value))
+ tErr := errors.New(unmarshalErrorMessage(err, p.Operation.Value))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
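Review bot: In the `SecretType` case (-158) the error text is built from `p.Operation.Value`, and in the later `SecretType` hunk (-370) from `string(modifiedJSON)`, which is the whole patched `tlsv3.Secret`. If unmarshalErrorMessage embeds its second argument in the message (its body is not shown, so this is inferred from the call), private-key or token material can end up wherever `tErrs` is surfaced, such as logs or resource status. For this resource type I would leave the payload out and report only the cause, e.g. `tErr := fmt.Errorf("unmarshal patched Secret: %w", err)`. The enclosing switch continues outside the hunk.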
@@ -302,7 +302,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.ListenerType:
 temp := &listenerv3.Listener{}
 if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON)))
+ tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON)))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -319,7 +319,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.RouteType:
 temp := &routev3.RouteConfiguration{}
 if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON)))
+ tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON)))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -336,7 +336,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.ClusterType:
 temp := &clusterv3.Cluster{}
 if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON)))
+ tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON)))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -353,7 +353,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.EndpointType:
 temp := &endpointv3.ClusterLoadAssignment{}
 if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON)))
+ tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON)))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
@@ -370,7 +370,7 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []*
 case resourcev3.SecretType:
 temp := &tlsv3.Secret{}
 if err = protojson.Unmarshal(modifiedJSON, temp); err != nil {
- tErr := fmt.Errorf(unmarshalErrorMessage(err, string(modifiedJSON)))
+ tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON)))
 tErrs = errors.Join(tErrs, tErr)
 continue
 }
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index 6a9e72f498c..42f17ff94f1 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -556,7 +556,7 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) {
 }
 
 if rr.RetryOn != nil {
- if rr.RetryOn.Triggers != nil && len(rr.RetryOn.Triggers) > 0 {
+ if len(rr.RetryOn.Triggers) > 0 {
 if ro, err := buildRetryOn(rr.RetryOn.Triggers); err == nil {
 rp.RetryOn = ro
 } else {
@@ -564,7 +564,7 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) {
 }
 }
 
- if rr.RetryOn.HTTPStatusCodes != nil && len(rr.RetryOn.HTTPStatusCodes) > 0 {
+ if len(rr.RetryOn.HTTPStatusCodes) > 0 {
 rp.RetriableStatusCodes = buildRetryStatusCodes(rr.RetryOn.HTTPStatusCodes)
 }
 }
diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
index 9e327e3eb6d..08ab0d24b3b 100644
--- a/internal/xds/translator/translator_test.go
+++ b/internal/xds/translator/translator_test.go
@@ -134,7 +134,7 @@ func TestTranslateXds(t *testing.T) {
 }
 tCtx, err := tr.Translate(x)
 if !strings.HasSuffix(inputFileName, "partial-invalid") && len(cfg.errMsg) == 0 {
- t.Logf(inputFileName)
+ t.Log(inputFileName)
 require.NoError(t, err)
 } else if len(cfg.errMsg) > 0 {
 require.Error(t, err)
diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod
index 9442b7aa814..ce5cce24914 100644
--- a/tools/src/golangci-lint/go.mod
+++ b/tools/src/golangci-lint/go.mod
@@ -2,7 +2,7 @@ module local go 1.22.5 -require github.com/golangci/golangci-lint v1.59.1 +require github.com/golangci/golangci-lint v1.60.1 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect @@ -11,11 +11,11 @@ require ( github.com/Abirdcfly/dupword v0.0.14 // indirect github.com/Antonboom/errname v0.1.13 // indirect github.com/Antonboom/nilnil v0.1.9 // indirect - github.com/Antonboom/testifylint v1.3.1 // indirect - github.com/BurntSushi/toml v1.4.0 // indirect - github.com/Crocmagnon/fatcontext v0.2.2 // indirect + github.com/Antonboom/testifylint v1.4.3 // indirect + github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect + github.com/Crocmagnon/fatcontext v0.4.0 // indirect github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect - github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect + github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect github.com/alecthomas/go-check-sumtype v0.1.4 // indirect @@ -27,7 +27,7 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/bkielbasa/cyclop v1.2.1 // indirect github.com/blizzy78/varnamelen v0.8.0 // indirect - github.com/bombsimon/wsl/v4 v4.2.1 // indirect + github.com/bombsimon/wsl/v4 v4.4.1 // indirect github.com/breml/bidichk v0.2.7 // indirect github.com/breml/errchkjson v0.3.6 // indirect github.com/butuzov/ireturn v0.3.0 // indirect @@ -60,7 +60,7 @@ require ( github.com/go-viper/mapstructure/v2 v2.0.0 // indirect github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect github.com/gobwas/glob v0.2.3 // indirect - github.com/gofrs/flock v0.8.1 // indirect + github.com/gofrs/flock v0.12.1 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e // indirect 
@@ -82,7 +82,7 @@ require ( github.com/jgautheron/goconst v1.7.1 // indirect github.com/jingyugao/rowserrcheck v1.1.1 // indirect github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect - github.com/jjti/go-spancheck v0.6.1 // indirect + github.com/jjti/go-spancheck v0.6.2 // indirect github.com/julz/importas v0.1.0 // indirect github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect github.com/kisielk/errcheck v1.7.0 // indirect @@ -104,12 +104,11 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.9 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect - github.com/mgechev/revive v1.3.7 // indirect + github.com/mgechev/revive v1.3.9 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect - github.com/moricho/tparallel v0.3.1 // indirect + github.com/moricho/tparallel v0.3.2 // indirect github.com/nakabonne/nestif v0.3.1 // indirect - github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect github.com/nishanths/exhaustive v0.12.0 // indirect github.com/nishanths/predeclared v0.2.2 // indirect github.com/nunnatsa/ginkgolinter v0.16.2 // indirect @@ -117,7 +116,7 @@ require ( github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/polyfloyd/go-errorlint v1.5.2 // indirect + github.com/polyfloyd/go-errorlint v1.6.0 // indirect github.com/prometheus/client_golang v1.12.1 // indirect github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/common v0.32.1 // indirect 
@@ -127,22 +126,22 @@ require ( github.com/quasilyte/gogrep v0.5.0 // indirect github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect - github.com/ryancurrah/gomodguard v1.3.2 // indirect + github.com/ryancurrah/gomodguard v1.3.3 // indirect github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect github.com/sashamelentyev/interfacebloat v1.1.0 // indirect - github.com/sashamelentyev/usestdlibvars v1.26.0 // indirect + github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sivchari/containedctx v1.0.3 // indirect - github.com/sivchari/tenv v1.7.1 // indirect + github.com/sivchari/tenv v1.10.0 // indirect github.com/sonatard/noctx v0.0.2 // indirect github.com/sourcegraph/go-diff v0.7.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.5.0 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.12.0 // indirect @@ -151,7 +150,6 @@ require ( github.com/stretchr/objx v0.5.2 // indirect github.com/stretchr/testify v1.9.0 // indirect github.com/subosito/gotenv v1.4.1 // indirect - github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect github.com/tdakkota/asciicheck v0.2.0 // indirect github.com/tetafro/godot v1.4.16 // indirect github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect 
@@ -160,31 +158,30 @@ require ( github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect github.com/ultraware/funlen v0.1.0 // indirect github.com/ultraware/whitespace v0.1.1 // indirect - github.com/uudashr/gocognit v1.1.2 // indirect + github.com/uudashr/gocognit v1.1.3 // indirect github.com/xen0n/gosmopolitan v1.2.2 // indirect github.com/yagipy/maintidx v1.0.0 // indirect github.com/yeya24/promlinter v0.3.0 // indirect github.com/ykadowak/zerologlint v0.1.5 // indirect gitlab.com/bosi/decorder v0.4.2 // indirect go-simpler.org/musttag v0.12.2 // indirect - go-simpler.org/sloglint v0.7.1 // indirect + go-simpler.org/sloglint v0.7.2 // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/automaxprocs v1.5.3 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.24.0 // indirect golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc // indirect golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect - golang.org/x/mod v0.18.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.21.0 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.23.0 // indirect golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.22.0 // indirect + golang.org/x/tools v0.24.0 // indirect google.golang.org/protobuf v1.33.0 // indirect - gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - honnef.co/go/tools v0.4.7 // indirect + honnef.co/go/tools v0.5.0 // indirect mvdan.cc/gofumpt v0.6.0 // indirect mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect ) diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index d5558afe589..81ac837888f 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -43,18 +43,18 @@ github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHO github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns= github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ= github.com/Antonboom/nilnil v0.1.9/go.mod h1:iGe2rYwCq5/Me1khrysB4nwI7swQvjclR8/YRPl5ihQ= -github.com/Antonboom/testifylint v1.3.1 h1:Uam4q1Q+2b6H7gvk9RQFw6jyVDdpzIirFOOrbs14eG4= -github.com/Antonboom/testifylint v1.3.1/go.mod h1:NV0hTlteCkViPW9mSR4wEMfwp+Hs1T3dY60bkvSfhpM= +github.com/Antonboom/testifylint v1.4.3 h1:ohMt6AHuHgttaQ1xb6SSnxCeK4/rnK7KKzbvs7DmEck= +github.com/Antonboom/testifylint v1.4.3/go.mod h1:+8Q9+AOLsz5ZiQiiYujJKs9mNz398+M6UgslP4qgJLA= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= -github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs= +github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Crocmagnon/fatcontext v0.2.2 h1:OrFlsDdOj9hW/oBEJBNSuH7QWf+E9WPVHw+x52bXVbk= -github.com/Crocmagnon/fatcontext v0.2.2/go.mod h1:WSn/c/+MMNiD8Pri0ahRj0o9jVpeowzavOQplBJw6u0= +github.com/Crocmagnon/fatcontext v0.4.0 h1:4ykozu23YHA0JB6+thiuEv7iT6xq995qS1vcuWZq0tg= +github.com/Crocmagnon/fatcontext v0.4.0/go.mod h1:ZtWrXkgyfsYPzS6K3O88va6t2GEglG93vnII/F94WC0= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= -github.com/GaijinEntertainment/go-exhaustruct/v3 
v3.2.0 h1:sATXp1x6/axKxz2Gjxv8MALP0bXaNRfQinEwyfMcx8c= -github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0/go.mod h1:Nl76DrGNJTA1KJ0LePKBw/vznBX1EHbAZX8mwjR82nI= +github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU= +github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0/go.mod h1:ONJg5sxcbsdQQ4pOW8TGdTidT2TMAUy/2Xhr8mrYaao= github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA= @@ -90,8 +90,8 @@ github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJ github.com/bkielbasa/cyclop v1.2.1/go.mod h1:K/dT/M0FPAiYjBgQGau7tz+3TMh4FWAEqlMhzFWCrgM= github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M= github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k= -github.com/bombsimon/wsl/v4 v4.2.1 h1:Cxg6u+XDWff75SIFFmNsqnIOgob+Q9hG6y/ioKbRFiM= -github.com/bombsimon/wsl/v4 v4.2.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo= +github.com/bombsimon/wsl/v4 v4.4.1 h1:jfUaCkN+aUpobrMO24zwyAMwMAV5eSziCkOKEauOLdw= +github.com/bombsimon/wsl/v4 v4.4.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo= github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY= github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ= github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA= 
@@ -119,7 +119,7 @@ github.com/ckaznocha/intrange v0.1.2 h1:3Y4JAxcMntgb/wABQ6e8Q8leMd26JbX2790lIss9 github.com/ckaznocha/intrange v0.1.2/go.mod h1:RWffCw/vKBwHeOEwWdCikAtY0q4gGt8VhJZEEA5n+RE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo= github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc= github.com/daixiang0/gci v0.13.4 h1:61UGkmpoAcxHM2hhNkZEf5SzwQtWJXTSws7jaPyqwlw= @@ -190,8 +190,8 @@ github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80 github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= -github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -226,8 +226,8 @@ github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM= -github.com/golangci/golangci-lint v1.59.1 h1:CRRLu1JbhK5avLABFJ/OHVSQ0Ie5c4ulsOId1h3TTks= -github.com/golangci/golangci-lint v1.59.1/go.mod h1:jX5Oif4C7P0j9++YB2MMJmoNrb01NJ8ITqKWNLewThg= +github.com/golangci/golangci-lint v1.60.1 h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE= +github.com/golangci/golangci-lint v1.60.1/go.mod h1:jDIPN1rYaIA+ijp9OZcUmUCoQOtZ76pOlFbi15FlLJY= github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs= github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -301,8 +301,8 @@ github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjz github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9BjwUk7KlCh6S9EAGWBt1oExIUv9WyNCiRz5amv48= github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= -github.com/jjti/go-spancheck v0.6.1 h1:ZK/wE5Kyi1VX3PJpUO2oEgeoI4FWOUm7Shb2Gbv5obI= -github.com/jjti/go-spancheck v0.6.1/go.mod h1:vF1QkOO159prdo6mHRxak2CpzDpHAfKiPUDP/NeRnX8= +github.com/jjti/go-spancheck v0.6.2 h1:iYtoxqPMzHUPp7St+5yA8+cONdyXD3ug6KK15n7Pklk= +github.com/jjti/go-spancheck v0.6.2/go.mod h1:+X7lvIrR5ZdUTkxFYqzJ0abr8Sb5LOo80uOhWNqIrYA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -368,8 +368,8 @@ github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/Qd github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mgechev/revive v1.3.7 h1:502QY0vQGe9KtYJ9FpxMz9rL+Fc/P13CI5POL4uHCcE= -github.com/mgechev/revive v1.3.7/go.mod h1:RJ16jUbF0OWC3co/+XTxmFNgEpUPwnnA0BRllX2aDNA= +github.com/mgechev/revive v1.3.9 h1:18Y3R4a2USSBF+QZKFQwVkBROUda7uoBlkEuBD+YD1A= +github.com/mgechev/revive v1.3.9/go.mod h1:+uxEIr5UH0TjXWHTno3xh4u7eg6jDpXKzQccA9UGhHU= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 
@@ -379,14 +379,12 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/moricho/tparallel v0.3.1 h1:fQKD4U1wRMAYNngDonW5XupoB/ZGJHdpzrWqgyg9krA= -github.com/moricho/tparallel v0.3.1/go.mod h1:leENX2cUv7Sv2qDgdi0D0fCftN8fRC67Bcn8pqzeYNI= +github.com/moricho/tparallel v0.3.2 h1:odr8aZVFA3NZrNybggMkYO3rgPRcqjeQUlBBFVxKHTI= +github.com/moricho/tparallel v0.3.2/go.mod h1:OQ+K3b4Ln3l2TZveGCywybl68glfLEwFGqvnjok8b+U= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U= github.com/nakabonne/nestif v0.3.1/go.mod h1:9EtoZochLn5iUprVDmDjqGKPofoUEBL8U4Ngq6aY7OE= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhKRf3Swg= github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= 
@@ -416,8 +414,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/polyfloyd/go-errorlint v1.5.2 h1:SJhVik3Umsjh7mte1vE0fVZ5T1gznasQG3PV7U5xFdA= -github.com/polyfloyd/go-errorlint v1.5.2/go.mod h1:sH1QC1pxxi0fFecsVIzBmxtrgd9IF/SkJpA6wqyKAJs= +github.com/polyfloyd/go-errorlint v1.6.0 h1:tftWV9DE7txiFzPpztTAwyoRLKNj9gpVm2cg8/OwcYY= +github.com/polyfloyd/go-errorlint v1.6.0/go.mod h1:HR7u8wuP1kb1NeN1zqTd1ZMlqUKPPHF+Id4vIPvDqVw= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 
@@ -456,8 +454,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryancurrah/gomodguard v1.3.2 h1:CuG27ulzEB1Gu5Dk5gP8PFxSOZ3ptSdP5iI/3IXxM18= -github.com/ryancurrah/gomodguard v1.3.2/go.mod h1:LqdemiFomEjcxOqirbQCb3JFvSxH2JUYMerTFd3sF2o= +github.com/ryancurrah/gomodguard v1.3.3 h1:eiSQdJVNr9KTNxY2Niij8UReSwR8Xrte3exBrAZfqpg= +github.com/ryancurrah/gomodguard v1.3.3/go.mod h1:rsKQjj4l3LXe8N344Ow7agAy5p9yjsWOtRzUMYmA0QY= github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU= github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ= github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc= 
@@ -466,8 +464,8 @@ github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6Ng github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY= github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw= github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ= -github.com/sashamelentyev/usestdlibvars v1.26.0 h1:LONR2hNVKxRmzIrZR0PhSF3mhCAzvnr+DcUiHgREfXE= -github.com/sashamelentyev/usestdlibvars v1.26.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= +github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI= +github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 h1:rnO6Zp1YMQwv8AyxzuwsVohljJgp4L0ZqiCgtACsPsc= github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9/go.mod h1:dg7lPlu/xK/Ut9SedURCoZbVCR4yC7fM65DtH9/CDHs= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= 
@@ -481,8 +479,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE= github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4= -github.com/sivchari/tenv v1.7.1 h1:PSpuD4bu6fSmtWMxSGWcvqUUgIn7k3yOJhOIzVWn8Ak= -github.com/sivchari/tenv v1.7.1/go.mod h1:64yStXKSOxDfX47NlhVwND4dHwfZDdbp2Lyl018Icvg= +github.com/sivchari/tenv v1.10.0 h1:g/hzMA+dBCKqGXgW8AV/1xIWhAvDrx0zFKNR48NFMg0= +github.com/sivchari/tenv v1.10.0/go.mod h1:tdY24masnVoZFxYrHv/nD6Tc8FbkEtAQEEziXpyMgqY= github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00= github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo= github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0= @@ -491,8 +489,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -521,8 +519,6 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= -github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplBwWcHBo6q9xrfWdMrT9o4kltkmmvpemgIjep/8= -github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk= github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM= github.com/tdakkota/asciicheck v0.2.0/go.mod h1:Qb7Y9EgjCLJGup51gDHFzbI08/gbGhL/UVhYIPWG2rg= github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA= @@ -543,8 +539,8 @@ github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81v github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4= github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/Gk8VQ= github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8= -github.com/uudashr/gocognit v1.1.2 h1:l6BAEKJqQH2UpKAPKdMfZf5kE4W/2xk8pfU1OVLvniI= -github.com/uudashr/gocognit v1.1.2/go.mod h1:aAVdLURqcanke8h3vg35BC++eseDm66Z7KmchI5et4k= +github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM= +github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U= github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU= github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg= github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM= 
@@ -566,8 +562,8 @@ go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ= go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28= go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs= go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM= -go-simpler.org/sloglint v0.7.1 h1:qlGLiqHbN5islOxjeLXoPtUdZXb669RW+BDQ+xOSNoU= -go-simpler.org/sloglint v0.7.1/go.mod h1:OlaVDRh/FKKd4X4sIMbsz8st97vomydceL146Fthh/c= +go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY= +go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -635,8 +631,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -675,8 +671,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -696,8 +692,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -743,7 +739,6 @@ golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220702020025-31831981b65f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -752,8 +747,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -830,14 +825,13 @@ golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= -golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -923,8 +917,8 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 
@@ -945,8 +939,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs= -honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0= +honnef.co/go/tools v0.5.0 h1:29uoiIormS3Z6R+t56STz/oI4v+mB51TSmEOdJPgRnE= +honnef.co/go/tools v0.5.0/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs= mvdan.cc/gofumpt v0.6.0 h1:G3QvahNDmpD+Aek/bNOLrFR2XC6ZAdo62dZu65gmwGo= mvdan.cc/gofumpt v0.6.0/go.mod h1:4L0wf+kgIPZtcCWXynNS2e6bhmj73umwnuXSZarixzA= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U= From 683b5b5c5ecb9bf9be6fa689fc011a51ea8a65fe Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 17 Aug 2024 09:46:35 +0800 Subject: [PATCH 059/523] bump github.com/replicatedhq/troubleshoot from 0.98.0 to 0.99.0 (#4065) --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 +- go.mod | 33 +++++++------- go.sum | 76 ++++++++++++++++++-------------- 4 files changed, 64 insertions(+), 51 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 1a7b930780a..df377d5e338 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -9,7 +9,7 @@ require ( google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.30.3 - sigs.k8s.io/controller-runtime v0.18.4 + sigs.k8s.io/controller-runtime v0.18.5 sigs.k8s.io/gateway-api v1.1.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index e797c4d018d..fc7d8df4b19 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -126,8 +126,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= -sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= +sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/go.mod b/go.mod index affe7ce6afa..d475039da7e 100644 --- a/go.mod +++ b/go.mod @@ -57,7 +57,7 @@ require ( k8s.io/client-go v0.30.3 k8s.io/kubectl v0.30.3 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 - sigs.k8s.io/controller-runtime v0.18.4 + sigs.k8s.io/controller-runtime v0.18.5 sigs.k8s.io/gateway-api v1.1.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 @@ -65,7 +65,7 @@ require ( require ( github.com/docker/docker v27.1.1+incompatible - github.com/replicatedhq/troubleshoot v0.98.0 + github.com/replicatedhq/troubleshoot v0.99.0 ) require ( 
@@ -88,7 +88,7 @@ require ( github.com/Masterminds/sprig/v3 v3.2.3 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/Microsoft/hcsshim v0.12.3 // indirect + github.com/Microsoft/hcsshim v0.12.5 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/apparentlymart/go-cidr v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect @@ -96,18 +96,19 @@ require ( github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect - github.com/cilium/ebpf v0.11.0 // indirect + github.com/cilium/ebpf v0.16.0 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.17 // indirect + github.com/containerd/containerd v1.7.20 // indirect github.com/containerd/errdefs v0.1.0 // indirect github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/containers/image/v5 v5.31.1 // indirect + github.com/containers/image/v5 v5.32.1 // indirect github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect - github.com/containers/ocicrypt v1.1.10 // indirect - github.com/containers/storage v1.54.0 // indirect + github.com/containers/ocicrypt v1.2.0 // indirect + github.com/containers/storage v1.55.0 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/cyphar/filepath-securejoin v0.2.5 // indirect + github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/docker/distribution v2.8.3+incompatible // indirect 
@@ -154,7 +155,7 @@ require ( github.com/magiconair/properties v1.8.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/mattn/go-runewidth v0.0.15 // indirect + github.com/mattn/go-runewidth v0.0.16 // indirect github.com/microsoft/go-mssqldb v1.7.2 // indirect github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect @@ -165,9 +166,9 @@ require ( github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/patternmatcher v0.6.0 // indirect - github.com/moby/sys/mountinfo v0.7.1 // indirect + github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect - github.com/moby/sys/user v0.1.0 // indirect + github.com/moby/sys/user v0.2.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect @@ -190,7 +191,7 @@ require ( github.com/spf13/viper v1.19.0 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect - github.com/sylabs/sif/v2 v2.16.0 // indirect + github.com/sylabs/sif/v2 v2.18.0 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tklauser/go-sysconf v0.3.12 // indirect @@ -214,7 +215,7 @@ require ( k8s.io/apiserver v0.30.3 // indirect k8s.io/kubelet v0.30.3 // indirect k8s.io/metrics v0.30.3 // indirect - oras.land/oras-go v1.2.5 // indirect + oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect ) 
@@ -275,9 +276,9 @@ require ( go.opentelemetry.io/otel/trace v1.28.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/mod v0.19.0 // indirect + golang.org/x/mod v0.20.0 // indirect golang.org/x/net v0.28.0 - golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect golang.org/x/term v0.23.0 // indirect golang.org/x/text v0.17.0 // indirect diff --git a/go.sum b/go.sum index 87524601312..48a655ca58b 100644 --- a/go.sum +++ b/go.sum @@ -252,8 +252,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0= -github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ= +github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= +github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= 
@@ -310,8 +310,8 @@ github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXH github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y= -github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs= +github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= +github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -327,24 +327,26 @@ github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1Ig github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.17 h1:KjNnn0+tAVQHAoaWRjmdak9WlvnFR/8rU1CHHy8Rm2A= -github.com/containerd/containerd v1.7.17/go.mod h1:vK+hhT4TIv2uejlcDlbVIc8+h/BqtKLIyNrtCZol8lI= +github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ= +github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0= github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/containers/image/v5 v5.31.1 h1:3x9soI6Biml/GiDLpkSmKrkRSwVGctxu/vONpoUdklA= -github.com/containers/image/v5 v5.31.1/go.mod h1:5QfOqSackPkSbF7Qxc1DnVNnPJKQ+KWLkfEfDpK590Q= +github.com/containers/image/v5 v5.32.1 h1:fVa7GxRC4BCPGsfSRs4JY12WyeY26SUYQ0NuANaCFrI= 
+github.com/containers/image/v5 v5.32.1/go.mod h1:v1l73VeMugfj/QtKI+jhYbwnwFCFnNGckvbST3rQ5Hk= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= -github.com/containers/ocicrypt v1.1.10 h1:r7UR6o8+lyhkEywetubUUgcKFjOWOaWz8cEBrCPX0ic= -github.com/containers/ocicrypt v1.1.10/go.mod h1:YfzSSr06PTHQwSTUKqDSjish9BeW1E4HUmreluQcMd8= -github.com/containers/storage v1.54.0 h1:xwYAlf6n9OnIlURQLLg3FYHbO74fQ/2W2N6EtQEUM4I= -github.com/containers/storage v1.54.0/go.mod h1:PlMOoinRrBSnhYODLxt4EXl0nmJt+X0kjG0Xdt9fMTw= +github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM= +github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U= +github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg= +github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= 
@@ -364,8 +366,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo= -github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/datawire/dlib v1.3.0 h1:KkmyXU1kwm3oPBk1ypR70YbcOlEXWzEbx5RE0iRXTGk= github.com/datawire/dlib v1.3.0/go.mod h1:NiGDmetmbkBvtznpWSx6C0vA0s0LK9aHna3LJDqjruk= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -529,6 +531,8 @@ github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= +github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= +github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-redis/redis/v7 v7.4.1 h1:PASvf36gyUpr2zdOUS/9Zqc80GbM+9BDyiJSJDDOrTI= github.com/go-redis/redis/v7 v7.4.1/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -759,8 +763,12 @@ github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Cc github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= +github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= +github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM= +github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 
@@ -834,12 +842,16 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= -github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g= +github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= +github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U= +github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= github.com/microsoft/go-mssqldb v1.7.2 h1:CHkFJiObW7ItKTJfHo1QX7QBBD1iV+mn1eOyRP3b/PA= github.com/microsoft/go-mssqldb v1.7.2/go.mod h1:kOvZKUdrhhFQmxLZqbwUV0rHkNkZpthMITIb2Ko1IoA= github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= 
@@ -869,12 +881,12 @@ github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkV github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g= -github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= +github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= +github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= -github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= -github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +github.com/moby/sys/user v0.2.0 h1:OnpapJsRp25vkhw8TFG6OLJODNh/3rEwRWtJ3kakwRM= +github.com/moby/sys/user v0.2.0/go.mod h1:RYstrcWOJpVh+6qzUqp2bU3eaRpdiQeKGlKitaH0PM8= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -987,8 +999,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.98.0 h1:+R3rMV84sGr24/OOr9PHYt9NPXsZHB24/8N4IH1rJFI= -github.com/replicatedhq/troubleshoot v0.98.0/go.mod h1:L+ocOIFN2a65xiXHQT57ythmXXw4mWkWwH4dfZJPJ8g= +github.com/replicatedhq/troubleshoot v0.99.0 h1:KtsCe/8EL1VPQrokZw3bcKo8HcCTRUMEtUb2+SJ5l1k= +github.com/replicatedhq/troubleshoot v0.99.0/go.mod h1:5rRx3kCUCX9Adl3ST1mzo57FICjIJMaIrkj3rTrzvv4= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 
@@ -1079,8 +1091,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/sylabs/sif/v2 v2.16.0 h1:2eqaBaQQsn5DZTzm3QZm0HupZQEjNXfxRnCmtyCihEU= -github.com/sylabs/sif/v2 v2.16.0/go.mod h1:d5TxgD/mhMUU3kWLmZmWJQ99Wg0asaTP0bq3ezR1xpg= +github.com/sylabs/sif/v2 v2.18.0 h1:eXugsS1qx7St2Wu/AJ21KnsQiVCpouPlTigABh+6KYI= +github.com/sylabs/sif/v2 v2.18.0/go.mod h1:GOQj7LIBqp15fjqH5i8ZEbLp8SXJi9S+xbRO+QQAdRo= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= 
@@ -1248,8 +1260,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1338,8 +1350,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= +golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1872,8 +1884,8 @@ k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= -oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= +oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= +oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= @@ -1881,8 +1893,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= -sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= +sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= 
From 7f2c151487844c269a3b74fa3ac8fa27b2204581 Mon Sep 17 00:00:00 2001 From: Alex Volchok Date: Sat, 17 Aug 2024 11:01:16 +0200 Subject: [PATCH 060/523] feat: support LB priority for non xRoute endpoints (#4033) * add priority support for backend refs Signed-off-by: Alexander Volchok * fixing lint adding generate Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * readd generates Signed-off-by: Alexander Volchok * format and style fixes Signed-off-by: Alexander Volchok * updating gen Signed-off-by: Alexander Volchok * updating gen Signed-off-by: Alexander Volchok * adding translation tests Signed-off-by: Alexander Volchok * adding translation tests Signed-off-by: Alexander Volchok * adding nl Signed-off-by: Alexander Volchok * Update api/v1alpha1/shared_types.go Co-authored-by: zirain Signed-off-by: Alex Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok --------- Signed-off-by: Alexander Volchok 
Signed-off-by: Alex Volchok Co-authored-by: zirain --- api/v1alpha1/shared_types.go | 8 + api/v1alpha1/zz_generated.deepcopy.go | 5 + ....envoyproxy.io_envoyextensionpolicies.yaml | 9 + .../gateway.envoyproxy.io_envoyproxies.yaml | 36 ++ ...ateway.envoyproxy.io_securitypolicies.yaml | 18 + internal/gatewayapi/envoyextensionpolicy.go | 2 +- internal/gatewayapi/ext_service.go | 15 +- internal/gatewayapi/securitypolicy.go | 5 +- .../envoyproxy-priority-backend.in.yaml | 236 +++++++++++ .../envoyproxy-priority-backend.out.yaml | 381 ++++++++++++++++++ internal/ir/xds.go | 4 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/cluster.go | 2 +- .../testdata/in/xds-ir/backend-priority.yaml | 97 +++++ .../out/xds-ir/backend-priority.clusters.yaml | 99 +++++ .../xds-ir/backend-priority.endpoints.yaml | 66 +++ .../xds-ir/backend-priority.listeners.yaml | 49 +++ .../out/xds-ir/backend-priority.routes.yaml | 59 +++ .../out/xds-ir/backend-priority.secrets.yaml | 8 + site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 21 files changed, 1098 insertions(+), 8 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/backend-priority.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/backend-priority.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/backend-priority.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/backend-priority.secrets.yaml diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index c24db0ee547..ec29fb5f292 100644 
--- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -473,6 +473,14 @@ type BackendRef struct { // BackendObjectReference references a Kubernetes object that represents the backend. // Only Service kind is supported for now. gwapiv1.BackendObjectReference `json:",inline"` + // Failover This indicates whether the backend is designated as a failover. + // Multiple failover backends can be configured. + // It is highly recommended to configure active or passive health checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + // the health of the active backends falls below 72%. + // +optional + Failover *bool `json:"failover,omitempty"` } // BackendCluster contains all the configuration required for configuring access diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 6e9f41f7723..0e43f4cf493 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -374,6 +374,11 @@ func (in *BackendList) DeepCopyObject() runtime.Object { func (in *BackendRef) DeepCopyInto(out *BackendRef) { *out = *in in.BackendObjectReference.DeepCopyInto(&out.BackendObjectReference) + if in.Failover != nil { + in, out := &in.Failover, &out.Failover + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendRef. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 5b88ec4827c..af7bfdefa5a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
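Review bot: The doc comment on the new `Failover` field of `BackendRef` does not say what happens when every backend in a list is marked as failover, or when the flag is set on the only backend, and the generated CRD descriptions inherit that gap. The first sentence also reads awkwardly in godoc; I would write `// Failover indicates whether the backend is designated as a failover.` and add `// At least one backend in the list should leave this unset so that a primary (priority 0) backend exists.` This commit reads the field on ext-auth and ext-proc backends, so the behaviour with no primary left belongs in the text users will read.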
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -143,6 +143,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 436a3331430..aaa55135e0b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10398,6 +10398,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- 
@@ -11288,6 +11297,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- @@ -12256,6 +12274,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- 
@@ -13159,6 +13186,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index da5eed2969a..207ebb8c68b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -345,6 +345,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- 
@@ -1148,6 +1157,15 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: + failover: + description: |- + Failover This indicates whether the backend is designated as a failover. + Multiple failover backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean group: default: "" description: |- diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 2bf37c576b5..5cbe148db2c 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -439,7 +439,7 @@ func (t *Translator) buildExtProc( } ds, err = t.processExtServiceDestination( - &extProc.BackendRefs[i].BackendObjectReference, + &extProc.BackendRefs[i], policyNamespacedName, egv1a1.KindEnvoyExtensionPolicy, ir.GRPC, diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index d0c50e5f97e..65cf4c2cce8 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -21,7 +21,7 @@ import ( // TODO: zhaohuabing combine this function with the one in the route translator func (t *Translator) processExtServiceDestination( - backendRef *gwapiv1.BackendObjectReference, + backendRef *egv1a1.BackendRef, policyNamespacedName types.NamespacedName, policyKind string, protocol ir.AppProtocol, 
@@ -37,12 +37,12 @@ func (t *Translator) processExtServiceDestination( switch KindDerefOr(backendRef.Kind, KindService) { case KindService: - ds = t.processServiceDestinationSetting(*backendRef, backendNamespace, protocol, resources, envoyProxy) + ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) case egv1a1.KindBackend: if !t.BackendEnabled { return nil, fmt.Errorf("resource %s of type Backend cannot be used since Backend is disabled in Envoy Gateway configuration", string(backendRef.Name)) } - ds = t.processBackendDestinationSetting(*backendRef, backendNamespace, resources) + ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources) ds.Protocol = protocol } @@ -58,7 +58,7 @@ func (t *Translator) processExtServiceDestination( } backendTLS = t.applyBackendTLSSetting( - *backendRef, + backendRef.BackendObjectReference, backendNamespace, // Gateway is not the appropriate parent reference here because the owner // of the BackendRef is the policy, and there is no hierarchy @@ -78,7 +78,12 @@ func (t *Translator) processExtServiceDestination( // TODO: support weighted non-xRoute backends ds.Weight = ptr.To(uint32(1)) - + if backendRef.Failover != nil { + // set only the secondary priority, the backend defaults to a primary priority if unset. + if ptr.Deref(backendRef.Failover, false) { + ds.Priority = ptr.To(uint32(1)) + } + } return ds, nil } diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 84fac382aa2..9940dbabefc 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -813,6 +813,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso authority string err error traffic *ir.TrafficFeatures + failover *bool ) switch { 
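Review bot: In the last `processExtServiceDestination` hunk the outer `if backendRef.Failover != nil` is redundant, because `ptr.Deref(backendRef.Failover, false)` already yields false for a nil pointer. The block can be reduced to `if ptr.Deref(backendRef.Failover, false) { ds.Priority = ptr.To(uint32(1)) }` with the existing comment kept above it. The function handles one ref at a time, so nothing visible here checks that a sibling ref stays at priority 0. Envoy's endpoint documentation asks for priority levels to start at 0 without gaps, so a list in which every ref sets `failover: true` probably deserves a validation error in the caller or in CRD validation. The function body starts outside these hunks.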
@@ -824,6 +825,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso backendRef = http.BackendRef if len(http.BackendRefs) != 0 { backendRef = egv1a1.ToBackendObjectReference(http.BackendRefs[0]) + failover = http.BackendRefs[0].Failover } protocol = ir.HTTP if traffic, err = translateTrafficFeatures(http.BackendSettings); err != nil { @@ -833,6 +835,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso backendRef = grpc.BackendRef if len(grpc.BackendRefs) != 0 { backendRef = egv1a1.ToBackendObjectReference(grpc.BackendRefs[0]) + failover = grpc.BackendRefs[0].Failover } protocol = ir.GRPC if traffic, err = translateTrafficFeatures(grpc.BackendSettings); err != nil { @@ -851,7 +854,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso authority = backendRefAuthority(resources, backendRef, policy) pnn := utils.NamespacedName(policy) if ds, err = t.processExtServiceDestination( - backendRef, + &egv1a1.BackendRef{BackendObjectReference: *backendRef, Failover: failover}, pnn, KindSecurityPolicy, protocol, diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml new file mode 100644 index 00000000000..f44174b6d62 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml 
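Review bot: `buildExtAuth` forwards only `BackendRefs[0]`, so copying `http.BackendRefs[0].Failover` (and `grpc.BackendRefs[0].Failover` in the next hunk) lets a policy build an ext-auth destination whose single backend sits at priority 1 with no priority-0 backend. For an authorization service that is a risky configuration to accept silently. How Envoy handles the missing level is not shown here, and depending on whether the policy fails open or closed the outcome could be an outage or requests served without an auth decision, so it is worth a test. Until several ext-auth backends are supported I would either not propagate the flag on this path or return an error when it is set. The function starts and ends outside these hunks.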
@@ -0,0 +1,236 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo + backendRefs: + - name: service-1 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-1 + port: 8080 +services: + - apiVersion: v1 + kind: Service + metadata: + namespace: envoy-gateway + name: grpc-backend + spec: + ports: + - port: 8000 + name: grpc + protocol: TCP + - apiVersion: v1 + kind: Service + metadata: + namespace: default + name: grpc-backend-2 + spec: + ports: + - port: 9000 + name: grpc + protocol: TCP +endpointSlices: + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-grpc-backend + namespace: envoy-gateway + labels: + kubernetes.io/service-name: grpc-backend + addressType: IPv4 + ports: + - name: http + protocol: TCP + port: 8000 + endpoints: + - addresses: + - 7.7.7.7 + conditions: + ready: true + - apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-grpc-backend-2 + namespace: default + labels: + kubernetes.io/service-name: grpc-backend-2 + addressType: IPv4 + ports: + - name: grpc + protocol: TCP + port: 9000 + endpoints: + - addresses: + - 8.8.8.8 + conditions: + ready: true +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 
+ kind: ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + namespace: default + to: + - group: '' + kind: Service + - group: gateway.envoyproxy.io + kind: Backend +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: default + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls-grpc + namespace: envoy-gateway + spec: + targetRefs: + - group: '' + kind: Service + name: grpc-backend + sectionName: "8000" + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: grpc-backend + - apiVersion: gateway.networking.k8s.io/v1alpha2 + 
kind: BackendTLSPolicy + metadata: + name: policy-btls-backend-ip + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: ip-backend +envoyExtensionPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: default + name: policy-for-http-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extProc: + - backendRefs: + - Name: grpc-backend + Namespace: envoy-gateway + Port: 8000 + - Name: grpc-backend-2 + Port: 9000 + failover: true + - Name: backend-ip + Kind: Backend + Group: gateway.envoyproxy.io + failover: true + - Name: backend-ip-tls + Namespace: envoy-gateway + Kind: Backend + Group: gateway.envoyproxy.io + failover: true +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-ip + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-ip-tls + namespace: envoy-gateway + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3443 diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml new file mode 100644 index 00000000000..9933d77c563 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml 
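Review bot: The only non-failover ext-proc backend in this fixture, `grpc-backend`, appears to resolve to no endpoints, because its Service port is named `grpc` while `endpointslice-grpc-backend` names the port `http`; the first setting in the expected xdsIR indeed has no `endpoints` list. If that is unintended, renaming the slice port to `grpc` would let the golden output show a populated priority-0 backend next to the priority-1 ones. The `extProc.backendRefs` entries also mix capitalised keys (`Name`, `Namespace`, `Port`, `Kind`, `Group`) with lowercase `failover`; lowercase keys matching the CRD schema would be more consistent. Going by the diffstat, none of the added fixtures covers the `SecurityPolicy` ext-auth path that this commit also changes.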
@@ -0,0 +1,381 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-grpc + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: grpc-backend + sectionName: "8000" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: grpc-backend + status: + ancestors: + - ancestorRef: + group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + name: policy-for-http-route + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-backend-ip + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: ip-backend + status: + ancestors: + - ancestorRef: + group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + name: policy-for-http-route + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-ip + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-ip-tls + namespace: envoy-gateway + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3443 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route + namespace: default + spec: + extProc: + - backendRefs: + - name: grpc-backend + namespace: envoy-gateway + port: 8000 + - failover: true + name: grpc-backend-2 + port: 9000 + - failover: true + group: gateway.envoyproxy.io + kind: Backend + name: backend-ip + - failover: true + group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls + namespace: envoy-gateway + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: 
+ - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + extProcs: + - authority: grpc-backend.envoy-gateway:8000 + destination: + name: envoyextensionpolicy/default/policy-for-http-route/0 + settings: + - addressType: IP + protocol: GRPC + tls: + caCertificate: + certificate: 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 + name: policy-btls-grpc/envoy-gateway-ca + sni: grpc-backend + weight: 1 + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + priority: 1 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + 
- host: 1.1.1.1 + port: 3001 + priority: 1 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3443 + priority: 1 + protocol: GRPC + tls: + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-backend-ip/envoy-gateway-ca + sni: ip-backend + weight: 1 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: 
default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/ir/xds.go b/internal/ir/xds.go index ec3441e3bab..c698bea626d 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1155,6 +1155,10 @@ type DestinationSetting struct { // invalid endpoints are represents with a // non-zero weight with an empty endpoints list Weight *uint32 `json:"weight,omitempty" yaml:"weight,omitempty"` + // Priority default to priority 0, the highest level. + // If multiple destinations share the same priority, they will all be utilized. + // Lower priority endpoints will be used only if higher priority levels are unavailable. + Priority *uint32 `json:"priority,omitempty"` // Protocol associated with this destination/port. Protocol AppProtocol `json:"protocol,omitempty" yaml:"protocol,omitempty"` Endpoints []*DestinationEndpoint `json:"endpoints,omitempty" yaml:"endpoints,omitempty"` diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 8fd97960904..4423f71ba0c 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -689,6 +689,11 @@ func (in *DestinationSetting) DeepCopyInto(out *DestinationSetting) { *out = new(uint32) **out = **in } + if in.Priority != nil { + in, out := &in.Priority, &out.Priority + *out = new(uint32) + **out = **in + } if in.Endpoints != nil { in, out := &in.Endpoints, &out.Endpoints *out = make([]*DestinationEndpoint, len(*in)) 
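Review bot: The new `Priority` field in `DestinationSetting` carries only a `json` tag, while the neighbouring `Weight`, `Protocol` and `Endpoints` fields declare both `json` and `yaml` tags. For consistency I would append `yaml:"priority,omitempty"` after the existing `json:"priority,omitempty"` tag. The comment would read better as `// Priority defaults to 0, the highest level.` The struct continues outside the hunk.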
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 90d005a8b99..9786ed972c6 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -444,7 +444,7 @@ func buildXdsClusterLoadAssignment(clusterName string, destSettings []*ir.Destin weight = 1 } locality.LoadBalancingWeight = &wrapperspb.UInt32Value{Value: weight} - + locality.Priority = ptr.Deref(ds.Priority, 0) localities = append(localities, locality) } return &endpointv3.ClusterLoadAssignment{ClusterName: clusterName, Endpoints: localities} diff --git a/internal/xds/translator/testdata/in/xds-ir/backend-priority.yaml b/internal/xds/translator/testdata/in/xds-ir/backend-priority.yaml new file mode 100644 index 00000000000..b18671d7879 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/backend-priority.yaml 
@@ -0,0 +1,97 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + extProcs: + - authority: grpc-backend.envoy-gateway:8000 + destination: + name: envoyextensionpolicy/default/policy-for-http-route/0 + settings: + - addressType: IP + protocol: GRPC + tls: + caCertificate: + certificate: 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 + name: policy-btls-grpc/envoy-gateway-ca + sni: grpc-backend + weight: 1 + - addressType: IP + endpoints: + - host: 8.8.8.8 + port: 9000 + priority: 1 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + priority: 1 + protocol: GRPC + weight: 1 + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3443 + priority: 1 + protocol: GRPC + tls: + caCertificate: + certificate: 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 + name: policy-btls-backend-ip/envoy-gateway-ca + sni: ip-backend + weight: 1 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + 
name: "" + prefix: /bar diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml new file mode 100644 index 00000000000..b6f2821b650 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml 
@@ -0,0 +1,99 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + lbPolicy: LEAST_REQUEST + name: envoyextensionpolicy/default/policy-for-http-route/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + transportSocketMatches: + - match: + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/0 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: grpc-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-grpc/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: grpc-backend + - match: + name: 
envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: ip-backend + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-backend-ip/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: ip-backend + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.endpoints.yaml new file mode 100644 index 00000000000..30f113b0a73 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.endpoints.yaml 
@@ -0,0 +1,66 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 +- clusterName: envoyextensionpolicy/default/policy-for-http-route/0 + endpoints: + - loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/0 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 8.8.8.8 + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/1 + priority: 1 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.1.1.1 + portValue: 3001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/2 + priority: 1 + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 2.2.2.2 + portValue: 3443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.transport_socket_match: + name: envoyextensionpolicy/default/policy-for-http-route/0/tls/3 + loadBalancingWeight: 1 + locality: + region: envoyextensionpolicy/default/policy-for-http-route/0/backend/3 + priority: 1 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml new file mode 100644 index 00000000000..7ed44e9e2bf --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml 
@@ -0,0 +1,49 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-http-route/extproc/0 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor + grpcService: + envoyGrpc: + authority: grpc-backend.envoy-gateway:8000 + clusterName: envoyextensionpolicy/default/policy-for-http-route/0 + timeout: 10s + processingMode: + requestHeaderMode: SKIP + requestTrailerMode: SKIP + responseHeaderMode: SKIP + responseTrailerMode: SKIP + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + drainType: MODIFY_ONLY + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.routes.yaml new file mode 100644 index 00000000000..e5e50ccde27 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.routes.yaml 
@@ -0,0 +1,59 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-http-route/extproc/0: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.secrets.yaml new file mode 100644 index 00000000000..387926a79f3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.secrets.yaml 
@@ -0,0 +1,8 @@ +- name: policy-btls-grpc/envoy-gateway-ca + validationContext: + trustedCa: + inlineBytes: 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 +- name: policy-btls-backend-ip/envoy-gateway-ca + validationContext: + trustedCa: + inlineBytes: 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 diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index b7d7b76078c..e63397b0d8b 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -364,6 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `failover` | _boolean_ | false | Failover This indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index b7d7b76078c..e63397b0d8b 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -364,6 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `failover` | _boolean_ | false | Failover This indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec From 4dcfea4246b0e34a2fe8ca276a39ac3f54b7b37e Mon Sep 17 00:00:00 2001 From: Luv Date: Sat, 17 Aug 2024 19:02:38 +0530 Subject: [PATCH 061/523] docs: added defaults for load balancing (#4071) * docs: added defaults for load balancing Signed-off-by: Luv * doc change in backendtrafficpolicy_types.go and generate Signed-off-by: Luv * make gen-check auto changes Signed-off-by: Luv --------- Signed-off-by: Luv --- api/v1alpha1/backendtrafficpolicy_types.go | 2 +- .../gateway.envoyproxy.io_backendtrafficpolicies.yaml | 2 +- .../gateway.envoyproxy.io_envoyextensionpolicies.yaml | 2 +- .../generated/gateway.envoyproxy.io_envoyproxies.yaml | 8 ++++---- .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 4 ++-- site/content/en/docs/tasks/traffic/load-balancing.md | 2 +- site/content/en/latest/api/extension_types.md | 4 ++-- site/content/en/latest/tasks/traffic/load-balancing.md | 2 +- site/content/en/v1.1/tasks/traffic/load-balancing.md | 2 +- site/content/zh/latest/api/extension_types.md | 4 ++-- 10 files changed, 16 insertions(+), 16 deletions(-) diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 3f014b28285..63e9767070e 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -102,7 +102,7 @@ type BackendTrafficPolicyConnection struct { // backend will be configured. type ClusterSettings struct { // LoadBalancer policy to apply when routing traffic from the gateway to - // the backend endpoints + // the backend endpoints. Defaults to `LeastRequest`. // +optional LoadBalancer *LoadBalancer `json:"loadBalancer,omitempty"` diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 2190e623502..a23e656788b 100644 
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -510,7 +510,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index af7bfdefa5a..2778aa85a0b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -633,7 +633,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index aaa55135e0b..82865b93d50 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10931,7 +10931,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- @@ -11830,7 +11830,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- 
@@ -12784,7 +12784,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- @@ -13693,7 +13693,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 207ebb8c68b..da6c3ae25fc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -839,7 +839,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- @@ -1651,7 +1651,7 @@ spec: loadBalancer: description: |- LoadBalancer policy to apply when routing traffic from the gateway to - the backend endpoints + the backend endpoints. Defaults to `LeastRequest`. properties: consistentHash: description: |- diff --git a/site/content/en/docs/tasks/traffic/load-balancing.md b/site/content/en/docs/tasks/traffic/load-balancing.md index 90a816e7bc3..89f6ee94b87 100644 --- a/site/content/en/docs/tasks/traffic/load-balancing.md +++ b/site/content/en/docs/tasks/traffic/load-balancing.md 
@@ -13,7 +13,7 @@ Envoy Gateway supports the following load balancing policies: - **Consistent Hash**: load balancer implements consistent hashing to upstream hosts. Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired load balancing polices. -This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. If `loadBalancer` is not specified in [BackendTrafficPolicy][], the default load balancing policy is `Least Request`. ## Prerequisites diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index e63397b0d8b..db902e65878 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -467,7 +467,7 @@ _Appears in:_ | `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -724,7 +724,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | diff --git a/site/content/en/latest/tasks/traffic/load-balancing.md b/site/content/en/latest/tasks/traffic/load-balancing.md index b8bdff01af2..3c9a78450b5 100644 --- a/site/content/en/latest/tasks/traffic/load-balancing.md +++ b/site/content/en/latest/tasks/traffic/load-balancing.md @@ -13,7 +13,7 @@ Envoy Gateway supports the following load balancing policies: - **Consistent Hash**: load balancer implements consistent hashing to upstream hosts. Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired load balancing polices. -This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. If `loadBalancer` is not specified in [BackendTrafficPolicy][], the default load balancing policy is `Least Request`. ## Prerequisites diff --git a/site/content/en/v1.1/tasks/traffic/load-balancing.md b/site/content/en/v1.1/tasks/traffic/load-balancing.md index 90a816e7bc3..89f6ee94b87 100644 --- a/site/content/en/v1.1/tasks/traffic/load-balancing.md +++ b/site/content/en/v1.1/tasks/traffic/load-balancing.md 
@@ -13,7 +13,7 @@ Envoy Gateway supports the following load balancing policies: - **Consistent Hash**: load balancer implements consistent hashing to upstream hosts. Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired load balancing polices. -This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. If `loadBalancer` is not specified in [BackendTrafficPolicy][], the default load balancing policy is `Least Request`. ## Prerequisites diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index e63397b0d8b..db902e65878 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -467,7 +467,7 @@ _Appears in:_ | `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -724,7 +724,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | From 6066f5a6ad65d30f5d2327b03de04361bb6de004 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 19 Aug 2024 01:27:02 +0800 Subject: [PATCH 062/523] use sets and return stable result (#4074) Signed-off-by: zirain --- internal/gatewayapi/helpers.go | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 31428c5e13d..52df40f4736 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -280,7 +280,7 @@ func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []s return []string{"*"} } - hostnamesSet := map[string]struct{}{} + hostnamesSet := sets.NewString() // Find intersecting hostnames for i := range routeHostnames { @@ -291,22 +291,22 @@ func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []s switch { // No listener hostname: use the route hostname. case len(listenerHostnameVal) == 0: - hostnamesSet[routeHostname] = struct{}{} + hostnamesSet.Insert(routeHostname) // Listener hostname matches the route hostname: use it. case listenerHostnameVal == routeHostname: - hostnamesSet[routeHostname] = struct{}{} + hostnamesSet.Insert(routeHostname) // Listener has a wildcard hostname: check if the route hostname matches. case strings.HasPrefix(listenerHostnameVal, "*"): if hostnameMatchesWildcardHostname(routeHostname, listenerHostnameVal) { - hostnamesSet[routeHostname] = struct{}{} + hostnamesSet.Insert(routeHostname) } // Route has a wildcard hostname: check if the listener hostname matches. case strings.HasPrefix(routeHostname, "*"): if hostnameMatchesWildcardHostname(listenerHostnameVal, routeHostname) { - hostnamesSet[listenerHostnameVal] = struct{}{} + hostnamesSet.Insert(listenerHostnameVal) } } 
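Review bot: `hostnamesSet := sets.NewString()` in the first computeHosts hunk uses the string-specific set type, which k8s.io/apimachinery marks as deprecated in favour of the generic set. If the module's apimachinery version provides the generic API, the declaration can be `hostnamesSet := sets.New[string]()` and the return in the later `@@ -328,15 +328,10 @@` hunk `return sets.List(hostnamesSet)`. The `Insert` and `Delete` calls in this hunk and the next keep the same spelling. computeHosts begins before this hunk and continues past it, so the import block and the module version are not visible here and should be checked first.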
@@ -328,15 +328,10 @@ func computeHosts(routeHostnames []string, listenerContext *ListenerContext) []s if listener.Hostname == nil { continue } - delete(hostnamesSet, string(*listener.Hostname)) + hostnamesSet.Delete(string(*listener.Hostname)) } - var hostnames []string - for host := range hostnamesSet { - hostnames = append(hostnames, host) - } - - return hostnames + return hostnamesSet.List() } // hostnameMatchesWildcardHostname returns true if hostname has the non-wildcard From 7c1d50991deacf6619ca776912cd445e35266f61 Mon Sep 17 00:00:00 2001 From: Lior Lieberman Date: Mon, 19 Aug 2024 01:38:31 +0100 Subject: [PATCH 063/523] docs: fix basic-auth.md formatting (#4034) * Update basic-auth.md Signed-off-by: Lior Lieberman * address feedback Signed-off-by: Lior Lieberman * fix basic-auth.md Signed-off-by: Lior Lieberman --------- Signed-off-by: Lior Lieberman --- site/content/en/docs/tasks/security/basic-auth.md | 1 - site/content/en/latest/tasks/security/basic-auth.md | 1 - site/content/en/v1.0/tasks/security/basic-auth.md | 1 - site/content/en/v1.1/tasks/security/basic-auth.md | 1 - 4 files changed, 4 deletions(-) diff --git a/site/content/en/docs/tasks/security/basic-auth.md b/site/content/en/docs/tasks/security/basic-auth.md index 0cd2b92a9a5..9fc969affb7 100644 --- a/site/content/en/docs/tasks/security/basic-auth.md +++ b/site/content/en/docs/tasks/security/basic-auth.md @@ -195,7 +195,6 @@ curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/" The request should be allowed and you should see the response from the backend service. -```shell ## Clean-Up diff --git a/site/content/en/latest/tasks/security/basic-auth.md b/site/content/en/latest/tasks/security/basic-auth.md index 38fa436f086..cc0ec54ada1 100644 --- a/site/content/en/latest/tasks/security/basic-auth.md +++ b/site/content/en/latest/tasks/security/basic-auth.md 
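Review bot: `return hostnamesSet.List()` at the end of computeHosts returns an empty, non-nil slice when no route hostname intersects the listener, whereas the removed `var hostnames []string` loop returned nil in that case. Callers that only test `len(...) == 0` are unaffected, but the callers are outside this hunk, so any that compare against nil or serialize the result should be checked. If the nil result is part of the contract, add `if hostnamesSet.Len() == 0 { return nil }` before the return. The sorted order is the point of the change and deserves a comment on that line, for example `// List returns the hostnames sorted so the translated output is deterministic.`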
@@ -194,7 +194,6 @@ curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/" The request should be allowed and you should see the response from the backend service. -```shell ## Clean-Up diff --git a/site/content/en/v1.0/tasks/security/basic-auth.md b/site/content/en/v1.0/tasks/security/basic-auth.md index e162e4f9879..fdc95014103 100644 --- a/site/content/en/v1.0/tasks/security/basic-auth.md +++ b/site/content/en/v1.0/tasks/security/basic-auth.md @@ -169,7 +169,6 @@ curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/" The request should be allowed and you should see the response from the backend service. -```shell ## Clean-Up diff --git a/site/content/en/v1.1/tasks/security/basic-auth.md b/site/content/en/v1.1/tasks/security/basic-auth.md index 0cd2b92a9a5..9fc969affb7 100644 --- a/site/content/en/v1.1/tasks/security/basic-auth.md +++ b/site/content/en/v1.1/tasks/security/basic-auth.md @@ -195,7 +195,6 @@ curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/" The request should be allowed and you should see the response from the backend service. -```shell ## Clean-Up From e83097c890fd7c1bf5b55a8dd6444363512ffdfe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 10:59:20 -0700 Subject: [PATCH 064/523] build(deps): bump sigs.k8s.io/kind from 0.23.0 to 0.24.0 in /tools/src/kind (#4077) build(deps): bump sigs.k8s.io/kind in /tools/src/kind Bumps [sigs.k8s.io/kind](https://github.com/kubernetes-sigs/kind) from 0.23.0 to 0.24.0. - [Release notes](https://github.com/kubernetes-sigs/kind/releases) - [Commits](https://github.com/kubernetes-sigs/kind/compare/v0.23.0...v0.24.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/kind dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/kind/go.mod | 17 ++++++++--------- tools/src/kind/go.sum | 42 ++++++++++++++++++++---------------------- 2 files changed, 28 insertions(+), 31 deletions(-) diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index ee24990f491..0d7c7342b1e 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -2,21 +2,20 @@ module github.com/envoyproxy/gateway/tools/src/kind go 1.22.5 -require sigs.k8s.io/kind v0.23.0 +require sigs.k8s.io/kind v0.24.0 require ( - github.com/BurntSushi/toml v1.0.0 // indirect - github.com/alessio/shellescape v1.4.1 // indirect + github.com/BurntSushi/toml v1.4.0 // indirect + github.com/alessio/shellescape v1.4.2 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect - github.com/inconshreveable/mousetrap v1.0.0 // indirect - github.com/mattn/go-isatty v0.0.14 // indirect - github.com/pelletier/go-toml v1.9.4 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/pelletier/go-toml v1.9.5 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/spf13/cobra v1.4.0 // indirect + github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect golang.org/x/sys v0.16.0 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/tools/src/kind/go.sum b/tools/src/kind/go.sum index 2a0488c95c2..e811249cb1e 100644 --- a/tools/src/kind/go.sum +++ b/tools/src/kind/go.sum 
@@ -1,44 +1,42 @@ -github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= -github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= -github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= -github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= -github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= +github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0= +github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI= github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap 
v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= -github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= +github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q= -github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -sigs.k8s.io/kind v0.23.0 h1:8fyDGWbWTeCcCTwA04v4Nfr45KKxbSPH1WO9K+jVrBg= -sigs.k8s.io/kind v0.23.0/go.mod h1:ZQ1iZuJLh3T+O8fzhdi3VWcFTzsdXtNv2ppsHc8JQ7s= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/kind v0.24.0 h1:g4y4eu0qa+SCeKESLpESgMmVFBebL0BDa6f777OIWrg= +sigs.k8s.io/kind v0.24.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 822c4cd75e90c9233710d2664af74bb236a703b4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:05:31 -0700 Subject: [PATCH 065/523] build(deps): bump github.com/docker/cli from 27.1.1+incompatible to 27.1.2+incompatible (#4082) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.1.1+incompatible to 27.1.2+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.1.1...v27.1.2) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d475039da7e..b9c57450848 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/Masterminds/semver/v3 v3.2.1 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v27.1.1+incompatible + github.com/docker/cli v27.1.2+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 diff --git a/go.sum b/go.sum index 48a655ca58b..0686beeef3a 100644 --- a/go.sum +++ b/go.sum 
@@ -382,8 +382,8 @@ github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfG github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.2+incompatible h1:nYviRv5Y+YAKx3dFrTvS1ErkyVVunKOhoweCTE1BsnI= +github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= From 8b38d63ab56010e8dced7b337faf3c804e1ebdb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:05:53 -0700 Subject: [PATCH 066/523] build(deps): bump github.com/ohler55/ojg from 1.22.1 to 1.24.0 (#4080) Bumps [github.com/ohler55/ojg](https://github.com/ohler55/ojg) from 1.22.1 to 1.24.0. - [Release notes](https://github.com/ohler55/ojg/releases) - [Changelog](https://github.com/ohler55/ojg/blob/develop/CHANGELOG.md) - [Commits](https://github.com/ohler55/ojg/compare/v1.22.1...v1.24.0) --- updated-dependencies: - dependency-name: github.com/ohler55/ojg dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b9c57450848..b6a37be1e63 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/grafana/tempo v1.5.0 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.61 - github.com/ohler55/ojg v1.22.1 + github.com/ohler55/ojg v1.24.0 github.com/prometheus/client_golang v1.20.0 github.com/prometheus/common v0.55.0 github.com/spf13/cobra v1.8.1 diff --git a/go.sum b/go.sum index 0686beeef3a..42ae9448cf4 100644 --- a/go.sum +++ b/go.sum @@ -911,8 +911,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/ohler55/ojg v1.22.1 h1:MvUieaWTwksoYk47GYyP9kzXIAkxHYX6rxeLjUEeq/8= -github.com/ohler55/ojg v1.22.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= +github.com/ohler55/ojg v1.24.0 h1:y2AVez6fPTszK/jPhaAYMCAzAoSleConMqSDD5wJKJg= +github.com/ohler55/ojg v1.24.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= From 912934aade1c05564618f70b8edce7acac915b49 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 11:08:10 -0700 Subject: [PATCH 067/523] build(deps): bump github.com/bufbuild/buf from 1.36.0 to 1.37.0 in /tools/src/buf (#4076) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.36.0 to 1.37.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.36.0...v1.37.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 80 ++++++++----- tools/src/buf/go.sum | 262 +++++++++++++++++++++++++++++++------------ 2 files changed, 239 insertions(+), 103 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index ec8edf567c4..639ff08144c 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,51 +2,71 @@ module local go 1.22.5 -require github.com/bufbuild/buf v1.36.0 +require github.com/bufbuild/buf v1.37.0 require ( - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240508200655-46a4cf4ba109.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240610164129-660609bc46d3.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240610164129-660609bc46d3.2 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2 // indirect connectrpc.com/connect v1.16.2 // indirect - connectrpc.com/otelconnect v0.7.0 // indirect + connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/Microsoft/hcsshim v0.12.5 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/bufbuild/protocompile v0.14.0 // indirect github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee // indirect - github.com/bufbuild/protovalidate-go v0.6.2 // indirect - github.com/bufbuild/protoyaml-go v0.1.9 // indirect + github.com/bufbuild/protovalidate-go v0.6.3 // indirect + github.com/bufbuild/protoyaml-go v0.1.10 // indirect + github.com/containerd/cgroups/v3 v3.0.3 // indirect + github.com/containerd/containerd v1.7.20 // indirect + github.com/containerd/continuity v0.4.3 // indirect + github.com/containerd/errdefs v0.1.0 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect + github.com/containerd/ttrpc v1.2.5 // indirect + github.com/containerd/typeurl/v2 v2.2.0 // indirect 
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v26.1.4+incompatible // indirect + github.com/docker/cli v27.1.2+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.0.0+incompatible // indirect + github.com/docker/docker v27.1.2+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/felixge/fgprof v0.9.4 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-chi/chi/v5 v5.0.14 // indirect + github.com/go-chi/chi/v5 v5.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/gofrs/uuid/v5 v5.2.0 // indirect + github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/google/cel-go v0.20.1 // indirect - github.com/google/go-containerregistry v0.19.2 // indirect - github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/google/cel-go v0.21.0 // indirect + github.com/google/go-containerregistry v0.20.2 // indirect + github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect + github.com/kr/pretty v0.3.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/locker v1.0.1 // indirect + github.com/moby/patternmatcher v0.6.0 // indirect + github.com/moby/sys/mount v0.3.4 // 
indirect + github.com/moby/sys/mountinfo v0.7.2 // indirect + github.com/moby/sys/sequential v0.6.0 // indirect + github.com/moby/sys/user v0.3.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect 
@@ -57,25 +77,27 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect github.com/vbatts/tar-split v0.11.5 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect - go.opentelemetry.io/otel v1.25.0 // indirect + go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.25.0 // indirect - go.opentelemetry.io/otel/sdk v1.25.0 // indirect - go.opentelemetry.io/otel/trace v1.25.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.24.0 // indirect - golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect - golang.org/x/mod v0.18.0 // indirect - golang.org/x/net v0.26.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/term v0.21.0 // indirect - golang.org/x/text v0.16.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 // indirect + golang.org/x/crypto v0.26.0 // indirect + golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/term v0.23.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 // indirect + google.golang.org/genproto/googleapis/rpc 
v0.0.0-20240812133136-8ffd90a71988 // indirect + google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 3bdf925f2ee..3dbec1398c9 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,31 +1,38 @@ -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240508200655-46a4cf4ba109.2 h1:cFrEG/pJch6t62+jqndcPXeTNkYcztS4tBRgNkR+drw= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240508200655-46a4cf4ba109.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240610164129-660609bc46d3.1 h1:PmSlGbLLyhKIAm46ROmzdGVaaYgDdFsQNA+VftjuCLs= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240610164129-660609bc46d3.1/go.mod h1:4ptL49VoWyYwajT6j4zu5vmQ/k/om4tGMB9atY2FhEo= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240610164129-660609bc46d3.2 h1:y1+UxFIWzj/eF2RCPqt9egR7Rt9vgQkXNUzSdmR6iEU= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240610164129-660609bc46d3.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 h1:SZRVx928rbYZ6hEKUIN+vtGDkl7uotABRWGY4OAg5gM= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1 h1:IV4si5SvDJSGQ/kpcnmOFKDKh8erG6zPy+NhmxlYdxM= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1/go.mod h1:4isTSbIhQ6wERY99Kvds0UuOcFMUoPDBPZfaAKrUnSE= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2 h1:7fUEOBrfNd50BMAls2tLn9RhttbDIfxRXML99YaLqKY= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= connectrpc.com/connect v1.16.2/go.mod 
h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= -connectrpc.com/otelconnect v0.7.0 h1:ZH55ZZtcJOTKWWLy3qmL4Pam4RzRWBJFOqTPyAqCXkY= -connectrpc.com/otelconnect v0.7.0/go.mod h1:Bt2ivBymHZHqxvo4HkJ0EwHuUzQN6k2l0oH+mp/8nwc= +connectrpc.com/otelconnect v0.7.1 h1:scO5pOb0i4yUE66CnNrHeK1x51yq0bE0ehPg6WvzXJY= +connectrpc.com/otelconnect v0.7.1/go.mod h1:dh3bFgHBTb2bkqGCeVVOtHJreSns7uu9wwL2Tbz17ms= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= +github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.36.0 h1:sC/MRgAhwvcbLbUXlTY+zgLUT4PzHm19BnnEsgu/rgU= -github.com/bufbuild/buf v1.36.0/go.mod h1:SM7b5QW3FkQPNkkqIa/9UWzLOoe51la+GGZpEgH9b68= +github.com/bufbuild/buf v1.37.0 h1:lKQ2LahOOMzLFFAg1IMQj12gPhAfLWGr6z6jfP6p7Bw= +github.com/bufbuild/buf v1.37.0/go.mod h1:uFHazPjAiKVpyK9Td/4FeMzQb8v5X7M4fo255kw/W6U= github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= github.com/bufbuild/protocompile v0.14.0/go.mod 
h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee/go.mod h1:HjGFxsck9RObrTJp2hXQZfWhPgZqnR6sR1U5fCA/Kus= -github.com/bufbuild/protovalidate-go v0.6.2 h1:U/V3CGF0kPlR12v41rjO4DrYZtLcS4ZONLmWN+rJVCQ= -github.com/bufbuild/protovalidate-go v0.6.2/go.mod h1:4BR3rKEJiUiTy+sqsusFn2ladOf0kYmA2Reo6BHSBgQ= -github.com/bufbuild/protoyaml-go v0.1.9 h1:anV5UtF1Mlvkkgp4NWA6U/zOnJFng8Orq4Vf3ZUQHBU= -github.com/bufbuild/protoyaml-go v0.1.9/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= -github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= -github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/bufbuild/protovalidate-go v0.6.3 h1:wxQyzW035zM16Binbaz/nWAzS12dRIXhZdSUWRY7Fv0= +github.com/bufbuild/protovalidate-go v0.6.3/go.mod h1:J4PtwP9Z2YAGgB0+o+tTWEDtLtXvz/gfhFZD8pbzM/U= +github.com/bufbuild/protoyaml-go v0.1.10 h1:gMwDSHNoInt0D6vvTUxAJSWvp87MJraTN7dxsR7C2z4= +github.com/bufbuild/protoyaml-go v0.1.10/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww= 
@@ -35,12 +42,29 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= +github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= +github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ= +github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0= +github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= +github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= +github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= +github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= +github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU= 
+github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= +github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso= +github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g= github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -48,18 +72,22 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= -github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.2+incompatible h1:nYviRv5Y+YAKx3dFrTvS1ErkyVVunKOhoweCTE1BsnI= +github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.0.0+incompatible h1:JRugTYuelmWlW0M3jakcIadDx2HUoUO6+Tf2C5jVfwA= -github.com/docker/docker v27.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= +github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod 
h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw= @@ -67,8 +95,8 @@ github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0= -github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -77,24 +105,47 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= -github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= -github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= -github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM= -github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= +github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod 
h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= -github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= +github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= +github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w= 
-github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9 h1:ouFdLLCOyCfnxGpQTMZKHLyHr/D1GFbQzEsJxumO16E= -github.com/google/pprof v0.0.0-20240622144329-c177fd99eaa9/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w= 
@@ -122,6 +173,20 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= +github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= +github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= +github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/sys/mount v0.3.4 h1:yn5jq4STPztkkzSKpZkLcmjue+bZJ0u2AuQY1iNI1Ww= +github.com/moby/sys/mount v0.3.4/go.mod h1:KcQJMbQdJHPlq5lcYT+/CjatWM4PuxKe+XLSVS4J6Os= +github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= +github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= +github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= +github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= +github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo= +github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= 
@@ -130,17 +195,26 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= +github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU= +github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec= github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA= github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod 
h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= +github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
@@ -166,24 +240,26 @@ github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinC github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k= -go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM= -go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA= -go.opentelemetry.io/otel/metric v1.25.0/go.mod 
h1:rkDLUSd2lC5lq2dFNrX9LGAbINP5B7WBkC78RXCpH5s= -go.opentelemetry.io/otel/sdk v1.25.0 h1:PDryEJPC8YJZQSyLY5eqLeafHtG+X7FWnf3aXMtxbqo= -go.opentelemetry.io/otel/sdk v1.25.0/go.mod h1:oFgzCM2zdsxKzz6zwpTZYLLQsFwc+K0daArPdIhuxkw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM= -go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I= -go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= -go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -195,25 +271,38 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= -golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= +golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= 
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -223,32 +312,55 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 h1:MuYw1wJzT+ZkybKfaOXKp5hJiZDn2iHaXRw0mRYdHSc= -google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4/go.mod h1:px9SlOOZBg1wM1zdnr8jEL4CNGUBZ+ZKYtNPApNQc4c= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 h1:Di6ANFilr+S60a4S61ZM00vLdw0IrQOSMS2/6mrnOU0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4/go.mod 
h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= -google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 h1:+/tmTy5zAieooKIXfzDm9KiA3Bv6JBwriRN9LY+yayk= +google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988/go.mod h1:4+X6GvPs+25wZKbQq9qyAXrwIRExv7w0Ea6MgZLZiDM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 h1:V71AcdLZr2p8dC9dbOIMCpqi4EmRl8wUwnJzXXLmbmc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -259,3 +371,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From ae6630a43acb33d9052366766e84a3a7675772c8 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 20 Aug 2024 02:10:22 +0800 Subject: [PATCH 068/523] chore: fix Unchanged files with check annotations (#4075) 
Signed-off-by: zirain --- .../gateway-http-listener-with-hostname-intersection.in.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml index 267fcbba54b..8fba772492e 100644 --- a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.in.yaml @@ -33,7 +33,7 @@ httpRoutes: sectionName: empty-hostname hostnames: - "bar.com" - - "*.example.com" # request matching is prevented by the isolation wildcard-example-com listener + - "*.example.com" # request matching is prevented by the isolation wildcard-example-com listener rules: - matches: - path: @@ -53,7 +53,7 @@ httpRoutes: namespace: envoy-gateway sectionName: wildcard-example-com hostnames: - - "bar.com" # doesn't match wildcard-example-com listener + - "bar.com" # doesn't match wildcard-example-com listener - "*.example.com" rules: - matches: From 6ab6482dd7c807e64d4e87d78dfb06c0a1e16731 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 20 Aug 2024 06:31:11 +0800 Subject: [PATCH 069/523] fix ratelimit statsd not working (#4073) fix ratelimit statd not working 
Signed-off-by: zirain --- internal/infrastructure/kubernetes/ratelimit/resource.go | 6 +++++- .../kubernetes/ratelimit/testdata/deployments/custom.yaml | 4 +++- .../ratelimit/testdata/deployments/default-env.yaml | 4 +++- .../kubernetes/ratelimit/testdata/deployments/default.yaml | 4 +++- .../ratelimit/testdata/deployments/disable-prometheus.yaml | 4 +++- .../testdata/deployments/enable-tracing-custom.yaml | 4 +++- .../ratelimit/testdata/deployments/enable-tracing.yaml | 4 +++- .../ratelimit/testdata/deployments/extension-env.yaml | 4 +++- .../ratelimit/testdata/deployments/override-env.yaml | 2 ++ .../ratelimit/testdata/deployments/patch-deployment.yaml | 4 +++- .../ratelimit/testdata/deployments/redis-tls-settings.yaml | 2 ++ .../ratelimit/testdata/deployments/tolerations.yaml | 2 ++ .../kubernetes/ratelimit/testdata/deployments/volumes.yaml | 2 ++ .../ratelimit/testdata/deployments/with-node-selector.yaml | 4 +++- .../deployments/with-topology-spread-constraints.yaml | 4 +++- 15 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go
index b2fd1c3f6c3..9747be33b52 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource.go
@@ -329,7 +329,11 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym
 },
 {
 Name: UseStatsdEnvVar,
- Value: "false",
+ Value: "true",
+ },
+ {
+ Name: "STATSD_PORT",
+ Value: "9125",
 },
 {
 Name: ConfigTypeEnvVar,
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
index ebde9a4c436..c6c0bb1a696 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
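Review bot: The two env entries added in `expectedRateLimitContainerEnv` are emitted unconditionally, so `USE_STATSD` becomes `"true"` even in the disable-prometheus fixture updated later in this patch. If the statsd exporter sidecar is only added when Prometheus metrics are enabled (not visible in this hunk), the ratelimit container would be sending stats to a local port with nothing listening, so the pair may need the same condition that adds the exporter container. Separately, the neighbouring entries use named constants (`UseStatsdEnvVar`, `ConfigTypeEnvVar`) while the new entry uses the literals `"STATSD_PORT"` and `"9125"`. A constant such as `StatsdPortEnvVar`, with the value derived from wherever the exporter's listen port is defined, would keep the two sides from drifting apart. The function body starts and ends outside the hunk.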
@@ -50,7 +50,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index ebde9a4c436..c6c0bb1a696 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -50,7 +50,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index b010414bd90..26c21e23653 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 449ed2c1d70..0dcbfb3f209 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml 
@@ -47,7 +47,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index cbb129feb51..78cdd0c784d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 867c5df1b1e..f0396c5aa44 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index e0bf55b5d8a..9bf03106f2d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml 
@@ -50,7 +50,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 03ff65426d8..c6c0bb1a696 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -51,6 +51,8 @@ spec: value: info - name: USE_STATSD value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index b7dea3664e2..8482050ec25 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 9af52d675b7..2e223af79c4 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml 
@@ -51,6 +51,8 @@ spec: value: info - name: USE_STATSD value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 7c965aa04b0..525c2b1f75d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -51,6 +51,8 @@ spec: value: info - name: USE_STATSD value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 4f69dea329c..165a6819288 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml @@ -51,6 +51,8 @@ spec: value: info - name: USE_STATSD value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index 5d525b44d1f..44ea2f4b856 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index e9a5fdd66a7..9ca2c8e53e9 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -51,7 +51,9 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "false" + value: "true" + - name: STATSD_PORT + value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL From 9ec2a40108a5ed9cbf57bcb16ce8b409204de698 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 20 Aug 2024 22:00:08 +0800 Subject: [PATCH 070/523] chore: remove BackendTrafficPolicyConnection (#4010) * remove BackendTrafficPolicyConnection Signed-off-by: Huabing Zhao * remove BackendTrafficPolicyConnection Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- api/v1alpha1/backendtrafficpolicy_types.go | 13 ------------ api/v1alpha1/zz_generated.deepcopy.go | 20 ------------------- site/content/en/latest/api/extension_types.md | 2 -- site/content/zh/latest/api/extension_types.md | 2 -- 4 files changed, 37 deletions(-) diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 63e9767070e..9d15ccd6896 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -6,7 +6,6 @@ package v1alpha1 import ( - "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" ) 
@@ -86,18 +85,6 @@ type BackendTrafficPolicyList struct { Items []BackendTrafficPolicy `json:"items"` } -// BackendTrafficPolicyConnection allows users to configure connection-level settings of backend -type BackendTrafficPolicyConnection struct { - // BufferLimit Soft limit on size of the cluster’s connections read and write buffers. - // If unspecified, an implementation defined default is applied (32768 bytes). - // For example, 20Mi, 1Gi, 256Ki etc. - // Note: that when the suffix is not provided, the value is interpreted as bytes. - // - // +kubebuilder:validation:XValidation:rule="type(self) == string ? self.matches(r\"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\") : type(self) == int",message="BufferLimit must be of the format \"^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$\"" - // +optional - BufferLimit *resource.Quantity `json:"bufferLimit,omitempty"` -} - // ClusterSettings provides the various knobs that can be set to control how traffic to a given // backend will be configured. type ClusterSettings struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 0e43f4cf493..1680d26cca4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -488,26 +488,6 @@ func (in *BackendTrafficPolicy) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BackendTrafficPolicyConnection) DeepCopyInto(out *BackendTrafficPolicyConnection) { - *out = *in - if in.BufferLimit != nil { - in, out := &in.BufferLimit, &out.BufferLimit - x := (*in).DeepCopy() - *out = &x - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicyConnection. -func (in *BackendTrafficPolicyConnection) DeepCopy() *BackendTrafficPolicyConnection { - if in == nil { - return nil - } - out := new(BackendTrafficPolicyConnection) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackendTrafficPolicyList) DeepCopyInto(out *BackendTrafficPolicyList) { *out = *in diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index db902e65878..7807853c8e0 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -435,8 +435,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | - - #### BackendTrafficPolicyList diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index db902e65878..7807853c8e0 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -435,8 +435,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | - - #### BackendTrafficPolicyList From 3ec3ff655d2373460521c29e7e59cde29ab62131 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 07:58:11 -0700 Subject: [PATCH 071/523] build(deps): bump github.com/docker/docker from 27.1.1+incompatible to 27.1.2+incompatible (#4079) build(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.1.1+incompatible to 27.1.2+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v27.1.1...v27.1.2) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 3 ++- go.sum | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b6a37be1e63..a5ef3315af6 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( ) require ( - github.com/docker/docker v27.1.1+incompatible + github.com/docker/docker v27.1.2+incompatible github.com/replicatedhq/troubleshoot v0.99.0 ) @@ -169,6 +169,7 @@ require ( github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.2.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect diff --git a/go.sum b/go.sum index 42ae9448cf4..3dfb0f9369c 100644 --- a/go.sum +++ b/go.sum 
@@ -387,8 +387,8 @@ github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= -github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= +github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= @@ -887,6 +887,8 @@ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= github.com/moby/sys/user v0.2.0 h1:OnpapJsRp25vkhw8TFG6OLJODNh/3rEwRWtJ3kakwRM= github.com/moby/sys/user v0.2.0/go.mod h1:RYstrcWOJpVh+6qzUqp2bU3eaRpdiQeKGlKitaH0PM8= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= From 0926b38a5abff4d19546bbe780136db5cba2a80a Mon Sep 17 00:00:00 2001 
From: Lior Okman Date: Wed, 21 Aug 2024 17:55:39 +0300 Subject: [PATCH 072/523] fix: active http healthcheck documents a default for expected status, but doesn't use it (#4090) If no expected status was explicitly set, use the default value as described in the documentation. Signed-off-by: Lior Okman --- internal/gatewayapi/clustersettings.go | 5 + ...kendtrafficpolicy-with-healthcheck.in.yaml | 42 +++++++ ...endtrafficpolicy-with-healthcheck.out.yaml | 114 +++++++++++++++++- 3 files changed, 160 insertions(+), 1 deletion(-) diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 1d5c1a3d6f8..a0e8dcb32d6 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -10,6 +10,7 @@ import ( "fmt" "math" "math/big" + "net/http" "strings" "time" @@ -453,6 +454,10 @@ func buildHTTPActiveHealthChecker(h *egv1a1.HTTPActiveHealthChecker) *ir.HTTPHea for _, r := range h.ExpectedStatuses { statusSet.Insert(int(r)) } + // If no ExpectedStatus was set, use the default value (200) + if statusSet.Len() == 0 { + statusSet.Insert(http.StatusOK) + } irStatuses := make([]ir.HTTPStatus, 0, statusSet.Len()) for _, r := range statusSet.List() { diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml index 0ea537711d9..fc324a70a9b 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.in.yaml 
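Review bot: The fallback added after the `ExpectedStatuses` loop in `buildHTTPActiveHealthChecker` writes the default inline as `http.StatusOK`, so the value in the API documentation and the value used by the translator live in two places and can drift apart. A named constant defined next to the API type would keep them together. The added comment also says `ExpectedStatus` where the field is `ExpectedStatuses`; I would write `// No ExpectedStatuses configured: fall back to the documented default, 200.` An explicitly empty list takes the same path as an unset field, which looks intended but is worth stating in that comment. The function starts and ends outside the hunk.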
@@ -128,6 +128,25 @@ httpRoutes: backendRefs: - name: service-3 port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-4 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/v2" + backendRefs: + - name: service-2 + port: 8080 backendTrafficPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy @@ -197,6 +216,29 @@ backendTrafficPolicies: consecutiveGatewayErrors: 0 consecutiveLocalOriginFailures: 5 splitExternalLocalOriginErrors: false +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-route-4 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-4 + healthCheck: + active: + timeout: "1s" + interval: "5s" + unhealthyThreshold: 3 + healthyThreshold: 3 + type: HTTP + http: + path: "/healthz" + method: "GET" + expectedResponse: + type: Text + text: pong - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 4d1cc89bc55..4f964492673 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml 
@@ -49,6 +49,45 @@ backendTrafficPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route-4 + namespace: default + spec: + healthCheck: + active: + healthyThreshold: 3 + http: + expectedResponse: + text: pong + type: Text + method: GET + path: /healthz + interval: 5s + timeout: 1s + type: HTTP + unhealthyThreshold: 3 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-4 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: @@ -326,7 +365,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 3 + - attachedRoutes: 4 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -564,6 +603,44 @@ httpRoutes: name: gateway-2 namespace: envoy-gateway sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-4 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /v2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: envoy-gateway + sectionName: http infraIR: envoy-gateway/gateway-1: proxy: @@ -805,6 +882,41 @@ xdsIR: interval: 8ms maxEjectionPercent: 11 splitExternalLocalOriginErrors: false + - destination: + name: httproute/default/httproute-4/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-4 + namespace: default + name: httproute/default/httproute-4/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /v2 + traffic: + healthCheck: + active: + healthyThreshold: 3 + http: + expectedResponse: + text: pong + expectedStatuses: + - 200 + host: gateway.envoyproxy.io + method: GET + path: /healthz + interval: 5s + timeout: 1s + unhealthyThreshold: 3 - destination: name: httproute/default/httproute-1/rule/0 settings: From 2c54de2ae85cc6f4e149458fa6b551345fc362da Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Wed, 21 Aug 2024 21:23:50 -0700 Subject: [PATCH 073/523] support custom name for ratelimit deployment (#4094) --- .../kubernetes/ratelimit/resource_provider.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 14d2a3d830b..e7519bb2569 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -208,7 +208,6 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: r.Namespace, - Name: InfraName, Labels: labels, }, Spec: appsv1.DeploymentSpec{ @@ -242,6 +241,13 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { }, } + // set name + if r.rateLimitDeployment.Name != nil { + deployment.ObjectMeta.Name = *r.rateLimitDeployment.Name + } else { + deployment.ObjectMeta.Name = r.Name() + } + if r.ownerReferenceUID != nil { if uid, ok := r.ownerReferenceUID[ResourceKindDeployment]; ok { deployment.OwnerReferences = []metav1.OwnerReference{ From ada279e082485846709ae1250dd2c6b466325626 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Thu, 22 Aug 2024 22:05:45 +0800 Subject: [PATCH 074/523] chore: remove tcp options from the UDPRoute IR (#4084) * remove tcp options from the UDPRoute IR Signed-off-by: Huabing Zhao * fix check Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- internal/gatewayapi/backendtrafficpolicy.go | 3 --- ...th-tcp-udp-listeners-apply-on-gateway.out.yaml | 6 ------ ...with-tcp-udp-listeners-apply-on-route.out.yaml | 6 ------ internal/ir/xds.go | 4 ---- internal/ir/zz_generated.deepcopy.go | 10 ---------- internal/xds/translator/cluster.go | 15 ++++++--------- .../out/xds-ir/backend-buffer-limit.clusters.yaml | 2 +- 7 files changed, 7 insertions(+), 39 deletions(-) 
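Review bot: The new name branch in `Deployment()` accepts any non-nil `r.rateLimitDeployment.Name`, including a pointer to an empty string, which would render a Deployment with no name that fails only when it is applied. Checking the value as well keeps the default in that case: `if n := r.rateLimitDeployment.Name; n != nil && *n != "" {` followed by `deployment.ObjectMeta.Name = *n`. The default also changes from the `InfraName` constant to `r.Name()`. The hunk does not show whether the two yield the same string, so that is worth confirming, along with whether other rendered objects that refer to the Deployment by name follow a custom name. The diffstat lists only this file, so a testdata case with a custom name would pin the behaviour. `Deployment()` starts and ends outside the hunk.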
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 466f889167a..b2f0ffa6ece 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -372,8 +372,6 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen if strings.HasPrefix(r.Destination.Name, prefix) { r.LoadBalancer = lb - r.Timeout = to - r.BackendConnection = bc r.DNS = ds } } @@ -518,7 +516,6 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back // only set attributes which weren't already set by a more // specific policy setIfNil(&route.LoadBalancer, lb) - setIfNil(&route.Timeout, ct) setIfNil(&route.DNS, ds) } diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index 660c8d7d800..9fa8e7235c9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml @@ -309,9 +309,3 @@ xdsIR: consistentHash: sourceIP: true name: udproute/default/udp-app-1 - timeout: - http: - connectionIdleTimeout: 16s - maxConnectionDuration: 17s - tcp: - connectTimeout: 15s diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 8f5fcbe4b03..5b1707b6f1a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml 
@@ -382,9 +382,3 @@ xdsIR: consistentHash: sourceIP: true name: udproute/default/udp-app-1 - timeout: - http: - connectionIdleTimeout: 16s - maxConnectionDuration: 17s - tcp: - connectTimeout: 15s diff --git a/internal/ir/xds.go b/internal/ir/xds.go index c698bea626d..1b5b5971b8c 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1556,10 +1556,6 @@ type UDPRoute struct { Destination *RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` // load balancer policy to use when routing to the backend endpoints. LoadBalancer *LoadBalancer `json:"loadBalancer,omitempty" yaml:"loadBalancer,omitempty"` - // Request and connection timeout settings - Timeout *Timeout `json:"timeout,omitempty" yaml:"timeout,omitempty"` - // settings of upstream connection - BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"` // DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"` } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 4423f71ba0c..28507722207 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -3104,16 +3104,6 @@ func (in *UDPRoute) DeepCopyInto(out *UDPRoute) { *out = new(LoadBalancer) (*in).DeepCopyInto(*out) } - if in.Timeout != nil { - in, out := &in.Timeout, &out.Timeout - *out = new(Timeout) - (*in).DeepCopyInto(*out) - } - if in.BackendConnection != nil { - in, out := &in.BackendConnection, &out.BackendConnection - *out = new(BackendConnection) - (*in).DeepCopyInto(*out) - } if in.DNS != nil { in, out := &in.DNS, &out.DNS *out = new(DNS) diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 9786ed972c6..4ac9979f363 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go 
@@ -686,15 +686,12 @@ type UDPRouteTranslator struct { func (route *UDPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs { return &xdsClusterArgs{ - name: route.Destination.Name, - settings: route.Destination.Settings, - loadBalancer: route.LoadBalancer, - timeout: route.Timeout, - tSocket: nil, - endpointType: buildEndpointType(route.Destination.Settings), - metrics: extra.metrics, - backendConnection: route.BackendConnection, - dns: route.DNS, + name: route.Destination.Name, + settings: route.Destination.Settings, + loadBalancer: route.LoadBalancer, + endpointType: buildEndpointType(route.Destination.Settings), + metrics: extra.metrics, + dns: route.DNS, } } diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index 8b9fea6228f..33c8f6a68a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -47,5 +47,5 @@ lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} - perConnectionBufferLimitBytes: 100000000 + perConnectionBufferLimitBytes: 32768 type: EDS From 8efec5ef24ddedfef99945e644c1e892dc90ae8f Mon Sep 17 00:00:00 2001 
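Review bot: `asClusterArgs` on `UDPRouteTranslator` no longer passes `timeout` or `backendConnection`, and nothing in the function says that the omission is deliberate. The golden file changed in the same commit shows the effect: `perConnectionBufferLimitBytes` for `udp-route-dest` goes from the configured 100000000 to 32768, so a BackendTrafficPolicy that sets these fields on a UDPRoute now appears to be ignored without any signal to the user. I would add a comment above the struct literal, `// timeout and backendConnection are not applied to UDP clusters; policy values for them are dropped.` If the policy status code allows it (not visible in this hunk), reporting the ignored fields in a condition would make the change visible to operators.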
From: zirain Date: Mon, 26 Aug 2024 09:05:04 +0800 Subject: [PATCH 075/523] bump the k8s-io group to v0.31.0 (#4066) * build(deps): bump the k8s-io group across 2 directories with 6 updates Bumps the k8s-io group with 3 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl). Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/api` from 0.30.3 to 0.31.0 - [Commits](https://github.com/kubernetes/api/compare/v0.30.3...v0.31.0) Updates `k8s.io/apimachinery` from 0.30.3 to 0.31.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.30.3...v0.31.0) Updates `k8s.io/cli-runtime` from 0.30.3 to 0.31.0 - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.30.3...v0.31.0) Updates `k8s.io/client-go` from 0.30.3 to 0.31.0 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.30.3...v0.31.0) Updates `k8s.io/kubectl` from 0.30.3 to 0.31.0 - [Commits](https://github.com/kubernetes/kubectl/compare/v0.30.3...v0.31.0) Updates `k8s.io/utils` from 0.0.0-20240502163921-fe8a2dddb1d0 to 0.0.0-20240711033017-18e509b52bc8 - [Commits](https://github.com/kubernetes/utils/commits) Updates `k8s.io/apimachinery` from 0.30.3 to 0.31.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.30.3...v0.31.0) Updates `k8s.io/utils` from 0.0.0-20240502163921-fe8a2dddb1d0 to 0.0.0-20240711033017-18e509b52bc8 - [Commits](https://github.com/kubernetes/utils/commits) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: 
version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/kubectl dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/utils dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/utils dependency-type: indirect update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] * bump controller-runtime and fix gen Signed-off-by: zirain * fix Signed-off-by: zirain * bump sigs.k8s.io/controller-tools Signed-off-by: zirain * computeHosts should return a stable result Signed-off-by: zirain * fix log Signed-off-by: zirain * skipNameValidation Signed-off-by: zirain * Revert "computeHosts should return a stable result" This reverts commit d51d823a05058bbf51fc8ac742614fa7be784758. Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] 
Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../gateway.envoyproxy.io_backends.yaml | 21 +- ....envoyproxy.io_backendtrafficpolicies.yaml | 66 +-- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 83 +--- ....envoyproxy.io_envoyextensionpolicies.yaml | 85 +--- ...eway.envoyproxy.io_envoypatchpolicies.yaml | 55 +-- .../gateway.envoyproxy.io_envoyproxies.yaml | 436 +++++++----------- ...ateway.envoyproxy.io_securitypolicies.yaml | 101 +--- examples/extension-server/go.mod | 8 +- examples/extension-server/go.sum | 40 +- go.mod | 34 +- go.sum | 82 ++-- internal/provider/kubernetes/controller.go | 18 +- .../provider/kubernetes/kubernetes_test.go | 9 + internal/provider/kubernetes/predicates.go | 11 +- internal/provider/kubernetes/sources.go | 3 +- internal/provider/kubernetes/sources_test.go | 6 +- tools/src/controller-gen/go.mod | 32 +- tools/src/controller-gen/go.sum | 86 ++-- 18 files changed, 381 insertions(+), 795 deletions(-) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index 8e83322e140..8c5ca5ebc48 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: backends.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -144,16 +144,8 @@ spec: conditions: description: Conditions describe the current conditions of the Backend. items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -194,12 +186,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index a23e656788b..eb41bae8b0f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: backendtrafficpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -671,11 +671,9 @@ spec: All individual select conditions must hold True for this rule and its limit to be applied. - If no client selectors are specified, the rule applies to all traffic of the targeted Route. - If the policy targets a Gateway, the rule applies to each Route of the Gateway. Please note that each Route has its own rate limit counters. For example, if a Gateway has two Routes, and the policy has a rule with limit 10rps, @@ -804,11 +802,9 @@ spec: All individual select conditions must hold True for this rule and its limit to be applied. - If no client selectors are specified, the rule applies to all traffic of the targeted Route. - If the policy targets a Gateway, the rule applies to each Route of the Gateway. Please note that each Route has its own rate limit counters. For example, if a Gateway has two Routes, and the policy has a rule with limit 10rps, @@ -968,7 +964,6 @@ spec: description: |- RetryOn specifies the retry trigger condition. - If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). properties: httpStatusCodes: @@ -1010,7 +1005,6 @@ spec: This policy and the TargetRef MUST be in the same namespace for this Policy to have effect - Deprecated: use targetRefs/targetSelectors instead properties: group: 
@@ -1035,12 +1029,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -1065,7 +1057,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. @@ -1092,12 +1083,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -1243,27 +1232,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -1275,7 +1259,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -1284,28 +1267,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -1322,7 +1300,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -1332,14 +1309,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -1349,7 +1323,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -1359,20 +1332,17 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -1380,7 +1350,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -1391,7 +1360,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the 
@@ -1400,19 +1368,16 @@ spec: and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -1421,7 +1386,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -1432,7 +1396,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -1440,12 +1403,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -1455,7 +1416,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -1468,18 +1428,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -1521,12 +1471,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1549,15 +1494,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 5483ff78e64..81f449b8860 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: clienttrafficpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -170,18 +170,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -194,7 +191,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -226,18 +222,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -251,18 +244,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -275,7 +265,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -325,26 +314,21 @@ spec: description: |- XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header. - x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate information of part or all of the clients or proxies that a request has flowed through, on its way from the client to the server. - Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request. - If not set, the default behavior is sanitizing the XFCC header. properties: certDetailsToAdd: description: |- CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header. - Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name) are always included if the client certificate is forwarded. - This field is only applicable when the mode is set to `AppendForward` or `SanitizeSet` and the client connection is mTLS. items: 
@@ -489,7 +473,6 @@ spec: This policy and the TargetRef MUST be in the same namespace for this Policy to have effect - Deprecated: use targetRefs/targetSelectors instead properties: group: @@ -514,12 +497,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -544,7 +525,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. @@ -571,12 +551,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -732,11 +710,9 @@ spec: the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. - A single reference to a Kubernetes ConfigMap or a Kubernetes Secret, with the CA certificate in a key named `ca.crt` is currently supported. - References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. 
@@ -745,11 +721,9 @@ spec: SecretObjectReference identifies an API object including its namespace, defaulting to Secret. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -780,13 +754,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -883,27 +855,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced 
@@ -915,7 +882,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -924,28 +890,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -962,7 +923,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -972,14 +932,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -989,7 +946,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -999,20 +955,17 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -1020,7 +973,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -1031,7 +983,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the 
@@ -1040,19 +991,16 @@ spec: and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -1061,7 +1009,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -1072,7 +1019,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -1080,12 +1026,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -1095,7 +1039,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -1108,18 +1051,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -1161,12 +1094,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1189,15 +1117,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 2778aa85a0b..00fd69c5701 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: envoyextensionpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -59,7 +59,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: 
@@ -76,20 +75,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -105,13 +100,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -166,20 +159,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -195,13 +184,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -889,7 +876,6 @@ spec: This policy and the TargetRef MUST be in the same namespace for this Policy to have effect - Deprecated: use targetRefs/targetSelectors instead properties: group: @@ -914,12 +900,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -944,7 +928,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. @@ -971,12 +954,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -1032,7 +1013,6 @@ spec: description: |- Wasm defines a Wasm extension. - Note: at the moment, Envoy Gateway does not support configuring Wasm runtime. v8 is used as the VM runtime for the Wasm extensions. properties: @@ -1043,14 +1023,12 @@ spec: description: |- HTTP is the HTTP URL containing the Wasm code. - Note that the HTTP server must be accessible from the Envoy proxy. properties: sha256: description: |- SHA256 checksum that will be used to verify the Wasm code. - If not specified, Envoy Gateway will not verify the downloaded Wasm code. kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` type: string @@ -1065,7 +1043,6 @@ spec: description: |- Image is the OCI image containing the Wasm code. - Note that the image must be accessible from the Envoy Gateway. properties: pullSecretRef: @@ -1099,13 +1076,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -1121,10 +1096,8 @@ spec: description: |- SHA256 checksum that will be used to verify the OCI image. - It must match the digest of the OCI image. - If not specified, Envoy Gateway will not verify the downloaded OCI image. kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` type: string 
@@ -1141,10 +1114,8 @@ spec: PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source. This field is only applicable when the SHA256 field is not set. - If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest. - Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module even if the pull policy is set to Always. It only updates the Wasm module when the EnvoyExtension resource version changes. @@ -1201,7 +1172,6 @@ spec: RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog). If left blank, all extensions with a blank root_id with the same vm_id will share Context(s). - Note: RootID must match the root_id parameter used to register the Context in the Wasm code. type: string required: @@ -1245,27 +1215,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced 
@@ -1277,7 +1242,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and @@ -1286,28 +1250,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -1324,7 +1283,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -1334,14 +1292,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -1351,7 +1306,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -1361,20 +1315,17 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -1382,7 +1333,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -1393,7 +1343,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the 
@@ -1402,19 +1351,16 @@ spec: and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -1423,7 +1369,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -1434,7 +1379,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -1442,12 +1386,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -1457,7 +1399,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -1470,18 +1411,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -1523,12 +1454,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1551,15 +1477,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml index f57a644066f..d9729ab138c 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: envoypatchpolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io 
@@ -178,27 +178,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -210,7 +205,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -219,28 +213,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -257,7 +246,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -267,14 +255,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -284,7 +269,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -294,20 +278,17 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -315,7 +296,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -326,7 +306,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the 
@@ -335,19 +314,16 @@ spec: and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -356,7 +332,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -367,7 +342,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -375,12 +349,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -390,7 +362,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -403,18 +374,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -456,12 +417,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -484,15 +440,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 82865b93d50..7bd4b930608 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: envoyproxies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -114,13 +114,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -229,49 +227,34 @@ spec: If unspecified, the default filter order is applied. Default filter order is: - - envoy.filters.http.health_check - - envoy.filters.http.fault - - envoy.filters.http.cors - - envoy.filters.http.ext_authz - - envoy.filters.http.basic_auth - - envoy.filters.http.oauth2 - - envoy.filters.http.jwt_authn - - envoy.filters.http.stateful_session - - envoy.filters.http.ext_proc - - envoy.filters.http.wasm - - envoy.filters.http.rbac - - envoy.filters.http.local_ratelimit - - envoy.filters.http.ratelimit - - envoy.filters.http.router - Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. items: description: FilterPosition defines the position of an Envoy HTTP @@ -434,9 +417,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -506,9 +487,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret 
@@ -537,11 +516,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry @@ -553,6 +530,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -658,7 +641,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -740,7 +723,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. @@ -816,10 +798,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this 
@@ -827,11 +807,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: @@ -865,7 +843,6 @@ spec: description: |- Type is the type of merge operation to perform - By default, StrategicMerge is used as the patch type. type: string value: @@ -1173,7 +1150,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1188,7 +1165,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1358,7 +1335,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -1373,7 +1350,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1542,7 +1519,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1557,7 +1534,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1727,7 +1704,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -1742,7 +1719,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1850,9 +1827,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -1906,12 +1881,10 @@ spec: Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: - 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- - If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. format: int64 @@ -1998,7 +1971,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. 
@@ -2008,18 +1980,28 @@ spec: type: object supplementalGroups: description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string sysctls: description: |- Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported 
@@ -2183,7 +2165,6 @@ spec: Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string @@ -2223,7 +2204,6 @@ spec: Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | @@ -2241,7 +2221,6 @@ spec: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -2253,7 +2232,6 @@ spec: has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. - If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -2318,7 +2296,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- @@ -2359,6 +2336,7 @@ spec: disk in the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. 
@@ -2372,6 +2350,7 @@ spec: availability set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -2443,9 +2422,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -2487,9 +2464,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -2562,9 +2537,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify whether the 
@@ -2603,9 +2576,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -2753,7 +2724,6 @@ spec: The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. - Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity @@ -2764,17 +2734,14 @@ spec: information on the connection between this volume type and PersistentVolumeClaim). - Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. - A pod can use both types of ephemeral volumes and persistent volumes at the same time. properties: @@ -2788,7 +2755,6 @@ spec: entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). - An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until @@ -2798,11 +2764,9 @@ spec: this should not be necessary, but it may be useful when manually reconstructing a broken cluster. - This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. - Required, must not be nil. properties: metadata: 
@@ -3008,7 +2972,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -3035,7 +2999,6 @@ spec: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target @@ -3104,9 +3067,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -3142,7 +3103,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- 
@@ -3223,9 +3183,6 @@ spec: used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- - TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not - mount host directories as read/write. properties: path: description: |- 
@@ -3242,6 +3199,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -3262,7 +3254,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: description: |- @@ -3275,6 +3266,7 @@ spec: Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). 
@@ -3308,9 +3300,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -3431,25 +3421,24 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume - projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file. - Alpha, gated by the ClusterTrustBundleProjection feature gate. - ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector. - Kubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. 
@@ -3588,9 +3577,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify @@ -3744,9 +3731,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional field specify @@ -3838,7 +3823,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: description: |- @@ -3846,6 +3830,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -3860,6 +3845,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. 
@@ -3885,13 +3871,12 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -3907,6 +3892,7 @@ spec: nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -3939,9 +3925,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -3951,6 +3935,7 @@ spec: false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. 
@@ -4067,9 +4052,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -4126,12 +4109,8 @@ spec: existing pods with new ones. properties: rollingUpdate: - description: |- - Rolling update config params. Present only if type = "RollingUpdate". - --- - TODO: Update this to follow our convention for oneOf, whatever we decide it - to be. Same as Deployment `strategy.rollingUpdate`. - See https://github.com/kubernetes/kubernetes/issues/35345 + description: Rolling update config params. Present + only if type = "RollingUpdate". properties: maxSurge: anyOf: @@ -4234,9 +4213,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap 
@@ -4306,9 +4283,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret @@ -4337,11 +4312,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry @@ -4353,6 +4326,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -4458,7 +4437,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -4540,7 +4519,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. 
@@ -4616,10 +4594,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this @@ -4627,11 +4603,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: @@ -4729,9 +4703,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -4801,9 +4773,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret 
@@ -4843,9 +4813,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -4868,9 +4836,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret @@ -5171,11 +5137,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: @@ -5387,11 +5353,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -5541,11 +5507,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one @@ -5557,6 +5521,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5680,7 +5650,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -5762,7 +5732,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. @@ -5844,11 +5813,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -6066,10 +6035,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this @@ -6077,11 +6044,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: @@ -6128,7 +6093,6 @@ spec: description: |- Type is the type of merge operation to perform - By default, StrategicMerge is used as the patch type. type: string value: @@ -6436,7 +6400,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -6451,7 +6415,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -6621,7 +6585,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -6636,7 +6600,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -6805,7 +6769,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -6820,7 +6784,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -6990,7 +6954,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -7005,7 +6969,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -7113,9 +7077,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -7169,12 +7131,10 @@ spec: Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: - 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- - If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. format: int64 
@@ -7261,7 +7221,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. 
@@ -7271,18 +7230,28 @@ spec: type: object supplementalGroups: description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string sysctls: description: |- Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported 
@@ -7446,7 +7415,6 @@ spec: Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string @@ -7486,7 +7454,6 @@ spec: Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | @@ -7504,7 +7471,6 @@ spec: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -7516,7 +7482,6 @@ spec: has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. - If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -7581,7 +7546,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- @@ -7622,6 +7586,7 @@ spec: disk in the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. 
@@ -7635,6 +7600,7 @@ spec: availability set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -7706,9 +7672,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -7750,9 +7714,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -7825,9 +7787,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify whether the 
@@ -7866,9 +7826,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -8016,7 +7974,6 @@ spec: The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. - Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity @@ -8027,17 +7984,14 @@ spec: information on the connection between this volume type and PersistentVolumeClaim). - Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. - A pod can use both types of ephemeral volumes and persistent volumes at the same time. properties: @@ -8051,7 +8005,6 @@ spec: entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). - An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until @@ -8061,11 +8014,9 @@ spec: this should not be necessary, but it may be useful when manually reconstructing a broken cluster. - This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. - Required, must not be nil. properties: metadata: 
@@ -8271,7 +8222,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -8298,7 +8249,6 @@ spec: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target @@ -8367,9 +8317,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -8405,7 +8353,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- 
@@ -8486,9 +8433,6 @@ spec: used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- - TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not - mount host directories as read/write. properties: path: description: |- 
@@ -8505,6 +8449,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -8525,7 +8504,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: description: |- @@ -8538,6 +8516,7 @@ spec: Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). 
@@ -8571,9 +8550,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -8694,25 +8671,24 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume - projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file. - Alpha, gated by the ClusterTrustBundleProjection feature gate. - ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector. - Kubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. 
@@ -8851,9 +8827,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify @@ -9007,9 +8981,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional field specify @@ -9101,7 +9073,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: description: |- @@ -9109,6 +9080,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -9123,6 +9095,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. 
@@ -9148,13 +9121,12 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -9170,6 +9142,7 @@ spec: nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -9202,9 +9175,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -9214,6 +9185,7 @@ spec: false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. 
@@ -9330,9 +9302,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -9397,9 +9367,6 @@ spec: description: |- Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate. - --- - TODO: Update this to follow our convention for oneOf, whatever we decide it - to be. properties: maxSurge: anyOf: @@ -10153,7 +10120,6 @@ spec: description: |- Type is the type of merge operation to perform - By default, StrategicMerge is used as the patch type. type: string value: @@ -10314,7 +10280,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: @@ -10331,20 +10296,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -10360,13 +10321,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -10421,20 +10380,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -10451,13 +10406,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -11213,7 +11166,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: 
@@ -11230,20 +11182,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -11259,13 +11207,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -11320,20 +11266,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -11350,13 +11292,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -12190,7 +12130,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: @@ -12207,20 +12146,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -12236,13 +12171,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -12297,20 +12230,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -12326,13 +12255,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -13102,7 +13029,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: @@ -13119,20 +13045,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -13148,13 +13070,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -13209,20 +13129,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -13238,13 +13154,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index da6c3ae25fc..15faec671eb 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.1 name: securitypolicies.gateway.envoyproxy.io spec: group: gateway.envoyproxy.io @@ -66,7 +66,6 @@ spec: These rules are evaluated in order, the first matching rule will be applied, and the rest will be skipped. - For example, if there are two rules: the first rule allows the request and the second rule denies it, when a request matches both rules, it will be allowed. items: @@ -94,7 +93,6 @@ spec: ClientCIDRs are the IP CIDR ranges of the client. Valid examples are "192.168.1.0/24" or "2001:db8::/64" - The client IP is inferred from the X-Forwarded-For header, a custom header, or the proxy protocol. You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in @@ -126,7 +124,6 @@ spec: htpasswd format, used to verify user credentials in the "Authorization" header. - This is an Opaque secret. The username-password pairs should be stored in the key ".htpasswd". As the key name indicates, the value needs to be the htpasswd format, for example: "user1:{SHA}hashed_user1_password". @@ -134,7 +131,6 @@ spec: Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html for more details. - Note: The secret must be in the same namespace as the SecurityPolicy. properties: group: @@ -162,13 +158,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -214,7 +208,6 @@ spec: In addition to that a single wildcard (with or without scheme) can be configured to match any origin. - For example, the following are valid origins: - https://foo.example.com - https://*.example.com @@ -261,7 +254,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: @@ -278,20 +270,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -307,13 +295,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -368,20 +354,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -397,13 +379,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -1073,7 +1053,6 @@ spec: BackendRef references a Kubernetes object that represents the backend server to which the authorization request will be sent. - Deprecated: Use BackendRefs instead. properties: group: @@ -1090,20 +1069,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -1119,13 +1094,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -1180,20 +1153,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -1209,13 +1178,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -2041,7 +2008,6 @@ spec: The Kubernetes secret which contains the OIDC client secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). - This is an Opaque secret. The client secret should be stored in the key "client-secret". properties: 
@@ -2070,13 +2036,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -2110,7 +2074,6 @@ spec: This field is only used when the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT. - If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. type: string @@ -2121,7 +2084,6 @@ spec: of the authorization server if it is provided. This field is only used when the expiry time is not provided by the authorization. - If not specified, defaults to 0. In this case, the "expires_in" field in the authorization response must be set by the authorization server, or the OAuth flow will fail. @@ -2136,7 +2098,6 @@ spec: description: |- The path to log a user out, clearing their credential cookies. - If not specified, uses a default logout path "/logout" type: string provider: @@ -2176,7 +2137,6 @@ spec: When set to true, the Envoy will use the refresh token to get a new id token and access token when they expire. - If not specified, defaults to false. type: boolean resources: @@ -2206,7 +2166,6 @@ spec: This policy and the TargetRef MUST be in the same namespace for this Policy to have effect - Deprecated: use targetRefs/targetSelectors instead properties: group: 
@@ -2231,12 +2190,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -2261,7 +2218,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. @@ -2288,12 +2244,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. 
@@ -2375,27 +2329,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -2407,7 +2356,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -2416,28 +2364,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -2454,7 +2397,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -2464,14 +2406,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -2481,7 +2420,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -2491,20 +2429,17 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -2512,7 +2447,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -2523,7 +2457,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the 
@@ -2532,19 +2465,16 @@ spec: and SectionName are specified, the name and port of the selected listener must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -2553,7 +2483,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -2564,7 +2493,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -2572,12 +2500,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -2587,7 +2513,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -2600,18 +2525,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -2653,12 +2568,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -2681,15 +2591,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index df377d5e338..4e61e8ed0bb 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -8,8 +8,8 @@ require ( github.com/urfave/cli/v2 v2.27.2 google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 - k8s.io/apimachinery v0.30.3 - sigs.k8s.io/controller-runtime v0.18.5 + k8s.io/apimachinery v0.31.0 + sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/gateway-api v1.1.0 ) @@ -19,6 +19,7 @@ require ( github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/gofuzz v1.2.0 // indirect @@ -28,6 +29,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect golang.org/x/net v0.28.0 // indirect golang.org/x/sys v0.24.0 // indirect 
@@ -37,7 +39,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index fc7d8df4b19..b9d535f8cc3 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -15,10 +15,12 @@ github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d h1: github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -27,8 +29,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 
@@ -42,17 +44,17 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= -github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= -github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk= -github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod 
h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -63,6 +65,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI= github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw= github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -118,16 +122,16 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= -sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod 
h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/go.mod b/go.mod index a5ef3315af6..04178c46c71 100644 --- a/go.mod +++ b/go.mod @@ -46,18 +46,17 @@ require ( go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 golang.org/x/sys v0.24.0 - google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.15.4 - k8s.io/api v0.30.3 - k8s.io/apiextensions-apiserver v0.30.3 - k8s.io/apimachinery v0.30.3 - k8s.io/cli-runtime v0.30.3 - k8s.io/client-go v0.30.3 - k8s.io/kubectl v0.30.3 - k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 - sigs.k8s.io/controller-runtime v0.18.5 + helm.sh/helm/v3 v3.15.3 + k8s.io/api v0.31.0 + k8s.io/apiextensions-apiserver v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/cli-runtime v0.31.0 + k8s.io/client-go v0.31.0 + k8s.io/kubectl v0.31.0 + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 + sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/gateway-api v1.1.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 @@ -66,6 +65,7 @@ require ( require ( github.com/docker/docker v27.1.2+incompatible github.com/replicatedhq/troubleshoot v0.99.0 + google.golang.org/grpc v1.65.0 ) require ( @@ -117,6 +117,7 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-redis/redis/v7 v7.4.1 // indirect 
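Review bot: `helm.sh/helm/v3` moves backwards in the `@@ -46,18 +46,17 @@` hunk of the root go.mod, from v3.15.4 to v3.15.3, while every other changed line in that hunk is an upgrade. A patch-level downgrade drops whatever fixes the newer release carried, and nothing visible in the diff explains it. Either keep `helm.sh/helm/v3 v3.15.4`, or, if that release does not resolve against the k8s.io v0.31.0 modules, record the reason on the line, e.g. `helm.sh/helm/v3 v3.15.3 // held back: v3.15.4 does not resolve with k8s.io v0.31.0 (confirm)`. It is also worth checking the go.sum entries for the helm module so that the recorded hashes match the version actually selected.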
@@ -200,22 +201,23 @@ require ( github.com/ulikunitz/xz v0.5.12 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/vmware-tanzu/velero v1.14.0 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect golang.org/x/crypto v0.26.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 // indirect google.golang.org/api v0.172.0 // indirect google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.30.3 // indirect + k8s.io/apiserver v0.31.0 // indirect k8s.io/kubelet v0.30.3 // indirect - k8s.io/metrics v0.30.3 // indirect + k8s.io/metrics v0.31.0 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect ) @@ -257,7 +259,7 @@ require ( github.com/lyft/gostats v0.4.14 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mitchellh/go-wordwrap v1.0.1 // indirect - github.com/moby/spdystream v0.2.0 // indirect + github.com/moby/spdystream v0.4.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect 
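Review bot: `k8s.io/kubelet v0.30.3 // indirect` stays as an unchanged context line in the `@@ -200,22 +201,23 @@` hunk while `k8s.io/apiserver` and `k8s.io/metrics` beside it move to v0.31.0, so the module graph now mixes two Kubernetes minor versions. The older pin presumably comes from a transitive requirement rather than a deliberate choice. Check whether `go get k8s.io/kubelet@v0.31.0` followed by `go mod tidy` resolves cleanly, so the line becomes `k8s.io/kubelet v0.31.0 // indirect`. If it cannot be raised, a short comment naming the dependency that holds it back would help the next upgrade. The require block starts and ends outside the hunk.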
@@ -290,7 +292,7 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.30.3 // indirect + k8s.io/component-base v0.31.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index 3dfb0f9369c..8fd065bd114 100644 --- a/go.sum +++ b/go.sum @@ -452,6 +452,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= 
@@ -539,7 +541,6 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= @@ -651,8 +652,8 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= 
@@ -692,7 +693,6 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= @@ -879,8 +879,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= -github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= 
@@ -925,8 +925,8 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= -github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= @@ -1125,6 +1125,8 @@ github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8ok github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/vmware-tanzu/velero v1.14.0 h1:ZYy9TLtokdHInIdWTfwHYIZhRr+xLd0nGzHyQrXMCIM= github.com/vmware-tanzu/velero v1.14.0/go.mod h1:yeGs7/xq35yOGDPCV0ryxoybQBsTLXmrxwzXBXtiwp8= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -1161,20 +1163,20 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0 h1:U2guen0GhqH8o/G2un8f/aG/y++OuW6MyCo6hT9prXk= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0/go.mod h1:yeGZANgEcpdx/WK0IvvRFC+2oLiMS2u4L/0Rj2M2Qr0= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0 h1:aLmmtjRke7LPDQ3lvpFz+kNEH43faFhzW7v8BFIEydg= 
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0/go.mod h1:TC1pyCt6G9Sjb4bQpShH+P5R53pO6ZuGnHuuln9xMeE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= go.opentelemetry.io/otel/exporters/prometheus v0.50.0 h1:2Ewsda6hejmbhGFyUvWZjUThC98Cf8Zy6g0zkIimOng= 
@@ -1827,8 +1829,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY= -helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E= +helm.sh/helm/v3 v3.15.3 h1:HcZDaVFe9uHa6hpsR54mJjYyRy4uz/pc6csg27nxFOc= +helm.sh/helm/v3 v3.15.3/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
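Review bot: The `helm.sh/helm/v3` entries in this go.sum hunk move from `v3.15.4` to `v3.15.3`, a downgrade in a change that otherwise raises versions (k8s.io/* to v0.31.0, controller-runtime to v0.19.0). If it is intentional, for example forced by the k8s 0.31 module graph, the commit description should say so. Otherwise the `require` line in go.mod should stay at `v3.15.4`, so that fixes shipped in that patch release are not dropped unnoticed. The go.mod of the main module is not in this part of the patch, so this is inferred from the checksum lines only.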
@@ -1838,32 +1840,32 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= -k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= -k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= 
-k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= -k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= +k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= +k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= +k8s.io/cli-runtime v0.31.0 h1:V2Q1gj1u3/WfhD475HBQrIYsoryg/LrhhK4RwpN+DhA= +k8s.io/cli-runtime v0.31.0/go.mod h1:vg3H94wsubuvWfSmStDbekvbla5vFGC+zLWqcf+bGDw= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= -k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= +k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1876,16 +1878,16 @@ k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= -k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= +k8s.io/kubectl v0.31.0 h1:kANwAAPVY02r4U4jARP/C+Q1sssCcN/1p9Nk+7BQKVg= +k8s.io/kubectl v0.31.0/go.mod h1:pB47hhFypGsaHAPjlwrNbvhXgmuAr01ZBvAIIUaI8d4= k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys= k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys= -k8s.io/metrics v0.30.3 h1:gKCpte5zykrOmQhZ8qmsxyJslMdiLN+sqbBfIWNpbGM= -k8s.io/metrics v0.30.3/go.mod h1:W06L2nXRhOwPkFYDJYWdEIS3u6JcJy3ebIPYbndRs6A= +k8s.io/metrics v0.31.0 h1:s7Vu7W0oEZPTN8jgcoiWIXIZBmVxt7YP9MRVyIgMdOc= +k8s.io/metrics v0.31.0/go.mod h1:UNsz6swyX8FWkDoKN9ixPF75TBREMbHZIKjD7fydaOY= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= -k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 
h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= @@ -1895,8 +1897,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.18.5 h1:nTHio/W+Q4aBlQMgbnC5hZb4IjIidyrizMai9P6n4Rk= -sigs.k8s.io/controller-runtime v0.18.5/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 8078e767f8a..eafe29b4497 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -20,6 +20,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/discovery" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/handler" @@ -44,6 +45,10 @@ import ( "github.com/envoyproxy/gateway/internal/utils/slice" ) +var skipNameValidation = func() *bool { + return ptr.To(false) +} + type gatewayAPIReconciler struct { client client.Client log logging.Logger 
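Review bot: The new package-level `skipNameValidation` in controller.go has no doc comment, although it is a reassignable func variable that decides whether `controller.New` is asked to skip its name validation (it is passed as `SkipNameValidation` in the `@@ -104,9 +109,9 @@` hunk). The only override visible in this patch is TestMain in kubernetes_test.go, so a comment should pin that intent, for example `// skipNameValidation returns false in production; it is a variable only so that tests can override it.` Any code in the package can reassign it, so the false default is the property to re-check when this file changes again.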
@@ -104,9 +109,9 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater r.namespaceLabel = cfg.EnvoyGateway.Provider.Kubernetes.Watch.NamespaceSelector } - c, err := controller.New("gatewayapi", mgr, controller.Options{Reconciler: r}) + c, err := controller.New("gatewayapi", mgr, controller.Options{Reconciler: r, SkipNameValidation: skipNameValidation()}) if err != nil { - return err + return fmt.Errorf("error creating controller: %w", err) } r.log.Info("created gatewayapi controller") @@ -115,7 +120,7 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater // Watch resources if err := r.watchResources(ctx, mgr, c); err != nil { - return err + return fmt.Errorf("error watching resources: %w", err) } return nil } @@ -1038,7 +1043,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // process status updates and infrastructure changes. This step is crucial for synchronizing resources // that may have been altered or introduced while there was no elected leader. if err := c.Watch(NewWatchAndReconcileSource(mgr.Elected(), &gwapiv1.GatewayClass{}, handler.EnqueueRequestsFromMapFunc(r.enqueueClass))); err != nil { - return err + return fmt.Errorf("failed to watch GatewayClass: %w", err) } if err := c.Watch( @@ -1048,7 +1053,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M }), &predicate.TypedGenerationChangedPredicate[*gwapiv1.GatewayClass]{}, predicate.NewTypedPredicateFuncs[*gwapiv1.GatewayClass](r.hasMatchingController))); err != nil { - return err + return fmt.Errorf("failed to watch GatewayClass: %w", err) } epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ 
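Review bot: The two `c.Watch` failures in watchResources (hunks `@@ -1038,7 +1043,7 @@` and `@@ -1048,7 +1053,7 @@`) are wrapped with the identical text `failed to watch GatewayClass`, so the returned error does not tell which of the two watches failed. The first one is the `NewWatchAndReconcileSource(mgr.Elected(), ...)` source, so something like `fmt.Errorf("watching GatewayClass on leader election: %w", err)` for it and `fmt.Errorf("watching GatewayClass: %w", err)` for the second would keep them apart. newGatewayAPIController already prefixes the chain with `error watching resources`, so the `failed to` / `error` prefixes repeat in the final message. A later watch in the same function still uses a bare `return err` (context of the `@@ -1220,12 +1225,11 @@` hunk). watchResources starts and ends outside these hunks.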
@@ -1220,12 +1225,11 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } + // Watch ServiceImport CRUDs and process affected *Route objects. serviceImportCRDExists := r.serviceImportCRDExists(mgr) if !serviceImportCRDExists { r.log.Info("ServiceImport CRD not found, skipping ServiceImport watch") } - - // Watch ServiceImport CRUDs and process affected *Route objects. if serviceImportCRDExists { if err := c.Watch( source.Kind(mgr.GetCache(), &mcsapiv1a1.ServiceImport{}, diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index da58fcd4188..b82836ef8c1 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -45,6 +45,15 @@ const ( defaultTick = time.Millisecond * 20 ) +func TestMain(m *testing.M) { + // related to https://github.com/kubernetes-sigs/controller-runtime/pull/2902 + // this is a workaround to skip the name validation for the test + skipNameValidation = func() *bool { + return ptr.To(true) + } + os.Exit(m.Run()) +} + func TestProvider(t *testing.T) { // Setup the test environment. testEnv, cliCfg, err := startEnv() diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index e606138fa09..d14fceacb38 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -103,7 +103,7 @@ func matchLabelsAndExpressions(ls *metav1.LabelSelector, objLabels map[string]st } // validateGatewayForReconcile returns true if the provided object is a Gateway -// using a GatewayClass matching the configured gatewayclass controller name. +// using a GatewayClass matching the configured GatewayClass controller name. func (r *gatewayAPIReconciler) validateGatewayForReconcile(obj client.Object) bool { gw, ok := obj.(*gwapiv1.Gateway) if !ok { 
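Review bot: TestMain in kubernetes_test.go replaces `skipNameValidation` for the whole test binary, so no test in this package runs `controller.New` with name validation enabled, which is the production setting. The comment links the upstream pull request but does not say why the tests need the bypass. If the reason is that the tests create the `gatewayapi` controller more than once in one process, the comment should say so, e.g. `// tests create the "gatewayapi" controller several times per process, which name validation rejects`. A single test that leaves the default in place would keep the production path covered.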
@@ -114,14 +114,15 @@ func (r *gatewayAPIReconciler) validateGatewayForReconcile(obj client.Object) bo gc := &gwapiv1.GatewayClass{} key := types.NamespacedName{Name: string(gw.Spec.GatewayClassName)} if err := r.client.Get(context.Background(), key, gc); err != nil { - r.log.Error(err, "failed to get gatewayclass", "name", gw.Spec.GatewayClassName) + r.log.Error(err, "failed to get GatewayClass", "name", gw.Spec.GatewayClassName) return false } if gc.Spec.ControllerName != r.classController { - r.log.Info("gatewayclass controller name", string(gc.Spec.ControllerName), "class controller name", string(r.classController)) - r.log.Info("gatewayclass name for gateway doesn't match configured name", - "namespace", gw.Namespace, "name", gw.Name) + r.log.Info("GatewayClass name for gateway doesn't match configured name", + "namespace", gw.Namespace, "name", gw.Name, + "GatewayClass controller name", string(gc.Spec.ControllerName), + "class controller name", string(r.classController)) return false } diff --git a/internal/provider/kubernetes/sources.go b/internal/provider/kubernetes/sources.go index e19259f77ca..4c76820fdc2 100644 --- a/internal/provider/kubernetes/sources.go +++ b/internal/provider/kubernetes/sources.go @@ -13,6 +13,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/event" "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" ) @@ -28,7 +29,7 @@ func NewWatchAndReconcileSource(cond <-chan struct{}, obj client.Object, eh hand } // Start implements the Source interface. It registers the EventHandler with the Informer. -func (s *watchAndReconcileSource) Start(ctx context.Context, queue workqueue.RateLimitingInterface) error { +func (s *watchAndReconcileSource) Start(ctx context.Context, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) error { if s.object == nil { return errors.New("object to queue is required") } 
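Review bot: The reworked log line in validateGatewayForReconcile says `GatewayClass name for gateway doesn't match configured name`, but the condition above it compares `gc.Spec.ControllerName` with `r.classController`, i.e. the controller name and not the class name. A message such as `"GatewayClass controller name doesn't match configured controller name"` would describe what was actually checked. The added keys `"GatewayClass controller name"` and `"class controller name"` contain spaces; keys like `"gatewayClassController"` and `"configuredController"` are easier to filter on in structured logs. The function continues outside the hunk.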
diff --git a/internal/provider/kubernetes/sources_test.go b/internal/provider/kubernetes/sources_test.go index aafc74bd2b6..18c5be0be8e 100644 --- a/internal/provider/kubernetes/sources_test.go +++ b/internal/provider/kubernetes/sources_test.go @@ -32,7 +32,7 @@ func TestSources(t *testing.T) { expectedAddresses []string handler handler.EventHandler mapFunc handler.MapFunc - queue workqueue.RateLimitingInterface + queue workqueue.TypedRateLimitingInterface[reconcile.Request] expected bool obj client.Object }{ @@ -40,7 +40,7 @@ func TestSources(t *testing.T) { name: "Queue size should increase by one after the condition event triggered", expectedAddresses: []string{}, handler: handler.EnqueueRequestsFromMapFunc(enqueueClass), - queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()), + queue: workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[reconcile.Request]()), ctx: context.Background(), obj: &gwapiv1.GatewayClass{}, expected: true, @@ -49,7 +49,7 @@ func TestSources(t *testing.T) { name: "Confirm object is required", expectedAddresses: []string{}, handler: handler.EnqueueRequestsFromMapFunc(enqueueClass), - queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()), + queue: workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[reconcile.Request]()), ctx: context.Background(), obj: nil, expected: false, diff --git a/tools/src/controller-gen/go.mod b/tools/src/controller-gen/go.mod index 3b5da982d27..6df70b8d49a 100644 --- a/tools/src/controller-gen/go.mod +++ b/tools/src/controller-gen/go.mod 
@@ -2,11 +2,12 @@ module local go 1.22.5 -require sigs.k8s.io/controller-tools v0.15.0 +require sigs.k8s.io/controller-tools v0.16.1 require ( - github.com/fatih/color v1.16.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/fatih/color v1.17.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/gobuffalo/flect v1.0.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/gofuzz v1.2.0 // indirect 
@@ -16,22 +17,23 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.24.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect - golang.org/x/tools v0.20.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + golang.org/x/mod v0.20.0 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.23.0 // indirect + golang.org/x/text v0.17.0 // indirect + golang.org/x/tools v0.24.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.30.0 // indirect - k8s.io/apiextensions-apiserver v0.30.0 // indirect - k8s.io/apimachinery v0.30.0 // indirect - k8s.io/klog/v2 v2.120.1 // indirect - k8s.io/utils v0.0.0-20240423183400-0849a56e8f22 // indirect + k8s.io/api v0.31.0 // indirect + k8s.io/apiextensions-apiserver v0.31.0 // indirect + k8s.io/apimachinery v0.31.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/tools/src/controller-gen/go.sum b/tools/src/controller-gen/go.sum index 797074f310a..2356d590cc7 100644 --- a/tools/src/controller-gen/go.sum +++ b/tools/src/controller-gen/go.sum 
@@ -1,13 +1,16 @@ -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= -github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= +github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
@@ -42,15 +45,16 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE= -github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag 
v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -60,45 +64,49 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= 
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 
h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= -golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -116,18 +124,18 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= -k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= -k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= -k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= -k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= -k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240423183400-0849a56e8f22 h1:ao5hUqGhsqdm+bYbjH/pRkCs0unBGe9UyDahzs9zQzQ= -k8s.io/utils v0.0.0-20240423183400-0849a56e8f22/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI= -sigs.k8s.io/controller-tools v0.15.0/go.mod h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod 
h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-tools v0.16.1 h1:gvIsZm+2aimFDIBiDKumR7EBkc+oLxljoUVfRbDI6RI= +sigs.k8s.io/controller-tools v0.16.1/go.mod h1:0I0xqjR65YTfoO12iR+mZR6s6UAVcUARgXRlsu0ljB0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= From 8ae9b09398c692fb9af36f61e1289f2c81f80dbc Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 26 Aug 2024 09:29:56 +0800 Subject: [PATCH 076/523] API: api for setting OIDC token cookie domain (#4093) * api for oidc token cookie domain Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * add regex validation Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 9 +++++++++ api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ .../gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++++++ 3 files changed, 22 insertions(+) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 53490a1f109..8951fbe63e6 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go 
@@ -37,6 +37,15 @@ type OIDC struct { // +optional CookieNames *OIDCCookieNames `json:"cookieNames,omitempty"` + // The optional domain to set the access and ID token cookies on. + // If not set, the cookies will default to the host of the request, not including the subdomains. + // If set, the cookies will be set on the specified domain and all subdomains. + // This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. + // +optional + // +notImplementedHide + // +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$` + CookieDomain *string `json:"cookieDomain,omitempty"` + // The OIDC scopes to be used in the // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). // The "openid" scope is always added to the list of scopes if not already diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 1680d26cca4..752317aea97 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3466,6 +3466,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(OIDCCookieNames) (*in).DeepCopyInto(*out) } + if in.CookieDomain != nil { + in, out := &in.CookieDomain, &out.CookieDomain + *out = new(string) + **out = **in + } if in.Scopes != nil { in, out := &in.Scopes, &out.Scopes *out = make([]string, len(*in)) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 15faec671eb..d436d38734d 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
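Review bot: The doc comment on `CookieDomain` describes the wider scope only as a convenience and does not say that the access and ID token cookies are then sent to every host under that domain, so a less-trusted or compromised application on any subdomain receives them. I would add a line such as `// Only set this when every subdomain of the given domain is trusted to receive the tokens.` just before `// +optional`. The validation pattern also makes the inner group of the repeated part mandatory, so every label after the first must be at least two characters (`a.example.com` matches, `example.a.com` does not, as I read it); the usual DNS-subdomain form ends in `(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`. There is no length bound either, so `// +kubebuilder:validation:MaxLength=253` may be worth adding. The `OIDC` struct starts and ends outside this hunk, and the generated CRD copy of the description and pattern would need regenerating after either change.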
@@ -2049,6 +2049,14 @@ spec: required: - name type: object + cookieDomain: + description: |- + The optional domain to set the access and ID token cookies on. + If not set, the cookies will default to the host of the request, not including the subdomains. + If set, the cookies will be set on the specified domain and all subdomains. + This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$ + type: string cookieNames: description: |- The optional cookie name overrides to be used for Bearer and IdToken cookies in the From fe6d24bc712a092c8a89550b09d31e65bc42dcdb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 14:13:29 -0700 Subject: [PATCH 077/523] build(deps): bump google/osv-scanner-action from 1.8.3 to 1.8.4 (#4110) Bumps [google/osv-scanner-action](https://github.com/google/osv-scanner-action) from 1.8.3 to 1.8.4. - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](https://github.com/google/osv-scanner-action/compare/c615bb556a9a61495d218c7d439e7c8abbbfb151...678a866dcba398c8ed0124a09928d250f187b52a) --- updated-dependencies: - dependency-name: google/osv-scanner-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/license-scan.yml | 2 +- .github/workflows/osv-scanner.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 68143314ecc..a754e0130fd 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml 
@@ -18,7 +18,7 @@ jobs: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@c615bb556a9a61495d218c7d439e7c8abbbfb151 # v1.8.3 + uses: google/osv-scanner-action/osv-scanner-action@678a866dcba398c8ed0124a09928d250f187b52a # v1.8.4 with: scan-args: |- --skip-git diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 8e2117a97e1..0ca78e136d0 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -16,7 +16,7 @@ on: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@c615bb556a9a61495d218c7d439e7c8abbbfb151" # v1.8.3 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4 permissions: actions: read contents: read @@ -32,7 +32,7 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c615bb556a9a61495d218c7d439e7c8abbbfb151" # v1.8.3 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4 permissions: actions: read contents: read From cc8acbdeb3a21f5950649c68450b12255e19cead Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 14:28:40 -0700 Subject: [PATCH 078/523] build(deps): bump github/codeql-action from 3.26.2 to 3.26.5 (#4109) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.2 to 3.26.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/429e1977040da7a23b6822b13c129cd1ba93dbb2...2c779ab0d087cd7fe7b826087247c2c81f27bfa6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5cde7a2c549..3ebfface8b6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 + uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 + uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 + uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5cb58c15398..a0c332c8d22 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: results.sarif From b7f811a28ecb15d14112ac03c96bf2768ed4eb35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 09:50:41 +0800 Subject: [PATCH 079/523] build(deps): bump github.com/bufbuild/buf from 1.37.0 to 1.38.0 in /tools/src/buf (#4111) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.37.0 to 1.38.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.37.0...v1.38.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 18 +++++++++++------ tools/src/buf/go.sum | 48 ++++++++++++++++++++++++++------------------ 2 files changed, 41 insertions(+), 25 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 639ff08144c..f85dafa2238 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,7 +2,7 @@ module local go 1.22.5 -require github.com/bufbuild/buf v1.37.0 +require github.com/bufbuild/buf v1.38.0 require ( buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect 
@@ -16,8 +16,8 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/bufbuild/protocompile v0.14.0 // indirect github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee // indirect - github.com/bufbuild/protovalidate-go v0.6.3 // indirect - github.com/bufbuild/protoyaml-go v0.1.10 // indirect + github.com/bufbuild/protovalidate-go v0.6.4 // indirect + github.com/bufbuild/protoyaml-go v0.1.11 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.20 // indirect github.com/containerd/continuity v0.4.3 // indirect @@ -40,6 +40,8 @@ require ( github.com/go-chi/chi/v5 v5.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/gofrs/flock v0.12.1 // indirect github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect @@ -52,7 +54,6 @@ require ( github.com/jdx/go-netrc v1.0.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect - github.com/kr/pretty v0.3.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect 
@@ -64,12 +65,15 @@ require ( github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect + github.com/onsi/ginkgo/v2 v2.9.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect + github.com/quic-go/qpack v0.4.0 // indirect + github.com/quic-go/quic-go v0.45.1 // indirect github.com/rs/cors v1.11.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect @@ -85,6 +89,7 @@ require ( go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.28.0 // indirect go.uber.org/atomic v1.11.0 // indirect + go.uber.org/mock v0.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.26.0 // indirect @@ -95,8 +100,9 @@ require ( golang.org/x/sys v0.24.0 // indirect golang.org/x/term v0.23.0 // indirect golang.org/x/text v0.17.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 // indirect + golang.org/x/tools v0.24.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 3dbec1398c9..e22f175caaf 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -20,16 +20,16 @@ github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9b github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.37.0 h1:lKQ2LahOOMzLFFAg1IMQj12gPhAfLWGr6z6jfP6p7Bw= -github.com/bufbuild/buf v1.37.0/go.mod h1:uFHazPjAiKVpyK9Td/4FeMzQb8v5X7M4fo255kw/W6U= +github.com/bufbuild/buf v1.38.0 h1:k9zDnhemPC4E0h4BRshCL6mmQji6qzSHOJTG0iGW11o= +github.com/bufbuild/buf v1.38.0/go.mod h1:GNSjEtwLmhq6A3oCFu4De4ov8RtAvxM1H1x2BUjjnk8= github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= github.com/bufbuild/protocompile v0.14.0/go.mod h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee/go.mod h1:HjGFxsck9RObrTJp2hXQZfWhPgZqnR6sR1U5fCA/Kus= -github.com/bufbuild/protovalidate-go v0.6.3 h1:wxQyzW035zM16Binbaz/nWAzS12dRIXhZdSUWRY7Fv0= -github.com/bufbuild/protovalidate-go v0.6.3/go.mod h1:J4PtwP9Z2YAGgB0+o+tTWEDtLtXvz/gfhFZD8pbzM/U= -github.com/bufbuild/protoyaml-go v0.1.10 h1:gMwDSHNoInt0D6vvTUxAJSWvp87MJraTN7dxsR7C2z4= -github.com/bufbuild/protoyaml-go v0.1.10/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= +github.com/bufbuild/protovalidate-go v0.6.4 h1:QtNIz4LGclM3UArQv/R1AKNF7MO8wriT9v7b8Gnmqak= +github.com/bufbuild/protovalidate-go v0.6.4/go.mod h1:HlkVnkE/zVYZvHIG/a7QZuzqC9bSqHaOOTeRomYF0Q8= +github.com/bufbuild/protoyaml-go v0.1.11 h1:Iyixd6Y5dx6ws6Uh8APgC1lMyvXt710NayoY8cY0Vj8= +github.com/bufbuild/protoyaml-go v0.1.11/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= 
github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -64,7 +64,6 @@ github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsP github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g= github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -88,8 +87,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw= github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= @@ -102,6 +101,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= 
@@ -191,6 +192,10 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= +github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= +github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= @@ -202,7 +207,6 @@ github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M5 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA= 
@@ -210,9 +214,12 @@ github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDj github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= -github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= +github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= +github.com/quic-go/quic-go v0.45.1 h1:tPfeYCk+uZHjmDRwHHQmvHRYL2t44ROTujLeFVBmjCA= +github.com/quic-go/quic-go v0.45.1/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= 
@@ -230,6 +237,7 @@ github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8w github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -264,6 +272,8 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU= +go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= 
@@ -320,8 +330,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= -golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -341,10 +351,10 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 h1:+/tmTy5zAieooKIXfzDm9KiA3Bv6JBwriRN9LY+yayk= -google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988/go.mod h1:4+X6GvPs+25wZKbQq9qyAXrwIRExv7w0Ea6MgZLZiDM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 h1:V71AcdLZr2p8dC9dbOIMCpqi4EmRl8wUwnJzXXLmbmc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 h1:wKguEg1hsxI2/L3hUYrpo1RVi48K+uTyzKqprwLXsb8= +google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= From bf0397590a75706fff7d8cb48696182db8576230 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 26 Aug 2024 18:53:16 -0700 Subject: [PATCH 080/523] docs: removes unimplemented attributes in the extproc example (#4115) 
Signed-off-by: Takeshi Yoneda --- .../en/contributions/design/envoy-extension-policy.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/site/content/en/contributions/design/envoy-extension-policy.md b/site/content/en/contributions/design/envoy-extension-policy.md index 67af7cd6ef1..9ecf2598829 100644 --- a/site/content/en/contributions/design/envoy-extension-policy.md +++ b/site/content/en/contributions/design/envoy-extension-policy.md @@ -96,12 +96,6 @@ spec: response: headers: SKIP body: STREAMED - attributes: - request: - - xds.route_metadata - - connection.requested_server_name - response: - - request.path messageTimeout: 5s targetRef: group: gateway.networking.k8s.io From 277b646ec0c3cfa1e1b11de1ed4fd8d2e2c8db8e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 11:31:32 +0800 Subject: [PATCH 081/523] build(deps): bump github.com/miekg/dns from 1.1.61 to 1.1.62 (#4104) Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.61 to 1.1.62. - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](https://github.com/miekg/dns/compare/v1.1.61...v1.1.62) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 04178c46c71..9ccb28a0ace 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/grafana/tempo v1.5.0 github.com/hashicorp/go-multierror v1.1.1 - github.com/miekg/dns v1.1.61 + github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 github.com/prometheus/client_golang v1.20.0 github.com/prometheus/common v0.55.0 
diff --git a/go.sum b/go.sum index 8fd065bd114..e623174f299 100644 --- a/go.sum +++ b/go.sum @@ -854,8 +854,8 @@ github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= github.com/microsoft/go-mssqldb v1.7.2 h1:CHkFJiObW7ItKTJfHo1QX7QBBD1iV+mn1eOyRP3b/PA= github.com/microsoft/go-mssqldb v1.7.2/go.mod h1:kOvZKUdrhhFQmxLZqbwUV0rHkNkZpthMITIb2Ko1IoA= -github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= -github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mistifyio/go-zfs/v3 v3.0.1 h1:YaoXgBePoMA12+S1u/ddkv+QqxcfiZK4prI6HPnkFiU= github.com/mistifyio/go-zfs/v3 v3.0.1/go.mod h1:CzVgeB0RvF2EGzQnytKVvVSDwmKJXxkOTUGbNrTja/k= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= From 08b03fad1eeb9eb93d60562b3eb95e146ddbb634 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 27 Aug 2024 16:00:03 +0800 Subject: [PATCH 082/523] deps: Bump go control plane to 0.13.0 (#4113) --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- internal/xds/extensions/extensions.gen.go | 13 +++++++------ 5 files changed, 13 insertions(+), 12 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 4e61e8ed0bb..23a9d134572 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -4,7 +4,7 @@ go 1.22.5 require ( github.com/envoyproxy/gateway v1.0.2 - github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d + github.com/envoyproxy/go-control-plane v0.13.0 github.com/urfave/cli/v2 v2.27.2 google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index b9d535f8cc3..4ee04f537f8 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -11,8 +11,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d h1:RopQsG28t61pLLZRkwzwBsi60yDsOP8RvW47A3eAcGo= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= +github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= +github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= diff --git a/go.mod b/go.mod index 9ccb28a0ace..676d89bb005 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.1.2+incompatible github.com/dominikbraun/graph v0.23.0 - github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d + github.com/envoyproxy/go-control-plane v0.13.0 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 diff --git a/go.sum b/go.sum index e623174f299..b656e492000 100644 --- a/go.sum +++ b/go.sum 
@@ -423,8 +423,8 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
-github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d h1:RopQsG28t61pLLZRkwzwBsi60yDsOP8RvW47A3eAcGo=
-github.com/envoyproxy/go-control-plane v0.12.1-0.20240612043845-c54ec4ce422d/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA=
+github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les=
+github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
 github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
diff --git a/internal/xds/extensions/extensions.gen.go b/internal/xds/extensions/extensions.gen.go
index 811bc2ab444..09713ea43df 100644
--- a/internal/xds/extensions/extensions.gen.go
+++ b/internal/xds/extensions/extensions.gen.go
@@ -18,13 +18,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/squash/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/sxg/v3alpha" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/client_ssl_auth/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/action/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/router/v3" - _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/generic_proxy/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/golang/v3alpha" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_broker/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha" 
@@ -161,6 +155,12 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/dubbo_proxy/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/echo/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ext_authz/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/action/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/codecs/http1/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/matcher/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/router/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/generic_proxy/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/local_ratelimit/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/mongo_proxy/v3" @@ -223,6 +223,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/ssl/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/consistent_hashing/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/runtime_fraction/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/apple/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3" From d25b15347473dc2f978d3342146a97439350aec6 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 27 Aug 2024 16:01:10 +0800
Subject: [PATCH 083/523] build(deps): bump helm.sh/helm/v3 from 3.15.3 to 3.15.4 (#4105)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 676d89bb005..83c983f4a39 100644
--- a/go.mod
+++ b/go.mod
@@ -48,7 +48,7 @@ require (
 golang.org/x/sys v0.24.0
 google.golang.org/protobuf v1.34.2
 gopkg.in/yaml.v3 v3.0.1
- helm.sh/helm/v3 v3.15.3
+ helm.sh/helm/v3 v3.15.4
 k8s.io/api v0.31.0
 k8s.io/apiextensions-apiserver v0.31.0
 k8s.io/apimachinery v0.31.0
diff --git a/go.sum b/go.sum
index b656e492000..804dfb6dd67 100644
--- a/go.sum
+++ b/go.sum
@@ -1829,8 +1829,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.15.3 h1:HcZDaVFe9uHa6hpsR54mJjYyRy4uz/pc6csg27nxFOc=
-helm.sh/helm/v3 v3.15.3/go.mod h1:FzSIP8jDQaa6WAVg9F+OkKz7J0ZmAga4MABtTbsb9WQ=
+helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY=
+helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
From 834619a88d4a2446ccfdbfb3bf8c257948422b7f Mon Sep 17 00:00:00 2001
From: Lior Okman Date: Tue, 27 Aug 2024 16:02:54 +0300 Subject: [PATCH 084/523] fix: remove the limitation for only one backendRef from ext-auth and ext-proc (#4086) Remove the limitation for only one backendRef from ext-auth and ext-proc. Signed-off-by: Lior Okman --- api/v1alpha1/ext_auth_types.go | 2 - api/v1alpha1/ext_proc_types.go | 1 - ....envoyproxy.io_envoyextensionpolicies.yaml | 2 - ...ateway.envoyproxy.io_securitypolicies.yaml | 4 - internal/gatewayapi/securitypolicy.go | 102 ++++++++---------- ...ecuritypolicy-with-extauth-backend.in.yaml | 3 + ...curitypolicy-with-extauth-backend.out.yaml | 23 +++- ...ritypolicy-with-extauth-backendref.in.yaml | 14 +-- ...itypolicy-with-extauth-backendref.out.yaml | 14 +-- ...ith-extauth-with-backendtlspolicy.out.yaml | 4 +- .../securitypolicy-with-extauth.out.yaml | 6 +- .../testdata/in/xds-ir/ext-auth.yaml | 6 ++ .../out/xds-ir/ext-auth.endpoints.yaml | 12 ++- test/cel-validation/securitypolicy_test.go | 2 - 14 files changed, 102 insertions(+), 93 deletions(-) diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 2ecb8674aad..2d49a9df3d6 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -49,7 +49,6 @@ type ExtAuth struct { // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" -// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type GRPCExtAuthService struct { 
@@ -61,7 +60,6 @@ type GRPCExtAuthService struct { // // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" -// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type HTTPExtAuthService struct { diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index 9f19d92b48f..cbdaf97ba45 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go 
@@ -47,7 +47,6 @@ type ExtProcProcessingMode struct { // ExtProc defines the configuration for External Processing filter. // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" -// +kubebuilder:validation:XValidation:message="Exactly one backendRef can be specified in backendRefs.",rule="has(self.backendRefs) && self.backendRefs.size()==1" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type ExtProc struct { diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 00fd69c5701..9c65b25f043 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -859,8 +859,6 @@ spec: x-kubernetes-validations: - message: BackendRefs must be used, backendRef is not supported. rule: '!has(self.backendRef)' - - message: Exactly one backendRef can be specified in backendRefs. - rule: has(self.backendRefs) && self.backendRefs.size()==1 - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind == ''Service'' || f.kind == ''Backend'') : true' diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index d436d38734d..202f9b56743 100644 
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -1018,8 +1018,6 @@ spec: rule: has(self.backendRef) || self.backendRefs.size() > 0 - message: BackendRefs must be used, backendRef is not supported. rule: '!has(self.backendRef)' - - message: Exactly one backendRef can be specified in backendRefs. - rule: has(self.backendRefs) && self.backendRefs.size()==1 - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind == ''Service'' || f.kind == ''Backend'') : true' @@ -1833,8 +1831,6 @@ spec: rule: has(self.backendRef) || self.backendRefs.size() > 0 - message: BackendRefs must be used, backendRef is not supported. rule: '!has(self.backendRef)' - - message: Exactly one backendRef can be specified in backendRefs. - rule: has(self.backendRefs) && self.backendRefs.size()==1 - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind == ''Service'' || f.kind == ''Backend'') : true' diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 9940dbabefc..276a63c8bc6 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -805,69 +805,67 @@ func (t *Translator) buildBasicAuth( func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { var ( - http = policy.Spec.ExtAuth.HTTP - grpc = policy.Spec.ExtAuth.GRPC - backendRef *gwapiv1.BackendObjectReference - protocol ir.AppProtocol - ds *ir.DestinationSetting - authority string - err error - traffic *ir.TrafficFeatures - failover *bool + http = policy.Spec.ExtAuth.HTTP + grpc = policy.Spec.ExtAuth.GRPC + backends *egv1a1.BackendCluster + protocol ir.AppProtocol + ds []*ir.DestinationSetting + authority string + err error + traffic *ir.TrafficFeatures ) - switch { // These are sanity checks, they should never happen because the API server // should have caught them - case http != nil && grpc != nil: + if http == nil && grpc == nil { + return nil, errors.New("one of grpc or http must be specified") + } else if http != nil && grpc != nil { return nil, errors.New("only one of grpc or http can be specified") + } + + switch { case http != nil: - backendRef = http.BackendRef - if len(http.BackendRefs) != 0 { - backendRef = egv1a1.ToBackendObjectReference(http.BackendRefs[0]) - failover = http.BackendRefs[0].Failover - } + backends = &http.BackendCluster protocol = ir.HTTP - if traffic, err = translateTrafficFeatures(http.BackendSettings); err != nil { - return nil, err - } case grpc != nil: - backendRef = grpc.BackendRef - if len(grpc.BackendRefs) != 0 { - backendRef = egv1a1.ToBackendObjectReference(grpc.BackendRefs[0]) - failover = grpc.BackendRefs[0].Failover - } + backends = &grpc.BackendCluster protocol = ir.GRPC - if traffic, err = translateTrafficFeatures(grpc.BackendSettings); err != nil { + } + pnn := utils.NamespacedName(policy) + for _, backendRef := range backends.BackendRefs { + if err = t.validateExtServiceBackendReference(&backendRef.BackendObjectReference, policy.Namespace, policy.Kind, resources); err != nil { return nil, err } - // These are 
sanity checks, they should never happen because the API server - // should have caught them - default: // http == nil && grpc == nil: - return nil, errors.New("one of grpc or http must be specified") - } - if err = t.validateExtServiceBackendReference(backendRef, policy.Namespace, policy.Kind, resources); err != nil { - return nil, err - } + // Authority is the calculated hostname that will be used as the Authority header. + // If there are multiple backend referenced, simply use the first one - there are no good answers here. + // When translated to XDS, the authority is used on the filter level not on the cluster level. + // There's no way to translate to XDS and use a different authority for each backendref + if authority == "" { + authority = backendRefAuthority(resources, &backendRef.BackendObjectReference, policy) + } - authority = backendRefAuthority(resources, backendRef, policy) - pnn := utils.NamespacedName(policy) - if ds, err = t.processExtServiceDestination( - &egv1a1.BackendRef{BackendObjectReference: *backendRef, Failover: failover}, - pnn, - KindSecurityPolicy, - protocol, - resources, - envoyProxy, - ); err != nil { - return nil, err + extServiceDest, err := t.processExtServiceDestination( + &backendRef, + pnn, + KindSecurityPolicy, + protocol, + resources, + envoyProxy, + ) + if err != nil { + return nil, err + } + ds = append(ds, extServiceDest) } rd := ir.RouteDestination{ - Name: irExtServiceDestinationName(policy, backendRef), - Settings: []*ir.DestinationSetting{ds}, + Name: irIndexedExtServiceDestinationName(pnn, egv1a1.KindSecurityPolicy, 0), + Settings: ds, } + if traffic, err = translateTrafficFeatures(backends.BackendSettings); err != nil { + return nil, err + } extAuth := &ir.ExtAuth{ Name: irConfigName(policy), HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth, 
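Review bot: The new loop `for _, backendRef := range backends.BackendRefs` in buildExtAuth has no guard for an empty list, so a policy that reaches the translator with no `backendRefs` (or with only the legacy `backendRef`, which this code no longer reads) yields an `ir.ExtAuth` whose destination has nil `Settings` and an empty authority instead of an error. The remaining CEL rules should reject that at admission, but the function already keeps sanity checks for conditions the API server is expected to catch, and with `failOpen: true` an ext-auth filter without any upstream would presumably let requests through unauthenticated. I would add, right after the `switch` that sets `backends`, `if len(backends.BackendRefs) == 0 { return nil, errors.New("at least one backendRef must be specified") }`. The body of buildExtAuth continues past the end of this hunk.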
@@ -916,18 +914,6 @@ func backendRefAuthority(resources *Resources, backendRef *gwapiv1.BackendObject *backendRef.Port) } -func irExtServiceDestinationName(policy *egv1a1.SecurityPolicy, backendRef *gwapiv1.BackendObjectReference) string { - nn := types.NamespacedName{ - Name: string(backendRef.Name), - Namespace: NamespaceDerefOr(backendRef.Namespace, policy.Namespace), - } - - return strings.ToLower(fmt.Sprintf( - "%s/%s", - irConfigName(policy), - nn.String())) -} - func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) { var ( authorization = policy.Spec.Authorization diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index e1f50e75b2d..78529bf6d73 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -101,6 +101,9 @@ securityPolicies: - header2 grpc: backendRefs: + - name: service-2 + kind: Service + port: 8080 - name: backend-fqdn kind: Backend group: gateway.envoyproxy.io diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index a89bf53a8cf..2957475fbda 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -169,6 +169,9 @@ securityPolicies: failOpen: true grpc: backendRefs: + - kind: Service + name: service-2 + port: 8080 - group: gateway.envoyproxy.io kind: Backend name: backend-fqdn 
@@ -240,10 +243,16 @@ xdsIR: extAuth: failOpen: true grpc: - authority: primary.foo.com:3000 + authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/default/backend-fqdn + name: securitypolicy/default/policy-for-http-route-1/0 settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 - addressType: FQDN endpoints: - host: primary.foo.com @@ -278,10 +287,16 @@ xdsIR: extAuth: failOpen: true grpc: - authority: primary.foo.com:3000 + authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/default/backend-fqdn + name: securitypolicy/default/policy-for-http-route-1/0 settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 - addressType: FQDN endpoints: - host: primary.foo.com diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml index e362583125b..1c24de65efe 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.in.yaml @@ -145,9 +145,9 @@ securityPolicies: - header1 - header2 grpc: - backendRef: - name: grpc-backend - port: 9000 + backendRefs: + - name: grpc-backend + port: 9000 - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: @@ -161,10 +161,10 @@ securityPolicies: extAuth: failOpen: false http: - backendRef: - Name: http-backend - Namespace: envoy-gateway - Port: 80 + backendRefs: + - Name: http-backend + Namespace: envoy-gateway + Port: 80 Path: /auth headersToBackend: - header1 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index 089e5092072..905b81b3cba 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml @@ -149,8 +149,8 @@ securityPolicies: extAuth: failOpen: true grpc: - backendRef: - name: grpc-backend + backendRefs: + - name: grpc-backend port: 9000 headersToExtAuth: - header1 @@ -184,8 +184,8 @@ securityPolicies: extAuth: failOpen: false http: - backendRef: - name: http-backend + backendRefs: + - name: http-backend namespace: envoy-gateway port: 80 headersToBackend: @@ -263,7 +263,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/0 settings: - addressType: IP endpoints: @@ -301,7 +301,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/0 settings: - addressType: IP endpoints: @@ -339,7 +339,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + name: securitypolicy/default/policy-for-gateway-1/0 settings: - addressType: IP endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index a878d1aac62..ac1b52a58ea 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -322,7 +322,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route/default/grpc-backend + name: securitypolicy/default/policy-for-http-route/0 settings: - addressType: IP endpoints: 
@@ -365,7 +365,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway/envoy-gateway/http-backend + name: securitypolicy/default/policy-for-gateway/0 settings: - addressType: IP endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index f8395d24137..905b81b3cba 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -263,7 +263,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/0 settings: - addressType: IP endpoints: @@ -301,7 +301,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + name: securitypolicy/default/policy-for-http-route-1/0 settings: - addressType: IP endpoints: @@ -339,7 +339,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + name: securitypolicy/default/policy-for-gateway-1/0 settings: - addressType: IP endpoints: diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml index bedbbae996c..0453e1341f5 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml @@ -37,6 +37,12 @@ http: destination: name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend settings: + - addressType: IP + endpoints: + - host: 8.8.4.4 + port: 9001 + protocol: GRPC + weight: 1 - addressType: IP endpoints: - host: 8.8.8.8 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml index 2c0f91a63f3..701d34b9675 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.endpoints.yaml @@ -36,6 +36,16 @@ region: httproute/default/httproute-2/rule/0/backend/0 - clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 8.8.4.4 + portValue: 9001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 - lbEndpoints: - endpoint: address: @@ -45,7 +55,7 @@ loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/1 - clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend endpoints: - lbEndpoints: diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index 2ca001cd0c2..cbc0145aa05 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -685,7 +685,6 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{ "BackendRefs must be used, backendRef is not supported.", - "Exactly one backendRef can be specified in backendRefs.", }, }, { @@ -782,7 +781,6 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{ "BackendRefs must be used, backendRef is not supported.", - "Exactly one backendRef can be specified in backendRefs.", }, }, { From 31195499f8c7080b3a10b929eb9b6aa537452a97 Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Tue, 27 Aug 2024 07:52:36 -0700 Subject: [PATCH 085/523] [api] Add Failover field to Backend (#4099) * [api] Add Failover field to Backend Adds a `failover` field to Backend API so we can support Active/Passive Failover backends within xRoutes similar to https://github.com/envoyproxy/gateway/pull/4033 Relates to https://github.com/envoyproxy/gateway/issues/3055 Signed-off-by: Arko Dasgupta * fix doc string Signed-off-by: Arko Dasgupta * notImplementedHide Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- api/v1alpha1/backend_types.go | 10 ++++++++++ api/v1alpha1/shared_types.go | 3 ++- api/v1alpha1/zz_generated.deepcopy.go | 5 +++++ .../crds/generated/gateway.envoyproxy.io_backends.yaml | 8 ++++++++ .../gateway.envoyproxy.io_envoyextensionpolicies.yaml | 2 +- .../generated/gateway.envoyproxy.io_envoyproxies.yaml | 8 ++++---- .../gateway.envoyproxy.io_securitypolicies.yaml | 4 ++-- site/content/en/latest/api/extension_types.md | 2 +- site/content/zh/latest/api/extension_types.md | 2 +- 9 files changed, 34 insertions(+), 10 deletions(-) diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go index 9e28a341ce1..6a039a5b470 100644 --- a/api/v1alpha1/backend_types.go +++ b/api/v1alpha1/backend_types.go 
@@ -123,6 +123,16 @@ type BackendSpec struct { // // +optional AppProtocols []AppProtocolType `json:"appProtocols,omitempty"` + + // Failover indicates whether the backend is designated as a failover. + // It is highly recommended to configure active or passive health checks to ensure that failover can be detected + // when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + // The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + // the health of the active backends falls below 72%. + // + // +optional + // +notImplementedHide + Failover *bool `json:"failover,omitempty"` } // BackendConditionType is a type of condition for a backend. This type should be diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index ec29fb5f292..d1e6e01e2ea 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -473,12 +473,13 @@ type BackendRef struct { // BackendObjectReference references a Kubernetes object that represents the backend. // Only Service kind is supported for now. gwapiv1.BackendObjectReference `json:",inline"` - // Failover This indicates whether the backend is designated as a failover. + // Failover indicates whether the backend is designated as a failover. // Multiple failover backends can be configured. // It is highly recommended to configure active or passive health checks to ensure that failover can be detected // when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. // The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when // the health of the active backends falls below 72%. + // // +optional Failover *bool `json:"failover,omitempty"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 752317aea97..b58bc5a20ed 100644 
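Review bot: The doc comment on the new `Failover` field in the BackendSpec hunk of api/v1alpha1/backend_types.go describes failover behaviour in the present tense, while the `+notImplementedHide` marker says the field is not implemented yet. The marker only hides the field from the generated API docs; the generated Backend CRD in this same commit still exposes `failover` with that description, so an operator can set it and, as far as this commit's file list shows, nothing consumes it. That is a poor surprise for a setting people rely on for availability, so I would say it in the comment itself, for example `// NOTE: not yet implemented; setting this field currently has no effect.` placed before the `+optional` marker.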
--- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -406,6 +406,11 @@ func (in *BackendSpec) DeepCopyInto(out *BackendSpec) { *out = make([]AppProtocolType, len(*in)) copy(*out, *in) } + if in.Failover != nil { + in, out := &in.Failover, &out.Failover + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendSpec. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index 8c5ca5ebc48..d45b3076e51 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -137,6 +137,14 @@ spec: x-kubernetes-validations: - message: fqdn addresses cannot be mixed with other address types rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn)) + failover: + description: |- + Failover indicates whether the backend is designated as a failover. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean type: object status: description: Status defines the current status of Backend. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 9c65b25f043..1e095c05564 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
@@ -138,7 +138,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 7bd4b930608..46fb3818e81 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10359,7 +10359,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. @@ -11245,7 +11245,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. 
@@ -12209,7 +12209,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. @@ -13108,7 +13108,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 202f9b56743..4256957a6c9 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -333,7 +333,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. 
@@ -1130,7 +1130,7 @@ spec: properties: failover: description: |- - Failover This indicates whether the backend is designated as a failover. + Failover indicates whether the backend is designated as a failover. Multiple failover backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 7807853c8e0..39a7e955c32 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -364,7 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `failover` | _boolean_ | false | Failover This indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| `failover` | _boolean_ | false | Failover indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 7807853c8e0..39a7e955c32 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -364,7 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `failover` | _boolean_ | false | Failover This indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| `failover` | _boolean_ | false | Failover indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec From 6e709811adcb0d047df9cf017318524b3e92518a Mon Sep 17 00:00:00 2001 From: Md Sahil <85174511+MdSahil-oss@users.noreply.github.com> Date: Tue, 27 Aug 2024 20:27:20 +0530 Subject: [PATCH 086/523] refactor: Return 500 when BackendTrafficPolicy translation fails (#4092) --- internal/gatewayapi/backendtrafficpolicy.go | 30 +++++---- ...y-buffer-limit-out-of-range-error.out.yaml | 2 + ...y-buffer-limit-with-invalid-value.out.yaml | 2 + ...policy-with-circuitbreakers-error.out.yaml | 6 ++ ...nvalid-consistent-hash-table-size.out.yaml | 4 ++ ...ocal-ratelimit-invalid-limit-unit.out.yaml | 2 + ...ocal-ratelimit-invalid-match-type.out.yaml | 2 + ...valid-multiple-route-level-limits.out.yaml | 2 + ...licy-with-ratelimit-invalid-regex.out.yaml | 2 + ...dtrafficpolicy-with-timeout-error.out.yaml | 2 + ...dtrafficpolicy-with-timeout-error.out.yaml | 2 + ...ckendtrafficpolicy-translation-failed.yaml | 42 +++++++++++++ ...backendtrafficpolicy_translation_failed.go | 62 +++++++++++++++++++ test/e2e/tests/utils.go | 27 ++++++++ 14 files changed, 175 insertions(+), 12 deletions(-) create mode 100644 test/e2e/testdata/backendtrafficpolicy-translation-failed.yaml create mode 100644 test/e2e/tests/backendtrafficpolicy_translation_failed.go diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index b2f0ffa6ece..586d422a74f 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -342,11 +342,6 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen ds = translateDNS(policy.Spec.ClusterSettings) - // Early return if got any errors - if errs != nil { - return errs - } - // Apply IR to all relevant routes prefix := irRoutePrefix(route) 
@@ -381,6 +376,14 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen for _, r := range http.Routes { // Apply if there is a match if strings.HasPrefix(r.Name, prefix) { + if errs != nil { + // Return a 500 direct response + r.DirectResponse = &ir.DirectResponse{ + StatusCode: 500, + } + continue + } + r.Traffic = &ir.TrafficFeatures{ RateLimit: rl, LoadBalancer: lb, @@ -411,7 +414,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen } } - return nil + return errs } func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, xdsIR XdsIRMap) error { @@ -468,11 +471,6 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back ds = translateDNS(policy.Spec.ClusterSettings) - // Early return if got any errors - if errs != nil { - return errs - } - // Apply IR to all the routes within the specific Gateway // If the feature is already set, then skip it, since it must be have // set by a policy attaching to the route @@ -534,6 +532,14 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back continue } + if errs != nil { + // Return a 500 direct response + r.DirectResponse = &ir.DirectResponse{ + StatusCode: 500, + } + continue + } + r.Traffic = &ir.TrafficFeatures{ RateLimit: rl, LoadBalancer: lb, @@ -560,7 +566,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } } - return nil + return errs } func (t *Translator) buildRateLimit(policy *egv1a1.BackendTrafficPolicy) (*ir.RateLimit, error) { diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml index 67e8dd5620c..bb171e01da7 100644 
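Review bot: The new `if errs != nil` branch in the route loop of translateBackendTrafficPolicyForRoute, and its copy in translateBackendTrafficPolicyForGateway (hunk at -534), is documented only by `// Return a 500 direct response`, which restates the code and omits the reason. The reason is the part a maintainer needs: the removed early return presumably left matching routes served without the policy's rate limit, circuit breaker and timeout settings, and the new branch fails them closed instead. I would write `// Translation failed: fail closed with a 500 rather than serve the route without the policy's traffic settings.` at both sites and replace the literal `500` with one named constant. In the gateway variant the check sits after a `continue` that appears to skip routes already configured by a route-level policy, so those routes keep serving; a one-line comment saying this is intended would help. Both function bodies start and end outside the hunks.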
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml @@ -316,6 +316,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml index cb0037b75bf..654c9bdab4a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml @@ -316,6 +316,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index 969005436cb..2b49ea23741 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml @@ -335,6 +335,8 @@ xdsIR: port: 8080 protocol: GRPC weight: 1 + directResponse: + statusCode: 500 hostname: '*' isHTTP2: true metadata: @@ -371,6 +373,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: @@ -391,6 +395,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml index 05e6140a298..dc2ba7fb3d3 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml @@ -225,6 +225,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: @@ -245,6 +247,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index ebce8acb474..0be116e1ebf 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml @@ -178,6 +178,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index e5298e279a4..21cae9b09f3 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml 
@@ -174,6 +174,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index 80e55671513..0fd1f442bd8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -181,6 +181,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index 74ced58453e..8b20cbc59c9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml @@ -160,6 +160,8 @@ xdsIR: port: 8080 protocol: GRPC weight: 1 + directResponse: + statusCode: 500 hostname: '*' isHTTP2: true metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index 8ddcdf83cdb..dc80d9e73a8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -151,6 +151,8 @@ xdsIR: port: 8080 protocol: GRPC weight: 1 + directResponse: + statusCode: 500 hostname: '*' isHTTP2: true metadata: 
diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index 8a7e9838848..bda6f990dda 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml @@ -158,6 +158,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false metadata: diff --git a/test/e2e/testdata/backendtrafficpolicy-translation-failed.yaml b/test/e2e/testdata/backendtrafficpolicy-translation-failed.yaml new file mode 100644 index 00000000000..a5a6a7af32b --- /dev/null +++ b/test/e2e/testdata/backendtrafficpolicy-translation-failed.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-ratelimit + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /myapp # This is the path that will be protected by OIDC + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: policy-httproute + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-ratelimit + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - headers: + - name: x-user-id + type: RegularExpression + value: "*.illegal.regex" + limit: + requests: 10 + unit: Hour + type: Global diff --git a/test/e2e/tests/backendtrafficpolicy_translation_failed.go b/test/e2e/tests/backendtrafficpolicy_translation_failed.go new file mode 100644 index 00000000000..9701596de0f --- /dev/null +++ b/test/e2e/tests/backendtrafficpolicy_translation_failed.go 
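Review bot: The comment on the `value: /myapp` line in the new fixture, `# This is the path that will be protected by OIDC`, looks copied from another manifest; nothing here configures OIDC, and the route exists to carry a BackendTrafficPolicy whose header regex `*.illegal.regex` is meant to be rejected. I would change it to `# Path served by the route whose BackendTrafficPolicy fails translation`. `type: Global` also appears twice in the `rateLimit` stanza of the flattened text; if both sit at the same level one is a duplicate key and should be dropped.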
@@ -0,0 +1,62 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" +) + +func init() { + ConformanceTests = append(ConformanceTests, FailedBackendTrafficPolicyDirectResponseTest) +} + +// FailedBackendTrafficPolicyDirectResponseTest tests the direct 500 response for HTTPRoute targeted by a failed BackendTrafficPolicy. +var FailedBackendTrafficPolicyDirectResponseTest = suite.ConformanceTest{ + ShortName: "FailedBackendTrafficPolicyDirectResponse", + Description: "Test direct 500 response when failed to translate BackendTrafficPolicy", + Manifests: []string{"testdata/backendtrafficpolicy-translation-failed.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("http route with failed BackendTrafficPolicy", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-ratelimit", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + BackendTrafficPolicyMustFail(t, suite.Client, types.NamespacedName{Name: "policy-httproute", Namespace: 
ns}, suite.ControllerName, ancestorRef, "") + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + }, + Response: http.Response{ + StatusCode: 500, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index c08b17685a3..c7b3fa3819e 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -161,6 +161,33 @@ func BackendTrafficPolicyMustBeAccepted(t *testing.T, client client.Client, poli require.NoErrorf(t, waitErr, "error waiting for BackendTrafficPolicy to be accepted") } +// BackendTrafficPolicyMustFail waits for an BackendTrafficPolicy to fail with the specified reason. +func BackendTrafficPolicyMustFail( + t *testing.T, client client.Client, policyName types.NamespacedName, + controllerName string, ancestorRef gwapiv1a2.ParentReference, message string, +) { + t.Helper() + + policy := &egv1a1.BackendTrafficPolicy{} + waitErr := wait.PollUntilContextTimeout( + context.Background(), 1*time.Second, 60*time.Second, + true, func(ctx context.Context) (bool, error) { + err := client.Get(ctx, policyName, policy) + if err != nil { + return false, fmt.Errorf("error fetching BackendTrafficPolicy: %w", err) + } + + if policyFailAcceptedByAncestor(policy.Status.Ancestors, controllerName, ancestorRef, message) { + t.Logf("BackendTrafficPolicy has been failed: %v", policy) + return true, nil + } + + return false, nil + }) + + require.NoErrorf(t, waitErr, "error waiting for BackendTrafficPolicy to fail with message: %s policy %v", message, policy) +} + // ClientTrafficPolicyMustBeAccepted waits for the specified ClientTrafficPolicy to be accepted. func ClientTrafficPolicyMustBeAccepted(t *testing.T, client client.Client, policyName types.NamespacedName, controllerName string, ancestorRef gwapiv1a2.ParentReference) { t.Helper() 
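Review bot: The call `BackendTrafficPolicyMustFail(..., ancestorRef, "")` passes an empty message, so the test would accept any failure condition on the policy rather than the invalid rate-limit regex specifically (assuming `policyFailAcceptedByAncestor`, which is not shown, matches the message as a substring). Passing a distinctive fragment of the expected error, `BackendTrafficPolicyMustFail(..., ancestorRef, "<expected error fragment>")`, would keep it from passing on an unrelated rejection. The request assertion covers only the failing route; a second route without the policy and an expected 200 would show that the 500 is scoped to the targeted route and does not spill onto its neighbours.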
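Review bot: In `BackendTrafficPolicyMustFail` the poll callback returns `fmt.Errorf("error fetching BackendTrafficPolicy: %w", err)` on any `client.Get` failure, and a non-nil error from the condition ends `wait.PollUntilContextTimeout` at once, so a single transient API error fails the test instead of being retried within the 60s window. If that is not intended, log and keep polling: `t.Logf("error fetching BackendTrafficPolicy: %v", err)` followed by `return false, nil`. The doc comment says "with the specified reason" while the parameter is `message`, and "an BackendTrafficPolicy" should read "a BackendTrafficPolicy".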
From 8e6adbfe6bb6e55fe3f39c432e34acf1ce42bf6a Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Wed, 28 Aug 2024 16:31:11 +0200 Subject: [PATCH 087/523] ossf: fix pinned-dependencies (#4119) Signed-off-by: Matthieu MOREL --- .github/workflows/build_and_test.yaml | 2 +- .github/workflows/latest_release.yaml | 6 +++--- .github/workflows/release.yaml | 6 +++--- tools/docker/envoy-gateway/Dockerfile | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 7f168d6ab91..a8dd94a8a37 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -145,7 +145,7 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz - uses: ts-graphviz/setup-graphviz@v2 + uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2 # Benchmark - name: Run Benchmark tests diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index be8af0ae824..94dbd6cea92 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -26,7 +26,7 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz - uses: ts-graphviz/setup-graphviz@v2 + uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2 # Benchmark - name: Run Benchmark tests @@ -46,7 +46,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@v4 # version is better be consistent with actions/download-artifact + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: benchmark_report path: test/benchmark/benchmark_report.zip 
@@ -65,7 +65,7 @@ jobs: run: IMAGE_PULL_POLICY=Always make generate-manifests IMAGE=envoyproxy/gateway-dev TAG=latest OUTPUT_DIR=release-artifacts - name: Download Benchmark Report - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: benchmark_report path: release-artifacts diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7da0055d2b0..bc4bb1b15ee 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,7 +19,7 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz - uses: ts-graphviz/setup-graphviz@v2 + uses: ts-graphviz/setup-graphviz@b1de5da23ed0a6d14e0aeee8ed52fdd87af2363c # v2.0.2 # Benchmark - name: Run Benchmark tests @@ -39,7 +39,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@v4 # version is better be consistent with actions/download-artifact + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: benchmark_report path: test/benchmark/benchmark_report.zip @@ -75,7 +75,7 @@ jobs: run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Download Benchmark Report - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: benchmark_report path: release-artifacts diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 9d018cbf0e7..af75ba6ca53 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -1,4 +1,4 @@ -FROM busybox as source +FROM busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 as source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 2395f7f99f59d1d33d2984e91174f119f77bc1d3 Mon Sep 17 00:00:00 2001 From: KathyMagor Date: Wed, 28 Aug 2024 17:36:23 +0300 Subject: [PATCH 088/523] add-nodeSelector (#4017) * add nodeSelector Signed-off-by: Kathy Magor * add nodeSelector Signed-off-by: Kathy Magor --------- Signed-off-by: Kathy Magor --- charts/gateway-helm/README.md | 1 + charts/gateway-helm/templates/envoy-gateway-deployment.yaml | 4 ++++ charts/gateway-helm/values.tmpl.yaml | 1 + site/content/en/latest/install/gateway-helm-api.md | 1 + site/content/zh/latest/install/gateway-helm-api.md | 1 + 5 files changed, 8 insertions(+) diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index da3f7572bd1..4274b890bdc 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -76,6 +76,7 @@ To uninstall the chart: | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | | deployment.pod.labels | object | `{}` | | +| deployment.pod.nodeSelector | object | `{}` | | | deployment.pod.tolerations | list | `[]` | | | deployment.pod.topologySpreadConstraints | list | `[]` | | | deployment.ports[0].name | string | `"grpc"` | | diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index b40c8dc5428..7bf62e582fb 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml 
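Review bot: The new `FROM busybox@sha256:…` line pins the digest but records no tag, unlike the workflow pins in the same commit, which keep a trailing `# v2.0.2`-style comment; a reader cannot tell which busybox release is in use or when it has gone stale. Keeping the tag beside the digest, `FROM busybox:<tag>@sha256:<digest> as source`, documents it without weakening the pin. If the image is built for more than one architecture, it is also worth confirming that the digest is the multi-arch index and not a single-platform manifest.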
@@ -51,6 +51,10 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.deployment.pod.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} {{- with .Values.deployment.pod.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 6 }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 9240c4c2c13..87d3aed774c 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -56,6 +56,7 @@ deployment: labels: {} topologySpreadConstraints: [] tolerations: [] + nodeSelector: {} config: envoyGateway: diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 9f2046a537f..04167b4eb9e 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -40,6 +40,7 @@ The Helm chart for Envoy Gateway | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | | deployment.pod.labels | object | `{}` | | +| deployment.pod.nodeSelector | object | `{}` | | | deployment.pod.tolerations | list | `[]` | | | deployment.pod.topologySpreadConstraints | list | `[]` | | | deployment.ports[0].name | string | `"grpc"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 9f2046a537f..04167b4eb9e 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
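Review bot: The added `nodeSelector` block renders its value with `{{ toYaml . | nindent 8 }}`, without the left whitespace trim that the neighbouring `affinity` and `topologySpreadConstraints` blocks use (`{{- toYaml . | nindent … }}`). Since `nindent` already begins with a newline, the untrimmed form emits an extra whitespace-only line under `nodeSelector:`; it should read `{{- toYaml . | nindent 8 }}`. The indentation of the surrounding template is not recoverable from the flattened hunk, so the `8` should be checked against the pod spec level.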
@@ -40,6 +40,7 @@ The Helm chart for Envoy Gateway | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | | deployment.pod.labels | object | `{}` | | +| deployment.pod.nodeSelector | object | `{}` | | | deployment.pod.tolerations | list | `[]` | | | deployment.pod.topologySpreadConstraints | list | `[]` | | | deployment.ports[0].name | string | `"grpc"` | | From fe070932a1db0fca8c1539620e0f8a9a1f7f6f17 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Aug 2024 13:13:00 -0700 Subject: [PATCH 089/523] build(deps): bump github.com/prometheus/client_golang from 1.20.0 to 1.20.2 (#4107) build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.0 to 1.20.2. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.0...v1.20.2) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 83c983f4a39..2007e84e9f9 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 - github.com/prometheus/client_golang v1.20.0 + github.com/prometheus/client_golang v1.20.2 github.com/prometheus/common v0.55.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 
diff --git a/go.sum b/go.sum index 804dfb6dd67..10520973685 100644 --- a/go.sum +++ b/go.sum @@ -973,8 +973,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.20.0 h1:jBzTZ7B099Rg24tny+qngoynol8LtVYlA2bqx3vEloI= -github.com/prometheus/client_golang v1.20.0/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= +github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 10441710540e14440002db47cde0863af9f986b9 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 29 Aug 2024 02:08:26 -0700 Subject: [PATCH 090/523] rename `failover` to `fallback` backend (#4121) `fallback` has been historically used for more to descibe a backend / server, which `failover` has been used to describe the operation of handling the case when the primary has failed 
Signed-off-by: Arko Dasgupta --- api/v1alpha1/backend_types.go | 6 ++-- api/v1alpha1/shared_types.go | 8 ++--- api/v1alpha1/zz_generated.deepcopy.go | 8 ++--- .../gateway.envoyproxy.io_backends.yaml | 6 ++-- ....envoyproxy.io_envoyextensionpolicies.yaml | 8 ++--- .../gateway.envoyproxy.io_envoyproxies.yaml | 32 +++++++++---------- ...ateway.envoyproxy.io_securitypolicies.yaml | 16 +++++----- internal/gatewayapi/ext_service.go | 4 +-- .../envoyproxy-priority-backend.in.yaml | 6 ++-- .../envoyproxy-priority-backend.out.yaml | 6 ++-- site/content/en/latest/api/extension_types.md | 2 +- site/content/zh/latest/api/extension_types.md | 2 +- 12 files changed, 52 insertions(+), 52 deletions(-) diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go index 6a039a5b470..a2022c2c5ef 100644 --- a/api/v1alpha1/backend_types.go +++ b/api/v1alpha1/backend_types.go @@ -124,15 +124,15 @@ type BackendSpec struct { // +optional AppProtocols []AppProtocolType `json:"appProtocols,omitempty"` - // Failover indicates whether the backend is designated as a failover. + // Fallback indicates whether the backend is designated as a fallback. // It is highly recommended to configure active or passive health checks to ensure that failover can be detected // when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - // The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + // The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when // the health of the active backends falls below 72%. // // +optional // +notImplementedHide - Failover *bool `json:"failover,omitempty"` + Fallback *bool `json:"fallback,omitempty"` } // BackendConditionType is a type of condition for a backend. This type should be diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index d1e6e01e2ea..a94ca2d53a6 100644 
--- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -473,15 +473,15 @@ type BackendRef struct { // BackendObjectReference references a Kubernetes object that represents the backend. // Only Service kind is supported for now. gwapiv1.BackendObjectReference `json:",inline"` - // Failover indicates whether the backend is designated as a failover. - // Multiple failover backends can be configured. + // Fallback indicates whether the backend is designated as a fallback. + // Multiple fallback backends can be configured. // It is highly recommended to configure active or passive health checks to ensure that failover can be detected // when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - // The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + // The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when // the health of the active backends falls below 72%. // // +optional - Failover *bool `json:"failover,omitempty"` + Fallback *bool `json:"fallback,omitempty"` } // BackendCluster contains all the configuration required for configuring access diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b58bc5a20ed..c0b8e8c657a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -374,8 +374,8 @@ func (in *BackendList) DeepCopyObject() runtime.Object { func (in *BackendRef) DeepCopyInto(out *BackendRef) { *out = *in in.BackendObjectReference.DeepCopyInto(&out.BackendObjectReference) - if in.Failover != nil { - in, out := &in.Failover, &out.Failover + if in.Fallback != nil { + in, out := &in.Fallback, &out.Fallback *out = new(bool) **out = **in } 
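Review bot: Changing the JSON tag on `BackendRef` from `failover` to `fallback` is a wire-format change, not only a Go rename. Manifests that still set `failover: true` will no longer populate this field, and the unknown key is likely to be either rejected or dropped, leaving that backend at the default primary priority. Unlike the same field in `BackendSpec` (backend_types.go), this one carries no `+notImplementedHide` marker, so the old name appears in the published CRD schema and API docs. If any release shipped the old name, I would record it in the field comment and the release notes, for example `// Note: this field was named "failover" before the rename; existing resources must be updated.` The struct continues outside the hunk.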
@@ -406,8 +406,8 @@ func (in *BackendSpec) DeepCopyInto(out *BackendSpec) { *out = make([]AppProtocolType, len(*in)) copy(*out, *in) } - if in.Failover != nil { - in, out := &in.Failover, &out.Failover + if in.Fallback != nil { + in, out := &in.Fallback, &out.Fallback *out = new(bool) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index d45b3076e51..be16ceff86f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -137,12 +137,12 @@ spec: x-kubernetes-validations: - message: fqdn addresses cannot be mixed with other address types rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn)) - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. + Fallback indicates whether the backend is designated as a fallback. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean type: object diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 1e095c05564..92a538cf440 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
@@ -136,13 +136,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 46fb3818e81..40590f37988 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -10357,13 +10357,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: @@ -11243,13 +11243,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: 
@@ -12207,13 +12207,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: @@ -13106,13 +13106,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 4256957a6c9..7631ed68fd0 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -331,13 +331,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: 
@@ -1128,13 +1128,13 @@ spec: description: BackendRef defines how an ObjectReference that is specific to BackendRef. properties: - failover: + fallback: description: |- - Failover indicates whether the backend is designated as a failover. - Multiple failover backends can be configured. + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. It is highly recommended to configure active or passive health checks to ensure that failover can be detected when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when the health of the active backends falls below 72%. type: boolean group: diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index 65cf4c2cce8..aa38008abfa 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -78,9 +78,9 @@ func (t *Translator) processExtServiceDestination( // TODO: support weighted non-xRoute backends ds.Weight = ptr.To(uint32(1)) - if backendRef.Failover != nil { + if backendRef.Fallback != nil { // set only the secondary priority, the backend defaults to a primary priority if unset. - if ptr.Deref(backendRef.Failover, false) { + if ptr.Deref(backendRef.Fallback, false) { ds.Priority = ptr.To(uint32(1)) } } diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml index f44174b6d62..64b0b7a3ae9 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml 
@@ -203,16 +203,16 @@ envoyExtensionPolicies: Port: 8000 - Name: grpc-backend-2 Port: 9000 - failover: true + fallback: true - Name: backend-ip Kind: Backend Group: gateway.envoyproxy.io - failover: true + fallback: true - Name: backend-ip-tls Namespace: envoy-gateway Kind: Backend Group: gateway.envoyproxy.io - failover: true + fallback: true backends: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 9933d77c563..33ee9240234 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -112,14 +112,14 @@ envoyExtensionPolicies: - name: grpc-backend namespace: envoy-gateway port: 8000 - - failover: true + - fallback: true name: grpc-backend-2 port: 9000 - - failover: true + - fallback: true group: gateway.envoyproxy.io kind: Backend name: backend-ip - - failover: true + - fallback: true group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 39a7e955c32..ae48e513e85 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -364,7 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `failover` | _boolean_ | false | Failover indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 39a7e955c32..ae48e513e85 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -364,7 +364,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | -| `failover` | _boolean_ | false | Failover indicates whether the backend is designated as a failover.
Multiple failover backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the failover backends will only start receiving traffic when
the health of the active backends falls below 72%. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec From 262e0466f14dace834f1b0d712c2492c27e9bb03 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Thu, 29 Aug 2024 15:46:59 +0300 Subject: [PATCH 091/523] fix: don't lose timeout settings that originate from the route when translating the backend traffic policy (#4095) * Don't lose timeout settings that originate from the route when translating the backend traffic policy Signed-off-by: Lior Okman * Improve the readability of the timeout processing code. Signed-off-by: Lior Okman * Removed some logically unreachable code. Signed-off-by: Lior Okman --------- Signed-off-by: Lior Okman --- internal/gatewayapi/backendtrafficpolicy.go | 17 +- internal/gatewayapi/clustersettings.go | 79 ++++---- internal/gatewayapi/route.go | 15 +- ...afficpolicy-with-httproute-timeout.in.yaml | 50 +++++ ...fficpolicy-with-httproute-timeout.out.yaml | 172 ++++++++++++++++++ ...backendtrafficpolicy-with-timeout.out.yaml | 1 + 6 files changed, 275 insertions(+), 59 deletions(-) create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 586d422a74f..3fbf5fb25f8 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -325,7 +325,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - if to, err = buildTimeout(policy.Spec.ClusterSettings, nil); err != nil { + if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { err = perr.WithMessage(err, "Timeout") errs = errors.Join(errs, err) } 
@@ -384,6 +384,11 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen continue } + // Some timeout setting originate from the route. + if localTo, err := buildClusterSettingsTimeout(policy.Spec.ClusterSettings, r.Traffic); err == nil { + to = localTo + } + r.Traffic = &ir.TrafficFeatures{ RateLimit: rl, LoadBalancer: lb, @@ -396,16 +401,12 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen BackendConnection: bc, HTTP2: h2, DNS: ds, + Timeout: to, } // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) - // Some timeout setting originate from the route. - if to, err = buildTimeout(policy.Spec.ClusterSettings, r); err == nil { - r.Traffic.Timeout = to - } - if policy.Spec.UseClientProtocol != nil { r.UseClientProtocol = policy.Spec.UseClientProtocol } @@ -460,7 +461,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back if policy.Spec.Retry != nil { rt = t.buildRetry(policy) } - if ct, err = buildTimeout(policy.Spec.ClusterSettings, nil); err != nil { + if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { err = perr.WithMessage(err, "Timeout") errs = errors.Join(errs, err) } @@ -556,7 +557,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) - if ct, err = buildTimeout(policy.Spec.ClusterSettings, r); err == nil { + if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, r.Traffic); err == nil { r.Traffic.Timeout = ct } diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index a0e8dcb32d6..4b295ea5bfa 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go 
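Review bot: In the `@@ -384` hunk the merged timeout is written back into the function-scoped `to` (`to = localTo`), so after the first route that variable no longer holds the policy-only value computed before the loop, and the inner `err` is dropped without comment. Because the error depends only on the policy, `to` is reassigned either on every iteration or on none, so nothing leaks between routes today. A loop-local would still make the per-route intent explicit and stop one route's `RequestTimeout` from ever reaching the next: `routeTo := to`, then `if merged, err := buildClusterSettingsTimeout(policy.Spec.ClusterSettings, r.Traffic); err == nil { routeTo = merged }`, and `Timeout: routeTo` in the struct literal. The loop and the function both start outside the hunk.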
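Review bot: In the gateway variant (`@@ -556`) the call to `buildClusterSettingsTimeout` still sits after `SetHTTPHostIfAbsent`, whereas the route variant in this commit was moved to run before `r.Traffic` is replaced. If `r.Traffic` is rebuilt earlier in this loop as well (that part is outside the hunk), `r.Traffic.Timeout` no longer carries the HTTPRoute's request timeout when it is passed in, and the merge has nothing to preserve. I would compute the merged value before the rebuild here too, and assign it to a loop-local rather than the shared `ct`.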
@@ -29,7 +29,7 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur } ret := &ir.TrafficFeatures{} - if timeout, err := buildTimeout(*policy, nil); err != nil { + if timeout, err := buildClusterSettingsTimeout(*policy, nil); err != nil { return nil, err } else { ret.Timeout = timeout @@ -81,26 +81,26 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur return ret, nil } -func buildTimeout(policy egv1a1.ClusterSettings, r *ir.HTTPRoute) (*ir.Timeout, error) { +func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, traffic *ir.TrafficFeatures) (*ir.Timeout, error) { if policy.Timeout == nil { + if traffic != nil { + // Don't lose any existing timeout definitions. + return mergeTimeoutSettings(nil, traffic.Timeout), nil + } return nil, nil } var ( - tto *ir.TCPTimeout - hto *ir.HTTPTimeout - terr bool errs error + to = &ir.Timeout{} + pto = policy.Timeout ) - pto := policy.Timeout - if pto.TCP != nil && pto.TCP.ConnectTimeout != nil { d, err := time.ParseDuration(string(*pto.TCP.ConnectTimeout)) if err != nil { - terr = true errs = errors.Join(errs, fmt.Errorf("invalid ConnectTimeout value %s", *pto.TCP.ConnectTimeout)) } else { - tto = &ir.TCPTimeout{ + to.TCP = &ir.TCPTimeout{ ConnectTimeout: ptr.To(metav1.Duration{Duration: d}), } } @@ -113,7 +113,6 @@ func buildTimeout(policy egv1a1.ClusterSettings, r *ir.HTTPRoute) (*ir.Timeout, if pto.HTTP.ConnectionIdleTimeout != nil { d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) if err != nil { - terr = true errs = errors.Join(errs, fmt.Errorf("invalid ConnectionIdleTimeout value %s", *pto.HTTP.ConnectionIdleTimeout)) } else { cit = ptr.To(metav1.Duration{Duration: d}) 
@@ -123,51 +122,51 @@ func buildTimeout(policy egv1a1.ClusterSettings, r *ir.HTTPRoute) (*ir.Timeout, if pto.HTTP.MaxConnectionDuration != nil { d, err := time.ParseDuration(string(*pto.HTTP.MaxConnectionDuration)) if err != nil { - terr = true errs = errors.Join(errs, fmt.Errorf("invalid MaxConnectionDuration value %s", *pto.HTTP.MaxConnectionDuration)) } else { mcd = ptr.To(metav1.Duration{Duration: d}) } } - hto = &ir.HTTPTimeout{ + to.HTTP = &ir.HTTPTimeout{ ConnectionIdleTimeout: cit, MaxConnectionDuration: mcd, } } // http request timeout is translated during the gateway-api route resource translation - // merge route timeout setting with backendtrafficpolicy timeout settings - if terr { - if r != nil && r.Traffic != nil && r.Traffic.Timeout != nil { - return r.Traffic.Timeout.DeepCopy(), errs - } - } else { - // http request timeout is translated during the gateway-api route resource translation - // merge route timeout setting with backendtrafficpolicy timeout settings - if r != nil && - r.Traffic != nil && - r.Traffic.Timeout != nil && - r.Traffic.Timeout.HTTP != nil && - r.Traffic.Timeout.HTTP.RequestTimeout != nil { - if hto == nil { - hto = &ir.HTTPTimeout{ - RequestTimeout: r.Traffic.Timeout.HTTP.RequestTimeout, - } - } else { - hto.RequestTimeout = r.Traffic.Timeout.HTTP.RequestTimeout - } - } + // merge route timeout setting with backendtrafficpolicy timeout settings. + // Merging is done after the clustersettings definitions are translated so that + // clustersettings will override previous settings. + if traffic != nil { + to = mergeTimeoutSettings(to, traffic.Timeout) + } + return to, errs +} - if hto != nil || tto != nil { - return &ir.Timeout{ - TCP: tto, - HTTP: hto, - }, nil +// merge secondary into main if both are not nil, otherwise return the +// one that is not nil. 
If both are nil, returns nil +func mergeTimeoutSettings(main, secondary *ir.Timeout) *ir.Timeout { + switch { + case main == nil && secondary == nil: + return nil + case main == nil: + return secondary.DeepCopy() + case secondary == nil: + return main + default: // Neither main nor secondary are nil here + if secondary.HTTP != nil { + setIfNil(&main.HTTP, &ir.HTTPTimeout{}) + setIfNil(&main.HTTP.RequestTimeout, secondary.HTTP.RequestTimeout) + setIfNil(&main.HTTP.ConnectionIdleTimeout, secondary.HTTP.ConnectionIdleTimeout) + setIfNil(&main.HTTP.MaxConnectionDuration, secondary.HTTP.MaxConnectionDuration) + } + if secondary.TCP != nil { + setIfNil(&main.TCP, &ir.TCPTimeout{}) + setIfNil(&main.TCP.ConnectTimeout, secondary.TCP.ConnectTimeout) } + return main } - - return nil, errs } func buildBackendConnection(policy egv1a1.ClusterSettings) (*ir.BackendConnection, error) { diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 9325621468e..0e567824745 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -254,16 +254,9 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe return routeRoutes, nil } -func processTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { +func processRouteTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if rule.Timeouts != nil { - var rto *ir.Timeout - - // Timeout is translated from multiple resources and may already be partially set - if irRoute.Traffic != nil && irRoute.Traffic.Timeout != nil { - rto = irRoute.Traffic.Timeout.DeepCopy() - } else { - rto = &ir.Timeout{} - } + rto := &ir.Timeout{} if rule.Timeouts.Request != nil { d, err := time.ParseDuration(string(*rule.Timeouts.Request)) 
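Review bot: `return to, errs` in `buildClusterSettingsTimeout` now hands back a non-nil `*ir.Timeout` together with a non-nil error. It also returns an empty `&ir.Timeout{}` when `policy.Timeout` is set but carries neither TCP nor HTTP values and `traffic` is nil, where the removed code returned nil. Callers that assign the result before checking the error (the `if to, err = …; err != nil` sites in backendtrafficpolicy.go) then hold a partially translated timeout; if that value is not meant to be used, `if errs != nil { return nil, errs }` ahead of the merge restores the usual contract. Separately, the default branch of `mergeTimeoutSettings` appears to store `secondary`'s pointers in `main` uncopied (via `setIfNil`, defined outside this diff) while the `main == nil` branch deep-copies; a doc comment starting `// mergeTimeoutSettings fills unset fields of main from secondary` should state that `main` is mutated and may alias `secondary`. `buildClusterSettingsTimeout` begins in an earlier hunk of this file.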
@@ -308,7 +301,7 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i irRoute := &ir.HTTPRoute{ Name: irRouteName(httpRoute, ruleIdx, -1), } - processTimeout(irRoute, rule) + processRouteTimeout(irRoute, rule) applyHTTPFiltersContextToIRRoute(httpFiltersContext, irRoute) ruleRoutes = append(ruleRoutes, irRoute) } @@ -368,7 +361,7 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i Name: irRouteName(httpRoute, ruleIdx, matchIdx), SessionPersistence: sessionPersistence, } - processTimeout(irRoute, rule) + processRouteTimeout(irRoute, rule) if match.Path != nil { switch PathMatchTypeDerefOr(match.Path.Type, gwapiv1.PathMatchPathPrefix) { diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml new file mode 100644 index 00000000000..e26f10c353f --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml @@ -0,0 +1,50 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 + timeouts: + request: 130s +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + useClientProtocol: true + 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml
new file mode 100644
index 00000000000..245739ca233
--- /dev/null
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml
@@ -0,0 +1,172 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-1 + namespace: default + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + useClientProtocol: true + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + timeouts: 
+ request: 130s + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + traffic: + timeout: + http: + requestTimeout: 2m10s + useClientProtocol: true diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml index 8852171648d..04843eba9aa 100644 
--- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml @@ -336,5 +336,6 @@ xdsIR: timeout: http: maxConnectionDuration: 22s + requestTimeout: 1s tcp: connectTimeout: 20s From 2314729b0e4b71154866f99c579203362bee32ca Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 30 Aug 2024 16:30:31 +0800 Subject: [PATCH 092/523] chore: use sets (#4123) * chore: use sets Signed-off-by: zirain * lint Signed-off-by: zirain --------- Signed-off-by: zirain --- internal/xds/translator/translator.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 9fa5e700986..67878736f26 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -24,6 +24,7 @@ import ( "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" + "k8s.io/apimachinery/pkg/util/sets" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" extensionTypes "github.com/envoyproxy/gateway/internal/extension/types" @@ -167,13 +168,13 @@ func (t *Translator) notifyExtensionServerAboutListeners( for _, l := range tCtx.XdsResources[resourcev3.ListenerType] { listener := l.(*listenerv3.Listener) policies := []*ir.UnstructuredRef{} - alreadyIncludedPolicies := map[utils.NamespacedNameWithGroupKind]bool{} + alreadyIncludedPolicies := sets.New[utils.NamespacedNameWithGroupKind]() for _, irListener := range findIRListenersByXDSListener(xdsIR, listener) { for _, pol := range irListener.GetExtensionRefs() { key := utils.GetNamespacedNameWithGroupKind(pol.Object) - if _, found := alreadyIncludedPolicies[key]; !found { + if !alreadyIncludedPolicies.Has(key) { policies = append(policies, pol) - alreadyIncludedPolicies[key] = true + alreadyIncludedPolicies.Insert(key) } } } 
From 2b8c739619ad2a9033345a3359a218c419f7da63 Mon Sep 17 00:00:00 2001 From: Matt Turner Date: Sat, 31 Aug 2024 12:14:54 +0100 Subject: [PATCH 093/523] docs: Clarification for type which calls itself "JSON" but actually cannot be. (#4117) Clarification for type which calls itself "JSON" but actually cannot be. Signed-off-by: Matt Turner --- api/v1alpha1/shared_types.go | 4 +++- site/content/en/latest/api/extension_types.md | 4 +++- site/content/zh/latest/api/extension_types.md | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index a94ca2d53a6..adfddff135a 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -456,7 +456,9 @@ const ( JSONMerge MergeType = "JSONMerge" ) -// KubernetesPatchSpec defines how to perform the patch operation +// KubernetesPatchSpec defines how to perform the patch operation. +// Note that `value` can be an in-line YAML document, as can be seen in e.g. (the example of patching the Envoy proxy Deployment)[https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy]. +// Note also that, currently, strings containing literal JSON are _rejected_. type KubernetesPatchSpec struct { // Type is the type of merge operation to perform // diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index ae48e513e85..1dca75a33db 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
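Review bot: The link in the new `KubernetesPatchSpec` comment is written as `(text)[url]`, which is reversed Markdown and will not render as a link in the API reference generated from this comment. The same text is carried into both `extension_types.md` files changed by this commit. Write it as `[the example of patching the Envoy proxy Deployment](https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy)` in `shared_types.go` and regenerate the docs.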
@@ -2265,7 +2265,9 @@ _Appears in:_ -KubernetesPatchSpec defines how to perform the patch operation +KubernetesPatchSpec defines how to perform the patch operation. +Note that `value` can be an in-line YAML document, as can be seen in e.g. (the example of patching the Envoy proxy Deployment)[https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy]. +Note also that, currently, strings containing literal JSON are _rejected_. _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index ae48e513e85..1dca75a33db 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2265,7 +2265,9 @@ _Appears in:_ -KubernetesPatchSpec defines how to perform the patch operation +KubernetesPatchSpec defines how to perform the patch operation. +Note that `value` can be an in-line YAML document, as can be seen in e.g. (the example of patching the Envoy proxy Deployment)[https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy]. +Note also that, currently, strings containing literal JSON are _rejected_. _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) From c20315f554e9522b9f98f337dcb5747b1e8f3495 Mon Sep 17 00:00:00 2001 From: Tasdidur Rahman <52253951+TasdidurRahman@users.noreply.github.com> Date: Sun, 1 Sep 2024 06:47:41 +0600 Subject: [PATCH 094/523] Fix IsNotFound check for secret and configmap (#4126) fix IsNotFound check for secret and configmap Signed-off-by: TasdidurRahman --- internal/provider/kubernetes/controller.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index eafe29b4497..05cb0fa5528 100644 --- a/internal/provider/kubernetes/controller.go 
+++ b/internal/provider/kubernetes/controller.go @@ -600,7 +600,7 @@ func (r *gatewayAPIReconciler) processSecretRef( types.NamespacedName{Namespace: secretNS, Name: string(secretRef.Name)}, secret, ) - if err != nil && !kerrors.IsNotFound(err) { + if err != nil && kerrors.IsNotFound(err) { return fmt.Errorf("unable to find the Secret: %s/%s", secretNS, string(secretRef.Name)) } @@ -702,7 +702,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( types.NamespacedName{Namespace: configMapNS, Name: string(configMapRef.Name)}, configMap, ) - if err != nil && !kerrors.IsNotFound(err) { + if err != nil && kerrors.IsNotFound(err) { return fmt.Errorf("unable to find the ConfigMap: %s/%s", configMapNS, string(configMapRef.Name)) } From 71519afe106178f97066e777fcbfc6879edbf439 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 2 Sep 2024 11:15:19 +0800 Subject: [PATCH 095/523] chore: bump deps (#4122) * build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.60.1 to 1.60.3. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.60.1...v1.60.3) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... 
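Review bot: With the condition now `err != nil && kerrors.IsNotFound(err)`, any other lookup failure in `processSecretRef` (for example a forbidden or timed-out API call) is no longer returned, and execution continues with an unpopulated `secret`. The second hunk does the same in `processConfigMapRef`. For references that carry TLS or credential material, this can hide an RBAC or connectivity problem behind a later, unrelated-looking error. Keep the not-found message and add a general check after it, `if err != nil { return fmt.Errorf("unable to get the Secret %s/%s: %w", secretNS, string(secretRef.Name), err) }`, and likewise for the ConfigMap. Both functions continue outside the hunks, so what is done with the empty object afterwards is not visible here.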
Signed-off-by: dependabot[bot] * build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates Bumps the go-opentelemetry-io group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.28.0` | `1.29.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.28.0` | `1.29.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.28.0` | `1.29.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.50.0` | `0.51.0` | | [go.opentelemetry.io/otel/exporters/stdout/stdoutmetric](https://github.com/open-telemetry/opentelemetry-go) | `1.28.0` | `1.29.0` | Updates `go.opentelemetry.io/otel` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.50.0 to 0.51.0 - 
[Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.50.0...example/prometheus/v0.51.0) Updates `go.opentelemetry.io/otel/exporters/stdout/stdoutmetric` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/metric` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/sdk` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - 
dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdoutmetric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] * fix gosum Signed-off-by: zirain * bump go 1.23 Signed-off-by: zirain * fix lint Signed-off-by: zirain * revert go 1.23 Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] 
Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 4 +- examples/extension-server/go.sum | 8 +-- go.mod | 24 ++++----- go.sum | 48 ++++++++--------- internal/gatewayapi/backendtrafficpolicy.go | 2 +- internal/gatewayapi/clienttrafficpolicy.go | 6 +-- internal/gatewayapi/clustersettings.go | 4 +- internal/gatewayapi/filters.go | 2 +- internal/gatewayapi/helpers.go | 2 +- internal/gatewayapi/http.go | 4 +- internal/xds/translator/local_ratelimit.go | 8 +-- internal/xds/translator/ratelimit.go | 8 +-- internal/xds/translator/route.go | 2 +- internal/xds/translator/utils.go | 4 +- test/e2e/tests/backend_tls_settings.go | 2 +- test/e2e/tests/envoy_shutdown.go | 2 +- tools/linter/golangci-lint/.golangci.yml | 2 +- tools/src/golangci-lint/go.mod | 18 +++---- tools/src/golangci-lint/go.sum | 58 +++++++++++---------- 19 files changed, 105 insertions(+), 103 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 23a9d134572..9f6ebfa9296 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.28.0 // indirect golang.org/x/sys v0.24.0 // indirect golang.org/x/text v0.17.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 4ee04f537f8..aea9da5b41f 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -104,10 +104,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 h1:OsSGQeIIsyOEOimVxLEIL4rwGcnrjOydQaiA2bOnZUM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/go.mod b/go.mod index 2007e84e9f9..996abeafd75 100644 --- a/go.mod +++ b/go.mod 
@@ -35,13 +35,13 @@ require ( github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.9.3 - go.opentelemetry.io/otel v1.28.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0 - go.opentelemetry.io/otel/exporters/prometheus v0.50.0 - go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.28.0 - go.opentelemetry.io/otel/metric v1.28.0 - go.opentelemetry.io/otel/sdk/metric v1.28.0 + go.opentelemetry.io/otel v1.29.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 + go.opentelemetry.io/otel/exporters/prometheus v0.51.0 + go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 + go.opentelemetry.io/otel/metric v1.29.0 + go.opentelemetry.io/otel/sdk/metric v1.29.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 @@ -249,7 +249,7 @@ require ( github.com/google/uuid v1.6.0 // indirect github.com/gorilla/websocket v1.5.1 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect github.com/imdario/mergo v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -275,8 +275,8 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.29.0 + go.opentelemetry.io/otel/trace v1.29.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.20.0 // indirect @@ -288,8 +288,8 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.23.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.0 // indirect diff --git a/go.sum b/go.sum index 10520973685..b8b6ffb0fcb 100644 --- a/go.sum +++ b/go.sum 
@@ -708,8 +708,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -1167,32 +1167,32 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0 h1:U2guen0GhqH8o/G2un8f/aG/y++OuW6MyCo6hT9prXk= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0/go.mod h1:yeGZANgEcpdx/WK0IvvRFC+2oLiMS2u4L/0Rj2M2Qr0= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0 h1:aLmmtjRke7LPDQ3lvpFz+kNEH43faFhzW7v8BFIEydg= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0/go.mod h1:TC1pyCt6G9Sjb4bQpShH+P5R53pO6ZuGnHuuln9xMeE= +go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= +go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 h1:k6fQVDQexDE+3jG2SfCQjnHS7OamcP73YMoxEVq5B6k= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0/go.mod h1:t4BrYLHU450Zo9fnydWlIuswB1bm7rM8havDpWOJeDo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 h1:xvhQxJ/C9+RTnAj5DpTg7LSM1vbbMTiXt7e9hsfqHNw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0/go.mod h1:Fcvs2Bz1jkDM+Wf5/ozBGmi3tQ/c9zPKLnsipnfhGAo= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace 
v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/exporters/prometheus v0.50.0 h1:2Ewsda6hejmbhGFyUvWZjUThC98Cf8Zy6g0zkIimOng= -go.opentelemetry.io/otel/exporters/prometheus v0.50.0/go.mod h1:pMm5PkUo5YwbLiuEf7t2xg4wbP0/eSJrMxIMxKosynY= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.28.0 h1:BJee2iLkfRfl9lc7aFmBwkWxY/RI1RDdXepSF6y8TPE= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.28.0/go.mod h1:DIzlHs3DRscCIBU3Y9YSzPfScwnYnzfnCd4g8zA7bZc= +go.opentelemetry.io/otel/exporters/prometheus v0.51.0 h1:G7uexXb/K3T+T9fNLCCKncweEtNEBMTO+46hKX5EdKw= +go.opentelemetry.io/otel/exporters/prometheus v0.51.0/go.mod h1:v0mFe5Kk7woIh938mrZBJBmENYquyA0IICrlYm4Y0t4= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0 h1:VhlEQAPp9R1ktYfrPk5SOryw1e9LDDTZCbIPFrho0ec= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0/go.mod h1:kB3ufRbfU+CQ4MlUcqtW8Z7YEOBeK2DJ6CmR5rYYF3E= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod 
h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= -go.opentelemetry.io/otel/sdk/metric v1.28.0 h1:OkuaKgKrgAbYrrY0t92c+cC+2F6hsFNnCQArXCKlg08= -go.opentelemetry.io/otel/sdk/metric v1.28.0/go.mod h1:cWPjykihLAPvXKi4iZc1dpER3Jdq2Z0YLse3moQUCpg= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= +go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= +go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= +go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY= +go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= +go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= +go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= 
@@ -1728,10 +1728,10 @@ google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4 h1:OsSGQeIIsyOEOimVxLEIL4rwGcnrjOydQaiA2bOnZUM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240805194559-2c9e96a0b5d4/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 3fbf5fb25f8..b9ac448e708 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go 
@@ -773,7 +773,7 @@ func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 { func int64ToUint32(in int64) (uint32, bool) { if in >= 0 && in <= math.MaxUint32 { - return uint32(in), true + return uint32(in), true // nolint: gosec } return 0, false } diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 44d813c255c..b0294a14351 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -703,7 +703,7 @@ func translateHTTP2Settings(http2Settings *egv1a1.HTTP2Settings, httpIR *ir.HTTP MinHTTP2InitialStreamWindowSize, MaxHTTP2InitialStreamWindowSize)) default: - http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) + http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) // nolint: gosec } } @@ -718,7 +718,7 @@ func translateHTTP2Settings(http2Settings *egv1a1.HTTP2Settings, httpIR *ir.HTTP MinHTTP2InitialConnectionWindowSize, MaxHTTP2InitialConnectionWindowSize)) default: - http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) + http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) // nolint: gosec } } @@ -878,7 +878,7 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection, return nil, fmt.Errorf("BufferLimit value %s is out of range, must be between 0 and %d", connection.BufferLimit.String(), math.MaxUint32) } - irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit)) + irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit)) // nolint: gosec } return irConnection, nil diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 4b295ea5bfa..a05ad60ff26 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go 
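Review bot: The `// nolint: gosec` added to `return uint32(in), true` in int64ToUint32 silences every gosec rule on that line and records no reason, although the `in >= 0 && in <= math.MaxUint32` guard directly above is what makes the conversion safe. I would write it as `return uint32(in), true //nolint:gosec // range-checked by the guard above`, so a reader can tell a proven-safe cast from an unreviewed one. The same bare directive is added at every other conversion in this commit (clienttrafficpolicy.go, clustersettings.go, filters.go, helpers.go, http.go, local_ratelimit.go, ratelimit.go, route.go, utils.go and the two e2e tests). Several of those have no bounds check visible in their hunks, so each one deserves its own stated justification.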
@@ -190,7 +190,7 @@ func buildBackendConnection(policy egv1a1.ClusterSettings) (*ir.BackendConnectio return nil, fmt.Errorf("BufferLimit value %s is out of range", bc.BufferLimit.String()) } - bcIR.BufferLimitBytes = ptr.To(uint32(bf)) + bcIR.BufferLimitBytes = ptr.To(uint32(bf)) // nolint: gosec } } @@ -339,7 +339,7 @@ func buildConsistentHashLoadBalancer(policy egv1a1.LoadBalancer) (*ir.Consistent if policy.ConsistentHash.TableSize != nil { tableSize := policy.ConsistentHash.TableSize - if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) { + if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) { // nolint: gosec return nil, fmt.Errorf("invalid TableSize value %d", *tableSize) } diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index aecc2e81131..f3484c6d9b6 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -358,7 +358,7 @@ func (t *Translator) processRedirectFilter( } if redirect.StatusCode != nil { - redirectCode := int32(*redirect.StatusCode) + redirectCode := int32(*redirect.StatusCode) // nolint: gosec // Envoy supports 302, 303, 307, and 308, but gateway API only includes 301 and 302 if redirectCode == 301 || redirectCode == 302 { redir.StatusCode = &redirectCode diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 52df40f4736..7e0cf05de26 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -513,7 +513,7 @@ func parseCIDR(cidr string) (*ir.CIDRMatch, error) { return &ir.CIDRMatch{ CIDR: ipn.String(), IP: ip.String(), - MaskLen: uint32(mask), + MaskLen: uint32(mask), // nolint: gosec IsIPv6: ip.To4() == nil, }, nil } diff --git a/internal/gatewayapi/http.go b/internal/gatewayapi/http.go index e54b3f761d7..eed3145eb81 100644 --- a/internal/gatewayapi/http.go +++ b/internal/gatewayapi/http.go 
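Review bot: In the filters.go hunk, `redirectCode := int32(*redirect.StatusCode)` narrows the value before the `redirectCode == 301 || redirectCode == 302` test, so the allow-list check runs on the already truncated number. If `StatusCode` is a wider integer type (its declaration is not in the hunk), a value that wraps to 301 or 302 would be accepted. Comparing first removes the need for the suppression: `if sc := *redirect.StatusCode; sc == 301 || sc == 302 {` followed by `redirectCode := int32(sc)`. API-level validation may already restrict the field, but the translator should not depend on it. processRedirectFilter starts and ends outside the hunk.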
@@ -42,7 +42,7 @@ func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Setting MinHTTP2InitialStreamWindowSize, MaxHTTP2InitialStreamWindowSize)) default: - http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) + http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) // nolint: gosec } } @@ -57,7 +57,7 @@ func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Setting MinHTTP2InitialConnectionWindowSize, MaxHTTP2InitialConnectionWindowSize)) default: - http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) + http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) // nolint: gosec } } diff --git a/internal/xds/translator/local_ratelimit.go b/internal/xds/translator/local_ratelimit.go index 1503758dfb4..2aad87852a2 100644 --- a/internal/xds/translator/local_ratelimit.go +++ b/internal/xds/translator/local_ratelimit.go @@ -147,9 +147,9 @@ func (*localRateLimit) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) e localRl := &localrlv3.LocalRateLimit{ StatPrefix: localRateLimitFilterStatPrefix, TokenBucket: &typev3.TokenBucket{ - MaxTokens: uint32(local.Default.Requests), + MaxTokens: uint32(local.Default.Requests), // nolint: gosec TokensPerFill: &wrapperspb.UInt32Value{ - Value: uint32(local.Default.Requests), + Value: uint32(local.Default.Requests), // nolint: gosec }, FillInterval: ratelimitUnitToDuration(local.Default.Unit), }, @@ -273,9 +273,9 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) ( descriptor := &rlv3.LocalRateLimitDescriptor{ Entries: descriptorEntries, TokenBucket: &typev3.TokenBucket{ - MaxTokens: uint32(rule.Limit.Requests), + MaxTokens: uint32(rule.Limit.Requests), // nolint: gosec TokensPerFill: &wrapperspb.UInt32Value{ - Value: uint32(rule.Limit.Requests), + Value: uint32(rule.Limit.Requests), // nolint: gosec }, FillInterval: ratelimitUnitToDuration(rule.Limit.Unit), }, 
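Review bot: In patchRoute, `uint32(local.Default.Requests)` feeds both `MaxTokens` and `TokensPerFill` with no range check in the hunk, and the new `// nolint: gosec` hides the warning instead of establishing the bound. If `Requests` is wider than 32 bits (its type is not visible here), a configured limit above `math.MaxUint32` would be truncated, and the enforced rate limit would be lower than the one the policy states. The same pattern is in buildRouteLocalRateLimits in this file and in the three `RequestsPerUnit: uint32(rule.Limit.Requests)` assignments in ratelimit.go. I would reject out-of-range values once where the limit is translated into the IR and add a comment at each cast pointing to that check. Both functions extend beyond their hunks.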
diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 8e3e661f9d7..1641ee0f1dd 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -337,7 +337,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc.Key = getRouteRuleDescriptor(rIdx, -1) pbDesc.Value = getRouteRuleDescriptor(rIdx, -1) rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), + RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } pbDesc.RateLimit = &rateLimit @@ -360,7 +360,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R // Add the ratelimit values to the last descriptor if mIdx == len(rule.HeaderMatches)-1 { rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), + RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } pbDesc.RateLimit = &rateLimit @@ -402,7 +402,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc.Key = "masked_remote_address" pbDesc.Value = rule.CIDRMatch.CIDR rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), + RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } @@ -522,5 +522,5 @@ func (t *Translator) getRateLimitServiceGrpcHostPort() (string, uint32) { if err != nil { panic(err) } - return u.Hostname(), uint32(p) + return u.Hostname(), uint32(p) // nolint: gosec } diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 42f17ff94f1..a23657a8349 100644 --- a/internal/xds/translator/route.go 
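Review bot: In getRateLimitServiceGrpcHostPort, `uint32(p)` is returned as a port with no range check visible, and the suppression comment does not say why the value is known to fit. The parsing of `p` is above the hunk; if it yields a signed int, a negative or oversized number in the URL would pass through as a wrapped or invalid port. Parsing with `strconv.ParseUint(u.Port(), 10, 16)` would bound the value at the source and make the directive unnecessary. url2Cluster in utils.go converts `port` the same way in two places.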
+++ b/internal/xds/translator/route.go @@ -598,7 +598,7 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) { func buildRetryStatusCodes(codes []ir.HTTPStatus) []uint32 { ret := make([]uint32, len(codes)) for i, c := range codes { - ret[i] = uint32(c) + ret[i] = uint32(c) // nolint: gosec } return ret } diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go index 23d455edd9c..a31a4a160f6 100644 --- a/internal/xds/translator/utils.go +++ b/internal/xds/translator/utils.go @@ -63,7 +63,7 @@ func url2Cluster(strURL string) (*urlCluster, error) { } } - name := clusterName(u.Hostname(), uint32(port)) + name := clusterName(u.Hostname(), uint32(port)) // nolint: gosec if ip, err := netip.ParseAddr(u.Hostname()); err == nil { if ip.Unmap().Is4() { @@ -74,7 +74,7 @@ func url2Cluster(strURL string) (*urlCluster, error) { return &urlCluster{ name: name, hostname: u.Hostname(), - port: uint32(port), + port: uint32(port), // nolint: gosec endpointType: epType, tls: u.Scheme == "https", }, nil diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index 0fdbdf10d62..404b50e6d5c 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go @@ -301,7 +301,7 @@ func restartDeploymentAndWaitForRollout(t *testing.T, timeoutConfig config.Timeo } // all pods are rolled - if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { + if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { // nolint: gosec return true, nil } diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go index 6b5a35f490a..58b3cdae413 100644 --- a/test/e2e/tests/envoy_shutdown.go +++ b/test/e2e/tests/envoy_shutdown.go 
@@ -163,7 +163,7 @@ func restartProxyAndWaitForRollout(t *testing.T, timeoutConfig config.TimeoutCon } // all pods are rolled - if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { + if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { // nolint: gosec return true, nil } diff --git a/tools/linter/golangci-lint/.golangci.yml b/tools/linter/golangci-lint/.golangci.yml index c0155b32447..962075c1c1e 100644 --- a/tools/linter/golangci-lint/.golangci.yml +++ b/tools/linter/golangci-lint/.golangci.yml @@ -7,7 +7,7 @@ linters: - copyloopvar - depguard - errorlint - - exportloopref + - copyloopvar - importas - gci - gofmt diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index ce5cce24914..02da603587c 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod @@ -2,7 +2,7 @@ module local go 1.22.5 -require github.com/golangci/golangci-lint v1.60.1 +require github.com/golangci/golangci-lint v1.60.3 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect @@ -63,7 +63,7 @@ require ( github.com/gofrs/flock v0.12.1 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect - github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e // indirect + github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 // indirect github.com/golangci/misspell v0.6.0 // indirect github.com/golangci/modinfo v0.3.4 // indirect github.com/golangci/plugin-module-register v0.1.1 // indirect 
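Review bot: The .golangci.yml hunk replaces `- exportloopref` with `- copyloopvar`, but `- copyloopvar` is already the first context line of the same hunk, so the linter is now listed twice. Deleting the `- exportloopref` line without adding a replacement gives the intended result and keeps the list free of duplicates.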
@@ -132,7 +132,7 @@ require ( github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect github.com/sashamelentyev/interfacebloat v1.1.0 // indirect github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect - github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect + github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0 // indirect github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sivchari/containedctx v1.0.3 // indirect @@ -154,7 +154,7 @@ require ( github.com/tetafro/godot v1.4.16 // indirect github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect github.com/timonwong/loggercheck v0.9.4 // indirect - github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect + github.com/tomarrell/wrapcheck/v2 v2.9.0 // indirect github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect github.com/ultraware/funlen v0.1.0 // indirect github.com/ultraware/whitespace v0.1.1 // indirect 
@@ -170,18 +170,18 @@ require ( go.uber.org/automaxprocs v1.5.3 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc // indirect + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect golang.org/x/mod v0.20.0 // indirect golang.org/x/sync v0.8.0 // indirect golang.org/x/sys v0.23.0 // indirect - golang.org/x/text v0.15.0 // indirect + golang.org/x/text v0.17.0 // indirect golang.org/x/tools v0.24.0 // indirect - google.golang.org/protobuf v1.33.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - honnef.co/go/tools v0.5.0 // indirect - mvdan.cc/gofumpt v0.6.0 // indirect + honnef.co/go/tools v0.5.1 // indirect + mvdan.cc/gofumpt v0.7.0 // indirect mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect ) diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index 81ac837888f..750b93716f9 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -141,8 +141,8 @@ github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA= github.com/firefart/nonamedreturns v1.0.5/go.mod h1:gHJjDqhGM4WyPt639SOZs+G89Ko7QKH5R5BhnO6xJhw= -github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= -github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE= +github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo= 
@@ -160,8 +160,10 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= +github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= 
@@ -224,10 +226,10 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM= github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= -github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g= -github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM= -github.com/golangci/golangci-lint v1.60.1 h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE= -github.com/golangci/golangci-lint v1.60.1/go.mod h1:jDIPN1rYaIA+ijp9OZcUmUCoQOtZ76pOlFbi15FlLJY= +github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME= +github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE= +github.com/golangci/golangci-lint v1.60.3 h1:l38A5de24ZeDlcFF+EB7m3W5joPD99/hS5SIHJPyZa0= +github.com/golangci/golangci-lint v1.60.3/go.mod h1:J4vOpcjzRI+lDL2DKNGBZVB3EQSBfCBCMpaydWLtJNo= github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs= github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -264,8 +266,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 
@@ -393,10 +395,10 @@ github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbn github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= -github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.20.0 h1:PE84V2mHqoT1sglvHc8ZdQtPcwmvvt29WLEEO3xmdZw= +github.com/onsi/ginkgo/v2 v2.20.0/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU= github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w= 
@@ -466,8 +468,8 @@ github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tM github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ= github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI= github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= -github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 h1:rnO6Zp1YMQwv8AyxzuwsVohljJgp4L0ZqiCgtACsPsc= -github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9/go.mod h1:dg7lPlu/xK/Ut9SedURCoZbVCR4yC7fM65DtH9/CDHs= +github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0 h1:VqD4JMoqwuuCz8GZlBDsIDyE6K4YUsWJpbNtuOWHoFk= +github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0/go.mod h1:iyeMMRw8QEmueUSZ2VqmkQMiDyDcobfPnG00CV/NWdE= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= 
@@ -531,8 +533,8 @@ github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+n github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ= github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4= github.com/timonwong/loggercheck v0.9.4/go.mod h1:caz4zlPcgvpEkXgVnAJGowHAMW2NwHaNlpS8xDbVhTg= -github.com/tomarrell/wrapcheck/v2 v2.8.3 h1:5ov+Cbhlgi7s/a42BprYoxsr73CbdMUTzE3bRDFASUs= -github.com/tomarrell/wrapcheck/v2 v2.8.3/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo= +github.com/tomarrell/wrapcheck/v2 v2.9.0 h1:801U2YCAjLhdN8zhZ/7tdjB3EnAoRlJHt/s+9hijLQ4= +github.com/tomarrell/wrapcheck/v2 v2.9.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo= github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw= github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI= 
@@ -597,8 +599,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc h1:ao2WRsKSzW6KuUY9IWPwWahcHCgR0s52IfwutMfEbdM= -golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8= 
@@ -765,8 +767,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -911,8 +913,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -939,10 +941,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.5.0 h1:29uoiIormS3Z6R+t56STz/oI4v+mB51TSmEOdJPgRnE= -honnef.co/go/tools v0.5.0/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs= -mvdan.cc/gofumpt v0.6.0 h1:G3QvahNDmpD+Aek/bNOLrFR2XC6ZAdo62dZu65gmwGo= -mvdan.cc/gofumpt v0.6.0/go.mod h1:4L0wf+kgIPZtcCWXynNS2e6bhmj73umwnuXSZarixzA= +honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I= +honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs= +mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU= +mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f/go.mod h1:RSLa7mKKCNeTTMHBw5Hsy2rfJmd6O2ivt9Dw9ZqCQpQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= From 88e60644bb3ff70b7fda735d3cf3f333a534a6b8 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Sep 2024 04:20:03 +0800 Subject: [PATCH 096/523] chore: remove test package (#4148) Signed-off-by: zirain --- internal/globalratelimit/runner/runner.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go index 0a2d987c182..ffccb1ab3a3 100644 --- a/internal/globalratelimit/runner/runner.go +++ b/internal/globalratelimit/runner/runner.go 
@@ -21,7 +21,6 @@ import ( cachev3 "github.com/envoyproxy/go-control-plane/pkg/cache/v3" resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3" serverv3 "github.com/envoyproxy/go-control-plane/pkg/server/v3" - testv3 "github.com/envoyproxy/go-control-plane/pkg/test/v3" "google.golang.org/grpc" "google.golang.org/grpc/credentials" @@ -78,8 +77,7 @@ func (r *Runner) Start(ctx context.Context) (err error) { r.cache = cachev3.NewSnapshotCache(false, cachev3.IDHash{}, r.Logger.Sugar()) // Register xDS Config server. - cb := &testv3.Callbacks{} - discoveryv3.RegisterAggregatedDiscoveryServiceServer(r.grpc, serverv3.NewServer(ctx, r.cache, cb)) + discoveryv3.RegisterAggregatedDiscoveryServiceServer(r.grpc, serverv3.NewServer(ctx, r.cache, serverv3.CallbackFuncs{})) // Start and listen xDS gRPC config Server. go r.serveXdsConfigServer(ctx) From bf398aadd27e703f73c30dc45343a92cfa08433d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 13:51:10 -0700 Subject: [PATCH 097/523] build(deps): bump actions/upload-artifact from 4.3.4 to 4.4.0 (#4131) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.4 to 4.4.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4.3.4...50769540e7f4bd5e21e526ee35c689e35e0d6874) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 2 +- .github/workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/scorecard.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
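Review bot: In Start, the inline `serverv3.CallbackFuncs{}` does not tell the reader that the xDS server now runs with no stream or request callbacks at all. A comment above the registration would make that intent explicit, for example `// CallbackFuncs{} leaves every callback unset; add hooks here if xDS streams need logging or request checks.` Start continues outside the hunk.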
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index a8dd94a8a37..430ab107eda 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -74,7 +74,7 @@ jobs: run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64" - name: Upload EG Binaries - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: envoy-gateway path: bin/ diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index a3e2fd894d3..7a3c98c1573 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -33,7 +33,7 @@ jobs: run: make experimental-conformance - name: Upload Conformance Report - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: conformance-report-k8s-${{ matrix.version }} path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 94dbd6cea92..aba1486f4ba 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -46,7 +46,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: benchmark_report path: test/benchmark/benchmark_report.zip diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bc4bb1b15ee..864e27e2edf 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -39,7 +39,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: benchmark_report path: test/benchmark/benchmark_report.zip diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a0c332c8d22..54e166b346b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -33,7 +33,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: SARIF file path: results.sarif From b290665df697f5b5147ec0b57bc75a699086a591 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:06:03 -0700 Subject: [PATCH 098/523] build(deps): bump github/codeql-action from 3.26.5 to 3.26.6 (#4130) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.5 to 3.26.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...4dd16135b69a43b6c8efb853346f8437d92d3c93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3ebfface8b6..7bc5b35a3b7 100644 
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 54e166b346b..4d327f0cfb6 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: results.sarif From 04026bdf4366f4e67ef8af3f72ca3cce0b164b22 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:08:04 -0700 Subject: [PATCH 099/523] build(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.0 in /examples/extension-server (#4139) build(deps): bump google.golang.org/grpc in /examples/extension-server Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.65.0 to 1.66.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.65.0...v1.66.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 9f6ebfa9296..6a9f7f98d55 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,7 +6,7 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.0 github.com/urfave/cli/v2 v2.27.2 - google.golang.org/grpc v1.65.0 + google.golang.org/grpc v1.66.0 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.0 sigs.k8s.io/controller-runtime v0.19.0 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index aea9da5b41f..425c27ef608 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -108,8 +108,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1: google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= +google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From c155d674d0e6510ed3c5a173bcfa75b9f603b706 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:09:08 -0700 Subject: [PATCH 100/523] build(deps): bump github.com/docker/docker from 27.1.2+incompatible to 27.2.0+incompatible (#4137) build(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.1.2+incompatible to 27.2.0+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v27.1.2...v27.2.0) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 996abeafd75..c90814dafaf 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( ) require ( - github.com/docker/docker v27.1.2+incompatible + github.com/docker/docker v27.2.0+incompatible github.com/replicatedhq/troubleshoot v0.99.0 google.golang.org/grpc v1.65.0 ) diff --git a/go.sum b/go.sum index b8b6ffb0fcb..125c82a06de 100644 --- a/go.sum +++ b/go.sum @@ -387,8 +387,8 @@ github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= -github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4= +github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= From 9e56d6abc9b4580e771f9676fb171275e24cf7d7 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 14:35:20 -0700 Subject: [PATCH 101/523] build(deps): bump github.com/bufbuild/buf from 1.38.0 to 1.39.0 in /tools/src/buf (#4133) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.38.0 to 1.39.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.38.0...v1.39.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 30 +++++++++---------- tools/src/buf/go.sum | 69 ++++++++++++++++++++++---------------------- 2 files changed, 49 insertions(+), 50 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index f85dafa2238..1e68fe4dc13 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,17 +2,17 @@ module local go 1.22.5 -require github.com/bufbuild/buf v1.38.0 +require github.com/bufbuild/buf v1.39.0 require ( buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect connectrpc.com/connect v1.16.2 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/Microsoft/hcsshim v0.12.5 // indirect + github.com/Microsoft/hcsshim v0.12.6 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/bufbuild/protocompile v0.14.0 // indirect github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee // indirect @@ -40,7 +40,7 @@ require ( github.com/go-chi/chi/v5 v5.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gofrs/flock v0.12.1 // indirect github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -65,7 +65,7 @@ require ( github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect - github.com/onsi/ginkgo/v2 v2.9.5 // indirect + github.com/onsi/ginkgo/v2 v2.20.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect 
@@ -73,7 +73,7 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.4.0 // indirect - github.com/quic-go/quic-go v0.45.1 // indirect + github.com/quic-go/quic-go v0.46.0 // indirect github.com/rs/cors v1.11.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect @@ -82,18 +82,18 @@ require ( github.com/stoewer/go-strcase v1.3.0 // indirect github.com/vbatts/tar-split v0.11.5 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect + go.opentelemetry.io/otel v1.29.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.29.0 // indirect + go.opentelemetry.io/otel/sdk v1.29.0 // indirect + go.opentelemetry.io/otel/trace v1.29.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/mock v0.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.26.0 // indirect - golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect + golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect golang.org/x/mod v0.20.0 // indirect golang.org/x/net v0.28.0 // indirect golang.org/x/sync v0.8.0 // indirect 
@@ -101,8 +101,8 @@ require ( golang.org/x/term v0.23.0 // indirect golang.org/x/text v0.17.0 // indirect golang.org/x/tools v0.24.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index e22f175caaf..444adc35957 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,9 +1,9 @@ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 h1:SZRVx928rbYZ6hEKUIN+vtGDkl7uotABRWGY4OAg5gM= buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1 h1:IV4si5SvDJSGQ/kpcnmOFKDKh8erG6zPy+NhmxlYdxM= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240801134127-09fbc17f7c9e.1/go.mod h1:4isTSbIhQ6wERY99Kvds0UuOcFMUoPDBPZfaAKrUnSE= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2 h1:7fUEOBrfNd50BMAls2tLn9RhttbDIfxRXML99YaLqKY= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240801134127-09fbc17f7c9e.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 h1:QaJ6UkpvlGo4dBXR41vLRfPiKungbg7brjmbBC/k6Ig= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1/go.mod h1:oQsMFNU3YzxxjRS6O68UkcF/A+pXdXqQNcUfQEBTWcw= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 h1:C3CTZTucEUm7i0O2tAM8GSlg23GnQYcljX1b1Jcpsro= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= 
@@ -16,12 +16,12 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= -github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= +github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU= +github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.38.0 h1:k9zDnhemPC4E0h4BRshCL6mmQji6qzSHOJTG0iGW11o= -github.com/bufbuild/buf v1.38.0/go.mod h1:GNSjEtwLmhq6A3oCFu4De4ov8RtAvxM1H1x2BUjjnk8= +github.com/bufbuild/buf v1.39.0 h1:f8bpK/8+cpgbppSyK4RKe0L1FxLqWcbgnHnWgXpVM7s= +github.com/bufbuild/buf v1.39.0/go.mod h1:1P0U+x/ky1KhpK7o7mGraDAYjQUG7710wk5lEZFWsTA= github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= github.com/bufbuild/protocompile v0.14.0/go.mod h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= 
@@ -30,8 +30,8 @@ github.com/bufbuild/protovalidate-go v0.6.4 h1:QtNIz4LGclM3UArQv/R1AKNF7MO8wriT9 github.com/bufbuild/protovalidate-go v0.6.4/go.mod h1:HlkVnkE/zVYZvHIG/a7QZuzqC9bSqHaOOTeRomYF0Q8= github.com/bufbuild/protoyaml-go v0.1.11 h1:Iyixd6Y5dx6ws6Uh8APgC1lMyvXt710NayoY8cY0Vj8= github.com/bufbuild/protoyaml-go v0.1.11/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= -github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= -github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= 
@@ -101,8 +101,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= 
@@ -192,10 +192,10 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= -github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= -github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= +github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -218,8 +218,8 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= -github.com/quic-go/quic-go v0.45.1 h1:tPfeYCk+uZHjmDRwHHQmvHRYL2t44ROTujLeFVBmjCA= -github.com/quic-go/quic-go v0.45.1/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= +github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y= +github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= @@ -237,7 +237,6 @@ github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8w github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 
@@ -250,22 +249,22 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= +go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= +go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod 
h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= +go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= +go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= +go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -284,8 +283,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa h1:ELnwvuAXPNtPk1TJRuGkI9fDTwym6AYBu0qzT8AcHdI= -golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= +golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -351,10 +350,10 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 h1:wKguEg1hsxI2/L3hUYrpo1RVi48K+uTyzKqprwLXsb8= -google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c h1:e0zB268kOca6FbuJkYUGxfwG4DKFZG/8DLyv9Zv66cE= +google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c h1:Kqjm4WpoWvwhMPcrAczoTyMySQmYa9Wy2iL6Con4zn8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= From bfe6c2f0e4a3ed1329b83cc32831357327d7b1d5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 07:49:35 +0800 Subject: [PATCH 102/523] build(deps): bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#4134) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.55.0 to 0.57.0. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](https://github.com/prometheus/common/compare/v0.55.0...v0.57.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c90814dafaf..c2d2b8475c1 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 github.com/prometheus/client_golang v1.20.2 - github.com/prometheus/common v0.55.0 + github.com/prometheus/common v0.57.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 diff --git a/go.sum b/go.sum index 125c82a06de..35aa27c1436 100644 --- a/go.sum +++ b/go.sum 
@@ -985,8 +985,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.57.0 h1:Ro/rKjwdq9mZn1K5QPctzh+MA4Lp0BuYk5ZZEVhoNcY= +github.com/prometheus/common v0.57.0/go.mod h1:7uRPFSUTbfZWsJ7MHY56sqt7hLQu3bxXHDnNhl8E9qI= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= From 07a6ca46dad7069b87f82772997cddc3c118f9b9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 07:51:02 +0800 Subject: [PATCH 103/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.99.0 to 0.100.0 (#4135) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.99.0 to 0.100.0. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.99.0...v0.100.0) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c2d2b8475c1..5e3c93c3ae8 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( require ( github.com/docker/docker v27.2.0+incompatible - github.com/replicatedhq/troubleshoot v0.99.0 + github.com/replicatedhq/troubleshoot v0.100.0 google.golang.org/grpc v1.65.0 ) diff --git a/go.sum b/go.sum index 35aa27c1436..5887628a133 100644 --- a/go.sum +++ b/go.sum @@ -1001,8 +1001,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.99.0 h1:KtsCe/8EL1VPQrokZw3bcKo8HcCTRUMEtUb2+SJ5l1k= -github.com/replicatedhq/troubleshoot v0.99.0/go.mod h1:5rRx3kCUCX9Adl3ST1mzo57FICjIJMaIrkj3rTrzvv4= +github.com/replicatedhq/troubleshoot v0.100.0 h1:efRc3M91Dnnvv66oSX5vs+GF2MjHS6O1OriBikox15Y= +github.com/replicatedhq/troubleshoot v0.100.0/go.mod h1:5rRx3kCUCX9Adl3ST1mzo57FICjIJMaIrkj3rTrzvv4= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From b50f5fa0273f410dc9270a9c23698110a4266822 Mon Sep 17 00:00:00 2001 From: qi Date: Wed, 4 Sep 2024 12:43:54 +0800 Subject: [PATCH 104/523] fix: assign sugar logger name. (#4144) Signed-off-by: qicz Co-authored-by: zirain --- internal/logging/log.go | 2 +- internal/logging/log_test.go | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) 
diff --git a/internal/logging/log.go b/internal/logging/log.go index a4fb787f9c2..274f11f05a4 100644 --- a/internal/logging/log.go +++ b/internal/logging/log.go @@ -72,7 +72,7 @@ func (l Logger) WithName(name string) Logger { return Logger{ Logger: zapr.NewLogger(logger).WithName(name), logging: l.logging, - sugaredLogger: logger.Sugar(), + sugaredLogger: logger.Sugar().Named(name), } } diff --git a/internal/logging/log_test.go b/internal/logging/log_test.go index 999f922759c..0942910f71c 100644 --- a/internal/logging/log_test.go +++ b/internal/logging/log_test.go @@ -75,3 +75,32 @@ func TestLoggerWithName(t *testing.T) { assert.Contains(t, capturedOutput, "info message") assert.Contains(t, capturedOutput, "debug message") } + +func TestLoggerSugarName(t *testing.T) { + originalStdout := os.Stdout + r, w, _ := os.Pipe() + os.Stdout = w + + defer func() { + // Restore the original stdout and close the pipe + os.Stdout = originalStdout + err := w.Close() + require.NoError(t, err) + }() + + const logName = "loggerName" + + config := egv1a1.DefaultEnvoyGatewayLogging() + config.Level[logName] = egv1a1.LogLevelDebug + + logger := NewLogger(config).WithName(logName) + + logger.Sugar().Debugf("debugging message") + + // Read from the pipe (captured stdout) + outputBytes := make([]byte, 200) + _, err := r.Read(outputBytes) + require.NoError(t, err) + capturedOutput := string(outputBytes) + assert.Contains(t, capturedOutput, "debugging message", logName) +} From 37659dc27341f4e0e2e4bbd5347814149a9e4863 Mon Sep 17 00:00:00 2001 From: qi Date: Wed, 4 Sep 2024 12:44:12 +0800 Subject: [PATCH 105/523] chore: code polish & ratelimit env optimize (#4142) Signed-off-by: qicz --- .../infrastructure/kubernetes/proxy/resource_provider.go | 2 +- internal/infrastructure/kubernetes/ratelimit/resource.go | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
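Review bot: In `TestLoggerSugarName` the final `assert.Contains(t, capturedOutput, "debugging message", logName)` never checks the logger name, because testify treats the fourth argument as the failure message and not as a second expected substring. As written the test would likely still pass without the `.Named(name)` change in log.go, so the fix itself is not covered; add a separate `assert.Contains(t, capturedOutput, logName)`. The error from `os.Pipe()` is also discarded (`r, w, _ := os.Pipe()`), and a single `r.Read` into a 200-byte buffer can return a short read, so checking the pipe error with `require.NoError` and reading after the writer is closed would make the capture deterministic.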
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index dd5907b7d9b..7795c145c77 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -259,7 +259,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { Spec: corev1.PodSpec{ Containers: containers, InitContainers: deploymentConfig.InitContainers, - ServiceAccountName: ExpectedResourceHashedName(r.infra.Name), + ServiceAccountName: r.Name(), AutomountServiceAccountToken: ptr.To(false), TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown), DNSPolicy: corev1.DNSClusterFirst, diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index 9747be33b52..129d69bdd37 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go @@ -71,6 +71,8 @@ const ( LogLevelEnvVar = "LOG_LEVEL" // UseStatsdEnvVar is the use statsd. UseStatsdEnvVar = "USE_STATSD" + // StatsdPortEnvVar is the use statsd port. + StatsdPortEnvVar = "STATSD_PORT" // ForceStartWithoutInitialConfigEnvVar enables start the ratelimit server without initial config. ForceStartWithoutInitialConfigEnvVar = "FORCE_START_WITHOUT_INITIAL_CONFIG" // ConfigTypeEnvVar is the configuration loading method for ratelimit. @@ -332,8 +334,8 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym Value: "true", }, { - Name: "STATSD_PORT", - Value: "9125", + Name: StatsdPortEnvVar, + Value: strconv.Itoa(StatsdPort), }, { Name: ConfigTypeEnvVar, From f86eda72c3e5c15a20940761ef8e5f450ae99cd8 Mon Sep 17 00:00:00 2001 
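Review bot: The switch to `ServiceAccountName: r.Name()` in `Deployment()` is only safe if `r.Name()` returns exactly what `ExpectedResourceHashedName(r.infra.Name)` returned, and neither definition is visible in this hunk. If the two ever diverge, the proxy pods would reference a ServiceAccount that is not the one rendered for this proxy, and pod creation would presumably be rejected. A comment on the field such as `// must equal the name of the ServiceAccount rendered for this proxy`, or a test asserting that the Deployment and ServiceAccount names match, would pin the invariant. `Deployment()` starts and ends outside the hunk.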
From: qi Date: Wed, 4 Sep 2024 14:18:55 +0800 Subject: [PATCH 106/523] fix: controller-runtime logger (#4146) * fix: [controller-runtime] log.SetLogger(...) was never called; logs will not be displayed. Signed-off-by: qicz * rm code comment Signed-off-by: qicz --------- Signed-off-by: qicz Co-authored-by: zirain --- internal/provider/kubernetes/kubernetes.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index df1c0d534b2..bd805fd3048 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go @@ -17,6 +17,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/config" "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" "github.com/envoyproxy/gateway/internal/envoygateway" @@ -44,6 +45,8 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) LeaderElectionNamespace: svr.Namespace, } + log.SetLogger(mgrOpts.Logger) + if !ptr.Deref(svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { mgrOpts.LeaderElection = true if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration != nil { From 0ef91193fa3fea99ae54d95263e05f45814ee432 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 14:19:33 +0800 Subject: [PATCH 107/523] build(deps): bump busybox from `9ae97d3` to `8274294` in /tools/docker/envoy-gateway (#4132) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `9ae97d3` to `8274294`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... 
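Review bot: `log.SetLogger(mgrOpts.Logger)` in `New` installs a process-wide controller-runtime logger from inside a constructor, and the hunk does not show where `mgrOpts.Logger` is assigned. If that field were left at its zero value at this point, controller-runtime output would presumably stay missing, which is the symptom the commit sets out to fix; confirm the assignment sits in the part of `New` above the hunk. As far as I know controller-runtime honours only the first `SetLogger` call, so a comment like `// set the global controller-runtime logger once at startup; later calls have no effect` would document why the call lives here. `New` begins and ends outside the hunk.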
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index af75ba6ca53..33d874be409 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,4 +1,4 @@ -FROM busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 as source +FROM busybox@sha256:82742949a3709938cbeb9cec79f5eaf3e48b255389f2dcedf2de29ef96fd841c as source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 8b6b26872d996d61cd4b42d9751602987c509069 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 4 Sep 2024 17:27:45 +0800 Subject: [PATCH 108/523] chore: add ExtensionGroupKinds debug log (#4124) * chore: add debug log Signed-off-by: zirain * use len Signed-off-by: zirain --------- Signed-off-by: zirain --- internal/gatewayapi/runner/runner.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index c9bdead8236..eba70f96739 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -159,6 +159,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { extGKs = append(extGKs, schema.GroupKind{Group: gvk.Group, Kind: gvk.Kind}) } t.ExtensionGroupKinds = extGKs + r.Logger.Info("extension resources", "GVKs count", len(extGKs)) } // Translate to IR result, err := t.Translate(resources) From 301eeddfa4c2f7e4e612874a9c5b13a976156c3e Mon Sep 17 00:00:00 2001 From: qi Date: Wed, 4 Sep 2024 17:28:13 +0800 Subject: [PATCH 109/523] chore: concurrent map write in internal/metric test. (#4141) * chore: concurrent map write in internal/metric test. Signed-off-by: qicz * fix lint Signed-off-by: qicz --------- 
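Review bot: The added `r.Logger.Info("extension resources", "GVKs count", len(extGKs))` in `subscribeAndTranslate` logs at info level although the commit describes it as a debug log, and it sits on the translation path, so it would presumably be emitted on every translation pass. If debug is what is intended, something like `r.Logger.V(1).Info("extension resources", "count", len(extGKs))` would keep it out of default output, assuming the wrapper exposes logr's verbosity levels. The key `"GVKs count"` contains a space, which is awkward to query in structured log pipelines. The function starts and ends outside the hunk.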
Signed-off-by: qicz --- internal/metrics/metrics_test.go | 55 +++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go index 9b1aafcd5e2..55b682aff79 100644 --- a/internal/metrics/metrics_test.go +++ b/internal/metrics/metrics_test.go @@ -16,6 +16,7 @@ import ( "os" "reflect" "strings" + "sync" "testing" "time" @@ -95,24 +96,7 @@ func TestGauge(t *testing.T) { // simulate a function that builds an indicator and changes its value metricsFunc := []func(){ - func() { - metricName := "current_irs_queue_num" - description := "current number of ir in queue, by ir type" - - currentIRsNum := NewGauge( - metricName, - description, - ) - - // only the last recorded value (2) will be exported for this gauge - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1) - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3) - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2) - - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1) - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3) - currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2) - }, + metricFunc, } for _, f := range metricsFunc { f() 
@@ -125,6 +109,25 @@ func TestGauge(t *testing.T) { loadMetricsFile(t, name, writer) } +func metricFunc() { + metricName := "current_irs_queue_num" + description := "current number of ir in queue, by ir type" + + currentIRsNum := NewGauge( + metricName, + description, + ) + + // only the last recorded value (2) will be exported for this gauge + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1) + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3) + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2) + + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(1) + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(3) + currentIRsNum.With(NewLabel("ir-type").Value("xds")).Record(2) +} + func TestHistogram(t *testing.T) { name := "histogram_metric" @@ -165,6 +168,22 @@ func TestHistogram(t *testing.T) { loadMetricsFile(t, name, writer) } +func TestConcurrentMetricAccess(t *testing.T) { + var wg sync.WaitGroup + const concurrency = 100 + + for i := 0; i < concurrency; i++ { + wg.Add(1) + go func(idx int) { + defer wg.Done() + t.Logf("concurrency metric access at %d", idx) + metricFunc() + }(i) + } + + wg.Wait() +} + // newTestMetricsProvider Create an OTEL Metrics Provider for testing use only func newTestMetricsProvider(metricType string, writer io.Writer) (*metric.MeterProvider, error) { enc := json.NewEncoder(writer) From 52eb0a48e0c3778976d6207e316d3df55cc28447 Mon Sep 17 00:00:00 2001 
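Review bot: `TestConcurrentMetricAccess` makes no assertion, so it can only fail if the runtime aborts on a concurrent map write or the race detector is enabled. Say so in a doc comment, for example `// TestConcurrentMetricAccess fails only by crashing or under -race; it guards against concurrent map writes when the same gauge is built from many goroutines.`, so that nobody later removes it as a no-op. The diffstat lists only metrics_test.go, so it is worth confirming that the code path being exercised is already safe without a change outside the test file. The extracted `metricFunc` would also read better with a name that says what it records, such as `recordIRQueueGauge`.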
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 07:54:34 +0800 Subject: [PATCH 110/523] build(deps): bump github.com/docker/cli from 27.1.2+incompatible to 27.2.0+incompatible (#4138) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.1.2+incompatible to 27.2.0+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.1.2...v27.2.0) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5e3c93c3ae8..1fd769930a2 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/Masterminds/semver/v3 v3.2.1 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v27.1.2+incompatible + github.com/docker/cli v27.2.0+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.13.0 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 diff --git a/go.sum b/go.sum index 5887628a133..3cd86735591 100644 --- a/go.sum +++ b/go.sum 
@@ -382,8 +382,8 @@ github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfG github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.2+incompatible h1:nYviRv5Y+YAKx3dFrTvS1ErkyVVunKOhoweCTE1BsnI= -github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM= +github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= From 2ceaea1cbea3e0c9adb8f9b6596d81fe400d113e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 18:11:07 +0800 Subject: [PATCH 111/523] build(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#4136) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.65.0 to 1.66.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.65.0...v1.66.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 1fd769930a2..18b53fa5131 100644 --- a/go.mod +++ b/go.mod @@ -65,7 +65,7 @@ require ( require ( github.com/docker/docker v27.2.0+incompatible github.com/replicatedhq/troubleshoot v0.100.0 - google.golang.org/grpc v1.65.0 + google.golang.org/grpc v1.66.0 ) require ( diff --git a/go.sum b/go.sum index 3cd86735591..95178635498 100644 --- a/go.sum +++ b/go.sum @@ -1769,8 +1769,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= +google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= From ccff7488a5fea44e15d9a098aaa71503e1c4279c Mon Sep 17 00:00:00 2001 From: Alex Volchok Date: Thu, 5 Sep 2024 15:04:46 +0200 Subject: [PATCH 112/523] refactor: return 500 when EnvoyExtensionTrafficPolicy translation fails (#4154) * refactor: return 500 when EnvoyExtensionTrafficPolicy translation fails Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok --------- 
Signed-off-by: Alexander Volchok --- internal/gatewayapi/envoyextensionpolicy.go | 27 +++++++++++-------- .../backend-invalid-feature-disabled.out.yaml | 1 - ...-extproc-invalid-no-matching-port.out.yaml | 2 ++ ...licy-with-extproc-invalid-no-port.out.yaml | 2 ++ ...xtproc-invalid-no-reference-grant.out.yaml | 2 ++ ...y-with-extproc-invalid-no-service.out.yaml | 2 ++ 6 files changed, 24 insertions(+), 12 deletions(-) diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 5cbe148db2c..f8c06ed0c44 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -300,11 +300,6 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute( errs = errors.Join(errs, err) } - // Early return if got any errors - if errs != nil { - return errs - } - // Apply IR to all relevant routes prefix := irRoutePrefix(route) parentRefs := GetParentReferences(route) @@ -326,6 +321,13 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute( if irListener != nil { for _, r := range irListener.Routes { if strings.HasPrefix(r.Name, prefix) { + // return 500 and do not configure EnvoyExtensions in this case + if errs != nil { + r.DirectResponse = &ir.DirectResponse{ + StatusCode: 500, + } + continue + } r.EnvoyExtensions = &ir.EnvoyExtensionFeatures{ ExtProcs: extProcs, Wasms: wasms, @@ -361,11 +363,6 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( errs = errors.Join(errs, err) } - // Early return if got any errors - if errs != nil { - return errs - } - irKey := t.getIRKey(gateway.Gateway) // Should exist since we've validated this x := xdsIR[irKey] 
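Review bot: With the early `return errs` removed from `translateEnvoyExtensionPolicyForRoute`, the translation error reaches the caller only if the function's final return hands `errs` back, and that return is outside these hunks; the gateway variant gets an explicit `return errs` in the hunk at -393, while the route variant shows no such change. The fail-closed block that assigns `r.DirectResponse = &ir.DirectResponse{StatusCode: 500}` and continues is repeated in both functions (hunks at -326 and -386), so a small shared helper would keep the two paths from drifting apart. The comment `// return 500 and do not configure EnvoyExtensions in this case` could also state the reason, for example `// fail closed: a route whose ext-proc or wasm config failed to translate must not serve traffic without it`.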
@@ -386,6 +383,14 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( continue } + // return 500 and do not configure EnvoyExtensions in this case + if errs != nil { + r.DirectResponse = &ir.DirectResponse{ + StatusCode: 500, + } + continue + } + r.EnvoyExtensions = &ir.EnvoyExtensionFeatures{ ExtProcs: extProcs, Wasms: wasms, @@ -393,7 +398,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( } } - return nil + return errs } func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error) { diff --git a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml index 643df05037b..c1425425b20 100644 --- a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml @@ -174,7 +174,6 @@ xdsIR: - weight: 1 directResponse: statusCode: 500 - envoyExtensions: {} hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 6c7cfa25607..beac28da518 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -154,6 +154,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: www.foo.com isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index c5c71bb503c..efd62e1e0ea 100644 
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -154,6 +154,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: www.foo.com isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index a8a19dffa49..ba93c2decdc 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -156,6 +156,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: www.foo.com isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index 4405c28c05d..066917dd152 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml @@ -155,6 +155,8 @@ xdsIR: port: 8080 protocol: HTTP weight: 1 + directResponse: + statusCode: 500 hostname: www.foo.com isHTTP2: false metadata: From 9bb1601be206fb3983b13af070716ac836fc777c Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Thu, 5 Sep 2024 16:06:51 +0300 Subject: [PATCH 113/523] feat: support JSONPatches for proxy bootstrap modifications (#4116) * Modify the API to support expressing JSONPatches Signed-off-by: Lior Okman * Support JSONPatch in the bootstrap proxy flow Signed-off-by: Lior Okman * Accept JSONPatches in a YAML format for unit-tests to be consistent with other unit tests. 
Signed-off-by: Lior Okman * Reduce the runtime imports, move imports needed for tests into the test code. Signed-off-by: Lior Okman * Moved validation code that requires access to internal/xds out of the api/v1alpha1/validation package. Signed-off-by: Lior Okman * Cleanup and make the linter happy Signed-off-by: Lior Okman * Added another test for the JSONPatch code Signed-off-by: Lior Okman * Make the linter happy Signed-off-by: Lior Okman * More unit-tests. Signed-off-by: Lior Okman --------- 
Signed-off-by: Lior Okman --- api/v1alpha1/envoyproxy_types.go | 17 +- .../validation/envoyproxy_validate.go | 72 +----- .../validation/envoyproxy_validate_test.go | 92 ------- api/v1alpha1/zz_generated.deepcopy.go | 12 + .../gateway.envoyproxy.io_envoyproxies.yaml | 54 +++- internal/cmd/egctl/translate.go | 7 +- internal/gatewayapi/envoypatchpolicy.go | 2 +- .../proxy/resource_provider_test.go | 6 +- internal/ir/xds.go | 64 ++++- internal/ir/xds_test.go | 121 +++++++++ internal/provider/kubernetes/controller.go | 4 + .../jsonpatch}/jsonpathtopointer.go | 2 +- .../jsonpatch}/jsonpathtopointer_test.go | 2 +- internal/utils/jsonpatch/patch.go | 92 +++++++ internal/utils/jsonpatch/patch_test.go | 124 ++++++++++ .../merge/merge-user-bootstrap.in.yaml | 0 .../merge/merge-user-bootstrap.out.yaml | 178 ++++++++++++++ .../merge/patch-global-config.in.yaml | 6 + .../merge/patch-global-config.out.yaml | 169 +++++++++++++ ...rent-dynamic-resources-user-bootstrap.yaml | 0 ...fferent-xds-cluster-address-bootstrap.yaml | 0 .../missing-admin-address-user-bootstrap.yaml | 0 .../validate}/valid-user-bootstrap.yaml | 0 internal/xds/bootstrap/util.go | 55 ++++- internal/xds/bootstrap/util_test.go | 24 +- internal/xds/bootstrap/validate.go | 89 +++++++ internal/xds/bootstrap/validate_test.go | 76 ++++++ internal/xds/translator/jsonpatch.go | 232 +++++++----------- internal/xds/translator/translator_test.go | 3 +- site/content/en/latest/api/extension_types.md | 7 +- site/content/zh/latest/api/extension_types.md | 7 +- test/cel-validation/envoyproxy_test.go | 59 +++++ 32 files changed, 1243 insertions(+), 333 deletions(-) rename internal/{xds/translator => utils/jsonpatch}/jsonpathtopointer.go (99%) rename internal/{xds/translator => utils/jsonpatch}/jsonpathtopointer_test.go (99%) create mode 100644 internal/utils/jsonpatch/patch.go create mode 100644 internal/utils/jsonpatch/patch_test.go rename api/v1alpha1/validation/testdata/merge-user-bootstrap.yaml => 
internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.in.yaml (100%) create mode 100644 internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml create mode 100644 internal/xds/bootstrap/testdata/merge/patch-global-config.in.yaml create mode 100644 internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml rename {api/v1alpha1/validation/testdata => internal/xds/bootstrap/testdata/validate}/different-dynamic-resources-user-bootstrap.yaml (100%) rename {api/v1alpha1/validation/testdata => internal/xds/bootstrap/testdata/validate}/different-xds-cluster-address-bootstrap.yaml (100%) rename {api/v1alpha1/validation/testdata => internal/xds/bootstrap/testdata/validate}/missing-admin-address-user-bootstrap.yaml (100%) rename {api/v1alpha1/validation/testdata => internal/xds/bootstrap/testdata/validate}/valid-user-bootstrap.yaml (100%) create mode 100644 internal/xds/bootstrap/validate.go create mode 100644 internal/xds/bootstrap/validate_test.go diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index e2ada31c3fc..74218aad20b 100644 --- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go 
@@ -358,19 +358,27 @@ const ( ) // ProxyBootstrap defines Envoy Bootstrap configuration. +// +union +// +kubebuilder:validation:XValidation:rule="self.type == 'JSONPatch' ? self.jsonPatches.size() > 0 : has(self.value)", message="provided bootstrap patch doesn't match the configured patch type" type ProxyBootstrap struct { - // Type is the type of the bootstrap configuration, it should be either Replace or Merge. + // Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch. // If unspecified, it defaults to Replace. // +optional // +kubebuilder:default=Replace + // +unionDiscriminator Type *BootstrapType `json:"type"` // Value is a YAML string of the bootstrap. - Value string `json:"value"` + // +optional + Value *string `json:"value,omitempty"` + + // JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are + // applied in the order in which they are defined. + JSONPatches []JSONPatchOperation `json:"jsonPatches,omitempty"` } // BootstrapType defines the types of bootstrap supported by Envoy Gateway. -// +kubebuilder:validation:Enum=Merge;Replace +// +kubebuilder:validation:Enum=Merge;Replace;JSONPatch type BootstrapType string const ( @@ -381,6 +389,9 @@ const ( // Replace replaces the default bootstrap with the provided one. BootstrapTypeReplace BootstrapType = "Replace" + + // JSONPatch applies the provided JSONPatches to the default bootstrap. + BootstrapTypeJSONPatch BootstrapType = "JSONPatch" ) // EnvoyProxyStatus defines the observed state of EnvoyProxy. This type is not implemented diff --git a/api/v1alpha1/validation/envoyproxy_validate.go b/api/v1alpha1/validation/envoyproxy_validate.go index b4d8b6b7392..74ce4e0451c 100644 --- a/api/v1alpha1/validation/envoyproxy_validate.go +++ b/api/v1alpha1/validation/envoyproxy_validate.go 
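Review bot: The XValidation rule on `ProxyBootstrap` checks only that the member matching `type` is present and does not reject the other one, so `type: JSONPatch` together with a `value`, or `type: Merge` together with `jsonPatches`, is accepted and one of the two is presumably ignored. For a `+union` the members should be exclusive, e.g. `self.type == 'JSONPatch' ? (has(self.jsonPatches) && self.jsonPatches.size() > 0 && !has(self.value)) : (has(self.value) && !has(self.jsonPatches))`. The `has(self.jsonPatches)` guard matters on its own because the field is `omitempty`, and as far as I know reading an absent field in CEL produces an evaluation error and not the configured message. `JSONPatches` is also missing the `// +optional` marker that `Value` received, and changing `Value` from `string` to `*string` breaks Go callers that set it directly, which deserves a line in the release notes.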
@@ -12,16 +12,9 @@ import ( "net/netip" "github.com/dominikbraun/graph" - bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3" - clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" - "github.com/google/go-cmp/cmp" - "google.golang.org/protobuf/testing/protocmp" utilerrors "k8s.io/apimachinery/pkg/util/errors" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/utils/proto" - "github.com/envoyproxy/gateway/internal/xds/bootstrap" - _ "github.com/envoyproxy/gateway/internal/xds/extensions" // register the generated types to support protojson unmarshalling ) // ValidateEnvoyProxy validates the provided EnvoyProxy. @@ -38,6 +31,8 @@ func ValidateEnvoyProxy(proxy *egv1a1.EnvoyProxy) error { } // validateEnvoyProxySpec validates the provided EnvoyProxy spec. +// This method validates everything except for the bootstrap section, because validating the bootstrap +// section in this method would require calling into the internal apis, and would cause an import cycle. func validateEnvoyProxySpec(spec *egv1a1.EnvoyProxySpec) error { var errs []error @@ -51,13 +46,6 @@ func validateEnvoyProxySpec(spec *egv1a1.EnvoyProxySpec) error { errs = append(errs, validateProviderErrs...) } - // validate bootstrap - if spec != nil && spec.Bootstrap != nil { - if err := validateBootstrap(spec.Bootstrap); err != nil { - errs = append(errs, err) - } - } - validateProxyTelemetryErrs := validateProxyTelemetry(spec) if len(validateProxyTelemetryErrs) != 0 { errs = append(errs, validateProxyTelemetryErrs...) 
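Review bot: After this change the exported `ValidateEnvoyProxy` no longer checks the bootstrap at all, yet only the comment on the unexported `validateEnvoyProxySpec` (hunk at -38) says so. The code removed further down was what rejected a user bootstrap that altered `dynamic_resources` or the `xds_cluster` load assignment, so a caller that relies on `ValidateEnvoyProxy` alone would now accept such a bootstrap; the diffstat shows the check moving to internal/xds/bootstrap/validate.go, which is not visible here. Put the caveat on the exported function as well, e.g. `// ValidateEnvoyProxy does not validate spec.bootstrap; callers must also run the bootstrap validation in internal/xds/bootstrap.`, and confirm that every former call site invokes the new check.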
@@ -156,62 +144,6 @@ func validateService(spec *egv1a1.EnvoyProxySpec) []error { return errs } -func validateBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) error { - // Validate user bootstrap config - defaultBootstrap := &bootstrapv3.Bootstrap{} - // TODO: need validate when enable prometheus? - defaultBootstrapStr, err := bootstrap.GetRenderedBootstrapConfig(nil) - if err != nil { - return err - } - if err := proto.FromYAML([]byte(defaultBootstrapStr), defaultBootstrap); err != nil { - return fmt.Errorf("unable to unmarshal default bootstrap: %w", err) - } - if err := defaultBootstrap.Validate(); err != nil { - return fmt.Errorf("default bootstrap validation failed: %w", err) - } - - // Validate user bootstrap config - userBootstrapStr, err := bootstrap.ApplyBootstrapConfig(boostrapConfig, defaultBootstrapStr) - if err != nil { - return err - } - userBootstrap := &bootstrapv3.Bootstrap{} - if err := proto.FromYAML([]byte(userBootstrapStr), userBootstrap); err != nil { - return fmt.Errorf("failed to parse default bootstrap config: %w", err) - } - if err := userBootstrap.Validate(); err != nil { - return fmt.Errorf("validation failed for user bootstrap: %w", err) - } - - // Ensure dynamic resources config is same - if userBootstrap.DynamicResources == nil || - cmp.Diff(userBootstrap.DynamicResources, defaultBootstrap.DynamicResources, protocmp.Transform()) != "" { - return fmt.Errorf("dynamic_resources cannot be modified") - } - - // Ensure that the xds_cluster config is same - var userXdsCluster, defaultXdsCluster *clusterv3.Cluster - for _, cluster := range userBootstrap.StaticResources.Clusters { - if cluster.Name == "xds_cluster" { - userXdsCluster = cluster - break - } - } - for _, cluster := range defaultBootstrap.StaticResources.Clusters { - if cluster.Name == "xds_cluster" { - defaultXdsCluster = cluster - break - } - } - if userXdsCluster == nil || - cmp.Diff(userXdsCluster.LoadAssignment, defaultXdsCluster.LoadAssignment, protocmp.Transform()) != "" { - 
return fmt.Errorf("xds_cluster's loadAssigntment cannot be modified") - } - - return nil -} - func validateProxyTelemetry(spec *egv1a1.EnvoyProxySpec) []error { var errs []error diff --git a/api/v1alpha1/validation/envoyproxy_validate_test.go b/api/v1alpha1/validation/envoyproxy_validate_test.go index 591c184fdd5..bd7e4bc18e0 100644 --- a/api/v1alpha1/validation/envoyproxy_validate_test.go +++ b/api/v1alpha1/validation/envoyproxy_validate_test.go @@ -6,8 +6,6 @@ package validation import ( - // Register embed - _ "embed" "reflect" "testing" @@ -21,19 +19,6 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) -var ( - //go:embed testdata/valid-user-bootstrap.yaml - validUserBootstrap string - //go:embed testdata/merge-user-bootstrap.yaml - mergeUserBootstrap string - //go:embed testdata/missing-admin-address-user-bootstrap.yaml - missingAdminAddressUserBootstrap string - //go:embed testdata/different-dynamic-resources-user-bootstrap.yaml - differentDynamicResourcesUserBootstrap string - //go:embed testdata/different-xds-cluster-address-bootstrap.yaml - differentXdsClusterAddressBootstrap string -) - func TestValidateEnvoyProxy(t *testing.T) { testCases := []struct { name string 
@@ -319,83 +304,6 @@ func TestValidateEnvoyProxy(t *testing.T) { }, expected: false, }, - - { - name: "valid user bootstrap replace type", - proxy: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Value: validUserBootstrap, - }, - }, - }, - expected: true, - }, - { - name: "valid user bootstrap merge type", - proxy: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Type: ptr.To(egv1a1.BootstrapTypeMerge), - Value: mergeUserBootstrap, - }, - }, - }, - expected: true, - }, - { - name: "user bootstrap with missing admin address", - proxy: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Value: missingAdminAddressUserBootstrap, - }, - }, - }, - expected: false, - }, - { - name: "user bootstrap with different dynamic resources", - proxy: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Value: differentDynamicResourcesUserBootstrap, - }, - }, - }, - expected: false, - }, - { - name: "user bootstrap with different xds_cluster endpoint", - proxy: &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "test", - Name: "test", - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Value: differentXdsClusterAddressBootstrap, - }, - }, - }, - expected: false, - }, { name: "should invalid when accesslog enabled using Text format, but `text` field being empty", proxy: &egv1a1.EnvoyProxy{ diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c0b8e8c657a..9afe197fc97 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go 
+++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3899,6 +3899,18 @@ func (in *ProxyBootstrap) DeepCopyInto(out *ProxyBootstrap) { *out = new(BootstrapType) **out = **in } + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(string) + **out = **in + } + if in.JSONPatches != nil { + in, out := &in.JSONPatches, &out.JSONPatches + *out = make([]JSONPatchOperation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyBootstrap. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 40590f37988..6baf2056ec3 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -191,21 +191,69 @@ spec: We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. properties: + jsonPatches: + description: |- + JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are + applied in the order in which they are defined. + items: + description: |- + JSONPatchOperation defines the JSON Patch Operation as defined in + https://datatracker.ietf.org/doc/html/rfc6902 + properties: + from: + description: |- + From is the source location of the value to be copied or moved. Only valid + for move or copy operations + Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + type: string + jsonPath: + description: |- + JSONPath specifies the locations of the target document/field where the operation will be performed + Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + type: string + op: + description: Op is the type of operation to perform + enum: + - add + - remove + - replace + - move + - copy + - test + type: string + path: + description: |- + Path is the location of the target document/field where the operation will be performed + Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + type: string + value: + description: |- + Value is the new value of the path location. The value is only used by + the `add` and `replace` operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + type: object + type: array type: default: Replace description: |- - Type is the type of the bootstrap configuration, it should be either Replace or Merge. + Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch. If unspecified, it defaults to Replace. 
enum: - Merge - Replace + - JSONPatch type: string value: description: Value is a YAML string of the bootstrap. type: string - required: - - value type: object + x-kubernetes-validations: + - message: provided bootstrap patch doesn't match the configured patch + type + rule: 'self.type == ''JSONPatch'' ? self.jsonPatches.size() > 0 + : has(self.value)' concurrency: description: |- Concurrency defines the number of worker threads to run. If unset, it defaults to diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index ceb4e9deee3..045d4733e47 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -326,6 +326,11 @@ func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayap msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) status.SetGatewayClassAccepted(resources.GatewayClass, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg) } + if err := bootstrap.Validate(resources.EnvoyProxyForGatewayClass.Spec.Bootstrap); err != nil { + epInvalid = true + msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) + status.SetGatewayClassAccepted(resources.GatewayClass, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg) + } gRes.EnvoyProxyForGatewayClass = resources.EnvoyProxyForGatewayClass } if !epInvalid { @@ -959,7 +964,7 @@ func addDefaultEnvoyProxy(resources *gatewayapi.Resources) error { }, Spec: egv1a1.EnvoyProxySpec{ Bootstrap: &egv1a1.ProxyBootstrap{ - Value: defaultBootstrapStr, + Value: &defaultBootstrapStr, }, }, } diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go index 5d2480f5d23..c2dd5480362 100644 --- a/internal/gatewayapi/envoypatchpolicy.go +++ b/internal/gatewayapi/envoypatchpolicy.go 
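Review bot: In `translateGatewayAPIToGatewayAPI`, when the preceding check (its condition is above the hunk) and the added `bootstrap.Validate` both fail, the second `status.SetGatewayClassAccepted` call replaces the message set by the first, so the user sees only the bootstrap error. Joining the two errors and setting the status once would report both and remove the duplicated block. The call also passes `Spec.Bootstrap` without the `!= nil` guard that the removed `validateEnvoyProxySpec` code had. `bootstrap.Validate` is not shown here, so confirm it accepts a nil `*ProxyBootstrap`. The same applies to the call added to `processEnvoyProxy` in controller.go.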
@@ -112,7 +112,7 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo irPatch := ir.JSONPatchConfig{} irPatch.Type = string(patch.Type) irPatch.Name = patch.Name - irPatch.Operation.Op = string(patch.Operation.Op) + irPatch.Operation.Op = ir.JSONPatchOp(patch.Operation.Op) irPatch.Operation.Path = patch.Operation.Path irPatch.Operation.JSONPath = patch.Operation.JSONPath irPatch.Operation.From = patch.Operation.From diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index 16c94d037a4..c92d94d4b42 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -529,9 +529,10 @@ func TestDeployment(t *testing.T) { replace := egv1a1.BootstrapTypeReplace if tc.bootstrap != "" { + bsValue := tc.bootstrap tc.infra.Proxy.Config.Spec.Bootstrap = &egv1a1.ProxyBootstrap{ Type: &replace, - Value: tc.bootstrap, + Value: &bsValue, } } @@ -963,9 +964,10 @@ func TestDaemonSet(t *testing.T) { replace := egv1a1.BootstrapTypeReplace if tc.bootstrap != "" { + bsValue := tc.bootstrap tc.infra.Proxy.Config.Spec.Bootstrap = &egv1a1.ProxyBootstrap{ Type: &replace, - Value: tc.bootstrap, + Value: &bsValue, } } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 1b5b5971b8c..9a3af5efefb 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -8,6 +8,7 @@ package ir import ( "cmp" "errors" + "fmt" "net/http" "net/netip" "reflect" 
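Review bot: `irPatch.Operation.Op = ir.JSONPatchOp(patch.Operation.Op)` converts the API value with a plain cast, while this commit also adds `ir.TranslateJSONPatchOp` for the same conversion, and in the hunks visible here that helper is called only from the new test. The two differ for unknown input: the cast passes the string through, whereas the helper maps it to `""`. Either call the helper here, `irPatch.Operation.Op = ir.TranslateJSONPatchOp(patch.Operation.Op)`, or drop it and keep the cast, so there is one conversion path that `Validate` has to reason about. The enclosing function continues outside the hunk.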
@@ -1753,12 +1754,42 @@ type JSONPatchConfig struct { Operation JSONPatchOperation `json:"operation" yaml:"operation"` } +type JSONPatchOp string + +const ( + JSONPatchOpAdd JSONPatchOp = "add" + JSONPatchOpRemove JSONPatchOp = "remove" + JSONPatchOpReplace JSONPatchOp = "replace" + JSONPatchOpCopy JSONPatchOp = "copy" + JSONPatchOpMove JSONPatchOp = "move" + JSONPatchOpTest JSONPatchOp = "test" +) + +func TranslateJSONPatchOp(op egv1a1.JSONPatchOperationType) JSONPatchOp { + switch op { + case "add": + return JSONPatchOpAdd + case "remove": + return JSONPatchOpRemove + case "replace": + return JSONPatchOpReplace + case "move": + return JSONPatchOpMove + case "copy": + return JSONPatchOpCopy + case "test": + return JSONPatchOpTest + default: + return "" + } +} + // JSONPatchOperation defines the JSON Patch Operation as defined in // https://datatracker.ietf.org/doc/html/rfc6902 // +k8s:deepcopy-gen=true type JSONPatchOperation struct { // Op is the type of operation to perform - Op string `json:"op" yaml:"op"` + Op JSONPatchOp `json:"op" yaml:"op"` // Path is the location of the target document/field where the operation will be performed // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. // +optional 
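Review bot: The new exported `JSONPatchOp` type, its constants and `TranslateJSONPatchOp` have no doc comments, and the helper's handling of unknown input is not stated anywhere. I would add `// JSONPatchOp is the RFC 6902 operation name carried in the IR.` on the type. On the function I would add `// TranslateJSONPatchOp maps the API operation type to its IR value; an unrecognised operation yields "", which JSONPatchOperation.Validate rejects.` Spelling out the empty-string result matters because callers must run `Validate` before using the operation.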
@@ -1784,6 +1815,37 @@ func (o *JSONPatchOperation) IsJSONPathNilOrEmpty() bool { return o.JSONPath == nil || *o.JSONPath == EmptyPath } +// Validate ensures that the appropriate fields are set for each operation type according to RFC 6902: +// https://www.rfc-editor.org/rfc/rfc6902.html +func (o *JSONPatchOperation) Validate() error { + if o.Path == nil && o.JSONPath == nil { + return fmt.Errorf("a patch operation must specify a path or jsonPath") + } + switch o.Op { + case JSONPatchOpAdd, JSONPatchOpReplace, JSONPatchOpTest: + if o.Value == nil { + return fmt.Errorf("the %s operation requires a value", o.Op) + } + if o.From != nil { + return fmt.Errorf("the %s operation doesn't support a from attribute", o.Op) + } + case JSONPatchOpRemove: + if o.From != nil || o.Value != nil { + return fmt.Errorf("value and from can't be specified with the remove operation") + } + case JSONPatchOpMove, JSONPatchOpCopy: + if o.From == nil { + return fmt.Errorf("the %s operation requires a valid from attribute", o.Op) + } + if o.Value != nil { + return fmt.Errorf("the %s operation doesn't support a value attribute", o.Op) + } + default: + return fmt.Errorf("unsupported JSONPatch operation") + } + return nil +} + // Tracing defines the configuration for tracing a Envoy xDS Resource // +k8s:deepcopy-gen=true type Tracing struct { diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 876e37f9e13..882aa090e55 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -13,6 +13,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" 
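Review bot: `Validate` treats a field as set whenever its pointer is non-nil, whereas the helper directly above it, `IsJSONPathNilOrEmpty`, counts an empty `jsonPath` as unset. An operation with `jsonPath: ""` and no `path` therefore passes the first check and is left to whatever the path conversion does with it. Likewise a move or copy with `from: ""` passes even though the message promises "a valid from attribute". Using the helper in the guard, `if o.Path == nil && o.IsJSONPathNilOrEmpty() {`, and checking `*o.From != ""` for move and copy would make the validation match its error messages.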
@@ -1618,3 +1619,123 @@ func TestValidateHealthCheck(t *testing.T) { }) } } + +func TestJSONPatchOperationValidation(t *testing.T) { + tests := []struct { + name string + input JSONPatchOperation + want *string + }{ + { + name: "no path or jsonpath", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("remove")), + }, + want: ptr.To("a patch operation must specify a path or jsonPath"), + }, + { + name: "replace with from", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("replace")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + Value: &apiextensionsv1.JSON{ + Raw: []byte{}, + }, + From: ptr.To("/some/from"), + }, + want: ptr.To("the replace operation doesn't support a from attribute"), + }, + { + name: "add with no value", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("add")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + }, + want: ptr.To("the add operation requires a value"), + }, + { + name: "remove with from", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("remove")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + 
From: ptr.To("/some/from"), + }, + want: ptr.To("value and from can't be specified with the remove operation"), + }, + { + name: "remove with value", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("remove")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + Value: &apiextensionsv1.JSON{ + Raw: []byte{}, + }, + }, + want: ptr.To("value and from can't be specified with the remove operation"), + }, + { + name: "move without from", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("move")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + }, + want: ptr.To("the move operation requires a valid from attribute"), + }, + { + name: "copy with value", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("copy")), + JSONPath: ptr.To("$.some.json[@?name=='lala'].key"), + From: ptr.To("/some/from"), + Value: &apiextensionsv1.JSON{ + Raw: []byte{}, + }, + }, + want: ptr.To("the copy operation doesn't support a value attribute"), + }, + { + name: "invalid operation", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("invalid")), + Path: ptr.To("/some/path"), + }, + want: ptr.To("unsupported JSONPatch operation"), + }, + { + name: "valid test operation", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("test")), + Path: ptr.To("/some/path"), + Value: &apiextensionsv1.JSON{ + Raw: []byte{}, + }, + }, + }, + { + name: "valid remove operation", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("remove")), + Path: ptr.To("/some/path"), + }, + }, + { + name: "valid copy operation", + input: JSONPatchOperation{ + Op: TranslateJSONPatchOp(egv1a1.JSONPatchOperationType("copy")), + Path: ptr.To("/some/path"), + 
From: ptr.To("/some/other/path"), + }, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + err := tc.input.Validate() + if tc.want != nil { + require.EqualError(t, err, *tc.want) + } else { + require.NoError(t, err) + } + }) + } +} diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 05cb0fa5528..1c0555c0772 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -43,6 +43,7 @@ import ( "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/utils" "github.com/envoyproxy/gateway/internal/utils/slice" + "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) var skipNameValidation = func() *bool { @@ -1651,6 +1652,9 @@ func (r *gatewayAPIReconciler) processEnvoyProxy(ep *egv1a1.EnvoyProxy, resource if err := validation.ValidateEnvoyProxy(ep); err != nil { return fmt.Errorf("invalid envoyproxy: %w", err) } + if err := bootstrap.Validate(ep.Spec.Bootstrap); err != nil { + return fmt.Errorf("invalid envoyproxy: %w", err) + } if ep.Spec.Telemetry != nil { var backendRefs []egv1a1.BackendRef diff --git a/internal/xds/translator/jsonpathtopointer.go b/internal/utils/jsonpatch/jsonpathtopointer.go similarity index 99% rename from internal/xds/translator/jsonpathtopointer.go rename to internal/utils/jsonpatch/jsonpathtopointer.go index 89d7fdf1c77..730baa94ee2 100644 --- a/internal/xds/translator/jsonpathtopointer.go +++ b/internal/utils/jsonpatch/jsonpathtopointer.go @@ -3,7 +3,7 @@ // The full text of the Apache license is available in the LICENSE file at // the root of the repo. -package translator +package jsonpatch import ( "reflect" 
diff --git a/internal/xds/translator/jsonpathtopointer_test.go b/internal/utils/jsonpatch/jsonpathtopointer_test.go similarity index 99% rename from internal/xds/translator/jsonpathtopointer_test.go rename to internal/utils/jsonpatch/jsonpathtopointer_test.go index cefb5925869..4b57424562d 100644 --- a/internal/xds/translator/jsonpathtopointer_test.go +++ b/internal/utils/jsonpatch/jsonpathtopointer_test.go @@ -3,7 +3,7 @@ // The full text of the Apache license is available in the LICENSE file at // the root of the repo. -package translator +package jsonpatch import ( "sort" diff --git a/internal/utils/jsonpatch/patch.go b/internal/utils/jsonpatch/patch.go new file mode 100644 index 00000000000..15cac85a308 --- /dev/null +++ b/internal/utils/jsonpatch/patch.go 
@@ -0,0 +1,92 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package jsonpatch + +import ( + "encoding/json" + "errors" + "fmt" + + jsonpatchv5 "github.com/evanphx/json-patch/v5" + "sigs.k8s.io/yaml" + + "github.com/envoyproxy/gateway/internal/ir" +) + +// ApplyJSONPatches applies a series of JSONPatches to a provided JSON document. +// Patches are applied in order, and any errors are aggregated into the return value. +// An error with a specific patch just means that this specific patch is skipped, the document +// will still be modified with any other provided patch operation. +// If a patch is applied to a JSONPath, then that JSONPath is first exploded to standard paths +// and the patch is applied to all matching paths. +func ApplyJSONPatches(document json.RawMessage, patches ...ir.JSONPatchOperation) (json.RawMessage, error) { + opts := jsonpatchv5.NewApplyOptions() + opts.EnsurePathExistsOnAdd = true + + var tErrs, err error + for _, p := range patches { + + if err := p.Validate(); err != nil { + tErrs = errors.Join(tErrs, err) + continue + } + + var jsonPointers []string + if p.JSONPath != nil { + path := "" + if p.Path != nil { + path = *p.Path + } + jsonPointers, err = ConvertPathToPointers(document, *p.JSONPath, path) + if err != nil { + tErr := fmt.Errorf("unable to convert jsonPath: '%s' into jsonPointers, err: %s", *p.JSONPath, err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + } else { + jsonPointers = []string{*p.Path} + } + + for _, path := range jsonPointers { + op := ir.JSONPatchOperation{ + Path: &path, + Op: p.Op, + Value: p.Value, + 
From: p.From, + } + + // Convert patch to JSON + // The patch library expects an array so convert it into one + y, err := yaml.Marshal([]ir.JSONPatchOperation{op}) + if err != nil { + tErr := fmt.Errorf("unable to marshal patch %+v, err: %s", op, err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + jsonBytes, err := yaml.YAMLToJSON(y) + if err != nil { + tErr := fmt.Errorf("unable to convert patch to json %s, err: %s", string(y), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + patchObj, err := jsonpatchv5.DecodePatch(jsonBytes) + if err != nil { + tErr := fmt.Errorf("unable to decode patch %s, err: %s", string(jsonBytes), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + + // Apply patch + document, err = patchObj.ApplyWithOptions(document, opts) + if err != nil { + tErr := fmt.Errorf("unable to apply patch:\n%s on resource:\n%s, err: %s", string(jsonBytes), string(document), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + } + } + return document, tErrs +} diff --git a/internal/utils/jsonpatch/patch_test.go b/internal/utils/jsonpatch/patch_test.go new file mode 100644 index 00000000000..ace677124e0 --- /dev/null +++ b/internal/utils/jsonpatch/patch_test.go 
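Review bot: In `ApplyJSONPatches`, `document, err = patchObj.ApplyWithOptions(document, opts)` overwrites `document` even when the apply fails, and json-patch v5 returns a nil document alongside the error as far as I know. That contradicts the doc comment's promise that a failing patch is skipped: the patches applied so far are lost, later patches run against an empty document, and the function returns no document at all. The error message then prints `string(document)` after it has already been replaced, so the "on resource" part is empty. Assign to a temporary instead, `patched, err := patchObj.ApplyWithOptions(document, opts)`, and set `document = patched` only after the error check. Also consider whether embedding the whole document in an error that may reach status conditions or logs is wanted.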
@@ -0,0 +1,124 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package jsonpatch + +import ( + "testing" + + "github.com/stretchr/testify/require" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/utils/ptr" + + "github.com/envoyproxy/gateway/internal/ir" +) + +const sourceDocument = ` +{ + "topLevel" : { + "mapContainer" : { + "key": "value", + "other": "key" + }, + "arrayContainer": [ + "str1", + "str2" + ], + "mapArray" : [ + { + "name": "first", + "key" : "value" + }, + { + "name": "second", + "key" : "other value" + } + ] + } +} +` + +func TestApplyJSONPatches(t *testing.T) { + testCases := []struct { + name string + patchOperation []ir.JSONPatchOperation + errorExpected bool + }{ + { + name: "simple add with single patch", + patchOperation: []ir.JSONPatchOperation{ + { + Op: "add", + Path: ptr.To("/topLevel/newKey"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("true"), + }, + }, + }, + errorExpected: false, + }, + { + name: "two operations in a set", + patchOperation: []ir.JSONPatchOperation{ + { + Op: "add", + Path: ptr.To("/topLevel/newKey"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("true"), + }, + }, + { + Op: "remove", + Path: ptr.To("/topLevel/arrayContainer/1"), + }, + }, + errorExpected: false, + }, + { + name: "invalid operation", + patchOperation: []ir.JSONPatchOperation{ + { + Op: "badbadbad", + Path: ptr.To("/topLevel/newKey"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("true"), + }, + }, + }, + errorExpected: true, + }, + { + name: "jsonpath affecting two places", + patchOperation: []ir.JSONPatchOperation{ + { + Op: "remove", + JSONPath: ptr.To("$.topLevel.mapArray[*].key"), + }, + }, + errorExpected: false, + }, + { + name: "invalid jsonpath", + patchOperation: []ir.JSONPatchOperation{ + { + Op: "remove", + JSONPath: ptr.To("i'm not a json path string"), + }, + }, + 
errorExpected: true, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + _, err := ApplyJSONPatches([]byte(sourceDocument), tc.patchOperation...) + if tc.errorExpected { + require.Error(t, err) + } else { + require.NoError(t, err) + } + }) + } +} diff --git a/api/v1alpha1/validation/testdata/merge-user-bootstrap.yaml b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.in.yaml similarity index 100% rename from api/v1alpha1/validation/testdata/merge-user-bootstrap.yaml rename to internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.in.yaml diff --git a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml new file mode 100644 index 00000000000..7fcb292368a --- /dev/null +++ b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml 
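Review bot: `TestApplyJSONPatches` discards the patched document (`_, err := ApplyJSONPatches(...)`) and asserts only whether an error occurred, so nothing checks what the patches actually did. The "jsonpath affecting two places" case would pass even if only one `key` were removed. No case mixes a failing patch with valid ones to confirm the documented skip-and-continue behaviour, which is where a lost document would show up. I would add an expected-output field to the table and compare it with `require.JSONEq`, plus one case with a bad patch followed by a good one.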
@@ -0,0 +1,178 @@ +admin: + accessLog: + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socketAddress: + address: 127.0.0.1 + portValue: 8080 +dynamicResources: + adsConfig: + apiType: DELTA_GRPC + grpcServices: + - envoyGrpc: + clusterName: xds_cluster + setNodeOnFirstMessageOnly: true + transportApiVersion: V3 + cdsConfig: + ads: {} + resourceApiVersion: V3 + ldsConfig: + ads: {} + resourceApiVersion: V3 +layeredRuntime: + layers: + - name: global_config + staticLayer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 +overloadManager: + refreshInterval: 0.250s + resourceMonitors: + - name: envoy.resource_monitors.global_downstream_max_connections + typedConfig: + '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + maxActiveDownstreamConnections: "50000" +staticResources: + clusters: + - connectTimeout: 0.250s + loadAssignment: + clusterName: prometheus_stats + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 127.0.0.1 + portValue: 19000 + name: prometheus_stats + type: STATIC + - connectTimeout: 10s + loadAssignment: + clusterName: xds_cluster + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: envoy-gateway + portValue: 18000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + name: xds_cluster + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + tlsCertificateSdsSecretConfigs: + - name: xds_certificate + sdsConfig: + pathConfigSource: + path: /sds/xds-certificate.json + resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 + validationContextSdsSecretConfig: + name: xds_trusted_ca 
+ sdsConfig: + pathConfigSource: + path: /sds/xds-trusted-ca.json + resourceApiVersion: V3 + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + connectionKeepalive: + interval: 30s + timeout: 5s + - connectTimeout: 10s + loadAssignment: + clusterName: wasm_cluster + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: envoy-gateway + portValue: 18002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + name: wasm_cluster + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + tlsCertificateSdsSecretConfigs: + - name: xds_certificate + sdsConfig: + pathConfigSource: + path: /sds/xds-certificate.json + resourceApiVersion: V3 + tlsParams: + tlsMaximumProtocolVersion: TLSv1_3 + validationContextSdsSecretConfig: + name: xds_trusted_ca + sdsConfig: + pathConfigSource: + path: /sds/xds-trusted-ca.json + resourceApiVersion: V3 + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: {} + - connectTimeout: 0.250s + loadAssignment: + clusterName: prometheus_stats + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 127.0.0.1 + portValue: 19000 + name: prometheus_stats + type: STATIC + listeners: + - address: + socketAddress: + address: 0.0.0.0 + portValue: 19001 + filterChains: + - filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + httpFilters: + - name: 
envoy.filters.http.health_check + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + headers: + - name: :path + stringMatch: + exact: /ready + passThroughMode: false + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + routeConfig: + name: local_route + virtualHosts: + - domains: + - '*' + name: prometheus_stats + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + statPrefix: eg-ready-http + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/internal/xds/bootstrap/testdata/merge/patch-global-config.in.yaml b/internal/xds/bootstrap/testdata/merge/patch-global-config.in.yaml new file mode 100644 index 00000000000..2035e5f3433 --- /dev/null +++ b/internal/xds/bootstrap/testdata/merge/patch-global-config.in.yaml @@ -0,0 +1,6 @@ +- op: add + path: /layered_runtime/layers/0/static_layer/envoy.restart_features.use_eds_cache_for_ads + value: false +- op: add + path: /layered_runtime/layers/0/static_layer/envoy.something.completely.made.up + value: arbitrary string diff --git a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml new file mode 100644 index 00000000000..63915cc277a --- /dev/null +++ b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml 
@@ -0,0 +1,169 @@ +admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 +dynamic_resources: + ads_config: + api_type: DELTA_GRPC + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + transport_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 + lds_config: + ads: {} + resource_api_version: V3 +layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: false + envoy.something.completely.made.up: arbitrary string + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 +overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: envoy.resource_monitors.global_downstream_max_connections + typed_config: + '@type': type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 +static_resources: + clusters: + - connect_timeout: 0.250s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + name: prometheus_stats + type: STATIC + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18000 + load_balancing_weight: 1 + load_balancing_weight: 1 + name: xds_cluster + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: 
/sds/xds-certificate.json + resource_api_version: V3 + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + type: STRICT_DNS + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + - connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + load_balancing_weight: 1 + load_balancing_weight: 1 + name: wasm_cluster + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + type: STRICT_DNS + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: {} + listeners: + - address: + socket_address: + address: 0.0.0.0 + port_value: 19001 + protocol: TCP + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_filters: + - name: 
envoy.filters.http.health_check + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + headers: + - name: :path + string_match: + exact: /ready + pass_through_mode: false + - name: envoy.filters.http.router + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + route_config: + name: local_route + virtual_hosts: + - domains: + - '*' + name: prometheus_stats + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + stat_prefix: eg-ready-http + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/api/v1alpha1/validation/testdata/different-dynamic-resources-user-bootstrap.yaml b/internal/xds/bootstrap/testdata/validate/different-dynamic-resources-user-bootstrap.yaml similarity index 100% rename from api/v1alpha1/validation/testdata/different-dynamic-resources-user-bootstrap.yaml rename to internal/xds/bootstrap/testdata/validate/different-dynamic-resources-user-bootstrap.yaml diff --git a/api/v1alpha1/validation/testdata/different-xds-cluster-address-bootstrap.yaml b/internal/xds/bootstrap/testdata/validate/different-xds-cluster-address-bootstrap.yaml similarity index 100% rename from api/v1alpha1/validation/testdata/different-xds-cluster-address-bootstrap.yaml rename to internal/xds/bootstrap/testdata/validate/different-xds-cluster-address-bootstrap.yaml diff --git a/api/v1alpha1/validation/testdata/missing-admin-address-user-bootstrap.yaml b/internal/xds/bootstrap/testdata/validate/missing-admin-address-user-bootstrap.yaml similarity index 100% rename from api/v1alpha1/validation/testdata/missing-admin-address-user-bootstrap.yaml rename to internal/xds/bootstrap/testdata/validate/missing-admin-address-user-bootstrap.yaml 
diff --git a/api/v1alpha1/validation/testdata/valid-user-bootstrap.yaml b/internal/xds/bootstrap/testdata/validate/valid-user-bootstrap.yaml similarity index 100% rename from api/v1alpha1/validation/testdata/valid-user-bootstrap.yaml rename to internal/xds/bootstrap/testdata/validate/valid-user-bootstrap.yaml diff --git a/internal/xds/bootstrap/util.go b/internal/xds/bootstrap/util.go index e00294e2715..701da1f102a 100644 --- a/internal/xds/bootstrap/util.go +++ b/internal/xds/bootstrap/util.go 
@@ -9,33 +9,57 @@ import ( "fmt" bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3" + "k8s.io/utils/ptr" + "sigs.k8s.io/yaml" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/jsonpatch" "github.com/envoyproxy/gateway/internal/utils/proto" _ "github.com/envoyproxy/gateway/internal/xds/extensions" // DON'T REMOVE: import of all extensions ) // ApplyBootstrapConfig applies the bootstrap config to the default bootstrap config and return the result config. +// The defaultBootstrap is expected to be a YAML string func ApplyBootstrapConfig(boostrapConfig *egv1a1.ProxyBootstrap, defaultBootstrap string) (string, error) { bootstrapType := boostrapConfig.Type - if bootstrapType != nil && *bootstrapType == egv1a1.BootstrapTypeMerge { + if bootstrapType == nil { + // The documentation defines that a nil bootstrapType defaults to the "Replace" operation + bootstrapType = ptr.To(egv1a1.BootstrapTypeReplace) + } + switch *bootstrapType { + case egv1a1.BootstrapTypeMerge: mergedBootstrap, err := mergeBootstrap(defaultBootstrap, boostrapConfig.Value) if err != nil { return "", err } return mergedBootstrap, nil + case egv1a1.BootstrapTypeReplace: + // CEL validates that Value will not be nil + return *boostrapConfig.Value, nil + case egv1a1.BootstrapTypeJSONPatch: + patchedBootstrap, err := jsonPatchBootstrap(defaultBootstrap, boostrapConfig.JSONPatches) + if err != nil { + return "", err + } + return patchedBootstrap, nil + default: + // This is unreachable code due to the CEL validation on egv1a1.ProxyBootstrap + return defaultBootstrap, fmt.Errorf("unsupported bootstrap patch type %s", *bootstrapType) } - return boostrapConfig.Value, nil } -func mergeBootstrap(base, override string) (string, error) { +func mergeBootstrap(base string, override *string) (string, error) { + if override == nil { + return base, nil + } dst := &bootstrapv3.Bootstrap{} if err := 
proto.FromYAML([]byte(base), dst); err != nil { return "", fmt.Errorf("failed to parse default bootstrap config: %w", err) } src := &bootstrapv3.Bootstrap{} - if err := proto.FromYAML([]byte(override), src); err != nil { + if err := proto.FromYAML([]byte(*override), src); err != nil { return "", fmt.Errorf("failed to parse override bootstrap config: %w", err) } @@ -52,3 +76,26 @@ func mergeBootstrap(base, override string) (string, error) { return string(data), nil } + +func jsonPatchBootstrap(baseYAML string, patches []egv1a1.JSONPatchOperation) (string, error) { + jsonBytes, err := yaml.YAMLToJSON([]byte(baseYAML)) + if err != nil { + return baseYAML, err + } + translatedPatches := []ir.JSONPatchOperation{} + for _, p := range patches { + translatedPatches = append(translatedPatches, ir.JSONPatchOperation{ + Op: ir.TranslateJSONPatchOp(p.Op), + Path: p.Path, + JSONPath: p.JSONPath, + From: p.From, + Value: p.Value, + }) + } + jsonBytes, err = jsonpatch.ApplyJSONPatches(jsonBytes, translatedPatches...) + if err != nil { + return baseYAML, err + } + yamlBytes, err := yaml.JSONToYAML(jsonBytes) + return string(yamlBytes), err +} diff --git a/internal/xds/bootstrap/util_test.go b/internal/xds/bootstrap/util_test.go index 5591d0e4f53..bfa5d191c46 100644 --- a/internal/xds/bootstrap/util_test.go +++ b/internal/xds/bootstrap/util_test.go @@ -14,6 +14,7 @@ import ( "github.com/stretchr/testify/require" "k8s.io/utils/ptr" + "sigs.k8s.io/yaml" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) @@ -34,6 +35,13 @@ func TestApplyBootstrapConfig(t *testing.T) { }, defaultBootstrap: str, }, + { + name: "merge-user-bootstrap", + boostrapConfig: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapTypeMerge), + }, + defaultBootstrap: str, + }, { name: "stats_sinks", boostrapConfig: &egv1a1.ProxyBootstrap{ 
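Review bot: The `BootstrapTypeReplace` branch of ApplyBootstrapConfig returns `*boostrapConfig.Value` with only the CEL rule standing between a nil `Value` and a panic in the control plane. CEL is enforced at admission, so any caller that builds a ProxyBootstrap some other way (the tests in this change construct them directly) would hit the dereference. The function should check it itself, e.g. `if boostrapConfig.Value == nil { return "", fmt.Errorf("bootstrap value is required for type %s", *bootstrapType) }`. The `default` branch also returns `defaultBootstrap` together with a non-nil error, where the Merge and JSONPatch error paths return `""`. mergeBootstrap's body continues outside the hunk.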
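Review bot: jsonPatchBootstrap returns `baseYAML` alongside a non-nil error and passes the underlying errors through without context, while mergeBootstrap in the same file returns `""` and wraps with `%w`. A caller that mishandles the error would continue with the unpatched default bootstrap as if the patch had been applied, so prefer `return "", fmt.Errorf("failed to apply JSON patches to bootstrap: %w", err)` on each failure path. The translated operations are also handed to `jsonpatch.ApplyJSONPatches` without the `Operation.Validate()` call that processJSONPatches makes first. If ApplyJSONPatches does not validate internally (not visible here), add that call inside the loop.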
@@ -41,6 +49,13 @@ func TestApplyBootstrapConfig(t *testing.T) { }, defaultBootstrap: str, }, + { + name: "patch-global-config", + boostrapConfig: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapTypeJSONPatch), + }, + defaultBootstrap: str, + }, } for _, tc := range cases { @@ -48,7 +63,14 @@ func TestApplyBootstrapConfig(t *testing.T) { in, err := loadData(tc.name, "in") require.NoError(t, err) - tc.boostrapConfig.Value = in + switch *tc.boostrapConfig.Type { + case egv1a1.BootstrapTypeJSONPatch: + err = yaml.Unmarshal([]byte(in), &tc.boostrapConfig.JSONPatches) + require.NoError(t, err) + default: + tc.boostrapConfig.Value = &in + } + data, err := ApplyBootstrapConfig(tc.boostrapConfig, tc.defaultBootstrap) require.NoError(t, err) diff --git a/internal/xds/bootstrap/validate.go b/internal/xds/bootstrap/validate.go new file mode 100644 index 00000000000..5e08db72957 --- /dev/null +++ b/internal/xds/bootstrap/validate.go 
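Review bot: `switch *tc.boostrapConfig.Type` in the test loop dereferences `Type` unconditionally, so a case with a nil `Type` cannot be added without panicking the test. That is the default-to-Replace path ApplyBootstrapConfig now handles explicitly. Switching on `ptr.Deref(tc.boostrapConfig.Type, egv1a1.BootstrapTypeReplace)` keeps the loop usable for it, and a nil-`Type` entry in `cases` would then cover the new branch. The test function starts outside this hunk.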
@@ -0,0 +1,89 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package bootstrap
+
+import (
+ "fmt"
+
+ bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
+ clusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
+ "github.com/google/go-cmp/cmp"
+ "google.golang.org/protobuf/testing/protocmp"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+ "github.com/envoyproxy/gateway/internal/utils/proto"
+ _ "github.com/envoyproxy/gateway/internal/xds/extensions" // DON'T REMOVE: import of all extensions
+)
+
+func fetchAndPatchBootstrap(boostrapConfig *egv1a1.ProxyBootstrap) (*bootstrapv3.Bootstrap, *bootstrapv3.Bootstrap, error) {
+ defaultBootstrapStr, err := GetRenderedBootstrapConfig(nil)
+ if err != nil {
+ return nil, nil, err
+ }
+ defaultBootstrap := &bootstrapv3.Bootstrap{}
+ if err := proto.FromYAML([]byte(defaultBootstrapStr), defaultBootstrap); err != nil {
+ return nil, nil, fmt.Errorf("unable to unmarshal default bootstrap: %w", err)
+ }
+ if err := defaultBootstrap.Validate(); err != nil {
+ return nil, nil, fmt.Errorf("default bootstrap validation failed: %w", err)
+ }
+ // Validate user bootstrap config
+ patchedYaml, err := ApplyBootstrapConfig(boostrapConfig, defaultBootstrapStr)
+ if err != nil {
+ return nil, nil, err
+ }
+ patchedBootstrap := &bootstrapv3.Bootstrap{}
+ if err := proto.FromYAML([]byte(patchedYaml), patchedBootstrap); err != nil {
+ return nil, nil, fmt.Errorf("unable to unmarshal user bootstrap: %w", err)
+ }
+ if err := patchedBootstrap.Validate(); err != nil {
+ return nil, nil, fmt.Errorf("validation failed for user bootstrap: %w", err)
+ }
+ return patchedBootstrap, defaultBootstrap, err
+}
+
+// Validate ensures that after applying the provided bootstrap configuration, the resulting
+// bootstrap is still OK.
+// This code previously was part of the validate logic in api/v1alpha1/validate, but was moved
+// here to prevent code in the api packages from accessing code from the internal packages.
+func Validate(boostrapConfig *egv1a1.ProxyBootstrap) error {
+ if boostrapConfig == nil {
+ return nil
+ }
+ // Validate user bootstrap config
+ // TODO: need validate when enable prometheus?
+ userBootstrap, defaultBootstrap, err := fetchAndPatchBootstrap(boostrapConfig)
+ if err != nil {
+ return err
+ }
+
+ // Ensure dynamic resources config is same
+ if userBootstrap.DynamicResources == nil ||
+ cmp.Diff(userBootstrap.DynamicResources, defaultBootstrap.DynamicResources, protocmp.Transform()) != "" {
+ return fmt.Errorf("dynamic_resources cannot be modified")
+ }
+
+ // Ensure that the xds_cluster config is same
+ var userXdsCluster, defaultXdsCluster *clusterv3.Cluster
+ for _, cluster := range userBootstrap.StaticResources.Clusters {
+ if cluster.Name == "xds_cluster" {
+ userXdsCluster = cluster
+ break
+ }
+ }
+ for _, cluster := range defaultBootstrap.StaticResources.Clusters {
+ if cluster.Name == "xds_cluster" {
+ defaultXdsCluster = cluster
+ break
+ }
+ }
+ if userXdsCluster == nil ||
+ cmp.Diff(userXdsCluster.LoadAssignment, defaultXdsCluster.LoadAssignment, protocmp.Transform()) != "" {
+ return fmt.Errorf("xds_cluster's loadAssigntment cannot be modified")
+ }
+
+ return nil
+}
diff --git a/internal/xds/bootstrap/validate_test.go b/internal/xds/bootstrap/validate_test.go
new file mode 100644
index 00000000000..9c6791fea3b
--- /dev/null
+++ b/internal/xds/bootstrap/validate_test.go
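Review bot: In Validate, `userBootstrap.StaticResources.Clusters` is read through a direct field access, so a patched bootstrap with no `static_resources` would panic here instead of returning a validation error. A Replace value that omits the block, or a JSONPatch `remove` on that path, could produce that, unless the generated `Validate()` rejects it first, which is not visible in this file. The generated getters are nil-safe, e.g. `for _, cluster := range userBootstrap.GetStaticResources().GetClusters() {`, and the final check should compare `userXdsCluster.GetLoadAssignment()` with `defaultXdsCluster.GetLoadAssignment()` so a missing default cluster cannot panic either. Separately, only `LoadAssignment` of `xds_cluster` is compared, so a patch can still alter that cluster's `transport_socket`; if the intent is to pin the control-plane connection, compare that field too. The error string also misspells the field as `loadAssigntment`.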
@@ -0,0 +1,76 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package bootstrap
+
+import (
+ // Register embed
+ _ "embed"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+)
+
+var (
+ //go:embed testdata/validate/valid-user-bootstrap.yaml
+ validUserBootstrap string
+ //go:embed testdata/validate/missing-admin-address-user-bootstrap.yaml
+ missingAdminAddressUserBootstrap string
+ //go:embed testdata/validate/different-dynamic-resources-user-bootstrap.yaml
+ differentDynamicResourcesUserBootstrap string
+ //go:embed testdata/validate/different-xds-cluster-address-bootstrap.yaml
+ differentXdsClusterAddressBootstrap string
+)
+
+func TestValidateBootstrap(t *testing.T) {
+ testCases := []struct {
+ name string
+ bootstrap *egv1a1.ProxyBootstrap
+ expected bool
+ }{
+ {
+ name: "valid user bootstrap replace type",
+ bootstrap: &egv1a1.ProxyBootstrap{
+ Value: &validUserBootstrap,
+ },
+ expected: true,
+ },
+ {
+ name: "user bootstrap with missing admin address",
+ bootstrap: &egv1a1.ProxyBootstrap{
+ Value: &missingAdminAddressUserBootstrap,
+ },
+ expected: false,
+ },
+ {
+ name: "user bootstrap with different dynamic resources",
+ bootstrap: &egv1a1.ProxyBootstrap{
+ Value: &differentDynamicResourcesUserBootstrap,
+ },
+ expected: false,
+ },
+ {
+ name: "user bootstrap with different xds_cluster endpoint",
+ bootstrap: &egv1a1.ProxyBootstrap{
+ Value: &differentXdsClusterAddressBootstrap,
+ },
+ expected: false,
+ },
+ }
+
+ for i := range testCases {
+ tc := testCases[i]
+ t.Run(tc.name, func(t *testing.T) {
+ err := Validate(tc.bootstrap)
+ if tc.expected {
+ require.NoError(t, err)
+ } else {
+ require.Error(t, err)
+ }
+ })
+ }
+}
diff --git a/internal/xds/translator/jsonpatch.go b/internal/xds/translator/jsonpatch.go
index bb8ed8bef2b..8a56ed689e4 100644
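Review bot: Every case in TestValidateBootstrap sets only `Value` and leaves `Type` nil, so Validate is exercised for the Replace path alone even though this change makes it the gate for Merge and JSONPatch as well. Add negative cases where a `BootstrapTypeJSONPatch` config patches `/dynamic_resources` or the `xds_cluster` load assignment and assert that Validate returns an error, plus a positive JSONPatch case along the lines of the `patch-global-config` fixture. Asserting on the error text with `require.ErrorContains` instead of a bare `expected bool` would also show which guard rejected the input.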
--- a/internal/xds/translator/jsonpatch.go +++ b/internal/xds/translator/jsonpatch.go @@ -16,23 +16,18 @@ import ( routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" resourcev3 "github.com/envoyproxy/go-control-plane/pkg/resource/v3" - jsonpatchv5 "github.com/evanphx/json-patch/v5" "google.golang.org/protobuf/encoding/protojson" "sigs.k8s.io/yaml" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/jsonpatch" _ "github.com/envoyproxy/gateway/internal/xds/extensions" // register the generated types to support protojson unmarshalling "github.com/envoyproxy/gateway/internal/xds/types" ) const ( - AddOperation = "add" - RemoveOperation = "remove" - ReplaceOperation = "replace" - CopyOperation = "copy" - MoveOperation = "move" - EmptyPath = "" + EmptyPath = "" ) type typedName struct { 
@@ -69,24 +64,14 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []* err error ) - switch p.Operation.Op { - case AddOperation, ReplaceOperation: - if p.Operation.Value == nil { - tErr := fmt.Errorf("the %s operation requires a value", p.Operation.Op) - tErrs = errors.Join(tErrs, tErr) - continue - } - default: - if p.Operation.Value != nil { - tErr := fmt.Errorf("the value field can not be set for the %s operation", p.Operation.Op) - tErrs = errors.Join(tErrs, tErr) - continue - } + if err := p.Operation.Validate(); err != nil { + tErrs = errors.Join(tErrs, err) + continue } // If Path and JSONPath is "" and op is "add", unmarshal and add the patch as a complete // resource - if p.Operation.Op == AddOperation && p.Operation.IsPathNilOrEmpty() && p.Operation.IsJSONPathNilOrEmpty() { + if p.Operation.Op == ir.JSONPatchOpAdd && p.Operation.IsPathNilOrEmpty() && p.Operation.IsJSONPathNilOrEmpty() { // Convert patch to JSON // The patch library expects an array so convert it into one y, err := yaml.Marshal(p.Operation.Value) 
@@ -240,152 +225,103 @@ func processJSONPatches(tCtx *types.ResourceVersionTable, envoyPatchPolicies []* } } - var jsonPointers []string - if p.Operation.JSONPath != nil { - path := "" - if p.Operation.Path != nil { - path = *p.Operation.Path + modifiedJSON, err := jsonpatch.ApplyJSONPatches(resourceJSON, p.Operation) + if err != nil { + tErrs = errors.Join(tErrs, err) + continue + } + + // Unmarshal back to typed resource + // Use a temp staging variable that can be marshalled + // into and validated before saving it into the xds output resource + switch p.Type { + case resourcev3.ListenerType: + temp := &listenerv3.Listener{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue } - jsonPointers, err = ConvertPathToPointers(resourceJSON, *p.Operation.JSONPath, path) - if err != nil { - tErr := fmt.Errorf("unable to convert jsonPath: '%s' into jsonPointers, err: %s", *p.Operation.JSONPath, err.Error()) + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - } else { - jsonPointers = []string{*p.Operation.Path} - } - - for _, path := range jsonPointers { - op := ir.JSONPatchOperation{ - Path: &path, - Op: p.Operation.Op, - Value: p.Operation.Value, - 
From: p.Operation.From, + if err = deepCopyPtr(temp, listener); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue } - - // Convert patch to JSON - // The patch library expects an array so convert it into one - y, err := yaml.Marshal([]ir.JSONPatchOperation{op}) - if err != nil { - tErr := fmt.Errorf("unable to marshal patch %+v, err: %s", op, err.Error()) + case resourcev3.RouteType: + temp := &routev3.RouteConfiguration{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) tErrs = errors.Join(tErrs, tErr) continue } - jsonBytes, err := yaml.YAMLToJSON(y) - if err != nil { - tErr := fmt.Errorf("unable to convert patch to json %s, err: %s", string(y), err.Error()) + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) tErrs = errors.Join(tErrs, tErr) continue } - patchObj, err := jsonpatchv5.DecodePatch(jsonBytes) - if err != nil { - tErr := fmt.Errorf("unable to decode patch %s, err: %s", string(jsonBytes), err.Error()) + if err = deepCopyPtr(temp, routeConfig); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) tErrs = errors.Join(tErrs, tErr) continue } - - // Apply patch - opts := jsonpatchv5.NewApplyOptions() - opts.EnsurePathExistsOnAdd = true - modifiedJSON, err := patchObj.ApplyWithOptions(resourceJSON, opts) - if err != nil { - tErr := fmt.Errorf("unable to apply patch:\n%s on resource:\n%s, err: %s", string(jsonBytes), string(resourceJSON), err.Error()) + case resourcev3.ClusterType: + temp := &clusterv3.Cluster{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) tErrs = errors.Join(tErrs, tErr) continue } - - // Unmarshal back to typed resource - // 
Use a temp staging variable that can be marshalled - // into and validated before saving it into the xds output resource - switch p.Type { - case resourcev3.ListenerType: - temp := &listenerv3.Listener{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, listener); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.RouteType: - temp := &routev3.RouteConfiguration{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, routeConfig); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.ClusterType: - temp := &clusterv3.Cluster{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, cluster); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", 
string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.EndpointType: - temp := &endpointv3.ClusterLoadAssignment{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, endpoint); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } - case resourcev3.SecretType: - temp := &tlsv3.Secret{} - if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { - tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = temp.Validate(); err != nil { - tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) - tErrs = errors.Join(tErrs, tErr) - continue - } - if err = deepCopyPtr(temp, secret); err != nil { - tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) - tErrs = errors.Join(tErrs, tErr) - continue - } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, cluster); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } + case resourcev3.EndpointType: + temp := &endpointv3.ClusterLoadAssignment{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) 
+ continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, endpoint); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue + } + case resourcev3.SecretType: + temp := &tlsv3.Secret{} + if err = protojson.Unmarshal(modifiedJSON, temp); err != nil { + tErr := errors.New(unmarshalErrorMessage(err, string(modifiedJSON))) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = temp.Validate(); err != nil { + tErr := fmt.Errorf("validation failed for xds resource %s, err:%s", string(modifiedJSON), err.Error()) + tErrs = errors.Join(tErrs, tErr) + continue + } + if err = deepCopyPtr(temp, secret); err != nil { + tErr := fmt.Errorf("unable to copy xds resource %s, err: %w", string(modifiedJSON), err) + tErrs = errors.Join(tErrs, tErr) + continue } } + } // Set translation errors for every policy ancestor references diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 08ab0d24b3b..06a9a86131b 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -60,6 +60,7 @@ func TestTranslateXds(t *testing.T) { }, "jsonpatch-add-op-empty-jsonpath": { requireEnvoyPatchPolicies: true, + errMsg: "a patch operation must specify a path or jsonPath", }, "jsonpatch-missing-resource": { requireEnvoyPatchPolicies: true, @@ -74,7 +75,7 @@ func TestTranslateXds(t *testing.T) { }, "jsonpatch-move-op-with-value": { requireEnvoyPatchPolicies: true, - errMsg: "the value field can not be set for the remove operation", + errMsg: "value and from can't be specified with the remove operation", }, "http-route-invalid": { errMsg: "validation failed for xds resource", 
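Review bot: The `resourcev3.SecretType` arm builds its error messages from `string(modifiedJSON)`, which for a `tlsv3.Secret` is the serialized secret itself. Those errors are joined into `tErrs`, which the comment after the loop indicates is then set on the policy status. If the patched secret carries inline key material it would be copied into status and any logs of that error, so in that arm report the resource type instead of the body, e.g. `tErr := fmt.Errorf("validation failed for patched %s resource: %w", p.Type, err)`, and do the same for the unmarshal and copy errors. The five arms are otherwise identical apart from the target type, so a small helper would remove the repetition. processJSONPatches starts before this hunk and continues after it.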
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 1dca75a33db..94fad9c157e 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -507,6 +507,7 @@ _Appears in:_ | ----- | ----------- | | `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| | `Replace` | Replace replaces the default bootstrap with the provided one.
| +| `JSONPatch` | JSONPatch applies the provided JSONPatches to the default bootstrap.
| #### CIDR @@ -2082,6 +2083,7 @@ https://datatracker.ietf.org/doc/html/rfc6902 _Appears in:_ - [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) +- [ProxyBootstrap](#proxybootstrap) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2805,8 +2807,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge.
If unspecified, it defaults to Replace. | -| `value` | _string_ | true | Value is a YAML string of the bootstrap. | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | #### ProxyLogComponent diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 1dca75a33db..94fad9c157e 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -507,6 +507,7 @@ _Appears in:_ | ----- | ----------- | | `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| | `Replace` | Replace replaces the default bootstrap with the provided one.
| +| `JSONPatch` | JSONPatch applies the provided JSONPatches to the default bootstrap.
| #### CIDR @@ -2082,6 +2083,7 @@ https://datatracker.ietf.org/doc/html/rfc6902 _Appears in:_ - [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) +- [ProxyBootstrap](#proxybootstrap) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2805,8 +2807,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge.
If unspecified, it defaults to Replace. | -| `value` | _string_ | true | Value is a YAML string of the bootstrap. | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | #### ProxyLogComponent diff --git a/test/cel-validation/envoyproxy_test.go b/test/cel-validation/envoyproxy_test.go index 76ba7434048..865da4ac306 100644 --- a/test/cel-validation/envoyproxy_test.go +++ b/test/cel-validation/envoyproxy_test.go @@ -1346,6 +1346,65 @@ func TestEnvoyProxyProvider(t *testing.T) { }, wantErrors: []string{"cannot use envoyHpa if envoyDaemonSet is used"}, }, + { + desc: "mismatched bootstrap patch configured - one", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Bootstrap: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapType("Merge")), + JSONPatches: []egv1a1.JSONPatchOperation{ + { + Op: egv1a1.JSONPatchOperationType("remove"), + Path: ptr.To("/some/path"), + }, + }, + }, + } + }, + wantErrors: []string{ + "provided bootstrap patch doesn't match the configured patch type", + }, + }, + { + desc: "mismatched bootstrap patch configured - two", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Bootstrap: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapType("JSONPatch")), + Value: ptr.To("some value"), + }, + } + }, + wantErrors: []string{ + "provided bootstrap patch doesn't match the configured patch type", + }, + }, + { + desc: "missing bootstrap patch - one", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Bootstrap: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapType("JSONPatch")), + }, + } + }, + wantErrors: []string{ + "provided bootstrap patch doesn't match the configured patch type", + }, + }, + { + desc: "missing bootstrap patch - two", + mutate: func(envoy *egv1a1.EnvoyProxy) { + envoy.Spec = egv1a1.EnvoyProxySpec{ + Bootstrap: &egv1a1.ProxyBootstrap{ + Type: ptr.To(egv1a1.BootstrapType("Merge")), + }, + } + }, + wantErrors: []string{ + "provided bootstrap patch doesn't match the configured patch type", + }, + }, } for _, tc := range cases { 
From 5998980787d73895b6523d573c809ea76264720e Mon Sep 17 00:00:00 2001 From: shahar-h Date: Thu, 5 Sep 2024 16:43:28 +0300 Subject: [PATCH 114/523] ci: fix osv vulnerability and license scans and add license overrides (#4157) * ci: fix osv vulnerability and license scans Signed-off-by: Shahar Harari * fix lint issue Signed-off-by: Shahar Harari * unknown -> unidentified Signed-off-by: Shahar Harari * revert collect.go Signed-off-by: Shahar Harari * revert go.mod and go.sum Signed-off-by: Shahar Harari --------- Signed-off-by: Shahar Harari --- .github/workflows/license-scan.yml | 6 +- .github/workflows/osv-scanner.yml | 6 +- osv-scanner.toml | 122 +++++++++++++++++++++++++++++ tools/osv-scanner/config.toml | 3 - 4 files changed, 130 insertions(+), 7 deletions(-) create mode 100644 osv-scanner.toml delete mode 100644 tools/osv-scanner/config.toml diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index a754e0130fd..8be0962d2a1 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -20,8 +20,12 @@ jobs: - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@678a866dcba398c8ed0124a09928d250f187b52a # v1.8.4 with: + # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib + --no-call-analysis=go ./ - continue-on-error: true # TODO remove once all issues are resolved + # TODO remove once github.com/hashicorp/go-getter gets license exception in CNCF or removed from the project + # See https://github.com/cncf/foundation/issues/624 + continue-on-error: true diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 0ca78e136d0..6810220c670 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
@@ -26,9 +26,9 @@ jobs: scan-args: |- --skip-git --recursive - ./ --config tools/osv-scanner/config.toml + ./ scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} @@ -38,9 +38,9 @@ jobs: contents: read security-events: write with: + # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --recursive + --no-call-analysis=go ./ - --config - tools/osv-scanner/config.toml diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 00000000000..e338d0da1b9 --- /dev/null +++ b/osv-scanner.toml 
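Review bot: The first hunk of osv-scanner.yml appears to leave `--config` and `tools/osv-scanner/config.toml` in the scheduled job's scan-args as context lines, with only `./` moving below them. This same commit deletes tools/osv-scanner/config.toml and adds a root osv-scanner.toml. If that reading of the collapsed hunk is right, the scheduled scan references a file that no longer exists, so those two lines should be dropped there as the second hunk does for the PR job. The jobs also diverge on `--no-call-analysis=go`, which only the PR job receives; add it to the scheduled job with the same TODO, or note in a comment why the two scans are meant to differ.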
@@ -0,0 +1,122 @@
+[[IgnoredVulns]]
+id = "GO-2022-0646"
+reason = "No a real issue, just a warning about third party package."
+
+[[PackageOverrides]]
+name = "github.com/AdaLogics/go-fuzz-headers"
+version = "0.0.0-20230811130428-ced1acdcaa24"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license since package version is missing in pkg.go.dev"
+
+[[PackageOverrides]]
+name = "github.com/asaskevich/govalidator"
+version = "0.0.0-20230301143203-a9d515a09cc2"
+ecosystem = "Go"
+license.override = ["MIT"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/containers/storage"
+version = "1.55.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/104 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/distribution/distribution/v3"
+version = "3.0.0-beta.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/docker/go-metrics"
+version = "0.0.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/go-sql-driver/mysql"
+version = "1.8.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception.
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/errwrap"
+version = "1.1.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-cleanhttp"
+version = "0.5.2"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-multierror"
+version = "1.1.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-version"
+version = "1.7.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception.
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/hcl"
+version = "1.0.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/moby/patternmatcher"
+version = "0.6.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/106 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/opencontainers/go-digest"
+version = "1.0.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/shoenig/go-m1cpu"
+version = "0.1.6"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception.
See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
+
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/grafana/tempo"
+version = "1.5.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package is only used in e2e tests so we can ignore its license"
\ No newline at end of file
diff --git a/tools/osv-scanner/config.toml b/tools/osv-scanner/config.toml
deleted file mode 100644
index 873ec8599d9..00000000000
--- a/tools/osv-scanner/config.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[[IgnoredVulns]]
-id = "GO-2022-0646 "
-reason = "No a real issue, just a warning about third party package."
From 4ed16f2637fd012a8940476f1dc0381164a84885 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 6 Sep 2024 12:06:46 +0800 Subject: [PATCH 115/523] API: authorization api for jwt claims (#4009) * authorization api for jwt claims Signed-off-by: Huabing Zhao * fix gen check Signed-off-by: Huabing Zhao * add comments Signed-off-by: Huabing Zhao * change claim type to value type Signed-off-by: Huabing Zhao * add well-known claims to API Signed-off-by: Huabing Zhao * update api Signed-off-by: Huabing Zhao * update comments Signed-off-by: Huabing Zhao * Update api/v1alpha1/authorization_types.go Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update api/v1alpha1/authorization_types.go Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update api/v1alpha1/authorization_types.go Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * address comments Signed-off-by: Huabing Zhao * add CEL validation Signed-off-by: Huabing Zhao * fix cel test
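Review bot: The `[[IgnoredVulns]]` entry for GO-2022-0646 carries no expiry, and its reason does not name the affected module, so the suppression stays in force indefinitely and cannot be re-assessed from this file alone. osv-scanner's config accepts an `ignoreUntil` date on ignored entries; add `ignoreUntil = <review date>` and reword the reason to name the module and why the finding does not apply. Separately, the entries that set `license.override = ["Apache-2.0"]` for MPL-2.0 packages make the scanner report a license those packages do not have, so each `reason` should keep stating the real license. The github.com/grafana/tempo entry does not state it. The `stdlib` entry has no `version` and presumably applies to every version; a comment saying this is intended would help.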
Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta Co-authored-by: zirain --- api/v1alpha1/authorization_types.go | 73 ++++++++++++++- api/v1alpha1/securitypolicy_types.go | 1 + api/v1alpha1/zz_generated.deepcopy.go | 57 ++++++++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 84 ++++++++++++++++- site/content/en/latest/api/extension_types.md | 52 ++++++++++- site/content/zh/latest/api/extension_types.md | 52 ++++++++++- test/cel-validation/securitypolicy_test.go | 92 +++++++++++++++++++ 7 files changed, 399 insertions(+), 12 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 3a589daef9f..2851cecf6d7 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -36,6 +36,9 @@ type AuthorizationRule struct { Action AuthorizationAction `json:"action"` // Principal specifies the client identity of a request. + // If there are multiple principal types, all principals must match for the rule to match. + // For example, if there are two principals: one for client IP and one for JWT claim, + // the rule will match only if both the client IP and the JWT claim match. Principal Principal `json:"principal"` } 
@@ -43,21 +46,85 @@ type AuthorizationRule struct { // A client identity can be a client IP, a JWT claim, username from the Authorization header, // or any other identity that can be extracted from a custom header. // Currently, only the client IP is supported. +// +// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt))",message="at least one of clientCIDRs or jwt must be specified" type Principal struct { // ClientCIDRs are the IP CIDR ranges of the client. // Valid examples are "192.168.1.0/24" or "2001:db8::/64" // + // If multiple CIDR ranges are specified, one of the CIDR ranges must match + // the client IP for the rule to match. + // // The client IP is inferred from the X-Forwarded-For header, a custom header, // or the proxy protocol. // You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in // the `ClientTrafficPolicy` to configure how the client IP is detected. - // +kubebuilder:validation:MinItems=1 + // +optional ClientCIDRs []CIDR `json:"clientCIDRs"` - // TODO: Zhaohuabing the MinItems=1 validation can be relaxed to allow empty list - // after other principal types are supported. However, at least one principal is required + // JWT authorize the request based on the JWT claims and scopes. + // Note: in order to use JWT claims for authorization, you must configure the + // JWT authentication in the same `SecurityPolicy`. + // +optional + // +notImplementedHide + JWT *JWTPrincipal `json:"jwt,omitempty"` +} + +// JWTPrincipal specifies the client identity of a request based on the JWT claims and scopes. +// At least one of the claims or scopes must be specified. +// Claims and scopes are And-ed together if both are specified. +// +// +kubebuilder:validation:XValidation:rule="(has(self.claims) || has(self.scopes))",message="at least one of claims or scopes must be specified" +type JWTPrincipal struct { + // Claims are the claims in a JWT token. 
+ // + // If multiple claims are specified, all claims must match for the rule to match. + // For example, if there are two claims: one for the audience and one for the issuer, + // the rule will match only if both the audience and the issuer match. + // +optional + Claims []JWTClaim `json:"claims,omitempty"` + + // Scopes are a special type of claim in a JWT token that represents the permissions of the client. + // + // The value of the scopes field should be a space delimited string that is expected in the scope parameter, + // as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23. + // + // If multiple scopes are specified, all scopes must match for the rule to match. + // +optional + Scopes []string `json:"scopes,omitempty"` +} + +// JWTClaim specifies a claim in a JWT token. +type JWTClaim struct { + // Name is the name of the claim. + // If it is a nested claim, use a dot (.) separated string as the name to + // represent the full path to the claim. + // For example, if the claim is in the "department" field in the "organization" field, + // the name should be "organization.department". + Name string `json:"name"` + + // ValueType is the type of the claim value. + // Only String and StringArray types are supported for now. + // +kubebuilder:validation:Enum=String;StringArray + // +kubebuilder:default=String + // +unionDiscriminator + // +optional + ValueType *JWTClaimValueType `json:"valueType,omitempty"` + + // Values are the values that the claim must match. + // If the claim is a string type, the specified value must match exactly. + // If the claim is a string array type, the specified value must match one of the values in the array. + // If multiple values are specified, one of the values must match for the rule to match. 
+ Values []string `json:"values"` } +type JWTClaimValueType string + +const ( + JWTClaimValueTypeString JWTClaimValueType = "String" + JWTClaimValueTypeStringArray JWTClaimValueType = "StringArray" +) + // AuthorizationAction defines the action to be taken if a rule matches. // +kubebuilder:validation:Enum=Allow;Deny type AuthorizationAction string diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go index 1720d0561a5..542971ec1d6 100644 --- a/api/v1alpha1/securitypolicy_types.go +++ b/api/v1alpha1/securitypolicy_types.go @@ -41,6 +41,7 @@ type SecurityPolicy struct { // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.group == 'gateway.networking.k8s.io') : true ", message="this policy can only have a targetRefs[*].group of gateway.networking.k8s.io" // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']) : true ", message="this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute" // +kubebuilder:validation:XValidation:rule="has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName)) : true",message="this policy does not yet support the sectionName field" +// +kubebuilder:validation:XValidation:rule="(has(self.authorization) && has(self.authorization.rules) && self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt) : true", message="if authorization.rules.principal.jwt is used, jwt must be defined" // // SecurityPolicySpec defines the desired state of SecurityPolicy. type SecurityPolicySpec struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 9afe197fc97..cde4e3b90d7 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
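Review bot: Dropping `+kubebuilder:validation:MinItems=1` from `ClientCIDRs` lets an explicitly empty list through. The new Principal rule only checks `has(self.clientCIDRs) || has(self.jwt)`, and CEL `has()` tests presence rather than length, so `clientCIDRs: []` with no `jwt` should validate as a principal that names nobody. The same gap exists for `Claims`, `Scopes` and `Values`, which carry no minimum, and for `Name`, which may be empty. What an empty principal matches is decided by the translator, which is not visible here, so I would keep `// +kubebuilder:validation:MinItems=1` next to `+optional` on `ClientCIDRs`, add it to `Claims`, `Scopes` and `Values`, and add `// +kubebuilder:validation:MinLength=1` on `Name`. The Principal type comment still says "Currently, only the client IP is supported", which this hunk makes stale.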
@@ -2888,6 +2888,31 @@ func (in *JWT) DeepCopy() *JWT { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *JWTClaim) DeepCopyInto(out *JWTClaim) { + *out = *in + if in.ValueType != nil { + in, out := &in.ValueType, &out.ValueType + *out = new(JWTClaimValueType) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTClaim. +func (in *JWTClaim) DeepCopy() *JWTClaim { + if in == nil { + return nil + } + out := new(JWTClaim) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTExtractor) DeepCopyInto(out *JWTExtractor) { *out = *in @@ -2940,6 +2965,33 @@ func (in *JWTHeaderExtractor) DeepCopy() *JWTHeaderExtractor { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *JWTPrincipal) DeepCopyInto(out *JWTPrincipal) { + *out = *in + if in.Claims != nil { + in, out := &in.Claims, &out.Claims + *out = make([]JWTClaim, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTPrincipal. +func (in *JWTPrincipal) DeepCopy() *JWTPrincipal { + if in == nil { + return nil + } + out := new(JWTPrincipal) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTProvider) DeepCopyInto(out *JWTProvider) { *out = *in 
@@ -3748,6 +3800,11 @@ func (in *Principal) DeepCopyInto(out *Principal) { *out = make([]CIDR, len(*in)) copy(*out, *in) } + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = new(JWTPrincipal) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Principal. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 7631ed68fd0..f0fc4379a75 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -85,14 +85,20 @@ spec: If not specified, Envoy Gateway will generate a unique name for the rule.n type: string principal: - description: Principal specifies the client identity of - a request. + description: |- + Principal specifies the client identity of a request. + If there are multiple principal types, all principals must match for the rule to match. + For example, if there are two principals: one for client IP and one for JWT claim, + the rule will match only if both the client IP and the JWT claim match. properties: clientCIDRs: description: |- ClientCIDRs are the IP CIDR ranges of the client. Valid examples are "192.168.1.0/24" or "2001:db8::/64" + If multiple CIDR ranges are specified, one of the CIDR ranges must match + the client IP for the rule to match. + The client IP is inferred from the X-Forwarded-For header, a custom header, or the proxy protocol. You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in 
@@ -103,11 +109,75 @@ spec: A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) type: string - minItems: 1 type: array - required: - - clientCIDRs + jwt: + description: |- + JWT authorize the request based on the JWT claims and scopes. + Note: in order to use JWT claims for authorization, you must configure the + JWT authentication in the same `SecurityPolicy`. + properties: + claims: + description: |- + Claims are the claims in a JWT token. + + If multiple claims are specified, all claims must match for the rule to match. + For example, if there are two claims: one for the audience and one for the issuer, + the rule will match only if both the audience and the issuer match. + items: + description: JWTClaim specifies a claim in a JWT + token. + properties: + name: + description: |- + Name is the name of the claim. + If it is a nested claim, use a dot (.) separated string as the name to + represent the full path to the claim. + For example, if the claim is in the "department" field in the "organization" field, + the name should be "organization.department". 
+ type: string + valueType: + default: String + description: |- + ValueType is the type of the claim value. + Only String and StringArray types are supported for now. + enum: + - String + - StringArray + type: string + values: + description: |- + Values are the values that the claim must match. + If the claim is a string type, the specified value must match exactly. + If the claim is a string array type, the specified value must match one of the values in the array. + If multiple values are specified, one of the values must match for the rule to match. + items: + type: string + type: array + required: + - name + - values + type: object + type: array + scopes: + description: |- + Scopes are a special type of claim in a JWT token that represents the permissions of the client. + + The value of the scopes field should be a space delimited string that is expected in the scope parameter, + as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23. + + If multiple scopes are specified, all scopes must match for the rule to match. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: at least one of claims or scopes must be + specified + rule: (has(self.claims) || has(self.scopes)) type: object + x-kubernetes-validations: + - message: at least one of clientCIDRs or jwt must be specified + rule: (has(self.clientCIDRs) || has(self.jwt)) required: - action - principal @@ -2321,6 +2391,10 @@ spec: - message: this policy does not yet support the sectionName field rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName)) : true' + - message: if authorization.rules.principal.jwt is used, jwt must be defined + rule: '(has(self.authorization) && has(self.authorization.rules) && + self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt) + : true' status: description: Status defines the current status of SecurityPolicy. properties: 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 94fad9c157e..802efac5828 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | --- | --- | --- | --- | | `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | -| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. | +| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | #### BackOffPolicy @@ -2120,6 +2120,37 @@ _Appears in:_ | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +#### JWTClaim + + + +JWTClaim specifies a claim in a JWT token. + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | + + +#### JWTClaimValueType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTClaim](#jwtclaim) + +| Value | Description | +| ----- | ----------- | +| `String` | | +| `StringArray` | | + + #### JWTExtractor @@ -2153,6 +2184,23 @@ _Appears in:_ | `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | +#### JWTPrincipal + + + +JWTPrincipal specifies the client identity of a request based on the JWT claims and scopes. +At least one of the claims or scopes must be specified. +Claims and scopes are And-ed together if both are specified. + +_Appears in:_ +- [Principal](#principal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | + + #### JWTProvider @@ -2668,7 +2716,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | #### ProcessingModeOptions diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 94fad9c157e..802efac5828 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | --- | --- | --- | --- | | `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | -| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. | +| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | #### BackOffPolicy @@ -2120,6 +2120,37 @@ _Appears in:_ | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +#### JWTClaim + + + +JWTClaim specifies a claim in a JWT token. + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | + + +#### JWTClaimValueType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTClaim](#jwtclaim) + +| Value | Description | +| ----- | ----------- | +| `String` | | +| `StringArray` | | + + #### JWTExtractor @@ -2153,6 +2184,23 @@ _Appears in:_ | `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | +#### JWTPrincipal + + + +JWTPrincipal specifies the client identity of a request based on the JWT claims and scopes. +At least one of the claims or scopes must be specified. +Claims and scopes are And-ed together if both are specified. + +_Appears in:_ +- [Principal](#principal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | + + #### JWTProvider @@ -2668,7 +2716,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | #### ProcessingModeOptions diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index cbc0145aa05..92d179fec6d 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go 
@@ -1030,6 +1030,98 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{}, }, + { + desc: "authorization-missing principal", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.AuthorizationRule{ + { + Action: egv1a1.AuthorizationActionAllow, + Principal: egv1a1.Principal{}, + }, + }, + }, + } + }, + wantErrors: []string{"at least one of clientCIDRs or jwt must be specified"}, + }, + { + desc: "authorization-jwt-claims-without-jwt-authn", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.AuthorizationRule{ + { + Action: egv1a1.AuthorizationActionAllow, + Principal: egv1a1.Principal{ + JWT: &egv1a1.JWTPrincipal{ + Claims: []egv1a1.JWTClaim{ + { + Name: "iss", + Values: []string{"https://example.com"}, + }, + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{"if authorization.rules.principal.jwt is used, jwt must be defined"}, + }, + { + desc: "authorization-jwt-empty-principal", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": 
"reference-apps", + }, + }, + }, + }, + Authorization: &egv1a1.Authorization{ + Rules: []egv1a1.AuthorizationRule{ + { + Action: egv1a1.AuthorizationActionAllow, + Principal: egv1a1.Principal{ + JWT: &egv1a1.JWTPrincipal{}, + }, + }, + }, + }, + } + }, + wantErrors: []string{"at least one of claims or scopes must be specified"}, + }, } for _, tc := range cases { From 358427167d2aac6a8219198943d1c445c843dc5b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Sat, 7 Sep 2024 09:08:43 +0800 Subject: [PATCH 116/523] impl for setting OIDC token cookie domain (#4102) * subdomain impl Signed-off-by: Huabing Zhao * add test Signed-off-by: Huabing Zhao * docs Signed-off-by: Huabing Zhao * update doc Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * upgrade go control plane Signed-off-by: Huabing Zhao * docs Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- examples/extension-server/go.mod | 4 +- examples/extension-server/go.sum | 8 +- go.mod | 4 +- go.sum | 8 +- internal/gatewayapi/securitypolicy.go | 1 + .../testdata/securitypolicy-with-oidc.in.yaml | 1 + .../securitypolicy-with-oidc.out.yaml | 2 + internal/ir/xds.go | 3 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/extensions/extensions.gen.go | 3 +- internal/xds/translator/oidc.go | 4 + .../translator/testdata/in/xds-ir/oidc.yaml | 1 + .../testdata/out/xds-ir/oidc.listeners.yaml | 1 + site/content/en/latest/tasks/security/oidc.md | 105 +++++++++++++++++- 14 files changed, 131 insertions(+), 19 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 6a9f7f98d55..53f4ad7c0a6 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod 
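Review bot: The three cases added to `cases` are all rejections, so nothing in this hunk shows that a rule whose principal carries `jwt` claims or scopes is admitted once the policy also defines `jwt`; a CEL rule that rejected every JWT principal would still pass them. Unless such a case already exists outside the hunk, add one that reuses the `Principal.JWT` from "authorization-jwt-claims-without-jwt-authn", defines `jwt` on the spec, and expects `wantErrors: []string{}`. The first description also breaks the hyphenated pattern of its neighbours; `desc: "authorization-missing-principal",` would keep the names uniform. TestSecurityPolicyTarget starts before the hunk and continues past it.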
@@ -4,7 +4,7 @@ go 1.22.5 require ( github.com/envoyproxy/gateway v1.0.2 - github.com/envoyproxy/go-control-plane v0.13.0 + github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 github.com/urfave/cli/v2 v2.27.2 google.golang.org/grpc v1.66.0 google.golang.org/protobuf v1.34.2 @@ -18,7 +18,7 @@ require ( github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 425c27ef608..de267cce47d 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -11,10 +11,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= -github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 h1:ZY5uB8jkNV3rhhzDI0+B9g5RISAOwazjjGqkP1sQ2HI= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= diff --git a/go.mod b/go.mod index 18b53fa5131..038fc907316 100644 --- a/go.mod +++ b/go.mod 
@@ -12,7 +12,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.2.0+incompatible github.com/dominikbraun/graph v0.23.0 - github.com/envoyproxy/go-control-plane v0.13.0 + github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 @@ -231,7 +231,7 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.3 // indirect github.com/emicklei/go-restful/v3 v3.12.1 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch v5.9.0+incompatible github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect diff --git a/go.sum b/go.sum index 95178635498..943742dcf47 100644 --- a/go.sum +++ b/go.sum 
@@ -423,11 +423,11 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= -github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= -github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 h1:ZY5uB8jkNV3rhhzDI0+B9g5RISAOwazjjGqkP1sQ2HI= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 h1:yz9/p/8QVPuEjPqRfZDXJmRaURKpKkxCZXUhl22i+cU= github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7/go.mod h1:NmJBO+gDMvSQWvcSWq8wmlgkDmHHAkx1SCxEGva5hKU= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 276a63c8bc6..6590311d103 100644 --- a/internal/gatewayapi/securitypolicy.go 
+++ b/internal/gatewayapi/securitypolicy.go @@ -662,6 +662,7 @@ func (t *Translator) buildOIDC( DefaultRefreshTokenTTL: oidc.DefaultRefreshTokenTTL, CookieSuffix: suffix, CookieNameOverrides: policy.Spec.OIDC.CookieNames, + CookieDomain: policy.Spec.OIDC.CookieDomain, HMACSecret: hmacData, }, nil } diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml index d97cf0469df..b5031e6aa50 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml @@ -132,3 +132,4 @@ securityPolicies: defaultTokenTTL: 1h refreshToken: true defaultRefreshTokenTTL: 48h + cookieDomain: "example.com" diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 9d27209dbe3..5f327af8752 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -147,6 +147,7 @@ securityPolicies: group: null kind: null name: client2-secret + cookieDomain: example.com defaultRefreshTokenTTL: 48h0m0s defaultTokenTTL: 1h0m0s forwardAccessToken: true @@ -273,6 +274,7 @@ xdsIR: oidc: clientID: client2.oauth.foo.com clientSecret: Y2xpZW50MTpzZWNyZXQK + cookieDomain: example.com cookieSuffix: 5f93c2e4 defaultRefreshTokenTTL: 48h0m0s defaultTokenTTL: 1h0m0s diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 9a3af5efefb..5d90b6816fd 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -819,6 +819,9 @@ type OIDC struct { // CookieNameOverrides can optionally override the generated name of the cookies set by the oauth filter. CookieNameOverrides *egv1a1.OIDCCookieNames `json:"cookieNameOverrides,omitempty"` + + // CookieDomain sets the domain of the cookies set by the oauth filter. + CookieDomain *string `json:"cookieDomain,omitempty"` } type OIDCProvider struct { 
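Review bot: `CookieDomain: policy.Spec.OIDC.CookieDomain,` copies the user-supplied value into the IR without relating it to the host of `redirectURL`, at least within the lines shown here. A domain that does not cover that host makes browsers drop the token cookies, and an overly broad one hands the access and ID token cookies to every host under it, so a translation-time check is worth having unless the CRD already validates the field. Something like `if d := policy.Spec.OIDC.CookieDomain; d != nil && host != *d && !strings.HasSuffix(host, "."+*d) { return nil, fmt.Errorf("cookieDomain %q does not cover redirectURL host %q", *d, host) }` would do, where `host` stands for the hostname parsed from the redirect URL. buildOIDC starts outside the hunk, so where that URL is parsed is not visible.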
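Review bot: The comment on the new `CookieDomain` field does not say what a nil value means or what widening the domain implies, which is the security-relevant part of this field. I would write it as `// CookieDomain sets the Domain attribute of the cookies set by the oauth filter.` followed by `// When nil the cookies are scoped to the request host; a parent domain makes the token cookies available to all of its subdomains.` The OIDC struct starts before the hunk.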
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 28507722207..c16028999e0 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1900,6 +1900,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(v1alpha1.OIDCCookieNames) (*in).DeepCopyInto(*out) } + if in.CookieDomain != nil { + in, out := &in.CookieDomain, &out.CookieDomain + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDC. diff --git a/internal/xds/extensions/extensions.gen.go b/internal/xds/extensions/extensions.gen.go index 09713ea43df..18a0eeb1c35 100644 --- a/internal/xds/extensions/extensions.gen.go +++ b/internal/xds/extensions/extensions.gen.go @@ -131,7 +131,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/original_src/v3" - _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_logging/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_extraction/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rate_limit_quota/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ratelimit/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3" 
@@ -292,6 +292,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/service/metrics/v3" _ "github.com/envoyproxy/go-control-plane/envoy/service/rate_limit_quota/v3" _ "github.com/envoyproxy/go-control-plane/envoy/service/ratelimit/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/service/redis_auth/v3" _ "github.com/envoyproxy/go-control-plane/envoy/service/route/v3" _ "github.com/envoyproxy/go-control-plane/envoy/service/runtime/v3" _ "github.com/envoyproxy/go-control-plane/envoy/service/secret/v3" diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index e04b601a24a..2102851958c 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -205,6 +205,10 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { oauth2.Config.Credentials.CookieNames.IdToken = *oidc.CookieNameOverrides.IDToken } + if oidc.CookieDomain != nil { + oauth2.Config.Credentials.CookieDomain = *oidc.CookieDomain + } + return oauth2, nil } diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml index 4775fa9676d..828da7c2fb1 100644 --- a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml @@ -73,3 +73,4 @@ http: cookieNameOverrides: idToken: "CustomIdTokenOverride" accessToken: "CustomAccessTokenOverride" + cookieDomain: "example.com" diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index bc4956b285a..f1defaf5d1b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -73,6 +73,7 @@ authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth credentials: clientId: client.oauth.bar.com + cookieDomain: example.com cookieNames: bearerToken: CustomAccessTokenOverride idToken: CustomIdTokenOverride 
diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md index 8add22bfbc3..45adc554a90 100644 --- a/site/content/en/latest/tasks/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -97,7 +97,7 @@ providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA, Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. Please make sure the redirect URL is set to the one you configured in the SecurityPolicy that you will create in the step below. In this example, -the redirect URL is `http://www.example.com:8443/myapp/oauth2/callback`. +the redirect URL is `https://www.example.com:8443/myapp/oauth2/callback`. After registering the application, you should have the following information: * Client ID: The client ID of the OIDC application. 
@@ -221,12 +221,78 @@ If you haven't registered an OIDC application, follow the steps in the previous If you haven't created a kubernetes secret, follow the steps in the previous section to create a kubernetes secret. +### Create an HTTPRoute with a different subdomain + +Let's create another HTTPRoute in the same Gateway, but with a different subdomain. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/foo -o yaml +``` + ### Create a SecurityPolicy Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has -two HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, and the other with the host -`www.example.com` and the path `/`. Either one of the HTTPRoutes can be used to match the `redirectURL` and `logoutPath`. +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +can be used to match the `redirectURL` and `logoutPath`. + +By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -250,6 +316,7 @@ spec: name: "my-app-client-secret" redirectURL: "https://www.example.com:8443/myapp/oauth2/callback" logoutPath: "/myapp/logout" + cookieDomain: "example.com" EOF ``` 
@@ -276,6 +343,7 @@ spec: name: "my-app-client-secret" redirectURL: "https://www.example.com:8443/myapp/oauth2/callback" logoutPath: "/myapp/logout" + cookieDomain: "example.com" ``` {{% /tab %}} 
@@ -287,16 +355,40 @@ Verify the SecurityPolicy configuration: kubectl get securitypolicy/oidc-example -o yaml ``` +### Update the Listener TLS certificate to support multiple subdomains + +Create a multi-domain wildcard certificate for `*.example.com`. + +```shell +openssl req -out wildcard.csr -newkey rsa:2048 -nodes -keyout wildcard.key -subj "/CN=*.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in wildcard.csr -out wildcard.crt +``` + +Replace the TLS certificate of the Gateway with the wildcard certificate. + +```shell +kubectl delete secret example-cert +kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt +``` + ### Testing If you haven't done so, follow the steps in the previous section to port forward gateway port to localhost and put www.example.com in the /etc/hosts file in your test machine. -Open a browser and navigate to the `https://www.example.com:8443/foo` address. You should be redirected to the Google +Also, put foo.example.com in the /etc/hosts file in your test machine. + +```shell +... +127.0.0.1 foo.example.com +``` + +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google login page. After you successfully login, you should see the response from the backend service. -You can also try to access `https://www.example.com:8443/myapp` address. You should be able to see this page since the -path `/myapp` is protected by the same OIDC policy. +You can also try to access `https://foo.example.com:8443` and `https://www.example.com:8443/bar` addresses. You should +be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, +and the cookies are shared across subdomains. ## Clean-Up 
@@ -308,6 +400,7 @@ Delete the SecurityPolicy, the secret and the HTTPRoute: kubectl delete securitypolicy/oidc-example kubectl delete secret/my-app-client-secret kubectl delete httproute/myapp +kubectl delete httproute/foo ``` ## Next Steps From a5fc16228e7721a65bd71ea112465909b93aacad Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 7 Sep 2024 11:33:43 +0800 Subject: [PATCH 117/523] remove MPL packages (#4161) * remove grafana tempo pkg Signed-off-by: zirain * fix hashicorp/go-getter Signed-off-by: zirain * fix ut Signed-off-by: zirain * update github action Signed-off-by: zirain * more fix Signed-off-by: zirain * nit Signed-off-by: zirain * remove more Signed-off-by: zirain * fix unmarshal Signed-off-by: zirain * remove tempopb Signed-off-by: zirain * address comment Signed-off-by: zirain --------- Signed-off-by: zirain --- .github/workflows/license-scan.yml | 3 - .github/workflows/osv-scanner.yml | 3 +- examples/extension-server/go.sum | 1 + go.mod | 24 +- go.sum | 717 +---------------------------- internal/cmd/egctl/collect.go | 4 +- internal/utils/path/path.go | 24 + osv-scanner.toml | 34 +- test/e2e/tests/utils.go | 22 +- 9 files changed, 55 insertions(+), 777 deletions(-) create mode 100644 internal/utils/path/path.go diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 8be0962d2a1..234b018ddc9 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -26,6 +26,3 @@ jobs: --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib --no-call-analysis=go ./ - # TODO remove once github.com/hashicorp/go-getter gets license exception in CNCF or removed from the project - # See https://github.com/cncf/foundation/issues/624 - continue-on-error: true diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 6810220c670..750460e860a 100644 --- a/.github/workflows/osv-scanner.yml 
+++ b/.github/workflows/osv-scanner.yml @@ -26,8 +26,7 @@ jobs: scan-args: |- --skip-git --recursive - --config - tools/osv-scanner/config.toml + --no-call-analysis=go ./ scan-pr: diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index de267cce47d..122562b5540 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -44,6 +44,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= diff --git a/go.mod b/go.mod index 038fc907316..762328fd704 100644 --- a/go.mod +++ b/go.mod @@ -19,12 +19,11 @@ require ( github.com/go-logfmt/logfmt v0.6.0 github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 - github.com/gogo/protobuf v1.3.2 + github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 github.com/google/cel-go v0.21.0 github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 - github.com/grafana/tempo v1.5.0 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 
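Review bot: With `--config tools/osv-scanner/config.toml` removed from `scan-args`, the scheduled scan depends on osv-scanner finding an `osv-scanner.toml` beside each scanned manifest. The diffstat shows a root `osv-scanner.toml` changing, but under `--recursive` a nested module such as `examples/extension-server` would presumably not inherit its ignore list. Either keep an explicit `--config` pointing at the new file or state the intent above the args, for example `# ignore list: ./osv-scanner.toml (per-directory lookup); call analysis off, so findings do not depend on reachability`. This is the only hunk for the file, so the `scan-pr` job that begins right after it keeps its existing arguments; confirm the two jobs do not now scan with different settings.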
@@ -70,10 +69,6 @@ require ( require ( cel.dev/expr v0.15.0 // indirect - cloud.google.com/go v0.112.1 // indirect - cloud.google.com/go/compute/metadata v0.3.0 // indirect - cloud.google.com/go/iam v1.1.7 // indirect - cloud.google.com/go/storage v1.40.0 // indirect dario.cat/mergo v1.0.0 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.8.0 // indirect @@ -92,8 +87,6 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/apparentlymart/go-cidr v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.48.10 // indirect - github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect github.com/cilium/ebpf v0.16.0 // indirect 
@@ -127,23 +120,15 @@ require ( github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect github.com/golang-sql/sqlexp v0.1.0 // indirect github.com/google/go-intervals v0.0.2 // indirect - github.com/google/s2a-go v0.1.7 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect - github.com/googleapis/gax-go/v2 v2.12.3 // indirect github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect - github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-getter v1.7.5 // indirect - github.com/hashicorp/go-safetemp v1.0.0 // indirect - github.com/hashicorp/go-version v1.7.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.4.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect github.com/jackc/pgx/v5 v5.6.0 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jmoiron/sqlx v1.3.5 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect @@ -161,7 +146,6 @@ require ( github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect - github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect 
@@ -171,6 +155,7 @@ require ( github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.2.0 // indirect github.com/moby/sys/userns v0.1.0 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect @@ -200,23 +185,18 @@ require ( github.com/tklauser/numcpus v0.6.1 // indirect github.com/ulikunitz/xz v0.5.12 // indirect github.com/vbatts/tar-split v0.11.5 // indirect - github.com/vmware-tanzu/velero v1.14.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect golang.org/x/crypto v0.26.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 // indirect - google.golang.org/api v0.172.0 // indirect - google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect k8s.io/apiserver v0.31.0 // indirect - k8s.io/kubelet v0.30.3 // indirect k8s.io/metrics v0.31.0 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect diff --git a/go.sum b/go.sum index 943742dcf47..c8e26b75b93 100644 --- a/go.sum +++ b/go.sum 
@@ -3,190 +3,8 @@ cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= -cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= -cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= -cloud.google.com/go v0.87.0/go.mod 
h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= -cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= -cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= -cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= -cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= -cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= -cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= -cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= -cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= -cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= -cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go v0.112.1/go.mod h1:+Vbu+Y1UU+I1rjmzeMOb/8RfkKJK2Gyxi1X6jJCZLo4= -cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= -cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= -cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= -cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= -cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= -cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= -cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= -cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= -cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= -cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= -cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0= 
-cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= -cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= -cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= -cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= -cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= -cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= -cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= -cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= -cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= -cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= -cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= -cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= -cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= -cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= 
-cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= -cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= -cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= -cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= -cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= -cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= -cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= -cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= -cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= -cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= -cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= -cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= -cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= -cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= -cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= -cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= -cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= -cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= -cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= 
-cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= -cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= -cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= -cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= -cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8= -cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= -cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= -cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= -cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= -cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= -cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= -cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= -cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= -cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= -cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= -cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= -cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= -cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= -cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= -cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= -cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= -cloud.google.com/go/iam v0.5.0/go.mod 
h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= -cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM= -cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA= -cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= -cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= -cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= -cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= -cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= -cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= -cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= -cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= -cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= -cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= -cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= -cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= -cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= -cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= -cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= -cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= -cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= -cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= -cloud.google.com/go/oslogin v1.4.0/go.mod 
h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= -cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= -cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= -cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= -cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= -cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= -cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= -cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= -cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo= -cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= -cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= -cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= -cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= -cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= -cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= -cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= 
-cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= -cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= -cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= -cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= -cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= -cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= -cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= -cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= -cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= -cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= -cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= -cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= -cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= -cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= -cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= -cloud.google.com/go/storage v1.40.0 
h1:VEpDQV5CJxFmJ6ueWNsKxcr1QAYOXEgxDa+sBbJahPw= -cloud.google.com/go/storage v1.40.0/go.mod h1:Rrj7/hKlG87BLqDJYtwR0fbPld8uJPbQ2ucUMY7Ir0g= -cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= -cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= -cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= -cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= -cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= -cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= -cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= -cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= -cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= -cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= -cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= 
@@ -236,7 +54,6 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= @@ -266,7 +83,6 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alessio/shellescape v1.2.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= 
@@ -278,15 +94,10 @@ github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:l github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go v1.48.10 h1:0LIFG3wp2Dt6PsxKWCg1Y1xRrn2vZnW5/gWdgaBalKg= -github.com/aws/aws-sdk-go v1.48.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= -github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= 
@@ -301,27 +112,14 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= -github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= 
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= 
@@ -417,12 +215,6 @@ github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 h1:ZY5uB8jkNV3rhhzDI0+B9g5RISAOwazjjGqkP1sQ2HI= github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 
@@ -462,9 +254,6 @@ github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= @@ -541,6 +330,8 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= 
@@ -563,27 +354,15 @@ github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EO github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= -github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod 
h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= @@ -592,12 +371,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= 
@@ -610,16 +385,9 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -631,61 +399,22 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= -github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= -github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= -github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy 
v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= -github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= -github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= -github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= -github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= -github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= -github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= -github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= -github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= -github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= -github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= 
github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= @@ -697,8 +426,6 @@ github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= -github.com/grafana/tempo v1.5.0 h1:JSwulLVtXvUw2MyuUPcvRg3MJiwTUs5XWnbG6fOKatc= -github.com/grafana/tempo v1.5.0/go.mod h1:IB52YU6zkGL+3t0eNrY8kAExx0lLa4LH20wGu3c4wD8= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= 
@@ -707,23 +434,13 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= -github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4= -github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= -github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I= -github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= -github.com/hashicorp/go-version v1.7.0/go.mod 
h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= @@ -738,8 +455,6 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= 
@@ -754,10 +469,6 @@ github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgt github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= @@ -776,7 +487,6 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= 
@@ -784,7 +494,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= @@ -841,7 +550,6 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= 
@@ -863,8 +571,6 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= -github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= @@ -1007,8 +713,6 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rubenv/sql-migrate v1.6.1 h1:bo6/sjsan9HaXAsNxYP/jCEDUGibHp8JmOBw7NTGRos= 
@@ -1116,15 +820,12 @@ github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= -github.com/vmware-tanzu/velero v1.14.0 h1:ZYy9TLtokdHInIdWTfwHYIZhRr+xLd0nGzHyQrXMCIM= -github.com/vmware-tanzu/velero v1.14.0/go.mod h1:yeGs7/xq35yOGDPCV0ryxoybQBsTLXmrxwzXBXtiwp8= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -1138,11 +839,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= 
@@ -1153,18 +851,10 @@ go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= 
@@ -1193,7 +883,6 @@ go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBw go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.starlark.net v0.0.0-20240520160348-046347dcd104 h1:3qhteRISupnJvaWshOmeqEUs2y9oc/+/ePPvDh3Eygg= @@ -1213,8 +902,6 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -1227,42 +914,14 @@ golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn5 golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 h1:oWb21rU9Q9XrRwXLB7jHc1rbp6EiiimZZv5MLxpu4T0= golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint 
v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= 
@@ -1278,82 +937,25 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod 
h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1362,14 +964,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1382,83 +978,32 @@ golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190524152521-dbbf3f1254d4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1469,19 +1014,14 @@ golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= 
@@ -1489,7 +1029,6 @@ golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1500,58 +1039,15 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools 
v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools 
v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.4/go.mod 
h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= 
@@ -1559,219 +1055,32 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU= -golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod 
h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= -google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= -google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= -google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= -google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= -google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= -google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= -google.golang.org/api v0.63.0/go.mod 
h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= -google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= -google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= -google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= -google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= -google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= -google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= -google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= -google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= -google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= -google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= -google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= -google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= -google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= -google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= -google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= -google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= -google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= -google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod 
h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto 
v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= -google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= -google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod 
h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= -google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= -google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= -google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto 
v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= -google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= -google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= -google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= 
-google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= -google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= -google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= -google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= -google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= -google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= -google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= -google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= -google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= -google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= -google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= -google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod 
h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= -google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= -google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= -google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= -google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= -google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod 
h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= -google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.47.0/go.mod 
h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= -google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= -google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1780,13 +1089,7 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 
@@ -1797,8 +1100,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= @@ -1814,7 +1115,6 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -1833,11 +1133,7 @@ helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY= helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= @@ -1880,8 +1176,6 @@ k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= k8s.io/kubectl v0.31.0 h1:kANwAAPVY02r4U4jARP/C+Q1sssCcN/1p9Nk+7BQKVg= k8s.io/kubectl v0.31.0/go.mod h1:pB47hhFypGsaHAPjlwrNbvhXgmuAr01ZBvAIIUaI8d4= -k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys= -k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys= k8s.io/metrics v0.31.0 h1:s7Vu7W0oEZPTN8jgcoiWIXIZBmVxt7YP9MRVyIgMdOc= k8s.io/metrics v0.31.0/go.mod h1:UNsz6swyX8FWkDoKN9ixPF75TBREMbHZIKjD7fydaOY= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= 
@@ -1892,9 +1186,6 @@ oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= diff --git a/internal/cmd/egctl/collect.go b/internal/cmd/egctl/collect.go index e4eece22e53..e95db983eb3 100644 --- a/internal/cmd/egctl/collect.go +++ b/internal/cmd/egctl/collect.go @@ -15,12 +15,12 @@ import ( "syscall" "time" - "github.com/replicatedhq/troubleshoot/pkg/convert" "github.com/spf13/cobra" cmdutil "k8s.io/kubectl/pkg/cmd/util" "github.com/envoyproxy/gateway/internal/cmd/options" tb "github.com/envoyproxy/gateway/internal/troubleshoot" + "github.com/envoyproxy/gateway/internal/utils/path" ) type collectOptions struct { @@ -74,7 +74,7 @@ func runCollect(collectOpts collectOptions) error { basename := "" if collectOpts.outPath != "" { // use override output path - overridePath, err := convert.ValidateOutputPath(collectOpts.outPath) + overridePath, err := path.ValidateOutputPath(collectOpts.outPath) if err != nil { return fmt.Errorf("override output file path: %w", err) } diff --git a/internal/utils/path/path.go b/internal/utils/path/path.go new file mode 100644 index 00000000000..e333a7f5971 --- /dev/null +++ b/internal/utils/path/path.go 
@@ -0,0 +1,24 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package path + +import ( + "os" + "path/filepath" +) + +// ValidateOutputPath takes an output file path and returns it as an absolute path. +// It returns an error if the absolute path cannot be determined or if the parent directory does not exist. +func ValidateOutputPath(outputPath string) (string, error) { + outputPath, err := filepath.Abs(outputPath) + if err != nil { + return "", err + } + if _, err := os.Stat(filepath.Dir(outputPath)); err != nil { + return "", err + } + return outputPath, nil +} diff --git a/osv-scanner.toml b/osv-scanner.toml index e338d0da1b9..32cde45a456 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -41,7 +41,7 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/go-sql-driver/mysql" version = "1.8.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead +# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" 
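Review bot: `os.Stat(filepath.Dir(outputPath))` in ValidateOutputPath only shows that the parent path exists, not that it is a directory, so an output path whose parent is a regular file passes validation and fails later when the bundle is written. The doc comment promises an error "if the parent directory does not exist", so the check should also test `IsDir()` on the returned FileInfo, as sketched below. The errors are returned bare; carrying the rejected path (an `*os.PathError` needs no new import) tells the operator which location was refused. Separately, the package name `path` shadows the standard library `path` package for any importer that needs both, so a more specific name would avoid aliasing.

```go
func ValidateOutputPath(outputPath string) (string, error) {
	// … unchanged: filepath.Abs call and its error check …
	parent := filepath.Dir(outputPath)
	info, err := os.Stat(parent)
	if err != nil {
		return "", err
	}
	if !info.IsDir() {
		// The parent exists but is not a directory, so nothing can be created under it.
		return "", &os.PathError{Op: "validate output path", Path: parent, Err: os.ErrInvalid}
	}
	return outputPath, nil
}
```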
@@ -49,15 +49,7 @@ reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but name = "github.com/hashicorp/errwrap" version = "1.1.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead -license.override = ["Apache-2.0"] -reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" - -[[PackageOverrides]] -name = "github.com/hashicorp/go-cleanhttp" -version = "0.5.2" -ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead +# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" 
@@ -65,15 +57,7 @@ reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but name = "github.com/hashicorp/go-multierror" version = "1.1.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead -license.override = ["Apache-2.0"] -reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" - -[[PackageOverrides]] -name = "github.com/hashicorp/go-version" -version = "1.7.0" -ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead +# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" @@ -81,7 +65,7 @@ reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but name = "github.com/hashicorp/hcl" version = "1.0.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead +# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" 
@@ -103,7 +87,7 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/shoenig/go-m1cpu" version = "0.1.6" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead +# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx" @@ -112,11 +96,3 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" - -[[PackageOverrides]] -name = "github.com/grafana/tempo" -version = "1.5.0" -ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead -license.override = ["Apache-2.0"] -reason = "This package is only used in e2e tests so we can ignore its license" \ No newline at end of file diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index c7b3fa3819e..8da7728517a 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -22,9 +22,7 @@ import ( "fortio.org/fortio/periodic" flog "fortio.org/log" "github.com/go-logfmt/logfmt" - "github.com/gogo/protobuf/jsonpb" // nolint: depguard // tempopb use gogo/protobuf "github.com/google/go-cmp/cmp" - "github.com/grafana/tempo/pkg/tempopb" dto "github.com/prometheus/client_model/go" "github.com/prometheus/common/expfmt" "github.com/stretchr/testify/require" 
@@ -573,21 +571,33 @@ func QueryTraceFromTempo(t *testing.T, c client.Client, tags map[string]string) if err != nil { return -1, err } + defer func() { + _ = res.Body.Close() + }() if res.StatusCode != http.StatusOK { return -1, fmt.Errorf("failed to query tempo, url=%s, status=%s", tempoURL.String(), res.Status) } - tempoResponse := &tempopb.SearchResponse{} - if err := jsonpb.Unmarshal(res.Body, tempoResponse); err != nil { + resp := &tempoResponse{} + data, err := io.ReadAll(res.Body) + if err != nil { + return -1, err + } + if err := json.Unmarshal(data, &resp); err != nil { + t.Logf("Failed to unmarshall response: %s", string(data)) return -1, err } - total := len(tempoResponse.Traces) - tlog.Logf(t, "get response from tempo, url=%s, response=%v, total=%d", tempoURL.String(), tempoResponse, total) + total := len(resp.Traces) + tlog.Logf(t, "get response from tempo, url=%s, response=%v, total=%d", tempoURL.String(), string(data), total) return total, nil } +type tempoResponse struct { + Traces []map[string]interface{} `json:"traces,omitempty"` +} + // copy from https://github.com/grafana/tempo/blob/c0127c78c368319433c7c67ca8967adbfed2259e/cmd/tempo-query/tempo/plugin.go#L361 func createTagsQueryParam(tags map[string]string) (string, error) { tagsBuilder := &strings.Builder{} From cca170980e43d36a1e8d89d5444edb3ac851a2d7 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 7 Sep 2024 13:07:26 +0800 Subject: [PATCH 118/523] ci: bump support Kubernetes version (#4169) Signed-off-by: zirain --- .github/workflows/build_and_test.yaml | 6 +++--- .github/workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- site/content/en/news/releases/matrix.md | 2 +- tools/hack/create-cluster.sh | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 430ab107eda..a7ef580da69 100644 
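Review bot: `json.Unmarshal(data, &resp)` passes a pointer to a pointer, because `resp` is already `&tempoResponse{}`; it decodes correctly, but `json.Unmarshal(data, resp)` is the conventional form. The failure path logs through `t.Logf` with the misspelt "unmarshall" while the success path uses `tlog.Logf`, so `tlog.Logf(t, "failed to unmarshal response: %s", string(data))` would keep the helper's output consistent. Both log calls print the whole body returned by an unbounded `io.ReadAll`; that is tolerable in a test helper, but reading through `io.LimitReader` would cap memory and log size if Tempo returns something unexpected. QueryTraceFromTempo begins above this hunk, so the request construction and client timeout are not visible here.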
--- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -84,7 +84,7 @@ jobs: needs: [build] strategy: matrix: - version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ] + version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps @@ -112,7 +112,7 @@ jobs: needs: [build] strategy: matrix: - version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ] + version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps @@ -150,7 +150,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.9 + KIND_NODE_TAG: v1.28.13 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 7a3c98c1573..b45c7b8bf97 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - version: [ v1.27.13, v1.28.9, v1.29.4, v1.30.0 ] + version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./tools/github-actions/setup-deps diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index aba1486f4ba..09a88ab41d5 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -31,7 +31,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.9 + KIND_NODE_TAG: v1.28.13 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 864e27e2edf..d173a875bf0 100644 --- a/.github/workflows/release.yaml 
+++ b/.github/workflows/release.yaml @@ -24,7 +24,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.9 + KIND_NODE_TAG: v1.28.13 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/site/content/en/news/releases/matrix.md b/site/content/en/news/releases/matrix.md index 337b26d1262..c4911f317e5 100644 --- a/site/content/en/news/releases/matrix.md +++ b/site/content/en/news/releases/matrix.md @@ -7,6 +7,7 @@ Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs within a K | Envoy Gateway version | Envoy Proxy version | Rate Limit version | Gateway API version | Kubernetes version | |-----------------------|-----------------------------|--------------------|---------------------|----------------------------| +| latest | **dev-latest** | **master** | **v1.0.0** | v1.28, v1.29, v1.30, v1.31 | | v1.1 | **distroless-v1.31.0** | **91484c59** | **v1.1.0** | v1.27, v1.28, v1.29, v1.30 | | v1.0 | **distroless-v1.29.2** | **19f2079f** | **v1.0.0** | v1.26, v1.27, v1.28, v1.29 | | v0.6 | **distroless-v1.28-latest** | **b9796237** | **v1.0.0** | v1.26, v1.27, v1.28 | @@ -14,4 +15,3 @@ Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs within a K | v0.4 | **v1.26-latest** | **542a6047** | **v0.6.2** | v1.25, v1.26, v1.27 | | v0.3 | **v1.25-latest** | **f28024e3** | **v0.6.1** | v1.24, v1.25, v1.26 | | v0.2 | **v1.23-latest** | | **v0.5.1** | v1.24 | -| latest | **dev-latest** | **master** | **v1.0.0** | v1.27, v1.28, v1.29, v1.30 | diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index 93160727cbf..16e1477b56f 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -5,7 +5,7 @@ set -euo pipefail # Setup default values CLUSTER_NAME=${CLUSTER_NAME:-"envoy-gateway"} METALLB_VERSION=${METALLB_VERSION:-"v0.13.10"} -KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.28.0"} +KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.31.0"} NUM_WORKERS=${NUM_WORKERS:-""} 
From 69bf8825422db0cb7b34097b8db5dfca19b8d477 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 7 Sep 2024 16:09:28 +0800 Subject: [PATCH 119/523] bump to go1.22.7 (#4175) * bump to go1.22.6 Signed-off-by: zirain * bump to 1.22.7 Signed-off-by: zirain --------- Signed-off-by: zirain --- examples/extension-server/go.mod | 2 +- examples/extension-server/tools/src/controller-gen/go.mod | 2 +- examples/kubernetes/ext-proc-grpc-service.yaml | 2 +- go.mod | 2 +- site/go.mod | 2 +- tools/src/buf/go.mod | 2 +- tools/src/controller-gen/go.mod | 2 +- tools/src/crd-ref-docs/go.mod | 2 +- tools/src/gci/go.mod | 2 +- tools/src/golangci-lint/go.mod | 2 +- tools/src/helm-docs/go.mod | 2 +- tools/src/jb/go.mod | 2 +- tools/src/jsonnet/go.mod | 2 +- tools/src/kind/go.mod | 2 +- tools/src/protoc-gen-go-grpc/go.mod | 2 +- tools/src/protoc-gen-go/go.mod | 2 +- tools/src/setup-envtest/go.mod | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 53f4ad7c0a6..7fee44cb49b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -1,6 +1,6 @@ module github.com/exampleorg/envoygateway-extension -go 1.22.5 +go 1.22.7 require ( github.com/envoyproxy/gateway v1.0.2 diff --git a/examples/extension-server/tools/src/controller-gen/go.mod b/examples/extension-server/tools/src/controller-gen/go.mod index 3b5da982d27..e1eab3409bc 100644 --- a/examples/extension-server/tools/src/controller-gen/go.mod +++ b/examples/extension-server/tools/src/controller-gen/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require sigs.k8s.io/controller-tools v0.15.0 diff --git a/examples/kubernetes/ext-proc-grpc-service.yaml b/examples/kubernetes/ext-proc-grpc-service.yaml index 23b90b104cb..de94ccf905c 100644 --- a/examples/kubernetes/ext-proc-grpc-service.yaml +++ b/examples/kubernetes/ext-proc-grpc-service.yaml 
@@ -361,7 +361,7 @@ spec: - sh - "-c" - "cp -a /app /app-live && cd /app-live && go run . --certPath=/app-live/certs/ " - image: golang:1.22.5-alpine + image: golang:1.22.7-alpine ports: - containerPort: 8000 volumeMounts: diff --git a/go.mod b/go.mod index 762328fd704..4a9e67f46c3 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway -go 1.22.5 +go 1.22.7 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 diff --git a/site/go.mod b/site/go.mod index 29d91dd00e8..c6b0df811f3 100644 --- a/site/go.mod +++ b/site/go.mod @@ -1,6 +1,6 @@ module github.com/google/docsy-example -go 1.22.5 +go 1.22.7 require ( github.com/FortAwesome/Font-Awesome v0.0.0-20240402185447-c0f460dca7f7 // indirect diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 1e68fe4dc13..78355ec355d 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require github.com/bufbuild/buf v1.39.0 diff --git a/tools/src/controller-gen/go.mod b/tools/src/controller-gen/go.mod index 6df70b8d49a..f6d85a9431c 100644 --- a/tools/src/controller-gen/go.mod +++ b/tools/src/controller-gen/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require sigs.k8s.io/controller-tools v0.16.1 diff --git a/tools/src/crd-ref-docs/go.mod b/tools/src/crd-ref-docs/go.mod index a664f856efc..23b3153de03 100644 --- a/tools/src/crd-ref-docs/go.mod +++ b/tools/src/crd-ref-docs/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require github.com/elastic/crd-ref-docs v0.0.13-0.20240723135120-56876bccac3a diff --git a/tools/src/gci/go.mod b/tools/src/gci/go.mod index dfb21a706d3..7d4fd7ca6d3 100644 --- a/tools/src/gci/go.mod +++ b/tools/src/gci/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require github.com/daixiang0/gci v0.13.4 diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index 02da603587c..4f356da5578 100644 --- a/tools/src/golangci-lint/go.mod 
+++ b/tools/src/golangci-lint/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require github.com/golangci/golangci-lint v1.60.3 diff --git a/tools/src/helm-docs/go.mod b/tools/src/helm-docs/go.mod index f90603ca8cb..84484217b90 100644 --- a/tools/src/helm-docs/go.mod +++ b/tools/src/helm-docs/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/helm-docs -go 1.22.5 +go 1.22.7 require github.com/norwoodj/helm-docs v1.14.2 diff --git a/tools/src/jb/go.mod b/tools/src/jb/go.mod index f781b6f98f7..4b500d8ac15 100644 --- a/tools/src/jb/go.mod +++ b/tools/src/jb/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jb -go 1.22.5 +go 1.22.7 require github.com/jsonnet-bundler/jsonnet-bundler v0.5.1 diff --git a/tools/src/jsonnet/go.mod b/tools/src/jsonnet/go.mod index 2abb020097d..27537f28221 100644 --- a/tools/src/jsonnet/go.mod +++ b/tools/src/jsonnet/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jsonnet -go 1.22.5 +go 1.22.7 require github.com/google/go-jsonnet v0.20.0 diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index 0d7c7342b1e..f09cbf32196 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/kind -go 1.22.5 +go 1.22.7 require sigs.k8s.io/kind v0.24.0 diff --git a/tools/src/protoc-gen-go-grpc/go.mod b/tools/src/protoc-gen-go-grpc/go.mod index f55603269c3..1e73e1c5269 100644 --- a/tools/src/protoc-gen-go-grpc/go.mod +++ b/tools/src/protoc-gen-go-grpc/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go-grpc -go 1.22.5 +go 1.22.7 require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 diff --git a/tools/src/protoc-gen-go/go.mod b/tools/src/protoc-gen-go/go.mod index 8f65aeda683..e24ee052913 100644 --- a/tools/src/protoc-gen-go/go.mod +++ b/tools/src/protoc-gen-go/go.mod 
@@ -1,5 +1,5 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go -go 1.22.5 +go 1.22.7 require google.golang.org/protobuf v1.33.0 diff --git a/tools/src/setup-envtest/go.mod b/tools/src/setup-envtest/go.mod index cef388c9cfd..53668dc72b2 100644 --- a/tools/src/setup-envtest/go.mod +++ b/tools/src/setup-envtest/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.5 +go 1.22.7 require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240423173400-ed81fa696dea From 939e6f4092e5206655c961bb608efa3d62823294 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 9 Sep 2024 21:52:16 +0800 Subject: [PATCH 120/523] docs: improve Private Key Provider page layout (#4179) Signed-off-by: zirain --- .github/markdown_lint_config.json | 4 +- .../tasks/security/private-key-provider.md | 66 +++++++++++++++---- tools/make/lint.mk | 4 ++ 3 files changed, 60 insertions(+), 14 deletions(-) diff --git a/.github/markdown_lint_config.json b/.github/markdown_lint_config.json index 85aaabec0e9..8c62b98bfd3 100644 --- a/.github/markdown_lint_config.json +++ b/.github/markdown_lint_config.json @@ -49,5 +49,7 @@ "MD048": false, "MD049": false, "MD050": false, - "MD051": false + "MD051": false, + "MD055": false, + "MD056": false } diff --git a/site/content/en/latest/tasks/security/private-key-provider.md b/site/content/en/latest/tasks/security/private-key-provider.md index 79f992aa599..529056b33e1 100644 --- a/site/content/en/latest/tasks/security/private-key-provider.md +++ b/site/content/en/latest/tasks/security/private-key-provider.md @@ -14,7 +14,9 @@ This task will walk you through the steps required to configure TLS Termination ## Prerequisites -### For QAT +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} - Install Linux kernel 5.17 or similar - Ensure the node has QAT devices by checking the QAT physical function devices presented. [Supported Devices](https://intel.github.io/quickassist/qatlib/requirements.html#qat2-0-qatlib-supported-devices) 
@@ -88,7 +90,9 @@ This task will walk you through the steps required to configure TLS Termination kubectl get node -o yaml| grep qat.intel.com ``` -### For CryptoMB: +{{% /tab %}} + +{{% tab header="CryptoMB" %}} It required the node with 3rd generation Intel Xeon Scalable processor server processors, or later. - For kubernetes Cluster, if not all nodes that support Intel® AVX-512 in Kubernetes cluster, you need to add some labels to divide these two kinds of nodes manually or using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery). @@ -110,6 +114,10 @@ It required the node with 3rd generation Intel Xeon Scalable processor server pr cat /proc/cpuinfo |grep avx512f|grep avx512dq|grep avx512bw|grep avx512_vbmi2|grep avx512ifma ``` +{{% /tab %}} + +{{< /tabpane >}} + ## Installation * Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway. @@ -214,10 +222,14 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Change EnvoyProxy configuration for QAT +## Change EnvoyProxy configuration Using the envoyproxy image with contrib extensions and add qat resources requesting, ensure the k8s scheduler find out a machine with required resource. +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -285,7 +297,9 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Change EnvoyProxy configuration for CryptoMB +{{% /tab %}} + +{{% tab header="CryptoMB" %}} Using the envoyproxy image with contrib extensions and add the node affinity to scheduling the Envoy Gateway pod on the machine with required CPU instructions. 
@@ -386,9 +400,11 @@ spec: Or using `preferredDuringSchedulingIgnoredDuringExecution` for best effort scheduling, or not doing any node affinity, just doing the random scheduling. The CryptoMB private key provider supports software fallback if the required CPU instructions aren't here. -## Apply EnvoyPatchPolicy to enable private key provider +{{% /tab %}} -### Benchmark before enabling private key provider +{{< /tabpane >}} + +## Benchmark before enabling private key provider First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test. @@ -416,7 +432,11 @@ Benchmark the gateway with fortio. fortio load -c 10 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} ``` -### For QAT +## Apply EnvoyPatchPolicy to enable private key provider + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -501,7 +521,9 @@ spec: {{% /tab %}} {{< /tabpane >}} -### For CryptoMB +{{% /tab %}} + +{{% tab header="CryptoMB" %}} {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -586,7 +608,11 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Benchmark after enabling private key provider +{{% /tab %}} + +{{< /tabpane >}} + +## Benchmark after enabling private key provider First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test again. @@ -596,6 +622,8 @@ Benchmark the gateway with fortio. fortio load -c 64 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} ``` +## Benchmark Result + You will see a performance boost after private key provider enabled. For example, you will get results as below. Without private key provider: 
@@ -604,14 +632,26 @@ Without private key provider: All done 43069 calls (plus 10 warmup) 6.966 ms avg, 1435.4 qps ``` -With CryptoMB private key provider, the QPS is over 2 times than without private key provider. +{{< tabpane text=true >}} -```shell -All done 93983 calls (plus 128 warmup) 40.880 ms avg, 3130.5 qps -``` +{{% tab header="QAT (Intel QuickAssist Technology)" %}} With QAT private key provider, the QPS is over 3 times than without private key provider ```shell All done 134746 calls (plus 128 warmup) 28.505 ms avg, 4489.6 qps ``` + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +With CryptoMB private key provider, the QPS is over 2 times than without private key provider. + +```shell +All done 93983 calls (plus 128 warmup) 40.880 ms avg, 3130.5 qps +``` + +{{% /tab %}} + +{{< /tabpane >}} diff --git a/tools/make/lint.mk b/tools/make/lint.mk index 8f9b306d05d..7bd8231a139 100644 --- a/tools/make/lint.mk +++ b/tools/make/lint.mk @@ -93,3 +93,7 @@ licensecheck: ## Check license headers are present. latest-release-check: ## Check if latest release and tag are created properly. @$(LOG_TARGET) sh tools/hack/check-latest-release.sh + +.PHONY: lint.markdown +lint.markdown: + markdownlint -c .github/markdown_lint_config.json site/content/* \ No newline at end of file From d8da16300d0e6c146439e32d6a40cf5c874f0a2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 08:55:15 -0500 Subject: [PATCH 121/523] build(deps): bump distroless/static from `8dd8d3c` to `42d15c6` in /tools/docker/envoy-gateway (#4191) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `8dd8d3c` to `42d15c6`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... 
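Review bot: The new `lint.markdown` target in the tools/make/lint.mk hunk has no `## ` description and no `@$(LOG_TARGET)` line, unlike the `latest-release-check` target shown as context just above it, so it will presumably be absent from the generated help text and print no log banner. I would declare it as `lint.markdown: ## Lint the markdown files under site/content.` and put `@$(LOG_TARGET)` before the `markdownlint` call. Nothing visible in this hunk makes it a prerequisite of an aggregate lint target, so unless that is wired up elsewhere the check only runs when someone invokes it by hand. The file also now ends without a trailing newline (`\ No newline at end of file`), which is worth adding.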
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 33d874be409..e25c4cc792f 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 +FROM gcr.io/distroless/static:nonroot@sha256:42d15c647a762d3ce3a67eab394220f5268915d6ddba9006871e16e4698c3a24 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib From ab43e39911933df67c54f15c7735ea56cee86c5d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 08:57:05 -0500 Subject: [PATCH 122/523] build(deps): bump github.com/bufbuild/buf from 1.39.0 to 1.40.1 in /tools/src/buf (#4185) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.39.0 to 1.40.1. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.39.0...v1.40.1) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 47 ++++++++++++---------- tools/src/buf/go.sum | 94 ++++++++++++++++++++++++-------------------- 2 files changed, 78 insertions(+), 63 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 78355ec355d..182b2697b0d 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,24 +2,27 @@ module local go 1.22.7 -require github.com/bufbuild/buf v1.39.0 +require github.com/bufbuild/buf v1.40.1 require ( + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 // indirect buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 // indirect buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect connectrpc.com/connect v1.16.2 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.12.6 // indirect - github.com/antlr4-go/antlr/v4 v4.13.0 // indirect - github.com/bufbuild/protocompile v0.14.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.1 // indirect + github.com/bufbuild/bufplugin-go v0.1.0 // indirect + github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee // indirect - github.com/bufbuild/protovalidate-go v0.6.4 // indirect - github.com/bufbuild/protoyaml-go v0.1.11 // indirect + github.com/bufbuild/protovalidate-go v0.6.5 // indirect + github.com/bufbuild/protoyaml-go v0.1.12 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.20 // indirect + github.com/containerd/containerd v1.7.21 // indirect github.com/containerd/continuity v0.4.3 // indirect github.com/containerd/errdefs v0.1.0 // indirect github.com/containerd/log v0.1.0 // indirect 
@@ -29,13 +32,13 @@ require ( github.com/containerd/typeurl/v2 v2.2.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.1.2+incompatible // indirect + github.com/docker/cli v27.2.0+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.1.2+incompatible // indirect + github.com/docker/docker v27.2.0+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect - github.com/felixge/fgprof v0.9.4 // indirect + github.com/felixge/fgprof v0.9.5 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-chi/chi/v5 v5.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect @@ -47,13 +50,14 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect + github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect 
@@ -65,16 +69,16 @@ require ( github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect - github.com/onsi/ginkgo/v2 v2.20.1 // indirect + github.com/onsi/ginkgo/v2 v2.20.2 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect - github.com/quic-go/qpack v0.4.0 // indirect + github.com/quic-go/qpack v0.5.0 // indirect github.com/quic-go/quic-go v0.46.0 // indirect - github.com/rs/cors v1.11.0 // indirect + github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 // indirect 
@@ -94,16 +98,17 @@ require ( go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.26.0 // indirect golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect - golang.org/x/mod v0.20.0 // indirect + golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.28.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.24.0 // indirect - golang.org/x/term v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/tools v0.24.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c // indirect - google.golang.org/grpc v1.65.0 // indirect - google.golang.org/protobuf v1.34.2 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/grpc v1.66.0 // indirect + google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + pluginrpc.com/pluginrpc v0.2.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 444adc35957..e611b0b9681 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,9 +1,13 @@ +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 h1:X9qBPcvWGOJs/CeRVLoxxLJwC/eKyWDS/G4nj+3KGMY= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 h1:SZRVx928rbYZ6hEKUIN+vtGDkl7uotABRWGY4OAg5gM= buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 h1:QaJ6UkpvlGo4dBXR41vLRfPiKungbg7brjmbBC/k6Ig= buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1/go.mod h1:oQsMFNU3YzxxjRS6O68UkcF/A+pXdXqQNcUfQEBTWcw= buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 h1:C3CTZTucEUm7i0O2tAM8GSlg23GnQYcljX1b1Jcpsro= buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= 
@@ -18,18 +22,20 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU= github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= -github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= -github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= -github.com/bufbuild/buf v1.39.0 h1:f8bpK/8+cpgbppSyK4RKe0L1FxLqWcbgnHnWgXpVM7s= -github.com/bufbuild/buf v1.39.0/go.mod h1:1P0U+x/ky1KhpK7o7mGraDAYjQUG7710wk5lEZFWsTA= -github.com/bufbuild/protocompile v0.14.0 h1:z3DW4IvXE5G/uTOnSQn+qwQQxvhckkTWLS/0No/o7KU= -github.com/bufbuild/protocompile v0.14.0/go.mod h1:N6J1NYzkspJo3ZwyL4Xjvli86XOj1xq4qAasUFxGups= +github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= +github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= +github.com/bufbuild/buf v1.40.1 h1:u99ME/yC6zzZH5yGfwmcTt46bxFqDfuvFuif/W9F3Qo= +github.com/bufbuild/buf v1.40.1/go.mod h1:PMkhwcFMP8d/aBJsvJL7GZq/CdeT7jwTS96RwFyKSU8= +github.com/bufbuild/bufplugin-go v0.1.0 h1:3LmgSHaSf8mPvwoFunimgm8uKJFLg+YePdi7NQgnfdY= +github.com/bufbuild/bufplugin-go v0.1.0/go.mod h1:gIbsJlcYJRLylxxNN3FPNd91fYxJmGVQgbZ67xLVrXk= +github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= +github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee/go.mod h1:HjGFxsck9RObrTJp2hXQZfWhPgZqnR6sR1U5fCA/Kus= -github.com/bufbuild/protovalidate-go v0.6.4 h1:QtNIz4LGclM3UArQv/R1AKNF7MO8wriT9v7b8Gnmqak= -github.com/bufbuild/protovalidate-go 
v0.6.4/go.mod h1:HlkVnkE/zVYZvHIG/a7QZuzqC9bSqHaOOTeRomYF0Q8= -github.com/bufbuild/protoyaml-go v0.1.11 h1:Iyixd6Y5dx6ws6Uh8APgC1lMyvXt710NayoY8cY0Vj8= -github.com/bufbuild/protoyaml-go v0.1.11/go.mod h1:KCBItkvZOK/zwGueLdH1Wx1RLyFn5rCH7YjQrdty2Wc= +github.com/bufbuild/protovalidate-go v0.6.5 h1:WucDKXIbK22WjkO8A8J6Yyxxy0jl91Oe9LSMduq3YEE= +github.com/bufbuild/protovalidate-go v0.6.5/go.mod h1:LHDiGCWSM3GagZEnyEZ1sPtFwi6Ja4tVTi/DCc+iDFI= +github.com/bufbuild/protoyaml-go v0.1.12 h1:tIJrwvGxumVpNwLsw/AevT1QnkPDBuAObBSuBAdmAWY= +github.com/bufbuild/protoyaml-go v0.1.12/go.mod h1:Xmz3wct+08Va+g9gjIuLTAmxW2w6sre5Wrgw7K3gn0I= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -46,8 +52,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ= -github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0= +github.com/containerd/containerd v1.7.21 h1:USGXRK1eOC/SX0L195YgxTHb0a00anxajOzgfN0qrCA= +github.com/containerd/containerd v1.7.21/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= 
@@ -71,12 +77,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.2+incompatible h1:nYviRv5Y+YAKx3dFrTvS1ErkyVVunKOhoweCTE1BsnI= -github.com/docker/cli v27.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM= +github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.1.2+incompatible h1:AhGzR1xaQIy53qCkxARaFluI00WPGtXn0AJuoQsVYTY= -github.com/docker/docker v27.1.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4= +github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -90,8 +96,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw= -github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88= -github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= +github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY= +github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= 
@@ -142,8 +148,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= -github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 h1:q5g0N9eal4bmJwXHC5z0QCKs8qhS35hFfq0BAYsIwZI= +github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -170,6 +176,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= 
@@ -192,8 +200,8 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= -github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= +github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -216,14 +224,14 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= -github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= +github.com/quic-go/qpack v0.5.0 h1:jldbr38Ef/swDfxtvNvvUIYNg5LNm3Oa9W+IZvCm4q0= +github.com/quic-go/qpack v0.5.0/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y= github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= -github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= -github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= +github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= +github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 
@@ -290,8 +298,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -321,14 +329,14 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -350,17 +358,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c h1:e0zB268kOca6FbuJkYUGxfwG4DKFZG/8DLyv9Zv66cE= -google.golang.org/genproto/googleapis/api v0.0.0-20240823204242-4ba0660f739c/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c h1:Kqjm4WpoWvwhMPcrAczoTyMySQmYa9Wy2iL6Con4zn8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= 
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= +google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -370,8 +378,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 h1:hNwajDgT0MlsxZzlUajZVmUYFpts8/CYe4BSNx503ZE= +google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -382,3 +390,5 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +pluginrpc.com/pluginrpc v0.2.0 h1:mUuxA2Vtt1/buDsnR1HscuAu56Y/3ax5oPPy+9q/Zr4= +pluginrpc.com/pluginrpc v0.2.0/go.mod h1:rX3qwV56YEwfayfyfEovbQ+KMVDjgJ8icHy0WTaUXRY= From 3c857b574b32071f6d5f7d42e54abf4c1f364b27 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 23:49:29 +0800 Subject: [PATCH 123/523] build(deps): bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#4187) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.57.0 to 0.59.1. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](https://github.com/prometheus/common/compare/v0.57.0...v0.59.1) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4a9e67f46c3..b1162ecaba8 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 github.com/prometheus/client_golang v1.20.2 - github.com/prometheus/common v0.57.0 + github.com/prometheus/common v0.59.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 diff --git a/go.sum b/go.sum index c8e26b75b93..caeda801133 100644 
--- a/go.sum +++ b/go.sum @@ -691,8 +691,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.57.0 h1:Ro/rKjwdq9mZn1K5QPctzh+MA4Lp0BuYk5ZZEVhoNcY= -github.com/prometheus/common v0.57.0/go.mod h1:7uRPFSUTbfZWsJ7MHY56sqt7hLQu3bxXHDnNhl8E9qI= +github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= +github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= From e717c23f3cd94a3490dbdbce4dda2d09b725c62a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 09:45:31 -0700 Subject: [PATCH 124/523] build(deps): bump github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0 (#4190) Bumps [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) from 3.2.1 to 3.3.0. - [Release notes](https://github.com/Masterminds/semver/releases) - [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md) - [Commits](https://github.com/Masterminds/semver/compare/v3.2.1...v3.3.0) --- updated-dependencies: - dependency-name: github.com/Masterminds/semver/v3 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b1162ecaba8..bffd160ecbc 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( fortio.org/fortio v1.66.1 fortio.org/log v1.16.0 - github.com/Masterminds/semver/v3 v3.2.1 + github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.2.0+incompatible diff --git a/go.sum b/go.sum index caeda801133..b6fda81ad4b 100644 --- a/go.sum +++ b/go.sum @@ -61,8 +61,8 @@ github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= From 13e67e725b1f786383f991fbf04ba65d6ceae53b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 13:06:19 -0700 Subject: [PATCH 125/523] build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 (#4189) build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.2 to 1.20.3. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/v1.20.3/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.2...v1.20.3) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index bffd160ecbc..22782dbd16e 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.0 - github.com/prometheus/client_golang v1.20.2 + github.com/prometheus/client_golang v1.20.3 github.com/prometheus/common v0.59.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index b6fda81ad4b..2372b8262b1 100644 --- a/go.sum +++ b/go.sum 
@@ -679,8 +679,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= -github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 55c2779dc0e3c19d7785460616bbedf34286058e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 08:19:31 +0800 Subject: [PATCH 126/523] build(deps): bump the golang-org group across 2 directories with 2 updates (#4186) Bumps the golang-org group with 2 updates in the / directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Bumps the golang-org group with 2 updates in the /examples/extension-server directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/sys` from 0.24.0 to 0.25.0 - [Commits](https://github.com/golang/sys/compare/v0.24.0...v0.25.0) Updates `golang.org/x/net` from 0.28.0 to 0.29.0 - [Commits](https://github.com/golang/net/compare/v0.28.0...v0.29.0) Updates `golang.org/x/sys` from 0.24.0 to 0.25.0 - [Commits](https://github.com/golang/sys/compare/v0.24.0...v0.25.0) Updates `golang.org/x/net` from 0.28.0 to 0.29.0 - [Commits](https://github.com/golang/net/compare/v0.28.0...v0.29.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/sys dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 4 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 7fee44cb49b..6fa30d74202 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -31,9 +31,9 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect - golang.org/x/net v0.28.0 // indirect - golang.org/x/sys v0.24.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/net v0.29.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/text v0.18.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 122562b5540..6e267eb113a 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -81,20 +81,20 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod 
h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/go.mod b/go.mod index 22782dbd16e..cc1e8bb745c 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 - golang.org/x/sys v0.24.0 + golang.org/x/sys v0.25.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.15.4 @@ -192,7 +192,7 @@ require ( github.com/yusufpapurcu/wmi v1.2.4 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - golang.org/x/crypto v0.26.0 // indirect + golang.org/x/crypto v0.27.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect @@ -260,11 +260,11 @@ require ( go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.20.0 // indirect - golang.org/x/net v0.28.0 + golang.org/x/net v0.29.0 golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.23.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect 
diff --git a/go.sum b/go.sum index 2372b8262b1..cc359a97751 100644 --- a/go.sum +++ b/go.sum @@ -909,8 +909,8 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 h1:oWb21rU9Q9XrRwXLB7jHc1rbp6EiiimZZv5MLxpu4T0= golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -951,8 +951,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1010,13 +1010,13 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1024,8 +1024,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From f4037f8f96996218762a95030dc306f79d99808e Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 10 Sep 2024 09:20:58 +0800 Subject: [PATCH 127/523] feat: support `RecomputeRoute` for ExtAuth (#4178) * add RecomputeRoute in ExtAuth Signed-off-by: zirain * IR and XDS Signed-off-by: zirain * address comment Signed-off-by: zirain --------- 
Signed-off-by: zirain --- api/v1alpha1/ext_auth_types.go | 8 + api/v1alpha1/zz_generated.deepcopy.go | 5 + ...ateway.envoyproxy.io_securitypolicies.yaml | 7 + internal/gatewayapi/securitypolicy.go | 1 + ...ypolicy-with-extauth-recomputation.in.yaml | 111 ++++++ ...policy-with-extauth-recomputation.out.yaml | 332 ++++++++++++++++++ internal/ir/xds.go | 7 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/extauth.go | 4 + .../in/xds-ir/ext-auth-recomputation.yaml | 124 +++++++ .../ext-auth-recomputation.clusters.yaml | 112 ++++++ .../ext-auth-recomputation.endpoints.yaml | 36 ++ .../ext-auth-recomputation.listeners.yaml | 71 ++++ .../xds-ir/ext-auth-recomputation.routes.yaml | 44 +++ site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 16 files changed, 869 insertions(+) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/ext-auth-recomputation.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.routes.yaml diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 2d49a9df3d6..0670ed4b676 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -42,6 +42,14 @@ type ExtAuth struct { // +optional // +kubebuilder:default=false FailOpen *bool `json:"failOpen,omitempty"` + + // RecomputeRoute clears the route cache and recalculates the routing decision. + // This field must be enabled if the headers added or modified by the ExtAuth are used for + // route matching decisions. If the recomputation selects a new route, features targeting + // the new matched route will be applied. + // + // +optional + RecomputeRoute *bool `json:"recomputeRoute,omitempty"` } // GRPCExtAuthService defines the gRPC External Authorization service diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index cde4e3b90d7..f2e3ce24085 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2022,6 +2022,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = new(bool) **out = **in } + if in.RecomputeRoute != nil { + in, out := &in.RecomputeRoute, &out.RecomputeRoute + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index f0fc4379a75..f00722dc40e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
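Review bot: The doc comment added for `RecomputeRoute` in this hunk does not say that route matching then trusts the headers it mentions, nor how the field behaves together with `FailOpen` just above it. If `FailOpen` lets a request through without an authorization response, the service would presumably not have set those headers, so a route matched on them could be selected from values the client sent; this is inferred from the two field descriptions, not from code visible here. I would add a sentence such as `// When combined with FailOpen, requests that pass because the authorization service failed are routed without these headers having been set by it; remove client-supplied values of those headers before relying on them for routing.` The added fixture `securitypolicy-with-extauth-recomputation.in.yaml` sets both `failOpen: true` and `recomputeRoute: true`, so that pairing is the only one the new test data exercises. The `ExtAuth` struct starts outside the hunk.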
@@ -1908,6 +1908,13 @@ spec: group. rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group == "" || f.group == ''gateway.envoyproxy.io'')) : true' + recomputeRoute: + description: |- + RecomputeRoute clears the route cache and recalculates the routing decision. + This field must be enabled if the headers added or modified by the ExtAuth are used for + route matching decisions. If the recomputation selects a new route, features targeting + the new matched route will be applied. + type: boolean type: object x-kubernetes-validations: - message: one of grpc or http must be specified diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 6590311d103..887b63386fe 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -872,6 +872,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth, FailOpen: policy.Spec.ExtAuth.FailOpen, Traffic: traffic, + RecomputeRoute: policy.Spec.ExtAuth.RecomputeRoute, } if http != nil { diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.in.yaml new file mode 100644 index 00000000000..5cab33ed672 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.in.yaml 
@@ -0,0 +1,111 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo1 + backendRefs: + - name: service-1 + port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-3 + port: 8080 +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: 'primary.foo.com' + port: 3000 +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: default + to: + - group: "" + kind: Service +securityPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extAuth: + failOpen: true + recomputeRoute: true + headersToExtAuth: + - header1 + - header2 + grpc: + backendRefs: + - name: service-2 + kind: Service + port: 8080 + - name: backend-fqdn + kind: Backend + group: 
gateway.envoyproxy.io + port: 3000 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml new file mode 100644 index 00000000000..bc18a9b536a --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml 
@@ -0,0 +1,332 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: primary.foo.com + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Invalid +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + 
reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-1 + namespace: default + spec: + extAuth: + failOpen: true + grpc: + backendRefs: + - kind: Service + name: service-2 + port: 8080 + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 3000 + headersToExtAuth: + - header1 + - header2 + recomputeRoute: true + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + 
conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo1 + security: + extAuth: + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: securitypolicy/default/policy-for-http-route-1 + recomputeRoute: true + - destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 + security: + extAuth: + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: securitypolicy/default/policy-for-http-route-1 + recomputeRoute: true + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5d90b6816fd..3465645e69a 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -883,6 +883,13 @@ type ExtAuth struct { // This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. // +optional FailOpen *bool `json:"failOpen,omitempty"` + + // RecomputeRoute clears the route cache and recalculates the routing decision. + // This field must be enabled if the headers generated from the claim are used for + // route matching decisions. If the recomputation selects a new route, features targeting + // the new matched route will be applied. + // +optional + RecomputeRoute *bool `json:"recomputeRoute,omitempty"` } // HTTPExtAuthService defines the HTTP External Authorization service diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index c16028999e0..1639262be2e 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
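Review bot: The doc comment on the new `RecomputeRoute` field in `ExtAuth` says "headers generated from the claim", which reads like JWT wording; ext auth has no claims. The API reference updated in this same commit already words it differently, so I would align the IR comment with it: `// This field must be enabled if the headers added or modified by the ExtAuth are used for`. It would also help to say that Envoy only clears the route cache when the authorization service allows the request and changes a request header, so the flag has no effect on the fail-open path. The `ExtAuth` struct begins outside this hunk.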
@@ -851,6 +851,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = new(bool) **out = **in } + if in.RecomputeRoute != nil { + in, out := &in.RecomputeRoute, &out.RecomputeRoute + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth. diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 3b64326c4c3..7d7cc6a7227 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -103,6 +103,10 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz { config.FailureModeAllow = *extAuth.FailOpen } + if extAuth.RecomputeRoute != nil { + config.ClearRouteCache = *extAuth.RecomputeRoute + } + var headersToExtAuth []*matcherv3.StringMatcher for _, header := range extAuth.HeadersToExtAuth { headersToExtAuth = append(headersToExtAuth, &matcherv3.StringMatcher{ diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-recomputation.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-recomputation.yaml new file mode 100644 index 00000000000..fb0451b9835 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-recomputation.yaml 
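Review bot: The new `config.ClearRouteCache = *extAuth.RecomputeRoute` assignment in extAuthConfig has no comment on what re-routing after authorization means for policy enforcement. The listener fixture added in this commit shows every ext_authz filter as `disabled: true` and enabled per route through `typedPerFilterConfig`. If the recomputed route is covered by a different SecurityPolicy, the ext_authz filter for that policy may sit earlier in the chain and would presumably not run for the new route; this should be confirmed against the filter ordering. I would add above the assignment: `// ClearRouteCache lets auth-response headers re-select the route; HTTP filters that already ran are not re-evaluated for the newly selected route.` extAuthConfig starts and ends outside the hunk.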
@@ -0,0 +1,124 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-2/rule/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-gateway-1 + failOpen: true + recomputeRoute: true + http: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 80 + protocol: HTTP + weight: 1 + headersToBackend: + - header1 + - header2 + path: /auth diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml new file mode 100644 index 00000000000..880f77a06f0 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml 
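Review bot: In this input fixture the second route (`/foo2`) redefines the destination `securitypolicy/default/policy-for-http-route-1/default/grpc-backend` with `addressType: IP`, host `primary.foo.com` and port `3000`, while the first route defines the same destination name as `addressType: FQDN` on port `9000`. The generated clusters file in this commit only contains the port `9000` STRICT_DNS cluster, so the second definition is never reflected in the output and looks like a copy-paste slip. I would make the two routes agree (`addressType: FQDN`, `port: 9000`). Only the HTTP ext auth on `/bar` sets `recomputeRoute: true`; setting it on one of the gRPC policies as well would exercise that path too.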
@@ -0,0 +1,112 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/1 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: 
true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 80 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.endpoints.yaml new file mode 100644 index 00000000000..bf9f0023789 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.endpoints.yaml 
@@ -0,0 +1,36 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/1/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml new file mode 100644 index 00000000000..56cfa9ea51a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml 
@@ -0,0 +1,71 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + allowedHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + grpcService: + envoyGrpc: + authority: primary.foo.com + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + timeout: 10s + transportApiVersion: V3 + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + clearRouteCache: true + failureModeAllow: true + httpService: + authorizationResponse: + allowedUpstreamHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + pathPrefix: /auth + serverUri: + cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + timeout: 10s + uri: http://primary.foo.com/auth + transportApiVersion: V3 + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + 
statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + drainType: MODIFY_ONLY + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.routes.yaml new file mode 100644 index 00000000000..08edfc3c406 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.routes.yaml @@ -0,0 +1,44 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/1 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 802efac5828..bd74b7b640c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1473,6 +1473,7 @@ _Appears in:_ | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | #### ExtProc diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 802efac5828..bd74b7b640c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1473,6 +1473,7 @@ _Appears in:_ | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | #### ExtProc From 9416efb2f17b6469e6252d5a613df78e9d2e008c Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 10 Sep 2024 10:07:53 +0800 Subject: [PATCH 128/523] lint: ignore gosec G115 (#4184) Signed-off-by: zirain --- internal/gatewayapi/backendtrafficpolicy.go | 2 +- internal/gatewayapi/clienttrafficpolicy.go | 6 +++--- internal/gatewayapi/clustersettings.go | 4 ++-- internal/gatewayapi/filters.go | 2 +- internal/gatewayapi/helpers.go | 2 +- internal/gatewayapi/http.go | 4 ++-- internal/xds/translator/local_ratelimit.go | 8 ++++---- internal/xds/translator/ratelimit.go | 8 ++++---- internal/xds/translator/route.go | 2 +- internal/xds/translator/utils.go | 4 ++-- test/e2e/tests/backend_tls_settings.go | 2 +- test/e2e/tests/envoy_shutdown.go | 2 +- tools/linter/golangci-lint/.golangci.yml | 3 +++ 13 files changed, 26 insertions(+), 23 deletions(-) diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index b9ac448e708..3fbf5fb25f8 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -773,7 +773,7 @@ func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 { func int64ToUint32(in int64) (uint32, bool) { if in >= 0 && in <= math.MaxUint32 { - return uint32(in), true // nolint: gosec + return uint32(in), true } return 0, false } diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index b0294a14351..44d813c255c 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -703,7 +703,7 @@ func translateHTTP2Settings(http2Settings *egv1a1.HTTP2Settings, httpIR *ir.HTTP MinHTTP2InitialStreamWindowSize, MaxHTTP2InitialStreamWindowSize)) default: - http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) // nolint: gosec + http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) } } 
@@ -718,7 +718,7 @@ func translateHTTP2Settings(http2Settings *egv1a1.HTTP2Settings, httpIR *ir.HTTP MinHTTP2InitialConnectionWindowSize, MaxHTTP2InitialConnectionWindowSize)) default: - http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) // nolint: gosec + http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) } } @@ -878,7 +878,7 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection, return nil, fmt.Errorf("BufferLimit value %s is out of range, must be between 0 and %d", connection.BufferLimit.String(), math.MaxUint32) } - irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit)) // nolint: gosec + irConnection.BufferLimitBytes = ptr.To(uint32(bufferLimit)) } return irConnection, nil diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index a05ad60ff26..4b295ea5bfa 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -190,7 +190,7 @@ func buildBackendConnection(policy egv1a1.ClusterSettings) (*ir.BackendConnectio return nil, fmt.Errorf("BufferLimit value %s is out of range", bc.BufferLimit.String()) } - bcIR.BufferLimitBytes = ptr.To(uint32(bf)) // nolint: gosec + bcIR.BufferLimitBytes = ptr.To(uint32(bf)) } } @@ -339,7 +339,7 @@ func buildConsistentHashLoadBalancer(policy egv1a1.LoadBalancer) (*ir.Consistent if policy.ConsistentHash.TableSize != nil { tableSize := policy.ConsistentHash.TableSize - if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) { // nolint: gosec + if *tableSize > MaxConsistentHashTableSize || !big.NewInt(int64(*tableSize)).ProbablyPrime(0) { return nil, fmt.Errorf("invalid TableSize value %d", *tableSize) } diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index f3484c6d9b6..aecc2e81131 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go 
@@ -358,7 +358,7 @@ func (t *Translator) processRedirectFilter( } if redirect.StatusCode != nil { - redirectCode := int32(*redirect.StatusCode) // nolint: gosec + redirectCode := int32(*redirect.StatusCode) // Envoy supports 302, 303, 307, and 308, but gateway API only includes 301 and 302 if redirectCode == 301 || redirectCode == 302 { redir.StatusCode = &redirectCode diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 7e0cf05de26..52df40f4736 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -513,7 +513,7 @@ func parseCIDR(cidr string) (*ir.CIDRMatch, error) { return &ir.CIDRMatch{ CIDR: ipn.String(), IP: ip.String(), - MaskLen: uint32(mask), // nolint: gosec + MaskLen: uint32(mask), IsIPv6: ip.To4() == nil, }, nil } diff --git a/internal/gatewayapi/http.go b/internal/gatewayapi/http.go index eed3145eb81..e54b3f761d7 100644 --- a/internal/gatewayapi/http.go +++ b/internal/gatewayapi/http.go @@ -42,7 +42,7 @@ func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Setting MinHTTP2InitialStreamWindowSize, MaxHTTP2InitialStreamWindowSize)) default: - http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) // nolint: gosec + http2.InitialStreamWindowSize = ptr.To(uint32(initialStreamWindowSize)) } } @@ -57,7 +57,7 @@ func buildIRHTTP2Settings(http2Settings *egv1a1.HTTP2Settings) (*ir.HTTP2Setting MinHTTP2InitialConnectionWindowSize, MaxHTTP2InitialConnectionWindowSize)) default: - http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) // nolint: gosec + http2.InitialConnectionWindowSize = ptr.To(uint32(initialConnectionWindowSize)) } } diff --git a/internal/xds/translator/local_ratelimit.go b/internal/xds/translator/local_ratelimit.go index 2aad87852a2..1503758dfb4 100644 --- a/internal/xds/translator/local_ratelimit.go +++ b/internal/xds/translator/local_ratelimit.go 
@@ -147,9 +147,9 @@ func (*localRateLimit) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) e localRl := &localrlv3.LocalRateLimit{ StatPrefix: localRateLimitFilterStatPrefix, TokenBucket: &typev3.TokenBucket{ - MaxTokens: uint32(local.Default.Requests), // nolint: gosec + MaxTokens: uint32(local.Default.Requests), TokensPerFill: &wrapperspb.UInt32Value{ - Value: uint32(local.Default.Requests), // nolint: gosec + Value: uint32(local.Default.Requests), }, FillInterval: ratelimitUnitToDuration(local.Default.Unit), }, @@ -273,9 +273,9 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) ( descriptor := &rlv3.LocalRateLimitDescriptor{ Entries: descriptorEntries, TokenBucket: &typev3.TokenBucket{ - MaxTokens: uint32(rule.Limit.Requests), // nolint: gosec + MaxTokens: uint32(rule.Limit.Requests), TokensPerFill: &wrapperspb.UInt32Value{ - Value: uint32(rule.Limit.Requests), // nolint: gosec + Value: uint32(rule.Limit.Requests), }, FillInterval: ratelimitUnitToDuration(rule.Limit.Unit), }, diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 1641ee0f1dd..8e3e661f9d7 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -337,7 +337,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc.Key = getRouteRuleDescriptor(rIdx, -1) pbDesc.Value = getRouteRuleDescriptor(rIdx, -1) rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec + RequestsPerUnit: uint32(rule.Limit.Requests), Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } pbDesc.RateLimit = &rateLimit 
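Review bot: `uint32(local.Default.Requests)` in patchRoute is now a bare narrowing cast with no range check visible in the hunk and no marker left to show that it was reviewed. The declaration of `Requests` is not shown here, but if it is a wider integer type, a configured limit above `math.MaxUint32` would wrap to an unrelated token-bucket size and the enforced rate limit would silently differ from the configured one. The same cast appears as `uint32(rule.Limit.Requests)` in buildRouteLocalRateLimits and in the three buildRateLimitServiceDescriptors hunks of ratelimit.go. `int64ToUint32` in backendtrafficpolicy.go, touched by this same patch, shows the checked pattern; I would validate the limit once before building the `TokenBucket`, e.g. `if local.Default.Requests > math.MaxUint32 { /* reject the policy */ }`. patchRoute starts and ends outside the hunk.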
@@ -360,7 +360,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R // Add the ratelimit values to the last descriptor if mIdx == len(rule.HeaderMatches)-1 { rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec + RequestsPerUnit: uint32(rule.Limit.Requests), Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } pbDesc.RateLimit = &rateLimit @@ -402,7 +402,7 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc.Key = "masked_remote_address" pbDesc.Value = rule.CIDRMatch.CIDR rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), // nolint: gosec + RequestsPerUnit: uint32(rule.Limit.Requests), Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } @@ -522,5 +522,5 @@ func (t *Translator) getRateLimitServiceGrpcHostPort() (string, uint32) { if err != nil { panic(err) } - return u.Hostname(), uint32(p) // nolint: gosec + return u.Hostname(), uint32(p) } diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index a23657a8349..42f17ff94f1 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -598,7 +598,7 @@ func buildRetryPolicy(route *ir.HTTPRoute) (*routev3.RetryPolicy, error) { func buildRetryStatusCodes(codes []ir.HTTPStatus) []uint32 { ret := make([]uint32, len(codes)) for i, c := range codes { - ret[i] = uint32(c) // nolint: gosec + ret[i] = uint32(c) } return ret } diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go index a31a4a160f6..23d455edd9c 100644 --- a/internal/xds/translator/utils.go +++ b/internal/xds/translator/utils.go 
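Review bot: `return u.Hostname(), uint32(p)` in `getRateLimitServiceGrpcHostPort` converts the port without a range check, so whether a negative or above-65535 value can reach the generated config depends on how `p` is parsed above the hunk. If that parse is signed (for example `strconv.Atoi`), parsing with `strconv.ParseUint(u.Port(), 10, 16)` instead would make out-of-range ports fail at the existing `err != nil` branch. `url2Cluster` in `utils.go` has the same unchecked `uint32(port)` conversion in both of its hunks, and there the URL may come from user-supplied policy, which is not visible here.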
@@ -63,7 +63,7 @@ func url2Cluster(strURL string) (*urlCluster, error) { } } - name := clusterName(u.Hostname(), uint32(port)) // nolint: gosec + name := clusterName(u.Hostname(), uint32(port)) if ip, err := netip.ParseAddr(u.Hostname()); err == nil { if ip.Unmap().Is4() { @@ -74,7 +74,7 @@ func url2Cluster(strURL string) (*urlCluster, error) { return &urlCluster{ name: name, hostname: u.Hostname(), - port: uint32(port), // nolint: gosec + port: uint32(port), endpointType: epType, tls: u.Scheme == "https", }, nil diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index 404b50e6d5c..0fdbdf10d62 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go @@ -301,7 +301,7 @@ func restartDeploymentAndWaitForRollout(t *testing.T, timeoutConfig config.Timeo } // all pods are rolled - if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { // nolint: gosec + if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { return true, nil } diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go index 58b3cdae413..6b5a35f490a 100644 --- a/test/e2e/tests/envoy_shutdown.go +++ b/test/e2e/tests/envoy_shutdown.go @@ -163,7 +163,7 @@ func restartProxyAndWaitForRollout(t *testing.T, timeoutConfig config.TimeoutCon } // all pods are rolled - if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { // nolint: gosec + if rolled == int32(len(podList.Items)) && rolled >= *dp.Spec.Replicas { return true, nil } diff --git a/tools/linter/golangci-lint/.golangci.yml b/tools/linter/golangci-lint/.golangci.yml index 962075c1c1e..7877f56cd29 100644 --- a/tools/linter/golangci-lint/.golangci.yml +++ b/tools/linter/golangci-lint/.golangci.yml @@ -25,6 +25,9 @@ linters: - unparam linters-settings: + gosec: + excludes: + - G115 depguard: rules: Main: From 61dcc6472e964d9d7781a2d130c172dc00136a95 Mon Sep 17 00:00:00 2001 
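Review bot: Excluding `G115` under `linters-settings.gosec.excludes` turns the integer-overflow conversion check off for every package, including code added later, while the same commit deletes the per-line `// nolint: gosec` markers that showed which conversions had been looked at. Some of those sites are bounded by a preceding range check (the HTTP/2 window sizes in `http.go`), but others such as ports and rate-limit counts are not visibly bounded in their hunks. If the rule is too noisy, a narrower option is an `issues.exclude-rules` entry limited by `path` and `text: G115`, or at least a comment here recording the decision, e.g. `# G115 excluded: <reason / tracking issue>`.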
From: shahar-h Date: Tue, 10 Sep 2024 05:48:05 +0300 Subject: [PATCH 129/523] ci: fix openssf-scorecard permission issue (#4198) Signed-off-by: Shahar Harari --- .github/workflows/osv-scanner.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 750460e860a..dc5833b0010 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -13,6 +13,9 @@ on: schedule: - cron: '44 15 * * 5' +permissions: + contents: read + jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} From 75fa107d3d985ced40dc777a9118909938cfe230 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Tue, 10 Sep 2024 14:16:15 +0300 Subject: [PATCH 130/523] feat: choose a default HTTP1.0 route based on HTTPRoutes if possible. (#4183) * Choose a default HTTP1.0 route based on HTTPRoutes if possible. Signed-off-by: Lior Okman * Make the linter happy Signed-off-by: Lior Okman * Simplified the logic slightly. Signed-off-by: Lior Okman --------- 
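Review bot: With a top-level `permissions: contents: read` in `osv-scanner.yml`, any job that does not declare its own `permissions` block now gets only that scope and every other scope becomes `none`. The job definitions are outside this hunk, so it is worth confirming that each scan job that uploads results still declares what it needs at job level, e.g. `security-events: write` next to `contents: read`. Otherwise the scan may run but fail when it publishes its findings.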
Signed-off-by: Lior Okman --- internal/gatewayapi/clienttrafficpolicy.go | 22 +- ...nttrafficpolicy-http-health-check.out.yaml | 0 .../clienttrafficpolicy-http10.in.yaml | 82 +++++ .../clienttrafficpolicy-http10.out.yaml | 314 ++++++++++++++++++ .../envoyproxy-accesslog-als-json.out.yaml | 0 ...roxy-endpoint-routing-for-gateway.out.yaml | 0 .../envoyproxy-endpoint-routing.out.yaml | 0 ...proxy-service-routing-for-gateway.out.yaml | 0 .../envoyproxy-service-routing.out.yaml | 0 .../testdata/httproute-with-metadata.out.yaml | 0 internal/gatewayapi/translator.go | 6 +- 11 files changed, 420 insertions(+), 4 deletions(-) mode change 100755 => 100644 internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml mode change 100755 => 100644 internal/gatewayapi/testdata/httproute-with-metadata.out.yaml diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 44d813c255c..7d4c95e6e4c 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -661,6 +661,7 @@ func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTP if http1Settings.HTTP10 != nil { var defaultHost *string if ptr.Deref(http1Settings.HTTP10.UseDefaultHost, false) { + // First level of precedence - the first non-wildcard hostname associated with the listener for _, hostname := range httpIR.Hostnames { if !strings.Contains(hostname, "*") { // make linter happy 
@@ -669,8 +670,27 @@ func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTP break } } + // second level of precedence - try to get a hostname from the HTTPRoutes + numMatchingRoutes := 0 if defaultHost == nil { - return fmt.Errorf("cannot set http10 default host on listener with only wildcard hostnames") + // When taken from the routes, a default hostname can only be chosen if there + // is exactly one HTTPRoute with a non-wildcard hostname configured. + for _, route := range httpIR.Routes { + if route.Hostname != "" && !strings.Contains(route.Hostname, "*") { + numMatchingRoutes++ + // make the linter happy + theHost := route.Hostname + defaultHost = ptr.To(theHost) + } + if numMatchingRoutes > 1 { + break + } + } + if numMatchingRoutes == 0 { + return fmt.Errorf("cannot set http10 default host on listener with only wildcard hostnames") + } else if numMatchingRoutes > 1 { + return fmt.Errorf("cannot set http10 default host on listener with only wildcard hostnames and more than one possible default route") + } } } // If useDefaultHost was set, then defaultHost will have the hostname to use. diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.in.yaml index 5ea01c15336..c4f16d4a2a1 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.in.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.in.yaml 
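Review bot: The second-level lookup in `translateHTTP1Settings` counts IR routes, not distinct hostnames, so `numMatchingRoutes` exceeds 1 as soon as two entries of `httpIR.Routes` carry the same non-wildcard hostname. The test output added in this commit names IR routes per rule and match (`.../rule/0/match/0/route_example_com`), which suggests a single HTTPRoute with two rules would be rejected with "more than one possible default route" although only one hostname is a candidate. Counting only hostnames that differ from the one already chosen keeps the "exactly one" intent stated in the comment. The shadow copy `theHost` is also unnecessary, since `ptr.To` takes its argument by value. The function starts and continues outside the hunk.

```go
// … unchanged: first-level lookup over httpIR.Hostnames …
if defaultHost == nil {
	for _, route := range httpIR.Routes {
		if route.Hostname == "" || strings.Contains(route.Hostname, "*") {
			continue
		}
		// Several IR routes can share one hostname; count distinct hostnames only.
		if defaultHost != nil && *defaultHost == route.Hostname {
			continue
		}
		numMatchingRoutes++
		if numMatchingRoutes > 1 {
			break
		}
		defaultHost = ptr.To(route.Hostname)
	}
	// … unchanged: the two error returns on numMatchingRoutes …
}
```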
@@ -40,6 +40,34 @@ clientTrafficPolicies: kind: Gateway name: gateway-1 sectionName: http-3 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-1-section-http-4 + spec: + http1: + http10: + useDefaultHost: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + sectionName: http-4 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-1-section-http-5 + spec: + http1: + http10: + useDefaultHost: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + sectionName: http-5 gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -68,3 +96,57 @@ gateways: allowedRoutes: namespaces: from: Same + - name: http-4 + protocol: HTTP + port: 8082 + allowedRoutes: + namespaces: + from: Same + - name: http-5 + protocol: HTTP + port: 8083 + allowedRoutes: + namespaces: + from: Same +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-1 + spec: + hostnames: + - route.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http-4 + - namespace: envoy-gateway + name: gateway-1 + sectionName: http-5 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-2 + spec: + hostnames: + - route2.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http-5 + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index d0d0a8975e4..8561d93004a 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -89,6 +89,67 @@ clientTrafficPolicies: status: "False" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-1-section-http-4 + namespace: envoy-gateway + spec: + http1: + http10: + useDefaultHost: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + sectionName: http-4 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-4 + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-1-section-http-5 + namespace: envoy-gateway + spec: + http1: + http10: + useDefaultHost: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + sectionName: http-5 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 + conditions: + - lastTransitionTime: null + message: 'HTTP1: cannot set http10 default host on listener with only wildcard + hostnames and more than one possible default route.' + reason: Invalid + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway 
@@ -118,6 +179,18 @@ gateways: name: http-3 port: 8081 protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + name: http-4 + port: 8082 + protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + name: http-5 + port: 8083 + protocol: HTTP status: listeners: - attachedRoutes: 0 
@@ -189,6 +262,148 @@ gateways: kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http-4 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http-5 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + hostnames: + - route.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http-4 + - name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + 
reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http-4 + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: envoy-gateway + spec: + hostnames: + - route2.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 infraIR: envoy-gateway/gateway-1: proxy: @@ -214,6 +429,20 @@ infraIR: name: http-8081 protocol: HTTP servicePort: 8081 + - address: null + name: envoy-gateway/gateway-1/http-4 + ports: + - containerPort: 8082 + name: http-8082 + protocol: HTTP + servicePort: 8082 + - address: null + name: envoy-gateway/gateway-1/http-5 + ports: + - containerPort: 8083 + name: http-8083 + protocol: HTTP + servicePort: 8083 metadata: labels: gateway.envoyproxy.io/owning-gateway-name: gateway-1 
@@ -273,3 +502,88 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8081 + - address: 0.0.0.0 + hostnames: + - '*' + http1: + http10: + defaultHost: route.example.com + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-4 + name: envoy-gateway/gateway-1/http-4 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8082 + routes: + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: route.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/route_example_com + pathMatch: + distinct: false + name: "" + prefix: / + - address: 0.0.0.0 + hostnames: + - '*' + http1: {} + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http-5 + name: envoy-gateway/gateway-1/http-5 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 8083 + routes: + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: route.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/route_example_com + pathMatch: + distinct: false + name: "" + prefix: / + - destination: + name: httproute/envoy-gateway/httproute-2/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: route2.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-2/rule/0/match/0/route2_example_com + pathMatch: + distinct: false + name: "" + prefix: / 
diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml old mode 100755 new mode 100644 diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 1be3f59f229..6346bb1a48c 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -186,9 +186,6 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // Process EnvoyPatchPolicies t.ProcessEnvoyPatchPolicies(resources.EnvoyPatchPolicies, xdsIR) - // Process ClientTrafficPolicies - clientTrafficPolicies := t.ProcessClientTrafficPolicies(resources, gateways, xdsIR, infraIR) - // Process all Addresses for all relevant Gateways. t.ProcessAddresses(gateways, xdsIR, infraIR, resources) 
@@ -210,6 +207,9 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // Process all relevant UDPRoutes. udpRoutes := t.ProcessUDPRoutes(resources.UDPRoutes, gateways, resources, xdsIR) + // Process ClientTrafficPolicies + clientTrafficPolicies := t.ProcessClientTrafficPolicies(resources, gateways, xdsIR, infraIR) + // Process BackendTrafficPolicies routes := []RouteContext{} for _, h := range httpRoutes { From abae1aca25be20c53f0ecaded1802e2e7c299b30 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:18:02 -0700 Subject: [PATCH 131/523] build(deps): bump busybox from `8274294` to `34b191d` in /tools/docker/envoy-gateway (#4192) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `8274294` to `34b191d`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index e25c4cc792f..4b40efa93d7 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,4 +1,4 @@ -FROM busybox@sha256:82742949a3709938cbeb9cec79f5eaf3e48b255389f2dcedf2de29ef96fd841c as source +FROM busybox@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41 as source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 8e18b612e236b3755e0d057b00260ee51e8642da Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 11 Sep 2024 06:34:19 +0800 Subject: [PATCH 132/523] chore: add a jwks public private key pair for testing (#4200) * add a jwks public private key pair for testing Signed-off-by: Huabing Zhao * minor woriding 
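Review bot: The new position of `ProcessClientTrafficPolicies` in `Translate` is load-bearing, but the comment above it still only says "Process ClientTrafficPolicies". The HTTP/1.0 default-host selection added in `clienttrafficpolicy.go` reads `httpIR.Routes`, so moving this call back above the route processors would silently restore the old "only wildcard hostnames" error. I would record the dependency in the comment: `// Process ClientTrafficPolicies. Must run after the route processors above: the HTTP/1.0 default host is derived from the routes attached to each listener.` `Translate` starts and continues outside the hunk.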
Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- examples/kubernetes/jwt/README.md | 3 +++ examples/kubernetes/jwt/jwks.json | 23 ++++++++++++++++++++++- examples/kubernetes/jwt/key.json | 17 +++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 examples/kubernetes/jwt/README.md create mode 100644 examples/kubernetes/jwt/key.json diff --git a/examples/kubernetes/jwt/README.md b/examples/kubernetes/jwt/README.md new file mode 100644 index 00000000000..cc4d6eacaff --- /dev/null +++ b/examples/kubernetes/jwt/README.md @@ -0,0 +1,3 @@ +The JWKS and private key in this directory are for testing purposes only and should not be considered confidential. Please do not use them in a production environment. + +A new JWT token can be generated using tools like https://www.scottbrady91.com/tools/jwt . \ No newline at end of file diff --git a/examples/kubernetes/jwt/jwks.json b/examples/kubernetes/jwt/jwks.json index 6cd882726be..b58d8e04fb3 100644 --- a/examples/kubernetes/jwt/jwks.json +++ b/examples/kubernetes/jwt/jwks.json 
@@ -1 +1,22 @@ -{"keys":[{"kty":"RSA","n":"u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw","e":"AQAB","alg":"RS256","use":"sig"}]} +{ + "keys": [ + { + "kty": "RSA", + "n": "u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw", + "e": "AQAB", + "alg": "RS256", + "use": "sig" + }, + { + "alg": "RS256", + "e": "AQAB", + "key_ops": [ + "verify" + ], + "kty": "RSA", + "n": "xOHb-i1WDfeAvsbXTSOtosl3hCUDHQ8fRDqX_Rt998-hZDJmAoPOu4J-wcwq5aZtSn_iWUYLcK2WmC_1n-p1eyc-Pl4CBnxF7LUjCk-WGhniaCzXC5I5RON6c5N-MdE0UfukK0PM0zD3iQonZq0fIsnOYyFdYdWvQ5XW-C2aLlq2FUKrjmhAav10jIC0KGd2dHRzauzfLMUmt_iMnpU84Xrur1zRYzBO4D90rN0ypC2HH7o_zI8Osx4o1L8BScW78545sWyVbaprhBV1I2Sa4SH3NAc25ej3RIh-f13Yu97FVfO0AIG4VfFiaMmsTqNTCiBkM20tXD2Z-cHJTKemXzFgInJoqFLAkHLzJ0lPvAkKOgAOufLHa7RA-C276OXd72IXPsL1UOLN4sjhGqTtaynVa00yuHdi3f4-aoy9F9SUJeWfPg--nZNLzuI0eyufsTFywnx1bTQ_kdYlEr0dRE5sujlMk3cZ7FmOQRvcjA9MxFzoVKMmlZc6LMCgqw-P", + "use": "sig", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" + } + ] +} \ No newline at end of file diff --git a/examples/kubernetes/jwt/key.json b/examples/kubernetes/jwt/key.json new file mode 100644 index 00000000000..6fbf5bb2231 --- /dev/null +++ b/examples/kubernetes/jwt/key.json 
@@ -0,0 +1,17 @@ +{ + "alg": "RS256", + "d": "URyb_B3hbi-hovdYjDc-ueo2iwKUncw1HW7mXyiMZSPtYdJBpJeY_Ddu8Xij06kVLbQyFIV_ARUDDf_0OcXmUK6CPj-Mpg9c34Bgx0aymF5BoJmYnvPHFFKDiEojm3KNE5mQsSJlqDxsPtEoGm0IftSVatG8Hyph4n5A6k4fTymgCnJFK45Xu7xf3-LGVj8J1kCDrHGaIF-46-JCTLM_OcXjv-uFeE_Wrxx1fSJEUs9O9AtPbX8ilzi9qahnZ3VGmG1sSv0IPy1zUcRqF0nHVi4FP4yK-jZNbGvYobqlf-CpW6FKRNwKzc9a8QfnJB-bA4DQkHZBqKOLpMlPgGQj4Sgp4OnaBrJhXO4gLkXlhLpQNjr74qZr0KYR34MsVJIbCT0m6P1HrH1Yz-k8PIWE1LfY4Ku5ECpJOP9PCqd4vcUM4ErON08MozvSvALkuzgvWC7jjkHECSaRvRKhA6cEuBPLlzwUSWPRiso6BC9TvaEmbg2zk-xBtMfiKdtc9NPB", + "dp": "vAzERP3CMHHpBMK_0--UPaoTcfTDlcR6-2oRfjkbb3sfbryZJkoCrnlBBbFAnbSkCIrJL9Ig2lfEpK44OQJJ48AYja5z2APQyTgoOQMpp61OH8AWgvnupLNtWdhwYQgDkb276pAcPBkgRxXt29qW_Tvbcq-vcmV9NrqEWrJj_Os7gQvVDTgagaQZ3eH7eHqKCoAcAEwKL1SOH7DEh-LSX9N2G54tU11RFSmuiGMZ_XzU-hFmQN210sRckjHivCvR", + "dq": "yT4AWazCtcgW44VdhSlpebeMnz591P9KA41_l8vDALCBIjbom0wX5BZaaLaPsUPvfGkIOduCs7cJWzBPwOrd_BLenqd7rsHlhAz5aBVj0aXenUGwYQ8DaZzrB_wmPrJHkyzT9HOJ1jmiC5op-igcNSHrPfwFJ5K-bjUHJE4zIMmsMzi8XoWIj52uyRdXAq1u1t12Hc3_g_Fy5PugufrNIh8bMBw8wsEfTnMc21Y5s7xTTFouf4RUgVP5oBCe12Lh", + "e": "AQAB", + "key_ops": [ + "sign" + ], + "kty": "RSA", + "n": "xOHb-i1WDfeAvsbXTSOtosl3hCUDHQ8fRDqX_Rt998-hZDJmAoPOu4J-wcwq5aZtSn_iWUYLcK2WmC_1n-p1eyc-Pl4CBnxF7LUjCk-WGhniaCzXC5I5RON6c5N-MdE0UfukK0PM0zD3iQonZq0fIsnOYyFdYdWvQ5XW-C2aLlq2FUKrjmhAav10jIC0KGd2dHRzauzfLMUmt_iMnpU84Xrur1zRYzBO4D90rN0ypC2HH7o_zI8Osx4o1L8BScW78545sWyVbaprhBV1I2Sa4SH3NAc25ej3RIh-f13Yu97FVfO0AIG4VfFiaMmsTqNTCiBkM20tXD2Z-cHJTKemXzFgInJoqFLAkHLzJ0lPvAkKOgAOufLHa7RA-C276OXd72IXPsL1UOLN4sjhGqTtaynVa00yuHdi3f4-aoy9F9SUJeWfPg--nZNLzuI0eyufsTFywnx1bTQ_kdYlEr0dRE5sujlMk3cZ7FmOQRvcjA9MxFzoVKMmlZc6LMCgqw-P", + "p": "7m9XI2SOtfdUd-BTKSoot9bgo5oKHcG3pilZtNlqgf5o47rHeSQj8Js85PL-2IXGDuRkTA08uTzQtoPEwsGb8aB96KhSw3SSqtEN_hNFCUQ4AuxWtXj5nTEudqhyFHyYb5U-6_iVrKk_rJYI4l1dRSe0ePuIgmHJOSJUBnPFHiYURKmI3F2MCLXD3PQKbtBYx24QP0bvsTl6uz_uh5_EvPLBgtCJf0ey6D2DHt-4NQxp-_13PCBxt_ARi6lAYG8D", + "q": 
"02Lf5WZuXf0ZBvnug8lwkZ1a2pe0MG_-b6KHMaUN3su3uyqvB8x6b9wEl3UN-4z8OgDfWewYFxU5v3DMPY6ecMoMFfOzSApTEimLsJ_4i3qqxFvVeG5w0jX7nyGBvCdIuqjQYGd03P2BpXQwiFzJ7Sai4Dj_IOPUBM59TCR3R-fk8I9PoTXDXG1di6DwpXRvfYoUypxufvhQcmvBELB-sNgbX2LjVwJ4ZjniMFSkjvGNm88BH32SMRMuh3oSFiGF", + "qi": "wh-Gs9spzz9ogGpj_XSkHguvHayVqLzDK9GVbdXUO-bOYvZkvQO37GDBBRv39drYQrpgivT-iwgtWn6ESQ1atxcx1I6IXtAi9CZUJeBH7ipuOi5GPr_igphr0Z9O2a7Bwv3ZwwnuoseGYIW4ybPj93D1P2nHKcoh4u5dpSpXuy3qh4urAtVkivEXtxPPQdTkoizwGPAa19-Tyzv8Xrt3W6M2rCBQa8mpLkBHYhkgxfDx8olrerXxT11kMLlqFcwN", + "use": "sig", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" + } \ No newline at end of file From 646da88131e078517c1f97bb8b82ee09583b6ff7 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 10 Sep 2024 20:38:14 -0500 Subject: [PATCH 133/523] fix: reject invalid backends in route validation (#4209) fix: rejected invalid backends in route validation Signed-off-by: Guy Daich --- ...-listener-with-backend-backendref.out.yaml | 30 +++++++++---------- internal/gatewayapi/validate.go | 13 ++++++++ 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index b25d2af5d90..25ee9e8ba3d 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -272,9 +272,10 @@ httpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" + message: Invalid Backend reference to Backend default/backend-ip-localhost + found + reason: UnsupportedRefAddressFound + status: "False" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: 
@@ -309,9 +310,10 @@ httpRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: Resolved all the Object references for the Route - reason: ResolvedRefs - status: "True" + message: Invalid Backend reference to Backend default/backend-fqdn-localhost + found + reason: UnsupportedRefAddressFound + status: "False" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -413,11 +415,9 @@ xdsIR: - destination: name: httproute/default/httproute-4/rule/0 settings: - - addressType: IP - endpoints: - - host: 127.0.0.1 - port: 3001 - weight: 1 + - weight: 1 + directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: @@ -432,11 +432,9 @@ xdsIR: - destination: name: httproute/default/httproute-5/rule/0 settings: - - addressType: FQDN - endpoints: - - host: localhost - port: 3001 - weight: 1 + - weight: 1 + directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 5c442812d8b..d92dee3bcc0 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -314,6 +314,19 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, return false } + if err := validateBackend(backend); err != nil { + status.SetRouteStatusCondition(routeStatus, + parentRef.routeParentStatusIdx, + route.GetGeneration(), + gwapiv1.RouteConditionResolvedRefs, + metav1.ConditionFalse, + "UnsupportedRefAddressFound", + fmt.Sprintf("Invalid Backend reference to Backend %s/%s found", backendNamespace, + string(backendRef.Name)), + ) + return false + } + for _, bep := range backend.Spec.Endpoints { if bep.Unix != nil { status.SetRouteStatusCondition(routeStatus, From a2ba2fbfdaa7bc7a24cc30627024649fbb805d58 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 11 Sep 2024 10:05:39 +0800 Subject: [PATCH 134/523] API: use BackendCluster to represent OIDCProvider (#4128) * upgrade go control plane 
Signed-off-by: Huabing Zhao * add retry policy to the OIDC configuration Signed-off-by: Huabing Zhao * adjust retry condition Signed-off-by: Huabing Zhao * use BackendCluster for OIDC provider Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * address comments Signed-off-by: Huabing Zhao * move retry to the ClusterSetting Signed-off-by: Huabing Zhao * move ClusterSettings to shared type Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- api/v1alpha1/backendtrafficpolicy_types.go | 55 - api/v1alpha1/oidc_types.go | 14 + api/v1alpha1/shared_types.go | 55 + api/v1alpha1/zz_generated.deepcopy.go | 11 +- ....envoyproxy.io_envoyextensionpolicies.yaml | 80 ++ .../gateway.envoyproxy.io_envoyproxies.yaml | 330 ++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 1040 ++++++++++++++++- site/content/en/latest/api/extension_types.md | 23 +- site/content/zh/latest/api/extension_types.md | 23 +- 9 files changed, 1527 insertions(+), 104 deletions(-) diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 9d15ccd6896..70a400015e9 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -57,11 +57,6 @@ type BackendTrafficPolicySpec struct { // +optional FaultInjection *FaultInjection `json:"faultInjection,omitempty"` - // Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. - // If not set, retry will be disabled. - // +optional - Retry *Retry `json:"retry,omitempty"` - // UseClientProtocol configures Envoy to prefer sending requests to backends using // the same HTTP protocol that the incoming request used. Defaults to false, which means // that Envoy will use the protocol indicated by the attached BackendRef. 
@@ -85,56 +80,6 @@ type BackendTrafficPolicyList struct { Items []BackendTrafficPolicy `json:"items"` } -// ClusterSettings provides the various knobs that can be set to control how traffic to a given -// backend will be configured. -type ClusterSettings struct { - // LoadBalancer policy to apply when routing traffic from the gateway to - // the backend endpoints. Defaults to `LeastRequest`. - // +optional - LoadBalancer *LoadBalancer `json:"loadBalancer,omitempty"` - - // ProxyProtocol enables the Proxy Protocol when communicating with the backend. - // +optional - ProxyProtocol *ProxyProtocol `json:"proxyProtocol,omitempty"` - - // TcpKeepalive settings associated with the upstream client connection. - // Disabled by default. - // - // +optional - TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"` - - // HealthCheck allows gateway to perform active health checking on backends. - // - // +optional - HealthCheck *HealthCheck `json:"healthCheck,omitempty"` - - // Circuit Breaker settings for the upstream connections and requests. - // If not set, circuit breakers will be enabled with the default thresholds - // - // +optional - CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"` - - // Timeout settings for the backend connections. - // - // +optional - Timeout *Timeout `json:"timeout,omitempty"` - - // Connection includes backend connection settings. - // - // +optional - Connection *BackendConnection `json:"connection,omitempty"` - - // DNS includes dns resolution settings. - // - // +optional - DNS *DNS `json:"dns,omitempty"` - - // HTTP2 provides HTTP/2 configuration for backend connections. - // - // +optional - HTTP2 *HTTP2Settings `json:"http2,omitempty"` -} - func init() { SchemeBuilder.Register(&BackendTrafficPolicy{}, &BackendTrafficPolicyList{}) } diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 8951fbe63e6..73e1dea8c6e 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go 
@@ -106,7 +106,21 @@ type OIDC struct { } // OIDCProvider defines the OIDC Provider configuration. +// +kubebuilder:validation:XValidation:rule="!has(self.backendRef)",message="BackendRefs must be used, backendRef is not supported." +// +kubebuilder:validation:XValidation:rule="has(self.backendRefs)? self.backendRefs.size() > 1 : true",message="Only one backendRefs is allowed." type OIDCProvider struct { + // BackendRefs is used to specify the address of the OIDC Provider. + // If the BackendRefs is not specified, The host and port of the OIDC Provider's token endpoint + // will be used as the address of the OIDC Provider. + // + // TLS configuration can be specified in a BackendTLSConfig resource and target the BackendRefs. + // + // Other settings for the connection to the OIDC Provider can be specified in the BackendSettings resource. + // + // +optional + // +notImplementedHide + BackendCluster `json:",inline"` + // The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). // Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST // be https, a host component, and optionally, port and path components and diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index adfddff135a..c74504a6138 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
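Review bot: The second XValidation rule added on `OIDCProvider`, `has(self.backendRefs)? self.backendRefs.size() > 1 : true`, contradicts its own message "Only one backendRefs is allowed.". As written it accepts only lists with more than one entry and rejects the single-entry list the message asks for. The comparison should be `self.backendRefs.size() == 1`, or `<= 1` if an empty list is meant to pass. The inlined field is marked `+notImplementedHide`, so this may not be hit yet, but the generated CRD will enforce the rule as soon as `backendRefs` is set on an OIDC provider. The new doc comment also refers to a "BackendTLSConfig resource" and a "BackendSettings resource"; the latter is a field of `BackendCluster` in shared_types.go and the former presumably means BackendTLSPolicy, so the wording is worth correcting. The `OIDCProvider` struct continues outside the hunk.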
@@ -511,6 +511,61 @@ type BackendCluster struct { BackendSettings *ClusterSettings `json:"backendSettings,omitempty"` } +// ClusterSettings provides the various knobs that can be set to control how traffic to a given +// backend will be configured. +type ClusterSettings struct { + // LoadBalancer policy to apply when routing traffic from the gateway to + // the backend endpoints. Defaults to `LeastRequest`. + // +optional + LoadBalancer *LoadBalancer `json:"loadBalancer,omitempty"` + + // Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + // If not set, retry will be disabled. + // +optional + Retry *Retry `json:"retry,omitempty"` + + // ProxyProtocol enables the Proxy Protocol when communicating with the backend. + // +optional + ProxyProtocol *ProxyProtocol `json:"proxyProtocol,omitempty"` + + // TcpKeepalive settings associated with the upstream client connection. + // Disabled by default. + // + // +optional + TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"` + + // HealthCheck allows gateway to perform active health checking on backends. + // + // +optional + HealthCheck *HealthCheck `json:"healthCheck,omitempty"` + + // Circuit Breaker settings for the upstream connections and requests. + // If not set, circuit breakers will be enabled with the default thresholds + // + // +optional + CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"` + + // Timeout settings for the backend connections. + // + // +optional + Timeout *Timeout `json:"timeout,omitempty"` + + // Connection includes backend connection settings. + // + // +optional + Connection *BackendConnection `json:"connection,omitempty"` + + // DNS includes dns resolution settings. + // + // +optional + DNS *DNS `json:"dns,omitempty"` + + // HTTP2 provides HTTP/2 configuration for backend connections. 
+ // + // +optional + HTTP2 *HTTP2Settings `json:"http2,omitempty"` +} + // CIDR defines a CIDR Address range. // A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". // +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index f2e3ce24085..56b3332f2db 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -540,11 +540,6 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) *out = new(FaultInjection) (*in).DeepCopyInto(*out) } - if in.Retry != nil { - in, out := &in.Retry, &out.Retry - *out = new(Retry) - (*in).DeepCopyInto(*out) - } if in.UseClientProtocol != nil { in, out := &in.UseClientProtocol, &out.UseClientProtocol *out = new(bool) 
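Review bot: Moving `Retry` into `ClusterSettings` in the shared_types.go hunk makes it settable on every `BackendCluster` consumer, including the `OIDCProvider` backend introduced in this commit, but the field comment does not say which consumers honour it. Nothing visible in this patch wires the field up for the new consumers, so a configured retry policy may be silently ignored there. Either hide the field where it is unsupported or name the supported consumers in the comment. For the OIDC provider specifically, token-endpoint requests are not idempotent because an authorization code is single-use, so a replayed request can be treated by the provider as code reuse. The comment should say so, for example `// For OIDC providers, restrict RetryOn to connection-level triggers; token requests must not be replayed after the provider has received them.`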
@@ -955,6 +950,11 @@ func (in *ClusterSettings) DeepCopyInto(out *ClusterSettings) { *out = new(LoadBalancer) (*in).DeepCopyInto(*out) } + if in.Retry != nil { + in, out := &in.Retry, &out.Retry + *out = new(Retry) + (*in).DeepCopyInto(*out) + } if in.ProxyProtocol != nil { in, out := &in.ProxyProtocol, &out.ProxyProtocol *out = new(ProxyProtocol) @@ -3613,6 +3613,7 @@ func (in *OIDCCookieNames) DeepCopy() *OIDCCookieNames { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = *in + in.BackendCluster.DeepCopyInto(&out.BackendCluster) if in.AuthorizationEndpoint != nil { in, out := &in.AuthorizationEndpoint, &out.AuthorizationEndpoint *out = new(string) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 92a538cf440..867b8933c0c 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
@@ -753,6 +753,86 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the base interval + between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout per retry attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the http status + code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 6baf2056ec3..c227b546cb0 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -11076,6 +11076,90 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number + of retries to be attempted. Defaults + to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry + policy to be applied per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval + is the base interval between + retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout + per retry attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines + the http status code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies + the retry trigger condition(Http/Grpc). + items: + description: TriggerEnum specifies + the conditions that trigger + retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. 
@@ -11962,6 +12046,90 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number + of retries to be attempted. Defaults + to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry + policy to be applied per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval + is the base interval between + retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout + per retry attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines + the http status code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies + the retry trigger condition(Http/Grpc). + items: + description: TriggerEnum specifies + the conditions that trigger + retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. 
@@ -12896,6 +13064,87 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of + retries to be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy + to be applied per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the + base interval between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout + per retry attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the + http status code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the + retry trigger condition(Http/Grpc). + items: + description: TriggerEnum specifies + the conditions that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. 
@@ -13791,6 +14040,87 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of retries + to be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy to be + applied per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the base + interval between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout per retry + attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the http + status code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the retry + trigger condition(Http/Grpc). + items: + description: TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index f00722dc40e..f2c08a230d2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -1024,6 +1024,87 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the base interval + between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout per retry + attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the http status + code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. 
@@ -1821,6 +1902,87 @@ spec: required: - version type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the base interval + between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout per retry + attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the http status + code. 
+ exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object tcpKeepalive: description: |- TcpKeepalive settings associated with the upstream client connection. 
@@ -2189,22 +2351,872 @@ spec: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). type: string - issuer: + backendRef: description: |- - The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). - Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST - be https, a host component, and optionally, port and path components and - no query or fragment components. - minLength: 1 - type: string - tokenEndpoint: + BackendRef references a Kubernetes object that represents the + backend server to which the authorization request will be sent. + + Deprecated: Use BackendRefs instead. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + backendRefs: description: |- - The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). - If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). - type: string - required: - - issuer - type: object + BackendRefs references a Kubernetes object that represents the + backend server to which the authorization request will be sent. 
+ items: + description: BackendRef defines how an ObjectReference that + is specific to BackendRef. + properties: + fallback: + description: |- + Fallback indicates whether the backend is designated as a fallback. + Multiple fallback backends can be configured. + It is highly recommended to configure active or passive health checks to ensure that failover can be detected + when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. + The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when + the health of the active backends falls below 72%. + type: boolean + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + backendSettings: + description: |- + BackendSettings holds configuration for managing the connection + to the backend. + properties: + circuitBreaker: + description: |- + Circuit Breaker settings for the upstream connections and requests. + If not set, circuit breakers will be enabled with the default thresholds + properties: + maxConnections: + default: 1024 + description: The maximum number of connections that + Envoy will establish to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRequests: + default: 1024 + description: The maximum number of parallel requests + that Envoy will make to the referenced backend defined + within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxParallelRetries: + default: 1024 + description: The maximum number of parallel retries + that Envoy will make to the referenced backend defined + within a xRoute rule. 
+ format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxPendingRequests: + default: 1024 + description: The maximum number of pending requests + that Envoy will queue to the referenced backend + defined within a xRoute rule. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + maxRequestsPerConnection: + description: |- + The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. + Default: unlimited. + format: int64 + maximum: 4294967295 + minimum: 0 + type: integer + type: object + connection: + description: Connection includes backend connection settings. + properties: + bufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + BufferLimit Soft limit on size of the cluster’s connections read and write buffers. + BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. + If unspecified, an implementation defined default is applied (32768 bytes). + For example, 20Mi, 1Gi, 256Ki etc. + Note: that when the suffix is not provided, the value is interpreted as bytes. + x-kubernetes-int-or-string: true + socketBufferLimit: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket + to backend. + SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. + For example, 20Mi, 1Gi, 256Ki etc. + Note that when the suffix is not provided, the value is interpreted as bytes. 
+ x-kubernetes-int-or-string: true + type: object + dns: + description: DNS includes dns resolution settings. + properties: + dnsRefreshRate: + description: |- + DNSRefreshRate specifies the rate at which DNS records should be refreshed. + Defaults to 30 seconds. + type: string + respectDnsTtl: + description: |- + RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. + If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. + Defaults to true. + type: boolean + type: object + healthCheck: + description: HealthCheck allows gateway to perform active + health checking on backends. + properties: + active: + description: Active health check configuration + properties: + grpc: + description: |- + GRPC defines the configuration of the GRPC health checker. + It's optional, and can only be used if the specified type is GRPC. + properties: + service: + description: |- + Service to send in the health check request. + If this is not specified, then the health check request applies to the entire + server and not to a specific service. + type: string + type: object + healthyThreshold: + default: 1 + description: HealthyThreshold defines the number + of healthy health checks required before a backend + host is marked healthy. + format: int32 + minimum: 1 + type: integer + http: + description: |- + HTTP defines the configuration of http health checker. + It's required while the health checker type is HTTP. + properties: + expectedResponse: + description: ExpectedResponse defines a list + of HTTP expected responses to match. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + expectedStatuses: + description: |- + ExpectedStatuses defines a list of HTTP response statuses considered healthy. + Defaults to 200 only + items: + description: HTTPStatus defines the http + status code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + method: + description: |- + Method defines the HTTP method used for health checking. + Defaults to GET + type: string + path: + description: Path defines the HTTP path that + will be requested during health checking. + maxLength: 1024 + minLength: 1 + type: string + required: + - path + type: object + interval: + default: 3s + description: Interval defines the time between + active health checks. + format: duration + type: string + tcp: + description: |- + TCP defines the configuration of tcp health checker. + It's required while the health checker type is TCP. + properties: + receive: + description: Receive defines the expected + response payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? 
has(self.binary) + : !has(self.binary)' + send: + description: Send defines the request payload. + properties: + binary: + description: Binary payload base64 encoded. + format: byte + type: string + text: + description: Text payload in plain text. + type: string + type: + allOf: + - enum: + - Text + - Binary + - enum: + - Text + - Binary + description: Type defines the type of + the payload. + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If payload type is Text, text field + needs to be set. + rule: 'self.type == ''Text'' ? has(self.text) + : !has(self.text)' + - message: If payload type is Binary, binary + field needs to be set. + rule: 'self.type == ''Binary'' ? has(self.binary) + : !has(self.binary)' + type: object + timeout: + default: 1s + description: Timeout defines the time to wait + for a health check response. + format: duration + type: string + type: + allOf: + - enum: + - HTTP + - TCP + - GRPC + - enum: + - HTTP + - TCP + - GRPC + description: Type defines the type of health checker. + type: string + unhealthyThreshold: + default: 3 + description: UnhealthyThreshold defines the number + of unhealthy health checks required before a + backend host is marked unhealthy. + format: int32 + minimum: 1 + type: integer + required: + - type + type: object + x-kubernetes-validations: + - message: If Health Checker type is HTTP, http field + needs to be set. + rule: 'self.type == ''HTTP'' ? has(self.http) : + !has(self.http)' + - message: If Health Checker type is TCP, tcp field + needs to be set. + rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)' + - message: The grpc field can only be set if the Health + Checker type is GRPC. + rule: 'has(self.grpc) ? 
self.type == ''GRPC'' : + true' + passive: + description: Passive passive check configuration + properties: + baseEjectionTime: + default: 30s + description: BaseEjectionTime defines the base + duration for which a host will be ejected on + consecutive failures. + format: duration + type: string + consecutive5XxErrors: + default: 5 + description: Consecutive5xxErrors sets the number + of consecutive 5xx errors triggering ejection. + format: int32 + type: integer + consecutiveGatewayErrors: + default: 0 + description: ConsecutiveGatewayErrors sets the + number of consecutive gateway errors triggering + ejection. + format: int32 + type: integer + consecutiveLocalOriginFailures: + default: 5 + description: |- + ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. + Parameter takes effect only when split_external_local_origin_errors is set to true. + format: int32 + type: integer + interval: + default: 3s + description: Interval defines the time between + passive health checks. + format: duration + type: string + maxEjectionPercent: + default: 10 + description: MaxEjectionPercent sets the maximum + percentage of hosts in a cluster that can be + ejected. + format: int32 + type: integer + splitExternalLocalOriginErrors: + default: false + description: SplitExternalLocalOriginErrors enables + splitting of errors between external and local + origin. + type: boolean + type: object + type: object + http2: + description: HTTP2 provides HTTP/2 configuration for backend + connections. + properties: + initialConnectionWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. + If not set, the default value is 1 MiB. 
+ x-kubernetes-int-or-string: true + initialStreamWindowSize: + allOf: + - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$ + anyOf: + - type: integer + - type: string + description: |- + InitialStreamWindowSize sets the initial window size for HTTP/2 streams. + If not set, the default value is 64 KiB(64*1024). + x-kubernetes-int-or-string: true + maxConcurrentStreams: + description: |- + MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. + If not set, the default value is 100. + format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + onInvalidMessage: + description: |- + OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error + It's recommended for L2 Envoy deployments to set this value to TerminateStream. + https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two + Default: TerminateConnection + type: string + type: object + loadBalancer: + description: |- + LoadBalancer policy to apply when routing traffic from the gateway to + the backend endpoints. Defaults to `LeastRequest`. + properties: + consistentHash: + description: |- + ConsistentHash defines the configuration when the load balancer type is + set to ConsistentHash + properties: + cookie: + description: Cookie configures the cookie hash + policy when the consistent hash type is set + to Cookie. + properties: + attributes: + additionalProperties: + type: string + description: Additional Attributes to set + for the generated cookie. + type: object + name: + description: |- + Name of the cookie to hash. 
+ If this cookie does not exist in the request, Envoy will generate a cookie and set + the TTL on the response back to the client based on Layer 4 + attributes of the backend endpoint, to ensure that these future requests + go to the same backend endpoint. Make sure to set the TTL field for this case. + type: string + ttl: + description: |- + TTL of the generated cookie if the cookie is not present. This value sets the + Max-Age attribute value. + type: string + required: + - name + type: object + header: + description: Header configures the header hash + policy when the consistent hash type is set + to Header. + properties: + name: + description: Name of the header to hash. + type: string + required: + - name + type: object + tableSize: + default: 65537 + description: The table size for consistent hashing, + must be prime number limited to 5000011. + format: int64 + maximum: 5000011 + minimum: 2 + type: integer + type: + description: |- + ConsistentHashType defines the type of input to hash on. Valid Type values are + "SourceIP", + "Header", + "Cookie". + enum: + - SourceIP + - Header + - Cookie + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If consistent hash type is header, the + header field must be set. + rule: 'self.type == ''Header'' ? has(self.header) + : !has(self.header)' + - message: If consistent hash type is cookie, the + cookie field must be set. + rule: 'self.type == ''Cookie'' ? has(self.cookie) + : !has(self.cookie)' + slowStart: + description: |- + SlowStart defines the configuration related to the slow start load balancer policy. + If set, during slow start window, traffic sent to the newly added hosts will gradually increase. + Currently this is only supported for RoundRobin and LeastRequest load balancers + properties: + window: + description: |- + Window defines the duration of the warm up period for newly added host. 
+ During slow start window, traffic sent to the newly added hosts will gradually increase. + Currently only supports linear growth of traffic. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig + type: string + required: + - window + type: object + type: + description: |- + Type decides the type of Load Balancer policy. + Valid LoadBalancerType values are + "ConsistentHash", + "LeastRequest", + "Random", + "RoundRobin". + enum: + - ConsistentHash + - LeastRequest + - Random + - RoundRobin + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: If LoadBalancer type is consistentHash, consistentHash + field needs to be set. + rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash) + : !has(self.consistentHash)' + - message: Currently SlowStart is only supported for RoundRobin + and LeastRequest load balancers. + rule: 'self.type in [''Random'', ''ConsistentHash''] + ? !has(self.slowStart) : true ' + proxyProtocol: + description: ProxyProtocol enables the Proxy Protocol + when communicating with the backend. + properties: + version: + description: |- + Version of ProxyProtol + Valid ProxyProtocolVersion values are + "V1" + "V2" + enum: + - V1 + - V2 + type: string + required: + - version + type: object + retry: + description: |- + Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. + If not set, retry will be disabled. + properties: + numRetries: + default: 2 + description: NumRetries is the number of retries to + be attempted. Defaults to 2. + format: int32 + minimum: 0 + type: integer + perRetry: + description: PerRetry is the retry policy to be applied + per retry attempt. + properties: + backOff: + description: |- + Backoff is the backoff policy to be applied per retry attempt. 
gateway uses a fully jittered exponential + back-off algorithm for retries. For additional details, + see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries + properties: + baseInterval: + description: BaseInterval is the base interval + between retries. + format: duration + type: string + maxInterval: + description: |- + MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. + The default is 10 times the base_interval + format: duration + type: string + type: object + timeout: + description: Timeout is the timeout per retry + attempt. + format: duration + type: string + type: object + retryOn: + description: |- + RetryOn specifies the retry trigger condition. + + If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). + properties: + httpStatusCodes: + description: |- + HttpStatusCodes specifies the http status codes to be retried. + The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. + items: + description: HTTPStatus defines the http status + code. + exclusiveMaximum: true + maximum: 600 + minimum: 100 + type: integer + type: array + triggers: + description: Triggers specifies the retry trigger + condition(Http/Grpc). + items: + description: TriggerEnum specifies the conditions + that trigger retries. + enum: + - 5xx + - gateway-error + - reset + - connect-failure + - retriable-4xx + - refused-stream + - retriable-status-codes + - cancelled + - deadline-exceeded + - internal + - resource-exhausted + - unavailable + type: string + type: array + type: object + type: object + tcpKeepalive: + description: |- + TcpKeepalive settings associated with the upstream client connection. + Disabled by default. 
+ properties: + idleTime: + description: |- + The duration a connection needs to be idle before keep-alive + probes start being sent. + The duration format is + Defaults to `7200s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + interval: + description: |- + The duration between keep-alive probes. + Defaults to `75s`. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + probes: + description: |- + The total number of unacknowledged probes to send before deciding + the connection is dead. + Defaults to 9. + format: int32 + type: integer + type: object + timeout: + description: Timeout settings for the backend connections. + properties: + http: + description: Timeout settings for HTTP. + properties: + connectionIdleTimeout: + description: |- + The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. + Default: 1 hour. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + maxConnectionDuration: + description: |- + The maximum duration of an HTTP connection. + Default: unlimited. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + tcp: + description: Timeout settings for TCP. + properties: + connectTimeout: + description: |- + The timeout for network connection establishment, including TCP and TLS handshakes. + Default: 10 seconds. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + type: object + type: object + issuer: + description: |- + The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). + Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST + be https, a host component, and optionally, port and path components and + no query or fragment components. + minLength: 1 + type: string + tokenEndpoint: + description: |- + The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint). 
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). + type: string + required: + - issuer + type: object + x-kubernetes-validations: + - message: BackendRefs must be used, backendRef is not supported. + rule: '!has(self.backendRef)' + - message: Only one backendRefs is allowed. + rule: 'has(self.backendRefs)? self.backendRefs.size() > 1 : + true' redirectURL: description: |- The redirect URL to be used in the OIDC diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index bd74b7b640c..4dc8b30f31b 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -290,6 +290,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -353,6 +354,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -466,6 +468,7 @@ _Appears in:_ | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
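Review bot: The last `x-kubernetes-validations` rule added on the OIDC provider object is inverted relative to its message: `has(self.backendRefs)? self.backendRefs.size() > 1 : true` rejects a provider with exactly one `backendRefs` entry and admits two to sixteen (the `maxItems` bound), while the message reads "Only one backendRefs is allowed." Together with the sibling rule `!has(self.backendRef)`, the only backend configuration that passes admission is the multi-backend one the message says is unsupported, so the token and discovery traffic of an OIDC provider could be spread over backends the controller was not meant to handle. The rule should be `rule: 'has(self.backendRefs) ? self.backendRefs.size() == 1 : true'`. This schema looks generated, so the fix presumably belongs in the validation marker on the Go type, which is not visible in this hunk, followed by regenerating the CRD. A CEL validation test with zero, one and two `backendRefs` entries would pin the intended behaviour.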
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -476,7 +479,6 @@ _Appears in:_ | `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | | `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | @@ -717,6 +719,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -724,6 +727,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -2567,6 +2571,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | | `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | | `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | @@ -3310,20 +3317,6 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| -#### Retry - - - -Retry defines the retry strategy to be applied. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | -| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | -| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index bd74b7b640c..4dc8b30f31b 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -290,6 +290,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -353,6 +354,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -466,6 +468,7 @@ _Appears in:_ | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -476,7 +479,6 @@ _Appears in:_ | `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | | `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | @@ -717,6 +719,7 @@ _Appears in:_ - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -724,6 +727,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | @@ -2567,6 +2571,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | | `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | | `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | @@ -3310,20 +3317,6 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| -#### Retry - - - -Retry defines the retry strategy to be applied. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | -| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | -| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn From 1b2be3c5dc2c092d44a4015fa70d39f819217b76 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 11 Sep 2024 10:09:04 +0800 Subject: [PATCH 135/523] fix: allow empty slowStart when using LeastRequest (#4204) * fix: allow empty slowStart when using LeastRequest Signed-off-by: zirain * update logic Signed-off-by: zirain * update Signed-off-by: zirain --------- Signed-off-by: zirain --- internal/gatewayapi/clustersettings.go | 28 +++++++++----------------- internal/xds/translator/cluster.go | 14 ++++++------- 2 files changed, 16 insertions(+), 26 deletions(-) diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 4b295ea5bfa..cf8221d277d 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -299,14 +299,12 @@ func buildLoadBalancer(policy egv1a1.ClusterSettings) (*ir.LoadBalancer, error) ConsistentHash: consistentHash, } case egv1a1.LeastRequestLoadBalancerType: - lb = &ir.LoadBalancer{} - if policy.LoadBalancer.SlowStart != nil { - if policy.LoadBalancer.SlowStart.Window != nil { - lb.LeastRequest = &ir.LeastRequest{ - SlowStart: &ir.SlowStart{ - Window: policy.LoadBalancer.SlowStart.Window, - }, - } + lb = &ir.LoadBalancer{ + LeastRequest: &ir.LeastRequest{}, + } + if policy.LoadBalancer.SlowStart != nil && policy.LoadBalancer.SlowStart.Window != nil { + lb.LeastRequest.SlowStart = &ir.SlowStart{ + Window: policy.LoadBalancer.SlowStart.Window, } } case egv1a1.RandomLoadBalancerType: 
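Review bot: With `LeastRequest: &ir.LeastRequest{}` now always set in the `LeastRequestLoadBalancerType` case, this function can return a non-nil `lb.LeastRequest` whose `SlowStart` is nil, which the removed lines never produced. The `cluster.go` hunk in this commit only touches the RoundRobin branch of `buildXdsCluster`; the LeastRequest branch is not shown, so confirm it checks `LeastRequest.SlowStart != nil` before reading `.Window`. The RoundRobin case in the next hunk has the same shape (it drops the default `SlowStart: &ir.SlowStart{}`). Both cases now repeat the same two-part nil check on `policy.LoadBalancer.SlowStart`, which could move into one small helper. `buildLoadBalancer` starts and ends outside these hunks.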
@@ -315,17 +313,11 @@ func buildLoadBalancer(policy egv1a1.ClusterSettings) (*ir.LoadBalancer, error)
 }
 case egv1a1.RoundRobinLoadBalancerType:
 lb = &ir.LoadBalancer{
- RoundRobin: &ir.RoundRobin{
- SlowStart: &ir.SlowStart{},
- },
+ RoundRobin: &ir.RoundRobin{},
 }
- if policy.LoadBalancer.SlowStart != nil {
- if policy.LoadBalancer.SlowStart.Window != nil {
- lb.RoundRobin = &ir.RoundRobin{
- SlowStart: &ir.SlowStart{
- Window: policy.LoadBalancer.SlowStart.Window,
- },
- }
+ if policy.LoadBalancer.SlowStart != nil && policy.LoadBalancer.SlowStart.Window != nil {
+ lb.RoundRobin.SlowStart = &ir.SlowStart{
+ Window: policy.LoadBalancer.SlowStart.Window,
 }
 }
 }
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go
index 4ac9979f363..75bfc532b61 100644
--- a/internal/xds/translator/cluster.go
+++ b/internal/xds/translator/cluster.go
@@ -183,15 +183,13 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
 }
 } else if args.loadBalancer.RoundRobin != nil {
 cluster.LbPolicy = clusterv3.Cluster_ROUND_ROBIN
- if args.loadBalancer.RoundRobin.SlowStart != nil {
- if args.loadBalancer.RoundRobin.SlowStart.Window != nil {
- cluster.LbConfig = &clusterv3.Cluster_RoundRobinLbConfig_{
- RoundRobinLbConfig: &clusterv3.Cluster_RoundRobinLbConfig{
- SlowStartConfig: &clusterv3.Cluster_SlowStartConfig{
- SlowStartWindow: durationpb.New(args.loadBalancer.RoundRobin.SlowStart.Window.Duration),
- },
+ if args.loadBalancer.RoundRobin.SlowStart != nil && args.loadBalancer.RoundRobin.SlowStart.Window != nil {
+ cluster.LbConfig = &clusterv3.Cluster_RoundRobinLbConfig_{
+ RoundRobinLbConfig: &clusterv3.Cluster_RoundRobinLbConfig{
+ SlowStartConfig: &clusterv3.Cluster_SlowStartConfig{
+ SlowStartWindow: durationpb.New(args.loadBalancer.RoundRobin.SlowStart.Window.Duration),
 },
- }
+ },
 }
 }
 } else if args.loadBalancer.Random != nil {
From c109131615b0e33385edbe3d861cb124de88aa8d Mon Sep 17 00:00:00 2001
From: zirain Date: Wed, 11 Sep 2024 10:09:35 +0800 Subject: [PATCH 136/523] bump ENVTEST_K8S_VERSION (#4201) * bump ENVTEST_K8S_VERSION Signed-off-by: zirain * update Signed-off-by: zirain * add mroe comment Signed-off-by: zirain * bump minor versions Signed-off-by: zirain --------- Signed-off-by: zirain --- tools/make/kube.mk | 6 ++- tools/src/setup-envtest/go.mod | 9 ++-- tools/src/setup-envtest/go.sum | 97 ++++++++++++---------------------- 3 files changed, 42 insertions(+), 70 deletions(-) diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 38a3d5b977c..dd5cd74c6d6 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -1,7 +1,9 @@ # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION ?= 1.28.0 +# To know the available versions check: +# - https://github.com/kubernetes-sigs/controller-tools/blob/main/envtest-releases.yaml +ENVTEST_K8S_VERSION ?= 1.28.3 # Need run cel validation across multiple versions of k8s -ENVTEST_K8S_VERSIONS ?= 1.27.1 1.28.0 1.29.0 +ENVTEST_K8S_VERSIONS ?= 1.28.3 1.29.5 1.30.3 1.31.0 # GATEWAY_API_VERSION refers to the version of Gateway API CRDs. # For more details, see https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api GATEWAY_API_VERSION ?= $(shell go list -m -f '{{.Version}}' sigs.k8s.io/gateway-api) diff --git a/tools/src/setup-envtest/go.mod b/tools/src/setup-envtest/go.mod index 53668dc72b2..0c710903b2e 100644 --- a/tools/src/setup-envtest/go.mod +++ b/tools/src/setup-envtest/go.mod 
@@ -2,14 +2,15 @@ module local go 1.22.7 -require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240423173400-ed81fa696dea +require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240813183042-b901db121e1f require ( - github.com/go-logr/logr v1.2.4 // indirect - github.com/go-logr/zapr v1.2.4 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect github.com/spf13/afero v1.6.0 // indirect github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.10.0 // indirect go.uber.org/zap v1.26.0 // indirect - golang.org/x/text v0.12.0 // indirect + golang.org/x/text v0.16.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/tools/src/setup-envtest/go.sum b/tools/src/setup-envtest/go.sum index 42182a05c06..e0e71ae4eb4 100644 --- a/tools/src/setup-envtest/go.sum +++ b/tools/src/setup-envtest/go.sum 
@@ -1,29 +1,23 @@ -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/onsi/ginkgo/v2 v2.12.1 h1:uHNEO1RP2SpuZApSkel9nEh1/Mu+hmQe7Q+Pepg5OYA= -github.com/onsi/ginkgo/v2 v2.12.1/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= -github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -32,66 +26,41 @@ github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= go.uber.org/zap v1.26.0 
h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= -golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.28.0 
h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240423173400-ed81fa696dea h1:DHNmuXblCDcQ9DoxnUWcqsSeFneWU2SxvGUnOOqUcZE= -sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240423173400-ed81fa696dea/go.mod h1:B2xTzIWVko5xZLWDkXFS7Zo9hxX+ecdMzZ8oiTPJoRI= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240813183042-b901db121e1f h1:RIqUbZQO5yizUt9nozxQdzyLRD1sG6s2oi/QZrlg/hs= +sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240813183042-b901db121e1f/go.mod h1:IaDsO8xSPRxRG1/rm9CP7+jPmj0nMNAuNi/yiHnLX8k= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml 
v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From f5693f6bc1bba4d770e0fea9d9e2b64617f2140b Mon Sep 17 00:00:00 2001 From: sh2 Date: Wed, 11 Sep 2024 10:22:35 +0800 Subject: [PATCH 137/523] feat: add file resource provider for EG standalone mode (#3159) * add validations for envoy-gateway file resource type Signed-off-by: shawnh2 * improve eg validation and add resource provider interface for various provider Signed-off-by: shawnh2 * extract common gatewayapi layer translate logic in egctl translate Signed-off-by: shawnh2 * add notifier support Signed-off-by: shawnh2 * fix lint and move read yaml bytes function back to translate Signed-off-by: shawnh2 * add resources store support Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 * fix ci Signed-off-by: shawnh2 * update infra provider api and address comments Signed-off-by: shawnh2 * update custom provider comments and validate method test Signed-off-by: shawnh2 * restore extension manager and add health probe server for file provider Signed-off-by: shawnh2 * update envoy gateway helper functions Signed-off-by: shawnh2 * add some unit tests Signed-off-by: shawnh2 * properly handle the remove event for the file provider Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 * no default to k8s for infra provider Signed-off-by: shawnh2 * fix runner Signed-off-by: shawnh2 --------- 
Signed-off-by: shawnh2 Co-authored-by: Xunzhuo --- api/v1alpha1/envoygateway_helpers.go | 1 + api/v1alpha1/envoygateway_types.go | 12 +- api/v1alpha1/shared_types.go | 7 +- .../validation/envoygateway_validate.go | 52 +++ .../validation/envoygateway_validate_test.go | 168 ++++++++- .../validation/envoyproxy_validate_test.go | 2 +- api/v1alpha1/zz_generated.deepcopy.go | 6 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 1 + go.mod | 2 +- internal/cmd/server.go | 35 +- internal/infrastructure/manager.go | 16 +- internal/infrastructure/runner/runner.go | 9 +- internal/provider/file/file.go | 131 +++++++ internal/provider/file/notifier.go | 316 +++++++++++++++++ internal/provider/file/path.go | 47 +++ internal/provider/file/path_test.go | 54 +++ internal/provider/file/resources.go | 335 ++++++++++++++++++ internal/provider/file/store.go | 78 ++++ internal/provider/file/testdata/paths/dir/bar | 1 + internal/provider/file/testdata/paths/foo | 1 + internal/provider/kubernetes/kubernetes.go | 5 + internal/provider/resource_provider.go | 20 ++ internal/provider/runner/runner.go | 69 +++- internal/provider/runner/runner_test.go | 67 ---- site/content/en/latest/api/extension_types.md | 10 +- site/content/zh/latest/api/extension_types.md | 10 +- 26 files changed, 1330 insertions(+), 125 deletions(-) create mode 100644 internal/provider/file/file.go create mode 100644 internal/provider/file/notifier.go create mode 100644 internal/provider/file/path.go create mode 100644 internal/provider/file/path_test.go create mode 100644 internal/provider/file/resources.go create mode 100644 internal/provider/file/store.go create mode 100644 internal/provider/file/testdata/paths/dir/bar create mode 100644 internal/provider/file/testdata/paths/foo create mode 100644 internal/provider/resource_provider.go delete mode 100644 internal/provider/runner/runner_test.go diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index 0b1faf7e66a..fed2f6fa075 100644 
--- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -237,6 +237,7 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern if r.Kubernetes.ShutdownManager == nil { r.Kubernetes.ShutdownManager = &ShutdownManager{Image: ptr.To(DefaultShutdownManagerImage)} } + return r.Kubernetes } diff --git a/api/v1alpha1/envoygateway_types.go b/api/v1alpha1/envoygateway_types.go index 6e84d07ba7e..6cf8e334182 100644 --- a/api/v1alpha1/envoygateway_types.go +++ b/api/v1alpha1/envoygateway_types.go @@ -174,7 +174,7 @@ type ExtensionAPISettings struct { // EnvoyGatewayProvider defines the desired configuration of a provider. // +union type EnvoyGatewayProvider struct { - // Type is the type of provider to use. Supported types are "Kubernetes". + // Type is the type of provider to use. Supported types are "Kubernetes", "Custom". // // +unionDiscriminator Type ProviderType `json:"type"` @@ -186,7 +186,7 @@ type EnvoyGatewayProvider struct { Kubernetes *EnvoyGatewayKubernetesProvider `json:"kubernetes,omitempty"` // Custom defines the configuration for the Custom provider. This provider - // allows you to define a specific resource provider and a infrastructure + // allows you to define a specific resource provider and an infrastructure // provider. // // +optional @@ -271,7 +271,11 @@ type EnvoyGatewayCustomProvider struct { // This provider is used to specify the provider to be used // to provide an environment to deploy the out resources like // the Envoy Proxy data plane. - Infrastructure EnvoyGatewayInfrastructureProvider `json:"infrastructure"` + // + // Infrastructure is optional, if provider is not specified, + // No infrastructure provider is available. + // +optional + Infrastructure *EnvoyGatewayInfrastructureProvider `json:"infrastructure,omitempty"` } // ResourceProviderType defines the types of custom resource providers supported by Envoy Gateway. 
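Review bot: The doc comment added above `Infrastructure` in the `@@ -271,7 +271,11 @@` hunk is hard to parse ("if provider is not specified, No infrastructure provider is available") and does not say what a nil value means now that the field is a pointer. A clearer wording would be `// Infrastructure is optional. When nil, no infrastructure provider is configured.` followed by the existing `// +optional` marker. Because the type changed from a value to `*EnvoyGatewayInfrastructureProvider`, any code that reads this field must check for nil before dereferencing it. Those readers are outside this hunk, as is the rest of the enclosing struct.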
@@ -300,7 +304,7 @@ type EnvoyGatewayResourceProvider struct { // EnvoyGatewayFileResourceProvider defines configuration for the File Resource provider. type EnvoyGatewayFileResourceProvider struct { // Paths are the paths to a directory or file containing the resource configuration. - // Recursive sub directories are not currently supported. + // Recursive subdirectories are not currently supported. Paths []string `json:"paths"` } diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index c74504a6138..56440f096ca 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -47,16 +47,15 @@ type GroupVersionKind struct { // ProviderType defines the types of providers supported by Envoy Gateway. // -// +kubebuilder:validation:Enum=Kubernetes +// +kubebuilder:validation:Enum=Kubernetes;Custom type ProviderType string const ( // ProviderTypeKubernetes defines the "Kubernetes" provider. ProviderTypeKubernetes ProviderType = "Kubernetes" - // ProviderTypeFile defines the "File" provider. This type is not implemented - // until https://github.com/envoyproxy/gateway/issues/1001 is fixed. - ProviderTypeFile ProviderType = "File" + // ProviderTypeCustom defines the "Custom" provider. + ProviderTypeCustom ProviderType = "Custom" ) // KubernetesDeploymentSpec defines the desired state of the Kubernetes deployment resource. diff --git a/api/v1alpha1/validation/envoygateway_validate.go b/api/v1alpha1/validation/envoygateway_validate.go index 8d7c97dc94a..d27e2e1e416 100644 --- a/api/v1alpha1/validation/envoygateway_validate.go +++ b/api/v1alpha1/validation/envoygateway_validate.go 
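Review bot: Adding `Custom` to the `+kubebuilder:validation:Enum` marker on the shared `ProviderType` widens every API that uses the type, not only EnvoyGateway. The generated `gateway.envoyproxy.io_envoyproxies.yaml` change later in this patch now admits `Custom` for the EnvoyProxy provider, while its description still says the supported types are "Kubernetes". If EnvoyProxy is not meant to accept it, the enum belongs on the EnvoyGateway field or on a separate type, so that schema admission and the validation exercised by `TestValidateEnvoyProxy` agree. Removing the exported `ProviderTypeFile` constant is also a source-breaking change for any out-of-tree code that referenced it, which is worth calling out in the release notes.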
@@ -35,6 +35,10 @@ func ValidateEnvoyGateway(eg *egv1a1.EnvoyGateway) error { if err := validateEnvoyGatewayKubernetesProvider(eg.Provider.Kubernetes); err != nil { return err } + case egv1a1.ProviderTypeCustom: + if err := validateEnvoyGatewayCustomProvider(eg.Provider.Custom); err != nil { + return err + } default: return fmt.Errorf("unsupported provider type") } 
@@ -79,6 +83,54 @@ func validateEnvoyGatewayKubernetesProvider(provider *egv1a1.EnvoyGatewayKuberne return nil } +func validateEnvoyGatewayCustomProvider(provider *egv1a1.EnvoyGatewayCustomProvider) error { + if provider == nil { + return fmt.Errorf("empty custom provider settings") + } + + if err := validateEnvoyGatewayCustomResourceProvider(provider.Resource); err != nil { + return err + } + + if err := validateEnvoyGatewayCustomInfrastructureProvider(provider.Infrastructure); err != nil { + return err + } + + return nil +} + +func validateEnvoyGatewayCustomResourceProvider(resource egv1a1.EnvoyGatewayResourceProvider) error { + switch resource.Type { + case egv1a1.ResourceProviderTypeFile: + if resource.File == nil { + return fmt.Errorf("field 'file' should be specified when resource type is 'File'") + } + + if len(resource.File.Paths) == 0 { + return fmt.Errorf("no paths were assigned for file resource provider to watch") + } + default: + return fmt.Errorf("unsupported resource provider: %s", resource.Type) + } + return nil +} + +func validateEnvoyGatewayCustomInfrastructureProvider(infra *egv1a1.EnvoyGatewayInfrastructureProvider) error { + if infra == nil { + return nil + } + + switch infra.Type { + case egv1a1.InfrastructureProviderTypeHost: + if infra.Host == nil { + return fmt.Errorf("field 'host' should be specified when infrastructure type is 'Host'") + } + default: + return fmt.Errorf("unsupported infrastructure provdier: %s", infra.Type) + } + return nil +} + func validateEnvoyGatewayLogging(logging *egv1a1.EnvoyGatewayLogging) error { if logging == nil || len(logging.Level) == 0 { return nil diff --git a/api/v1alpha1/validation/envoygateway_validate_test.go b/api/v1alpha1/validation/envoygateway_validate_test.go index 7bc6bbf3b23..a0cbc7b059e 100644 --- a/api/v1alpha1/validation/envoygateway_validate_test.go +++ b/api/v1alpha1/validation/envoygateway_validate_test.go 
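Review bot: `validateEnvoyGatewayCustomResourceProvider` only checks `len(resource.File.Paths) == 0`, so a list that contains an empty string passes validation and reaches the file watcher as a path. Rejecting blank entries in a loop over `Paths`, e.g. `if p == "" { return fmt.Errorf("empty path in file resource provider") }`, keeps that failure at config-load time. The error string in `validateEnvoyGatewayCustomInfrastructureProvider` is misspelled and should read `"unsupported infrastructure provider: %s"`. The three new functions also have no doc comments; a one-line `// validateEnvoyGatewayCustomProvider checks ...` on each would state that a nil infrastructure provider is accepted on purpose.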
@@ -68,11 +68,173 @@ func TestValidateEnvoyGateway(t *testing.T) { expect: false, }, { - name: "unsupported provider", + name: "nil custom provider", eg: &egv1a1.EnvoyGateway{ EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ - Gateway: egv1a1.DefaultGateway(), - Provider: &egv1a1.EnvoyGatewayProvider{Type: egv1a1.ProviderTypeFile}, + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: nil, + }, + }, + }, + expect: false, + }, + { + name: "empty custom provider", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{}, + }, + }, + }, + expect: false, + }, + { + name: "custom provider with file resource provider and host infra provider", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: &egv1a1.EnvoyGatewayFileResourceProvider{ + Paths: []string{"foo", "bar"}, + }, + }, + Infrastructure: &egv1a1.EnvoyGatewayInfrastructureProvider{ + Type: egv1a1.InfrastructureProviderTypeHost, + Host: &egv1a1.EnvoyGatewayHostInfrastructureProvider{}, + }, + }, + }, + }, + }, + expect: true, + }, + { + name: "custom provider with file provider and k8s infra provider", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: &egv1a1.EnvoyGatewayFileResourceProvider{ + Paths: []string{"foo", "bar"}, + }, + }, 
+ }, + }, + }, + }, + expect: true, + }, + { + name: "custom provider with unsupported resource provider", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: "foobar", + }, + }, + }, + }, + }, + expect: false, + }, + { + name: "custom provider with file provider but no file struct", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + }, + }, + }, + }, + }, + expect: false, + }, + { + name: "custom provider with file provider and host infra provider but no host struct", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: &egv1a1.EnvoyGatewayFileResourceProvider{ + Paths: []string{"a", "b"}, + }, + }, + Infrastructure: &egv1a1.EnvoyGatewayInfrastructureProvider{ + Type: egv1a1.InfrastructureProviderTypeHost, + }, + }, + }, + }, + }, + expect: false, + }, + { + name: "custom provider with file provider and unsupported infra provider", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: 
&egv1a1.EnvoyGatewayFileResourceProvider{ + Paths: []string{"a", "b"}, + }, + }, + Infrastructure: &egv1a1.EnvoyGatewayInfrastructureProvider{ + Type: "foobar", + }, + }, + }, + }, + }, + expect: false, + }, + { + name: "custom provider with file provider and host infra provider but no paths assign in resource", + eg: &egv1a1.EnvoyGateway{ + EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ + Gateway: egv1a1.DefaultGateway(), + Provider: &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: &egv1a1.EnvoyGatewayFileResourceProvider{}, + }, + Infrastructure: &egv1a1.EnvoyGatewayInfrastructureProvider{ + Type: egv1a1.InfrastructureProviderTypeHost, + Host: &egv1a1.EnvoyGatewayHostInfrastructureProvider{}, + }, + }, + }, }, }, expect: false, diff --git a/api/v1alpha1/validation/envoyproxy_validate_test.go b/api/v1alpha1/validation/envoyproxy_validate_test.go index bd7e4bc18e0..e4b400b34dd 100644 --- a/api/v1alpha1/validation/envoyproxy_validate_test.go +++ b/api/v1alpha1/validation/envoyproxy_validate_test.go @@ -52,7 +52,7 @@ func TestValidateEnvoyProxy(t *testing.T) { }, Spec: egv1a1.EnvoyProxySpec{ Provider: &egv1a1.EnvoyProxyProvider{ - Type: egv1a1.ProviderTypeFile, + Type: egv1a1.ProviderTypeCustom, }, }, }, diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 56b3332f2db..f2c88ae0c29 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
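Review bot: The case named "custom provider with file provider and k8s infra provider" sets no `Infrastructure` at all, so what it actually pins is that a nil infrastructure provider is accepted. Renaming it to something like `custom provider with file provider and no infra provider` would make that contract visible to the next reader. The table also has no case for a `Paths` slice containing an empty string, an input the validator in this patch currently lets through.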
@@ -1352,7 +1352,11 @@ func (in *EnvoyGatewayAdminAddress) DeepCopy() *EnvoyGatewayAdminAddress { func (in *EnvoyGatewayCustomProvider) DeepCopyInto(out *EnvoyGatewayCustomProvider) { *out = *in in.Resource.DeepCopyInto(&out.Resource) - in.Infrastructure.DeepCopyInto(&out.Infrastructure) + if in.Infrastructure != nil { + in, out := &in.Infrastructure, &out.Infrastructure + *out = new(EnvoyGatewayInfrastructureProvider) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyGatewayCustomProvider. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index c227b546cb0..4211599adf8 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10227,6 +10227,7 @@ spec: optional auxiliary control planes. Supported types are "Kubernetes". enum: - Kubernetes + - Custom type: string required: - type diff --git a/go.mod b/go.mod index cc1e8bb745c..45f69e52768 100644 --- a/go.mod +++ b/go.mod @@ -214,7 +214,7 @@ require ( github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch v5.9.0+incompatible github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect diff --git a/internal/cmd/server.go b/internal/cmd/server.go index e4bf36a5ae5..25add4c8541 100644 --- a/internal/cmd/server.go +++ b/internal/cmd/server.go 
@@ -9,9 +9,11 @@ import ( "github.com/spf13/cobra" ctrl "sigs.k8s.io/controller-runtime" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/admin" "github.com/envoyproxy/gateway/internal/envoygateway/config" extensionregistry "github.com/envoyproxy/gateway/internal/extension/registry" + "github.com/envoyproxy/gateway/internal/extension/types" gatewayapirunner "github.com/envoyproxy/gateway/internal/gatewayapi/runner" ratelimitrunner "github.com/envoyproxy/gateway/internal/globalratelimit/runner" infrarunner "github.com/envoyproxy/gateway/internal/infrastructure/runner" @@ -108,28 +110,31 @@ func getConfigByPath(cfgPath string) (*config.Server, error) { // setupRunners starts all the runners required for the Envoy Gateway to // fulfill its tasks. -func setupRunners(cfg *config.Server) error { +func setupRunners(cfg *config.Server) (err error) { // TODO - Setup a Config Manager // https://github.com/envoyproxy/gateway/issues/43 ctx := ctrl.SetupSignalHandler() // Setup the Extension Manager - extMgr, err := extensionregistry.NewManager(cfg) - if err != nil { - return err + var extMgr types.Manager + if cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes { + extMgr, err = extensionregistry.NewManager(cfg) + if err != nil { + return err + } } pResources := new(message.ProviderResources) // Start the Provider Service // It fetches the resources from the configured provider type - // and publishes it + // and publishes it. // It also subscribes to status resources and once it receives // a status resource back, it writes it out. providerRunner := providerrunner.New(&providerrunner.Config{ Server: *cfg, ProviderResources: pResources, }) - if err := providerRunner.Start(ctx); err != nil { + if err = providerRunner.Start(ctx); err != nil { return err } 
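Review bot: With this guard `extMgr` stays nil for every non-Kubernetes provider, and that nil interface is still passed as `ExtensionManager` to the gateway-API and xDS translator runners further down in `setupRunners`. Nothing tells the operator that an extension manager configured in the EnvoyGateway config is being skipped, so hooks they rely on would silently not run under the Custom provider. An `else` branch with `cfg.Logger.Info("extension manager is skipped for this provider type", "type", cfg.EnvoyGateway.Provider.Type)` would make that explicit. Whether the downstream runners tolerate a nil manager cannot be seen from this hunk and should be confirmed; the body of `setupRunners` continues outside it.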
@@ -145,7 +150,7 @@ func setupRunners(cfg *config.Server) error { InfraIR: infraIR, ExtensionManager: extMgr, }) - if err := gwRunner.Start(ctx); err != nil { + if err = gwRunner.Start(ctx); err != nil { return err } @@ -160,7 +165,7 @@ func setupRunners(cfg *config.Server) error { ExtensionManager: extMgr, ProviderResources: pResources, }) - if err := xdsTranslatorRunner.Start(ctx); err != nil { + if err = xdsTranslatorRunner.Start(ctx); err != nil { return err } @@ -171,7 +176,7 @@ func setupRunners(cfg *config.Server) error { Server: *cfg, InfraIR: infraIR, }) - if err := infraRunner.Start(ctx); err != nil { + if err = infraRunner.Start(ctx); err != nil { return err } @@ -182,7 +187,7 @@ func setupRunners(cfg *config.Server) error { Server: *cfg, Xds: xds, }) - if err := xdsServerRunner.Start(ctx); err != nil { + if err = xdsServerRunner.Start(ctx); err != nil { return err } @@ -194,7 +199,7 @@ func setupRunners(cfg *config.Server) error { Server: *cfg, XdsIR: xdsIR, }) - if err := rateLimitRunner.Start(ctx); err != nil { + if err = rateLimitRunner.Start(ctx); err != nil { return err } } @@ -209,9 +214,11 @@ func setupRunners(cfg *config.Server) error { cfg.Logger.Info("shutting down") - // Close connections to extension services - if mgr, ok := extMgr.(*extensionregistry.Manager); ok { - mgr.CleanupHookConns() + if extMgr != nil { + // Close connections to extension services + if mgr, ok := extMgr.(*extensionregistry.Manager); ok { + mgr.CleanupHookConns() + } } return nil diff --git a/internal/infrastructure/manager.go b/internal/infrastructure/manager.go index 34fc1b24b12..198acef8708 100644 --- a/internal/infrastructure/manager.go +++ b/internal/infrastructure/manager.go 
@@ -36,15 +36,23 @@ type Manager interface { // NewManager returns a new infrastructure Manager. func NewManager(cfg *config.Server) (Manager, error) { var mgr Manager - if cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes { + + switch cfg.EnvoyGateway.Provider.Type { + case egv1a1.ProviderTypeKubernetes: cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()}) if err != nil { return nil, err } mgr = kubernetes.NewInfra(cli, cfg) - } else { - // Kube is the only supported provider type for now. - return nil, fmt.Errorf("unsupported provider type %v", cfg.EnvoyGateway.Provider.Type) + case egv1a1.ProviderTypeCustom: + infra := cfg.EnvoyGateway.Provider.Custom.Infrastructure + switch infra.Type { + case egv1a1.InfrastructureProviderTypeHost: + // TODO(sh2): implement host provider + return nil, fmt.Errorf("host provider is not available yet") + default: + return nil, fmt.Errorf("unsupported provider type: %s", infra.Type) + } } return mgr, nil diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go index 7574c493090..6c261aff3f3 100644 --- a/internal/infrastructure/runner/runner.go +++ b/internal/infrastructure/runner/runner.go @@ -38,6 +38,12 @@ func New(cfg *Config) *Runner { // Start starts the infrastructure runner func (r *Runner) Start(ctx context.Context) (err error) { r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) + if r.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeCustom && + r.EnvoyGateway.Provider.Custom.Infrastructure == nil { + r.Logger.Info("provider is not specified, no provider is available") + return nil + } + r.mgr, err = infrastructure.NewManager(&r.Config.Server) if err != nil { r.Logger.Error(err, "failed to create new manager") 
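Review bot: The rewritten `switch` in `NewManager` dropped the old `else` branch, so a provider type that is neither `Kubernetes` nor `Custom` now falls through and returns `nil, nil` instead of an error. Restore it with `default: return nil, fmt.Errorf("unsupported provider type %v", cfg.EnvoyGateway.Provider.Type)`. In the `Custom` case `infra.Type` is read although `Infrastructure` became an optional pointer in this patch; the only nil check is in the infrastructure runner's `Start`, so any other caller would panic. A guard such as `if infra == nil { return nil, fmt.Errorf("no infrastructure provider configured") }` keeps the function safe on its own.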
@@ -56,7 +62,8 @@ func (r *Runner) Start(ctx context.Context) (err error) { // When leader election is active, infrastructure initialization occurs only upon acquiring leadership // to avoid multiple EG instances processing envoy proxy infra resources. - if !ptr.Deref(r.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { + if r.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes && + !ptr.Deref(r.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { go func() { select { case <-ctx.Done(): diff --git a/internal/provider/file/file.go b/internal/provider/file/file.go new file mode 100644 index 00000000000..79ccd04e763 --- /dev/null +++ b/internal/provider/file/file.go 
@@ -0,0 +1,131 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "context" + "fmt" + "net/http" + "time" + + "github.com/fsnotify/fsnotify" + "github.com/go-logr/logr" + "sigs.k8s.io/controller-runtime/pkg/healthz" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/message" +) + +type Provider struct { + paths []string + logger logr.Logger + notifier *Notifier + resourcesStore *resourcesStore +} + +func New(svr *config.Server, resources *message.ProviderResources) (*Provider, error) { + logger := svr.Logger.Logger + + notifier, err := NewNotifier(logger) + if err != nil { + return nil, err + } + + return &Provider{ + paths: svr.EnvoyGateway.Provider.Custom.Resource.File.Paths, + logger: logger, + notifier: notifier, + resourcesStore: newResourcesStore(svr.EnvoyGateway.Gateway.ControllerName, resources, logger), + }, nil +} + +func (p *Provider) Type() egv1a1.ProviderType { + return egv1a1.ProviderTypeCustom +} + +func (p *Provider) Start(ctx context.Context) error { + dirs, files, err := getDirsAndFilesForWatcher(p.paths) + if err != nil { + return fmt.Errorf("failed to get directories and files for the watcher: %w", err) + } + + // Start runnable servers. + go p.startHealthProbeServer(ctx) + + // Initially load resources from paths on host. + if err = p.resourcesStore.LoadAndStore(files.UnsortedList(), dirs.UnsortedList()); err != nil { + return fmt.Errorf("failed to load resources into store: %w", err) + } + + // Start watchers in notifier. 
+ p.notifier.Watch(ctx, dirs, files) + defer p.notifier.Close() + + for { + select { + case <-ctx.Done(): + return nil + case event := <-p.notifier.Events: + switch event.Op { + case fsnotify.Create: + dirs.Insert(event.Name) + files.Insert(event.Name) + case fsnotify.Remove: + dirs.Delete(event.Name) + files.Delete(event.Name) + } + + p.resourcesStore.HandleEvent(event, files.UnsortedList(), dirs.UnsortedList()) + } + } +} + +func (p *Provider) startHealthProbeServer(ctx context.Context) { + const ( + readyzEndpoint = "/readyz" + healthzEndpoint = "/healthz" + ) + + mux := http.NewServeMux() + srv := &http.Server{ + Addr: ":8081", + Handler: mux, + MaxHeaderBytes: 1 << 20, + IdleTimeout: 90 * time.Second, // matches http.DefaultTransport keep-alive timeout + ReadHeaderTimeout: 32 * time.Second, + } + + readyzHandler := &healthz.Handler{ + Checks: map[string]healthz.Checker{ + readyzEndpoint: healthz.Ping, + }, + } + mux.Handle(readyzEndpoint, http.StripPrefix(readyzEndpoint, readyzHandler)) + // Append '/' suffix to handle subpaths. + mux.Handle(readyzEndpoint+"/", http.StripPrefix(readyzEndpoint, readyzHandler)) + + healthzHandler := &healthz.Handler{ + Checks: map[string]healthz.Checker{ + healthzEndpoint: healthz.Ping, + }, + } + mux.Handle(healthzEndpoint, http.StripPrefix(healthzEndpoint, healthzHandler)) + // Append '/' suffix to handle subpaths. + mux.Handle(healthzEndpoint+"/", http.StripPrefix(healthzEndpoint, readyzHandler)) + + go func() { + <-ctx.Done() + if err := srv.Close(); err != nil { + p.logger.Error(err, "failed to close health probe server") + } + }() + + p.logger.Info("starting health probe server", "address", srv.Addr) + if err := srv.ListenAndServe(); err != nil { + p.logger.Error(err, "failed to start health probe server") + } +} diff --git a/internal/provider/file/notifier.go b/internal/provider/file/notifier.go new file mode 100644 index 00000000000..fca8465e3af --- /dev/null +++ b/internal/provider/file/notifier.go 
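Review bot: `startHealthProbeServer` listens on the hard-coded `Addr: ":8081"`, which binds all interfaces; for a file provider running directly on a host this exposes the probe endpoints to the network and cannot be moved if the port is taken, so the address should come from configuration, with a loopback default where probes are local. In the same function the `/healthz/` subpath is registered with `readyzHandler`; it should be `mux.Handle(healthzEndpoint+"/", http.StripPrefix(healthzEndpoint, healthzHandler))`. `srv.ListenAndServe()` returns `http.ErrServerClosed` after the `srv.Close()` on shutdown, so the final check should be `if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {` (needs the `errors` import) to avoid logging a clean stop as a start failure. In `Start`, the `fsnotify.Create` case looks unreachable, since the notifier in this patch only emits `Write` and `Remove` events.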
@@ -0,0 +1,316 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "context" + "os" + "path/filepath" + "strings" + "time" + + "github.com/fsnotify/fsnotify" + "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/util/sets" +) + +const ( + defaultCleanUpRemoveEventsPeriod = 300 * time.Millisecond +) + +type Notifier struct { + // Events record events used to update ResourcesStore, + // which only include two types of events: Write/Remove. + Events chan fsnotify.Event + + filesWatcher *fsnotify.Watcher + dirsWatcher *fsnotify.Watcher + cleanUpRemoveEventsPeriod time.Duration + + logger logr.Logger +} + +func NewNotifier(logger logr.Logger) (*Notifier, error) { + fw, err := fsnotify.NewBufferedWatcher(10) + if err != nil { + return nil, err + } + + dw, err := fsnotify.NewBufferedWatcher(10) + if err != nil { + return nil, err + } + + return &Notifier{ + Events: make(chan fsnotify.Event), + filesWatcher: fw, + dirsWatcher: dw, + cleanUpRemoveEventsPeriod: defaultCleanUpRemoveEventsPeriod, + logger: logger, + }, nil +} + +func (n *Notifier) Watch(ctx context.Context, dirs, files sets.Set[string]) { + n.watchDirs(ctx, dirs) + n.watchFiles(ctx, files) +} + +func (n *Notifier) Close() error { + if err := n.filesWatcher.Close(); err != nil { + return err + } + if err := n.dirsWatcher.Close(); err != nil { + return err + } + return nil +} + +// watchFiles watches one or more files, but instead of watching the file directly, +// it watches its parent directory. This solves various issues where files are +// frequently renamed. 
+func (n *Notifier) watchFiles(ctx context.Context, files sets.Set[string]) { + if len(files) < 1 { + return + } + + go n.runFilesWatcher(ctx, files) + + for p := range files { + if err := n.filesWatcher.Add(filepath.Dir(p)); err != nil { + n.logger.Error(err, "error adding file to notifier", "path", p) + + continue + } + } +} + +func (n *Notifier) runFilesWatcher(ctx context.Context, files sets.Set[string]) { + var ( + cleanUpTicker = time.NewTicker(n.cleanUpRemoveEventsPeriod) + + // This map records the exact previous Op of one event. + preEventOp = make(map[string]fsnotify.Op) + // This set records the name of event that related to Remove Op. + curRemoveEvents = sets.NewString() + ) + + for { + select { + case <-ctx.Done(): + return + + case err, ok := <-n.filesWatcher.Errors: + if !ok { + return + } + n.logger.Error(err, "error from files watcher in notifier") + + case event, ok := <-n.filesWatcher.Events: + if !ok { + return + } + + // Ignore file and operation the watcher not interested in. + if !files.Has(event.Name) || event.Has(fsnotify.Chmod) { + continue + } + + // This logic is trying to avoid files be removed and then created + // frequently by considering Remove/Rename and the follow Create + // Op as one Write Notifier.Event. + // + // Actually, this approach is also suitable for commands like vi/vim. + // It creates a temporary file, removes the existing one and replace + // it with the temporary file when file is saved. So instead of Write + // Op, the watcher will receive Rename and Create Op. + + var writeEvent bool + switch event.Op { + case fsnotify.Create: + if op, ok := preEventOp[event.Name]; ok && + op.Has(fsnotify.Rename) || op.Has(fsnotify.Remove) { + writeEvent = true + // If the exact previous Op of Create is Rename/Remove, + // then consider them as a Write Notifier.Event instead of Remove. 
+ curRemoveEvents.Delete(event.Name) + } + case fsnotify.Write: + writeEvent = true + case fsnotify.Remove, fsnotify.Rename: + curRemoveEvents.Insert(event.Name) + } + + if writeEvent { + n.logger.Info("sending write event", + "name", event.Name, "watcher", "files") + + n.Events <- fsnotify.Event{ + Name: event.Name, + Op: fsnotify.Write, + } + } + preEventOp[event.Name] = event.Op + + case <-cleanUpTicker.C: + // As for collected Remove Notifier.Event, clean them up + // in a period of time to avoid neglect of dealing with + // Remove/Rename Op. + for e := range curRemoveEvents { + n.logger.Info("sending remove event", + "name", e, "watcher", "files") + + n.Events <- fsnotify.Event{ + Name: e, + Op: fsnotify.Remove, + } + } + curRemoveEvents = sets.NewString() + } + } +} + +// watchDirs watches one or more directories. +func (n *Notifier) watchDirs(ctx context.Context, dirs sets.Set[string]) { + if len(dirs) < 1 { + return + } + + // This map maintains the subdirectories ignored by each directory. + ignoredSubDirs := make(map[string]sets.Set[string]) + + for p := range dirs { + if err := n.dirsWatcher.Add(p); err != nil { + n.logger.Error(err, "error adding dir to notifier", "path", p) + + continue + } + + // Find current exist subdirectories to init ignored subdirectories set. + entries, err := os.ReadDir(p) + if err != nil { + n.logger.Error(err, "error reading dir in notifier", "path", p) + + if err = n.dirsWatcher.Remove(p); err != nil { + n.logger.Error(err, "error removing dir from notifier", "path", p) + } + + continue + } + + ignoredSubDirs[p] = sets.New[string]() + for _, entry := range entries { + if entry.IsDir() { + // The entry name is dir name, not dir path. 
+ ignoredSubDirs[p].Insert(entry.Name()) + } + } + } + + go n.runDirsWatcher(ctx, ignoredSubDirs) +} + +func (n *Notifier) runDirsWatcher(ctx context.Context, ignoredSubDirs map[string]sets.Set[string]) { + var ( + cleanUpTicker = time.NewTicker(n.cleanUpRemoveEventsPeriod) + + // This map records the exact previous Op of one event. + preEventOp = make(map[string]fsnotify.Op) + // This set records the name of event that related to Remove Op. + curRemoveEvents = sets.NewString() + ) + + for { + select { + case <-ctx.Done(): + return + + case err, ok := <-n.dirsWatcher.Errors: + if !ok { + return + } + n.logger.Error(err, "error from dirs watcher in notifier") + + case event, ok := <-n.dirsWatcher.Events: + if !ok { + return + } + + // Ignore the hidden or temporary file related event. + _, name := filepath.Split(event.Name) + if event.Has(fsnotify.Chmod) || + strings.HasPrefix(name, ".") || + strings.HasSuffix(name, "~") { + continue + } + + // Ignore any subdirectory related event. + switch event.Op { + case fsnotify.Create: + if fi, err := os.Lstat(event.Name); err == nil && fi.IsDir() { + parentDir := filepath.Dir(event.Name) + if _, ok := ignoredSubDirs[parentDir]; ok { + ignoredSubDirs[parentDir].Insert(name) + continue + } + } + case fsnotify.Remove, fsnotify.Rename: + parentDir := filepath.Dir(event.Name) + if sub, ok := ignoredSubDirs[parentDir]; ok && sub.Has(name) { + ignoredSubDirs[parentDir].Delete(name) + continue + } + } + + // Share the similar logic as in files watcher. + var writeEvent bool + switch event.Op { + case fsnotify.Create: + if op, ok := preEventOp[event.Name]; ok && + op.Has(fsnotify.Rename) || op.Has(fsnotify.Remove) { + curRemoveEvents.Delete(event.Name) + } + // Since the watcher watches the whole dir, the creation of file + // should also be able to trigger the Write event. 
+ writeEvent = true + case fsnotify.Write: + writeEvent = true + case fsnotify.Remove, fsnotify.Rename: + curRemoveEvents.Insert(event.Name) + } + + if writeEvent { + n.logger.Info("sending write event", + "name", event.Name, "watcher", "dirs") + + n.Events <- fsnotify.Event{ + Name: event.Name, + Op: fsnotify.Write, + } + } + preEventOp[event.Name] = event.Op + + case <-cleanUpTicker.C: + // Merge files to be removed in the same parent directory + // to suppress events, because the file has already been + // removed and is unnecessary to send event for each of them. + parentDirs := sets.NewString() + for e := range curRemoveEvents { + parentDirs.Insert(filepath.Dir(e)) + } + + for parentDir := range parentDirs { + n.logger.Info("sending remove event", + "name", parentDir, "watcher", "dirs") + + n.Events <- fsnotify.Event{ + Name: parentDir, + Op: fsnotify.Remove, + } + } + curRemoveEvents = sets.NewString() + } + } +} diff --git a/internal/provider/file/path.go b/internal/provider/file/path.go new file mode 100644 index 00000000000..fe3ad7539f6 --- /dev/null +++ b/internal/provider/file/path.go 
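Review bot: Every `n.Events <- fsnotify.Event{...}` in `runFilesWatcher` and `runDirsWatcher` is an unconditional send on an unbuffered channel, so once the consumer stops reading (the provider's `Start` returns on `ctx.Done()`) these goroutines can block forever instead of exiting. Each send should be a `select` over the send and `<-ctx.Done()`, and both loops should `defer cleanUpTicker.Stop()`. The `switch event.Op` cases are exact matches on a bitmask, so an event carrying combined bits matches none of them; `event.Has(...)`, already used for `Chmod`, is the safer test. `NewNotifier` leaves `fw` open when the second `NewBufferedWatcher` fails, and `Close` returns before closing `dirsWatcher` if the first close errors.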
@@ -0,0 +1,47 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "os" + "path/filepath" + + "k8s.io/apimachinery/pkg/util/sets" +) + +// getDirsAndFilesForWatcher prepares dirs and files for the watcher in notifier. +func getDirsAndFilesForWatcher(paths []string) ( + dirs sets.Set[string], files sets.Set[string], err error, +) { + dirs, files = sets.New[string](), sets.New[string]() + + // Separate paths by whether is a directory or not. + paths = sets.NewString(paths...).List() + for _, path := range paths { + var p os.FileInfo + p, err = os.Lstat(path) + if err != nil { + return + } + + if p.IsDir() { + dirs.Insert(path) + } else { + files.Insert(path) + } + } + + // Ignore filepath if its parent directory is also be watched. + var ignoreFiles []string + for fp := range files { + if dirs.Has(filepath.Dir(fp)) { + ignoreFiles = append(ignoreFiles, fp) + } + } + files.Delete(ignoreFiles...) + + return +} diff --git a/internal/provider/file/path_test.go b/internal/provider/file/path_test.go new file mode 100644 index 00000000000..183c24efa97 --- /dev/null +++ b/internal/provider/file/path_test.go 
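Review bot: `getDirsAndFilesForWatcher` uses the configured strings unchanged, so `dirs.Has(filepath.Dir(fp))` and the notifier's `files.Has(event.Name)` depend on exact spelling; a trailing slash or a `./` prefix would likely defeat the overlap check and the event match. Normalising at the top of the loop with `path = filepath.Clean(path)` avoids that. Entries are classified with `os.Lstat`, which does not follow symlinks, while `loadFromFile` in this patch reads through them with `os.Stat` and `os.ReadFile`, so a symlink to a directory is treated as a file. Since the watched locations feed gateway configuration, it is worth deciding and documenting whether symlinked paths are supported at all. The bare `return` on the `Lstat` error hands back partially filled sets without naming the path; `return nil, nil, fmt.Errorf("stat %q: %w", path, err)` is clearer (needs the `fmt` import).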
@@ -0,0 +1,54 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "path" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestGetDirsAndFilesForWatcher(t *testing.T) { + testPath := path.Join("testdata", "paths") + testCases := []struct { + name string + paths []string + expectDirs []string + expectFiles []string + }{ + { + name: "get file and dir path", + paths: []string{ + path.Join(testPath, "dir"), path.Join(testPath, "foo"), + }, + expectDirs: []string{ + path.Join(testPath, "dir"), + }, + expectFiles: []string{ + path.Join(testPath, "foo"), + }, + }, + { + name: "overlap file path will be ignored", + paths: []string{ + path.Join(testPath, "dir"), path.Join(testPath, "dir", "bar"), + }, + expectDirs: []string{ + path.Join(testPath, "dir"), + }, + expectFiles: []string{}, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + dirs, paths, _ := getDirsAndFilesForWatcher(tc.paths) + require.ElementsMatch(t, dirs.UnsortedList(), tc.expectDirs) + require.ElementsMatch(t, paths.UnsortedList(), tc.expectFiles) + }) + } +} diff --git a/internal/provider/file/resources.go b/internal/provider/file/resources.go new file mode 100644 index 00000000000..8dcd60ac78a --- /dev/null +++ b/internal/provider/file/resources.go 
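Review bot: The test discards the error from `getDirsAndFilesForWatcher` (`dirs, paths, _ := ...`), so a missing fixture would surface as a confusing set mismatch rather than as the real failure. Capture it and add `require.NoError(t, err)` before the two `ElementsMatch` checks. The fixtures are built with `path.Join` while the code under test uses `path/filepath`; `filepath.Join` keeps the test portable to platforms with a different separator. There is also no case for a non-existent path, which is the one error branch the function has.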
@@ -0,0 +1,335 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "fmt" + "os" + "path/filepath" + "reflect" + "strings" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/yaml" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/gatewayapi" +) + +// loadFromFilesAndDirs loads resources from specific files and directories. +func loadFromFilesAndDirs(files, dirs []string) ([]*gatewayapi.Resources, error) { + var rs []*gatewayapi.Resources + + for _, file := range files { + r, err := loadFromFile(file) + if err != nil { + return nil, err + } + rs = append(rs, r) + } + + for _, dir := range dirs { + r, err := loadFromDir(dir) + if err != nil { + return nil, err + } + rs = append(rs, r...) + } + + return rs, nil +} + +// loadFromFile loads resources from a specific file. +func loadFromFile(path string) (*gatewayapi.Resources, error) { + if _, err := os.Stat(path); err != nil { + if os.IsNotExist(err) { + return nil, fmt.Errorf("file %s is not exist", path) + } + return nil, err + } + + bytes, err := os.ReadFile(path) + if err != nil { + return nil, err + } + + return convertKubernetesYAMLToResources(string(bytes)) +} + +// loadFromDir loads resources from all the files under a specific directory excluding subdirectories. 
+func loadFromDir(path string) ([]*gatewayapi.Resources, error) { + entries, err := os.ReadDir(path) + if err != nil { + return nil, err + } + + var rs []*gatewayapi.Resources + for _, entry := range entries { + // Ignoring subdirectories and all hidden files and directories. + if entry.IsDir() || strings.HasPrefix(entry.Name(), ".") { + continue + } + + r, err := loadFromFile(filepath.Join(path, entry.Name())) + if err != nil { + return nil, err + } + + rs = append(rs, r) + } + + return rs, nil +} + +// TODO(sh2): This function is copied and updated from internal/cmd/egctl/translate.go. +// This function should be able to process arbitrary number of resources, so we +// need to come up with a way to extend the GatewayClass and EnvoyProxy field to array +// instead of single variable in gatewayapi.Resources structure. +// +// - This issue is tracked by https://github.com/envoyproxy/gateway/issues/3207 +// +// convertKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. +func convertKubernetesYAMLToResources(str string) (*gatewayapi.Resources, error) { + resources := gatewayapi.NewResources() + var useDefaultNamespace bool + providedNamespaceMap := sets.New[string]() + requiredNamespaceMap := sets.New[string]() + yamls := strings.Split(str, "\n---") + combinedScheme := envoygateway.GetScheme() + for _, y := range yamls { + if strings.TrimSpace(y) == "" { + continue + } + var obj map[string]interface{} + err := yaml.Unmarshal([]byte(y), &obj) + if err != nil { + return nil, err + } + un := unstructured.Unstructured{Object: obj} + gvk := un.GroupVersionKind() + name, namespace := un.GetName(), un.GetNamespace() + if namespace == "" { + // When kubectl applies a resource in yaml which doesn't have a namespace, + // the current namespace is applied. Here we do the same thing before translating + // the GatewayAPI resource. 
Otherwise, the resource can't pass the namespace validation + useDefaultNamespace = true + namespace = config.DefaultNamespace + } + requiredNamespaceMap.Insert(namespace) + kobj, err := combinedScheme.New(gvk) + if err != nil { + return nil, err + } + err = combinedScheme.Convert(&un, kobj, nil) + if err != nil { + return nil, err + } + + objType := reflect.TypeOf(kobj) + if objType.Kind() != reflect.Ptr { + return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) + } + kobjVal := reflect.ValueOf(kobj).Elem() + spec := kobjVal.FieldByName("Spec") + + switch gvk.Kind { + case gatewayapi.KindEnvoyProxy: + typedSpec := spec.Interface() + envoyProxy := &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(egv1a1.EnvoyProxySpec), + } + resources.EnvoyProxyForGatewayClass = envoyProxy + case gatewayapi.KindGatewayClass: + typedSpec := spec.Interface() + gatewayClass := &gwapiv1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GatewayClassSpec), + } + // fill controller name by default controller name when gatewayclass controller name empty. 
+ if gatewayClass.Spec.ControllerName == "" { + gatewayClass.Spec.ControllerName = egv1a1.GatewayControllerName + } + resources.GatewayClass = gatewayClass + case gatewayapi.KindGateway: + typedSpec := spec.Interface() + gateway := &gwapiv1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GatewaySpec), + } + resources.Gateways = append(resources.Gateways, gateway) + case gatewayapi.KindTCPRoute: + typedSpec := spec.Interface() + tcpRoute := &gwapiv1a2.TCPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: gatewayapi.KindTCPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.TCPRouteSpec), + } + resources.TCPRoutes = append(resources.TCPRoutes, tcpRoute) + case gatewayapi.KindUDPRoute: + typedSpec := spec.Interface() + udpRoute := &gwapiv1a2.UDPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: gatewayapi.KindUDPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.UDPRouteSpec), + } + resources.UDPRoutes = append(resources.UDPRoutes, udpRoute) + case gatewayapi.KindTLSRoute: + typedSpec := spec.Interface() + tlsRoute := &gwapiv1a2.TLSRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: gatewayapi.KindTLSRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.TLSRouteSpec), + } + resources.TLSRoutes = append(resources.TLSRoutes, tlsRoute) + case gatewayapi.KindHTTPRoute: + typedSpec := spec.Interface() + httpRoute := &gwapiv1.HTTPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: gatewayapi.KindHTTPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.HTTPRouteSpec), + } + resources.HTTPRoutes = append(resources.HTTPRoutes, httpRoute) + case gatewayapi.KindGRPCRoute: + typedSpec := spec.Interface() + grpcRoute := &gwapiv1.GRPCRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: 
gatewayapi.KindGRPCRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GRPCRouteSpec), + } + resources.GRPCRoutes = append(resources.GRPCRoutes, grpcRoute) + case gatewayapi.KindNamespace: + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + } + resources.Namespaces = append(resources.Namespaces, namespace) + providedNamespaceMap.Insert(name) + case gatewayapi.KindService: + typedSpec := spec.Interface() + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(corev1.ServiceSpec), + } + resources.Services = append(resources.Services, service) + case egv1a1.KindEnvoyPatchPolicy: + typedSpec := spec.Interface() + envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindEnvoyPatchPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), + } + resources.EnvoyPatchPolicies = append(resources.EnvoyPatchPolicies, envoyPatchPolicy) + case egv1a1.KindClientTrafficPolicy: + typedSpec := spec.Interface() + clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindClientTrafficPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), + } + resources.ClientTrafficPolicies = append(resources.ClientTrafficPolicies, clientTrafficPolicy) + case egv1a1.KindBackendTrafficPolicy: + typedSpec := spec.Interface() + backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindBackendTrafficPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: 
typedSpec.(egv1a1.BackendTrafficPolicySpec), + } + resources.BackendTrafficPolicies = append(resources.BackendTrafficPolicies, backendTrafficPolicy) + case egv1a1.KindSecurityPolicy: + typedSpec := spec.Interface() + securityPolicy := &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.SecurityPolicySpec), + } + resources.SecurityPolicies = append(resources.SecurityPolicies, securityPolicy) + } + } + + if useDefaultNamespace { + if !providedNamespaceMap.Has(config.DefaultNamespace) { + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: config.DefaultNamespace, + }, + } + resources.Namespaces = append(resources.Namespaces, namespace) + providedNamespaceMap.Insert(config.DefaultNamespace) + } + } + + return resources, nil +} diff --git a/internal/provider/file/store.go b/internal/provider/file/store.go new file mode 100644 index 00000000000..5a45f1fd638 --- /dev/null +++ b/internal/provider/file/store.go 
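Review bot: Every branch of `switch gvk.Kind` in convertKubernetesYAMLToResources uses a single-value type assertion such as `typedSpec.(gwapiv1.HTTPRouteSpec)`, and the switch looks only at the kind, not the group or version, so a document whose kind matches but whose registered Go type carries a different Spec type would panic the process instead of returning an error. Use the checked form, e.g. `s, ok := spec.Interface().(gwapiv1.HTTPRouteSpec)` followed by `if !ok { return nil, fmt.Errorf("unexpected spec type for %s", gvk) }`. Kinds that the scheme knows but the switch does not list are dropped silently, and only name and namespace are copied into ObjectMeta, so labels and annotations from the file are lost (this looks relevant to anything that selects on labels, such as namespace selectors); an error or log line for ignored kinds and a comment stating the metadata limitation would help. In loadFromFile the `os.Stat` pre-check is redundant with the error `os.ReadFile` already returns, and loadFromDir aborts the whole load on the first file that does not parse, so one stray file in a watched directory blocks all configuration.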
@@ -0,0 +1,78 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "github.com/fsnotify/fsnotify" + "github.com/go-logr/logr" + + "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/message" +) + +type resourcesStore struct { + name string + resources *message.ProviderResources + + logger logr.Logger +} + +func newResourcesStore(name string, resources *message.ProviderResources, logger logr.Logger) *resourcesStore { + return &resourcesStore{ + name: name, + resources: resources, + logger: logger, + } +} + +func (r *resourcesStore) HandleEvent(event fsnotify.Event, files, dirs []string) { + r.logger.Info("receive an event", "name", event.Name, "op", event.Op.String()) + + // TODO(sh2): Support multiple GatewayClass. + switch event.Op { + case fsnotify.Write: + if err := r.LoadAndStore(files, dirs); err != nil { + r.logger.Error(err, "failed to load and store resources") + } + case fsnotify.Remove: + // Under our current assumption, one file only contains one GatewayClass and + // all its other related resources, so we can remove them safely. + r.resources.GatewayAPIResources.Delete(r.name) + } +} + +// LoadAndStore loads and stores all resources from files and directories. +func (r *resourcesStore) LoadAndStore(files, dirs []string) error { + rs, err := loadFromFilesAndDirs(files, dirs) + if err != nil { + return err + } + + // TODO(sh2): For now, we assume that one file only contains one GatewayClass and all its other + // related resources, like Gateway, HTTPRoute, etc. If we managed to extend Resources structure, + // we also need to process all the resources and its relationship, like what is done in + // Kubernetes provider. However, this will cause us to maintain two places of the same logic + // in each provider. 
The ideal case is two different providers share the same resources process logic. + // + // - This issue is tracked by https://github.com/envoyproxy/gateway/issues/3213 + + // We cannot make sure by the time the Write event was triggered, whether the GatewayClass exist, + // so here we just simply Store the first gatewayapi.Resources that has GatewayClass. + gwcResources := make(gatewayapi.ControllerResources, 0, 1) + for _, resource := range rs { + if resource.GatewayClass != nil { + gwcResources = append(gwcResources, resource) + } + } + if len(gwcResources) == 0 { + return nil + } + + r.resources.GatewayAPIResources.Store(r.name, &gwcResources) + r.logger.Info("loaded and stored resources successfully") + + return nil +} diff --git a/internal/provider/file/testdata/paths/dir/bar b/internal/provider/file/testdata/paths/dir/bar new file mode 100644 index 00000000000..e1878797a7c --- /dev/null +++ b/internal/provider/file/testdata/paths/dir/bar @@ -0,0 +1 @@ +THIS FILE IS FOR TEST ONLY \ No newline at end of file diff --git a/internal/provider/file/testdata/paths/foo b/internal/provider/file/testdata/paths/foo new file mode 100644 index 00000000000..e1878797a7c --- /dev/null +++ b/internal/provider/file/testdata/paths/foo @@ -0,0 +1 @@ +THIS FILE IS FOR TEST ONLY \ No newline at end of file diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index bd805fd3048..b909eced608 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go @@ -20,6 +20,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" ec "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/message" 
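Review bot: `switch event.Op` in HandleEvent compares the whole bitmask for equality, so an event that carries more than one bit (for example Write together with Chmod) matches neither case, and Create and Rename are not handled at all; tools that replace a file atomically produce those, so an updated policy file could stay unapplied while the old configuration remains in effect. Test the bits instead, e.g. `if event.Op&fsnotify.Write != 0 || event.Op&fsnotify.Create != 0 {`. The Remove branch deletes everything stored under `r.name` whichever file was removed, whereas LoadAndStore returns nil without touching the store when no GatewayClass is found, so the two removal paths disagree; reloading from the remaining files on Remove would make them consistent. The comment above the loop in LoadAndStore says only the first Resources with a GatewayClass is stored, but the loop appends every one, so either the comment or the loop should change.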
@@ -118,6 +119,10 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) }, nil } +func (p *Provider) Type() egv1a1.ProviderType { + return egv1a1.ProviderTypeKubernetes +} + // Start starts the Provider synchronously until a message is received from ctx. func (p *Provider) Start(ctx context.Context) error { errChan := make(chan error) diff --git a/internal/provider/resource_provider.go b/internal/provider/resource_provider.go new file mode 100644 index 00000000000..d14f95d158d --- /dev/null +++ b/internal/provider/resource_provider.go @@ -0,0 +1,20 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package provider + +import ( + "context" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" +) + +type Provider interface { + // Start starts the resource provider. + Start(ctx context.Context) error + + // Type returns the type of resource provider. + Type() egv1a1.ProviderType +} diff --git a/internal/provider/runner/runner.go b/internal/provider/runner/runner.go index 32f5a30fe8c..94488489376 100644 --- a/internal/provider/runner/runner.go +++ b/internal/provider/runner/runner.go @@ -14,6 +14,8 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/message" + "github.com/envoyproxy/gateway/internal/provider" + "github.com/envoyproxy/gateway/internal/provider/file" "github.com/envoyproxy/gateway/internal/provider/kubernetes" ) 
@@ -37,24 +39,61 @@ func (r *Runner) Name() string { // Start the provider runner func (r *Runner) Start(ctx context.Context) (err error) { r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) - if r.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes { - r.Logger.Info("Using provider", "type", egv1a1.ProviderTypeKubernetes) - cfg, err := ctrl.GetConfig() + + var p provider.Provider + switch r.EnvoyGateway.Provider.Type { + case egv1a1.ProviderTypeKubernetes: + p, err = r.createKubernetesProvider() if err != nil { - return fmt.Errorf("failed to get kubeconfig: %w", err) + return fmt.Errorf("failed to create kubernetes provider: %w", err) } - p, err := kubernetes.New(cfg, &r.Config.Server, r.ProviderResources) + + case egv1a1.ProviderTypeCustom: + p, err = r.createCustomResourceProvider() if err != nil { - return fmt.Errorf("failed to create provider %s: %w", egv1a1.ProviderTypeKubernetes, err) + return fmt.Errorf("failed to create custom provider: %w", err) + } + + default: + // Unsupported provider. + return fmt.Errorf("unsupported provider type %v", r.EnvoyGateway.Provider.Type) + } + + r.Logger.Info("Running provider", "type", p.Type()) + go func() { + if err = p.Start(ctx); err != nil { + r.Logger.Error(err, "unable to start provider") } - go func() { - err := p.Start(ctx) - if err != nil { - r.Logger.Error(err, "unable to start provider") - } - }() - return nil + }() + + return nil +} + +func (r *Runner) createKubernetesProvider() (*kubernetes.Provider, error) { + cfg, err := ctrl.GetConfig() + if err != nil { + return nil, fmt.Errorf("failed to get kubeconfig: %w", err) } - // Unsupported provider. 
- return fmt.Errorf("unsupported provider type %v", r.EnvoyGateway.Provider.Type) + + p, err := kubernetes.New(cfg, &r.Config.Server, r.ProviderResources) + if err != nil { + return nil, fmt.Errorf("failed to create provider %s: %w", egv1a1.ProviderTypeKubernetes, err) + } + + return p, err +} + +func (r *Runner) createCustomResourceProvider() (p provider.Provider, err error) { + switch r.EnvoyGateway.Provider.Custom.Resource.Type { + case egv1a1.ResourceProviderTypeFile: + p, err = file.New(&r.Config.Server, r.ProviderResources) + if err != nil { + return nil, fmt.Errorf("failed to create provider %s: %w", egv1a1.ProviderTypeCustom, err) + } + + default: + return nil, fmt.Errorf("unsupported resource provider type") + } + + return } diff --git a/internal/provider/runner/runner_test.go b/internal/provider/runner/runner_test.go deleted file mode 100644 index 8252bb407ca..00000000000 --- a/internal/provider/runner/runner_test.go +++ /dev/null 
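Review bot: The goroutine in Start assigns to the named result with `if err = p.Start(ctx); err != nil`, after Start itself has already returned nil, so the write races with the return and the caller never sees the value; keep it local as the removed code did, `if err := p.Start(ctx); err != nil {`. createCustomResourceProvider dereferences `r.EnvoyGateway.Provider.Custom.Resource.Type` without a nil check, and the API docs changed in this patch list `custom` as not required, so unless validation elsewhere guarantees it, a config with the Custom type and no `custom` block would panic at startup; guard it with `if r.EnvoyGateway.Provider.Custom == nil { return nil, fmt.Errorf("custom provider configuration is missing") }`. The default branch's `unsupported resource provider type` message would be more useful with the offending value included, and createKubernetesProvider can end with `return p, nil`.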
@@ -1,67 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package runner - -import ( - "context" - "testing" - - "github.com/stretchr/testify/require" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/logging" - "github.com/envoyproxy/gateway/internal/message" -) - -func TestStart(t *testing.T) { - logger := logging.DefaultLogger(egv1a1.LogLevelInfo) - - testCases := []struct { - name string - cfg *config.Server - expect bool - }{ - { - name: "file provider", - cfg: &config.Server{ - EnvoyGateway: &egv1a1.EnvoyGateway{ - TypeMeta: metav1.TypeMeta{ - APIVersion: egv1a1.GroupVersion.String(), - Kind: egv1a1.KindEnvoyGateway, - }, - EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{ - Provider: &egv1a1.EnvoyGatewayProvider{ - Type: egv1a1.ProviderTypeFile, - }, - }, - }, - Logger: logger, - }, - expect: false, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - runner := &Runner{ - Config: Config{ - Server: *tc.cfg, - ProviderResources: new(message.ProviderResources), - }, - } - ctx, cancel := context.WithCancel(context.Background()) - t.Cleanup(cancel) - err := runner.Start(ctx) - if tc.expect { - require.NoError(t, err) - } else { - require.Error(t, err, "An error was expected") - } - }) - } -} diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 4dc8b30f31b..fa46214800b 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -1045,7 +1045,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | -| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane. | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | #### EnvoyGatewayFileResourceProvider @@ -1059,7 +1059,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. | +| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -1217,9 +1217,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes". | +| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | | `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | -| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and a infrastructure
provider. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | #### EnvoyGatewayResourceProvider @@ -2754,7 +2754,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | | `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| -| `File` | ProviderTypeFile defines the "File" provider. This type is not implemented
until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
| +| `Custom` | ProviderTypeCustom defines the "Custom" provider.
| #### ProxyAccessLog diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 4dc8b30f31b..fa46214800b 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1045,7 +1045,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | -| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane. | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | #### EnvoyGatewayFileResourceProvider @@ -1059,7 +1059,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. | +| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -1217,9 +1217,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes". | +| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | | `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | -| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and a infrastructure
provider. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | #### EnvoyGatewayResourceProvider @@ -2754,7 +2754,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | | `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| -| `File` | ProviderTypeFile defines the "File" provider. This type is not implemented
until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
| +| `Custom` | ProviderTypeCustom defines the "Custom" provider.
| #### ProxyAccessLog From 27113bff3ed0ff697d32f5e24a8ab90ca920fa07 Mon Sep 17 00:00:00 2001 From: NCSham Date: Wed, 11 Sep 2024 20:01:49 +0530 Subject: [PATCH 138/523] affinity and toleration patch for certgen (#4195) * affinity and toleration patch for certgen Signed-off-by: NCSham Signed-off-by: NCSham * adds empty values for certgen job tolerations and affinity Signed-off-by: NCSham Signed-off-by: NCSham * adds helm test cases for certgen custom scheduling Signed-off-by: NCSham Signed-off-by: NCSham * updates docs and fixes the indendation in test case Signed-off-by: NCSham Signed-off-by: NCSham * fix gen-check fail Signed-off-by: NCSham Signed-off-by: NCSham * moves tols and affi of certgen from under pod to job Signed-off-by: NCSham --------- Signed-off-by: NCSham Signed-off-by: NCSham Co-authored-by: NCSham --- charts/gateway-helm/README.md | 2 +- charts/gateway-helm/templates/certgen.yaml | 12 + charts/gateway-helm/values.tmpl.yaml | 3 + .../en/latest/install/gateway-helm-api.md | 2 +- .../zh/latest/install/gateway-helm-api.md | 2 +- .../certjen-custom-scheduling.in.yaml | 21 + .../certjen-custom-scheduling.out.yaml | 581 ++++++++++++++++++ 7 files changed, 620 insertions(+), 3 deletions(-) create mode 100644 test/helm/gateway-helm/certjen-custom-scheduling.in.yaml create mode 100644 test/helm/gateway-helm/certjen-custom-scheduling.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 4274b890bdc..2ef1455c1dc 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"annotations":{},"resources":{},"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml index 89f013e6a83..00b7b6f8dca 100644 --- a/charts/gateway-helm/templates/certgen.yaml +++ b/charts/gateway-helm/templates/certgen.yaml 
@@ -51,6 +51,18 @@ spec: seccompProfile: type: RuntimeDefault {{- include "eg.image.pullSecrets" . | nindent 6 }} + {{- with .Values.certgen.job.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.certgen.job.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.certgen.job.tolerations }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} restartPolicy: Never serviceAccountName: {{ include "eg.fullname" . }}-certgen {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 87d3aed774c..50c4eaeb0a9 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -77,6 +77,9 @@ certgen: job: annotations: {} resources: {} + affinity: {} + tolerations: [] + nodeSelector: {} ttlSecondsAfterFinished: 30 rbac: annotations: {} diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 04167b4eb9e..2b0f8e24d6a 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
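Review bot: The `nodeSelector` block in certgen.yaml renders with `{{ toYaml . | nindent 8 }}` while the affinity and tolerations blocks use the trimming form `{{- toYaml . ... }}`, so it should leave a whitespace-only line in the rendered Job; make it `{{- toYaml . | nindent 8 }}`. The new test input sets affinity and tolerations but no nodeSelector, so this branch is not covered by the added golden file; adding a `nodeSelector` entry to certjen-custom-scheduling.in.yaml would exercise it. The tolerations block uses `nindent 6` where the other two use 8; that may still render a valid list, but matching the sibling blocks reads more consistently.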
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"annotations":{},"resources":{},"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 04167b4eb9e..2b0f8e24d6a 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"annotations":{},"resources":{},"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml new file mode 100644 index 00000000000..c579310e0d6 --- /dev/null +++ b/test/helm/gateway-helm/certjen-custom-scheduling.in.yaml 
@@ -0,0 +1,21 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +certgen: + job: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: label1 + operator: In + values: + - value1 + tolerations: + - effect: NoSchedule + key: taint1 + operator: Equal + value: tol1 \ No newline at end of file diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml new file mode 100644 index 00000000000..2e111b7062c --- /dev/null +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
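Review bot: This fixture sets `affinity` and `tolerations` but no `nodeSelector`, so the third value added to the certgen Job template in this commit is never rendered by the golden test. Adding a `nodeSelector:` entry under `certgen.job` (for example a constructed `label2: value2`) and regenerating the matching `.out.yaml` would cover it. The file name also spells the component `certjen` rather than `certgen`, which makes the fixture harder to find by search.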
@@ -0,0 +1,581 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + 
- "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" 
+ app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - create + - get + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: 
gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: 
gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: 
gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + 
capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: label1 + operator: In + values: + - value1 + tolerations: + - effect: NoSchedule + key: taint1 + operator: Equal + value: tol1 + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 From 74ec52d05e88132034a93a3138e05e63a835ab10 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 11 Sep 2024 23:16:51 +0800 Subject: [PATCH 139/523] chore: set fail-fast: false to continue testing as e2e tests are flaky (#4210) set fail-fast: false to continue testing as e2e tests are flaky Signed-off-by: Huabing Zhao --- .github/workflows/build_and_test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index a7ef580da69..c00cb2e3211 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -83,6 +83,7 @@ jobs: runs-on: ubuntu-latest needs: [build] strategy: + fail-fast: false matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: @@ -111,6 +112,7 @@ jobs: runs-on: ubuntu-latest needs: [build] strategy: + fail-fast: false matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: From e26c162a22c63be7753dbabda8cd3e072c6ca2b5 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 11 Sep 2024 23:26:01 +0800 Subject: [PATCH 140/523] ci: bump to golang1.23.1 (#4206) * ci: bump go 1.23 Signed-off-by: zirain * revert crd-ref-docs and controller-gen Signed-off-by: zirain * fix CookieBasedSessionPersistence Signed-off-by: zirain --------- 
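Review bot: Neither `fail-fast: false` line says why it is there; the reason (flaky e2e tests) lives only in the commit message. A comment such as `# e2e tests are flaky: let the other matrix versions finish instead of cancelling them` above the setting in both `strategy` blocks would tell a later reader that it is deliberate and when it can be removed.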
Signed-off-by: zirain --- examples/extension-server/go.mod | 2 +- examples/kubernetes/ext-proc-grpc-service.yaml | 2 +- go.mod | 2 +- site/go.mod | 2 +- test/e2e/tests/session_persistence.go | 1 + tools/github-actions/setup-deps/action.yaml | 2 +- tools/src/buf/go.mod | 2 +- tools/src/gci/go.mod | 2 +- tools/src/golangci-lint/go.mod | 2 +- tools/src/helm-docs/go.mod | 2 +- tools/src/jb/go.mod | 2 +- tools/src/jsonnet/go.mod | 2 +- tools/src/kind/go.mod | 2 +- tools/src/protoc-gen-go-grpc/go.mod | 2 +- tools/src/protoc-gen-go/go.mod | 2 +- tools/src/setup-envtest/go.mod | 2 +- 16 files changed, 16 insertions(+), 15 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 6fa30d74202..b6c5df7c5d9 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -1,6 +1,6 @@ module github.com/exampleorg/envoygateway-extension -go 1.22.7 +go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 diff --git a/examples/kubernetes/ext-proc-grpc-service.yaml b/examples/kubernetes/ext-proc-grpc-service.yaml index de94ccf905c..b52625d6a01 100644 --- a/examples/kubernetes/ext-proc-grpc-service.yaml +++ b/examples/kubernetes/ext-proc-grpc-service.yaml @@ -361,7 +361,7 @@ spec: - sh - "-c" - "cp -a /app /app-live && cd /app-live && go run . --certPath=/app-live/certs/ " - image: golang:1.22.7-alpine + image: golang:1.23.1-alpine ports: - containerPort: 8000 volumeMounts: diff --git a/go.mod b/go.mod index 45f69e52768..c176fe1d881 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway -go 1.22.7 +go 1.23.1 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 diff --git a/site/go.mod b/site/go.mod index c6b0df811f3..4a41d4d7f70 100644 --- a/site/go.mod +++ b/site/go.mod @@ -1,6 +1,6 @@ module github.com/google/docsy-example -go 1.22.7 +go 1.23.1 require ( github.com/FortAwesome/Font-Awesome v0.0.0-20240402185447-c0f460dca7f7 // indirect 
diff --git a/test/e2e/tests/session_persistence.go b/test/e2e/tests/session_persistence.go index 7c1d90880ab..0e6e9f73907 100644 --- a/test/e2e/tests/session_persistence.go +++ b/test/e2e/tests/session_persistence.go @@ -137,6 +137,7 @@ var CookieBasedSessionPersistenceTest = suite.ConformanceTest{ MaxAge: 10, Path: "/v2", HttpOnly: true, + Quoted: true, }, cmpopts.IgnoreFields(http.Cookie{}, "Value", "Raw"), // Ignore the value as it is random. ); diff != "" { t.Fatalf("unexpected cookie: %v", diff) diff --git a/tools/github-actions/setup-deps/action.yaml b/tools/github-actions/setup-deps/action.yaml index 16bd7db1c0c..7de23aac7ec 100644 --- a/tools/github-actions/setup-deps/action.yaml +++ b/tools/github-actions/setup-deps/action.yaml @@ -8,5 +8,5 @@ runs: run: sudo apt-get install libbtrfs-dev -y - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.1 with: - go-version: 1.22.x + go-version: 1.23.x cache: true diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 182b2697b0d..3df7032229f 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.7 +go 1.23.1 require github.com/bufbuild/buf v1.40.1 diff --git a/tools/src/gci/go.mod b/tools/src/gci/go.mod index 7d4fd7ca6d3..382ffae2274 100644 --- a/tools/src/gci/go.mod +++ b/tools/src/gci/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.7 +go 1.23.1 require github.com/daixiang0/gci v0.13.4 diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index 4f356da5578..729ea86717c 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod @@ -1,6 +1,6 @@ module local -go 1.22.7 +go 1.23.1 require github.com/golangci/golangci-lint v1.60.3 diff --git a/tools/src/helm-docs/go.mod b/tools/src/helm-docs/go.mod index 84484217b90..2f61f2bf33a 100644 --- a/tools/src/helm-docs/go.mod +++ b/tools/src/helm-docs/go.mod 
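Review bot: The expected cookie now pins `Quoted: true`, which asserts how the cookie value was quoted on the wire even though `Value` and `Raw` are already ignored as random. If the test only cares about the attributes (`MaxAge`, `Path`, `HttpOnly`), ignoring the field is less brittle: `cmpopts.IgnoreFields(http.Cookie{}, "Value", "Raw", "Quoted")`. If the quoting is part of what is being verified, a short comment saying so would help. The enclosing test function starts and ends outside the hunk.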
@@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/helm-docs -go 1.22.7 +go 1.23.1 require github.com/norwoodj/helm-docs v1.14.2 diff --git a/tools/src/jb/go.mod b/tools/src/jb/go.mod index 4b500d8ac15..fb8807bab20 100644 --- a/tools/src/jb/go.mod +++ b/tools/src/jb/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jb -go 1.22.7 +go 1.23.1 require github.com/jsonnet-bundler/jsonnet-bundler v0.5.1 diff --git a/tools/src/jsonnet/go.mod b/tools/src/jsonnet/go.mod index 27537f28221..2cf5cfd4c7b 100644 --- a/tools/src/jsonnet/go.mod +++ b/tools/src/jsonnet/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jsonnet -go 1.22.7 +go 1.23.1 require github.com/google/go-jsonnet v0.20.0 diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index f09cbf32196..969589cce84 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/kind -go 1.22.7 +go 1.23.1 require sigs.k8s.io/kind v0.24.0 diff --git a/tools/src/protoc-gen-go-grpc/go.mod b/tools/src/protoc-gen-go-grpc/go.mod index 1e73e1c5269..11e0bc567bd 100644 --- a/tools/src/protoc-gen-go-grpc/go.mod +++ b/tools/src/protoc-gen-go-grpc/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go-grpc -go 1.22.7 +go 1.23.1 require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 diff --git a/tools/src/protoc-gen-go/go.mod b/tools/src/protoc-gen-go/go.mod index e24ee052913..588c433426f 100644 --- a/tools/src/protoc-gen-go/go.mod +++ b/tools/src/protoc-gen-go/go.mod @@ -1,5 +1,5 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go -go 1.22.7 +go 1.23.1 require google.golang.org/protobuf v1.33.0 diff --git a/tools/src/setup-envtest/go.mod b/tools/src/setup-envtest/go.mod index 0c710903b2e..33e82a774e7 100644 --- a/tools/src/setup-envtest/go.mod +++ b/tools/src/setup-envtest/go.mod 
@@ -1,6 +1,6 @@ module local -go 1.22.7 +go 1.23.1 require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240813183042-b901db121e1f From 7cddd95dccd8b93408dc789fcdf916c482223dda Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 11 Sep 2024 18:17:51 -0500 Subject: [PATCH 141/523] fix: write backend status (#4219) Signed-off-by: Guy Daich --- internal/gatewayapi/runner/runner.go | 21 ++++++++++++ internal/gatewayapi/runner/runner_test.go | 16 ++++++++++ internal/gatewayapi/status/backend.go | 4 +-- .../backend-invalid-feature-disabled.out.yaml | 2 +- .../backend-invalid-hostname-address.out.yaml | 8 ++--- ...ndtlspolicy-default-ns-targetrefs.out.yaml | 2 +- .../backendtlspolicy-default-ns.out.yaml | 2 +- ...extproc-with-multiple-backendrefs.out.yaml | 4 +-- ...ith-extproc-with-traffic-features.out.yaml | 4 +-- .../envoyproxy-priority-backend.out.yaml | 4 +-- .../testdata/grpcroute-with-backend.out.yaml | 2 +- ...with-backend-and-core-backendrefs.out.yaml | 6 ++-- ...end-backendref-mixed-address-type.out.yaml | 8 ++--- ...-listener-with-backend-backendref.out.yaml | 10 +++--- ...end-backendrefs-diff-address-type.out.yaml | 6 ++-- ...end-backendrefs-same-address-type.out.yaml | 12 +++---- ...ervice-backends-and-app-protocols.out.yaml | 4 +-- ...-non-service-backends-and-weights.out.yaml | 4 +-- ...curitypolicy-with-extauth-backend.out.yaml | 2 +- ...policy-with-extauth-recomputation.out.yaml | 2 +- .../testdata/tcproute-with-backend.out.yaml | 2 +- .../testdata/tlsroute-with-backend.out.yaml | 2 +- internal/message/types.go | 9 ++++++ internal/provider/kubernetes/status.go | 32 +++++++++++++++++++ test/e2e/tests/route_with_backend.go | 4 +++ test/e2e/tests/utils.go | 24 ++++++++++++++ 26 files changed, 151 insertions(+), 45 deletions(-) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index eba70f96739..651e1635286 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go 
@@ -263,6 +263,13 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } delete(statusesToDelete.EnvoyExtensionPolicyStatusKeys, key) } + for _, backend := range result.Backends { + key := utils.NamespacedName(backend) + if !(reflect.ValueOf(backend.Status).IsZero()) { + r.ProviderResources.BackendStatuses.Store(key, &backend.Status) + } + delete(statusesToDelete.BackendStatusKeys, key) + } for _, extServerPolicy := range result.ExtensionServerPolicies { key := message.NamespacedNameAndGVK{ NamespacedName: utils.NamespacedName(&extServerPolicy), @@ -323,6 +330,8 @@ type StatusesToDelete struct { SecurityPolicyStatusKeys map[types.NamespacedName]bool EnvoyExtensionPolicyStatusKeys map[types.NamespacedName]bool ExtensionServerPolicyStatusKeys map[message.NamespacedNameAndGVK]bool + + BackendStatusKeys map[types.NamespacedName]bool } func (r *Runner) getAllStatuses() *StatusesToDelete { @@ -341,6 +350,8 @@ func (r *Runner) getAllStatuses() *StatusesToDelete { BackendTLSPolicyStatusKeys: make(map[types.NamespacedName]bool), EnvoyExtensionPolicyStatusKeys: make(map[types.NamespacedName]bool), ExtensionServerPolicyStatusKeys: make(map[message.NamespacedNameAndGVK]bool), + + BackendStatusKeys: make(map[types.NamespacedName]bool), } // Get current status keys @@ -378,6 +389,9 @@ func (r *Runner) getAllStatuses() *StatusesToDelete { for key := range r.ProviderResources.EnvoyExtensionPolicyStatuses.LoadAll() { ds.EnvoyExtensionPolicyStatusKeys[key] = true } + for key := range r.ProviderResources.BackendStatuses.LoadAll() { + ds.BackendStatusKeys[key] = true + } return ds } @@ -431,6 +445,10 @@ func (r *Runner) deleteStatusKeys(ds *StatusesToDelete) { r.ProviderResources.ExtensionPolicyStatuses.Delete(key) delete(ds.ExtensionServerPolicyStatusKeys, key) } + for key := range ds.BackendStatusKeys { + r.ProviderResources.BackendStatuses.Delete(key) + delete(ds.BackendStatusKeys, key) + } } // deleteAllStatusKeys deletes all status keys stored by the subscriber. 
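Review bot: In the new `result.Backends` loop the key is removed from `statusesToDelete.BackendStatusKeys` even when `backend.Status` is zero and nothing was stored, so a status stored for that Backend by an earlier translation would be neither replaced nor deleted. If a translated Backend can come back with an empty status, keep the key in the delete set in that case, e.g. move `delete(statusesToDelete.BackendStatusKeys, key)` inside the `if`; if it cannot, a one-line comment stating that would do. The trailing context suggests the EnvoyExtensionPolicy loop has the same shape, so this may be a deliberate convention. The enclosing `subscribeAndTranslate` starts and ends outside the hunk.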
@@ -474,6 +492,9 @@ func (r *Runner) deleteAllStatusKeys() { for key := range r.ProviderResources.ExtensionPolicyStatuses.LoadAll() { r.ProviderResources.ExtensionPolicyStatuses.Delete(key) } + for key := range r.ProviderResources.BackendStatuses.LoadAll() { + r.ProviderResources.BackendStatuses.Delete(key) + } } // getIRKeysToDelete returns the list of IR keys to delete diff --git a/internal/gatewayapi/runner/runner_test.go b/internal/gatewayapi/runner/runner_test.go index 502a96950fa..58515da7e16 100644 --- a/internal/gatewayapi/runner/runner_test.go +++ b/internal/gatewayapi/runner/runner_test.go @@ -164,6 +164,10 @@ func TestDeleteStatusKeys(t *testing.T) { Name: "test7", Namespace: "test-namespace", }, + { + Name: "test8", + Namespace: "test-namespace", + }, } r.ProviderResources.GatewayStatuses.Store(keys[0], &gwapiv1.GatewayStatus{}) @@ -173,6 +177,7 @@ func TestDeleteStatusKeys(t *testing.T) { r.ProviderResources.TCPRouteStatuses.Store(keys[4], &gwapiv1a2.TCPRouteStatus{}) r.ProviderResources.UDPRouteStatuses.Store(keys[5], &gwapiv1a2.UDPRouteStatus{}) r.ProviderResources.UDPRouteStatuses.Store(keys[6], &gwapiv1a2.UDPRouteStatus{}) + r.ProviderResources.BackendStatuses.Store(keys[7], &egv1a1.BackendStatus{}) // Checks that the keys are successfully stored to DeletableStatus and watchable maps ds := r.getAllStatuses() @@ -184,6 +189,7 @@ func TestDeleteStatusKeys(t *testing.T) { require.True(t, ds.TCPRouteStatusKeys[keys[4]]) require.True(t, ds.UDPRouteStatusKeys[keys[5]]) require.True(t, ds.UDPRouteStatusKeys[keys[6]]) + require.True(t, ds.BackendStatusKeys[keys[7]]) require.Equal(t, 1, r.ProviderResources.GatewayStatuses.Len()) require.Equal(t, 1, r.ProviderResources.HTTPRouteStatuses.Len()) 
@@ -191,6 +197,7 @@ func TestDeleteStatusKeys(t *testing.T) { require.Equal(t, 1, r.ProviderResources.TLSRouteStatuses.Len()) require.Equal(t, 1, r.ProviderResources.TCPRouteStatuses.Len()) require.Equal(t, 2, r.ProviderResources.UDPRouteStatuses.Len()) + require.Equal(t, 1, r.ProviderResources.BackendStatuses.Len()) // Delete all keys except the last UDPRouteStatus key delete(ds.UDPRouteStatusKeys, keys[6]) @@ -202,6 +209,7 @@ func TestDeleteStatusKeys(t *testing.T) { require.Equal(t, 0, r.ProviderResources.TLSRouteStatuses.Len()) require.Equal(t, 0, r.ProviderResources.TCPRouteStatuses.Len()) require.Equal(t, 1, r.ProviderResources.UDPRouteStatuses.Len()) + require.Equal(t, 0, r.ProviderResources.BackendStatuses.Len()) } func TestDeleteAllStatusKeys(t *testing.T) { @@ -253,6 +261,10 @@ func TestDeleteAllStatusKeys(t *testing.T) { Name: "test6", Namespace: "test-namespace", }, + { + Name: "test7", + Namespace: "test-namespace", + }, } r.ProviderResources.GatewayStatuses.Store(keys[0], &gwapiv1.GatewayStatus{}) @@ -261,6 +273,7 @@ func TestDeleteAllStatusKeys(t *testing.T) { r.ProviderResources.TLSRouteStatuses.Store(keys[3], &gwapiv1a2.TLSRouteStatus{}) r.ProviderResources.TCPRouteStatuses.Store(keys[4], &gwapiv1a2.TCPRouteStatus{}) r.ProviderResources.UDPRouteStatuses.Store(keys[5], &gwapiv1a2.UDPRouteStatus{}) + r.ProviderResources.BackendStatuses.Store(keys[6], &egv1a1.BackendStatus{}) // Checks that the keys are successfully stored to DeletableStatus and watchable maps ds := r.getAllStatuses() @@ -271,6 +284,7 @@ func TestDeleteAllStatusKeys(t *testing.T) { require.True(t, ds.TLSRouteStatusKeys[keys[3]]) require.True(t, ds.TCPRouteStatusKeys[keys[4]]) require.True(t, ds.UDPRouteStatusKeys[keys[5]]) + require.True(t, ds.BackendStatusKeys[keys[6]]) require.Equal(t, 1, r.ProviderResources.GatewayStatuses.Len()) require.Equal(t, 1, r.ProviderResources.HTTPRouteStatuses.Len()) 
@@ -278,6 +292,7 @@ func TestDeleteAllStatusKeys(t *testing.T) { require.Equal(t, 1, r.ProviderResources.TLSRouteStatuses.Len()) require.Equal(t, 1, r.ProviderResources.TCPRouteStatuses.Len()) require.Equal(t, 1, r.ProviderResources.UDPRouteStatuses.Len()) + require.Equal(t, 1, r.ProviderResources.BackendStatuses.Len()) // Delete all keys r.deleteAllStatusKeys() @@ -287,4 +302,5 @@ func TestDeleteAllStatusKeys(t *testing.T) { require.Equal(t, 0, r.ProviderResources.TLSRouteStatuses.Len()) require.Equal(t, 0, r.ProviderResources.TCPRouteStatuses.Len()) require.Equal(t, 0, r.ProviderResources.UDPRouteStatuses.Len()) + require.Equal(t, 0, r.ProviderResources.BackendStatuses.Len()) } diff --git a/internal/gatewayapi/status/backend.go b/internal/gatewayapi/status/backend.go index 7b841baaa8a..16c0139cae4 100644 --- a/internal/gatewayapi/status/backend.go +++ b/internal/gatewayapi/status/backend.go @@ -31,11 +31,11 @@ func UpdateBackendStatusAcceptedCondition(be *egv1a1.Backend, accepted bool, msg func computeBackendAcceptedCondition(be *egv1a1.Backend, accepted bool, msg string) metav1.Condition { switch accepted { case true: - return newCondition(string(egv1a1.BackendReasonInvalid), metav1.ConditionTrue, + return newCondition(string(egv1a1.BackendReasonAccepted), metav1.ConditionTrue, string(egv1a1.BackendConditionAccepted), "The Backend was accepted", time.Now(), be.Generation) default: - return newCondition(string(egv1a1.BackendReasonAccepted), metav1.ConditionFalse, + return newCondition(string(egv1a1.BackendReasonInvalid), metav1.ConditionFalse, string(egv1a1.BackendConditionAccepted), msg, time.Now(), be.Generation) } diff --git a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml index c1425425b20..49d35c60700 100644 --- a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml 
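Review bot: In `computeBackendAcceptedCondition` the arguments to `newCondition` still look transposed after this fix: the regenerated golden files in this commit show a rejected Backend with `type: Invalid`, `status: "False"`, `reason: Accepted`, so the first argument evidently becomes the condition type and the third the reason. A reason constant is therefore being used as the type, and a client that looks up the `Accepted` condition will find none on a rejected Backend. Assuming `newCondition` takes the type first (its definition is outside the hunk), both branches should pass `string(egv1a1.BackendConditionAccepted)` first and the reason third, e.g. `newCondition(string(egv1a1.BackendConditionAccepted), metav1.ConditionFalse, string(egv1a1.BackendReasonInvalid), msg, time.Now(), be.Generation)`. The golden files would then read `type: Accepted`, `reason: Invalid` for the rejected case.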
@@ -17,7 +17,7 @@ backends: Gateway Config reason: Accepted status: "False" - type: Accepted + type: Invalid envoyExtensionPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy diff --git a/internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml b/internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml index e917d9cb2b8..0c022cc4cae 100644 --- a/internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml @@ -16,7 +16,7 @@ backends: message: 'The Backend was not accepted: hostname *.foo.com is not a valid FQDN' reason: Accepted status: "False" - type: Accepted + type: Invalid - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -35,7 +35,7 @@ backends: with at least two segments separated by dots' reason: Accepted status: "False" - type: Accepted + type: Invalid - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -54,7 +54,7 @@ backends: range is not supported' reason: Accepted status: "False" - type: Accepted + type: Invalid - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -72,6 +72,6 @@ backends: message: 'The Backend was not accepted: IP address example.com is invalid' reason: Accepted status: "False" - type: Accepted + type: Invalid infraIR: {} xdsIR: {} diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 6f82b206f7c..5791f607119 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -62,7 +62,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index cf416e9726f..66dfad1a10a 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -78,7 +78,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index fda8a8185fc..b8b810a3d50 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -80,7 +80,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -98,7 +98,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted envoyExtensionPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 17f9e8c15a6..bae507b4d75 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml 
@@ -80,7 +80,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -98,7 +98,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted envoyExtensionPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 33ee9240234..cdb84b46915 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -80,7 +80,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -98,7 +98,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted envoyExtensionPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml index 12bc6d3e1db..ba9f13c3136 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml @@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml index 735622c4041..484fe119154 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml @@ -15,7 +15,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -33,7 +33,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -51,7 +51,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml index c93f3cbe72d..80b6f6627b2 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml @@ -18,7 +18,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -38,7 +38,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -59,7 +59,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: 
@@ -80,7 +80,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index 25ee9e8ba3d..cdbbe788086 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -15,7 +15,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -33,7 +33,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -51,7 +51,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -70,7 +70,7 @@ backends: range is not supported' reason: Accepted status: "False" - type: Accepted + type: Invalid - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -89,7 +89,7 @@ backends: with at least two segments separated by dots' reason: Accepted status: "False" - type: Accepted + type: Invalid gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml index 68dd071124b..3b5ddfa6298 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml @@ -15,7 +15,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -33,7 +33,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -51,7 +51,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml index 7f481247516..5a413ae4630 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml @@ -15,7 +15,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -33,7 +33,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -51,7 +51,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: 
@@ -68,7 +68,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -86,7 +86,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -104,7 +104,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml index c02aa5200b4..4c5fcd5e8e2 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml @@ -18,7 +18,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -38,7 +38,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml index 195f13d09a4..d56407b0dd9 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml 
@@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: @@ -34,7 +34,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index 2957475fbda..05086bae4c8 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml index bc18a9b536a..94012ec739a 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml @@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml index c82e53e39e0..29a124844e5 100644 --- a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml 
@@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml index f5839c370d4..13c3ef41cae 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml @@ -16,7 +16,7 @@ backends: message: The Backend was accepted reason: Accepted status: "True" - type: Invalid + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/message/types.go b/internal/message/types.go index fb82aa1401a..6a39685a813 100644 --- a/internal/message/types.go +++ b/internal/message/types.go @@ -12,6 +12,7 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/ir" xdstypes "github.com/envoyproxy/gateway/internal/xds/types" @@ -29,6 +30,9 @@ type ProviderResources struct { // PolicyStatuses is a group of policy statuses maps. PolicyStatuses + + // ExtensionStatuses is a group of gw-api extension resource statuses map. + ExtensionStatuses } func (p *ProviderResources) GetResources() []*gatewayapi.Resources { @@ -104,6 +108,11 @@ type PolicyStatuses struct { ExtensionPolicyStatuses watchable.Map[NamespacedNameAndGVK, *gwapiv1a2.PolicyStatus] } +// ExtensionStatuses contains statuses related to gw-api extension resources +type ExtensionStatuses struct { + BackendStatuses watchable.Map[types.NamespacedName, *egv1a1.BackendStatus] +} + func (p *PolicyStatuses) Close() { p.ClientTrafficPolicyStatuses.Close() p.SecurityPolicyStatuses.Close() 
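Review bot: `ExtensionStatuses` is added in `internal/message/types.go` without a `Close` method, while `PolicyStatuses` directly below it has one that closes each of its maps, and none of the three hunks for this file touches a close path. If nothing else closes `BackendStatuses`, the new watchable map stays open at shutdown and its subscriber ends only when the context is cancelled. Consider adding `func (e *ExtensionStatuses) Close() { e.BackendStatuses.Close() }` and calling it wherever the owner of these groups calls `PolicyStatuses.Close()`; that call site is outside the visible hunks.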
diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index 85e9ff99310..c94ad2bc556 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -399,6 +399,38 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext r.log.Info("envoyExtensionPolicy status subscriber shutting down") }() + // Backend object status updater + go func() { + message.HandleSubscription( + message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: "backend-status"}, + r.resources.BackendStatuses.Subscribe(ctx), + func(update message.Update[types.NamespacedName, *egv1a1.BackendStatus], errChan chan error) { + // skip delete updates. + if update.Delete { + return + } + key := update.Key + val := update.Value + r.statusUpdater.Send(Update{ + NamespacedName: key, + Resource: new(egv1a1.Backend), + Mutator: MutatorFunc(func(obj client.Object) client.Object { + t, ok := obj.(*egv1a1.Backend) + if !ok { + err := fmt.Errorf("unsupported object type %T", obj) + errChan <- err + panic(err) + } + tCopy := t.DeepCopy() + tCopy.Status = *val + return tCopy + }), + }) + }, + ) + r.log.Info("backend status subscriber shutting down") + }() + if extensionManagerEnabled { // EnvoyExtensionPolicy object status updater go func() { diff --git a/test/e2e/tests/route_with_backend.go b/test/e2e/tests/route_with_backend.go index fadb195c3d9..692764ccae5 100644 --- a/test/e2e/tests/route_with_backend.go +++ b/test/e2e/tests/route_with_backend.go 
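Review bot: The new Backend mutator assigns `tCopy.Status = *val` without checking that `update.Value` is non-nil, so a nil `*egv1a1.BackendStatus` stored in `BackendStatuses` would panic when the mutator runs. The guard at the top of the handler can cover it: `if update.Delete || update.Value == nil { return }`. The type-assertion failure path also calls `panic(err)` right after sending the same error on `errChan`, which risks taking the provider down for a condition that is already reported. Whether that matches the other updaters in `subscribeAndUpdateStatus` cannot be confirmed here, since the function starts and ends outside the hunk.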
@@ -36,6 +36,7 @@ var EnvoyGatewayBackendTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "httproute-to-backend-fqdn", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-fqdn", Namespace: ns}) expectedResponse := http.ExpectedResponse{ Request: http.Request{ @@ -55,6 +56,7 @@ var EnvoyGatewayBackendTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "httproute-to-backend-ip", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-ip", Namespace: ns}) expectedResponse := http.ExpectedResponse{ Request: http.Request{ @@ -74,6 +76,7 @@ var EnvoyGatewayBackendTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "httproute-to-backend-fqdn-http2", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-fqdn-http2", Namespace: ns}) expectedResponse := http.ExpectedResponse{ Request: http.Request{ 
@@ -93,6 +96,7 @@ var EnvoyGatewayBackendTest = suite.ConformanceTest{ routeNN := types.NamespacedName{Name: "httproute-to-fqdn-backend-tls", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-fqdn-tls", Namespace: ns}) expectedResponse := http.ExpectedResponse{ Request: http.Request{ diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index 8da7728517a..e6c6ed85c04 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -336,6 +336,30 @@ func EnvoyExtensionPolicyMustBeAccepted(t *testing.T, client client.Client, poli require.NoErrorf(t, waitErr, "error waiting for EnvoyExtensionPolicy to be accepted") } +// BackendMustBeAccepted waits for the specified Backend to be accepted. +func BackendMustBeAccepted(t *testing.T, client client.Client, backendName types.NamespacedName) { + t.Helper() + + waitErr := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) { + backend := &egv1a1.Backend{} + err := client.Get(ctx, backendName, backend) + if err != nil { + return false, fmt.Errorf("error fetching Backend: %w", err) + } + + for _, condition := range backend.Status.Conditions { + if condition.Type == string(egv1a1.BackendConditionAccepted) && condition.Status == metav1.ConditionTrue { + return true, nil + } + } + + tlog.Logf(t, "Backend not yet accepted: %v", backend) + return false, nil + }) + + require.NoErrorf(t, waitErr, "error waiting for Backend to be accepted") +} + func ScrapeMetrics(t *testing.T, c client.Client, nn types.NamespacedName, port int32, path string) error { url, err := RetrieveURL(c, nn, port, path) if err != nil { From d77ee9dc90854a2c498e152630c8d7c9b359c948 Mon Sep 17 00:00:00 2001 
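Review bot: `BackendMustBeAccepted` in `test/e2e/tests/utils.go` returns a non-nil error from the poll condition when `client.Get` fails, and `wait.PollUntilContextTimeout` stops at the first error. A single transient API error, or a Backend that is not yet visible, therefore fails the test immediately instead of retrying for the 60 seconds. Logging and continuing keeps the wait meaningful: `tlog.Logf(t, "error fetching Backend: %v", err)` followed by `return false, nil`. The loop also accepts any `Accepted=True` condition without comparing `condition.ObservedGeneration` to `backend.Generation`, so a stale condition from an earlier generation would satisfy it.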
From: Guy Daich Date: Wed, 11 Sep 2024 18:37:05 -0500 Subject: [PATCH 142/523] release: v1.1.1 (#4207) * release: v1.1.1 Signed-off-by: Guy Daich * update notes Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- VERSION | 2 +- release-notes/v1.1.1.yaml | 42 +++++++++++++++++++ site/content/en/news/releases/notes/v1.1.1.md | 35 ++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 release-notes/v1.1.1.yaml create mode 100644 site/content/en/news/releases/notes/v1.1.1.md diff --git a/VERSION b/VERSION index 795460fcec8..56130fb3a19 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.1.0 +v1.1.1 diff --git a/release-notes/v1.1.1.yaml b/release-notes/v1.1.1.yaml new file mode 100644 index 00000000000..ac5f40ea678 --- /dev/null +++ b/release-notes/v1.1.1.yaml 
@@ -0,0 +1,42 @@ +date: September 11, 2024 + +changes: + - area: documentation + change: | + Bumped Golang version to 1.22.7 + + + - area: conformance + change: | + Enabled GatewayHTTPListenerIsolation test + + + - area: testing + change: | + Fix download URL of envoy proxy WASM examples used in tests + + + - area: translator + change: | + Fixed url rewrite to remove trailing slash + Isolate HTTP route tables to listener according to Gateway-API specifications + Fixed identification of ReferenceGrant when multiple ReferenceGrants exist in a namespace + Fixed added header values as a command and space delimited list + Fixed assertion on expected status in active HTTP healthcheck + Fixed rejection of invalid Backends referenced by xRoutes + Fixed support for empty SlowStart configuration when using LeastRequest loadbalancing + Fixed update of status for Backends + + + - area: infra-manager + change: | + Pin ratelimit version to 26f28d78 + Reduce readinessProbe failureThreshold and periodSeconds of proxy + Expose ratelimit statsd + + + - area: providers + change: | + Fixed error returned when referenced Configmap or Secret is not found + Use component name in Envoy Gateway logs + diff --git a/site/content/en/news/releases/notes/v1.1.1.md b/site/content/en/news/releases/notes/v1.1.1.md new file mode 100644 index 00000000000..5f5cda1c142 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.1.md 
@@ -0,0 +1,35 @@ +--- +title: "v1.1.1" +publishdate: 2024-09-11 +--- + +Date: September 11, 2024 + +## Documentation +- Bumped Golang version to 1.22.7 + +## Conformance +- Enabled GatewayHTTPListenerIsolation test + +## Testing +- Fix download URL of envoy proxy WASM examples used in tests + +## Translator +- Fixed url rewrite to remove trailing slash +- Isolate HTTP route tables to listener according to Gateway-API specifications +- Fixed identification of ReferenceGrant when multiple ReferenceGrants exist in a namespace +- Fixed added header values as a command and space delimited list +- Fixed assertion on expected status in active HTTP healthcheck +- Fixed rejection of invalid Backends referenced by xRoutes +- Fixed support for empty SlowStart configuration when using LeastRequest loadbalancing +- Fixed update of status for Backends + +## Infra-manager +- Pin ratelimit version to 26f28d78 +- Reduce readinessProbe failureThreshold and periodSeconds of proxy +- Expose ratelimit statsd + +## Providers +- Fixed error returned when referenced Configmap or Secret is not found +- Use component name in Envoy Gateway logs + From eae287070dcb49914ae7d7d873dd3933f3e7e0d5 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 12 Sep 2024 13:41:15 +0800 Subject: [PATCH 143/523] e2e: increase timeout for FileAccessLog (#4215) --- test/e2e/tests/accesslog.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index 2e1ee205b8c..4d7fbd11844 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go 
@@ -202,7 +202,7 @@ var ALSTest = suite.ConformanceTest{ func runLogTest(t *testing.T, suite *suite.ConformanceTestSuite, gwAddr string, expectedResponse httputils.ExpectedResponse, expectedLabels map[string]string, expectedMatch string, expectedDelta int, ) { - if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, time.Minute, true, + if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 3*time.Minute, true, func(ctx context.Context) (bool, error) { // query log count from loki preCount, err := QueryLogCountFromLoki(t, suite.Client, expectedLabels, expectedMatch) @@ -215,7 +215,7 @@ func runLogTest(t *testing.T, suite *suite.ConformanceTestSuite, gwAddr string, // it will take some time for fluent-bit to collect the log and send to loki // let's wait for a while - if err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 15*time.Second, true, func(_ context.Context) (bool, error) { + if err := wait.PollUntilContextTimeout(ctx, time.Second, 1*time.Minute, true, func(_ context.Context) (bool, error) { count, err := QueryLogCountFromLoki(t, suite.Client, expectedLabels, expectedMatch) if err != nil { tlog.Logf(t, "failed to get log count from loki: %v", err) From 480b387197953f17595bdaa736470e5e584f39ab Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 12 Sep 2024 23:57:53 +0800 Subject: [PATCH 144/523] build(deps): bump fortio.org/fortio from 1.66.1 to 1.66.2 (#4223) Bumps [fortio.org/fortio](https://github.com/fortio/fortio) from 1.66.1 to 1.66.2. - [Release notes](https://github.com/fortio/fortio/releases) - [Commits](https://github.com/fortio/fortio/compare/v1.66.1...v1.66.2) --- updated-dependencies: - dependency-name: fortio.org/fortio dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 8 ++++---- go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index b6c5df7c5d9..26de98575ff 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -35,7 +35,7 @@ require ( golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 6e267eb113a..7e8a17a7de8 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -99,16 +99,16 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.66.0 
h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/go.mod b/go.mod index c176fe1d881..2a5e6390358 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.23.1 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( - fortio.org/fortio v1.66.1 + fortio.org/fortio v1.66.2 fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b @@ -43,7 +43,7 @@ require ( go.opentelemetry.io/otel/sdk/metric v1.29.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e golang.org/x/sys v0.25.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 @@ -71,9 +71,9 @@ require ( cel.dev/expr v0.15.0 // indirect dario.cat/mergo v1.0.0 // indirect filippo.io/edwards25519 v1.1.0 // indirect - fortio.org/cli v1.8.0 // indirect + fortio.org/cli v1.9.0 // indirect fortio.org/dflag v1.7.2 // indirect - fortio.org/scli v1.15.1 // indirect + fortio.org/scli v1.15.2 // indirect fortio.org/sets v1.2.0 // indirect fortio.org/struct2env v0.4.1 // indirect fortio.org/version v1.0.4 // indirect @@ -193,7 +193,7 @@ require ( go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect golang.org/x/crypto v0.27.0 // indirect - golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 // indirect + golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect k8s.io/apiserver v0.31.0 // indirect 
@@ -266,10 +266,10 @@ require ( golang.org/x/term v0.24.0 // indirect golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.23.0 // indirect + golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.0 // indirect diff --git a/go.sum b/go.sum index cc359a97751..1be33caef9f 100644 --- a/go.sum +++ b/go.sum 
@@ -9,16 +9,16 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls= -fortio.org/cli v1.8.0 h1:Mz1phmUwkQaXESGb1nIWBY+CHli/GYIlhwpktorh9sY= -fortio.org/cli v1.8.0/go.mod h1:pk/JBE8LcXtNuo5Yj2bLsVbwPaHo8NWdbstSN0cpbFk= +fortio.org/cli v1.9.0 h1:cPgNHvrjxznmbmwuXSwPqQLKZ+RMW8i0iAOESLjt1aI= +fortio.org/cli v1.9.0/go.mod h1:pk/JBE8LcXtNuo5Yj2bLsVbwPaHo8NWdbstSN0cpbFk= fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0= fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U= -fortio.org/fortio v1.66.1 h1:NiVVHUy/DkMoOA/oLJHs0slsTnm/h3ocLbSfvP6NXIc= -fortio.org/fortio v1.66.1/go.mod h1:3qkJSza2B2PC8TVen78wIupHgnsXvlzUnSvgQfiKfUM= +fortio.org/fortio v1.66.2 h1:yA++v1Kzm5mkDZWqNcGYDvKSzQza3pJCiUdatpatkq8= +fortio.org/fortio v1.66.2/go.mod h1:mDwof93Qw2zg8xKARMXO4BhW9/ypX3cw2IrGUkENjDc= fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc= fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= -fortio.org/scli v1.15.1 h1:Upza50brpEZwUk8Nn2gdP4BjgqJZY3J+z7KLrrAzPjY= -fortio.org/scli v1.15.1/go.mod h1:9LOD4iPe9u73KeJGYC/Af1oFniOafO7oZ9VvwENMf/c= +fortio.org/scli v1.15.2 h1:vWXt4QOViXNWy4Gdm7d2FDfptzWD00QiWzYAM/IUF7c= +fortio.org/scli v1.15.2/go.mod h1:XvY2JglgCeeZOIc5CrfBTtcsxkVV8xmGL5ykAcBjEHI= fortio.org/sets v1.2.0 h1:FBfC7R2xrOJtkcioUbY6WqEzdujuBoZRbSdp1fYF4Kk= fortio.org/sets v1.2.0/go.mod h1:J2BwIxNOLWsSU7IMZUg541kh3Au4JEKHrghVwXs68tE= fortio.org/struct2env v0.4.1 h1:rJludAMO5eBvpWplWEQNqoVDFZr4RWMQX7RUapgZyc0= 
@@ -911,11 +911,11 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= -golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3 h1:oWb21rU9Q9XrRwXLB7jHc1rbp6EiiimZZv5MLxpu4T0= -golang.org/x/crypto/x509roots/fallback v0.0.0-20240806160748-b2d3a6a4b4d3/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1049,8 +1049,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1069,8 +1069,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= From 6b8e37abfd9313356b5304afe596d8fdfe54de56 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 12 Sep 2024 15:08:56 -0700 Subject: [PATCH 145/523] Fix website version (#4229) * Point current docs to v1.1.1 Signed-off-by: Arko Dasgupta --- site/layouts/shortcodes/helm-version.html | 6 +++--- site/layouts/shortcodes/yaml-version.html | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index a9b2eb0c745..7e0b44a81b9 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html 
@@ -3,8 +3,8 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.0" -}} +{{- "v1.1.1" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.0" -}} -{{- end -}} \ No newline at end of file +{{- "v1.1.1" -}} +{{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index 12b243e12bb..a033e6ce1ca 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,8 +3,8 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.0" -}} +{{- "v1.1.1" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.0" -}} -{{- end -}} \ No newline at end of file +{{- "v1.1.1" -}} +{{- end -}} From 14f687fb4fd18b98de654d22119f4e4bd10a71e2 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 12 Sep 2024 17:33:16 -0700 Subject: [PATCH 146/523] fix: Switch to an immediate drain strategy (#4230) Switch to a immediate drain strategy * Ensures clients immediately receive a `connection: close` / `GOAWAY` instead of a probabilistic approach of receiving one b/w drain start and drain end (defaults to 600s). This should speed up shutdown with clients reconnecting to newer upgraded proxies. Fixes: https://github.com/envoyproxy/gateway/issues/4205 
Signed-off-by: Arko Dasgupta --- .../translate/out/default-resources.all.yaml | 4 ---- .../translate/out/from-gateway-api-to-xds.all.json | 4 ---- .../translate/out/from-gateway-api-to-xds.all.yaml | 4 ---- .../out/from-gateway-api-to-xds.listener.yaml | 4 ---- .../jwt-single-route-single-match-to-xds.all.json | 1 - .../jwt-single-route-single-match-to-xds.all.yaml | 1 - ...t-single-route-single-match-to-xds.listener.yaml | 1 - .../translate/out/no-service-cluster-ip.all.yaml | 1 - internal/cmd/envoy/shutdown_manager.go | 13 ++++--------- .../infrastructure/kubernetes/proxy/resource.go | 1 + .../proxy/testdata/daemonsets/component-level.yaml | 1 + .../proxy/testdata/daemonsets/custom.yaml | 1 + .../proxy/testdata/daemonsets/default-env.yaml | 1 + .../proxy/testdata/daemonsets/default.yaml | 1 + .../testdata/daemonsets/disable-prometheus.yaml | 1 + .../proxy/testdata/daemonsets/extension-env.yaml | 1 + .../daemonsets/override-labels-and-annotations.yaml | 1 + .../proxy/testdata/daemonsets/patch-daemonset.yaml | 1 + .../proxy/testdata/daemonsets/shutdown-manager.yaml | 1 + .../proxy/testdata/daemonsets/volumes.yaml | 1 + .../proxy/testdata/daemonsets/with-annotations.yaml | 1 + .../proxy/testdata/daemonsets/with-concurrency.yaml | 1 + .../proxy/testdata/daemonsets/with-extra-args.yaml | 1 + .../daemonsets/with-image-pull-secrets.yaml | 1 + .../proxy/testdata/daemonsets/with-name.yaml | 1 + .../testdata/daemonsets/with-node-selector.yaml | 1 + .../with-topology-spread-constraints.yaml | 1 + .../proxy/testdata/deployments/bootstrap.yaml | 1 + .../proxy/testdata/deployments/component-level.yaml | 1 + .../proxy/testdata/deployments/custom.yaml | 1 + .../deployments/custom_with_initcontainers.yaml | 1 + .../proxy/testdata/deployments/default-env.yaml | 1 + .../proxy/testdata/deployments/default.yaml | 1 + .../testdata/deployments/disable-prometheus.yaml | 1 + .../proxy/testdata/deployments/extension-env.yaml | 1 + .../override-labels-and-annotations.yaml | 1 + 
.../testdata/deployments/patch-deployment.yaml | 1 + .../testdata/deployments/shutdown-manager.yaml | 1 + .../proxy/testdata/deployments/volumes.yaml | 1 + .../testdata/deployments/with-annotations.yaml | 1 + .../testdata/deployments/with-concurrency.yaml | 1 + .../deployments/with-empty-memory-limits.yaml | 1 + .../proxy/testdata/deployments/with-extra-args.yaml | 1 + .../deployments/with-image-pull-secrets.yaml | 1 + .../proxy/testdata/deployments/with-name.yaml | 1 + .../testdata/deployments/with-node-selector.yaml | 1 + .../with-topology-spread-constraints.yaml | 1 + internal/xds/translator/listener.go | 3 --- .../extensionpolicy-tcp-udp-http.listeners.yaml | 1 - .../http-route-extension-filter.listeners.yaml | 1 - .../out/extension-xds-ir/http-route.listeners.yaml | 1 - .../extension-xds-ir/listener-policy.listeners.yaml | 1 - .../out/xds-ir/accesslog-cel.listeners.yaml | 1 - .../xds-ir/accesslog-endpoint-stats.listeners.yaml | 1 - .../out/xds-ir/accesslog-formatters.listeners.yaml | 1 - .../out/xds-ir/accesslog-multi-cel.listeners.yaml | 1 - .../xds-ir/accesslog-without-format.listeners.yaml | 1 - .../testdata/out/xds-ir/accesslog.listeners.yaml | 1 - .../out/xds-ir/authorization.listeners.yaml | 1 - .../out/xds-ir/backend-buffer-limit.listeners.yaml | 2 -- .../out/xds-ir/backend-priority.listeners.yaml | 1 - .../testdata/out/xds-ir/basic-auth.listeners.yaml | 1 - .../out/xds-ir/circuit-breaker.listeners.yaml | 1 - .../out/xds-ir/client-buffer-limit.listeners.yaml | 2 -- .../out/xds-ir/client-ip-detection.listeners.yaml | 3 --- .../out/xds-ir/client-timeout.listeners.yaml | 2 -- .../testdata/out/xds-ir/cors.listeners.yaml | 1 - .../out/xds-ir/custom-filter-order.listeners.yaml | 1 - .../out/xds-ir/ext-auth-backend.listeners.yaml | 1 - .../xds-ir/ext-auth-recomputation.listeners.yaml | 1 - .../testdata/out/xds-ir/ext-auth.listeners.yaml | 1 - .../ext-proc-with-traffic-settings.listeners.yaml | 1 - .../testdata/out/xds-ir/ext-proc.listeners.yaml | 1 - 
.../out/xds-ir/fault-injection.listeners.yaml | 1 - ...eaders-with-preserve-x-request-id.listeners.yaml | 2 -- .../headers-with-underscores-action.listeners.yaml | 4 ---- .../testdata/out/xds-ir/health-check.listeners.yaml | 1 - .../http-early-header-mutation.listeners.yaml | 2 -- .../out/xds-ir/http-endpoint-stats.listeners.yaml | 1 - .../out/xds-ir/http-health-check.listeners.yaml | 1 - .../http-preserve-client-protocol.listeners.yaml | 1 - .../http-route-direct-response.listeners.yaml | 1 - .../xds-ir/http-route-dns-cluster.listeners.yaml | 1 - .../out/xds-ir/http-route-mirror.listeners.yaml | 1 - .../http-route-multiple-matches.listeners.yaml | 1 - .../http-route-multiple-mirrors.listeners.yaml | 1 - .../http-route-partial-invalid.listeners.yaml | 1 - .../out/xds-ir/http-route-redirect.listeners.yaml | 1 - .../out/xds-ir/http-route-regex.listeners.yaml | 1 - .../http-route-request-headers.listeners.yaml | 1 - .../http-route-response-add-headers.listeners.yaml | 1 - ...route-response-add-remove-headers.listeners.yaml | 1 - ...ttp-route-response-remove-headers.listeners.yaml | 1 - ...oute-rewrite-root-path-url-prefix.listeners.yaml | 1 - ...rite-sufixx-with-slash-url-prefix.listeners.yaml | 1 - .../http-route-rewrite-url-fullpath.listeners.yaml | 1 - .../http-route-rewrite-url-host.listeners.yaml | 1 - .../http-route-rewrite-url-prefix.listeners.yaml | 1 - .../http-route-session-persistence.listeners.yaml | 1 - .../out/xds-ir/http-route-timeout.listeners.yaml | 1 - ...ttp-route-weighted-backend-uds-ip.listeners.yaml | 1 - ...ute-weighted-backend-with-filters.listeners.yaml | 1 - .../http-route-weighted-backend.listeners.yaml | 1 - ...tp-route-weighted-invalid-backend.listeners.yaml | 1 - .../http-route-with-clientcert.listeners.yaml | 1 - .../xds-ir/http-route-with-metadata.listeners.yaml | 1 - ...-route-with-tls-system-truststore.listeners.yaml | 1 - ...ute-with-tlsbundle-multiple-certs.listeners.yaml | 2 -- .../xds-ir/http-route-with-tlsbundle.listeners.yaml | 
1 - .../testdata/out/xds-ir/http-route.listeners.yaml | 1 - .../out/xds-ir/http1-preserve-case.listeners.yaml | 2 -- .../out/xds-ir/http1-trailers.listeners.yaml | 1 - .../testdata/out/xds-ir/http10.listeners.yaml | 1 - .../testdata/out/xds-ir/http2-route.listeners.yaml | 1 - .../testdata/out/xds-ir/http2.listeners.yaml | 1 - .../testdata/out/xds-ir/http3.listeners.yaml | 1 - .../jsonpatch-missing-resource.listeners.yaml | 1 - .../xds-ir/jsonpatch-with-jsonpath.listeners.yaml | 1 - .../testdata/out/xds-ir/jsonpatch.listeners.yaml | 1 - .../out/xds-ir/jwt-custom-extractor.listeners.yaml | 1 - .../jwt-multi-route-multi-provider.listeners.yaml | 1 - .../jwt-multi-route-single-provider.listeners.yaml | 1 - .../testdata/out/xds-ir/jwt-optional.listeners.yaml | 1 - .../out/xds-ir/jwt-ratelimit.listeners.yaml | 1 - .../jwt-single-route-single-match.listeners.yaml | 1 - .../xds-ir/listener-connection-limit.listeners.yaml | 4 ---- .../xds-ir/listener-proxy-protocol.listeners.yaml | 2 -- .../xds-ir/listener-tcp-keepalive.listeners.yaml | 4 ---- .../out/xds-ir/load-balancer.listeners.yaml | 1 - .../out/xds-ir/local-ratelimit.listeners.yaml | 1 - .../out/xds-ir/metrics-virtual-host.listeners.yaml | 1 - .../out/xds-ir/mixed-tls-jwt-authn.listeners.yaml | 1 - ...-same-port-with-different-filters.listeners.yaml | 1 - .../multiple-listeners-same-port.listeners.yaml | 1 - ...ltiple-simple-tcp-route-same-port.listeners.yaml | 1 - ...ient-certificate-with-custom-data.listeners.yaml | 5 ----- ...al-tls-forward-client-certificate.listeners.yaml | 5 ----- ...uired-client-certificate-disabled.listeners.yaml | 2 -- .../testdata/out/xds-ir/mutual-tls.listeners.yaml | 2 -- .../testdata/out/xds-ir/oidc.listeners.yaml | 1 - .../out/xds-ir/path-settings.listeners.yaml | 1 - .../xds-ir/proxy-protocol-upstream.listeners.yaml | 1 - .../xds-ir/ratelimit-custom-domain.listeners.yaml | 1 - .../xds-ir/ratelimit-disable-headers.listeners.yaml | 1 - .../xds-ir/ratelimit-endpoint-stats.listeners.yaml | 
1 - .../out/xds-ir/ratelimit-sourceip.listeners.yaml | 1 - .../testdata/out/xds-ir/ratelimit.listeners.yaml | 1 - .../out/xds-ir/retry-partial-invalid.listeners.yaml | 1 - .../testdata/out/xds-ir/simple-tls.listeners.yaml | 1 - .../xds-ir/suppress-envoy-headers.listeners.yaml | 1 - .../out/xds-ir/tcp-endpoint-stats.listeners.yaml | 1 - .../out/xds-ir/tcp-route-complex.listeners.yaml | 1 - .../out/xds-ir/tcp-route-simple.listeners.yaml | 1 - .../xds-ir/tcp-route-tls-terminate.listeners.yaml | 1 - .../tcp-route-weighted-backend.listeners.yaml | 1 - .../testdata/out/xds-ir/timeout.listeners.yaml | 1 - .../out/xds-ir/tls-route-passthrough.listeners.yaml | 2 -- .../tls-with-ciphers-versions-alpn.listeners.yaml | 2 -- .../xds-ir/tracing-endpoint-stats.listeners.yaml | 1 - .../out/xds-ir/tracing-zipkin.listeners.yaml | 1 - .../testdata/out/xds-ir/tracing.listeners.yaml | 1 - .../out/xds-ir/upstream-tcpkeepalive.listeners.yaml | 1 - .../testdata/out/xds-ir/wasm.listeners.yaml | 1 - 163 files changed, 42 insertions(+), 178 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 4f2d2892174..963a856e5bf 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -923,7 +923,6 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: default/eg/http - drainType: MODIFY_ONLY name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -991,7 +990,6 @@ xds: statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc - drainType: MODIFY_ONLY name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: @@ -1014,7 +1012,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 1234 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy 
@@ -1054,7 +1051,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 8443 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index aa5af990807..55437eba8ab 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -691,7 +691,6 @@ ], "name": "default/eg/http" }, - "drainType": "MODIFY_ONLY", "name": "default/eg/http", "perConnectionBufferLimitBytes": 32768 } @@ -797,7 +796,6 @@ ], "name": "default/eg/grpc" }, - "drainType": "MODIFY_ONLY", "name": "default/eg/grpc", "perConnectionBufferLimitBytes": 32768 } @@ -834,7 +832,6 @@ "portValue": 1234 } }, - "drainType": "MODIFY_ONLY", "filterChains": [ { "filters": [ @@ -900,7 +897,6 @@ "portValue": 8443 } }, - "drainType": "MODIFY_ONLY", "filterChains": [ { "filterChainMatch": { diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 1c53aef7e90..1bad66a8512 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -404,7 +404,6 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: default/eg/http - drainType: MODIFY_ONLY name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -472,7 +471,6 @@ xds: statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc - drainType: MODIFY_ONLY name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: @@ -495,7 +493,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 1234 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy 
@@ -535,7 +532,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 8443 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index 5a0c626162a..b6c94a95ae8 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -59,7 +59,6 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: default/eg/http - drainType: MODIFY_ONLY name: default/eg/http perConnectionBufferLimitBytes: 32768 - activeState: @@ -127,7 +126,6 @@ xds: statPrefix: http-8080 useRemoteAddress: true name: default/eg/grpc - drainType: MODIFY_ONLY name: default/eg/grpc perConnectionBufferLimitBytes: 32768 - activeState: @@ -150,7 +148,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 1234 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy @@ -190,7 +187,6 @@ xds: socketAddress: address: 0.0.0.0 portValue: 8443 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index f58e4d6932f..bac479d41d6 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -544,7 +544,6 @@ ], "name": "envoy-gateway-system/eg/http" }, - "drainType": "MODIFY_ONLY", "name": "envoy-gateway-system/eg/http", "perConnectionBufferLimitBytes": 32768 } 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 121d5b6e16e..651c46f8f76 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -320,7 +320,6 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http - drainType: MODIFY_ONLY name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 692be7fec9e..7fdd4a247e3 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -76,6 +76,5 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http - drainType: MODIFY_ONLY name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 854b6b3388b..0ed9f3e6893 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -265,7 +265,6 @@ xds: statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway-system/eg/http - drainType: MODIFY_ONLY name: envoy-gateway-system/eg/http perConnectionBufferLimitBytes: 32768 - '@type': type.googleapis.com/envoy.admin.v3.RoutesConfigDump 
diff --git a/internal/cmd/envoy/shutdown_manager.go b/internal/cmd/envoy/shutdown_manager.go index 9f2702cff33..48f624bb67a 100644 --- a/internal/cmd/envoy/shutdown_manager.go +++ b/internal/cmd/envoy/shutdown_manager.go @@ -114,7 +114,7 @@ func shutdownReadyHandler(w http.ResponseWriter, readyTimeout time.Duration, rea } // Shutdown is called from a preStop hook on the shutdown-manager container where -// it will initiate a graceful drain sequence on the Envoy proxy and block until +// it will initiate a drain sequence on the Envoy proxy and block until // connections are drained or a timeout is exceeded. func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAtConnections int) error { startTime := time.Now() @@ -125,7 +125,7 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt logger = logging.FileLogger("/proc/1/fd/1", "shutdown-manager", egv1a1.LogLevelInfo) } - logger.Info(fmt.Sprintf("initiating graceful drain with %.0f second minimum drain period and %.0f second timeout", + logger.Info(fmt.Sprintf("initiating drain with %.0f second minimum drain period and %.0f second timeout", minDrainDuration.Seconds(), drainTimeout.Seconds())) // Start failing active health checks @@ -133,11 +133,6 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt logger.Error(err, "error failing active health checks") } - // Initiate graceful drain sequence - if err := postEnvoyAdminAPI("drain_listeners?graceful&skip_exit"); err != nil { - logger.Error(err, "error initiating graceful drain") - } - // Poll total connections from Envoy admin API until minimum drain period has // been reached and total connections reaches threshold or timeout is exceeded for { 
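Review bot: With the `drain_listeners?graceful&skip_exit` call removed in the `@@ -133,11 +133,6 @@` hunk, the only step Shutdown takes before the polling loop is the one under `// Start failing active health checks`, and an error there is still only logged. If that request fails, the loop would presumably run until `drainTimeout` with nothing having told Envoy to start closing connections, so a bounded retry or a distinct log line for that case is worth adding. The listener testdata in this commit drops `drainType: MODIFY_ONLY`, which is presumably what lets the health-check failure drive connection closing; the doc comment edited in the first hunk should say so, e.g. `// The drain is started by failing Envoy's active health checks; drain_listeners is no longer called.` Shutdown's body continues outside these hunks.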
@@ -154,10 +149,10 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt } if elapsedTime > drainTimeout { - logger.Info("graceful drain sequence timeout exceeded") + logger.Info("drain sequence timeout exceeded") break } else if allowedToExit && conn != nil && *conn <= exitAtConnections { - logger.Info("graceful drain sequence completed") + logger.Info("drain sequence completed") break } diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index 406694be9bb..f689910bfda 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -171,6 +171,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra, fmt.Sprintf("--config-yaml %s", bootstrapConfigurations), fmt.Sprintf("--log-level %s", logging.DefaultEnvoyProxyLoggingLevel()), "--cpuset-threads", + "--drain-strategy immediate", } if infra.Config != nil && diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index 7f1bc6c41ab..e707811b725 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -40,6 +40,7 @@ spec: - --config-yaml test bootstrap config - --log-level error - --cpuset-threads + - --drain-strategy immediate - --component-log-level filter:info command: - envoy diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 72c5d026b9b..0f6a997d4c6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml 
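Review bot: In the `@@ -171,6 +171,7 @@` hunk of `proxy/resource.go`, `"--drain-strategy immediate"` is added to the fixed argument list with no comment and no way to opt out, while the testdata in this commit shows user-supplied extra args (`--key1 val1`) and `--drain-time-s 30` being appended after it. A proxy config that already passes `--drain-strategy` through extra args would end up with the flag twice, which Envoy may reject at startup; that should be confirmed, and the default either skipped when the user sets it or the conflict documented. A why-comment above the entry would also help, e.g. `// Close draining connections right away instead of ramping up over the drain time.` The body of expectedProxyContainers starts and ends outside the hunk.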
@@ -224,6 +224,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index b59b07a086c..6fdf1da0e60 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -223,6 +223,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 0808d5c0180..a72d157d29c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 73bc606336c..4ce178c3702 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -182,6 +182,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 4f2f396b763..c79f727f345 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -223,6 +223,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 2088c4cb3ce..1ad3c6a3e60 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -217,6 +217,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 169eeb59394..fb0fd20619a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 725055a9f4d..04230b2f453 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml 
@@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --drain-time-s 30 command: - envoy diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index b993f3bfbc1..1e0c7f755e7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -223,6 +223,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index c43c64302f3..208984e9e67 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -213,6 +213,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 568aa4164ad..0f5de423806 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -40,6 +40,7 @@ spec: - --config-yaml test bootstrap config - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --concurrency 4 command: - envoy diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 612363ca2e6..4ac38c0a96e 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --key1 val1 - --key2 val2 command: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index a0324cb54e4..62f40dc8db9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index c31ea245056..9fee30ccc12 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index a0ebcf2e918..d5afd458ecd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml 
@@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index e1d7c76a069..2299126ab97 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -208,6 +208,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index b985e8d0f02..74f15989fe5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -44,6 +44,7 @@ spec: - --config-yaml test bootstrap config - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index 445bf70d28c..25a181a6c75 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -44,6 +44,7 @@ spec: - --config-yaml test bootstrap config - --log-level error - --cpuset-threads + - --drain-strategy immediate - --component-log-level filter:info command: - envoy 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 7628caffe1d..a723d5e5e2f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -229,6 +229,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index f017b2d26ed..3a86964c926 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -229,6 +229,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 992d976f40e..98dfc7fd8a4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -228,6 +228,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 3bd69459a53..d1ce99db4be 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml 
@@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index fa7078ae684..0687d1f12e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -186,6 +186,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 21ddbb9e6fc..e23b1bf1c24 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -228,6 +228,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 0fb0d414016..575869b3c10 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -221,6 +221,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 8d70d4d85cd..470b6fcd926 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 9f70f8bb642..4c6726cb54e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --drain-time-s 30 command: - envoy diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 1395e60cba7..121b7efbc68 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -228,6 +228,7 @@ spec: value: 0.98 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 1bb027eacc5..b3b7c2cd4bd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -217,6 +217,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 44e6370811c..e678283368c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -44,6 +44,7 @@ spec: - --config-yaml test bootstrap config - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --concurrency 4 command: - envoy diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 397b43b9753..d7e3740acd2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index a1aa0917bfd..254055d791f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate - --key1 val1 - --key2 val2 command: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 57258870015..956d8ab72ec 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 2dd83e8e3d6..291429e724a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 72d297ca12a..844489965e1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 20fcb8589a2..26ede99c55a 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -212,6 +212,7 @@ spec: max_active_downstream_connections: 50000 - --log-level warn - --cpuset-threads + - --drain-strategy immediate command: - envoy env: diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 9b442c75105..98f7c28e372 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -169,9 +169,6 @@ func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKee }, }, }, - // Remove /healthcheck/fail from endpoints that trigger a drain of listeners for better control - // over the drain process while still allowing the healthcheck to be failed during pod shutdown. - DrainType: listenerv3.Listener_MODIFY_ONLY, } } diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml index cbb8238986c..6901c9c7810 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http1 - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http1 perConnectionBufferLimitBytes: 32768 statPrefix: envoy-gateway/gateway-1/http1 diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml index e40dcfab7e4..e6777ebece3 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml 
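Review bot: The listener.go hunk removes `DrainType: listenerv3.Listener_MODIFY_ONLY` together with the only comment that explained the drain behaviour, so the listener literal in buildXdsTCPListener now relies on Envoy's default drain type with no stated reason. Going by the removed comment, `/healthcheck/fail` will again trigger a listener drain. This appears to be paired with the `--drain-strategy immediate` argument added throughout the proxy testdata, in which case every open connection is discouraged as soon as the health check is failed during shutdown. I would replace the removed comment rather than drop it, e.g. `// DrainType is left at DEFAULT: /healthcheck/fail starts the listener drain; see --drain-strategy immediate in the proxy args.` The body of buildXdsTCPListener starts and ends outside the hunk, so whether another field or caller still sets a drain type cannot be confirmed from here.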
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: extension-listener - drainType: MODIFY_ONLY name: extension-listener perConnectionBufferLimitBytes: 32768 statPrefix: mock-extension-inserted-prefix diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml index 17ca0e60e44..7837e1509fc 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10081 useRemoteAddress: true name: policyextension-listener - drainType: MODIFY_ONLY name: policyextension-listener perConnectionBufferLimitBytes: 32768 statPrefix: from-the-policy diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml index cb390f213f1..d9795d2be43 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml 
@@ -179,6 +179,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml index 04b183a2885..6a7ebeda5c3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml @@ -140,6 +140,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml index 2ebf9f68a48..cb6e3ef7759 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml @@ -224,6 +224,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml index 972bd4682b9..3677e6bec6b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml @@ -215,6 +215,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index d715eeac8c8..fecb2076871 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -172,6 +172,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index 748055a4755..3b52d45e8e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml @@ -172,6 +172,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml index 40b9a52ec49..907d28f78b7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization.listeners.yaml @@ -33,6 +33,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml index df10f0a95c5..1fadbe977d8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml @@ -30,14 +30,12 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml index 7ed44e9e2bf..55e2fde715b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml @@ -44,6 +44,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml index 2e7dbd6cd55..a7accc0ef6c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml @@ -36,6 +36,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml index 1ea06ebb07e..96f06388ed3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml @@ -30,14 +30,12 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 1500 - address: socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml index 47b25f2a79f..885e958a3e6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml @@ -29,7 +29,6 @@ useRemoteAddress: true xffNumTrustedHops: 2 name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -68,7 +67,6 @@ statPrefix: http-8082 useRemoteAddress: false name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 - address: @@ -109,6 +107,5 @@ statPrefix: http-8083 useRemoteAddress: false name: third-listener - drainType: MODIFY_ONLY name: third-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml index 3e4fa111bcc..03fe43687b2 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml @@ -32,14 +32,12 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml index baac8ead6b3..03c1932b68e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml @@ -33,6 +33,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index ffaab04f70e..46157814e38 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -121,6 +121,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml index c60348a3b91..0ccea8c2bcb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml 
@@ -65,6 +65,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml index 56cfa9ea51a..e2054562760 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml @@ -66,6 +66,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml index f387ff8da8e..84b95081c80 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml @@ -65,6 +65,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml index 7ed44e9e2bf..55e2fde715b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml @@ -44,6 +44,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml index 9f76729fd78..acf4c0a40f6 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml @@ -94,6 +94,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml index 0ea771b2bd1..5053c959bfc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml @@ -33,6 +33,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml index 1ad2086d20b..5041136d090 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml @@ -29,7 +29,6 @@ statPrefix: http-8081 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -62,6 +61,5 @@ statPrefix: http-8082 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml index a0b19ef7b8b..f9b4ee27bf6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml @@ -28,7 +28,6 @@ statPrefix: http-8081 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -60,7 +59,6 @@ statPrefix: http-8082 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 - address: @@ -93,7 +91,6 @@ statPrefix: http-8083 useRemoteAddress: true name: third-listener - drainType: MODIFY_ONLY name: third-listener perConnectionBufferLimitBytes: 32768 - address: @@ -126,6 +123,5 @@ statPrefix: http-8084 useRemoteAddress: true name: fourth-listener - drainType: MODIFY_ONLY name: fourth-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml index 69c2612a5f8..4a3daf7b5eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml @@ -36,7 +36,6 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -103,6 +102,5 @@ statPrefix: http-10081 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml index fe7d2da356b..cc61653cdf6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: listener-enable-endpoint-stats - drainType: MODIFY_ONLY name: listener-enable-endpoint-stats perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml index f11b0c1c300..13b18487b29 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml @@ -38,6 +38,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml index a1964fb2306..09426a31773 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml index 586f3fa82df..c3fb113017a 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml index f29e11a27a4..3c8062f0a29 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml @@ -75,6 +75,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml index 0f567a3db50..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-btls/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-btls/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml index 0f567a3db50..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-btls/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-btls/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml index d887b321dc5..5a43997887d 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-btls/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-btls/http perConnectionBufferLimitBytes: 32768 - address: @@ -65,6 +64,5 @@ statPrefix: http-10081 useRemoteAddress: true name: envoy-gateway/gateway-btls-2/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-btls-2/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml index 0f567a3db50..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-btls/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-btls/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml index b3fa2acefdb..87cd9f2a9d7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml @@ -36,7 +36,6 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -78,6 +77,5 @@ statPrefix: http-10081 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml index f6b29f1548e..7efdb2940f8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml @@ -32,6 +32,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml index 8affd1661ba..7935c97f7f4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml @@ -33,6 +33,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml index 3780fc90f94..fc499431884 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml @@ -38,6 +38,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml index 6c4250c78db..25230ccd9b5 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml index c1961247566..56a11c58a99 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml 
@@ -55,7 +55,6 @@ socketAddress: address: 0.0.0.0 portValue: 10443 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml index 08b5d410df5..6fe14b03f97 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml index 08b5d410df5..6fe14b03f97 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index e251ecac040..524800c6480 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml @@ -58,6 +58,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index bd76886759b..4c45106ab61 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -115,6 +115,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index a79d197ba5e..f247baa83b5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -92,6 +92,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index de1f56ed4d4..9906e8df615 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -61,6 +61,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index 3f55977b503..a4520c65b4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -61,6 +61,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index 3406eeda2fa..91280606bf5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -51,6 +51,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml index 9a7954f8970..49a4bf7dc21 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml 
@@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 - address: @@ -70,20 +69,17 @@ statPrefix: http-10081 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 - address: socketAddress: address: 0.0.0.0 portValue: 10082 - drainType: MODIFY_ONLY name: third-listener perConnectionBufferLimitBytes: 32768 - address: socketAddress: address: 0.0.0.0 portValue: 10083 - drainType: MODIFY_ONLY name: fourth-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml index 3a981aca309..89d57c725f0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: @@ -64,7 +63,6 @@ socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml index 79e4d5a82d0..11f91b65a34 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 socketOptions: 
@@ -70,7 +69,6 @@ statPrefix: http-10081 useRemoteAddress: true name: second-listener - drainType: MODIFY_ONLY name: second-listener perConnectionBufferLimitBytes: 32768 socketOptions: @@ -94,7 +92,6 @@ socketAddress: address: 0.0.0.0 portValue: 10082 - drainType: MODIFY_ONLY name: third-listener perConnectionBufferLimitBytes: 32768 socketOptions: @@ -106,7 +103,6 @@ socketAddress: address: 0.0.0.0 portValue: 10083 - drainType: MODIFY_ONLY name: fourth-listener perConnectionBufferLimitBytes: 32768 socketOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml index 01049c90267..1f27366aa32 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml @@ -34,6 +34,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml 
@@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml index b1a9e2c3720..b7967da1cc0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml index 9612460ed7a..d6ec7d08951 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml @@ -162,6 +162,5 @@ statPrefix: http-10080 useRemoteAddress: true name: default/gateway-1/http - drainType: MODIFY_ONLY name: default/gateway-1/http perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml index a1731a1de8c..1e62e5ca424 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml @@ -30,7 +30,6 @@ statPrefix: http-10080 useRemoteAddress: true name: third-listener - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml index 73bc084eda1..2df07dabd56 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml index e10f6a9ed5b..baaca0e4fb6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10001 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -60,7 +59,6 @@ socketAddress: address: 0.0.0.0 portValue: 10002 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -119,7 +117,6 @@ socketAddress: address: 0.0.0.0 portValue: 10003 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -180,7 +177,6 @@ socketAddress: address: 0.0.0.0 portValue: 10004 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -243,7 +239,6 @@ socketAddress: address: 0.0.0.0 portValue: 10005 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml index 5f1f7372126..a99d3fd3906 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10001 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -60,7 +59,6 @@ socketAddress: address: 0.0.0.0 portValue: 10002 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -119,7 +117,6 @@ socketAddress: address: 0.0.0.0 portValue: 10003 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -178,7 +175,6 @@ socketAddress: address: 0.0.0.0 portValue: 10004 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -237,7 +233,6 @@ socketAddress: address: 0.0.0.0 portValue: 10005 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index 75430179b51..28836be314c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager 
@@ -60,7 +59,6 @@ socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index 2448feb80be..490cfa0f9d9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager @@ -60,7 +59,6 @@ socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index f1defaf5d1b..751bc4dee2e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -121,6 +121,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml index 4934acbee1e..c8eda3875ed 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml @@ -29,6 +29,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml index 3486155cda8..a80f448f017 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml @@ -40,6 +40,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml index b1d7de26ff9..973d90913b4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml @@ -39,6 +39,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml index 3486155cda8..a80f448f017 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml @@ -40,6 +40,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml index 3486155cda8..a80f448f017 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml @@ -40,6 +40,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml index 3486155cda8..a80f448f017 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml @@ -40,6 +40,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml index 51c022c26f3..54f30d4c445 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml index 0598759f776..bcc936863ca 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml index f0aad4ff2da..2e300bdfaad 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml @@ -2,6 +2,5 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY name: tcp-route-enable-endpoint-stats perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml index a6072e34b20..336e84c9eab 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml 
@@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml index 1bed88c6882..4dc8055463a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index cc74c19ed91..f27dc1b2123 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml index f38ddc66108..7c84083a0ba 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml index 586f3fa82df..c3fb113017a 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index 5d20f177934..d5d32d6ee55 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: @@ -24,7 +23,6 @@ socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml index d5c31c5021a..dd12bc2b988 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml @@ -2,7 +2,6 @@ socketAddress: address: 0.0.0.0 portValue: 10080 - drainType: MODIFY_ONLY filterChains: - filterChainMatch: serverNames: @@ -81,7 +80,6 @@ socketAddress: address: 0.0.0.0 portValue: 10081 - drainType: MODIFY_ONLY filterChains: - filters: - name: envoy.filters.network.tcp_proxy diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml index dcfd967ecb8..a98dfd0d9d4 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml @@ -58,6 +58,5 @@ spawnUpstreamSpan: true useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml index e169de7eb0d..6efe38a6b12 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml @@ -59,6 +59,5 @@ spawnUpstreamSpan: true useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml index 3f76ab8e616..599eb3b58af 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml @@ -59,6 +59,5 @@ spawnUpstreamSpan: true useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml index 586f3fa82df..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml @@ -30,6 +30,5 @@ statPrefix: http-10080 useRemoteAddress: true name: first-listener - drainType: MODIFY_ONLY name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index c04f247fd68..a4545e62e2c 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml @@ -108,6 +108,5 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http - drainType: MODIFY_ONLY name: envoy-gateway/gateway-1/http perConnectionBufferLimitBytes: 32768 From b867c29795bb95afc0bda6f226f44aaa1c5662e6 Mon Sep 17 00:00:00 2001 From: Kevin Date: Sat, 14 Sep 2024 02:31:25 +0900 Subject: [PATCH 147/523] docs: fix make command from benchmark-test to benchmark (#4237) Signed-off-by: Juwon Hwang (Kevin) --- site/content/en/contributions/DEVELOP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/contributions/DEVELOP.md b/site/content/en/contributions/DEVELOP.md index c953048a4aa..f972c547f57 100644 --- a/site/content/en/contributions/DEVELOP.md +++ b/site/content/en/contributions/DEVELOP.md @@ -156,7 +156,7 @@ The performance and scalability concerns come from several aspects for control-p - The rate of configuration changes. The benchmark test is running on a [Kind][Kind] cluster, you can start a Kind cluster and -run benchmark test on it by executing `make benchmark-test`. +run benchmark test on it by executing `make benchmark`. The benchmark report will be included in the release artifacts, you can learn more by downloading the detailed benchmark report, namely `benchmark_report.zip`. From 4b8cd95ba33b1515682ee97fd295ff0ea713bed7 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Fri, 13 Sep 2024 19:04:52 -0500 Subject: [PATCH 148/523] api: HTTPRouteFilter (#4171) * api: httpfilter Signed-off-by: Guy Daich * rename to httproutefilter, use pointer Signed-off-by: Guy Daich * use ptr, remove template rewrite from enum Signed-off-by: Guy Daich * rename, add examples 
Signed-off-by: Guy Daich * remove old crd Signed-off-by: Guy Daich * fix shortname Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- api/v1alpha1/httproutefilter_types.go | 101 +++++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 133 ++++++++++++++++++ ...ateway.envoyproxy.io_httproutefilters.yaml | 111 +++++++++++++++ site/content/en/latest/api/extension_types.md | 108 ++++++++++++++ site/content/zh/latest/api/extension_types.md | 108 ++++++++++++++ 5 files changed, 561 insertions(+) create mode 100644 api/v1alpha1/httproutefilter_types.go create mode 100644 charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml diff --git a/api/v1alpha1/httproutefilter_types.go b/api/v1alpha1/httproutefilter_types.go new file mode 100644 index 00000000000..b8fe13f5296 --- /dev/null +++ b/api/v1alpha1/httproutefilter_types.go 
@@ -0,0 +1,101 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ // KindHTTPRouteFilter is the name of the HTTPRouteFilter kind.
+ KindHTTPRouteFilter = "HTTPRouteFilter"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=envoy-gateway,shortName=hrf
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended
+// traffic processing options such as path regex rewrite, direct response and more.
+type HTTPRouteFilter struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec defines the desired state of HTTPRouteFilter.
+ Spec HTTPRouteFilterSpec `json:"spec"`
+}
+
+// HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter.
+// +union
+type HTTPRouteFilterSpec struct {
+ // +optional
+ URLRewrite *HTTPURLRewriteFilter `json:"urlRewrite,omitempty"`
+}
+
+// HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host
+type HTTPURLRewriteFilter struct {
+ // Path defines a path rewrite.
+ //
+ // +optional
+ Path *HTTPPathModifier `json:"path,omitempty"`
+}
+
+// HTTPPathModifierType defines the type of path redirect or rewrite.
+type HTTPPathModifierType string
+
+const (
+ // RegexHTTPPathModifier This type of modifier indicates that the portions of the path that match the specified
+ // regex would be substituted with the specified substitution value
+ // https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/regex.proto#type-matcher-v3-regexmatchandsubstitute
+ RegexHTTPPathModifier HTTPPathModifierType = "ReplaceRegexMatch"
+)
+
+type ReplaceRegexMatch struct {
+ // Pattern matches a regular expression against the value of the HTTP Path.The regex string must
+ // adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+ Pattern string `json:"pattern"`
+ // Substitution is an expression that replaces the matched portion.The expression may include numbered
+ // capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
+ Substitution string `json:"substitution"`
+}
+
+type HTTPPathModifier struct {
+ // +kubebuilder:validation:Enum=RegexHTTPPathModifier
+ Type HTTPPathModifierType `json:"type"`
+ // ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
+ // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
+ // Some examples:
+ // (1) replaceRegexMatch:
+ // pattern: ^/service/([^/]+)(/.*)$
+ // substitution: \2/instance/\1
+ // Would transform /service/foo/v1/api into /v1/api/instance/foo.
+ // (2) replaceRegexMatch:
+ // pattern: one
+ // substitution: two
+ // Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
+ // (3) replaceRegexMatch:
+ // pattern: ^(.*?)one(.*)$
+ // substitution: \1two\2
+ // Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
+ // (3) replaceRegexMatch:
+ // pattern: (?i)/xxx/
+ // substitution: /yyy/
+ // Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive).
+ ReplaceRegexMatch *ReplaceRegexMatch `json:"replaceRegexMatch,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// HTTPRouteFilterList contains a list of HTTPRouteFilter resources.
+type HTTPRouteFilterList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []HTTPRouteFilter `json:"items"`
+}
+
+func init() {
+ SchemeBuilder.Register(&HTTPRouteFilter{}, &HTTPRouteFilterList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f2c88ae0c29..7ee438d5b14 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
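Review bot: The enum marker on `HTTPPathModifier.Type` in `httproutefilter_types.go` names the Go constant instead of its value: `// +kubebuilder:validation:Enum=RegexHTTPPathModifier` sits above a field whose only declared value is `RegexHTTPPathModifier HTTPPathModifierType = "ReplaceRegexMatch"`. The generated schema would therefore presumably accept only `type: RegexHTTPPathModifier`, and a controller comparing against the constant would never match an admitted object; the marker should read `// +kubebuilder:validation:Enum=ReplaceRegexMatch`. Separately, `Pattern` is a user-supplied regex with no schema constraint, so adding `// +kubebuilder:validation:MinLength=1` above it would reject an empty pattern at admission rather than at translation time. A CEL rule requiring `replaceRegexMatch` to be set when `type` is `ReplaceRegexMatch` would likewise keep a half-specified path rewrite from being stored.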
@@ -2625,6 +2625,104 @@ func (in *HTTPExtAuthService) DeepCopy() *HTTPExtAuthService { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPPathModifier) DeepCopyInto(out *HTTPPathModifier) { + *out = *in + if in.ReplaceRegexMatch != nil { + in, out := &in.ReplaceRegexMatch, &out.ReplaceRegexMatch + *out = new(ReplaceRegexMatch) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPPathModifier. +func (in *HTTPPathModifier) DeepCopy() *HTTPPathModifier { + if in == nil { + return nil + } + out := new(HTTPPathModifier) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPRouteFilter) DeepCopyInto(out *HTTPRouteFilter) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteFilter. +func (in *HTTPRouteFilter) DeepCopy() *HTTPRouteFilter { + if in == nil { + return nil + } + out := new(HTTPRouteFilter) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *HTTPRouteFilter) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *HTTPRouteFilterList) DeepCopyInto(out *HTTPRouteFilterList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]HTTPRouteFilter, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteFilterList. +func (in *HTTPRouteFilterList) DeepCopy() *HTTPRouteFilterList { + if in == nil { + return nil + } + out := new(HTTPRouteFilterList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *HTTPRouteFilterList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPRouteFilterSpec) DeepCopyInto(out *HTTPRouteFilterSpec) { + *out = *in + if in.URLRewrite != nil { + in, out := &in.URLRewrite, &out.URLRewrite + *out = new(HTTPURLRewriteFilter) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteFilterSpec. +func (in *HTTPRouteFilterSpec) DeepCopy() *HTTPRouteFilterSpec { + if in == nil { + return nil + } + out := new(HTTPRouteFilterSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPTimeout) DeepCopyInto(out *HTTPTimeout) { *out = *in 
@@ -2650,6 +2748,26 @@ func (in *HTTPTimeout) DeepCopy() *HTTPTimeout { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPURLRewriteFilter) DeepCopyInto(out *HTTPURLRewriteFilter) { + *out = *in + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(HTTPPathModifier) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPURLRewriteFilter. +func (in *HTTPURLRewriteFilter) DeepCopy() *HTTPURLRewriteFilter { + if in == nil { + return nil + } + out := new(HTTPURLRewriteFilter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPWasmCodeSource) DeepCopyInto(out *HTTPWasmCodeSource) { *out = *in @@ -4476,6 +4594,21 @@ func (in *RemoteJWKS) DeepCopy() *RemoteJWKS { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReplaceRegexMatch) DeepCopyInto(out *ReplaceRegexMatch) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplaceRegexMatch. +func (in *ReplaceRegexMatch) DeepCopy() *ReplaceRegexMatch { + if in == nil { + return nil + } + out := new(ReplaceRegexMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RequestHeaderCustomTag) DeepCopyInto(out *RequestHeaderCustomTag) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml new file mode 100644 index 00000000000..2bba4d20ff1 --- /dev/null +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: httproutefilters.gateway.envoyproxy.io +spec: + group: gateway.envoyproxy.io + names: + categories: + - envoy-gateway + kind: HTTPRouteFilter + listKind: HTTPRouteFilterList + plural: httproutefilters + shortNames: + - hrf + singular: httproutefilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended + traffic processing options such as path regex rewrite, direct response and more. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRouteFilter. + properties: + urlRewrite: + description: HTTPURLRewriteFilter define rewrites of HTTP URL components + such as path and host + properties: + path: + description: Path defines a path rewrite. + properties: + replaceRegexMatch: + description: |- + ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution. 
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite + Some examples: + (1) replaceRegexMatch: + pattern: ^/service/([^/]+)(/.*)$ + substitution: \2/instance/\1 + Would transform /service/foo/v1/api into /v1/api/instance/foo. + (2) replaceRegexMatch: + pattern: one + substitution: two + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz. + (3) replaceRegexMatch: + pattern: ^(.*?)one(.*)$ + substitution: \1two\2 + Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz. + (3) replaceRegexMatch: + pattern: (?i)/xxx/ + substitution: /yyy/ + Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). + properties: + pattern: + description: |- + Pattern matches a regular expression against the value of the HTTP Path.The regex string must + adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. + type: string + substitution: + description: |- + Substitution is an expression that replaces the matched portion.The expression may include numbered + capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. + type: string + required: + - pattern + - substitution + type: object + type: + description: HTTPPathModifierType defines the type of path + redirect or rewrite. + enum: + - RegexHTTPPathModifier + type: string + required: + - type + type: object + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fa46214800b..0d1be81fc72 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -26,6 +26,8 @@ API group. - [EnvoyPatchPolicy](#envoypatchpolicy) - [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) +- [HTTPRouteFilter](#httproutefilter) +- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) - [SecurityPolicyList](#securitypolicylist) @@ -1891,6 +1893,83 @@ _Appears in:_ | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPPathModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | true | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | + + +#### HTTPPathModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of path redirect or rewrite. + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Value | Description | +| ----- | ----------- | +| `ReplaceRegexMatch` | RegexHTTPPathModifier This type of modifier indicates that the portions of the path that match the specified
regex would be substituted with the specified substitution value
https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/regex.proto#type-matcher-v3-regexmatchandsubstitute
| + + +#### HTTPRouteFilter + + + +HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended +traffic processing options such as path regex rewrite, direct response and more. + +_Appears in:_ +- [HTTPRouteFilterList](#httproutefilterlist) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilter` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | + + +#### HTTPRouteFilterList + + + +HTTPRouteFilterList contains a list of HTTPRouteFilter resources. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilterList` +| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | + + +#### HTTPRouteFilterSpec + + + +HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. + +_Appears in:_ +- [HTTPRouteFilter](#httproutefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | + + #### HTTPStatus _Underlying type:_ _integer_ @@ -1918,6 +1997,20 @@ _Appears in:_ | `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +#### HTTPURLRewriteFilter + + + +HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | + + #### HTTPWasmCodeSource @@ -3288,6 +3381,21 @@ _Appears in:_ | `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +#### ReplaceRegexMatch + + + + + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | + + #### RequestHeaderCustomTag diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fa46214800b..0d1be81fc72 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -26,6 +26,8 @@ API group. - [EnvoyPatchPolicy](#envoypatchpolicy) - [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) +- [HTTPRouteFilter](#httproutefilter) +- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) - [SecurityPolicyList](#securitypolicylist) @@ -1891,6 +1893,83 @@ _Appears in:_ | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPPathModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | true | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | + + +#### HTTPPathModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of path redirect or rewrite. + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Value | Description | +| ----- | ----------- | +| `ReplaceRegexMatch` | RegexHTTPPathModifier This type of modifier indicates that the portions of the path that match the specified
regex would be substituted with the specified substitution value
https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/regex.proto#type-matcher-v3-regexmatchandsubstitute
| + + +#### HTTPRouteFilter + + + +HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended +traffic processing options such as path regex rewrite, direct response and more. + +_Appears in:_ +- [HTTPRouteFilterList](#httproutefilterlist) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilter` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | + + +#### HTTPRouteFilterList + + + +HTTPRouteFilterList contains a list of HTTPRouteFilter resources. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilterList` +| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | + + +#### HTTPRouteFilterSpec + + + +HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. + +_Appears in:_ +- [HTTPRouteFilter](#httproutefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | + + #### HTTPStatus _Underlying type:_ _integer_ @@ -1918,6 +1997,20 @@ _Appears in:_ | `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +#### HTTPURLRewriteFilter + + + +HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | + + #### HTTPWasmCodeSource @@ -3288,6 +3381,21 @@ _Appears in:_ | `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +#### ReplaceRegexMatch + + + + + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | + + #### RequestHeaderCustomTag From 3567496287c6657c9106827977e62999a60d817d Mon Sep 17 00:00:00 2001 From: sh2 Date: Sat, 14 Sep 2024 08:05:08 +0800 Subject: [PATCH 149/523] refactor: add gatewayapi/resource pkg (#4235) * move gatewayapi resource to a separate pkg Signed-off-by: shawnh2 * move gatewayapi kind into resource pkg Signed-off-by: shawnh2 * move shared kubernetesYAMLToResources into resource pkg as a common func Signed-off-by: shawnh2 --------- 
Signed-off-by: shawnh2 --- internal/cmd/egctl/status.go | 38 +- internal/cmd/egctl/status_test.go | 51 +- internal/cmd/egctl/translate.go | 455 +---------------- internal/gatewayapi/address.go | 6 +- internal/gatewayapi/backendtlspolicy.go | 13 +- internal/gatewayapi/backendtrafficpolicy.go | 13 +- internal/gatewayapi/clienttrafficpolicy.go | 17 +- internal/gatewayapi/contexts.go | 7 +- internal/gatewayapi/contexts_test.go | 5 +- internal/gatewayapi/envoyextensionpolicy.go | 29 +- internal/gatewayapi/envoypatchpolicy.go | 7 +- internal/gatewayapi/ext_service.go | 7 +- internal/gatewayapi/extensionserverpolicy.go | 7 +- internal/gatewayapi/filters.go | 19 +- internal/gatewayapi/helpers.go | 7 +- internal/gatewayapi/listener.go | 35 +- internal/gatewayapi/resource/load.go | 468 ++++++++++++++++++ .../gatewayapi/{ => resource}/resource.go | 2 +- .../{ => resource}/resource_test.go | 2 +- .../gatewayapi/resource/supported_kind.go | 29 ++ .../{ => resource}/zz_generated.deepcopy.go | 2 +- internal/gatewayapi/route.go | 81 +-- internal/gatewayapi/runner/runner.go | 3 +- internal/gatewayapi/securitypolicy.go | 37 +- internal/gatewayapi/sort.go | 3 +- internal/gatewayapi/translator.go | 47 +- internal/gatewayapi/translator_test.go | 5 +- internal/gatewayapi/validate.go | 69 +-- internal/kubernetes/secret.go | 4 +- internal/message/types.go | 8 +- internal/provider/file/resources.go | 269 +--------- internal/provider/file/store.go | 12 +- internal/provider/kubernetes/controller.go | 101 ++-- .../provider/kubernetes/controller_test.go | 3 +- .../kubernetes/extensionpolicies_test.go | 4 +- internal/provider/kubernetes/helpers.go | 7 +- internal/provider/kubernetes/indexers.go | 37 +- .../provider/kubernetes/kubernetes_test.go | 3 +- .../provider/kubernetes/predicates_test.go | 5 +- internal/provider/kubernetes/routes.go | 35 +- internal/provider/kubernetes/routes_test.go | 15 +- .../provider/kubernetes/status_updater.go | 30 +- test/e2e/tests/authorization_client_ip.go | 3 +- 
.../e2e/tests/authorization_default_action.go | 3 +- test/e2e/tests/backend_health_check.go | 3 +- ...backendtrafficpolicy_translation_failed.go | 3 +- test/e2e/tests/basic_auth.go | 11 +- test/e2e/tests/connection_limit.go | 3 +- test/e2e/tests/ext_auth_grpc_service.go | 9 +- test/e2e/tests/ext_auth_http_backend.go | 3 +- test/e2e/tests/ext_auth_http_service.go | 9 +- test/e2e/tests/ext_proc.go | 7 +- test/e2e/tests/header_settings.go | 3 +- test/e2e/tests/listener_health_check.go | 3 +- test/e2e/tests/load_balancing.go | 9 +- test/e2e/tests/local_ratelimit.go | 5 +- test/e2e/tests/merge_gateways.go | 11 +- test/e2e/tests/oidc.go | 5 +- .../securitypolicy_transaltion_failed.go | 3 +- test/e2e/tests/wasm_http.go | 5 +- test/e2e/tests/wasm_oci.go | 7 +- 61 files changed, 969 insertions(+), 1133 deletions(-) create mode 100644 internal/gatewayapi/resource/load.go rename internal/gatewayapi/{ => resource}/resource.go (99%) rename internal/gatewayapi/{ => resource}/resource_test.go (99%) create mode 100644 internal/gatewayapi/resource/supported_kind.go rename internal/gatewayapi/{ => resource}/zz_generated.deepcopy.go (99%) diff --git a/internal/cmd/egctl/status.go b/internal/cmd/egctl/status.go index a19fdd978d4..814bd159339 100644 --- a/internal/cmd/egctl/status.go +++ b/internal/cmd/egctl/status.go 
@@ -23,22 +23,22 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) var ( supportedXRouteTypes = []string{ - gatewayapi.KindHTTPRoute, gatewayapi.KindGRPCRoute, gatewayapi.KindTCPRoute, - gatewayapi.KindUDPRoute, gatewayapi.KindTLSRoute, + resource.KindHTTPRoute, resource.KindGRPCRoute, resource.KindTCPRoute, + resource.KindUDPRoute, resource.KindTLSRoute, } supportedXPolicyTypes = []string{ - gatewayapi.KindBackendTLSPolicy, gatewayapi.KindBackendTrafficPolicy, gatewayapi.KindClientTrafficPolicy, - gatewayapi.KindSecurityPolicy, gatewayapi.KindEnvoyPatchPolicy, gatewayapi.KindEnvoyExtensionPolicy, + resource.KindBackendTLSPolicy, resource.KindBackendTrafficPolicy, resource.KindClientTrafficPolicy, + resource.KindSecurityPolicy, resource.KindEnvoyPatchPolicy, resource.KindEnvoyExtensionPolicy, } supportedAllTypes = []string{ - gatewayapi.KindGatewayClass, gatewayapi.KindGateway, + resource.KindGatewayClass, resource.KindGateway, } ) @@ -156,7 +156,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &gc - resourceKind = gatewayapi.KindGatewayClass + resourceKind = resource.KindGatewayClass case "gtw", "gateway": gtw := gwapiv1.GatewayList{} @@ -164,7 +164,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = >w - resourceKind = gatewayapi.KindGateway + resourceKind = resource.KindGateway case "httproute": httproute := gwapiv1.HTTPRouteList{} @@ -172,7 +172,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &httproute - resourceKind = gatewayapi.KindHTTPRoute + resourceKind = resource.KindHTTPRoute case "grpcroute": grpcroute := gwapiv1.GRPCRouteList{} 
@@ -180,7 +180,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &grpcroute - resourceKind = gatewayapi.KindGRPCRoute + resourceKind = resource.KindGRPCRoute case "tcproute": tcproute := gwapiv1a2.TCPRouteList{} @@ -188,7 +188,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &tcproute - resourceKind = gatewayapi.KindTCPRoute + resourceKind = resource.KindTCPRoute case "udproute": udproute := gwapiv1a2.UDPRouteList{} @@ -196,7 +196,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &udproute - resourceKind = gatewayapi.KindUDPRoute + resourceKind = resource.KindUDPRoute case "tlsroute": tlsroute := gwapiv1a2.TLSRouteList{} @@ -204,7 +204,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &tlsroute - resourceKind = gatewayapi.KindTLSRoute + resourceKind = resource.KindTLSRoute case "btlspolicy", "backendtlspolicy": btlspolicy := gwapiv1a3.BackendTLSPolicyList{} @@ -212,7 +212,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &btlspolicy - resourceKind = gatewayapi.KindBackendTLSPolicy + resourceKind = resource.KindBackendTLSPolicy case "btp", "backendtrafficpolicy": btp := egv1a1.BackendTrafficPolicyList{} @@ -220,7 +220,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &btp - resourceKind = gatewayapi.KindBackendTrafficPolicy + resourceKind = resource.KindBackendTrafficPolicy case "ctp", "clienttrafficpolicy": ctp := egv1a1.ClientTrafficPolicyList{} 
@@ -228,7 +228,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &ctp - resourceKind = gatewayapi.KindClientTrafficPolicy + resourceKind = resource.KindClientTrafficPolicy case "epp", "envoypatchpolicy": epp := egv1a1.EnvoyPatchPolicyList{} @@ -236,7 +236,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &epp - resourceKind = gatewayapi.KindEnvoyPatchPolicy + resourceKind = resource.KindEnvoyPatchPolicy case "eep", "envoyextensionpolicy": eep := egv1a1.EnvoyExtensionPolicyList{} @@ -244,7 +244,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &eep - resourceKind = gatewayapi.KindEnvoyExtensionPolicy + resourceKind = resource.KindEnvoyExtensionPolicy case "sp", "securitypolicy": sp := egv1a1.SecurityPolicyList{} @@ -252,7 +252,7 @@ func runStatus(ctx context.Context, cli client.Client, inputResourceType, namesp return err } resourcesList = &sp - resourceKind = gatewayapi.KindSecurityPolicy + resourceKind = resource.KindSecurityPolicy default: return fmt.Errorf("unknown input resource type: %s, supported input types are: %s", diff --git a/internal/cmd/egctl/status_test.go b/internal/cmd/egctl/status_test.go index 68123a6962b..2d2b6ad611c 100644 --- a/internal/cmd/egctl/status_test.go +++ b/internal/cmd/egctl/status_test.go @@ -19,6 +19,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func TestWriteStatus(t *testing.T) { @@ -40,7 +41,7 @@ func TestWriteStatus(t *testing.T) { name: "egctl x status gc -v, but no resources", resourceList: &gwapiv1.GatewayClassList{}, resourceNamespaced: false, - resourceKind: gatewayapi.KindGatewayClass, + resourceKind: resource.KindGatewayClass, quiet: false, verbose: true, allNamespaces: false, 
@@ -80,7 +81,7 @@ func TestWriteStatus(t *testing.T) { }, }, resourceNamespaced: false, - resourceKind: gatewayapi.KindGatewayClass, + resourceKind: resource.KindGatewayClass, quiet: false, verbose: false, allNamespaces: false, @@ -122,7 +123,7 @@ gc foobar2 test-status-2 test reason 2 }, }, resourceNamespaced: false, - resourceKind: gatewayapi.KindGatewayClass, + resourceKind: resource.KindGatewayClass, quiet: false, verbose: true, allNamespaces: false, @@ -164,7 +165,7 @@ gc foobar2 test-status-2 test reason 2 test message 2 123457 }, }, resourceNamespaced: false, - resourceKind: gatewayapi.KindGatewayClass, + resourceKind: resource.KindGatewayClass, quiet: true, verbose: true, allNamespaces: false, @@ -177,7 +178,7 @@ gc foobar2 test-status-2 test reason 2 test message 2 123457 name: "egctl x status gtw -v -A, no resources", resourceList: &gwapiv1.GatewayList{}, resourceNamespaced: true, - resourceKind: gatewayapi.KindGateway, + resourceKind: resource.KindGateway, quiet: false, verbose: true, allNamespaces: true, @@ -218,7 +219,7 @@ gc foobar2 test-status-2 test reason 2 test message 2 123457 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindGateway, + resourceKind: resource.KindGateway, quiet: false, verbose: true, allNamespaces: true, @@ -287,7 +288,7 @@ default gtw foobar2 test-status-2 test reason 2 test message 2 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindGateway, + resourceKind: resource.KindGateway, quiet: true, verbose: true, allNamespaces: true, @@ -311,7 +312,7 @@ default2 gtw2 foobar4 test-status-4 test reason 4 test message 4 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-1"), }, Conditions: []metav1.Condition{ 
@@ -347,7 +348,7 @@ default2 gtw2 foobar4 test-status-4 test reason 4 test message 4 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-2"), }, Conditions: []metav1.Condition{ @@ -376,7 +377,7 @@ default2 gtw2 foobar4 test-status-4 test reason 4 test message 4 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindHTTPRoute, + resourceKind: resource.KindHTTPRoute, quiet: false, verbose: false, allNamespaces: true, @@ -402,7 +403,7 @@ default2 http2 gateway/test-2 foobar4 test-status-4 test reason 4 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-1"), }, Conditions: []metav1.Condition{ @@ -438,7 +439,7 @@ default2 http2 gateway/test-2 foobar4 test-status-4 test reason 4 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-2"), }, Conditions: []metav1.Condition{ @@ -467,7 +468,7 @@ default2 http2 gateway/test-2 foobar4 test-status-4 test reason 4 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindHTTPRoute, + resourceKind: resource.KindHTTPRoute, quiet: true, verbose: false, allNamespaces: false, @@ -491,7 +492,7 @@ http2 gateway/test-2 foobar4 test-status-4 test reason 4 Ancestors: []gwapiv1a2.PolicyAncestorStatus{ { AncestorRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test"), }, Conditions: []metav1.Condition{ 
@@ -519,7 +520,7 @@ http2 gateway/test-2 foobar4 test-status-4 test reason 4 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindBackendTLSPolicy, + resourceKind: resource.KindBackendTLSPolicy, quiet: false, verbose: false, allNamespaces: false, @@ -543,7 +544,7 @@ btls gateway/test foobar2 test-status-2 test reason 2 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-1"), }, Conditions: []metav1.Condition{ @@ -567,7 +568,7 @@ btls gateway/test foobar2 test-status-2 test reason 2 }, { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-2"), }, Conditions: []metav1.Condition{ @@ -603,7 +604,7 @@ btls gateway/test foobar2 test-status-2 test reason 2 Parents: []gwapiv1.RouteParentStatus{ { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-3"), }, Conditions: []metav1.Condition{ @@ -627,7 +628,7 @@ btls gateway/test foobar2 test-status-2 test reason 2 }, { ParentRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-4"), }, Conditions: []metav1.Condition{ @@ -656,7 +657,7 @@ btls gateway/test foobar2 test-status-2 test reason 2 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindHTTPRoute, + resourceKind: resource.KindHTTPRoute, quiet: false, verbose: false, allNamespaces: true, 
@@ -685,7 +686,7 @@ default2 http2 gateway/test-3 foobar6 test-status-6 test reason 6 Ancestors: []gwapiv1a2.PolicyAncestorStatus{ { AncestorRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-1"), }, Conditions: []metav1.Condition{ @@ -709,7 +710,7 @@ default2 http2 gateway/test-3 foobar6 test-status-6 test reason 6 }, { AncestorRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindHTTPRoute), + Kind: gatewayapi.KindPtr(resource.KindHTTPRoute), Name: gwapiv1.ObjectName("test-2"), }, Conditions: []metav1.Condition{ @@ -743,7 +744,7 @@ default2 http2 gateway/test-3 foobar6 test-status-6 test reason 6 Ancestors: []gwapiv1a2.PolicyAncestorStatus{ { AncestorRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Name: gwapiv1.ObjectName("test-3"), }, Conditions: []metav1.Condition{ @@ -767,7 +768,7 @@ default2 http2 gateway/test-3 foobar6 test-status-6 test reason 6 }, { AncestorRef: gwapiv1.ParentReference{ - Kind: gatewayapi.KindPtr(gatewayapi.KindGRPCRoute), + Kind: gatewayapi.KindPtr(resource.KindGRPCRoute), Name: gwapiv1.ObjectName("test-4"), }, Conditions: []metav1.Condition{ @@ -795,7 +796,7 @@ default2 http2 gateway/test-3 foobar6 test-status-6 test reason 6 }, }, resourceNamespaced: true, - resourceKind: gatewayapi.KindBackendTrafficPolicy, + resourceKind: resource.KindBackendTrafficPolicy, quiet: false, verbose: false, allNamespaces: false, diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index 045d4733e47..25811d600c3 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -11,9 +11,7 @@ import ( "fmt" "io" "os" - "reflect" "sort" - "strings" adminv3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3" bootstrapv3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3" 
@@ -22,19 +20,12 @@ import ( "google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/reflect/protoreflect" "google.golang.org/protobuf/types/known/anypb" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/util/sets" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/yaml" - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/api/v1alpha1/validation" - "github.com/envoyproxy/gateway/internal/envoygateway" - "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" "github.com/envoyproxy/gateway/internal/xds/bootstrap" @@ -46,14 +37,12 @@ const ( gatewayAPIType = "gateway-api" xdsType = "xds" irType = "ir" - - dummyClusterIP = "1.2.3.4" ) type TranslationResult struct { - gatewayapi.Resources - XdsIR gatewayapi.XdsIRMap `json:"xdsIR,omitempty" yaml:"xdsIR,omitempty"` - InfraIR gatewayapi.InfraIRMap `json:"infraIR,omitempty" yaml:"infraIR,omitempty"` + resource.Resources + XdsIR resource.XdsIRMap `json:"xdsIR,omitempty" yaml:"xdsIR,omitempty"` + InfraIR resource.InfraIRMap `json:"infraIR,omitempty" yaml:"infraIR,omitempty"` Xds map[string]interface{} `json:"xds,omitempty"` } @@ -235,7 +224,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re if inType == gatewayAPIType { // Unmarshal input - resources, err := kubernetesYAMLToResources(string(inBytes), addMissingResources) + resources, err := resource.LoadResourcesFromYAMLString(string(inBytes), addMissingResources) if err != nil { return fmt.Errorf("unable to unmarshal input: %w", err) } 
@@ -276,7 +265,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re return fmt.Errorf("unable to find translate from input type %s to output type %s", inType, outTypes) } -func translateGatewayAPIToIR(resources *gatewayapi.Resources) (*gatewayapi.TranslateResult, error) { +func translateGatewayAPIToIR(resources *resource.Resources) (*gatewayapi.TranslateResult, error) { if resources.GatewayClass == nil { return nil, fmt.Errorf("the GatewayClass resource is required") } @@ -303,9 +292,9 @@ func translateGatewayAPIToIR(resources *gatewayapi.Resources) (*gatewayapi.Trans return result, nil } -func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayapi.Resources, error) { +func translateGatewayAPIToGatewayAPI(resources *resource.Resources) (resource.Resources, error) { if resources.GatewayClass == nil { - return gatewayapi.Resources{}, fmt.Errorf("the GatewayClass resource is required") + return resource.Resources{}, fmt.Errorf("the GatewayClass resource is required") } // Translate from Gateway API to Xds IR @@ -341,7 +330,7 @@ func translateGatewayAPIToGatewayAPI(resources *gatewayapi.Resources) (gatewayap return gRes.Resources, nil } -func translateGatewayAPIToXds(namespace, dnsDomain string, resourceType string, resources *gatewayapi.Resources) (map[string]any, error) { +func translateGatewayAPIToXds(namespace, dnsDomain string, resourceType string, resources *resource.Resources) (map[string]any, error) { if resources.GatewayClass == nil { return nil, fmt.Errorf("the GatewayClass resource is required") } 
@@ -437,7 +426,7 @@ func printOutput(w io.Writer, result TranslationResult, output string) error { } // constructConfigDump constructs configDump from ResourceVersionTable and BootstrapConfig -func constructConfigDump(resources *gatewayapi.Resources, tCtx *xds_types.ResourceVersionTable) (*adminv3.ConfigDump, error) { +func constructConfigDump(resources *resource.Resources, tCtx *xds_types.ResourceVersionTable) (*adminv3.ConfigDump, error) { globalConfigs := &adminv3.ConfigDump{} bootstrapConfigs := &adminv3.BootstrapConfigDump{} proxyBootstrap := &bootstrapv3.Bootstrap{} 
@@ -554,427 +543,3 @@ func constructConfigDump(resources *gatewayapi.Resources, tCtx *xds_types.Resour return globalConfigs, nil } - -func addMissingServices(requiredServices map[string]*corev1.Service, obj interface{}) { - var objNamespace string - protocol := corev1.Protocol(gatewayapi.TCPProtocol) - - refs := []gwapiv1.BackendRef{} - switch route := obj.(type) { - case *gwapiv1.HTTPRoute: - objNamespace = route.Namespace - for _, rule := range route.Spec.Rules { - for _, httpBakcendRef := range rule.BackendRefs { - refs = append(refs, httpBakcendRef.BackendRef) - } - } - case *gwapiv1.GRPCRoute: - objNamespace = route.Namespace - for _, rule := range route.Spec.Rules { - for _, gRPCBakcendRef := range rule.BackendRefs { - refs = append(refs, gRPCBakcendRef.BackendRef) - } - } - case *gwapiv1a2.TLSRoute: - objNamespace = route.Namespace - for _, rule := range route.Spec.Rules { - refs = append(refs, rule.BackendRefs...) - } - case *gwapiv1a2.TCPRoute: - objNamespace = route.Namespace - for _, rule := range route.Spec.Rules { - refs = append(refs, rule.BackendRefs...) - } - case *gwapiv1a2.UDPRoute: - protocol = gatewayapi.UDPProtocol - objNamespace = route.Namespace - for _, rule := range route.Spec.Rules { - refs = append(refs, rule.BackendRefs...) 
- } - } - - for _, ref := range refs { - if ref.Kind == nil || *ref.Kind != gatewayapi.KindService { - continue - } - - ns := objNamespace - if ref.Namespace != nil { - ns = string(*ref.Namespace) - } - name := string(ref.Name) - key := ns + "/" + name - - port := int32(*ref.Port) - servicePort := corev1.ServicePort{ - Name: fmt.Sprintf("%s-%d", protocol, port), - Protocol: protocol, - Port: port, - } - if service, found := requiredServices[key]; !found { - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: ns, - }, - Spec: corev1.ServiceSpec{ - // Just a dummy IP - ClusterIP: dummyClusterIP, - Ports: []corev1.ServicePort{servicePort}, - }, - } - requiredServices[key] = service - } else { - inserted := false - for _, port := range service.Spec.Ports { - if port.Protocol == servicePort.Protocol && port.Port == servicePort.Port { - inserted = true - break - } - } - - if !inserted { - service.Spec.Ports = append(service.Spec.Ports, servicePort) - } - } - } -} - -// kubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources -func kubernetesYAMLToResources(str string, addMissingResources bool) (*gatewayapi.Resources, error) { - resources := gatewayapi.NewResources() - var useDefaultNamespace bool - providedNamespaceMap := sets.New[string]() - requiredNamespaceMap := sets.New[string]() - yamls := strings.Split(str, "\n---") - combinedScheme := envoygateway.GetScheme() - for _, y := range yamls { - if strings.TrimSpace(y) == "" { - continue - } - var obj map[string]interface{} - err := yaml.Unmarshal([]byte(y), &obj) - if err != nil { - return nil, err - } - un := unstructured.Unstructured{Object: obj} - gvk := un.GroupVersionKind() - name, namespace := un.GetName(), un.GetNamespace() - if namespace == "" { - // When kubectl applies a resource in yaml which doesn't have a namespace, - // the current namespace is applied. Here we do the same thing before translating - // the GatewayAPI resource. 
Otherwise, the resource can't pass the namespace validation - useDefaultNamespace = true - namespace = config.DefaultNamespace - } - requiredNamespaceMap.Insert(namespace) - kobj, err := combinedScheme.New(gvk) - if err != nil { - return nil, err - } - err = combinedScheme.Convert(&un, kobj, nil) - if err != nil { - return nil, err - } - - objType := reflect.TypeOf(kobj) - if objType.Kind() != reflect.Ptr { - return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) - } - kobjVal := reflect.ValueOf(kobj).Elem() - spec := kobjVal.FieldByName("Spec") - - switch gvk.Kind { - case gatewayapi.KindEnvoyProxy: - typedSpec := spec.Interface() - envoyProxy := &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(egv1a1.EnvoyProxySpec), - } - resources.EnvoyProxyForGatewayClass = envoyProxy - case gatewayapi.KindGatewayClass: - typedSpec := spec.Interface() - gatewayClass := &gwapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GatewayClassSpec), - } - // fill controller name by default controller name when gatewayclass controller name empty. 
- if gatewayClass.Spec.ControllerName == "" { - gatewayClass.Spec.ControllerName = egv1a1.GatewayControllerName - } - resources.GatewayClass = gatewayClass - case gatewayapi.KindGateway: - typedSpec := spec.Interface() - gateway := &gwapiv1.Gateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GatewaySpec), - } - resources.Gateways = append(resources.Gateways, gateway) - case gatewayapi.KindTCPRoute: - typedSpec := spec.Interface() - tcpRoute := &gwapiv1a2.TCPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindTCPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.TCPRouteSpec), - } - resources.TCPRoutes = append(resources.TCPRoutes, tcpRoute) - case gatewayapi.KindUDPRoute: - typedSpec := spec.Interface() - udpRoute := &gwapiv1a2.UDPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindUDPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.UDPRouteSpec), - } - resources.UDPRoutes = append(resources.UDPRoutes, udpRoute) - case gatewayapi.KindTLSRoute: - typedSpec := spec.Interface() - tlsRoute := &gwapiv1a2.TLSRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindTLSRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.TLSRouteSpec), - } - resources.TLSRoutes = append(resources.TLSRoutes, tlsRoute) - case gatewayapi.KindHTTPRoute: - typedSpec := spec.Interface() - httpRoute := &gwapiv1.HTTPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindHTTPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.HTTPRouteSpec), - } - resources.HTTPRoutes = append(resources.HTTPRoutes, httpRoute) - case gatewayapi.KindGRPCRoute: - typedSpec := spec.Interface() - grpcRoute := &gwapiv1.GRPCRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: 
gatewayapi.KindGRPCRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GRPCRouteSpec), - } - resources.GRPCRoutes = append(resources.GRPCRoutes, grpcRoute) - case gatewayapi.KindNamespace: - namespace := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - } - resources.Namespaces = append(resources.Namespaces, namespace) - providedNamespaceMap.Insert(name) - case gatewayapi.KindService: - typedSpec := spec.Interface() - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(corev1.ServiceSpec), - } - if addMissingResources && len(service.Spec.ClusterIP) == 0 { - // fill with dummy IP when service clusterIP is empty - service.Spec.ClusterIP = dummyClusterIP - } - resources.Services = append(resources.Services, service) - case egv1a1.KindEnvoyPatchPolicy: - typedSpec := spec.Interface() - envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindEnvoyPatchPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), - } - resources.EnvoyPatchPolicies = append(resources.EnvoyPatchPolicies, envoyPatchPolicy) - case egv1a1.KindClientTrafficPolicy: - typedSpec := spec.Interface() - clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindClientTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), - } - resources.ClientTrafficPolicies = append(resources.ClientTrafficPolicies, clientTrafficPolicy) - case egv1a1.KindBackendTrafficPolicy: - typedSpec := spec.Interface() - backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindBackendTrafficPolicy, - 
APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.BackendTrafficPolicySpec), - } - resources.BackendTrafficPolicies = append(resources.BackendTrafficPolicies, backendTrafficPolicy) - case egv1a1.KindSecurityPolicy: - typedSpec := spec.Interface() - securityPolicy := &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.SecurityPolicySpec), - } - resources.SecurityPolicies = append(resources.SecurityPolicies, securityPolicy) - } - } - - if useDefaultNamespace { - if !providedNamespaceMap.Has(config.DefaultNamespace) { - namespace := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: config.DefaultNamespace, - }, - } - resources.Namespaces = append(resources.Namespaces, namespace) - providedNamespaceMap.Insert(config.DefaultNamespace) - } - } - - if addMissingResources { - for ns := range requiredNamespaceMap { - if !providedNamespaceMap.Has(ns) { - namespace := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: ns, - }, - } - resources.Namespaces = append(resources.Namespaces, namespace) - } - } - - requiredServiceMap := map[string]*corev1.Service{} - for _, route := range resources.TCPRoutes { - addMissingServices(requiredServiceMap, route) - } - for _, route := range resources.UDPRoutes { - addMissingServices(requiredServiceMap, route) - } - for _, route := range resources.TLSRoutes { - addMissingServices(requiredServiceMap, route) - } - for _, route := range resources.HTTPRoutes { - addMissingServices(requiredServiceMap, route) - } - for _, route := range resources.GRPCRoutes { - addMissingServices(requiredServiceMap, route) - } - - providedServiceMap := map[string]*corev1.Service{} - for _, service := range resources.Services { - 
providedServiceMap[service.Namespace+"/"+service.Name] = service - } - - for key, service := range requiredServiceMap { - if provided, found := providedServiceMap[key]; !found { - resources.Services = append(resources.Services, service) - } else { - providedPorts := sets.NewString() - for _, port := range provided.Spec.Ports { - portKey := fmt.Sprintf("%s-%d", port.Protocol, port.Port) - providedPorts.Insert(portKey) - } - - for _, port := range service.Spec.Ports { - name := fmt.Sprintf("%s-%d", port.Protocol, port.Port) - if !providedPorts.Has(name) { - servicePort := corev1.ServicePort{ - Name: name, - Protocol: port.Protocol, - Port: port.Port, - } - provided.Spec.Ports = append(provided.Spec.Ports, servicePort) - } - } - } - } - - // Add EnvoyProxy if it does not exist - if resources.EnvoyProxyForGatewayClass == nil { - if err := addDefaultEnvoyProxy(resources); err != nil { - return nil, err - } - } - } - - return resources, nil -} - -func addDefaultEnvoyProxy(resources *gatewayapi.Resources) error { - if resources.GatewayClass == nil { - return fmt.Errorf("the GatewayClass resource is required") - } - - defaultEnvoyProxyName := "default-envoy-proxy" - namespace := resources.GatewayClass.Namespace - defaultBootstrapStr, err := bootstrap.GetRenderedBootstrapConfig(nil) - if err != nil { - return err - } - ep := &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: defaultEnvoyProxyName, - }, - Spec: egv1a1.EnvoyProxySpec{ - Bootstrap: &egv1a1.ProxyBootstrap{ - Value: &defaultBootstrapStr, - }, - }, - } - resources.EnvoyProxyForGatewayClass = ep - ns := gwapiv1.Namespace(namespace) - resources.GatewayClass.Spec.ParametersRef = &gwapiv1.ParametersReference{ - Group: gwapiv1.Group(egv1a1.GroupVersion.Group), - Kind: gatewayapi.KindEnvoyProxy, - Name: defaultEnvoyProxyName, - Namespace: &ns, - } - return nil -} diff --git a/internal/gatewayapi/address.go b/internal/gatewayapi/address.go index fea4aeae7db..40b5106f42c 100644 
--- a/internal/gatewayapi/address.go +++ b/internal/gatewayapi/address.go @@ -7,15 +7,17 @@ package gatewayapi import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) var _ AddressesTranslator = (*Translator)(nil) type AddressesTranslator interface { - ProcessAddresses(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) + ProcessAddresses(gateways []*GatewayContext, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap) } -func (t *Translator) ProcessAddresses(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) { +func (t *Translator) ProcessAddresses(gateways []*GatewayContext, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap) { for _, gateway := range gateways { // Infra IR already exist irKey := t.getIRKey(gateway.Gateway) diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index 28f77bf825b..d58f2789c8b 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go 
@@ -14,11 +14,12 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" ) -func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { +func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { upstreamConfig, policy := t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources, envoyProxy) return t.applyEnvoyProxyBackendTLSSetting(policy, upstreamConfig, resources, parent, envoyProxy) } @@ -27,7 +28,7 @@ func (t *Translator) processBackendTLSPolicy( backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, - resources *Resources, + resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) { policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace) 
@@ -83,7 +84,7 @@ func (t *Translator) processBackendTLSPolicy( return tlsBundle, policy } -func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *Resources, parent gwapiv1a2.ParentReference, ep *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { +func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *resource.Resources, parent gwapiv1a2.ParentReference, ep *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { if ep == nil || ep.Spec.BackendTLS == nil || tlsConfig == nil { return tlsConfig } @@ -163,7 +164,7 @@ func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwap return nil } -func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources *Resources) (*ir.TLSUpstreamConfig, error) { +func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources *resource.Resources) (*ir.TLSUpstreamConfig, error) { tlsBundle := &ir.TLSUpstreamConfig{ SNI: string(backendTLSPolicy.Spec.Validation.Hostname), UseSystemTrustStore: ptr.Deref(backendTLSPolicy.Spec.Validation.WellKnownCACertificates, "") == gwapiv1a3.WellKnownCACertificatesSystem, @@ -177,7 +178,7 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources kind := string(caRef.Kind) switch kind { - case KindConfigMap: + case resource.KindConfigMap: for _, cmap := range resources.ConfigMaps { if cmap.Name == string(caRef.Name) { if crt, dataOk := cmap.Data["ca.crt"]; dataOk { @@ -190,7 +191,7 @@ func getBackendTLSBundle(backendTLSPolicy *gwapiv1a3.BackendTLSPolicy, resources } } } - case KindSecret: + case resource.KindSecret: for _, secret := range resources.Secrets { if secret.Name == string(caRef.Name) { if crt, dataOk := secret.Data["ca.crt"]; dataOk { diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 3fbf5fb25f8..d71d49f32ca 100644 
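Review bot: In getBackendTLSBundle the CA lookups under `case resource.KindConfigMap:` and `case resource.KindSecret:` select the object by name alone (`cmap.Name == string(caRef.Name)`, `secret.Name == string(caRef.Name)`), and no namespace comparison is visible in these two hunks. If none exists in the elided lines, a ConfigMap or Secret with the same name in a different namespace could supply the `ca.crt` that upstream TLS validation then trusts. Since this change already touches both cases, the match could be scoped to the policy's namespace, e.g. `if cmap.Name == string(caRef.Name) && cmap.Namespace == backendTLSPolicy.Namespace {`, and likewise for `secret`. The function body starts and ends outside these hunks, so this should be confirmed against the full file.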
--- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -20,6 +20,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -33,7 +34,7 @@ const ( func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv1a1.BackendTrafficPolicy, gateways []*GatewayContext, routes []RouteContext, - xdsIR XdsIRMap, + xdsIR resource.XdsIRMap, ) []*egv1a1.BackendTrafficPolicy { res := []*egv1a1.BackendTrafficPolicy{} @@ -73,7 +74,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, routes) for _, currTarget := range targetRefs { - if currTarget.Kind != KindGateway { + if currTarget.Kind != resource.KindGateway { policy, found := handledPolicies[policyName] if !found { policy = currPolicy.DeepCopy() @@ -93,7 +94,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv parentRefs := GetParentReferences(route) ancestorRefs := make([]gwapiv1a2.ParentReference, 0, len(parentRefs)) for _, p := range parentRefs { - if p.Kind == nil || *p.Kind == KindGateway { + if p.Kind == nil || *p.Kind == resource.KindGateway { namespace := route.GetNamespace() if p.Namespace != nil { namespace = string(*p.Namespace) 
@@ -147,7 +148,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways) for _, currTarget := range targetRefs { - if currTarget.Kind == KindGateway { + if currTarget.Kind == resource.KindGateway { policy, found := handledPolicies[policyName] if !found { policy = currPolicy.DeepCopy() @@ -281,7 +282,7 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, target g return route.RouteContext, nil } -func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR XdsIRMap) error { +func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR resource.XdsIRMap) error { var ( rl *ir.RateLimit lb *ir.LoadBalancer @@ -418,7 +419,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen return errs } -func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, xdsIR XdsIRMap) error { +func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, xdsIR resource.XdsIRMap) error { var ( rl *ir.RateLimit lb *ir.LoadBalancer diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 7d4c95e6e4c..67cd60ad679 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go 
@@ -22,6 +22,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -37,10 +38,10 @@ func hasSectionName(target *gwapiv1a2.LocalPolicyTargetReferenceWithSectionName) } func (t *Translator) ProcessClientTrafficPolicies( - resources *Resources, + resources *resource.Resources, gateways []*GatewayContext, - xdsIR XdsIRMap, - infraIR InfraIRMap, + xdsIR resource.XdsIRMap, + infraIR resource.InfraIRMap, ) []*egv1a1.ClientTrafficPolicy { var res []*egv1a1.ClientTrafficPolicy @@ -366,7 +367,7 @@ func validatePortOverlapForClientTrafficPolicy(l *ListenerContext, xds *ir.Xds, } func (t *Translator) translateClientTrafficPolicyForListener(policy *egv1a1.ClientTrafficPolicy, l *ListenerContext, - xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources, + xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, resources *resource.Resources, ) error { // Find IR irKey := t.getIRKey(l.gateway.Gateway) @@ -758,7 +759,7 @@ func translateHealthCheckSettings(healthCheckSettings *egv1a1.HealthCheckSetting } func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPolicy, - irTLSConfig *ir.TLSConfig, resources *Resources, + irTLSConfig *ir.TLSConfig, resources *resource.Resources, ) (*ir.TLSConfig, error) { // Return if this listener isn't a TLS listener. There has to be // at least one certificate defined, which would cause httpIR/tcpIR to @@ -805,7 +806,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli if tlsParams.ClientValidation != nil { from := crossNamespaceFrom{ group: egv1a1.GroupName, - kind: KindClientTrafficPolicy, + kind: resource.KindClientTrafficPolicy, namespace: policy.Namespace, } 
@@ -814,7 +815,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli } for _, caCertRef := range tlsParams.ClientValidation.CACertificateRefs { - if caCertRef.Kind == nil || string(*caCertRef.Kind) == KindSecret { // nolint + if caCertRef.Kind == nil || string(*caCertRef.Kind) == resource.KindSecret { // nolint secret, err := t.validateSecretRef(false, from, caCertRef, resources) if err != nil { return irTLSConfig, err @@ -833,7 +834,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli irCACert.Certificate = append(irCACert.Certificate, secretBytes...) - } else if string(*caCertRef.Kind) == KindConfigMap { + } else if string(*caCertRef.Kind) == resource.KindConfigMap { configMap, err := t.validateConfigMapRef(false, from, caCertRef, resources) if err != nil { return irTLSConfig, err diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 6ecb2cf7318..7d6aee73d99 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go @@ -16,6 +16,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) // GatewayContext wraps a Gateway and provides helper methods for @@ -29,7 +30,7 @@ type GatewayContext struct { // ResetListeners resets the listener statuses and re-generates the GatewayContext // ListenerContexts from the Gateway spec. -func (g *GatewayContext) ResetListeners(resource *Resources) { +func (g *GatewayContext) ResetListeners(resource *resource.Resources) { numListeners := len(g.Spec.Listeners) g.Status.Listeners = make([]gwapiv1.ListenerStatus, numListeners) g.listeners = make([]*ListenerContext, numListeners) 
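Review bot: The parameter of ResetListeners is named `resource`, which now shadows the newly imported `resource` package for the whole method body. Any later use of `resource.KindGateway` or `resource.Resources` inside this method would resolve to the parameter and fail to compile. Renaming it to match the sibling attachEnvoyProxy avoids that: `func (g *GatewayContext) ResetListeners(resources *resource.Resources) {`, with the call in the following hunk becoming `g.attachEnvoyProxy(resources)`. The method body continues outside this hunk, so any other use of the parameter there needs the same rename.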
@@ -46,7 +47,7 @@ func (g *GatewayContext) ResetListeners(resource *Resources) { g.attachEnvoyProxy(resource) } -func (g *GatewayContext) attachEnvoyProxy(resources *Resources) { +func (g *GatewayContext) attachEnvoyProxy(resources *resource.Resources) { if g.Spec.Infrastructure != nil && g.Spec.Infrastructure.ParametersRef != nil && !IsMergeGatewaysEnabled(resources) { ref := g.Spec.Infrastructure.ParametersRef if string(ref.Group) == egv1a1.GroupVersion.Group && ref.Kind == egv1a1.KindEnvoyProxy { @@ -210,7 +211,7 @@ func GetRouteType(route RouteContext) gwapiv1.Kind { func GetHostnames(route RouteContext) []string { rv := reflect.ValueOf(route).Elem() kind := rv.FieldByName("Kind").String() - if kind == KindTCPRoute || kind == KindUDPRoute { + if kind == resource.KindTCPRoute || kind == resource.KindUDPRoute { return nil } diff --git a/internal/gatewayapi/contexts_test.go b/internal/gatewayapi/contexts_test.go index b594dc92e7a..ec6bfe6e109 100644 --- a/internal/gatewayapi/contexts_test.go +++ b/internal/gatewayapi/contexts_test.go @@ -12,11 +12,12 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" ) func TestContexts(t *testing.T) { - r := &Resources{ + r := &resource.Resources{ GatewayClass: &gwapiv1.GatewayClass{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", @@ -68,7 +69,7 @@ func TestContexts(t *testing.T) { } func TestContextsStaleListener(t *testing.T) { - r := &Resources{ + r := &resource.Resources{ GatewayClass: &gwapiv1.GatewayClass{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index f8c06ed0c44..47394587529 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
@@ -23,6 +23,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -35,8 +36,8 @@ const ociURLPrefix = "oci://" func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy, gateways []*GatewayContext, routes []RouteContext, - resources *Resources, - xdsIR XdsIRMap, + resources *resource.Resources, + xdsIR resource.XdsIRMap, ) []*egv1a1.EnvoyExtensionPolicy { var res []*egv1a1.EnvoyExtensionPolicy @@ -76,7 +77,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, routes) for _, currTarget := range targetRefs { - if currTarget.Kind != KindGateway { + if currTarget.Kind != resource.KindGateway { policy, found := handledPolicies[policyName] if !found { policy = currPolicy.DeepCopy() @@ -96,7 +97,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv parentRefs := GetParentReferences(route) ancestorRefs := make([]gwapiv1a2.ParentReference, 0, len(parentRefs)) for _, p := range parentRefs { - if p.Kind == nil || *p.Kind == KindGateway { + if p.Kind == nil || *p.Kind == resource.KindGateway { namespace := route.GetNamespace() if p.Namespace != nil { namespace = string(*p.Namespace) 
@@ -150,7 +151,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways) for _, currTarget := range targetRefs { - if currTarget.Kind == KindGateway { + if currTarget.Kind == resource.KindGateway { policy, found := handledPolicies[policyName] if !found { policy = currPolicy.DeepCopy() @@ -287,8 +288,8 @@ func resolveEEPolicyRouteTargetRef(policy *egv1a1.EnvoyExtensionPolicy, target g func (t *Translator) translateEnvoyExtensionPolicyForRoute( policy *egv1a1.EnvoyExtensionPolicy, route RouteContext, - xdsIR XdsIRMap, - resources *Resources, + xdsIR resource.XdsIRMap, + resources *resource.Resources, ) error { var ( wasms []ir.Wasm @@ -345,8 +346,8 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( policy *egv1a1.EnvoyExtensionPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, - xdsIR XdsIRMap, - resources *Resources, + xdsIR resource.XdsIRMap, + resources *resource.Resources, ) error { var ( extProcs []ir.ExtProc @@ -401,7 +402,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( return errs } -func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error) { +func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error) { var extProcIRList []ir.ExtProc if policy == nil { @@ -424,7 +425,7 @@ func (t *Translator) buildExtProc( policyNamespacedName types.NamespacedName, extProc egv1a1.ExtProc, extProcIdx int, - resources *Resources, + resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.ExtProc, error) { var ( 
@@ -528,7 +529,7 @@ func irConfigNameForExtProc(policy *egv1a1.EnvoyExtensionPolicy, index int) stri func (t *Translator) buildWasms( policy *egv1a1.EnvoyExtensionPolicy, - resources *Resources, + resources *resource.Resources, ) ([]ir.Wasm, error) { if t.WasmCache == nil { return nil, fmt.Errorf("wasm cache is not initialized") @@ -556,7 +557,7 @@ func (t *Translator) buildWasm( config egv1a1.Wasm, policy *egv1a1.EnvoyExtensionPolicy, idx int, - resources *Resources, + resources *resource.Resources, ) (*ir.Wasm, error) { var ( failOpen = false @@ -630,7 +631,7 @@ func (t *Translator) buildWasm( if image.PullSecretRef != nil { from := crossNamespaceFrom{ group: egv1a1.GroupName, - kind: KindEnvoyExtensionPolicy, + kind: resource.KindEnvoyExtensionPolicy, namespace: policy.Namespace, } diff --git a/internal/gatewayapi/envoypatchpolicy.go b/internal/gatewayapi/envoypatchpolicy.go index c2dd5480362..599108012c3 100644 --- a/internal/gatewayapi/envoypatchpolicy.go +++ b/internal/gatewayapi/envoypatchpolicy.go @@ -14,11 +14,12 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" ) -func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.EnvoyPatchPolicy, xdsIR XdsIRMap) { +func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.EnvoyPatchPolicy, xdsIR resource.XdsIRMap) { // Sort based on priority sort.Slice(envoyPatchPolicies, func(i, j int) bool { return envoyPatchPolicies[i].Spec.Priority < envoyPatchPolicies[j].Spec.Priority @@ -34,7 +35,7 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo ) if t.MergeGateways { - targetKind = KindGatewayClass + targetKind = resource.KindGatewayClass irKey = string(t.GatewayClassName) ancestorRefs = []gwapiv1a2.ParentReference{ 
@@ -45,7 +46,7 @@ func (t *Translator) ProcessEnvoyPatchPolicies(envoyPatchPolicies []*egv1a1.Envo }, } } else { - targetKind = KindGateway + targetKind = resource.KindGateway gatewayNN := types.NamespacedName{ Namespace: policy.Namespace, Name: string(policy.Spec.TargetRef.Name), diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index aa38008abfa..7e13b101011 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -16,6 +16,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" ) @@ -25,7 +26,7 @@ func (t *Translator) processExtServiceDestination( policyNamespacedName types.NamespacedName, policyKind string, protocol ir.AppProtocol, - resources *Resources, + resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.DestinationSetting, error) { var ( @@ -35,8 +36,8 @@ func (t *Translator) processExtServiceDestination( backendNamespace := NamespaceDerefOr(backendRef.Namespace, policyNamespacedName.Namespace) - switch KindDerefOr(backendRef.Kind, KindService) { - case KindService: + switch KindDerefOr(backendRef.Kind, resource.KindService) { + case resource.KindService: ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) case egv1a1.KindBackend: if !t.BackendEnabled { diff --git a/internal/gatewayapi/extensionserverpolicy.go b/internal/gatewayapi/extensionserverpolicy.go index 3843eb50355..395a30ef33d 100644 --- a/internal/gatewayapi/extensionserverpolicy.go +++ b/internal/gatewayapi/extensionserverpolicy.go 
@@ -17,6 +17,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -24,7 +25,7 @@ import ( func (t *Translator) ProcessExtensionServerPolicies(policies []unstructured.Unstructured, gateways []*GatewayContext, - xdsIR XdsIRMap, + xdsIR resource.XdsIRMap, ) ([]unstructured.Unstructured, error) { res := []unstructured.Unstructured{} @@ -55,7 +56,7 @@ func (t *Translator) ProcessExtensionServerPolicies(policies []unstructured.Unst continue } for _, currTarget := range targetRefs { - if currTarget.Kind != KindGateway { + if currTarget.Kind != resource.KindGateway { errs = errors.Join(errs, fmt.Errorf("extension policy %s doesn't target a Gateway", policy.GetName())) continue } @@ -137,7 +138,7 @@ func (t *Translator) translateExtServerPolicyForGateway( policy *unstructured.Unstructured, gateway *GatewayContext, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, - xdsIR XdsIRMap, + xdsIR resource.XdsIRMap, ) bool { irKey := t.getIRKey(gateway.Gateway) gwIR := xdsIR[irKey] diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index aecc2e81131..de6be352815 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -12,6 +12,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" ) 
@@ -27,8 +28,8 @@ type HTTPFiltersTranslator interface { processRedirectFilter(redirect *gwapiv1.HTTPRequestRedirectFilter, filterContext *HTTPFiltersContext) processRequestHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext) processResponseHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext) - processRequestMirrorFilter(filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *Resources) - processExtensionRefHTTPFilter(extRef *gwapiv1.LocalObjectReference, filterContext *HTTPFiltersContext, resources *Resources) + processRequestMirrorFilter(filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources) + processExtensionRefHTTPFilter(extRef *gwapiv1.LocalObjectReference, filterContext *HTTPFiltersContext, resources *resource.Resources) processUnsupportedHTTPFilter(filterType string, filterContext *HTTPFiltersContext) } @@ -64,7 +65,7 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext, route RouteContext, filters []gwapiv1.HTTPRouteFilter, ruleIdx int, - resources *Resources, + resources *resource.Resources, ) *HTTPFiltersContext { httpFiltersContext := &HTTPFiltersContext{ ParentRef: parentRef, @@ -108,7 +109,7 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext, func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext, route RouteContext, filters []gwapiv1.GRPCRouteFilter, - resources *Resources, + resources *resource.Resources, ) *HTTPFiltersContext { httpFiltersContext := &HTTPFiltersContext{ ParentRef: parentRef, 
@@ -730,7 +731,7 @@ func (t *Translator) processResponseHeaderModifierFilter( } } -func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjectReference, filterContext *HTTPFiltersContext, resources *Resources) { +func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjectReference, filterContext *HTTPFiltersContext, resources *resource.Resources) { // Make sure the config actually exists. if extFilter == nil { return @@ -752,9 +753,9 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec } group := apiVers[:idx] if group == string(extFilter.Group) { - resource := res // Capture loop variable + res := res // Capture loop variable filterContext.ExtensionRefs = append(filterContext.ExtensionRefs, &ir.UnstructuredRef{ - Object: &resource, + Object: &res, }) return } @@ -771,7 +772,7 @@ func (t *Translator) processRequestMirrorFilter( filterIdx int, mirrorFilter *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, - resources *Resources, + resources *resource.Resources, ) { // Make sure the config actually exists if mirrorFilter == nil { @@ -793,7 +794,7 @@ func (t *Translator) processRequestMirrorFilter( filterNs := filterContext.Route.GetNamespace() serviceNamespace := NamespaceDerefOr(mirrorBackend.Namespace, filterNs) if !t.validateBackendRef(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, - resources, serviceNamespace, KindHTTPRoute) { + resources, serviceNamespace, resource.KindHTTPRoute) { return } diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 52df40f4736..885077f5cc3 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go 
@@ -24,6 +24,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" ) @@ -114,7 +115,7 @@ func IsRefToGateway(routeNamespace gwapiv1.Namespace, parentRef gwapiv1.ParentRe return false } - if parentRef.Kind != nil && string(*parentRef.Kind) != KindGateway { + if parentRef.Kind != nil && string(*parentRef.Kind) != resource.KindGateway { return false } @@ -442,7 +443,7 @@ func irTLSCACertName(namespace, name string) string { return fmt.Sprintf("%s/%s/%s", namespace, name, caCertKey) } -func IsMergeGatewaysEnabled(resources *Resources) bool { +func IsMergeGatewaysEnabled(resources *resource.Resources) bool { return resources.EnvoyProxyForGatewayClass != nil && resources.EnvoyProxyForGatewayClass.Spec.MergeGateways != nil && *resources.EnvoyProxyForGatewayClass.Spec.MergeGateways } @@ -458,7 +459,7 @@ func protocolSliceToStringSlice(protocols []gwapiv1.ProtocolType) []string { func getAncestorRefForPolicy(gatewayNN types.NamespacedName, sectionName *gwapiv1a2.SectionName) gwapiv1a2.ParentReference { return gwapiv1a2.ParentReference{ Group: GroupPtr(gwapiv1.GroupName), - Kind: KindPtr(KindGateway), + Kind: KindPtr(resource.KindGateway), Namespace: NamespacePtr(gatewayNN.Namespace), Name: gwapiv1.ObjectName(gatewayNN.Name), SectionName: sectionName, diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index b63645a85e1..88667b8ef6d 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go 
@@ -17,6 +17,7 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -26,10 +27,10 @@ import ( var _ ListenersTranslator = (*Translator)(nil) type ListenersTranslator interface { - ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) + ProcessListeners(gateways []*GatewayContext, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, resources *resource.Resources) } -func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap, infraIR InfraIRMap, resources *Resources) { +func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, resources *resource.Resources) { // Infra IR proxy ports must be unique. foundPorts := make(map[string][]*protocolPort) t.validateConflictedLayer7Listeners(gateways) 
@@ -57,21 +58,21 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR XdsIRMap if listener.TLS != nil { switch *listener.TLS.Mode { case gwapiv1.TLSModePassthrough: - t.validateAllowedRoutes(listener, KindTLSRoute) + t.validateAllowedRoutes(listener, resource.KindTLSRoute) case gwapiv1.TLSModeTerminate: - t.validateAllowedRoutes(listener, KindTCPRoute) + t.validateAllowedRoutes(listener, resource.KindTCPRoute) default: - t.validateAllowedRoutes(listener, KindTCPRoute, KindTLSRoute) + t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute) } } else { - t.validateAllowedRoutes(listener, KindTCPRoute, KindTLSRoute) + t.validateAllowedRoutes(listener, resource.KindTCPRoute, resource.KindTLSRoute) } case gwapiv1.HTTPProtocolType, gwapiv1.HTTPSProtocolType: - t.validateAllowedRoutes(listener, KindHTTPRoute, KindGRPCRoute) + t.validateAllowedRoutes(listener, resource.KindHTTPRoute, resource.KindGRPCRoute) case gwapiv1.TCPProtocolType: - t.validateAllowedRoutes(listener, KindTCPRoute) + t.validateAllowedRoutes(listener, resource.KindTCPRoute) case gwapiv1.UDPProtocolType: - t.validateAllowedRoutes(listener, KindUDPRoute) + t.validateAllowedRoutes(listener, resource.KindUDPRoute) default: status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, @@ -170,7 +171,7 @@ func buildListenerMetadata(listener *ListenerContext, gateway *GatewayContext) * } } -func (t *Translator) processProxyObservability(gwCtx *GatewayContext, xdsIR *ir.Xds, envoyProxy *egv1a1.EnvoyProxy, resources *Resources) { +func (t *Translator) processProxyObservability(gwCtx *GatewayContext, xdsIR *ir.Xds, envoyProxy *egv1a1.EnvoyProxy, resources *resource.Resources) { var err error xdsIR.AccessLog, err = t.processAccessLog(envoyProxy, resources) 
@@ -195,7 +196,7 @@ func (t *Translator) processProxyObservability(gwCtx *GatewayContext, xdsIR *ir. } } -func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR InfraIRMap, irKey string, servicePort *protocolPort, containerPort int32) { +func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR resource.InfraIRMap, irKey string, servicePort *protocolPort, containerPort int32) { var proto ir.ProtocolType switch listener.Protocol { case gwapiv1.HTTPProtocolType: @@ -225,7 +226,7 @@ func (t *Translator) processInfraIRListener(listener *ListenerContext, infraIR I infraIR[irKey].Proxy.Listeners = append(infraIR[irKey].Proxy.Listeners, proxyListener) } -func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *Resources) (*ir.AccessLog, error) { +func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources *resource.Resources) (*ir.AccessLog, error) { if envoyproxy == nil || envoyproxy.Spec.Telemetry == nil || envoyproxy.Spec.Telemetry.AccessLog == nil || @@ -393,7 +394,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * return irAccessLog, nil } -func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy, mergeGateways bool, resources *Resources) (*ir.Tracing, error) { +func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy, mergeGateways bool, resources *resource.Resources) (*ir.Tracing, error) { if envoyproxy == nil || envoyproxy.Spec.Telemetry == nil || envoyproxy.Spec.Telemetry.Tracing == nil { 
@@ -445,7 +446,7 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo }, nil } -func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Resources) (*ir.Metrics, error) { +func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *resource.Resources) (*ir.Metrics, error) { if envoyproxy == nil || envoyproxy.Spec.Telemetry == nil || envoyproxy.Spec.Telemetry.Metrics == nil { @@ -469,7 +470,7 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *Re }, nil } -func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) { +func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) { traffic, err := translateTrafficFeatures(backendCluster.BackendSettings) if err != nil { return nil, nil, err @@ -477,8 +478,8 @@ func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, na result := make([]*ir.DestinationSetting, 0, len(backendCluster.BackendRefs)) for _, ref := range backendCluster.BackendRefs { ns := NamespaceDerefOr(ref.Namespace, namespace) - kind := KindDerefOr(ref.Kind, KindService) - if kind != KindService { + kind := KindDerefOr(ref.Kind, resource.KindService) + if kind != resource.KindService { return nil, nil, errors.New("only service kind is supported for backendRefs") } if err := validateBackendService(ref.BackendObjectReference, resources, ns, corev1.ProtocolTCP); err != nil { diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go new file mode 100644 index 00000000000..cacc3ebe61a --- /dev/null +++ b/internal/gatewayapi/resource/load.go 
@@ -0,0 +1,468 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "fmt" + "reflect" + "strings" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/yaml" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/xds/bootstrap" +) + +const dummyClusterIP = "1.2.3.4" + +// LoadResourcesFromYAMLString will load Resources from given Kubernetes YAML string. +// TODO: This function should be able to process arbitrary number of resources, +// +// tracked by https://github.com/envoyproxy/gateway/issues/3207 +func LoadResourcesFromYAMLString(yamlStr string, addMissingResources bool) (*Resources, error) { + // TODO(sh2): Add local validations + r, err := kubernetesYAMLToResources(yamlStr, addMissingResources) + if err != nil { + return nil, err + } + + return r, nil +} + +// kubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. 
+func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources, error) { + resources := NewResources() + var useDefaultNamespace bool + providedNamespaceMap := sets.New[string]() + requiredNamespaceMap := sets.New[string]() + yamls := strings.Split(str, "\n---") + combinedScheme := envoygateway.GetScheme() + for _, y := range yamls { + if strings.TrimSpace(y) == "" { + continue + } + var obj map[string]interface{} + err := yaml.Unmarshal([]byte(y), &obj) + if err != nil { + return nil, err + } + + un := unstructured.Unstructured{Object: obj} + gvk := un.GroupVersionKind() + name, namespace := un.GetName(), un.GetNamespace() + if namespace == "" { + // When kubectl applies a resource in yaml which doesn't have a namespace, + // the current namespace is applied. Here we do the same thing before translating + // the GatewayAPI resource. Otherwise, the resource can't pass the namespace validation + useDefaultNamespace = true + namespace = config.DefaultNamespace + } + + requiredNamespaceMap.Insert(namespace) + kobj, err := combinedScheme.New(gvk) + if err != nil { + return nil, err + } + err = combinedScheme.Convert(&un, kobj, nil) + if err != nil { + return nil, err + } + + objType := reflect.TypeOf(kobj) + if objType.Kind() != reflect.Ptr { + return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) + } + kobjVal := reflect.ValueOf(kobj).Elem() + spec := kobjVal.FieldByName("Spec") + + switch gvk.Kind { + case KindEnvoyProxy: + typedSpec := spec.Interface() + envoyProxy := &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(egv1a1.EnvoyProxySpec), + } + // TODO: only support loading one envoyproxy for now. 
+ resources.EnvoyProxyForGatewayClass = envoyProxy + case KindGatewayClass: + typedSpec := spec.Interface() + gatewayClass := &gwapiv1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GatewayClassSpec), + } + // fill controller name by default controller name when gatewayclass controller name empty. + if addMissingResources && len(gatewayClass.Spec.ControllerName) == 0 { + gatewayClass.Spec.ControllerName = egv1a1.GatewayControllerName + } + resources.GatewayClass = gatewayClass + case KindGateway: + typedSpec := spec.Interface() + gateway := &gwapiv1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GatewaySpec), + } + resources.Gateways = append(resources.Gateways, gateway) + case KindTCPRoute: + typedSpec := spec.Interface() + tcpRoute := &gwapiv1a2.TCPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: KindTCPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.TCPRouteSpec), + } + resources.TCPRoutes = append(resources.TCPRoutes, tcpRoute) + case KindUDPRoute: + typedSpec := spec.Interface() + udpRoute := &gwapiv1a2.UDPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: KindUDPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.UDPRouteSpec), + } + resources.UDPRoutes = append(resources.UDPRoutes, udpRoute) + case KindTLSRoute: + typedSpec := spec.Interface() + tlsRoute := &gwapiv1a2.TLSRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: KindTLSRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1a2.TLSRouteSpec), + } + resources.TLSRoutes = append(resources.TLSRoutes, tlsRoute) + case KindHTTPRoute: + typedSpec := spec.Interface() + httpRoute := &gwapiv1.HTTPRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: KindHTTPRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + 
Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.HTTPRouteSpec), + } + resources.HTTPRoutes = append(resources.HTTPRoutes, httpRoute) + case KindGRPCRoute: + typedSpec := spec.Interface() + grpcRoute := &gwapiv1.GRPCRoute{ + TypeMeta: metav1.TypeMeta{ + Kind: KindGRPCRoute, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(gwapiv1.GRPCRouteSpec), + } + resources.GRPCRoutes = append(resources.GRPCRoutes, grpcRoute) + case KindNamespace: + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + } + resources.Namespaces = append(resources.Namespaces, namespace) + providedNamespaceMap.Insert(name) + case KindService: + typedSpec := spec.Interface() + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(corev1.ServiceSpec), + } + if addMissingResources && len(service.Spec.ClusterIP) == 0 { + // fill with dummy IP when service clusterIP is empty + service.Spec.ClusterIP = dummyClusterIP + } + resources.Services = append(resources.Services, service) + case KindEnvoyPatchPolicy: + typedSpec := spec.Interface() + envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindEnvoyPatchPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), + } + resources.EnvoyPatchPolicies = append(resources.EnvoyPatchPolicies, envoyPatchPolicy) + case KindClientTrafficPolicy: + typedSpec := spec.Interface() + clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: KindClientTrafficPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), + } + resources.ClientTrafficPolicies = append(resources.ClientTrafficPolicies, 
clientTrafficPolicy) + case KindBackendTrafficPolicy: + typedSpec := spec.Interface() + backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: KindBackendTrafficPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.BackendTrafficPolicySpec), + } + resources.BackendTrafficPolicies = append(resources.BackendTrafficPolicies, backendTrafficPolicy) + case KindSecurityPolicy: + typedSpec := spec.Interface() + securityPolicy := &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.SecurityPolicySpec), + } + resources.SecurityPolicies = append(resources.SecurityPolicies, securityPolicy) + } + } + + if useDefaultNamespace { + if !providedNamespaceMap.Has(config.DefaultNamespace) { + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: config.DefaultNamespace, + }, + } + resources.Namespaces = append(resources.Namespaces, namespace) + providedNamespaceMap.Insert(config.DefaultNamespace) + } + } + + if addMissingResources { + for ns := range requiredNamespaceMap { + if !providedNamespaceMap.Has(ns) { + namespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: ns, + }, + } + resources.Namespaces = append(resources.Namespaces, namespace) + } + } + + requiredServiceMap := map[string]*corev1.Service{} + for _, route := range resources.TCPRoutes { + addMissingServices(requiredServiceMap, route) + } + for _, route := range resources.UDPRoutes { + addMissingServices(requiredServiceMap, route) + } + for _, route := range resources.TLSRoutes { + addMissingServices(requiredServiceMap, route) + } + for _, route := range resources.HTTPRoutes { + addMissingServices(requiredServiceMap, route) + } + for _, route := range resources.GRPCRoutes { 
+ addMissingServices(requiredServiceMap, route) + } + + providedServiceMap := map[string]*corev1.Service{} + for _, service := range resources.Services { + providedServiceMap[service.Namespace+"/"+service.Name] = service + } + + for key, service := range requiredServiceMap { + if provided, found := providedServiceMap[key]; !found { + resources.Services = append(resources.Services, service) + } else { + providedPorts := sets.NewString() + for _, port := range provided.Spec.Ports { + portKey := fmt.Sprintf("%s-%d", port.Protocol, port.Port) + providedPorts.Insert(portKey) + } + + for _, port := range service.Spec.Ports { + name := fmt.Sprintf("%s-%d", port.Protocol, port.Port) + if !providedPorts.Has(name) { + servicePort := corev1.ServicePort{ + Name: name, + Protocol: port.Protocol, + Port: port.Port, + } + provided.Spec.Ports = append(provided.Spec.Ports, servicePort) + } + } + } + } + + // Add EnvoyProxy if it does not exist + if resources.EnvoyProxyForGatewayClass == nil { + if err := addDefaultEnvoyProxy(resources); err != nil { + return nil, err + } + } + } + + return resources, nil +} + +func addMissingServices(requiredServices map[string]*corev1.Service, obj interface{}) { + var objNamespace string + protocol := corev1.Protocol("TCP") + + var refs []gwapiv1.BackendRef + switch route := obj.(type) { + case *gwapiv1.HTTPRoute: + objNamespace = route.Namespace + for _, rule := range route.Spec.Rules { + for _, httpBakcendRef := range rule.BackendRefs { + refs = append(refs, httpBakcendRef.BackendRef) + } + } + case *gwapiv1.GRPCRoute: + objNamespace = route.Namespace + for _, rule := range route.Spec.Rules { + for _, gRPCBakcendRef := range rule.BackendRefs { + refs = append(refs, gRPCBakcendRef.BackendRef) + } + } + case *gwapiv1a2.TLSRoute: + objNamespace = route.Namespace + for _, rule := range route.Spec.Rules { + refs = append(refs, rule.BackendRefs...) 
+ } + case *gwapiv1a2.TCPRoute: + objNamespace = route.Namespace + for _, rule := range route.Spec.Rules { + refs = append(refs, rule.BackendRefs...) + } + case *gwapiv1a2.UDPRoute: + protocol = "UDP" + objNamespace = route.Namespace + for _, rule := range route.Spec.Rules { + refs = append(refs, rule.BackendRefs...) + } + } + + for _, ref := range refs { + if ref.Kind == nil || *ref.Kind != KindService { + continue + } + + ns := objNamespace + if ref.Namespace != nil { + ns = string(*ref.Namespace) + } + name := string(ref.Name) + key := ns + "/" + name + + port := int32(*ref.Port) + servicePort := corev1.ServicePort{ + Name: fmt.Sprintf("%s-%d", protocol, port), + Protocol: protocol, + Port: port, + } + if service, found := requiredServices[key]; !found { + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: ns, + }, + Spec: corev1.ServiceSpec{ + // Just a dummy IP + ClusterIP: dummyClusterIP, + Ports: []corev1.ServicePort{servicePort}, + }, + } + requiredServices[key] = service + } else { + inserted := false + for _, port := range service.Spec.Ports { + if port.Protocol == servicePort.Protocol && port.Port == servicePort.Port { + inserted = true + break + } + } + + if !inserted { + service.Spec.Ports = append(service.Spec.Ports, servicePort) + } + } + } +} + +func addDefaultEnvoyProxy(resources *Resources) error { + if resources.GatewayClass == nil { + return fmt.Errorf("the GatewayClass resource is required") + } + + defaultEnvoyProxyName := "default-envoy-proxy" + namespace := resources.GatewayClass.Namespace + defaultBootstrapStr, err := bootstrap.GetRenderedBootstrapConfig(nil) + if err != nil { + return err + } + ep := &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: defaultEnvoyProxyName, + }, + Spec: egv1a1.EnvoyProxySpec{ + Bootstrap: &egv1a1.ProxyBootstrap{ + Value: &defaultBootstrapStr, + }, + }, + } + resources.EnvoyProxyForGatewayClass = ep + ns := gwapiv1.Namespace(namespace) + 
resources.GatewayClass.Spec.ParametersRef = &gwapiv1.ParametersReference{ + Group: gwapiv1.Group(egv1a1.GroupVersion.Group), + Kind: KindEnvoyProxy, + Name: defaultEnvoyProxyName, + Namespace: &ns, + } + return nil +} diff --git a/internal/gatewayapi/resource.go b/internal/gatewayapi/resource/resource.go similarity index 99% rename from internal/gatewayapi/resource.go rename to internal/gatewayapi/resource/resource.go index 3595e9c1c60..a5d9e6fffb5 100644 --- a/internal/gatewayapi/resource.go +++ b/internal/gatewayapi/resource/resource.go @@ -3,7 +3,7 @@ // The full text of the Apache license is available in the LICENSE file at // the root of the repo. -package gatewayapi +package resource import ( "cmp" diff --git a/internal/gatewayapi/resource_test.go b/internal/gatewayapi/resource/resource_test.go similarity index 99% rename from internal/gatewayapi/resource_test.go rename to internal/gatewayapi/resource/resource_test.go index 8b9fddc0fcd..3255cb6b07e 100644 --- a/internal/gatewayapi/resource_test.go +++ b/internal/gatewayapi/resource/resource_test.go @@ -3,7 +3,7 @@ // The full text of the Apache license is available in the LICENSE file at // the root of the repo. -package gatewayapi +package resource import ( "testing" diff --git a/internal/gatewayapi/resource/supported_kind.go b/internal/gatewayapi/resource/supported_kind.go new file mode 100644 index 00000000000..5c2c21954a9 --- /dev/null +++ b/internal/gatewayapi/resource/supported_kind.go 
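Review bot: In `addMissingServices`, `port := int32(*ref.Port)` dereferences `ref.Port` with no nil check, so a route in the input YAML whose Service backendRef omits `port` panics the loader instead of producing an error; `LoadResourcesFromYAMLString` still carries `TODO(sh2): Add local validations`, so nothing earlier in this file rejects such a ref. Guard it before the dereference, e.g. `if ref.Port == nil { continue }`. The check just above, `if ref.Kind == nil || *ref.Kind != KindService`, also skips refs with no `kind`, while the translator code in this same commit treats a missing kind as Service (`KindDerefOr(ref.Kind, resource.KindService)`), so no placeholder Service is added for those; `if ref.Kind != nil && *ref.Kind != KindService { continue }` would match that behaviour. The unchecked `typedSpec.(…Spec)` assertions in `kubernetesYAMLToResources` dispatch on `gvk.Kind` alone and would likewise panic if the scheme ever returned a differently typed Spec for the same kind name, so the comma-ok form with an error return is safer for input that has not been validated.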
@@ -0,0 +1,29 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +const ( + KindConfigMap = "ConfigMap" + KindClientTrafficPolicy = "ClientTrafficPolicy" + KindBackendTrafficPolicy = "BackendTrafficPolicy" + KindBackendTLSPolicy = "BackendTLSPolicy" + KindBackend = "Backend" + KindEnvoyPatchPolicy = "EnvoyPatchPolicy" + KindEnvoyExtensionPolicy = "EnvoyExtensionPolicy" + KindSecurityPolicy = "SecurityPolicy" + KindEnvoyProxy = "EnvoyProxy" + KindGateway = "Gateway" + KindGatewayClass = "GatewayClass" + KindGRPCRoute = "GRPCRoute" + KindHTTPRoute = "HTTPRoute" + KindNamespace = "Namespace" + KindTLSRoute = "TLSRoute" + KindTCPRoute = "TCPRoute" + KindUDPRoute = "UDPRoute" + KindService = "Service" + KindServiceImport = "ServiceImport" + KindSecret = "Secret" +) diff --git a/internal/gatewayapi/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go similarity index 99% rename from internal/gatewayapi/zz_generated.deepcopy.go rename to internal/gatewayapi/resource/zz_generated.deepcopy.go index 0ed43eea39d..61cf9dfb46e 100644 --- a/internal/gatewayapi/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -7,7 +7,7 @@ // Code generated by controller-gen. DO NOT EDIT. -package gatewayapi +package resource import ( "github.com/envoyproxy/gateway/api/v1alpha1" diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 0e567824745..743337591bb 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
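Review bot: The exported `Kind*` const block in the new `supported_kind.go` has no doc comment, and it is not the only source for these strings in this commit: `ext_service.go` still switches on `egv1a1.KindBackend`, and `load.go` sets `Kind: egv1a1.KindEnvoyPatchPolicy` inside `case KindEnvoyPatchPolicy:`. A one-line comment above the block, e.g. `// Kind names of the Kubernetes and Gateway API objects referenced by the gatewayapi packages.`, would help, and it should say which definition callers are expected to use where both exist. The file name suggests these are the supported kinds, yet the `switch gvk.Kind` in `load.go` has no case for several of them (for example `KindSecret`, `KindConfigMap`, `KindBackend`), so the comment should not promise that every listed kind can be loaded from YAML.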
@@ -21,6 +21,7 @@ import ( mcsapiv1a1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils/regex" 
@@ -42,14 +43,14 @@ var ( ) type RoutesTranslator interface { - ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*HTTPRouteContext - ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext - ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext - ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TCPRouteContext - ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*UDPRouteContext + ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*HTTPRouteContext + ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*GRPCRouteContext + ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*TLSRouteContext + ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*TCPRouteContext + ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*UDPRouteContext } -func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*HTTPRouteContext { +func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*HTTPRouteContext { var relevantHTTPRoutes []*HTTPRouteContext for _, h := range httpRoutes { 
@@ -77,7 +78,7 @@ func (t *Translator) ProcessHTTPRoutes(httpRoutes []*gwapiv1.HTTPRoute, gateways return relevantHTTPRoutes } -func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*GRPCRouteContext { +func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*GRPCRouteContext { var relevantGRPCRoutes []*GRPCRouteContext for _, g := range grpcRoutes { @@ -105,7 +106,7 @@ func (t *Translator) ProcessGRPCRoutes(grpcRoutes []*gwapiv1.GRPCRoute, gateways return relevantGRPCRoutes } -func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, resources *Resources, xdsIR XdsIRMap) { +func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, resources *resource.Resources, xdsIR resource.XdsIRMap) { for _, parentRef := range httpRoute.ParentRefs { // Need to compute Route rules within the parentRef loop because // any conditions that come out of it have to go on each RouteParentStatus, @@ -172,7 +173,7 @@ func (t *Translator) processHTTPRouteParentRefs(httpRoute *HTTPRouteContext, res } } -func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRef *RouteParentContext, resources *Resources) ([]*ir.HTTPRoute, error) { +func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRef *RouteParentContext, resources *resource.Resources) ([]*ir.HTTPRoute, error) { var routeRoutes []*ir.HTTPRoute var envoyProxy *egv1a1.EnvoyProxy 
@@ -462,7 +463,7 @@ func applyHTTPFiltersContextToIRRoute(httpFiltersContext *HTTPFiltersContext, ir } } -func (t *Translator) processGRPCRouteParentRefs(grpcRoute *GRPCRouteContext, resources *Resources, xdsIR XdsIRMap) { +func (t *Translator) processGRPCRouteParentRefs(grpcRoute *GRPCRouteContext, resources *resource.Resources, xdsIR resource.XdsIRMap) { for _, parentRef := range grpcRoute.ParentRefs { // Need to compute Route rules within the parentRef loop because @@ -528,7 +529,7 @@ func (t *Translator) processGRPCRouteParentRefs(grpcRoute *GRPCRouteContext, res } } -func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRef *RouteParentContext, resources *Resources) ([]*ir.HTTPRoute, error) { +func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRef *RouteParentContext, resources *resource.Resources) ([]*ir.HTTPRoute, error) { var routeRoutes []*ir.HTTPRoute // compute matches, filters, backends @@ -686,7 +687,7 @@ func (t *Translator) processGRPCRouteMethodRegularExpression(method *gwapiv1.GRP } } -func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, routeRoutes []*ir.HTTPRoute, parentRef *RouteParentContext, xdsIR XdsIRMap) bool { +func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, routeRoutes []*ir.HTTPRoute, parentRef *RouteParentContext, xdsIR resource.XdsIRMap) bool { var hasHostnameIntersection bool for _, listener := range parentRef.listeners { @@ -753,7 +754,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) if irListener != nil { - if GetRouteType(route) == KindGRPCRoute { + if GetRouteType(route) == resource.KindGRPCRoute { irListener.IsHTTP2 = true } irListener.Routes = append(irListener.Routes, perHostRoutes...) 
@@ -785,7 +786,7 @@ func filterEGPrefix(in map[string]string) map[string]string { return out } -func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *Resources, xdsIR XdsIRMap) []*TLSRouteContext { +func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways []*GatewayContext, resources *resource.Resources, xdsIR resource.XdsIRMap) []*TLSRouteContext { var relevantTLSRoutes []*TLSRouteContext for _, tls := range tlsRoutes { @@ -813,7 +814,7 @@ func (t *Translator) ProcessTLSRoutes(tlsRoutes []*gwapiv1a2.TLSRoute, gateways return relevantTLSRoutes } -func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resources *Resources, xdsIR XdsIRMap) { +func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resources *resource.Resources, xdsIR resource.XdsIRMap) { for _, parentRef := range tlsRoute.ParentRefs { // Need to compute Route rules within the parentRef loop because @@ -912,8 +913,8 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour } } -func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *Resources, - xdsIR XdsIRMap, +func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways []*GatewayContext, resources *resource.Resources, + xdsIR resource.XdsIRMap, ) []*UDPRouteContext { var relevantUDPRoutes []*UDPRouteContext 
@@ -942,7 +943,7 @@ func (t *Translator) ProcessUDPRoutes(udpRoutes []*gwapiv1a2.UDPRoute, gateways return relevantUDPRoutes } -func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resources *Resources, xdsIR XdsIRMap) { +func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resources *resource.Resources, xdsIR resource.XdsIRMap) { for _, parentRef := range udpRoute.ParentRefs { // Need to compute Route rules within the parentRef loop because // any conditions that come out of it have to go on each RouteParentStatus, @@ -1045,8 +1046,8 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour } } -func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *Resources, - xdsIR XdsIRMap, +func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways []*GatewayContext, resources *resource.Resources, + xdsIR resource.XdsIRMap, ) []*TCPRouteContext { var relevantTCPRoutes []*TCPRouteContext @@ -1075,7 +1076,7 @@ func (t *Translator) ProcessTCPRoutes(tcpRoutes []*gwapiv1a2.TCPRoute, gateways return relevantTCPRoutes } -func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resources *Resources, xdsIR XdsIRMap) { +func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resources *resource.Resources, xdsIR resource.XdsIRMap) { for _, parentRef := range tcpRoute.ParentRefs { // Need to compute Route rules within the parentRef loop because // any conditions that come out of it have to go on each RouteParentStatus, 
@@ -1194,7 +1195,7 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour // returns the weight for the backend so that 500 error responses can be returned for invalid backends in // the same proportion as the backend would have otherwise received func (t *Translator) processDestination(backendRefContext BackendRefContext, - parentRef *RouteParentContext, route RouteContext, resources *Resources, + parentRef *RouteParentContext, route RouteContext, resources *resource.Resources, ) (ds *ir.DestinationSetting) { routeType := GetRouteType(route) weight := uint32(1) @@ -1225,8 +1226,8 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, addrType *ir.DestinationAddressType ) protocol := inspectAppProtocolByRouteKind(routeType) - switch KindDerefOr(backendRef.Kind, KindService) { - case KindServiceImport: + switch KindDerefOr(backendRef.Kind, resource.KindService) { + case resource.KindServiceImport: serviceImport := resources.GetServiceImport(backendNamespace, string(backendRef.Name)) var servicePort mcsapiv1a1.ServicePort for _, port := range serviceImport.Spec.Ports { @@ -1237,7 +1238,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, } if !t.IsEnvoyServiceRouting(envoyProxy) { - endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, KindService)) + endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, resource.KindService)) endpoints, addrType = getIREndpointsFromEndpointSlices(endpointSlices, servicePort.Name, servicePort.Protocol) } else { backendIps := resources.GetServiceImport(backendNamespace, string(backendRef.Name)).Spec.IPs 
@@ -1255,7 +1256,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, Endpoints: endpoints, AddressType: addrType, } - case KindService: + case resource.KindService: ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) ds.TLS = t.applyBackendTLSSetting( @@ -1310,12 +1311,12 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, func validateDestinationSettings(destinationSettings *ir.DestinationSetting, endpointRoutingDisabled bool, kind *gwapiv1.Kind) error { // TODO: support mixed endpointslice address type for the same backendRef - switch KindDerefOr(kind, KindService) { + switch KindDerefOr(kind, resource.KindService) { case egv1a1.KindBackend: if destinationSettings.AddressType != nil && *destinationSettings.AddressType == ir.MIXED { return fmt.Errorf("mixed FQDN and IP or Unix address type for the same backendRef is not supported") } - case KindService, KindServiceImport: + case resource.KindService, resource.KindServiceImport: if !endpointRoutingDisabled && destinationSettings.AddressType != nil && *destinationSettings.AddressType == ir.MIXED { return fmt.Errorf("mixed endpointslice address type for the same backendRef is not supported") } @@ -1328,7 +1329,7 @@ func (t *Translator) processServiceDestinationSetting( backendRef gwapiv1.BackendObjectReference, backendNamespace string, protocol ir.AppProtocol, - resources *Resources, + resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) *ir.DestinationSetting { var ( 
@@ -1357,7 +1358,7 @@ func (t *Translator) processServiceDestinationSetting( // Route to endpoints by default if !t.IsEnvoyServiceRouting(envoyProxy) { - endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, KindService)) + endpointSlices := resources.GetEndpointSlicesForBackend(backendNamespace, string(backendRef.Name), KindDerefOr(backendRef.Kind, resource.KindService)) endpoints, addrType = getIREndpointsFromEndpointSlices(endpointSlices, servicePort.Name, servicePort.Protocol) } else { // Fall back to Service ClusterIP routing @@ -1377,11 +1378,11 @@ func (t *Translator) processServiceDestinationSetting( func getBackendFilters(routeType gwapiv1.Kind, backendRefContext BackendRefContext) (backendFilters any) { filters := GetFilters(backendRefContext) switch routeType { - case KindHTTPRoute: + case resource.KindHTTPRoute: if len(filters.([]gwapiv1.HTTPRouteFilter)) > 0 { return filters.([]gwapiv1.HTTPRouteFilter) } - case KindGRPCRoute: + case resource.KindGRPCRoute: if len(filters.([]gwapiv1.GRPCRouteFilter)) > 0 { return filters.([]gwapiv1.GRPCRouteFilter) } @@ -1390,7 +1391,7 @@ func getBackendFilters(routeType gwapiv1.Kind, backendRefContext BackendRefConte return nil } -func (t *Translator) processDestinationFilters(routeType gwapiv1.Kind, backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *Resources) *ir.DestinationFilters { +func (t *Translator) processDestinationFilters(routeType gwapiv1.Kind, backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources) *ir.DestinationFilters { backendFilters := getBackendFilters(routeType, backendRefContext) if backendFilters == nil { return nil 
@@ -1428,15 +1429,15 @@ func applyHTTPFiltersContextToDestinationFilters(httpFiltersContext *HTTPFilters func inspectAppProtocolByRouteKind(kind gwapiv1.Kind) ir.AppProtocol { switch kind { - case KindUDPRoute: + case resource.KindUDPRoute: return ir.UDP - case KindHTTPRoute: + case resource.KindHTTPRoute: return ir.HTTP - case KindTCPRoute: + case resource.KindTCPRoute: return ir.TCP - case KindGRPCRoute: + case resource.KindGRPCRoute: return ir.GRPC - case KindTLSRoute: + case resource.KindTLSRoute: return ir.HTTPS } return ir.TCP @@ -1445,7 +1446,7 @@ func inspectAppProtocolByRouteKind(kind gwapiv1.Kind) ir.AppProtocol { // processAllowedListenersForParentRefs finds out if the route attaches to one of our // Gateways' listeners, and if so, gets the list of listeners that allow it to // attach for each parentRef. -func (t *Translator) processAllowedListenersForParentRefs(routeContext RouteContext, gateways []*GatewayContext, resources *Resources) bool { +func (t *Translator) processAllowedListenersForParentRefs(routeContext RouteContext, gateways []*GatewayContext, resources *resource.Resources) bool { var relevantRoute bool ns := gwapiv1.Namespace(routeContext.GetNamespace()) for _, parentRef := range GetParentReferences(routeContext) { @@ -1615,7 +1616,7 @@ func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference) gwap return ref } -func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, resources *Resources) *ir.DestinationSetting { +func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, resources *resource.Resources) *ir.DestinationSetting { var ( dstEndpoints []*ir.DestinationEndpoint dstAddrType *ir.DestinationAddressType diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 651e1635286..3f1605c11bf 100644 --- a/internal/gatewayapi/runner/runner.go 
+++ b/internal/gatewayapi/runner/runner.go @@ -30,6 +30,7 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway/config" extension "github.com/envoyproxy/gateway/internal/extension/types" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/utils" "github.com/envoyproxy/gateway/internal/wasm" @@ -115,7 +116,7 @@ func (r *Runner) startWasmCache(ctx context.Context) { func (r *Runner) subscribeAndTranslate(ctx context.Context) { message.HandleSubscription(message.Metadata{Runner: string(egv1a1.LogComponentGatewayAPIRunner), Message: "provider-resources"}, r.ProviderResources.GatewayAPIResources.Subscribe(ctx), - func(update message.Update[string, *gatewayapi.ControllerResources], errChan chan error) { + func(update message.Update[string, *resource.ControllerResources], errChan chan error) { r.Logger.Info("received an update") val := update.Value // There is only 1 key which is the controller name diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 887b63386fe..86d39602f01 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -26,6 +26,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" @@ -46,8 +47,8 @@ const ( func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.SecurityPolicy, gateways []*GatewayContext, routes []RouteContext, - resources *Resources, - xdsIR XdsIRMap, + resources *resource.Resources, + xdsIR resource.XdsIRMap, ) []*egv1a1.SecurityPolicy { var res []*egv1a1.SecurityPolicy 
@@ -87,7 +88,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, routes) for _, currTarget := range targetRefs { - if currTarget.Kind != KindGateway { + if currTarget.Kind != resource.KindGateway { var ( targetedRoute RouteContext parentGateways []gwapiv1a2.ParentReference @@ -114,7 +115,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security // The parent gateways are also used to set the status of the policy. parentRefs := GetParentReferences(targetedRoute) for _, p := range parentRefs { - if p.Kind == nil || *p.Kind == KindGateway { + if p.Kind == nil || *p.Kind == resource.KindGateway { namespace := targetedRoute.GetNamespace() if p.Namespace != nil { namespace = string(*p.Namespace) @@ -165,7 +166,7 @@ func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.Security policyName := utils.NamespacedName(currPolicy) targetRefs := getPolicyTargetRefs(currPolicy.Spec.PolicyTargetReferences, gateways) for _, currTarget := range targetRefs { - if currTarget.Kind == KindGateway { + if currTarget.Kind == resource.KindGateway { var ( targetedGateway *GatewayContext resolveErr *status.PolicyResolveError @@ -322,7 +323,7 @@ func resolveSecurityPolicyRouteTargetRef( func (t *Translator) translateSecurityPolicyForRoute( policy *egv1a1.SecurityPolicy, route RouteContext, - resources *Resources, xdsIR XdsIRMap, + resources *resource.Resources, xdsIR resource.XdsIRMap, ) error { // Build IR var ( @@ -419,8 +420,8 @@ func (t *Translator) translateSecurityPolicyForGateway( policy *egv1a1.SecurityPolicy, gateway *GatewayContext, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, - resources *Resources, - xdsIR XdsIRMap, + resources *resource.Resources, + xdsIR resource.XdsIRMap, ) error { // Build IR var ( 
@@ -564,7 +565,7 @@ func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT { func (t *Translator) buildOIDC( policy *egv1a1.SecurityPolicy, - resources *Resources, + resources *resource.Resources, ) (*ir.OIDC, error) { var ( oidc = policy.Spec.OIDC @@ -575,7 +576,7 @@ func (t *Translator) buildOIDC( from := crossNamespaceFrom{ group: egv1a1.GroupName, - kind: KindSecurityPolicy, + kind: resource.KindSecurityPolicy, namespace: policy.Namespace, } if clientSecret, err = t.validateSecretRef( @@ -773,7 +774,7 @@ func validateTokenEndpoint(tokenEndpoint string) error { func (t *Translator) buildBasicAuth( policy *egv1a1.SecurityPolicy, - resources *Resources, + resources *resource.Resources, ) (*ir.BasicAuth, error) { var ( basicAuth = policy.Spec.BasicAuth @@ -783,7 +784,7 @@ func (t *Translator) buildBasicAuth( from := crossNamespaceFrom{ group: egv1a1.GroupName, - kind: KindSecurityPolicy, + kind: resource.KindSecurityPolicy, namespace: policy.Namespace, } if usersSecret, err = t.validateSecretRef( @@ -804,7 +805,7 @@ func (t *Translator) buildBasicAuth( }, nil } -func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { +func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { var ( http = policy.Spec.ExtAuth.HTTP grpc = policy.Spec.ExtAuth.GRPC @@ -849,7 +850,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso extServiceDest, err := t.processExtServiceDestination( &backendRef, pnn, - KindSecurityPolicy, + resource.KindSecurityPolicy, protocol, resources, envoyProxy, 
@@ -860,7 +861,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso ds = append(ds, extServiceDest) } rd := ir.RouteDestination{ - Name: irIndexedExtServiceDestinationName(pnn, egv1a1.KindSecurityPolicy, 0), + Name: irIndexedExtServiceDestinationName(pnn, resource.KindSecurityPolicy, 0), Settings: ds, } @@ -891,14 +892,14 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *Reso return extAuth, nil } -func backendRefAuthority(resources *Resources, backendRef *gwapiv1.BackendObjectReference, policy *egv1a1.SecurityPolicy) string { +func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.BackendObjectReference, policy *egv1a1.SecurityPolicy) string { if backendRef == nil { return "" } backendNamespace := NamespaceDerefOr(backendRef.Namespace, policy.Namespace) - backendKind := KindDerefOr(backendRef.Kind, KindService) - if backendKind == egv1a1.KindBackend { + backendKind := KindDerefOr(backendRef.Kind, resource.KindService) + if backendKind == resource.KindBackend { backend := resources.GetBackend(backendNamespace, string(backendRef.Name)) if backend != nil { // TODO: exists multi FQDN endpoints? diff --git a/internal/gatewayapi/sort.go b/internal/gatewayapi/sort.go index c11787a60dc..95643a9e154 100644 --- a/internal/gatewayapi/sort.go +++ b/internal/gatewayapi/sort.go @@ -8,6 +8,7 @@ package gatewayapi import ( "sort" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" ) @@ -81,7 +82,7 @@ func (x XdsIRRoutes) Less(i, j int) bool { // sortXdsIR sorts the xdsIR based on the match precedence // defined in the Gateway API spec. // https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule -func sortXdsIRMap(xdsIR XdsIRMap) { +func sortXdsIRMap(xdsIR resource.XdsIRMap) { for _, irItem := range xdsIR { for _, http := range irItem.HTTP { // descending order 
diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 6346bb1a48c..0e6d683d855 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -16,31 +16,12 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/wasm" ) const ( - KindConfigMap = "ConfigMap" - KindClientTrafficPolicy = "ClientTrafficPolicy" - KindBackendTrafficPolicy = "BackendTrafficPolicy" - KindBackendTLSPolicy = "BackendTLSPolicy" - KindEnvoyPatchPolicy = "EnvoyPatchPolicy" - KindEnvoyExtensionPolicy = "EnvoyExtensionPolicy" - KindSecurityPolicy = "SecurityPolicy" - KindEnvoyProxy = "EnvoyProxy" - KindGateway = "Gateway" - KindGatewayClass = "GatewayClass" - KindGRPCRoute = "GRPCRoute" - KindHTTPRoute = "HTTPRoute" - KindNamespace = "Namespace" - KindTLSRoute = "TLSRoute" - KindTCPRoute = "TCPRoute" - KindUDPRoute = "UDPRoute" - KindService = "Service" - KindServiceImport = "ServiceImport" - KindSecret = "Secret" - GroupMultiClusterService = "multicluster.x-k8s.io" // OwningGatewayNamespaceLabel is the owner reference label used for managed infra. // The value should be the namespace of the accepted Envoy Gateway. @@ -61,8 +42,8 @@ const ( var _ TranslatorManager = (*Translator)(nil) type TranslatorManager interface { - Translate(resources *Resources) (*TranslateResult, error) - GetRelevantGateways(resources *Resources) []*GatewayContext + Translate(resources *resource.Resources) (*TranslateResult, error) + GetRelevantGateways(resources *resource.Resources) []*GatewayContext RoutesTranslator ListenersTranslator 
@@ -113,9 +94,9 @@ type Translator struct { } type TranslateResult struct { - Resources - XdsIR XdsIRMap `json:"xdsIR" yaml:"xdsIR"` - InfraIR InfraIRMap `json:"infraIR" yaml:"infraIR"` + resource.Resources + XdsIR resource.XdsIRMap `json:"xdsIR" yaml:"xdsIR"` + InfraIR resource.InfraIRMap `json:"infraIR" yaml:"infraIR"` } func newTranslateResult(gateways []*GatewayContext, @@ -131,7 +112,7 @@ func newTranslateResult(gateways []*GatewayContext, envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy, extPolicies []unstructured.Unstructured, backends []*egv1a1.Backend, - xdsIR XdsIRMap, infraIR InfraIRMap, + xdsIR resource.XdsIRMap, infraIR resource.InfraIRMap, ) *TranslateResult { translateResult := &TranslateResult{ XdsIR: xdsIR, @@ -168,7 +149,7 @@ func newTranslateResult(gateways []*GatewayContext, return translateResult } -func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { +func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, error) { // Get Gateways belonging to our GatewayClass. gateways := t.GetRelevantGateways(resources) @@ -178,7 +159,7 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { }) // Build IR maps. - xdsIR, infraIR := t.InitIRs(gateways, resources) + xdsIR, infraIR := t.InitIRs(gateways) // Process all Listeners for all relevant Gateways. t.ProcessListeners(gateways, xdsIR, infraIR, resources) @@ -187,7 +168,7 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { t.ProcessEnvoyPatchPolicies(resources.EnvoyPatchPolicies, xdsIR) // Process all Addresses for all relevant Gateways. - t.ProcessAddresses(gateways, xdsIR, infraIR, resources) + t.ProcessAddresses(gateways, xdsIR, infraIR) // process all Backends backends := t.ProcessBackends(resources.Backends) 
@@ -263,7 +244,7 @@ func (t *Translator) Translate(resources *Resources) (*TranslateResult, error) { // GetRelevantGateways returns GatewayContexts, containing a copy of the original // Gateway with the Listener statuses reset. -func (t *Translator) GetRelevantGateways(resources *Resources) []*GatewayContext { +func (t *Translator) GetRelevantGateways(resources *resource.Resources) []*GatewayContext { var relevant []*GatewayContext for _, gateway := range resources.Gateways { @@ -285,9 +266,9 @@ func (t *Translator) GetRelevantGateways(resources *Resources) []*GatewayContext } // InitIRs checks if mergeGateways is enabled in EnvoyProxy config and initializes XdsIR and InfraIR maps with adequate keys. -func (t *Translator) InitIRs(gateways []*GatewayContext, resources *Resources) (map[string]*ir.Xds, map[string]*ir.Infra) { - xdsIR := make(XdsIRMap) - infraIR := make(InfraIRMap) +func (t *Translator) InitIRs(gateways []*GatewayContext) (map[string]*ir.Xds, map[string]*ir.Infra) { + xdsIR := make(resource.XdsIRMap) + infraIR := make(resource.InfraIRMap) var irKey string for _, gateway := range gateways { diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 42bb1ca37b7..7184326fd62 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go @@ -33,6 +33,7 @@ import ( "sigs.k8s.io/yaml" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils/field" "github.com/envoyproxy/gateway/internal/utils/file" "github.com/envoyproxy/gateway/internal/wasm" @@ -68,7 +69,7 @@ func TestTranslate(t *testing.T) { input, err := os.ReadFile(inputFile) require.NoError(t, err) - resources := &Resources{} + resources := &resource.Resources{} mustUnmarshal(t, input, resources) envoyPatchPolicyEnabled := true backendEnabled := true 
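Review bot: `InitIRs` still declares its results as `map[string]*ir.Xds` and `map[string]*ir.Infra`, although its body now builds `resource.XdsIRMap` and `resource.InfraIRMap` and every other signature touched in this commit uses the named types. Since the signature is already changing here (the `resources` parameter is dropped), declaring it as `func (t *Translator) InitIRs(gateways []*GatewayContext) (resource.XdsIRMap, resource.InfraIRMap)` would keep the package API consistent. `InitIRs` is exported, so the removed parameter breaks any caller not updated in this patch; only the call in `Translate` is visible on this page. The function body continues outside the hunk.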
@@ -334,7 +335,7 @@ func TestTranslateWithExtensionKinds(t *testing.T) { input, err := os.ReadFile(inputFile) require.NoError(t, err) - resources := &Resources{} + resources := &resource.Resources{} mustUnmarshal(t, input, resources) translator := &Translator{ diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index d92dee3bcc0..87020d7f6ec 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go @@ -20,11 +20,12 @@ import ( gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" ) func (t *Translator) validateBackendRef(backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, - resources *Resources, backendNamespace string, routeKind gwapiv1.Kind, + resources *resource.Resources, backendNamespace string, routeKind gwapiv1.Kind, ) bool { backendRef := GetBackendRef(backendRefContext) @@ -44,12 +45,12 @@ func (t *Translator) validateBackendRef(backendRefContext BackendRefContext, par return false } protocol := corev1.ProtocolTCP - if routeKind == KindUDPRoute { + if routeKind == resource.KindUDPRoute { protocol = corev1.ProtocolUDP } - backendRefKind := KindDerefOr(backendRef.Kind, KindService) + backendRefKind := KindDerefOr(backendRef.Kind, resource.KindService) switch backendRefKind { - case KindService: + case resource.KindService: if err := validateBackendService(backendRef.BackendObjectReference, resources, backendNamespace, protocol); err != nil { routeStatus := GetRouteStatus(route) status.SetRouteStatusCondition(routeStatus, 
@@ -62,7 +63,7 @@ func (t *Translator) validateBackendRef(backendRefContext BackendRefContext, par ) return false } - case KindServiceImport: + case resource.KindServiceImport: if !t.validateBackendServiceImport(backendRef, parentRef, resources, backendNamespace, route, protocol) { return false } @@ -91,7 +92,7 @@ func (t *Translator) validateBackendRefGroup(backendRef *gwapiv1a2.BackendRef, p } func (t *Translator) validateBackendRefKind(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) bool { - if backendRef.Kind != nil && *backendRef.Kind != KindService && *backendRef.Kind != KindServiceImport && *backendRef.Kind != egv1a1.KindBackend { + if backendRef.Kind != nil && *backendRef.Kind != resource.KindService && *backendRef.Kind != resource.KindServiceImport && *backendRef.Kind != egv1a1.KindBackend { routeStatus := GetRouteStatus(route) status.SetRouteStatusCondition(routeStatus, parentRef.routeParentStatusIdx, @@ -111,13 +112,13 @@ func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, par var unsupportedFilters bool switch routeKind { - case KindHTTPRoute: + case resource.KindHTTPRoute: for _, filter := range filters.([]gwapiv1.HTTPRouteFilter) { if filter.Type != gwapiv1.HTTPRouteFilterRequestHeaderModifier && filter.Type != gwapiv1.HTTPRouteFilterResponseHeaderModifier { unsupportedFilters = true } } - case KindGRPCRoute: + case resource.KindGRPCRoute: for _, filter := range filters.([]gwapiv1.GRPCRouteFilter) { if filter.Type != gwapiv1.GRPCRouteFilterRequestHeaderModifier && filter.Type != gwapiv1.GRPCRouteFilterResponseHeaderModifier { unsupportedFilters = true 
@@ -144,7 +145,7 @@ func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, par } func (t *Translator) validateBackendNamespace(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext, - resources *Resources, routeKind gwapiv1.Kind, + resources *resource.Resources, routeKind gwapiv1.Kind, ) bool { if backendRef.Namespace != nil && string(*backendRef.Namespace) != "" && string(*backendRef.Namespace) != route.GetNamespace() { if !t.validateCrossNamespaceRef( @@ -155,7 +156,7 @@ func (t *Translator) validateBackendNamespace(backendRef *gwapiv1a2.BackendRef, }, crossNamespaceTo{ group: GroupDerefOr(backendRef.Group, ""), - kind: KindDerefOr(backendRef.Kind, KindService), + kind: KindDerefOr(backendRef.Kind, resource.KindService), namespace: string(*backendRef.Namespace), name: string(backendRef.Name), }, @@ -168,7 +169,7 @@ func (t *Translator) validateBackendNamespace(backendRef *gwapiv1a2.BackendRef, gwapiv1.RouteConditionResolvedRefs, metav1.ConditionFalse, gwapiv1.RouteReasonRefNotPermitted, - fmt.Sprintf("Backend ref to %s %s/%s not permitted by any ReferenceGrant.", KindDerefOr(backendRef.Kind, KindService), *backendRef.Namespace, backendRef.Name), + fmt.Sprintf("Backend ref to %s %s/%s not permitted by any ReferenceGrant.", KindDerefOr(backendRef.Kind, resource.KindService), *backendRef.Namespace, backendRef.Name), ) return false } @@ -196,7 +197,7 @@ func (t *Translator) validateBackendPort(backendRef *gwapiv1a2.BackendRef, paren return true } -func validateBackendService(backendRef gwapiv1a2.BackendObjectReference, resources *Resources, +func validateBackendService(backendRef gwapiv1a2.BackendObjectReference, resources *resource.Resources, serviceNamespace string, protocol corev1.Protocol, ) error { service := resources.GetService(serviceNamespace, string(backendRef.Name)) 
@@ -223,7 +224,7 @@ func validateBackendService(backendRef gwapiv1a2.BackendObjectReference, resourc return nil } -func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *Resources, +func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *resource.Resources, serviceImportNamespace string, route RouteContext, protocol corev1.Protocol, ) bool { serviceImport := resources.GetServiceImport(serviceImportNamespace, string(backendRef.Name)) @@ -268,7 +269,7 @@ func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendR return true } -func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *Resources, +func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *resource.Resources, backendNamespace string, route RouteContext, kind gwapiv1.Kind, ) bool { // TODO: support additional route kinds @@ -287,7 +288,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, return false } - if kind != KindHTTPRoute { + if kind != resource.KindHTTPRoute { status.SetRouteStatusCondition(routeStatus, parentRef.routeParentStatusIdx, route.GetGeneration(), @@ -428,7 +429,7 @@ func (t *Translator) validateAllowedNamespaces(listener *ListenerContext) { } } -func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerContext, resources *Resources) []*corev1.Secret { +func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerContext, resources *resource.Resources) []*corev1.Secret { if len(listener.TLS.CertificateRefs) == 0 { status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, 
@@ -454,13 +455,13 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon break } - if certificateRef.Kind != nil && string(*certificateRef.Kind) != KindSecret { + if certificateRef.Kind != nil && string(*certificateRef.Kind) != resource.KindSecret { status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionResolvedRefs, metav1.ConditionFalse, gwapiv1.ListenerReasonInvalidCertificateRef, - fmt.Sprintf("Listener's TLS certificate ref kind must be %s.", KindSecret), + fmt.Sprintf("Listener's TLS certificate ref kind must be %s.", resource.KindSecret), ) break } @@ -471,12 +472,12 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon if !t.validateCrossNamespaceRef( crossNamespaceFrom{ group: gwapiv1.GroupName, - kind: KindGateway, + kind: resource.KindGateway, namespace: listener.gateway.Namespace, }, crossNamespaceTo{ group: "", - kind: KindSecret, + kind: resource.KindSecret, namespace: string(*certificateRef.Namespace), name: string(certificateRef.Name), }, @@ -547,7 +548,7 @@ func (t *Translator) validateTerminateModeAndGetTLSSecrets(listener *ListenerCon return secrets } -func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resources *Resources) { +func (t *Translator) validateTLSConfiguration(listener *ListenerContext, resources *resource.Resources) { switch listener.Protocol { case gwapiv1.HTTPProtocolType, gwapiv1.UDPProtocolType, gwapiv1.TCPProtocolType: if listener.TLS != nil { @@ -914,7 +915,7 @@ func (t *Translator) validateSecretRef( allowCrossNamespace bool, from crossNamespaceFrom, secretObjRef gwapiv1b1.SecretObjectReference, - resources *Resources, + resources *resource.Resources, ) (*corev1.Secret, error) { if err := t.validateSecretObjectRef(allowCrossNamespace, from, secretObjRef, resources); err != nil { return nil, err 
@@ -938,7 +939,7 @@ func (t *Translator) validateConfigMapRef( allowCrossNamespace bool, from crossNamespaceFrom, secretObjRef gwapiv1b1.SecretObjectReference, - resources *Resources, + resources *resource.Resources, ) (*corev1.ConfigMap, error) { if err := t.validateSecretObjectRef(allowCrossNamespace, from, secretObjRef, resources); err != nil { return nil, err @@ -962,7 +963,7 @@ func (t *Translator) validateSecretObjectRef( allowCrossNamespace bool, from crossNamespaceFrom, secretRef gwapiv1b1.SecretObjectReference, - resources *Resources, + resources *resource.Resources, ) error { var kind string if secretRef.Group != nil && string(*secretRef.Group) != "" { @@ -970,13 +971,13 @@ func (t *Translator) validateSecretObjectRef( } if secretRef.Kind == nil { // nolint - kind = KindSecret - } else if string(*secretRef.Kind) == KindSecret { - kind = KindSecret - } else if string(*secretRef.Kind) == KindConfigMap { - kind = KindConfigMap + kind = resource.KindSecret + } else if string(*secretRef.Kind) == resource.KindSecret { + kind = resource.KindSecret + } else if string(*secretRef.Kind) == resource.KindConfigMap { + kind = resource.KindConfigMap } else { - return fmt.Errorf("secret ref kind must be %s", KindSecret) + return fmt.Errorf("secret ref kind must be %s", resource.KindSecret) } if secretRef.Namespace != nil && @@ -1024,7 +1025,7 @@ func (t *Translator) validateExtServiceBackendReference( backendRef *gwapiv1.BackendObjectReference, ownerNamespace string, policyKind string, - resources *Resources, + resources *resource.Resources, ) error { // These are sanity checks, they should never happen because the API server // should have caught them 
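Review bot: The fallback error in validateSecretObjectRef (hunk -970,13) still reads `secret ref kind must be Secret`, although the branch directly above it also accepts `resource.KindConfigMap`, so a rejected reference is reported with an incomplete list of allowed kinds. Since the line is touched anyway, I would change it to `return fmt.Errorf("secret ref kind must be %s or %s", resource.KindSecret, resource.KindConfigMap)`. Both validateSecretRef and validateConfigMapRef go through this shared check, so a Secret-only caller also lets a ConfigMap kind pass here. Whether those callers reject the wrong kind afterwards is outside the hunk and worth confirming. The function body starts before this hunk and continues after it.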
@@ -1034,7 +1035,7 @@ func (t *Translator) validateExtServiceBackendReference( " the group field or setting it to an empty string) and the" + " gateway.envoyproxy.io API group are supported") } - if backendRef.Kind != nil && *backendRef.Kind != KindService && *backendRef.Kind != egv1a1.KindBackend { + if backendRef.Kind != nil && *backendRef.Kind != resource.KindService && *backendRef.Kind != egv1a1.KindBackend { return errors.New("kind is invalid, only Service (specified by omitting " + "the kind field or setting it to 'Service') and Backend are supported") } @@ -1042,9 +1043,9 @@ func (t *Translator) validateExtServiceBackendReference( return errors.New("a valid port number corresponding to a port on the Service must be specified") } - backendRefKind := KindDerefOr(backendRef.Kind, KindService) + backendRefKind := KindDerefOr(backendRef.Kind, resource.KindService) switch backendRefKind { - case KindService: + case resource.KindService: // check if the service is valid serviceNamespace := NamespaceDerefOr(backendRef.Namespace, ownerNamespace) service := resources.GetService(serviceNamespace, string(backendRef.Name)) diff --git a/internal/kubernetes/secret.go b/internal/kubernetes/secret.go index ff98d61874b..f2774dce4d8 100644 --- a/internal/kubernetes/secret.go +++ b/internal/kubernetes/secret.go 
@@ -15,13 +15,13 @@ import ( k8sclient "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) // ValidateSecretObjectReference validate secret object reference for extension tls and ratelimit tls settings. func ValidateSecretObjectReference(ctx context.Context, client k8sclient.Client, secretObjRef *gwapiv1.SecretObjectReference, namespace string) (*corev1.Secret, string, error) { if (secretObjRef.Group == nil || *secretObjRef.Group == corev1.GroupName) && - (secretObjRef.Kind == nil || *secretObjRef.Kind == gatewayapi.KindSecret) { + (secretObjRef.Kind == nil || *secretObjRef.Kind == resource.KindSecret) { secret := &corev1.Secret{} secretNamespace := namespace if secretObjRef.Namespace != nil && string(*secretObjRef.Namespace) != "" { diff --git a/internal/message/types.go b/internal/message/types.go index 6a39685a813..3e3923e6cb2 100644 --- a/internal/message/types.go +++ b/internal/message/types.go @@ -13,7 +13,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" xdstypes "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -22,7 +22,7 @@ import ( type ProviderResources struct { // GatewayAPIResources is a map from a GatewayClass name to // a group of gateway API and other related resources. - GatewayAPIResources watchable.Map[string, *gatewayapi.ControllerResources] + GatewayAPIResources watchable.Map[string, *resource.ControllerResources] // GatewayAPIStatuses is a group of gateway api // resource statuses maps. 
@@ -35,7 +35,7 @@ type ProviderResources struct { ExtensionStatuses } -func (p *ProviderResources) GetResources() []*gatewayapi.Resources { +func (p *ProviderResources) GetResources() []*resource.Resources { if p.GatewayAPIResources.Len() == 0 { return nil } @@ -47,7 +47,7 @@ func (p *ProviderResources) GetResources() []*gatewayapi.Resources { return nil } -func (p *ProviderResources) GetResourcesByGatewayClass(name string) *gatewayapi.Resources { +func (p *ProviderResources) GetResourcesByGatewayClass(name string) *resource.Resources { for _, r := range p.GetResources() { if r != nil && r.GatewayClass != nil && r.GatewayClass.Name == name { return r diff --git a/internal/provider/file/resources.go b/internal/provider/file/resources.go index 8dcd60ac78a..a89f3ae1686 100644 --- a/internal/provider/file/resources.go +++ b/internal/provider/file/resources.go @@ -9,26 +9,14 @@ import ( "fmt" "os" "path/filepath" - "reflect" "strings" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/util/sets" - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - "sigs.k8s.io/yaml" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/envoygateway" - "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) // loadFromFilesAndDirs loads resources from specific files and directories. -func loadFromFilesAndDirs(files, dirs []string) ([]*gatewayapi.Resources, error) { - var rs []*gatewayapi.Resources +func loadFromFilesAndDirs(files, dirs []string) ([]*resource.Resources, error) { + var rs []*resource.Resources for _, file := range files { r, err := loadFromFile(file) 
@@ -50,7 +38,7 @@ func loadFromFilesAndDirs(files, dirs []string) ([]*gatewayapi.Resources, error) } // loadFromFile loads resources from a specific file. -func loadFromFile(path string) (*gatewayapi.Resources, error) { +func loadFromFile(path string) (*resource.Resources, error) { if _, err := os.Stat(path); err != nil { if os.IsNotExist(err) { return nil, fmt.Errorf("file %s is not exist", path) @@ -63,17 +51,17 @@ func loadFromFile(path string) (*gatewayapi.Resources, error) { return nil, err } - return convertKubernetesYAMLToResources(string(bytes)) + return resource.LoadResourcesFromYAMLString(string(bytes), false) } // loadFromDir loads resources from all the files under a specific directory excluding subdirectories. -func loadFromDir(path string) ([]*gatewayapi.Resources, error) { +func loadFromDir(path string) ([]*resource.Resources, error) { entries, err := os.ReadDir(path) if err != nil { return nil, err } - var rs []*gatewayapi.Resources + var rs []*resource.Resources for _, entry := range entries { // Ignoring subdirectories and all hidden files and directories. if entry.IsDir() || strings.HasPrefix(entry.Name(), ".") { 
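Review bot: The bare `false` in `return resource.LoadResourcesFromYAMLString(string(bytes), false)` (hunk -63,17, loadFromFile) does not say what is being switched off, and the parameter's name is not visible in this diff. A call-site comment such as `// false: <what the flag disables>` would make the intent reviewable. The removed convertKubernetesYAMLToResources defaulted an empty namespace, filled an empty GatewayClass controller name, and added a default Namespace object. Whether the shared loader still does this when called with `false` cannot be told from here. Because the file provider turns on-disk YAML directly into gateway configuration, a test in this package that pins those defaults would catch a silent change in what gets accepted.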
@@ -90,246 +78,3 @@ func loadFromDir(path string) ([]*gatewayapi.Resources, error) { return rs, nil } - -// TODO(sh2): This function is copied and updated from internal/cmd/egctl/translate.go. -// This function should be able to process arbitrary number of resources, so we -// need to come up with a way to extend the GatewayClass and EnvoyProxy field to array -// instead of single variable in gatewayapi.Resources structure. -// -// - This issue is tracked by https://github.com/envoyproxy/gateway/issues/3207 -// -// convertKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. -func convertKubernetesYAMLToResources(str string) (*gatewayapi.Resources, error) { - resources := gatewayapi.NewResources() - var useDefaultNamespace bool - providedNamespaceMap := sets.New[string]() - requiredNamespaceMap := sets.New[string]() - yamls := strings.Split(str, "\n---") - combinedScheme := envoygateway.GetScheme() - for _, y := range yamls { - if strings.TrimSpace(y) == "" { - continue - } - var obj map[string]interface{} - err := yaml.Unmarshal([]byte(y), &obj) - if err != nil { - return nil, err - } - un := unstructured.Unstructured{Object: obj} - gvk := un.GroupVersionKind() - name, namespace := un.GetName(), un.GetNamespace() - if namespace == "" { - // When kubectl applies a resource in yaml which doesn't have a namespace, - // the current namespace is applied. Here we do the same thing before translating - // the GatewayAPI resource. 
Otherwise, the resource can't pass the namespace validation - useDefaultNamespace = true - namespace = config.DefaultNamespace - } - requiredNamespaceMap.Insert(namespace) - kobj, err := combinedScheme.New(gvk) - if err != nil { - return nil, err - } - err = combinedScheme.Convert(&un, kobj, nil) - if err != nil { - return nil, err - } - - objType := reflect.TypeOf(kobj) - if objType.Kind() != reflect.Ptr { - return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) - } - kobjVal := reflect.ValueOf(kobj).Elem() - spec := kobjVal.FieldByName("Spec") - - switch gvk.Kind { - case gatewayapi.KindEnvoyProxy: - typedSpec := spec.Interface() - envoyProxy := &egv1a1.EnvoyProxy{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(egv1a1.EnvoyProxySpec), - } - resources.EnvoyProxyForGatewayClass = envoyProxy - case gatewayapi.KindGatewayClass: - typedSpec := spec.Interface() - gatewayClass := &gwapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GatewayClassSpec), - } - // fill controller name by default controller name when gatewayclass controller name empty. 
- if gatewayClass.Spec.ControllerName == "" { - gatewayClass.Spec.ControllerName = egv1a1.GatewayControllerName - } - resources.GatewayClass = gatewayClass - case gatewayapi.KindGateway: - typedSpec := spec.Interface() - gateway := &gwapiv1.Gateway{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GatewaySpec), - } - resources.Gateways = append(resources.Gateways, gateway) - case gatewayapi.KindTCPRoute: - typedSpec := spec.Interface() - tcpRoute := &gwapiv1a2.TCPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindTCPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.TCPRouteSpec), - } - resources.TCPRoutes = append(resources.TCPRoutes, tcpRoute) - case gatewayapi.KindUDPRoute: - typedSpec := spec.Interface() - udpRoute := &gwapiv1a2.UDPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindUDPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.UDPRouteSpec), - } - resources.UDPRoutes = append(resources.UDPRoutes, udpRoute) - case gatewayapi.KindTLSRoute: - typedSpec := spec.Interface() - tlsRoute := &gwapiv1a2.TLSRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindTLSRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1a2.TLSRouteSpec), - } - resources.TLSRoutes = append(resources.TLSRoutes, tlsRoute) - case gatewayapi.KindHTTPRoute: - typedSpec := spec.Interface() - httpRoute := &gwapiv1.HTTPRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindHTTPRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.HTTPRouteSpec), - } - resources.HTTPRoutes = append(resources.HTTPRoutes, httpRoute) - case gatewayapi.KindGRPCRoute: - typedSpec := spec.Interface() - grpcRoute := &gwapiv1.GRPCRoute{ - TypeMeta: metav1.TypeMeta{ - Kind: 
gatewayapi.KindGRPCRoute, - }, - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(gwapiv1.GRPCRouteSpec), - } - resources.GRPCRoutes = append(resources.GRPCRoutes, grpcRoute) - case gatewayapi.KindNamespace: - namespace := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - } - resources.Namespaces = append(resources.Namespaces, namespace) - providedNamespaceMap.Insert(name) - case gatewayapi.KindService: - typedSpec := spec.Interface() - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: typedSpec.(corev1.ServiceSpec), - } - resources.Services = append(resources.Services, service) - case egv1a1.KindEnvoyPatchPolicy: - typedSpec := spec.Interface() - envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindEnvoyPatchPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), - } - resources.EnvoyPatchPolicies = append(resources.EnvoyPatchPolicies, envoyPatchPolicy) - case egv1a1.KindClientTrafficPolicy: - typedSpec := spec.Interface() - clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindClientTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), - } - resources.ClientTrafficPolicies = append(resources.ClientTrafficPolicies, clientTrafficPolicy) - case egv1a1.KindBackendTrafficPolicy: - typedSpec := spec.Interface() - backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindBackendTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: 
typedSpec.(egv1a1.BackendTrafficPolicySpec), - } - resources.BackendTrafficPolicies = append(resources.BackendTrafficPolicies, backendTrafficPolicy) - case egv1a1.KindSecurityPolicy: - typedSpec := spec.Interface() - securityPolicy := &egv1a1.SecurityPolicy{ - TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), - }, - ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, - Name: name, - }, - Spec: typedSpec.(egv1a1.SecurityPolicySpec), - } - resources.SecurityPolicies = append(resources.SecurityPolicies, securityPolicy) - } - } - - if useDefaultNamespace { - if !providedNamespaceMap.Has(config.DefaultNamespace) { - namespace := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: config.DefaultNamespace, - }, - } - resources.Namespaces = append(resources.Namespaces, namespace) - providedNamespaceMap.Insert(config.DefaultNamespace) - } - } - - return resources, nil -} diff --git a/internal/provider/file/store.go b/internal/provider/file/store.go index 5a45f1fd638..90c520564b6 100644 --- a/internal/provider/file/store.go +++ b/internal/provider/file/store.go @@ -9,7 +9,7 @@ import ( "github.com/fsnotify/fsnotify" "github.com/go-logr/logr" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/message" ) @@ -46,7 +46,7 @@ func (r *resourcesStore) HandleEvent(event fsnotify.Event, files, dirs []string) // LoadAndStore loads and stores all resources from files and directories. func (r *resourcesStore) LoadAndStore(files, dirs []string) error { - rs, err := loadFromFilesAndDirs(files, dirs) + resources, err := loadFromFilesAndDirs(files, dirs) if err != nil { return err } 
@@ -61,10 +61,10 @@ func (r *resourcesStore) LoadAndStore(files, dirs []string) error { // We cannot make sure by the time the Write event was triggered, whether the GatewayClass exist, // so here we just simply Store the first gatewayapi.Resources that has GatewayClass. - gwcResources := make(gatewayapi.ControllerResources, 0, 1) - for _, resource := range rs { - if resource.GatewayClass != nil { - gwcResources = append(gwcResources, resource) + gwcResources := make(resource.ControllerResources, 0, 1) + for _, res := range resources { + if res.GatewayClass != nil { + gwcResources = append(gwcResources, res) } } if len(gwcResources) == 0 { diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 1c0555c0772..a07ca6ab120 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -38,6 +38,7 @@ import ( "github.com/envoyproxy/gateway/api/v1alpha1/validation" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/logging" "github.com/envoyproxy/gateway/internal/message" 
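Review bot: The comment above the loop in LoadAndStore (hunk -61,10) still names `gatewayapi.Resources`, a type this commit moves to the `resource` package, so it should read `resource.Resources`. The same comment says only the first entry with a GatewayClass is stored, while the loop appends every match to `gwcResources`. What happens to the slice afterwards is outside the hunk, so either the comment or the loop may be the one that needs adjusting.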
@@ -193,10 +194,10 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques // - Gateway API resources: Gateways, xRoutes ... // - Envoy Gateway customized resources: EnvoyPatchPolicies, ClientTrafficPolicies, BackendTrafficPolicies ... // - Referenced resources: Services, ServiceImports, EndpointSlices, Secrets, ConfigMaps ... - gwcResources := make(gatewayapi.ControllerResources, 0, len(managedGCs)) + gwcResources := make(resource.ControllerResources, 0, len(managedGCs)) for _, managedGC := range managedGCs { // Initialize resource types. - gwcResource := gatewayapi.NewResources() + gwcResource := resource.NewResources() gwcResource.GatewayClass = managedGC gwcResources = append(gwcResources, gwcResource) resourceMappings := newResourceMapping() @@ -322,7 +323,7 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques return reconcile.Result{}, nil } -func (r *gatewayAPIReconciler) processEnvoyProxySecretRef(ctx context.Context, gwcResource *gatewayapi.Resources) { +func (r *gatewayAPIReconciler) processEnvoyProxySecretRef(ctx context.Context, gwcResource *resource.Resources) { if gwcResource.EnvoyProxyForGatewayClass == nil || gwcResource.EnvoyProxyForGatewayClass.Spec.BackendTLS == nil || gwcResource.EnvoyProxyForGatewayClass.Spec.BackendTLS.ClientCertificateRef == nil { return } @@ -332,9 +333,9 @@ func (r *gatewayAPIReconciler) processEnvoyProxySecretRef(ctx context.Context, g ctx, newResourceMapping(), gwcResource, - gatewayapi.KindGateway, + resource.KindGateway, gwcResource.EnvoyProxyForGatewayClass.Namespace, - gatewayapi.KindEnvoyProxy, + resource.KindEnvoyProxy, *certRef); err != nil { r.log.Error(err, "failed to process TLS SecretRef for EnvoyProxy", 
@@ -375,15 +376,15 @@ func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gw // - ServiceImports // - EndpointSlices // - Backends -func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResource *gatewayapi.Resources, resourceMappings *resourceMappings) { +func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResource *resource.Resources, resourceMappings *resourceMappings) { for backendRef := range resourceMappings.allAssociatedBackendRefs { - backendRefKind := gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService) + backendRefKind := gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService) r.log.Info("processing Backend", "kind", backendRefKind, "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) var endpointSliceLabelKey string switch backendRefKind { - case gatewayapi.KindService: + case resource.KindService: service := new(corev1.Service) err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, service) if err != nil { @@ -397,7 +398,7 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour } endpointSliceLabelKey = discoveryv1.LabelServiceName - case gatewayapi.KindServiceImport: + case resource.KindServiceImport: serviceImport := new(mcsapiv1a1.ServiceImport) err := r.client.Get(ctx, types.NamespacedName{Namespace: string(*backendRef.Namespace), Name: string(backendRef.Name)}, serviceImport) if err != nil { 
@@ -454,7 +455,7 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour // - Secrets for OIDC and BasicAuth // - BackendRefs for ExAuth func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) { // we don't return errors from this method, because we want to continue reconciling // the rest of the SecurityPolicies despite that one reference is invalid. This @@ -472,7 +473,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( ctx, resourceMap, resourceTree, - gatewayapi.KindSecurityPolicy, + resource.KindSecurityPolicy, policy.Namespace, policy.Name, oidc.ClientSecret); err != nil { @@ -489,7 +490,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( ctx, resourceMap, resourceTree, - gatewayapi.KindSecurityPolicy, + resource.KindSecurityPolicy, policy.Namespace, policy.Name, basicAuth.Users); err != nil { @@ -529,12 +530,12 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( if backendNamespace != policy.Namespace { from := ObjectKindNamespacedName{ - kind: gatewayapi.KindSecurityPolicy, + kind: resource.KindSecurityPolicy, namespace: policy.Namespace, name: policy.Name, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), + kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name), } 
@@ -558,7 +559,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( // processOIDCHMACSecret adds the OIDC HMAC Secret to the resourceTree. // The OIDC HMAC Secret is created by the CertGen job and is used by SecurityPolicy // to configure OAuth2 filters. -func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resourceTree *gatewayapi.Resources) { +func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resourceTree *resource.Resources) { var ( secret corev1.Secret err error @@ -589,7 +590,7 @@ func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resour func (r *gatewayAPIReconciler) processSecretRef( ctx context.Context, resourceMap *resourceMappings, - resourceTree *gatewayapi.Resources, + resourceTree *resource.Resources, ownerKind string, ownerNS string, ownerName string, @@ -612,7 +613,7 @@ func (r *gatewayAPIReconciler) processSecretRef( name: ownerName, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindSecret, + kind: resource.KindSecret, namespace: secretNS, name: secret.Name, } 
@@ -640,19 +641,19 @@ func (r *gatewayAPIReconciler) processSecretRef( // processCtpConfigMapRefs adds the referenced ConfigMaps in ClientTrafficPolicies // to the resourceTree func (r *gatewayAPIReconciler) processCtpConfigMapRefs( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) { for _, policy := range resourceTree.ClientTrafficPolicies { tls := policy.Spec.TLS if tls != nil && tls.ClientValidation != nil { for _, caCertRef := range tls.ClientValidation.CACertificateRefs { - if caCertRef.Kind != nil && string(*caCertRef.Kind) == gatewayapi.KindConfigMap { + if caCertRef.Kind != nil && string(*caCertRef.Kind) == resource.KindConfigMap { if err := r.processConfigMapRef( ctx, resourceMap, resourceTree, - gatewayapi.KindClientTrafficPolicy, + resource.KindClientTrafficPolicy, policy.Namespace, policy.Name, caCertRef); err != nil { @@ -666,12 +667,12 @@ func (r *gatewayAPIReconciler) processCtpConfigMapRefs( "failed to process CACertificateRef for ClientTrafficPolicy", "policy", policy, "caCertificateRef", caCertRef.Name) } - } else if caCertRef.Kind == nil || string(*caCertRef.Kind) == gatewayapi.KindSecret { + } else if caCertRef.Kind == nil || string(*caCertRef.Kind) == resource.KindSecret { if err := r.processSecretRef( ctx, resourceMap, resourceTree, - gatewayapi.KindClientTrafficPolicy, + resource.KindClientTrafficPolicy, policy.Namespace, policy.Name, caCertRef); err != nil { @@ -691,7 +692,7 @@ func (r *gatewayAPIReconciler) processCtpConfigMapRefs( func (r *gatewayAPIReconciler) processConfigMapRef( ctx context.Context, resourceMap *resourceMappings, - resourceTree *gatewayapi.Resources, + resourceTree *resource.Resources, ownerKind string, ownerNS string, ownerName string, 
@@ -714,7 +715,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( name: ownerName, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindConfigMap, + kind: resource.KindConfigMap, namespace: configMapNS, name: configMap.Name, } @@ -807,7 +808,7 @@ func (r *gatewayAPIReconciler) findReferenceGrant(ctx context.Context, from, to return nil, nil } -func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *resource.Resources) error { // Find gateways for the managedGC // Find the Gateways that reference this Class. gatewayList := &gwapiv1.GatewayList{} @@ -844,7 +845,7 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g ctx, resourceMap, resourceTree, - gatewayapi.KindGateway, + resource.KindGateway, gtw.Namespace, gtw.Name, certRef); err != nil { @@ -893,7 +894,7 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } // processEnvoyPatchPolicies adds EnvoyPatchPolicies to the resourceTree -func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, resourceTree *resource.Resources) error { envoyPatchPolicies := egv1a1.EnvoyPatchPolicyList{} if err := r.client.List(ctx, &envoyPatchPolicies); err != nil { return fmt.Errorf("error listing EnvoyPatchPolicies: %w", err) 
@@ -912,7 +913,7 @@ func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, re // processClientTrafficPolicies adds ClientTrafficPolicies to the resourceTree func (r *gatewayAPIReconciler) processClientTrafficPolicies( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) error { clientTrafficPolicies := egv1a1.ClientTrafficPolicyList{} if err := r.client.List(ctx, &clientTrafficPolicies); err != nil { @@ -933,7 +934,7 @@ func (r *gatewayAPIReconciler) processClientTrafficPolicies( } // processBackendTrafficPolicies adds BackendTrafficPolicies to the resourceTree -func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context, resourceTree *resource.Resources) error { backendTrafficPolicies := egv1a1.BackendTrafficPolicyList{} if err := r.client.List(ctx, &backendTrafficPolicies); err != nil { return fmt.Errorf("error listing BackendTrafficPolicies: %w", err) @@ -951,7 +952,7 @@ func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context // processSecurityPolicies adds SecurityPolicies and their referenced resources to the resourceTree func (r *gatewayAPIReconciler) processSecurityPolicies( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) error { securityPolicies := egv1a1.SecurityPolicyList{} if err := r.client.List(ctx, &securityPolicies); err != nil { 
@@ -976,7 +977,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicies( // processBackendTLSPolicies adds BackendTLSPolicies and their referenced resources to the resourceTree func (r *gatewayAPIReconciler) processBackendTLSPolicies( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) error { backendTLSPolicies := gwapiv1a3.BackendTLSPolicyList{} if err := r.client.List(ctx, &backendTLSPolicies); err != nil { @@ -997,7 +998,7 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicies( } // processBackends adds Backends to the resourceTree -func (r *gatewayAPIReconciler) processBackends(ctx context.Context, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processBackends(ctx context.Context, resourceTree *resource.Resources) error { backends := egv1a1.BackendList{} if err := r.client.List(ctx, &backends); err != nil { return fmt.Errorf("error listing Backends: %w", err) @@ -1571,7 +1572,7 @@ func (r *gatewayAPIReconciler) enqueueClass(_ context.Context, _ client.Object) } // processGatewayParamsRef processes the infrastructure.parametersRef of the provided Gateway. -func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw *gwapiv1.Gateway, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw *gwapiv1.Gateway, resourceMap *resourceMappings, resourceTree *resource.Resources) error { if gtw == nil || gtw.Spec.Infrastructure == nil || gtw.Spec.Infrastructure.ParametersRef == nil { return nil } @@ -1603,7 +1604,7 @@ func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw ctx, resourceMap, resourceTree, - gatewayapi.KindGateway, + resource.KindGateway, gtw.Namespace, gtw.Name, *certRef); err != nil { 
@@ -1619,7 +1620,7 @@ func (r *gatewayAPIReconciler) processGatewayParamsRef(ctx context.Context, gtw } // processGatewayClassParamsRef processes the parametersRef of the provided GatewayClass. -func (r *gatewayAPIReconciler) processGatewayClassParamsRef(ctx context.Context, gc *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *gatewayapi.Resources) error { +func (r *gatewayAPIReconciler) processGatewayClassParamsRef(ctx context.Context, gc *gwapiv1.GatewayClass, resourceMap *resourceMappings, resourceTree *resource.Resources) error { if !refsEnvoyProxy(gc) { return fmt.Errorf("unsupported parametersRef for gatewayclass %s", gc.Name) } @@ -1712,8 +1713,8 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool } serviceImportFound := false for _, list := range apiResourceList { - for _, resource := range list.APIResources { - if list.GroupVersion == mcsapiv1a1.GroupVersion.String() && resource.Kind == gatewayapi.KindServiceImport { + for _, res := range list.APIResources { + if list.GroupVersion == mcsapiv1a1.GroupVersion.String() && res.Kind == resource.KindServiceImport { serviceImportFound = true break } @@ -1725,7 +1726,7 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( ctx context.Context, - resourceTree *gatewayapi.Resources, + resourceTree *resource.Resources, resourceMap *resourceMappings, ) { for _, policy := range resourceTree.BackendTLSPolicies { 
@@ -1734,8 +1735,8 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( if tls.CACertificateRefs != nil { for _, caCertRef := range tls.CACertificateRefs { // if kind is not Secret or ConfigMap, we skip early to avoid further calculation overhead - if string(caCertRef.Kind) == gatewayapi.KindConfigMap || - string(caCertRef.Kind) == gatewayapi.KindSecret { + if string(caCertRef.Kind) == resource.KindConfigMap || + string(caCertRef.Kind) == resource.KindSecret { var err error caRefNew := gwapiv1b1.SecretObjectReference{ @@ -1745,22 +1746,22 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( Namespace: gatewayapi.NamespacePtr(policy.Namespace), } switch string(caCertRef.Kind) { - case gatewayapi.KindConfigMap: + case resource.KindConfigMap: err = r.processConfigMapRef( ctx, resourceMap, resourceTree, - gatewayapi.KindBackendTLSPolicy, + resource.KindBackendTLSPolicy, policy.Namespace, policy.Name, caRefNew) - case gatewayapi.KindSecret: + case resource.KindSecret: err = r.processSecretRef( ctx, resourceMap, resourceTree, - gatewayapi.KindBackendTLSPolicy, + resource.KindBackendTLSPolicy, policy.Namespace, policy.Name, caRefNew) @@ -1784,7 +1785,7 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( // processEnvoyExtensionPolicies adds EnvoyExtensionPolicies and their referenced resources to the resourceTree func (r *gatewayAPIReconciler) processEnvoyExtensionPolicies( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) error { envoyExtensionPolicies := egv1a1.EnvoyExtensionPolicyList{} if err := r.client.List(ctx, &envoyExtensionPolicies); err != nil { 
@@ -1807,7 +1808,7 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicies( // processExtensionServerPolicies adds directly attached policies intended for the extension server func (r *gatewayAPIReconciler) processExtensionServerPolicies( - ctx context.Context, resourceTree *gatewayapi.Resources, + ctx context.Context, resourceTree *resource.Resources, ) error { for _, gvk := range r.extServerPolicies { polList := unstructured.UnstructuredList{} @@ -1843,7 +1844,7 @@ func (r *gatewayAPIReconciler) processExtensionServerPolicies( // - BackendRefs for ExtProcs // - SecretRefs for Wasms func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs( - ctx context.Context, resourceTree *gatewayapi.Resources, resourceMap *resourceMappings, + ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, ) { // we don't return errors from this method, because we want to continue reconciling // the rest of the EnvoyExtensionPolicies despite that one reference is invalid. This @@ -1868,12 +1869,12 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs( if backendNamespace != policy.Namespace { from := ObjectKindNamespacedName{ - kind: gatewayapi.KindHTTPRoute, + kind: resource.KindHTTPRoute, namespace: policy.Namespace, name: policy.Name, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), + kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name), } @@ -1900,7 +1901,7 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs( ctx, resourceMap, resourceTree, - gatewayapi.KindSecurityPolicy, + resource.KindSecurityPolicy, policy.Namespace, policy.Name, *wasm.Code.Image.PullSecretRef); err != nil { diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index b2fb1c3d791..c1cece27733 100644 
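Review bot: In processEnvoyExtensionPolicyObjectRefs the cross-namespace check builds `from` with `kind: resource.KindHTTPRoute`, although `policy.Namespace` and `policy.Name` identify an EnvoyExtensionPolicy. The ReferenceGrant lookup that presumably consumes `from` would therefore match grants written for HTTPRoutes and miss grants written for the policy kind. The Wasm pull-secret call in the same function (the `@@ -1900,7 +1901,7 @@` hunk) passes `resource.KindSecurityPolicy` in the owner-kind position, which looks like a second copy-paste of the same sort. Both lines should carry the package's EnvoyExtensionPolicy kind constant, so that grant evaluation and the owner recorded for the secret name the object that actually holds the reference. The function body starts and ends outside these hunks, so the grant-matching logic itself is not visible here.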
--- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go @@ -19,6 +19,7 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/logging" ) @@ -274,7 +275,7 @@ func TestProcessGatewayClassParamsRef(t *testing.T) { } // Process the test case gatewayclasses. - resourceTree := gatewayapi.NewResources() + resourceTree := resource.NewResources() resourceMap := newResourceMapping() err := r.processGatewayClassParamsRef(context.Background(), tc.gc, resourceMap, resourceTree) if tc.expected { diff --git a/internal/provider/kubernetes/extensionpolicies_test.go b/internal/provider/kubernetes/extensionpolicies_test.go index dbfb2904ffa..3d74ff270df 100644 --- a/internal/provider/kubernetes/extensionpolicies_test.go +++ b/internal/provider/kubernetes/extensionpolicies_test.go @@ -17,7 +17,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/logging" ) @@ -226,7 +226,7 @@ func TestProcessExtensionPolicies(t *testing.T) { WithObjects(objs...). Build() - resourceTree := gatewayapi.NewResources() + resourceTree := resource.NewResources() err := r.processExtensionServerPolicies(ctx, resourceTree) if !tc.errorExpected { require.NoError(t, err) diff --git a/internal/provider/kubernetes/helpers.go b/internal/provider/kubernetes/helpers.go index 847bdc35261..0069aba5c3c 100644 --- a/internal/provider/kubernetes/helpers.go +++ b/internal/provider/kubernetes/helpers.go 
@@ -18,6 +18,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) const ( @@ -141,7 +142,7 @@ func terminatesTLS(listener *gwapiv1.Listener) bool { // refsSecret returns true if ref refers to a Secret. func refsSecret(ref *gwapiv1.SecretObjectReference) bool { return (ref.Group == nil || *ref.Group == corev1.GroupName) && - (ref.Kind == nil || *ref.Kind == gatewayapi.KindSecret) + (ref.Kind == nil || *ref.Kind == resource.KindSecret) } // validateBackendRef validates that ref is a reference to a local Service. @@ -155,9 +156,9 @@ func validateBackendRef(ref *gwapiv1.BackendRef) error { return nil case gatewayapi.GroupDerefOr(ref.Group, corev1.GroupName) != corev1.GroupName && gatewayapi.GroupDerefOr(ref.Group, corev1.GroupName) != mcsapiv1a1.GroupName && gatewayapi.GroupDerefOr(ref.Group, corev1.GroupName) != egv1a1.GroupName: return fmt.Errorf("invalid group; must be nil, empty string %q or %q", mcsapiv1a1.GroupName, egv1a1.GroupName) - case gatewayapi.KindDerefOr(ref.Kind, gatewayapi.KindService) != gatewayapi.KindService && gatewayapi.KindDerefOr(ref.Kind, gatewayapi.KindService) != gatewayapi.KindServiceImport && gatewayapi.KindDerefOr(ref.Kind, gatewayapi.KindService) != egv1a1.KindBackend: + case gatewayapi.KindDerefOr(ref.Kind, resource.KindService) != resource.KindService && gatewayapi.KindDerefOr(ref.Kind, resource.KindService) != resource.KindServiceImport && gatewayapi.KindDerefOr(ref.Kind, resource.KindService) != egv1a1.KindBackend: return fmt.Errorf("invalid kind %q; must be %q, %q or %q", - *ref.BackendObjectReference.Kind, gatewayapi.KindService, gatewayapi.KindServiceImport, egv1a1.KindBackend) + *ref.BackendObjectReference.Kind, resource.KindService, resource.KindServiceImport, egv1a1.KindBackend) } return nil 
diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 443c667e349..395b1c6809d 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -19,6 +19,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) const ( @@ -79,7 +80,7 @@ func gatewayHTTPRouteIndexFunc(rawObj client.Object) []string { httproute := rawObj.(*gwapiv1.HTTPRoute) var gateways []string for _, parent := range httproute.Spec.ParentRefs { - if parent.Kind == nil || string(*parent.Kind) == gatewayapi.KindGateway { + if parent.Kind == nil || string(*parent.Kind) == resource.KindGateway { // If an explicit Gateway namespace is not provided, use the HTTPRoute namespace to // lookup the provided Gateway Name. gateways = append(gateways, @@ -98,7 +99,7 @@ func backendHTTPRouteIndexFunc(rawObj client.Object) []string { var backendRefs []string for _, rule := range httproute.Spec.Rules { for _, backend := range rule.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService || string(*backend.Kind) == egv1a1.KindBackend { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { // If an explicit Backend namespace is not provided, use the HTTPRoute namespace to // lookup the provided Gateway Name. backendRefs = append(backendRefs, 
@@ -118,7 +119,7 @@ func secretEnvoyProxyIndexFunc(rawObj client.Object) []string { var secretReferences []string if ep.Spec.BackendTLS != nil { if ep.Spec.BackendTLS.ClientCertificateRef != nil { - if *ep.Spec.BackendTLS.ClientCertificateRef.Kind == gatewayapi.KindSecret { + if *ep.Spec.BackendTLS.ClientCertificateRef.Kind == resource.KindSecret { secretReferences = append(secretReferences, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(ep.Spec.BackendTLS.ClientCertificateRef.Namespace, ep.Namespace), @@ -172,7 +173,7 @@ func accessLogRefs(ep *egv1a1.EnvoyProxy) []string { } for _, ref := range backendRefs { - if ref.Kind == nil || string(*ref.Kind) == gatewayapi.KindService { + if ref.Kind == nil || string(*ref.Kind) == resource.KindService { refs = append(refs, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(ref.Namespace, ep.Namespace), @@ -197,7 +198,7 @@ func metricRefs(ep *egv1a1.EnvoyProxy) []string { for _, sink := range ep.Spec.Telemetry.Metrics.Sinks { if sink.OpenTelemetry != nil { for _, backend := range sink.OpenTelemetry.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService { refs = append(refs, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(backend.Namespace, ep.Namespace), @@ -220,7 +221,7 @@ func traceRefs(ep *egv1a1.EnvoyProxy) []string { } for _, ref := range ep.Spec.Telemetry.Tracing.Provider.BackendRefs { - if ref.Kind == nil || string(*ref.Kind) == gatewayapi.KindService { + if ref.Kind == nil || string(*ref.Kind) == resource.KindService { refs = append(refs, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(ref.Namespace, ep.Namespace), 
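Review bot: secretEnvoyProxyIndexFunc dereferences `*ep.Spec.BackendTLS.ClientCertificateRef.Kind` after checking only that `ClientCertificateRef` is non-nil, so an object whose Kind was left unset would panic inside the indexer instead of being treated as a Secret. Other indexers in this file guard the pointer first (`parent.Kind == nil || string(*parent.Kind) == resource.KindGateway` in gatewayHTTPRouteIndexFunc), but the TLSRoute, TCPRoute and UDPRoute parent checks and `*cert.Kind` in secretGatewayIndexFunc have the same unguarded dereference. These probably rely on CRD defaulting to populate Kind; a guard such as `if kind := ep.Spec.BackendTLS.ClientCertificateRef.Kind; kind == nil || *kind == resource.KindSecret {` removes that dependency and keeps a malformed object from crashing the controller. The enclosing functions start and end outside the hunks.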
@@ -252,7 +253,7 @@ func gatewayGRPCRouteIndexFunc(rawObj client.Object) []string { grpcroute := rawObj.(*gwapiv1.GRPCRoute) var gateways []string for _, parent := range grpcroute.Spec.ParentRefs { - if parent.Kind == nil || string(*parent.Kind) == gatewayapi.KindGateway { + if parent.Kind == nil || string(*parent.Kind) == resource.KindGateway { // If an explicit Gateway namespace is not provided, use the GRPCRoute namespace to // lookup the provided Gateway Name. gateways = append(gateways, @@ -271,7 +272,7 @@ func backendGRPCRouteIndexFunc(rawObj client.Object) []string { var backendRefs []string for _, rule := range grpcroute.Spec.Rules { for _, backend := range rule.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService || string(*backend.Kind) == egv1a1.KindBackend { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { // If an explicit Backend namespace is not provided, use the GRPCRoute namespace to // lookup the provided Gateway Name. backendRefs = append(backendRefs, @@ -294,7 +295,7 @@ func addTLSRouteIndexers(ctx context.Context, mgr manager.Manager) error { tlsRoute := rawObj.(*gwapiv1a2.TLSRoute) var gateways []string for _, parent := range tlsRoute.Spec.ParentRefs { - if string(*parent.Kind) == gatewayapi.KindGateway { + if string(*parent.Kind) == resource.KindGateway { // If an explicit Gateway namespace is not provided, use the TLSRoute namespace to // lookup the provided Gateway Name. gateways = append(gateways, 
@@ -321,7 +322,7 @@ func backendTLSRouteIndexFunc(rawObj client.Object) []string { var backendRefs []string for _, rule := range tlsroute.Spec.Rules { for _, backend := range rule.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService || string(*backend.Kind) == egv1a1.KindBackend { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { // If an explicit Backend namespace is not provided, use the TLSRoute namespace to // lookup the provided Gateway Name. backendRefs = append(backendRefs, @@ -344,7 +345,7 @@ func addTCPRouteIndexers(ctx context.Context, mgr manager.Manager) error { tcpRoute := rawObj.(*gwapiv1a2.TCPRoute) var gateways []string for _, parent := range tcpRoute.Spec.ParentRefs { - if string(*parent.Kind) == gatewayapi.KindGateway { + if string(*parent.Kind) == resource.KindGateway { // If an explicit Gateway namespace is not provided, use the TCPRoute namespace to // lookup the provided Gateway Name. gateways = append(gateways, @@ -371,7 +372,7 @@ func backendTCPRouteIndexFunc(rawObj client.Object) []string { var backendRefs []string for _, rule := range tcpRoute.Spec.Rules { for _, backend := range rule.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService || string(*backend.Kind) == egv1a1.KindBackend { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { // If an explicit Backend namespace is not provided, use the TCPRoute namespace to // lookup the provided Gateway Name. backendRefs = append(backendRefs, 
@@ -396,7 +397,7 @@ func addUDPRouteIndexers(ctx context.Context, mgr manager.Manager) error { udpRoute := rawObj.(*gwapiv1a2.UDPRoute) var gateways []string for _, parent := range udpRoute.Spec.ParentRefs { - if string(*parent.Kind) == gatewayapi.KindGateway { + if string(*parent.Kind) == resource.KindGateway { // If an explicit Gateway namespace is not provided, use the UDPRoute namespace to // lookup the provided Gateway Name. gateways = append(gateways, @@ -423,7 +424,7 @@ func backendUDPRouteIndexFunc(rawObj client.Object) []string { var backendRefs []string for _, rule := range udproute.Spec.Rules { for _, backend := range rule.BackendRefs { - if backend.Kind == nil || string(*backend.Kind) == gatewayapi.KindService || string(*backend.Kind) == egv1a1.KindBackend { + if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { // If an explicit Backend namespace is not provided, use the UDPRoute namespace to // lookup the provided Gateway Name. backendRefs = append(backendRefs, @@ -463,7 +464,7 @@ func secretGatewayIndexFunc(rawObj client.Object) []string { continue } for _, cert := range listener.TLS.CertificateRefs { - if *cert.Kind == gatewayapi.KindSecret { + if *cert.Kind == resource.KindSecret { // If an explicit Secret namespace is not provided, use the Gateway namespace to // lookup the provided Secret Name. secretReferences = append(secretReferences, 
@@ -582,7 +583,7 @@ func configMapCtpIndexFunc(rawObj client.Object) []string { var configMapReferences []string if ctp.Spec.TLS != nil && ctp.Spec.TLS.ClientValidation != nil { for _, caCertRef := range ctp.Spec.TLS.ClientValidation.CACertificateRefs { - if caCertRef.Kind != nil && string(*caCertRef.Kind) == gatewayapi.KindConfigMap { + if caCertRef.Kind != nil && string(*caCertRef.Kind) == resource.KindConfigMap { // If an explicit configmap namespace is not provided, use the ctp namespace to // lookup the provided config map Name. configMapReferences = append(configMapReferences, @@ -602,7 +603,7 @@ func secretCtpIndexFunc(rawObj client.Object) []string { var secretReferences []string if ctp.Spec.TLS != nil && ctp.Spec.TLS.ClientValidation != nil { for _, caCertRef := range ctp.Spec.TLS.ClientValidation.CACertificateRefs { - if caCertRef.Kind == nil || (string(*caCertRef.Kind) == gatewayapi.KindSecret) { + if caCertRef.Kind == nil || (string(*caCertRef.Kind) == resource.KindSecret) { // If an explicit namespace is not provided, use the ctp namespace to // lookup the provided secrent Name. secretReferences = append(secretReferences, @@ -633,7 +634,7 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string { var configMapReferences []string if btls.Spec.Validation.CACertificateRefs != nil { for _, caCertRef := range btls.Spec.Validation.CACertificateRefs { - if string(caCertRef.Kind) == gatewayapi.KindConfigMap { + if string(caCertRef.Kind) == resource.KindConfigMap { configMapReferences = append(configMapReferences, types.NamespacedName{ Namespace: btls.Namespace, diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index b82836ef8c1..d673def5c88 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go 
@@ -35,6 +35,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/provider/kubernetes/test" "github.com/envoyproxy/gateway/internal/utils" @@ -1600,7 +1601,7 @@ func TestNamespaceSelectorProvider(t *testing.T) { }, defaultWait, defaultTick) } -func waitUntilGatewayClassResourcesAreReady(resources *message.ProviderResources, gatewayClassName string) (*gatewayapi.Resources, bool) { +func waitUntilGatewayClassResourcesAreReady(resources *message.ProviderResources, gatewayClassName string) (*resource.Resources, bool) { res := resources.GetResourcesByGatewayClass(gatewayClassName) if res == nil { return nil, false diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 054de1e5395..a442ddcf2a4 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -24,6 +24,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" "github.com/envoyproxy/gateway/internal/logging" "github.com/envoyproxy/gateway/internal/provider/kubernetes/test" @@ -221,7 +222,7 @@ func TestValidateSecretForReconcile(t *testing.T) { configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), test.GetSecureGateway(types.NamespacedName{Name: "scheduled-status-test"}, "test-gc", test.GroupKindNamespacedName{ - Kind: gatewayapi.KindSecret, + Kind: resource.KindSecret, Name: "secret", }), }, 
@@ -233,7 +234,7 @@ func TestValidateSecretForReconcile(t *testing.T) { configs: []client.Object{ test.GetGatewayClass("test-gc", "not.configured/controller", nil), test.GetSecureGateway(types.NamespacedName{Name: "scheduled-status-test"}, "test-gc", test.GroupKindNamespacedName{ - Kind: gatewayapi.KindSecret, + Kind: resource.KindSecret, Name: "secret", }), }, diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index c52e39ef349..d298e7e0e46 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -17,13 +17,14 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils" ) // processTLSRoutes finds TLSRoutes corresponding to a gatewayNamespaceName, further checks for // the backend references and pushes the TLSRoutes to the resourceTree. func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayNamespaceName string, - resourceMap *resourceMappings, resourceTree *gatewayapi.Resources, + resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { tlsRouteList := &gwapiv1a2.TLSRouteList{} if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ 
@@ -69,8 +70,8 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName }) if backendNamespace != tlsRoute.Namespace { - from := ObjectKindNamespacedName{kind: gatewayapi.KindTLSRoute, namespace: tlsRoute.Namespace, name: tlsRoute.Name} - to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), namespace: backendNamespace, name: string(backendRef.Name)} + from := ObjectKindNamespacedName{kind: resource.KindTLSRoute, namespace: tlsRoute.Namespace, name: tlsRoute.Name} + to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name)} refGrant, err := r.findReferenceGrant(ctx, from, to) switch { case err != nil: @@ -101,7 +102,7 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName // processGRPCRoutes finds GRPCRoutes corresponding to a gatewayNamespaceName, further checks for // the backend references and pushes the GRPCRoutes to the resourceTree. func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNamespaceName string, - resourceMap *resourceMappings, resourceTree *gatewayapi.Resources, + resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { grpcRouteList := &gwapiv1.GRPCRouteList{} @@ -148,12 +149,12 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam if backendNamespace != grpcRoute.Namespace { from := ObjectKindNamespacedName{ - kind: gatewayapi.KindGRPCRoute, + kind: resource.KindGRPCRoute, namespace: grpcRoute.Namespace, name: grpcRoute.Name, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), + kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name), } 
@@ -226,7 +227,7 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam // processHTTPRoutes finds HTTPRoutes corresponding to a gatewayNamespaceName, further checks for // the backend references and pushes the HTTPRoutes to the resourceTree. func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNamespaceName string, - resourceMap *resourceMappings, resourceTree *gatewayapi.Resources, + resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { httpRouteList := &gwapiv1.HTTPRouteList{} @@ -282,12 +283,12 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam if backendNamespace != httpRoute.Namespace { from := ObjectKindNamespacedName{ - kind: gatewayapi.KindHTTPRoute, + kind: resource.KindHTTPRoute, namespace: httpRoute.Namespace, name: httpRoute.Name, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), + kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name), } @@ -349,12 +350,12 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam if backendNamespace != httpRoute.Namespace { from := ObjectKindNamespacedName{ - kind: gatewayapi.KindHTTPRoute, + kind: resource.KindHTTPRoute, namespace: httpRoute.Namespace, name: httpRoute.Name, } to := ObjectKindNamespacedName{ - kind: gatewayapi.KindDerefOr(mirrorBackendRef.Kind, gatewayapi.KindService), + kind: gatewayapi.KindDerefOr(mirrorBackendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(mirrorBackendRef.Name), } 
@@ -413,7 +414,7 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam // processTCPRoutes finds TCPRoutes corresponding to a gatewayNamespaceName, further checks for // the backend references and pushes the TCPRoutes to the resourceTree. func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayNamespaceName string, - resourceMap *resourceMappings, resourceTree *gatewayapi.Resources, + resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { tcpRouteList := &gwapiv1a2.TCPRouteList{} if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ @@ -459,8 +460,8 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName }) if backendNamespace != tcpRoute.Namespace { - from := ObjectKindNamespacedName{kind: gatewayapi.KindTCPRoute, namespace: tcpRoute.Namespace, name: tcpRoute.Name} - to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), namespace: backendNamespace, name: string(backendRef.Name)} + from := ObjectKindNamespacedName{kind: resource.KindTCPRoute, namespace: tcpRoute.Namespace, name: tcpRoute.Name} + to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name)} refGrant, err := r.findReferenceGrant(ctx, from, to) switch { case err != nil: 
@@ -491,7 +492,7 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName // processUDPRoutes finds UDPRoutes corresponding to a gatewayNamespaceName, further checks for // the backend references and pushes the UDPRoutes to the resourceTree. func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayNamespaceName string, - resourceMap *resourceMappings, resourceTree *gatewayapi.Resources, + resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { udpRouteList := &gwapiv1a2.UDPRouteList{} if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ @@ -537,8 +538,8 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName }) if backendNamespace != udpRoute.Namespace { - from := ObjectKindNamespacedName{kind: gatewayapi.KindUDPRoute, namespace: udpRoute.Namespace, name: udpRoute.Name} - to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, gatewayapi.KindService), namespace: backendNamespace, name: string(backendRef.Name)} + from := ObjectKindNamespacedName{kind: resource.KindUDPRoute, namespace: udpRoute.Namespace, name: udpRoute.Name} + to := ObjectKindNamespacedName{kind: gatewayapi.KindDerefOr(backendRef.Kind, resource.KindService), namespace: backendNamespace, name: string(backendRef.Name)} refGrant, err := r.findReferenceGrant(ctx, from, to) switch { case err != nil: diff --git a/internal/provider/kubernetes/routes_test.go b/internal/provider/kubernetes/routes_test.go index 9bd4126d325..5fc3654657b 100644 --- a/internal/provider/kubernetes/routes_test.go +++ b/internal/provider/kubernetes/routes_test.go @@ -25,6 +25,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/logging" "github.com/envoyproxy/gateway/internal/utils" ) 
@@ -107,7 +108,7 @@ func TestProcessHTTPRoutes(t *testing.T) { BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(corev1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "test", }, }, @@ -169,7 +170,7 @@ func TestProcessHTTPRoutes(t *testing.T) { BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(corev1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "test", }, }, @@ -257,7 +258,7 @@ func TestProcessHTTPRoutes(t *testing.T) { BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(corev1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "test", }, }, @@ -320,7 +321,7 @@ func TestProcessHTTPRoutes(t *testing.T) { BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(corev1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "test", }, }, @@ -382,7 +383,7 @@ func TestProcessHTTPRoutes(t *testing.T) { }, defaultWait, defaultTick) // Process the test case httproutes. - resourceTree := gatewayapi.NewResources() + resourceTree := resource.NewResources() resourceMap := newResourceMapping() err := r.processHTTPRoutes(ctx, gwNsName, resourceMap, resourceTree) if tc.expected { @@ -478,7 +479,7 @@ func TestProcessGRPCRoutes(t *testing.T) { BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(corev1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "test", }, }, 
@@ -524,7 +525,7 @@ func TestProcessGRPCRoutes(t *testing.T) { Build() // Process the test case httproutes. - resourceTree := gatewayapi.NewResources() + resourceTree := resource.NewResources() resourceMap := newResourceMapping() err := r.processGRPCRoutes(ctx, gwNsName, resourceMap, resourceTree) if tc.expected { diff --git a/internal/provider/kubernetes/status_updater.go b/internal/provider/kubernetes/status_updater.go index 59ff64d3352..9da708f1b02 100644 --- a/internal/provider/kubernetes/status_updater.go +++ b/internal/provider/kubernetes/status_updater.go @@ -23,7 +23,7 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/metrics" ) 
@@ -318,35 +318,35 @@ func kindOf(obj interface{}) string { var kind string switch o := obj.(type) { case *gwapiv1.GatewayClass: - kind = gatewayapi.KindGatewayClass + kind = resource.KindGatewayClass case *gwapiv1.Gateway: - kind = gatewayapi.KindGateway + kind = resource.KindGateway case *gwapiv1.HTTPRoute: - kind = gatewayapi.KindHTTPRoute + kind = resource.KindHTTPRoute case *gwapiv1a2.TLSRoute: - kind = gatewayapi.KindTLSRoute + kind = resource.KindTLSRoute case *gwapiv1a2.TCPRoute: - kind = gatewayapi.KindTCPRoute + kind = resource.KindTCPRoute case *gwapiv1a2.UDPRoute: - kind = gatewayapi.KindUDPRoute + kind = resource.KindUDPRoute case *gwapiv1.GRPCRoute: - kind = gatewayapi.KindGRPCRoute + kind = resource.KindGRPCRoute case *egv1a1.EnvoyPatchPolicy: - kind = gatewayapi.KindEnvoyPatchPolicy + kind = resource.KindEnvoyPatchPolicy case *egv1a1.ClientTrafficPolicy: - kind = gatewayapi.KindClientTrafficPolicy + kind = resource.KindClientTrafficPolicy case *egv1a1.BackendTrafficPolicy: - kind = gatewayapi.KindBackendTrafficPolicy + kind = resource.KindBackendTrafficPolicy case *egv1a1.SecurityPolicy: - kind = gatewayapi.KindSecurityPolicy + kind = resource.KindSecurityPolicy case *egv1a1.EnvoyExtensionPolicy: - kind = gatewayapi.KindEnvoyExtensionPolicy + kind = resource.KindEnvoyExtensionPolicy case *gwapiv1a3.BackendTLSPolicy: - kind = gatewayapi.KindBackendTLSPolicy + kind = resource.KindBackendTLSPolicy case *unstructured.Unstructured: kind = o.GetKind() case *egv1a1.Backend: - kind = egv1a1.KindBackend + kind = resource.KindBackend default: kind = "Unknown" } diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go index 98c44705435..8ac95845c4a 100644 --- a/test/e2e/tests/authorization_client_ip.go +++ b/test/e2e/tests/authorization_client_ip.go 
@@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -38,7 +39,7 @@ var AuthorizationClientIPTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go index 820a0e09950..7eaed07b306 100644 --- a/test/e2e/tests/authorization_default_action.go +++ b/test/e2e/tests/authorization_default_action.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -38,7 +39,7 @@ var AuthorizationDefaultActionTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/backend_health_check.go b/test/e2e/tests/backend_health_check.go index 4936d372079..e2fc3d7d27c 100644 --- a/test/e2e/tests/backend_health_check.go +++ b/test/e2e/tests/backend_health_check.go @@ -24,6 +24,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/test/utils/prometheus" ) 
@@ -46,7 +47,7 @@ var BackendHealthCheckActiveHTTPTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/backendtrafficpolicy_translation_failed.go b/test/e2e/tests/backendtrafficpolicy_translation_failed.go index 9701596de0f..f76eee15710 100644 --- a/test/e2e/tests/backendtrafficpolicy_translation_failed.go +++ b/test/e2e/tests/backendtrafficpolicy_translation_failed.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -39,7 +40,7 @@ var FailedBackendTrafficPolicyDirectResponseTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/basic_auth.go b/test/e2e/tests/basic_auth.go index 20c2e1b6a50..bcedeb21db9 100644 --- a/test/e2e/tests/basic_auth.go +++ b/test/e2e/tests/basic_auth.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -38,7 +39,7 @@ var BasicAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
@@ -69,7 +70,7 @@ var BasicAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -97,7 +98,7 @@ var BasicAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -128,7 +129,7 @@ var BasicAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -160,7 +161,7 @@ var BasicAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/connection_limit.go b/test/e2e/tests/connection_limit.go index d27b087ba53..fca62d3a9e6 100644 --- a/test/e2e/tests/connection_limit.go +++ b/test/e2e/tests/connection_limit.go @@ -26,6 +26,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/test/utils/prometheus" ) 
@@ -51,7 +52,7 @@ var ConnectionLimitTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/ext_auth_grpc_service.go b/test/e2e/tests/ext_auth_grpc_service.go index 0618dc3a387..430496675ea 100644 --- a/test/e2e/tests/ext_auth_grpc_service.go +++ b/test/e2e/tests/ext_auth_grpc_service.go @@ -20,6 +20,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -42,7 +43,7 @@ var GRPCExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -86,7 +87,7 @@ var GRPCExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -127,7 +128,7 @@ var GRPCExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
@@ -169,7 +170,7 @@ var GRPCExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go index 7032bdc2ae0..326d7343708 100644 --- a/test/e2e/tests/ext_auth_http_backend.go +++ b/test/e2e/tests/ext_auth_http_backend.go @@ -20,6 +20,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -40,7 +41,7 @@ var HTTPBackendExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/ext_auth_http_service.go b/test/e2e/tests/ext_auth_http_service.go index f610898abbd..d7415590485 100644 --- a/test/e2e/tests/ext_auth_http_service.go +++ b/test/e2e/tests/ext_auth_http_service.go @@ -20,6 +20,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -42,7 +43,7 @@ var HTTPExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
@@ -89,7 +90,7 @@ var HTTPExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -130,7 +131,7 @@ var HTTPExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -174,7 +175,7 @@ var HTTPExtAuthTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/ext_proc.go b/test/e2e/tests/ext_proc.go index b4bd96d453e..dbbb4defaec 100644 --- a/test/e2e/tests/ext_proc.go +++ b/test/e2e/tests/ext_proc.go @@ -20,6 +20,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -40,7 +41,7 @@ var ExtProcTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
@@ -89,7 +90,7 @@ var ExtProcTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -134,7 +135,7 @@ var ExtProcTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/header_settings.go b/test/e2e/tests/header_settings.go index 32f0d731089..ee5be4c3dfc 100644 --- a/test/e2e/tests/header_settings.go +++ b/test/e2e/tests/header_settings.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -38,7 +39,7 @@ var HeaderSettingsTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/listener_health_check.go b/test/e2e/tests/listener_health_check.go index 2e640e15bad..483a54caab1 100644 --- a/test/e2e/tests/listener_health_check.go +++ b/test/e2e/tests/listener_health_check.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { 
@@ -38,7 +39,7 @@ var ListenerHealthCheckTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/load_balancing.go b/test/e2e/tests/load_balancing.go index 346a25965aa..9f368dc0106 100644 --- a/test/e2e/tests/load_balancing.go +++ b/test/e2e/tests/load_balancing.go @@ -32,6 +32,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -60,7 +61,7 @@ var RoundRobinLoadBalancingTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -148,7 +149,7 @@ var ConsistentHashSourceIPLoadBalancingTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -196,7 +197,7 @@ var ConsistentHashHeaderLoadBalancingTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
@@ -243,7 +244,7 @@ var ConsistentHashCookieLoadBalancingTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/local_ratelimit.go b/test/e2e/tests/local_ratelimit.go index 896ecbba5ee..a4c1accee6f 100644 --- a/test/e2e/tests/local_ratelimit.go +++ b/test/e2e/tests/local_ratelimit.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -40,7 +41,7 @@ var LocalRateLimitSpecificUserTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -125,7 +126,7 @@ var LocalRateLimitAllTrafficTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/merge_gateways.go b/test/e2e/tests/merge_gateways.go index fee4fd7180b..c00cb3e84b7 100644 --- a/test/e2e/tests/merge_gateways.go +++ b/test/e2e/tests/merge_gateways.go @@ -22,6 +22,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { 
@@ -103,7 +104,7 @@ var MergeGatewaysTest = suite.ConformanceTest{ // Create Gateway first to make sure there's no HTTPRoute attach to it. conflictedGateway := gwapiv1.Gateway{ TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindGateway, + Kind: resource.KindGateway, APIVersion: gwapiv1.GroupVersion.String(), }, ObjectMeta: metav1.ObjectMeta{ @@ -136,11 +137,11 @@ var MergeGatewaysTest = suite.ConformanceTest{ SupportedKinds: []gwapiv1.RouteGroupKind{ { Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindHTTPRoute, + Kind: resource.KindHTTPRoute, }, { Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindGRPCRoute, + Kind: resource.KindGRPCRoute, }, }, Conditions: []metav1.Condition{{ @@ -155,7 +156,7 @@ var MergeGatewaysTest = suite.ConformanceTest{ // Create HTTPRoute at last to make sure it will be referenced by the conflicted listener in Gateway. conflictedHTTPRoute := gwapiv1.HTTPRoute{ TypeMeta: metav1.TypeMeta{ - Kind: gatewayapi.KindHTTPRoute, + Kind: resource.KindHTTPRoute, APIVersion: gwapiv1.GroupVersion.String(), }, ObjectMeta: metav1.ObjectMeta{ @@ -180,7 +181,7 @@ var MergeGatewaysTest = suite.ConformanceTest{ BackendRef: gwapiv1.BackendRef{ BackendObjectReference: gwapiv1.BackendObjectReference{ Group: gatewayapi.GroupPtr(""), - Kind: gatewayapi.KindPtr(gatewayapi.KindService), + Kind: gatewayapi.KindPtr(resource.KindService), Name: "infra-backend-v3", Port: gatewayapi.PortNumPtr(8080), }, diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 2bc40d3eba9..4fcbabdc445 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -28,6 +28,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) const ( 
@@ -61,7 +62,7 @@ var OIDCTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -153,7 +154,7 @@ var OIDCTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/securitypolicy_transaltion_failed.go b/test/e2e/tests/securitypolicy_transaltion_failed.go index 539fd4f726a..57cf4c397cf 100644 --- a/test/e2e/tests/securitypolicy_transaltion_failed.go +++ b/test/e2e/tests/securitypolicy_transaltion_failed.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -39,7 +40,7 @@ var FailedSecurityPolicyDirectResponseTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index 6ce3078f3ab..3dee419be19 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { 
@@ -39,7 +40,7 @@ var HTTPWasmTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -85,7 +86,7 @@ var HTTPWasmTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 69c6b0ad6c1..b0d664469fa 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -41,6 +41,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) const ( @@ -85,7 +86,7 @@ var OCIWasmTest = suite.ConformanceTest{ // Wait for the EnvoyExtensionPolicy to be accepted ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(testNS), Name: gwapiv1.ObjectName(testGW), } @@ -188,7 +189,7 @@ var OCIWasmTest = suite.ConformanceTest{ // Wait for the EnvoyExtensionPolicy to be failed due to missing pull secret ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(testNS), Name: gwapiv1.ObjectName(testGW), } 
@@ -223,7 +224,7 @@ var OCIWasmTest = suite.ConformanceTest{ // Wait for the EnvoyExtensionPolicy to be failed due to missing pull secret ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(testNS), Name: gwapiv1.ObjectName(testGW), } From 5d406d2a9c6ada08cc0e8124129fff5c2b5782cd Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 14 Sep 2024 10:12:31 +0800 Subject: [PATCH 150/523] api: unhide `Matches` in ProxyAccessLog (#4224) * api: unhide in ProxyAccessLog Signed-off-by: zirain * sync to v1.1 Signed-off-by: zirain * fix gen Signed-off-by: zirain --------- Signed-off-by: zirain --- api/v1alpha1/accesslogging_types.go | 2 +- .../crds/generated/gateway.envoyproxy.io_envoyproxies.yaml | 1 + site/content/en/docs/api/extension_types.md | 1 + site/content/en/latest/api/extension_types.md | 1 + site/content/en/v1.1/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 6 files changed, 6 insertions(+), 1 deletion(-) diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go index 78b78a485d6..3a3628e985f 100644 --- a/api/v1alpha1/accesslogging_types.go +++ b/api/v1alpha1/accesslogging_types.go @@ -24,7 +24,7 @@ type ProxyAccessLogSetting struct { // Matches defines the match conditions for accesslog in CEL expression. // An accesslog will be emitted only when one or more match conditions are evaluated to true. // Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. - // +notImplementedHide + // +kubebuilder:validation:MaxItems=10 Matches []string `json:"matches,omitempty"` // Sinks defines the sinks of accesslog. // +kubebuilder:validation:MinItems=1 
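Review bot: `Matches` is now user-visible in `api/v1alpha1/accesslogging_types.go` but has no `+optional` marker, and the `extension_types.md` tables regenerated in this same commit list `matches` as Required `true` although the JSON tag is `matches,omitempty`. Adding `// +optional` above the field should bring the generated docs in line with the schema. The new `+kubebuilder:validation:MaxItems=10` bounds how many expressions are accepted but not the size of each one, so consider also `// +kubebuilder:validation:items:MaxLength=<limit>`, with the limit chosen by the maintainers. Because the comment says invalid CEL expressions are ignored, it should also state whether the affected sink then logs everything or nothing; otherwise a typo changes what is recorded without any signal to the operator. The `ProxyAccessLogSetting` struct starts and ends outside this hunk.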
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 4211599adf8..deee471aa4f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10313,6 +10313,7 @@ spec: Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. items: type: string + maxItems: 10 type: array sinks: description: Sinks defines the sinks of accesslog. diff --git a/site/content/en/docs/api/extension_types.md b/site/content/en/docs/api/extension_types.md index 02f5755075d..2079770c76f 100644 --- a/site/content/en/docs/api/extension_types.md +++ b/site/content/en/docs/api/extension_types.md @@ -2725,6 +2725,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 0d1be81fc72..ee535e23b90 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2909,6 +2909,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | diff --git a/site/content/en/v1.1/api/extension_types.md b/site/content/en/v1.1/api/extension_types.md index 02f5755075d..2079770c76f 100644 --- a/site/content/en/v1.1/api/extension_types.md +++ b/site/content/en/v1.1/api/extension_types.md @@ -2725,6 +2725,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 0d1be81fc72..ee535e23b90 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2909,6 +2909,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | From c127b376d7fd5149fafc19b05b6f98e7a9f7062e Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Sat, 14 Sep 2024 07:42:59 +0530 Subject: [PATCH 151/523] api: support inverting matches in rate limit (#4176) --- api/v1alpha1/ratelimit_types.go | 16 +++++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 10 ++++++++ ....envoyproxy.io_backendtrafficpolicies.yaml | 24 +++++++++++++++++++ 3 files changed, 50 insertions(+) diff --git a/api/v1alpha1/ratelimit_types.go b/api/v1alpha1/ratelimit_types.go index 9228e7d4b87..deb859400f8 100644 --- a/api/v1alpha1/ratelimit_types.go +++ b/api/v1alpha1/ratelimit_types.go @@ -138,6 +138,13 @@ type SourceMatch struct { // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 Value string `json:"value"` + + // Invert specifies whether the value match result will be inverted. + // + // +optional + // +kubebuilder:default=false + // +notImplementedHide + Invert *bool `json:"invert,omitempty"` } // HeaderMatch defines the match attributes within the HTTP Headers of the request. @@ -161,6 +168,15 @@ type HeaderMatch struct { // TODO: zhaohuabing this type could be replaced with // +optional // +kubebuilder:validation:MaxLength=1024 Value *string `json:"value,omitempty"` + + // Invert specifies whether the value match result will be inverted. + // Do not set this field when Type="Distinct", implying matching on any/all unique + // values within the header. + // + // +optional + // +kubebuilder:default=false + // +notImplementedHide + Invert *bool `json:"invert,omitempty"` } // HeaderMatchType specifies the semantics of how HTTP header values should be compared. 
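Review bot: The new `Invert` field on `SourceMatch` (and the identical field added to `HeaderMatch` in the following hunk) is accepted by the API, but nothing in this commit appears to consume it: the diffstat lists only the types file, the generated deepcopy and the generated CRD. `+notImplementedHide` presumably only keeps the field out of the rendered API docs, while the CRD hunk does publish `invert` in the schema. A policy carrying `invert: true` would therefore be admitted and, if the translator ignores the field, enforced as an ordinary non-inverted match, so the rate limit would land on the opposite set of clients from the one the operator intended. Until the translation exists I would state that in the field comment, e.g. `// Invert is not yet implemented; setting it to true currently has no effect.`, or reject `invert: true` at admission. Both struct bodies start outside their hunks.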
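Review bot: The restriction in the `HeaderMatch.Invert` comment, "Do not set this field when Type="Distinct"", is documentation only. No validation marker in the hunk enforces it, so the combination is admitted and its effect on the rate limit is left undefined. A CEL rule on the `HeaderMatch` type would turn it into a rejected configuration rather than a silent one, along the lines of `// +kubebuilder:validation:XValidation:rule="!(has(self.invert) && self.invert && has(self.type) && self.type == 'Distinct')",message="invert cannot be set when type is Distinct"`. The struct declaration is outside the hunk, so whether the type already carries other XValidation rules cannot be seen from here.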
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 7ee438d5b14..d1c42376011 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2816,6 +2816,11 @@ func (in *HeaderMatch) DeepCopyInto(out *HeaderMatch) { *out = new(string) **out = **in } + if in.Invert != nil { + in, out := &in.Invert, &out.Invert + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderMatch. @@ -4862,6 +4867,11 @@ func (in *SourceMatch) DeepCopyInto(out *SourceMatch) { *out = new(SourceMatchType) **out = **in } + if in.Invert != nil { + in, out := &in.Invert, &out.Invert + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceMatch. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index eb41bae8b0f..77133a803fc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -693,6 +693,13 @@ spec: description: HeaderMatch defines the match attributes within the HTTP Headers of the request. properties: + invert: + default: false + description: |- + Invert specifies whether the value match result will be inverted. + Do not set this field when Type="Distinct", implying matching on any/all unique + values within the header. + type: boolean name: description: Name of the HTTP header. maxLength: 256 
@@ -728,6 +735,11 @@ spec: SourceCIDR is the client IP Address range to match on. At least one of headers or sourceCIDR condition must be specified. properties: + invert: + default: false + description: Invert specifies whether the + value match result will be inverted. + type: boolean type: default: Exact enum: @@ -824,6 +836,13 @@ spec: description: HeaderMatch defines the match attributes within the HTTP Headers of the request. properties: + invert: + default: false + description: |- + Invert specifies whether the value match result will be inverted. + Do not set this field when Type="Distinct", implying matching on any/all unique + values within the header. + type: boolean name: description: Name of the HTTP header. maxLength: 256 @@ -859,6 +878,11 @@ spec: SourceCIDR is the client IP Address range to match on. At least one of headers or sourceCIDR condition must be specified. properties: + invert: + default: false + description: Invert specifies whether the + value match result will be inverted. + type: boolean type: default: Exact enum: From 1fbbe98f8c9d4a51fc388e588bba34b4bc1c79e7 Mon Sep 17 00:00:00 2001 
From: Kevin Date: Sat, 14 Sep 2024 20:05:46 +0900 Subject: [PATCH 152/523] docs: fix incorrect decoding command in developer documentation (#4241) --- site/content/en/docs/tasks/security/jwt-authentication.md | 4 ++-- site/content/en/docs/tasks/traffic/global-rate-limit.md | 4 ++-- site/content/en/docs/tasks/traffic/http-routing.md | 4 ++-- site/content/en/latest/tasks/security/jwt-authentication.md | 4 ++-- site/content/en/latest/tasks/traffic/global-rate-limit.md | 4 ++-- site/content/en/latest/tasks/traffic/http-routing.md | 4 ++-- site/content/en/v0.3/user/authn.md | 2 +- site/content/en/v0.4/user/authn.md | 2 +- site/content/en/v0.5/user/authn.md | 2 +- site/content/en/v0.5/user/rate-limit.md | 4 ++-- site/content/en/v0.6/user/jwt-authentication.md | 4 ++-- site/content/en/v0.6/user/rate-limit.md | 4 ++-- site/content/en/v1.0/tasks/security/jwt-authentication.md | 4 ++-- site/content/en/v1.0/tasks/traffic/global-rate-limit.md | 4 ++-- site/content/en/v1.0/tasks/traffic/http-routing.md | 4 ++-- site/content/en/v1.1/tasks/security/jwt-authentication.md | 4 ++-- site/content/en/v1.1/tasks/traffic/global-rate-limit.md | 4 ++-- site/content/en/v1.1/tasks/traffic/http-routing.md | 4 ++-- site/content/zh/latest/tasks/security/jwt-authentication.md | 4 ++-- 19 files changed, 35 insertions(+), 35 deletions(-) diff --git a/site/content/en/docs/tasks/security/jwt-authentication.md b/site/content/en/docs/tasks/security/jwt-authentication.md index 8b160403882..14024e18c95 100644 --- a/site/content/en/docs/tasks/security/jwt-authentication.md +++ b/site/content/en/docs/tasks/security/jwt-authentication.md 
@@ -91,7 +91,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's @@ -128,7 +128,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/docs/tasks/traffic/global-rate-limit.md b/site/content/en/docs/tasks/traffic/global-rate-limit.md index 3d80caa2e2e..bb87c47de49 100644 --- a/site/content/en/docs/tasks/traffic/global-rate-limit.md +++ b/site/content/en/docs/tasks/traffic/global-rate-limit.md 
@@ -1081,11 +1081,11 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/docs/tasks/traffic/http-routing.md b/site/content/en/docs/tasks/traffic/http-routing.md index da6e3debfc3..f9fcfaffdde 100644 --- a/site/content/en/docs/tasks/traffic/http-routing.md +++ b/site/content/en/docs/tasks/traffic/http-routing.md @@ -271,7 +271,7 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test routing to the `foo-svc` backend by specifying a JWT Token with a claim `name: John Doe`. 
@@ -284,7 +284,7 @@ curl -sS -H "Host: foo.example.com" -H "Authorization: Bearer $TOKEN" "http://${ Get another JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test HTTP routing to the `bar-svc` backend by specifying a JWT Token with a claim `name: Tom`. diff --git a/site/content/en/latest/tasks/security/jwt-authentication.md b/site/content/en/latest/tasks/security/jwt-authentication.md index 0468d572f2b..e4361b6354f 100644 --- a/site/content/en/latest/tasks/security/jwt-authentication.md +++ b/site/content/en/latest/tasks/security/jwt-authentication.md @@ -91,7 +91,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's 
@@ -128,7 +128,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/latest/tasks/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md index 41286f80e7d..f105de880cd 100644 --- a/site/content/en/latest/tasks/traffic/global-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md @@ -1080,11 +1080,11 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/latest/tasks/traffic/http-routing.md b/site/content/en/latest/tasks/traffic/http-routing.md index 0f1f3c688fb..bb9eba88157 100644 --- a/site/content/en/latest/tasks/traffic/http-routing.md 
+++ b/site/content/en/latest/tasks/traffic/http-routing.md @@ -270,7 +270,7 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test routing to the `foo-svc` backend by specifying a JWT Token with a claim `name: John Doe`. @@ -283,7 +283,7 @@ curl -sS -H "Host: foo.example.com" -H "Authorization: Bearer $TOKEN" "http://${ Get another JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test HTTP routing to the `bar-svc` backend by specifying a JWT Token with a claim `name: Tom`. diff --git a/site/content/en/v0.3/user/authn.md b/site/content/en/v0.3/user/authn.md index a4887d57438..127269592c4 100644 --- a/site/content/en/v0.3/user/authn.md +++ b/site/content/en/v0.3/user/authn.md @@ -57,7 +57,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's 
diff --git a/site/content/en/v0.4/user/authn.md b/site/content/en/v0.4/user/authn.md index 907e16f752e..50cd89e8112 100644 --- a/site/content/en/v0.4/user/authn.md +++ b/site/content/en/v0.4/user/authn.md @@ -57,7 +57,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/v0.5/user/authn.md b/site/content/en/v0.5/user/authn.md index 77954272288..d7f7bc2187a 100644 --- a/site/content/en/v0.5/user/authn.md +++ b/site/content/en/v0.5/user/authn.md @@ -57,7 +57,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/v0.5/user/rate-limit.md b/site/content/en/v0.5/user/rate-limit.md index 5f97900c494..1c2dc5c1490 100644 --- a/site/content/en/v0.5/user/rate-limit.md +++ b/site/content/en/v0.5/user/rate-limit.md 
@@ -648,11 +648,11 @@ EOF Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/v0.6/user/jwt-authentication.md b/site/content/en/v0.6/user/jwt-authentication.md index 6c04873a10f..d2918a285bc 100644 --- a/site/content/en/v0.6/user/jwt-authentication.md +++ b/site/content/en/v0.6/user/jwt-authentication.md @@ -91,7 +91,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's 
@@ -128,7 +128,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/v0.6/user/rate-limit.md b/site/content/en/v0.6/user/rate-limit.md index 5a8cf305bbd..23fb394aa2b 100644 --- a/site/content/en/v0.6/user/rate-limit.md +++ b/site/content/en/v0.6/user/rate-limit.md @@ -663,11 +663,11 @@ EOF Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/v1.0/tasks/security/jwt-authentication.md b/site/content/en/v1.0/tasks/security/jwt-authentication.md index 26caabf3ad7..bb3f58eb3d3 100644 --- a/site/content/en/v1.0/tasks/security/jwt-authentication.md +++ b/site/content/en/v1.0/tasks/security/jwt-authentication.md 
@@ -91,7 +91,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's @@ -128,7 +128,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/v1.0/tasks/traffic/global-rate-limit.md b/site/content/en/v1.0/tasks/traffic/global-rate-limit.md index d65d972678b..8df5ecd4858 100644 --- a/site/content/en/v1.0/tasks/traffic/global-rate-limit.md +++ b/site/content/en/v1.0/tasks/traffic/global-rate-limit.md 
@@ -669,11 +669,11 @@ EOF Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/v1.0/tasks/traffic/http-routing.md b/site/content/en/v1.0/tasks/traffic/http-routing.md index 39a3c733f40..919747922b3 100644 --- a/site/content/en/v1.0/tasks/traffic/http-routing.md +++ b/site/content/en/v1.0/tasks/traffic/http-routing.md @@ -198,7 +198,7 @@ EOF Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test routing to the `foo-svc` backend by specifying a JWT Token with a claim `name: John Doe`. 
@@ -211,7 +211,7 @@ curl -sS -H "Host: foo.example.com" -H "Authorization: Bearer $TOKEN" "http://${ Get another JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test HTTP routing to the `bar-svc` backend by specifying a JWT Token with a claim `name: Tom`. diff --git a/site/content/en/v1.1/tasks/security/jwt-authentication.md b/site/content/en/v1.1/tasks/security/jwt-authentication.md index 8b160403882..14024e18c95 100644 --- a/site/content/en/v1.1/tasks/security/jwt-authentication.md +++ b/site/content/en/v1.1/tasks/security/jwt-authentication.md @@ -91,7 +91,7 @@ A `401` HTTP response code should be returned. Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's 
@@ -128,7 +128,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` __Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's diff --git a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md index 3d80caa2e2e..bb87c47de49 100644 --- a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md +++ b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md @@ -1081,11 +1081,11 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` ```shell -TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode - +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' -f2 - | base64 --decode ``` ### Rate limit by carrying `TOKEN` diff --git a/site/content/en/v1.1/tasks/traffic/http-routing.md b/site/content/en/v1.1/tasks/traffic/http-routing.md index da6e3debfc3..f9fcfaffdde 100644 --- a/site/content/en/v1.1/tasks/traffic/http-routing.md 
+++ b/site/content/en/v1.1/tasks/traffic/http-routing.md @@ -271,7 +271,7 @@ spec: Get the JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test routing to the `foo-svc` backend by specifying a JWT Token with a claim `name: John Doe`. @@ -284,7 +284,7 @@ curl -sS -H "Host: foo.example.com" -H "Authorization: Bearer $TOKEN" "http://${ Get another JWT used for testing request authentication: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` Test HTTP routing to the `bar-svc` backend by specifying a JWT Token with a claim `name: Tom`. diff --git a/site/content/zh/latest/tasks/security/jwt-authentication.md b/site/content/zh/latest/tasks/security/jwt-authentication.md index a06399bc33f..81b2f0e1767 100644 --- a/site/content/zh/latest/tasks/security/jwt-authentication.md +++ b/site/content/zh/latest/tasks/security/jwt-authentication.md 
@@ -87,7 +87,7 @@ curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GAT 获取用于测试请求身份验证的 JWT: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` **注意:**上述命令解码并返回令牌的有效内容。您可以将 `f2` 替换为 `f1` 来查看令牌的标头。 @@ -123,7 +123,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc 获取用于测试请求身份验证的 JWT: ```shell -TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode ``` **注意:**上述命令解码并返回令牌的有效内容。您可以将 `f2` 替换为 `f1` 来查看令牌的标头。 From 210b97ce9bc049c6503ffcbdccd5849a248d610a Mon Sep 17 00:00:00 2001 From: Isaac <10012479+jukie@users.noreply.github.com> Date: Mon, 16 Sep 2024 10:52:35 -0600 Subject: [PATCH 153/523] feat: Add maxUnavailable PDB support to helm chart (#4239) * Helm: maxUnavailable PDB support Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * Allow both Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * helm-generate Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --------- 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> Co-authored-by: zirain --- .../templates/envoy-gateway-deployment.yaml | 22 ------------------- .../envoy-gateway-poddisruptionbudget.yaml | 18 +++++++++++++++ .../envoy-gateway-serviceaccount.yaml | 7 ++++++ charts/gateway-helm/values.tmpl.yaml | 2 ++ .../certjen-custom-scheduling.out.yaml | 2 +- .../control-plane-with-pdb.in.yaml | 1 + .../control-plane-with-pdb.out.yaml | 5 +++-- .../helm/gateway-helm/default-config.out.yaml | 2 +- .../deployment-custom-topology.out.yaml | 2 +- .../deployment-images-config.out.yaml | 2 +- .../envoy-gateway-config.out.yaml | 2 +- .../global-images-config.out.yaml | 2 +- 12 files changed, 37 insertions(+), 30 deletions(-) create mode 100644 charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml create mode 100644 charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 7bf62e582fb..7d631f17289 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -1,25 +1,3 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: envoy-gateway - namespace: '{{ .Release.Namespace }}' - labels: - {{- include "eg.labels" . | nindent 4 }} ---- -{{- if and .Values.podDisruptionBudget.minAvailable (ge (int .Values.podDisruptionBudget.minAvailable) 1) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: envoy-gateway - namespace: '{{ .Release.Namespace }}' -spec: - minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} - selector: - matchLabels: - control-plane: envoy-gateway - {{- include "eg.selectorLabels" . | nindent 6 }} ---- -{{- end }} apiVersion: apps/v1 kind: Deployment metadata: 
diff --git a/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml b/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml new file mode 100644 index 00000000000..8e0bca0f1d8 --- /dev/null +++ b/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml @@ -0,0 +1,18 @@ +{{- if or (and .Values.podDisruptionBudget.minAvailable (ge (int .Values.podDisruptionBudget.minAvailable) 1) ) (and .Values.podDisruptionBudget.maxUnavailable (ge (int .Values.podDisruptionBudget.maxUnavailable) 1) )}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: envoy-gateway + namespace: '{{ .Release.Namespace }}' +spec: + {{- if and .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + control-plane: envoy-gateway + {{- include "eg.selectorLabels" . | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml b/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml new file mode 100644 index 00000000000..23af6fee1f1 --- /dev/null +++ b/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: '{{ .Release.Namespace }}' + labels: + {{- include "eg.labels" . | nindent 4 }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 50c4eaeb0a9..2bce089d2dc 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -20,6 +20,8 @@ global: pullSecrets: [] podDisruptionBudget: minAvailable: 0 + # maxUnavailable: 1 + deployment: envoyGateway: image: 
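Review bot: In envoy-gateway-poddisruptionbudget.yaml the `spec` block emits `minAvailable` and `maxUnavailable` together when both values are set, and the policy/v1 API rejects a PodDisruptionBudget that carries both fields, so the release fails to apply instead of protecting the control plane during node drains. The fixture control-plane-with-pdb.in.yaml in this commit sets both to 1 and its expected output pins that manifest, so the golden test passes on an object the API server would refuse. Reject the combination at render time with a guard at the top of the template, `{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}{{ fail "podDisruptionBudget: set only one of minAvailable or maxUnavailable" }}{{- end }}`, and keep only one field in the fixture. The single-argument `{{- if and .Values.podDisruptionBudget.minAvailable }}` can be written as `{{- if .Values.podDisruptionBudget.minAvailable }}`. The outer `ge (int …) 1` gate also looks like it would silently skip the budget for a percentage value such as `"50%"`, which is worth confirming and documenting next to the commented `# maxUnavailable: 1` in values.tmpl.yaml.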
diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 2e111b7062c..0bd873a34b9 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.in.yaml b/test/helm/gateway-helm/control-plane-with-pdb.in.yaml index a4594d64474..ef71656e57f 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.in.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.in.yaml @@ -5,3 +5,4 @@ global: pullPolicy: Always podDisruptionBudget: minAvailable: 1 + maxUnavailable: 1 diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 3b9421d233c..cd7ff1a53dc 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -7,13 +7,14 @@ metadata: namespace: 'envoy-gateway-system' spec: minAvailable: 1 + maxUnavailable: 1 selector: matchLabels: control-plane: envoy-gateway app.kubernetes.io/name: gateway-helm app.kubernetes.io/instance: gateway-helm --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 4160bf26295..147c0f8ba70 100644 --- a/test/helm/gateway-helm/default-config.out.yaml 
+++ b/test/helm/gateway-helm/default-config.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index e337496d744..7fdfef5e53e 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 8729a397ab8..5a2df408fe5 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index a38a8f0c22a..233334d5972 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index f730bdafd43..95b98165d12 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml 
@@ -1,5 +1,5 @@ --- -# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: From 21975c46b7c8dfb877f4c6abd92e7339a9ce0d06 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 17 Sep 2024 00:53:29 +0800 Subject: [PATCH 154/523] chore: bump deps (#4255) * build(deps): bump fortio.org/fortio from 1.66.2 to 1.66.3 Bumps [fortio.org/fortio](https://github.com/fortio/fortio) from 1.66.2 to 1.66.3. - [Release notes](https://github.com/fortio/fortio/releases) - [Commits](https://github.com/fortio/fortio/compare/v1.66.2...v1.66.3) --- updated-dependencies: - dependency-name: fortio.org/fortio dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] * build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates Bumps the go-opentelemetry-io group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.29.0` | `1.30.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.29.0` | `1.30.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.29.0` | `1.30.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.51.0` | `0.52.0` | | [go.opentelemetry.io/otel/exporters/stdout/stdoutmetric](https://github.com/open-telemetry/opentelemetry-go) | `1.29.0` | `1.30.0` | Updates `go.opentelemetry.io/otel` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.51.0 to 0.52.0 - 
[Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.51.0...example/prometheus/v0.52.0) Updates `go.opentelemetry.io/otel/exporters/stdout/stdoutmetric` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/metric` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/sdk` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - 
dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdoutmetric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... 
Signed-off-by: dependabot[bot] * build(deps): bump the k8s-io group across 2 directories with 6 updates Bumps the k8s-io group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl). Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/api` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/api/compare/v0.31.0...v0.31.1) Updates `k8s.io/apiextensions-apiserver` from 0.31.0 to 0.31.1 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.31.0...v0.31.1) Updates `k8s.io/apimachinery` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.0...v0.31.1) Updates `k8s.io/cli-runtime` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.31.0...v0.31.1) Updates `k8s.io/client-go` from 0.31.0 to 0.31.1 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.0...v0.31.1) Updates `k8s.io/kubectl` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/kubectl/compare/v0.31.0...v0.31.1) Updates `k8s.io/apimachinery` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.0...v0.31.1) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: 
k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kubectl dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] * fix g en Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 6 +-- examples/extension-server/go.sum | 16 +++--- go.mod | 42 ++++++++-------- go.sum | 84 ++++++++++++++++---------------- 4 files changed, 74 insertions(+), 74 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 26de98575ff..86f5fb64f0f 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,9 +6,9 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 github.com/urfave/cli/v2 v2.27.2 - google.golang.org/grpc v1.66.0 + google.golang.org/grpc v1.66.2 google.golang.org/protobuf v1.34.2 - k8s.io/apimachinery v0.31.0 + k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/gateway-api v1.1.0 ) 
@@ -34,7 +34,7 @@ require ( golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 7e8a17a7de8..878c8da7578 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -105,12 +105,12 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= -google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= +google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -123,10 +123,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= -k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= -k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= -k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= diff --git a/go.mod b/go.mod index 2a5e6390358..e2a3d39a8fa 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.23.1 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( - fortio.org/fortio v1.66.2 + fortio.org/fortio v1.66.3 fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b 
@@ -34,13 +34,13 @@ require ( github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.9.3 - go.opentelemetry.io/otel v1.29.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 - go.opentelemetry.io/otel/exporters/prometheus v0.51.0 - go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 - go.opentelemetry.io/otel/metric v1.29.0 - go.opentelemetry.io/otel/sdk/metric v1.29.0 + go.opentelemetry.io/otel v1.30.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 + go.opentelemetry.io/otel/exporters/prometheus v0.52.0 + go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 + go.opentelemetry.io/otel/metric v1.30.0 + go.opentelemetry.io/otel/sdk/metric v1.30.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e @@ -48,12 +48,12 @@ require ( google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.15.4 - k8s.io/api v0.31.0 - k8s.io/apiextensions-apiserver v0.31.0 - k8s.io/apimachinery v0.31.0 - k8s.io/cli-runtime v0.31.0 - k8s.io/client-go v0.31.0 - k8s.io/kubectl v0.31.0 + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/cli-runtime v0.31.1 + k8s.io/client-go v0.31.1 + k8s.io/kubectl v0.31.1 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/gateway-api v1.1.0 @@ -64,7 +64,7 @@ require ( require ( github.com/docker/docker v27.2.0+incompatible github.com/replicatedhq/troubleshoot v0.100.0 - google.golang.org/grpc v1.66.0 + google.golang.org/grpc v1.66.2 ) require ( 
@@ -196,8 +196,8 @@ require ( golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.0 // indirect - k8s.io/metrics v0.31.0 // indirect + k8s.io/apiserver v0.31.1 // indirect + k8s.io/metrics v0.31.1 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect ) @@ -255,8 +255,8 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/otel/sdk v1.29.0 - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel/sdk v1.30.0 + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.20.0 // indirect @@ -268,11 +268,11 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.31.0 // indirect + k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index 1be33caef9f..e55e7b89c35 100644 --- a/go.sum +++ b/go.sum 
@@ -13,8 +13,8 @@ fortio.org/cli v1.9.0 h1:cPgNHvrjxznmbmwuXSwPqQLKZ+RMW8i0iAOESLjt1aI= fortio.org/cli v1.9.0/go.mod h1:pk/JBE8LcXtNuo5Yj2bLsVbwPaHo8NWdbstSN0cpbFk= fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0= fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U= -fortio.org/fortio v1.66.2 h1:yA++v1Kzm5mkDZWqNcGYDvKSzQza3pJCiUdatpatkq8= -fortio.org/fortio v1.66.2/go.mod h1:mDwof93Qw2zg8xKARMXO4BhW9/ypX3cw2IrGUkENjDc= +fortio.org/fortio v1.66.3 h1:N/Ic9W2tVoJ5LAcr8ZjcF3mNb2ftCw77ZtKF02jwf8Q= +fortio.org/fortio v1.66.3/go.mod h1:+W7ooyLn/Fp3h0UF9JclFEJN50EOvelO6c+VhCYGwnM= fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc= fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= fortio.org/scli v1.15.2 h1:vWXt4QOViXNWy4Gdm7d2FDfptzWD00QiWzYAM/IUF7c= 
@@ -857,32 +857,32 @@ go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 h1:k6fQVDQexDE+3jG2SfCQjnHS7OamcP73YMoxEVq5B6k= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0/go.mod h1:t4BrYLHU450Zo9fnydWlIuswB1bm7rM8havDpWOJeDo= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 h1:xvhQxJ/C9+RTnAj5DpTg7LSM1vbbMTiXt7e9hsfqHNw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0/go.mod h1:Fcvs2Bz1jkDM+Wf5/ozBGmi3tQ/c9zPKLnsipnfhGAo= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 h1:WypxHH02KX2poqqbaadmkMYalGyy/vil4HE4PM4nRJc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0/go.mod h1:U79SV99vtvGSEBeeHnpgGJfTsnsdkWLpPN/CcHAzBSI= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 h1:VrMAbeJz4gnVDg2zEzjHG4dEH86j4jO6VYB+NgtGD8s= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0/go.mod h1:qqN/uFdpeitTvm+JDqqnjm517pmQRYxTORbETHq5tOc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod 
h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/exporters/prometheus v0.51.0 h1:G7uexXb/K3T+T9fNLCCKncweEtNEBMTO+46hKX5EdKw= -go.opentelemetry.io/otel/exporters/prometheus v0.51.0/go.mod h1:v0mFe5Kk7woIh938mrZBJBmENYquyA0IICrlYm4Y0t4= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I= +go.opentelemetry.io/otel/exporters/prometheus v0.52.0 h1:kmU3H0b9ufFSi8IQCcxack+sWUblKkFbqWYs6YiACGQ= +go.opentelemetry.io/otel/exporters/prometheus v0.52.0/go.mod h1:+wsAp2+JhuGXX7YRkjlkx6hyWY3ogFPfNA4x3nyiAh0= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 h1:IyFlqNsi8VT/nwYlLJfdM0y1gavxGpEvnf6FtVfZ6X4= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0/go.mod h1:bxiX8eUeKoAEQmbq/ecUT8UqZwCjZW52yJrXJUSozsk= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0 h1:VhlEQAPp9R1ktYfrPk5SOryw1e9LDDTZCbIPFrho0ec= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0/go.mod h1:kB3ufRbfU+CQ4MlUcqtW8Z7YEOBeK2DJ6CmR5rYYF3E= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= -go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= -go.opentelemetry.io/otel/sdk v1.29.0/go.mod 
h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= -go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY= -go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/sdk/metric v1.30.0 h1:QJLT8Pe11jyHBHfSAgYH7kEmT24eX792jZO1bo4BXkM= +go.opentelemetry.io/otel/sdk/metric v1.30.0/go.mod h1:waS6P3YqFNzeP01kuo/MBBYqaoBJl7efRQHOaydhy1Y= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.starlark.net v0.0.0-20240520160348-046347dcd104 h1:3qhteRISupnJvaWshOmeqEUs2y9oc/+/ePPvDh3Eygg= 
@@ -1067,8 +1067,8 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -1079,8 +1079,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= -google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= +google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1136,32 +1136,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= -k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= -k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= -k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= -k8s.io/apiserver v0.31.0/go.mod 
h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= -k8s.io/cli-runtime v0.31.0 h1:V2Q1gj1u3/WfhD475HBQrIYsoryg/LrhhK4RwpN+DhA= -k8s.io/cli-runtime v0.31.0/go.mod h1:vg3H94wsubuvWfSmStDbekvbla5vFGC+zLWqcf+bGDw= +k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= -k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= -k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1174,10 +1174,10 @@ k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.31.0 h1:kANwAAPVY02r4U4jARP/C+Q1sssCcN/1p9Nk+7BQKVg= -k8s.io/kubectl v0.31.0/go.mod h1:pB47hhFypGsaHAPjlwrNbvhXgmuAr01ZBvAIIUaI8d4= -k8s.io/metrics v0.31.0 h1:s7Vu7W0oEZPTN8jgcoiWIXIZBmVxt7YP9MRVyIgMdOc= -k8s.io/metrics v0.31.0/go.mod h1:UNsz6swyX8FWkDoKN9ixPF75TBREMbHZIKjD7fydaOY= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= +k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= From eb5128b82949d92b799431df6e45904d8d41ac67 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:08:30 -0700 Subject: [PATCH 155/523] build(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#4252) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.6 to 3.26.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4dd16135b69a43b6c8efb853346f8437d92d3c93...8214744c546c1e5c8f03dde8fab3a7353211988d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7bc5b35a3b7..50911789367 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4d327f0cfb6..3a03313309d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: sarif_file: results.sarif From 1ce642db1fbc270ed6d9b5e1b2c28d508b6774bd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:08:53 -0700 Subject: [PATCH 156/523] build(deps): bump github.com/golangci/golangci-lint from 1.60.3 to 1.61.0 in /tools/src/golangci-lint (#4247) build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.60.3 to 1.61.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.60.3...v1.61.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/golangci-lint/go.mod | 32 +++++++------- tools/src/golangci-lint/go.sum | 76 +++++++++++++++++----------------- 2 files changed, 54 insertions(+), 54 deletions(-) diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index 729ea86717c..e73d754d4b9 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod 
@@ -2,21 +2,21 @@ module local go 1.23.1 -require github.com/golangci/golangci-lint v1.60.3 +require github.com/golangci/golangci-lint v1.61.0 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect 4d63.com/gochecknoglobals v0.2.1 // indirect github.com/4meepo/tagalign v1.3.4 // indirect - github.com/Abirdcfly/dupword v0.0.14 // indirect + github.com/Abirdcfly/dupword v0.1.1 // indirect github.com/Antonboom/errname v0.1.13 // indirect github.com/Antonboom/nilnil v0.1.9 // indirect github.com/Antonboom/testifylint v1.4.3 // indirect github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect - github.com/Crocmagnon/fatcontext v0.4.0 // indirect + github.com/Crocmagnon/fatcontext v0.5.2 // indirect github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect - github.com/Masterminds/semver/v3 v3.2.1 // indirect + github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect github.com/alecthomas/go-check-sumtype v0.1.4 // indirect github.com/alexkohler/nakedret/v2 v2.0.4 // indirect @@ -37,9 +37,9 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/charithe/durationcheck v0.0.10 // indirect github.com/chavacava/garif v0.1.0 // indirect - github.com/ckaznocha/intrange v0.1.2 // indirect + github.com/ckaznocha/intrange v0.2.0 // indirect github.com/curioswitch/go-reassign v0.2.0 // indirect - github.com/daixiang0/gci v0.13.4 // indirect + github.com/daixiang0/gci v0.13.5 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/denis-tingaikin/go-header v0.5.0 // indirect github.com/ettle/strcase v0.2.0 // indirect 
@@ -57,7 +57,7 @@ require ( github.com/go-toolsmith/astp v1.1.0 // indirect github.com/go-toolsmith/strparse v1.1.0 // indirect github.com/go-toolsmith/typep v1.1.0 // indirect - github.com/go-viper/mapstructure/v2 v2.0.0 // indirect + github.com/go-viper/mapstructure/v2 v2.1.0 // indirect github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gofrs/flock v0.12.1 // indirect 
@@ -114,25 +114,25 @@ require ( github.com/nunnatsa/ginkgolinter v0.16.2 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/pelletier/go-toml v1.9.5 // indirect - github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/polyfloyd/go-errorlint v1.6.0 // indirect github.com/prometheus/client_golang v1.12.1 // indirect github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/common v0.32.1 // indirect github.com/prometheus/procfs v0.7.3 // indirect - github.com/quasilyte/go-ruleguard v0.4.2 // indirect + github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 // indirect github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect github.com/quasilyte/gogrep v0.5.0 // indirect github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect - github.com/ryancurrah/gomodguard v1.3.3 // indirect + github.com/ryancurrah/gomodguard v1.3.5 // indirect github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect github.com/sashamelentyev/interfacebloat v1.1.0 // indirect github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect - github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0 // indirect + github.com/securego/gosec/v2 v2.21.2 // indirect github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sivchari/containedctx v1.0.3 // indirect 
@@ -151,7 +151,7 @@ require ( github.com/stretchr/testify v1.9.0 // indirect github.com/subosito/gotenv v1.4.1 // indirect github.com/tdakkota/asciicheck v0.2.0 // indirect - github.com/tetafro/godot v1.4.16 // indirect + github.com/tetafro/godot v1.4.17 // indirect github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect github.com/timonwong/loggercheck v0.9.4 // indirect github.com/tomarrell/wrapcheck/v2 v2.9.0 // indirect @@ -170,12 +170,12 @@ require ( go.uber.org/automaxprocs v1.5.3 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect - golang.org/x/mod v0.20.0 // indirect + golang.org/x/mod v0.21.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/tools v0.24.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index 750b93716f9..de6bd9d31a7 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -37,8 +37,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8= github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0= -github.com/Abirdcfly/dupword v0.0.14 h1:3U4ulkc8EUo+CaT105/GJ1BQwtgyj6+VaBVbAX11Ba8= -github.com/Abirdcfly/dupword v0.0.14/go.mod h1:VKDAbxdY8YbKUByLGg8EETzYSuC4crm9WwI6Y3S0cLI= +github.com/Abirdcfly/dupword v0.1.1 h1:Bsxe0fIw6OwBtXMIncaTxCLHYO5BB+3mcsR5E8VXloY= +github.com/Abirdcfly/dupword v0.1.1/go.mod h1:B49AcJdTYYkpd4HjgAcutNGG9HZ2JWwKunH9Y2BA6sM= github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM= github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns= github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ= 
@@ -49,14 +49,14 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Crocmagnon/fatcontext v0.4.0 h1:4ykozu23YHA0JB6+thiuEv7iT6xq995qS1vcuWZq0tg= -github.com/Crocmagnon/fatcontext v0.4.0/go.mod h1:ZtWrXkgyfsYPzS6K3O88va6t2GEglG93vnII/F94WC0= +github.com/Crocmagnon/fatcontext v0.5.2 h1:vhSEg8Gqng8awhPju2w7MKHqMlg4/NI+gSDHtR3xgwA= +github.com/Crocmagnon/fatcontext v0.5.2/go.mod h1:87XhRMaInHP44Q7Tlc7jkgKKB7kZAOPiDkFMdKCC+74= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU= github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0/go.mod h1:ONJg5sxcbsdQQ4pOW8TGdTidT2TMAUy/2Xhr8mrYaao= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA= github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ= github.com/alecthomas/assert/v2 v2.2.2 h1:Z/iVC0xZfWTaFNE6bA3z07T86hd45Xe2eLt6WVy2bbk= 
@@ -115,15 +115,15 @@ github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+U github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/ckaznocha/intrange v0.1.2 h1:3Y4JAxcMntgb/wABQ6e8Q8leMd26JbX2790lIss9MTI= -github.com/ckaznocha/intrange v0.1.2/go.mod h1:RWffCw/vKBwHeOEwWdCikAtY0q4gGt8VhJZEEA5n+RE= +github.com/ckaznocha/intrange v0.2.0 h1:FykcZuJ8BD7oX93YbO1UY9oZtkRbp+1/kJcDjkefYLs= +github.com/ckaznocha/intrange v0.2.0/go.mod h1:r5I7nUlAAG56xmkOpw4XVr16BXhwYTUdcuRFeevn1oE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo= github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc= -github.com/daixiang0/gci v0.13.4 h1:61UGkmpoAcxHM2hhNkZEf5SzwQtWJXTSws7jaPyqwlw= -github.com/daixiang0/gci v0.13.4/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk= +github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c= +github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -186,8 +186,8 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ= github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus= github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig= -github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc= -github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.1.0 h1:gHnMa2Y/pIxElCH2GlZZ1lZSsn6XMtufpGyP1XxdC/w= +github.com/go-viper/mapstructure/v2 v2.1.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U= github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= 
@@ -228,8 +228,8 @@ github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE= -github.com/golangci/golangci-lint v1.60.3 h1:l38A5de24ZeDlcFF+EB7m3W5joPD99/hS5SIHJPyZa0= -github.com/golangci/golangci-lint v1.60.3/go.mod h1:J4vOpcjzRI+lDL2DKNGBZVB3EQSBfCBCMpaydWLtJNo= +github.com/golangci/golangci-lint v1.61.0 h1:VvbOLaRVWmyxCnUIMTbf1kDsaJbTzH20FAMXTAlQGu8= +github.com/golangci/golangci-lint v1.61.0/go.mod h1:e4lztIrJJgLPhWvFPDkhiMwEFRrWlmFbrZea3FsJyN8= github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs= github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -266,8 +266,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= -github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 
@@ -395,10 +395,10 @@ github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbn github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/onsi/ginkgo/v2 v2.20.0 h1:PE84V2mHqoT1sglvHc8ZdQtPcwmvvt29WLEEO3xmdZw= -github.com/onsi/ginkgo/v2 v2.20.0/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= -github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= -github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= +github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= +github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU= github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w= 
@@ -408,8 +408,8 @@ github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT9 github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= -github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -442,8 +442,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs= -github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI= +github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 h1:+Wl/0aFp0hpuHM3H//KMft64WQ1yX9LdJY64Qm/gFCo= +github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI= github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE= github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU= github.com/quasilyte/gogrep v0.5.0 h1:eTKODPXbI8ffJMN+W2aE0+oL0z/nh8/5eNdiO34SOAo= 
@@ -456,8 +456,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryancurrah/gomodguard v1.3.3 h1:eiSQdJVNr9KTNxY2Niij8UReSwR8Xrte3exBrAZfqpg= -github.com/ryancurrah/gomodguard v1.3.3/go.mod h1:rsKQjj4l3LXe8N344Ow7agAy5p9yjsWOtRzUMYmA0QY= +github.com/ryancurrah/gomodguard v1.3.5 h1:cShyguSwUEeC0jS7ylOiG/idnd1TpJ1LfHGpV3oJmPU= +github.com/ryancurrah/gomodguard v1.3.5/go.mod h1:MXlEPQRxgfPQa62O8wzK3Ozbkv9Rkqr+wKjSxTdsNJE= github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU= github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ= github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc= 
@@ -468,8 +468,8 @@ github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tM github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ= github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI= github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= -github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0 h1:VqD4JMoqwuuCz8GZlBDsIDyE6K4YUsWJpbNtuOWHoFk= -github.com/securego/gosec/v2 v2.20.1-0.20240822074752-ab3f6c1c83a0/go.mod h1:iyeMMRw8QEmueUSZ2VqmkQMiDyDcobfPnG00CV/NWdE= +github.com/securego/gosec/v2 v2.21.2 h1:deZp5zmYf3TWwU7A7cR2+SolbTpZ3HQiwFqnzQyEl3M= +github.com/securego/gosec/v2 v2.21.2/go.mod h1:au33kg78rNseF5PwPnTWhuYBFf534bvJRvOrgZ/bFzU= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= 
@@ -527,8 +527,8 @@ github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= -github.com/tetafro/godot v1.4.16 h1:4ChfhveiNLk4NveAZ9Pu2AN8QZ2nkUGFuadM9lrr5D0= -github.com/tetafro/godot v1.4.16/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio= +github.com/tetafro/godot v1.4.17 h1:pGzu+Ye7ZUEFx7LHU0dAKmCOXWsPjl7qA6iMGndsjPs= +github.com/tetafro/godot v1.4.17/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio= github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+nhpFa4gg4yJyTRJ13reZMDHrKwYw53M= github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ= github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4= 
@@ -599,8 +599,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8= 
@@ -633,8 +633,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -749,8 +749,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= -golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -767,8 +767,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 4656be4a4dcb41516a196adcdc34d1e4e61ef017 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:09:18 -0700 Subject: [PATCH 157/523] build(deps): bump busybox from `34b191d` to `c230832` in /tools/docker/envoy-gateway (#4244) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `34b191d` to `c230832`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 4b40efa93d7..73eece8b990 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -1,4 +1,4 @@ -FROM busybox@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41 as source +FROM busybox@sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140 as source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 84e348f3b90c9f0d7c690b38e8d355eb9b30d7ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:33:20 -0700 Subject: [PATCH 158/523] build(deps): bump github.com/bufbuild/buf from 1.40.1 to 1.41.0 in /tools/src/buf (#4245) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.40.1 to 1.41.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.40.1...v1.41.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 40 ++++++++++----------- tools/src/buf/go.sum | 84 ++++++++++++++++++++++---------------------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 3df7032229f..e719faa3857 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,7 +2,7 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.40.1 +require github.com/bufbuild/buf v1.41.0 require ( buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 // indirect 
@@ -10,21 +10,21 @@ require ( buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 // indirect buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect + buf.build/go/bufplugin v0.2.0 // indirect connectrpc.com/connect v1.16.2 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.12.6 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect - github.com/bufbuild/bufplugin-go v0.1.0 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect - github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee // indirect + github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect github.com/bufbuild/protovalidate-go v0.6.5 // indirect github.com/bufbuild/protoyaml-go v0.1.12 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.21 // indirect + github.com/containerd/containerd v1.7.22 // indirect github.com/containerd/continuity v0.4.3 // indirect - github.com/containerd/errdefs v0.1.0 // indirect + github.com/containerd/errdefs v0.2.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect 
@@ -32,9 +32,9 @@ require ( github.com/containerd/typeurl/v2 v2.2.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.2.0+incompatible // indirect + github.com/docker/cli v27.2.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.2.0+incompatible // indirect + github.com/docker/docker v27.2.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -50,7 +50,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 // indirect + github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -76,8 +76,8 @@ require ( github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect - github.com/quic-go/qpack v0.5.0 // indirect - github.com/quic-go/quic-go v0.46.0 // indirect + github.com/quic-go/qpack v0.5.1 // indirect + github.com/quic-go/quic-go v0.47.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect 
@@ -87,28 +87,28 @@ require ( github.com/vbatts/tar-split v0.11.5 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect - go.opentelemetry.io/otel v1.29.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/sdk v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/sdk v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/mock v0.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.26.0 // indirect - golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.28.0 // indirect + golang.org/x/net v0.29.0 // indirect golang.org/x/sync v0.8.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/term v0.24.0 // indirect golang.org/x/text v0.18.0 // indirect - golang.org/x/tools v0.24.0 // indirect + golang.org/x/tools v0.25.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/grpc v1.66.0 // indirect + google.golang.org/grpc v1.66.1 // indirect google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - pluginrpc.com/pluginrpc v0.2.0 // indirect + pluginrpc.com/pluginrpc v0.3.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index e611b0b9681..49fa12e2c0a 100644 --- a/tools/src/buf/go.sum 
+++ b/tools/src/buf/go.sum @@ -8,6 +8,8 @@ buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45b buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= +buf.build/go/bufplugin v0.2.0 h1:nnNvWzUgQXitRDmjWWIkuXj9klreAAE94sVCsL+0v5g= +buf.build/go/bufplugin v0.2.0/go.mod h1:ZZYGt6PDcjbBSywdz/G8NdXkIuWi2rzR8CduGzbCPdk= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= 
@@ -24,14 +26,12 @@ github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0 github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.40.1 h1:u99ME/yC6zzZH5yGfwmcTt46bxFqDfuvFuif/W9F3Qo= -github.com/bufbuild/buf v1.40.1/go.mod h1:PMkhwcFMP8d/aBJsvJL7GZq/CdeT7jwTS96RwFyKSU8= -github.com/bufbuild/bufplugin-go v0.1.0 h1:3LmgSHaSf8mPvwoFunimgm8uKJFLg+YePdi7NQgnfdY= -github.com/bufbuild/bufplugin-go v0.1.0/go.mod h1:gIbsJlcYJRLylxxNN3FPNd91fYxJmGVQgbZ67xLVrXk= +github.com/bufbuild/buf v1.41.0 h1:4z4r7bysUZ8EAseRjQ/AWQNpOP3M1v15N+vhLe8U1WU= +github.com/bufbuild/buf v1.41.0/go.mod h1:4fMd9FF67dUbuzMFg5rIJy+6Iu6oKldAG2Z9A8zAlEk= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= -github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee h1:E6ET8YUcYJ1lAe6ctR3as7yqzW2BNItDFnaB5zQq/8M= -github.com/bufbuild/protoplugin v0.0.0-20240323223605-e2735f6c31ee/go.mod h1:HjGFxsck9RObrTJp2hXQZfWhPgZqnR6sR1U5fCA/Kus= +github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= +github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= github.com/bufbuild/protovalidate-go v0.6.5 h1:WucDKXIbK22WjkO8A8J6Yyxxy0jl91Oe9LSMduq3YEE= github.com/bufbuild/protovalidate-go v0.6.5/go.mod h1:LHDiGCWSM3GagZEnyEZ1sPtFwi6Ja4tVTi/DCc+iDFI= github.com/bufbuild/protoyaml-go v0.1.12 h1:tIJrwvGxumVpNwLsw/AevT1QnkPDBuAObBSuBAdmAWY= 
@@ -52,12 +52,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.21 h1:USGXRK1eOC/SX0L195YgxTHb0a00anxajOzgfN0qrCA= -github.com/containerd/containerd v1.7.21/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= +github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= +github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= -github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= +github.com/containerd/errdefs v0.2.0 h1:XllDESRfJtVrMwMmR2mCabxyvBK4UlbyyiWI3MvRw0o= +github.com/containerd/errdefs v0.2.0/go.mod h1:C28ixlj3dKhQS9hsQ13b+HIb4X7+s2G4FYhbSPcRDLM= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= 
@@ -77,12 +77,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM= -github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70= +github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4= -github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= +github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -148,8 +148,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 h1:q5g0N9eal4bmJwXHC5z0QCKs8qhS35hFfq0BAYsIwZI= -github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 h1:c5FlPPgxOn7kJz3VoPLkQYQXGBS3EklQ4Zfi57uOuqQ= +github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -161,8 +161,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ= github.com/jdx/go-netrc v1.0.0/go.mod h1:Gh9eFQJnoTNIRHXl2j5bJXA1u84hQWJWgGh569zF3v8= -github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg= -github.com/jhump/protoreflect v1.16.0/go.mod h1:oYPd7nPvcBw/5wlDfm/AVmU9zH9BgqGCI469pGxfj/8= +github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94= +github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 
@@ -224,10 +224,10 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/quic-go/qpack v0.5.0 h1:jldbr38Ef/swDfxtvNvvUIYNg5LNm3Oa9W+IZvCm4q0= -github.com/quic-go/qpack v0.5.0/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y= -github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI= +github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= +github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= +github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= +github.com/quic-go/quic-go v0.47.0/go.mod h1:3bCapYsJvXGZcipOHuu7plYtaV6tnF+z7wIFsU0WK9E= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= 
@@ -259,20 +259,20 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= -go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= -go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= go.opentelemetry.io/otel/sdk/metric v1.19.0 
h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -288,11 +288,11 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= -golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -309,8 +309,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -347,8 +347,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= +golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -367,8 +367,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c= -google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM= +google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -390,5 +390,5 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -pluginrpc.com/pluginrpc v0.2.0 h1:mUuxA2Vtt1/buDsnR1HscuAu56Y/3ax5oPPy+9q/Zr4= -pluginrpc.com/pluginrpc v0.2.0/go.mod h1:rX3qwV56YEwfayfyfEovbQ+KMVDjgJ8icHy0WTaUXRY= +pluginrpc.com/pluginrpc v0.3.0 h1:9BSGRIdNLf/+EU3JrkISLwgIAuYxBrMEzSfNyeQ/Gp0= +pluginrpc.com/pluginrpc v0.3.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o= From ab122dbe2d5ee0306a8c158c76724e97d83434fd Mon Sep 17 00:00:00 2001 
From: Huabing Zhao Date: Tue, 17 Sep 2024 10:50:11 +0800 Subject: [PATCH 159/523] CORS: support wildcard matching for AllowMethods and AllowHeaders (#4168) * set reasonable validation and field types for cors Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix gen check Signed-off-by: Huabing Zhao * fixt test Signed-off-by: Huabing Zhao * support wildcard Signed-off-by: Huabing Zhao * add e2e tests Signed-off-by: Huabing Zhao * add e2e tests Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * add comments Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- api/v1alpha1/cors_types.go | 48 +++++- ...ateway.envoyproxy.io_securitypolicies.yaml | 33 ++-- internal/xds/translator/cors.go | 23 ++- .../translator/testdata/in/xds-ir/cors.yaml | 1 + .../testdata/out/xds-ir/cors.routes.yaml | 2 +- site/content/en/latest/api/extension_types.md | 12 +- site/content/zh/latest/api/extension_types.md | 12 +- test/e2e/testdata/cors.yaml | 45 ++++- test/e2e/tests/cors.go | 155 ++++++++++++++++-- 9 files changed, 279 insertions(+), 52 deletions(-) diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go index 2c2fb50f681..26c87bd8a05 100644 --- a/api/v1alpha1/cors_types.go +++ b/api/v1alpha1/cors_types.go 
@@ -29,18 +29,48 @@ type Origin string // CORS defines the configuration for Cross-Origin Resource Sharing (CORS). type CORS struct { // AllowOrigins defines the origins that are allowed to make requests. - // +kubebuilder:validation:MinItems=1 - AllowOrigins []Origin `json:"allowOrigins,omitempty" yaml:"allowOrigins"` + // It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header. + // The value "*" allows any origin to make requests. + // + // +optional + AllowOrigins []Origin `json:"allowOrigins,omitempty"` + // AllowMethods defines the methods that are allowed to make requests. - // +kubebuilder:validation:MinItems=1 - AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods"` + // It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header.. + // The value "*" allows any method to be used. + // + // +optional + AllowMethods []string `json:"allowMethods,omitempty"` + // AllowHeaders defines the headers that are allowed to be sent with requests. - AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"` - // ExposeHeaders defines the headers that can be exposed in the responses. - ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"` + // It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header.. + // The value "*" allows any header to be sent. + // + // +optional + AllowHeaders []string `json:"allowHeaders,omitempty"` + + // ExposeHeaders defines which response headers should be made accessible to + // scripts running in the browser. + // It specifies the headers in the Access-Control-Expose-Headers CORS response header.. + // The value "*" allows any header to be exposed. + // + // +optional + ExposeHeaders []string `json:"exposeHeaders,omitempty"` + // MaxAge defines how long the results of a preflight request can be cached. 
- MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"` + // It specifies the value in the Access-Control-Max-Age CORS response header.. + // + // +optional + MaxAge *metav1.Duration `json:"maxAge,omitempty"` + // AllowCredentials indicates whether a request can include user credentials // like cookies, authentication headers, or TLS client certificates. - AllowCredentials *bool `json:"allowCredentials,omitempty" yaml:"allowCredentials,omitempty"` + // It specifies the value in the Access-Control-Allow-Credentials CORS response header. + // + // +optional + AllowCredentials *bool `json:"allowCredentials,omitempty"` + + // TODO zhaohuabing: according to CORS spec, wildcard should be treated as a literal value + // for CORS requests with credentials. + // This needs to be supported in the Envoy CORS filter. } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index f2c08a230d2..d3d18a0089f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
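Review bot: Nothing in the reworked `CORS` type stops a policy from combining `allowCredentials: true` with a `"*"` entry, which is exactly the case the TODO at the end of the struct says the CORS spec treats differently. The wildcard e2e test in this commit expects the caller's own Origin to be echoed in `access-control-allow-origin`, so a wildcard origin with credentials enabled would presumably extend credentialed access to any site. Until the filter handles this, consider rejecting the combination at admission with a CEL marker on the struct, e.g. `// +kubebuilder:validation:XValidation:rule="!(has(self.allowCredentials) && self.allowCredentials && has(self.allowOrigins) && self.allowOrigins.exists(o, o == '*'))",message="allowCredentials cannot be combined with a wildcard origin"`, or at least state the restriction in the `AllowCredentials` comment. The same gap shows in the `patchRoute` hunk of internal/xds/translator/cors.go, where the visible lines collapse `AllowMethods` and `AllowHeaders` to `*` without looking at `c.AllowCredentials`.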
@@ -252,23 +252,29 @@ spec: description: |- AllowCredentials indicates whether a request can include user credentials like cookies, authentication headers, or TLS client certificates. + It specifies the value in the Access-Control-Allow-Credentials CORS response header. type: boolean allowHeaders: - description: AllowHeaders defines the headers that are allowed - to be sent with requests. + description: |- + AllowHeaders defines the headers that are allowed to be sent with requests. + It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header.. + The value "*" allows any header to be sent. items: type: string type: array allowMethods: - description: AllowMethods defines the methods that are allowed - to make requests. + description: |- + AllowMethods defines the methods that are allowed to make requests. + It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header.. + The value "*" allows any method to be used. items: type: string - minItems: 1 type: array allowOrigins: - description: AllowOrigins defines the origins that are allowed - to make requests. + description: |- + AllowOrigins defines the origins that are allowed to make requests. + It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header. + The value "*" allows any origin to make requests. items: description: |- Origin is defined by the scheme (protocol), hostname (domain), and port of 
@@ -288,17 +294,20 @@ spec: minLength: 1 pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ type: string - minItems: 1 type: array exposeHeaders: - description: ExposeHeaders defines the headers that can be exposed - in the responses. + description: |- + ExposeHeaders defines which response headers should be made accessible to + scripts running in the browser. + It specifies the headers in the Access-Control-Expose-Headers CORS response header.. + The value "*" allows any header to be exposed. items: type: string type: array maxAge: - description: MaxAge defines how long the results of a preflight - request can be cached. + description: |- + MaxAge defines how long the results of a preflight request can be cached. + It specifies the value in the Access-Control-Max-Age CORS response header.. type: string type: object extAuth: diff --git a/internal/xds/translator/cors.go b/internal/xds/translator/cors.go index cda5ae8a40a..542b9aa680c 100644 --- a/internal/xds/translator/cors.go +++ b/internal/xds/translator/cors.go @@ -134,8 +134,18 @@ func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { allowOrigins = append(allowOrigins, buildXdsStringMatcher(origin)) } - allowMethods = strings.Join(c.AllowMethods, ", ") - allowHeaders = strings.Join(c.AllowHeaders, ", ") + // Envoy only supports a single "*" for matching all, and treats the "*" in "*, GET" as a literal. + // https://github.com/envoyproxy/envoy/blob/eb61f368690cae173502f80549b7e2169ec24766/source/extensions/filters/http/cors/cors_filter.cc#L140-L159 + if hasWildcard(c.AllowMethods) { + allowMethods = "*" + } else { + allowMethods = strings.Join(c.AllowMethods, ", ") + } + if hasWildcard(c.AllowHeaders) { + allowHeaders = "*" + } else { + allowHeaders = strings.Join(c.AllowHeaders, ", ") + } exposeHeaders = strings.Join(c.ExposeHeaders, ", ") if c.MaxAge != nil { maxAge = strconv.Itoa(int(c.MaxAge.Seconds())) 
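Review bot: `exposeHeaders` is still joined verbatim on the line right after the two new wildcard branches in `patchRoute`, so a list such as `["*", "x-header-3"]` is emitted as `*, x-header-3` while the same list in `AllowMethods` or `AllowHeaders` is collapsed to `*`. The new comment explains Envoy's matching only for methods and headers; either collapse `c.ExposeHeaders` the same way or add a why-comment above it, for example `// ExposeHeaders is passed through as written; no wildcard collapse is applied here.`, with the reason confirmed against the filter. `patchRoute` starts and ends outside this hunk, so whether credentials are considered elsewhere in the function cannot be seen from here.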
@@ -166,6 +176,15 @@ func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return nil } +func hasWildcard(array []string) bool { + for _, s := range array { + if s == "*" { + return true + } + } + return false +} + func (c *cors) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute) error { return nil } diff --git a/internal/xds/translator/testdata/in/xds-ir/cors.yaml b/internal/xds/translator/testdata/in/xds-ir/cors.yaml index dd9eff3418f..0e046110a00 100644 --- a/internal/xds/translator/testdata/in/xds-ir/cors.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/cors.yaml @@ -30,6 +30,7 @@ http: allowMethods: - GET - POST + - "*" allowHeaders: - "x-header-1" - "x-header-2" diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml index 93bfb4d3c15..12c4fce7778 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml @@ -17,7 +17,7 @@ '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy allowCredentials: true allowHeaders: x-header-1, x-header-2 - allowMethods: GET, POST + allowMethods: '*' allowOriginStringMatch: - safeRegex: regex: '*.example.com' diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index ee535e23b90..4599c3214c4 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
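Review bot: `hasWildcard` is added without a doc comment and hand-rolls a membership test that the standard library already provides. If the module's Go version allows it, the loop can become `return slices.Contains(array, "*")`, which needs `slices` in the import block of cors.go (outside this hunk). A comment such as `// hasWildcard reports whether array contains the literal entry "*".` would also make it clear that only an exact `*` element counts, so an element like ` * ` or `GET,*` is not treated as a wildcard and is passed to Envoy as written.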
@@ -537,12 +537,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `allowOrigins` | _[Origin](#origin) array_ | true | AllowOrigins defines the origins that are allowed to make requests. | -| `allowMethods` | _string array_ | true | AllowMethods defines the methods that are allowed to make requests. | -| `allowHeaders` | _string array_ | true | AllowHeaders defines the headers that are allowed to be sent with requests. | -| `exposeHeaders` | _string array_ | true | ExposeHeaders defines the headers that can be exposed in the responses. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | MaxAge defines how long the results of a preflight request can be cached. | -| `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | +| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index ee535e23b90..4599c3214c4 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -537,12 +537,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `allowOrigins` | _[Origin](#origin) array_ | true | AllowOrigins defines the origins that are allowed to make requests. | -| `allowMethods` | _string array_ | true | AllowMethods defines the methods that are allowed to make requests. | -| `allowHeaders` | _string array_ | true | AllowHeaders defines the headers that are allowed to be sent with requests. | -| `exposeHeaders` | _string array_ | true | ExposeHeaders defines the headers that can be exposed in the responses. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | MaxAge defines how long the results of a preflight request can be cached. | -| `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | +| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | diff --git a/test/e2e/testdata/cors.yaml b/test/e2e/testdata/cors.yaml index 0c20bfa1998..3875223a961 100644 --- a/test/e2e/testdata/cors.yaml +++ b/test/e2e/testdata/cors.yaml @@ -1,13 +1,30 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-cors-exact + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /cors-exact + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: - name: cors-example + name: cors-exact namespace: gateway-conformance-infra spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute - name: http-with-cors + name: http-with-cors-exact cors: allowOrigins: - "https://www.foo.com" @@ -30,7 +47,7 @@ spec: apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: http-with-cors + name: http-with-cors-wildcard namespace: gateway-conformance-infra spec: parentRefs: @@ -39,7 +56,27 @@ spec: - matches: - path: type: PathPrefix - value: /cors + value: /cors-wildcard backendRefs: - name: infra-backend-v1 port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: cors-wildcard + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-cors-wildcard + cors: + allowOrigins: + - "*" + allowMethods: + - "*" + allowHeaders: + - "*" + exposeHeaders: + - "*" diff --git a/test/e2e/tests/cors.go b/test/e2e/tests/cors.go index 8377d00453f..4b516ad3314 100644 --- a/test/e2e/tests/cors.go +++ b/test/e2e/tests/cors.go 
@@ -12,9 +12,13 @@ import ( "testing" "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" ) func init() { 
@@ -28,25 +32,49 @@ var CorsTest = suite.ConformanceTest{ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("should enable cors with Allow Origin Exact", func(t *testing.T) { ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-cors", Namespace: ns} + routeNN := types.NamespacedName{Name: "http-with-cors-exact", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "cors-exact", Namespace: ns}, suite.ControllerName, ancestorRef) + expectedResponse := http.ExpectedResponse{ Request: http.Request{ - Path: "/cors", + Path: "/cors-exact", + Method: "OPTIONS", Headers: map[string]string{ - "Origin": "https://www.foo.com", + "Origin": "https://www.foo.com", + "access-control-request-method": "GET", + "access-control-request-headers": "x-header-1, x-header-2", + }, + }, + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // The response body is empty because the request is a preflight request. 
+ ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "OPTIONS", + Path: "", + Headers: nil, }, }, Response: http.Response{ StatusCode: 200, Headers: map[string]string{ "access-control-allow-origin": "https://www.foo.com", + "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS", + "access-control-allow-headers": "x-header-1, x-header-2", "access-control-expose-headers": "x-header-3, x-header-4", }, }, - Namespace: ns, + Namespace: "", } req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") 
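Review bot: The `ancestorRef` literal and the `SecurityPolicyMustBeAccepted` call added in this subtest are repeated unchanged in the other three subtests (the hunks at -62,26 and -97,21), differing only in the policy name. A small helper keeps the four copies from drifting apart and shortens each subtest to the part that actually differs. Separately, the comment above `ExpectedRequest` says it is "a workaround to avoid the test failure" without naming the failure; one sentence on what the comparison would otherwise check would help. The subtest body continues past the end of this hunk.

```go
// corsAncestorRef builds the Gateway parent reference passed to SecurityPolicyMustBeAccepted.
func corsAncestorRef(gwNN types.NamespacedName) gwapiv1a2.ParentReference {
	return gwapiv1a2.ParentReference{
		Group:     gatewayapi.GroupPtr(gwapiv1.GroupName),
		Kind:      gatewayapi.KindPtr(gatewayapi.KindGateway),
		Namespace: gatewayapi.NamespacePtr(gwNN.Namespace),
		Name:      gwapiv1.ObjectName(gwNN.Name),
	}
}

// … unchanged: ns, routeNN, gwNN, gwAddr …
SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "cors-exact", Namespace: ns}, suite.ControllerName, corsAncestorRef(gwNN))
// … unchanged: expectedResponse and the round trip …
```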
@@ -62,26 +90,49 @@ var CorsTest = suite.ConformanceTest{ t.Run("should enable cors with Allow Origin Regex", func(t *testing.T) { ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-cors", Namespace: ns} + routeNN := types.NamespacedName{Name: "http-with-cors-exact", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "cors-exact", Namespace: ns}, suite.ControllerName, ancestorRef) + expectedResponse := http.ExpectedResponse{ Request: http.Request{ - Path: "/cors", + Path: "/cors-exact", Method: "OPTIONS", Headers: map[string]string{ - "Origin": "https://anydomain.foobar.com", + "Origin": "https://anydomain.foobar.com", + "access-control-request-method": "GET", + "access-control-request-headers": "x-header-1, x-header-2", + }, + }, + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // The response body is empty because the request is a preflight request. 
+ ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "OPTIONS", + Path: "", + Headers: nil, }, }, Response: http.Response{ StatusCode: 200, Headers: map[string]string{ "access-control-allow-origin": "https://anydomain.foobar.com", + "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS", + "access-control-allow-headers": "x-header-1, x-header-2", "access-control-expose-headers": "x-header-3, x-header-4", }, }, - Namespace: ns, + Namespace: "", } req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") 
@@ -97,21 +148,101 @@ var CorsTest = suite.ConformanceTest{ t.Run("should not contain cors headers when Origin not registered", func(t *testing.T) { ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-cors", Namespace: ns} + routeNN := types.NamespacedName{Name: "http-with-cors-exact", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "cors-exact", Namespace: ns}, suite.ControllerName, ancestorRef) + expectedResponse := http.ExpectedResponse{ Request: http.Request{ - Path: "/cors", + Path: "/cors-exact", + Method: "OPTIONS", Headers: map[string]string{ - "Origin": "https://unknown.foo.com", + "Origin": "https://unknown.foo.com", + "access-control-request-method": "GET", + "access-control-request-headers": "x-header-1, x-header-2", + }, + }, + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // The response body is empty because the request is a preflight request. 
+ ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "OPTIONS", + Path: "", + Headers: nil, }, }, Response: http.Response{ AbsentHeaders: []string{"access-control-allow-origin"}, }, - Namespace: ns, + Namespace: "", + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") + cReq, cResp, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + t.Errorf("failed to get expected response: %v", err) + } + + if err := http.CompareRequest(t, &req, cReq, cResp, expectedResponse); err != nil { + t.Errorf("failed to compare request and response: %v", err) + } + }) + + t.Run("should enable cors with wildcard matching", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-with-cors-wildcard", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "cors-wildcard", Namespace: ns}, suite.ControllerName, ancestorRef) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/cors-wildcard", + Method: "OPTIONS", + Headers: map[string]string{ + "Origin": "https://foo.bar.com", + "access-control-request-method": "GET", + "access-control-request-headers": "x-header-1, x-header-2", + }, + }, + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // The response body is empty because the request is a preflight request. 
+ ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "OPTIONS", + Path: "", + Headers: nil, + }, + }, + Response: http.Response{ + StatusCode: 200, + Headers: map[string]string{ + "access-control-allow-origin": "https://foo.bar.com", + "access-control-allow-methods": "GET", + "access-control-allow-headers": "x-header-1, x-header-2", + "access-control-expose-headers": "*", + }, + }, + Namespace: "", } req := http.MakeRequest(t, &expectedResponse, gwAddr, "HTTP", "http") From eea61cc5bcca90c1bf8521d02d00c732a04296d0 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 17 Sep 2024 12:32:56 +0800 Subject: [PATCH 160/523] chore: fix merge nit (#4260) Signed-off-by: zirain --- test/e2e/tests/cors.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/test/e2e/tests/cors.go b/test/e2e/tests/cors.go index 4b516ad3314..50063f5cd3f 100644 --- a/test/e2e/tests/cors.go +++ b/test/e2e/tests/cors.go @@ -19,6 +19,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) func init() { @@ -38,7 +39,7 @@ var CorsTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -96,7 +97,7 @@ var CorsTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } 
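Review bot: The "Origin not registered" subtest now sends a full preflight (`access-control-request-method` and `access-control-request-headers`) but still asserts only that `access-control-allow-origin` is absent. For the negative case of an access-control policy it is worth asserting that none of the grant headers come back, e.g. `AbsentHeaders: []string{"access-control-allow-origin", "access-control-allow-methods", "access-control-allow-headers", "access-control-allow-credentials"},`, assuming the backend does not set them itself. The new wildcard subtest in the same hunk also has no counterpart with `allowCredentials: true`, which is the case the TODO in cors_types.go calls out and the one most likely to regress unnoticed.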
@@ -154,7 +155,7 @@ var CorsTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } @@ -206,7 +207,7 @@ var CorsTest = suite.ConformanceTest{ ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(gatewayapi.KindGateway), + Kind: gatewayapi.KindPtr(resource.KindGateway), Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } From a8b0d2b46bea278d3db863f8fe8713a248c2ec32 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 12:33:13 +0800 Subject: [PATCH 161/523] build(deps): bump helm.sh/helm/v3 from 3.15.4 to 3.16.1 (#4251) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.15.4 to 3.16.1. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.15.4...v3.16.1) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- go.mod | 14 +++++++------- go.sum | 60 ++++++++++++++++------------------------------------------ 2 files changed, 23 insertions(+), 51 deletions(-) diff --git a/go.mod b/go.mod index e2a3d39a8fa..ea73125acd9 100644 --- a/go.mod +++ b/go.mod @@ -47,7 +47,7 @@ require ( golang.org/x/sys v0.25.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.15.4 + helm.sh/helm/v3 v3.16.1 k8s.io/api v0.31.1 k8s.io/apiextensions-apiserver v0.31.1 k8s.io/apimachinery v0.31.1 
@@ -69,7 +69,7 @@ require ( require ( cel.dev/expr v0.15.0 // indirect - dario.cat/mergo v1.0.0 // indirect + dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.9.0 // indirect fortio.org/dflag v1.7.2 // indirect @@ -80,7 +80,7 @@ require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect github.com/BurntSushi/toml v1.4.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect - github.com/Masterminds/sprig/v3 v3.2.3 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.12.5 // indirect @@ -125,11 +125,11 @@ require ( github.com/gosuri/uitable v0.0.4 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/huandu/xstrings v1.4.0 // indirect + github.com/huandu/xstrings v1.5.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect github.com/jackc/pgx/v5 v5.6.0 // indirect - github.com/jmoiron/sqlx v1.3.5 // indirect + github.com/jmoiron/sqlx v1.4.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/kortschak/goroutine v1.1.2 // indirect @@ -165,7 +165,7 @@ require ( github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect github.com/rivo/uniseg v0.4.7 // indirect - github.com/rubenv/sql-migrate v1.6.1 // indirect + github.com/rubenv/sql-migrate v1.7.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect 
@@ -174,7 +174,7 @@ require ( github.com/shopspring/decimal v1.4.0 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect - github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/spf13/viper v1.19.0 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect diff --git a/go.sum b/go.sum index e55e7b89c35..c9fadbdcc67 100644 --- a/go.sum +++ b/go.sum @@ -3,8 +3,8 @@ cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= -dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= 
@@ -60,11 +60,10 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
 github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
-github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
-github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -236,8 +235,8 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
 github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
-github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -326,7 +325,6 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-redis/redis/v7 v7.4.1 h1:PASvf36gyUpr2zdOUS/9Zqc80GbM+9BDyiJSJDDOrTI=
 github.com/go-redis/redis/v7 v7.4.1/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg=
-github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -452,9 +450,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.5/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyf
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
-github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -469,8 +466,8 @@ github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgt
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
-github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -516,7 +513,6 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
@@ -552,7 +548,6 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -566,7 +561,6 @@ github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mistifyio/go-zfs/v3 v3.0.1 h1:YaoXgBePoMA12+S1u/ddkv+QqxcfiZK4prI6HPnkFiU= github.com/mistifyio/go-zfs/v3 v3.0.1/go.mod h1:CzVgeB0RvF2EGzQnytKVvVSDwmKJXxkOTUGbNrTja/k= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= 
@@ -576,7 +570,6 @@ github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTS github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= @@ -715,8 +708,8 @@ github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= -github.com/rubenv/sql-migrate v1.6.1 h1:bo6/sjsan9HaXAsNxYP/jCEDUGibHp8JmOBw7NTGRos= -github.com/rubenv/sql-migrate v1.6.1/go.mod h1:tPzespupJS0jacLfhbwto/UjSX+8h2FdWB7ar+QlHa0= +github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
@@ -738,7 +731,6 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU= github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= @@ -756,9 +748,8 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= 
@@ -841,7 +832,6 @@ github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= @@ -907,8 +897,6 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= 
@@ -922,7 +910,6 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -948,9 +935,6 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -965,7 +949,6 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -996,25 +979,17 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term 
v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1022,8 +997,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1048,7 +1021,6 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1129,8 +1101,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY= -helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E= +helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= +helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 7d772b1175de4e31a38aaa81aab4363e19b1ee72 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 10:12:21 -0700 Subject: [PATCH 162/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.100.0 to 0.102.0 (#4261) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.100.0 to 0.102.0. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.100.0...v0.102.0) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index ea73125acd9..b883e1d7a85 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.2.0+incompatible - github.com/replicatedhq/troubleshoot v0.100.0 + github.com/replicatedhq/troubleshoot v0.102.0 google.golang.org/grpc v1.66.2 ) @@ -96,7 +96,7 @@ require ( github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/containers/image/v5 v5.32.1 // indirect + github.com/containers/image/v5 v5.32.2 // indirect github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect github.com/containers/ocicrypt v1.2.0 // indirect github.com/containers/storage v1.55.0 // indirect 
@@ -127,8 +127,8 @@ require ( github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect - github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect - github.com/jackc/pgx/v5 v5.6.0 // indirect + github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect + github.com/jackc/pgx/v5 v5.7.0 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect @@ -259,7 +259,7 @@ require ( go.opentelemetry.io/otel/trace v1.30.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/mod v0.20.0 // indirect + golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.29.0 golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect diff --git a/go.sum b/go.sum index c9fadbdcc67..ab5b97d09b8 100644 --- a/go.sum +++ b/go.sum 
@@ -136,8 +136,8 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/containers/image/v5 v5.32.1 h1:fVa7GxRC4BCPGsfSRs4JY12WyeY26SUYQ0NuANaCFrI= -github.com/containers/image/v5 v5.32.1/go.mod h1:v1l73VeMugfj/QtKI+jhYbwnwFCFnNGckvbST3rQ5Hk= +github.com/containers/image/v5 v5.32.2 h1:SzNE2Y6sf9b1GJoC8qjCuMBXwQrACFp4p0RK15+4gmQ= +github.com/containers/image/v5 v5.32.2/go.mod h1:v1l73VeMugfj/QtKI+jhYbwnwFCFnNGckvbST3rQ5Hk= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA= github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY= github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM= 
@@ -459,10 +459,10 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= -github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk= -github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY= -github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.7.0 h1:FG6VLIdzvAPhnYqP14sQ2xhFLkiUQHCs6ySqO91kF4g= +github.com/jackc/pgx/v5 v5.7.0/go.mod h1:awP1KNnjylvpxHuHP63gzjhnGkI1iw+PMoIwvoleN/8= github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= 
@@ -700,8 +700,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.100.0 h1:efRc3M91Dnnvv66oSX5vs+GF2MjHS6O1OriBikox15Y= -github.com/replicatedhq/troubleshoot v0.100.0/go.mod h1:5rRx3kCUCX9Adl3ST1mzo57FICjIJMaIrkj3rTrzvv4= +github.com/replicatedhq/troubleshoot v0.102.0 h1:qPuLdio9JnZHXQ+ah1uJDbkZyh5gR9NEM88aZBkQyq0= +github.com/replicatedhq/troubleshoot v0.102.0/go.mod h1:zw25eyvPPj6SUnoVGEUjFzWOlhH097UeJgakWLDYo9k= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 
@@ -910,8 +910,8 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= From 051d5a43a49daf1bf759b756048abcaa176a4dcc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 10:46:26 -0700 Subject: [PATCH 163/523] build(deps): bump google/osv-scanner-action from 1.8.4 to 1.8.5 (#4253) Bumps [google/osv-scanner-action](https://github.com/google/osv-scanner-action) from 1.8.4 to 1.8.5. - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](https://github.com/google/osv-scanner-action/compare/678a866dcba398c8ed0124a09928d250f187b52a...f0e6719deb666cd19a0b56bc56d01161bd848b4f) --- updated-dependencies: - dependency-name: google/osv-scanner-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/license-scan.yml | 2 +- .github/workflows/osv-scanner.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 234b018ddc9..fcd22a05a92 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@678a866dcba398c8ed0124a09928d250f187b52a # v1.8.4 + uses: google/osv-scanner-action/osv-scanner-action@f0e6719deb666cd19a0b56bc56d01161bd848b4f # v1.8.5 with: # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index dc5833b0010..9f6882992f8 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -19,7 +19,7 @@ permissions: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 permissions: actions: read contents: read @@ -34,7 +34,7 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@678a866dcba398c8ed0124a09928d250f187b52a" # v1.8.4 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 permissions: actions: read contents: read 
From ecd48171152719b98d94363c8fde96920d4a591b Mon Sep 17 00:00:00 2001 From: shahar-h Date: Wed, 18 Sep 2024 08:39:36 +0300 Subject: [PATCH 164/523] ci: remove license override for github.com/moby/patternmatcher (#4274) Signed-off-by: Shahar Harari --- osv-scanner.toml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index 32cde45a456..61e02d0ceb8 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -69,13 +69,6 @@ ecosystem = "Go" license.override = ["Apache-2.0"] reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" -[[PackageOverrides]] -name = "github.com/moby/patternmatcher" -version = "0.6.0" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/106 is resolved" - [[PackageOverrides]] name = "github.com/opencontainers/go-digest" version = "1.0.0" From eff9611195511887a4017dad113f0f0a14d94e28 Mon Sep 17 00:00:00 2001 From: shahar-h Date: Wed, 18 Sep 2024 08:40:37 +0300 Subject: [PATCH 165/523] ci: enable osv-scanner call analysis (#4273) Signed-off-by: Shahar Harari --- .github/workflows/license-scan.yml | 1 - .github/workflows/osv-scanner.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index fcd22a05a92..055050bcec0 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -24,5 +24,4 @@ jobs: scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib - --no-call-analysis=go ./ diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 9f6882992f8..5c50d8f1a82 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
@@ -29,7 +29,6 @@ jobs: scan-args: |- --skip-git --recursive - --no-call-analysis=go ./ scan-pr: @@ -44,5 +43,4 @@ jobs: scan-args: |- --skip-git --recursive - --no-call-analysis=go ./ From d00737b69766460ae97c3bc451baa43b9b5fa85a Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 18 Sep 2024 21:45:28 +0800 Subject: [PATCH 166/523] OIDC: add nonce support to the oauth2 filter (#4271) * add nonce support to the oidc Signed-off-by: Huabing Zhao * fix gen Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: zirain --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- internal/xds/extensions/extensions.gen.go | 1 + internal/xds/translator/oidc.go | 1 + ...-listeners-same-port-with-different-filters.listeners.yaml | 1 + .../xds/translator/testdata/out/xds-ir/oidc.listeners.yaml | 2 ++ 8 files changed, 11 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 86f5fb64f0f..c023ad3e216 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -4,7 +4,7 @@ go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 - github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 + github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 github.com/urfave/cli/v2 v2.27.2 google.golang.org/grpc v1.66.2 google.golang.org/protobuf v1.34.2 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 878c8da7578..920c977fbca 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -11,8 +11,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 h1:ZY5uB8jkNV3rhhzDI0+B9g5RISAOwazjjGqkP1sQ2HI= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 h1:bUMUmkPtm/z62/8WiVbxtqTK8I7AzXGYn+qB8JAzAXw= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= diff --git a/go.mod b/go.mod index b883e1d7a85..0fe4eb4422e 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.2.0+incompatible github.com/dominikbraun/graph v0.23.0 - github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 + github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 diff --git a/go.sum b/go.sum index ab5b97d09b8..50c9631fe33 100644 --- a/go.sum +++ b/go.sum 
@@ -214,8 +214,8 @@ github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89 h1:ZY5uB8jkNV3rhhzDI0+B9g5RISAOwazjjGqkP1sQ2HI= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240903155423-c0847bf34c89/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 h1:bUMUmkPtm/z62/8WiVbxtqTK8I7AzXGYn+qB8JAzAXw= +github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= diff --git a/internal/xds/extensions/extensions.gen.go b/internal/xds/extensions/extensions.gen.go index 18a0eeb1c35..08ac37d8e58 100644 --- a/internal/xds/extensions/extensions.gen.go +++ b/internal/xds/extensions/extensions.gen.go 
@@ -243,6 +243,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/matchers/upstream_ip_port/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/regex_engines/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/request_id/uuid/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/cpu_utilization/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/downstream_connections/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/fixed_heap/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/resource_monitors/injected_resource/v3" diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index 2102851958c..41228a1d209 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -172,6 +172,7 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { OauthExpires: fmt.Sprintf("OauthExpires-%s", oidc.CookieSuffix), IdToken: fmt.Sprintf("IdToken-%s", oidc.CookieSuffix), RefreshToken: fmt.Sprintf("RefreshToken-%s", oidc.CookieSuffix), + OauthNonce: fmt.Sprintf("OauthNonce-%s", oidc.CookieSuffix), }, }, // every OIDC provider supports basic auth diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml index d6ec7d08951..39bfe9f587b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml 
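Review bot: The `OauthNonce` entry added to the cookie-names block of `oauth2Config` has no comment, and it is the cookie in that block whose purpose is least obvious to a reader. I would put `// OauthNonce names the cookie holding the per-login nonce that the filter checks on the callback.` above it. That wording is inferred from the commit title and the sibling fields, so confirm it against the filter's documentation before merging. `oauth2Config` starts and ends outside this hunk.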
@@ -122,6 +122,7 @@ idToken: IdToken-5F93C2E4 oauthExpires: OauthExpires-5F93C2E4 oauthHmac: OauthHMAC-5F93C2E4 + oauthNonce: OauthNonce-5F93C2E4 refreshToken: RefreshToken-5F93C2E4 hmacSecret: name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index 751bc4dee2e..37178ddfe5f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -32,6 +32,7 @@ idToken: IdToken-5F93C2E4 oauthExpires: OauthExpires-5F93C2E4 oauthHmac: OauthHMAC-5F93C2E4 + oauthNonce: OauthNonce-5F93C2E4 refreshToken: RefreshToken-5F93C2E4 hmacSecret: name: oauth2/hmac_secret/securitypolicy/default/policy-for-first-route @@ -79,6 +80,7 @@ idToken: CustomIdTokenOverride oauthExpires: OauthExpires-5f93c2e4 oauthHmac: OauthHMAC-5f93c2e4 + oauthNonce: OauthNonce-5f93c2e4 refreshToken: RefreshToken-5f93c2e4 hmacSecret: name: oauth2/hmac_secret/securitypolicy/default/policy-for-second-route From e0439782d8eadf3913fffa7f041dd5800357dc6f Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 19 Sep 2024 14:23:07 +0800 Subject: [PATCH 167/523] moving away from promStatsdExporterContainer (#4272) * moving away from promStatsdExporterContainer Signed-off-by: zirain * check metric Signed-off-by: zirain * fix gen Signed-off-by: zirain * use PortForwarder Signed-off-by: zirain * lint Signed-off-by: zirain * fix Signed-off-by: zirain * protocol Signed-off-by: zirain * wait Signed-off-by: zirain * fix test Signed-off-by: zirain --------- 
Signed-off-by: zirain --- .../kubernetes/ratelimit/resource.go | 67 ++++++------------- .../testdata/deployments/custom.yaml | 43 ++---------- .../testdata/deployments/default-env.yaml | 43 ++---------- .../testdata/deployments/default.yaml | 43 ++---------- .../deployments/disable-prometheus.yaml | 4 +- .../deployments/enable-tracing-custom.yaml | 43 ++---------- .../testdata/deployments/enable-tracing.yaml | 43 ++---------- .../testdata/deployments/extension-env.yaml | 43 ++---------- .../testdata/deployments/override-env.yaml | 41 ++---------- .../deployments/patch-deployment.yaml | 43 ++---------- .../deployments/redis-tls-settings.yaml | 47 +++---------- .../testdata/deployments/tolerations.yaml | 47 +++---------- .../testdata/deployments/volumes.yaml | 47 +++---------- .../deployments/with-node-selector.yaml | 43 ++---------- .../with-topology-spread-constraints.yaml | 43 ++---------- test/e2e/tests/ratelimit.go | 15 +++++ test/e2e/tests/utils.go | 48 +++++++++++++ 17 files changed, 182 insertions(+), 521 deletions(-) diff --git a/internal/infrastructure/kubernetes/ratelimit/resource.go b/internal/infrastructure/kubernetes/ratelimit/resource.go index 129d69bdd37..4785a700d40 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource.go 
@@ -193,49 +193,9 @@ func expectedRateLimitContainers(rateLimit *egv1a1.RateLimit, rateLimitDeploymen }, } - if enablePrometheus(rateLimit) { - containers = append(containers, promStatsdExporterContainer()) - } - return containers } -func promStatsdExporterContainer() corev1.Container { - return corev1.Container{ - Name: "prom-statsd-exporter", - Image: "prom/statsd-exporter:v0.18.0", - ImagePullPolicy: corev1.PullIfNotPresent, - Command: []string{ - "/bin/statsd_exporter", - fmt.Sprintf("--web.listen-address=:%d", PrometheusPort), - "--statsd.mapping-config=/etc/statsd-exporter/conf.yaml", - }, - Ports: []corev1.ContainerPort{ - { - Name: "statsd", - ContainerPort: StatsdPort, - Protocol: corev1.ProtocolTCP, - }, - { - Name: "metrics", - ContainerPort: PrometheusPort, - Protocol: corev1.ProtocolTCP, - }, - }, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "statsd-exporter-config", - ReadOnly: true, - MountPath: "/etc/statsd-exporter", - }, - }, - TerminationMessagePolicy: corev1.TerminationMessageReadFile, - TerminationMessagePath: "/dev/termination-log", - SecurityContext: defaultSecurityContext(), - Resources: *egv1a1.DefaultResourceRequirements(), - } -} - // expectedContainerVolumeMounts returns expected rateLimit container volume mounts. func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeployment *egv1a1.KubernetesDeploymentSpec) []corev1.VolumeMount { var volumeMounts []corev1.VolumeMount @@ -247,6 +207,14 @@ func expectedContainerVolumeMounts(rateLimit *egv1a1.RateLimit, rateLimitDeploym ReadOnly: true, }) + if enablePrometheus(rateLimit) { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "statsd-exporter-config", + MountPath: "/etc/statsd-exporter", + ReadOnly: true, + }) + } + if rateLimit.Backend.Redis.TLS != nil { volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "redis-certs", 
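Review bot: In the `expectedContainerVolumeMounts` hunk the mount path `"/etc/statsd-exporter"` is a bare literal, and the later `expectedRateLimitContainerEnv` hunk repeats it inside `"/etc/statsd-exporter/conf.yaml"` for `PROMETHEUS_MAPPER_YAML`; if one is changed without the other, the service would presumably be pointed at a mapping file that is not mounted. A shared constant used in both places, for example `const statsdExporterConfigDir = "/etc/statsd-exporter"` (name constructed here), would keep them in step. The volume and path still say statsd-exporter although this commit removes the sidecar, so a short comment on the mount saying the file is now read by the ratelimit container itself would help. The function body continues outside the hunk.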
@@ -331,11 +299,7 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym }, { Name: UseStatsdEnvVar, - Value: "true", - }, - { - Name: StatsdPortEnvVar, - Value: strconv.Itoa(StatsdPort), + Value: "false", }, { Name: ConfigTypeEnvVar, @@ -420,6 +384,19 @@ func expectedRateLimitContainerEnv(rateLimit *egv1a1.RateLimit, rateLimitDeploym } } + if enablePrometheus(rateLimit) { + env = append(env, corev1.EnvVar{ + Name: "USE_PROMETHEUS", + Value: "true", + }, corev1.EnvVar{ + Name: "PROMETHEUS_ADDR", + Value: ":19001", + }, corev1.EnvVar{ + Name: "PROMETHEUS_MAPPER_YAML", + Value: "/etc/statsd-exporter/conf.yaml", + }) + } + if enableTracing(rateLimit) { sampleRate := 1.0 if rateLimit.Telemetry.Tracing.SamplingRate != nil { diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml index c6c0bb1a696..bd75907c7af 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml @@ -50,9 +50,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -81,6 +79,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit 
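Review bot: The `expectedRateLimitContainerEnv` hunk that flips `UseStatsdEnvVar` to `"false"` also drops `STATSD_PORT`, yet the override-env.yaml, redis-tls-settings.yaml, tolerations.yaml and volumes.yaml fixtures in this commit still render `USE_STATSD` as `"true"`. Those look like user overrides, and with the exporter sidecar gone such a deployment would presumably send statsd to the service's default address with nothing in the pod listening, so metrics could go missing without any error. I would at least document it next to the entry, e.g. `// statsd output is off; metrics come from the built-in Prometheus endpoint when enabled`, and consider warning when the override turns it back on. The function body continues outside the hunk.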
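Review bot: The Prometheus block added to `expectedRateLimitContainerEnv` hard-codes `":19001"` and three env-var names as string literals, while the code removed earlier in this commit derived the port from `PrometheusPort` and the neighbouring entries use named constants such as `UseStatsdEnvVar` and `ConfigTypeEnvVar`. If `PrometheusPort` is still declared (its definition is outside the visible lines), `Value: fmt.Sprintf(":%d", PrometheusPort),` keeps the listen address in step with anything else built from that constant. Named constants for `USE_PROMETHEUS`, `PROMETHEUS_ADDR` and `PROMETHEUS_MAPPER_YAML` would match the rest of the function. The address binds every interface of the pod, as the removed `--web.listen-address=:%d` did, so the exposure of the metrics endpoint is unchanged; a one-line comment saying so would save the next reviewer the check.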
@@ -121,39 +125,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index c6c0bb1a696..bd75907c7af 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -50,9 +50,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -81,6 +79,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit 
@@ -121,39 +125,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index 26c21e23653..32e56a1ea5c 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit 
@@ -129,39 +133,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 0dcbfb3f209..449ed2c1d70 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml @@ -47,9 +47,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 78cdd0c784d..320497017f7 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml 
@@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: TRACING_ENABLED value: "true" - name: TRACING_SERVICE_NAME @@ -144,39 +148,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index f0396c5aa44..5b01b9ef319 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml 
@@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: TRACING_ENABLED value: "true" - name: TRACING_SERVICE_NAME @@ -144,39 +148,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 9bf03106f2d..972dd635a38 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml 
@@ -50,9 +50,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -81,6 +79,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: env_a value: env_a_value - name: env_b @@ -125,39 +129,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index c6c0bb1a696..8d076381d71 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -51,8 +51,6 @@ spec: value: info - name: USE_STATSD value: "true" - - name: STATSD_PORT - value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL 
@@ -81,6 +79,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: custom-image imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -121,39 +125,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index 8482050ec25..773607b225a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL 
@@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -129,39 +133,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 2e223af79c4..7fc4a4ec4ca 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -51,8 +51,6 @@ spec: value: info - name: USE_STATSD value: "true" - - name: STATSD_PORT - value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL 
@@ -87,6 +85,12 @@ spec: value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY value: /redis-certs/tls.key + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: REDIS_AUTH value: redis_auth_password image: custom-image @@ -129,45 +133,12 @@ spec: - mountPath: /certs name: certs readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true + - mountPath: /redis-certs + name: redis-certs + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 525c2b1f75d..685f5a76385 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml 
@@ -51,8 +51,6 @@ spec: value: info - name: USE_STATSD value: "true" - - name: STATSD_PORT - value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -87,6 +85,12 @@ spec: value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY value: /redis-certs/tls.key + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: REDIS_AUTH value: redis_auth_password image: custom-image @@ -129,45 +133,12 @@ spec: - mountPath: /certs name: certs readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true + - mountPath: /redis-certs + name: redis-certs + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 165a6819288..3659647a89a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml 
@@ -51,8 +51,6 @@ spec: value: info - name: USE_STATSD value: "true" - - name: STATSD_PORT - value: "9125" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -87,6 +85,12 @@ spec: value: /redis-certs/tls.crt - name: REDIS_TLS_CLIENT_KEY value: /redis-certs/tls.key + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml - name: REDIS_AUTH value: redis_auth_password image: custom-image @@ -129,45 +133,12 @@ spec: - mountPath: /certs name: certs readOnly: true - - mountPath: /redis-certs - name: redis-certs - readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true + - mountPath: /redis-certs + name: redis-certs + readOnly: true dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index 44ea2f4b856..9cf4e01fbff 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -129,39 +133,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index 9ca2c8e53e9..5625daf61a0 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -51,9 +51,7 @@ spec: - name: LOG_LEVEL value: info - name: USE_STATSD - value: "true" - - name: STATSD_PORT - value: "9125" + value: "false" - name: CONFIG_TYPE value: GRPC_XDS_SOTW - name: CONFIG_GRPC_XDS_SERVER_URL @@ -82,6 +80,12 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml image: envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit @@ -129,39 +133,6 @@ spec: - mountPath: /certs name: certs readOnly: true - - command: - - /bin/statsd_exporter - - --web.listen-address=:19001 - - --statsd.mapping-config=/etc/statsd-exporter/conf.yaml - image: prom/statsd-exporter:v0.18.0 - imagePullPolicy: IfNotPresent - name: prom-statsd-exporter - ports: - - containerPort: 9125 - name: statsd - protocol: TCP - - containerPort: 19001 - name: metrics - protocol: TCP - resources: - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 65534 - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - mountPath: /etc/statsd-exporter name: statsd-exporter-config readOnly: true diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index 058c466171b..f564eec6dd4 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go 
@@ -9,12 +9,15 @@ package tests import ( + "context" "fmt" "net" "testing" + "time" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" @@ -267,6 +270,9 @@ var RateLimitBasedJwtClaimsTest = suite.ConformanceTest{ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + preCount, err := OverLimitCount(suite) + require.NoError(t, err) + expectOkResp := http.ExpectedResponse{ Request: http.Request{ Path: "/foo", @@ -373,6 +379,15 @@ var RateLimitBasedJwtClaimsTest = suite.ConformanceTest{ if err := GotExactExpectedResponse(t, 1, suite.RoundTripper, noTokenReq, noTokenResp); err != nil { t.Errorf("failed to get expected response: %v", err) } + + err = wait.PollUntilContextTimeout(context.TODO(), time.Second, 1*time.Minute, true, func(_ context.Context) (bool, error) { + curCount, err := OverLimitCount(suite) + if err != nil { + return false, err + } + return curCount > preCount, nil + }) + require.NoError(t, err) }) }, } diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index e6c6ed85c04..4196172246a 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -39,6 +39,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/tlog" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/kubernetes" tb "github.com/envoyproxy/gateway/internal/troubleshoot" ) 
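Review bot: In the added `wait.PollUntilContextTimeout` block the condition returns `false, err` whenever `OverLimitCount` fails, and a non-nil error from the condition ends the poll immediately. A single failed port-forward or metrics scrape therefore fails the test instead of being retried for the rest of the minute. Unless that is intended, log and retry: `if err != nil { t.Logf("over limit count not available yet: %v", err); return false, nil }`. `context.TODO()` could also be replaced by a context tied to the test, so the poll stops when the test is cancelled. The enclosing subtest closure starts outside this hunk.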
@@ -483,6 +484,53 @@ func ALSLogCount(suite *suite.ConformanceTestSuite) (int, error) { return total, nil } +func OverLimitCount(suite *suite.ConformanceTestSuite) (int, error) { + cli, err := kubernetes.NewForRestConfig(suite.RestConfig) + if err != nil { + return -1, err + } + + pods, err := cli.PodsForSelector("envoy-gateway-system", "app.kubernetes.io/name=envoy-ratelimit") + if err != nil { + return -1, err + } + + if len(pods.Items) == 0 { + return -1, fmt.Errorf("no envoy-ratelimit pod found") + } + + fwd, err := kubernetes.NewLocalPortForwarder(cli, types.NamespacedName{ + Namespace: "envoy-gateway-system", + Name: pods.Items[0].Name, + }, 0, 19001) + if err != nil { + return -1, err + } + if err := fwd.Start(); err != nil { + return -1, err + } + defer fwd.Stop() + + countMetric, err := RetrieveMetric(fmt.Sprintf("http://%s/metrics", fwd.Address()), "ratelimit_service_rate_limit_over_limit", time.Second) + if err != nil { + return -1, err + } + + // metric not found or empty + if countMetric == nil { + return 0, nil + } + + total := 0 + for _, m := range countMetric.Metric { + if m.Counter != nil && m.Counter.Value != nil { + total += int(*m.Counter.Value) + } + } + + return total, nil +} + // QueryLogCountFromLoki queries log count from loki func QueryLogCountFromLoki(t *testing.T, c client.Client, keyValues map[string]string, match string) (int, error) { svc := corev1.Service{} From d5eb231953fe2d0b78fc229ee9d15c03d9e3e2c6 Mon Sep 17 00:00:00 2001 From: sh2 Date: Thu, 19 Sep 2024 19:41:48 +0800 Subject: [PATCH 168/523] performance: changing Infra and Xds IR log values to JSONString (#4263) changing infra and xds IR from YAMLString to JSONString Signed-off-by: shawnh2 --- internal/gatewayapi/runner/runner.go | 4 ++-- internal/ir/infra.go | 6 ++++++ internal/ir/xds.go | 6 ++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 3f1605c11bf..f9068b68dcf 100644 
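Review bot: `OverLimitCount` scrapes only `pods.Items[0]` and does not check that the pod is running. With more than one envoy-ratelimit replica, the over-limit increment may land on a pod that is never read, and the caller's `curCount > preCount` poll would then time out. Either sum the counter over every returned pod, or state the single-replica assumption in a doc comment, which this exported function lacks, e.g. `// OverLimitCount returns the summed ratelimit_service_rate_limit_over_limit counter scraped from the first envoy-ratelimit pod in envoy-gateway-system.` The namespace, label selector and port 19001 are repeated literals and would read better as named constants.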
--- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go @@ -172,7 +172,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { - r.Logger.WithValues("infra-ir", key).Info(val.YAMLString()) + r.Logger.WithValues("infra-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -183,7 +183,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { - r.Logger.WithValues("xds-ir", key).Info(val.YAMLString()) + r.Logger.WithValues("xds-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err diff --git a/internal/ir/infra.go b/internal/ir/infra.go index 532c7b079e8..ae46560d534 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -7,6 +7,7 @@ package ir import ( "cmp" + "encoding/json" "errors" "fmt" "reflect" @@ -34,6 +35,11 @@ func (i Infra) YAMLString() string { return string(y) } +func (i Infra) JSONString() string { + j, _ := json.MarshalIndent(&i, "", "\t") + return string(j) +} + // ProxyInfra defines managed proxy infrastructure. // +k8s:deepcopy-gen=true type ProxyInfra struct { diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 3465645e69a..a40cd854766 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -7,6 +7,7 @@ package ir import ( "cmp" + "encoding/json" "errors" "fmt" "net/http" @@ -176,6 +177,11 @@ func (x Xds) YAMLString() string { return string(y) } +func (x Xds) JSONString() string { + j, _ := json.MarshalIndent(x.Printable(), "", "\t") + return string(j) +} + // Printable returns a deep copy of the resource that can be safely logged. func (x Xds) Printable() *Xds { out := x.DeepCopy() 
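Review bot: In `internal/ir/infra.go`, `Infra.JSONString` marshals the receiver as-is (`json.MarshalIndent(&i, ...)`), while the matching `Xds.JSONString` in `internal/ir/xds.go` goes through `x.Printable()`, which its comment describes as the copy that can be safely logged. Both strings are written at Info level by the runner, so if `Infra` can ever carry sensitive values (not visible in this hunk), it needs the same redaction step before being logged. Both methods also drop the marshal error with `j, _ :=`, so a failure logs an empty string; returning the error text instead would keep the log line useful. Since the commit is about performance and the output is only used for logging, `json.Marshal(...)` without tab indentation would be cheaper and keep each entry on one line. Each exported method should also get a doc comment, e.g. `// JSONString returns the JSON representation of the Infra IR for logging.`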
From 9cf7828d678135f8da9cac97a0b14a6b71077467 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 20 Sep 2024 02:25:17 +0800 Subject: [PATCH 169/523] e2e: add test for RecomputeRoute in ExtAuth (#4222) Signed-off-by: zirain --- .../ext-auth-http-backend-securitypolicy.yaml | 74 +++++++++++++------ test/e2e/tests/ext_auth_http_backend.go | 56 ++++++++++++++ 2 files changed, 106 insertions(+), 24 deletions(-) diff --git a/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml b/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml index ebee7ce0c1e..557a2e99ed5 100644 --- a/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml +++ b/test/e2e/testdata/ext-auth-http-backend-securitypolicy.yaml @@ -6,16 +6,39 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: same-namespace + - name: same-namespace hostnames: ["www.example.com"] rules: - - matches: - - path: - type: PathPrefix - value: /myapp # This is the path that will be protected by ext auth - backendRefs: - - name: infra-backend-v1 - port: 8080 + - matches: + - path: + type: PathPrefix + # This is the path that will be protected by ext auth + value: /myapp + headers: + - name: x-current-user + value: user2 + backendRefs: + - name: infra-backend-v2 + port: 8080 + - matches: + - path: + type: PathPrefix + # This is the path that will be protected by ext auth + value: /myapp + headers: + - name: x-current-user + value: user3 + backendRefs: + - name: infra-backend-v3 + port: 8080 + - matches: + - path: + type: PathPrefix + # This is the path that will be protected by ext auth + value: /myapp + backendRefs: + - name: infra-backend-v1 + port: 8080 --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute 
@@ -24,16 +47,17 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: same-namespace + - name: same-namespace hostnames: ["www.example.com"] rules: - - matches: - - path: - type: PathPrefix - value: /public # This is the path that will be public - backendRefs: - - name: infra-backend-v1 - port: 8080 + - matches: + - path: + type: PathPrefix + # This is the path that will be public + value: /public + backendRefs: + - name: infra-backend-v1 + port: 8080 --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy @@ -42,15 +66,17 @@ metadata: namespace: gateway-conformance-infra spec: targetRefs: - - group: gateway.networking.k8s.io - kind: HTTPRoute - name: http-ext-auth-backend + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-ext-auth-backend extAuth: + recomputeRoute: true http: backendRefs: - - name: backend-fqdn # should add namespace here because envoy will locate in envoy-gateway-system namespace - kind: Backend - group: gateway.envoyproxy.io - namespace: gateway-conformance-infra - port: 9002 + # should add namespace here because envoy will locate in envoy-gateway-system namespace + - name: backend-fqdn + kind: Backend + group: gateway.envoyproxy.io + namespace: gateway-conformance-infra + port: 9002 headersToBackend: ["x-current-user"] diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go index 326d7343708..dd0e24c86c3 100644 --- a/test/e2e/tests/ext_auth_http_backend.go +++ b/test/e2e/tests/ext_auth_http_backend.go 
@@ -152,5 +152,61 @@ var HTTPBackendExtAuthTest = suite.ConformanceTest{ t.Errorf("failed to compare request and response: %v", err) } }) + + t.Run("route base on headersToBackend", func(t *testing.T) { + v2ExpectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "Authorization": "Bearer token2", + }, + }, + Backend: "infra-backend-v2", + // Verify that the http headers returned by the ext auth service + // are added to the original request before sending it to the backend + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "x-current-user": "user2", + }, + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, v2ExpectedResponse) + + v3ExpectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "Authorization": "Bearer token3", + }, + }, + // Verify that the http headers returned by the ext auth service + // are added to the original request before sending it to the backend + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "www.example.com", + Path: "/myapp", + Headers: map[string]string{ + "x-current-user": "user3", + }, + }, + }, + Backend: "infra-backend-v3", + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, v3ExpectedResponse) + }) }, } From 1b56edad0f2453fd9c0f360e046a7b64ce9e55dc Mon Sep 17 00:00:00 2001 From: Dennis Kniep Date: Thu, 19 Sep 2024 22:34:19 +0200 Subject: [PATCH 170/523] EnvoyPatchPolicy JsonPath docs & fixes (#4256) * fix: jsonPath escape chars & api docs (#4162) 
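Review bot: The new subtest only covers requests where `x-current-user` comes from the ext auth response; no case sends that header from the client. The SecurityPolicy in this commit sets `recomputeRoute: true` and the HTTPRoute now selects the backend by `x-current-user`, so the test should also pin which value wins when the client supplies one. A case that sends `"x-current-user": "user2"` together with `"Authorization": "Bearer token3"` and expects `Backend: "infra-backend-v3"` would do that, assuming the auth service overwrites the header, which this hunk does not show. The subtest name would also read better as `"route based on headersToBackend"`. The enclosing `Test` function starts outside the hunk.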
Signed-off-by: Dennis Kniep * fix: throw error if jsonPath returns no jsonPointers (#4162) Signed-off-by: Dennis Kniep * docs: JSONPath usage in EnvoyPatchPolicy (#4043) Signed-off-by: Dennis Kniep --------- Signed-off-by: Dennis Kniep --- api/v1alpha1/envoypatchpolicy_types.go | 12 +- ...eway.envoyproxy.io_envoypatchpolicies.yaml | 12 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 12 +- internal/utils/jsonpatch/jsonpathtopointer.go | 18 ++- .../utils/jsonpatch/jsonpathtopointer_test.go | 151 +++++++++++++++--- internal/utils/jsonpatch/patch.go | 7 + internal/utils/jsonpatch/patch_test.go | 141 +++++++++++++++- .../jsonpatch-with-jsonpath-invalid.yaml | 68 ++++++++ internal/xds/translator/translator_test.go | 4 + site/content/en/latest/api/extension_types.md | 4 +- .../tasks/extensibility/envoy-patch-policy.md | 79 +++++++++ site/content/zh/latest/api/extension_types.md | 4 +- 12 files changed, 470 insertions(+), 42 deletions(-) create mode 100644 internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml diff --git a/api/v1alpha1/envoypatchpolicy_types.go b/api/v1alpha1/envoypatchpolicy_types.go index b23002e678f..a7ac8992dbc 100644 --- a/api/v1alpha1/envoypatchpolicy_types.go +++ b/api/v1alpha1/envoypatchpolicy_types.go 
@@ -109,12 +109,16 @@ type JSONPatchOperationType string type JSONPatchOperation struct { // Op is the type of operation to perform Op JSONPatchOperationType `json:"op"` - // Path is the location of the target document/field where the operation will be performed - // Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + // Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + // It specifies the location of the target document/field where the operation will be performed // +optional Path *string `json:"path,omitempty"` - // JSONPath specifies the locations of the target document/field where the operation will be performed - // Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + // JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + // It produces one or more JSONPointer expressions based on the given JSON document. + // If no JSONPointer is found, it will result in an error. + // If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation. + // This is useful when creating a property that does not yet exist in the JSON document. + // The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. // +optional JSONPath *string `json:"jsonPath,omitempty"` // From is the source location of the value to be copied or moved. Only valid diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml index d9729ab138c..591e61a4e53 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml 
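Review bot: The new `JSONPath` field comment says `Path` "will be appended" to each resulting pointer, but not how the two are joined or whether `Path` must already be escaped per RFC 6901. The tests added in this commit pass it both with and without a leading slash, so users cannot tell from the API docs which form is expected. One added sentence would settle it, for example `// Path is joined with a "/" separator and must already be a valid, escaped JSONPointer fragment.`, if that matches the implementation, which is outside this hunk. The last sentence also has a grammar slip that propagates into both generated CRDs and the API reference: `// The final JSONPointer expressions specify the locations in the target document/field where the operation will be applied.` The `JSONPatchOperation` struct continues outside the hunk.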
@@ -73,8 +73,12 @@ spec: type: string jsonPath: description: |- - JSONPath specifies the locations of the target document/field where the operation will be performed - Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + It produces one or more JSONPointer expressions based on the given JSON document. + If no JSONPointer is found, it will result in an error. + If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation. + This is useful when creating a property that does not yet exist in the JSON document. + The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. type: string op: description: Op is the type of operation to perform @@ -88,8 +92,8 @@ spec: type: string path: description: |- - Path is the location of the target document/field where the operation will be performed - Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + It specifies the location of the target document/field where the operation will be performed type: string value: description: |- diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index deee471aa4f..145a3e4d41a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -208,8 +208,12 @@ spec: type: string jsonPath: description: |- - JSONPath specifies the locations of the target document/field where the operation will be performed - Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. + It produces one or more JSONPointer expressions based on the given JSON document. + If no JSONPointer is found, it will result in an error. + If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation. + This is useful when creating a property that does not yet exist in the JSON document. + The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. type: string op: description: Op is the type of operation to perform @@ -223,8 +227,8 @@ spec: type: string path: description: |- - Path is the location of the target document/field where the operation will be performed - Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. + It specifies the location of the target document/field where the operation will be performed type: string value: description: |- diff --git a/internal/utils/jsonpatch/jsonpathtopointer.go b/internal/utils/jsonpatch/jsonpathtopointer.go index 730baa94ee2..18bfb569335 100644 --- a/internal/utils/jsonpatch/jsonpathtopointer.go +++ b/internal/utils/jsonpatch/jsonpathtopointer.go 
@@ -115,6 +115,20 @@ func nthToPointer(f jp.Nth) ([]byte, error) { return buf, nil } -func toPointer(f jp.Frag) ([]byte, error) { - return f.Append(nil, false, true), nil +func toPointer(f jp.Child) ([]byte, error) { + var buf []byte + + // JSONPointer escaping https://datatracker.ietf.org/doc/html/rfc6901#section-3 + for _, b := range []byte(string(f)) { + switch b { + case '~': + buf = append(buf, "~0"...) + case '/': + buf = append(buf, "~1"...) + default: + buf = append(buf, b) + } + } + + return buf, nil } diff --git a/internal/utils/jsonpatch/jsonpathtopointer_test.go b/internal/utils/jsonpatch/jsonpathtopointer_test.go index 4b57424562d..03bc25dd8c4 100644 --- a/internal/utils/jsonpatch/jsonpathtopointer_test.go +++ b/internal/utils/jsonpatch/jsonpathtopointer_test.go @@ -7,7 +7,6 @@ package jsonpatch import ( "sort" - "strconv" "testing" "github.com/ohler55/ojg/jp" @@ -87,8 +86,33 @@ const case3Route string = `{ "ignore_port_in_host_matching": true }` +const case4Escaping string = `{ + "values": [{ + "name": "test1", + "dotted.key": "Hello" + }, + { + "name": "test2", + "dotted.key": "there" + }, + { + "name": "test3", + "~abc": "tilde" + }, + { + "name": "test4", + "//abc": "slash" + }, + { + "name": "test5", + "~/abc/~": "mixed" + }] +}` + func Test(t *testing.T) { - tests := []struct { + testCases := []struct { + name string + // Json Document doc string @@ -102,6 +126,20 @@ func Test(t *testing.T) { expected []string }{ { + name: "TestCase-01", + doc: case1Simple, + jsonPath: "$.xyz", + expected: []string{}, + }, + { + name: "TestCase-02", + doc: case1Simple, + jsonPath: "$.xyz", + path: "doesnotexist", + expected: []string{}, + }, + { + name: "TestCase-03", doc: case1Simple, jsonPath: "$.a", expected: []string{ @@ -109,6 +147,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-04", doc: case2Nested, jsonPath: "$.v[?(@.x=='test2')]", expected: []string{ 
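Review bot: In the rewritten `toPointer`, the loop header `for _, b := range []byte(string(f))` converts twice where indexing the value directly would do, assuming `jp.Child` is a string type. `for i := 0; i < len(f); i++ { switch f[i] { ... } }` avoids the conversions. The function can no longer fail, so the always-nil error return deserves a short comment saying it is kept only to match the other fragment converters. The RFC 6901 comment could also note that `~` and `/` are escaped in a single pass, which is why a `~1` emitted for `/` is never re-escaped; that is the property a later refactor to chained replace calls could break.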
@@ -116,6 +155,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-05", doc: case2Nested, jsonPath: "..v[?(@.x=='test1')].y", expected: []string{ @@ -123,6 +163,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-06", doc: case2Nested, jsonPath: "$.v[?(@.x=='test2')].y", expected: []string{ @@ -130,6 +171,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-07", doc: case2Nested, jsonPath: "$.v[?(@.x=='test1')].y", expected: []string{ @@ -137,6 +179,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-08", doc: case2Nested, jsonPath: "$.v[*].y", expected: []string{ @@ -145,11 +188,13 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-09", doc: case2Nested, jsonPath: "$.v[?(@.x=='UNKNOWN')].y", expected: []string{}, }, { + name: "TestCase-10", doc: case1Simple, jsonPath: ".a", expected: []string{ @@ -157,6 +202,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-11", doc: case1Simple, jsonPath: "a", expected: []string{ @@ -164,6 +210,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-12", doc: case2Nested, jsonPath: "f.w", expected: []string{ @@ -171,6 +218,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-13", doc: case2Nested, jsonPath: "f.*", expected: []string{ @@ -180,6 +228,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-14", doc: case2Nested, jsonPath: "v.*", expected: []string{ @@ -188,6 +237,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-15", doc: case2Nested, jsonPath: "v.**", expected: []string{ @@ -198,6 +248,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-16", doc: case2Nested, jsonPath: "$..y", expected: []string{ @@ -208,6 +259,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-17", doc: case2Nested, jsonPath: "..y", expected: []string{ @@ -218,6 +270,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-18", doc: case2Nested, jsonPath: "**.y", expected: []string{ 
@@ -226,6 +279,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-19", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www_example_com')]", expected: []string{ @@ -233,6 +287,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-20", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www_test_com')]", expected: []string{ @@ -240,6 +295,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-21", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')]", expected: []string{ @@ -248,6 +304,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-22", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')].route.cluster", expected: []string{ @@ -256,6 +313,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-23", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')]['route']['cluster']", expected: []string{ @@ -264,6 +322,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-24", doc: case3Route, jsonPath: "..routes[?(@.name=='httproute/default/backend/rule/1/match/1/www_example_com')].route.upgrade_configs", expected: []string{ @@ -271,6 +330,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-25", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')]", path: "/abc", @@ -280,6 +340,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-26", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')]", path: "abc", @@ -289,6 +350,7 @@ func Test(t *testing.T) { }, }, { + name: "TestCase-27", doc: case3Route, jsonPath: "..routes[?(@.name =~ 'www')]", path: "/", 
@@ -297,26 +359,68 @@ func Test(t *testing.T) { "/virtual_hosts/1/routes/0/", }, }, + { + name: "TestCase-28", + doc: case4Escaping, + jsonPath: "$.values[?(@.name =~ 'test2')]", + path: "dotted.key", + expected: []string{ + "/values/1/dotted.key", + }, + }, + { + name: "TestCase-29", + doc: case4Escaping, + jsonPath: "$.values[?(@.name =~ 'test2')]['dotted.key']", + expected: []string{ + "/values/1/dotted.key", + }, + }, + { + name: "TestCase-30", + doc: case4Escaping, + jsonPath: "$.values[?(@.name =~ 'test3')].~abc", + expected: []string{ + "/values/2/~0abc", + }, + }, + { + name: "TestCase-31", + doc: case4Escaping, + jsonPath: "$.values[?(@.name =~ 'test4')]['//abc']", + expected: []string{ + "/values/3/~1~1abc", + }, + }, + { + name: "TestCase-32", + doc: case4Escaping, + jsonPath: "$.values[?(@.name =~ 'test5')]['~/abc/~']", + expected: []string{ + "/values/4/~0~1abc~1~0", + }, + }, } - for i, test := range tests { + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + pointers, err := ConvertPathToPointers([]byte(tc.doc), tc.jsonPath, tc.path) + if err != nil { + require.NoError(t, err) + } - testCasePrefix := "TestCase " + strconv.Itoa(i+1) - pointers, err := ConvertPathToPointers([]byte(test.doc), test.jsonPath, test.path) - if err != nil { - t.Error(testCasePrefix + ": Error during conversion:\n" + err.Error()) - continue - } + expectedAsString := asString(tc.expected) + pointersAsString := asString(pointers) - expectedAsString := asString(test.expected) - pointersAsString := asString(pointers) - - require.Equal(t, expectedAsString, pointersAsString) + require.Equal(t, expectedAsString, pointersAsString) + }) } } func TestException(t *testing.T) { tests := []struct { + name string + // Json Document doc string 
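Review bot: In the new `t.Run` body the guard `if err != nil { require.NoError(t, err) }` is redundant, because `require.NoError` is already a no-op on a nil error. The plain call `require.NoError(t, err)` says the same thing and keeps the failure path obvious. The rewritten loop in `TestException` (next hunk) has the mirror image, `if err == nil { require.Error(t, err) }` followed by `require.ErrorContains`, which already fails on a nil error, so that guard can be dropped entirely. The generated names `TestCase-01` … `TestCase-32` also give no hint of what failed; a short description per case (e.g. `"escape tilde in child key"`) would make `-run` filtering and failure output more useful.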
@@ -330,32 +434,33 @@ func TestException(t *testing.T) { expected string }{ { + name: "TestCaseEx-01", doc: case1Simple, jsonPath: ".$", expected: "Error during parsing jpath", }, { + name: "TestCaseEx-02", doc: case1Simple, jsonPath: "$", expected: "only Root", }, { + name: "TestCaseEx-03", doc: "{", jsonPath: ".$", expected: "Error during parsing json", }, } - for i, test := range tests { - - testCasePrefix := "TestCase " + strconv.Itoa(i+1) - _, err := ConvertPathToPointers([]byte(test.doc), test.jsonPath, test.path) - if err == nil { - t.Error(testCasePrefix + ": Error expected, but no error found!") - continue - } - - require.ErrorContains(t, err, test.expected) + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + _, err := ConvertPathToPointers([]byte(test.doc), test.jsonPath, test.path) + if err == nil { + require.Error(t, err) + } + require.ErrorContains(t, err, test.expected) + }) } } diff --git a/internal/utils/jsonpatch/patch.go b/internal/utils/jsonpatch/patch.go index 15cac85a308..8c14ae19f46 100644 --- a/internal/utils/jsonpatch/patch.go +++ b/internal/utils/jsonpatch/patch.go @@ -46,6 +46,13 @@ func ApplyJSONPatches(document json.RawMessage, patches ...ir.JSONPatchOperation tErrs = errors.Join(tErrs, tErr) continue } + if len(jsonPointers) == 0 { + tErr := fmt.Errorf("no jsonPointers were found while evaluating the jsonPath: '%s'. "+ + "Ensure the elements you are trying to select with the jsonPath exist in the document. "+ + "If you need to add a non-existing property, use the 'path' attribute", *p.JSONPath) + tErrs = errors.Join(tErrs, tErr) + continue + } } else { jsonPointers = []string{*p.Path} } diff --git a/internal/utils/jsonpatch/patch_test.go b/internal/utils/jsonpatch/patch_test.go index ace677124e0..dbdd63fc527 100644 --- a/internal/utils/jsonpatch/patch_test.go +++ b/internal/utils/jsonpatch/patch_test.go @@ -6,6 +6,7 @@ package jsonpatch import ( + "encoding/json" "testing" "github.com/stretchr/testify/require" 
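Review bot: In the `patch.go` hunk, the new "no jsonPointers were found" error embeds the user-supplied expression with `'%s'`. `%q` would quote and escape it, so an expression that itself contains quotes or control characters cannot garble the message wherever it is surfaced: `fmt.Errorf("no jsonPointers were found while evaluating the jsonPath: %q. "+ ...`, with `*p.JSONPath` as the argument. A jsonPath that matches nothing now fails where it previously fell through with no pointers, so policies that relied on a non-matching expression will start reporting errors; the release notes should mention this. The enclosing `ApplyJSONPatches` loop starts and ends outside the hunk.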
@@ -40,14 +41,44 @@ const sourceDocument = ` } ` +const sourceDotEscape = ` + { + "otherLevel": { + "dot.key": "oldValue", + "~my": "file", + "/other/": "zip" + } + } +` + +var expectedDotEscapeCase1 = `{ + "otherLevel": { + "dot.key": "newValue", + "~my": "file", + "/other/": "zip" + } +}` + +var expectedDotEscapeCase2 = `{ + "otherLevel": { + "dot.key": "oldValue", + "~my": "folder", + "/other/": "tar" + } +}` + func TestApplyJSONPatches(t *testing.T) { testCases := []struct { + doc string name string patchOperation []ir.JSONPatchOperation errorExpected bool + errorContains *string + expectedDoc *string }{ { name: "simple add with single patch", + doc: sourceDocument, patchOperation: []ir.JSONPatchOperation{ { Op: "add", @@ -61,6 +92,7 @@ func TestApplyJSONPatches(t *testing.T) { }, { name: "two operations in a set", + doc: sourceDocument, patchOperation: []ir.JSONPatchOperation{ { Op: "add", @@ -78,6 +110,7 @@ func TestApplyJSONPatches(t *testing.T) { }, { name: "invalid operation", + doc: sourceDocument, patchOperation: []ir.JSONPatchOperation{ { Op: "badbadbad", @@ -88,9 +121,11 @@ func TestApplyJSONPatches(t *testing.T) { }, }, errorExpected: true, + errorContains: ptr.To("unsupported JSONPatch operation"), }, { name: "jsonpath affecting two places", + doc: sourceDocument, patchOperation: []ir.JSONPatchOperation{ { Op: "remove", @@ -101,6 +136,7 @@ func TestApplyJSONPatches(t *testing.T) { }, { name: "invalid jsonpath", + doc: sourceDocument, patchOperation: []ir.JSONPatchOperation{ { Op: "remove", 
@@ -108,17 +144,120 @@ func TestApplyJSONPatches(t *testing.T) { }, }, errorExpected: true, + errorContains: ptr.To("unable to convert jsonPath"), + }, + { + name: "dot escaped json path", + doc: sourceDotEscape, + patchOperation: []ir.JSONPatchOperation{ + { + Op: "replace", + JSONPath: ptr.To("$.otherLevel['dot.key']"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("\"newValue\""), + }, + }, + }, + expectedDoc: &expectedDotEscapeCase1, + errorExpected: false, + }, + { + name: "dot escaped json path combined with path", + doc: sourceDotEscape, + patchOperation: []ir.JSONPatchOperation{ + { + Op: "replace", + Path: ptr.To("dot.key"), + JSONPath: ptr.To("$.otherLevel"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("\"newValue\""), + }, + }, + }, + expectedDoc: &expectedDotEscapeCase1, + errorExpected: false, + }, + { + name: "json pointer chars which need to be escaped", + doc: sourceDotEscape, + patchOperation: []ir.JSONPatchOperation{ + { + Op: "replace", + JSONPath: ptr.To("$.otherLevel['~my']"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("\"folder\""), + }, + }, + { + Op: "replace", + JSONPath: ptr.To("$.otherLevel['/other/']"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("\"tar\""), + }, + }, + }, + expectedDoc: &expectedDotEscapeCase2, + errorExpected: false, + }, + { + name: "jsonPath returns no jsonPointer", + doc: sourceDocument, + patchOperation: []ir.JSONPatchOperation{ + { + Op: "replace", + JSONPath: ptr.To("$.secondLevel.doesNotExist"), + Value: &apiextensionsv1.JSON{ + Raw: []byte("\"folder\""), + }, + }, + }, + errorExpected: true, + errorContains: ptr.To("no jsonPointers were found"), }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - _, err := ApplyJSONPatches([]byte(sourceDocument), tc.patchOperation...) + jDoc, err := ApplyJSONPatches([]byte(tc.doc), tc.patchOperation...) 
if tc.errorExpected { require.Error(t, err) + if tc.errorContains != nil { + require.ErrorContains(t, err, *tc.errorContains) + } } else { + if tc.expectedDoc != nil { + resultData, err := jDoc.MarshalJSON() + if err != nil { + t.Error(err) + } + + resultJSON, err := formatJSON(resultData) + if err != nil { + t.Error(err) + } + + expectedJSON, err := formatJSON([]byte(*tc.expectedDoc)) + if err != nil { + t.Error(err) + } + + require.Equal(t, expectedJSON, resultJSON) + } require.NoError(t, err) } }) } } + +func formatJSON(s []byte) (string, error) { + var obj map[string]interface{} + err := json.Unmarshal(s, &obj) + if err != nil { + return "", err + } + buf, err := json.MarshalIndent(obj, "", " ") + if err != nil { + return "", err + } + return string(buf), nil +} diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml new file mode 100644 index 00000000000..5b677788a22 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml 
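Review bot: In the success branch, `require.NoError(t, err)` runs only after `jDoc` has been marshalled and compared. An unexpected patch error would therefore surface as a confusing document mismatch rather than as the error itself, and the inner `resultData, err :=` shadows the outer `err` as well. Move `require.NoError(t, err)` to the first line of the `else` branch. The hand-written `formatJSON` helper and the three `t.Error(err)` checks can then be replaced by testify's `require.JSONEq(t, *tc.expectedDoc, string(resultData))`, which compares JSON structurally and drops the `encoding/json` import this commit adds to the test file.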
@@ -0,0 +1,68 @@ +envoyPatchPolicies: +- status: + ancestors: + - ancestorRef: + group: "gateway.networking.k8s.io" + kind: "Gateway" + namespace: "default" + name: "foobar" + name: "first-policy" + namespace: "default" + jsonPatches: + - type: "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" + name: "first-route-dest" + operation: + op: "replace" + jsonPath: "..doesNotExists" + value: "50" +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + tls: + alpnProtocols: + - h2 + - http/1.1 + certificates: + - name: secret-1 + # byte slice representation of "key-data" + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] + # byte slice representation of "key-data" + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + - name: secret-2 + serverCertificate: [99, 101, 114, 116, 45, 100, 97, 116, 97] + privateKey: [107, 101, 121, 45, 100, 97, 116, 97] + routes: + - name: "first-route" + hostname: "*" + headerMatches: + - name: user + stringMatch: + exact: "jason" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "second-route" + hostname: "*" + headerMatches: + - name: user + stringMatch: + exact: "james" + - name: country + stringMatch: + exact: "US" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "4.5.6.7" + port: 60000 + diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index 06a9a86131b..e939ffb2b8b 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go 
@@ -58,6 +58,10 @@ func TestTranslateXds(t *testing.T) { "jsonpatch-with-jsonpath": { requireEnvoyPatchPolicies: true, }, + "jsonpatch-with-jsonpath-invalid": { + requireEnvoyPatchPolicies: true, + errMsg: "no jsonPointers were found while evaluating the jsonPath", + }, "jsonpatch-add-op-empty-jsonpath": { requireEnvoyPatchPolicies: true, errMsg: "a patch operation must specify a path or jsonPath", diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 4599c3214c4..70b7608406e 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2186,8 +2186,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | false | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | -| `jsonPath` | _string_ | false | JSONPath specifies the locations of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. | +| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index 36930d73785..e503244c503 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md 
@@ -274,6 +274,85 @@ Handling connection for 8888 could not find what you are looking for ``` +### Customize VirtualHost by name + +* Use EnvoyProxy's `include_attempt_count_in_response` feature to include the attempt count as header in the downstream response. +* Apply the configuration + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <// + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +EOF +``` + +{{% /tab %}} +{{% tab header="Apply from file" %}} +Save and apply the following resource to your cluster: + +```yaml +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: include-attempts + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + # The RouteConfiguration name is of the form // + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +``` + +{{% /tab %}} +{{< /tabpane >}} + +* Test it out by looking at the response headers + +``` +$ curl -v --header "Host: www.example.com" http://localhost:8888/ +... +< x-envoy-attempt-count: 1 +... +``` + ## Debugging ### Runtime 
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 4599c3214c4..70b7608406e 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2186,8 +2186,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | false | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | -| `jsonPath` | _string_ | false | JSONPath specifies the locations of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details. | +| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | From 91bea68d1611cb2b083f98c4dcd62a86d183eb09 Mon Sep 17 00:00:00 2001 From: sh2 Date: Fri, 20 Sep 2024 08:37:13 +0800 Subject: [PATCH 171/523] chore: include heap profile into benchmark report and add notes for profiles (#4284) include heap profile into benchmark report and add notes for profiles Signed-off-by: shawnh2 --- test/benchmark/suite/render.go | 17 +++++++++++++++-- tools/make/kube.mk | 5 +---- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/test/benchmark/suite/render.go b/test/benchmark/suite/render.go index 199476f3e99..69992fb69ee 100644 --- a/test/benchmark/suite/render.go +++ b/test/benchmark/suite/render.go @@ -77,7 +77,7 @@ func RenderReport(writer io.Writer, name, description string, titleLevel int, re writeSection(writer, "Metrics", titleLevel+1, "") renderMetricsTable(writer, reports) - writeSection(writer, "Profiles", titleLevel+1, "") + writeSection(writer, "Profiles", titleLevel+1, renderProfilesNote()) renderProfilesTable(writer, "Memory", "heap", titleLevel+2, reports) return nil @@ -149,6 +149,18 @@ func renderMetricsTable(writer io.Writer, reports []*BenchmarkReport) { _ = table.Flush() } +func renderProfilesNote() string { + return fmt.Sprintf(`The profiles at different scales are stored under %s directory in report, with name %s. + +You can visualize them in a web page by running: + +%s + +Currently, the supported profile types are: +- heap +`, "`/profiles`", "`{ProfileType}.{TestCase}.pprof`", "```shell\ngo tool pprof -http=: path/to/your.pprof\n```") +} + func renderProfilesTable(writer io.Writer, target, key string, titleLevel int, reports []*BenchmarkReport) { writeSection(writer, target, titleLevel, "") 
@@ -156,7 +168,8 @@ func renderProfilesTable(writer io.Writer, target, key string, titleLevel int, r // The image is not be rendered yet, so it is a placeholder for the path. // The image will be rendered after the test has finished. writeSection(writer, report.Name, titleLevel+1, - fmt.Sprintf("![%s-%s](%s.png)", key, report.Name, report.ProfilesPath[key])) + fmt.Sprintf("![%s-%s](%s.png)", key, report.Name, + strings.TrimSuffix(report.ProfilesPath[key], ".pprof"))) } } diff --git a/tools/make/kube.mk b/tools/make/kube.mk index dd5cd74c6d6..2344a3b868d 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -174,10 +174,7 @@ run-benchmark: install-benchmark-server ## Run benchmark tests go test -v -tags benchmark -timeout $(BENCHMARK_TIMEOUT) ./test/benchmark --rps=$(BENCHMARK_RPS) --connections=$(BENCHMARK_CONNECTIONS) --duration=$(BENCHMARK_DURATION) --report-save-dir=$(BENCHMARK_REPORT_DIR) # render benchmark profiles into image dot -V - @for profile in $(wildcard test/benchmark/$(BENCHMARK_REPORT_DIR)/profiles/*.pprof); do \ - $(call log, "Rendering profile image for: $${profile}"); \ - go tool pprof -png $${profile} > $${profile}.png; \ - done + find test/benchmark/$(BENCHMARK_REPORT_DIR)/profiles -name "*.pprof" -type f -exec sh -c 'go tool pprof -png "$$1" > "$${1%.pprof}.png"' _ {} \; .PHONY: install-benchmark-server install-benchmark-server: ## Install nighthawk server for benchmark test From 0d1ccae0f546271f25765594d7f7ab79dcc96977 Mon Sep 17 00:00:00 2001 From: Luv Date: Sat, 21 Sep 2024 05:16:17 +0530 Subject: [PATCH 172/523] fix: Reconcile on HTTPRoute labels change (#4279) * added label change predicate Signed-off-by: Luv * added labels predicate for xroute and gw Signed-off-by: Luv * changed predicate to use .Or Signed-off-by: Luv --------- Signed-off-by: Luv Co-authored-by: zirain --- internal/provider/kubernetes/controller.go | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) 
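Review bot: The image link in renderProfilesTable now depends on a naming rule that lives in tools/make/kube.mk, and nothing at the call site says so. The Makefile writes the image as `"$${1%.pprof}.png"`, and this code trims `.pprof` to match. A one-line comment such as `// kube.mk renders X.pprof to X.png, so the link drops the .pprof suffix.` would keep the two from drifting apart. Separately, `report.ProfilesPath[key]` is read without an ok-check, so a report with no entry for `key` would produce a link to `.png`; the loop header is outside the hunk, so this may already be guarded.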
diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index a07ca6ab120..877723fa682 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -1080,7 +1080,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch Gateway CRUDs and reconcile affected GatewayClass. gPredicates := []predicate.TypedPredicate[*gwapiv1.Gateway]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1.Gateway]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.Gateway]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.Gateway]{}), predicate.NewTypedPredicateFuncs(func(gtw *gwapiv1.Gateway) bool { return r.validateGatewayForReconcile(gtw) }), @@ -1104,7 +1105,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch HTTPRoute CRUDs and process affected Gateways. httprPredicates := []predicate.TypedPredicate[*gwapiv1.HTTPRoute]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1.HTTPRoute]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.HTTPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.HTTPRoute]{}), } if r.namespaceLabel != nil { httprPredicates = append(httprPredicates, predicate.NewTypedPredicateFuncs(func(hr *gwapiv1.HTTPRoute) bool { @@ -1113,8 +1115,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } if err := c.Watch( source.Kind(mgr.GetCache(), &gwapiv1.HTTPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *gwapiv1.HTTPRoute) []reconcile.Request { - return r.enqueueClass(ctx, t) + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, route *gwapiv1.HTTPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) }), httprPredicates...)); err != nil { return err 
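Review bot: The same `predicate.Or(TypedGenerationChangedPredicate, TypedLabelChangedPredicate)` pair is now written out six times in watchResources: for Gateway and HTTPRoute here, and for GRPCRoute, TLSRoute, UDPRoute and TCPRoute in the following hunks. Any later change to what triggers a reconcile therefore has to be made in six places. A small generic helper in this file that returns the combined predicate for a given object type would keep them identical. A short comment on why labels are watched would also help, e.g. `// Labels do not bump metadata.generation, so watch them explicitly.` watchResources starts and ends outside these hunks.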
@@ -1125,7 +1127,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch GRPCRoute CRUDs and process affected Gateways. grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), } if r.namespaceLabel != nil { grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { @@ -1146,7 +1149,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch TLSRoute CRUDs and process affected Gateways. tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), } if r.namespaceLabel != nil { tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { @@ -1167,7 +1171,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch UDPRoute CRUDs and process affected Gateways. udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), } if r.namespaceLabel != nil { udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { 
@@ -1188,7 +1193,8 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M // Watch TCPRoute CRUDs and process affected Gateways. tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), } if r.namespaceLabel != nil { tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { From 73c223e5ef8e12ad2ddafae0f3a1e5df00aa0373 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 20 Sep 2024 18:03:43 -0700 Subject: [PATCH 173/523] fix: handle invalid sectionName in BackendTLSPolicy for Backend (#4296) --- internal/gatewayapi/backendtlspolicy.go | 5 +- .../backendtlspolicy-default-ns.in.yaml | 39 +++++++++++-- .../backendtlspolicy-default-ns.out.yaml | 57 +++++++++++++++++-- 3 files changed, 91 insertions(+), 10 deletions(-) diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index d58f2789c8b..a04f93c9c19 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -145,7 +145,10 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 target.Kind == currTarget.Kind && backendNamespace == policy.Namespace && target.Name == currTarget.Name { - if currTarget.SectionName != nil && *currTarget.SectionName != *target.SectionName { + if currTarget.SectionName != nil { + if target.SectionName != nil && *currTarget.SectionName == *target.SectionName { + return true + } return false } return true diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml index a92a6be6023..5a13fba2fc2 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml 
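Review bot: In backendTLSTargetMatched, the new `return false` inside the `currTarget.SectionName != nil` branch ends the match as soon as one targetRef names the backend but its sectionName is not matched. If this block sits inside a loop over the policy's targetRefs, which the hunk does not show, a later targetRef that would match is never examined, and `continue` would be the safer exit. The outcome matters because a non-match leaves the upstream without TLS: the golden output in this commit shows `policy-btls-backend-ip-2` with `ancestors: null` and its 3.3.3.3 endpoint with no `tls` block. A comment making that intent explicit would help, e.g. `// sectionName is set on the policy but not matched by the target: the policy does not apply`.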
+++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml @@ -33,7 +33,11 @@ httpRoutes: - name: http-backend namespace: default port: 8080 - - name: backend-ip-tls + - name: backend-ip-tls-1 + namespace: default + kind: Backend + group: gateway.envoyproxy.io + - name: backend-ip-tls-2 namespace: default kind: Backend group: gateway.envoyproxy.io @@ -140,13 +144,30 @@ backendTLSPolicies: - apiVersion: gateway.networking.k8s.io/v1alpha2 kind: BackendTLSPolicy metadata: - name: policy-btls-backend-ip + name: policy-btls-backend-ip-1 namespace: default spec: targetRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-ip-tls + name: backend-ip-tls-1 + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: ip-backend + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls-backend-ip-2 + namespace: default + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls-2 + sectionName: 3443 validation: caCertificateRefs: - name: ca-cmap @@ -157,10 +178,20 @@ backends: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: - name: backend-ip-tls + name: backend-ip-tls-1 namespace: default spec: endpoints: - ip: address: 2.2.2.2 port: 3443 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-ip-tls-2 + namespace: default + spec: + endpoints: + - ip: + address: 3.3.3.3 + port: 3443 diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index 66dfad1a10a..d07083f26cf 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml 
@@ -34,13 +34,13 @@ backendTLSPolicies: kind: BackendTLSPolicy metadata: creationTimestamp: null - name: policy-btls-backend-ip + name: policy-btls-backend-ip-1 namespace: default spec: targetRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-ip-tls + name: backend-ip-tls-1 validation: caCertificateRefs: - group: "" @@ -60,12 +60,32 @@ backendTLSPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-backend-ip-2 + namespace: default + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls-2 + sectionName: "3443" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: ip-backend + status: + ancestors: null backends: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: creationTimestamp: null - name: backend-ip-tls + name: backend-ip-tls-1 namespace: default spec: endpoints: @@ -79,6 +99,24 @@ backends: reason: Accepted status: "True" type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-ip-tls-2 + namespace: default + spec: + endpoints: + - ip: + address: 3.3.3.3 + port: 3443 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -139,7 +177,11 @@ httpRoutes: port: 8080 - group: gateway.envoyproxy.io kind: Backend - name: backend-ip-tls + name: backend-ip-tls-1 + namespace: default + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip-tls-2 namespace: default matches: - path: 
@@ -221,9 +263,14 @@ xdsIR: tls: caCertificate: certificate: 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 - name: policy-btls-backend-ip/default-ca + name: policy-btls-backend-ip-1/default-ca sni: ip-backend weight: 1 + - addressType: IP + endpoints: + - host: 3.3.3.3 + port: 3443 + weight: 1 hostname: '*' isHTTP2: false metadata: From f4ae934ba34090de887f3491623ef83b40d0d660 Mon Sep 17 00:00:00 2001 From: Qiu Yu Date: Fri, 20 Sep 2024 18:10:42 -0700 Subject: [PATCH 174/523] chore: e2e: expose --allow-crds-mismatch from conformace test (#4297) e2e: expose --allow-crds-mismatch from conformace test This is to align `test/e2e` package with `test/conformance` package for consistency (i.e. --allow-crds-mismatch for both test suites). This is needed to run e2e test in cluster with pre-installed Gateway API CRDs. Signed-off-by: Qiu Yu --- test/e2e/e2e_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index e0e71f95173..ef186153eef 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -50,6 +50,7 @@ func TestE2E(t *testing.T) { SkipTests: []string{ tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191 }, + AllowCRDsMismatch: *flags.AllowCRDsMismatch, }) if err != nil { t.Fatalf("Failed to create ConformanceTestSuite: %v", err) From 475cd61389c2f71e6fce8b9cc81c29ee5e18cc29 Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Fri, 20 Sep 2024 18:33:19 -0700 Subject: [PATCH 175/523] revisit envoy shutdown settings (#4288) * Set default minDrainDuration to `10s`. Since the default `readinessProbe.periodSeconds` is `5s`, this gives any LB controller `5s` to update its endpoint pool if it is basing it on the k8s API server * Set default `drainTimeout` to `60s`. This ensures that persistent connections held by clients can be closed sooner. Fixes: https://github.com/envoyproxy/gateway/issues/4125 * Updates the default `terminationGracePeriodSeconds` to `360s`, which is `300s` more than the default drain timeout 
Signed-off-by: Arko Dasgupta Co-authored-by: zirain --- api/v1alpha1/envoyproxy_types.go | 4 ++-- .../crds/generated/gateway.envoyproxy.io_envoyproxies.yaml | 4 ++-- internal/cmd/envoy.go | 4 ++-- internal/infrastructure/kubernetes/proxy/resource.go | 5 ++++- .../infrastructure/kubernetes/proxy/resource_provider.go | 2 +- .../proxy/testdata/daemonsets/component-level.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/default-env.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/default.yaml | 3 ++- .../proxy/testdata/daemonsets/disable-prometheus.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/extension-env.yaml | 3 ++- .../testdata/daemonsets/override-labels-and-annotations.yaml | 3 ++- .../proxy/testdata/daemonsets/patch-daemonset.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 3 ++- .../proxy/testdata/daemonsets/with-annotations.yaml | 3 ++- .../proxy/testdata/daemonsets/with-concurrency.yaml | 3 ++- .../proxy/testdata/daemonsets/with-extra-args.yaml | 3 ++- .../proxy/testdata/daemonsets/with-image-pull-secrets.yaml | 3 ++- .../kubernetes/proxy/testdata/daemonsets/with-name.yaml | 3 ++- .../proxy/testdata/daemonsets/with-node-selector.yaml | 3 ++- .../daemonsets/with-topology-spread-constraints.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/bootstrap.yaml | 3 ++- .../proxy/testdata/deployments/component-level.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/custom.yaml | 3 ++- .../testdata/deployments/custom_with_initcontainers.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/default-env.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/default.yaml | 3 ++- .../proxy/testdata/deployments/disable-prometheus.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/extension-env.yaml | 3 ++- .../deployments/override-labels-and-annotations.yaml | 3 ++- .../proxy/testdata/deployments/patch-deployment.yaml | 3 ++- 
.../kubernetes/proxy/testdata/deployments/volumes.yaml | 3 ++- .../proxy/testdata/deployments/with-annotations.yaml | 3 ++- .../proxy/testdata/deployments/with-concurrency.yaml | 3 ++- .../proxy/testdata/deployments/with-empty-memory-limits.yaml | 3 ++- .../proxy/testdata/deployments/with-extra-args.yaml | 3 ++- .../proxy/testdata/deployments/with-image-pull-secrets.yaml | 3 ++- .../kubernetes/proxy/testdata/deployments/with-name.yaml | 3 ++- .../proxy/testdata/deployments/with-node-selector.yaml | 3 ++- .../deployments/with-topology-spread-constraints.yaml | 3 ++- site/content/en/latest/api/extension_types.md | 4 ++-- site/content/zh/latest/api/extension_types.md | 4 ++-- 42 files changed, 85 insertions(+), 47 deletions(-) diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index 74218aad20b..d7a2a73abe8 100644 --- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go @@ -256,12 +256,12 @@ type EnvoyProxyProvider struct { // ShutdownConfig defines configuration for graceful envoy shutdown process. type ShutdownConfig struct { // DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. - // If unspecified, defaults to 600 seconds. + // If unspecified, defaults to 60 seconds. // // +optional DrainTimeout *metav1.Duration `json:"drainTimeout,omitempty"` // MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. - // If unspecified, defaults to 5 seconds. + // If unspecified, defaults to 10 seconds. // // +optional MinDrainDuration *metav1.Duration `json:"minDrainDuration,omitempty"` diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 145a3e4d41a..e5488fd636b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10248,12 +10248,12 @@ spec: drainTimeout: description: |- DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds. - If unspecified, defaults to 600 seconds. + If unspecified, defaults to 60 seconds. type: string minDrainDuration: description: |- MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete. - If unspecified, defaults to 5 seconds. + If unspecified, defaults to 10 seconds. type: string type: object telemetry: diff --git a/internal/cmd/envoy.go b/internal/cmd/envoy.go index 20cf95bb412..87eccf8a520 100644 --- a/internal/cmd/envoy.go +++ b/internal/cmd/envoy.go @@ -40,10 +40,10 @@ func getShutdownCommand() *cobra.Command { }, } - cmd.PersistentFlags().DurationVar(&drainTimeout, "drain-timeout", 600*time.Second, + cmd.PersistentFlags().DurationVar(&drainTimeout, "drain-timeout", 60*time.Second, "Graceful shutdown timeout. This should be less than the pod's terminationGracePeriodSeconds.") - cmd.PersistentFlags().DurationVar(&minDrainDuration, "min-drain-duration", 5*time.Second, + cmd.PersistentFlags().DurationVar(&minDrainDuration, "min-drain-duration", 10*time.Second, "Minimum drain duration allowing time for endpoint deprogramming to complete.") cmd.PersistentFlags().IntVar(&exitAtConnections, "exit-at-connections", 0, diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index f689910bfda..32ca695e5da 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go 
@@ -183,9 +183,12 @@ func expectedProxyContainers(infra *ir.ProxyInfra, args = append(args, fmt.Sprintf("--component-log-level %s", componentsLogLevel)) } + // Default + drainTimeout := 60.0 if shutdownConfig != nil && shutdownConfig.DrainTimeout != nil { - args = append(args, fmt.Sprintf("--drain-time-s %.0f", shutdownConfig.DrainTimeout.Seconds())) + drainTimeout = shutdownConfig.DrainTimeout.Seconds() } + args = append(args, fmt.Sprintf("--drain-time-s %.0f", drainTimeout)) if infra.Config != nil { args = append(args, infra.Config.Spec.ExtraArgs...) diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 7795c145c77..27edd2949b3 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -442,7 +442,7 @@ func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPod } func expectedTerminationGracePeriodSeconds(cfg *egv1a1.ShutdownConfig) *int64 { - s := 900 // default + s := 360 // default if cfg != nil && cfg.DrainTimeout != nil { s = int(cfg.DrainTimeout.Seconds() + 300) // 5 minutes longer than drain timeout } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index e707811b725..b81eac520be 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -42,6 +42,7 @@ spec: - --cpuset-threads - --drain-strategy immediate - --component-log-level filter:info + - --drain-time-s 60 command: - envoy env: @@ -185,7 +186,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: 
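Review bot: The 60-second default is now a separate literal in three places that must agree: `drainTimeout := 60.0` here, `60*time.Second` for `--drain-timeout` in internal/cmd/envoy.go, and `s := 360` in expectedTerminationGracePeriodSeconds, which is that default plus the 300 seconds added in the non-default branch. A single shared constant with the grace period derived from it (for instance `s := defaultDrainTimeoutSeconds + 300`, name suggested) would stop terminationGracePeriodSeconds from falling out of step with the drain time the next time the default moves. The `// Default` comment could say what it defaults, e.g. `// Drain time used when ShutdownConfig.DrainTimeout is unset; keep in sync with the shutdown command's --drain-timeout.` Also, `%.0f` rounds a sub-second DrainTimeout to `--drain-time-s 0`. expectedProxyContainers continues outside the hunk.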
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 0f6a997d4c6..dd3d30cb87c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -225,6 +225,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -366,7 +367,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 6fdf1da0e60..2756e0ac667 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -224,6 +224,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -365,7 +366,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index a72d157d29c..cdecbf11acc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: 
@@ -352,7 +353,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 4ce178c3702..cb14c7d0102 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -183,6 +183,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -323,7 +324,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index c79f727f345..844e8c38b8a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -224,6 +224,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -369,7 +370,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 1ad3c6a3e60..3e2631cf7a2 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -218,6 +218,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -361,7 +362,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index fb0fd20619a..894bd9597d4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -353,7 +354,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 1e0c7f755e7..74555834ecf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -224,6 +224,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: 
@@ -369,7 +370,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 208984e9e67..708f586ffc2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -214,6 +214,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -357,7 +358,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 0f5de423806..10911bdec5d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -42,6 +42,7 @@ spec: - --cpuset-threads - --drain-strategy immediate - --concurrency 4 + - --drain-time-s 60 command: - envoy env: @@ -185,7 +186,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 4ac38c0a96e..558e51410c0 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 - --key1 val1 - --key2 val2 command: @@ -354,7 +355,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 62f40dc8db9..bb6d7bcebc5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -355,7 +356,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 9fee30ccc12..7df24d4b5c4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: 
@@ -352,7 +353,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index d5afd458ecd..6fb612dad30 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -355,7 +356,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 2299126ab97..cc863ceb2cd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -209,6 +209,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -352,7 +353,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 topologySpreadConstraints: - labelSelector: matchLabels: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 74f15989fe5..7c979810084 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -45,6 +45,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -188,7 +189,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index 25a181a6c75..b9076bc915f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -46,6 +46,7 @@ spec: - --cpuset-threads - --drain-strategy immediate - --component-log-level filter:info + - --drain-time-s 60 command: - envoy env: @@ -189,7 +190,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index a723d5e5e2f..b770e10c5ab 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml 
@@ -230,6 +230,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -371,7 +372,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 3a86964c926..3b7f4c13131 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -230,6 +230,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -386,7 +387,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 98dfc7fd8a4..11fc90e2e6f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -229,6 +229,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -370,7 +371,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index d1ce99db4be..a1efff9d450 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -356,7 +357,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 0687d1f12e4..cf2503cc142 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -187,6 +187,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -327,7 +328,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index e23b1bf1c24..97f116c0620 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml 
@@ -229,6 +229,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -374,7 +375,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 575869b3c10..3f5c31be439 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -222,6 +222,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -365,7 +366,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 470b6fcd926..725c4994a52 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -357,7 +358,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 121b7efbc68..4c5819a8786 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -229,6 +229,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -374,7 +375,7 @@ spec: securityContext: runAsUser: 1000 serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index b3b7c2cd4bd..f0a9014ec9f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -218,6 +218,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -361,7 +362,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index e678283368c..2902e865bf2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml 
@@ -46,6 +46,7 @@ spec: - --cpuset-threads - --drain-strategy immediate - --concurrency 4 + - --drain-time-s 60 command: - envoy env: @@ -189,7 +190,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index d7e3740acd2..cc950e452e9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -355,7 +356,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 254055d791f..d31d189e616 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 - --key1 val1 - --key2 val2 command: @@ -358,7 +359,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 956d8ab72ec..a60b4d2169e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -359,7 +360,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 291429e724a..2dd44b08dd9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -356,7 +357,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 844489965e1..235b1e992f9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -359,7 +360,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 volumes: - name: certs secret: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 26ede99c55a..60fb354d5a7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -213,6 +213,7 @@ spec: - --log-level warn - --cpuset-threads - --drain-strategy immediate + - --drain-time-s 60 command: - envoy env: @@ -356,7 +357,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler serviceAccountName: envoy-default-37a8eec1 - terminationGracePeriodSeconds: 900 + terminationGracePeriodSeconds: 360 topologySpreadConstraints: - labelSelector: matchLabels: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 70b7608406e..d02a1686171 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -3559,8 +3559,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 5 seconds. | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 70b7608406e..d02a1686171 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -3559,8 +3559,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 5 seconds. | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager From 697fbed6d49c4a513a2e1d3848c56d086a6a5051 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 14:01:05 +0800 Subject: [PATCH 176/523] build(deps): bump github/codeql-action from 3.26.7 to 3.26.8 (#4310) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.7 to 3.26.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8214744c546c1e5c8f03dde8fab3a7353211988d...294a9d92911152fe08befb9ec03e240add280cb3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 50911789367..90ad9f95da5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3a03313309d..9c574f263df 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 + uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 with: sarif_file: results.sarif From 2bd27ddecaf5d92e447cd1d3cf6d5c83ecfb6d48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:13:41 +0800 Subject: [PATCH 177/523] build(deps): bump github.com/ohler55/ojg from 1.24.0 to 1.24.1 (#4302) Bumps [github.com/ohler55/ojg](https://github.com/ohler55/ojg) from 1.24.0 to 1.24.1. - [Release notes](https://github.com/ohler55/ojg/releases) - [Changelog](https://github.com/ohler55/ojg/blob/develop/CHANGELOG.md) - [Commits](https://github.com/ohler55/ojg/compare/v1.24.0...v1.24.1) --- updated-dependencies: - dependency-name: github.com/ohler55/ojg dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0fe4eb4422e..ed12f773dc1 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 - github.com/ohler55/ojg v1.24.0 + github.com/ohler55/ojg v1.24.1 github.com/prometheus/client_golang v1.20.3 github.com/prometheus/common v0.59.1 github.com/spf13/cobra v1.8.1 diff --git a/go.sum b/go.sum index 50c9631fe33..b89829f41ac 100644 --- a/go.sum +++ b/go.sum @@ -612,8 +612,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/ohler55/ojg v1.24.0 h1:y2AVez6fPTszK/jPhaAYMCAzAoSleConMqSDD5wJKJg= -github.com/ohler55/ojg v1.24.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= +github.com/ohler55/ojg v1.24.1 h1:PaVLelrNgT5/0ppPaUtey54tOVp245z33fkhL2jljjY= +github.com/ohler55/ojg v1.24.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= From 13b1fd848f74fe6fc1d542408784163db20db498 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:44:08 -0700 Subject: [PATCH 178/523] build(deps): bump distroless/static from `42d15c6` to `dcd3f1f` in /tools/docker/envoy-gateway (#4311) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `42d15c6` to `dcd3f1f`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 73eece8b990..2f30eec5468 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:42d15c647a762d3ce3a67eab394220f5268915d6ddba9006871e16e4698c3a24 +FROM gcr.io/distroless/static:nonroot@sha256:dcd3f1f09adef5689088c9c4d96a8d98c889d8281d3946145074f89eafe7e1af ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib From c37657eae9ea034def5547035352f078720dd785 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:44:39 -0700 Subject: [PATCH 179/523] build(deps): bump github.com/docker/cli from 27.2.0+incompatible to 27.3.1+incompatible (#4306) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.2.0+incompatible to 27.3.1+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.2.0...v27.3.1) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ed12f773dc1..e699b776d3e 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v27.2.0+incompatible + github.com/docker/cli v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 diff --git a/go.sum b/go.sum index b89829f41ac..0ed7d5b1a99 100644 --- a/go.sum +++ b/go.sum 
@@ -179,8 +179,8 @@ github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfG github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM= -github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= From 19b6119ab88689f802b33b047c4b13b7273011dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:45:27 -0700 Subject: [PATCH 180/523] build(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.0 in /examples/extension-server (#4307) build(deps): bump google.golang.org/grpc in /examples/extension-server Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.66.2 to 1.67.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.66.2...v1.67.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index c023ad3e216..c4d2cbcf728 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,7 +6,7 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 github.com/urfave/cli/v2 v2.27.2 - google.golang.org/grpc v1.66.2 + google.golang.org/grpc v1.67.0 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 @@ -14,9 +14,9 @@ require ( ) require ( - cel.dev/expr v0.15.0 // indirect + cel.dev/expr v0.16.0 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect - github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 920c977fbca..99b3fb50e28 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -1,9 +1,9 @@ -cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= -cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y= +cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 
@@ -109,8 +109,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1: google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= -google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= +google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 4c31efae289dc3306e692c620412770e8dce2481 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:45:48 -0700 Subject: [PATCH 181/523] build(deps): bump github.com/bufbuild/buf from 1.41.0 to 1.42.0 in /tools/src/buf (#4308) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.41.0 to 1.42.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.41.0...v1.42.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 9 +++++---- tools/src/buf/go.sum | 26 ++++++++++++-------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index e719faa3857..7dcf60d5c51 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,7 +2,7 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.41.0 +require github.com/bufbuild/buf v1.42.0 require ( buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 // indirect @@ -11,6 +11,7 @@ require ( buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect buf.build/go/bufplugin v0.2.0 // indirect + buf.build/go/protoyaml v0.2.0 // indirect connectrpc.com/connect v1.16.2 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect @@ -20,7 +21,6 @@ require ( github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect github.com/bufbuild/protovalidate-go v0.6.5 // indirect - github.com/bufbuild/protoyaml-go v0.1.12 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.22 // indirect github.com/containerd/continuity v0.4.3 // indirect @@ -78,6 +78,7 @@ require ( github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect github.com/quic-go/quic-go v0.47.0 // indirect + github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect 
@@ -86,7 +87,7 @@ require ( github.com/stoewer/go-strcase v1.3.0 // indirect github.com/vbatts/tar-split v0.11.5 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect go.opentelemetry.io/otel v1.30.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect @@ -107,7 +108,7 @@ require ( golang.org/x/tools v0.25.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/grpc v1.66.1 // indirect + google.golang.org/grpc v1.66.2 // indirect google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.3.0 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 49fa12e2c0a..e76ce65da22 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum @@ -10,6 +10,8 @@ buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5 buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= buf.build/go/bufplugin v0.2.0 h1:nnNvWzUgQXitRDmjWWIkuXj9klreAAE94sVCsL+0v5g= buf.build/go/bufplugin v0.2.0/go.mod h1:ZZYGt6PDcjbBSywdz/G8NdXkIuWi2rzR8CduGzbCPdk= +buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= +buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= 
@@ -26,16 +28,14 @@ github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0 github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.41.0 h1:4z4r7bysUZ8EAseRjQ/AWQNpOP3M1v15N+vhLe8U1WU= -github.com/bufbuild/buf v1.41.0/go.mod h1:4fMd9FF67dUbuzMFg5rIJy+6Iu6oKldAG2Z9A8zAlEk= +github.com/bufbuild/buf v1.42.0 h1:awh6dZ1qjC468Wq9FN/3WAeBLoe6LV8GeFSHlL3ltvE= +github.com/bufbuild/buf v1.42.0/go.mod h1:AKKOqvsTLjeFXTEc7h9KsxsVBY/hETalmy7k8e0FVEo= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= github.com/bufbuild/protovalidate-go v0.6.5 h1:WucDKXIbK22WjkO8A8J6Yyxxy0jl91Oe9LSMduq3YEE= github.com/bufbuild/protovalidate-go v0.6.5/go.mod h1:LHDiGCWSM3GagZEnyEZ1sPtFwi6Ja4tVTi/DCc+iDFI= -github.com/bufbuild/protoyaml-go v0.1.12 h1:tIJrwvGxumVpNwLsw/AevT1QnkPDBuAObBSuBAdmAWY= -github.com/bufbuild/protoyaml-go v0.1.12/go.mod h1:Xmz3wct+08Va+g9gjIuLTAmxW2w6sre5Wrgw7K3gn0I= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -132,8 +132,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -161,8 +159,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ= github.com/jdx/go-netrc v1.0.0/go.mod h1:Gh9eFQJnoTNIRHXl2j5bJXA1u84hQWJWgGh569zF3v8= -github.com/jhump/protoreflect v1.17.0 h1:qOEr613fac2lOuTgWN4tPAtLL7fUSbuJL5X5XumQh94= -github.com/jhump/protoreflect v1.17.0/go.mod h1:h9+vUUL38jiBzck8ck+6G/aeMX8Z4QUY/NiJPwPNi+8= +github.com/jhump/protoreflect/v2 v2.0.0-beta.2 h1:qZU+rEZUOYTz1Bnhi3xbwn+VxdXkLVeEpAeZzVXLY88= +github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNrJv4Psqout8HA1U+hZtgM= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 
@@ -228,8 +226,8 @@ github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= github.com/quic-go/quic-go v0.47.0/go.mod h1:3bCapYsJvXGZcipOHuu7plYtaV6tnF+z7wIFsU0WK9E= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
@@ -257,8 +255,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= 
@@ -367,8 +365,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM= -google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= +google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 7f24294d7ee9278341cc83a7aefe9bf91cb55dea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 10:46:18 -0700 Subject: [PATCH 182/523] build(deps): bump actions/setup-node from 4.0.3 to 4.0.4 (#4309) Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.3 to 4.0.4. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/1e60f620b9541d16bece96c5465dc8ee9832be0b...0a44ba7841725637a19e28fa30b79a866c81b0a6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 0b4cb36ecf6..c30624a0493 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -62,7 +62,7 @@ jobs: extended: true - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.1.0 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.1.0 with: node-version: '18' From e5fe8496a97d81d8cf4540005b08005123956c9a Mon Sep 17 00:00:00 2001 From: Dean Coakley Date: Mon, 23 Sep 2024 21:25:10 +0100 Subject: [PATCH 183/523] docs: fix patch command for adding TLS gateway listener (#4316) docs: fix patch command adding TLS gateway listener Signed-off-by: Dean Coakley --- site/content/en/docs/tasks/security/tls-cert-manager.md | 4 ++-- site/content/en/latest/tasks/security/tls-cert-manager.md | 4 ++-- site/content/en/v0.5/user/tls-cert-manager.md | 4 ++-- site/content/en/v0.6/user/tls-cert-manager.md | 4 ++-- site/content/en/v1.0/tasks/security/tls-cert-manager.md | 4 ++-- site/content/en/v1.1/tasks/security/tls-cert-manager.md | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/site/content/en/docs/tasks/security/tls-cert-manager.md b/site/content/en/docs/tasks/security/tls-cert-manager.md index d51fa469e8c..d2b217d0545 100644 --- a/site/content/en/docs/tasks/security/tls-cert-manager.md +++ b/site/content/en/docs/tasks/security/tls-cert-manager.md @@ -76,7 +76,7 @@ EOF We now have to patch the example Gateway to reference cert-manager: ```console -$ kubectl patch gateway/eg --patch-file - < Date: Mon, 23 Sep 2024 19:20:30 -0500 Subject: [PATCH 184/523] feat(translator): implement httproutefilter and path regex rewrite (#4258) * impl: httpfilter Signed-off-by: Guy Daich * fix review comments Signed-off-by: Guy Daich --------- 
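Review bot: The trailing comment on the new `uses: actions/setup-node@...` line in the docs.yaml hunk still reads `# v4.1.0`, while the commit message says the bump is from 4.0.3 to 4.0.4, so the tag does not describe the pinned SHA. With SHA pinning, that comment is what a reviewer checks against the upstream release list, so a wrong tag weakens the audit step and can mislead later automated bumps. The line should read `uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4`. This applies only to the docs.yaml hunk, not to the patches that follow it on the same line.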
Signed-off-by: Guy Daich --- api/v1alpha1/httproutefilter_types.go | 6 +- ...ateway.envoyproxy.io_httproutefilters.yaml | 8 +- charts/gateway-helm/templates/_rbac.tpl | 1 + internal/gatewayapi/filters.go | 116 +++++- internal/gatewayapi/helpers.go | 3 + internal/gatewayapi/resource/load.go | 14 + internal/gatewayapi/resource/resource.go | 2 + .../gatewayapi/resource/supported_kind.go | 1 + .../resource/zz_generated.deepcopy.go | 11 + ...te-filter-regex-match-replace-http.in.yaml | 147 +++++++ ...e-filter-regex-match-replace-http.out.yaml | 366 +++++++++++++++++ ...filter-regex-match-replace-invalid.in.yaml | 230 +++++++++++ ...ilter-regex-match-replace-invalid.out.yaml | 383 ++++++++++++++++++ internal/ir/xds.go | 55 ++- internal/ir/xds_test.go | 14 +- internal/ir/zz_generated.deepcopy.go | 38 +- internal/provider/kubernetes/controller.go | 25 ++ internal/provider/kubernetes/filters.go | 11 + internal/provider/kubernetes/indexers.go | 27 +- .../provider/kubernetes/kubernetes_test.go | 22 +- internal/provider/kubernetes/predicates.go | 26 ++ .../provider/kubernetes/predicates_test.go | 120 ++++-- internal/provider/kubernetes/routes.go | 42 +- internal/provider/kubernetes/test/utils.go | 40 +- internal/xds/translator/route.go | 12 +- .../xds-ir/http-route-rewrite-url-regex.yaml | 26 ++ ...http-route-rewrite-url-regex.clusters.yaml | 17 + ...ttp-route-rewrite-url-regex.endpoints.yaml | 12 + ...ttp-route-rewrite-url-regex.listeners.yaml | 34 ++ .../http-route-rewrite-url-regex.routes.yaml | 18 + site/content/en/latest/api/extension_types.md | 2 +- .../latest/tasks/traffic/http-urlrewrite.md | 156 +++++++ site/content/zh/latest/api/extension_types.md | 2 +- test/cel-validation/httproutefilter_test.go | 120 ++++++ .../httproute-rewrite-regex-path.yaml | 35 ++ .../e2e/tests/httproute_rewrite_regex_path.go | 59 +++ .../certjen-custom-scheduling.out.yaml | 1 + .../control-plane-with-pdb.out.yaml | 1 + .../helm/gateway-helm/default-config.out.yaml | 1 + 
.../deployment-custom-topology.out.yaml | 1 + .../deployment-images-config.out.yaml | 1 + .../envoy-gateway-config.out.yaml | 1 + .../global-images-config.out.yaml | 1 + 43 files changed, 2114 insertions(+), 94 deletions(-) create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.routes.yaml create mode 100644 test/cel-validation/httproutefilter_test.go create mode 100644 test/e2e/testdata/httproute-rewrite-regex-path.yaml create mode 100644 test/e2e/tests/httproute_rewrite_regex_path.go diff --git a/api/v1alpha1/httproutefilter_types.go b/api/v1alpha1/httproutefilter_types.go index b8fe13f5296..e0e4755f214 100644 --- a/api/v1alpha1/httproutefilter_types.go +++ b/api/v1alpha1/httproutefilter_types.go 
@@ -56,14 +56,17 @@ const ( type ReplaceRegexMatch struct { // Pattern matches a regular expression against the value of the HTTP Path.The regex string must // adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. + // +kubebuilder:validation:MinLength=1 Pattern string `json:"pattern"` // Substitution is an expression that replaces the matched portion.The expression may include numbered // capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. Substitution string `json:"substitution"` } +// +kubebuilder:validation:XValidation:rule="self.type == 'ReplaceRegexMatch' ? has(self.replaceRegexMatch) : !has(self.replaceRegexMatch)",message="If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch field needs to be set." type HTTPPathModifier struct { - // +kubebuilder:validation:Enum=RegexHTTPPathModifier + // +kubebuilder:validation:Enum=ReplaceRegexMatch + // +kubebuilder:validation:Required Type HTTPPathModifierType `json:"type"` // ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution. // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite @@ -84,6 +87,7 @@ type HTTPPathModifier struct { // pattern: (?i)/xxx/ // substitution: /yyy/ // Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). + // +optional ReplaceRegexMatch *ReplaceRegexMatch `json:"replaceRegexMatch,omitempty"` } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 2bba4d20ff1..11447cc470e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml 
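Review bot: `Pattern` in `ReplaceRegexMatch` gains `+kubebuilder:validation:MinLength=1` but no upper bound, and `Substitution` has no validation marker, so admission accepts user-supplied expressions of any length up to the object size limit. This commit also adds a `regexp` import to internal/gatewayapi/filters.go, so the pattern is presumably compiled in the control plane as well as by the proxy. A `// +kubebuilder:validation:MaxLength=<limit>` marker on both fields would cap that cost at admission; the limit is a placeholder for the maintainers to choose. Separately, `HTTPPathModifier` has only the XValidation marker above it and no doc comment; `// HTTPPathModifier defines how the request path is rewritten.` would also give the generated CRD a description.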
@@ -82,6 +82,7 @@ spec: description: |- Pattern matches a regular expression against the value of the HTTP Path.The regex string must adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. + minLength: 1 type: string substitution: description: |- @@ -96,11 +97,16 @@ spec: description: HTTPPathModifierType defines the type of path redirect or rewrite. enum: - - RegexHTTPPathModifier + - ReplaceRegexMatch type: string required: - type type: object + x-kubernetes-validations: + - message: If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch + field needs to be set. + rule: 'self.type == ''ReplaceRegexMatch'' ? has(self.replaceRegexMatch) + : !has(self.replaceRegexMatch)' type: object type: object required: diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index fb9304e7d89..27e90061b0c 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -71,6 +71,7 @@ resources: - securitypolicies - envoyextensionpolicies - backends +- httproutefilters verbs: - get - list diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index de6be352815..41acc4c76ba 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -7,11 +7,13 @@ package gatewayapi import ( "fmt" + "regexp" "strings" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" 
@@ -150,16 +152,20 @@ func (t *Translator) processURLRewriteFilter( filterContext *HTTPFiltersContext, ) { if filterContext.URLRewrite != nil { - routeStatus := GetRouteStatus(filterContext.Route) - status.SetRouteStatusCondition(routeStatus, - filterContext.ParentRef.routeParentStatusIdx, - filterContext.Route.GetGeneration(), - gwapiv1.RouteConditionAccepted, - metav1.ConditionFalse, - gwapiv1.RouteReasonUnsupportedValue, - "Cannot configure multiple urlRewrite filters for a single HTTPRouteRule", - ) - return + if filterContext.URLRewrite.Hostname != nil || + filterContext.URLRewrite.Path.FullReplace != nil || + filterContext.URLRewrite.Path.PrefixMatchReplace != nil { + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + "Cannot configure multiple urlRewrite filters for a single HTTPRouteRule", + ) + return + } } if rewrite == nil { @@ -215,8 +221,10 @@ func (t *Translator) processURLRewriteFilter( return } if rewrite.Path.ReplaceFullPath != nil { - newURLRewrite.Path = &ir.HTTPPathModifier{ - FullReplace: rewrite.Path.ReplaceFullPath, + newURLRewrite.Path = &ir.ExtendedHTTPPathModifier{ + HTTPPathModifier: ir.HTTPPathModifier{ + FullReplace: rewrite.Path.ReplaceFullPath, + }, } } case gwapiv1.PrefixMatchHTTPPathModifier: @@ -247,8 +255,10 @@ func (t *Translator) processURLRewriteFilter( return } if rewrite.Path.ReplacePrefixMatch != nil { - newURLRewrite.Path = &ir.HTTPPathModifier{ - PrefixMatchReplace: rewrite.Path.ReplacePrefixMatch, + newURLRewrite.Path = &ir.ExtendedHTTPPathModifier{ + HTTPPathModifier: ir.HTTPPathModifier{ + PrefixMatchReplace: rewrite.Path.ReplacePrefixMatch, + }, } } default: 
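Review bot: The relaxed guard at the top of `processURLRewriteFilter` lets an inline `URLRewrite` through when the existing `filterContext.URLRewrite` carries only a regex path rewrite, and the golden files suggest that rewrite is then silently dropped. In `...regex-match-replace-http.out.yaml`, httproute-3 ends with only `hostname: rewrite.com`, and in `...regex-match-replace-invalid.out.yaml`, `httproute-multiple-path-rewrites-1` keeps only `prefixMatchReplace: /rewrite`, both reported as Accepted, while the reverse filter order is merged or rejected. A rewrite that is accepted but never programmed forwards requests with an unintended path, so the outcome should not depend on filter order. The guard should also fire on `rewrite != nil && rewrite.Path != nil && filterContext.URLRewrite.Path != nil`, and a hostname-only filter should be merged into the existing `URLRewrite` rather than replacing it; that assignment is outside this hunk. The guard also reads `filterContext.URLRewrite.Path.FullReplace` without checking `Path`, which would panic if a `URLRewrite` can exist with nil `Hostname` and nil `Path`; prefix the two path tests with `filterContext.URLRewrite.Path != nil &&`.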
@@ -738,6 +748,84 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec } filterNs := filterContext.Route.GetNamespace() + + if string(extFilter.Kind) == egv1a1.KindHTTPRouteFilter { + for _, hrf := range resources.HTTPRouteFilters { + if hrf.Namespace == filterNs && hrf.Name == string(extFilter.Name) && + hrf.Spec.URLRewrite.Path.Type == egv1a1.RegexHTTPPathModifier { + + if hrf.Spec.URLRewrite.Path.ReplaceRegexMatch == nil || + hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern == "" { + errMsg := "ReplaceRegexMatch Pattern must be set when rewrite path type is \"ReplaceRegexMatch\"" + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + errMsg, + ) + return + } else if _, err := regexp.Compile(hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern); err != nil { + // Avoid envoy NACKs due to invalid regex. 
+ // Golang's regexp is almost identical to RE2: https://pkg.go.dev/regexp/syntax + errMsg := "ReplaceRegexMatch must be a valid RE2 regular expression" + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + errMsg, + ) + return + } + + rmr := &ir.RegexMatchReplace{ + Pattern: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern, + Substitution: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Substitution, + } + + if filterContext.HTTPFilterIR.URLRewrite != nil { + // If path IR is already set - check for a conflict + if filterContext.HTTPFilterIR.URLRewrite.Path != nil { + path := filterContext.HTTPFilterIR.URLRewrite.Path + if path.RegexMatchReplace != nil || path.PrefixMatchReplace != nil || path.FullReplace != nil { + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + "Cannot configure multiple urlRewrite filters for a single HTTPRouteRule", + ) + return + } + } else { // no path + filterContext.HTTPFilterIR.URLRewrite.Path = &ir.ExtendedHTTPPathModifier{ + RegexMatchReplace: rmr, + } + return + } + } else { // no url rewrite + filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ + Path: &ir.ExtendedHTTPPathModifier{ + RegexMatchReplace: rmr, + }, + } + return + } + } + } + errMsg := fmt.Sprintf("Unable to translate HTTPRouteFilter: %s/%s", filterNs, + extFilter.Name) + t.processUnresolvedHTTPFilter(errMsg, filterContext) + return + } + // This list of resources will be empty unless an extension is loaded (and introduces resources) for _, res := range resources.ExtensionRefFilters { if res.GetKind() == 
string(extFilter.Kind) && res.GetName() == string(extFilter.Name) && res.GetNamespace() == filterNs { diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 885077f5cc3..9c5626d7524 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -179,6 +179,9 @@ func ValidateHTTPRouteFilter(filter *gwapiv1.HTTPRouteFilter, extGKs ...schema.G switch { case filter.ExtensionRef == nil: return errors.New("extensionRef field must be specified for an extended filter") + case string(filter.ExtensionRef.Group) == egv1a1.GroupVersion.Group && + string(filter.ExtensionRef.Kind) == egv1a1.KindHTTPRouteFilter: + return nil default: for _, gk := range extGKs { if filter.ExtensionRef.Group == gwapiv1.Group(gk.Group) && diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index cacc3ebe61a..317ad93418c 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -265,6 +265,20 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources Spec: typedSpec.(egv1a1.SecurityPolicySpec), } resources.SecurityPolicies = append(resources.SecurityPolicies, securityPolicy) + case KindHTTPRouteFilter: + typedSpec := spec.Interface() + httpRouteFilter := &egv1a1.HTTPRouteFilter{ + TypeMeta: metav1.TypeMeta{ + Kind: KindHTTPRouteFilter, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: namespace, + Name: name, + }, + Spec: typedSpec.(egv1a1.HTTPRouteFilterSpec), + } + resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) } } diff --git a/internal/gatewayapi/resource/resource.go b/internal/gatewayapi/resource/resource.go index a5d9e6fffb5..97468511fa8 100644 --- a/internal/gatewayapi/resource/resource.go +++ b/internal/gatewayapi/resource/resource.go 
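Review bot: The lookup condition in `processExtensionRefHTTPFilter` reads `hrf.Spec.URLRewrite.Path.Type` before anything checks that `URLRewrite` and `Path` are set. Their declarations are not visible here, but if they are pointer fields like the nil-checked `ReplaceRegexMatch`, a referenced HTTPRouteFilter that omits `urlRewrite` or `path` would panic the translator and stop translation for every route, not just the one referencing it. Add `if hrf.Spec.URLRewrite == nil || hrf.Spec.URLRewrite.Path == nil { continue }` as the first statement of the loop so such an object falls through to the existing "Unable to translate HTTPRouteFilter" status. The comment above `regexp.Compile` should also say that a pattern which parses under Go's syntax may still be rejected by Envoy, for example for program size or a substitution that names a missing capture group, so this check reduces NACKs rather than ruling them out. The enclosing function starts and ends outside the hunk.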
@@ -63,6 +63,7 @@ type Resources struct { EnvoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy `json:"envoyExtensionPolicies,omitempty" yaml:"envoyExtensionPolicies,omitempty"` ExtensionServerPolicies []unstructured.Unstructured `json:"extensionServerPolicies,omitempty" yaml:"extensionServerPolicies,omitempty"` Backends []*egv1a1.Backend `json:"backends,omitempty" yaml:"backends,omitempty"` + HTTPRouteFilters []*egv1a1.HTTPRouteFilter `json:"httpFilters,omitempty" yaml:"httpFilters,omitempty"` } func NewResources() *Resources { @@ -86,6 +87,7 @@ func NewResources() *Resources { EnvoyExtensionPolicies: []*egv1a1.EnvoyExtensionPolicy{}, ExtensionServerPolicies: []unstructured.Unstructured{}, Backends: []*egv1a1.Backend{}, + HTTPRouteFilters: []*egv1a1.HTTPRouteFilter{}, } } diff --git a/internal/gatewayapi/resource/supported_kind.go b/internal/gatewayapi/resource/supported_kind.go index 5c2c21954a9..e9d76e66c3d 100644 --- a/internal/gatewayapi/resource/supported_kind.go +++ b/internal/gatewayapi/resource/supported_kind.go @@ -26,4 +26,5 @@ const ( KindService = "Service" KindServiceImport = "ServiceImport" KindSecret = "Secret" + KindHTTPRouteFilter = "HTTPRouteFilter" ) diff --git a/internal/gatewayapi/resource/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go index 61cf9dfb46e..06925b1467d 100644 --- a/internal/gatewayapi/resource/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -279,6 +279,17 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } + if in.HTTPRouteFilters != nil { + in, out := &in.HTTPRouteFilters, &out.HTTPRouteFilters + *out = make([]*v1alpha1.HTTPRouteFilter, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1alpha1.HTTPRouteFilter) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. 
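Review bot: The serialized key `httpFilters` on the new `HTTPRouteFilters` field breaks the convention of the neighbouring fields, whose JSON/YAML keys are the lower-camel form of the field name (`envoyExtensionPolicies`, `backends`). The key becomes part of the resource file format that the added fixtures already use, so it is cheaper to settle now: `json:"httpRouteFilters,omitempty" yaml:"httpRouteFilters,omitempty"`, with the `httpFilters:` sections in the new testdata renamed to match. A field comment such as `// HTTPRouteFilters holds the HTTPRouteFilter resources that HTTPRoutes reference through ExtensionRef.` would also help, since the fields shown in this hunk carry no documentation.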
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.in.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.in.yaml
new file mode 100644
index 00000000000..fd0fea29fd4
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.in.yaml
@@ -0,0 +1,147 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/valid" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/host-and-regex-path" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + hostname: "rewrite.com" + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-3 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/regex-path-and-host" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + - type: URLRewrite + urlRewrite: + hostname: "rewrite.com" +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-missing-substitution 
+ spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/missing-substitution" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: missing-substitution +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + pattern: '.*' + substitution: foo +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: missing-substitution + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + pattern: '.*' diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml new file mode 100644 index 00000000000..5c8d2527a1f --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml 
@@ -0,0 +1,366 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 4 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + matches: + - path: + value: /valid + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + 
creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + hostname: rewrite.com + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + matches: + - path: + value: /host-and-regex-path + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-3 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + - type: URLRewrite + urlRewrite: + hostname: rewrite.com + matches: + - path: + value: /regex-path-and-host + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + 
creationTimestamp: null + name: httproute-missing-substitution + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: missing-substitution + type: ExtensionRef + matches: + - path: + value: /missing-substitution + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-missing-substitution/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-missing-substitution + namespace: default + name: 
httproute/default/httproute-missing-substitution/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /missing-substitution + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: null + regexMatchReplace: + pattern: .* + substitution: "" + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /host-and-regex-path + urlRewrite: + hostname: rewrite.com + path: + fullReplace: null + prefixMatchReplace: null + regexMatchReplace: + pattern: .* + substitution: foo + - destination: + name: httproute/default/httproute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /regex-path-and-host + urlRewrite: + hostname: rewrite.com + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /valid + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: null + regexMatchReplace: + pattern: .* + substitution: foo 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.in.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.in.yaml
new file mode 100644
index 00000000000..1ad75975b56
--- /dev/null
+++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.in.yaml
@@ -0,0 +1,230 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-invalid-pattern + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/invalid-pattern" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: invalid-pattern +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-missing-pattern + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/missing-pattern" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: missing-pattern +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-multiple-path-rewrites-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/ext-first" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + - type: URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: /rewrite +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: 
default + name: httproute-multiple-path-rewrites-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/inline-first" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: /rewrite + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-multiple-regex-path-rewrites + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/two-regex" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-2 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-not-found + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/notfound" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: notfound +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + pattern: '.*' + substitution: foo +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-2 + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + 
replaceRegexMatch: + pattern: '.*' + substitution: foo +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: invalid-pattern + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + pattern: '"([a-z]+)"*+?' + substitution: foo +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: missing-pattern + namespace: default + spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + substitution: foo diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml new file mode 100644 index 00000000000..fb9e85a632d --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml 
@@ -0,0 +1,383 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 6 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-invalid-pattern + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: invalid-pattern + type: ExtensionRef + matches: + - path: + value: /invalid-pattern + status: + parents: + - conditions: + - lastTransitionTime: null + message: ReplaceRegexMatch must be a valid RE2 regular expression + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http 
+- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-missing-pattern + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: missing-pattern + type: ExtensionRef + matches: + - path: + value: /missing-pattern + status: + parents: + - conditions: + - lastTransitionTime: null + message: ReplaceRegexMatch Pattern must be set when rewrite path type is "ReplaceRegexMatch" + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-path-rewrites-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + - type: URLRewrite + urlRewrite: + path: + replacePrefixMatch: /rewrite + type: ReplacePrefixMatch + matches: + - path: + value: /ext-first + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: 
gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-path-rewrites-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + path: + replacePrefixMatch: /rewrite + type: ReplacePrefixMatch + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + matches: + - path: + value: /inline-first + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-regex-path-rewrites + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid + type: ExtensionRef + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-2 + type: ExtensionRef + matches: + - path: + value: /two-regex + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a 
single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-not-found + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: notfound + type: ExtensionRef + matches: + - path: + value: /notfound + status: + parents: + - conditions: + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/notfound' + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/notfound' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + 
name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-multiple-path-rewrites-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-multiple-path-rewrites-1 + namespace: default + name: httproute/default/httproute-multiple-path-rewrites-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /ext-first + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: /rewrite diff --git a/internal/ir/xds.go b/internal/ir/xds.go index a40cd854766..86a2d39569f 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -51,8 +51,9 @@ var (
 ErrDirectResponseStatusInvalid = errors.New("only HTTP status codes 100 - 599 are supported for DirectResponse")
 ErrRedirectUnsupportedStatus = errors.New("only HTTP status codes 301 and 302 are supported for redirect filters")
 ErrRedirectUnsupportedScheme = errors.New("only http and https are supported for the scheme in redirect filters")
- ErrHTTPPathModifierDoubleReplace = errors.New("redirect filter cannot have a path modifier that supplies both fullPathReplace and prefixMatchReplace")
- ErrHTTPPathModifierNoReplace = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace or prefixMatchReplace")
+ ErrHTTPPathModifierDoubleReplace = errors.New("redirect filter cannot have a path modifier that supplies more than one of fullPathReplace, prefixMatchReplace and regexMatchReplace")
+ ErrHTTPPathModifierNoReplace = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace")
+ ErrHTTPPathRegexModifierNoSetting = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace")
 ErrAddHeaderEmptyName = errors.New("header modifier filter cannot configure a header without a name to be added")
 ErrAddHeaderDuplicate = errors.New("header modifier filter attempts to add the same header more than once (case insensitive)")
 ErrRemoveHeaderDuplicate = errors.New("header modifier filter attempts to remove the same header more than once (case insensitive)")
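Review bot: `ErrHTTPPathRegexModifierNoSetting` is declared with exactly the same message as `ErrHTTPPathModifierNoReplace`, so a log or status message cannot distinguish an empty regex pattern or substitution from a modifier that sets nothing. The `ExtendedHTTPPathModifier.Validate` hunk at `@@ -1375,6 +1388,42 @@` joins `ErrHTTPPathModifierNoReplace` for the empty-regex case, which leaves the new sentinel unused in the hunks shown here. I would give it its own text, for example `errors.New("regexMatchReplace path modifier must set both pattern and substitution")`, and return it from that branch. The messages also still say "redirect filter" although the extended modifier is attached to `URLRewrite`.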
@@ -729,6 +730,18 @@ type UnstructuredRef struct {
 Object *unstructured.Unstructured `json:"object,omitempty" yaml:"object,omitempty"`
 }
+// RegexMatchReplace defines the schema for modifying HTTP request path using regex.
+//
+// +k8s:deepcopy-gen=true
+type RegexMatchReplace struct {
+ // Pattern matches a regular expression against the value of the HTTP Path.The regex string must
+ // adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+ Pattern string `json:"pattern" yaml:"pattern"`
+ // Substitution is an expression that replaces the matched portion.The expression may include numbered
+ // capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
+ Substitution string `json:"substitution" yaml:"substitution"`
+}
+
 // CORS holds the Cross-Origin Resource Sharing (CORS) policy for the route.
 //
 // +k8s:deepcopy-gen=true
@@ -1293,7 +1306,7 @@ func (r DirectResponse) Validate() error {
 // +k8s:deepcopy-gen=true
 type URLRewrite struct {
 // Path contains config for rewriting the path of the request.
- Path *HTTPPathModifier `json:"path,omitempty" yaml:"path,omitempty"`
+ Path *ExtendedHTTPPathModifier `json:"path,omitempty" yaml:"path,omitempty"`
 // Hostname configures the replacement of the request's hostname.
 Hostname *string `json:"hostname,omitempty" yaml:"hostname,omitempty"`
 }
@@ -1375,6 +1388,42 @@ func (r HTTPPathModifier) Validate() error {
 return errs
 }
+// ExtendedHTTPPathModifier holds instructions for how to modify the path of a request on a redirect response
+// with both core gateway-api and extended envoy gateway capabilities
+// +k8s:deepcopy-gen=true
+type ExtendedHTTPPathModifier struct {
+ HTTPPathModifier `json:",inline" yaml:",inline"`
+ // RegexMatchReplace provides a regex to match an a replacement to perform on the path.
+ RegexMatchReplace *RegexMatchReplace `json:"regexMatchReplace,omitempty" yaml:"regexMatchReplace,omitempty"`
+}
+
+// Validate the fields within the HTTPPathModifier structure
+func (r ExtendedHTTPPathModifier) Validate() error {
+ var errs error
+
+ rewrites := []bool{r.RegexMatchReplace != nil, r.PrefixMatchReplace != nil, r.FullReplace != nil}
+ rwc := 0
+ for _, rw := range rewrites {
+ if rw {
+ rwc++
+ }
+ }
+
+ if rwc > 1 {
+ errs = errors.Join(errs, ErrHTTPPathModifierDoubleReplace)
+ }
+
+ if r.FullReplace == nil && r.PrefixMatchReplace == nil && r.RegexMatchReplace == nil {
+ errs = errors.Join(errs, ErrHTTPPathModifierNoReplace)
+ }
+
+ if r.RegexMatchReplace != nil && (r.RegexMatchReplace.Pattern == "" || r.RegexMatchReplace.Substitution == "") {
+ errs = errors.Join(errs, ErrHTTPPathModifierNoReplace)
+ }
+
+ return errs
+}
+
 // StringMatch holds the various match conditions.
 // Only one of Exact, Prefix, SafeRegex or Distinct can be set.
 // +k8s:deepcopy-gen=true
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index 882aa090e55..14b624f22f3 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -309,8 +309,10 @@ var (
 },
 URLRewrite: &URLRewrite{
 Hostname: ptr.To("rewrite.example.com"),
- Path: &HTTPPathModifier{
- FullReplace: ptr.To("/rewrite"),
+ Path: &ExtendedHTTPPathModifier{
+ HTTPPathModifier: HTTPPathModifier{
+ FullReplace: ptr.To("/rewrite"),
+ },
 },
 },
 }
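Review bot: `Validate` on `ExtendedHTTPPathModifier` only rejects an empty `Pattern` or `Substitution`; it never checks that the pattern compiles, and the `buildXdsURLRewriteAction` hunk in internal/xds/translator/route.go copies it into `matcherv3.RegexMatcher` unchanged. Unless an earlier translation step already compiles it (not visible here), a malformed user-supplied expression from an HTTPRouteFilter would only be caught when Envoy rejects the route configuration. Compiling it in this method, e.g. `if _, err := regexp.Compile(r.RegexMatchReplace.Pattern); err != nil { errs = errors.Join(errs, err) }`, keeps a bad filter from reaching xDS (Go's `regexp` follows RE2 syntax; the file's imports are outside the hunk, so `regexp` may need adding). The doc comment should also name the right type: `// Validate the fields within the ExtendedHTTPPathModifier structure`.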
@@ -323,9 +325,11 @@ var ( }, URLRewrite: &URLRewrite{ Hostname: ptr.To("rewrite.example.com"), - Path: &HTTPPathModifier{ - FullReplace: ptr.To("/rewrite"), - PrefixMatchReplace: ptr.To("/rewrite"), + Path: &ExtendedHTTPPathModifier{ + HTTPPathModifier: HTTPPathModifier{ + FullReplace: ptr.To("/rewrite"), + PrefixMatchReplace: ptr.To("/rewrite"), + }, }, }, } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 1639262be2e..0b964d5fc41 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -909,6 +909,27 @@ func (in *ExtProc) DeepCopy() *ExtProc { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExtendedHTTPPathModifier) DeepCopyInto(out *ExtendedHTTPPathModifier) { + *out = *in + in.HTTPPathModifier.DeepCopyInto(&out.HTTPPathModifier) + if in.RegexMatchReplace != nil { + in, out := &in.RegexMatchReplace, &out.RegexMatchReplace + *out = new(RegexMatchReplace) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtendedHTTPPathModifier. +func (in *ExtendedHTTPPathModifier) DeepCopy() *ExtendedHTTPPathModifier { + if in == nil { + return nil + } + out := new(ExtendedHTTPPathModifier) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FaultInjection) DeepCopyInto(out *FaultInjection) { *out = *in 
@@ -2296,6 +2317,21 @@ func (in *Redirect) DeepCopy() *Redirect { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RegexMatchReplace) DeepCopyInto(out *RegexMatchReplace) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchReplace. +func (in *RegexMatchReplace) DeepCopy() *RegexMatchReplace { + if in == nil { + return nil + } + out := new(RegexMatchReplace) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceMetadata) DeepCopyInto(out *ResourceMetadata) { *out = *in @@ -3136,7 +3172,7 @@ func (in *URLRewrite) DeepCopyInto(out *URLRewrite) { *out = *in if in.Path != nil { in, out := &in.Path, &out.Path - *out = new(HTTPPathModifier) + *out = new(ExtendedHTTPPathModifier) (*in).DeepCopyInto(*out) } if in.Hostname != nil { diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 877723fa682..dac8f1780a8 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -148,6 +148,9 @@ type resourceMappings struct { // The key is the namespaced name, group and kind of the filter and the value is the // unstructured form of the resource. extensionRefFilters map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured + // httpRouteFilters is a map of HTTPRouteFilters, where the key is the namespaced name, + // group and kind of the HTTPFilter. + httpRouteFilters map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter } func newResourceMapping() *resourceMappings { 
@@ -161,6 +164,7 @@ func newResourceMapping() *resourceMappings { allAssociatedUDPRoutes: sets.New[string](), allAssociatedBackendRefs: sets.New[gwapiv1.BackendObjectReference](), extensionRefFilters: map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured{}, + httpRouteFilters: map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter{}, } } @@ -1568,6 +1572,27 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M r.log.Info("Watching additional policy resource", "resource", gvk.String()) } + // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. + httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, + predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.validateHTTPRouteFilterForReconcile(be) + }), + } + if r.namespaceLabel != nil { + httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.hasMatchingNamespaceLabels(be) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { + return r.enqueueClass(ctx, be) + }), + httpRouteFilter...)); err != nil { + return err + } + return nil } diff --git a/internal/provider/kubernetes/filters.go b/internal/provider/kubernetes/filters.go index 985990fef14..109c0314dd0 100644 --- a/internal/provider/kubernetes/filters.go +++ b/internal/provider/kubernetes/filters.go @@ -10,6 +10,8 @@ import ( "fmt" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) func (r *gatewayAPIReconciler) getExtensionRefFilters(ctx context.Context) ([]unstructured.Unstructured, error) { 
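Review bot: The predicate slice in the `watchResources` hunk is named `httpRouteFilter` and its callbacks take a parameter called `be`, presumably carried over from the Backend watch, which hides that the variable is a list of predicates rather than a filter object. Renaming them to `httpRouteFilterPredicates` and `hrf` (the name `validateHTTPRouteFilterForReconcile` already uses for the same type) would make the block self-describing, e.g. `func(hrf *egv1a1.HTTPRouteFilter) bool { return r.validateHTTPRouteFilterForReconcile(hrf) }`. watchResources starts outside the hunk.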
@@ -43,3 +45,12 @@ func (r *gatewayAPIReconciler) getExtensionRefFilters(ctx context.Context) ([]un return resourceItems, nil } + +func (r *gatewayAPIReconciler) getHTTPRouteFilters(ctx context.Context) ([]egv1a1.HTTPRouteFilter, error) { + httpFilterList := new(egv1a1.HTTPRouteFilterList) + if err := r.client.List(ctx, httpFilterList); err != nil { + return nil, fmt.Errorf("failed to list HTTPRouteFilters: %w", err) + } + + return httpFilterList.Items, nil +} diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 395b1c6809d..68a58dd872d 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -45,6 +45,7 @@ const ( backendEnvoyProxyTelemetryIndex = "backendEnvoyProxyTelemetryIndex" secretEnvoyProxyIndex = "secretEnvoyProxyIndex" secretEnvoyExtensionPolicyIndex = "secretEnvoyExtensionPolicyIndex" + httpRouteFilterHTTPRouteIndex = "httpRouteFilterHTTPRouteIndex" ) func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error { @@ -73,6 +74,10 @@ func addHTTPRouteIndexers(ctx context.Context, mgr manager.Manager) error { return err } + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1.HTTPRoute{}, httpRouteFilterHTTPRouteIndex, httpRouteFilterHTTPRouteIndexFunc); err != nil { + return err + } + return nil } @@ -100,8 +105,6 @@ func backendHTTPRouteIndexFunc(rawObj client.Object) []string { for _, rule := range httproute.Spec.Rules { for _, backend := range rule.BackendRefs { if backend.Kind == nil || string(*backend.Kind) == resource.KindService || string(*backend.Kind) == egv1a1.KindBackend { - // If an explicit Backend namespace is not provided, use the HTTPRoute namespace to - // lookup the provided Gateway Name. backendRefs = append(backendRefs, types.NamespacedName{ Namespace: gatewayapi.NamespaceDerefOr(backend.Namespace, httproute.Namespace), 
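Review bot: `getHTTPRouteFilters` returns every HTTPRouteFilter the client can list, while the watch added in controller.go only admits filters whose namespace passes `hasMatchingNamespaceLabels` when `r.namespaceLabel` is set. With a namespace selector configured, filters from non-selected namespaces would still be loaded into `resourceMap.httpRouteFilters` by `processHTTPRoutes`; because ExtensionRef is a local reference they would presumably only be used by routes in the same namespace, but the provider should not load objects it is configured to ignore. I would drop items whose namespace does not match when `r.namespaceLabel != nil` before returning, mirroring the watch predicate.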
@@ -114,6 +117,26 @@ func backendHTTPRouteIndexFunc(rawObj client.Object) []string {
 return backendRefs
 }
+func httpRouteFilterHTTPRouteIndexFunc(rawObj client.Object) []string {
+ httproute := rawObj.(*gwapiv1.HTTPRoute)
+ var httpRouteFilterRefs []string
+ for _, rule := range httproute.Spec.Rules {
+ for _, filter := range rule.Filters {
+ if filter.ExtensionRef != nil && string(filter.ExtensionRef.Kind) == resource.KindHTTPRouteFilter {
+ // If an explicit Backend namespace is not provided, use the HTTPRoute namespace to
+ // lookup the provided Gateway Name.
+ httpRouteFilterRefs = append(httpRouteFilterRefs,
+ types.NamespacedName{
+ Namespace: httproute.Namespace,
+ Name: string(filter.ExtensionRef.Name),
+ }.String(),
+ )
+ }
+ }
+ }
+ return httpRouteFilterRefs
+}
+
 func secretEnvoyProxyIndexFunc(rawObj client.Object) []string {
 ep := rawObj.(*egv1a1.EnvoyProxy)
 var secretReferences []string
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index d673def5c88..669a790af55 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
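Review bot: `httpRouteFilterHTTPRouteIndexFunc` matches on `ExtensionRef.Kind` alone, so an ExtensionRef to some other API group that happens to use the kind HTTPRouteFilter is indexed as if it pointed at the Envoy Gateway resource. Adding the group to the condition, `string(filter.ExtensionRef.Group) == egv1a1.GroupName && string(filter.ExtensionRef.Kind) == resource.KindHTTPRouteFilter`, keeps the index aligned with the `NamespacedNameWithGroupKind` key used for lookup in routes.go. The two comment lines inside the `if` were carried over from the backend indexer and talk about a Backend namespace and a Gateway name; `// ExtensionRef is a local reference, so the filter lives in the HTTPRoute's namespace.` describes what the code does.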
@@ -1430,26 +1430,20 @@ func TestNamespaceSelectorProvider(t *testing.T) { require.NoError(t, cli.Delete(ctx, nonWatchedSvc)) }() - watchedHTTPRoute := test.GetHTTPRoute( - types.NamespacedName{ - Namespace: watchedNS.Name, - Name: "watched-http-route", - }, - watchedGateway.Name, - types.NamespacedName{Name: watchedSvc.Name}, 80) + watchedHTTPRoute := test.GetHTTPRoute(types.NamespacedName{ + Namespace: watchedNS.Name, + Name: "watched-http-route", + }, watchedGateway.Name, types.NamespacedName{Name: watchedSvc.Name}, 80, "") require.NoError(t, cli.Create(ctx, watchedHTTPRoute)) defer func() { require.NoError(t, cli.Delete(ctx, watchedHTTPRoute)) }() - nonWatchedHTTPRoute := test.GetHTTPRoute( - types.NamespacedName{ - Namespace: nonWatchedNS.Name, - Name: "non-watched-http-route", - }, - nonWatchedGateway.Name, - types.NamespacedName{Name: nonWatchedSvc.Name}, 8001) + nonWatchedHTTPRoute := test.GetHTTPRoute(types.NamespacedName{ + Namespace: nonWatchedNS.Name, + Name: "non-watched-http-route", + }, nonWatchedGateway.Name, types.NamespacedName{Name: nonWatchedSvc.Name}, 8001, "") require.NoError(t, cli.Create(ctx, nonWatchedHTTPRoute)) defer func() { require.NoError(t, cli.Delete(ctx, nonWatchedHTTPRoute)) diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index d14fceacb38..9fb3fe86fd1 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
@@ -647,3 +647,29 @@ func (r *gatewayAPIReconciler) isExtensionPolicyReferencingSecret(nsName *types.
 return len(eepList.Items) > 0
 }
+
+// isRouteReferencingHTTPRouteFilter returns true if the HTTPRouteFilter is referenced by an HTTPRoute
+func (r *gatewayAPIReconciler) isRouteReferencingHTTPRouteFilter(nsName *types.NamespacedName) bool {
+ ctx := context.Background()
+ httpRouteList := &gwapiv1.HTTPRouteList{}
+ if err := r.client.List(ctx, httpRouteList, &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(httpRouteFilterHTTPRouteIndex, nsName.String()),
+ }); err != nil {
+ r.log.Error(err, "unable to find associated HTTPRoutes")
+ return false
+ }
+
+ return len(httpRouteList.Items) != 0
+}
+
+// validateHTTPRouteFilterForReconcile tries finding the referencing HTTPRoute of the filter
+func (r *gatewayAPIReconciler) validateHTTPRouteFilterForReconcile(obj client.Object) bool {
+ hrf, ok := obj.(*egv1a1.HTTPRouteFilter)
+ if !ok {
+ r.log.Info("unexpected object type, bypassing reconciliation", "object", obj)
+ return false
+ }
+
+ nsName := utils.NamespacedName(hrf)
+ return r.isRouteReferencingHTTPRouteFilter(&nsName)
+}
diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go
index a442ddcf2a4..61a09ffb8ae 100644
--- a/internal/provider/kubernetes/predicates_test.go
+++ b/internal/provider/kubernetes/predicates_test.go
@@ -124,15 +124,10 @@ func TestGatewayClassHasMatchingNamespaceLabels(t *testing.T) {
 }
 t.Run(tc.name, func(t *testing.T) {
 res := r.hasMatchingNamespaceLabels(
- test.GetHTTPRoute(
- types.NamespacedName{
- Namespace: ns,
- Name: "httproute-test",
- },
- "scheduled-status-test",
- types.NamespacedName{Name: "service"},
- 80,
- ))
+ test.GetHTTPRoute(types.NamespacedName{
+ Namespace: ns,
+ Name: "httproute-test",
+ }, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, ""))
 require.Equal(t, tc.expect, res)
 })
 }
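Review bot: `isRouteReferencingHTTPRouteFilter` returns false when the List call fails, so a transient cache or API error makes the predicate drop the HTTPRouteFilter event and the change is not reconciled until something else triggers it. The log line also omits which filter was being checked; `r.log.Error(err, "unable to find associated HTTPRoutes", "httpRouteFilter", nsName.String())` would make the miss traceable. The doc comment should say that an error is treated as "not referenced", for example `// A failed lookup is logged and treated as not referenced.`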
@@ -405,7 +400,7 @@ func TestValidateEndpointSliceForReconcile(t *testing.T) { configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, - test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80), + test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, ""), }, endpointSlice: test.GetEndpointSlice(types.NamespacedName{Name: "endpointslice"}, "other-service"), expect: false, @@ -415,7 +410,7 @@ func TestValidateEndpointSliceForReconcile(t *testing.T) { configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, - test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80), + test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, ""), }, endpointSlice: test.GetEndpointSlice(types.NamespacedName{Name: "endpointslice"}, "service"), expect: true, @@ -570,7 +565,7 @@ func TestValidateServiceForReconcile(t *testing.T) { configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, - test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80), + test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, ""), }, service: test.GetService(types.NamespacedName{Name: "service"}, nil, nil), expect: true, 
@@ -582,7 +577,7 @@ func TestValidateServiceForReconcile(t *testing.T) { name: "route service routes exist but with non-existing gateway reference", configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), - test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80), + test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, ""), }, service: test.GetService(types.NamespacedName{Name: "service"}, nil, nil), expect: true, @@ -966,18 +961,13 @@ func TestCheckObjectNamespaceLabels(t *testing.T) { }{ { name: "matching labels of namespace of the object is a subset of namespaceLabels", - object: test.GetHTTPRoute( - types.NamespacedName{ - Name: "foo-route", - Namespace: "foo", - }, - "eg", - types.NamespacedName{ - Name: "foo-svc", - Namespace: "foo", - }, - 8080, - ), + object: test.GetHTTPRoute(types.NamespacedName{ + Name: "foo-route", + Namespace: "foo", + }, "eg", types.NamespacedName{ + Name: "foo-svc", + Namespace: "foo", + }, 8080, ""), ns: &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ Name: "foo", @@ -991,18 +981,13 @@ func TestCheckObjectNamespaceLabels(t *testing.T) { }, { name: "non-matching labels of namespace of the object is a subset of namespaceLabels", - object: test.GetHTTPRoute( - types.NamespacedName{ - Name: "bar-route", - Namespace: "bar", - }, - "eg", - types.NamespacedName{ - Name: "bar-svc", - Namespace: "bar", - }, - 8080, - ), + object: test.GetHTTPRoute(types.NamespacedName{ + Name: "bar-route", + Namespace: "bar", + }, "eg", types.NamespacedName{ + Name: "bar-svc", + Namespace: "bar", + }, 8080, ""), ns: &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ Name: "bar", 
@@ -1149,3 +1134,64 @@ func TestMatchLabelsAndExpressions(t *testing.T) { }) } } + +// TestValidateHTTPRouteFilerForReconcile tests the vlidateHTTPRouteFilerForReconcile +// predicate function. +func TestValidateHTTPRouteFilerForReconcile(t *testing.T) { + sampleGWC := test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil) + sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080) + sampleService := test.GetService(types.NamespacedName{Name: "service"}, nil, nil) + sampleHTTPRouteFilter := test.GetHTTPRouteFilter(types.NamespacedName{Name: "httproutefilter"}) + + testCases := []struct { + name string + configs []client.Object + httpRouteFilter client.Object + expect bool + }{ + { + name: "httproutefilter but not referenced by route", + configs: []client.Object{ + sampleGWC, + sampleGateway, + sampleService, + sampleHTTPRouteFilter, + }, + httpRouteFilter: sampleHTTPRouteFilter, + expect: false, + }, + { + name: "httproutefitler referenced by route", + configs: []client.Object{ + sampleGWC, + sampleGateway, + sampleService, + sampleHTTPRouteFilter, + test.GetHTTPRoute(types.NamespacedName{Name: "httproute-test"}, "scheduled-status-test", types.NamespacedName{Name: "service"}, 80, "httproutefilter"), + }, + httpRouteFilter: sampleHTTPRouteFilter, + expect: true, + }, + } + + // Create the reconciler. + logger := logging.DefaultLogger(egv1a1.LogLevelInfo) + + r := gatewayAPIReconciler{ + classController: egv1a1.GatewayControllerName, + log: logger, + } + + for _, tc := range testCases { + r.client = fakeclient.NewClientBuilder(). + WithScheme(envoygateway.GetScheme()). + WithObjects(tc.configs...). + WithIndex(&gwapiv1.HTTPRoute{}, backendHTTPRouteIndex, backendHTTPRouteIndexFunc). + WithIndex(&gwapiv1.HTTPRoute{}, httpRouteFilterHTTPRouteIndex, httpRouteFilterHTTPRouteIndexFunc). 
+ Build() + t.Run(tc.name, func(t *testing.T) { + res := r.validateHTTPRouteFilterForReconcile(tc.httpRouteFilter) + require.Equal(t, tc.expect, res) + }) + } +} diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index d298e7e0e46..3a0a9f8131e 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -16,6 +16,7 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils" @@ -231,6 +232,15 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam ) error { httpRouteList := &gwapiv1.HTTPRouteList{} + httpFilters, err := r.getHTTPRouteFilters(ctx) + if err != nil { + return err + } + for i := range httpFilters { + filter := httpFilters[i] + resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter + } + extensionRefFilters, err := r.getExtensionRefFilters(ctx) if err != nil { return err 
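Review bot: The map key in the `@@ -231,6 +232,15 @@` hunk comes from `utils.GetNamespacedNameWithGroupKind(&filter)`, i.e. from the listed object itself, while the lookup in the `@@ -385,17 +395,29 @@` hunk builds its key from the ExtensionRef's kind string (and presumably its group; that part is above the hunk). If that helper reads group and kind from the object's TypeMeta, which typed List results often leave empty, the two keys never match and every HTTPRouteFilter reference falls into the not-found branch; this is worth confirming with a test that goes through `processHTTPRoutes`, since the new unit test only covers the predicate. Building the key explicitly from `egv1a1.GroupName`, `egv1a1.KindHTTPRouteFilter` and the object's namespace and name would remove the dependency. processHTTPRoutes starts and ends outside the hunk.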
@@ -385,17 +395,29 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam Kind: string(filter.ExtensionRef.Kind), }, } - extRefFilter, ok := resourceMap.extensionRefFilters[key] - if !ok { - r.log.Error( - errors.New("filter not found; bypassing rule"), - "Filter not found; bypassing rule", - "name", filter.ExtensionRef.Name, - "index", i) - continue - } - resourceTree.ExtensionRefFilters = append(resourceTree.ExtensionRefFilters, extRefFilter) + switch string(filter.ExtensionRef.Kind) { + case egv1a1.KindHTTPRouteFilter: + httpFilter, ok := resourceMap.httpRouteFilters[key] + if !ok { + r.log.Error(err, "HTTPRouteFilters not found; bypassing rule", "index", i) + continue + } + + resourceTree.HTTPRouteFilters = append(resourceTree.HTTPRouteFilters, httpFilter) + default: + extRefFilter, ok := resourceMap.extensionRefFilters[key] + if !ok { + r.log.Error( + errors.New("filter not found; bypassing rule"), + "Filter not found; bypassing rule", + "name", filter.ExtensionRef.Name, + "index", i) + continue + } + + resourceTree.ExtensionRefFilters = append(resourceTree.ExtensionRefFilters, extRefFilter) + } } } } diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go index ae798b57d77..6fe50fa75bd 100644 --- a/internal/provider/kubernetes/test/utils.go +++ b/internal/provider/kubernetes/test/utils.go @@ -107,8 +107,8 @@ func GetSecret(nsName types.NamespacedName) *corev1.Secret { } // GetHTTPRoute returns a sample HTTPRoute with a parent reference. -func GetHTTPRoute(nsName types.NamespacedName, parent string, serviceName types.NamespacedName, port int32) *gwapiv1.HTTPRoute { - return &gwapiv1.HTTPRoute{ +func GetHTTPRoute(nsName types.NamespacedName, parent string, serviceName types.NamespacedName, port int32, httpRouteFilterName string) *gwapiv1.HTTPRoute { + httpRoute := &gwapiv1.HTTPRoute{ ObjectMeta: metav1.ObjectMeta{ Namespace: nsName.Namespace, Name: nsName.Name, 
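Review bot: In the `egv1a1.KindHTTPRouteFilter` case the not-found branch calls `r.log.Error(err, ...)` with the enclosing function's `err`, which is presumably nil at this point because earlier errors return, and it leaves out the filter name that the default branch logs. A route that points at a missing filter is then hard to diagnose from the logs. Matching the default branch fixes both: `r.log.Error(errors.New("filter not found; bypassing rule"), "HTTPRouteFilter not found; bypassing rule", "name", filter.ExtensionRef.Name, "index", i)`. The enclosing loop starts outside the hunk.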
@@ -135,6 +135,21 @@ func GetHTTPRoute(nsName types.NamespacedName, parent string, serviceName types. }, }, } + + if httpRouteFilterName != "" { + httpRoute.Spec.Rules[0].Filters = []gwapiv1.HTTPRouteFilter{ + { + Type: gwapiv1.HTTPRouteFilterExtensionRef, + ExtensionRef: &gwapiv1.LocalObjectReference{ + Group: egv1a1.GroupName, + Kind: egv1a1.KindHTTPRouteFilter, + Name: gwapiv1.ObjectName(httpRouteFilterName), + }, + }, + } + } + + return httpRoute } // GetGRPCRoute returns a sample GRPCRoute with a parent reference. @@ -329,3 +344,24 @@ func GetEndpointSlice(nsName types.NamespacedName, svcName string) *discoveryv1. }, } } + +// GetHTTPRouteFilter returns a sample Service with labels and ports. +func GetHTTPRouteFilter(nsName types.NamespacedName) *egv1a1.HTTPRouteFilter { + return &egv1a1.HTTPRouteFilter{ + ObjectMeta: metav1.ObjectMeta{ + Name: nsName.Name, + Namespace: nsName.Namespace, + }, + Spec: egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Path: &egv1a1.HTTPPathModifier{ + Type: egv1a1.RegexHTTPPathModifier, + ReplaceRegexMatch: &egv1a1.ReplaceRegexMatch{ + Pattern: "foo", + Substitution: "bar", + }, + }, + }, + }, + } +} diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 42f17ff94f1..a8ec4a291d5 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go 
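Review bot: The doc comment on `GetHTTPRouteFilter` in the `@@ -329,3 +344,24 @@` hunk says it returns a sample Service with labels and ports, which was carried over from another helper. It should read `// GetHTTPRouteFilter returns a sample HTTPRouteFilter with a regex path rewrite.` The comment on `GetHTTPRoute` could likewise mention that a non-empty `httpRouteFilterName` adds an ExtensionRef filter to the first rule.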
@@ -386,14 +386,15 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa } if urlRewrite.Path != nil { - if urlRewrite.Path.FullReplace != nil { + switch { + case urlRewrite.Path.FullReplace != nil: routeAction.RegexRewrite = &matcherv3.RegexMatchAndSubstitute{ Pattern: &matcherv3.RegexMatcher{ Regex: "^/.*$", }, Substitution: *urlRewrite.Path.FullReplace, } - } else if urlRewrite.Path.PrefixMatchReplace != nil { + case urlRewrite.Path.PrefixMatchReplace != nil: // Circumvent the case of "//" when the replace string is "/" // An empty replace string does not seem to solve the issue so we are using // a regex match and replace instead @@ -406,6 +407,13 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa // and the urlRewrite.Path.PrefixMatchReplace suffix with / the upstream will get unwanted / routeAction.PrefixRewrite = strings.TrimSuffix(*urlRewrite.Path.PrefixMatchReplace, "/") } + case urlRewrite.Path.RegexMatchReplace != nil: + routeAction.RegexRewrite = &matcherv3.RegexMatchAndSubstitute{ + Pattern: &matcherv3.RegexMatcher{ + Regex: urlRewrite.Path.RegexMatchReplace.Pattern, + }, + Substitution: urlRewrite.Path.RegexMatchReplace.Substitution, + } } } diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml new file mode 100644 index 00000000000..0389201186e --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml 
@@ -0,0 +1,26 @@ +name: "http-route" +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "rewrite-route" + pathMatch: + prefix: "/origin" + hostname: gateway.envoyproxy.io + destination: + name: "rewrite-route" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + urlRewrite: + path: + regexMatchReplace: + pattern: '^/service/([^/]+)(/.*)$' + substitution: '\2/instance/\1' diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml new file mode 100644 index 00000000000..3a2b7308d8e --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: rewrite-route + lbPolicy: LEAST_REQUEST + name: rewrite-route + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.endpoints.yaml new file mode 100644 index 00000000000..ca1ef21c989 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: rewrite-route + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: rewrite-route/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml new file mode 100644 index 00000000000..c3fb113017a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml @@ -0,0 +1,34 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.routes.yaml new file mode 100644 index 00000000000..20d4e99ef68 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.routes.yaml 
@@ -0,0 +1,18 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - gateway.envoyproxy.io + name: first-listener/gateway_envoyproxy_io + routes: + - match: + pathSeparatedPrefix: /origin + name: rewrite-route + route: + cluster: rewrite-route + regexRewrite: + pattern: + regex: ^/service/([^/]+)(/.*)$ + substitution: \2/instance/\1 + upgradeConfigs: + - upgradeType: websocket diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index d02a1686171..b716d7ad3f0 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1905,7 +1905,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | -| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | true | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | #### HTTPPathModifierType diff --git a/site/content/en/latest/tasks/traffic/http-urlrewrite.md b/site/content/en/latest/tasks/traffic/http-urlrewrite.md index 67915f93fcf..a643d775a57 100644 --- a/site/content/en/latest/tasks/traffic/http-urlrewrite.md +++ b/site/content/en/latest/tasks/traffic/http-urlrewrite.md 
@@ -275,6 +275,160 @@ $ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get You can see that the `X-Envoy-Original-Path` is `/get/origin/path/extra`, but the actual path is `/force/replace/fullpath`. +## Rewrite URL Path with Regex + +In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API. +The `HTTPRouteFilter` API can be configured to use [RE2][]-compatible regex matchers and substitutions to rewrite a portion of the url. +In the example below, requests sent to `http://${GATEWAY_HOST}/service/xxx/yyy` (where `xxx` is a single path portion and `yyy` is one or more path portions) +are rewritten to `http://${GATEWAY_HOST}/yyy/instance/xxx`. The entire path is matched and rewritten using capture groups. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-filter-url-rewrite -o yaml +``` + +Querying `http://${GATEWAY_HOST}/get/origin/path/extra` should rewrite the request to +`http://${GATEWAY_HOST}/force/replace/fullpath`. + +```console +$ curl -L -vvv --header "Host: path.regex.rewrite.example" "http://${GATEWAY_HOST}/get/origin/path/extra" +... 
+> GET /service/foo/v1/api HTTP/1.1 +> Host: path.regex.rewrite.example +> User-Agent: curl/8.7.1 +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Mon, 16 Sep 2024 18:49:48 GMT +< content-length: 482 +< +{ + "path": "/v1/api/instance/foo", + "host": "path.regex.rewrite.example", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.7.1" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "10.244.0.37" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "24a5958f-1bfa-4694-a9c1-807d5139a18a" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-765694d47f-lzmpm" +... +``` + +You can see that the path is rewritten from `/service/foo/v1/api`, to `/v1/api/instance/foo`. + ## Rewrite Host Name You can configure to rewrite the hostname like below. In this example, any requests sent to @@ -402,3 +556,5 @@ $ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get You can see that the `X-Forwarded-Host` is `path.rewrite.example`, but the actual host is `envoygateway.io`. [HTTPURLRewriteFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPURLRewriteFilter +[HTTPRouteFilter]: ../../../api/extension_types#httproutefilter +[RE2]: https://github.com/google/re2/wiki/Syntax \ No newline at end of file diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index d02a1686171..b716d7ad3f0 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -1905,7 +1905,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | -| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | true | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | #### HTTPPathModifierType diff --git a/test/cel-validation/httproutefilter_test.go b/test/cel-validation/httproutefilter_test.go new file mode 100644 index 00000000000..e9ebf380fb6 --- /dev/null +++ b/test/cel-validation/httproutefilter_test.go 
@@ -0,0 +1,120 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build celvalidation +// +build celvalidation + +package celvalidation + +import ( + "context" + "fmt" + "strings" + "testing" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" +) + +func TestHTTPRouteFilter(t *testing.T) { + ctx := context.Background() + baseHTTPRouteFilter := egv1a1.HTTPRouteFilter{ + ObjectMeta: metav1.ObjectMeta{ + Name: "hrf", + Namespace: metav1.NamespaceDefault, + }, + Spec: egv1a1.HTTPRouteFilterSpec{}, + } + + cases := []struct { + desc string + mutate func(httproutefilter *egv1a1.HTTPRouteFilter) + mutateStatus func(httproutefilter *egv1a1.HTTPRouteFilter) + wantErrors []string + }{ + { + desc: "Valid RegexHTTPPathModifier", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Path: &egv1a1.HTTPPathModifier{ + Type: egv1a1.RegexHTTPPathModifier, + ReplaceRegexMatch: &egv1a1.ReplaceRegexMatch{ + Pattern: "foo", + Substitution: "bar", + }, + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "invalid RegexHTTPPathModifier missing settings", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Path: &egv1a1.HTTPPathModifier{ + Type: egv1a1.RegexHTTPPathModifier, + }, + }, + } + }, + wantErrors: []string{"spec.urlRewrite.path: Invalid value: \"object\": If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch field needs to be set."}, + }, + { + desc: "invalid RegexHTTPPathModifier missing pattern and substitution", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: 
&egv1a1.HTTPURLRewriteFilter{ + Path: &egv1a1.HTTPPathModifier{ + Type: egv1a1.RegexHTTPPathModifier, + ReplaceRegexMatch: &egv1a1.ReplaceRegexMatch{ + Pattern: "", + Substitution: "", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.urlRewrite.path.replaceRegexMatch.pattern: Invalid value: \"\": spec.urlRewrite.path.replaceRegexMatch.pattern in body should be at least 1 chars long", + }, + }, + } + + for _, tc := range cases { + t.Run(tc.desc, func(t *testing.T) { + httpRouteFilter := baseHTTPRouteFilter.DeepCopy() + httpRouteFilter.Name = fmt.Sprintf("hrf-%v", time.Now().UnixNano()) + + if tc.mutate != nil { + tc.mutate(httpRouteFilter) + } + err := c.Create(ctx, httpRouteFilter) + + if tc.mutateStatus != nil { + tc.mutateStatus(httpRouteFilter) + err = c.Status().Update(ctx, httpRouteFilter) + } + + if (len(tc.wantErrors) != 0) != (err != nil) { + t.Fatalf("Unexpected response while creating HTTPRouteFilter; got err=\n%v\n;want error=%v", err, tc.wantErrors) + } + + var missingErrorStrings []string + for _, wantError := range tc.wantErrors { + if !strings.Contains(strings.ToLower(err.Error()), strings.ToLower(wantError)) { + missingErrorStrings = append(missingErrorStrings, wantError) + } + } + if len(missingErrorStrings) != 0 { + t.Errorf("Unexpected response while creating HTTPRouteFilter; got err=\n%v\n;missing strings within error=%q", err, missingErrorStrings) + } + }) + } +} diff --git a/test/e2e/testdata/httproute-rewrite-regex-path.yaml b/test/e2e/testdata/httproute-rewrite-regex-path.yaml new file mode 100644 index 00000000000..821550d7375 --- /dev/null +++ b/test/e2e/testdata/httproute-rewrite-regex-path.yaml 
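Review bot: In the `t.Run` body the error returned by `c.Create` is overwritten by `c.Status().Update` whenever `mutateStatus` is set, so a create that the CEL rules rejected would be masked by the result of the status call. None of the three cases sets `mutateStatus`, so either drop the field or guard the update with `if err == nil && tc.mutateStatus != nil {`. Separately, the case described as "missing pattern and substitution" asserts only the `pattern` minimum-length message; if an empty `substitution` is meant to be accepted, the description should say so, e.g. `desc: "invalid RegexHTTPPathModifier empty pattern"`.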
@@ -0,0 +1,35 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: rewrite-regex-path + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: regex-path-rewrite + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: regex-path-rewrite + namespace: gateway-conformance-infra +spec: + urlRewrite: + path: + type: ReplaceRegexMatch + replaceRegexMatch: + pattern: '^/service/([^/]+)(/.*)$' + substitution: '\2/instance/\1' diff --git a/test/e2e/tests/httproute_rewrite_regex_path.go b/test/e2e/tests/httproute_rewrite_regex_path.go new file mode 100644 index 00000000000..975d2ec8868 --- /dev/null +++ b/test/e2e/tests/httproute_rewrite_regex_path.go 
@@ -0,0 +1,59 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, HTTPRouteRewriteRegexPath) +} + +var HTTPRouteRewriteRegexPath = suite.ConformanceTest{ + ShortName: "HTTPRouteRewriteRegexPath", + Description: "An HTTPRoute with path rewrite filter to replace a regex match", + Manifests: []string{"testdata/httproute-rewrite-regex-path.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "rewrite-regex-path", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) + + testCases := []http.ExpectedResponse{ + { + Request: http.Request{ + Path: "/service/foo/v1/api", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/v1/api/instance/foo", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + }, + } + for i := range testCases { + // Declare tc here to avoid loop variable + // reuse issues across parallel tests. + tc := testCases[i] + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} 
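Review bot: The `testCases` slice covers only a path that matches the pattern, so the test would still pass if the filter altered requests whose path does not match `^/service/([^/]+)(/.*)$`. The route in `testdata/httproute-rewrite-regex-path.yaml` matches `PathPrefix: /`, so every request on this listener goes through the filter, and a second case with a non-matching path would pin that such requests reach the backend unmodified. The pass-through expectation is inferred from the substitution semantics described in the API docs ("the path portions matched by the regex pattern are replaced"), so confirm it against the translator output before relying on it.

```go
testCases := []http.ExpectedResponse{
	// … unchanged: /service/foo/v1/api → /v1/api/instance/foo case …
	{
		// No "/service/" prefix, so the pattern does not match and the
		// path is expected to be forwarded exactly as sent.
		Request: http.Request{
			Path: "/other/v1/api",
		},
		ExpectedRequest: &http.ExpectedRequest{
			Request: http.Request{
				Path: "/other/v1/api",
			},
		},
		Backend:   "infra-backend-v1",
		Namespace: ns,
	},
```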
diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 0bd873a34b9..c280e54ca94 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -127,6 +127,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index cd7ff1a53dc..3db52f2bcbe 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -142,6 +142,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 147c0f8ba70..0dd66b5c209 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -127,6 +127,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 7fdfef5e53e..b9fc662515f 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -127,6 +127,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 5a2df408fe5..4da6c9a57f3 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml 
@@ -127,6 +127,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 233334d5972..056a0bde7d0 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -129,6 +129,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 95b98165d12..5eea2055070 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -131,6 +131,7 @@ rules: - securitypolicies - envoyextensionpolicies - backends + - httproutefilters verbs: - get - list From 2cd2195a574034c6c729a9f13926dce2351c4aa6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 19:08:07 -0700 Subject: [PATCH 185/523] build(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 (#4304) build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.3 to 1.20.4. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.3...v1.20.4) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e699b776d3e..dad0ae80fba 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.1 - github.com/prometheus/client_golang v1.20.3 + github.com/prometheus/client_golang v1.20.4 github.com/prometheus/common v0.59.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 0ed7d5b1a99..f80de23324e 100644 --- a/go.sum +++ b/go.sum @@ -672,8 +672,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= -github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From cd4e9b155d875f8a23e247b016bf028f7127bca0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 10:21:55 +0800 Subject: [PATCH 186/523] build(deps): bump github.com/docker/docker from 27.2.0+incompatible to 27.3.1+incompatible (#4303) build(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.2.0+incompatible to 27.3.1+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v27.2.0...v27.3.1) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index dad0ae80fba..bbe504923c8 100644 --- a/go.mod +++ b/go.mod @@ -62,7 +62,7 @@ require ( ) require ( - github.com/docker/docker v27.2.0+incompatible + github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.102.0 google.golang.org/grpc v1.66.2 ) diff --git a/go.sum b/go.sum index f80de23324e..603355075db 100644 --- a/go.sum +++ b/go.sum 
@@ -184,8 +184,8 @@ github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4= -github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= +github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= From 3a94e6791a016d2b18c0984224e81828f78b87c0 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 23 Sep 2024 19:42:29 -0700 Subject: [PATCH 187/523] chore: update release page (#4319) Signed-off-by: Arko Dasgupta --- site/content/en/news/releases/_index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index e8282654b7f..367fb17d21b 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md 
@@ -8,8 +8,7 @@ type = "docs" +++ This document provides details for Envoy Gateway releases. Envoy Gateway follows the Semantic Versioning [v2.0.0 spec][] -for release versioning. Since Envoy Gateway is a new project, minor releases are the only defined releases. Envoy -Gateway maintainers will establish additional release details, e.g. patch releases, at a future date. +for release versioning. ## Stable Releases From 2c8655b8b6427fcd0bc9f5553e28527935cb1d7c Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 23 Sep 2024 19:43:00 -0700 Subject: [PATCH 188/523] chore: update roadmap page (#4318) * chore: update roadmap page Signed-off-by: Arko Dasgupta * fix link Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/content/en/contributions/roadmap.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/site/content/en/contributions/roadmap.md b/site/content/en/contributions/roadmap.md index 955af2a9623..54b808587f9 100644 --- a/site/content/en/contributions/roadmap.md +++ b/site/content/en/contributions/roadmap.md @@ -63,6 +63,10 @@ contributing to the project. - Add TrafficPolicy APIs for advanced features [Issue #1492][1492]. - Envoy Gateway meets readiness criteria [Issue #1160][1160]. +### [v1.0.0][v1.0.0]: Envoy Gateway goes GA + +Visit the [milestones][milestones] page to learn more about the future roadmap. + [issue]: https://github.com/envoyproxy/gateway/issues [meeting]: https://docs.google.com/document/d/1leqwsHX8N-XxNEyTflYjRur462ukFxd19Rnk3Uzy55I/edit?usp=sharing [pr]: https://github.com/envoyproxy/gateway/compare 
@@ -72,6 +76,7 @@ contributing to the project. [v0.4.0]: https://github.com/envoyproxy/gateway/milestone/12 [v0.5.0]: https://github.com/envoyproxy/gateway/milestone/13 [v0.6.0]: https://github.com/envoyproxy/gateway/milestone/15 +[v1.0.0]: https://github.com/envoyproxy/gateway/milestone/18 [17]: https://github.com/envoyproxy/gateway/issues/17 [20]: https://github.com/envoyproxy/gateway/issues/20 [24]: https://github.com/envoyproxy/gateway/issues/24 From cbcc1fd5b3f8c54adce42cb26ad01c3f3e5f65fb Mon Sep 17 00:00:00 2001 From: Kevin Date: Tue, 24 Sep 2024 11:43:30 +0900 Subject: [PATCH 189/523] ci: dual-stack support for kind cluster (#4301) * feat: dual-stack support for kind cluster Signed-off-by: Juwon Hwang (Kevin) * feat: add ip_family support to create-cluster.sh Signed-off-by: Juwon Hwang (Kevin) * chore: address_range_v6 to hex Signed-off-by: Juwon Hwang (Kevin) --------- Signed-off-by: Juwon Hwang (Kevin) --- tools/hack/create-cluster.sh | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index 16e1477b56f..ad3cff1cd92 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -7,11 +7,13 @@ CLUSTER_NAME=${CLUSTER_NAME:-"envoy-gateway"} METALLB_VERSION=${METALLB_VERSION:-"v0.13.10"} KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.31.0"} NUM_WORKERS=${NUM_WORKERS:-""} - +IP_FAMILY=${IP_FAMILY:-"ipv4"} KIND_CFG=$(cat <<-EOM kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 +networking: + ipFamily: ${IP_FAMILY} nodes: - role: control-plane EOM 
@@ -53,10 +55,31 @@ kubectl rollout status -n metallb-system deployment/controller --timeout 5m kubectl rollout status -n metallb-system daemonset/speaker --timeout 5m # Apply config with addresses based on docker network IPAM. -subnet=$(docker network inspect kind | jq -r '.[].IPAM.Config[].Subnet | select(contains(":") | not)') -# Assume default kind network subnet prefix of 16, and choose addresses in that range. -address_first_octets=$(echo "${subnet}" | awk -F. '{printf "%s.%s",$1,$2}') -address_range="${address_first_octets}.255.200-${address_first_octets}.255.250" +address_ranges="" + +if [ "${IP_FAMILY}" = "ipv4" ] || [ "${IP_FAMILY}" = "dual" ]; then + subnet_v4=$(docker network inspect kind | jq -r '.[].IPAM.Config[] | select(.Subnet | contains(":") | not) | .Subnet') + address_prefix_v4=$(echo "${subnet_v4}" | awk -F. '{print $1"."$2"."$3}') + address_range_v4="${address_prefix_v4}.200-${address_prefix_v4}.250" + echo "IPv4 address range: ${address_range_v4}" + address_ranges+="- ${address_range_v4}" +fi + +if [ "${IP_FAMILY}" = "ipv6" ] || [ "${IP_FAMILY}" = "dual" ]; then + subnet_v6=$(docker network inspect kind | jq -r '.[].IPAM.Config[] | select(.Subnet | contains(":")) | .Subnet') + ipv6_prefix="${subnet_v6%::*}" + address_range_v6="${ipv6_prefix}::c8-${ipv6_prefix}::fa" + echo "IPv6 address range: ${address_range_v6}" + [ -n "${address_ranges}" ] && address_ranges+="\n" + address_ranges+="- ${address_range_v6}" +fi + +if [ -z "${address_ranges}" ]; then + echo "Error: No valid IP ranges found for IP_FAMILY=${IP_FAMILY}" + exit 1 +fi + +# Apply MetalLB IPAddressPool and L2Advertisement kubectl apply -f - < Date: Mon, 23 Sep 2024 21:43:48 -0500 Subject: [PATCH 190/523] [release/v1.1] release: v1.1.2 (#4320) release: v1.1.2 
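Review bot: In the dual-stack branch, `address_ranges+="\n"` appends a literal backslash and `n`, because bash does not expand escapes inside double quotes, so the IPv4 and IPv6 entries stay on one line unless whatever emits `address_ranges` expands it (for example `echo -e`). The heredoc that consumes the variable is not readable in this hunk, so this needs checking there; appending a real newline removes the dependency: `[ -n "${address_ranges}" ] && address_ranges+=$'\n'`. The two `jq` filters can also return more than one subnet when the kind network carries several IPAM entries for a family, which would make `address_prefix_v4` and `ipv6_prefix` multi-line; taking the first match (`| head -n1`) would keep the generated MetalLB address pool well-formed.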
Signed-off-by: Guy Daich --- VERSION | 2 +- release-notes/v1.1.2.yaml | 16 ++++++++++++++++ site/content/en/news/releases/notes/v1.1.2.md | 17 +++++++++++++++++ site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 5 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 release-notes/v1.1.2.yaml create mode 100644 site/content/en/news/releases/notes/v1.1.2.md diff --git a/VERSION b/VERSION index 56130fb3a19..0f1acbd5656 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.1.1 +v1.1.2 diff --git a/release-notes/v1.1.2.yaml b/release-notes/v1.1.2.yaml new file mode 100644 index 00000000000..a257ea677f6 --- /dev/null +++ b/release-notes/v1.1.2.yaml @@ -0,0 +1,16 @@ +date: September 24, 2024 + +changes: + - area: translator + change: | + Fixed handling of sectionName in BackendTLSPolicy for Backend resource + + + - area: infra-manager + change: | + Pin Envoy Proxy version to v1.32.2 + Change Envoy listener drain strategy from gradual to immediate + + - area: providers + change: | + Fixed reconciliation of HTTPRoutes when labels change diff --git a/site/content/en/news/releases/notes/v1.1.2.md b/site/content/en/news/releases/notes/v1.1.2.md new file mode 100644 index 00000000000..b47371addce --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.2.md @@ -0,0 +1,17 @@ +--- +title: "v1.1.2" +publishdate: 2024-09-24 +--- + +Date: September 24, 2024 + +## Translator +- Fixed handling of sectionName in BackendTLSPolicy for Backend resource + +## Infra-manager +- Pin Envoy Proxy version to v1.32.2 +- Change Envoy listener drain strategy from gradual to immediate + +## Providers +- Fixed reconciliation of HTTPRoutes when labels change + diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 7e0b44a81b9..704c3dfde80 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html 
@@ -3,8 +3,8 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.1" -}} +{{- "v1.1.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.1" -}} +{{- "v1.1.2" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index a033e6ce1ca..eced902814a 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,8 +3,8 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.1" -}} +{{- "v1.1.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.1" -}} +{{- "v1.1.2" -}} {{- end -}} From 7dfa8570b66229956b7d53a1055b47f9305db652 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 24 Sep 2024 15:58:13 +0800 Subject: [PATCH 191/523] chore: add the exptected date for 1.2.0 (#4321) * add the exptected date for 1.2.0 Signed-off-by: Huabing Zhao * add release manager for v1.2 Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- site/content/en/news/releases/_index.md | 2 ++ site/content/zh/news/releases/_index.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index 367fb17d21b..71ff48fd392 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md @@ -36,6 +36,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | | 2024 Q2 | Guy Daich ([guydc](https://github.com/guydc)) | +| 2024 Q3 | Huabing Zhao ([zhaohuabing](https://github.com/zhaohuabing))| ## Release Schedule 
@@ -51,6 +52,7 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea | 0.6.0 | 2023/10/22 | 2023/11/02 | +10 days | 2024/05/02 | | 1.0.0 | 2024/03/06 | 2023/03/13 | +7 days | 2024/09/13 | | 1.1.0 | 2024/07/16 | 2024/07/22 | +6 days | 2024/01/22 | +| 1.2.0 | 2024/10/22 | | | | [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html [release guide]: ../../contributions/releasing diff --git a/site/content/zh/news/releases/_index.md b/site/content/zh/news/releases/_index.md index 9512bbc7260..8afc5916c6e 100644 --- a/site/content/zh/news/releases/_index.md +++ b/site/content/zh/news/releases/_index.md @@ -36,6 +36,8 @@ Envoy Gateway 的稳定版本包括: | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | +| 2024 Q2 | Guy Daich ([guydc](https://github.com/guydc)) | +| 2024 Q3 | Huabing Zhao ([zhaohuabing](https://github.com/zhaohuabing))| ## 发布时间表 {#release-schedule} @@ -50,6 +52,9 @@ Envoy Gateway 版本按固定时间表(每个季度的第 22 天)生成, | 0.4.0 | 2023/04/22 | 2023/04/24 | +2 天 | 2023/10/24 | | 0.5.0 | 2023/07/22 | 2023/08/02 | +10 天 | 2024/01/02 | | 0.6.0 | 2023/10/22 | 2023/11/02 | +10 天 | 2024/05/02 | +| 1.0.0 | 2024/03/06 | 2023/03/13 | +7 天 | 2024/09/13 | +| 1.1.0 | 2024/07/16 | 2024/07/22 | +6 天 | 2024/01/22 | +| 1.2.0 | 2024/10/22 | | | | [v2.0.0 规范]: https://semver.org/lang/zh-CN/ [发布指南]: ../../contributions/releasing From bd966b895553435e0eef3460a0313ee0bdf97c7c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 24 Sep 2024 16:00:03 +0800 Subject: [PATCH 192/523] set user group and user id for the default SecurityContext (#4313) set user group and user id 
Signed-off-by: Huabing Zhao --- .../templates/envoy-gateway-deployment.yaml | 2 ++ internal/infrastructure/kubernetes/proxy/resource.go | 10 ++++++++++ .../proxy/testdata/daemonsets/component-level.yaml | 4 ++++ .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 2 ++ .../proxy/testdata/daemonsets/default-env.yaml | 2 ++ .../kubernetes/proxy/testdata/daemonsets/default.yaml | 4 ++++ .../proxy/testdata/daemonsets/disable-prometheus.yaml | 4 ++++ .../proxy/testdata/daemonsets/extension-env.yaml | 2 ++ .../daemonsets/override-labels-and-annotations.yaml | 4 ++++ .../proxy/testdata/daemonsets/patch-daemonset.yaml | 4 ++++ .../proxy/testdata/daemonsets/shutdown-manager.yaml | 3 +++ .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 2 ++ .../proxy/testdata/daemonsets/with-annotations.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-concurrency.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-extra-args.yaml | 4 ++++ .../testdata/daemonsets/with-image-pull-secrets.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-name.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-node-selector.yaml | 4 ++++ .../daemonsets/with-topology-spread-constraints.yaml | 4 ++++ .../proxy/testdata/deployments/bootstrap.yaml | 4 ++++ .../proxy/testdata/deployments/component-level.yaml | 4 ++++ .../kubernetes/proxy/testdata/deployments/custom.yaml | 2 ++ .../deployments/custom_with_initcontainers.yaml | 2 ++ .../proxy/testdata/deployments/default-env.yaml | 2 ++ .../kubernetes/proxy/testdata/deployments/default.yaml | 4 ++++ .../proxy/testdata/deployments/disable-prometheus.yaml | 4 ++++ .../proxy/testdata/deployments/extension-env.yaml | 2 ++ .../deployments/override-labels-and-annotations.yaml | 4 ++++ .../proxy/testdata/deployments/patch-deployment.yaml | 4 ++++ .../proxy/testdata/deployments/shutdown-manager.yaml | 3 +++ .../kubernetes/proxy/testdata/deployments/volumes.yaml | 2 ++ .../proxy/testdata/deployments/with-annotations.yaml | 4 ++++ 
.../proxy/testdata/deployments/with-concurrency.yaml | 4 ++++ .../testdata/deployments/with-empty-memory-limits.yaml | 4 ++++ .../proxy/testdata/deployments/with-extra-args.yaml | 4 ++++ .../testdata/deployments/with-image-pull-secrets.yaml | 4 ++++ .../proxy/testdata/deployments/with-name.yaml | 4 ++++ .../proxy/testdata/deployments/with-node-selector.yaml | 4 ++++ .../deployments/with-topology-spread-constraints.yaml | 4 ++++ .../gateway-helm/certjen-custom-scheduling.out.yaml | 2 ++ test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 2 ++ test/helm/gateway-helm/default-config.out.yaml | 2 ++ .../gateway-helm/deployment-custom-topology.out.yaml | 2 ++ .../gateway-helm/deployment-images-config.out.yaml | 2 ++ test/helm/gateway-helm/envoy-gateway-config.out.yaml | 2 ++ test/helm/gateway-helm/global-images-config.out.yaml | 2 ++ 46 files changed, 154 insertions(+) diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 7d631f17289..af5cd116961 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -82,6 +82,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index 32ca695e5da..d4d210418b7 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -447,6 +447,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) } sc := resource.DefaultSecurityContext() + + // run as non-root user + sc.RunAsGroup = ptr.To(int64(65532)) + sc.RunAsUser = ptr.To(int64(65532)) + // Envoy container needs to write to the log file/UDS socket. sc.ReadOnlyRootFilesystem = nil return sc 
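Review bot: The `runAsGroup: 65532` and `runAsUser: 65532` lines added to the container `securityContext` in `envoy-gateway-deployment.yaml` are literals in the template, so as far as this hunk shows an operator cannot change them without post-rendering the chart. Clusters whose admission policy assigns UIDs from a per-namespace range (OpenShift's restricted SCC is the usual case) may reject a pod that pins a UID outside that range. Consider rendering both fields from chart values with 65532 as the default. At minimum add a comment above them such as `# must match the non-root user of the envoy-gateway image`. Whether 65532 is the user that image declares cannot be confirmed from this commit.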
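Review bot: The literal `65532` is written twice in `expectedEnvoySecurityContext`, twice more in `expectedShutdownManagerSecurityContext` (the next hunk), and again in the Helm template, with nothing tying the copies together or saying which image user the value mirrors. A package-level constant such as `const defaultNonRootID int64 = 65532`, with a doc comment naming the image user it has to match, would keep the copies in sync and make a later mismatch with the image visible in review. The comment `// run as non-root user` is also slightly off: the golden files show `runAsNonRoot: true` was already present, so these lines pin a specific UID/GID rather than add the non-root guarantee, and something like `// pin UID/GID instead of relying on the image's USER` would describe that. Both function bodies start outside their hunks, so the override path before `sc := resource.DefaultSecurityContext()` is not visible here.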
@@ -454,6 +459,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) func expectedShutdownManagerSecurityContext() *corev1.SecurityContext { sc := resource.DefaultSecurityContext() + + // run as non-root user + sc.RunAsGroup = ptr.To(int64(65532)) + sc.RunAsUser = ptr.To(int64(65532)) + // ShutdownManger creates a file to indicate the connection drain process is completed, // so it needs file write permission. sc.ReadOnlyRootFilesystem = nil diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index b81eac520be..4f9107fb4d7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -94,7 +94,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -168,7 +170,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index dd3d30cb87c..a3bad89951a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -347,7 +347,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 2756e0ac667..6afaa48eb50 100644 
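Review bot: In `expectedShutdownManagerSecurityContext` the new GID default appears to survive when only the UID is overridden: the `shutdown-manager.yaml` golden files for both daemonsets and deployments in this commit now render `runAsGroup: 65532` next to `runAsUser: 1234`. How the 1234 is applied is outside this hunk, presumably in a later merge or patch step. The resulting mixed identity can surprise an operator who sets a custom UID and expects ownership of files on shared volumes to follow it. If this is intended, state it in the comment, e.g. `// defaults only; overriding runAsUser does not change runAsGroup`, and add a golden case that overrides both fields.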
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -346,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index cdecbf11acc..c55efd9a651 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index cb14c7d0102..0190a032347 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -232,7 +232,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -306,7 +308,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 844e8c38b8a..59abefc9f7e 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -350,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 3e2631cf7a2..acf981d6eaf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -270,7 +270,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -344,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 894bd9597d4..6eaf679f35b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 04230b2f453..b4ff0f41c3b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -345,6 +347,7 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true runAsUser: 1234 seccompProfile: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 74555834ecf..8707cd1289b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -350,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 708f586ffc2..1288195935a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -266,7 +266,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -340,7 +342,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 10911bdec5d..aceabd683a3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -94,7 +94,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -168,7 +170,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 558e51410c0..c4e4ef57509 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -263,7 +263,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -337,7 +339,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index bb6d7bcebc5..a368ec3334e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml 
@@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 7df24d4b5c4..34d8438df3d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 6fb612dad30..aa6aba8b813 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index cc863ceb2cd..a69ed0181ee 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 7c979810084..edbcf01d06f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -97,7 +97,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -171,7 +173,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index b9076bc915f..6ac7da41299 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml 
@@ -98,7 +98,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -172,7 +174,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index b770e10c5ab..7825fe6a5d4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -352,7 +352,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 3b7f4c13131..7c19b8404b4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -354,7 +354,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 11fc90e2e6f..608be7b1164 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml 
@@ -351,7 +351,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index a1efff9d450..7ab09dccee7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index cf2503cc142..8eba24a439e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -236,7 +236,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -310,7 +312,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 97f116c0620..2cb179ea5ce 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml 
@@ -355,7 +355,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 3f5c31be439..a2ad5c78026 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -274,7 +274,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -348,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 725c4994a52..7e742ac47f0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 4c6726cb54e..9abe8a6cae2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -349,6 +351,7 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true runAsUser: 1234 seccompProfile: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 4c5819a8786..b5fca7f2c29 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -355,7 +355,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index f0a9014ec9f..c96b3d7a3da 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -270,7 +270,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -344,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 2902e865bf2..3cafba40548 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -98,7 +98,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -172,7 +174,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index cc950e452e9..001c2c627be 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -264,7 +264,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -338,7 +340,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index d31d189e616..3a44833a244 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -267,7 +267,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -341,7 +343,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index a60b4d2169e..ba938efc580 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 2dd44b08dd9..3b4404c54e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 235b1e992f9..f8288066623 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 60fb354d5a7..1b3a530ce53 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index c280e54ca94..096e1eb5561 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 3db52f2bcbe..4c9a3d6cfdf 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -444,6 +444,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 0dd66b5c209..c830348f012 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index b9fc662515f..fd468b505f0 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -457,6 +457,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 4da6c9a57f3..aa5a36ff23d 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 056a0bde7d0..aa91dacecc8 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -431,6 +431,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: 
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 5eea2055070..e18eecd7bc7 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -433,6 +433,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: From 4a3e324a7185c4b2cbb0c0dcc5da60e2c6f7bd54 Mon Sep 17 00:00:00 2001 From: Sven Schliesing Date: Tue, 24 Sep 2024 22:14:26 +0200 Subject: [PATCH 193/523] docs: remove comma (#4300) Remove comma Signed-off-by: Sven Schliesing --- site/content/en/docs/tasks/quickstart.md | 2 +- site/content/en/latest/tasks/quickstart.md | 2 +- site/content/en/v1.1/tasks/quickstart.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/site/content/en/docs/tasks/quickstart.md b/site/content/en/docs/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/docs/tasks/quickstart.md +++ b/site/content/en/docs/tasks/quickstart.md @@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. diff --git a/site/content/en/latest/tasks/quickstart.md b/site/content/en/latest/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/latest/tasks/quickstart.md +++ b/site/content/en/latest/tasks/quickstart.md 
@@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. diff --git a/site/content/en/v1.1/tasks/quickstart.md b/site/content/en/v1.1/tasks/quickstart.md index 802b7989a88..e1943c21e92 100644 --- a/site/content/en/v1.1/tasks/quickstart.md +++ b/site/content/en/v1.1/tasks/quickstart.md @@ -12,7 +12,7 @@ A Kubernetes cluster. __Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. -__Note:__ In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). __Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. From 8dfd151ef32f7f840165f82bb721463a1fdf2db1 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 25 Sep 2024 07:32:23 +0800 Subject: [PATCH 194/523] Impl: JWT claim authorization (#4167) * set reasonable length validation Signed-off-by: Huabing Zhao * Gateway API Signed-off-by: Huabing Zhao * generate xds Signed-off-by: Huabing Zhao * e2e test Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * fix lint 
Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * add test Signed-off-by: Huabing Zhao * add more e2e tests Signed-off-by: Huabing Zhao * fix gen Signed-off-by: Huabing Zhao * fix typo Signed-off-by: Huabing Zhao * Use provider name as the PayloadInMetada sinde issuer is optional Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * address comments Signed-off-by: Huabing Zhao * Normalize the scopes to facilitate matching in Authorization Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * add test for nested claims and StringArray value type Signed-off-by: Huabing Zhao * add xds translator test for nested claim Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- api/v1alpha1/authorization_types.go | 38 +- api/v1alpha1/zz_generated.deepcopy.go | 2 +- ...ateway.envoyproxy.io_securitypolicies.yaml | 25 +- ...-single-route-single-match-to-xds.all.json | 6 + ...-single-route-single-match-to-xds.all.yaml | 4 + ...le-route-single-match-to-xds.listener.yaml | 4 + internal/gatewayapi/securitypolicy.go | 2 + ...icy-with-authoriztion-client-cidr.in.yaml} | 0 ...cy-with-authoriztion-client-cidr.out.yaml} | 0 ...policy-with-authoriztion-jwt-claim.in.yaml | 74 ++++ ...olicy-with-authoriztion-jwt-claim.out.yaml | 220 ++++++++++ internal/ir/xds.go | 2 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/authorization.go | 388 +++++++++++++++--- internal/xds/translator/jwt.go | 6 +- ...on.yaml => authorization-client-cidr.yaml} | 0 .../in/xds-ir/authorization-jwt-claim.yaml | 99 +++++ .../in/xds-ir/authorization-jwt-scope.yaml | 95 +++++ .../authorization-multiple-principals.yaml | 80 ++++ .../authorization-client-cidr.clusters.yaml | 51 +++ .../authorization-client-cidr.endpoints.yaml | 36 ++ .../authorization-client-cidr.listeners.yaml | 37 ++ .../authorization-client-cidr.routes.yaml | 135 ++++++ .../authorization-jwt-claim.clusters.yaml | 106 +++++ .../authorization-jwt-claim.endpoints.yaml | 24 ++ .../authorization-jwt-claim.listeners.yaml | 80 ++++ .../authorization-jwt-claim.routes.yaml | 185 +++++++++ .../authorization-jwt-scope.clusters.yaml | 106 +++++ .../authorization-jwt-scope.endpoints.yaml | 24 ++ .../authorization-jwt-scope.listeners.yaml | 80 ++++ .../authorization-jwt-scope.routes.yaml | 149 +++++++ ...rization-multiple-principals.clusters.yaml | 17 + ...ization-multiple-principals.endpoints.yaml | 12 + ...ization-multiple-principals.listeners.yaml | 37 ++ ...horization-multiple-principals.routes.yaml | 256 ++++++++++++ .../xds-ir/custom-filter-order.listeners.yaml | 10 +- .../jwt-custom-extractor.listeners.yaml | 5 +- ...-multi-route-multi-provider.listeners.yaml | 20 +- 
...multi-route-single-provider.listeners.yaml | 10 +- .../out/xds-ir/jwt-optional.listeners.yaml | 5 +- .../out/xds-ir/jwt-ratelimit.listeners.yaml | 5 +- ...t-single-route-single-match.listeners.yaml | 5 +- site/content/en/latest/api/extension_types.md | 21 +- site/content/zh/latest/api/extension_types.md | 21 +- test/e2e/testdata/authorization-jwt.yaml | 143 +++++++ test/e2e/tests/authorization_jwt.go | 186 +++++++++ 46 files changed, 2730 insertions(+), 86 deletions(-) rename internal/gatewayapi/testdata/{securitypolicy-with-authoriztion.in.yaml => securitypolicy-with-authoriztion-client-cidr.in.yaml} (100%) rename internal/gatewayapi/testdata/{securitypolicy-with-authoriztion.out.yaml => securitypolicy-with-authoriztion-client-cidr.out.yaml} (100%) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml rename internal/xds/translator/testdata/in/xds-ir/{authorization.yaml => authorization-client-cidr.yaml} (100%) create mode 100644 internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml create mode 100644 test/e2e/testdata/authorization-jwt.yaml create mode 100644 test/e2e/tests/authorization_jwt.go diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 2851cecf6d7..56e8d44e1b3 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -28,8 +28,11 @@ type Authorization struct { // AuthorizationRule defines a single authorization rule. type AuthorizationRule struct { // Name is a user-friendly name for the rule. - // If not specified, Envoy Gateway will generate a unique name for the rule.n + // If not specified, Envoy Gateway will generate a unique name for the rule. + // // +optional + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 Name *string `json:"name,omitempty"` // Action defines the action to be taken if the rule matches. 
@@ -45,7 +48,8 @@ type AuthorizationRule struct { // Principal specifies the client identity of a request. // A client identity can be a client IP, a JWT claim, username from the Authorization header, // or any other identity that can be extracted from a custom header. -// Currently, only the client IP is supported. + +// If there are multiple principal types, all principals must match for the rule to match. // // +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt))",message="at least one of clientCIDRs or jwt must be specified" type Principal struct { @@ -60,7 +64,8 @@ type Principal struct { // You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in // the `ClientTrafficPolicy` to configure how the client IP is detected. // +optional - ClientCIDRs []CIDR `json:"clientCIDRs"` + // +kubebuilder:validation:MinItems=1 + ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"` // JWT authorize the request based on the JWT claims and scopes. // Note: in order to use JWT claims for authorization, you must configure the 
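Review bot: The empty line added between `// or any other identity that can be extracted from a custom header.` and `// If there are multiple principal types, ...` splits the comment above `type Principal struct` in two. A Go doc comment has to be contiguous, so only the last paragraph stays attached to the type. Tools that read that comment, and likely the CRD description generator, would lose "Principal specifies the client identity of a request." Replace the empty line with a bare `//` so the whole block remains the type's documentation.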
@@ -76,12 +81,23 @@ type Principal struct { // // +kubebuilder:validation:XValidation:rule="(has(self.claims) || has(self.scopes))",message="at least one of claims or scopes must be specified" type JWTPrincipal struct { + // Provider is the name of the JWT provider that used to verify the JWT token. + // In order to use JWT claims for authorization, you must configure the JWT + // authentication with the same provider in the same `SecurityPolicy`. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Provider string `json:"provider"` + // Claims are the claims in a JWT token. // // If multiple claims are specified, all claims must match for the rule to match. // For example, if there are two claims: one for the audience and one for the issuer, // the rule will match only if both the audience and the issuer match. + // // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 Claims []JWTClaim `json:"claims,omitempty"` // Scopes are a special type of claim in a JWT token that represents the permissions of the client. @@ -90,8 +106,11 @@ type JWTPrincipal struct { // as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23. // // If multiple scopes are specified, all scopes must match for the rule to match. + // // +optional - Scopes []string `json:"scopes,omitempty"` + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 + Scopes []JWTScope `json:"scopes,omitempty"` } // JWTClaim specifies a claim in a JWT token. 
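Review bot: The doc comment on the new `Provider` field reads "the JWT provider that used to verify the JWT token", and the same commit copies that sentence into the generated CRD description. Suggested wording: `// Provider is the name of the JWT provider that is used to verify the JWT token.` The comment also states a requirement (the provider must be configured in the same `SecurityPolicy`) that the `MinLength`/`MaxLength` markers cannot enforce. It would help to say here what happens when the name does not resolve to a configured provider.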
@@ -101,10 +120,14 @@ type JWTClaim struct { // represent the full path to the claim. // For example, if the claim is in the "department" field in the "organization" field, // the name should be "organization.department". + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 Name string `json:"name"` // ValueType is the type of the claim value. // Only String and StringArray types are supported for now. + // // +kubebuilder:validation:Enum=String;StringArray // +kubebuilder:default=String // +unionDiscriminator @@ -115,9 +138,16 @@ type JWTClaim struct { // If the claim is a string type, the specified value must match exactly. // If the claim is a string array type, the specified value must match one of the values in the array. // If multiple values are specified, one of the values must match for the rule to match. + // + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=16 Values []string `json:"values"` } +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=253 +type JWTScope string + type JWTClaimValueType string const ( diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index d1c42376011..953aef0206c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3109,7 +3109,7 @@ func (in *JWTPrincipal) DeepCopyInto(out *JWTPrincipal) { } if in.Scopes != nil { in, out := &in.Scopes, &out.Scopes - *out = make([]string, len(*in)) + *out = make([]JWTScope, len(*in)) copy(*out, *in) } } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index d3d18a0089f..8c4debcef0a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
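Review bot: `Values []string` on `JWTClaim` gets `MinItems=1`/`MaxItems=16` but no bound on the length of each value, whereas scopes were moved to the new `JWTScope` type so that every item carries `MinLength=1`/`MaxLength=253`. As written, an empty string or an arbitrarily long string is accepted as a claim value. Consider a named string type for claim values with the same two markers, mirroring `JWTScope`. `JWTScope` itself has only markers above it; add a doc comment such as `// JWTScope is a single scope value expected in the JWT token.`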
@@ -82,7 +82,9 @@ spec: name: description: |- Name is a user-friendly name for the rule. - If not specified, Envoy Gateway will generate a unique name for the rule.n + If not specified, Envoy Gateway will generate a unique name for the rule. + maxLength: 253 + minLength: 1 type: string principal: description: |- @@ -109,6 +111,7 @@ spec: A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) type: string + minItems: 1 type: array jwt: description: |- @@ -134,6 +137,8 @@ spec: represent the full path to the claim. For example, if the claim is in the "department" field in the "organization" field, the name should be "organization.department". + maxLength: 253 + minLength: 1 type: string valueType: default: String 
@@ -152,12 +157,24 @@ spec: If multiple values are specified, one of the values must match for the rule to match. items: type: string + maxItems: 16 + minItems: 1 type: array required: - name - values type: object + maxItems: 16 + minItems: 1 type: array + provider: + description: |- + Provider is the name of the JWT provider that used to verify the JWT token. + In order to use JWT claims for authorization, you must configure the JWT + authentication with the same provider in the same `SecurityPolicy`. + maxLength: 253 + minLength: 1 + type: string scopes: description: |- Scopes are a special type of claim in a JWT token that represents the permissions of the client. @@ -167,8 +184,14 @@ spec: If multiple scopes are specified, all scopes must match for the rule to match. items: + maxLength: 253 + minLength: 1 type: string + maxItems: 16 + minItems: 1 type: array + required: + - provider type: object x-kubernetes-validations: - message: at least one of claims or scopes must be diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index bac479d41d6..d79048a75cc 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -499,6 +499,12 @@ "providers": { "httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example": { "forward": true, + "normalizePayloadInMetadata": { + "spaceDelimitedClaims": [ + "scope" + ] + }, + "payloadInMetadata": "example", "remoteJwks": { "asyncFetch": {}, "cacheDuration": "300s", diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 651c46f8f76..bed4d0036ea 100644 
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -293,6 +293,10 @@ xds: providers: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example: forward: true + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 7fdd4a247e3..347f3302124 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -49,6 +49,10 @@ xds: providers: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example: forward: true + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 86d39602f01..2ab9670d501 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -942,6 +942,8 @@ func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Auth principal.ClientCIDRs = append(principal.ClientCIDRs, cidrMatch) } + principal.JWT = rule.Principal.JWT + var name string if rule.Name != nil && *rule.Name != "" { name = *rule.Name 
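Review bot: `principal.JWT = rule.Principal.JWT` copies the JWT principal into the IR without checking that its `Provider` names an entry in the same policy's `jwt.providers`, which the API comment on `JWTPrincipal.Provider` says is required. If the name does not resolve, the claim and scope predicates would presumably never match; for a rule with `action: Deny` under `defaultAction: Allow`, the deny rule would silently stop applying. Unless this is validated outside the hunk (`buildAuthorization` continues beyond it), reject the policy here when the provider is unknown and report it in the policy status. The assignment also shares the pointer with the `SecurityPolicy` object; `principal.JWT = rule.Principal.JWT.DeepCopy()` would keep the IR independent of it.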
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.in.yaml similarity index 100% rename from internal/gatewayapi/testdata/securitypolicy-with-authoriztion.in.yaml rename to internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.in.yaml diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml similarity index 100% rename from internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml rename to internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml new file mode 100644 index 00000000000..b9aec9c8fd8 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.in.yaml 
@@ -0,0 +1,74 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/foo" + backendRefs: + - name: service-1 + port: 8080 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway # This policy should attach httproute-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + jwt: + providers: + - name: example1 + issuer: https://two.example.com + audiences: + - two.foo.com + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + authorization: + defaultAction: Deny + rules: + - name: "allow-jwt-claim" + action: Deny + principal: + jwt: + provider: example1 + scopes: + - "foo" + - "bar" + claims: + - name: "sub" + values: + - "1234567890" + - name: "roles" + valueType: "StringArray" + values: + - "admin" + - "superuser" diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml new file mode 100644 index 00000000000..ed422e70031 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml 
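Review bot: The rule named `allow-jwt-claim` has `action: Deny` while `defaultAction` is also `Deny`, so the name contradicts the action and this fixture never describes an allowed request. If an allow rule is intended, set `action: Allow`; otherwise rename it, e.g. `name: "deny-jwt-claim"`. The comment `# This policy should attach httproute-2` refers to a route that this input does not define, since only `httproute-1` is present.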
@@ -0,0 +1,220 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + 
gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-jwt-claim + principal: + jwt: + claims: + - name: sub + values: + - "1234567890" + - name: roles + valueType: StringArray + values: + - admin + - superuser + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-jwt-claim + principal: + jwt: + claims: + - name: sub + values: + - "1234567890" + - name: roles + valueType: StringArray + values: + - admin + - superuser + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 86a2d39569f..399d1f0dbd3 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -978,6 +978,8 @@ type AuthorizationRule struct { type Principal struct { // ClientCIDRs defines the client CIDRs to be matched. ClientCIDRs []*CIDRMatch `json:"clientCIDRs,omitempty"` + // JWT defines the JWT principal to be matched. + JWT *egv1a1.JWTPrincipal `json:"jwt,omitempty"` } // FaultInjection defines the schema for injecting faults into requests. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 0b964d5fc41..5afb29d12ce 100644 
--- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -2092,6 +2092,11 @@ func (in *Principal) DeepCopyInto(out *Principal) { } } } + if in.JWT != nil { + in, out := &in.JWT, &out.JWT + *out = new(v1alpha1.JWTPrincipal) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Principal. diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index e3a61b1641e..0d2d19dc571 100644 --- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -8,6 +8,7 @@ package translator import ( "errors" "fmt" + "strings" cncfv3 "github.com/cncf/xds/go/xds/core/v3" matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3" @@ -18,6 +19,8 @@ import ( hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" networkinput "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3" ipmatcherv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3" + metadatav3 "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/metadata/v3" + envoymatcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" 
@@ -121,13 +124,35 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { } var ( - authorization = irRoute.Security.Authorization - allowAction *anypb.Any - denyAction *anypb.Any - sourceIPInput *anypb.Any - ipMatcher *anypb.Any - matcherList []*matcherv3.Matcher_MatcherList_FieldMatcher - err error + rbacPerRoute *rbacv3.RBACPerRoute + cfgAny *anypb.Any + err error + ) + + if rbacPerRoute, err = buildRBACPerRoute(irRoute.Security.Authorization); err != nil { + return err + } + + if cfgAny, err = anypb.New(rbacPerRoute); err != nil { + return err + } + + if filterCfg == nil { + route.TypedPerFilterConfig = make(map[string]*anypb.Any) + } + + route.TypedPerFilterConfig[egv1a1.EnvoyFilterRBAC.String()] = cfgAny + + return nil +} + +func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, error) { + var ( + rbac *rbacv3.RBACPerRoute + allowAction *anypb.Any + denyAction *anypb.Any + matcherList []*matcherv3.Matcher_MatcherList_FieldMatcher + err error ) allow := &rbacconfigv3.Action{ @@ -135,7 +160,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { Action: rbacconfigv3.RBAC_ALLOW, } if allowAction, err = anypb.New(allow); err != nil { - return err + return nil, err } deny := &rbacconfigv3.Action{ @@ -143,7 +168,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { Action: rbacconfigv3.RBAC_DENY, } if denyAction, err = anypb.New(deny); err != nil { - return err + return nil, err } // Build a list of matchers based on the rules. 
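Review bot: In the new `buildRBACPerRoute`, the local `rbac *rbacv3.RBACPerRoute` shadows the package's `rbac` type that `patchRoute` is declared on (`func (*rbac) patchRoute`), which makes the function harder to read. Rename the local, e.g. `perRoute *rbacv3.RBACPerRoute`. The function also has no doc comment; one sentence would cover it, saying that rules are evaluated in order, the first matching rule decides the action, and `defaultAction` applies when none match. The function body continues past this hunk.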
@@ -152,52 +177,71 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { // skipped. // If no matcher matches, the default action will be used. for _, rule := range authorization.Rules { - // Build the IPMatcher based on the client CIDRs. - ipRangeMatcher := &ipmatcherv3.Ip{ - StatPrefix: "client_ip", - } + var ( + ipPredicate *matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_ + jwtPredicate []*matcherv3.Matcher_MatcherList_Predicate + predicate *matcherv3.Matcher_MatcherList_Predicate + ) - for _, cidr := range rule.Principal.ClientCIDRs { - ipRangeMatcher.CidrRanges = append(ipRangeMatcher.CidrRanges, &configv3.CidrRange{ - AddressPrefix: cidr.IP, - PrefixLen: &wrapperspb.UInt32Value{ - Value: cidr.MaskLen, - }, - }) + // Determine the action for the current rule. + ruleAction := allowAction + if rule.Action == egv1a1.AuthorizationActionDeny { + ruleAction = denyAction } - if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { - return err + if len(rule.Principal.ClientCIDRs) > 0 { + if ipPredicate, err = buildIPPredicate(rule.Principal.ClientCIDRs); err != nil { + return nil, err + } } - if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { - return err + if rule.Principal.JWT != nil { + if jwtPredicate, err = buildJWTPredicate(*rule.Principal.JWT); err != nil { + return nil, err + } } - // Determine the action for the current rule. - ruleAction := allowAction - if rule.Action == egv1a1.AuthorizationActionDeny { - ruleAction = denyAction + // Build the predicate for the current rule. + switch { + // If both IP and JWT predicates are present, AND them together. + case ipPredicate != nil && jwtPredicate != nil: + predicates := []*matcherv3.Matcher_MatcherList_Predicate{ + { + MatchType: ipPredicate, + }, + } + predicates = append(predicates, jwtPredicate...) 
+ + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_AndMatcher{ + AndMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: predicates, + }, + }, + } + case ipPredicate != nil: + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: ipPredicate, + } + case jwtPredicate != nil: + // If there are multiple JWT predicates, AND them together. + if len(jwtPredicate) > 1 { + predicate = &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_AndMatcher{ + AndMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: jwtPredicate, + }, + }, + } + } else if len(jwtPredicate) == 1 { + predicate = jwtPredicate[0] + } } // Add the matcher generated with the current rule to the matcher list. + // The first matcher that matches will be used to determine the action. matcherList = append(matcherList, &matcherv3.Matcher_MatcherList_FieldMatcher{ - Predicate: &matcherv3.Matcher_MatcherList_Predicate{ - MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ - SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ - Input: &cncfv3.TypedExtensionConfig{ - Name: "client_ip", - TypedConfig: sourceIPInput, - }, - Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ - CustomMatch: &cncfv3.TypedExtensionConfig{ - Name: "ip_matcher", - TypedConfig: ipMatcher, - }, - }, - }, - }, - }, + Predicate: predicate, OnMatch: &matcherv3.Matcher_OnMatch{ OnMatch: &matcherv3.Matcher_OnMatch_Action{ Action: &cncfv3.TypedExtensionConfig{ @@ -215,7 +259,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { defaultAction = allowAction } - routeCfgProto := &rbacv3.RBACPerRoute{ + rbac = &rbacv3.RBACPerRoute{ Rbac: &rbacv3.RBAC{ Matcher: &matcherv3.Matcher{ MatcherType: &matcherv3.Matcher_MatcherList_{ 
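Review bot: A rule whose principal produces no predicates is not rejected in this `switch`; it is left for `rbac.ValidateAll()` to catch later. `buildJWTPredicate` returns a non-nil empty slice when the JWT principal has neither scopes nor claims, so `jwtPredicate != nil` is true: combined with CIDRs this builds an `AndMatcher` holding a single predicate, and without CIDRs `predicate` stays nil and is appended as `Predicate: predicate`. The same nil predicate results when a rule has neither `ClientCIDRs` nor `JWT`. I would test `len(jwtPredicate) > 0` in the cases and add `default: return nil, fmt.Errorf("authorization rule %q has no principal to match", rule.Name)`, so the translation fails closed by construction and the error names the rule (this assumes the rule's `name` field is exposed as `rule.Name`). The loop belongs to `buildRBACPerRoute`, which starts and ends outside this hunk.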
@@ -240,26 +284,260 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { // Setting the matcher type to nil since Proto validation will fail if the list // is empty. if len(matcherList) == 0 { - routeCfgProto.Rbac.Matcher.MatcherType = nil + rbac.Rbac.Matcher.MatcherType = nil } // We need to validate the RBACPerRoute message before converting it to an Any. - if err = routeCfgProto.ValidateAll(); err != nil { - return err + if err = rbac.ValidateAll(); err != nil { + return nil, err } - routeCfgAny, err := anypb.New(routeCfgProto) - if err != nil { - return err + return rbac, nil +} + +func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_, error) { + var ( + sourceIPInput *anypb.Any + ipMatcher *anypb.Any + err error + ) + + // Build the IPMatcher based on the client CIDRs. + ipRangeMatcher := &ipmatcherv3.Ip{ + StatPrefix: "client_ip", } - if filterCfg == nil { - route.TypedPerFilterConfig = make(map[string]*anypb.Any) + for _, cidr := range clientCIDRs { + ipRangeMatcher.CidrRanges = append(ipRangeMatcher.CidrRanges, &configv3.CidrRange{ + AddressPrefix: cidr.IP, + PrefixLen: &wrapperspb.UInt32Value{ + Value: cidr.MaskLen, + }, + }) } - route.TypedPerFilterConfig[egv1a1.EnvoyFilterRBAC.String()] = routeCfgAny + if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { + return nil, err + } - return nil + if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { + return nil, err + } + + return &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "client_ip", + TypedConfig: sourceIPInput, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "ip_matcher", + TypedConfig: ipMatcher, + }, + }, + }, + }, nil +} + +func buildJWTPredicate(jwt 
egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherList_Predicate, error) { + jwtPredicate := []*matcherv3.Matcher_MatcherList_Predicate{} + + // Build the scope matchers. + // Multiple scopes are ANDed together. + for _, scope := range jwt.Scopes { + var ( + inputPb *anypb.Any + matcherPb *anypb.Any + err error + ) + + input := &networkinput.DynamicMetadataInput{ + Filter: "envoy.filters.http.jwt_authn", + Path: []*networkinput.DynamicMetadataInput_PathSegment{ + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: jwt.Provider, // The name of the jwt provider is used as the `payload_in_metadata` in the JWT Authn filter. + }, + }, + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: "scope", + }, + }, + }, + } + + // The scope has already been normalized to a string array in the JWT Authn filter. + scopeMatcher := &metadatav3.Metadata{ + Value: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_ListMatch{ + ListMatch: &envoymatcherv3.ListMatcher{ + MatchPattern: &envoymatcherv3.ListMatcher_OneOf{ + OneOf: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: string(scope), + }, + }, + }, + }, + }, + }, + }, + }, + } + + if inputPb, err = anypb.New(input); err != nil { + return nil, err + } + + if matcherPb, err = anypb.New(scopeMatcher); err != nil { + return nil, err + } + + scopePredicate := matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "scope", + TypedConfig: inputPb, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "scope_matcher", + TypedConfig: matcherPb, + }, + }, + } + + jwtPredicate = append(jwtPredicate, + &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: 
&matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &scopePredicate, + }, + }, + ) + } + + // Build the claim matchers. + // Multiple claims are ANDed together. + // Multiple values for a claim are ORed together. + // For example, if we have two claims: "claim1" with values ["value1", "value2"], and "claim2" with values ["value3", "value4"], + // the resulting matcher will be: (claim1 == value1 OR claim1 == value2) AND (claim2 == value3 OR claim2 == value4). + predicateForAllClaims := []*matcherv3.Matcher_MatcherList_Predicate{} + for _, claim := range jwt.Claims { + var ( + inputPb *anypb.Any + matcherPb *anypb.Any + err error + ) + + path := []*networkinput.DynamicMetadataInput_PathSegment{ + { + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: jwt.Provider, // The name of the jwt provider is used as the `payload_in_metadata` in the JWT Authn filter. + }, + }, + } + + // A nested claim is represented as a dot-separated string, e.g., "user.email". 
+ for _, segment := range strings.Split(claim.Name, ".") { + path = append(path, &networkinput.DynamicMetadataInput_PathSegment{ + Segment: &networkinput.DynamicMetadataInput_PathSegment_Key{ + Key: segment, + }, + }) + } + + input := &networkinput.DynamicMetadataInput{ + Filter: "envoy.filters.http.jwt_authn", + Path: path, + } + + if inputPb, err = anypb.New(input); err != nil { + return nil, err + } + + predicateForOneClaim := []*matcherv3.Matcher_MatcherList_Predicate{} + for _, value := range claim.Values { + var valueMatcher *envoymatcherv3.ValueMatcher + + if claim.ValueType != nil && *claim.ValueType == egv1a1.JWTClaimValueTypeStringArray { + valueMatcher = &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_ListMatch{ + ListMatch: &envoymatcherv3.ListMatcher{ + MatchPattern: &envoymatcherv3.ListMatcher_OneOf{ + OneOf: &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: value, + }, + }, + }, + }, + }, + }, + }, + } + } else { + valueMatcher = &envoymatcherv3.ValueMatcher{ + MatchPattern: &envoymatcherv3.ValueMatcher_StringMatch{ + StringMatch: &envoymatcherv3.StringMatcher{ + MatchPattern: &envoymatcherv3.StringMatcher_Exact{ + Exact: value, + }, + }, + }, + } + } + + if matcherPb, err = anypb.New(&metadatav3.Metadata{ + Value: valueMatcher, + }); err != nil { + return nil, err + } + + predicateForOneClaim = append(predicateForOneClaim, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: &cncfv3.TypedExtensionConfig{ + Name: "claim", + TypedConfig: inputPb, + }, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: &cncfv3.TypedExtensionConfig{ + Name: "claim_matcher", + TypedConfig: matcherPb, + }, + }, + 
}, + }, + }) + } + + // For a claim to match, one of the values must match. + // If there are multiple values for a claim, OR them together. + if len(predicateForOneClaim) > 1 { + predicateForAllClaims = append(predicateForAllClaims, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_OrMatcher{ + OrMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: predicateForOneClaim, + }, + }, + }) + } else if len(predicateForOneClaim) == 1 { + predicateForAllClaims = append(predicateForAllClaims, &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: predicateForOneClaim[0].MatchType.(*matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_), + }) + } + } + + // For a JWT principal to match, all the specified claims and scopes must match. + // And all the claims and scopes together. + jwtPredicate = append(jwtPredicate, predicateForAllClaims...) + + return jwtPredicate, nil } func (c *rbac) patchResources(*types.ResourceVersionTable, []*ir.HTTPRoute) error { diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index 4d3a8583756..53a20808ff6 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -139,9 +139,13 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication, Issuer: irProvider.Issuer, Audiences: irProvider.Audiences, JwksSourceSpecifier: remote, - PayloadInMetadata: irProvider.Issuer, + PayloadInMetadata: irProvider.Name, ClaimToHeaders: claimToHeaders, Forward: true, + NormalizePayloadInMetadata: &jwtauthnv3.JwtProvider_NormalizePayload{ + // Normalize the scopes to facilitate matching in Authorization. + SpaceDelimitedClaims: []string{"scope"}, + }, } if irProvider.RecomputeRoute != nil { 
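Review bot: In `buildJWTPredicate`, a claim with an empty `Values` list is silently dropped: `predicateForOneClaim` stays empty, neither length branch appends, and the rule then matches without that claim, which widens an Allow rule. Unless API validation already guarantees at least one value (not visible here), add `if len(claim.Values) == 0 { return nil, fmt.Errorf("jwt claim %q has no values", claim.Name) }` at the top of the claim loop. `strings.Split(claim.Name, ".")` treats every dot as nesting, so a claim whose own name contains a dot cannot be addressed; the comment above the split should state that limitation. The single-value branch can append `predicateForOneClaim[0]` directly instead of re-wrapping it through the `.(*matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_)` assertion.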
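Review bot: `PayloadInMetadata: irProvider.Name` is now the key that `buildJWTPredicate` in authorization.go reads as its first metadata path segment (`jwt.Provider`), but nothing on this line records that coupling. A comment such as `// Keyed by provider name: the RBAC matchers in authorization.go read the JWT payload from dynamic metadata under this key.` would keep the two from drifting apart. If a rule names a provider that is not configured on the route, the metadata path is absent and the rule never matches, so a Deny rule would silently not apply; whether that reference is validated earlier is not visible here. `buildJWTAuthn` continues outside the hunk.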
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-client-cidr.yaml similarity index 100% rename from internal/xds/translator/testdata/in/xds-ir/authorization.yaml rename to internal/xds/translator/testdata/in/xds-ir/authorization-client-cidr.yaml diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml new file mode 100644 index 00000000000..f952f20cc26 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-claim.yaml 
@@ -0,0 +1,99 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-claim-roles + principal: + jwt: + provider: example1 + claims: + - name: user.name + values: ["alice", "bob"] + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-claim-roles + principal: + jwt: + provider: example1 + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: department + values: ["engineering"] + jwt: + providers: + - audiences: + - one.foo.com + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json 
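Review bot: Both rules in this fixture are named `allow-claim-roles` but carry `action: Deny` together with `defaultAction: Deny`, so the generated config denies whether or not the claim predicate matches. The golden output therefore never shows an ALLOW action attached to a JWT predicate, which is the case an authorization test most needs to pin. Changing the rules to `action: Allow` would make name and behaviour agree. authorization-jwt-scope.yaml has the same mismatch in `allow-scope-foo-bar` and `allow-scope-foo`.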
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml new file mode 100644 index 00000000000..332060147c4 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-jwt-scope.yaml 
@@ -0,0 +1,95 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-scope-foo-bar + principal: + jwt: + provider: example1 + scopes: + - foo + - bar + jwt: + providers: + - audiences: + - two.foo.com + issuer: https://two.example.com + name: example1 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar + security: + authorization: + defaultAction: Deny + rules: + - action: Deny + name: allow-scope-foo + principal: + jwt: + provider: example1 + scopes: + - foo + jwt: + providers: + - audiences: + - one.foo.com + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json 
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml new file mode 100644 index 00000000000..c93708b4c8a --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml @@ -0,0 +1,80 @@ +http: +- address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Allow + name: allow-rule-1 + principal: + clientCIDRs: + - cidr: 192.168.1.0/24 + distinct: false + ip: 192.168.1.0 + isIPv6: false + maskLen: 24 + - cidr: 192.168.2.0/24 + distinct: false + ip: 192.168.2.0 + isIPv6: false + maskLen: 24 + jwt: + issuer: https://one.example.com + scopes: + - foo + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: department + values: ["engineering"] + - action: Allow + name: allow-rule-2 + principal: + clientCIDRs: + - cidr: 10.0.1.0/24 + distinct: false + ip: 10.0.1.0 + isIPv6: false + maskLen: 24 + - cidr: 10.0.2.0/24 + distinct: false + ip: 10.0.2.0 + isIPv6: false + maskLen: 24 + jwt: + issuer: https://two.example.com + scopes: + - for + - bar + claims: + - name: roles + valueType: StringArray + values: ["admin", "superuser"] + - name: name + values: ["alice", "bob"] 
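Review bot: The `jwt` principals in this fixture use `issuer:` where the other new fixtures use `provider:`, and `buildJWTPredicate` reads `jwt.Provider`. If the IR type has no `issuer` field, the provider key would be empty here and the combined CIDR-and-JWT path would be exercised with an empty metadata key; please confirm against the type. The route also defines no `jwt.providers` block, unlike the claim and scope fixtures. In the second rule, `- for` under `scopes` looks like a typo for `foo`.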
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml new file mode 100644 index 00000000000..b3f75f0e04e --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -0,0 +1,51 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-3/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-3/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml new file mode 100644 index 00000000000..24596d841a3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.endpoints.yaml 
@@ -0,0 +1,36 @@ +- clusterName: httproute/default/httproute-3/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-3/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml new file mode 100644 index 00000000000..907d28f78b7 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml 
@@ -0,0 +1,37 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml new file mode 100644 index 00000000000..141d60a15dd --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.routes.yaml 
@@ -0,0 +1,135 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /test + name: httproute/default/httproute-3/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-3/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /foo + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: deny-location-1 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 192.168.1.0 + prefixLen: 24 + - addressPrefix: 192.168.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - onMatch: + action: + name: deny-location-2 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: 
+ - addressPrefix: 10.75.1.0 + prefixLen: 24 + - addressPrefix: 10.75.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: securitypolicy/envoy-gateway/policy-for-gateway/authorization/rule/0 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 10.0.1.0 + prefixLen: 24 + - addressPrefix: 10.0.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml new file mode 100644 index 00000000000..660d4f6b224 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml 
@@ -0,0 +1,106 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: two_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: two.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: two_example_com_443/backend/0 + name: two_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: two.example.com + type: STRICT_DNS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: one_example_com_443 + 
endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: one.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: one_example_com_443/backend/0 + name: one_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: one.example.com + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml new file mode 100644 index 00000000000..05442a9a15b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.endpoints.yaml @@ -0,0 +1,24 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml new file mode 100644 index 00000000000..f34bcbe362f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml 
@@ -0,0 +1,80 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/www_example_com/example1: + audiences: + - two.foo.com + forward: true + issuer: https://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: two_example_com_443 + timeout: 10s + uri: https://two.example.com/jwt/public-key/jwks.json + retryPolicy: {} + httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: + audiences: + - one.foo.com + forward: true + issuer: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: one_example_com_443 + timeout: 10s + uri: https://one.example.com/jwt/public-key/jwks.json + retryPolicy: {} + requirementMap: + httproute/default/httproute-1/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 + httproute/default/httproute-2/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-2/rule/0/match/0/www_example_com/example1 + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: 
envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml new file mode 100644 index 00000000000..5a465cded12 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.routes.yaml 
@@ -0,0 +1,185 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-claim-roles + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: alice + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: user + - key: name + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: bob + input: + name: claim + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: user + - key: name + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-2/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-claim-roles + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + andMatcher: + predicate: + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: engineering + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: department + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml new file mode 100644 index 00000000000..660d4f6b224 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml 
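Review bot: The matched action for the rule named `allow-claim-roles` is emitted as `action: DENY` / `name: DENY` on both routes of authorization-jwt-claim.routes.yaml, and `onNoMatch` is DENY as well, so this expected output rejects every request whatever claims the token carries. The authorization-jwt-scope.routes.yaml hunk has the same shape for `allow-scope-foo-bar` and `allow-scope-foo`, while authorization-multiple-principals.routes.yaml emits `name: ALLOW` for its allow rules. The fixture inputs are not visible here, so either these really are Deny rules and should be renamed (for example `deny-claim-roles`), or the translator is losing the Allow action and the golden file is pinning that result. It is worth confirming which, because as written these two fixtures do not exercise a claim- or scope-based allow path.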
@@ -0,0 +1,106 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: two_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: two.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: two_example_com_443/backend/0 + name: two_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: two.example.com + type: STRICT_DNS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: one_example_com_443 + 
endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: one.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: one_example_com_443/backend/0 + name: one_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: one.example.com + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml new file mode 100644 index 00000000000..05442a9a15b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.endpoints.yaml @@ -0,0 +1,24 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml new file mode 100644 index 00000000000..f34bcbe362f --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml 
@@ -0,0 +1,80 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/www_example_com/example1: + audiences: + - two.foo.com + forward: true + issuer: https://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: two_example_com_443 + timeout: 10s + uri: https://two.example.com/jwt/public-key/jwks.json + retryPolicy: {} + httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: + audiences: + - one.foo.com + forward: true + issuer: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: one_example_com_443 + timeout: 10s + uri: https://one.example.com/jwt/public-key/jwks.json + retryPolicy: {} + requirementMap: + httproute/default/httproute-1/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 + httproute/default/httproute-2/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-2/rule/0/match/0/www_example_com/example1 + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: 
envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml new file mode 100644 index 00000000000..cfb4a62ec65 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.routes.yaml 
@@ -0,0 +1,149 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-scope-foo-bar + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: bar + input: + name: scope + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + - match: + pathSeparatedPrefix: /bar + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-2/rule/0/match/0/www_example_com + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-scope-foo + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY + predicate: + singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: example1 + - key: scope + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY 
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml new file mode 100644 index 00000000000..9714612e3de --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml new file mode 100644 index 00000000000..29bb6b4e444 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml new file mode 100644 index 00000000000..907d28f78b7 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml 
@@ -0,0 +1,37 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml new file mode 100644 index 00000000000..c6510f63778 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml 
@@ -0,0 +1,256 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow-rule-1 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 192.168.1.0 + prefixLen: 24 + - addressPrefix: 192.168.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foo + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: engineering + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: department + - onMatch: + action: + name: allow-rule-2 + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + andMatcher: + predicate: + - singlePredicate: + customMatch: + name: ip_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip + cidrRanges: + - addressPrefix: 10.0.1.0 + prefixLen: 24 + - addressPrefix: 10.0.2.0 + prefixLen: 24 + statPrefix: client_ip + input: + name: client_ip + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: for + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + 
filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - singlePredicate: + customMatch: + name: scope_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: bar + input: + name: scope + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: scope + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: admin + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: superuser + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: roles + - orMatcher: + predicate: + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: alice + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: name + - singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + stringMatch: + exact: bob + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: "" + - key: name + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 46157814e38..0a50c1bb280 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -73,7 +73,10 @@ headerName: one-route-example-key forward: true issuer: https://one.example.com - payloadInMetadata: https://one.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example1 remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -90,7 +93,10 @@ headerName: two-route-example-key forward: true issuer: http://two.example.com - payloadInMetadata: http://two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index 524800c6480..9172af8519b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml 
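Review bot: Every `DynamicMetadataInput` path in the authorization-multiple-principals.routes.yaml hunk begins with `- key: ""`, whereas the jwt-claim and jwt-scope fixtures use the provider name (`- key: example1`) that matches `payloadInMetadata`. With an empty first key the scope and claim predicates of `allow-rule-1` and `allow-rule-2` presumably never find the JWT payload, so requests fall through to the DENY default; that fails closed, but the fixture then does not test the JWT part of the rules. The matching listeners file also contains no `envoy.filters.http.jwt_authn` filter. Consider setting the provider in the test input so the path reads `- key: example1`, and having validation reject a JWT principal whose provider is empty or not configured on the route. Separately, `exact: for` in `allow-rule-2` looks like a typo for `foo`.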
@@ -30,7 +30,10 @@ fromParams: - token issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index 4c45106ab61..bbfa00a53ea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -26,7 +26,10 @@ headerName: one-route-example-key1 forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -47,7 +50,10 @@ clearRouteCache: true forward: true issuer: https://www.two.example.com - payloadInMetadata: https://www.two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -64,7 +70,10 @@ headerName: second-route-example-key1 forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -79,7 +88,10 @@ - two.foo.com forward: true issuer: https://www.two.example.com - payloadInMetadata: https://www.two.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example2 remoteJwks: asyncFetch: {} cacheDuration: 300s 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index f247baa83b5..a48a09b2dd7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -48,7 +48,10 @@ headerName: first-route-key forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s @@ -62,7 +65,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index 9906e8df615..51d778b9cea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -30,7 +30,10 @@ fromParams: - token issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index a4520c65b4f..ead8b20d402 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml 
@@ -23,7 +23,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index 91280606bf5..c839763d975 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -23,7 +23,10 @@ - foo.com forward: true issuer: https://www.example.com - payloadInMetadata: https://www.example.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: example remoteJwks: asyncFetch: {} cacheDuration: 300s diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index b716d7ad3f0..cbc5f9a9a57 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | | `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | @@ -2295,8 +2295,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | | `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2319,6 +2320,17 @@ _Appears in:_ | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + #### KubernetesContainerSpec @@ -2807,10 +2819,7 @@ _Appears in:_ -Principal specifies the client identity of a request. -A client identity can be a client IP, a JWT claim, username from the Authorization header, -or any other identity that can be extracted from a custom header. -Currently, only the client IP is supported. +If there are multiple principal types, all principals must match for the rule to match. _Appears in:_ - [AuthorizationRule](#authorizationrule) diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index b716d7ad3f0..cbc5f9a9a57 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -240,7 +240,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | | `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | @@ -2295,8 +2295,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | | `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | -| `scopes` | _string array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2319,6 +2320,17 @@ _Appears in:_ | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + #### KubernetesContainerSpec @@ -2807,10 +2819,7 @@ _Appears in:_ -Principal specifies the client identity of a request. -A client identity can be a client IP, a JWT claim, username from the Authorization header, -or any other identity that can be extracted from a custom header. -Currently, only the client IP is supported. +If there are multiple principal types, all principals must match for the rule to match. _Appears in:_ - [AuthorizationRule](#authorizationrule) diff --git a/test/e2e/testdata/authorization-jwt.yaml b/test/e2e/testdata/authorization-jwt.yaml new file mode 100644 index 00000000000..5d3e31ea12e --- /dev/null +++ b/test/e2e/testdata/authorization-jwt.yaml 
@@ -0,0 +1,143 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-with-authorization-jwt-claim
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /claim-test
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-with-authorization-jwt-scope
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /scope-test
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-with-authorization-jwt-combined
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: Exact
+ value: /combined-test
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: authorization-jwt-claim
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-with-authorization-jwt-claim
+ jwt:
+ providers:
+ - name: example
+ issuer: https://foo.bar.com
+ remoteJWKS:
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json
+ authorization:
+ defaultAction: Deny
+ rules:
+ - name: "allow"
+ action: Allow
+ principal:
+ jwt:
+ provider: example
+ claims:
+ - name: user.name
+ values: ["John Doe"]
+ - name: sub
+ values: ["1234567890"]
+ - name: user.roles
+ valueType: StringArray
+ values: ["admin"]
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: authorization-jwt-scope
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-with-authorization-jwt-scope
+ jwt:
+ providers:
+ - name: example
+ issuer: https://foo.bar.com
+ remoteJWKS:
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json
+ authorization:
+ defaultAction: Deny
+ rules:
+ - name: "allow"
+ action: Allow
+ principal:
+ jwt:
+ provider: example
+ scopes: ["read", "add", "modify"]
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: authorization-jwt-combined
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: http-with-authorization-jwt-combined
+ jwt:
+ providers:
+ - name: example
+ issuer: https://foo.bar.com
+ remoteJWKS:
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json
+ authorization:
+ defaultAction: Deny
+ rules:
+ - name: "allow"
+ action: Allow
+ principal:
+ jwt:
+ provider: example
+ scopes: ["read", "add", "modify"]
+ claims:
+ - name: user.name
+ values: ["John Doe"]
+ - name: sub
+ values: ["1234567890"]
+ - name: user.roles
+ valueType: StringArray
+ values: ["admin"]
diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go
new file mode 100644
index 00000000000..ff6872bc802
--- /dev/null
+++ b/test/e2e/tests/authorization_jwt.go
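Review bot: All three SecurityPolicy objects in test/e2e/testdata/authorization-jwt.yaml set `remoteJWKS.uri` to a raw.githubusercontent.com URL on `refs/heads/main`, so the keys this test trusts are fetched over the network from a mutable branch. A change to `examples/kubernetes/jwt/jwks.json` on main, or an outage of that host, would change the result of the e2e run on every branch that carries this manifest, and the hard-coded tokens in authorization_jwt.go would stop verifying. Pinning the URI to a commit (`.../envoyproxy/gateway/<commit-sha>/examples/kubernetes/jwt/jwks.json`, placeholder to be filled in) or serving the JWKS from a fixture inside the test cluster keeps the trust anchor fixed. If the other JWT e2e manifests already rely on this URL, a comment above `remoteJWKS` recording that dependency would at least make it visible.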
@@ -0,0 +1,186 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+// +build e2e
+
+package tests
+
+import (
+ "testing"
+
+ "k8s.io/apimachinery/pkg/types"
+ gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+ gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+ "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+
+ "github.com/envoyproxy/gateway/internal/gatewayapi"
+ "github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+)
+
+// {
+// "iss": "https://foo.bar.com",
+// "sub": "1234567890",
+// "user": {
+// "name": "John Doe",
+// "email": "john.doe@example.com",
+// "roles": ["admin", "editor"]
+// },
+// "premium_user": true,
+// "iat": 1516239022,
+// "scope": "read add delete modify"
+// }
+//
+// nolint: gosec
+const (
+ jwtToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb"
+ // {
+ // "iss": "https://foo.bar.com",
+ // "sub": "1234567890",
+ // "user": {
+ // "name": "Alice Smith",
+ // "email": "alice.smith@example.com",
+ // "roles": ["developer"]
+ // },
+ // "premium_user": false,
+ // "iat": 1516239022,
+ // "scope": "read add delete"
+ // }
+ //
+ // nolint: gosec
+ jwtTokenWithoutRequiredValues = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, AuthorizationJWTTest)
+}
+
+var AuthorizationJWTTest = suite.ConformanceTest{
+ ShortName: "Authorization with jwt claims and scopes",
+ Description: "Authorization with jwt claims and scopes",
+ Manifests: []string{"testdata/authorization-jwt.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ ns := "gateway-conformance-infra"
+ route1NN := types.NamespacedName{Name: "http-with-authorization-jwt-claim", Namespace: ns}
+ route2NN := types.NamespacedName{Name: "http-with-authorization-jwt-scope", Namespace: ns}
+ route3NN := types.NamespacedName{Name: "http-with-authorization-jwt-combined", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), route1NN, route2NN, route3NN)
+
+ ancestorRef := gwapiv1a2.ParentReference{
+ Group: gatewayapi.GroupPtr(gwapiv1.GroupName),
+ Kind: gatewayapi.KindPtr(resource.KindGateway),
+ Namespace: gatewayapi.NamespacePtr(gwNN.Namespace),
+ Name: gwapiv1.ObjectName(gwNN.Name),
+ }
+ SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-claim", Namespace: ns}, suite.ControllerName, ancestorRef)
+ SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-scope", Namespace: ns}, suite.ControllerName, ancestorRef)
+ SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "authorization-jwt-combined", Namespace: ns}, suite.ControllerName, ancestorRef)
+
+ t.Run("allow requests with jwt claims", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/claim-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtToken,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("deny requests with jwt claims that do not match the required claim value", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/claim-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtTokenWithoutRequiredValues,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 403,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("allow requests with jwt scopes", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/scope-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtToken,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("deny requests with jwt scopes that do not match the required scope value", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/scope-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtTokenWithoutRequiredValues,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 403,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("allow requests with jwt claims and scopes", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/combined-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtToken,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 200,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+
+ t.Run("deny requests with jwt scopes and claims that do not match the required scope and claim values", func(t *testing.T) {
+ expectedResponse := http.ExpectedResponse{
+ Request: http.Request{
+ Path: "/combined-test",
+ Headers: map[string]string{
+ "Authorization": "Bearer " + jwtTokenWithoutRequiredValues,
+ },
+ },
+ Response: http.Response{
+ StatusCode: 403,
+ },
+ Namespace: ns,
+ }
+
+ http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+ })
+ },
+}
From d667f2ccd4e028b99539053b8458e8ccc39f893f Mon Sep 17 00:00:00 2001
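Review bot: Every request in test/e2e/tests/authorization_jwt.go carries a token that is expected to pass verification, so nothing here checks that the three routes stay closed to a request with no `Authorization` header or with a token that fails signature checks. The deny cases only show that a verified token with the wrong claims or scopes gets 403. The six `t.Run` blocks differ only in path, token and expected status, so a table makes the missing cases one line each. The 401 for the no-token case is my expectation of what JWT authentication returns and should be confirmed against the existing JWT e2e test. The sketch below replaces the subtests inside `Test`.

```go
// … unchanged: route and SecurityPolicy acceptance checks …
cases := []struct {
	name   string
	path   string
	token  string // empty: send no Authorization header
	status int
}{
	{"allow requests with jwt claims", "/claim-test", jwtToken, 200},
	{"deny requests with jwt claims that do not match the required claim value", "/claim-test", jwtTokenWithoutRequiredValues, 403},
	{"allow requests with jwt scopes", "/scope-test", jwtToken, 200},
	{"deny requests with jwt scopes that do not match the required scope value", "/scope-test", jwtTokenWithoutRequiredValues, 403},
	{"allow requests with jwt claims and scopes", "/combined-test", jwtToken, 200},
	{"deny requests with jwt scopes and claims that do not match the required scope and claim values", "/combined-test", jwtTokenWithoutRequiredValues, 403},
	// New: unauthenticated requests must not reach the backend (status to be confirmed).
	{"reject requests without a token", "/claim-test", "", 401},
}
for _, tc := range cases {
	t.Run(tc.name, func(t *testing.T) {
		req := http.Request{Path: tc.path}
		if tc.token != "" {
			req.Headers = map[string]string{"Authorization": "Bearer " + tc.token}
		}
		http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, http.ExpectedResponse{
			Request:   req,
			Response:  http.Response{StatusCode: tc.status},
			Namespace: ns,
		})
	})
}
```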
From: Huabing Zhao Date: Wed, 25 Sep 2024 16:45:40 +0800 Subject: [PATCH 195/523] chroe: fix license check (#4327) --- examples/extension-server/go.mod | 4 ++-- examples/extension-server/go.sum | 8 ++++---- go.mod | 12 ++++++------ go.sum | 24 +++++++++++------------ internal/xds/server/runner/runner_test.go | 5 +++++ 5 files changed, 29 insertions(+), 24 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index c4d2cbcf728..5ca8291fb47 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 99b3fb50e28..f3cec6685eb 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -105,10 +105,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/go.mod b/go.mod index bbe504923c8..14123a45a32 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ require ( fortio.org/fortio v1.66.3 fortio.org/log v1.16.0 github.com/Masterminds/semver/v3 v3.3.0 - github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 @@ -35,8 +35,8 @@ require ( github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.9.3 go.opentelemetry.io/otel v1.30.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 go.opentelemetry.io/otel/exporters/prometheus v0.52.0 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 go.opentelemetry.io/otel/metric v1.30.0 @@ -68,7 +68,7 @@ require ( ) require ( - cel.dev/expr v0.15.0 // indirect + cel.dev/expr v0.16.0 // indirect dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.9.0 // indirect @@ -268,8 +268,8 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.1 // indirect diff --git a/go.sum b/go.sum index 603355075db..d82408060a0 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,5 @@ -cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= -cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y= +cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -119,8 +119,8 @@ github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= 
@@ -849,10 +849,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIX go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 h1:WypxHH02KX2poqqbaadmkMYalGyy/vil4HE4PM4nRJc= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0/go.mod h1:U79SV99vtvGSEBeeHnpgGJfTsnsdkWLpPN/CcHAzBSI= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 h1:VrMAbeJz4gnVDg2zEzjHG4dEH86j4jO6VYB+NgtGD8s= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0/go.mod h1:qqN/uFdpeitTvm+JDqqnjm517pmQRYxTORbETHq5tOc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 h1:k6fQVDQexDE+3jG2SfCQjnHS7OamcP73YMoxEVq5B6k= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0/go.mod h1:t4BrYLHU450Zo9fnydWlIuswB1bm7rM8havDpWOJeDo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 h1:xvhQxJ/C9+RTnAj5DpTg7LSM1vbbMTiXt7e9hsfqHNw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0/go.mod h1:Fcvs2Bz1jkDM+Wf5/ozBGmi3tQ/c9zPKLnsipnfhGAo= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= 
@@ -1039,10 +1039,10 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= +google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go index 74bf30f2caf..823d426864c 100644 --- a/internal/xds/server/runner/runner_test.go +++ b/internal/xds/server/runner/runner_test.go 
@@ -10,6 +10,7 @@ import (
 "crypto/tls"
 "crypto/x509"
 "errors"
+ "io"
 "net"
 "os"
 "path/filepath"
@@ -180,6 +181,10 @@ func peekError(conn net.Conn) error {
 _ = conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
 _, err := conn.Read(make([]byte, 1))
 if err != nil {
+ if errors.Is(err, io.EOF) {
+ return nil
+ }
+
 var netErr net.Error
 if !errors.As(netErr, &netErr) || !netErr.Timeout() {
 return err
From 77c042cc146013bc731a27cbc4e7970610c31535 Mon Sep 17 00:00:00 2001
From: Guy Daich Date: Wed, 25 Sep 2024 07:56:34 -0500 Subject: [PATCH 196/523] api: access log types (#4170) * api: access log scopes Signed-off-by: Guy Daich * renaming and merging all route types Signed-off-by: Guy Daich * fix pointer Signed-off-by: Guy Daich * explain behavior, rm backend log type Signed-off-by: Guy Daich * change how types impact scope Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich
---
 api/v1alpha1/accesslogging_types.go | 22 +++++++++++++++++++
 api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 .../gateway.envoyproxy.io_envoyproxies.yaml | 11 ++++++++++
 site/content/en/latest/api/extension_types.md | 15 +++++++++++++
 site/content/zh/latest/api/extension_types.md | 15 +++++++++++++
 5 files changed, 68 insertions(+)
diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go
index 3a3628e985f..edc19e97599 100644
--- a/api/v1alpha1/accesslogging_types.go
+++ b/api/v1alpha1/accesslogging_types.go
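Review bot: In `peekError` (internal/xds/server/runner/runner_test.go), the unchanged line just below the new EOF branch calls `errors.As(netErr, &netErr)`, passing the still-nil `netErr` as the error to inspect, so the call always reports false and every non-EOF error, read-deadline timeouts included, is returned. It should read `if !errors.As(err, &netErr) || !netErr.Timeout() {`. The added `errors.Is(err, io.EOF)` branch also makes a connection that the server closed look the same as a healthy one. If any caller relies on `peekError` to detect a rejected client (the callers are outside this hunk), a comment such as `// EOF means the peer closed cleanly; not treated as a TLS failure` would record why that is acceptable. The function body continues past the end of the hunk.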
@@ -30,8 +30,30 @@ type ProxyAccessLogSetting struct { // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=50 Sinks []ProxyAccessLogSink `json:"sinks"` + // Type defines the component emitting the accesslog, such as Listener and Route. + // If type not defined, the setting would apply to: + // (1) All Routes. + // (2) Listeners if and only if Envoy does not find a matching route for a request. + // If type is defined, the accesslog settings would apply to the relevant component (as-is). + // +kubebuilder:validation:Enum=Listener;Route + // +optional + // +notImplementedHide + Type *ProxyAccessLogType `json:"type,omitempty"` } +type ProxyAccessLogType string + +const ( + // ProxyAccessLogTypeListener defines the accesslog for Listeners. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log + ProxyAccessLogTypeListener ProxyAccessLogType = "Listener" + // ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log + ProxyAccessLogTypeRoute ProxyAccessLogType = "Route" +) + type ProxyAccessLogFormatType string const ( diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 953aef0206c..31128681193 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go 
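Review bot: `ProxyAccessLogType` is declared without a doc comment, and the generated reference later in this patch shows the type with an empty description. Add `// ProxyAccessLogType defines the component that emits the access log.` above the type. The comment on `Type` could also spell out what an explicit value costs: read literally ("as-is"), `Route` means this setting no longer logs requests that match no route, which the default does cover at the listener. Operators who use access logs for detection would then need a second setting with `Listener`; this is inferred from the comment only, since the field is marked not implemented. `ProxyAccessLogSetting` begins before the hunk.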
+++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -4039,6 +4039,11 @@ func (in *ProxyAccessLogSetting) DeepCopyInto(out *ProxyAccessLogSetting) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyAccessLogSetting. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index e5488fd636b..03fa274ad68 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -12255,6 +12255,17 @@ spec: maxItems: 50 minItems: 1 type: array + type: + description: |- + Type defines the component emitting the accesslog, such as Listener and Route. + If type not defined, the setting would apply to: + (1) All Routes. + (2) Listeners if and only if Envoy does not find a matching route for a request. + If type is defined, the accesslog settings would apply to the relevant component (as-is). + enum: + - Listener + - Route + type: string required: - sinks type: object diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index cbc5f9a9a57..3bf53044b08 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2955,6 +2955,21 @@ _Appears in:_ | `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + #### ProxyBootstrap diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index cbc5f9a9a57..3bf53044b08 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2955,6 +2955,21 @@ _Appears in:_ | `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + #### ProxyBootstrap From 6eefb28871160c166afe4d9db3ff1b11bea35c59 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 25 Sep 2024 15:13:31 -0700 Subject: [PATCH 197/523] api: custom error response (#4259) * api: custom error response Relates to https://github.com/envoyproxy/gateway/issues/1400 Signed-off-by: Arko Dasgupta * address comments Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- api/v1alpha1/backendtrafficpolicy_types.go | 7 + api/v1alpha1/shared_types.go | 79 ++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 146 ++++++++++++++++++ ....envoyproxy.io_backendtrafficpolicies.yaml | 114 ++++++++++++++ site/content/en/latest/api/extension_types.md | 113 ++++++++++++++ site/content/zh/latest/api/extension_types.md | 113 ++++++++++++++ 6 files changed, 572 insertions(+) diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 70a400015e9..4e6118e7035 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -69,6 +69,13 @@ type BackendTrafficPolicySpec struct { // +optional // +notImplementedHide Compression []*Compression `json:"compression,omitempty"` + + // ResponseOverride defines the configuration to override specific responses with a custom one. + // If multiple configurations are specified, the first one to match wins. + // + // +optional + // +notImplementedHide + ResponseOverride []*ResponseOverride `json:"responseOverride,omitempty"` } // +kubebuilder:object:root=true diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 56440f096ca..48e3471c77d 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -609,3 +609,82 @@ type HTTP2Settings struct { // +optional OnInvalidMessage *InvalidMessageAction `json:"onInvalidMessage,omitempty"` } + +// ResponseOverride defines the configuration to override specific responses with a custom one. +type ResponseOverride struct { + // Match configuration. + Match CustomResponseMatch `json:"match"` + // Response configuration. + Response CustomResponse `json:"response"` +} + +// CustomResponseMatch defines the configuration for matching a user response to return a custom one. +type CustomResponseMatch struct { + // Status code to match on. The match evaluates to true if any of the matches are successful. + StatusCode []StatusCodeMatch `json:"statusCode"` +} + +// StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. +// +kubebuilder:validation:Enum=Value;Range +type StatusCodeValueType string + +type StatusCodeMatch struct { + // Type is the type of value. + // + // +kubebuilder:default=Value + // +unionDiscriminator + Type *StatusCodeValueType `json:"type"` + + // Value contains the value of the status code. + // + // +optional + Value *string `json:"value,omitempty"` + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // +optional + Range *StatusCodeRange `json:"range,omitempty"` +} + +// StatusCodeRange defines the configuration for define a range of status codes. +type StatusCodeRange struct { + // Start of the range, including the start value. + Start int `json:"start"` + // End of the range, including the end value. + End int `json:"end"` +} + +// CustomResponse defines the configuration for returning a custom response. +type CustomResponse struct { + // Content Type of the response. This will be set in the Content-Type header. 
+ // + // +optional + ContentType *string `json:"contentType,omitempty"` + + // Body of the Custom Response + Body CustomResponseBody `json:"body"` +} + +// ResponseValueType defines the types of values for the response body supported by Envoy Gateway. +// +kubebuilder:validation:Enum=Inline;ValueRef +type ResponseValueType string + +// CustomResponseBody +type CustomResponseBody struct { + // Type is the type of method to use to read the body value. + // + // +unionDiscriminator + Type *ResponseValueType `json:"type"` + + // Inline contains the value as an inline string. + // + // +optional + Inline *string `json:"inline,omitempty"` + // ValueRef contains the contents of the body + // specified as a local object reference. + // Only a reference to ConfigMap is supported. + // + // +optional + ValueRef *gwapiv1.LocalObjectReference `json:"valueRef,omitempty"` +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 31128681193..b07978e609d 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -556,6 +556,17 @@ func (in *BackendTrafficPolicySpec) DeepCopyInto(out *BackendTrafficPolicySpec) } } } + if in.ResponseOverride != nil { + in, out := &in.ResponseOverride, &out.ResponseOverride + *out = make([]*ResponseOverride, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(ResponseOverride) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendTrafficPolicySpec. 
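Review bot: The comment on `StatusCodeMatch.Range` is copied from `CustomResponseBody.ValueRef` ("ValueRef contains the contents of the body ..."), and the generated CRD and reference docs in this patch repeat it for `range`. It should read `// Range contains the range of status codes.`. `StatusCodeRange.Start` and `End` are plain `int` with no bounds, nothing requires `start <= end`, and `Value` is a free-form string, so a malformed match is not rejected at admission. Kubebuilder `Minimum`/`Maximum` markers and an `XValidation` rule would close that gap. Both unions (`StatusCodeMatch`, `CustomResponseBody`) declare a discriminator without a rule tying `type` to the member that is set, and `StatusCodeMatch` has no type-level doc comment.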
@@ -1124,6 +1135,79 @@ func (in *CustomHeaderExtensionSettings) DeepCopy() *CustomHeaderExtensionSettin return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { + *out = *in + if in.ContentType != nil { + in, out := &in.ContentType, &out.ContentType + *out = new(string) + **out = **in + } + in.Body.DeepCopyInto(&out.Body) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. +func (in *CustomResponse) DeepCopy() *CustomResponse { + if in == nil { + return nil + } + out := new(CustomResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponseBody) DeepCopyInto(out *CustomResponseBody) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(ResponseValueType) + **out = **in + } + if in.Inline != nil { + in, out := &in.Inline, &out.Inline + *out = new(string) + **out = **in + } + if in.ValueRef != nil { + in, out := &in.ValueRef, &out.ValueRef + *out = new(apisv1.LocalObjectReference) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponseBody. +func (in *CustomResponseBody) DeepCopy() *CustomResponseBody { + if in == nil { + return nil + } + out := new(CustomResponseBody) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CustomResponseMatch) DeepCopyInto(out *CustomResponseMatch) { + *out = *in + if in.StatusCode != nil { + in, out := &in.StatusCode, &out.StatusCode + *out = make([]StatusCodeMatch, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponseMatch. +func (in *CustomResponseMatch) DeepCopy() *CustomResponseMatch { + if in == nil { + return nil + } + out := new(CustomResponseMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomTag) DeepCopyInto(out *CustomTag) { *out = *in @@ -4639,6 +4723,23 @@ func (in *RequestHeaderCustomTag) DeepCopy() *RequestHeaderCustomTag { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResponseOverride) DeepCopyInto(out *ResponseOverride) { + *out = *in + in.Match.DeepCopyInto(&out.Match) + in.Response.DeepCopyInto(&out.Response) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseOverride. +func (in *ResponseOverride) DeepCopy() *ResponseOverride { + if in == nil { + return nil + } + out := new(ResponseOverride) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Retry) DeepCopyInto(out *Retry) { *out = *in 
@@ -4889,6 +4990,51 @@ func (in *SourceMatch) DeepCopy() *SourceMatch { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatusCodeMatch) DeepCopyInto(out *StatusCodeMatch) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(StatusCodeValueType) + **out = **in + } + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(string) + **out = **in + } + if in.Range != nil { + in, out := &in.Range, &out.Range + *out = new(StatusCodeRange) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCodeMatch. +func (in *StatusCodeMatch) DeepCopy() *StatusCodeMatch { + if in == nil { + return nil + } + out := new(StatusCodeMatch) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatusCodeRange) DeepCopyInto(out *StatusCodeRange) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCodeRange. +func (in *StatusCodeRange) DeepCopy() *StatusCodeRange { + if in == nil { + return nil + } + out := new(StatusCodeRange) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringMatch) DeepCopyInto(out *StringMatch) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 77133a803fc..7b13e2a123f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
@@ -945,6 +945,120 @@ spec: required: - type type: object + responseOverride: + description: |- + ResponseOverride defines the configuration to override specific responses with a custom one. + If multiple configurations are specified, the first one to match wins. + items: + description: ResponseOverride defines the configuration to override + specific responses with a custom one. + properties: + match: + description: Match configuration. + properties: + statusCode: + description: Status code to match on. The match evaluates + to true if any of the matches are successful. + items: + properties: + range: + description: |- + ValueRef contains the contents of the body + specified as a local object reference. + Only a reference to ConfigMap is supported. + properties: + end: + description: End of the range, including the end + value. + type: integer + start: + description: Start of the range, including the + start value. + type: integer + required: + - end + - start + type: object + type: + default: Value + description: Type is the type of value. + enum: + - Value + - Range + type: string + value: + description: Value contains the value of the status + code. + type: string + required: + - type + type: object + type: array + required: + - statusCode + type: object + response: + description: Response configuration. + properties: + body: + description: Body of the Custom Response + properties: + inline: + description: Inline contains the value as an inline + string. + type: string + type: + description: Type is the type of method to use to read + the body value. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: |- + ValueRef contains the contents of the body + specified as a local object reference. + Only a reference to ConfigMap is supported. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + contentType: + description: Content Type of the response. This will be + set in the Content-Type header. + type: string + required: + - body + type: object + required: + - match + - response + type: object + type: array retry: description: |- Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 3bf53044b08..93d845f3df7 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -852,6 +852,51 @@ _Appears in:_ | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + #### CustomTag @@ -3450,6 +3495,32 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| +#### ResponseOverride + + + +ResponseOverride defines the configuration to override specific responses with a custom one. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + + + #### RetryOn @@ -3632,6 +3703,48 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatusCodeMatch + + + + + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | +| `value` | _string_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + + + #### StringMatch diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 3bf53044b08..93d845f3df7 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -852,6 +852,51 @@ _Appears in:_ | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + #### CustomTag @@ -3450,6 +3495,32 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| +#### ResponseOverride + + + +ResponseOverride defines the configuration to override specific responses with a custom one. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + + + #### RetryOn @@ -3632,6 +3703,48 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatusCodeMatch + + + + + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | +| `value` | _string_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + + + #### StringMatch From 9b161ee914c246e113ec3f79372cba71ae038bbb Mon Sep 17 00:00:00 2001 From: qi Date: Fri, 27 Sep 2024 09:30:42 +0800 Subject: [PATCH 198/523] bugfix: EG loglevel error for admin and metrics module (#4340) * bugfix: EG loglevel error for admin and metrics module Signed-off-by: qicz * fix ut Signed-off-by: qicz * polish Signed-off-by: qicz --------- Signed-off-by: qicz --- internal/admin/server.go | 7 ++----- internal/admin/server_test.go | 3 +++ internal/metrics/metadata.go | 17 +++-------------- internal/metrics/register.go | 6 ++++++ 4 files changed, 14 insertions(+), 19 deletions(-) diff --git a/internal/admin/server.go b/internal/admin/server.go index 0569513033e..f71619a2238 100644 --- a/internal/admin/server.go +++ b/internal/admin/server.go @@ -12,13 +12,9 @@ import ( "github.com/davecgh/go-spew/spew" - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/logging" ) -var adminLogger = logging.DefaultLogger(egv1a1.LogLevelInfo).WithName("admin") - func Init(cfg *config.Server) error { if cfg.EnvoyGateway.GetEnvoyGatewayAdmin().EnableDumpConfig { spewConfig := spew.NewDefaultConfig() 
@@ -34,6 +30,7 @@ func start(cfg *config.Server) error { address := cfg.EnvoyGateway.GetEnvoyGatewayAdminAddress() enablePprof := cfg.EnvoyGateway.GetEnvoyGatewayAdmin().EnablePprof + adminLogger := cfg.Logger.WithName("admin") adminLogger.Info("starting admin server", "address", address, "enablePprof", enablePprof) if enablePprof { @@ -57,7 +54,7 @@ func start(cfg *config.Server) error { // Listen And Serve Admin Server. go func() { if err := adminServer.ListenAndServe(); err != nil { - cfg.Logger.Error(err, "start admin server failed") + adminLogger.Error(err, "start admin server failed") } }() diff --git a/internal/admin/server_test.go b/internal/admin/server_test.go index 2280738c235..a07291d8ba1 100644 --- a/internal/admin/server_test.go +++ b/internal/admin/server_test.go @@ -12,6 +12,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/logging" ) func TestInitAdminServer(t *testing.T) { @@ -20,6 +21,8 @@ func TestInitAdminServer(t *testing.T) { EnvoyGatewaySpec: egv1a1.EnvoyGatewaySpec{}, }, } + + svrConfig.Logger = logging.NewLogger(egv1a1.DefaultEnvoyGatewayLogging()) err := Init(svrConfig) require.NoError(t, err) } diff --git a/internal/metrics/metadata.go b/internal/metrics/metadata.go index c6daf9e94da..5b5fd045d52 100644 --- a/internal/metrics/metadata.go +++ b/internal/metrics/metadata.go 
@@ -12,21 +12,10 @@ import ( "go.opentelemetry.io/otel" api "go.opentelemetry.io/otel/metric" "go.opentelemetry.io/otel/sdk/metric" - - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - log "github.com/envoyproxy/gateway/internal/logging" -) - -var ( - meter = func() api.Meter { - return otel.GetMeterProvider().Meter("envoy-gateway") - } - - metricsLogger = log.DefaultLogger(egv1a1.LogLevelInfo).WithName("metrics") ) -func init() { - otel.SetLogger(metricsLogger.Logger) +var meter = func() api.Meter { + return otel.GetMeterProvider().Meter("envoy-gateway") } // MetricType is the type of a metric. @@ -56,7 +45,7 @@ type Metadata struct { Bounds []float64 } -// metrics stores stores metrics +// metrics stores metrics type store struct { started bool mu sync.Mutex diff --git a/internal/metrics/register.go b/internal/metrics/register.go index f4e9e7a34cc..1f4c0a483f0 100644 --- a/internal/metrics/register.go +++ b/internal/metrics/register.go @@ -23,14 +23,20 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + log "github.com/envoyproxy/gateway/internal/logging" ) const ( defaultEndpoint = "/metrics" ) +var metricsLogger log.Logger + // Init initializes and registers the global metrics server. func Init(cfg *config.Server) error { + metricsLogger = cfg.Logger.WithName("metrics") + otel.SetLogger(metricsLogger.Logger) + options, err := newOptions(cfg) if err != nil { return err From 14830c7b7a7fa20cd3c5e82625c355485bcbd961 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 27 Sep 2024 09:31:10 +0800 Subject: [PATCH 199/523] fix: some status updates are discarded by the status updater (#4337) Signed-off-by: Huabing Zhao --- internal/provider/kubernetes/status_updater.go | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/internal/provider/kubernetes/status_updater.go b/internal/provider/kubernetes/status_updater.go index 9da708f1b02..24adaedd563 100644 
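Review bot: `metricsLogger` in register.go is now a package-level variable that stays zero-valued until `Init` assigns it, so any code in the package that logs through it earlier (not visible in these hunks) loses the named logger that the removed declaration in metadata.go used to provide. `otel.SetLogger` also moves from the package `init()` into `Init`, so OpenTelemetry messages emitted before `Init` go to whatever logger otel installs by default. A doc comment would make the contract explicit: `// metricsLogger is assigned by Init from cfg.Logger; it must not be used before Init has run.` The assignment is unsynchronized, which is only safe if `Init` runs once before any goroutine reads the variable.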
--- a/internal/provider/kubernetes/status_updater.go +++ b/internal/provider/kubernetes/status_updater.go @@ -56,7 +56,6 @@ func (m MutatorFunc) Mutate(old client.Object) client.Object { type UpdateHandler struct { log logr.Logger client client.Client - sendUpdates chan struct{} updateChannel chan Update } @@ -64,7 +63,6 @@ func NewUpdateHandler(log logr.Logger, client client.Client) *UpdateHandler { return &UpdateHandler{ log: log, client: client, - sendUpdates: make(chan struct{}), updateChannel: make(chan Update, 100), } } @@ -129,9 +127,6 @@ func (u *UpdateHandler) Start(ctx context.Context) error { u.log.Info("started status update handler") defer u.log.Info("stopped status update handler") - // Enable Updaters to start sending updates to this handler. - close(u.sendUpdates) - for { select { case <-ctx.Done(): @@ -148,7 +143,6 @@ func (u *UpdateHandler) Start(ctx context.Context) error { // Writer retrieves the interface that should be used to write to the UpdateHandler. func (u *UpdateHandler) Writer() Updater { return &UpdateWriter{ - enabled: u.sendUpdates, updateChannel: u.updateChannel, } } @@ -160,18 +154,13 @@ type Updater interface { // UpdateWriter takes status updates and sends these to the UpdateHandler via a channel. type UpdateWriter struct { - enabled <-chan struct{} updateChannel chan<- Update } // Send sends the given Update off to the update channel for writing by the UpdateHandler. func (u *UpdateWriter) Send(update Update) { // Non-blocking receive to see if we should pass along update. - select { - case <-u.enabled: - u.updateChannel <- update - default: - } + u.updateChannel <- update } // isStatusEqual checks if two objects have equivalent status. From 7babca9bf8b6d677c3fa9944039aa0b034ebc53d Mon Sep 17 00:00:00 2001 
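Review bot: `Send` in the last hunk now does a plain `u.updateChannel <- update`, but the comment kept above it still reads "Non-blocking receive to see if we should pass along update", which no longer describes the code. With the `enabled` gate removed, a caller blocks once the 100-slot buffer created in `NewUpdateHandler` is full and nothing is draining it, for example before `Start` runs or after its loop returns on `ctx.Done()`. Whether that can stall a reconciler depends on callers outside this diff. Suggested replacement comment: `// Send blocks while updateChannel is full; it returns once the update is queued for the UpdateHandler.`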
From: qi Date: Fri, 27 Sep 2024 15:27:48 +0800 Subject: [PATCH 200/523] fix: Unsupported listener protocol type error for nil supportKinds assign gateway status. (#4345) --- internal/gatewayapi/listener.go | 1 + .../gateway-with-listener-with-unsupported-protocol.out.yaml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 88667b8ef6d..10c00578d6e 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -74,6 +74,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource case gwapiv1.UDPProtocolType: t.validateAllowedRoutes(listener, resource.KindUDPRoute) default: + listener.SetSupportedKinds(gwapiv1.RouteGroupKind{Kind: "InvalidKind"}) status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml index 123a0171cb6..373c2f894ca 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml @@ -34,7 +34,8 @@ gateways: status: "True" type: ResolvedRefs name: unsupported - supportedKinds: null + supportedKinds: + - kind: InvalidKind httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute From d895da32f8e42d518195e2f2a46309525964c099 Mon Sep 17 00:00:00 2001 From: Luv Date: Fri, 27 Sep 2024 16:38:38 +0530 Subject: [PATCH 201/523] feat: support request response sizes stats (#4314) * added req resp field Signed-off-by: Luv * gen-check Signed-off-by: Luv * add track cluster only if needed Signed-off-by: Luv * lint fixes Signed-off-by: Luv * made stats fields *bool Signed-off-by: Luv * added metric enabled test 
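Review bot: In the `default:` branch of `ProcessListeners`, `listener.SetSupportedKinds(gwapiv1.RouteGroupKind{Kind: "InvalidKind"})` publishes a placeholder kind with no group in the Gateway status, and the updated golden file shows it reaching `supportedKinds` as `- kind: InvalidKind`. Status consumers read that list as the route kinds the listener accepts, so a sentinel that is not a real kind is misleading on a listener whose protocol is unsupported. If the goal is only to avoid a `null` value, an empty non-nil list would say "nothing supported" without inventing a kind, e.g. `listener.SetSupportedKinds()`, provided the setter stores an empty slice when given no arguments (its definition is outside this hunk).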
Signed-off-by: Luv * added xds test files Signed-off-by: Luv --------- 
Signed-off-by: Luv Co-authored-by: zirain --- api/v1alpha1/envoyproxy_metric_types.go | 13 +- api/v1alpha1/zz_generated.deepcopy.go | 15 ++ .../gateway.envoyproxy.io_envoyproxies.yaml | 5 + internal/gatewayapi/listener.go | 5 +- .../envoyproxy-metric-backend.out.yaml | 1 + .../envoyproxy-metric-enabled-backend.in.yaml | 82 ++++++++++ ...envoyproxy-metric-enabled-backend.out.yaml | 151 ++++++++++++++++++ internal/ir/xds.go | 5 +- internal/xds/translator/cluster.go | 17 +- .../in/xds-ir/http-req-resp-sizes-stats.yaml | 21 +++ .../in/xds-ir/tcp-req-resp-sizes-stats.yaml | 15 ++ .../in/xds-ir/udp-req-resp-sizes-stats.yaml | 17 ++ .../http-req-resp-sizes-stats.clusters.yaml | 19 +++ .../http-req-resp-sizes-stats.endpoints.yaml | 12 ++ .../http-req-resp-sizes-stats.listeners.yaml | 34 ++++ .../http-req-resp-sizes-stats.routes.yaml | 14 ++ .../tcp-req-resp-sizes-stats.clusters.yaml | 1 + .../tcp-req-resp-sizes-stats.endpoints.yaml | 1 + .../tcp-req-resp-sizes-stats.listeners.yaml | 6 + .../tcp-req-resp-sizes-stats.routes.yaml | 1 + .../udp-req-resp-sizes-stats.clusters.yaml | 19 +++ .../udp-req-resp-sizes-stats.endpoints.yaml | 18 +++ .../udp-req-resp-sizes-stats.listeners.yaml | 18 +++ .../udp-req-resp-sizes-stats.routes.yaml | 1 + site/content/en/latest/api/extension_types.md | 5 +- site/content/zh/latest/api/extension_types.md | 5 +- 26 files changed, 487 insertions(+), 14 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml diff --git a/api/v1alpha1/envoyproxy_metric_types.go b/api/v1alpha1/envoyproxy_metric_types.go index 0e571ef23c9..f3fe7c3a5c0 100644 --- a/api/v1alpha1/envoyproxy_metric_types.go +++ b/api/v1alpha1/envoyproxy_metric_types.go 
@@ -27,11 +27,20 @@ type ProxyMetrics struct { Matches []StringMatch `json:"matches,omitempty"` // EnableVirtualHostStats enables envoy stat metrics for virtual hosts. - EnableVirtualHostStats bool `json:"enableVirtualHostStats,omitempty"` + // + // +optional + EnableVirtualHostStats *bool `json:"enableVirtualHostStats,omitempty"` // EnablePerEndpointStats enables per endpoint envoy stats metrics. // Please use with caution. - EnablePerEndpointStats bool `json:"enablePerEndpointStats,omitempty"` + // + // +optional + EnablePerEndpointStats *bool `json:"enablePerEndpointStats,omitempty"` + + // EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. + // + // +optional + EnableRequestResponseSizesStats *bool `json:"enableRequestResponseSizesStats,omitempty"` } // ProxyMetricSink defines the sink of metrics. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b07978e609d..b6b944b3a14 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -4266,6 +4266,21 @@ func (in *ProxyMetrics) DeepCopyInto(out *ProxyMetrics) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.EnableVirtualHostStats != nil { + in, out := &in.EnableVirtualHostStats, &out.EnableVirtualHostStats + *out = new(bool) + **out = **in + } + if in.EnablePerEndpointStats != nil { + in, out := &in.EnablePerEndpointStats, &out.EnablePerEndpointStats + *out = new(bool) + **out = **in + } + if in.EnableRequestResponseSizesStats != nil { + in, out := &in.EnableRequestResponseSizesStats, &out.EnableRequestResponseSizesStats + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyMetrics. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 03fa274ad68..8410c05c805 100644 
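Review bot: The three `*bool` fields in `ProxyMetrics` are now marked `+optional`, but their comments do not say what an unset value means. The `processMetrics` hunk in internal/gatewayapi/listener.go treats nil as false, so the field docs should say so, e.g. by adding `// Defaults to false when unset.` to each comment. Changing `bool` to `*bool` is also source-breaking for Go code that sets these fields on the v1alpha1 types directly, which deserves a line in the release notes.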
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -12282,6 +12282,11 @@ spec: EnablePerEndpointStats enables per endpoint envoy stats metrics. Please use with caution. type: boolean + enableRequestResponseSizesStats: + description: EnableRequestResponseSizesStats enables publishing + of histograms tracking header and body sizes of requests + and responses. + type: boolean enableVirtualHostStats: description: EnableVirtualHostStats enables envoy stat metrics for virtual hosts. diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 10c00578d6e..724e835eb12 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -466,8 +466,9 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re } return &ir.Metrics{ - EnableVirtualHostStats: envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, - EnablePerEndpointStats: envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, + EnableVirtualHostStats: envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, + EnablePerEndpointStats: envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, + EnableRequestResponseSizesStats: envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats, }, nil } diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml index 262d55065a9..4bff8f998d5 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml 
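Review bot: The `ir.Metrics` literal in `processMetrics` repeats `envoyproxy.Spec.Telemetry.Metrics.X != nil && *envoyproxy.Spec.Telemetry.Metrics.X` three times on very long lines. A copy-paste that checks one field and dereferences another would still compile, so adding a fourth flag is error-prone. Binding the struct once with `m := envoyproxy.Spec.Telemetry.Metrics` and using `ptr.Deref(m.EnableVirtualHostStats, false)` from `k8s.io/utils/ptr` would be shorter and harder to get wrong, if that package is available to this file (its imports are outside the hunk). The function body starts before the hunk.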
@@ -144,4 +144,5 @@ xdsIR: port: 10080 metrics: enablePerEndpointStats: false + enableRequestResponseSizesStats: false enableVirtualHostStats: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml new file mode 100644 index 00000000000..e958af1e119 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.in.yaml 
@@ -0,0 +1,82 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway-system + name: test + spec: + telemetry: + metrics: + sinks: + - type: OpenTelemetry + openTelemetry: + backendRefs: + - name: otel-collector + namespace: monitoring + port: 4317 + enableVirtualHostStats: true + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + provider: + type: Kubernetes + kubernetes: + envoyService: + type: LoadBalancer + envoyDeployment: + replicas: 2 + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: "envoyproxy/envoy:distroless-dev" + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + pod: + annotations: + key1: val1 + key2: val2 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: "router" + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + fsGroupChangePolicy: "OnRootMismatch" + volumes: + - name: certs + secret: + secretName: envoy-cert +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml new file mode 100644 index 00000000000..7605114bf22 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml 
@@ -0,0 +1,151 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + provider: + kubernetes: + envoyDeployment: + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: envoyproxy/envoy:distroless-dev + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + runAsUser: 2000 + pod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + annotations: + key1: val1 + key2: val2 + securityContext: + fsGroup: 2000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 3000 + runAsUser: 1000 + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: router + volumes: + - name: certs + secret: + secretName: envoy-cert + 
replicas: 2 + envoyService: + type: LoadBalancer + type: Kubernetes + telemetry: + metrics: + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + enableVirtualHostStats: true + sinks: + - openTelemetry: + backendRefs: + - name: otel-collector + namespace: monitoring + port: 4317 + type: OpenTelemetry + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + metrics: + enablePerEndpointStats: true + enableRequestResponseSizesStats: true + enableVirtualHostStats: true diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 399d1f0dbd3..8aefbd553ed 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1928,8 +1928,9 @@ type Tracing struct { // Metrics defines the configuration for metrics generated by Envoy // +k8s:deepcopy-gen=true type Metrics struct { - EnableVirtualHostStats bool `json:"enableVirtualHostStats" yaml:"enableVirtualHostStats"` - EnablePerEndpointStats bool `json:"enablePerEndpointStats" yaml:"enablePerEndpointStats"` + EnableVirtualHostStats bool `json:"enableVirtualHostStats" yaml:"enableVirtualHostStats"` + EnablePerEndpointStats bool `json:"enablePerEndpointStats" yaml:"enablePerEndpointStats"` + EnableRequestResponseSizesStats bool `json:"enableRequestResponseSizesStats" yaml:"enableRequestResponseSizesStats"` } // TCPKeepalive define the TCP Keepalive configuration. 
diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 75bfc532b61..409de7e2180 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -94,10 +94,19 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { } cluster.ConnectTimeout = buildConnectTimeout(args.timeout) - // set peer endpoint stats - if args.metrics != nil && args.metrics.EnablePerEndpointStats { - cluster.TrackClusterStats = &clusterv3.TrackClusterStats{ - PerEndpointStats: args.metrics.EnablePerEndpointStats, + + // Initialize TrackClusterStats if any metrics are enabled + if args.metrics != nil && (args.metrics.EnablePerEndpointStats || args.metrics.EnableRequestResponseSizesStats) { + cluster.TrackClusterStats = &clusterv3.TrackClusterStats{} + + // Set per endpoint stats if enabled + if args.metrics.EnablePerEndpointStats { + cluster.TrackClusterStats.PerEndpointStats = args.metrics.EnablePerEndpointStats + } + + // Set request response sizes stats if enabled + if args.metrics.EnableRequestResponseSizesStats { + cluster.TrackClusterStats.RequestResponseSizes = args.metrics.EnableRequestResponseSizesStats } } diff --git a/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..5c174e363ef --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml @@ -0,0 +1,21 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +http: + - name: "listener-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 
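Review bot: The two inner `if` blocks in `buildXdsCluster` each copy a bool only when it is already true and otherwise leave the zero value, so they add branches without changing the result. The struct can be built in one literal under the outer condition: `cluster.TrackClusterStats = &clusterv3.TrackClusterStats{PerEndpointStats: args.metrics.EnablePerEndpointStats, RequestResponseSizes: args.metrics.EnableRequestResponseSizesStats}`. The function continues outside this hunk.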
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..6d5d7fac73c --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml @@ -0,0 +1,15 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +tcp: +- name: "tcp-route-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml new file mode 100644 index 00000000000..1e7e0d9fb53 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml @@ -0,0 +1,17 @@ +name: "metrics-req-resp-sizes-stats" +metrics: + enableRequestResponseSizesStats: true +udp: +- name: "udp-route-enable-req-resp-sizes-stats" + address: "0.0.0.0" + port: 10080 + route: + name: "udp-route" + destination: + name: "udp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..7d112afb676 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml 
@@ -0,0 +1,19 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + requestResponseSizes: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..3b3f2d09076 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..2d688753f05 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml 
@@ -0,0 +1,34 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: listener-enable-req-resp-sizes-stats + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: listener-enable-req-resp-sizes-stats + name: listener-enable-req-resp-sizes-stats + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..63cbc847197 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.routes.yaml @@ -0,0 +1,14 @@ +- ignorePortInHostMatching: true + name: listener-enable-req-resp-sizes-stats + virtualHosts: + - domains: + - '*' + name: listener-enable-req-resp-sizes-stats/* + routes: + - match: + prefix: / + name: first-route + route: + cluster: first-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..fe51488c706 
--- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..994341e55ec --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml @@ -0,0 +1,6 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + name: tcp-route-enable-req-resp-sizes-stats + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml new file mode 100644 index 00000000000..f7c6a0bf095 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml 
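Review bot: The expected output `tcp-req-resp-sizes-stats.clusters.yaml` is `[]`, as are the TCP endpoints and routes files, although the input fixture sets `enableRequestResponseSizesStats: true` and lists two endpoints. This case therefore never asserts `trackClusterStats.requestResponseSizes` for a TCP cluster. The UDP input nests `destination` under `route:` and does produce a cluster, while the TCP input puts `destination` directly under the listener entry; that difference may be why no cluster is generated, though the IR schema is not visible here. The TCP input should be fixed so that the golden file contains a cluster with `requestResponseSizes: true`.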
@@ -0,0 +1,19 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: udp-route-dest + lbPolicy: LEAST_REQUEST + name: udp-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + requestResponseSizes: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml new file mode 100644 index 00000000000..2e3c84e672c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.endpoints.yaml @@ -0,0 +1,18 @@ +- clusterName: udp-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + - endpoint: + address: + socketAddress: + address: 5.6.7.8 + portValue: 50001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: udp-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml new file mode 100644 index 00000000000..6bf13465916 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml @@ -0,0 +1,18 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + protocol: UDP + listenerFilters: + - name: envoy.filters.udp_listener.udp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig + matcher: + onNoMatch: + action: + name: route + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route + cluster: udp-route-dest + statPrefix: service + name: udp-route-enable-req-resp-sizes-stats 
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 93d845f3df7..6aaec351939 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -3098,8 +3098,9 @@ _Appears in:_ | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | true | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 93d845f3df7..6aaec351939 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -3098,8 +3098,9 @@ _Appears in:_ | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | true | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink From a9f740a6fae68399e8c75bd59c72ccb13bbf094f Mon Sep 17 00:00:00 2001 From: Hartigan Date: Sat, 28 Sep 2024 03:58:09 +0200 Subject: [PATCH 202/523] Datadog tracing support (#4298) * Add datadog as tracing provider Signed-off-by: Hartigan * Update API documentation Signed-off-by: Hartigan * Generate test data for Datadog tracing Signed-off-by: Hartigan --------- Signed-off-by: Hartigan --- api/v1alpha1/tracing_types.go | 3 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 1 + .../testdata/in/xds-ir/tracing-datadog.yaml | 49 +++++++++++++++ .../xds-ir/tracing-unknown-provider-type.yaml | 12 ++-- .../out/xds-ir/tracing-datadog.clusters.yaml | 44 ++++++++++++++ .../out/xds-ir/tracing-datadog.endpoints.yaml | 12 ++++ .../out/xds-ir/tracing-datadog.listeners.yaml | 60 +++++++++++++++++++ .../out/xds-ir/tracing-datadog.routes.yaml | 12 ++++ internal/xds/translator/tracing.go | 11 ++++ internal/xds/translator/translator_test.go | 2 +- site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 12 files changed, 200 insertions(+), 8 deletions(-) create mode 100644 internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml diff --git a/api/v1alpha1/tracing_types.go b/api/v1alpha1/tracing_types.go index 55fd63ef4e9..293664cddba 100644 --- a/api/v1alpha1/tracing_types.go +++ b/api/v1alpha1/tracing_types.go 
@@ -26,6 +26,7 @@ type TracingProviderType string const ( TracingProviderTypeOpenTelemetry TracingProviderType = "OpenTelemetry" TracingProviderTypeZipkin TracingProviderType = "Zipkin" + TracingProviderTypeDatadog TracingProviderType = "Datadog" ) // TracingProvider defines the tracing provider configuration. @@ -37,7 +38,7 @@ const ( type TracingProvider struct { BackendCluster `json:",inline"` // Type defines the tracing provider type. - // +kubebuilder:validation:Enum=OpenTelemetry;Zipkin + // +kubebuilder:validation:Enum=OpenTelemetry;Zipkin;Datadog // +kubebuilder:default=OpenTelemetry Type TracingProviderType `json:"type"` // Host define the provider service hostname. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 8410c05c805..1b18890cd27 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -14220,6 +14220,7 @@ spec: enum: - OpenTelemetry - Zipkin + - Datadog type: string zipkin: description: Zipkin defines the Zipkin tracing provider diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml new file mode 100644 index 00000000000..1cc60f85e0e --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml 
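Review bot: `TracingProviderTypeDatadog` is added to the const block without a doc comment, and the generated API reference updated later in this same patch ends up with an empty description cell for `Datadog`. A one-line comment on the constant, for example `// TracingProviderTypeDatadog defines the Datadog tracing provider.`, would presumably flow through to that table. The existing OpenTelemetry and Zipkin constants have the same gap and could be documented at the same time. The `TracingProvider` struct touched by the second hunk continues outside the hunk.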
@@ -0,0 +1,49 @@ +name: "tracing" +tracing: + serviceName: "fake-name.fake-ns" + samplingRate: 90 + customTags: + "literal1": + type: Literal + literal: + value: "value1" + "env1": + type: Environment + environment: + name: "env1" + defaultValue: "-" + "req1": + type: RequestHeader + requestHeader: + name: "X-Request-Id" + defaultValue: "-" + authority: "datadog-agent.default.svc.cluster.local" + destination: + name: "tracing-0" + settings: + - endpoints: + - host: "datadog-agent.default.svc.cluster.local" + port: 8126 + provider: + type: Datadog +http: + - name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "direct-route" + hostname: "*" + destination: + name: "direct-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + directResponse: + body: "Unknown custom filter type: UnsupportedType" + statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml index 45f669ef643..02623bc0c7a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml @@ -17,17 +17,17 @@ tracing: requestHeader: name: "X-Request-Id" defaultValue: "-" - authority: "datadog-agent.default.svc.cluster.local" + authority: "awesome-agent.default.svc.cluster.local" destination: name: "tracing-0" settings: - endpoints: - - host: "datadog-agent.default.svc.cluster.local" - port: 8126 + - host: "awesome-agent.default.svc.cluster.local" + port: 1357 provider: - host: datadog-agent.monitoring.svc.cluster.local - port: 8126 - type: Datadog + host: awesome-agent.monitoring.svc.cluster.local + port: 1357 + type: AwesomeTelemetry http: - name: "first-listener" address: "0.0.0.0" 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml new file mode 100644 index 00000000000..51ef591844c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -0,0 +1,44 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: direct-route-dest + lbPolicy: LEAST_REQUEST + name: direct-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: tracing-0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: datadog-agent.default.svc.cluster.local + portValue: 8126 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tracing-0/backend/0 + name: tracing-0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml new file mode 100644 index 00000000000..20c80b3aaaa --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: direct-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: direct-route-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml new file mode 100644 index 00000000000..07a3d581575 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml @@ -0,0 +1,60 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + tracing: + clientSampling: + value: 100 + customTags: + - environment: + defaultValue: '-' + name: env1 + tag: env1 + - literal: + value: value1 + tag: literal1 + - requestHeader: + defaultValue: '-' + name: X-Request-Id + tag: req1 + overallSampling: + value: 100 + provider: + name: envoy.tracers.datadog + typedConfig: + '@type': type.googleapis.com/envoy.config.trace.v3.DatadogConfig + collectorCluster: tracing-0 + serviceName: fake-name.fake-ns + randomSampling: + value: 90 + spawnUpstreamSpan: true + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml new file mode 100644 index 00000000000..b214e8b05a3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml @@ -0,0 +1,12 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - directResponse: + status: 500 + match: + prefix: / + name: direct-route diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index ad9a3ecc0e1..c7777f94ba2 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -28,6 +28,7 @@ import ( const ( envoyOpenTelemetry = "envoy.tracers.opentelemetry" envoyZipkin = "envoy.traces.zipkin" + envoyDatadog = "envoy.tracers.datadog" ) type typConfigGen func() (*anypb.Any, error) @@ -41,6 +42,16 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e var providerConfig typConfigGen switch tracing.Provider.Type { + case egv1a1.TracingProviderTypeDatadog: + providerName = envoyDatadog + + providerConfig = func() (*anypb.Any, error) { + config := &tracecfg.DatadogConfig{ + ServiceName: tracing.ServiceName, + CollectorCluster: tracing.Destination.Name, + } + return protocov.ToAnyWithError(config) + } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go index e939ffb2b8b..4d41b865afa 100644 --- a/internal/xds/translator/translator_test.go +++ b/internal/xds/translator/translator_test.go @@ -106,7 +106,7 @@ func TestTranslateXds(t *testing.T) { errMsg: "validation failed for xds resource", }, "tracing-unknown-provider-type": { - errMsg: "unknown tracing provider type: Datadog", + errMsg: "unknown tracing provider type: AwesomeTelemetry", }, } 
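Review bot: The new `egv1a1.TracingProviderTypeDatadog` case in `buildHCMTracing` fills only `ServiceName` and `CollectorCluster`, so the `authority` value carried by the tracing-datadog test input never reaches the tracer config, and the expected listener output confirms it is absent. Envoy's `DatadogConfig` has a `CollectorHostname` field that, as far as I know, falls back to the collector cluster name when unset, which here would put `tracing-0` in the Host header instead of the agent's hostname. If `ir.Tracing` exposes the authority (its definition is not visible in this hunk, so the field name is an assumption), add `CollectorHostname: tracing.Authority,` to the struct literal. The function body starts before and continues past this hunk.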
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 6aaec351939..193e698722c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -3922,6 +3922,7 @@ _Appears in:_ | `OpenTelemetry` | | | `OpenTelemetry` | | | `Zipkin` | | +| `Datadog` | | #### TriggerEnum diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 6aaec351939..193e698722c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -3922,6 +3922,7 @@ _Appears in:_ | `OpenTelemetry` | | | `OpenTelemetry` | | | `Zipkin` | | +| `Datadog` | | #### TriggerEnum From 2fdf0694ea147ed6b773e3acf499fa016f6694e0 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 27 Sep 2024 20:39:24 -0700 Subject: [PATCH 203/523] set invalid Listener.SupportedKinds to empty list (#4352) * set invalid Listener.SupportedKinds to empty list Fixes: https://github.com/envoyproxy/gateway/issues/4216 Relates to https://kubernetes.slack.com/archives/CR0H13KGA/p1727457195236889 Signed-off-by: Arko Dasgupta * lint Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- internal/gatewayapi/contexts.go | 3 ++- internal/gatewayapi/listener.go | 2 +- .../gateway-with-listener-with-unsupported-protocol.out.yaml | 3 +-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index 7d6aee73d99..fbd4c588f9b 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go 
@@ -76,7 +76,8 @@ type ListenerContext struct { } func (l *ListenerContext) SetSupportedKinds(kinds ...gwapiv1.RouteGroupKind) { - l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = kinds + l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = make([]gwapiv1.RouteGroupKind, 0, len(kinds)) + l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = append(l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds, kinds...) } func (l *ListenerContext) IncrementAttachedRoutes() { diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 724e835eb12..0c69d7b3097 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -74,7 +74,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource case gwapiv1.UDPProtocolType: t.validateAllowedRoutes(listener, resource.KindUDPRoute) default: - listener.SetSupportedKinds(gwapiv1.RouteGroupKind{Kind: "InvalidKind"}) + listener.SetSupportedKinds() status.SetGatewayListenerStatusCondition(listener.gateway.Gateway, listener.listenerStatusIdx, gwapiv1.ListenerConditionAccepted, diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml index 373c2f894ca..0875ec2454d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unsupported-protocol.out.yaml @@ -34,8 +34,7 @@ gateways: status: "True" type: ResolvedRefs name: unsupported - supportedKinds: - - kind: InvalidKind + supportedKinds: [] httpRoutes: - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute From cbd92e2a423de036d5c8b9db530f0a66d5ce47f9 Mon Sep 17 00:00:00 2001 
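Review bot: `SetSupportedKinds` now allocates a fresh slice before appending, but nothing in the method says why, and the two statements repeat the long `l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds` selector. The intent appears to be that a call with no arguments, as the `default` branch in listener.go now makes, leaves a non-nil empty slice so the status renders as `supportedKinds: []` (as the updated testdata shows) rather than null. A later cleanup back to `= kinds` would silently undo that. I would add `// Always store a non-nil slice so an empty list is serialized as [] rather than null.` above the assignment and collapse it to one statement: `l.gateway.Status.Listeners[l.listenerStatusIdx].SupportedKinds = append(make([]gwapiv1.RouteGroupKind, 0, len(kinds)), kinds...)`.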
From: Md Sahil <85174511+MdSahil-oss@users.noreply.github.com> Date: Sat, 28 Sep 2024 09:17:56 +0530 Subject: [PATCH 204/523] feat: adds support for ratelimit metrics monitoring in grafana (#4083) Signed-off-by: MdSahil-oss Co-authored-by: sh2 --- .../dashboards/global-ratelimit.json | 633 +++++++++++++++++ .../helm/gateway-addons-helm/default.out.yaml | 634 ++++++++++++++++++ test/helm/gateway-addons-helm/e2e.out.yaml | 634 ++++++++++++++++++ 3 files changed, 1901 insertions(+) create mode 100644 charts/gateway-addons-helm/dashboards/global-ratelimit.json diff --git a/charts/gateway-addons-helm/dashboards/global-ratelimit.json b/charts/gateway-addons-helm/dashboards/global-ratelimit.json new file mode 100644 index 00000000000..3242aa62b7b --- /dev/null +++ b/charts/gateway-addons-helm/dashboards/global-ratelimit.json 
@@ -0,0 +1,633 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + "showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + 
"sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + 
"mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + 
"disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": 
"", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + 
"refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" +} \ No newline at end of file 
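Review bot: Every panel and target in this new dashboard pins its datasource to the literal uid `PBFA97CFB590B2093`, while the dashboard's own template variables use `"uid": "$datasource"`. On a Grafana instance whose Prometheus datasource has a different uid the panels would likely not resolve, so they should use `"uid": "$datasource"` as well. The Total Hits, Near Limit and Over Limit queries are also fixed to one example route through their `key1`/`key2` label values, so limits configured on any other route never show up; a template variable or a regex matcher on those labels would cover them. Finally, `(go_memstats_gc_cpu_fraction)*1000000` has no selector, unlike the two memory panels, and should carry `{app_kubernetes_io_component="ratelimit"}` so the chart is not fed by every scraped Go process.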
diff --git a/test/helm/gateway-addons-helm/default.out.yaml b/test/helm/gateway-addons-helm/default.out.yaml index 060791f94d5..d349b1df810 100644 --- a/test/helm/gateway-addons-helm/default.out.yaml +++ b/test/helm/gateway-addons-helm/default.out.yaml 
@@ -8378,6 +8378,640 @@ data: "version": 1, "weekStart": "" } + global-ratelimit.json: |- + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + 
"showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + 
"fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + 
"datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + 
"fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + 
"multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" 
+ } resources-monitor.gen.json: |- { "description": "Memory and CPU Usage Monitor for Envoy Gateway and Envoy Proxy.\n", diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index df3d02ade7e..52ed8fcb97e 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml 
@@ -8410,6 +8410,640 @@ data: "version": 1, "weekStart": "" } + global-ratelimit.json: |- + { + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Envoy Gateway monitoring Dashboard with exported metrics.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 273, + "panels": [], + "title": "Global Ratelimit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "The fraction of this program's available CPU time used by the GC since the program started.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "series", + "axisGridShow": false, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 25, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "miu" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 1 + }, + "id": 274, + "options": { + "legend": { + "calcs": [], + "displayMode": "hidden", + "placement": "right", + 
"showLegend": false + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(go_memstats_gc_cpu_fraction)*1000000", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU Fraction", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Resident memory size", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 9, + "y": 1 + }, + "id": 291, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_resident_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Resident Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Virtual memory size", + 
"fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "percentage", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "decmbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 7, + "x": 16, + "y": 1 + }, + "id": 325, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false, + "sizing": "auto" + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "(process_virtual_memory_bytes{app_kubernetes_io_component=\"ratelimit\"})/1000000", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Virtual Memory", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of ratelimit rule hits in total", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 8 + }, + "id": 308, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + 
"datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_total_hits{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Total Hits", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits over the NearLimit ratio threshold (currently 80%) but under the threshold rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 8 + }, + "id": 326, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_near_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + 
"fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Near Limit", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Number of rule hits exceeding the threshold rate", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-blue", + "mode": "shades" + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 8 + }, + "id": 327, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "value", + "wideLayout": false + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "ratelimit_service_rate_limit_over_limit{domain=\"$DefaultDomain\", key1=\"httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example_httproute/default/http-ratelimit/rule/0/match/0/ratelimit_example\", key2=\"rule-0-match-0_rule-0-match-0\"}", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Over Limit", + "type": "stat" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "Control Plane" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 0, + "includeAll": false, + 
"multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": { + "selected": false, + "text": "envoy-gateway-system", + "value": "envoy-gateway-system" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(watchable_depth,runner)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "Runner", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(watchable_depth,runner)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "default/eg/http", + "value": "default/eg/http" + }, + "description": "DefaultDomain is set to default/eg/http", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DefaultDomain", + "options": [ + { + "selected": true, + "text": "default/eg/http", + "value": "default/eg/http" + } + ], + "query": "default/eg/http", + "skipUrlSync": false, + "type": "custom" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Global Ratelimit", + "uid": "R2xvYmFsIFJhdGVsaW1pdAo", + "version": 4, + "weekStart": "" 
+ } resources-monitor.gen.json: |- { "description": "Memory and CPU Usage Monitor for Envoy Gateway and Envoy Proxy.\n", From e2272dfb511232c766a4f965356a4b17fa3de149 Mon Sep 17 00:00:00 2001 From: sh2 Date: Sun, 29 Sep 2024 10:30:05 +0800 Subject: [PATCH 205/523] chore: add envoy gateway logo into readme (#4355) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 25fa9af8d94..2260a1fa72c 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ [![OSV-Scanner](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/osv-scanner.yml) [![Trivy](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml/badge.svg)](https://github.com/envoyproxy/gateway/actions/workflows/trivy.yml) +![Envoy Gateway Logo](https://github.com/cncf/artwork/blob/main/projects/envoy/envoy-gateway/horizontal/color/envoy-gateway-horizontal-color.svg) + Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. [Gateway API](https://gateway-api.sigs.k8s.io) resources are used to dynamically provision and configure the managed Envoy Proxies. From 652f6ba3c8ad36cccf6a3d52d9ee39f018bf7db2 Mon Sep 17 00:00:00 2001 From: sh2 Date: Sun, 29 Sep 2024 12:02:46 +0800 Subject: [PATCH 206/523] doc: update benchmark result (#4354) update brief benchmark report Signed-off-by: shawnh2 Co-authored-by: Xunzhuo --- site/content/en/contributions/DEVELOP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/contributions/DEVELOP.md b/site/content/en/contributions/DEVELOP.md index f972c547f57..c3d97284c60 100644 --- a/site/content/en/contributions/DEVELOP.md +++ b/site/content/en/contributions/DEVELOP.md 
@@ -163,7 +163,7 @@ the detailed benchmark report, namely `benchmark_report.zip`. Here are some brief benchmark reports about Envoy Gateway: -- It will take up nearly 1.3GiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings +- It will take up nearly 550MiB memory and 11s total CPU time for (1 GatewayClass + 1 Gateway + 500 HTTRoutes) settings [Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/latest/user/quickstart.md From 6edf452e4d7b5f1ae6d21e8e54dcce3b1d9ef5db Mon Sep 17 00:00:00 2001 From: Isaac <10012479+jukie@users.noreply.github.com> Date: Sat, 28 Sep 2024 22:03:37 -0600 Subject: [PATCH 207/523] feat: add priorityClassName support to helm chart (#4357) * Add priorityClassName support to helm chart Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * fix Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * actually fix Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * format Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --------- Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> Co-authored-by: Xunzhuo --- charts/gateway-helm/README.md | 1 + .../templates/envoy-gateway-deployment.yaml | 3 + charts/gateway-helm/values.tmpl.yaml | 1 + .../en/latest/install/gateway-helm-api.md | 1 + .../zh/latest/install/gateway-helm-api.md | 1 + .../deployment-priorityclass.in.yaml | 7 + .../deployment-priorityclass.out.yaml | 571 ++++++++++++++++++ 7 files changed, 585 insertions(+) create mode 100644 test/helm/gateway-helm/deployment-priorityclass.in.yaml create mode 100644 test/helm/gateway-helm/deployment-priorityclass.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 2ef1455c1dc..4cf7e69965c 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -91,6 +91,7 @@ To uninstall the chart: | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index af5cd116961..0be895fe76f 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -94,6 +94,9 @@ spec: name: certs readOnly: true {{- include "eg.image.pullSecrets" . | nindent 6 }} + {{- with .Values.deployment.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} serviceAccountName: envoy-gateway terminationGracePeriodSeconds: 10 volumes: diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 2bce089d2dc..35651076f53 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -49,6 +49,7 @@ deployment: - name: metrics port: 19001 targetPort: 19001 + priorityClassName: null replicas: 1 pod: affinity: {} diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 2b0f8e24d6a..5fcc06db40a 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md 
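Review bot: In the envoy-gateway-deployment.yaml hunk, `.Values.deployment.priorityClassName` is read from the top level of `deployment`, while the values.tmpl.yaml hunk of this commit shows other pod-level settings under `deployment.pod` (the `pod:` map with `affinity`). Since `priorityClassName` is a pod spec field, `{{- with .Values.deployment.pod.priorityClassName }}` would keep the pod scheduling settings in one place, and the key is easier to move now than after a release. The rest of the Deployment template lies outside the hunk, so how the existing `deployment.pod` values are consumed cannot be confirmed from here.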
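Review bot: In the values.tmpl.yaml hunk, `priorityClassName: null` is added without a description, and the README.md and gateway-helm-api.md rows added in this commit have an empty description column. I'd put a comment above the key, e.g. `# -- Name of an existing PriorityClass for the Envoy Gateway pod; the chart does not create it.` (the `# --` form assumes these tables are generated by helm-docs, which the table layout suggests). The comment should also say that a name with no matching PriorityClass gets the pod rejected at admission. It is also worth noting that a `system-*` class, such as the `system-cluster-critical` used in the test fixture, lets the controller preempt lower-priority workloads and should be a deliberate choice.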
@@ -55,6 +55,7 @@ The Helm chart for Envoy Gateway | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 2b0f8e24d6a..5fcc06db40a 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md @@ -55,6 +55,7 @@ The Helm chart for Envoy Gateway | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | diff --git a/test/helm/gateway-helm/deployment-priorityclass.in.yaml b/test/helm/gateway-helm/deployment-priorityclass.in.yaml new file mode 100644 index 00000000000..f5dbd6afc49 --- /dev/null +++ b/test/helm/gateway-helm/deployment-priorityclass.in.yaml @@ -0,0 +1,7 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + priorityClassName: system-cluster-critical diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml new file mode 100644 index 00000000000..d3648d443d9 --- /dev/null +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml 
@@ -0,0 +1,571 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + 
app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - create + - get + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: 
gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: 
gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + priorityClassName: "system-cluster-critical" + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: 
gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + 
imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 From 3b9ab70a1859033d48f9c154b6eef1222d300580 Mon Sep 17 00:00:00 2001 From: Isaac <10012479+jukie@users.noreply.github.com> Date: Sat, 28 Sep 2024 22:04:14 -0600 Subject: [PATCH 208/523] feat: Add service annotations to helm chart (#4359) * Add service annotations to helm chart Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * fix Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * actually fix Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * newline Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --------- Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- charts/gateway-helm/README.md | 1 + .../templates/envoy-gateway-service.yaml | 4 + charts/gateway-helm/values.tmpl.yaml | 3 + .../en/latest/install/gateway-helm-api.md | 1 + .../zh/latest/install/gateway-helm-api.md | 1 + .../gateway-helm/service-annotations.in.yaml | 8 + .../gateway-helm/service-annotations.out.yaml | 572 ++++++++++++++++++ 7 files changed, 590 insertions(+) create mode 100644 test/helm/gateway-helm/service-annotations.in.yaml create mode 100644 test/helm/gateway-helm/service-annotations.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 4cf7e69965c..a352ad78899 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -101,4 +101,5 @@ To uninstall the chart: | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/charts/gateway-helm/templates/envoy-gateway-service.yaml b/charts/gateway-helm/templates/envoy-gateway-service.yaml index 099129477f7..39b30ea6710 100644 --- a/charts/gateway-helm/templates/envoy-gateway-service.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-service.yaml @@ -3,6 +3,10 @@ kind: Service metadata: name: envoy-gateway namespace: '{{ .Release.Namespace }}' + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: control-plane: envoy-gateway {{- include "eg.labels" . | nindent 4 }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 35651076f53..a06f9f232ba 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -61,6 +61,9 @@ deployment: tolerations: [] nodeSelector: {} +service: + annotations: {} + config: envoyGateway: gateway: diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 5fcc06db40a..937a74452ab 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -65,4 +65,5 @@ The Helm chart for Envoy Gateway | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 5fcc06db40a..937a74452ab 100644 --- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md 
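Review bot: `service.annotations` in the `envoy-gateway-service.yaml` hunk is passed through `toYaml` unchanged, and neither that hunk nor the `values.tmpl.yaml` hunk documents what the annotations land on. The Service in question is the control-plane one that publishes the grpc (18000), ratelimit (18001), wasm (18002) and metrics (19001) ports, and annotations on a Service are commonly what cloud or mesh controllers read to decide load-balancer and exposure behaviour. A comment above the key would help, for example `# Annotations for the envoy-gateway control-plane Service; values must be strings, so quote booleans and numbers.` The quoting matters because an unquoted `true` or `8080` in values is rendered as a non-string scalar, which the API server rejects for annotations.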
@@ -65,4 +65,5 @@ The Helm chart for Envoy Gateway | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/test/helm/gateway-helm/service-annotations.in.yaml b/test/helm/gateway-helm/service-annotations.in.yaml new file mode 100644 index 00000000000..0149c11c51f --- /dev/null +++ b/test/helm/gateway-helm/service-annotations.in.yaml @@ -0,0 +1,8 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +service: + annotations: + this: that diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml new file mode 100644 index 00000000000..97f39cd0bea --- /dev/null +++ b/test/helm/gateway-helm/service-annotations.out.yaml 
@@ -0,0 +1,572 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + 
app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - create + - get + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: 
gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + annotations: + this: that + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + 
app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 From b91f296667badbf45f2fc6d7a342bde1f96ae082 Mon Sep 17 00:00:00 2001 From: sh2 Date: Sun, 29 Sep 2024 12:08:14 +0800 Subject: [PATCH 209/523] feat: enable local validations for egctl translate and file provider (#4257) * add crds into gatewayapi resources embed Signed-off-by: shawnh2 * add create strategy for crds Signed-off-by: shawnh2 * add validations for kubernetesYAMLToResources and kind support for type-meta Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 * add unit test for create strategy map Signed-off-by: shawnh2 * fix cannot load strings full of comments Signed-off-by: shawnh2 * load crds from literal string instead of embed file Signed-off-by: shawnh2 * add egctl x validate command Signed-off-by: shawnh2 * use kubectl-validate as local validator and gateway-crds as embed string Signed-off-by: shawnh2 * fix gen-check Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 * fix ci and add some tests Signed-off-by: shawnh2 * rm copy of gateway_crds.yaml Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 --------- 
Signed-off-by: shawnh2 Co-authored-by: Xunzhuo --- embed.go | 52 ++++++ examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 +- go.mod | 16 +- go.sum | 57 ++++++- internal/cmd/egctl/experimental.go | 1 + .../translate/in/default-resources.yaml | 1 + .../translate/out/default-resources.all.yaml | 8 +- .../out/echo-gateway-api.cluster.yaml | 4 +- .../translate/out/echo-gateway-api.route.json | 2 + .../out/from-gateway-api-to-xds.all.json | 4 +- .../out/from-gateway-api-to-xds.all.yaml | 4 +- .../out/from-gateway-api-to-xds.route.yaml | 4 +- .../translate/out/invalid-envoyproxy.all.yaml | 7 +- ...-single-route-single-match-to-xds.all.json | 2 +- ...-single-route-single-match-to-xds.all.yaml | 2 +- ...ingle-route-single-match-to-xds.route.yaml | 2 +- .../translate/out/multiple-xds.route.json | 4 +- .../out/no-service-cluster-ip.all.yaml | 2 +- .../translate/out/quickstart.all.yaml | 4 +- .../translate/out/quickstart.route.yaml | 2 +- .../out/rejected-http-route.route.yaml | 4 +- .../translate/out/valid-envoyproxy.all.yaml | 5 +- .../testdata/validate/invalid-resources.yaml | 161 ++++++++++++++++++ internal/cmd/egctl/translate.go | 2 +- internal/cmd/egctl/validate.go | 71 ++++++++ internal/cmd/egctl/validate_test.go | 94 ++++++++++ internal/gatewayapi/resource/fs.go | 73 ++++++++ internal/gatewayapi/resource/fs_test.go | 46 +++++ internal/gatewayapi/resource/load.go | 118 ++++++++----- internal/gatewayapi/resource/load_test.go | 39 +++++ internal/gatewayapi/resource/validator.go | 30 ++++ .../gatewayapi/resource/validator_test.go | 31 ++++ internal/provider/file/resources.go | 2 +- 34 files changed, 787 insertions(+), 73 deletions(-) create mode 100644 embed.go create mode 100644 internal/cmd/egctl/testdata/validate/invalid-resources.yaml create mode 100644 internal/cmd/egctl/validate.go create mode 100644 internal/cmd/egctl/validate_test.go create mode 100644 internal/gatewayapi/resource/fs.go create mode 100644 
internal/gatewayapi/resource/fs_test.go create mode 100644 internal/gatewayapi/resource/load_test.go create mode 100644 internal/gatewayapi/resource/validator.go create mode 100644 internal/gatewayapi/resource/validator_test.go diff --git a/embed.go b/embed.go new file mode 100644 index 00000000000..97f2e3bf547 --- /dev/null +++ b/embed.go @@ -0,0 +1,52 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package envoygateway + +import ( + "bytes" + _ "embed" +) + +var ( + //go:embed charts/gateway-helm/crds/gatewayapi-crds.yaml + gatewayAPICRDs []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml + backendCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml + backendTrafficPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml + clientTrafficPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml + envoyExtensionPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml + envoyPatchPolicyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml + envoyProxyCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml + httpRouteFilterCRD []byte + + //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml + securityPolicyCRD []byte +) + +var GatewayCRDs = bytes.Join([][]byte{ + gatewayAPICRDs, + backendCRD, + backendTrafficPolicyCRD, + clientTrafficPolicyCRD, + envoyExtensionPolicyCRD, + envoyPatchPolicyCRD, + envoyProxyCRD, + httpRouteFilterCRD, + securityPolicyCRD, +}, []byte("")) 
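Review bot: `GatewayCRDs` at the end of embed.go is built with `bytes.Join(..., []byte(""))`, so the result is a well-formed multi-document YAML stream only if every embedded file brings its own `---` separator and trailing newline, which cannot be checked from this hunk. If one generated CRD file ever lacks them, two manifests would run together, and since the commit message describes these CRDs as the schema source for local validation, the affected kinds could fail to load or go unvalidated. The exported variable also has no doc comment, and as a package-level `[]byte` it can be modified by any importer. I would state the contract on the declaration, for example `// GatewayCRDs is the concatenated Gateway API and Envoy Gateway CRD manifests; each embedded file must start with "---" and end with a newline. Treat as read-only.`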
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 5ca8291fb47..1773677910e 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -39,7 +39,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + k8s.io/utils v0.0.0-20240821151609-f90d01438635 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index f3cec6685eb..08a287612b0 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -129,8 +129,8 @@ k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= +k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= diff --git a/go.mod b/go.mod index 14123a45a32..95048fa0a59 100644 --- a/go.mod +++ b/go.mod 
@@ -54,7 +54,7 @@ require ( k8s.io/cli-runtime v0.31.1 k8s.io/client-go v0.31.1 k8s.io/kubectl v0.31.1 - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 + k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.0 sigs.k8s.io/gateway-api v1.1.0 sigs.k8s.io/mcs-api v0.1.0 @@ -65,6 +65,7 @@ require ( github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.102.0 google.golang.org/grpc v1.66.2 + sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) require ( @@ -84,6 +85,7 @@ require ( github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.12.5 // indirect + github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/apparentlymart/go-cidr v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect @@ -100,6 +102,7 @@ require ( github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect github.com/containers/ocicrypt v1.2.0 // indirect github.com/containers/storage v1.55.0 // indirect + github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect @@ -123,6 +126,7 @@ require ( github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/gosuri/uitable v0.0.4 // indirect + github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect 
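Review bot: The new direct requirement `sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263` in the `@@ -65,6 +65,7 @@` hunk is a pseudo-version, so it pins an untagged commit rather than a release, and nothing in the hunk records why. The later go.mod hunks show it also brings in a fair number of new indirect modules (the etcd client packages, `konnectivity-client`, `NYTimes/gziphandler`, `otelgrpc`), which enlarges what dependency scanning and updates must cover for what appears to be a CLI validation feature. I would annotate the line, e.g. `// pinned to an untagged commit; move to a tagged release when one is available`, and track the follow-up so the pin does not go stale.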
@@ -133,6 +137,7 @@ require ( github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/kortschak/goroutine v1.1.2 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -176,7 +181,7 @@ require ( github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.7.0 // indirect github.com/spf13/viper v1.19.0 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/sylabs/sif/v2 v2.18.0 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect @@ -190,8 +195,14 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect + go.etcd.io/etcd/api/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect + go.etcd.io/etcd/client/v3 v3.5.14 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect golang.org/x/crypto v0.27.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect @@ -200,6 +211,7 @@ require ( k8s.io/metrics v0.31.1 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect ) require ( 
diff --git a/go.sum b/go.sum index d82408060a0..eb3a20fa051 100644 --- a/go.sum +++ b/go.sum @@ -71,6 +71,8 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0= github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= @@ -150,6 +152,8 @@ github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8Nz github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= 
@@ -206,6 +210,8 @@ github.com/dominikbraun/graph v0.23.0 h1:TdZB4pPqCLFxYhdyMFb1TBdFxp8XLcJfTTBQucV github.com/dominikbraun/graph v0.23.0/go.mod h1:yOjYyogZLY1LSG9E33JWZJiq5k83Qy2C6POAuiViluc= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= @@ -343,6 +349,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= +github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= 
@@ -429,9 +437,14 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJr github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= +github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -469,6 +482,8 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= +github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= @@ -740,6 +755,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= +github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= 
@@ -765,8 +782,8 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= -github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= -github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= @@ -805,6 +822,8 @@ github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+F github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs0= github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= 
@@ -826,6 +845,7 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= 
@@ -836,7 +856,24 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0= +go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0= +go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU= +go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ= +go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI= +go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8= +go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg= +go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg= +go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk= +go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M= +go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0= +go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA= +go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw= +go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok= +go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ= go.mongodb.org/mongo-driver v1.0.3/go.mod 
h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= @@ -845,6 +882,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= 
@@ -1039,6 +1078,8 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= @@ -1080,6 +1121,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= 
@@ -1142,6 +1185,8 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= +k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= 
@@ -1152,13 +1197,15 @@ k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= +k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= 
@@ -1168,6 +1215,8 @@ sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWU sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= +sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 h1:ju7xWt2VnWuZPh0ffWJtsC40ki1BW/pLy6DZRyoEB30= +sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263/go.mod h1:ex3aZREdgXoEH7+v6azT7Xm0J9rpWIDr1micQCzdomY= sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= diff --git a/internal/cmd/egctl/experimental.go b/internal/cmd/egctl/experimental.go index 70f46650ff3..9af7e76f04a 100644 --- a/internal/cmd/egctl/experimental.go +++ b/internal/cmd/egctl/experimental.go @@ -29,6 +29,7 @@ func newExperimentalCommand() *cobra.Command { experimentalCommand.AddCommand(newInstallCommand()) experimentalCommand.AddCommand(newUnInstallCommand()) experimentalCommand.AddCommand(newCollectCommand()) + experimentalCommand.AddCommand(newValidateCommand()) return experimentalCommand } diff --git a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml index 1cdb52f993a..13476a405eb 100644 --- a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml +++ b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml @@ -1,3 +1,4 @@ +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 963a856e5bf..df12da2e2c1 100644 
--- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -178,6 +178,7 @@ envoyProxyForGatewayClass: logging: {} status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -197,7 +198,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default @@ -1133,7 +1135,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -1164,7 +1166,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index 3d88f20f51d..f88b74ed0c4 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -1,4 +1,5 @@ gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -13,7 +14,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json index 41dfd6683e7..f069c670afb 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.route.json @@ -1,5 +1,6 @@ { "gatewayClass": { + "kind": "GatewayClass", "metadata": { "name": "eg", "namespace": "envoy-gateway-system", @@ -22,6 +23,7 @@ }, "gateways": [ { + "kind": "Gateway", "metadata": { "name": "eg", "namespace": "envoy-gateway-system", 
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 55437eba8ab..81f8f2b8c3d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -1034,7 +1034,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "http" @@ -1092,7 +1092,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "grpc" diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 1bad66a8512..d4ceef84de2 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -614,7 +614,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -645,7 +645,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml index 2163c6fb6bf..8ef62d3bf70 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: http @@ -44,7 +44,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: default sectionName: grpc 
diff --git a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml index 81df01be9e4..bd4ac1d198d 100644 --- a/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml @@ -1,4 +1,5 @@ envoyProxyForGatewayClass: + kind: EnvoyProxy metadata: creationTimestamp: null name: example @@ -6,7 +7,7 @@ envoyProxyForGatewayClass: spec: bootstrap: type: Replace - value: |- + value: | admin: access_log: - name: envoy.access_loggers.file @@ -20,6 +21,7 @@ envoyProxyForGatewayClass: logging: {} status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -39,7 +41,8 @@ gatewayClass: status: "False" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index d79048a75cc..782775f605f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -575,7 +575,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "envoy-gateway-system", "sectionName": "http" diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index bed4d0036ea..7579be57f5f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml 
@@ -339,7 +339,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml index 7e8a1adeed0..bac80f6e5d3 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json b/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json index 335fffb6d41..7748851144e 100644 --- a/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json +++ b/internal/cmd/egctl/testdata/translate/out/multiple-xds.route.json @@ -18,7 +18,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg", "namespace": "default", "sectionName": "http" @@ -81,7 +81,7 @@ "envoy-gateway": { "resources": [ { - "kind": "", + "kind": "Gateway", "name": "eg2", "namespace": "default", "sectionName": "http" diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 0ed9f3e6893..e6e91b9ec45 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -280,7 +280,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http 
diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index 9f9515e8e58..de96e757e8e 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -1,5 +1,6 @@ gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system @@ -99,6 +100,7 @@ xdsIR: - '*' isHTTP2: false metadata: + kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml index a9149572285..7043ed9a5b7 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.route.yaml @@ -13,7 +13,7 @@ xds: filterMetadata: envoy-gateway: resources: - - kind: "" + - kind: Gateway name: eg namespace: envoy-gateway-system sectionName: http diff --git a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml b/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml index c578d14aef5..18e5910acc2 100644 --- a/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml +++ b/internal/cmd/egctl/testdata/translate/out/rejected-http-route.route.yaml @@ -1,4 +1,5 @@ gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -13,7 +14,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: envoy-gateway-system diff --git a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml index 638390ff440..fe1b452f291 100644 --- a/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml 
+++ b/internal/cmd/egctl/testdata/translate/out/valid-envoyproxy.all.yaml @@ -1,4 +1,5 @@ envoyProxyForGatewayClass: + kind: EnvoyProxy metadata: creationTimestamp: null name: example @@ -13,6 +14,7 @@ envoyProxyForGatewayClass: type: Kubernetes status: {} gatewayClass: + kind: GatewayClass metadata: creationTimestamp: null name: eg @@ -32,7 +34,8 @@ gatewayClass: status: "True" type: Accepted gateways: -- metadata: +- kind: Gateway + metadata: creationTimestamp: null name: eg namespace: default diff --git a/internal/cmd/egctl/testdata/validate/invalid-resources.yaml b/internal/cmd/egctl/testdata/validate/invalid-resources.yaml new file mode 100644 index 00000000000..b7815b10707 --- /dev/null +++ b/internal/cmd/egctl/testdata/validate/invalid-resources.yaml 
@@ -0,0 +1,161 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg1 + namespace: default +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 88888 # invalid port +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg2 + namespace: default +spec: + gatewayClassName: eg + listeners: + - name: tcp + protocol: TCP + port: 1234 + - name: tcp + protocol: TCP + port: 1234 + - name: tls-passthrough + protocol: TLS + port: 8443 + hostname: foo.com + tls: + mode: Passthrough + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + kinds: + - kind: HTTPRoute + group: gateway.networking.k8s.io + - name: grpc + protocol: HTTP + port: 8080 + allowedRoutes: + kinds: + - kind: GRPCRoute + group: gateway.networking.k8s.io +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: default +spec: + parentRefs: + - name: eg + hostnames: + - ".;'.';[]" + rules: + - backendRefs: + - group: "" + kind: Service + name: backend + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: ratelimit-patch-policy +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + # The listener name is of the form // + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/http_filters/0" + value: + name: "envoy.filters.http.ratelimit" + typed_config: + "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit" + domain: "eag-ratelimit" + failure_mode_deny: true + timeout: 1s + rate_limit_service: + grpc_service: 
+ envoy_grpc: + cluster_name: rate-limit-cluster + transport_api_version: V3 + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + # The route name is of the form // + name: default/eg/http + operation: + op: add + path: "/virtual_hosts/0/rate_limits" + value: + - actions: + - remote_address: {} + - type: "type.googleapis.com/envoy.config.cluster.v3.Cluster" + name: rate-limit-cluster + operation: + op: add + path: "" + value: + name: rate-limit-cluster + type: STRICT_DNS + connect_timeout: 10s + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + load_assignment: + cluster_name: rate-limit-cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit.svc.cluster.local + port_value: 8081 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-1 + namespace: default +spec: + endpoints: + - ip: + address: a.b.c.d + port: 3001 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-2 + namespace: default +spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + - unix: + path: test.sock + - fqdn: + hostname: foo.bar + port: 8080 diff --git a/internal/cmd/egctl/translate.go b/internal/cmd/egctl/translate.go index 25811d600c3..7be07c4cfe2 100644 --- a/internal/cmd/egctl/translate.go +++ b/internal/cmd/egctl/translate.go @@ -224,7 +224,7 @@ func translate(w io.Writer, inFile, inType string, outTypes []string, output, re if inType == gatewayAPIType { // Unmarshal input - resources, err := resource.LoadResourcesFromYAMLString(string(inBytes), addMissingResources) + resources, err := resource.LoadResourcesFromYAMLBytes(inBytes, addMissingResources) if err != nil { return fmt.Errorf("unable to unmarshal input: %w", err) } diff --git a/internal/cmd/egctl/validate.go b/internal/cmd/egctl/validate.go new file mode 100644 index 00000000000..faae65bdd4a --- /dev/null +++ b/internal/cmd/egctl/validate.go 
@@ -0,0 +1,71 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package egctl
+
+import (
+ "bytes"
+ "fmt"
+ "io"
+
+ "github.com/spf13/cobra"
+
+ "github.com/envoyproxy/gateway/internal/gatewayapi/resource"
+)
+
+func newValidateCommand() *cobra.Command {
+ var inFile string
+
+ validateCommand := &cobra.Command{
+ Use: "validate",
+ Short: "Validate Gateway API Resources from the given file, return all the errors if got any.",
+ Example: ` # Validate Gateway API Resources
+ egctl x validate -f
+`,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ if len(inFile) == 0 {
+ return fmt.Errorf("-f/--file must be specified")
+ }
+
+ return runValidate(cmd.OutOrStdout(), inFile)
+ },
+ }
+
+ validateCommand.PersistentFlags().StringVarP(&inFile, "file", "f", "", "Location of input file.")
+ if err := validateCommand.MarkPersistentFlagRequired("file"); err != nil {
+ return nil
+ }
+
+ return validateCommand
+}
+
+func runValidate(w io.Writer, inFile string) error {
+ inBytes, err := getInputBytes(inFile)
+ if err != nil {
+ return fmt.Errorf("unable to read input file: %w", err)
+ }
+
+ noErr := true
+ _ = resource.IterYAMLBytes(inBytes, func(yamlByte []byte) error {
+ // Passing each resource as YAML string and get all their errors from local validator.
+ _, err = resource.LoadResourcesFromYAMLBytes(yamlByte, false)
+ if err != nil {
+ noErr = false
+ yamlRows := bytes.Split(yamlByte, []byte("\n"))
+ if len(yamlRows) > 6 {
+ yamlRows = append(yamlRows[:6], []byte("..."))
+ }
+ _, err = fmt.Fprintf(w, "%s\n%s\n\n",
+ bytes.Join(yamlRows, []byte("\n")), err.Error())
+ }
+ return nil
+ })
+
+ if noErr {
+ _, err = fmt.Fprintln(w, "\033[32mOK\033[0m")
+ }
+
+ return err
+}
diff --git a/internal/cmd/egctl/validate_test.go b/internal/cmd/egctl/validate_test.go
new file mode 100644
index 00000000000..c71342e0fcb
--- /dev/null
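Review bot: `runValidate` reports success to its caller even when resources fail validation: the closure overwrites the outer `err` with the result of `fmt.Fprintf`, the callback always returns nil, and the result of `resource.IterYAMLBytes` is dropped with `_ =`, so the command exits 0 unless a write fails. For a command that is likely to be used as a gate in a pipeline this is fail-open; consider `if !noErr { return errors.New("validation failed") }` after the loop and `if err := resource.IterYAMLBytes(...); err != nil { return err }` instead of discarding the iterator error. `TestRunValidate` in validate_test.go asserts `require.NoError` for the invalid fixture, so it would have to change with this. Separately, `newValidateCommand` returns nil when `MarkPersistentFlagRequired` fails, which the caller (not visible here) would need to guard against.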
+++ b/internal/cmd/egctl/validate_test.go 
@@ -0,0 +1,94 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package egctl
+
+import (
+ "bytes"
+ "context"
+ "io"
+ "path"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestRunValidate(t *testing.T) {
+ testCases := []struct {
+ name string
+ output string
+ }{
+ {
+ name: "invalid-resources",
+ output: `apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg1
+ namespace: default
+spec:
+...
+local validation error: Gateway.gateway.networking.k8s.io "eg1" is invalid: spec.listeners[0].port: Invalid value: 88888: spec.listeners[0].port in body should be less than or equal to 65535
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg2
+ namespace: default
+spec:
+...
+local validation error: Gateway.gateway.networking.k8s.io "eg2" is invalid: [spec.listeners[1]: Duplicate value: map[string]interface {}{"name":"tcp"}, spec.listeners: Invalid value: "array": Listener name must be unique within the Gateway, spec.listeners: Invalid value: "array": Combination of port, protocol and hostname must be unique for each listener]
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: backend
+ namespace: default
+spec:
+...
+local validation error: HTTPRoute.gateway.networking.k8s.io "backend" is invalid: spec.hostnames[0]: Invalid value: ".;'.';[]": spec.hostnames[0] in body should match '^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
+
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+ name: backend-1
+ namespace: default
+spec:
+...
+local validation error: Backend.gateway.envoyproxy.io "backend-1" is invalid: spec.endpoints[0].ip.address: Invalid value: "a.b.c.d": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'
+
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+ name: backend-2
+ namespace: default
+spec:
+...
+local validation error: Backend.gateway.envoyproxy.io "backend-2" is invalid: spec.endpoints: Invalid value: "array": fqdn addresses cannot be mixed with other address types
+
+`,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ b := bytes.NewBufferString("")
+ root := newValidateCommand()
+ root.SetOut(b)
+ root.SetErr(b)
+ args := []string{
+ "--file",
+ path.Join("testdata", "validate", tc.name+".yaml"),
+ }
+
+ root.SetArgs(args)
+ err := root.ExecuteContext(context.Background())
+ require.NoError(t, err)
+
+ out, err := io.ReadAll(b)
+ require.NoError(t, err)
+ require.Equal(t, tc.output, string(out))
+ })
+ }
+}
diff --git a/internal/gatewayapi/resource/fs.go b/internal/gatewayapi/resource/fs.go
new file mode 100644
index 00000000000..09fdcb1ab20
--- /dev/null
+++ b/internal/gatewayapi/resource/fs.go
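Review bot: The table in `TestRunValidate` holds only the failing fixture, so the success branch of `runValidate` is never exercised; that branch writes `\033[32mOK\033[0m`, raw ANSI colour codes, to whatever writer the command was given, including a pipe or file. Add a case with a valid fixture, for example `{name: "valid-resources", output: "\033[32mOK\033[0m\n"}` with a matching testdata file (name constructed here for illustration), so that a change to the success output or to what counts as valid is caught.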
@@ -0,0 +1,73 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package resource
+
+import (
+ "bytes"
+ "io"
+ "io/fs"
+ "time"
+
+ "github.com/envoyproxy/gateway" // nolint:goimports
+)
+
+var (
+ // gatewayCRDsFS is a virtual/mocked FS used for OpenAPI client.
+ gatewayCRDsFS = memGatewayCRDsFS{}
+
+ _ fs.FS = memGatewayCRDsFS{}
+ _ fs.ReadDirFile = memGatewayCRDsFile{}
+ _ fs.FileInfo = memGatewayCRDsFileInfo{}
+ _ fs.DirEntry = memGatewayCRDsDirEntry{}
+)
+
+// memGatewayCRDsFS is a mocked fs.FS for OpenAPI to read gatewayCRDs from.
+type memGatewayCRDsFS struct{}
+
+func (m memGatewayCRDsFS) Open(_ string) (fs.File, error) {
+ return &memGatewayCRDsFile{}, nil
+}
+
+// memGatewayCRDsFile is mocked fs.ReadDirFile for memGatewayCRDsFS.
+type memGatewayCRDsFile struct{}
+
+func (m memGatewayCRDsFile) Stat() (fs.FileInfo, error) {
+ return &memGatewayCRDsFileInfo{}, nil
+}
+
+func (m memGatewayCRDsFile) Close() error {
+ return nil
+}
+
+func (m memGatewayCRDsFile) Read(b []byte) (int, error) {
+ fi, _ := m.Stat()
+ if int64(len(b)) >= fi.Size() {
+ return bytes.NewReader(envoygateway.GatewayCRDs).Read(b)
+ }
+ return 0, io.EOF
+}
+
+func (m memGatewayCRDsFile) ReadDir(_ int) ([]fs.DirEntry, error) {
+ return []fs.DirEntry{&memGatewayCRDsDirEntry{}}, nil
+}
+
+// memGatewayCRDsDirEntry is a mocked fs.DirEntry for memGatewayCRDsFile.
+type memGatewayCRDsDirEntry struct {
+ memGatewayCRDsFileInfo
+}
+
+func (m memGatewayCRDsDirEntry) Type() fs.FileMode { return 0o444 }
+func (m memGatewayCRDsDirEntry) Info() (fs.FileInfo, error) { return &memGatewayCRDsFileInfo{}, nil }
+
+// memGatewayCRDsFileInfo is a mocked fs.FileInfo for memGatewayCRDsFile.
+type memGatewayCRDsFileInfo struct{}
+
+func (m memGatewayCRDsFileInfo) Name() string { return "gateway-crds.yaml" }
+func (m memGatewayCRDsFileInfo) Size() int64 { return int64(len(envoygateway.GatewayCRDs)) }
+func (m memGatewayCRDsFileInfo) Mode() fs.FileMode { return 0o444 }
+func (m memGatewayCRDsFileInfo) ModTime() time.Time { return time.Now() }
+func (m memGatewayCRDsFileInfo) IsDir() bool { return false }
+func (m memGatewayCRDsFileInfo) Sys() any { return nil }
diff --git a/internal/gatewayapi/resource/fs_test.go b/internal/gatewayapi/resource/fs_test.go
new file mode 100644
index 00000000000..c8742a02c84
--- /dev/null
+++ b/internal/gatewayapi/resource/fs_test.go
@@ -0,0 +1,46 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package resource
+
+import (
+ "io/fs"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/envoyproxy/gateway" // nolint:goimports
+)
+
+func TestOpenAndReadGatewayCRDsFS(t *testing.T) {
+ crds, err := gatewayCRDsFS.Open("")
+ require.NoError(t, err)
+ defer crds.Close()
+
+ buf := make([]byte, len(envoygateway.GatewayCRDs))
+ cur, err := crds.Read(buf)
+ require.NoError(t, err)
+ require.Positive(t, cur)
+}
+
+func TestReadGatewayCRDsDirFS(t *testing.T) {
+ dirEntries, err := fs.ReadDir(gatewayCRDsFS, ".")
+ require.NoError(t, err)
+ require.Len(t, dirEntries, 1)
+
+ dirEntry := dirEntries[0]
+ require.Equal(t, fs.FileMode(0o444), dirEntry.Type())
+
+ fileInfo, err := dirEntry.Info()
+ require.NoError(t, err)
+ require.Equal(t, "gateway-crds.yaml", fileInfo.Name())
+ require.NotNil(t, fileInfo.ModTime())
+ require.Nil(t, fileInfo.Sys())
+ require.False(t, fileInfo.IsDir())
+
+ fileBytes, err := fs.ReadFile(gatewayCRDsFS, fileInfo.Name())
+ require.NoError(t, err)
+ require.Equal(t, fileInfo.Size(), int64(len(fileBytes)))
+}
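Review bot: `memGatewayCRDsFile.Read` in fs.go keeps no read position: each call builds a new `bytes.Reader` over the whole payload, returns `0, io.EOF` when the caller's buffer is smaller than the file, and otherwise returns the full content again without ever signalling end of file. The `fs.ReadFile` call in fs_test.go sizes its buffer from `Stat`, which is presumably why the test passes, but a consumer reading in fixed-size chunks would get empty content with no error, leaving the local validator without schemas instead of failing visibly; how the OpenAPI client reads the file is not visible here. Holding one reader per `Open`, as sketched below, gives standard `io.Reader` behaviour. In the same file `Type()` returns `0o444`, which are permission bits, where `fs.DirEntry.Type` is expected to return only the type bits (`Mode().Type()`), and fs_test.go pins that value.

```go
func (m memGatewayCRDsFS) Open(_ string) (fs.File, error) {
	return &memGatewayCRDsFile{r: bytes.NewReader(envoygateway.GatewayCRDs)}, nil
}

// memGatewayCRDsFile is mocked fs.ReadDirFile for memGatewayCRDsFS.
type memGatewayCRDsFile struct {
	// r carries the read position for this open file.
	r *bytes.Reader
}

// … unchanged: Stat, Close …

func (m memGatewayCRDsFile) Read(b []byte) (int, error) {
	return m.r.Read(b)
}
```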
diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 317ad93418c..2445a459c74 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -6,14 +6,18 @@ package resource import ( + "bufio" + "bytes" + "errors" "fmt" + "io" "reflect" - "strings" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/sets" + utilyaml "k8s.io/apimachinery/pkg/util/yaml" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/yaml" @@ -21,18 +25,16 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) const dummyClusterIP = "1.2.3.4" -// LoadResourcesFromYAMLString will load Resources from given Kubernetes YAML string. -// TODO: This function should be able to process arbitrary number of resources, -// -// tracked by https://github.com/envoyproxy/gateway/issues/3207 -func LoadResourcesFromYAMLString(yamlStr string, addMissingResources bool) (*Resources, error) { - // TODO(sh2): Add local validations - r, err := kubernetesYAMLToResources(yamlStr, addMissingResources) +// LoadResourcesFromYAMLBytes will load Resources from given Kubernetes YAML string. +// TODO: This function should be able to process arbitrary number of resources, tracked by https://github.com/envoyproxy/gateway/issues/3207. +func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Resources, error) { + r, err := loadKubernetesYAMLToResources(yamlBytes, addMissingResources) if err != nil { return nil, err } 
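Review bot: The doc comment on `LoadResourcesFromYAMLBytes` still says "YAML string" although the parameter is now `[]byte`, and it does not say that loading now runs local schema validation (added in the next hunk), so callers such as the file provider can receive a `local validation error` for input that previously loaded. Suggested wording: `// LoadResourcesFromYAMLBytes loads Resources from Kubernetes YAML bytes. Documents in the Envoy Gateway and Gateway API groups are validated locally first; the first failure is returned.` The function body continues into the following hunk.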
@@ -40,48 +42,57 @@ func LoadResourcesFromYAMLString(yamlStr string, addMissingResources bool) (*Res return r, nil } -// kubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. -func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources, error) { +// loadKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. +// TODO: add support for kind: +// - Backend (gateway.envoyproxy.io/v1alpha1) +// - EnvoyExtensionPolicy (gateway.envoyproxy.io/v1alpha1) +// - HTTPRouteFilter (gateway.envoyproxy.io/v1alpha1) +// - BackendLPPolicy (gateway.networking.k8s.io/v1alpha2) +// - BackendTLSPolicy (gateway.networking.k8s.io/v1alpha3) +// - ReferenceGrant (gateway.networking.k8s.io/v1alpha2) +// - TLSRoute (gateway.networking.k8s.io/v1alpha2) +func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Resources, error) { resources := NewResources() var useDefaultNamespace bool providedNamespaceMap := sets.New[string]() requiredNamespaceMap := sets.New[string]() - yamls := strings.Split(str, "\n---") combinedScheme := envoygateway.GetScheme() - for _, y := range yamls { - if strings.TrimSpace(y) == "" { - continue - } + + if err := IterYAMLBytes(input, func(yamlByte []byte) error { var obj map[string]interface{} - err := yaml.Unmarshal([]byte(y), &obj) + err := yaml.Unmarshal(yamlByte, &obj) if err != nil { - return nil, err + return err } un := unstructured.Unstructured{Object: obj} gvk := un.GroupVersionKind() name, namespace := un.GetName(), un.GetNamespace() - if namespace == "" { - // When kubectl applies a resource in yaml which doesn't have a namespace, - // the current namespace is applied. Here we do the same thing before translating - // the GatewayAPI resource. 
Otherwise, the resource can't pass the namespace validation + if len(namespace) == 0 { useDefaultNamespace = true namespace = config.DefaultNamespace } + // Perform local validation for gateway-api related resources only. + if gvk.Group == egv1a1.GroupName || gvk.Group == gwapiv1.GroupName { + if err = defaultValidator.Validate(yamlByte); err != nil { + return fmt.Errorf("local validation error: %w", err) + } + } + requiredNamespaceMap.Insert(namespace) kobj, err := combinedScheme.New(gvk) if err != nil { - return nil, err + return err } err = combinedScheme.Convert(&un, kobj, nil) if err != nil { - return nil, err + return err } objType := reflect.TypeOf(kobj) if objType.Kind() != reflect.Ptr { - return nil, fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) + return fmt.Errorf("expected pointer type, but got %s", objType.Kind().String()) } kobjVal := reflect.ValueOf(kobj).Elem() spec := kobjVal.FieldByName("Spec") @@ -90,6 +101,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindEnvoyProxy: typedSpec := spec.Interface() envoyProxy := &egv1a1.EnvoyProxy{ + TypeMeta: metav1.TypeMeta{ + Kind: KindEnvoyProxy, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, @@ -101,6 +115,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindGatewayClass: typedSpec := spec.Interface() gatewayClass := &gwapiv1.GatewayClass{ + TypeMeta: metav1.TypeMeta{ + Kind: KindGatewayClass, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, @@ -115,6 +132,9 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources case KindGateway: typedSpec := spec.Interface() gateway := &gwapiv1.Gateway{ + TypeMeta: metav1.TypeMeta{ + Kind: KindGateway, + }, ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, 
@@ -213,12 +233,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() envoyPatchPolicy := &egv1a1.EnvoyPatchPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: egv1a1.KindEnvoyPatchPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: egv1a1.KindEnvoyPatchPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.EnvoyPatchPolicySpec), } @@ -227,12 +246,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() clientTrafficPolicy := &egv1a1.ClientTrafficPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindClientTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindClientTrafficPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.ClientTrafficPolicySpec), } @@ -241,12 +259,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() backendTrafficPolicy := &egv1a1.BackendTrafficPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindBackendTrafficPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindBackendTrafficPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.BackendTrafficPolicySpec), } @@ -255,12 +272,11 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources typedSpec := spec.Interface() securityPolicy := &egv1a1.SecurityPolicy{ TypeMeta: metav1.TypeMeta{ - Kind: KindSecurityPolicy, - APIVersion: egv1a1.GroupVersion.String(), + Kind: KindSecurityPolicy, }, ObjectMeta: metav1.ObjectMeta{ - Namespace: namespace, Name: name, + Namespace: namespace, }, Spec: typedSpec.(egv1a1.SecurityPolicySpec), } 
@@ -280,6 +296,10 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources } resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) } + + return nil + }); err != nil { + return nil, err } if useDefaultNamespace { @@ -352,7 +372,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources } } - // Add EnvoyProxy if it does not exist + // Add EnvoyProxy if it does not exist. if resources.EnvoyProxyForGatewayClass == nil { if err := addDefaultEnvoyProxy(resources); err != nil { return nil, err @@ -365,7 +385,7 @@ func kubernetesYAMLToResources(str string, addMissingResources bool) (*Resources func addMissingServices(requiredServices map[string]*corev1.Service, obj interface{}) { var objNamespace string - protocol := corev1.Protocol("TCP") + protocol := ir.TCPProtocolType var refs []gwapiv1.BackendRef switch route := obj.(type) { @@ -394,7 +414,7 @@ func addMissingServices(requiredServices map[string]*corev1.Service, obj interfa refs = append(refs, rule.BackendRefs...) } case *gwapiv1a2.UDPRoute: - protocol = "UDP" + protocol = ir.UDPProtocolType objNamespace = route.Namespace for _, rule := range route.Spec.Rules { refs = append(refs, rule.BackendRefs...) @@ -416,7 +436,7 @@ func addMissingServices(requiredServices map[string]*corev1.Service, obj interfa port := int32(*ref.Port) servicePort := corev1.ServicePort{ Name: fmt.Sprintf("%s-%d", protocol, port), - Protocol: protocol, + Protocol: corev1.Protocol(protocol), Port: port, } if service, found := requiredServices[key]; !found { 
@@ -480,3 +500,21 @@ func addDefaultEnvoyProxy(resources *Resources) error { } return nil } + +// IterYAMLBytes iters every valid YAML resource from YAML bytes +// and process each of them by calling `handle` callback. +func IterYAMLBytes(input []byte, handle func([]byte) error) error { + reader := utilyaml.NewYAMLReader(bufio.NewReader(bytes.NewBuffer(input))) + for { + yamlBytes, err := reader.Read() + if errors.Is(err, io.EOF) || len(yamlBytes) == 0 { + break + } else if err != nil { + return err + } + if err = handle(yamlBytes); err != nil { + return err + } + } + return nil +} diff --git a/internal/gatewayapi/resource/load_test.go b/internal/gatewayapi/resource/load_test.go new file mode 100644 index 00000000000..df3629251e9 --- /dev/null +++ b/internal/gatewayapi/resource/load_test.go @@ -0,0 +1,39 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "testing" + + "github.com/stretchr/testify/require" + "sigs.k8s.io/yaml" +) + +func TestIterYAMLBytes(t *testing.T) { + inputs := `test: foo1 +--- +test: foo2 +--- +# This is comment. +test: foo3 +--- +--- +` + + names := make([]string, 0) + err := IterYAMLBytes([]byte(inputs), func(bytes []byte) error { + var obj map[string]string + err := yaml.Unmarshal(bytes, &obj) + require.NoError(t, err) + + if name, ok := obj["test"]; ok { + names = append(names, name) + } + return nil + }) + require.NoError(t, err) + require.ElementsMatch(t, names, []string{"foo1", "foo2", "foo3"}) +} diff --git a/internal/gatewayapi/resource/validator.go b/internal/gatewayapi/resource/validator.go new file mode 100644 index 00000000000..beac7564e2a --- /dev/null +++ b/internal/gatewayapi/resource/validator.go 
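Review bot: In `IterYAMLBytes` the test `errors.Is(err, io.EOF) || len(yamlBytes) == 0` ends the loop and returns nil whenever the reader yields no bytes, including when `err` is a non-EOF read error, so that error is never reported and the caller sees a clean end of input. Check the error before the length: `if errors.Is(err, io.EOF) { break }`, then `if err != nil { return err }`, then `if len(yamlBytes) == 0 { break }`. The doc comment could also state that iteration stops at the first error returned by `handle`.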
@@ -0,0 +1,30 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package resource
+
+import (
+ kvalidate "sigs.k8s.io/kubectl-validate/pkg/cmd"
+ "sigs.k8s.io/kubectl-validate/pkg/openapiclient"
+ "sigs.k8s.io/kubectl-validate/pkg/validator"
+)
+
+var defaultValidator = newDefaultValidator()
+
+// Validator is a local/offline Kubernetes resources validator.
+type Validator struct {
+ resolver *validator.Validator
+}
+
+// newDefaultValidator init a default validator for internal usage.
+func newDefaultValidator() *Validator {
+ factory, _ := validator.New(openapiclient.NewLocalCRDFiles(gatewayCRDsFS))
+ return &Validator{resolver: factory}
+}
+
+// Validate validates one Kubernetes resource.
+func (v Validator) Validate(content []byte) error {
+ return kvalidate.ValidateDocument(content, v.resolver)
+}
diff --git a/internal/gatewayapi/resource/validator_test.go b/internal/gatewayapi/resource/validator_test.go
new file mode 100644
index 00000000000..bbcd267dce3
--- /dev/null
+++ b/internal/gatewayapi/resource/validator_test.go
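Review bot: `newDefaultValidator` discards the second return value of `validator.New` (presumably an error), and it runs at package initialisation through `var defaultValidator`, so a failure to load the embedded CRDs leaves `resolver` unset with nothing reported. Every later `Validate` call would then run against a nil resolver; whether that panics or lets documents through unchecked depends on `kvalidate.ValidateDocument`, which is not visible here. Keep the construction error and return it from `Validate`, so that loading fails closed, as in the sketch below.

```go
// Validator is a local/offline Kubernetes resources validator.
type Validator struct {
	resolver *validator.Validator
	// initErr is the error from building resolver, reported by Validate.
	initErr error
}

// newDefaultValidator init a default validator for internal usage.
func newDefaultValidator() *Validator {
	factory, err := validator.New(openapiclient.NewLocalCRDFiles(gatewayCRDsFS))
	return &Validator{resolver: factory, initErr: err}
}

// Validate validates one Kubernetes resource.
func (v Validator) Validate(content []byte) error {
	if v.initErr != nil {
		return fmt.Errorf("local validator unavailable: %w", v.initErr)
	}
	return kvalidate.ValidateDocument(content, v.resolver)
}
```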
@@ -0,0 +1,31 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package resource + +import ( + "testing" + + "github.com/stretchr/testify/require" + "sigs.k8s.io/kubectl-validate/pkg/openapiclient" +) + +func TestNewOpenAPIClient(t *testing.T) { + apiClient := openapiclient.NewLocalCRDFiles(gatewayCRDsFS) + gvs, err := apiClient.Paths() + require.NoError(t, err) + + groups := make([]string, 0, len(gvs)) + for g := range gvs { + groups = append(groups, g) + } + require.ElementsMatch(t, groups, []string{ + "apis/gateway.envoyproxy.io/v1alpha1", + "apis/gateway.networking.k8s.io/v1", + "apis/gateway.networking.k8s.io/v1alpha2", + "apis/gateway.networking.k8s.io/v1alpha3", + "apis/gateway.networking.k8s.io/v1beta1", + }) +} diff --git a/internal/provider/file/resources.go b/internal/provider/file/resources.go index a89f3ae1686..ac80863f740 100644 --- a/internal/provider/file/resources.go +++ b/internal/provider/file/resources.go @@ -51,7 +51,7 @@ func loadFromFile(path string) (*resource.Resources, error) { return nil, err } - return resource.LoadResourcesFromYAMLString(string(bytes), false) + return resource.LoadResourcesFromYAMLBytes(bytes, false) } // loadFromDir loads resources from all the files under a specific directory excluding subdirectories. From 1f0b9ec52128e1450cbb1be11751483851bb1857 Mon Sep 17 00:00:00 2001 From: qi Date: Mon, 30 Sep 2024 09:11:14 +0800 Subject: [PATCH 210/523] chore: fix receivers & check ResourceRender implements. (#4344) * chore: fix receivers & check ResourceRender implements. Signed-off-by: qicz * fix lint Signed-off-by: qicz * fix lint Signed-off-by: qicz --------- Signed-off-by: qicz --- internal/infrastructure/kubernetes/infra.go | 6 ++++++ internal/ir/infra.go | 8 ++++---- internal/ir/xds.go | 14 +++++++------- 3 files changed, 17 insertions(+), 11 deletions(-) 
diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go index 6d90b3ac342..704c1bdfb62 100644 --- a/internal/infrastructure/kubernetes/infra.go +++ b/internal/infrastructure/kubernetes/infra.go @@ -17,8 +17,14 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" + "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" ) +var _ ResourceRender = &proxy.ResourceRender{} + +var _ ResourceRender = &ratelimit.ResourceRender{} + // ResourceRender renders Kubernetes infrastructure resources // based on Infra IR resources. type ResourceRender interface { diff --git a/internal/ir/infra.go b/internal/ir/infra.go index ae46560d534..8bf433785fb 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -30,13 +30,13 @@ type Infra struct { Proxy *ProxyInfra `json:"proxy" yaml:"proxy"` } -func (i Infra) YAMLString() string { - y, _ := yaml.Marshal(&i) +func (i *Infra) YAMLString() string { + y, _ := yaml.Marshal(i) return string(y) } -func (i Infra) JSONString() string { - j, _ := json.MarshalIndent(&i, "", "\t") +func (i *Infra) JSONString() string { + j, _ := json.MarshalIndent(i, "", "\t") return string(j) } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 8aefbd553ed..9750680f387 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -126,7 +126,7 @@ func (x *Xds) sort() { } // Validate the fields within the Xds structure. -func (x Xds) Validate() error { +func (x *Xds) Validate() error { var errs error for _, http := range x.HTTP { if err := http.Validate(); err != nil { @@ -146,7 +146,7 @@ func (x Xds) Validate() error { return errs } -func (x Xds) GetHTTPListener(name string) *HTTPListener { +func (x *Xds) GetHTTPListener(name string) *HTTPListener { for _, listener := range x.HTTP { if listener.Name == name { return listener 
@@ -155,7 +155,7 @@ func (x Xds) GetHTTPListener(name string) *HTTPListener { return nil } -func (x Xds) GetTCPListener(name string) *TCPListener { +func (x *Xds) GetTCPListener(name string) *TCPListener { for _, listener := range x.TCP { if listener.Name == name { return listener @@ -164,7 +164,7 @@ func (x Xds) GetTCPListener(name string) *TCPListener { return nil } -func (x Xds) GetUDPListener(name string) *UDPListener { +func (x *Xds) GetUDPListener(name string) *UDPListener { for _, listener := range x.UDP { if listener.Name == name { return listener @@ -173,18 +173,18 @@ func (x Xds) GetUDPListener(name string) *UDPListener { return nil } -func (x Xds) YAMLString() string { +func (x *Xds) YAMLString() string { y, _ := yaml.Marshal(x.Printable()) return string(y) } -func (x Xds) JSONString() string { +func (x *Xds) JSONString() string { j, _ := json.MarshalIndent(x.Printable(), "", "\t") return string(j) } // Printable returns a deep copy of the resource that can be safely logged. -func (x Xds) Printable() *Xds { +func (x *Xds) Printable() *Xds { out := x.DeepCopy() for _, listener := range out.HTTP { // Omit field From 13ba6ac59fd50252e209c08e5fc72df1ec28f94b Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 30 Sep 2024 11:40:55 +0800 Subject: [PATCH 211/523] helm: remove grafana testFramework (#4360) Signed-off-by: zirain --- charts/gateway-addons-helm/README.md | 1 + charts/gateway-addons-helm/values.yaml | 2 + .../latest/install/gateway-addons-helm-api.md | 1 + .../latest/install/gateway-addons-helm-api.md | 1 + .../helm/gateway-addons-helm/default.out.yaml | 72 ------------------- 5 files changed, 5 insertions(+), 72 deletions(-) diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index 43082172180..ccbd26b983d 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md 
@@ -84,6 +84,7 @@ To uninstall the chart: | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index fa98354c5f0..55a02b68255 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml @@ -10,6 +10,8 @@ grafana: type: prometheus url: http://prometheus adminPassword: admin + testFramework: + enabled: false service: type: LoadBalancer dashboardProviders: diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index 448aa91e504..a0ae0ed62f6 100644 --- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md @@ -63,6 +63,7 @@ An Add-ons Helm chart for Envoy Gateway | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index 448aa91e504..a0ae0ed62f6 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md 
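Review bot: The context lines of the values.yaml hunk show `adminPassword: admin` next to `service.type: LoadBalancer`, so a default install of the add-ons chart publishes Grafana on an external address with a well-known credential, and this change to the same `grafana` block leaves that as it is. Consider removing the fixed password (the Grafana chart generates one when `adminPassword` is unset, or it can be taken from a secret via `admin.existingSecret`) and defaulting the service to `type: ClusterIP`, leaving external exposure as an explicit opt-in. The README and site value tables in this commit would need regenerating if those defaults change.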
@@ -63,6 +63,7 @@ An Add-ons Helm chart for Envoy Gateway | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | diff --git a/test/helm/gateway-addons-helm/default.out.yaml b/test/helm/gateway-addons-helm/default.out.yaml index d349b1df810..f2fac1dfe09 100644 --- a/test/helm/gateway-addons-helm/default.out.yaml +++ b/test/helm/gateway-addons-helm/default.out.yaml 
@@ -10153,75 +10153,3 @@ spec: updateStrategy: type: RollingUpdate ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm - name: grafana-test - namespace: monitoring - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: grafana-test - namespace: monitoring - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm -data: - run.sh: |- - @test "Test Health" { - url="http://grafana/api/health" - - code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}') - [ "$code" == "200" ] - } ---- -# Source: gateway-addons-helm/charts/grafana/templates/tests/test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: grafana-test - labels: - helm.sh/chart: grafana-8.0.0 - app.kubernetes.io/name: grafana - app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "11.0.0" - app.kubernetes.io/managed-by: Helm - annotations: - "helm.sh/hook": test-success - "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" - namespace: monitoring -spec: - serviceAccountName: grafana-test - containers: - - name: gateway-addons-helm-test - image: "docker.io/bats/bats:v1.4.1" - imagePullPolicy: "IfNotPresent" - command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] - volumeMounts: - - mountPath: 
/tests - name: tests - readOnly: true - volumes: - - name: tests - configMap: - name: grafana-test - restartPolicy: Never From fe1e8bd4cce5ba8e0a5c933705587c2c3aca4fd0 Mon Sep 17 00:00:00 2001 From: qi Date: Mon, 30 Sep 2024 11:55:07 +0800 Subject: [PATCH 212/523] bugfix: ignore some unnecessary requests to apiserver. (#4362) Signed-off-by: qicz Co-authored-by: zirain --- internal/infrastructure/kubernetes/infra.go | 4 ++ .../kubernetes/infra_resource.go | 40 +++++++++++++ .../kubernetes/proxy/resource_provider.go | 58 +++++++++++++++---- .../kubernetes/ratelimit/resource_provider.go | 25 ++++++++ 4 files changed, 116 insertions(+), 11 deletions(-) diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go index 704c1bdfb62..fed1f17cbe7 100644 --- a/internal/infrastructure/kubernetes/infra.go +++ b/internal/infrastructure/kubernetes/infra.go @@ -33,9 +33,13 @@ type ResourceRender interface { Service() (*corev1.Service, error) ConfigMap() (*corev1.ConfigMap, error) Deployment() (*appsv1.Deployment, error) + DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) DaemonSet() (*appsv1.DaemonSet, error) + DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) + HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) + PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) } // Infra manages the creation and deletion of Kubernetes infrastructure diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index bf32ecfd127..9966f5ebdd4 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go 
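Review bot: The four `*Spec()` methods added to `ResourceRender` have no doc comments, yet the guards added in `infra_resource.go` rely on an unwritten contract: a nil spec means "skip this resource kind", and the returned error is only looked at when the spec is nil. I would state that on the interface, e.g. `// DeploymentSpec returns the configured Deployment settings; nil means none are configured and the caller skips the resource.`, with matching comments on the other three. Implementations then need to return a nil spec whenever they return an error, because the `cfg == nil { return er }` guards would otherwise drop it.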
@@ -90,6 +90,11 @@ func (i *Infra) createOrUpdateConfigMap(ctx context.Context, r ResourceRender) ( // createOrUpdateDeployment creates a Deployment in the kube api server based on the provided // ResourceRender, if it doesn't exist and updates it if it does. func (i *Infra) createOrUpdateDeployment(ctx context.Context, r ResourceRender) (err error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return er + } + var ( deployment *appsv1.Deployment startTime = time.Now() @@ -166,6 +171,11 @@ func (i *Infra) createOrUpdateDeployment(ctx context.Context, r ResourceRender) // createOrUpdateDaemonSet creates a DaemonSet in the kube api server based on the provided // ResourceRender, if it doesn't exist and updates it if it does. func (i *Infra) createOrUpdateDaemonSet(ctx context.Context, r ResourceRender) (err error) { + // If daemonset config is nil, ignore DaemonSet. + if daemonSetConfig, er := r.DaemonSetSpec(); daemonSetConfig == nil { + return er + } + var ( daemonSet *appsv1.DaemonSet startTime = time.Now() @@ -248,6 +258,11 @@ func isSelectorMatch(labelselector *metav1.LabelSelector, l map[string]string) ( } func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r ResourceRender) (err error) { + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget, er := r.PodDisruptionBudgetSpec(); podDisruptionBudget == nil { + return er + } + var ( pdb *policyv1.PodDisruptionBudget startTime = time.Now() 
@@ -285,6 +300,11 @@ func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r Resourc // the provided ResourceRender, if it doesn't exist and updates it if it does, // and delete hpa if not set. func (i *Infra) createOrUpdateHPA(ctx context.Context, r ResourceRender) (err error) { + // If hpa config is nil, ignore HorizontalPodAutoscaler. + if hpaConfig, er := r.HorizontalPodAutoscalerSpec(); hpaConfig == nil { + return er + } + var ( hpa *autoscalingv2.HorizontalPodAutoscaler startTime = time.Now() @@ -380,6 +400,11 @@ func (i *Infra) deleteServiceAccount(ctx context.Context, r ResourceRender) (err // deleteDeployment deletes the Envoy Deployment in the kube api server, if it exists. func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace deployment = &appsv1.Deployment{ @@ -410,6 +435,11 @@ func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err err // deleteDaemonSet deletes the Envoy DaemonSet in the kube api server, if it exists. func (i *Infra) deleteDaemonSet(ctx context.Context, r ResourceRender) (err error) { + // If daemonset config is nil, ignore DaemonSet. + if daemonSetConfig, er := r.DaemonSetSpec(); daemonSetConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace daemonSet = &appsv1.DaemonSet{ 
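Review bot: The guard added at the top of `createOrUpdateHPA` returns as soon as `HorizontalPodAutoscalerSpec()` is nil, but the function's own doc comment promises to "delete hpa if not set"; unless that deletion happens somewhere else, an HPA created under an earlier config would now stay in the cluster after `EnvoyHpa` is removed. The same guard in `deleteDeployment` and `deleteDaemonSet` on this line, and in `deleteHPA` and `deletePDB` in the following hunks, has the same shape: the delete is skipped exactly when the config has been dropped, which looks like the case a delete exists for. The function bodies lie outside the hunks, so this needs checking against the full file. If confirmed, the create path should fall through to the delete on a nil spec after the error check, e.g. `if hpaConfig == nil { return i.deleteHPA(ctx, r) }`, and the delete functions should skip only for renderers that can never have owned the object.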
@@ -500,6 +530,11 @@ func (i *Infra) deleteService(ctx context.Context, r ResourceRender) (err error) // deleteHpa deletes the Horizontal Pod Autoscaler associated to its renderer, if it exists. func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { + // If hpa config is nil, ignore HorizontalPodAutoscaler. + if hpaConfig, er := r.HorizontalPodAutoscalerSpec(); hpaConfig == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace hpa = &autoscalingv2.HorizontalPodAutoscaler{ @@ -530,6 +565,11 @@ func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { // deletePDB deletes the PodDistribution budget associated to its renderer, if it exists. func (i *Infra) deletePDB(ctx context.Context, r ResourceRender) (err error) { + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget, er := r.PodDisruptionBudgetSpec(); podDisruptionBudget == nil { + return er + } + var ( name, ns = r.Name(), i.Namespace pdb = &policyv1.PodDisruptionBudget{ diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 27edd2949b3..768ed7514ba 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -205,8 +205,8 @@ func (r *ResourceRender) stableSelector() *metav1.LabelSelector { return resource.GetSelector(envoyLabels(labels)) } -// Deployment returns the expected Deployment based on the provided infra. -func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { +// DeploymentSpec returns the `Deployment` sets spec. +func (r *ResourceRender) DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) { proxyConfig := r.infra.GetProxyConfig() // Get the EnvoyProxy config to configure the deployment. 
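Review bot: The doc comment introduced for `DeploymentSpec` in the `@@ -205,8` hunk, "returns the `Deployment` sets spec", is hard to parse and does not say what a nil result or an error means. The later hunks repeat the same wording for `DaemonSetSpec`, `PodDisruptionBudgetSpec` and `HorizontalPodAutoscalerSpec`. Something like `// DeploymentSpec returns the EnvoyDeployment settings of the EnvoyProxy Kubernetes provider, or nil if none are set; it errors on a non-Kubernetes provider.` would describe what the code visibly does. The body of `DeploymentSpec` continues into the next hunk.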
@@ -214,13 +214,21 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } + deploymentConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDeployment - // If deployment config is nil, it's not Deployment installation. + return deploymentConfig, nil +} + +// Deployment returns the expected Deployment based on the provided infra. +func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { + deploymentConfig, er := r.DeploymentSpec() + // If deployment config is nil,ignore Deployment. if deploymentConfig == nil { - return nil, nil + return nil, er } + proxyConfig := r.infra.GetProxyConfig() // Get expected bootstrap configurations rendered ProxyContainers containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) if err != nil { @@ -286,6 +294,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { deployment.ObjectMeta.Name = r.Name() } + provider := proxyConfig.GetEnvoyProxyProvider() + // omit the deployment replicas if HPA is being set if provider.GetEnvoyProxyKubeProvider().EnvoyHpa != nil { deployment.Spec.Replicas = nil @@ -299,7 +309,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { return deployment, nil } -func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { +// DaemonSetSpec returns the `DaemonSet` sets spec. +func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { proxyConfig := r.infra.GetProxyConfig() // Get the EnvoyProxy config to configure the daemonset. 
@@ -308,13 +319,18 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } - daemonSetConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDaemonSet + return provider.GetEnvoyProxyKubeProvider().EnvoyDaemonSet, nil +} - // If daemonset config is nil, it's not DaemonSet installation. +func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { + daemonSetConfig, err := r.DaemonSetSpec() + // If daemonset config is nil, ignore DaemonSet. if daemonSetConfig == nil { - return nil, nil + return nil, err } + proxyConfig := r.infra.GetProxyConfig() + // Get expected bootstrap configurations rendered ProxyContainers containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) if err != nil { @@ -369,7 +385,8 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return daemonSet, nil } -func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { +// PodDisruptionBudgetSpec returns the `PodDisruptionBudget` sets spec. +func (r *ResourceRender) PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) { provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) @@ -380,6 +397,16 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e return nil, nil } + return podDisruptionBudget, nil +} + +func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { + podDisruptionBudget, er := r.PodDisruptionBudgetSpec() + // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. + if podDisruptionBudget == nil { + return nil, er + } + return &policyv1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ Name: r.Name(), 
@@ -396,15 +423,22 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e }, nil } -func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { +// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. +func (r *ResourceRender) HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) { provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() if provider.Type != egv1a1.ProviderTypeKubernetes { return nil, fmt.Errorf("invalid provider type %v for Kubernetes infra manager", provider.Type) } hpaConfig := provider.GetEnvoyProxyKubeProvider().EnvoyHpa + return hpaConfig, nil +} + +func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { + hpaConfig, err := r.HorizontalPodAutoscalerSpec() + // If hpa config is nil, ignore HorizontalPodAutoscaler. if hpaConfig == nil { - return nil, nil + return nil, err } hpa := &autoscalingv2.HorizontalPodAutoscaler{ @@ -430,6 +464,8 @@ func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPod }, } + provider := r.infra.GetProxyConfig().GetEnvoyProxyProvider() + // set deployment target ref name deploymentConfig := provider.GetEnvoyProxyKubeProvider().EnvoyDeployment if deploymentConfig.Name != nil { diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index e7519bb2569..63767efb034 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go 
@@ -183,8 +183,18 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) { return sa, nil } +// DeploymentSpec returns the `Deployment` sets spec. +func (r *ResourceRender) DeploymentSpec() (*egv1a1.KubernetesDeploymentSpec, error) { + return r.rateLimitDeployment, nil +} + // Deployment returns the expected rate limit Deployment based on the provided infra. func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { + // If deployment config is nil,ignore Deployment. + if deploymentConfig, er := r.DeploymentSpec(); deploymentConfig == nil { + return nil, er + } + containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace) labels := rateLimitLabels() selector := resource.GetSelector(labels) @@ -270,15 +280,30 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { return deployment, nil } +// DaemonSetSpec returns the `DaemonSet` sets spec. +func (r *ResourceRender) DaemonSetSpec() (*egv1a1.KubernetesDaemonSetSpec, error) { + return nil, nil +} + // TODO: implement this method func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { return nil, nil } +// HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. +func (r *ResourceRender) HorizontalPodAutoscalerSpec() (*egv1a1.KubernetesHorizontalPodAutoscalerSpec, error) { + return nil, nil +} + func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPodAutoscaler, error) { return nil, nil } +// PodDisruptionBudgetSpec returns the `PodDisruptionBudget` sets spec. +func (r *ResourceRender) PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisruptionBudgetSpec, error) { + return nil, nil +} + func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { return nil, nil } From 4b8c2f56dc45534c42b6513b126082f49a009658 Mon Sep 17 00:00:00 2001 
From: zirain Date: Mon, 30 Sep 2024 14:05:04 +0800 Subject: [PATCH 213/523] chore: correct eg namespace (#4365) --- test/e2e/tests/utils.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index 4196172246a..53aeb8b96a7 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -686,9 +686,9 @@ func createTagsQueryParam(tags map[string]string) (string, error) { // CollectAndDump collects and dumps the cluster data for troubleshooting and log. // This function should be call within t.Cleanup. func CollectAndDump(t *testing.T, rest *rest.Config) { - result := tb.CollectResult(context.TODO(), rest, "", "envoy-gateway") + result := tb.CollectResult(context.TODO(), rest, "", "envoy-gateway-system") for r, data := range result { - tlog.Logf(t, "filename: %s", r) - tlog.Logf(t, "data: \n%s", data) + tlog.Logf(t, "\nfilename: %s", r) + tlog.Logf(t, "\ndata: \n%s", data) } } From bb7f9f807cf814aa1f70f5587ee61a9abfa37b6e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:28:03 -0700 Subject: [PATCH 214/523] build(deps): bump github.com/urfave/cli/v2 from 2.27.2 to 2.27.4 in /examples/extension-server (#4372) build(deps): bump github.com/urfave/cli/v2 in /examples/extension-server Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.27.2 to 2.27.4. - [Release notes](https://github.com/urfave/cli/releases) - [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/urfave/cli/compare/v2.27.2...v2.27.4) --- updated-dependencies: - dependency-name: github.com/urfave/cli/v2 dependency-type: direct:production update-type: version-update:semver-patch ... 
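Review bot: With the namespace corrected to `envoy-gateway-system`, `CollectAndDump` presumably now writes real control-plane data verbatim to the test log through `tlog.Logf`, so it is worth confirming that what `tb.CollectResult` gathers holds no Secret or credential material before it lands in CI output; the collector is not visible in this hunk. The doc comment could record that, e.g. `// The collected data is written to the test log unredacted.` Separately, the namespace is a string literal here; a named constant shared across the e2e suite would prevent the mismatch this commit fixes.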
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 4 ++-- examples/extension-server/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 1773677910e..dfa9b6ee15b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -5,7 +5,7 @@ go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 - github.com/urfave/cli/v2 v2.27.2 + github.com/urfave/cli/v2 v2.27.4 google.golang.org/grpc v1.67.0 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 @@ -30,7 +30,7 @@ require ( github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect + github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.25.0 // indirect golang.org/x/text v0.18.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 08a287612b0..6a0a34ad222 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -64,12 +64,12 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI= -github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM= +github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8= +github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw= -github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= From 869671e0050454eabdbbeb3a5bd78c3f51c968ec Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:28:24 -0700 Subject: [PATCH 215/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.102.0 to 0.105.1 (#4371) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.102.0 to 0.105.1. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.102.0...v0.105.1) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 95048fa0a59..5d576eff30c 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.102.0 + github.com/replicatedhq/troubleshoot v0.105.1 google.golang.org/grpc v1.66.2 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) @@ -132,7 +132,7 @@ require ( github.com/huandu/xstrings v1.5.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect - github.com/jackc/pgx/v5 v5.7.0 // indirect + github.com/jackc/pgx/v5 v5.7.1 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect diff --git a/go.sum b/go.sum index eb3a20fa051..bd17cf24a9b 100644 --- a/go.sum +++ b/go.sum 
@@ -474,10 +474,10 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.7.0 h1:FG6VLIdzvAPhnYqP14sQ2xhFLkiUQHCs6ySqO91kF4g= -github.com/jackc/pgx/v5 v5.7.0/go.mod h1:awP1KNnjylvpxHuHP63gzjhnGkI1iw+PMoIwvoleN/8= -github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= -github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs= +github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= 
@@ -715,8 +715,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.102.0 h1:qPuLdio9JnZHXQ+ah1uJDbkZyh5gR9NEM88aZBkQyq0= -github.com/replicatedhq/troubleshoot v0.102.0/go.mod h1:zw25eyvPPj6SUnoVGEUjFzWOlhH097UeJgakWLDYo9k= +github.com/replicatedhq/troubleshoot v0.105.1 h1:nNZHVqRxMjHlpJfbQEwHLalpWmPac2pUiZ9pk01c2/g= +github.com/replicatedhq/troubleshoot v0.105.1/go.mod h1:WqquTbNHLnZiSWsu6Mzo3rwez5kZ/A+1Hq4K/yq0HBo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From 6e4e12b53058024e20426e19b669bcc97572e074 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:30:32 -0700 Subject: [PATCH 216/523] build(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#4366) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.8 to 3.26.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/294a9d92911152fe08befb9ec03e240add280cb3...461ef6c76dfe95d5c364de2f431ddbd31a417628) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 90ad9f95da5..3334fdb5ef3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/autobuild@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9c574f263df..e7b6da4c2bb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8 + uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 with: sarif_file: results.sarif From 9e4fa47157e1aa92521d2a17a6251486d5ad880b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:31:18 -0700 Subject: [PATCH 217/523] build(deps): bump distroless/static from `dcd3f1f` to `26f9b99` in /tools/docker/envoy-gateway (#4368) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `dcd3f1f` to `26f9b99`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 2f30eec5468..6aa42f4998b 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:dcd3f1f09adef5689088c9c4d96a8d98c889d8281d3946145074f89eafe7e1af +FROM gcr.io/distroless/static:nonroot@sha256:26f9b99f2463f55f20db19feb4d96eb88b056e0f1be7016bb9296a464a89d772 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib From c1c1c19b5831be5c955962ce924a58984193d9ba Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:31:50 -0700 Subject: [PATCH 218/523] build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#4367) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 18 +++++++++--------- .github/workflows/codeql.yml | 2 +- .github/workflows/docs.yaml | 4 ++-- .../workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 4 ++-- .github/workflows/license-scan.yml | 2 +- .github/workflows/release.yaml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/trivy.yml | 2 +- 9 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index c00cb2e3211..b0bc2968188 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` 
@@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,7 +48,7 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # test @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries @@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -116,7 +116,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries 
@@ -143,7 +143,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +170,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3334fdb5ef3..3639ea5dfaa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index c30624a0493..57a8868ff7a 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: ${{ github.event.pull_request.head.sha }} @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index b45c7b8bf97..281bdbca9ae 100644 
--- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 09a88ab41d5..875e0a508e5 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 055050bcec0..1a9459389b4 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@f0e6719deb666cd19a0b56bc56d01161bd848b4f # v1.8.5 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d173a875bf0..48de6eb9489 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,7 +50,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Extract Release Tag and Commit SHA id: vars diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e7b6da4c2bb..f3075f3ebd5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: persist-credentials: false diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 24570e7f064..21c50d56902 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build an image from Dockerfile run: | From ffe029b576eef5a500058bbad3b461ac489083a3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:32:37 -0700 Subject: [PATCH 219/523] build(deps): bump the go-opentelemetry-io group across 1 directory with 2 updates (#4369) Bumps the go-opentelemetry-io group with 2 updates in the / directory: [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) and [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 5d576eff30c..19b329d910c 100644 --- a/go.mod +++ b/go.mod 
@@ -35,8 +35,8 @@ require ( github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.9.3 go.opentelemetry.io/otel v1.30.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 go.opentelemetry.io/otel/exporters/prometheus v0.52.0 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 go.opentelemetry.io/otel/metric v1.30.0 @@ -280,7 +280,7 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index bd17cf24a9b..d67318c05d3 100644 --- a/go.sum +++ b/go.sum 
@@ -888,10 +888,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIX go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0 h1:k6fQVDQexDE+3jG2SfCQjnHS7OamcP73YMoxEVq5B6k= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.29.0/go.mod h1:t4BrYLHU450Zo9fnydWlIuswB1bm7rM8havDpWOJeDo= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0 h1:xvhQxJ/C9+RTnAj5DpTg7LSM1vbbMTiXt7e9hsfqHNw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.29.0/go.mod h1:Fcvs2Bz1jkDM+Wf5/ozBGmi3tQ/c9zPKLnsipnfhGAo= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 h1:WypxHH02KX2poqqbaadmkMYalGyy/vil4HE4PM4nRJc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0/go.mod h1:U79SV99vtvGSEBeeHnpgGJfTsnsdkWLpPN/CcHAzBSI= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 h1:VrMAbeJz4gnVDg2zEzjHG4dEH86j4jO6VYB+NgtGD8s= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0/go.mod h1:qqN/uFdpeitTvm+JDqqnjm517pmQRYxTORbETHq5tOc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= 
@@ -1080,8 +1080,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= From db1f437e09d1810755920d45f543919f8497055f Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 1 Oct 2024 09:05:43 +0800 Subject: [PATCH 220/523] [Gateway API 1.2.0] Upgrade Gateway API to 1.2.0-rc2 (#4270) * upgrade Gateway API to 1.2.0 Signed-off-by: Huabing Zhao * fix build Signed-off-by: Huabing Zhao * refactory Signed-off-by: Huabing Zhao * skip infrastrucure conformance test Signed-off-by: Huabing Zhao * fix multiple gc test Signed-off-by: Huabing Zhao * fix upgrage test Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao * fix license scan Signed-off-by: Huabing Zhao * fix license scan 
Signed-off-by: Huabing Zhao * use 1.1.2 as the previous version for upgrade test Signed-off-by: Huabing Zhao * fix upgrade test Signed-off-by: Huabing Zhao * upgrade to gateway api v1.2.0-rc2 Signed-off-by: Huabing Zhao * fix license check Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- charts/gateway-helm/crds/gatewayapi-crds.yaml | 5357 ++++------------- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 +- go.mod | 2 +- go.sum | 4 +- internal/gatewayapi/conformance/suite.go | 28 +- .../gatewayapi/conformance/support_level.go | 18 +- internal/gatewayapi/helpers.go | 1 + internal/gatewayapi/route.go | 6 +- internal/gatewayapi/status/gatewayclass.go | 13 +- .../gatewayapi/status/gatewayclass_test.go | 49 +- osv-scanner.toml | 7 + test/e2e/e2e_test.go | 2 +- .../e2e/merge_gateways/merge_gateways_test.go | 2 +- test/e2e/multiple_gc/multiple_gc_test.go | 6 +- test/e2e/tests/eg_upgrade.go | 8 +- test/e2e/upgrade/eg_upgrade_test.go | 2 +- 17 files changed, 1112 insertions(+), 4399 deletions(-) diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml index 8a50a1fa26a..f19c1adb3b4 100644 --- a/charts/gateway-helm/crds/gatewayapi-crds.yaml +++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml @@ -24,9 +24,11 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null + labels: + gateway.networking.k8s.io/policy: Direct name: backendlbpolicies.gateway.networking.k8s.io spec: group: gateway.networking.k8s.io 
@@ -77,7 +79,6 @@ spec: SessionPersistence defines and configures session persistence for the backend. - Support: Extended properties: absoluteTimeout: @@ -86,7 +87,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -95,7 +95,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -107,20 +106,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -133,7 +128,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -144,7 +138,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -155,10 +148,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie 
@@ -168,8 +159,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' targetRefs: description: |- TargetRef identifies an API object to apply policy to. @@ -228,27 +219,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -260,7 +246,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -269,28 +254,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -307,7 +287,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -317,14 +296,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -334,7 +310,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -344,7 +319,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -352,12 +326,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -365,7 +337,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -376,7 +347,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -386,18 +356,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -406,7 +373,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -417,7 +383,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -425,12 +390,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -440,7 +403,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -453,18 +415,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -506,12 +458,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -534,15 +481,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -581,7 +525,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: 
@@ -631,6 +575,29 @@ spec: spec: description: Spec defines the desired state of BackendTLSPolicy. properties: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object targetRefs: description: |- TargetRefs identifies an API object to apply the policy to. @@ -640,10 +607,8 @@ spec: by default, but this default may change in the future to provide a more granular application of the policy. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource items: description: |- @@ -653,7 +618,6 @@ spec: mode works, and a sample Policy resource, refer to the policy attachment documentation for Gateway API. - Note: This should only be used for direct policy attachment when references to SectionName are actually needed. In all other cases, LocalPolicyTargetReference should be used. 
@@ -680,12 +644,10 @@ spec: unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name - If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. @@ -710,26 +672,21 @@ spec: contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod. - If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertifcateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation. - References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future. - A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific. - Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). items: @@ -739,7 +696,6 @@ spec: The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. 
@@ -775,23 +731,84 @@ spec: Hostname is used for two purposes in the connection between Gateways and backends: - 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). - 2. Hostname MUST be used for authentication and MUST match the certificate - served by the matching backend. - + 2. If SubjectAltNames is not specified, Hostname MUST be used for + authentication and MUST match the certificate served by the matching + backend. Support: Core maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string + subjectAltNames: + description: |- + SubjectAltNames contains one or more Subject Alternative Names. + When specified, the certificate served from the backend MUST have at least one + Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Core + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array wellKnownCACertificates: description: |- WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod. - If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an @@ -799,7 +816,6 @@ spec: supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid. - Support: Implementation-specific enum: - System 
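Review bot: The new `subjectAltNames` field added to BackendTLSPolicy in this hunk changes which identity the gateway is expected to verify on the backend certificate, and nothing visible in this patch shows the controller honouring it. The diffstat lists no change to BackendTLSPolicy translation, so a policy that sets `subjectAltNames` (for example a SPIFFE URI) may be admitted by the API server while the data plane still validates only against `hostname`; this is inferred from the file list, since the Go code is outside this view. The reworded `hostname` description makes it the authentication name only when `subjectAltNames` is absent, so ignoring the list would verify a different peer identity than the operator declared. I would either translate the field in the same change or have the policy report `Accepted: False` when it is set, and say so in the PR description, e.g. `BackendTLSPolicy subjectAltNames and options are accepted by the CRD but not yet enforced`. The same concern applies to the `options` map added in the `@@ -631,6 +575,29 @@` hunk, which its description says may carry a minimum TLS version or cipher suites.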
@@ -832,27 +848,22 @@ spec: the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. - Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. - Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. - Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. - A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. - If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced @@ -864,7 +875,6 @@ spec: PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. - Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and 
@@ -873,28 +883,23 @@ spec: SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. - In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. - Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. - For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. - Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. - This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: @@ -911,7 +916,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -921,14 +925,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -938,7 +939,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -948,7 +948,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -956,12 +955,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -969,7 +966,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -980,7 +976,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -990,18 +985,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -1010,7 +1002,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -1021,7 +1012,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -1029,12 +1019,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -1044,7 +1032,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -1057,18 +1044,8 @@ spec: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- @@ -1110,12 +1087,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1138,15 +1110,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -1185,7 +1154,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io @@ -1223,7 +1192,6 @@ spec: GatewayClass describes a class of Gateways available to the user for creating Gateway resources. - It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not @@ -1232,13 +1200,11 @@ spec: If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. - GatewayClass is a Cluster level resource. properties: apiVersion: 
@@ -1266,13 +1232,10 @@ spec: ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. - Example: "example.net/gateway-controller". - This field is not mutable and cannot be empty. - Support: Core maxLength: 253 minLength: 1 @@ -1291,21 +1254,19 @@ spec: parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. - - If the referent cannot be found, the GatewayClass's "InvalidParameters" - status condition will be true. - + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -1346,13 +1307,12 @@ spec: conditions: - lastTransitionTime: "1970-01-01T00:00:00Z" message: Waiting for controller - reason: Waiting + reason: Pending status: Unknown type: Accepted description: |- Status defines the current state of GatewayClass. - Implementations MUST populate status on all GatewayClass resources which specify their controller name. properties: 
@@ -1367,20 +1327,11 @@ spec: Conditions is the current status from the controller for this GatewayClass. - Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition. items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1421,12 +1372,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1445,15 +1391,22 @@ spec: supportedFeatures: description: | SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order. + It MUST be sorted in ascending alphabetical order by the Name key. items: - description: |- - SupportedFeature is used to describe distinct features that are covered by - conformance tests. - type: string + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object maxItems: 64 type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec @@ -1483,7 +1436,6 @@ spec: GatewayClass describes a class of Gateways available to the user for creating Gateway resources. - It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not @@ -1492,13 +1444,11 @@ spec: If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. - Whenever one or more Gateways are using a GatewayClass, implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. - GatewayClass is a Cluster level resource. properties: apiVersion: @@ -1526,13 +1476,10 @@ spec: ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. - Example: "example.net/gateway-controller". - This field is not mutable and cannot be empty. - Support: Core maxLength: 253 minLength: 1 
@@ -1551,21 +1498,19 @@ spec: parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. - ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. - - If the referent cannot be found, the GatewayClass's "InvalidParameters" - status condition will be true. - + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: @@ -1606,13 +1551,12 @@ spec: conditions: - lastTransitionTime: "1970-01-01T00:00:00Z" message: Waiting for controller - reason: Waiting + reason: Pending status: Unknown type: Accepted description: |- Status defines the current state of GatewayClass. - Implementations MUST populate status on all GatewayClass resources which specify their controller name. properties: 
@@ -1627,20 +1571,11 @@ spec: Conditions is the current status from the controller for this GatewayClass. - Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition. items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -1681,12 +1616,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1705,15 +1635,22 @@ spec: supportedFeatures: description: | SupportedFeatures is the set of features the GatewayClass support. - It MUST be sorted in ascending alphabetical order. + It MUST be sorted in ascending alphabetical order by the Name key. items: - description: |- - SupportedFeature is used to describe distinct features that are covered by - conformance tests. - type: string + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object maxItems: 64 type: array - x-kubernetes-list-type: set + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec @@ -1737,7 +1674,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io @@ -1801,27 +1738,22 @@ spec: requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. - The Addresses field represents a request for the address(es) on the "outside of the Gateway", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. - If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. - The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. - Support: Extended - items: description: GatewayAddress describes an address that can be bound to a Gateway. 
@@ -1852,7 +1784,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 
@@ -1874,6 +1805,72 @@ spec: - message: Hostname values must be unique rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -1882,13 +1879,10 @@ spec: minLength: 1 type: string infrastructure: - description: |+ + description: |- Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Core - - + Support: Extended properties: annotations: additionalProperties: 
@@ -1903,56 +1897,74 @@ spec: description: |- Annotations that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. - An implementation may chose to add additional implementation-specific annotations as they see fit. - Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) labels: additionalProperties: description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. 
+ + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ type: string description: |- Labels that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - An implementation may chose to add additional implementation-specific labels as they see fit. + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) parametersRef: description: |- ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: 
@@ -1983,7 +1995,6 @@ spec: logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. - Each Listener in a set of Listeners (for example, in a single Gateway) MUST be _distinct_, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses "set of Listeners" rather than @@ -1991,42 +2002,32 @@ spec: from multiple Gateways onto a single data plane, and these rules _also_ apply in that case). - Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. - Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on their targeted conformance profile: - HTTP Profile - 1. HTTPRoute, Port: 80, Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - TLS Profile - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - "Distinct" Listeners have the following property: - The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. - For example, the following Listener scenarios are distinct: - 1. Multiple Listeners with the same Port that all use the "HTTP" Protocol that all have unique Hostname values. 2. Multiple Listeners with the same Port that use either the "HTTPS" or 
@@ -2034,45 +2035,37 @@ spec: 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener with the same Protocol has the same Port value. - Some fields in the Listener struct have possible values that affect whether the Listener is distinct. Hostname is particularly relevant for HTTP or HTTPS protocols. - When using the Hostname value to select between same-Port, same-Protocol Listeners, the Hostname value must be different on each Listener for the Listener to be distinct. - When the Listeners are distinct based on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes. - Exact matches must be processed before wildcard matches, and wildcard matches must be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. - The wildcard character will match any number of characters _and dots_ to the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. - If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the "Conflicted" condition in the Listener Status to "True". - Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. To put this another way, implementations may 
@@ -2082,7 +2075,6 @@ spec: Listener in this case, otherwise it violates the requirement that at least one Listener must be present. - The implementation MUST set a "ListenersNotValid" condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly @@ -2090,26 +2082,21 @@ spec: Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. - A Gateway's Listeners are considered "compatible" if: - 1. They are distinct. 2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses. - Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another. - For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. - Note that requests SHOULD match at most one Listener. For example, if Listeners are defined for "foo.example.com" and "*.example.com", a request to "foo.example.com" SHOULD only be routed using routes attached @@ -2117,11 +2104,9 @@ spec: This concept is known as "Listener Isolation". Implementations that do not support Listener Isolation MUST clearly document this. - Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. - Support: Core items: description: |- 
@@ -2137,12 +2122,10 @@ spec: Listener and the trusted namespaces where those Route resources MAY be present. - Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: - * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -2151,7 +2134,6 @@ spec: alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. - All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, @@ -2159,7 +2141,6 @@ spec: example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. - Support: Core properties: kinds: @@ -2168,14 +2149,12 @@ spec: to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the "ResolvedRefs" condition to False for this Listener with the "InvalidRouteKinds" reason. - Support: Core items: description: RouteGroupKind indicates the group and kind @@ -2205,7 +2184,6 @@ spec: Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. - Support: Core properties: from: 
@@ -2214,13 +2192,11 @@ spec: From indicates where Routes will be selected for this Gateway. Possible values are: - * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. - Support: Core enum: - All @@ -2233,7 +2209,6 @@ spec: only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of "From". - Support: Core properties: matchExpressions: @@ -2288,11 +2263,9 @@ spec: field is ignored for protocols that don't require hostname based matching. - Implementations MUST apply Hostname matching appropriately for each of the following protocols: - * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP @@ -2300,19 +2273,16 @@ spec: ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. - For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Support: Core maxLength: 253 minLength: 1 @@ -2323,7 +2293,6 @@ spec: Name is the name of the Listener. This name MUST be unique within a Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -2334,7 +2303,6 @@ spec: Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. - Support: Core format: int32 maximum: 65535 
@@ -2344,11 +2312,10 @@ spec: description: |- Protocol specifies the network protocol this listener expects to receive. - Support: Core maxLength: 255 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string tls: description: |- @@ -2356,15 +2323,12 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. - The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. - Support: Core properties: certificateRefs: 
@@ -2374,41 +2338,33 @@ spec: establish a TLS handshake for requests that match the hostname of the associated listener. - A single CertificateRef to a Kubernetes Secret has "Core" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. - References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the "ResolvedRefs" condition MUST be set to False for this listener with the "RefNotPermitted" reason. - This field is required to have at least one element when the mode is set to "Terminate" (default) and is optional otherwise. - CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Support: Implementation-specific (More than one reference or other resource types) items: description: |- SecretObjectReference identifies an API object including its namespace, defaulting to Secret. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -2439,13 +2395,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -2464,10 +2418,8 @@ spec: that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Extended - properties: caCertificateRefs: description: |- @@ -2476,21 +2428,17 @@ spec: the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. - A single CA certificate reference to a Kubernetes ConfigMap has "Core" support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific. - Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). - References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the @@ -2500,11 +2448,9 @@ spec: description: |- ObjectReference identifies an API object including its namespace. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -2533,13 +2479,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -2560,7 +2504,6 @@ spec: Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs @@ -2570,7 +2513,6 @@ spec: the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode. - Support: Core enum: - Terminate @@ -2591,13 +2533,11 @@ spec: configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. - A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. - Support: Implementation-specific maxProperties: 16 type: object @@ -2660,16 +2600,13 @@ spec: Addresses lists the network addresses that have been bound to the Gateway. - This list may differ from the addresses provided in the spec under some conditions: - * no addresses are specified, all addresses are dynamically assigned * a combination of specified and dynamic addresses are assigned * a specified address was unusable (e.g. already in use) - items: description: GatewayStatusAddress describes a network address that is bound to a Gateway. @@ -2700,7 +2637,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 
@@ -2730,30 +2666,19 @@ spec: description: |- Conditions describe the current conditions of the Gateway. - Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. - Known condition types are: - * "Accepted" * "Programmed" * "Ready" items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -2794,12 +2719,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -2826,7 +2746,6 @@ spec: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. - Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. A Route is successfully attached to @@ -2839,7 +2758,6 @@ spec: for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions. - Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. format: int32 @@ -2848,18 +2766,8 @@ spec: description: Conditions describe the current condition of this listener. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -2901,12 +2809,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -2935,7 +2838,6 @@ spec: listener. This MUST represent the kinds an implementation supports for that Listener configuration. - If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the "ResolvedRefs" condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -3028,27 +2930,22 @@ spec: requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. - The Addresses field represents a request for the address(es) on the "outside of the Gateway", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. - If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. - The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. - Support: Extended - items: description: GatewayAddress describes an address that can be bound to a Gateway. 
@@ -3079,7 +2976,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 
@@ -3101,6 +2997,72 @@ spec: - message: Hostname values must be unique rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object gatewayClassName: description: |- GatewayClassName used for this Gateway. This is the name of a @@ -3109,13 +3071,10 @@ spec: minLength: 1 type: string infrastructure: - description: |+ + description: |- Infrastructure defines infrastructure level attributes about this Gateway instance. - - Support: Core - - + Support: Extended properties: annotations: additionalProperties: 
@@ -3130,56 +3089,74 @@ spec: description: |- Annotations that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. - An implementation may chose to add additional implementation-specific annotations as they see fit. - Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) labels: additionalProperties: description: |- - AnnotationValue is the value of an annotation in Gateway API. This is used - for validation of maps such as TLS options. This roughly matches Kubernetes - annotation validation, although the length validation in that case is based - on the entire size of the annotations struct. - maxLength: 4096 + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. 
+ + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ type: string description: |- Labels that SHOULD be applied to any resources created in response to this Gateway. - For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. For other implementations, this refers to any relevant (implementation specific) "labels" concepts. - An implementation may chose to add additional implementation-specific labels as they see fit. + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. Support: Extended maxProperties: 8 type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) parametersRef: description: |- ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. - This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis - The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, the merging behavior is implementation specific. It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. - Support: Implementation-specific properties: group: 
@@ -3210,7 +3187,6 @@ spec: logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. - Each Listener in a set of Listeners (for example, in a single Gateway) MUST be _distinct_, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses "set of Listeners" rather than @@ -3218,42 +3194,32 @@ spec: from multiple Gateways onto a single data plane, and these rules _also_ apply in that case). - Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. - Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on their targeted conformance profile: - HTTP Profile - 1. HTTPRoute, Port: 80, Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided - TLS Profile - 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough - "Distinct" Listeners have the following property: - The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. - For example, the following Listener scenarios are distinct: - 1. Multiple Listeners with the same Port that all use the "HTTP" Protocol that all have unique Hostname values. 2. Multiple Listeners with the same Port that use either the "HTTPS" or 
@@ -3261,45 +3227,37 @@ spec: 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener with the same Protocol has the same Port value. - Some fields in the Listener struct have possible values that affect whether the Listener is distinct. Hostname is particularly relevant for HTTP or HTTPS protocols. - When using the Hostname value to select between same-Port, same-Protocol Listeners, the Hostname value must be different on each Listener for the Listener to be distinct. - When the Listeners are distinct based on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes. - Exact matches must be processed before wildcard matches, and wildcard matches must be processed before fallback (empty Hostname value) matches. For example, `"foo.example.com"` takes precedence over `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. - Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. - The wildcard character will match any number of characters _and dots_ to the left, however, so `"*.example.com"` will match both `"foo.bar.example.com"` _and_ `"bar.example.com"`. - If a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the "Conflicted" condition in the Listener Status to "True". - Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. To put this another way, implementations may 
@@ -3309,7 +3267,6 @@ spec: Listener in this case, otherwise it violates the requirement that at least one Listener must be present. - The implementation MUST set a "ListenersNotValid" condition on the Gateway Status when the Gateway contains Conflicted Listeners whether or not they accept the Gateway. That Condition SHOULD clearly @@ -3317,26 +3274,21 @@ spec: Accepted. Additionally, the Listener status for those listeners SHOULD indicate which Listeners are conflicted and not Accepted. - A Gateway's Listeners are considered "compatible" if: - 1. They are distinct. 2. The implementation can serve them in compliance with the Addresses requirement that all Listeners are available on all assigned addresses. - Compatible combinations in Extended support are expected to vary across implementations. A combination that is compatible for one implementation may not be compatible for another. - For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. - Note that requests SHOULD match at most one Listener. For example, if Listeners are defined for "foo.example.com" and "*.example.com", a request to "foo.example.com" SHOULD only be routed using routes attached @@ -3344,11 +3296,9 @@ spec: This concept is known as "Listener Isolation". Implementations that do not support Listener Isolation MUST clearly document this. - Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. - Support: Core items: description: |- 
@@ -3364,12 +3314,10 @@ spec: Listener and the trusted namespaces where those Route resources MAY be present. - Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: - * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of "2020-09-08 01:02:03" is given precedence over @@ -3378,7 +3326,6 @@ spec: alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. - All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, @@ -3386,7 +3333,6 @@ spec: example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. - Support: Core properties: kinds: @@ -3395,14 +3341,12 @@ spec: to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. - A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the "ResolvedRefs" condition to False for this Listener with the "InvalidRouteKinds" reason. - Support: Core items: description: RouteGroupKind indicates the group and kind @@ -3432,7 +3376,6 @@ spec: Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. - Support: Core properties: from: 
@@ -3441,13 +3384,11 @@ spec: From indicates where Routes will be selected for this Gateway. Possible values are: - * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. - Support: Core enum: - All @@ -3460,7 +3401,6 @@ spec: only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of "From". - Support: Core properties: matchExpressions: @@ -3515,11 +3455,9 @@ spec: field is ignored for protocols that don't require hostname based matching. - Implementations MUST apply Hostname matching appropriately for each of the following protocols: - * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP @@ -3527,19 +3465,16 @@ spec: ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. - For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - Support: Core maxLength: 253 minLength: 1 @@ -3550,7 +3485,6 @@ spec: Name is the name of the Listener. This name MUST be unique within a Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -3561,7 +3495,6 @@ spec: Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. - Support: Core format: int32 maximum: 65535 
@@ -3571,11 +3504,10 @@ spec: description: |- Protocol specifies the network protocol this listener expects to receive. - Support: Core maxLength: 255 minLength: 1 - pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ type: string tls: description: |- @@ -3583,15 +3515,12 @@ spec: the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". - The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. - The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. - Support: Core properties: certificateRefs: 
@@ -3601,41 +3530,33 @@ spec: establish a TLS handshake for requests that match the hostname of the associated listener. - A single CertificateRef to a Kubernetes Secret has "Core" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. - References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the "ResolvedRefs" condition MUST be set to False for this listener with the "RefNotPermitted" reason. - This field is required to have at least one element when the mode is set to "Terminate" (default) and is optional otherwise. - CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. - Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls - Support: Implementation-specific (More than one reference or other resource types) items: description: |- SecretObjectReference identifies an API object including its namespace, defaulting to Secret. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -3666,13 +3587,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -3691,10 +3610,8 @@ spec: that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. - Support: Extended - properties: caCertificateRefs: description: |- @@ -3703,21 +3620,17 @@ spec: the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. - A single CA certificate reference to a Kubernetes ConfigMap has "Core" support. Implementations MAY choose to support attaching multiple CA certificates to a Listener, but this behavior is implementation-specific. - Support: Core - A single reference to a Kubernetes ConfigMap with the CA certificate in a key named `ca.crt`. - Support: Implementation-specific (More than one reference, or other kinds of resources). - References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the @@ -3727,11 +3640,9 @@ spec: description: |- ObjectReference identifies an API object including its namespace. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. - References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. @@ -3760,13 +3671,11 @@ spec: Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -3787,7 +3696,6 @@ spec: Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs @@ -3797,7 +3705,6 @@ spec: the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode. - Support: Core enum: - Terminate @@ -3818,13 +3725,11 @@ spec: configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. - A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. - Support: Implementation-specific maxProperties: 16 type: object @@ -3887,16 +3792,13 @@ spec: Addresses lists the network addresses that have been bound to the Gateway. - This list may differ from the addresses provided in the spec under some conditions: - * no addresses are specified, all addresses are dynamically assigned * a combination of specified and dynamic addresses are assigned * a specified address was unusable (e.g. already in use) - items: description: GatewayStatusAddress describes a network address that is bound to a Gateway. @@ -3927,7 +3829,6 @@ spec: Value of the address. The validity of the values will depend on the type and support by the controller. - Examples: `1.2.3.4`, `128::1`, `my-ip-address`. maxLength: 253 minLength: 1 
@@ -3957,30 +3858,19 @@ spec: description: |- Conditions describe the current conditions of the Gateway. - Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. - Known condition types are: - * "Accepted" * "Programmed" * "Ready" items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -4021,12 +3911,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -4053,7 +3938,6 @@ spec: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. - Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route's ParentRefs field. A Route is successfully attached to @@ -4066,7 +3950,6 @@ spec: for Listeners with condition Accepted: false and MUST count successfully attached Routes that may themselves have Accepted: false conditions. - Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. format: int32 @@ -4075,18 +3958,8 @@ spec: description: Conditions describe the current condition of this listener. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -4128,12 +4001,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4162,7 +4030,6 @@ spec: listener. This MUST represent the kinds an implementation supports for that Listener configuration. - If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the "ResolvedRefs" condition to "False" with the "InvalidRouteKinds" reason. If both valid @@ -4223,7 +4090,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io 
@@ -4254,14 +4121,12 @@ spec: Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. - GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word "MUST" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. - Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the @@ -4269,7 +4134,6 @@ spec: "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. - Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial @@ -4306,17 +4170,14 @@ spec: Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. - If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. 
@@ -4326,58 +4187,48 @@ spec: `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. - If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. 
"foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -4400,21 +4251,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -4424,10 +4270,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -4435,14 +4279,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, 
@@ -4450,12 +4292,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -4466,22 +4306,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -4493,7 +4329,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -4503,14 +4338,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -4520,7 +4352,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -4530,7 +4361,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -4538,12 +4368,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -4551,7 +4379,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -4562,7 +4389,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -4572,18 +4398,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -4592,7 +4415,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -4603,7 +4425,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -4611,12 +4432,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -4626,7 +4445,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -4661,7 +4479,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of GRPC matchers, filters and actions. + description: |+ + Rules are a list of GRPC matchers, filters and actions. + items: description: |- GRPCRouteRule defines the semantics for matching a gRPC request based on 
@@ -4673,71 +4493,56 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. - See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. - Support: Core for Kubernetes Service - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. 
- If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -4745,7 +4550,6 @@ spec: Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.) items: @@ -4764,10 +4568,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - Support: Implementation-specific - This filter can be used multiple times within the same rule. properties: group: @@ -4799,7 +4601,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -4808,18 +4609,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -4833,7 +4631,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -4865,18 +4662,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar 
@@ -4890,18 +4684,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -4915,7 +4706,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -4942,49 +4732,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -5001,20 +4784,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -5030,13 +4809,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -5060,15 +4837,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' responseHeaderModifier: description: |- ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -5077,18 +4895,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz 
@@ -5102,7 +4917,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5134,18 +4948,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5159,18 +4970,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5184,7 +4992,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -5215,17 +5022,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations supporting GRPCRoute MUST support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core @@ -5233,16 +5037,13 @@ spec: is specified using the ExtensionRef field. `Type` MUST be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - enum: - ResponseHeaderModifier - RequestHeaderModifier @@ -5305,20 +5106,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 
@@ -5334,13 +5131,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -5367,13 +5162,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 @@ -5393,32 +5186,26 @@ spec: Filters define the filters that are applied to requests that match this rule. - The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - If an implementation can not support a combination of filters, it must clearly document that limitation. In cases where incompatible or unsupported filters are specified and cause the `Accepted` condition to be set to status `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- 
@@ -5436,10 +5223,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - Support: Implementation-specific - This filter can be used multiple times within the same rule. properties: group: @@ -5471,7 +5256,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -5480,18 +5264,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -5504,7 +5285,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5536,18 +5316,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5561,18 +5338,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5585,7 +5359,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -5612,49 +5385,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -5671,20 +5437,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -5700,13 +5462,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -5730,15 +5490,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' responseHeaderModifier: description: |- ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -5747,18 +5548,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz 
@@ -5771,7 +5569,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -5803,18 +5600,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -5828,18 +5622,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -5852,7 +5643,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -5883,17 +5673,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations supporting GRPCRoute MUST support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core @@ -5901,16 +5688,13 @@ spec: is specified using the ExtensionRef field. `Type` MUST be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - enum: - ResponseHeaderModifier - RequestHeaderModifier @@ -5964,10 +5748,8 @@ spec: gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - method: 
@@ -5979,44 +5761,35 @@ spec: service: foo.bar.v2 ``` - For a request to match against this rule, it MUST satisfy EITHER of the two conditions: - - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 - See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. - If no matches are specified, the implementation MUST match every gRPC request. - Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria. @@ -6026,11 +5799,9 @@ spec: action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. - For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: - ``` matches: - method: @@ -6040,7 +5811,6 @@ spec: - name: "version" value "v1" - ``` properties: headers: @@ -6057,7 +5827,6 @@ spec: description: |- Name is the name of the gRPC Header to be matched. - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -6100,7 +5869,6 @@ spec: Value of the method to match against. If left empty or omitted, will match all services. - At least one of Service and Method MUST be a non-empty string. maxLength: 1024 type: string @@ -6109,7 +5877,6 @@ spec: Value of the service to match against. If left empty or omitted, will match any service. - At least one of Service and Method MUST be a non-empty string. maxLength: 1024 type: string @@ -6119,10 +5886,8 @@ spec: Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) - Support: Implementation-specific (Exact with method specified but no service specified) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -6147,15 +5912,22 @@ spec: type: object maxItems: 8 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- @@ -6163,7 +5935,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -6172,7 +5943,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: 
@@ -6184,20 +5954,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -6210,7 +5976,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -6221,7 +5986,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -6232,10 +5996,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie 
@@ -6245,11 +6007,35 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' type: object maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? 
self[15].matches.size() + : 0) : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of GRPCRoute. @@ -6263,13 +6049,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
@@ -6283,38 +6067,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -6356,12 +6126,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6384,15 +6149,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -6413,7 +6175,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6423,14 +6184,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -6440,7 +6198,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -6450,7 +6207,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -6458,12 +6214,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -6471,7 +6225,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -6482,7 +6235,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -6492,18 +6244,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -6512,7 +6261,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -6523,7 +6271,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -6531,12 +6278,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -6546,7 +6291,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -6569,2331 +6313,6 @@ spec: storage: true subresources: status: {} - - deprecated: true - deprecationWarning: The v1alpha2 version of GRPCRoute has been deprecated and - will be removed in a future release of the API. Please upgrade to v1. - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - GRPCRoute provides a way to route gRPC requests. This includes the capability - to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. - Filters can be used to specify additional processing steps. Backends specify - where matching requests will be routed. - - - GRPCRoute falls under extended support within the Gateway API. Within the - following specification, the word "MUST" indicates that an implementation - supporting GRPCRoute must conform to the indicated requirement, but an - implementation not supporting this route type need not follow the requirement - unless explicitly indicated. - - - Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST - accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via - ALPN. If the implementation does not support this, then it MUST set the - "Accepted" condition to "False" for the affected listener with a reason of - "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections - with an upgrade from HTTP/1. - - - Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST - support HTTP/2 over cleartext TCP (h2c, - https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial - upgrade from HTTP/1.1, i.e. with prior knowledge - (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation - does not support this, then it MUST set the "Accepted" condition to "False" - for the affected listener with a reason of "UnsupportedProtocol". - Implementations MAY also accept HTTP/2 connections with an upgrade from - HTTP/1, i.e. without prior knowledge. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of GRPCRoute. - properties: - hostnames: - description: |- - Hostnames defines a set of hostnames to match against the GRPC - Host header to select a GRPCRoute to process the request. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label MUST appear by itself as the first label. - - - If a hostname is specified by both the Listener and GRPCRoute, there - MUST be at least one intersecting hostname for the GRPCRoute to be - attached to the Listener. For example: - - - * A Listener with `test.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames, or have specified at - least one of `test.example.com` or `*.example.com`. - * A Listener with `*.example.com` as the hostname matches GRPCRoutes - that have either not specified any hostnames or have specified at least - one hostname that matches the Listener hostname. For example, - `test.example.com` and `*.example.com` would both match. On the other - hand, `example.com` and `test.example.net` would not match. 
- - - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted - as a suffix match. That means that a match for `*.example.com` would match - both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - - - If both the Listener and GRPCRoute have specified hostnames, any - GRPCRoute hostnames that do not match the Listener hostname MUST be - ignored. For example, if a Listener specified `*.example.com`, and the - GRPCRoute specified `test.example.com` and `test.example.net`, - `test.example.net` MUST NOT be considered for a match. - - - If both the Listener and GRPCRoute have specified hostnames, and none - match with the criteria above, then the GRPCRoute MUST NOT be accepted by - the implementation. The implementation MUST raise an 'Accepted' Condition - with a status of `False` in the corresponding RouteParentStatus. - - - If a Route (A) of type HTTPRoute or GRPCRoute is attached to a - Listener and that listener already has another Route (B) of the other - type attached and the intersection of the hostnames of A and B is - non-empty, then the implementation MUST accept exactly one of these two - routes, determined by the following criteria, in order: - - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". - - - The rejected Route MUST raise an 'Accepted' condition with a status of - 'False' in the corresponding RouteParentStatus. - - - Support: Core - items: - description: |- - Hostname is the fully qualified domain name of a network host. This matches - the RFC 1123 definition of a hostname with 2 notable exceptions: - - - 1. IPs are not allowed. - 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard - label must appear by itself as the first label. - - - Hostname can be "precise" which is a domain name without the terminating - dot of a network host (e.g. 
"foo.example.com") or "wildcard", which is a - domain name prefixed with a single wildcard label (e.g. `*.example.com`). - - - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case - alphanumeric characters or '-', and must start and end with an alphanumeric - character. No other punctuation is allowed. - maxLength: 253 - minLength: 1 - pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - maxItems: 16 - type: array - parentRefs: - description: |+ - ParentRefs references the resources (usually Gateways) that a Route wants - to be attached to. Note that the referenced parent resource needs to - allow this for the attachment to be complete. For Gateways, that means - the Gateway needs to allow attachment from Routes of this kind and - namespace. For Services, that means the Service must either be in the same - namespace for a "producer" route, or the mesh implementation must support - and allow "consumer" routes for the referenced Service. ReferenceGrant is - not applicable for governing ParentRefs to Services - it is not possible to - create a "producer" route for a Service in a different namespace from the - Route. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - This API may be extended in the future to support additional kinds of parent - resources. - - - ParentRefs must be _distinct_. This means either that: - - - * They select different objects. If this is the case, then parentRef - entries are distinct. In terms of fields, this means that the - multi-part key defined by `group`, `kind`, `namespace`, and `name` must - be unique across all parentRef entries in the Route. - * They do not select different objects, but for each optional field used, - each ParentRef that selects the same object must set the same set of - optional fields to different values. 
If one ParentRef sets a - combination of optional fields, all must set the same combination. - - - Some examples: - - - * If one ParentRef sets `sectionName`, all ParentRefs referencing the - same object must also set `sectionName`. - * If one ParentRef sets `port`, all ParentRefs referencing the same - object must also set `port`. - * If one ParentRef sets `sectionName` and `port`, all ParentRefs - referencing the same object must also set `sectionName` and `port`. - - - It is possible to separately reference multiple distinct objects that may - be collapsed by an implementation. For example, some implementations may - choose to merge compatible Gateway Listeners together. If that is the - case, the list of routes attached to those resources should also be - merged. - - - Note that for ParentRefs that cross namespace boundaries, there are specific - rules. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example, - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable other kinds of cross-namespace reference. - - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - - - - items: - description: |- - ParentReference identifies an API object (usually a Gateway) that can be considered - a parent of this resource (usually a route). 
There are two kinds of parent resources - with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - This API may be extended in the future to support additional kinds of parent - resources. - - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. 
- - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. - - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - maxItems: 32 - type: array - x-kubernetes-validations: - - message: sectionName or port must be specified when parentRefs includes - 2 or more references to the same parent - rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ - == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) - || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName - == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) - || p2.port == 0)): true))' - - message: sectionName or port must be unique when parentRefs includes - 2 or more references to the same parent - rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind - == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) - || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ - == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && - p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) - || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName - == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName - == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) - || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port - == p2.port)))) - rules: - description: Rules are a list of GRPC matchers, filters and actions. - items: - description: |- - GRPCRouteRule defines the semantics for matching a gRPC request based on - conditions (matches), processing it (filters), and forwarding the request to - an API object (backendRefs). 
- properties: - backendRefs: - description: |- - BackendRefs defines the backend(s) where matching requests should be - sent. - - - Failure behavior here depends on how many BackendRefs are specified and - how many are invalid. - - - If *all* entries in BackendRefs are invalid, and there are also no filters - specified in this route rule, *all* traffic which matches this rule MUST - receive an `UNAVAILABLE` status. - - - See the GRPCBackendRef definition for the rules about what makes a single - GRPCBackendRef invalid. - - - When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for - requests that would have otherwise been routed to an invalid backend. If - multiple backends are specified, and some are invalid, the proportion of - requests that would otherwise have been routed to an invalid backend - MUST receive an `UNAVAILABLE` status. - - - For example, if two backends are specified with equal weights, and one is - invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. - Implementations may choose how that 50 percent is determined. - - - Support: Core for Kubernetes Service - - - Support: Implementation-specific for any other resource - - - Support for weight: Core - items: - description: |- - GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. - - - Note that when a namespace different than the local namespace is specified, a - ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - - - - When the BackendRef points to a Kubernetes Service, implementations SHOULD - honor the appProtocol field if it is set for the target Service Port. - - - Implementations supporting appProtocol SHOULD recognize the Kubernetes - Standard Application Protocols defined in KEP-3726. - - - If a Service appProtocol isn't specified, an implementation MAY infer the - backend protocol through its own means. 
Implementations MAY infer the - protocol from the Route type referring to the backend Service. - - - If a Route is not able to send traffic to the backend using the specified - protocol then the backend is considered invalid. Implementations MUST set the - "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - - - properties: - filters: - description: |- - Filters defined at this level MUST be executed if and only if the - request is being forwarded to the backend defined here. - - - Support: Implementation-specific (For broader support of filters, use the - Filters field in GRPCRouteRule.) - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - - Support: Implementation-specific - - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For - example "HTTPRoute" or "Service". 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
- - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. 
- - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - - Support: Extended for Kubernetes Service - - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
- - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind - == ''Service'') ? has(self.port) : true' - required: - - backendRef - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. 
- - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP - Header name and value as defined by RFC - 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP - Header to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |+ - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil - if the filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type - != ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type - == ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil - if the filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type - != ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for - RequestMirror filter.type - rule: '!(!has(self.requestMirror) && self.type == - ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for - ExtensionRef filter.type - 
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - weight: - default: 1 - description: |- - Weight specifies the proportion of requests forwarded to the referenced - backend. This is computed as weight/(sum of all weights in this - BackendRefs list). For non-zero values, there may be some epsilon from - the exact proportion defined here depending on the precision an - implementation supports. Weight is not a percentage and the sum of - weights does not need to equal 100. - - - If only one backend is specified and it has a weight greater than 0, 100% - of the traffic is forwarded to that backend. If weight is set to 0, no - traffic should be forwarded for this entry. If unspecified, weight - defaults to 1. - - - Support for this field varies based on the context where used. - format: int32 - maximum: 1000000 - minimum: 0 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - maxItems: 16 - type: array - filters: - description: |- - Filters define the filters that are applied to requests that match - this rule. - - - The effects of ordering of multiple behaviors are currently unspecified. - This can change in the future based on feedback during the alpha stage. - - - Conformance-levels at this level are defined based on the type of filter: - - - - ALL core filters MUST be supported by all implementations that support - GRPCRoute. 
- - Implementers are encouraged to support extended filters. - - Implementation-specific custom filters have no API guarantees across - implementations. - - - Specifying the same filter multiple times is not supported unless explicitly - indicated in the filter. - - - If an implementation can not support a combination of filters, it must clearly - document that limitation. In cases where incompatible or unsupported - filters are specified and cause the `Accepted` condition to be set to status - `False`, implementations may use the `IncompatibleFilters` reason to specify - this configuration error. - - - Support: Core - items: - description: |- - GRPCRouteFilter defines processing steps that must be completed during the - request or response lifecycle. GRPCRouteFilters are meant as an extension - point to express processing that may be done in Gateway implementations. Some - examples include request or response modification, implementing - authentication strategies, rate-limiting, and traffic shaping. API - guarantee/conformance is defined based on the type of the filter. - properties: - extensionRef: - description: |- - ExtensionRef is an optional, implementation-specific extension to the - "filter" behavior. For example, resource "myroutefilter" in group - "networking.example.net"). ExtensionRef MUST NOT be used for core and - extended filters. - - - Support: Implementation-specific - - - This filter can be used multiple times within the same rule. - properties: - group: - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: Kind is kind of the referent. For example - "HTTPRoute" or "Service". 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - - name - type: object - requestHeaderModifier: - description: |- - RequestHeaderModifier defines a schema for a filter that modifies request - headers. - - - Support: Core - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
- - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. - - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - requestMirror: - description: |- - RequestMirror defines a schema for a filter that mirrors requests. - Requests are sent to the specified destination, but responses from - that destination are ignored. - - - This filter can be used multiple times within the same rule. Note that - not all implementations will be able to support mirroring to multiple - backends. 
- - - Support: Extended - properties: - backendRef: - description: |- - BackendRef references a resource where mirrored requests are sent. - - - Mirrored requests must be sent only to a single destination endpoint - within this BackendRef, irrespective of how many endpoints are present - within this BackendRef. - - - If the referent cannot be found, this BackendRef is invalid and must be - dropped from the Gateway. The controller must ensure the "ResolvedRefs" - condition on the Route status is set to `status: False` and not configure - this backend in the underlying implementation. - - - If there is a cross-namespace reference to an *existing* object - that is not allowed by a ReferenceGrant, the controller must ensure the - "ResolvedRefs" condition on the Route is set to `status: False`, - with the "RefNotPermitted" reason and not configure this backend in the - underlying implementation. - - - In either error case, the Message of the `ResolvedRefs` Condition - should be used to provide more detail about the problem. - - - Support: Extended for Kubernetes Service - - - Support: Implementation-specific for any other resource - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - - Defaults to "Service" when not specified. - - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. 
- - - Support: Core (Services with a type other than ExternalName) - - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - required: - - backendRef - type: object - responseHeaderModifier: - description: |- - ResponseHeaderModifier defines a schema for a filter that modifies response - headers. - - - Support: Extended - properties: - add: - description: |- - Add adds the given header(s) (name, value) to the request - before the action. It appends to any existing values associated - with the header name. 
- - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - add: - - name: "my-header" - value: "bar,baz" - - - Output: - GET /foo HTTP/1.1 - my-header: foo,bar,baz - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - remove: - description: |- - Remove the given header(s) from the HTTP request before the action. The - value of Remove is a list of HTTP header names. Note that the header - names are case-insensitive (see - https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - - - Input: - GET /foo HTTP/1.1 - my-header1: foo - my-header2: bar - my-header3: baz - - - Config: - remove: ["my-header1", "my-header3"] - - - Output: - GET /foo HTTP/1.1 - my-header2: bar - items: - type: string - maxItems: 16 - type: array - x-kubernetes-list-type: set - set: - description: |- - Set overwrites the request with the given header (name, value) - before the action. 
- - - Input: - GET /foo HTTP/1.1 - my-header: foo - - - Config: - set: - - name: "my-header" - value: "bar" - - - Output: - GET /foo HTTP/1.1 - my-header: bar - items: - description: HTTPHeader represents an HTTP Header - name and value as defined by RFC 7230. - properties: - name: - description: |- - Name is the name of the HTTP Header to be matched. Name matching MUST be - case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - - - If multiple entries specify equivalent header names, the first entry with - an equivalent name MUST be considered for a match. Subsequent entries - with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - value: - description: Value is the value of HTTP Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: - description: |+ - Type identifies the type of filter to apply. As with other API fields, - types are classified into three conformance levels: - - - - Core: Filter types and their corresponding configuration defined by - "Support: Core" in this package, e.g. "RequestHeaderModifier". All - implementations supporting GRPCRoute MUST support core filters. - - - - Extended: Filter types and their corresponding configuration defined by - "Support: Extended" in this package, e.g. "RequestMirror". Implementers - are encouraged to support extended filters. - - - - Implementation-specific: Filters that are defined and supported by specific vendors. - In the future, filters showing convergence in behavior across multiple - implementations will be considered for inclusion in extended or core - conformance levels. 
Filter-specific configuration for such filters - is specified using the ExtensionRef field. `Type` MUST be set to - "ExtensionRef" for custom filters. - - - Implementers are encouraged to define custom implementation types to - extend the core API with implementation-specific behavior. - - - If a reference to a custom filter type cannot be resolved, the filter - MUST NOT be skipped. Instead, requests that would have been processed by - that filter MUST receive a HTTP error response. - - - enum: - - ResponseHeaderModifier - - RequestHeaderModifier - - RequestMirror - - ExtensionRef - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: filter.requestHeaderModifier must be nil if the - filter.type is not RequestHeaderModifier - rule: '!(has(self.requestHeaderModifier) && self.type != - ''RequestHeaderModifier'')' - - message: filter.requestHeaderModifier must be specified - for RequestHeaderModifier filter.type - rule: '!(!has(self.requestHeaderModifier) && self.type == - ''RequestHeaderModifier'')' - - message: filter.responseHeaderModifier must be nil if the - filter.type is not ResponseHeaderModifier - rule: '!(has(self.responseHeaderModifier) && self.type != - ''ResponseHeaderModifier'')' - - message: filter.responseHeaderModifier must be specified - for ResponseHeaderModifier filter.type - rule: '!(!has(self.responseHeaderModifier) && self.type - == ''ResponseHeaderModifier'')' - - message: filter.requestMirror must be nil if the filter.type - is not RequestMirror - rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' - - message: filter.requestMirror must be specified for RequestMirror - filter.type - rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' - - message: filter.extensionRef must be nil if the filter.type - is not ExtensionRef - rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' - - message: filter.extensionRef must be specified for ExtensionRef - filter.type - 
rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' - maxItems: 16 - type: array - x-kubernetes-validations: - - message: RequestHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'RequestHeaderModifier').size() - <= 1 - - message: ResponseHeaderModifier filter cannot be repeated - rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() - <= 1 - matches: - description: |- - Matches define conditions used for matching the rule against incoming - gRPC requests. Each match is independent, i.e. this rule will be matched - if **any** one of the matches is satisfied. - - - For example, take the following matches configuration: - - - ``` - matches: - - method: - service: foo.bar - headers: - values: - version: 2 - - method: - service: foo.bar.v2 - ``` - - - For a request to match against this rule, it MUST satisfy - EITHER of the two conditions: - - - - service of foo.bar AND contains the header `version: 2` - - service of foo.bar.v2 - - - See the documentation for GRPCRouteMatch on how to specify multiple - match conditions to be ANDed together. - - - If no matches are specified, the implementation MUST match every gRPC request. - - - Proxy or Load Balancer routing configuration generated from GRPCRoutes - MUST prioritize rules based on the following criteria, continuing on - ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. - Precedence MUST be given to the rule with the largest number of: - - - * Characters in a matching non-wildcard hostname. - * Characters in a matching hostname. - * Characters in a matching service. - * Characters in a matching method. - * Header matches. - - - If ties still exist across multiple Routes, matching precedence MUST be - determined in order of the following criteria, continuing on ties: - - - * The oldest Route based on creation timestamp. - * The Route appearing first in alphabetical order by - "{namespace}/{name}". 
- - - If ties still exist within the Route that has been given precedence, - matching precedence MUST be granted to the first matching rule meeting - the above criteria. - items: - description: |- - GRPCRouteMatch defines the predicate used to match requests to a given - action. Multiple match types are ANDed together, i.e. the match will - evaluate to true only if all conditions are satisfied. - - - For example, the match below will match a gRPC request only if its service - is `foo` AND it contains the `version: v1` header: - - - ``` - matches: - - method: - type: Exact - service: "foo" - headers: - - name: "version" - value "v1" - - - ``` - properties: - headers: - description: |- - Headers specifies gRPC request header matchers. Multiple match values are - ANDed together, meaning, a request MUST match all the specified headers - to select the route. - items: - description: |- - GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request - headers. - properties: - name: - description: |- - Name is the name of the gRPC Header to be matched. - - - If multiple entries specify equivalent header names, only the first - entry with an equivalent name MUST be considered for a match. Subsequent - entries with an equivalent header name MUST be ignored. Due to the - case-insensitivity of header names, "foo" and "Foo" are considered - equivalent. - maxLength: 256 - minLength: 1 - pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ - type: string - type: - default: Exact - description: Type specifies how to match against - the value of the header. - enum: - - Exact - - RegularExpression - type: string - value: - description: Value is the value of the gRPC Header - to be matched. - maxLength: 4096 - minLength: 1 - type: string - required: - - name - - value - type: object - maxItems: 16 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - method: - description: |- - Method specifies a gRPC request service/method matcher. 
If this field is - not specified, all services and methods will match. - properties: - method: - description: |- - Value of the method to match against. If left empty or omitted, will - match all services. - - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - service: - description: |- - Value of the service to match against. If left empty or omitted, will - match any service. - - - At least one of Service and Method MUST be a non-empty string. - maxLength: 1024 - type: string - type: - default: Exact - description: |- - Type specifies how to match against the service and/or method. - Support: Core (Exact with service and method specified) - - - Support: Implementation-specific (Exact with method specified but no service specified) - - - Support: Implementation-specific (RegularExpression) - enum: - - Exact - - RegularExpression - type: string - type: object - x-kubernetes-validations: - - message: One or both of 'service' or 'method' must be - specified - rule: 'has(self.type) ? has(self.service) || has(self.method) - : true' - - message: service must only contain valid characters - (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): - true' - - message: method must only contain valid characters (matching - ^[A-Za-z_][A-Za-z_0-9]*$) - rule: '(!has(self.type) || self.type == ''Exact'') && - has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): - true' - type: object - maxItems: 8 - type: array - sessionPersistence: - description: |+ - SessionPersistence defines and configures session persistence - for the route rule. - - - Support: Extended - - - properties: - absoluteTimeout: - description: |- - AbsoluteTimeout defines the absolute timeout of the persistent - session. 
Once the AbsoluteTimeout duration has elapsed, the - session becomes invalid. - - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - cookieConfig: - description: |- - CookieConfig provides configuration settings that are specific - to cookie-based session persistence. - - - Support: Core - properties: - lifetimeType: - default: Session - description: |- - LifetimeType specifies whether the cookie has a permanent or - session-based lifetime. A permanent cookie persists until its - specified expiry time, defined by the Expires or Max-Age cookie - attributes, while a session cookie is deleted when the current - session ends. - - - When set to "Permanent", AbsoluteTimeout indicates the - cookie's lifetime via the Expires or Max-Age cookie attributes - and is required. - - - When set to "Session", AbsoluteTimeout indicates the - absolute lifetime of the cookie tracked by the gateway and - is optional. - - - Support: Core for "Session" type - - - Support: Extended for "Permanent" type - enum: - - Permanent - - Session - type: string - type: object - idleTimeout: - description: |- - IdleTimeout defines the idle timeout of the persistent session. - Once the session has been idle for more than the specified - IdleTimeout duration, the session becomes invalid. - - - Support: Extended - pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ - type: string - sessionName: - description: |- - SessionName defines the name of the persistent session token - which may be reflected in the cookie or the header. Users - should avoid reusing session names to prevent unintended - consequences, such as rejection or unpredictable behavior. - - - Support: Implementation-specific - maxLength: 128 - type: string - type: - default: Cookie - description: |- - Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session - persistence. 
- - - Support: Core for "Cookie" type - - - Support: Extended for "Header" type - enum: - - Cookie - - Header - type: string - type: object - x-kubernetes-validations: - - message: AbsoluteTimeout must be specified when cookie lifetimeType - is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' - type: object - maxItems: 16 - type: array - type: object - status: - description: Status defines the current state of GRPCRoute. - properties: - parents: - description: |- - Parents is a list of parent resources (usually Gateways) that are - associated with the route, and the status of the route with respect to - each parent. When this route attaches to a parent, the controller that - manages the parent must add an entry to this list when the controller - first sees the route and should update the entry as appropriate when the - route or gateway is modified. - - - Note that parent references that cannot be resolved by an implementation - of this API will not be added to this list. Implementations of this API - can only populate Route status for the Gateways/parent resources they are - responsible for. - - - A maximum of 32 Gateways will be represented in this list. An empty list - means the route has not been attached to any Gateway. - items: - description: |- - RouteParentStatus describes the status of a route with respect to an - associated Parent. - properties: - conditions: - description: |- - Conditions describes the status of the route with respect to the Gateway. - Note that the route's availability is also subject to the Gateway's own - status conditions and listener status. 
- - - If the Route's ParentRef specifies an existing Gateway that supports - Routes of this kind AND that Gateway's controller has sufficient access, - then that Gateway's controller MUST set the "Accepted" condition on the - Route, to indicate whether the route has been accepted or rejected by the - Gateway, and why. - - - A Route MUST be considered "Accepted" if at least one of the Route's - rules is implemented by the Gateway. - - - There are a number of cases where the "Accepted" condition may not be set - due to lack of controller visibility, that includes when: - - - * The Route refers to a non-existent parent. - * The Route is of a type that the controller does not support. - * The Route is in a namespace the controller does not have access to. - items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, - Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - maxItems: 8 - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controllerName: - description: |- - ControllerName is a domain/path string that indicates the name of the - controller that wrote this status. This corresponds with the - controllerName field on GatewayClass. - - - Example: "example.net/gateway-controller". 
- - - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are - valid Kubernetes names - (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - - - Controllers MUST populate this field when writing status. Controllers should ensure that - entries to status populated with their ControllerName are cleaned up when they are no - longer necessary. - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ - type: string - parentRef: - description: |- - ParentRef corresponds with a ParentRef in the spec that this - RouteParentStatus struct describes the status of. - properties: - group: - default: gateway.networking.k8s.io - description: |- - Group is the group of the referent. - When unspecified, "gateway.networking.k8s.io" is inferred. - To set the core API group (such as for a "Service" kind referent), - Group must be explicitly set to "" (empty string). - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Gateway - description: |- - Kind is kind of the referent. - - - There are two kinds of parent resources with "Core" support: - - - * Gateway (Gateway conformance profile) - * Service (Mesh conformance profile, ClusterIP Services only) - - - Support for other resources is Implementation-Specific. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. - - - Support: Core - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referent. When unspecified, this refers - to the local namespace of the Route. - - - Note that there are specific rules for ParentRefs which cross namespace - boundaries. 
Cross-namespace references are only valid if they are explicitly - allowed by something in the namespace they are referring to. For example: - Gateway has the AllowedRoutes field, and ReferenceGrant provides a - generic way to enable any other kind of cross-namespace reference. - - - - ParentRefs from a Route to a Service in the same namespace are "producer" - routes, which apply default routing rules to inbound connections from - any namespace to the Service. - - - ParentRefs from a Route to a Service in a different namespace are - "consumer" routes, and these routing rules are only applied to outbound - connections originating from the same namespace as the Route, for which - the intended destination of the connections are a Service targeted as a - ParentRef of the Route. - - - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port is the network port this Route targets. It can be interpreted - differently based on the type of parent resource. - - - When the parent resource is a Gateway, this targets all listeners - listening on the specified port that also support this kind of Route(and - select this Route). It's not recommended to set `Port` unless the - networking behaviors specified in a Route must apply to a specific port - as opposed to a listener(s) whose port(s) may be changed. When both Port - and SectionName are specified, the name and port of the selected listener - must match both specified values. - - - - When the parent resource is a Service, this targets a specific port in the - Service spec. When both Port (experimental) and SectionName are specified, - the name and port of the selected port must match both specified values. - - - - Implementations MAY choose to support other parent resources. - Implementations supporting other types of parent resources MUST clearly - document how/if Port is interpreted. 
- - - For the purpose of status, an attachment is considered successful as - long as the parent resource accepts it partially. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment - from the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, - the Route MUST be considered detached from the Gateway. - - - Support: Extended - format: int32 - maximum: 65535 - minimum: 1 - type: integer - sectionName: - description: |- - SectionName is the name of a section within the target resource. In the - following resources, SectionName is interpreted as the following: - - - * Gateway: Listener name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - * Service: Port name. When both Port (experimental) and SectionName - are specified, the name and port of the selected listener must match - both specified values. - - - Implementations MAY choose to support attaching Routes to other resources. - If that is the case, they MUST clearly document how SectionName is - interpreted. - - - When unspecified (empty string), this will reference the entire resource. - For the purpose of status, an attachment is considered successful if at - least one section in the parent resource accepts it. For example, Gateway - listeners can restrict which Routes can attach to them by Route kind, - namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from - the referencing Route, the Route MUST be considered successfully - attached. If no Gateway listeners accept attachment from this Route, the - Route MUST be considered detached from the Gateway. 
- - - Support: Core - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - required: - - name - type: object - required: - - controllerName - - parentRef - type: object - maxItems: 32 - type: array - required: - - parents - type: object - type: object - served: true - storage: false status: acceptedNames: kind: "" @@ -8909,7 +6328,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io @@ -8968,21 +6387,17 @@ spec: performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend. - Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. 
@@ -8993,55 +6408,45 @@ spec: all match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. - If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). 
- Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -9064,21 +6469,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -9088,10 +6488,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -9099,14 +6497,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, 
@@ -9114,12 +6510,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -9130,22 +6524,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -9157,7 +6547,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -9167,14 +6556,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -9184,7 +6570,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -9194,7 +6579,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -9202,12 +6586,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -9215,7 +6597,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -9226,7 +6607,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -9236,18 +6616,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -9256,7 +6633,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -9267,7 +6643,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -9275,12 +6650,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -9290,7 +6663,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -9330,7 +6702,9 @@ spec: - path: type: PathPrefix value: / - description: Rules are a list of HTTP matchers, filters and actions. + description: |+ + Rules are a list of HTTP matchers, filters and actions. + items: description: |- HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -9342,74 +6716,63 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. - See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. 
- Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -9417,7 +6780,6 @@ spec: Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.) items: @@ -9436,10 +6798,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -9471,7 +6831,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -9480,18 +6839,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -9505,7 +6861,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -9537,18 +6892,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -9562,18 +6914,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -9587,7 +6936,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -9614,49 +6962,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -9673,20 +7014,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -9702,13 +7039,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -9732,15 +7067,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -9749,7 +7125,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -9761,7 +7136,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: 
@@ -9777,32 +7151,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -9810,11 +7169,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -9847,11 +7204,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -9859,17 +7214,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -9880,20 +7232,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -9904,16 +7252,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 
@@ -9925,7 +7270,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -9934,18 +7278,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -9959,7 +7300,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -9991,18 +7331,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -10016,18 +7353,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -10041,7 +7375,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -10072,17 +7405,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -10091,20 +7421,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -10120,7 +7446,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -10128,7 +7453,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -10138,7 +7462,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: 
@@ -10154,32 +7477,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -10187,11 +7495,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -10304,20 +7610,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -10333,13 +7635,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -10366,13 +7666,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 
@@ -10392,37 +7690,30 @@ spec: Filters define the filters that are applied to requests that match this rule. - Wherever possible, implementations SHOULD implement filters in the order they are specified. - Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior. - To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the "PartiallyInvalid" condition for the Route. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly @@ -10431,7 +7722,6 @@ spec: `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- @@ -10449,10 +7739,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -10484,7 +7772,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: 
@@ -10493,18 +7780,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -10517,7 +7801,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -10549,18 +7832,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -10574,18 +7854,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -10598,7 +7875,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -10625,49 +7901,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -10684,20 +7953,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -10713,13 +7978,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -10743,15 +8006,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -10760,7 +8064,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -10772,7 +8075,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: 
@@ -10788,32 +8090,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -10821,11 +8108,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -10858,11 +8143,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -10870,17 +8153,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -10891,20 +8171,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -10915,16 +8191,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 
@@ -10936,7 +8209,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -10945,18 +8217,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -10969,7 +8238,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -11001,18 +8269,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -11026,18 +8291,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -11050,7 +8312,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -11081,17 +8342,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -11100,20 +8358,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -11129,7 +8383,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -11137,7 +8390,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -11147,7 +8399,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: 
@@ -11163,32 +8414,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -11196,11 +8432,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -11301,10 +8535,8 @@ spec: HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - path: 
@@ -11316,65 +8548,54 @@ spec: value: "/v2/foo" ``` - For a request to match against this rule, a request must satisfy EITHER of the two conditions: - - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` - See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. - If no matches are specified, the default is a prefix path match on "/", which has the effect of matching every HTTP request. - Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having: - * "Exact" path match. * "Prefix" path match with largest number of characters. * Method match. * Largest number of header matches. * Largest number of query param matches. - Note: The precedence of RegularExpression path matches are implementation-specific. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. - When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned. items: description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. Multiple match types are ANDed together, i.e. 
the match will\nevaluate to true - only if all conditions are satisfied.\n\n\nFor example, - the match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + \ value \"v1\"\n\n```" properties: headers: description: |- @@ -11391,14 +8612,12 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. - When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: @@ -11413,13 +8632,10 @@ spec: description: |- Type specifies how to match against the value of the header. - Support: Core (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to @@ -11449,7 +8665,6 @@ spec: When specified, this route will be matched only if the request has the specified method. - Support: Extended enum: - GET 
@@ -11475,10 +8690,8 @@ spec: description: |- Type specifies how to match against the path Value. - Support: Core (Exact, PathPrefix) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -11543,7 +8756,6 @@ spec: values are ANDed together, meaning, a request must match all the specified query parameters to select the route. - Support: Extended items: description: |- @@ -11556,12 +8768,10 @@ spec: exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. - If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should @@ -11569,7 +8779,6 @@ spec: as this behavior is expected in other load balancing contexts outside of the Gateway API. - Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations. maxLength: 256 @@ -11581,13 +8790,10 @@ spec: description: |- Type specifies how to match against the value of the query parameter. - Support: Extended (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's 
@@ -11612,17 +8818,114 @@ spec: - name x-kubernetes-list-type: map type: object - maxItems: 8 + maxItems: 64 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maxmimum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. + + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. 
If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. + + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- 
@@ -11630,7 +8933,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -11639,7 +8941,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -11651,20 +8952,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -11677,7 +8974,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -11688,7 +8984,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -11699,10 +8994,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie 
@@ -11712,16 +9005,13 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' timeouts: - description: |+ + description: |- Timeouts defines the timeouts that can be configured for an HTTP request. - Support: Extended - - properties: backendRequest: description: |- @@ -11729,21 +9019,19 @@ spec: to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. - - Because the Request timeout encompasses the BackendRequest timeout, the value of - BackendRequest must be <= the value of Request timeout. - + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ 
@@ -11754,26 +9042,22 @@ spec: If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. - For example, setting the `rules.timeouts.request` field to the value `10s` in an `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds to complete. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. - - When this field is unspecified, request timeout behavior is implementation-specific. - + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ 
@@ -11828,6 +9112,24 @@ spec: != ''PathPrefix'') ? false : true) : true' maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of HTTPRoute. @@ -11841,13 +9143,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
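Review bot: The message of the total-matches validation added after `maxItems: 16` says the total "must be less than 128", but its CEL rule ends in `<= 128`, so a route with exactly 128 matches is admitted even though the message implies it would be rejected. Message and rule should agree: either word the message as `must be less than or equal to 128` or end the rule in `< 128`. This file looks like generated CRD output, so the correction presumably belongs in the source validation marker, followed by a regenerate, rather than in a hand edit here. The rule also reads `self[i].matches.size()` for every index without a `has()` guard, which is only safe if `matches` is always defaulted; that default is not visible in this hunk and is worth confirming.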
@@ -11861,38 +9161,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -11934,12 +9220,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -11962,15 +9243,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -11991,7 +9269,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -12001,14 +9278,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -12018,7 +9292,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -12028,7 +9301,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -12036,12 +9308,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12049,7 +9319,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -12060,7 +9329,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -12070,18 +9338,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -12090,7 +9355,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -12101,7 +9365,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -12109,12 +9372,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -12124,7 +9385,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 
@@ -12193,21 +9453,17 @@ spec: performing a match and (absent of any applicable header modification configuration) MUST forward this header unmodified to the backend. - Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. 
@@ -12218,55 +9474,45 @@ spec: all match. On the other hand, `example.com` and `test.example.net` would not match. - Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. - If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: - * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. - If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). 
- Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. @@ -12289,21 +9535,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -12313,10 +9554,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -12324,14 +9563,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, 
@@ -12339,12 +9576,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12355,22 +9590,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -12382,7 +9613,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -12392,14 +9622,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -12409,7 +9636,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -12419,7 +9645,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -12427,12 +9652,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -12440,7 +9663,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -12451,7 +9673,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -12461,18 +9682,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -12481,7 +9699,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -12492,7 +9709,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -12500,12 +9716,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -12515,7 +9729,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -12555,7 +9768,9 @@ spec: - path: type: PathPrefix value: / - description: Rules are a list of HTTP matchers, filters and actions. + description: |+ + Rules are a list of HTTP matchers, filters and actions. + items: description: |- HTTPRouteRule defines semantics for matching an HTTP request based on 
@@ -12567,74 +9782,63 @@ spec: BackendRefs defines the backend(s) where matching requests should be sent. - Failure behavior here depends on how many BackendRefs are specified and how many are invalid. - If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. - See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. - When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. - For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Core items: description: |- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. 
- Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - properties: filters: @@ -12642,7 +9846,6 @@ spec: Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. - Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.) items: @@ -12661,10 +9864,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -12696,7 +9897,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: @@ -12705,18 +9905,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -12730,7 +9927,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -12762,18 +9958,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -12787,18 +9980,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -12812,7 +10002,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -12839,49 +10028,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -12898,20 +10080,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -12927,13 +10105,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -12957,15 +10133,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -12974,7 +10191,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -12986,7 +10202,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: 
@@ -13002,32 +10217,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -13035,11 +10235,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -13072,11 +10270,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -13084,17 +10280,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -13105,20 +10298,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -13129,16 +10318,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 
@@ -13150,7 +10336,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -13159,18 +10344,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -13184,7 +10366,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13216,18 +10397,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -13241,18 +10419,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -13266,7 +10441,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -13297,17 +10471,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -13316,20 +10487,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -13345,7 +10512,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -13353,7 +10519,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -13363,7 +10528,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: 
@@ -13379,32 +10543,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -13412,11 +10561,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -13529,20 +10676,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -13558,13 +10701,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -13591,13 +10732,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 
@@ -13617,37 +10756,30 @@ spec: Filters define the filters that are applied to requests that match this rule. - Wherever possible, implementations SHOULD implement filters in the order they are specified. - Implementations MAY choose to implement this ordering strictly, rejecting any combination or order of filters that can not be supported. If implementations choose a strict interpretation of filter ordering, they MUST clearly document that behavior. - To reject an invalid combination or order of filters, implementations SHOULD consider the Route Rules with this configuration invalid. If all Route Rules in a Route are invalid, the entire Route would be considered invalid. If only a portion of Route Rules are invalid, implementations MUST set the "PartiallyInvalid" condition for the Route. - Conformance-levels at this level are defined based on the type of filter: - - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. - Specifying the same filter multiple times is not supported unless explicitly indicated in the filter. - All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly @@ -13656,7 +10788,6 @@ spec: `False`, implementations may use the `IncompatibleFilters` reason to specify this configuration error. - Support: Core items: description: |- @@ -13674,10 +10805,8 @@ spec: "networking.example.net"). ExtensionRef MUST NOT be used for core and extended filters. - This filter can be used multiple times within the same rule. - Support: Implementation-specific properties: group: @@ -13709,7 +10838,6 @@ spec: RequestHeaderModifier defines a schema for a filter that modifies request headers. - Support: Core properties: add: 
@@ -13718,18 +10846,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -13742,7 +10867,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -13774,18 +10898,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -13799,18 +10920,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -13823,7 +10941,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -13850,49 +10967,42 @@ spec: x-kubernetes-list-type: map type: object requestMirror: - description: |- + description: |+ RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. - This filter can be used multiple times within the same rule. Note that not all implementations will be able to support mirroring to multiple backends. - Support: Extended + properties: backendRef: description: |- BackendRef references a resource where mirrored requests are sent. - Mirrored requests must be sent only to a single destination endpoint within this BackendRef, irrespective of how many endpoints are present within this BackendRef. - If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the "ResolvedRefs" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. - If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the "ResolvedRefs" condition on the Route is set to `status: False`, with the "RefNotPermitted" reason and not configure this backend in the underlying implementation. - In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. - Support: Extended for Kubernetes Service - Support: Implementation-specific for any other resource properties: group: 
@@ -13909,20 +11019,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -13938,13 +11044,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 
@@ -13968,15 +11072,56 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer required: - backendRef type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' requestRedirect: description: |- RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. - Support: Core properties: hostname: @@ -13985,7 +11130,6 @@ spec: header in the response. When empty, the hostname in the `Host` header of the request is used. - Support: Core maxLength: 253 minLength: 1 @@ -13997,7 +11141,6 @@ spec: The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. - Support: Extended properties: replaceFullPath: 
@@ -14013,32 +11156,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -14046,11 +11174,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. 
@@ -14083,11 +11209,9 @@ spec: Port is the port to be used in the value of the `Location` header in the response. - If no port is specified, the redirect port MUST be derived using the following rules: - * If redirect scheme is not-empty, the redirect port MUST be the well-known port associated with the redirect scheme. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a @@ -14095,17 +11219,14 @@ spec: * If redirect scheme is empty, the redirect port MUST be the Gateway Listener port. - Implementations SHOULD NOT add the port number in the 'Location' header in the following cases: - * A Location header that will use HTTP (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 80. * A Location header that will use HTTPS (whether that is determined via the Listener protocol or the Scheme field) _and_ use port 443. - Support: Extended format: int32 maximum: 65535 @@ -14116,20 +11237,16 @@ spec: Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. - Scheme redirects can affect the port of the redirect, for more information, refer to the documentation for the port field of this filter. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Extended enum: - http @@ -14140,16 +11257,13 @@ spec: description: |- StatusCode is the HTTP status code to be used in response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - Support: Core enum: - 301 
@@ -14161,7 +11275,6 @@ spec: ResponseHeaderModifier defines a schema for a filter that modifies response headers. - Support: Extended properties: add: @@ -14170,18 +11283,15 @@ spec: before the action. It appends to any existing values associated with the header name. - Input: GET /foo HTTP/1.1 my-header: foo - Config: add: - name: "my-header" value: "bar,baz" - Output: GET /foo HTTP/1.1 my-header: foo,bar,baz @@ -14194,7 +11304,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the @@ -14226,18 +11335,15 @@ spec: names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). - Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz - Config: remove: ["my-header1", "my-header3"] - Output: GET /foo HTTP/1.1 my-header2: bar @@ -14251,18 +11357,15 @@ spec: Set overwrites the request with the given header (name, value) before the action. - Input: GET /foo HTTP/1.1 my-header: foo - Config: set: - name: "my-header" value: "bar" - Output: GET /foo HTTP/1.1 my-header: bar @@ -14275,7 +11378,6 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the 
@@ -14306,17 +11408,14 @@ spec: Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: - - Core: Filter types and their corresponding configuration defined by "Support: Core" in this package, e.g. "RequestHeaderModifier". All implementations must support core filters. - - Extended: Filter types and their corresponding configuration defined by "Support: Extended" in this package, e.g. "RequestMirror". Implementers are encouraged to support extended filters. - - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple @@ -14325,20 +11424,16 @@ spec: is specified using the ExtensionRef field. `Type` should be set to "ExtensionRef" for custom filters. - Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. - If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -14354,7 +11449,6 @@ spec: description: |- URLRewrite defines a schema for a filter that modifies a request during forwarding. - Support: Extended properties: hostname: @@ -14362,7 +11456,6 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. - Support: Extended maxLength: 253 minLength: 1 @@ -14372,7 +11465,6 @@ spec: description: |- Path defines a path rewrite. - Support: Extended properties: replaceFullPath: 
@@ -14388,32 +11480,17 @@ spec: to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". - Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. - ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. - Request Path | Prefix Match | Replace Prefix | Modified Path - -------------|--------------|----------------|---------- - /foo/bar | /foo | /xyz | /xyz/bar - /foo/bar | /foo | /xyz/ | /xyz/bar - /foo/bar | /foo/ | /xyz | /xyz/bar - /foo/bar | /foo/ | /xyz/ | /xyz/bar - /foo | /foo | /xyz | /xyz - /foo/ | /foo | /xyz | /xyz/ - /foo/bar | /foo | | /bar - /foo/ | /foo | | / - /foo | /foo | | / - /foo/ | /foo | / | / - /foo | /foo | / | / maxLength: 1024 type: string type: @@ -14421,11 +11498,9 @@ spec: Type defines the type of path modifier. Additional types may be added in a future release of the API. - Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. - Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. @@ -14526,10 +11601,8 @@ spec: HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. - For example, take the following matches configuration: - ``` matches: - path: 
@@ -14541,65 +11614,54 @@ spec: value: "/v2/foo" ``` - For a request to match against this rule, a request must satisfy EITHER of the two conditions: - - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` - See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. - If no matches are specified, the default is a prefix path match on "/", which has the effect of matching every HTTP request. - Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match having: - * "Exact" path match. * "Prefix" path match with largest number of characters. * Method match. * Largest number of header matches. * Largest number of query param matches. - Note: The precedence of RegularExpression path matches are implementation-specific. - If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: - * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by "{namespace}/{name}". - If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. - When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned. items: description: "HTTPRouteMatch defines the predicate used to match requests to a given\naction. Multiple match types are ANDed together, i.e. 
the match will\nevaluate to true - only if all conditions are satisfied.\n\n\nFor example, - the match below will match a HTTP request only if its path\nstarts - with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t - \ value \"v1\"\n\n\n```" + \ value \"v1\"\n\n```" properties: headers: description: |- @@ -14616,14 +11678,12 @@ spec: Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). - If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. - When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: @@ -14638,13 +11698,10 @@ spec: description: |- Type specifies how to match against the value of the header. - Support: Core (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to @@ -14674,7 +11731,6 @@ spec: When specified, this route will be matched only if the request has the specified method. - Support: Extended enum: - GET 
@@ -14700,10 +11756,8 @@ spec: description: |- Type specifies how to match against the path Value. - Support: Core (Exact, PathPrefix) - Support: Implementation-specific (RegularExpression) enum: - Exact @@ -14768,7 +11822,6 @@ spec: values are ANDed together, meaning, a request must match all the specified query parameters to select the route. - Support: Extended items: description: |- @@ -14781,12 +11834,10 @@ spec: exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). - If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. - If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should @@ -14794,7 +11845,6 @@ spec: as this behavior is expected in other load balancing contexts outside of the Gateway API. - Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations. maxLength: 256 @@ -14806,13 +11856,10 @@ spec: description: |- Type specifies how to match against the value of the query parameter. - Support: Extended (Exact) - Support: Implementation-specific (RegularExpression) - Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's 
@@ -14837,17 +11884,114 @@ spec: - name x-kubernetes-list-type: map type: object - maxItems: 8 + maxItems: 64 type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maxmimum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. + + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. 
If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. + + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object sessionPersistence: description: |+ SessionPersistence defines and configures session persistence for the route rule. - Support: Extended - properties: absoluteTimeout: description: |- 
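Review bot: The new `retry.attempts` field is declared only as `type: integer`, so the schema accepts negative values and arbitrarily large retry counts, while the sibling `codes` items in the same hunk are bounded with `minimum: 400` and `maximum: 599`. A large retry count multiplies the load a single route can place on a backend that is already failing. I would add at least `minimum: 0` under `attempts`, and have the controller enforce an upper limit. The description also misspells `maximum` as `maxmimum`. This looks like a vendored upstream CRD bundle, so the schema change probably belongs in the source it is generated from rather than in this copy.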
@@ -14855,7 +11999,6 @@ spec: session. Once the AbsoluteTimeout duration has elapsed, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -14864,7 +12007,6 @@ spec: CookieConfig provides configuration settings that are specific to cookie-based session persistence. - Support: Core properties: lifetimeType: @@ -14876,20 +12018,16 @@ spec: attributes, while a session cookie is deleted when the current session ends. - When set to "Permanent", AbsoluteTimeout indicates the cookie's lifetime via the Expires or Max-Age cookie attributes and is required. - When set to "Session", AbsoluteTimeout indicates the absolute lifetime of the cookie tracked by the gateway and is optional. - Support: Core for "Session" type - Support: Extended for "Permanent" type enum: - Permanent @@ -14902,7 +12040,6 @@ spec: Once the session has been idle for more than the specified IdleTimeout duration, the session becomes invalid. - Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string @@ -14913,7 +12050,6 @@ spec: should avoid reusing session names to prevent unintended consequences, such as rejection or unpredictable behavior. - Support: Implementation-specific maxLength: 128 type: string @@ -14924,10 +12060,8 @@ spec: the use a header or cookie. Defaults to cookie based session persistence. - Support: Core for "Cookie" type - Support: Extended for "Header" type enum: - Cookie 
@@ -14937,16 +12071,13 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent - rule: '!has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType - != ''Permanent'' || has(self.absoluteTimeout)' + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' timeouts: - description: |+ + description: |- Timeouts defines the timeouts that can be configured for an HTTP request. - Support: Extended - - properties: backendRequest: description: |- @@ -14954,21 +12085,19 @@ spec: to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. - - Because the Request timeout encompasses the BackendRequest timeout, the value of - BackendRequest must be <= the value of Request timeout. - + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ 
@@ -14979,26 +12108,22 @@ spec: If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. - For example, setting the `rules.timeouts.request` field to the value `10s` in an `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds to complete. - Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. - This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. - - When this field is unspecified, request timeout behavior is implementation-specific. - + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. Support: Extended pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ 
@@ -15053,6 +12178,24 @@ spec: != ''PathPrefix'') ? false : true) : true' maxItems: 16 type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) type: object status: description: Status defines the current state of HTTPRoute. @@ -15066,13 +12209,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
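Review bot: The first `x-kubernetes-validations` entry added under `rules` has a message saying the total number of matches "must be less than 128", but its rule ends in `<= 128`, so a route with exactly 128 matches is accepted. Message and rule should agree, for example by wording the message as `... must be no more than 128`. The rule also calls `self[i].matches.size()` without a `has()` guard, which presumably relies on `matches` always being defaulted; that is not visible in this hunk and is worth confirming. The file looks like a vendored upstream bundle, so the correction belongs in the source it is generated from.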
@@ -15086,38 +12227,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -15159,12 +12286,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15187,15 +12309,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -15216,7 +12335,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15226,14 +12344,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -15243,7 +12358,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -15253,7 +12367,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -15261,12 +12374,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15274,7 +12385,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -15285,7 +12395,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -15295,18 +12404,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -15315,7 +12421,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -15326,7 +12431,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -15334,12 +12438,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -15349,7 +12451,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -15389,7 +12490,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io 
@@ -15406,187 +12507,6 @@ spec: singular: referencegrant scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated - and will be removed in a future release of the API. Please upgrade to v1beta1. - name: v1alpha2 - schema: - openAPIV3Schema: - description: |- - ReferenceGrant identifies kinds of resources in other namespaces that are - trusted to reference the specified kinds of resources in the same namespace - as the policy. - - - Each ReferenceGrant can be used to represent a unique trust relationship. - Additional Reference Grants can be used to add to the set of trusted - sources of inbound references for the namespace they are defined within. - - - A ReferenceGrant is required for all cross-namespace references in Gateway API - (with the exception of cross-namespace Route-Gateway attachment, which is - governed by the AllowedRoutes configuration on the Gateway, and cross-namespace - Service ParentRefs on a "consumer" mesh Route, which defines routing rules - applicable only to workloads in the Route namespace). ReferenceGrants allowing - a reference from a Route to a Service are only applicable to BackendRefs. - - - ReferenceGrant is a form of runtime verification allowing users to assert - which cross-namespace object references are permitted. Implementations that - support ReferenceGrant MUST NOT permit cross-namespace references which have - no grant, and MUST respond to the removal of a grant by revoking the access - that the grant allowed. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines the desired state of ReferenceGrant. - properties: - from: - description: |- - From describes the trusted namespaces and kinds that can reference the - resources described in "To". Each entry in this list MUST be considered - to be an additional place that references can be valid from, or to put - this another way, entries MUST be combined using OR. - - - Support: Core - items: - description: ReferenceGrantFrom describes trusted namespaces and - kinds. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field. - - - When used to permit a SecretObjectReference: - - - * Gateway - - - When used to permit a BackendObjectReference: - - - * GRPCRoute - * HTTPRoute - * TCPRoute - * TLSRoute - * UDPRoute - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - namespace: - description: |- - Namespace is the namespace of the referent. 
- - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - group - - kind - - namespace - type: object - maxItems: 16 - minItems: 1 - type: array - to: - description: |- - To describes the resources that may be referenced by the resources - described in "From". Each entry in this list MUST be considered to be an - additional place that references can be valid to, or to put this another - way, entries MUST be combined using OR. - - - Support: Core - items: - description: |- - ReferenceGrantTo describes what Kinds are allowed as targets of the - references. - properties: - group: - description: |- - Group is the group of the referent. - When empty, the Kubernetes core API group is inferred. - - - Support: Core - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: |- - Kind is the kind of the referent. Although implementations may support - additional resources, the following types are part of the "Core" - support level for this field: - - - * Secret when used to permit a SecretObjectReference - * Service when used to permit a BackendObjectReference - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: |- - Name is the name of the referent. When unspecified, this policy - refers to all resources of the specified Group and Kind in the local - namespace. - maxLength: 253 - minLength: 1 - type: string - required: - - group - - kind - type: object - maxItems: 16 - minItems: 1 - type: array - required: - - from - - to - type: object - type: object - served: true - storage: false - subresources: {} - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age 
@@ -15599,16 +12519,13 @@ spec: trusted to reference the specified kinds of resources in the same namespace as the policy. - Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. - All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. - ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have @@ -15642,7 +12559,6 @@ spec: to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. - Support: Core items: description: ReferenceGrantFrom describes trusted namespaces and @@ -15653,7 +12569,6 @@ spec: Group is the group of the referent. When empty, the Kubernetes core API group is inferred. - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15664,16 +12579,12 @@ spec: additional resources, the following types are part of the "Core" support level for this field. - When used to permit a SecretObjectReference: - * Gateway - When used to permit a BackendObjectReference: - * GRPCRoute * HTTPRoute * TCPRoute @@ -15687,7 +12598,6 @@ spec: description: |- Namespace is the namespace of the referent. - Support: Core maxLength: 63 minLength: 1 @@ -15708,7 +12618,6 @@ spec: additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. - Support: Core items: description: |- @@ -15720,7 +12629,6 @@ spec: Group is the group of the referent. When empty, the Kubernetes core API group is inferred. - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -15731,7 +12639,6 @@ spec: additional resources, the following types are part of the "Core" support level for this field: - * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference maxLength: 63 @@ -15776,7 +12683,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io @@ -15836,21 +12743,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -15860,10 +12762,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same 
@@ -15871,14 +12771,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, @@ -15886,12 +12784,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15902,22 +12798,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: 
@@ -15929,7 +12821,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -15939,14 +12830,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -15956,7 +12844,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 @@ -15966,7 +12853,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -15974,12 +12860,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -15987,7 +12871,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 
@@ -15998,7 +12881,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16008,18 +12890,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, @@ -16028,7 +12907,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16039,7 +12917,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
@@ -16047,12 +12924,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16062,7 +12937,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16097,7 +12971,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TCP matchers and actions. + description: |+ + Rules are a list of TCP matchers and actions. + items: description: TCPRouteRule is the configuration for a given rule. properties: 
@@ -16110,53 +12986,41 @@ spec: respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. 
@@ -16175,20 +13039,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -16204,13 +13064,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -16237,13 +13095,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 
@@ -16259,10 +13115,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -16278,13 +13147,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
@@ -16298,38 +13165,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -16371,12 +13224,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -16399,15 +13247,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -16428,7 +13273,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -16438,14 +13282,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -16455,7 +13296,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -16465,7 +13305,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -16473,12 +13312,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16486,7 +13323,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -16497,7 +13333,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16507,18 +13342,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -16527,7 +13359,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16538,7 +13369,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -16546,12 +13376,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16561,7 +13389,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16601,7 +13428,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io @@ -16628,7 +13455,6 @@ spec: to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. - If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener. properties: 
@@ -16658,17 +13484,14 @@ spec: SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: - * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. 
@@ -16678,37 +13501,31 @@ spec: `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. - If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. - If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. - Support: Core items: description: |- Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: - 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. - Hostname can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.example.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). - Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed. 
@@ -16731,21 +13548,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -16755,10 +13567,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -16766,14 +13576,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, 
@@ -16781,12 +13589,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16797,22 +13603,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -16824,7 +13626,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -16834,14 +13635,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -16851,7 +13649,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -16861,7 +13658,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -16869,12 +13665,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -16882,7 +13676,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -16893,7 +13686,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -16903,18 +13695,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -16923,7 +13712,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -16934,7 +13722,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -16942,12 +13729,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -16957,7 +13742,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -16992,7 +13776,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of TLS matchers and actions. + description: |+ + Rules are a list of TLS matchers and actions. + items: description: TLSRouteRule is the configuration for a given rule. properties: 
@@ -17008,53 +13794,41 @@ spec: requested to have 80% of requests, then 80% of requests must be rejected instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. 
@@ -17073,20 +13847,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -17102,13 +13872,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -17135,13 +13903,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 
@@ -17157,10 +13923,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -17176,13 +13955,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
@@ -17196,38 +13973,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -17269,12 +14032,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -17297,15 +14055,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -17326,7 +14081,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17336,14 +14090,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -17353,7 +14104,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -17363,7 +14113,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -17371,12 +14120,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17384,7 +14131,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -17395,7 +14141,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -17405,18 +14150,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -17425,7 +14167,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -17436,7 +14177,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -17444,12 +14184,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -17459,7 +14197,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -17499,7 +14236,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io 
@@ -17559,21 +14296,16 @@ spec: create a "producer" route for a Service in a different namespace from the Route. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - ParentRefs must be _distinct_. This means either that: - * They select different objects. If this is the case, then parentRef entries are distinct. In terms of fields, this means that the multi-part key defined by `group`, `kind`, `namespace`, and `name` must @@ -17583,10 +14315,8 @@ spec: optional fields to different values. If one ParentRef sets a combination of optional fields, all must set the same combination. - Some examples: - * If one ParentRef sets `sectionName`, all ParentRefs referencing the same object must also set `sectionName`. * If one ParentRef sets `port`, all ParentRefs referencing the same @@ -17594,14 +14324,12 @@ spec: * If one ParentRef sets `sectionName` and `port`, all ParentRefs referencing the same object must also set `sectionName` and `port`. - It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. - Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, 
@@ -17609,12 +14337,10 @@ spec: generic way to enable other kinds of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17625,22 +14351,18 @@ spec: - items: description: |- ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - This API may be extended in the future to support additional kinds of parent resources. - The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. properties: @@ -17652,7 +14374,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -17662,14 +14383,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -17679,7 +14397,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -17689,7 +14406,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -17697,12 +14413,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -17710,7 +14424,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -17721,7 +14434,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -17731,18 +14443,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -17751,7 +14460,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -17762,7 +14470,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -17770,12 +14477,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -17785,7 +14490,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 @@ -17820,7 +14524,9 @@ spec: || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port == p2.port)))) rules: - description: Rules are a list of UDP matchers and actions. + description: |+ + Rules are a list of UDP matchers and actions. + items: description: UDPRouteRule is the configuration for a given rule. properties: 
@@ -17833,53 +14539,41 @@ spec: respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. - Support: Core for Kubernetes Service - Support: Extended for Kubernetes ServiceImport - Support: Implementation-specific for any other resource - Support for weight: Extended items: description: |- BackendRef defines how a Route should forward a request to a Kubernetes resource. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - - When the BackendRef points to a Kubernetes Service, implementations SHOULD honor the appProtocol field if it is set for the target Service Port. - Implementations supporting appProtocol SHOULD recognize the Kubernetes Standard Application Protocols defined in KEP-3726. - If a Service appProtocol isn't specified, an implementation MAY infer the backend protocol through its own means. Implementations MAY infer the protocol from the Route type referring to the backend Service. - If a Route is not able to send traffic to the backend using the specified protocol then the backend is considered invalid. Implementations MUST set the "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. - - Note that when the BackendTLSPolicy object is enabled by the implementation, there are some extra rules about validity to consider here. See the fields where this struct is used for more information about the exact behavior. 
@@ -17898,20 +14592,16 @@ spec: Kind is the Kubernetes resource kind of the referent. For example "Service". - Defaults to "Service" when not specified. - ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. - Support: Core (Services with a type other than ExternalName) - Support: Implementation-specific (Services with type ExternalName) maxLength: 63 minLength: 1 @@ -17927,13 +14617,11 @@ spec: Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. - Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - Support: Core maxLength: 63 minLength: 1 @@ -17960,13 +14648,11 @@ spec: implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. - If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. - Support for this field varies based on the context where used. format: int32 maximum: 1000000 
@@ -17982,10 +14668,23 @@ spec: maxItems: 16 minItems: 1 type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string type: object maxItems: 16 minItems: 1 type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) required: - rules type: object @@ -18001,13 +14700,11 @@ spec: first sees the route and should update the entry as appropriate when the route or gateway is modified. - Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. - A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway. items: 
@@ -18021,38 +14718,24 @@ spec: Note that the route's availability is also subject to the Gateway's own status conditions and listener status. - If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the "Accepted" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. - A Route MUST be considered "Accepted" if at least one of the Route's rules is implemented by the Gateway. - There are a number of cases where the "Accepted" condition may not be set due to lack of controller visibility, that includes when: - * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to. items: - description: "Condition contains details for one aspect of - the current state of this API Resource.\n---\nThis struct - is intended for direct use as an array at the field path - .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type are: - \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // - +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of + the current state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -18094,12 +14777,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18122,15 +14800,12 @@ spec: controller that wrote this status. This corresponds with the controllerName field on GatewayClass. - Example: "example.net/gateway-controller". - The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). - Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. @@ -18151,7 +14826,6 @@ spec: To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). - Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -18161,14 +14835,11 @@ spec: description: |- Kind is kind of the referent. - There are two kinds of parent resources with "Core" support: - * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) - Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 @@ -18178,7 +14849,6 @@ spec: description: |- Name is the name of the referent. - Support: Core maxLength: 253 minLength: 1 
@@ -18188,7 +14858,6 @@ spec: Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. - Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: @@ -18196,12 +14865,10 @@ spec: generic way to enable any other kind of cross-namespace reference. - ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. - ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which @@ -18209,7 +14876,6 @@ spec: ParentRef of the Route. - Support: Core maxLength: 63 minLength: 1 @@ -18220,7 +14886,6 @@ spec: Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. - When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the @@ -18230,18 +14895,15 @@ spec: must match both specified values. - When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. - Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. - For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, 
@@ -18250,7 +14912,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Extended format: int32 maximum: 65535 @@ -18261,7 +14922,6 @@ spec: SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: - * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. @@ -18269,12 +14929,10 @@ spec: are specified, the name and port of the selected listener must match both specified values. - Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. - When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway @@ -18284,7 +14942,6 @@ spec: attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. - Support: Core maxLength: 253 minLength: 1 diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index dfa9b6ee15b..a20daa41ef5 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -10,7 +10,7 @@ require ( google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.1.0 + sigs.k8s.io/gateway-api v1.2.0-rc2 ) require ( diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 6a0a34ad222..d36dddf80cc 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -133,8 +133,8 @@ k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2d k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= -sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= -sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/gateway-api v1.2.0-rc2 h1:v7V7JzaBuzwOLWWyyqlkqiqBi3ANBuZGV+uyyKzwmE8= +sigs.k8s.io/gateway-api v1.2.0-rc2/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/go.mod b/go.mod index 19b329d910c..8f8681f17de 100644 --- a/go.mod +++ b/go.mod @@ -56,7 +56,7 @@ require ( k8s.io/kubectl v0.31.1 k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.1.0 + sigs.k8s.io/gateway-api v1.2.0-rc2 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index d67318c05d3..e5e53e36ec6 100644 --- a/go.sum +++ b/go.sum 
@@ -1210,8 +1210,8 @@ sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gE sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= -sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= -sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/gateway-api v1.2.0-rc2 h1:v7V7JzaBuzwOLWWyyqlkqiqBi3ANBuZGV+uyyKzwmE8= +sigs.k8s.io/gateway-api v1.2.0-rc2/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= diff --git a/internal/gatewayapi/conformance/suite.go b/internal/gatewayapi/conformance/suite.go index 4fafa008983..90181246b69 100644 --- a/internal/gatewayapi/conformance/suite.go +++ b/internal/gatewayapi/conformance/suite.go @@ -15,6 +15,7 @@ import ( // SkipTests is a list of tests that are skipped in the conformance suite. var SkipTests = []suite.ConformanceTest{ tests.GatewayStaticAddresses, + tests.GatewayInfrastructure, } func skipTestsShortNames(skipTests []suite.ConformanceTest) []string { 
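Review bot: The new `tests.GatewayInfrastructure` entry in `SkipTests` has no reason or tracking reference next to it, so nothing records when the test can be re-enabled. The e2e suite touched later in this patch annotates its skip with an issue link. The same convention here would read `tests.GatewayInfrastructure, // skipped until <tracking-issue-url> is resolved` (placeholder; the issue is not named on this page). The `skippedTests` parameter of `getSupportedFeatures` suggests, though this hunk does not show it, that this list also feeds the features published in GatewayClass status; if so, the comment should say that the skip changes what the controller advertises.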
@@ -27,9 +28,26 @@ func skipTestsShortNames(skipTests []suite.ConformanceTest) []string { // EnvoyGatewaySuite is the conformance suite configuration for the Gateway API. var EnvoyGatewaySuite = suite.ConformanceOptions{ - SupportedFeatures: features.AllFeatures, - ExemptFeatures: sets.New[features.SupportedFeature](). - Insert(features.MeshCoreFeatures.UnsortedList()...). - Insert(features.MeshExtendedFeatures.UnsortedList()...), - SkipTests: skipTestsShortNames(SkipTests), + SupportedFeatures: allFeatures(), + ExemptFeatures: meshFeatures(), + SkipTests: skipTestsShortNames(SkipTests), +} + +func allFeatures() sets.Set[features.FeatureName] { + allFeatures := sets.New[features.FeatureName]() + for _, feature := range features.AllFeatures.UnsortedList() { + allFeatures.Insert(feature.Name) + } + return allFeatures +} + +func meshFeatures() sets.Set[features.FeatureName] { + meshFeatures := sets.New[features.FeatureName]() + for _, feature := range features.MeshCoreFeatures.UnsortedList() { + meshFeatures.Insert(feature.Name) + } + for _, feature := range features.MeshExtendedFeatures.UnsortedList() { + meshFeatures.Insert(feature.Name) + } + return meshFeatures } diff --git a/internal/gatewayapi/conformance/support_level.go b/internal/gatewayapi/conformance/support_level.go index 938b90dcf00..cb3e8d317ae 100644 --- a/internal/gatewayapi/conformance/support_level.go +++ b/internal/gatewayapi/conformance/support_level.go 
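Review bot: In both new helpers the local set is named after the enclosing function (`allFeatures := sets.New[...]()` inside `func allFeatures()`, likewise `meshFeatures`), which shadows the function identifier for the rest of the body. It compiles, but it reads like a self-reference and is the kind of thing shadowing linters flag. A neutral local such as `names := sets.New[features.FeatureName]()` avoids that. Both helpers are also undocumented; a one-line comment each, e.g. `// allFeatures returns the names of every feature in features.AllFeatures.`, would explain why the conversion from `Feature` to `FeatureName` exists.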
@@ -26,10 +26,18 @@ const ( ) // ExtendedFeatures is a list of supported Gateway-API features that are considered Extended. -var ExtendedFeatures = sets.New[features.SupportedFeature](). - Insert(features.GatewayExtendedFeatures.UnsortedList()...). - Insert(features.HTTPRouteExtendedFeatures.UnsortedList()...). - Insert(features.MeshExtendedFeatures.UnsortedList()...) +var ExtendedFeatures = sets.New[features.FeatureName]() + +func init() { + featureLists := sets.New[features.Feature](). + Insert(features.GatewayExtendedFeatures.UnsortedList()...). + Insert(features.HTTPRouteExtendedFeatures.UnsortedList()...). + Insert(features.MeshExtendedFeatures.UnsortedList()...) + + for _, feature := range featureLists.UnsortedList() { + ExtendedFeatures.Insert(feature.Name) + } +} // GetTestSupportLevel returns the SupportLevel for a conformance test. // The support level is determined by the highest support level of the features. @@ -44,7 +52,7 @@ func GetTestSupportLevel(test suite.ConformanceTest) SupportLevel { } // GetFeatureSupportLevel returns the SupportLevel for a feature. -func GetFeatureSupportLevel(feature features.SupportedFeature) SupportLevel { +func GetFeatureSupportLevel(feature features.FeatureName) SupportLevel { supportLevel := Core if ExtendedFeatures.Has(feature) { diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 9c5626d7524..21cb9142de0 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -82,6 +82,7 @@ var ( PathMatchTypeDerefOr = ptr.Deref[gwapiv1.PathMatchType] GRPCMethodMatchTypeDerefOr = ptr.Deref[gwapiv1.GRPCMethodMatchType] HeaderMatchTypeDerefOr = ptr.Deref[gwapiv1.HeaderMatchType] + GRPCHeaderMatchTypeDerefOr = ptr.Deref[gwapiv1.GRPCHeaderMatchType] QueryParamMatchTypeDerefOr = ptr.Deref[gwapiv1.QueryParamMatchType] ) diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 743337591bb..1239caadc91 100644 --- a/internal/gatewayapi/route.go 
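Review bot: `ExtendedFeatures` is now an exported, initially empty package variable that `init()` fills in, so its contents depend on initialisation order and it stays mutable package state. `suite.go` in this same patch builds its sets through small helper functions. Doing the same here lets the variable be initialised in its declaration and drops `init()` and the intermediate `sets.Set[features.Feature]`. A doc comment on the helper should state that only feature names are kept.

```go
var ExtendedFeatures = extendedFeatureNames()

// extendedFeatureNames collects the names of the Gateway, HTTPRoute and Mesh
// extended features into one set.
func extendedFeatureNames() sets.Set[features.FeatureName] {
	names := sets.New[features.FeatureName]()
	for _, list := range []sets.Set[features.Feature]{
		features.GatewayExtendedFeatures,
		features.HTTPRouteExtendedFeatures,
		features.MeshExtendedFeatures,
	} {
		for _, feature := range list.UnsortedList() {
			names.Insert(feature.Name)
		}
	}
	return names
}
```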
+++ b/internal/gatewayapi/route.go @@ -608,13 +608,13 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i } for _, headerMatch := range match.Headers { - switch HeaderMatchTypeDerefOr(headerMatch.Type, gwapiv1.HeaderMatchExact) { - case gwapiv1.HeaderMatchExact: + switch GRPCHeaderMatchTypeDerefOr(headerMatch.Type, gwapiv1.GRPCHeaderMatchExact) { + case gwapiv1.GRPCHeaderMatchExact: irRoute.HeaderMatches = append(irRoute.HeaderMatches, &ir.StringMatch{ Name: string(headerMatch.Name), Exact: ptr.To(headerMatch.Value), }) - case gwapiv1.HeaderMatchRegularExpression: + case gwapiv1.GRPCHeaderMatchRegularExpression: if err := regex.Validate(headerMatch.Value); err != nil { return nil, err } diff --git a/internal/gatewayapi/status/gatewayclass.go b/internal/gatewayapi/status/gatewayclass.go index 490fc61b9fe..ee49b49345d 100644 --- a/internal/gatewayapi/status/gatewayclass.go +++ b/internal/gatewayapi/status/gatewayclass.go @@ -82,12 +82,19 @@ func getSupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests [] ret := sets.New[gwapiv1.SupportedFeature]() for _, feature := range supportedFeatures.UnsortedList() { - ret.Insert(gwapiv1.SupportedFeature(feature)) + ret.Insert(gwapiv1.SupportedFeature{ + Name: gwapiv1.FeatureName(feature), + }) } - return sets.List(ret) + + var featureList []gwapiv1.SupportedFeature + for feature := range ret { + featureList = append(featureList, feature) + } + return featureList } -func getUnsupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []features.SupportedFeature { +func getUnsupportedFeatures(gatewaySuite suite.ConformanceOptions, skippedTests []suite.ConformanceTest) []features.FeatureName { unsupportedFeatures := gatewaySuite.ExemptFeatures.UnsortedList() for _, skippedTest := range skippedTests { diff --git a/internal/gatewayapi/status/gatewayclass_test.go b/internal/gatewayapi/status/gatewayclass_test.go index f2a9dfa42e1..c9f573c9250 100644 
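Review bot: In the `gatewayclass.go` hunk, `getSupportedFeatures` used to return `sets.List(ret)`, which is sorted, and now returns a slice built by ranging over the set, so the order of the result changes from call to call. If that slice is written to GatewayClass status, as the function name suggests, the status can differ between reconciles with no real change. The updated test's expected values are listed alphabetically, which only passes reliably if the comparison ignores order. Sorting before the return restores the old behaviour: `sort.Slice(featureList, func(i, j int) bool { return featureList[i].Name < featureList[j].Name })`. The intermediate `ret` set is also redundant now, since `supportedFeatures` is already a set. The start of the function is outside the hunk.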
--- a/internal/gatewayapi/status/gatewayclass_test.go +++ b/internal/gatewayapi/status/gatewayclass_test.go 
@@ -80,63 +80,76 @@ func TestGetSupportedFeatures(t *testing.T) { { name: "No exempt features", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.SupportedFeature](), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), + ExemptFeatures: sets.New[features.FeatureName](), + }, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, }, { name: "All features exempt", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), + ExemptFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), }, expectedResult: []gwapiv1.SupportedFeature{}, }, { name: "Some features exempt", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("GRPCRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), + ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), + }, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, }, { name: "Some features exempt with skipped tests", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GRPCRoute"), - ExemptFeatures: sets.New[features.SupportedFeature]("GRPCRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GRPCRoute"), + ExemptFeatures: sets.New[features.FeatureName]("GRPCRoute"), }, skippedTests: 
[]suite.ConformanceTest{ { - Features: []features.SupportedFeature{"HTTPRoute"}, + Features: []features.FeatureName{"HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + }, }, { name: "Core features remain supported with skipped extended tests", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute", "GatewayHTTPListenerIsolation"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute", "GatewayHTTPListenerIsolation"), }, skippedTests: []suite.ConformanceTest{ { - Features: []features.SupportedFeature{"Gateway", "GatewayHTTPListenerIsolation", "HTTPRoute"}, + Features: []features.FeatureName{"Gateway", "GatewayHTTPListenerIsolation", "HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway", "HTTPRoute"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + {Name: "HTTPRoute"}, + }, }, { name: "Core feature removed when skipping core test", gatewaySuite: suite.ConformanceOptions{ - SupportedFeatures: sets.New[features.SupportedFeature]("Gateway", "HTTPRoute"), + SupportedFeatures: sets.New[features.FeatureName]("Gateway", "HTTPRoute"), }, skippedTests: []suite.ConformanceTest{ { - Features: []features.SupportedFeature{"HTTPRoute"}, + Features: []features.FeatureName{"HTTPRoute"}, }, }, - expectedResult: []gwapiv1.SupportedFeature{"Gateway"}, + expectedResult: []gwapiv1.SupportedFeature{ + {Name: "Gateway"}, + }, }, } diff --git a/osv-scanner.toml b/osv-scanner.toml index 61e02d0ceb8..7125af4a3f7 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml 
@@ -89,3 +89,10 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" + +[[PackageOverrides]] +name = "sigs.k8s.io/gateway-api" +version = "1.2.0-rc2" +ecosystem = "Go" +license.override = ["Apache-2.0"] +reason = "https://github.com/envoyproxy/gateway/actions/runs/11065210699/job/30744231458?pr=4270" diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index ef186153eef..dd448c96aaa 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -46,7 +46,7 @@ func TestE2E(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{ tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191 }, diff --git a/test/e2e/merge_gateways/merge_gateways_test.go b/test/e2e/merge_gateways/merge_gateways_test.go index fe8c616d2ed..ec2fd026390 100644 --- a/test/e2e/merge_gateways/merge_gateways_test.go +++ b/test/e2e/merge_gateways/merge_gateways_test.go @@ -47,7 +47,7 @@ func TestMergeGateways(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { diff --git a/test/e2e/multiple_gc/multiple_gc_test.go b/test/e2e/multiple_gc/multiple_gc_test.go index 571d1afd33d..2d917f293e5 100644 --- a/test/e2e/multiple_gc/multiple_gc_test.go +++ b/test/e2e/multiple_gc/multiple_gc_test.go 
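Review bot: The `reason` for the new `sigs.k8s.io/gateway-api` license override is only a link to a CI job run, which explains nothing once that run's logs are no longer available. Because this entry tells the scanner to accept a license it did not determine itself, the reason should state the finding in words and keep the link as a reference, e.g. `reason = "License not detected for the pre-release tag; upstream is Apache-2.0, see <ci-run-url>"` (wording to be confirmed by the author). The override is pinned to `1.2.0-rc2`, so it needs to be removed or updated when the dependency moves to a final release.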
@@ -27,7 +27,6 @@ import ( func TestMultipleGC(t *testing.T) { flag.Parse() - c, cfg := kubetest.NewClient(t) if flags.RunTest != nil && *flags.RunTest != "" { @@ -50,7 +49,7 @@ func TestMultipleGC(t *testing.T) { RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { @@ -76,13 +75,14 @@ func TestMultipleGC(t *testing.T) { privateGatewaySuiteGatewayClassName := "private" privateGatewaySuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, + RestConfig: cfg, GatewayClassName: privateGatewaySuiteGatewayClassName, Debug: *flags.ShowDebug, CleanupBaseResources: *flags.CleanupBaseResources, RunTest: *flags.RunTest, // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. - SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway), + SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), SkipTests: []string{}, }) if err != nil { diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 5a394d134f1..41d53fefcb9 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -53,6 +53,7 @@ var EGUpgradeTest = suite.ConformanceTest{ depNS := "envoy-gateway-system" lastVersionTag := os.Getenv("last_version_tag") if lastVersionTag == "" { + // Use v1.0.2 instead of v1.1.2 due to https://github.com/envoyproxy/gateway/issues/4336 lastVersionTag = "v1.0.2" // Default version tag if not specified } 
@@ -274,13 +275,14 @@ func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Ch
 }
 for _, crd := range crds {
- if crd.Name == "backendtlspolicies.gateway.networking.k8s.io" {
+ if crd.Name == "backendtlspolicies.gateway.networking.k8s.io" ||
+ crd.Name == "grpcroutes.gateway.networking.k8s.io" {
 newVersion, err := getGWAPIVersion(crd.Object)
 if err != nil {
 return err
 }
 // https://gateway-api.sigs.k8s.io/guides/?h=upgrade#v11-upgrade-notes
- if newVersion == "v1.1.0" {
+ if newVersion == "v1.2.0-rc2" {
 helper := resource.NewHelper(crd.Client, crd.Mapping)
 existingCRD, err := helper.Get(crd.Namespace, crd.Name)
 if kerrors.IsNotFound(err) {
@@ -294,7 +296,7 @@ func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Ch
 }
 if existingVersion == "v1.0.0" {
- // Delete the existing instance of the BTLS CRD
+ // Delete the existing instance of the BTLS and GRPCRoute CRDs
 _, errs := actionConfig.KubeClient.Delete([]*resource.Info{crd})
 if errs != nil {
 return fmt.Errorf("failed to delete backendtlspolicies: %s", util.MultipleErrors("", errs))
diff --git a/test/e2e/upgrade/eg_upgrade_test.go b/test/e2e/upgrade/eg_upgrade_test.go
index 7ef3c406e31..d673d5e423d 100644
--- a/test/e2e/upgrade/eg_upgrade_test.go
+++ b/test/e2e/upgrade/eg_upgrade_test.go
@@ -46,7 +46,7 @@ func TestEGUpgrade(t *testing.T) {
 ManifestFS: []fs.FS{e2e.UpgradeManifests},
 RunTest: *flags.RunTest,
 BaseManifests: "upgrade/manifests.yaml",
- SupportedFeatures: sets.New[features.SupportedFeature](features.SupportGateway),
+ SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway),
 SkipTests: []string{},
 })
 if err != nil {
From cf8492746ca7a72b404b7998ea9ab195b82d5101 Mon Sep 17 00:00:00 2001 From: Oscar Boher Date: Tue, 1 Oct 2024 03:18:47 +0200 Subject: [PATCH 221/523] fix: rateLimitDeployment ignoring pod labels and annotation merge (#4228) * fix labels and annotation merges for rate limit deployment
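Review bot: The error returned in the delete branch of test/e2e/tests/eg_upgrade.go (hunk at -294) still reads `failed to delete backendtlspolicies`, although the condition in the hunk at -274 now also matches `grpcroutes.gateway.networking.k8s.io`, so a failed GRPCRoute CRD deletion would be reported under the wrong resource. Using the matched name keeps the message accurate: `return fmt.Errorf("failed to delete %s: %s", crd.Name, util.MultipleErrors("", errs))`. The gate `newVersion == "v1.2.0-rc2"` is an exact match on a release-candidate string and will silently stop matching at the next Gateway API bump, while the comment above it still links the v1.1 upgrade notes; a comment such as `// keep in sync with the bundled Gateway API CRD version` would flag that for whoever does the bump. migrateChartCRDs starts and ends outside these hunks.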
Signed-off-by: Oscar Boher * fix tests and label merge Signed-off-by: Oscar Boher * fix annotation merge if prometheus was disabled and annotations were defined Signed-off-by: Oscar Boher * renamed labels and annotations to specify they apply to pods only Signed-off-by: Oscar Boher * linter Signed-off-by: Oscar Boher * fix resource provider tests to new annotation behavior Signed-off-by: Oscar Boher * go linter Signed-off-by: Oscar Boher * fix gen-check Signed-off-by: Oscar Boher * pod labels selector comment Signed-off-by: Oscar Boher --------- Signed-off-by: Oscar Boher Co-authored-by: zirain Co-authored-by: Arko Dasgupta --- .../kubernetes/ratelimit/resource_provider.go | 28 +++- .../ratelimit/resource_provider_test.go | 45 +++++ .../testdata/deployments/custom.yaml | 2 + .../testdata/deployments/default-env.yaml | 2 + .../testdata/deployments/extension-env.yaml | 2 + .../deployments/merge-annotations.yaml | 156 ++++++++++++++++++ .../testdata/deployments/merge-labels.yaml | 156 ++++++++++++++++++ .../testdata/deployments/override-env.yaml | 2 + .../deployments/redis-tls-settings.yaml | 2 + .../testdata/deployments/tolerations.yaml | 2 + .../testdata/deployments/volumes.yaml | 2 + 11 files changed, 391 insertions(+), 8 deletions(-) create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml create mode 100644 internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 63767efb034..50c5c8bf7f2 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -9,6 +9,7 @@ import ( _ "embed" "strconv" + "golang.org/x/exp/maps" appsv1 "k8s.io/api/apps/v1" autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" 
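Review bot: The import added to resource_provider.go takes `maps` from `golang.org/x/exp`, while the comment this commit adds in Deployment() links to the standard-library documentation at pkg.go.dev/maps#Copy. If the module's `go` directive is 1.21 or later (it is not visible in this patch), importing `"maps"` from the standard library gives the same `Copy` and keeps the code that renders the rate limit Deployment off an experimental module that carries no compatibility promise. Otherwise the comment should point at the package that is really imported, `https://pkg.go.dev/golang.org/x/exp/maps#Copy`.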
@@ -196,19 +197,30 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 }
 containers := expectedRateLimitContainers(r.rateLimit, r.rateLimitDeployment, r.Namespace)
- labels := rateLimitLabels()
- selector := resource.GetSelector(labels)
+ selector := resource.GetSelector(rateLimitLabels())
+
+ podLabels := rateLimitLabels()
+ if r.rateLimitDeployment.Pod.Labels != nil {
+ maps.Copy(podLabels, r.rateLimitDeployment.Pod.Labels)
+ // Copy overwrites values in the dest map if they exist in the src map https://pkg.go.dev/maps#Copy
+ // It's applied again with the rateLimitLabels that are used as deployment selector to ensure those are not overwritten by user input
+ maps.Copy(podLabels, rateLimitLabels())
+ }
- var annotations map[string]string
+ var podAnnotations map[string]string
 if enablePrometheus(r.rateLimit) {
- annotations = map[string]string{
+ podAnnotations = map[string]string{
 "prometheus.io/path": "/metrics",
 "prometheus.io/port": strconv.Itoa(PrometheusPort),
 "prometheus.io/scrape": "true",
 }
 }
 if r.rateLimitDeployment.Pod.Annotations != nil {
- annotations = r.rateLimitDeployment.Pod.Annotations
+ if podAnnotations != nil {
+ maps.Copy(podAnnotations, r.rateLimitDeployment.Pod.Annotations)
+ } else {
+ podAnnotations = r.rateLimitDeployment.Pod.Annotations
+ }
 }
 deployment := &appsv1.Deployment{
@@ -218,7 +230,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 },
 ObjectMeta: metav1.ObjectMeta{
 Namespace: r.Namespace,
- Labels: labels,
+ Labels: rateLimitLabels(),
 },
 Spec: appsv1.DeploymentSpec{
 Replicas: r.rateLimitDeployment.Replicas,
@@ -226,8 +238,8 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 Selector: selector,
 Template: corev1.PodTemplateSpec{
 ObjectMeta: metav1.ObjectMeta{
- Labels: selector.MatchLabels,
+ Labels: podLabels,
- Annotations: annotations,
+ Annotations: podAnnotations,
 },
 Spec: corev1.PodSpec{
 Containers: containers,
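Review bot: The pod-label merge in the hunk at -196 copies the defaults, then the user labels, then the defaults again, behind a nil check that `maps.Copy` does not need, since copying from a nil map is a no-op. Building the map in precedence order says the same thing in three lines: `podLabels := map[string]string{}`, `maps.Copy(podLabels, r.rateLimitDeployment.Pod.Labels)`, `maps.Copy(podLabels, rateLimitLabels()) // selector labels always win over user input`. The annotation merge below has the opposite precedence, with user values overwriting the `prometheus.io/*` defaults; if that is intended, a short comment such as `// user annotations take precedence over the Prometheus defaults` would keep a later reader from aligning the two. Deployment() starts and ends outside these hunks.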
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
index 47c4901e198..c7aa23f7943 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go
@@ -9,6 +9,7 @@ import (
 "flag"
 "fmt"
 "os"
+ "strconv"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -678,6 +679,50 @@ func TestDeployment(t *testing.T) {
 },
 },
 },
+ {
+ caseName: "merge-labels",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ },
+ deploy: &egv1a1.KubernetesDeploymentSpec{
+ Pod: &egv1a1.KubernetesPodSpec{
+ Labels: map[string]string{
+ "app.kubernetes.io/name": InfraName,
+ "app.kubernetes.io/component": "ratelimit",
+ "app.kubernetes.io/managed-by": "envoy-gateway",
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ },
+ },
+ {
+ caseName: "merge-annotations",
+ rateLimit: &egv1a1.RateLimit{
+ Backend: egv1a1.RateLimitDatabaseBackend{
+ Type: egv1a1.RedisBackendType,
+ Redis: &egv1a1.RateLimitRedisSettings{
+ URL: "redis.redis.svc:6379",
+ },
+ },
+ },
+ deploy: &egv1a1.KubernetesDeploymentSpec{
+ Pod: &egv1a1.KubernetesPodSpec{
+ Annotations: map[string]string{
+ "prometheus.io/path": "/metrics",
+ "prometheus.io/port": strconv.Itoa(PrometheusPort),
+ "prometheus.io/scrape": "true",
+ "key1": "value1",
+ "key2": "value2",
+ },
+ },
+ },
+ },
 }
 for _, tc := range cases {
 t.Run(tc.caseName, func(t *testing.T) {
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
index bd75907c7af..0c1be549e83 100644
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml
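Review bot: Neither new case in TestDeployment exercises a conflicting key: `merge-labels` passes the three `app.kubernetes.io/*` labels with what appear, from the golden file, to be the same values the renderer already sets, and `merge-annotations` passes the `prometheus.io/*` keys with their defaults. The guard that stops user input from overwriting the selector labels is therefore untested, and removing the second `maps.Copy` in Deployment() would still pass while producing a pod template that no longer matches the Deployment selector. Changing one input to a differing, constructed value, e.g. `"app.kubernetes.io/name": "user-override",`, with merge-labels.yaml left unchanged, would pin the behaviour. The same applies to annotations, where a differing `prometheus.io/port` would document which side is meant to win.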
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/custom.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml index bd75907c7af..0c1be549e83 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml index 972dd635a38..65c68972f9d 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/extension-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml new file mode 100644 index 00000000000..4bc241198c6 --- /dev/null +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml 
@@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate + template: + metadata: + annotations: + key1: value1 + key2: value2 + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - 
name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml new file mode 100644 index 00000000000..6681232eeb8 --- /dev/null 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml 
@@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + name: envoy-ratelimit + namespace: envoy-gateway-system + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: envoy-gateway + uid: test-owner-reference-uid-for-deployment +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: ratelimit + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy-ratelimit + key1: value1 + key2: value2 + spec: + automountServiceAccountToken: false + containers: + - command: + - /bin/ratelimit + env: + - name: RUNTIME_ROOT + value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: LOG_LEVEL + value: info + - name: USE_STATSD + value: "false" + - name: CONFIG_TYPE + value: GRPC_XDS_SOTW + - name: CONFIG_GRPC_XDS_SERVER_URL + value: envoy-gateway:18001 + - name: CONFIG_GRPC_XDS_NODE_ID + value: envoy-ratelimit + - name: GRPC_SERVER_USE_TLS + value: "true" + - name: GRPC_SERVER_TLS_CERT + value: /certs/tls.crt + - name: GRPC_SERVER_TLS_KEY + value: /certs/tls.key + - name: GRPC_SERVER_TLS_CA_CERT + value: /certs/ca.crt + - name: CONFIG_GRPC_XDS_SERVER_USE_TLS + value: "true" + - name: CONFIG_GRPC_XDS_CLIENT_TLS_CERT + value: /certs/tls.crt + - name: CONFIG_GRPC_XDS_CLIENT_TLS_KEY + value: /certs/tls.key + - name: CONFIG_GRPC_XDS_SERVER_TLS_CACERT + value: /certs/ca.crt + - 
name: FORCE_START_WITHOUT_INITIAL_CONFIG + value: "true" + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: redis.redis.svc:6379 + - name: USE_PROMETHEUS + value: "true" + - name: PROMETHEUS_ADDR + value: :19001 + - name: PROMETHEUS_MAPPER_YAML + value: /etc/statsd-exporter/conf.yaml + image: envoyproxy/ratelimit:master + imagePullPolicy: IfNotPresent + name: envoy-ratelimit + ports: + - containerPort: 8081 + name: grpc + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthcheck + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /etc/statsd-exporter + name: statsd-exporter-config + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-ratelimit + terminationGracePeriodSeconds: 300 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy-rate-limit + - configMap: + defaultMode: 420 + name: statsd-exporter-config + optional: true + name: statsd-exporter-config +status: {} diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml index 8d076381d71..0c0f73f3c83 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/override-env.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml index 7fc4a4ec4ca..29428fc447b 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/redis-tls-settings.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml index 685f5a76385..a2478222625 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/tolerations.yaml @@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml index 3659647a89a..30d8852d642 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/volumes.yaml 
@@ -27,6 +27,8 @@ spec: template: metadata: annotations: + prometheus.io/path: /metrics + prometheus.io/port: "19001" prometheus.io/scrape: "true" creationTimestamp: null labels: From 0f4cb27f0110051f7811122a2dd73652c93a15b2 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 1 Oct 2024 10:23:48 +0800 Subject: [PATCH 222/523] chore: fix gen-check (#4376) Signed-off-by: zirain --- internal/cmd/egctl/testdata/translate/in/default-resources.yaml | 2 +- .../egctl/testdata/translate/in/from-gateway-api-to-xds.yaml | 2 +- .../cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml | 2 +- internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml index 13476a405eb..bf2af30da40 100644 --- a/internal/cmd/egctl/testdata/translate/in/default-resources.yaml +++ b/internal/cmd/egctl/testdata/translate/in/default-resources.yaml @@ -114,7 +114,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml b/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml index b13096a2e3a..b501a74a758 100644 --- a/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml +++ b/internal/cmd/egctl/testdata/translate/in/from-gateway-api-to-xds.yaml @@ -145,7 +145,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml b/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml index 9e31a94aa6a..5c72cb4f1bd 100644 --- a/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml 
+++ b/internal/cmd/egctl/testdata/translate/in/invalid-envoyproxy.yaml @@ -170,7 +170,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend diff --git a/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml b/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml index bb9ca9478f9..ba8c25e2352 100644 --- a/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml +++ b/internal/cmd/egctl/testdata/translate/in/valid-envoyproxy.yaml @@ -163,7 +163,7 @@ spec: type: PathPrefix value: / --- -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: GRPCRoute metadata: name: backend From dcc39fbf8340bf3b0247f2aa3f183c78701d80f0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 16:57:03 -0700 Subject: [PATCH 223/523] build(deps): bump the golang-org group across 2 directories with 2 updates (#4401) Bumps the golang-org group with 2 updates in the / directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Bumps the golang-org group with 2 updates in the /examples/extension-server directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/sys` from 0.25.0 to 0.26.0 - [Commits](https://github.com/golang/sys/compare/v0.25.0...v0.26.0) Updates `golang.org/x/net` from 0.29.0 to 0.30.0 - [Commits](https://github.com/golang/net/compare/v0.29.0...v0.30.0) Updates `golang.org/x/sys` from 0.25.0 to 0.26.0 - [Commits](https://github.com/golang/sys/compare/v0.25.0...v0.26.0) Updates `golang.org/x/net` from 0.29.0 to 0.30.0 - [Commits](https://github.com/golang/net/compare/v0.29.0...v0.30.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/sys dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 4 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index a20daa41ef5..896e6ecc9ab 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -31,9 +31,9 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect - golang.org/x/net v0.29.0 // indirect - golang.org/x/sys v0.25.0 // indirect - golang.org/x/text v0.18.0 // indirect + golang.org/x/net v0.30.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/text v0.19.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index d36dddf80cc..348b042bfbb 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -81,20 +81,20 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod 
h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/go.mod b/go.mod index 8f8681f17de..ae38b68b132 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/sys v0.25.0 + golang.org/x/sys v0.26.0 google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.1 @@ -203,7 +203,7 @@ require ( go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - golang.org/x/crypto v0.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect 
@@ -272,11 +272,11 @@ require ( go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.29.0 + golang.org/x/net v0.30.0 golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.24.0 // indirect - golang.org/x/text v0.18.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index e5e53e36ec6..60dcc02edc5 100644 --- a/go.sum +++ b/go.sum @@ -936,8 +936,8 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -974,8 +974,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1027,17 +1027,17 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time 
v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 04b082238fbcc65c43edac5943e207cffefed018 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 16:57:31 -0700 Subject: [PATCH 224/523] build(deps): bump github.com/bufbuild/buf from 1.42.0 to 1.44.0 in /tools/src/buf (#4400) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.42.0 to 1.44.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.42.0...v1.44.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 49 ++++++++++++--------- tools/src/buf/go.sum | 101 +++++++++++++++++++++++++------------------ 2 files changed, 86 insertions(+), 64 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 7dcf60d5c51..9154ce02a93 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,25 +2,26 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.42.0 +require github.com/bufbuild/buf v1.44.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 // indirect buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect - buf.build/go/bufplugin v0.2.0 // indirect + buf.build/go/bufplugin v0.5.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect - connectrpc.com/connect v1.16.2 // indirect + buf.build/go/spdx v0.2.0 // indirect + connectrpc.com/connect v1.17.0 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/Microsoft/hcsshim v0.12.6 // indirect + github.com/Microsoft/hcsshim v0.12.7 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.6.5 // indirect + github.com/bufbuild/protovalidate-go v0.7.1 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect 
github.com/containerd/containerd v1.7.22 // indirect github.com/containerd/continuity v0.4.3 // indirect @@ -30,11 +31,11 @@ require ( github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect github.com/containerd/ttrpc v1.2.5 // indirect github.com/containerd/typeurl/v2 v2.2.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.2.1+incompatible // indirect + github.com/docker/cli v27.3.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.2.1+incompatible // indirect + github.com/docker/docker v27.3.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect @@ -45,17 +46,16 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gofrs/flock v0.12.1 // indirect - github.com/gofrs/uuid/v5 v5.3.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 // indirect + github.com/google/pprof v0.0.0-20240929191954-255acd752d31 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect - github.com/klauspost/compress v1.17.9 // indirect + github.com/klauspost/compress v1.17.10 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect 
@@ -81,11 +81,18 @@ require ( github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/segmentio/asm v1.2.0 // indirect + github.com/segmentio/encoding v0.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect - github.com/vbatts/tar-split v0.11.5 // indirect + github.com/tetratelabs/wazero v1.8.0 // indirect + github.com/vbatts/tar-split v0.11.6 // indirect + go.lsp.dev/jsonrpc2 v0.10.0 // indirect + go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 // indirect + go.lsp.dev/protocol v0.12.0 // indirect + go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect go.opentelemetry.io/otel v1.30.0 // indirect @@ -106,10 +113,10 @@ require ( golang.org/x/term v0.24.0 // indirect golang.org/x/text v0.18.0 // indirect golang.org/x/tools v0.25.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/grpc v1.66.2 // indirect - google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/grpc v1.67.0 // indirect + google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - pluginrpc.com/pluginrpc v0.3.0 // indirect + pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index e76ce65da22..1c3d37804b5 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,20 +1,22 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2 h1:X9qBPcvWGOJs/CeRVLoxxLJwC/eKyWDS/G4nj+3KGMY= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240904181154-a0be11449112.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 h1:SZRVx928rbYZ6hEKUIN+vtGDkl7uotABRWGY4OAg5gM= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1 h1:QaJ6UkpvlGo4dBXR41vLRfPiKungbg7brjmbBC/k6Ig= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.16.2-20240821192916-45ba72cdd479.1/go.mod h1:oQsMFNU3YzxxjRS6O68UkcF/A+pXdXqQNcUfQEBTWcw= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2 h1:C3CTZTucEUm7i0O2tAM8GSlg23GnQYcljX1b1Jcpsro= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240821192916-45ba72cdd479.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 h1:BQVQ0fcYgqpe6F/2ZPJUR1rTN+nwdrj2z7IAbAu9XAQ= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 h1:p4A9QnhBrKjCquBt1mKqfO37QseLwgWqQp+Wb9ZjasE= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1/go.mod 
h1:7WtU+waNF+dyxDsuNaqmG3d0w3y2poNju8cvun1/jLs= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 h1:3sSS9z8k6zVe7rNNt9R6DN2fOFBVClEflmICIjbXwms= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= -buf.build/go/bufplugin v0.2.0 h1:nnNvWzUgQXitRDmjWWIkuXj9klreAAE94sVCsL+0v5g= -buf.build/go/bufplugin v0.2.0/go.mod h1:ZZYGt6PDcjbBSywdz/G8NdXkIuWi2rzR8CduGzbCPdk= +buf.build/go/bufplugin v0.5.0 h1:pmK1AloAMp+4woH5hEisK9qVmDdLySzIKexUUVZLJ2Q= +buf.build/go/bufplugin v0.5.0/go.mod h1:r7Y8tpqpErLtUXUecEgwAHnjihY03YbN0IaBFNJF/x0= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= +buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= +buf.build/go/spdx v0.2.0/go.mod h1:bXdwQFem9Si3nsbNy8aJKGPoaPi5DKwdeEp5/ArZ6w8= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -connectrpc.com/connect v1.16.2 h1:ybd6y+ls7GOlb7Bh5C8+ghA6SvCBajHwxssO2CGFjqE= -connectrpc.com/connect v1.16.2/go.mod h1:n2kgwskMHXC+lVqb18wngEpF95ldBHXjZYJussz5FRc= +connectrpc.com/connect v1.17.0 h1:W0ZqMhtVzn9Zhn2yATuUokDLO5N+gIuBWMOnsQrfmZk= +connectrpc.com/connect v1.17.0/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8= connectrpc.com/otelconnect v0.7.1 h1:scO5pOb0i4yUE66CnNrHeK1x51yq0bE0ehPg6WvzXJY= connectrpc.com/otelconnect v0.7.1/go.mod h1:dh3bFgHBTb2bkqGCeVVOtHJreSns7uu9wwL2Tbz17ms= github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= 
@@ -24,18 +26,18 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU= -github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk= +github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldFaRg= +github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.42.0 h1:awh6dZ1qjC468Wq9FN/3WAeBLoe6LV8GeFSHlL3ltvE= -github.com/bufbuild/buf v1.42.0/go.mod h1:AKKOqvsTLjeFXTEc7h9KsxsVBY/hETalmy7k8e0FVEo= +github.com/bufbuild/buf v1.44.0 h1:95vd2ZbgaDkKIJ557eZrx2z6jdMULEpVbNpLlw/9Y5w= +github.com/bufbuild/buf v1.44.0/go.mod h1:Ksh+C0pR3t1or0BGyzq7krkam3zhBv21QVs1zsqdOik= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.6.5 h1:WucDKXIbK22WjkO8A8J6Yyxxy0jl91Oe9LSMduq3YEE= -github.com/bufbuild/protovalidate-go v0.6.5/go.mod h1:LHDiGCWSM3GagZEnyEZ1sPtFwi6Ja4tVTi/DCc+iDFI= +github.com/bufbuild/protovalidate-go v0.7.1 h1:ac50NTO6+1+mKg5sP/GBPLlMkQFeI+OeaYGFdS1vu98= +github.com/bufbuild/protovalidate-go 
v0.7.1/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -68,8 +70,9 @@ github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oL github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso= github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -77,12 +80,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.2.1+incompatible h1:U5BPtiD0viUzjGAjV1p0MGB8eVA3L3cbIrnyWmSJI70= -github.com/docker/cli v27.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= -github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= +github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -114,8 +117,6 @@ github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6Wezm github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= -github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk= -github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= @@ -146,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 h1:c5FlPPgxOn7kJz3VoPLkQYQXGBS3EklQ4Zfi57uOuqQ= -github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20240929191954-255acd752d31 h1:LcRdQWywSgfi5jPsYZ1r2avbbs5IQ5wtyhMBCcokyo4= +github.com/google/pprof v0.0.0-20240929191954-255acd752d31/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -164,8 +165,8 @@ github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNr github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= +github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -220,8 +221,8 @@ github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDj github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= 
@@ -232,6 +233,10 @@ github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= +github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/segmentio/encoding v0.4.0 h1:MEBYvRqiUB2nfR2criEXWqwdY6HJOUrCn5hboVOVmy8= +github.com/segmentio/encoding v0.4.0/go.mod h1:/d03Cd8PoaDeceuhUUUQWjU0KhWjrmYrWPgtJHYZSnI= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= 
@@ -249,10 +254,20 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= -github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= +github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g= +github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= +github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs= +github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.lsp.dev/jsonrpc2 v0.10.0 h1:Pr/YcXJoEOTMc/b6OTmcR1DPJ3mSWl/SWiU1Cct6VmI= +go.lsp.dev/jsonrpc2 v0.10.0/go.mod h1:fmEzIdXPi/rf6d4uFcayi8HpFP1nBF99ERP1htC72Ac= +go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 h1:hCzQgh6UcwbKgNSRurYWSqh8MufqRRPODRBblutn4TE= +go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2/go.mod h1:gtSHRuYfbCT0qnbLnovpie/WEmqyJ7T4n6VXiFMBtcw= +go.lsp.dev/protocol v0.12.0 h1:tNprUI9klQW5FAFVM4Sa+AbPFuVQByWhP1ttNUAjIWg= +go.lsp.dev/protocol v0.12.0/go.mod h1:Qb11/HgZQ72qQbeyPfJbu3hZBH23s1sr4st8czGeDMQ= +go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= +go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 
h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= 
@@ -356,17 +371,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= +google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= 
-google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= +google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -376,8 +391,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689 h1:hNwajDgT0MlsxZzlUajZVmUYFpts8/CYe4BSNx503ZE= -google.golang.org/protobuf v1.34.3-0.20240816073751-94ecbc261689/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844= +google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -388,5 +403,5 @@ gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -pluginrpc.com/pluginrpc v0.3.0 h1:9BSGRIdNLf/+EU3JrkISLwgIAuYxBrMEzSfNyeQ/Gp0= -pluginrpc.com/pluginrpc v0.3.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o= +pluginrpc.com/pluginrpc v0.5.0 h1:tOQj2D35hOmvHyPu8e7ohW2/QvAnEtKscy2IJYWQ2yo= +pluginrpc.com/pluginrpc v0.5.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o= From b93e660405b3e96a6c342a1f19159f08c42efb52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 17:14:43 -0700 Subject: [PATCH 225/523] build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#4399) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/e28ff129e5465c2c0dcc6f003fc735cb6ae0c673...b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index b0bc2968188..debe2628477 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -55,7 +55,7 @@ jobs:
 - name: Run Coverage Tests
 run: make go.test.coverage
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+ uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
 with:
 fail_ci_if_error: true
 files: ./coverage.xml
From 4cbc2d0fa6390863964bfdfb88fe76147087daf8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 08:18:45 +0800 Subject: [PATCH 226/523] build(deps): bump github/codeql-action from 3.26.9 to 3.26.11 (#4397) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.9 to 3.26.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/461ef6c76dfe95d5c364de2f431ddbd31a417628...6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3639ea5dfaa..95262e597e5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f3075f3ebd5..88324734fb7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 + uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 with: sarif_file: results.sarif From d0734ea6e4df93657df16c0f1ef880dc96a241f4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 17:42:10 -0700 Subject: [PATCH 227/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.105.1 to 0.105.2 (#4404) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.105.1 to 0.105.2. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.105.1...v0.105.2) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ae38b68b132..2dd4911a207 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.105.1 + github.com/replicatedhq/troubleshoot v0.105.2 google.golang.org/grpc v1.66.2 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) diff --git a/go.sum b/go.sum index 60dcc02edc5..624b91ab533 100644 --- a/go.sum +++ b/go.sum 
@@ -715,8 +715,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.105.1 h1:nNZHVqRxMjHlpJfbQEwHLalpWmPac2pUiZ9pk01c2/g= -github.com/replicatedhq/troubleshoot v0.105.1/go.mod h1:WqquTbNHLnZiSWsu6Mzo3rwez5kZ/A+1Hq4K/yq0HBo= +github.com/replicatedhq/troubleshoot v0.105.2 h1:Fm1kKdzhPw+J7UnpLByxYJ3XAVV4IkylUIDt0eaUTFE= +github.com/replicatedhq/troubleshoot v0.105.2/go.mod h1:WqquTbNHLnZiSWsu6Mzo3rwez5kZ/A+1Hq4K/yq0HBo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From e5f97ef001ed5d093f095d154e7770b9c1ae69d7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 17:42:44 -0700 Subject: [PATCH 228/523] build(deps): bump google/osv-scanner-action from 1.8.5 to 1.9.0 (#4398) Bumps [google/osv-scanner-action](https://github.com/google/osv-scanner-action) from 1.8.5 to 1.9.0. - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](https://github.com/google/osv-scanner-action/compare/f0e6719deb666cd19a0b56bc56d01161bd848b4f...19ec1116569a47416e11a45848722b1af31a857b) --- updated-dependencies: - dependency-name: google/osv-scanner-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/license-scan.yml | 2 +- .github/workflows/osv-scanner.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 1a9459389b4..2484d76340e 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout code uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Run scanner - uses: google/osv-scanner-action/osv-scanner-action@f0e6719deb666cd19a0b56bc56d01161bd848b4f # v1.8.5 + uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 5c50d8f1a82..8263faac895 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -19,7 +19,7 @@ permissions: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 permissions: actions: read contents: read @@ -33,7 +33,7 @@ jobs: scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@f0e6719deb666cd19a0b56bc56d01161bd848b4f" # v1.8.5 + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 permissions: actions: read contents: read 
From db515e223d44dd33c7596d82703990a8a138508f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 17:43:16 -0700 Subject: [PATCH 229/523] build(deps): bump sigs.k8s.io/gateway-api from 1.2.0-rc2 to 1.2.0 in /examples/extension-server (#4407) build(deps): bump sigs.k8s.io/gateway-api in /examples/extension-server Bumps [sigs.k8s.io/gateway-api](https://github.com/kubernetes-sigs/gateway-api) from 1.2.0-rc2 to 1.2.0. - [Release notes](https://github.com/kubernetes-sigs/gateway-api/releases) - [Changelog](https://github.com/kubernetes-sigs/gateway-api/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/gateway-api/compare/v1.2.0-rc2...v1.2.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/gateway-api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 896e6ecc9ab..4b9bd2560b3 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -10,7 +10,7 @@ require ( google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.2.0-rc2 + sigs.k8s.io/gateway-api v1.2.0 ) require ( diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 348b042bfbb..8deeedb9544 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -133,8 +133,8 @@ k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2d k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= -sigs.k8s.io/gateway-api v1.2.0-rc2 h1:v7V7JzaBuzwOLWWyyqlkqiqBi3ANBuZGV+uyyKzwmE8= -sigs.k8s.io/gateway-api v1.2.0-rc2/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= +sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= +sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= From aac00136f662ec0c7f895fad02c61dc1d6492cc7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 17:50:11 -0700 Subject: [PATCH 230/523] build(deps): bump busybox from `c230832` to `768e5c6` in /tools/docker/envoy-gateway (#4408) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `c230832` to `768e5c6`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 6aa42f4998b..fedcddb59ae 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -1,4 +1,4 @@ -FROM busybox@sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140 as source +FROM busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 as source # Create the data directory for eg RUN mkdir -p /var/lib/eg From f6b8a670e49d5a9f1c00dc8ce166fd45b3cba10f Mon Sep 17 00:00:00 2001 
From: zirain Date: Tue, 8 Oct 2024 10:10:24 +0800 Subject: [PATCH 231/523] chore: remove +build tag (#4392) --- examples/extension-server/cmd/extension-server/main.go | 3 +-- examples/extension-server/tools/src/controller-gen/pin.go | 1 - internal/provider/kubernetes/kubernetes_test.go | 1 - test/benchmark/benchmark_test.go | 1 - test/benchmark/suite/flags.go | 1 - test/benchmark/suite/options.go | 1 - test/benchmark/suite/render.go | 1 - test/benchmark/suite/report.go | 1 - test/benchmark/suite/suite.go | 1 - test/benchmark/tests/scale_httproutes.go | 1 - test/benchmark/tests/tests.go | 1 - test/cel-validation/backend_test.go | 1 - test/cel-validation/backendtrafficpolicy_test.go | 1 - test/cel-validation/clienttrafficpolicy_test.go | 1 - test/cel-validation/envoyextensionpolicy_test.go | 1 - test/cel-validation/envoyproxy_test.go | 1 - test/cel-validation/httproutefilter_test.go | 1 - test/cel-validation/main_test.go | 1 - test/cel-validation/securitypolicy_test.go | 1 - test/conformance/conformance_test.go | 1 - test/conformance/experimental_conformance_test.go | 1 - test/e2e/e2e_test.go | 1 - test/e2e/embed.go | 1 - test/e2e/merge_gateways/merge_gateways_test.go | 1 - test/e2e/multiple_gc/multiple_gc_test.go | 1 - test/e2e/tests/accesslog.go | 1 - test/e2e/tests/authorization_client_ip.go | 1 - test/e2e/tests/authorization_default_action.go | 1 - test/e2e/tests/authorization_jwt.go | 1 - test/e2e/tests/backend_health_check.go | 1 - test/e2e/tests/backend_tls.go | 1 - test/e2e/tests/backend_tls_settings.go | 1 - test/e2e/tests/backend_upgrade.go | 1 - test/e2e/tests/backendtrafficpolicy_translation_failed.go | 1 - test/e2e/tests/basic_auth.go | 1 - test/e2e/tests/circuitbreaker.go | 1 - test/e2e/tests/client_mtls.go | 1 - test/e2e/tests/client_timeout.go | 1 - test/e2e/tests/connection_limit.go | 1 - test/e2e/tests/controlplane.go | 1 - test/e2e/tests/cors.go | 1 - test/e2e/tests/eg_upgrade.go | 1 - test/e2e/tests/envoy_patch_policy.go | 1 - 
test/e2e/tests/envoy_shutdown.go | 1 - test/e2e/tests/ext_auth_grpc_service.go | 1 - test/e2e/tests/ext_auth_http_backend.go | 1 - test/e2e/tests/ext_auth_http_service.go | 1 - test/e2e/tests/ext_proc.go | 1 - test/e2e/tests/fault_injection.go | 1 - test/e2e/tests/gateway_infra_resource.go | 1 - test/e2e/tests/header_settings.go | 1 - test/e2e/tests/httproute_rewrite_full_path.go | 1 - test/e2e/tests/httproute_rewrite_regex_path.go | 1 - test/e2e/tests/jwt.go | 1 - test/e2e/tests/listener_health_check.go | 1 - test/e2e/tests/load_balancing.go | 1 - test/e2e/tests/local_ratelimit.go | 1 - test/e2e/tests/merge_gateways.go | 1 - test/e2e/tests/metric.go | 1 - test/e2e/tests/multiple_gc.go | 1 - test/e2e/tests/oidc.go | 1 - test/e2e/tests/preservecase.go | 1 - test/e2e/tests/ratelimit.go | 1 - test/e2e/tests/redirect_replaceprefixmatch_slash.go | 1 - test/e2e/tests/referencegrants.go | 1 - test/e2e/tests/retry.go | 1 - test/e2e/tests/route_with_backend.go | 1 - test/e2e/tests/routingtype.go | 1 - test/e2e/tests/securitypolicy_transaltion_failed.go | 1 - test/e2e/tests/session_persistence.go | 1 - test/e2e/tests/tcp_route.go | 1 - test/e2e/tests/tests.go | 1 - test/e2e/tests/tracing.go | 1 - test/e2e/tests/udproute.go | 1 - test/e2e/tests/use_client_protocol.go | 1 - test/e2e/tests/wasm_http.go | 1 - test/e2e/tests/wasm_oci.go | 1 - test/e2e/tests/weighted_backend.go | 1 - test/e2e/upgrade/eg_upgrade_test.go | 1 - tools/boilerplate/boilerplate.py | 1 - tools/src/buf/pin.go | 1 - tools/src/controller-gen/pin.go | 1 - tools/src/crd-ref-docs/pin.go | 1 - tools/src/gci/pin.go | 1 - tools/src/golangci-lint/pin.go | 1 - tools/src/helm-docs/pin.go | 1 - tools/src/jb/pin.go | 1 - tools/src/jsonnet/pin.go | 1 - tools/src/kind/pin.go | 1 - tools/src/protoc-gen-go-grpc/pin.go | 1 - tools/src/protoc-gen-go/pin.go | 1 - tools/src/setup-envtest/pin.go | 1 - 92 files changed, 1 insertion(+), 93 deletions(-) 
diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go
index 9df1f4a885c..4a6b0474621 100644
--- a/examples/extension-server/cmd/extension-server/main.go
+++ b/examples/extension-server/cmd/extension-server/main.go
@@ -56,7 +56,6 @@ func main() {
 },
 }
 app.Run(os.Args)
-
 }
 var grpcServer *grpc.Server
@@ -65,7 +64,7 @@ func handleSignals(cCtx *cli.Context) error {
 c := make(chan os.Signal, 1)
 signal.Notify(c, os.Interrupt, syscall.SIGQUIT)
 go func() {
- for _ = range c {
+ for range c {
 if grpcServer != nil {
 grpcServer.Stop()
 os.Exit(0)
diff --git a/examples/extension-server/tools/src/controller-gen/pin.go b/examples/extension-server/tools/src/controller-gen/pin.go
index 82c8d1cf3c5..a3fbfac77f7 100644
--- a/examples/extension-server/tools/src/controller-gen/pin.go
+++ b/examples/extension-server/tools/src/controller-gen/pin.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build pin
-// +build pin
 package ignore
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go
index 669a790af55..135de799948 100644
--- a/internal/provider/kubernetes/kubernetes_test.go
+++ b/internal/provider/kubernetes/kubernetes_test.go
@@ -1,5 +1,4 @@
 //go:build integration
-// +build integration
 // Copyright Envoy Gateway Authors
 // SPDX-License-Identifier: Apache-2.0
diff --git a/test/benchmark/benchmark_test.go b/test/benchmark/benchmark_test.go
index 5ef46c08f56..a1dc6167b91 100644
--- a/test/benchmark/benchmark_test.go
+++ b/test/benchmark/benchmark_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package benchmark
diff --git a/test/benchmark/suite/flags.go b/test/benchmark/suite/flags.go
index f8ec9ca168b..4f23f0780f4 100644
--- a/test/benchmark/suite/flags.go
+++ b/test/benchmark/suite/flags.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package suite
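Review bot: In `handleSignals` (examples/extension-server/cmd/extension-server/main.go) the `os.Exit(0)` sits inside `if grpcServer != nil`, so an interrupt that arrives before the server is assigned is consumed by `signal.Notify` and, as far as this hunk shows, leaves the process running with its default Ctrl-C handling disabled. SIGTERM, the usual container shutdown signal, is also absent from the `Notify` list, so that kind of stop never reaches `grpcServer.Stop()`. I would register it with `signal.Notify(c, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT)` and call `os.Exit(0)` after the nil check rather than inside it. `grpcServer` is a package-level variable read from this goroutine, so its assignment (outside the hunk) should be checked for a data race. The loop body and the rest of the function continue past the end of the hunk.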
diff --git a/test/benchmark/suite/options.go b/test/benchmark/suite/options.go
index 13a8a82a3c2..f16ccf41dae 100644
--- a/test/benchmark/suite/options.go
+++ b/test/benchmark/suite/options.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package suite
diff --git a/test/benchmark/suite/render.go b/test/benchmark/suite/render.go
index 69992fb69ee..413d02502d8 100644
--- a/test/benchmark/suite/render.go
+++ b/test/benchmark/suite/render.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package suite
diff --git a/test/benchmark/suite/report.go b/test/benchmark/suite/report.go
index b9ecbea9701..b159e798600 100644
--- a/test/benchmark/suite/report.go
+++ b/test/benchmark/suite/report.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package suite
diff --git a/test/benchmark/suite/suite.go b/test/benchmark/suite/suite.go
index 58bbcce4cd2..014d841798a 100644
--- a/test/benchmark/suite/suite.go
+++ b/test/benchmark/suite/suite.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package suite
diff --git a/test/benchmark/tests/scale_httproutes.go b/test/benchmark/tests/scale_httproutes.go
index 169a3faeb27..cf0839220de 100644
--- a/test/benchmark/tests/scale_httproutes.go
+++ b/test/benchmark/tests/scale_httproutes.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package tests
diff --git a/test/benchmark/tests/tests.go b/test/benchmark/tests/tests.go
index 0aa49a13bb1..052ea356daa 100644
--- a/test/benchmark/tests/tests.go
+++ b/test/benchmark/tests/tests.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build benchmark
-// +build benchmark
 package tests
diff --git a/test/cel-validation/backend_test.go b/test/cel-validation/backend_test.go
index c78e22ae24c..7b29c4353a7 100644
--- a/test/cel-validation/backend_test.go
+++ b/test/cel-validation/backend_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go
index 2755295336d..49f033eb6ae 100644
--- a/test/cel-validation/backendtrafficpolicy_test.go
+++ b/test/cel-validation/backendtrafficpolicy_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go
index b57adf7d025..14dd915d78a 100644
--- a/test/cel-validation/clienttrafficpolicy_test.go
+++ b/test/cel-validation/clienttrafficpolicy_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go
index 5e0e1f37ad9..7c9c168df10 100644
--- a/test/cel-validation/envoyextensionpolicy_test.go
+++ b/test/cel-validation/envoyextensionpolicy_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/envoyproxy_test.go b/test/cel-validation/envoyproxy_test.go
index 865da4ac306..8a2b198a18a 100644
--- a/test/cel-validation/envoyproxy_test.go
+++ b/test/cel-validation/envoyproxy_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/httproutefilter_test.go b/test/cel-validation/httproutefilter_test.go
index e9ebf380fb6..67a9e4455bb 100644
--- a/test/cel-validation/httproutefilter_test.go
+++ b/test/cel-validation/httproutefilter_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/main_test.go b/test/cel-validation/main_test.go
index 30ab253d7de..dd6f4d39fa7 100644
--- a/test/cel-validation/main_test.go
+++ b/test/cel-validation/main_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go
index 92d179fec6d..c4efa812d58 100644
--- a/test/cel-validation/securitypolicy_test.go
+++ b/test/cel-validation/securitypolicy_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build celvalidation
-// +build celvalidation
 package celvalidation
diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go
index ce7dce052ab..77e7899cc1b 100644
--- a/test/conformance/conformance_test.go
+++ b/test/conformance/conformance_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build conformance
-// +build conformance
 package conformance
diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go
index d337dbfe526..bb36d490794 100644
--- a/test/conformance/experimental_conformance_test.go
+++ b/test/conformance/experimental_conformance_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build experimental
-// +build experimental
 package conformance
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index dd448c96aaa..869c2891246 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package e2e
diff --git a/test/e2e/embed.go b/test/e2e/embed.go
index 7bf3080fac2..d8f32cf2d7c 100644
--- a/test/e2e/embed.go
+++ b/test/e2e/embed.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package e2e
diff --git a/test/e2e/merge_gateways/merge_gateways_test.go b/test/e2e/merge_gateways/merge_gateways_test.go
index ec2fd026390..ffa1e1774e5 100644
--- a/test/e2e/merge_gateways/merge_gateways_test.go
+++ b/test/e2e/merge_gateways/merge_gateways_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package mergegateways
diff --git a/test/e2e/multiple_gc/multiple_gc_test.go b/test/e2e/multiple_gc/multiple_gc_test.go
index 2d917f293e5..700ed86e03f 100644
--- a/test/e2e/multiple_gc/multiple_gc_test.go
+++ b/test/e2e/multiple_gc/multiple_gc_test.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package multiplegc
diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go
index 4d7fbd11844..2019d92568c 100644
--- a/test/e2e/tests/accesslog.go
+++ b/test/e2e/tests/accesslog.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go
index 8ac95845c4a..8887c46b1a0 100644
--- a/test/e2e/tests/authorization_client_ip.go
+++ b/test/e2e/tests/authorization_client_ip.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go
index 7eaed07b306..88462808dd9 100644
--- a/test/e2e/tests/authorization_default_action.go
+++ b/test/e2e/tests/authorization_default_action.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go
index ff6872bc802..66f5a526a2d 100644
--- a/test/e2e/tests/authorization_jwt.go
+++ b/test/e2e/tests/authorization_jwt.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/backend_health_check.go b/test/e2e/tests/backend_health_check.go
index e2fc3d7d27c..bfb033499d2 100644
--- a/test/e2e/tests/backend_health_check.go
+++ b/test/e2e/tests/backend_health_check.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/backend_tls.go b/test/e2e/tests/backend_tls.go
index dea222b477f..7fa66f28308 100644
--- a/test/e2e/tests/backend_tls.go
+++ b/test/e2e/tests/backend_tls.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go
index 0fdbdf10d62..e007a791fdd 100644
--- a/test/e2e/tests/backend_tls_settings.go
+++ b/test/e2e/tests/backend_tls_settings.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/backend_upgrade.go b/test/e2e/tests/backend_upgrade.go
index 261ee9acb63..e7bbf897c41 100644
--- a/test/e2e/tests/backend_upgrade.go
+++ b/test/e2e/tests/backend_upgrade.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/backendtrafficpolicy_translation_failed.go b/test/e2e/tests/backendtrafficpolicy_translation_failed.go
index f76eee15710..e5a0fab0cbc 100644
--- a/test/e2e/tests/backendtrafficpolicy_translation_failed.go
+++ b/test/e2e/tests/backendtrafficpolicy_translation_failed.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/basic_auth.go b/test/e2e/tests/basic_auth.go
index bcedeb21db9..8510de1998d 100644
--- a/test/e2e/tests/basic_auth.go
+++ b/test/e2e/tests/basic_auth.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/circuitbreaker.go b/test/e2e/tests/circuitbreaker.go
index 2f24d2ab3c8..1261a0e88d8 100644
--- a/test/e2e/tests/circuitbreaker.go
+++ b/test/e2e/tests/circuitbreaker.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/client_mtls.go b/test/e2e/tests/client_mtls.go
index bed591a1152..8d753cc766a 100644
--- a/test/e2e/tests/client_mtls.go
+++ b/test/e2e/tests/client_mtls.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/client_timeout.go b/test/e2e/tests/client_timeout.go
index 9a11f7a706a..faffec9df7b 100644
--- a/test/e2e/tests/client_timeout.go
+++ b/test/e2e/tests/client_timeout.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/connection_limit.go b/test/e2e/tests/connection_limit.go
index fca62d3a9e6..15e316fec47 100644
--- a/test/e2e/tests/connection_limit.go
+++ b/test/e2e/tests/connection_limit.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/controlplane.go b/test/e2e/tests/controlplane.go
index 56577c880ac..a5d29ab2600 100644
--- a/test/e2e/tests/controlplane.go
+++ b/test/e2e/tests/controlplane.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/cors.go b/test/e2e/tests/cors.go
index 50063f5cd3f..4308ee0799c 100644
--- a/test/e2e/tests/cors.go
+++ b/test/e2e/tests/cors.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go
index 41d53fefcb9..385952bd2a5 100644
--- a/test/e2e/tests/eg_upgrade.go
+++ b/test/e2e/tests/eg_upgrade.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/envoy_patch_policy.go b/test/e2e/tests/envoy_patch_policy.go
index 2486518ac31..2c93872841e 100644
--- a/test/e2e/tests/envoy_patch_policy.go
+++ b/test/e2e/tests/envoy_patch_policy.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go
index 6b5a35f490a..24e6b334637 100644
--- a/test/e2e/tests/envoy_shutdown.go
+++ b/test/e2e/tests/envoy_shutdown.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/ext_auth_grpc_service.go b/test/e2e/tests/ext_auth_grpc_service.go
index 430496675ea..123a6af3e75 100644
--- a/test/e2e/tests/ext_auth_grpc_service.go
+++ b/test/e2e/tests/ext_auth_grpc_service.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/ext_auth_http_backend.go b/test/e2e/tests/ext_auth_http_backend.go
index dd0e24c86c3..e05134b1862 100644
--- a/test/e2e/tests/ext_auth_http_backend.go
+++ b/test/e2e/tests/ext_auth_http_backend.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/ext_auth_http_service.go b/test/e2e/tests/ext_auth_http_service.go
index d7415590485..2c39699ef93 100644
--- a/test/e2e/tests/ext_auth_http_service.go
+++ b/test/e2e/tests/ext_auth_http_service.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/ext_proc.go b/test/e2e/tests/ext_proc.go
index dbbb4defaec..033da67f6bd 100644
--- a/test/e2e/tests/ext_proc.go
+++ b/test/e2e/tests/ext_proc.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/fault_injection.go b/test/e2e/tests/fault_injection.go
index 76fa27c4964..fffb8b578fa 100644
--- a/test/e2e/tests/fault_injection.go
+++ b/test/e2e/tests/fault_injection.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/gateway_infra_resource.go b/test/e2e/tests/gateway_infra_resource.go
index 7a468b80f60..213b6de1238 100644
--- a/test/e2e/tests/gateway_infra_resource.go
+++ b/test/e2e/tests/gateway_infra_resource.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/header_settings.go b/test/e2e/tests/header_settings.go
index ee5be4c3dfc..699f6baa975 100644
--- a/test/e2e/tests/header_settings.go
+++ b/test/e2e/tests/header_settings.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/httproute_rewrite_full_path.go b/test/e2e/tests/httproute_rewrite_full_path.go
index dd043571cbf..52083880256 100644
--- a/test/e2e/tests/httproute_rewrite_full_path.go
+++ b/test/e2e/tests/httproute_rewrite_full_path.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/httproute_rewrite_regex_path.go b/test/e2e/tests/httproute_rewrite_regex_path.go
index 975d2ec8868..bad6811d350 100644
--- a/test/e2e/tests/httproute_rewrite_regex_path.go
+++ b/test/e2e/tests/httproute_rewrite_regex_path.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/jwt.go b/test/e2e/tests/jwt.go
index fc7e826dd46..2ab756fcf3c 100644
--- a/test/e2e/tests/jwt.go
+++ b/test/e2e/tests/jwt.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/listener_health_check.go b/test/e2e/tests/listener_health_check.go
index 483a54caab1..14f4a8974d0 100644
--- a/test/e2e/tests/listener_health_check.go
+++ b/test/e2e/tests/listener_health_check.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/load_balancing.go b/test/e2e/tests/load_balancing.go
index 9f368dc0106..462916f76c1 100644
--- a/test/e2e/tests/load_balancing.go
+++ b/test/e2e/tests/load_balancing.go
@@ -4,7 +4,6 @@
 // the root of the repo.
 //go:build e2e
-// +build e2e
 package tests
diff --git a/test/e2e/tests/local_ratelimit.go b/test/e2e/tests/local_ratelimit.go
index a4c1accee6f..4a630d1ed67 100644
--- a/test/e2e/tests/local_ratelimit.go
+++ b/test/e2e/tests/local_ratelimit.go
@@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/merge_gateways.go b/test/e2e/tests/merge_gateways.go index c00cb3e84b7..018856d0fc7 100644 --- a/test/e2e/tests/merge_gateways.go +++ b/test/e2e/tests/merge_gateways.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/metric.go b/test/e2e/tests/metric.go index b9814f41e56..c1cc49bbb61 100644 --- a/test/e2e/tests/metric.go +++ b/test/e2e/tests/metric.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/multiple_gc.go b/test/e2e/tests/multiple_gc.go index 9b56ed1e2e4..2718aa8e93e 100644 --- a/test/e2e/tests/multiple_gc.go +++ b/test/e2e/tests/multiple_gc.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 4fcbabdc445..27fb79be9b3 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/preservecase.go b/test/e2e/tests/preservecase.go index 458bebd8219..82e865aaad0 100644 --- a/test/e2e/tests/preservecase.go +++ b/test/e2e/tests/preservecase.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index f564eec6dd4..80064e6d906 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/redirect_replaceprefixmatch_slash.go b/test/e2e/tests/redirect_replaceprefixmatch_slash.go index c1986809000..272f259ee99 100644 --- a/test/e2e/tests/redirect_replaceprefixmatch_slash.go 
+++ b/test/e2e/tests/redirect_replaceprefixmatch_slash.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/referencegrants.go b/test/e2e/tests/referencegrants.go index 903e64598bc..c17443130fd 100644 --- a/test/e2e/tests/referencegrants.go +++ b/test/e2e/tests/referencegrants.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/retry.go b/test/e2e/tests/retry.go index ca18d09c014..8b0b78a68ed 100644 --- a/test/e2e/tests/retry.go +++ b/test/e2e/tests/retry.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/route_with_backend.go b/test/e2e/tests/route_with_backend.go index 692764ccae5..7401e17c2f0 100644 --- a/test/e2e/tests/route_with_backend.go +++ b/test/e2e/tests/route_with_backend.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/routingtype.go b/test/e2e/tests/routingtype.go index 4649e5232a9..08da267338d 100644 --- a/test/e2e/tests/routingtype.go +++ b/test/e2e/tests/routingtype.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/securitypolicy_transaltion_failed.go b/test/e2e/tests/securitypolicy_transaltion_failed.go index 57cf4c397cf..302047cdb0b 100644 --- a/test/e2e/tests/securitypolicy_transaltion_failed.go +++ b/test/e2e/tests/securitypolicy_transaltion_failed.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/session_persistence.go b/test/e2e/tests/session_persistence.go index 0e6e9f73907..4448ba88555 100644 --- a/test/e2e/tests/session_persistence.go +++ b/test/e2e/tests/session_persistence.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests 
diff --git a/test/e2e/tests/tcp_route.go b/test/e2e/tests/tcp_route.go index 71e43f17164..5526327a68e 100644 --- a/test/e2e/tests/tcp_route.go +++ b/test/e2e/tests/tcp_route.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/tests.go b/test/e2e/tests/tests.go index dc39be7790b..f181e86ac3f 100644 --- a/test/e2e/tests/tests.go +++ b/test/e2e/tests/tests.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/tracing.go b/test/e2e/tests/tracing.go index bd169780121..5ead14b48a1 100644 --- a/test/e2e/tests/tracing.go +++ b/test/e2e/tests/tracing.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/udproute.go b/test/e2e/tests/udproute.go index 4eb160139c1..30211de759e 100644 --- a/test/e2e/tests/udproute.go +++ b/test/e2e/tests/udproute.go @@ -6,7 +6,6 @@ // This file contains code derived from upstream gateway-api, it will be moved to upstream. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/use_client_protocol.go b/test/e2e/tests/use_client_protocol.go index 0aa51afd077..185c95a0bdc 100644 --- a/test/e2e/tests/use_client_protocol.go +++ b/test/e2e/tests/use_client_protocol.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index 3dee419be19..e5ef2e14c82 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index b0d664469fa..1a0a43a33c5 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests 
diff --git a/test/e2e/tests/weighted_backend.go b/test/e2e/tests/weighted_backend.go index 5bab56f53b8..2ffb239c52f 100644 --- a/test/e2e/tests/weighted_backend.go +++ b/test/e2e/tests/weighted_backend.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package tests diff --git a/test/e2e/upgrade/eg_upgrade_test.go b/test/e2e/upgrade/eg_upgrade_test.go index d673d5e423d..b93a3bab0df 100644 --- a/test/e2e/upgrade/eg_upgrade_test.go +++ b/test/e2e/upgrade/eg_upgrade_test.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build e2e -// +build e2e package upgrade diff --git a/tools/boilerplate/boilerplate.py b/tools/boilerplate/boilerplate.py index 4741440808f..f3b21cd6b7c 100755 --- a/tools/boilerplate/boilerplate.py +++ b/tools/boilerplate/boilerplate.py @@ -229,7 +229,6 @@ def get_regexs(): regexs["date"] = re.compile(get_dates()) # strip the following build constraints/tags: # //go:build - # // +build \n\n regexs["go_build_constraints"] = re.compile( r"^(//(go:build| \+build).*\n)+\n", re.MULTILINE) # strip #!.* from scripts diff --git a/tools/src/buf/pin.go b/tools/src/buf/pin.go index c13637f5ca1..0efc9288fdc 100644 --- a/tools/src/buf/pin.go +++ b/tools/src/buf/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/controller-gen/pin.go b/tools/src/controller-gen/pin.go index 82c8d1cf3c5..a3fbfac77f7 100644 --- a/tools/src/controller-gen/pin.go +++ b/tools/src/controller-gen/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/crd-ref-docs/pin.go b/tools/src/crd-ref-docs/pin.go index 189206471eb..633c2a07b38 100644 --- a/tools/src/crd-ref-docs/pin.go +++ b/tools/src/crd-ref-docs/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/gci/pin.go b/tools/src/gci/pin.go index a9d92c30ded..b268ca2aa62 100644 --- a/tools/src/gci/pin.go +++ b/tools/src/gci/pin.go 
@@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/golangci-lint/pin.go b/tools/src/golangci-lint/pin.go index 79215a6f79c..124aa7ee154 100644 --- a/tools/src/golangci-lint/pin.go +++ b/tools/src/golangci-lint/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/helm-docs/pin.go b/tools/src/helm-docs/pin.go index c2a76758431..c199d5b0285 100644 --- a/tools/src/helm-docs/pin.go +++ b/tools/src/helm-docs/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/jb/pin.go b/tools/src/jb/pin.go index e7b14fc86ff..8aeb1584257 100644 --- a/tools/src/jb/pin.go +++ b/tools/src/jb/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/jsonnet/pin.go b/tools/src/jsonnet/pin.go index d8e5f03d16c..62839ad6881 100644 --- a/tools/src/jsonnet/pin.go +++ b/tools/src/jsonnet/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/kind/pin.go b/tools/src/kind/pin.go index 6f55c9cae83..71a5637bcc9 100644 --- a/tools/src/kind/pin.go +++ b/tools/src/kind/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/protoc-gen-go-grpc/pin.go b/tools/src/protoc-gen-go-grpc/pin.go index eb75ed5104b..de760119e13 100644 --- a/tools/src/protoc-gen-go-grpc/pin.go +++ b/tools/src/protoc-gen-go-grpc/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore diff --git a/tools/src/protoc-gen-go/pin.go b/tools/src/protoc-gen-go/pin.go index 074554f8b17..b0b6eb1c034 100644 --- a/tools/src/protoc-gen-go/pin.go +++ b/tools/src/protoc-gen-go/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore 
diff --git a/tools/src/setup-envtest/pin.go b/tools/src/setup-envtest/pin.go index d7a602fb15f..c16aa88025f 100644 --- a/tools/src/setup-envtest/pin.go +++ b/tools/src/setup-envtest/pin.go @@ -4,7 +4,6 @@ // the root of the repo. //go:build pin -// +build pin package ignore From 5e53e2a2fea8e1f8d9f75ea7ee19726eae8ec594 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 8 Oct 2024 10:11:25 +0800 Subject: [PATCH 232/523] chore: remove nit log (#4391) --- test/conformance/conformance_test.go | 4 ++++ test/conformance/experimental_conformance_test.go | 3 +++ test/e2e/e2e_test.go | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go index 77e7899cc1b..b27cb0cc69d 100644 --- a/test/conformance/conformance_test.go +++ b/test/conformance/conformance_test.go @@ -9,8 +9,11 @@ package conformance import ( "flag" + "os" "testing" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance" "sigs.k8s.io/gateway-api/conformance/tests" "sigs.k8s.io/gateway-api/conformance/utils/suite" @@ -20,6 +23,7 @@ import ( func TestGatewayAPIConformance(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) opts := conformance.DefaultOptions(t) opts.SkipTests = internalconf.EnvoyGatewaySuite.SkipTests diff --git a/test/conformance/experimental_conformance_test.go b/test/conformance/experimental_conformance_test.go index bb36d490794..ea1fb0389e0 100644 --- a/test/conformance/experimental_conformance_test.go +++ b/test/conformance/experimental_conformance_test.go @@ -14,6 +14,8 @@ import ( "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/util/sets" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance" conformancev1 "sigs.k8s.io/gateway-api/conformance/apis/v1" "sigs.k8s.io/gateway-api/conformance/tests" 
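Review bot: The added `log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true)))` in TestGatewayAPIConformance has no comment saying why a test entrypoint installs a logger, and the identical line is repeated in TestExperimentalConformance and TestE2E. A one-line comment such as `// controller-runtime complains when no logger is set; send its output to stderr` would keep it from being deleted as noise (reason inferred from the commit title, please confirm). Dev mode turns on debug-level output, so it is worth confirming that nothing sensitive from the test cluster ends up in CI logs. The experimental_conformance_test.go import hunk adds `log` and `zap` but not `os`, which is only correct if `os` is already imported above the hunk, outside the visible lines.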
@@ -26,6 +28,7 @@ import ( func TestExperimentalConformance(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) opts := conformance.DefaultOptions(t) opts.SkipTests = internalconf.EnvoyGatewaySuite.SkipTests diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 869c2891246..7267bbd2d75 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -10,9 +10,12 @@ package e2e import ( "flag" "io/fs" + "os" "testing" "k8s.io/apimachinery/pkg/util/sets" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance/utils/flags" "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" @@ -24,6 +27,7 @@ import ( func TestE2E(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) c, cfg := kubetest.NewClient(t) From fddbae7271ca9ff03df649b0dd2311d3fa727386 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:49:37 +0800 Subject: [PATCH 233/523] build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1 in /examples/extension-server (#4406) build(deps): bump google.golang.org/grpc in /examples/extension-server Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.67.0 to 1.67.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.67.0...v1.67.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 4b9bd2560b3..d6f03677ed6 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,7 +6,7 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 github.com/urfave/cli/v2 v2.27.4 - google.golang.org/grpc v1.67.0 + google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.34.2 k8s.io/apimachinery v0.31.1 sigs.k8s.io/controller-runtime v0.19.0 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 8deeedb9544..fd1ecc8f322 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -109,8 +109,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1: google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 871318510ba4895681dee64027e0d995417d71a8 Mon Sep 17 00:00:00 2001 
From: zirain Date: Tue, 8 Oct 2024 19:09:08 +0800 Subject: [PATCH 234/523] chore: recover Coverage Tests (#4411) Signed-off-by: zirain --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index debe2628477..dbbdbcd04ae 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -61,7 +61,7 @@ jobs: files: ./coverage.xml name: codecov-envoy-gateway verbose: true - use_oidc: true + use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }} build: runs-on: ubuntu-latest From 2f67765aa62ff764856d7dabd90c6ab673ecd43c Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 8 Oct 2024 20:20:54 +0800 Subject: [PATCH 235/523] chore: fix docker build warning (#4389) Signed-off-by: zirain Co-authored-by: sh2 --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index fedcddb59ae..1f5ad0cb8d0 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,4 +1,4 @@ -FROM busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 as source +FROM busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 AS source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 93a05614a65a513367b2f92e5c49454ad0e1fa39 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 9 Oct 2024 13:17:33 +0800 Subject: [PATCH 236/523] bump google.golang.org/grpc v1.67 (#4390) * bump grpc Signed-off-by: zirain * 1.67.1 Signed-off-by: zirain --------- 
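Review bot: The new `use_oidc` expression on the coverage upload step has no comment explaining why OIDC is switched off for pull requests from forks, and the hunk does not show how the upload authenticates in that case. I would add `# fork PRs cannot obtain an id-token, so OIDC upload is skipped for them` above the line (reason inferred, please confirm) and check that the step has a working fallback, since fork runs do not receive repository secrets either. The condition matches only `github.event_name == 'pull_request'`; the workflow triggers are outside the hunk, so if `pull_request_target` is ever added, fork-originated runs would keep OIDC enabled and this expression would need revisiting.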
Signed-off-by: zirain --- go.mod | 2 +- go.sum | 4 ++-- internal/gatewayapi/runner/runner.go | 1 + internal/globalratelimit/runner/runner.go | 1 + internal/xds/server/runner/runner.go | 1 + internal/xds/server/runner/runner_test.go | 1 + 6 files changed, 7 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2dd4911a207..a07ab071892 100644 --- a/go.mod +++ b/go.mod @@ -64,7 +64,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.105.2 - google.golang.org/grpc v1.66.2 + google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) diff --git a/go.sum b/go.sum index 624b91ab533..6e355f58e24 100644 --- a/go.sum +++ b/go.sum @@ -1092,8 +1092,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo= -google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index f9068b68dcf..f8f7b2a6965 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go 
@@ -564,6 +564,7 @@ func (r *Runner) tlsConfig() (*tls.Config, error) { // Configure the server to require client certificates return &tls.Config{ Certificates: []tls.Certificate{serverCert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caCertPool, MinVersion: tls.VersionTLS13, diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go index ffccb1ab3a3..baaaaacd6b7 100644 --- a/internal/globalratelimit/runner/runner.go +++ b/internal/globalratelimit/runner/runner.go @@ -213,6 +213,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { return &tls.Config{ Certificates: []tls.Certificate{cert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: certPool, MinVersion: tls.VersionTLS13, diff --git a/internal/xds/server/runner/runner.go b/internal/xds/server/runner/runner.go index d8acab8d951..19c4076d458 100644 --- a/internal/xds/server/runner/runner.go +++ b/internal/xds/server/runner/runner.go @@ -180,6 +180,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { return &tls.Config{ Certificates: []tls.Certificate{cert}, + NextProtos: []string{"h2"}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: certPool, MinVersion: tls.VersionTLS13, diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go index 823d426864c..1a3e9322c68 100644 --- a/internal/xds/server/runner/runner_test.go +++ b/internal/xds/server/runner/runner_test.go @@ -157,6 +157,7 @@ func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.Cer ServerName: "localhost", MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{clientCert}, + NextProtos: []string{"h2"}, RootCAs: caCertPool, } conn, err := tls.Dial("tcp", address, clientConfig) From 87b841871d4cc44b7443187c318feeee493d01f6 Mon Sep 17 00:00:00 2001 
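Review bot: `NextProtos: []string{"h2"}` is added to the server `tls.Config` in `tlsConfig` here, and in the same way in internal/globalratelimit/runner/runner.go and internal/xds/server/runner/runner.go, with no comment tying it to the grpc bump in this commit. grpc-go 1.67 enforces ALPN by default and rejects TLS connections where "h2" was not negotiated, so a comment such as `// grpc-go >= 1.67 requires ALPN "h2" to be negotiated` would stop the field being removed as redundant. Since the literal is now repeated in three listeners, a shared unexported variable for the protocol list would keep them from drifting apart. The enclosing functions start outside the hunks.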
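Review bot: tryConnect now offers `NextProtos: []string{"h2"}`, but the visible lines only dial and nothing checks that the server actually selected it. A Go TLS server with no `NextProtos` still completes the handshake, so the test would keep passing if a runner config lost its ALPN entry. After `tls.Dial` succeeds, failing when `conn.ConnectionState().NegotiatedProtocol != "h2"` would turn that into a test failure. The rest of tryConnect is outside the hunk, so this may already be handled there.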
From: zirain Date: Wed, 9 Oct 2024 13:18:41 +0800 Subject: [PATCH 237/523] chore: fix osv scanner (#4414) * chore: fix osv scanner Signed-off-by: zirain * remove comment Signed-off-by: zirain * nit Signed-off-by: zirain --------- Signed-off-by: zirain --- .github/workflows/license-scan.yml | 1 - .github/workflows/osv-scanner.yml | 1 - osv-scanner.toml | 7 +++++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 2484d76340e..ff3f8d31a02 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -20,7 +20,6 @@ jobs: - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: - # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 8263faac895..e43942d85c7 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -39,7 +39,6 @@ jobs: contents: read security-events: write with: - # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved scan-args: |- --skip-git --recursive diff --git a/osv-scanner.toml b/osv-scanner.toml index 7125af4a3f7..02cdbc6af53 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -96,3 +96,10 @@ version = "1.2.0-rc2" ecosystem = "Go" license.override = ["Apache-2.0"] reason = "https://github.com/envoyproxy/gateway/actions/runs/11065210699/job/30744231458?pr=4270" + +[[PackageOverrides]] +name = "sigs.k8s.io/json" +version = "0.0.0-20221116044647-bc3834ca7abd" +ecosystem = "Go" +license.override = ["Apache-2.0"] +reason = "https://github.com/kubernetes-sigs/json/blob/main/LICENSE" 
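Review bot: The new `[[PackageOverrides]]` entry for `sigs.k8s.io/json` pins `version = "0.0.0-20221116044647-bc3834ca7abd"`, but its `reason` links the LICENSE on the `main` branch, so the evidence for the `Apache-2.0` override can change without the override changing. Linking the LICENSE file at the commit named in the pseudo-version (`bc3834ca7abd`) would tie the justification to the code that is actually scanned. The entry appears to be version-specific, so the license check should fail again when the dependency moves; a short comment saying that this is intended would help whoever next sees it fail.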
From b9f594ca2cd3b189268e0ed44869ed24737fe9e7 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 9 Oct 2024 20:45:03 +0800 Subject: [PATCH 238/523] chore: upgrade test should use VERSION by default (#4393) * chore: upgrade test should use VERSION by default Signed-off-by: zirain * update Signed-off-by: zirain --------- Signed-off-by: zirain --- test/e2e/tests/eg_upgrade.go | 96 +++++++++++++++++++++--------------- tools/make/kube.mk | 2 +- 2 files changed, 57 insertions(+), 41 deletions(-) diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 385952bd2a5..4ca4db15637 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -12,14 +12,17 @@ import ( "context" "fmt" "os" + "strings" "testing" "time" + "github.com/stretchr/testify/require" "helm.sh/helm/v3/pkg/action" "helm.sh/helm/v3/pkg/chart" "helm.sh/helm/v3/pkg/chart/loader" "helm.sh/helm/v3/pkg/cli" "helm.sh/helm/v3/pkg/kube" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -50,11 +53,11 @@ var EGUpgradeTest = suite.ConformanceTest{ chartPath := "../../../charts/gateway-helm" relName := "eg" depNS := "envoy-gateway-system" - lastVersionTag := os.Getenv("last_version_tag") + lastVersionTag := os.Getenv("LAST_VERSION_TAG") if lastVersionTag == "" { - // Use v1.0.2 instead of v1.1.2 due to https://github.com/envoyproxy/gateway/issues/4336 - lastVersionTag = "v1.0.2" // Default version tag if not specified + lastVersionTag = "v1.1.2" // Default version tag if not specified } + t.Logf("Upgrading from version: %s", lastVersionTag) // Uninstall the current version of EG relNamespace := "envoy-gateway-system" 
@@ -105,18 +108,25 @@ var EGUpgradeTest = suite.ConformanceTest{ suite.Applier.GatewayClass = suite.GatewayClassName suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, suite.BaseManifests, suite.Cleanup) + // verify latestVersion is working + kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{depNS}) + + // let's make sure the gateway is up and running + ns := "gateway-upgrade-infra" + gwNN := types.NamespacedName{Name: "ha-gateway", Namespace: ns} + _, err = kubernetes.WaitForGatewayAddress(t, suite.Client, suite.TimeoutConfig, kubernetes.GatewayRef{ + NamespacedName: gwNN, + }) + require.NoErrorf(t, err, "timed out waiting for Gateway address to be assigned") + + // Apply the test manifests for _, manifestLocation := range []string{"testdata/eg-upgrade.yaml"} { tlog.Logf(t, "Applying %s", manifestLocation) suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, manifestLocation, true) } // wait for everything to startup - kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{depNS}) - - // verify latestVersion is working - ns := "gateway-upgrade-infra" routeNN := types.NamespacedName{Name: "http-backend-eg-upgrade", Namespace: ns} - gwNN := types.NamespacedName{Name: "ha-gateway", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) kubernetes.NamespacesMustBeReady(t, suite.Client, suite.TimeoutConfig, []string{depNS}) 
@@ -266,47 +276,53 @@ func updateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Cha return err } -// TODO: proper migration framework required -func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Chart, timeout time.Duration) error { +func migrateChartCRDs(actionConfig *action.Configuration, gatewayChart *chart.Chart, _ time.Duration) error { crds, err := extractCRDs(actionConfig, gatewayChart) if err != nil { return err } + // https: //gateway-api.sigs.k8s.io/guides/?h=upgrade#v12-upgrade-notes + storedVersionsMap := map[string]string{ + "referencegrants.gateway.networking.k8s.io": "v1beta1", + "grpcroutes.gateway.networking.k8s.io": "v1", + } + + restCfg, err := actionConfig.RESTClientGetter.ToRESTConfig() + if err != nil { + return err + } + + cli, err := client.New(restCfg, client.Options{}) + if err != nil { + return err + } + for _, crd := range crds { - if crd.Name == "backendtlspolicies.gateway.networking.k8s.io" || - crd.Name == "grpcroutes.gateway.networking.k8s.io" { - newVersion, err := getGWAPIVersion(crd.Object) + storedVersion, ok := storedVersionsMap[crd.Name] + if !ok { + continue + } + + newVersion, err := getGWAPIVersion(crd.Object) + if err != nil { + return err + } + + if strings.HasPrefix(newVersion, "v1.2.0") { + existingCRD := &apiextensionsv1.CustomResourceDefinition{} + err := cli.Get(context.Background(), types.NamespacedName{Name: crd.Name}, existingCRD) + if kerrors.IsNotFound(err) { + continue + } if err != nil { - return err + return fmt.Errorf("failed to get CRD: %s", err.Error()) } - // https://gateway-api.sigs.k8s.io/guides/?h=upgrade#v11-upgrade-notes - if newVersion == "v1.2.0-rc2" { - helper := resource.NewHelper(crd.Client, crd.Mapping) - existingCRD, err := helper.Get(crd.Namespace, crd.Name) - if kerrors.IsNotFound(err) { - continue - } - // previous version exists - existingVersion, err := getGWAPIVersion(existingCRD) - if err != nil { - return err - } + 
existingCRD.Status.StoredVersions = []string{storedVersion} - if existingVersion == "v1.0.0" { - // Delete the existing instance of the BTLS and GRPCRoute CRDs - _, errs := actionConfig.KubeClient.Delete([]*resource.Info{crd}) - if errs != nil { - return fmt.Errorf("failed to delete backendtlspolicies: %s", util.MultipleErrors("", errs)) - } - - if kubeClient, ok := actionConfig.KubeClient.(kube.InterfaceExt); ok { - if err := kubeClient.WaitForDelete([]*resource.Info{crd}, timeout); err != nil { - return fmt.Errorf("failed to wait for backendtlspolicies deletion: %s", err.Error()) - } - } - } + if err := cli.Status().Patch(context.Background(), existingCRD, client.MergeFrom(existingCRD)); err != nil { + return fmt.Errorf("failed to patch CRD: %s", err.Error()) } } } @@ -354,7 +370,7 @@ func getGWAPIVersion(object runtime.Object) (string, error) { if ok { return newVersion, nil } - return "", fmt.Errorf("failed to determine Gateway API CRD version") + return "", fmt.Errorf("failed to determine Gateway API CRD version: %v", annotations) } // extractCRDs Extract the CRDs part of the chart diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 2344a3b868d..c659e234787 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk 
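Review bot: In migrateChartCRDs the status patch is built with `client.MergeFrom(existingCRD)` after `existingCRD.Status.StoredVersions` has already been overwritten, so the patch base and the modified object are the same pointer and the computed merge patch is empty; the stored versions are not changed on the cluster. Take a snapshot first with `base := existingCRD.DeepCopy()` before the assignment, then call `cli.Status().Patch(context.Background(), existingCRD, client.MergeFrom(base))`. The `timeout` parameter is now discarded (`_ time.Duration`), so the Get and Patch calls run on `context.Background()` with no deadline; a `context.WithTimeout` using that value would bound them. The comment `// https: //gateway-api.sigs.k8s.io/...` also has a stray space that breaks the link.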
@@ -158,7 +158,7 @@ ifeq ($(E2E_RUN_TEST),) go test $(E2E_TEST_ARGS) ./test/e2e --gateway-class=envoy-gateway --debug=true --cleanup-base-resources=false go test $(E2E_TEST_ARGS) ./test/e2e/merge_gateways --gateway-class=merge-gateways --debug=true --cleanup-base-resources=false go test $(E2E_TEST_ARGS) ./test/e2e/multiple_gc --debug=true --cleanup-base-resources=true - go test $(E2E_TEST_ARGS) ./test/e2e/upgrade --gateway-class=upgrade --debug=true --cleanup-base-resources=$(E2E_CLEANUP) + LAST_VERSION_TAG=$(shell cat VERSION) go test $(E2E_TEST_ARGS) ./test/e2e/upgrade --gateway-class=upgrade --debug=true --cleanup-base-resources=$(E2E_CLEANUP) else go test $(E2E_TEST_ARGS) ./test/e2e --gateway-class=envoy-gateway --debug=true --cleanup-base-resources=$(E2E_CLEANUP) \ --run-test $(E2E_RUN_TEST) From d1cc0ba4372fd7d3f8ede1a1278930e21c22b9f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 20:55:38 +0800 Subject: [PATCH 239/523] build(deps): bump fortio.org/fortio from 1.66.3 to 1.67.1 (#4405) Bumps [fortio.org/fortio](https://github.com/fortio/fortio) from 1.66.3 to 1.67.1. - [Release notes](https://github.com/fortio/fortio/releases) - [Commits](https://github.com/fortio/fortio/compare/v1.66.3...v1.67.1) --- updated-dependencies: - dependency-name: fortio.org/fortio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 11 ++++++----- go.sum | 22 ++++++++++++---------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index a07ab071892..a34be2541d4 100644 --- a/go.mod +++ b/go.mod 
@@ -5,8 +5,8 @@ go 1.23.1 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( - fortio.org/fortio v1.66.3 - fortio.org/log v1.16.0 + fortio.org/fortio v1.67.1 + fortio.org/log v1.17.1 github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc @@ -72,9 +72,10 @@ require ( cel.dev/expr v0.16.0 // indirect dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect - fortio.org/cli v1.9.0 // indirect - fortio.org/dflag v1.7.2 // indirect - fortio.org/scli v1.15.2 // indirect + fortio.org/cli v1.9.2 // indirect + fortio.org/dflag v1.7.3 // indirect + fortio.org/safecast v1.0.0 // indirect + fortio.org/scli v1.15.3 // indirect fortio.org/sets v1.2.0 // indirect fortio.org/struct2env v0.4.1 // indirect fortio.org/version v1.0.4 // indirect diff --git a/go.sum b/go.sum index 6e355f58e24..acca7a0b90d 100644 --- a/go.sum +++ b/go.sum 
@@ -9,16 +9,18 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q= fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls= -fortio.org/cli v1.9.0 h1:cPgNHvrjxznmbmwuXSwPqQLKZ+RMW8i0iAOESLjt1aI= -fortio.org/cli v1.9.0/go.mod h1:pk/JBE8LcXtNuo5Yj2bLsVbwPaHo8NWdbstSN0cpbFk= -fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0= -fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U= -fortio.org/fortio v1.66.3 h1:N/Ic9W2tVoJ5LAcr8ZjcF3mNb2ftCw77ZtKF02jwf8Q= -fortio.org/fortio v1.66.3/go.mod h1:+W7ooyLn/Fp3h0UF9JclFEJN50EOvelO6c+VhCYGwnM= -fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc= -fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= -fortio.org/scli v1.15.2 h1:vWXt4QOViXNWy4Gdm7d2FDfptzWD00QiWzYAM/IUF7c= -fortio.org/scli v1.15.2/go.mod h1:XvY2JglgCeeZOIc5CrfBTtcsxkVV8xmGL5ykAcBjEHI= +fortio.org/cli v1.9.2 h1:17eJ8QZPjXHcLBpeCe0QMO/0fj5Bw0ZTxVgL7V9jOqc= +fortio.org/cli v1.9.2/go.mod h1:7r55OoTV8NXcTvJT4boWk8s3I2LP6TMZh/0LLMJEYw0= +fortio.org/dflag v1.7.3 h1:yws+v+/fJ67bYgrgcWpLtgdZPEWkYuwdfqz/WyQ8UXo= +fortio.org/dflag v1.7.3/go.mod h1:O1Pk4lKRolw9wwAGyjTo8IsNyqqNRQGKxPOfpOElMqM= +fortio.org/fortio v1.67.1 h1:KAYyeu6z/01d/QwJm2dCVIadAhd8jNsezJHhlkoOMwU= +fortio.org/fortio v1.67.1/go.mod h1:XfrXH/BJ/hhxBXHj9z8FaqvsBbnf46SLyoWtPgopDlU= +fortio.org/log v1.17.1 h1:YQoGyZBnXTVIs77/nZw7BppwSOIamP3I092PGBenBZs= +fortio.org/log v1.17.1/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= +fortio.org/safecast v1.0.0 h1:dr3131WPX8iS1pTf76+39WeXbTrerDYLvi9s7Oi3wiY= +fortio.org/safecast v1.0.0/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg= +fortio.org/scli v1.15.3 h1:XZYONPupGOd1Q68G4aq0vWg9obw0M57sC4snkyiab9w= +fortio.org/scli v1.15.3/go.mod 
h1:cWJJbXObkF+GsbtPqxE60GFctllOANYS+Yp9PJK0xK8= fortio.org/sets v1.2.0 h1:FBfC7R2xrOJtkcioUbY6WqEzdujuBoZRbSdp1fYF4Kk= fortio.org/sets v1.2.0/go.mod h1:J2BwIxNOLWsSU7IMZUg541kh3Au4JEKHrghVwXs68tE= fortio.org/struct2env v0.4.1 h1:rJludAMO5eBvpWplWEQNqoVDFZr4RWMQX7RUapgZyc0= From 3e0742122543d32d24e31b4295a8e74d6d953ce5 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 9 Oct 2024 21:10:38 -0500 Subject: [PATCH 240/523] api: host header rewrite (#4410) * api: host header rewrite Signed-off-by: Guy Daich * review fixes Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- api/v1alpha1/httproutefilter_types.go | 30 ++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 25 +++++++++ ...ateway.envoyproxy.io_httproutefilters.yaml | 24 ++++++++ site/content/en/latest/api/extension_types.md | 30 ++++++++++ site/content/zh/latest/api/extension_types.md | 30 ++++++++++ test/cel-validation/httproutefilter_test.go | 55 +++++++++++++++++++ 6 files changed, 194 insertions(+) diff --git a/api/v1alpha1/httproutefilter_types.go b/api/v1alpha1/httproutefilter_types.go index e0e4755f214..7f56ca07d7c 100644 --- a/api/v1alpha1/httproutefilter_types.go +++ b/api/v1alpha1/httproutefilter_types.go @@ -37,6 +37,12 @@ type HTTPRouteFilterSpec struct { // HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host type HTTPURLRewriteFilter struct { + // Hostname is the value to be used to replace the Host header value during + // forwarding. + // + // +optional + // +notImplementedHide + Hostname *HTTPHostnameModifier `json:"hostname,omitempty"` // Path defines a path rewrite. // // +optional 
@@ -53,6 +59,18 @@ const ( RegexHTTPPathModifier HTTPPathModifierType = "ReplaceRegexMatch" ) +// HTTPPathModifierType defines the type of Hostname rewrite. +type HTTPHostnameModifierType string + +const ( + // HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header + HeaderHTTPHostnameModifier HTTPHostnameModifierType = "SetFromHeader" + // BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists. + // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite + BackendHTTPHostnameModifier HTTPHostnameModifierType = "SetFromBackend" +) + type ReplaceRegexMatch struct { // Pattern matches a regular expression against the value of the HTTP Path.The regex string must // adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. 
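Review bot: The doc comment on the new type names the wrong identifier: `// HTTPPathModifierType defines the type of Hostname rewrite.` sits above `type HTTPHostnameModifierType string`. It should read `// HTTPHostnameModifierType defines the type of Hostname rewrite.` so that godoc attaches it to the right type. The same text is copied into the generated CRD description and both extension_types.md pages later in this patch, so those need regenerating after the fix.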
@@ -91,6 +109,18 @@ type HTTPPathModifier struct { ReplaceRegexMatch *ReplaceRegexMatch `json:"replaceRegexMatch,omitempty"` } +// +kubebuilder:validation:XValidation:message="setFromHeader must be nil if the type is not SetFromHeader",rule="!(has(self.setFromHeader) && self.type != 'SetFromHeader')" +// +kubebuilder:validation:XValidation:message="setFromHeader must be specified for SetFromHeader type",rule="!(!has(self.setFromHeader) && self.type == 'SetFromHeader')" +type HTTPHostnameModifier struct { + // +kubebuilder:validation:Enum=SetFromHeader;SetFromBackend + // +kubebuilder:validation:Required + Type HTTPHostnameModifierType `json:"type"` + + // SetFromHeader is the name of the header whose value would be used to rewrite the Host header + // +optional + SetFromHeader *string `json:"setFromHeader,omitempty"` +} + //+kubebuilder:object:root=true // HTTPRouteFilterList contains a list of HTTPRouteFilter resources. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index b6b944b3a14..ed5df681ad2 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
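Review bot: `SetFromHeader` has no validation of its own, so as far as the two CEL rules shown go, an empty string (`setFromHeader: ""`) is accepted for the `SetFromHeader` type; adding `// +kubebuilder:validation:MinLength=1` above the field would reject it at admission. The struct also has no doc comment, which is why the generated API reference for HTTPHostnameModifier has an empty description; `// HTTPHostnameModifier defines how the Host header is rewritten before the request is forwarded.` would fill it. Because this mode takes the upstream Host from a request header, the field comment should also say that the named header is client-controllable unless the gateway or a trusted hop sets or overwrites it. Backends that route or authorise on Host would otherwise act on a value the client chose.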
@@ -2709,6 +2709,26 @@ func (in *HTTPExtAuthService) DeepCopy() *HTTPExtAuthService { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPHostnameModifier) DeepCopyInto(out *HTTPHostnameModifier) { + *out = *in + if in.SetFromHeader != nil { + in, out := &in.SetFromHeader, &out.SetFromHeader + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHostnameModifier. +func (in *HTTPHostnameModifier) DeepCopy() *HTTPHostnameModifier { + if in == nil { + return nil + } + out := new(HTTPHostnameModifier) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPPathModifier) DeepCopyInto(out *HTTPPathModifier) { *out = *in @@ -2835,6 +2855,11 @@ func (in *HTTPTimeout) DeepCopy() *HTTPTimeout { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPURLRewriteFilter) DeepCopyInto(out *HTTPURLRewriteFilter) { *out = *in + if in.Hostname != nil { + in, out := &in.Hostname, &out.Hostname + *out = new(HTTPHostnameModifier) + (*in).DeepCopyInto(*out) + } if in.Path != nil { in, out := &in.Path, &out.Path *out = new(HTTPPathModifier) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 11447cc470e..7a55ec8871f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml 
@@ -53,6 +53,30 @@ spec: description: HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + properties: + setFromHeader: + description: SetFromHeader is the name of the header whose + value would be used to rewrite the Host header + type: string + type: + description: HTTPPathModifierType defines the type of Hostname + rewrite. + enum: + - SetFromHeader + - SetFromBackend + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: setFromHeader must be nil if the type is not SetFromHeader + rule: '!(has(self.setFromHeader) && self.type != ''SetFromHeader'')' + - message: setFromHeader must be specified for SetFromHeader type + rule: '!(!has(self.setFromHeader) && self.type == ''SetFromHeader'')' path: description: Path defines a path rewrite. properties: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 193e698722c..bc01189920d 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1938,6 +1938,36 @@ _Appears in:_ | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPHostnameModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | +| `setFromHeader` | _string_ | false | SetFromHeader is the name of the header whose value would be used to rewrite the Host header | + + +#### HTTPHostnameModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of Hostname rewrite. + +_Appears in:_ +- [HTTPHostnameModifier](#httphostnamemodifier) + +| Value | Description | +| ----- | ----------- | +| `SetFromHeader` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `SetFromBackend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| + + #### HTTPPathModifier diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 193e698722c..bc01189920d 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1938,6 +1938,36 @@ _Appears in:_ | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPHostnameModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | +| `setFromHeader` | _string_ | false | SetFromHeader is the name of the header whose value would be used to rewrite the Host header | + + +#### HTTPHostnameModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of Hostname rewrite. + +_Appears in:_ +- [HTTPHostnameModifier](#httphostnamemodifier) + +| Value | Description | +| ----- | ----------- | +| `SetFromHeader` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `SetFromBackend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| + + #### HTTPPathModifier diff --git a/test/cel-validation/httproutefilter_test.go b/test/cel-validation/httproutefilter_test.go index 67a9e4455bb..7f84deb71e5 100644 --- a/test/cel-validation/httproutefilter_test.go +++ b/test/cel-validation/httproutefilter_test.go @@ -15,6 +15,7 @@ import ( "time" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) 
@@ -84,6 +85,60 @@ func TestHTTPRouteFilter(t *testing.T) { "spec.urlRewrite.path.replaceRegexMatch.pattern: Invalid value: \"\": spec.urlRewrite.path.replaceRegexMatch.pattern in body should be at least 1 chars long", }, }, + { + desc: "Valid SetFromHeader", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Hostname: &egv1a1.HTTPHostnameModifier{ + Type: egv1a1.HeaderHTTPHostnameModifier, + SetFromHeader: ptr.To("foo"), + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "Valid SetFromBackend", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Hostname: &egv1a1.HTTPHostnameModifier{ + Type: egv1a1.BackendHTTPHostnameModifier, + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "invalid SetFromHeader missing settings", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Hostname: &egv1a1.HTTPHostnameModifier{ + Type: egv1a1.HeaderHTTPHostnameModifier, + }, + }, + } + }, + wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": setFromHeader must be specified for SetFromHeader type"}, + }, + { + desc: "invalid SetFromBackend type", + mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { + httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ + URLRewrite: &egv1a1.HTTPURLRewriteFilter{ + Hostname: &egv1a1.HTTPHostnameModifier{ + Type: egv1a1.BackendHTTPHostnameModifier, + SetFromHeader: ptr.To("foo"), + }, + }, + } + }, + wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": setFromHeader must be nil if the type is not SetFromHeader"}, + }, } for _, tc := range cases { From ae6787e228677ce30274ea80e67d1265da99d1ca Mon Sep 17 00:00:00 2001 
From: Rudrakh Panigrahi Date: Thu, 10 Oct 2024 08:23:40 +0530 Subject: [PATCH 241/523] feat: support inverting header matches for rate limit (#4286) Signed-off-by: Rudrakh Panigrahi --- internal/gatewayapi/backendtrafficpolicy.go | 10 +- ...-ratelimit-invalid-distinct-invert.in.yaml | 53 ++++++ ...ratelimit-invalid-distinct-invert.out.yaml | 164 ++++++++++++++++++ ...ackendtrafficpolicy-with-ratelimit.in.yaml | 3 + ...ckendtrafficpolicy-with-ratelimit.out.yaml | 7 + internal/ir/xds.go | 6 + internal/ir/xds_test.go | 19 +- internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/local_ratelimit.go | 6 +- internal/xds/translator/ratelimit.go | 6 +- .../testdata/in/xds-ir/ratelimit.yaml | 21 +++ .../out/xds-ir/ratelimit.clusters.yaml | 17 ++ .../out/xds-ir/ratelimit.endpoints.yaml | 12 ++ .../testdata/out/xds-ir/ratelimit.routes.yaml | 20 +++ 14 files changed, 344 insertions(+), 5 deletions(-) create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index d71d49f32ca..12453ea1826 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -710,8 +710,9 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) { fallthrough case *header.Type == egv1a1.HeaderMatchExact && header.Value != nil: m := &ir.StringMatch{ - Name: header.Name, - Exact: header.Value, + Name: header.Name, + Exact: header.Value, + Invert: header.Invert, } irRule.HeaderMatches = append(irRule.HeaderMatches, m) case *header.Type == egv1a1.HeaderMatchRegularExpression && header.Value != nil: 
@@ -721,9 +722,14 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) { m := &ir.StringMatch{ Name: header.Name, SafeRegex: header.Value, + Invert: header.Invert, } irRule.HeaderMatches = append(irRule.HeaderMatches, m) case *header.Type == egv1a1.HeaderMatchDistinct && header.Value == nil: + if header.Invert != nil && *header.Invert { + return nil, fmt.Errorf("unable to translate rateLimit." + + "Invert is not applicable for distinct header match type") + } m := &ir.StringMatch{ Name: header.Name, Distinct: true, diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.in.yaml new file mode 100644 index 00000000000..a1ed0f512cc --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.in.yaml @@ -0,0 +1,53 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway + sectionName: http + rules: + - backendRefs: + - name: service + port: 8080 +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - headers: + - name: x-org-id + type: Distinct + invert: true + limit: + requests: 10 + unit: Hour 
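Review bot: The error returned by the new `header.Invert` check in the Distinct case is built from two concatenated literals with no space between them, so it renders as `unable to translate rateLimit.Invert is not applicable for distinct header match type`. That reads like a field path rather than two sentences, and the golden status message in the added `...-invalid-distinct-invert.out.yaml` pins it in that form. Adding the space, `return nil, fmt.Errorf("unable to translate rateLimit. " +`, and regenerating the golden file fixes it. As the message has no format verbs, `errors.New` would also do if that package is already imported in this file. The body of buildRateLimitRule continues outside the hunk.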
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml new file mode 100644 index 00000000000..4ea1623c867 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml 
@@ -0,0 +1,164 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + rateLimit: + global: + rules: + - clientSelectors: + - headers: + - invert: true + name: x-org-id + type: Distinct + limit: + requests: 10 + unit: Hour + type: Global + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: 'RateLimit: unable to translate rateLimit.Invert is not applicable + for distinct header match type.' + reason: Invalid + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute + namespace: default + spec: + parentRefs: + - name: 
gateway + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service default/service not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway +xdsIR: + envoy-gateway/gateway: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: grpcroute/default/grpcroute/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute + namespace: default + name: grpcroute/default/grpcroute/rule/0/match/-1/* diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml index e4f1fc10c64..f536d9a20bc 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.in.yaml 
@@ -83,6 +83,9 @@ backendTrafficPolicies: value: one - name: x-org-id type: Distinct + - name: x-org-id + value: admin + invert: true limit: requests: 10 unit: Hour diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml index 2f7a2d5e8f9..07fa997e109 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml @@ -52,6 +52,9 @@ backendTrafficPolicies: value: one - name: x-org-id type: Distinct + - invert: true + name: x-org-id + value: admin limit: requests: 10 unit: Hour @@ -306,6 +309,10 @@ xdsIR: name: x-user-id - distinct: true name: x-org-id + - distinct: false + exact: admin + invert: true + name: x-org-id limit: requests: 10 unit: Hour diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 9750680f387..40e7da917f3 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -47,6 +47,7 @@ var ( ErrDestEndpointUDSPortInvalid = errors.New("field Port must not be specified for Unix Domain Socket address") ErrDestEndpointUDSHostInvalid = errors.New("field Host must not be specified for Unix Domain Socket address") ErrStringMatchConditionInvalid = errors.New("only one of the Exact, Prefix, SafeRegex or Distinct fields must be set") + ErrStringMatchInvertDistinctInvalid = errors.New("only one of the Invert or Distinct fields can be set") ErrStringMatchNameIsEmpty = errors.New("field Name must be specified") ErrDirectResponseStatusInvalid = errors.New("only HTTP status codes 100 - 599 are supported for DirectResponse") ErrRedirectUnsupportedStatus = errors.New("only HTTP status codes 301 and 302 are supported for redirect filters") 
@@ -1443,6 +1444,8 @@ type StringMatch struct { // Distinct match condition. // Used to match any and all possible unique values encountered within the Name field. Distinct bool `json:"distinct" yaml:"distinct"` + // Invert inverts the final match decision + Invert *bool `json:"invert,omitempty" yaml:"invert,omitempty"` } // Validate the fields within the StringMatch structure @@ -1465,6 +1468,9 @@ func (s StringMatch) Validate() error { if s.Name == "" { errs = errors.Join(errs, ErrStringMatchNameIsEmpty) } + if s.Invert != nil && *s.Invert { + errs = errors.Join(errs, ErrStringMatchInvertDistinctInvalid) + } matchCount++ } diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 14b624f22f3..5ff9a8736ef 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -1182,12 +1182,20 @@ func TestValidateStringMatch(t *testing.T) { want error }{ { - name: "happy", + name: "happy exact", input: StringMatch{ Exact: ptr.To("example"), }, want: nil, }, + { + name: "happy distinct", + input: StringMatch{ + Distinct: true, + Name: "example", + }, + want: nil, + }, { name: "no fields set", input: StringMatch{}, @@ -1202,6 +1210,15 @@ func TestValidateStringMatch(t *testing.T) { }, want: ErrStringMatchConditionInvalid, }, + { + name: "both invert and distinct fields are set", + input: StringMatch{ + Distinct: true, + Name: "example", + Invert: ptr.To(true), + }, + want: ErrStringMatchInvertDistinctInvalid, + }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 5afb29d12ce..4400b555dd7 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
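Review bot: The comment on the new `Invert` field, `// Invert inverts the final match decision`, does not mention that `Validate` rejects it together with `Distinct`, nor which consumers honour it. In this patch only the two rate-limit builders read `Invert`, and the `buildXdsStringMatcher(match)` call is unchanged, so any other user of `StringMatch` presumably ignores the flag without error. A match whose inversion is dropped has the opposite meaning, so if that is the intent the comment should say so, e.g. `// Invert inverts the final match decision. It cannot be combined with Distinct and is currently only honoured by the rate limit translators.`. The StringMatch struct and Validate both continue outside their hunks.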
@@ -2573,6 +2573,11 @@ func (in *StringMatch) DeepCopyInto(out *StringMatch) { *out = new(string) **out = **in } + if in.Invert != nil { + in, out := &in.Invert, &out.Invert + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. diff --git a/internal/xds/translator/local_ratelimit.go b/internal/xds/translator/local_ratelimit.go index 1503758dfb4..ba330e22034 100644 --- a/internal/xds/translator/local_ratelimit.go +++ b/internal/xds/translator/local_ratelimit.go @@ -218,13 +218,17 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) ( StringMatch: buildXdsStringMatcher(match), }, } + expectMatch := true + if match.Invert != nil && *match.Invert { + expectMatch = false + } action := &routev3.RateLimit_Action{ ActionSpecifier: &routev3.RateLimit_Action_HeaderValueMatch_{ HeaderValueMatch: &routev3.RateLimit_Action_HeaderValueMatch{ DescriptorKey: descriptorKey, DescriptorValue: descriptorVal, ExpectMatch: &wrapperspb.BoolValue{ - Value: true, + Value: expectMatch, }, Headers: []*routev3.HeaderMatcher{headerMatcher}, }, diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 8e3e661f9d7..660bc2a7dec 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -180,13 +180,17 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ StringMatch: buildXdsStringMatcher(match), }, } + expectMatch := true + if match.Invert != nil && *match.Invert { + expectMatch = false + } action := &routev3.RateLimit_Action{ ActionSpecifier: &routev3.RateLimit_Action_HeaderValueMatch_{ HeaderValueMatch: &routev3.RateLimit_Action_HeaderValueMatch{ DescriptorKey: descriptorKey, DescriptorValue: descriptorVal, ExpectMatch: &wrapperspb.BoolValue{ - Value: true, + Value: expectMatch, }, Headers: []*routev3.HeaderMatcher{headerMatcher}, }, 
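Review bot: The new `expectMatch` block in `buildRouteLocalRateLimits` uses four lines and a reassigned variable for one boolean, and the same block is repeated in `buildRouteRateLimits` in ratelimit.go in the next hunk; `expectMatch := match.Invert == nil || !*match.Invert` says the same in one line. A comment such as `// Inverted match: the descriptor is emitted when the header does NOT match.` would help, along with a statement on whether a request that omits the header is meant to be counted, since with `ExpectMatch: false` that appears to be the case. An inverted rule exempts requests by header value, so the API documentation should tell operators to key it only on a header that a trusted hop sets or overwrites. Both function bodies continue outside their hunks.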
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml index 271d39cfdcb..2279315caed 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml @@ -65,3 +65,24 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 + - name: "fourth-route" + hostname: "*" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-org-id" + exact: "admin" + invert: true + limit: + requests: 5 + unit: second + pathMatch: + exact: "foo/bar/login" + destination: + name: "fourth-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 0ba1749076a..427f6d15340 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -49,6 +49,23 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fourth-route-dest + lbPolicy: LEAST_REQUEST + name: fourth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS - circuitBreakers: thresholds: - maxRetries: 1024 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.endpoints.yaml index 475b89a087c..f185af17da7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.endpoints.yaml 
@@ -34,3 +34,15 @@ loadBalancingWeight: 1 locality: region: third-route-dest/backend/0 +- clusterName: fourth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fourth-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.routes.yaml index 479c2cd143c..e6e83bc2bfb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.routes.yaml @@ -55,3 +55,23 @@ descriptorValue: rule-0-match--1 upgradeConfigs: - upgradeType: websocket + - match: + path: foo/bar/login + name: fourth-route + route: + cluster: fourth-route-dest + rateLimits: + - actions: + - genericKey: + descriptorKey: fourth-route + descriptorValue: fourth-route + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: false + headers: + - name: x-org-id + stringMatch: + exact: admin + upgradeConfigs: + - upgradeType: websocket From 956586369d6dc59bacf96e56ca214182c367a306 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 10 Oct 2024 11:36:36 +0800 Subject: [PATCH 242/523] bump gwapi to 1.2.0 (#4384) * bump gwapi to 1.2.0 Signed-off-by: zirain * use v1.1.2 Signed-off-by: zirain * update Signed-off-by: zirain * fix Signed-off-by: zirain * lint Signed-off-by: zirain * update Signed-off-by: zirain * remove Signed-off-by: zirain --------- Signed-off-by: zirain --- charts/gateway-helm/crds/gatewayapi-crds.yaml | 40 +++++++++---------- go.mod | 2 +- go.sum | 4 +- osv-scanner.toml | 7 ---- 4 files changed, 23 insertions(+), 30 deletions(-) diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml index f19c1adb3b4..57595956279 100644 --- a/charts/gateway-helm/crds/gatewayapi-crds.yaml 
+++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml @@ -23,8 +23,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -524,8 +524,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -1153,8 +1153,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io 
@@ -1673,8 +1673,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io @@ -4089,8 +4089,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io @@ -6327,8 +6327,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io 
@@ -12489,8 +12489,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io @@ -12682,8 +12682,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io @@ -13427,8 +13427,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io 
@@ -14235,8 +14235,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 - gateway.networking.k8s.io/bundle-version: v1.2.0-rc2 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.0 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io diff --git a/go.mod b/go.mod index a34be2541d4..e34c38bed54 100644 --- a/go.mod +++ b/go.mod @@ -56,7 +56,7 @@ require ( k8s.io/kubectl v0.31.1 k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.0 - sigs.k8s.io/gateway-api v1.2.0-rc2 + sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index acca7a0b90d..01eea5533e5 100644 --- a/go.sum +++ b/go.sum @@ -1212,8 +1212,8 @@ sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gE sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= -sigs.k8s.io/gateway-api v1.2.0-rc2 h1:v7V7JzaBuzwOLWWyyqlkqiqBi3ANBuZGV+uyyKzwmE8= -sigs.k8s.io/gateway-api v1.2.0-rc2/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= +sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= +sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= 
diff --git a/osv-scanner.toml b/osv-scanner.toml index 02cdbc6af53..6144707a297 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -90,13 +90,6 @@ ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" -[[PackageOverrides]] -name = "sigs.k8s.io/gateway-api" -version = "1.2.0-rc2" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "https://github.com/envoyproxy/gateway/actions/runs/11065210699/job/30744231458?pr=4270" - [[PackageOverrides]] name = "sigs.k8s.io/json" version = "0.0.0-20221116044647-bc3834ca7abd" From 4313fd607ba6fad2499aa4e01908a06f9a7b3575 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 10 Oct 2024 06:33:26 -0500 Subject: [PATCH 243/523] feat(translator): implement access log types (#4341) * impl: access log types Signed-off-by: Guy Daich * clarify docs Signed-off-by: Guy Daich * add note on default settings override Signed-off-by: Guy Daich * support default log re-enablement Signed-off-by: Guy Daich * fix xds test to contain route Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich Co-authored-by: zirain --- api/v1alpha1/accesslogging_types.go | 1 - internal/gatewayapi/listener.go | 27 +- .../envoyproxy-accesslog-types.in.yaml | 236 +++++++++ .../envoyproxy-accesslog-types.out.yaml | 460 ++++++++++++++++++ internal/ir/xds.go | 37 +- internal/ir/zz_generated.deepcopy.go | 20 + internal/xds/translator/accesslog.go | 49 +- internal/xds/translator/listener.go | 12 +- .../testdata/in/xds-ir/accesslog-types.yaml | 184 +++++++ .../out/xds-ir/accesslog-types.clusters.yaml | 263 ++++++++++ .../out/xds-ir/accesslog-types.endpoints.yaml | 84 ++++ .../out/xds-ir/accesslog-types.listeners.yaml | 300 ++++++++++++ .../out/xds-ir/accesslog-types.routes.yaml | 20 + site/content/en/latest/api/extension_types.md | 1 + .../tasks/observability/proxy-accesslog.md | 59 +++ site/content/zh/latest/api/extension_types.md | 1 + test/config/gatewayclass.yaml | 9 + test/e2e/tests/accesslog.go | 32 ++ 18 files changed, 1764 insertions(+), 31 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyproxy-accesslog-types.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/accesslog-types.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go index edc19e97599..31eac69f122 100644 --- a/api/v1alpha1/accesslogging_types.go +++ b/api/v1alpha1/accesslogging_types.go 
@@ -37,7 +37,6 @@ type ProxyAccessLogSetting struct { // If type is defined, the accesslog settings would apply to the relevant component (as-is). // +kubebuilder:validation:Enum=Listener;Route // +optional - // +notImplementedHide Type *ProxyAccessLogType `json:"type,omitempty"` } diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 0c69d7b3097..5c85e561ea1 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -241,7 +241,6 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * }, }, nil } - if envoyproxy.Spec.Telemetry.AccessLog.Disable { return nil, nil } @@ -249,6 +248,16 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * irAccessLog := &ir.AccessLog{} // translate the access log configuration to the IR for i, accessLog := range envoyproxy.Spec.Telemetry.AccessLog.Settings { + var accessLogType *ir.ProxyAccessLogType + if accessLog.Type != nil { + switch *accessLog.Type { + case egv1a1.ProxyAccessLogTypeRoute: + accessLogType = ptr.To(ir.ProxyAccessLogTypeRoute) + case egv1a1.ProxyAccessLogTypeListener: + accessLogType = ptr.To(ir.ProxyAccessLogTypeListener) + } + } + var format egv1a1.ProxyAccessLogFormat if accessLog.Format != nil { format = *accessLog.Format @@ -274,6 +283,16 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * return nil, utilerrors.NewAggregate(errs) } + if len(accessLog.Sinks) == 0 { + al := &ir.TextAccessLog{ + Format: format.Text, + CELMatches: validExprs, + LogType: accessLogType, + Path: "/dev/stdout", + } + irAccessLog.Text = append(irAccessLog.Text, al) + } + for j, sink := range accessLog.Sinks { switch sink.Type { case egv1a1.ProxyAccessLogSinkTypeFile: 
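Review bot: The `switch *accessLog.Type` added to `processAccessLog` has no `default` branch, so any value other than `Route` or `Listener` leaves `accessLogType` nil, and the xDS translator treats a nil `LogType` as applying to both components. The `+kubebuilder:validation:Enum=Listener;Route` marker on the API field should normally prevent this, but if the enum is ever extended without updating this switch the setting silently widens instead of being rejected. A fail-closed branch such as `default: return nil, fmt.Errorf("unsupported access log type %q", *accessLog.Type)` (assuming `fmt` is already imported in listener.go) would surface it. The function body starts and ends outside this hunk.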
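Review bot: The new `len(accessLog.Sinks) == 0` branch always builds an `ir.TextAccessLog` with `Format: format.Text`, so a setting that has no sinks but declares a JSON format would get the default text format on stdout and its JSON fields would be dropped without any error. Either branch on `format.Type` here as the file-sink case further down does, or state the limitation above the block, for example `// No sinks configured: fall back to a text log on stdout; a JSON format is not honoured here.` The literal `"/dev/stdout"` would also read better as a named constant if the package already has one for the default log path; that is not visible from this hunk.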
@@ -287,6 +306,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * Format: format.Text, Path: sink.File.Path, CELMatches: validExprs, + LogType: accessLogType, } irAccessLog.Text = append(irAccessLog.Text, al) case egv1a1.ProxyAccessLogFormatTypeJSON: @@ -299,6 +319,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * JSON: format.JSON, Path: sink.File.Path, CELMatches: validExprs, + LogType: accessLogType, } irAccessLog.JSON = append(irAccessLog.JSON, al) } @@ -329,6 +350,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * Traffic: traffic, Type: sink.ALS.Type, CELMatches: validExprs, + LogType: accessLogType, } if al.Type == egv1a1.ALSEnvoyProxyAccessLogTypeHTTP && sink.ALS.HTTP != nil { @@ -339,7 +361,6 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * } al.HTTP = http } - switch format.Type { case egv1a1.ProxyAccessLogFormatTypeJSON: al.Attributes = format.JSON @@ -367,6 +388,7 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * Settings: ds, }, Traffic: traffic, + LogType: accessLogType, } if len(ds) == 0 { @@ -391,7 +413,6 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * } } } - return irAccessLog, nil } diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.in.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.in.yaml new file mode 100644 index 00000000000..03977e33075 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.in.yaml 
@@ -0,0 +1,236 @@ +envoyProxyForGatewayClass: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + namespace: envoy-gateway-system + name: test + spec: + telemetry: + accessLog: + settings: + - type: Route + - type: Listener + - type: Route + format: + type: Text + text: | + this is a route log + sinks: + - type: File + file: + path: /dev/stdout + - type: ALS + als: + logName: accesslog + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + type: HTTP + - type: ALS + als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + - type: OpenTelemetry + openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: "cluster-1" + - type: Listener + format: + type: Text + text: | + this is a listener log + sinks: + - type: File + file: + path: /dev/stdout + - type: ALS + als: + logName: accesslog + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + type: HTTP + - type: ALS + als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + - type: OpenTelemetry + openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: "cluster-1" + - format: + type: Text + text: | + this is a Global log + sinks: + - type: File + file: + path: /dev/stdout + - type: ALS + als: + logName: accesslog + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + type: HTTP + - type: ALS + als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + - type: OpenTelemetry + 
openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: "cluster-1" + provider: + type: Kubernetes + kubernetes: + envoyService: + type: LoadBalancer + envoyDeployment: + replicas: 2 + container: + env: + - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: "envoyproxy/envoy:distroless-dev" + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + pod: + annotations: + key1: val1 + key2: val2 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: "router" + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + fsGroupChangePolicy: "OnRootMismatch" + volumes: + - name: certs + secret: + secretName: envoy-cert +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: Same +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: envoy-gateway + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + type: Exact + value: "/exact" + backendRefs: + - name: service-1 + port: 8080 +services: +- apiVersion: v1 + kind: Service + metadata: + name: envoy-als + namespace: monitoring + spec: + type: ClusterIP + ports: + - name: grpc + port: 9000 + appProtocol: grpc + protocol: TCP + targetPort: 9000 +endpointSlices: +- apiVersion: discovery.k8s.io/v1 + kind: EndpointSlice + metadata: + name: endpointslice-envoy-als + namespace: monitoring + labels: + 
kubernetes.io/service-name: envoy-als + addressType: IPv4 + ports: + - name: grpc + protocol: TCP + appProtocol: grpc + port: 9090 + endpoints: + - addresses: + - "10.240.0.10" + conditions: + ready: true diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml new file mode 100644 index 00000000000..9c2c0d1cf82 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml 
@@ -0,0 +1,460 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + type: Exact + value: /exact + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service envoy-gateway/service-1 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + config: + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyProxy + metadata: + creationTimestamp: null + name: test + namespace: envoy-gateway-system + spec: + logging: {} + provider: + kubernetes: + envoyDeployment: + container: + env: 
+ - name: env_a + value: env_a_value + - name: env_b + value: env_b_name + image: envoyproxy/envoy:distroless-dev + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + runAsUser: 2000 + pod: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cloud.google.com/gke-nodepool + operator: In + values: + - router-node + annotations: + key1: val1 + key2: val2 + securityContext: + fsGroup: 2000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 3000 + runAsUser: 1000 + tolerations: + - effect: NoSchedule + key: node-type + operator: Exists + value: router + volumes: + - name: certs + secret: + secretName: envoy-cert + replicas: 2 + envoyService: + type: LoadBalancer + type: Kubernetes + telemetry: + accessLog: + settings: + - sinks: null + type: Route + - sinks: null + type: Listener + - format: + text: | + this is a route log + type: Text + sinks: + - file: + path: /dev/stdout + type: File + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logName: accesslog + type: HTTP + type: ALS + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + type: ALS + - openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: cluster-1 + type: OpenTelemetry + type: Route + - format: + text: | + this is a listener log + type: Text + sinks: + - file: + path: /dev/stdout + type: File + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logName: accesslog + type: HTTP + type: ALS + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + 
type: ALS + - openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: cluster-1 + type: OpenTelemetry + type: Listener + - format: + text: | + this is a Global log + type: Text + sinks: + - file: + path: /dev/stdout + type: File + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logName: accesslog + type: HTTP + type: ALS + - als: + backendRefs: + - name: envoy-als + namespace: monitoring + port: 9000 + type: TCP + type: ALS + - openTelemetry: + host: otel-collector.monitoring.svc.cluster.local + port: 4317 + resources: + k8s.cluster.name: cluster-1 + type: OpenTelemetry + status: {} + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + als: + - destination: + name: accesslog_als_2_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logType: Route + name: accesslog + text: | + this is a route log + type: HTTP + - destination: + name: accesslog_als_2_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + logType: Route + name: envoy-gateway-system/test + text: | + this is a route log + type: TCP + - destination: + name: accesslog_als_3_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + 
responseTrailers: + - expires + logType: Listener + name: accesslog + text: | + this is a listener log + type: HTTP + - destination: + name: accesslog_als_3_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + logType: Listener + name: envoy-gateway-system/test + text: | + this is a listener log + type: TCP + - destination: + name: accesslog_als_4_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + name: accesslog + text: | + this is a Global log + type: HTTP + - destination: + name: accesslog_als_4_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + name: envoy-gateway-system/test + text: | + this is a Global log + type: TCP + openTelemetry: + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_2_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + logType: Route + resources: + k8s.cluster.name: cluster-1 + text: | + this is a route log + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_3_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + logType: Listener + resources: + k8s.cluster.name: cluster-1 + text: | + this is a listener log + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_4_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + resources: + k8s.cluster.name: cluster-1 + text: | + this is a Global log + text: + - logType: Route + path: /dev/stdout + - logType: Listener + path: /dev/stdout + - format: | + this is a route log + logType: Route + 
path: /dev/stdout + - format: | + this is a listener log + logType: Listener + path: /dev/stdout + - format: | + this is a Global log + path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-1/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact + name: "" diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 40e7da917f3..53eb34fa2a6 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1739,6 +1739,13 @@ type RateLimitValue struct { Unit RateLimitUnit `json:"unit" yaml:"unit"` } +type ProxyAccessLogType egv1a1.ProxyAccessLogType + +const ( + ProxyAccessLogTypeRoute = ProxyAccessLogType(egv1a1.ProxyAccessLogTypeRoute) + ProxyAccessLogTypeListener = ProxyAccessLogType(egv1a1.ProxyAccessLogTypeListener) +) + // AccessLog holds the access logging configuration. // +k8s:deepcopy-gen=true type AccessLog struct { 
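Review bot: The exported `ProxyAccessLogType` and its two constants are added to internal/ir/xds.go without doc comments, and the `LogType` fields added to `TextAccessLog`, `JSONAccessLog`, `ALSAccessLog` and `OpenTelemetryAccessLog` in the following hunks do not say what a nil pointer means. The translator relies on nil meaning that the log applies to both listener and route, so that contract should be written down where the type is declared. Suggested comments: `// ProxyAccessLogType identifies the component (Listener or Route) an access log is limited to.` on the type, and `// LogType limits the log to one component; nil applies it to both.` on each field.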
@@ -1751,17 +1758,19 @@ type AccessLog struct { // TextAccessLog holds the configuration for text access logging. // +k8s:deepcopy-gen=true type TextAccessLog struct { - CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` - Format *string `json:"format,omitempty" yaml:"format,omitempty"` - Path string `json:"path" yaml:"path"` + CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` + Format *string `json:"format,omitempty" yaml:"format,omitempty"` + Path string `json:"path" yaml:"path"` + LogType *ProxyAccessLogType `json:"logType,omitempty" yaml:"logType,omitempty"` } // JSONAccessLog holds the configuration for JSON access logging. // +k8s:deepcopy-gen=true type JSONAccessLog struct { - CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` - JSON map[string]string `json:"json,omitempty" yaml:"json,omitempty"` - Path string `json:"path" yaml:"path"` + CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` + JSON map[string]string `json:"json,omitempty" yaml:"json,omitempty"` + Path string `json:"path" yaml:"path"` + LogType *ProxyAccessLogType `json:"logType,omitempty" yaml:"logType,omitempty"` } // ALSAccessLog holds the configuration for gRPC ALS access logging. @@ -1775,6 +1784,7 @@ type ALSAccessLog struct { Text *string `json:"text,omitempty" yaml:"text,omitempty"` Attributes map[string]string `json:"attributes,omitempty" yaml:"attributes,omitempty"` HTTP *ALSAccessLogHTTP `json:"http,omitempty" yaml:"http,omitempty"` + LogType *ProxyAccessLogType `json:"logType,omitempty" yaml:"logType,omitempty"` } // ALSAccessLogHTTP holds the configuration for HTTP ALS access logging. 
@@ -1788,13 +1798,14 @@ type ALSAccessLogHTTP struct { // OpenTelemetryAccessLog holds the configuration for OpenTelemetry access logging. // +k8s:deepcopy-gen=true type OpenTelemetryAccessLog struct { - CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` - Authority string `json:"authority,omitempty" yaml:"authority,omitempty"` - Text *string `json:"text,omitempty" yaml:"text,omitempty"` - Attributes map[string]string `json:"attributes,omitempty" yaml:"attributes,omitempty"` - Resources map[string]string `json:"resources,omitempty" yaml:"resources,omitempty"` - Destination RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` - Traffic *TrafficFeatures `json:"traffic,omitempty" yaml:"traffic,omitempty"` + CELMatches []string `json:"celMatches,omitempty" yaml:"celMatches,omitempty"` + Authority string `json:"authority,omitempty" yaml:"authority,omitempty"` + Text *string `json:"text,omitempty" yaml:"text,omitempty"` + Attributes map[string]string `json:"attributes,omitempty" yaml:"attributes,omitempty"` + Resources map[string]string `json:"resources,omitempty" yaml:"resources,omitempty"` + Destination RouteDestination `json:"destination,omitempty" yaml:"destination,omitempty"` + Traffic *TrafficFeatures `json:"traffic,omitempty" yaml:"traffic,omitempty"` + LogType *ProxyAccessLogType `json:"logType,omitempty" yaml:"logType,omitempty"` } // EnvoyPatchPolicy defines the intermediate representation of the EnvoyPatchPolicy resource. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 4400b555dd7..1a0185bbb9f 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
@@ -47,6 +47,11 @@ func (in *ALSAccessLog) DeepCopyInto(out *ALSAccessLog) { *out = new(ALSAccessLogHTTP) (*in).DeepCopyInto(*out) } + if in.LogType != nil { + in, out := &in.LogType, &out.LogType + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ALSAccessLog. @@ -1690,6 +1695,11 @@ func (in *JSONAccessLog) DeepCopyInto(out *JSONAccessLog) { (*out)[key] = val } } + if in.LogType != nil { + in, out := &in.LogType, &out.LogType + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSONAccessLog. @@ -1976,6 +1986,11 @@ func (in *OpenTelemetryAccessLog) DeepCopyInto(out *OpenTelemetryAccessLog) { *out = new(TrafficFeatures) (*in).DeepCopyInto(*out) } + if in.LogType != nil { + in, out := &in.LogType, &out.LogType + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenTelemetryAccessLog. @@ -2985,6 +3000,11 @@ func (in *TextAccessLog) DeepCopyInto(out *TextAccessLog) { *out = new(string) **out = **in } + if in.LogType != nil { + in, out := &in.LogType, &out.LogType + *out = new(ProxyAccessLogType) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TextAccessLog. diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 8acb6e4b005..6660ba8fab6 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go 
@@ -90,15 +90,24 @@ var ( } ) -func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLog { +func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) []*accesslog.AccessLog { if al == nil { return nil } totalLen := len(al.Text) + len(al.JSON) + len(al.OpenTelemetry) accessLogs := make([]*accesslog.AccessLog, 0, totalLen) + // handle text file access logs for _, text := range al.Text { + // Filter out logs that are not Global or match the desired access log type + if !(text.LogType == nil || *text.LogType == accessLogType) { + continue + } + + // NR is only added to listener logs originating from a global log configuration + defaultLogTypeForListener := accessLogType == ir.ProxyAccessLogTypeListener && text.LogType == nil + filelog := &fileaccesslog.FileAccessLog{ Path: text.Path, } @@ -131,11 +140,19 @@ func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLo ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(text.CELMatches, forListener), + Filter: buildAccessLogFilter(text.CELMatches, defaultLogTypeForListener), }) } // handle json file access logs for _, json := range al.JSON { + // Filter out logs that are not Global or match the desired access log type + if !(json.LogType == nil || *json.LogType == accessLogType) { + continue + } + + // NR is only added to listener logs originating from a global log configuration + defaultLogTypeForListener := accessLogType == ir.ProxyAccessLogTypeListener && json.LogType == nil + jsonFormat := &structpb.Struct{ Fields: make(map[string]*structpb.Value, len(json.JSON)), } 
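Review bot: The include test and the `defaultLogTypeForListener` computation are pasted into the text loop here and again into the JSON, ALS and OpenTelemetry loops in the following hunks. A later change to the scoping rule therefore has to be made in four places, and a missed copy would silently drop or over-filter one sink type's access logs. A single helper that returns both decisions keeps them in step, and its comment is the natural place to spell out what NR means. The body of `buildXdsAccessLog` continues past this hunk.

```go
// accessLogScope reports whether a sink with the given LogType belongs in the
// access-log list being built for want, and whether it needs the NR
// (no route) response-flag filter. Untyped sinks are emitted at both levels;
// only their listener copy gets the NR filter.
func accessLogScope(logType *ir.ProxyAccessLogType, want ir.ProxyAccessLogType) (include, withNoRouteMatchFilter bool) {
	if logType == nil {
		return true, want == ir.ProxyAccessLogTypeListener
	}
	return *logType == want, false
}

	// … unchanged: nil check, totalLen, accessLogs allocation …
	for _, text := range al.Text {
		include, withNR := accessLogScope(text.LogType, accessLogType)
		if !include {
			continue
		}
		// … unchanged: FileAccessLog construction; Filter is built with withNR …
```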
@@ -174,11 +191,19 @@ func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLo ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(json.CELMatches, forListener), + Filter: buildAccessLogFilter(json.CELMatches, defaultLogTypeForListener), }) } // handle ALS access logs for _, als := range al.ALS { + // Filter out logs that are not Global or match the desired access log type + if !(als.LogType == nil || *als.LogType == accessLogType) { + continue + } + + // NR is only added to listener logs originating from a global log configuration + defaultLogTypeForListener := accessLogType == ir.ProxyAccessLogTypeListener && als.LogType == nil + cc := &grpcaccesslog.CommonGrpcAccessLogConfig{ LogName: als.LogName, GrpcService: &cfgcore.GrpcService{ @@ -209,7 +234,7 @@ func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLo ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(als.CELMatches, forListener), + Filter: buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener), }) case egv1a1.ALSEnvoyProxyAccessLogTypeTCP: alCfg := &grpcaccesslog.TcpGrpcAccessLogConfig{ 
@@ -222,12 +247,20 @@ func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLo ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(als.CELMatches, forListener), + Filter: buildAccessLogFilter(als.CELMatches, defaultLogTypeForListener), }) } } // handle open telemetry access logs for _, otel := range al.OpenTelemetry { + // Filter out logs that are not Global or match the desired access log type + if !(otel.LogType == nil || *otel.LogType == accessLogType) { + continue + } + + // NR is only added to listener logs originating from a global log configuration + defaultLogTypeForListener := accessLogType == ir.ProxyAccessLogTypeListener && otel.LogType == nil + al := &otelaccesslog.OpenTelemetryAccessLogConfig{ CommonConfig: &grpcaccesslog.CommonGrpcAccessLogConfig{ LogName: otelLogName, @@ -270,7 +303,7 @@ func buildXdsAccessLog(al *ir.AccessLog, forListener bool) []*accesslog.AccessLo ConfigType: &accesslog.AccessLog_TypedConfig{ TypedConfig: accesslogAny, }, - Filter: buildAccessLogFilter(otel.CELMatches, forListener), + Filter: buildAccessLogFilter(otel.CELMatches, defaultLogTypeForListener), }) } @@ -292,13 +325,13 @@ func celAccessLogFilter(expr string) *accesslog.AccessLogFilter { } } -func buildAccessLogFilter(exprs []string, forListener bool) *accesslog.AccessLogFilter { +func buildAccessLogFilter(exprs []string, withNoRouteMatchFilter bool) *accesslog.AccessLogFilter { // add filter for access logs var filters []*accesslog.AccessLogFilter for _, expr := range exprs { filters = append(filters, celAccessLogFilter(expr)) } - if forListener { + if withNoRouteMatchFilter { filters = append(filters, listenerAccessLogFilter) } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 98f7c28e372..9cc8e61f6ed 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go 
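Review bot: After the rename, `buildAccessLogFilter` takes `withNoRouteMatchFilter` but still appends a variable called `listenerAccessLogFilter`, and that variable is no longer applied to every listener log, only to untyped ones. Renaming it to something like `noRouteMatchAccessLogFilter` (its definition is outside this hunk) would keep the names aligned with the new behaviour. A function comment would help too, for example `// buildAccessLogFilter combines the CEL matches with, optionally, the NR response-flag filter.` How the collected filters are combined is decided below this hunk, so the comment's wording should be checked against that part.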
@@ -151,7 +151,7 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin // TODO: Improve function parameters func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener { socketOptions := buildTCPSocketOptions(keepalive) - al := buildXdsAccessLog(accesslog, true) + al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection) return &listenerv3.Listener{ Name: name, @@ -183,7 +183,7 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) *listenerv3.Listener { xdsListener := &listenerv3.Listener{ Name: name + "-quic", - AccessLog: buildXdsAccessLog(accesslog, true), + AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -220,7 +220,7 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irListener *ir.HTTPListener, accesslog *ir.AccessLog, tracing *ir.Tracing, http3Listener bool, connection *ir.ClientConnection, ) error { - al := buildXdsAccessLog(accesslog, false) + al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) hcmTracing, err := buildHCMTracing(tracing) if err != nil { 
@@ -494,7 +494,7 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-") mgr := &tcpv3.TcpProxy{ - AccessLog: buildXdsAccessLog(accesslog, false), + AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), StatPrefix: statPrefix, ClusterSpecifier: &tcpv3.TcpProxy_Cluster{ Cluster: clusterName, @@ -773,7 +773,7 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access udpProxy := &udpv3.UdpProxyConfig{ StatPrefix: statPrefix, - AccessLog: buildXdsAccessLog(accesslog, false), + AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), RouteSpecifier: &udpv3.UdpProxyConfig_Matcher{ Matcher: &matcher.Matcher{ OnNoMatch: &matcher.Matcher_OnMatch{ @@ -794,7 +794,7 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access xdsListener := &listenerv3.Listener{ Name: udpListener.Name, - AccessLog: buildXdsAccessLog(accesslog, true), + AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml new file mode 100644 index 00000000000..d2458abfce9 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml 
@@ -0,0 +1,184 @@ +accessLog: + als: + - destination: + name: accesslog_als_0_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logType: Route + name: accesslog + text: | + this is a route log + type: HTTP + - destination: + name: accesslog_als_0_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + logType: Route + name: envoy-gateway-system/test + text: | + this is a route log + type: TCP + - destination: + name: accesslog_als_1_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + logType: Listener + name: accesslog + text: | + this is a listener log + type: HTTP + - destination: + name: accesslog_als_1_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + logType: Listener + name: envoy-gateway-system/test + text: | + this is a listener log + type: TCP + - destination: + name: accesslog_als_2_1 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + http: + requestHeaders: + - x-client-ip-address + responseHeaders: + - cache-control + responseTrailers: + - expires + name: accesslog + text: | + this is a Global log + type: HTTP + - destination: + name: accesslog_als_2_2 + settings: + - addressType: IP + endpoints: + - host: 10.240.0.10 + port: 9090 + protocol: GRPC + name: envoy-gateway-system/test + text: | + this is a Global log + type: TCP + openTelemetry: + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_0_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + logType: Route + 
resources: + k8s.cluster.name: cluster-1 + text: | + this is a route log + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_1_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + logType: Listener + resources: + k8s.cluster.name: cluster-1 + text: | + this is a listener log + - authority: otel-collector.monitoring.svc.cluster.local + destination: + name: accesslog_otel_2_3 + settings: + - endpoints: + - host: otel-collector.monitoring.svc.cluster.local + port: 4317 + protocol: GRPC + weight: 1 + resources: + k8s.cluster.name: cluster-1 + text: | + this is a Global log + text: + - logType: Route + path: /dev/stdout + - logType: Listener + path: /dev/stdout + - format: | + this is a route log + logType: Route + path: /dev/stdout + - format: | + this is a listener log + logType: Listener + path: /dev/stdout + - format: | + this is a Global log + path: /dev/stdout +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: "direct-route" + hostname: "*" + destination: + name: "direct-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + directResponse: + body: "Unknown custom filter type: UnsupportedType" + statusCode: 500 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml new file mode 100644 index 00000000000..e0328b6e26c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml 
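Review bot: This fixture sets `logType` on `text`, `als` and `openTelemetry` sinks but has no `json` entries, so the JSON branch of the new filtering in `buildXdsAccessLog` is not covered by it. It also defines only an `http` listener, which leaves the TCP and UDP proxy call sites that now pass the Route type unexercised here. Adding three `json` sinks (Route, Listener and untyped) would mirror the other sink types. Other fixtures in the repository may already cover part of this, which cannot be seen from this page.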
@@ -0,0 +1,263 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: direct-route-dest + lbPolicy: LEAST_REQUEST + name: direct-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: accesslog_als_0_1 + lbPolicy: LEAST_REQUEST + name: accesslog_als_0_1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: accesslog_als_0_2 + lbPolicy: LEAST_REQUEST + name: accesslog_als_0_2 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: 
accesslog_als_1_1 + lbPolicy: LEAST_REQUEST + name: accesslog_als_1_1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: accesslog_als_1_2 + lbPolicy: LEAST_REQUEST + name: accesslog_als_1_2 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: accesslog_als_2_1 + lbPolicy: LEAST_REQUEST + name: accesslog_als_2_1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + 
resourceApiVersion: V3 + serviceName: accesslog_als_2_2 + lbPolicy: LEAST_REQUEST + name: accesslog_als_2_2 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: accesslog_otel_0_3 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: otel-collector.monitoring.svc.cluster.local + portValue: 4317 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_otel_0_3/backend/0 + name: accesslog_otel_0_3 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: accesslog_otel_1_3 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: otel-collector.monitoring.svc.cluster.local + portValue: 4317 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_otel_1_3/backend/0 + name: accesslog_otel_1_3 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + 
respectDnsTtl: true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: accesslog_otel_2_3 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: otel-collector.monitoring.svc.cluster.local + portValue: 4317 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_otel_2_3/backend/0 + name: accesslog_otel_2_3 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.endpoints.yaml new file mode 100644 index 00000000000..e9526ab5d90 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.endpoints.yaml 
@@ -0,0 +1,84 @@ +- clusterName: direct-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: direct-route-dest/backend/0 +- clusterName: accesslog_als_0_1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_0_1/backend/0 +- clusterName: accesslog_als_0_2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_0_2/backend/0 +- clusterName: accesslog_als_1_1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_1_1/backend/0 +- clusterName: accesslog_als_1_2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_1_2/backend/0 +- clusterName: accesslog_als_2_1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_2_1/backend/0 +- clusterName: accesslog_als_2_2 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 10.240.0.10 + portValue: 9090 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: accesslog_als_2_2/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml new file mode 100644 index 00000000000..dbb30726378 --- /dev/null 
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml 
@@ -0,0 +1,300 @@ +- accessLog: + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + {"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} + path: /dev/stdout + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + this is a listener log + path: /dev/stdout + - filter: + responseFlagFilter: + flags: + - NR + name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + this is a Global log + path: /dev/stdout + - name: envoy.access_loggers.http_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + additionalRequestHeadersToLog: + - x-client-ip-address + 
additionalResponseHeadersToLog: + - cache-control + additionalResponseTrailersToLog: + - expires + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_1_1 + logName: accesslog + transportApiVersion: V3 + - name: envoy.access_loggers.tcp_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_1_2 + logName: envoy-gateway-system/test + transportApiVersion: V3 + - filter: + responseFlagFilter: + flags: + - NR + name: envoy.access_loggers.http_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + additionalRequestHeadersToLog: + - x-client-ip-address + additionalResponseHeadersToLog: + - cache-control + additionalResponseTrailersToLog: + - expires + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_2_1 + logName: accesslog + transportApiVersion: V3 + - filter: + responseFlagFilter: + flags: + - NR + name: envoy.access_loggers.tcp_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_2_2 + logName: envoy-gateway-system/test + transportApiVersion: V3 + - name: envoy.access_loggers.open_telemetry + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig + attributes: + values: + - key: k8s.namespace.name + value: + stringValue: '%ENVIRONMENT(ENVOY_GATEWAY_NAMESPACE)%' + - key: k8s.pod.name + value: + stringValue: '%ENVIRONMENT(ENVOY_POD_NAME)%' + body: + stringValue: | + this is a listener log + commonConfig: + grpcService: + envoyGrpc: + authority: otel-collector.monitoring.svc.cluster.local + clusterName: accesslog_otel_1_3 + logName: otel_envoy_accesslog + transportApiVersion: V3 + resourceAttributes: + values: + - key: k8s.cluster.name + 
value: + stringValue: cluster-1 + - filter: + responseFlagFilter: + flags: + - NR + name: envoy.access_loggers.open_telemetry + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig + attributes: + values: + - key: k8s.namespace.name + value: + stringValue: '%ENVIRONMENT(ENVOY_GATEWAY_NAMESPACE)%' + - key: k8s.pod.name + value: + stringValue: '%ENVIRONMENT(ENVOY_POD_NAME)%' + body: + stringValue: | + this is a Global log + commonConfig: + grpcService: + envoyGrpc: + authority: otel-collector.monitoring.svc.cluster.local + clusterName: accesslog_otel_2_3 + logName: otel_envoy_accesslog + transportApiVersion: V3 + resourceAttributes: + values: + - key: k8s.cluster.name + value: + stringValue: cluster-1 + address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + accessLog: + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + 
{"start_time":"%START_TIME%","method":"%REQ(:METHOD)%","x-envoy-origin-path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","response_code_details":"%RESPONSE_CODE_DETAILS%","connection_termination_details":"%CONNECTION_TERMINATION_DETAILS%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","duration":"%DURATION%","x-envoy-upstream-service-time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x-forwarded-for":"%REQ(X-FORWARDED-FOR)%","user-agent":"%REQ(USER-AGENT)%","x-request-id":"%REQ(X-REQUEST-ID)%",":authority":"%REQ(:AUTHORITY)%","upstream_host":"%UPSTREAM_HOST%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","requested_server_name":"%REQUESTED_SERVER_NAME%","route_name":"%ROUTE_NAME%"} + path: /dev/stdout + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + this is a route log + path: /dev/stdout + - name: envoy.access_loggers.file + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + logFormat: + textFormatSource: + inlineString: | + this is a Global log + path: /dev/stdout + - name: envoy.access_loggers.http_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + additionalRequestHeadersToLog: + - x-client-ip-address + additionalResponseHeadersToLog: + - cache-control + additionalResponseTrailersToLog: + - expires + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_0_1 + logName: accesslog + transportApiVersion: V3 + - name: envoy.access_loggers.tcp_grpc + typedConfig: + 
'@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_0_2 + logName: envoy-gateway-system/test + transportApiVersion: V3 + - name: envoy.access_loggers.http_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig + additionalRequestHeadersToLog: + - x-client-ip-address + additionalResponseHeadersToLog: + - cache-control + additionalResponseTrailersToLog: + - expires + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_2_1 + logName: accesslog + transportApiVersion: V3 + - name: envoy.access_loggers.tcp_grpc + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig + commonConfig: + grpcService: + envoyGrpc: + clusterName: accesslog_als_2_2 + logName: envoy-gateway-system/test + transportApiVersion: V3 + - name: envoy.access_loggers.open_telemetry + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig + attributes: + values: + - key: k8s.namespace.name + value: + stringValue: '%ENVIRONMENT(ENVOY_GATEWAY_NAMESPACE)%' + - key: k8s.pod.name + value: + stringValue: '%ENVIRONMENT(ENVOY_POD_NAME)%' + body: + stringValue: | + this is a route log + commonConfig: + grpcService: + envoyGrpc: + authority: otel-collector.monitoring.svc.cluster.local + clusterName: accesslog_otel_0_3 + logName: otel_envoy_accesslog + transportApiVersion: V3 + resourceAttributes: + values: + - key: k8s.cluster.name + value: + stringValue: cluster-1 + - name: envoy.access_loggers.open_telemetry + typedConfig: + '@type': type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig + attributes: + values: + - key: k8s.namespace.name + value: + stringValue: '%ENVIRONMENT(ENVOY_GATEWAY_NAMESPACE)%' + - key: k8s.pod.name + value: + stringValue: 
'%ENVIRONMENT(ENVOY_POD_NAME)%' + body: + stringValue: | + this is a Global log + commonConfig: + grpcService: + envoyGrpc: + authority: otel-collector.monitoring.svc.cluster.local + clusterName: accesslog_otel_2_3 + logName: otel_envoy_accesslog + transportApiVersion: V3 + resourceAttributes: + values: + - key: k8s.cluster.name + value: + stringValue: cluster-1 + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml new file mode 100644 index 00000000000..ff2210f8d50 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml @@ -0,0 +1,20 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - '*' + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/* + routes: + - directResponse: + status: 500 + match: + prefix: / + name: direct-route diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index bc01189920d..c26a8c713f8 100644 
--- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2995,6 +2995,7 @@ _Appears in:_ | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | | `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | #### ProxyAccessLogSink diff --git a/site/content/en/latest/tasks/observability/proxy-accesslog.md b/site/content/en/latest/tasks/observability/proxy-accesslog.md index fb0200f1739..17d444b8636 100644 --- a/site/content/en/latest/tasks/observability/proxy-accesslog.md +++ b/site/content/en/latest/tasks/observability/proxy-accesslog.md 
@@ -249,3 +249,62 @@ Envoy Gateway provides additional metadata about the K8s resources that were tra For example, details about the `HTTPRoute` and `GRPCRoute` (kind, group, name, namespace and annotations) are available for access log formatter using the `METADATA` operator. To enrich logs, users can add log operator such as: `%METADATA(ROUTE:envoy-gateway:resources)%` to their access log format. + +## Access Log Types + +By default, Access Log settings would apply to: +- All Routes +- If traffic is not matched by any Route known to Envoy, the Listener would emit the access log instead + +Users may wish to customize this behavior: +- Emit Access Logs by all Listeners for all traffic with specific settings +- Do not emit Route-oriented access logs when a route is not matched. + +To achieve this, users can select if Access Log settings follow the default behavior or apply specifically to +Routes or Listeners by specifying the setting's type. + +**Note**: When users define their own Access Log settings (with or without a type), the default Envoy Gateway +file access log is no longer configured. It can be re-enabled explicitly by adding empty settings for the desired components. + +In the following example: +- Route Access logs would use the default Envoy Gateway format and sink +- Listener Access logs are customized to report transport-level failures and connection attributes + +```shell +kubectl apply -f - <This will be ignored if sink type is ALS. | | `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | #### ProxyAccessLogSink diff --git a/test/config/gatewayclass.yaml b/test/config/gatewayclass.yaml index fa07a159305..6e8acf3d0f8 100644 --- a/test/config/gatewayclass.yaml +++ b/test/config/gatewayclass.yaml @@ -68,6 +68,15 @@ spec: namespace: monitoring port: 8080 type: HTTP + - type: Listener + format: + type: Text + text: | + LISTENER ACCESS LOG %UPSTREAM_PROTOCOL% %RESPONSE_CODE% + sinks: + - type: File + file: + path: /dev/stdout tracing: provider: backendRefs: diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index 2019d92568c..b2c9a28ac94 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go 
@@ -81,6 +81,38 @@ var FileAccessLogTest = suite.ConformanceTest{ runLogTest(t, suite, gwAddr, expectedResponse, labels, match, 0) }) + + t.Run("Listener Logs", func(t *testing.T) { + // Ensure that Listener is emitting the log: protocol and response code should be + // empty in listener logs as they are upstream L7 attributes + expectedMatch := "LISTENER ACCESS LOG - 0" + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "accesslog-file", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := httputils.ExpectedResponse{ + Request: httputils.Request{ + Path: "/file", + Headers: map[string]string{ + "connection": "close", + }, + }, + ExpectedRequest: &httputils.ExpectedRequest{ + Request: httputils.Request{ + Path: "/file", + }, + }, + Response: httputils.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + // make sure listener is ready + httputils.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + + runLogTest(t, suite, gwAddr, expectedResponse, labels, expectedMatch, 0) + }) }, } From f1df0c95e0cffaec3f119d7dfb63607a78a4f808 Mon Sep 17 00:00:00 2001 From: shaoyue Date: Fri, 11 Oct 2024 00:19:59 +0800 Subject: [PATCH 244/523] fix dashboard typos (#4422) Signed-off-by: haorenfsa --- charts/gateway-addons-helm/dashboards/envoy-clusters.json | 4 ++-- .../gateway-addons-helm/dashboards/envoy-proxy-global.json | 2 +- test/helm/gateway-addons-helm/default.out.yaml | 6 +++--- test/helm/gateway-addons-helm/e2e.out.yaml | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/gateway-addons-helm/dashboards/envoy-clusters.json b/charts/gateway-addons-helm/dashboards/envoy-clusters.json index 4505f188e7d..8ee91675d96 100644 
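Review bot: The comment at the top of the new "Listener Logs" subtest says protocol and response code "should be empty", but the asserted string `LISTENER ACCESS LOG - 0` shows them rendering as `-` and `0`. The comment also calls `%RESPONSE_CODE%` an upstream attribute, which does not match its name. The format string being matched lives in test/config/gatewayclass.yaml (`LISTENER ACCESS LOG %UPSTREAM_PROTOCOL% %RESPONSE_CODE%`), so the comment should point there and state the rendered values, for example `// Format comes from test/config/gatewayclass.yaml; in listener-level logs %UPSTREAM_PROTOCOL% renders as "-" and %RESPONSE_CODE% as 0.` The enclosing `FileAccessLogTest` starts outside this hunk, so how `runLogTest` interprets `expectedMatch` (substring or regular expression) cannot be confirmed from here.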
--- a/charts/gateway-addons-helm/dashboards/envoy-clusters.json +++ b/charts/gateway-addons-helm/dashboards/envoy-clusters.json @@ -259,7 +259,7 @@ "uid": "$datasource" }, "editorMode": "builder", - "expr": "SUM(envoy_server_memory_allocated{})", + "expr": "sum(envoy_server_memory_allocated{})", "format": "time_series", "intervalFactor": 1, "legendFormat": "", @@ -339,7 +339,7 @@ "uid": "$datasource" }, "editorMode": "code", - "expr": "SUM(envoy_server_memory_heap_size)", + "expr": "sum(envoy_server_memory_heap_size)", "format": "time_series", "intervalFactor": 1, "legendFormat": "", diff --git a/charts/gateway-addons-helm/dashboards/envoy-proxy-global.json b/charts/gateway-addons-helm/dashboards/envoy-proxy-global.json index f2c0ae2b0d4..99522ae061e 100644 --- a/charts/gateway-addons-helm/dashboards/envoy-proxy-global.json +++ b/charts/gateway-addons-helm/dashboards/envoy-proxy-global.json @@ -1849,7 +1849,7 @@ "uid": "${datasource}" }, "editorMode": "builder", - "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_rx_bytes_total{namespace=~\"$Namespace\"}[5m]))", + "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_tx_bytes_total{namespace=~\"$Namespace\"}[5m]))", "instant": false, "legendFormat": "{{namespace}}", "range": true, diff --git a/test/helm/gateway-addons-helm/default.out.yaml b/test/helm/gateway-addons-helm/default.out.yaml index f2fac1dfe09..614a2d22454 100644 --- a/test/helm/gateway-addons-helm/default.out.yaml +++ b/test/helm/gateway-addons-helm/default.out.yaml @@ -941,7 +941,7 @@ data: "uid": "$datasource" }, "editorMode": "builder", - "expr": "SUM(envoy_server_memory_allocated{})", + "expr": "sum(envoy_server_memory_allocated{})", "format": "time_series", "intervalFactor": 1, "legendFormat": "", @@ -1021,7 +1021,7 @@ data: "uid": "$datasource" }, "editorMode": "code", - "expr": "SUM(envoy_server_memory_heap_size)", + "expr": "sum(envoy_server_memory_heap_size)", "format": "time_series", "intervalFactor": 1, "legendFormat": "", 
@@ -7247,7 +7247,7 @@ data: "uid": "${datasource}" }, "editorMode": "builder", - "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_rx_bytes_total{namespace=~\"$Namespace\"}[5m]))", + "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_tx_bytes_total{namespace=~\"$Namespace\"}[5m]))", "instant": false, "legendFormat": "{{namespace}}", "range": true, diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 52ed8fcb97e..15445239f3d 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml @@ -973,7 +973,7 @@ data: "uid": "$datasource" }, "editorMode": "builder", - "expr": "SUM(envoy_server_memory_allocated{})", + "expr": "sum(envoy_server_memory_allocated{})", "format": "time_series", "intervalFactor": 1, "legendFormat": "", @@ -1053,7 +1053,7 @@ data: "uid": "$datasource" }, "editorMode": "code", - "expr": "SUM(envoy_server_memory_heap_size)", + "expr": "sum(envoy_server_memory_heap_size)", "format": "time_series", "intervalFactor": 1, "legendFormat": "", @@ -7279,7 +7279,7 @@ data: "uid": "${datasource}" }, "editorMode": "builder", - "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_rx_bytes_total{namespace=~\"$Namespace\"}[5m]))", + "expr": "sum by(namespace) (rate(envoy_cluster_upstream_cx_tx_bytes_total{namespace=~\"$Namespace\"}[5m]))", "instant": false, "legendFormat": "{{namespace}}", "range": true, From c1f4837f4af7b47d19c829091eacc8e4d3340eb7 Mon Sep 17 00:00:00 2001 
From: Isaac <10012479+jukie@users.noreply.github.com> Date: Sat, 12 Oct 2024 18:38:00 -0600 Subject: [PATCH 245/523] feat: add labels to envoyService config (#4427) --- api/v1alpha1/shared_types.go | 6 +++ api/v1alpha1/zz_generated.deepcopy.go | 7 ++++ .../gateway.envoyproxy.io_envoyproxies.yaml | 7 ++++ .../kubernetes/proxy/resource_provider.go | 22 ++++++++--- .../proxy/resource_provider_test.go | 28 ++++++++++++++ .../proxy/testdata/services/custom.yaml | 1 + .../testdata/services/override-labels.yaml | 37 +++++++++++++++++++ .../testdata/services/with-svc-labels.yaml | 32 ++++++++++++++++ site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 10 files changed, 136 insertions(+), 6 deletions(-) create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/services/override-labels.yaml create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/services/with-svc-labels.yaml diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 48e3471c77d..3f165cc6c2d 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -262,6 +262,12 @@ type KubernetesServiceSpec struct { // +optional Annotations map[string]string `json:"annotations,omitempty"` + // Labels that should be appended to the service. + // By default, no labels are appended. + // + // +optional + Labels map[string]string `json:"labels,omitempty"` + // Type determines how the Service is exposed. Defaults to LoadBalancer. // Valid options are ClusterIP, LoadBalancer and NodePort. // "LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it). diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index ed5df681ad2..a72706c33bb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
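Review bot: The doc comment on the new `Labels` field of `KubernetesServiceSpec` does not say what happens when a key collides with a label Envoy Gateway already sets on the Service. The `override-labels` test data later in this patch shows the user value replacing `label1` in the Service metadata while the selector keeps the original value. The comment should say so, for example `// A label with the same key as one set by Envoy Gateway replaces it on the Service metadata; the Service selector is not affected.` The same text is copied into the generated CRD and extension_types.md, which would need regenerating. The struct begins and ends outside this hunk.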
@@ -3580,6 +3580,13 @@ func (in *KubernetesServiceSpec) DeepCopyInto(out *KubernetesServiceSpec) { (*out)[key] = val } } + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.Type != nil { in, out := &in.Type, &out.Type *out = new(ServiceType) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 1b18890cd27..487f436ab81 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -10134,6 +10134,13 @@ spec: - Local - Cluster type: string + labels: + additionalProperties: + type: string + description: |- + Labels that should be appended to the service. + By default, no labels are appended. + type: object loadBalancerClass: description: |- LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 768ed7514ba..233afddce73 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -101,10 +101,10 @@ func (r *ResourceRender) Service() (*corev1.Service, error) { } } - // Set the labels based on the owning gatewayclass name. - labels := envoyLabels(r.infra.GetProxyMetadata().Labels) - if OwningGatewayLabelsAbsent(labels) { - return nil, fmt.Errorf("missing owning gateway labels") + // Set the infraLabels based on the owning gatewayclass name. + infraLabels := envoyLabels(r.infra.GetProxyMetadata().Labels) + if OwningGatewayLabelsAbsent(infraLabels) { + return nil, fmt.Errorf("missing owning gateway infraLabels") } // Get annotations 
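Review bot: The error string in `Service()` changed to `missing owning gateway infraLabels`, which looks like a side effect of renaming the local `labels` to `infraLabels` rather than an intended wording change. Operators read this text in logs and it should not expose a local variable name; keep `return nil, fmt.Errorf("missing owning gateway labels")`. The comment above it has the same artefact and would read better as `// Set the infra labels based on the owning gatewayclass name.` `Service()` starts and continues outside this hunk.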
@@ -120,10 +120,20 @@ func (r *ResourceRender) Service() (*corev1.Service, error) { annotations = nil } + // Get service-specific labels + svcLabels := map[string]string{} + maps.Copy(svcLabels, infraLabels) + if envoyServiceConfig.Labels != nil { + maps.Copy(svcLabels, envoyServiceConfig.Labels) + } + if len(svcLabels) == 0 { + svcLabels = nil + } + // Set the spec of gateway service serviceSpec := resource.ExpectedServiceSpec(envoyServiceConfig) serviceSpec.Ports = ports - serviceSpec.Selector = resource.GetSelector(labels).MatchLabels + serviceSpec.Selector = resource.GetSelector(infraLabels).MatchLabels if (*envoyServiceConfig.Type) == egv1a1.ServiceTypeClusterIP { if len(r.infra.Addresses) > 0 { @@ -144,7 +154,7 @@ func (r *ResourceRender) Service() (*corev1.Service, error) { }, ObjectMeta: metav1.ObjectMeta{ Namespace: r.Namespace, - Labels: labels, + Labels: svcLabels, Annotations: annotations, }, Spec: serviceSpec, diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index c92d94d4b42..8c4138a3825 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -1051,6 +1051,9 @@ func TestService(t *testing.T) { caseName: "custom", infra: newTestInfra(), service: &egv1a1.KubernetesServiceSpec{ + Labels: map[string]string{ + "key1": "value1", + }, Annotations: map[string]string{ "key1": "value1", }, 
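Review bot: In the `@@ -120,10 +120,20 @@` hunk, `maps.Copy(svcLabels, envoyServiceConfig.Labels)` runs after the infra labels are copied, so user configuration can replace any key on the Service metadata, including the owning-gateway keys. `OwningGatewayLabelsAbsent` has just checked `infraLabels` for those keys, which suggests they are relied on to identify the Service's owner. If the controller or other tooling looks Services up by them, an overridden value could orphan the Service or misattribute it to another Gateway. The selector is built from `infraLabels`, so traffic selection is unaffected. I would skip the controller-owned keys when merging, as sketched below. The prefix is taken from the test data in this patch, and the project's own constants would be preferable if they exist. The `nil` guard is not needed either way, since copying or ranging over a nil map is a no-op. `Service()` starts and ends outside this hunk.

```go
	// Get service-specific labels
	svcLabels := map[string]string{}
	maps.Copy(svcLabels, infraLabels)
	for k, v := range envoyServiceConfig.Labels {
		// Owning-gateway keys identify which Gateway this Service belongs to;
		// user-supplied labels must not replace them.
		if strings.HasPrefix(k, "gateway.envoyproxy.io/owning-gateway-") {
			continue
		}
		svcLabels[k] = v
	}
	// … unchanged: svcLabels set to nil when empty …
```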
@@ -1079,6 +1082,31 @@ func TestService(t *testing.T) { }, }, }, + { + caseName: "with-svc-labels", + infra: newTestInfra(), + service: &egv1a1.KubernetesServiceSpec{ + Labels: map[string]string{ + "label1": "value1", + "label2": "value2", + }, + }, + }, + { + caseName: "override-labels", + infra: newTestInfraWithAnnotationsAndLabels(map[string]string{ + "anno1": "value1", + "anno2": "value2", + }, map[string]string{ + "label1": "value1", + "label2": "value2", + }), + service: &egv1a1.KubernetesServiceSpec{ + Labels: map[string]string{ + "label1": "value1-override", + }, + }, + }, { caseName: "clusterIP-custom-addresses", infra: newTestInfraWithAddresses([]string{ diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml index e898ccb1aff..d087bf24bf6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/services/custom.yaml @@ -4,6 +4,7 @@ metadata: annotations: key1: value1 labels: + key1: value1 app.kubernetes.io/name: envoy app.kubernetes.io/component: proxy app.kubernetes.io/managed-by: envoy-gateway diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/override-labels.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/override-labels.yaml new file mode 100644 index 00000000000..6f60f58176c --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/services/override-labels.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + anno1: value1 + anno2: value2 + labels: + app.kubernetes.io/name: envoy + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + label1: value1-override + label2: value2 + name: envoy-default-37a8eec1 + namespace: envoy-gateway-system +spec: + externalTrafficPolicy: Local + ports: + - name: EnvoyHTTPPort + port: 0 + protocol: TCP + targetPort: 8080 + - name: EnvoyHTTPSPort + port: 0 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: envoy + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + label1: value1 + label2: value2 + sessionAffinity: None + type: LoadBalancer diff --git a/internal/infrastructure/kubernetes/proxy/testdata/services/with-svc-labels.yaml b/internal/infrastructure/kubernetes/proxy/testdata/services/with-svc-labels.yaml new file mode 100644 index 00000000000..8ff9e5bb319 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/services/with-svc-labels.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + label1: value1 + label2: value2 + app.kubernetes.io/name: envoy + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + name: envoy-default-37a8eec1 + namespace: envoy-gateway-system +spec: + externalTrafficPolicy: Local + ports: + - name: EnvoyHTTPPort + port: 0 + protocol: TCP + targetPort: 8080 + - name: EnvoyHTTPSPort + port: 0 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/name: envoy + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + sessionAffinity: None + type: LoadBalancer diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index c26a8c713f8..76adfb15735 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2564,6 +2564,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. | | `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | | `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | | `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index c26a8c713f8..76adfb15735 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2564,6 +2564,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. |
+| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. |
 | `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. |
 | `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified |
 | `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | From e0455acdd6dc598a30a35cc90e481f9f81431bc1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:42:46 +0800 Subject: [PATCH 246/523] build(deps): bump helm.sh/helm/v3 from 3.16.1 to 3.16.2 (#4436) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.16.1 to 3.16.2. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.16.1...v3.16.2) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index e34c38bed54..956bf2831c6 100644
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,7 @@ require (
 golang.org/x/sys v0.26.0
 google.golang.org/protobuf v1.34.2
 gopkg.in/yaml.v3 v3.0.1
- helm.sh/helm/v3 v3.16.1
+ helm.sh/helm/v3 v3.16.2
 k8s.io/api v0.31.1
 k8s.io/apiextensions-apiserver v0.31.1
 k8s.io/apimachinery v0.31.1
diff --git a/go.sum b/go.sum
index 01eea5533e5..d26d6608694 100644
--- a/go.sum
+++ b/go.sum
@@ -1146,8 +1146,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c=
-helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps=
+helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o=
+helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 045a438c10ae3b3a60185065ab381ed178c0eed2 Mon Sep 17 00:00:00 2001 From: Puerco Date: Mon, 14 Oct 2024 22:30:11 -0600 Subject: [PATCH 247/523] docs: Fix capital D in ratelimit example (#4428) --- site/content/en/docs/tasks/traffic/global-rate-limit.md | 2 +- site/content/en/latest/tasks/traffic/global-rate-limit.md | 2 +- site/content/en/v1.1/tasks/traffic/global-rate-limit.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/site/content/en/docs/tasks/traffic/global-rate-limit.md b/site/content/en/docs/tasks/traffic/global-rate-limit.md
index bb87c47de49..da00334b296 100644
--- a/site/content/en/docs/tasks/traffic/global-rate-limit.md
+++ b/site/content/en/docs/tasks/traffic/global-rate-limit.md
@@ -871,7 +871,7 @@ spec:
 - clientSelectors:
 - sourceCIDR:
 value: 0.0.0.0/0
- type: distinct
+ type: Distinct
 limit:
 requests: 3
 unit: Hour
diff --git a/site/content/en/latest/tasks/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md
index f105de880cd..6c96b12efe7 100644
--- a/site/content/en/latest/tasks/traffic/global-rate-limit.md
+++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md
@@ -870,7 +870,7 @@ spec:
 - clientSelectors:
 - sourceCIDR:
 value: 0.0.0.0/0
- type: distinct
+ type: Distinct
 limit:
 requests: 3
 unit: Hour
diff --git a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md
index bb87c47de49..da00334b296 100644
--- a/site/content/en/v1.1/tasks/traffic/global-rate-limit.md
+++ b/site/content/en/v1.1/tasks/traffic/global-rate-limit.md
@@ -871,7 +871,7 @@ spec:
 - clientSelectors:
 - sourceCIDR:
 value: 0.0.0.0/0
- type: distinct
+ type: Distinct
 limit:
 requests: 3
 unit: Hour From a6beeed0552ba7a5a4dcae29854bc20ced759433 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:37:57 +0800 Subject: [PATCH 248/523] build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 in /examples/extension-server (#4439) build(deps): bump google.golang.org/protobuf Bumps google.golang.org/protobuf from 1.34.2 to 1.35.1. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
index d6f03677ed6..75d36f57857 100644
--- a/examples/extension-server/go.mod
+++ b/examples/extension-server/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568
 github.com/urfave/cli/v2 v2.27.4
 google.golang.org/grpc v1.67.1
- google.golang.org/protobuf v1.34.2
+ google.golang.org/protobuf v1.35.1
 k8s.io/apimachinery v0.31.1
 sigs.k8s.io/controller-runtime v0.19.0
 sigs.k8s.io/gateway-api v1.2.0
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum
index fd1ecc8f322..e987ca82ce8 100644
--- a/examples/extension-server/go.sum
+++ b/examples/extension-server/go.sum
@@ -111,8 +111,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
 google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 14aadc7d4a23c7f0ed66d5f011ef1486b6a27b88 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:04:52 +0800 Subject: [PATCH 249/523] build(deps): bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#4438) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.59.1 to 0.60.0. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](https://github.com/prometheus/common/compare/v0.59.1...v0.60.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 956bf2831c6..416c6bc01b5 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 github.com/miekg/dns v1.1.62
 github.com/ohler55/ojg v1.24.1
 github.com/prometheus/client_golang v1.20.4
- github.com/prometheus/common v0.59.1
+ github.com/prometheus/common v0.60.0
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.9.0
@@ -274,7 +274,7 @@ require (
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/mod v0.21.0 // indirect
 golang.org/x/net v0.30.0
- golang.org/x/oauth2 v0.22.0 // indirect
+ golang.org/x/oauth2 v0.23.0 // indirect
 golang.org/x/sync v0.8.0 // indirect
 golang.org/x/term v0.25.0 // indirect
 golang.org/x/text v0.19.0 // indirect
diff --git a/go.sum b/go.sum
index d26d6608694..7f32941ab83 100644
--- a/go.sum
+++ b/go.sum
@@ -701,8 +701,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0=
-github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0=
+github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA=
+github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -981,8 +981,8 @@ golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 8f0131c50dcaaafae0c30a1f98eeb6a1ed7aee8d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:49:50 +0800 Subject: [PATCH 250/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.105.2 to 0.107.0 (#4437) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.105.2 to 0.107.0. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.105.2...v0.107.0) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 416c6bc01b5..b9599f0714e 100644
--- a/go.mod
+++ b/go.mod
@@ -63,7 +63,7 @@ require (
 require (
 github.com/docker/docker v27.3.1+incompatible
- github.com/replicatedhq/troubleshoot v0.105.2
+ github.com/replicatedhq/troubleshoot v0.107.0
 google.golang.org/grpc v1.67.1
 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263
 )
diff --git a/go.sum b/go.sum
index 7f32941ab83..8008b00e8e6 100644
--- a/go.sum
+++ b/go.sum
@@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb
 github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ=
 github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY=
 github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c=
-github.com/replicatedhq/troubleshoot v0.105.2 h1:Fm1kKdzhPw+J7UnpLByxYJ3XAVV4IkylUIDt0eaUTFE=
-github.com/replicatedhq/troubleshoot v0.105.2/go.mod h1:WqquTbNHLnZiSWsu6Mzo3rwez5kZ/A+1Hq4K/yq0HBo=
+github.com/replicatedhq/troubleshoot v0.107.0 h1:AzaKBxNKuIQpERyitjJ4EINZTz4vlUacW5QguZZkTww=
+github.com/replicatedhq/troubleshoot v0.107.0/go.mod h1:AjaLpi9kidsFAuyAvBrvcG04w49WIDm7Iy6XyMVMv6U=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From 838cd27771b1a0ba29e0a584ba9e68884109337b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:10:11 +0800 Subject: [PATCH 251/523] build(deps): bump github.com/bufbuild/buf from 1.44.0 to 1.45.0 in /tools/src/buf (#4440) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.44.0 to 1.45.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.44.0...v1.45.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- tools/src/buf/go.mod | 29 +++++++++++----------- tools/src/buf/go.sum | 58 +++++++++++++++++++++++--------------------- 2 files changed, 45 insertions(+), 42 deletions(-)
diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod
index 9154ce02a93..b2022d8afde 100644
--- a/tools/src/buf/go.mod
+++ b/tools/src/buf/go.mod
@@ -2,7 +2,7 @@ module local
 go 1.23.1
-require github.com/bufbuild/buf v1.44.0
+require github.com/bufbuild/buf v1.45.0
 require (
 buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect
@@ -21,7 +21,7 @@ require (
 github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 github.com/bufbuild/protocompile v0.14.1 // indirect
 github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect
- github.com/bufbuild/protovalidate-go v0.7.1 // indirect
+ github.com/bufbuild/protovalidate-go v0.7.2 // indirect
 github.com/containerd/cgroups/v3 v3.0.3 // indirect
 github.com/containerd/containerd v1.7.22 // indirect
 github.com/containerd/continuity v0.4.3 // indirect
@@ -50,7 +50,7 @@ require (
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/google/cel-go v0.21.0 // indirect
 github.com/google/go-containerregistry v0.20.2 // indirect
- github.com/google/pprof v0.0.0-20240929191954-255acd752d31 // indirect
+ github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -87,7 +87,7 @@ require (
 github.com/spf13/cobra v1.8.1 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/stoewer/go-strcase v1.3.0 // indirect
- github.com/tetratelabs/wazero v1.8.0 // indirect
+ github.com/tetratelabs/wazero v1.8.1 // indirect
 github.com/vbatts/tar-split v0.11.6 // indirect
 go.lsp.dev/jsonrpc2 v0.10.0 // indirect
 go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 // indirect
@@ -104,18 +104,19 @@ require (
 go.uber.org/mock v0.4.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
- golang.org/x/crypto v0.27.0 // indirect
- golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+ go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 // indirect
+ golang.org/x/crypto v0.28.0 // indirect
+ golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect
 golang.org/x/mod v0.21.0 // indirect
- golang.org/x/net v0.29.0 // indirect
+ golang.org/x/net v0.30.0 // indirect
 golang.org/x/sync v0.8.0 // indirect
- golang.org/x/sys v0.25.0 // indirect
- golang.org/x/term v0.24.0 // indirect
- golang.org/x/text v0.18.0 // indirect
- golang.org/x/tools v0.25.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect
- google.golang.org/grpc v1.67.0 // indirect
+ golang.org/x/sys v0.26.0 // indirect
+ golang.org/x/term v0.25.0 // indirect
+ golang.org/x/text v0.19.0 // indirect
+ golang.org/x/tools v0.26.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect
+ google.golang.org/grpc v1.67.1 // indirect
 google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 pluginrpc.com/pluginrpc v0.5.0 // indirect
diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum
index 1c3d37804b5..6fb21576d0e 100644
--- a/tools/src/buf/go.sum
+++ b/tools/src/buf/go.sum
@@ -30,14 +30,14 @@ github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldF
 github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
-github.com/bufbuild/buf v1.44.0 h1:95vd2ZbgaDkKIJ557eZrx2z6jdMULEpVbNpLlw/9Y5w=
-github.com/bufbuild/buf v1.44.0/go.mod h1:Ksh+C0pR3t1or0BGyzq7krkam3zhBv21QVs1zsqdOik=
+github.com/bufbuild/buf v1.45.0 h1:WdaM5OCjqEURmzOiz3h9gVilFXqWpt6X+zbOVqKti1A=
+github.com/bufbuild/buf v1.45.0/go.mod h1:j+GjGIKS+CvubKtPiC0KpEiHAd3wS9/5sn2/U5WlA20=
 github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw=
 github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
 github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg=
 github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ=
-github.com/bufbuild/protovalidate-go v0.7.1 h1:ac50NTO6+1+mKg5sP/GBPLlMkQFeI+OeaYGFdS1vu98=
-github.com/bufbuild/protovalidate-go v0.7.1/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4=
+github.com/bufbuild/protovalidate-go v0.7.2 h1:UuvKyZHl5p7u3ztEjtRtqtDxOjRKX5VUOgKFq6p6ETk=
+github.com/bufbuild/protovalidate-go v0.7.2/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -147,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l
 github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20240929191954-255acd752d31 h1:LcRdQWywSgfi5jPsYZ1r2avbbs5IQ5wtyhMBCcokyo4=
-github.com/google/pprof v0.0.0-20240929191954-255acd752d31/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d h1:Jaz2JzpQaQXyET0AjLBXShrthbpqMkhGiEfkcQAiAUs=
+github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -254,8 +254,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g=
-github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs=
+github.com/tetratelabs/wazero v1.8.1 h1:NrcgVbWfkWvVc4UtT4LRLDf91PsOzDzefMdwhLfA550=
+github.com/tetratelabs/wazero v1.8.1/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs=
 github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
 github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -298,14 +298,16 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 h1:wpjRiPjppWaUIH+GC0bRvsdaH2K4Dw49dEJa7MX01Mk=
+go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 h1:1wqE9dj9NpSm04INVsJhhEUzhuDVjbcyKH91sVyPATw=
+golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint
v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -322,8 +324,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -342,14 +344,14 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -360,8 +362,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
-golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -371,17 +373,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= -google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= 
-google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From cec67a86ac7e690b853eaf479a9a1127850c0b3b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:10:33 +0800 Subject: [PATCH 252/523] build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates (#4434) * build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates Bumps the go-opentelemetry-io group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.30.0` | `1.31.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.30.0` | `1.31.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.30.0` | `1.31.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.52.0` | `0.53.0` | | [go.opentelemetry.io/otel/exporters/stdout/stdoutmetric](https://github.com/open-telemetry/opentelemetry-go) | `1.30.0` | `1.31.0` | Updates `go.opentelemetry.io/otel` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - 
[Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.52.0 to 0.53.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.52.0...example/prometheus/v0.53.0) Updates `go.opentelemetry.io/otel/exporters/stdout/stdoutmetric` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/metric` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) Updates `go.opentelemetry.io/otel/sdk` from 1.30.0 to 1.31.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.30.0...v1.31.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: 
version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdoutmetric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] * update Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 4 +-- examples/extension-server/go.sum | 8 ++--- go.mod | 24 +++++++-------- go.sum | 52 ++++++++++++++++---------------- 4 files changed, 44 insertions(+), 44 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 75d36f57857..c4a08fecafc 100644 --- a/examples/extension-server/go.mod 
+++ b/examples/extension-server/go.mod @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.30.0 // indirect golang.org/x/sys v0.26.0 // indirect golang.org/x/text v0.19.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index e987ca82ce8..7d995a60424 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -105,10 +105,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61 h1:pAjq8XSSzXoP9ya73v/w+9QEAAJNluLrpmMq5qFJQNY= -google.golang.org/genproto/googleapis/api v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:O6rP0uBq4k0mdi/b4ZEMAZjkhYWhS815kCvaMha4VN8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= diff --git a/go.mod b/go.mod index b9599f0714e..1a235360cd7 100644 --- a/go.mod +++ b/go.mod 
@@ -34,18 +34,18 @@ require ( github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.9.3 - go.opentelemetry.io/otel v1.30.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 - go.opentelemetry.io/otel/exporters/prometheus v0.52.0 - go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 - go.opentelemetry.io/otel/metric v1.30.0 - go.opentelemetry.io/otel/sdk/metric v1.30.0 + go.opentelemetry.io/otel v1.31.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 + go.opentelemetry.io/otel/exporters/prometheus v0.53.0 + go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0 + go.opentelemetry.io/otel/metric v1.31.0 + go.opentelemetry.io/otel/sdk/metric v1.31.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e golang.org/x/sys v0.26.0 - google.golang.org/protobuf v1.34.2 + google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 k8s.io/api v0.31.1 @@ -268,8 +268,8 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/otel/sdk v1.30.0 - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/otel/sdk v1.31.0 + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect 
@@ -281,8 +281,8 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.1 // indirect diff --git a/go.sum b/go.sum index 8008b00e8e6..c5d453f9e0d 100644 --- a/go.sum +++ b/go.sum @@ -723,8 +723,8 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= 
@@ -888,32 +888,32 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0 h1:WypxHH02KX2poqqbaadmkMYalGyy/vil4HE4PM4nRJc= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.30.0/go.mod h1:U79SV99vtvGSEBeeHnpgGJfTsnsdkWLpPN/CcHAzBSI= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 h1:VrMAbeJz4gnVDg2zEzjHG4dEH86j4jO6VYB+NgtGD8s= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0/go.mod h1:qqN/uFdpeitTvm+JDqqnjm517pmQRYxTORbETHq5tOc= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 h1:FZ6ei8GFW7kyPYdxJaV2rgI6M+4tvZzhYsQ2wgyVC08= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0/go.mod h1:MdEu/mC6j3D+tTEfvI15b5Ci2Fn7NneJ71YMoiS3tpI= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 h1:ZsXq73BERAiNuuFXYqP4MR5hBrjXfMGSO+Cx7qoOZiM= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0/go.mod h1:hg1zaDMpyZJuUzjFxFsRYBoccE86tM9Uf4IqNMUxvrY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace 
v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/exporters/prometheus v0.52.0 h1:kmU3H0b9ufFSi8IQCcxack+sWUblKkFbqWYs6YiACGQ= -go.opentelemetry.io/otel/exporters/prometheus v0.52.0/go.mod h1:+wsAp2+JhuGXX7YRkjlkx6hyWY3ogFPfNA4x3nyiAh0= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 h1:IyFlqNsi8VT/nwYlLJfdM0y1gavxGpEvnf6FtVfZ6X4= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0/go.mod h1:bxiX8eUeKoAEQmbq/ecUT8UqZwCjZW52yJrXJUSozsk= +go.opentelemetry.io/otel/exporters/prometheus v0.53.0 h1:QXobPHrwiGLM4ufrY3EOmDPJpo2P90UuFau4CDPJA/I= +go.opentelemetry.io/otel/exporters/prometheus v0.53.0/go.mod h1:WOAXGr3D00CfzmFxtTV1eR0GpoHuPEu+HJT8UWW2SIU= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0 h1:HZgBIps9wH0RDrwjrmNa3DVbNRW60HEhdzqZFyAp3fI= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0/go.mod h1:RDRhvt6TDG0eIXmonAx5bd9IcwpqCkziwkOClzWKwAQ= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0 h1:VhlEQAPp9R1ktYfrPk5SOryw1e9LDDTZCbIPFrho0ec= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0/go.mod h1:kB3ufRbfU+CQ4MlUcqtW8Z7YEOBeK2DJ6CmR5rYYF3E= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= -go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= -go.opentelemetry.io/otel/sdk v1.30.0/go.mod 
h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= -go.opentelemetry.io/otel/sdk/metric v1.30.0 h1:QJLT8Pe11jyHBHfSAgYH7kEmT24eX792jZO1bo4BXkM= -go.opentelemetry.io/otel/sdk/metric v1.30.0/go.mod h1:waS6P3YqFNzeP01kuo/MBBYqaoBJl7efRQHOaydhy1Y= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= +go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= +go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= +go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.starlark.net v0.0.0-20240520160348-046347dcd104 h1:3qhteRISupnJvaWshOmeqEUs2y9oc/+/ePPvDh3Eygg= 
@@ -1082,10 +1082,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 
@@ -1105,8 +1105,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20160105164936-4f90aeace3a2/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 1f29518dc2472d3f904d07eb93778675a4bb2ea3 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 15 Oct 2024 08:42:49 -0500 Subject: [PATCH 253/523] feat(translator): client tls session resumption (#4293) * api: client tls session resumption Signed-off-by: Guy Daich * change api Signed-off-by: Guy Daich * add cel Signed-off-by: Guy Daich * implement tls session Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich * fix e2e Signed-off-by: Guy Daich * review fixes Signed-off-by: Guy Daich * rm sessionTimeout, use session container and shorter names Signed-off-by: Guy Daich * fix review comments Signed-off-by: Guy Daich * fix comment Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich Co-authored-by: zirain --- api/v1alpha1/tls_types.go | 41 ++ api/v1alpha1/zz_generated.deepcopy.go | 80 +++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 21 + internal/gatewayapi/clienttrafficpolicy.go | 9 + .../clienttrafficpolicy-tls-settings.in.yaml | 4 + .../clienttrafficpolicy-tls-settings.out.yaml | 6 + internal/ir/xds.go | 4 + internal/xds/translator/listener.go | 16 + .../tls-with-ciphers-versions-alpn.yaml | 2 + .../testdata/out/xds-ir/http3.listeners.yaml | 4 + .../jsonpatch-with-jsonpath.listeners.yaml | 2 + .../out/xds-ir/jsonpatch.listeners.yaml | 2 + .../listener-proxy-protocol.listeners.yaml | 2 + .../xds-ir/mixed-tls-jwt-authn.listeners.yaml | 2 + ...ultiple-listeners-same-port.listeners.yaml | 4 + ...ertificate-with-custom-data.listeners.yaml | 10 + ...-forward-client-certificate.listeners.yaml | 10 + ...client-certificate-disabled.listeners.yaml | 4 + .../out/xds-ir/mutual-tls.listeners.yaml | 4 + .../out/xds-ir/simple-tls.listeners.yaml | 2 + .../suppress-envoy-headers.listeners.yaml | 2 + .../tcp-route-tls-terminate.listeners.yaml | 4 + ...-with-ciphers-versions-alpn.listeners.yaml | 2 + site/content/en/latest/api/extension_types.md | 61 ++ .../latest/tasks/security/secure-gateways.md | 80 +++ site/content/zh/latest/api/extension_types.md | 61 ++ test/e2e/base/manifests.yaml | 546 +++++++++--------- test/e2e/testdata/client-mtls.yaml | 78 +++ test/e2e/tests/client_mtls.go | 170 ++++++ 29 files changed, 960 insertions(+), 273 deletions(-) diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go index 38c52761125..b926558c525 100644 --- a/api/v1alpha1/tls_types.go +++ b/api/v1alpha1/tls_types.go 
@@ -15,6 +15,10 @@ type ClientTLSSettings struct { // +optional ClientValidation *ClientValidationContext `json:"clientValidation,omitempty"` TLSSettings `json:",inline"` + + // Session defines settings related to TLS session management. + // +optional + Session *Session `json:"session,omitempty"` } // +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == '1.3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3" 
@@ -133,3 +137,40 @@ type ClientValidationContext struct { // +optional CACertificateRefs []gwapiv1.SecretObjectReference `json:"caCertificateRefs,omitempty"` } + +// Session defines settings related to TLS session management. +type Session struct { + // Resumption determines the proxy's supported TLS session resumption option. + // By default, Envoy Gateway does not enable session resumption. Use sessionResumption to + // enable stateful and stateless session resumption. Users should consider security impacts + // of different resumption methods. Performance gains from resumption are diminished when + // Envoy proxy is deployed with more than one replica. + // +optional + Resumption *SessionResumption `json:"resumption,omitempty"` +} + +// SessionResumption defines supported tls session resumption methods and their associated configuration. +type SessionResumption struct { + // Stateless defines setting for stateless (session-ticket based) session resumption + // +optional + Stateless *StatelessTLSSessionResumption `json:"stateless,omitempty"` + + // Stateful defines setting for stateful (session-id based) session resumption + // +optional + Stateful *StatefulTLSSessionResumption `json:"stateful,omitempty"` +} + +// StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. +// Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized +// between instances, possibly leading to resumption failures. +// Envoy does not re-validate client certificates upon session resumption. +// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions +type StatefulTLSSessionResumption struct{} + +// StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. 
+// Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not +// synchronized between instances, possibly leading to resumption failures. +// In-memory session ticket encryption keys are rotated every 48 hours. +// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys +// https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets +type StatelessTLSSessionResumption struct{} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index a72706c33bb..2ce5a5762ee 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -759,6 +759,11 @@ func (in *ClientTLSSettings) DeepCopyInto(out *ClientTLSSettings) { (*in).DeepCopyInto(*out) } in.TLSSettings.DeepCopyInto(&out.TLSSettings) + if in.Session != nil { + in, out := &in.Session, &out.Session + *out = new(Session) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientTLSSettings. 
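Review bot: The `Resumption` field comment tells users to "Use sessionResumption" to enable resumption, but the field added in this hunk is serialized as `resumption` under `session`, so the comment names something that does not exist in the API; it should read something like `// enable stateful and stateless session resumption via session.resumption.`. The caveat that Envoy does not re-validate client certificates on a resumed session appears only on `StatefulTLSSessionResumption`. As far as I know, the Envoy warning behind the linked page applies to resumption in general. If that holds, the same sentence belongs on `StatelessTLSSessionResumption`, because `ClientTLSSettings` carries `clientValidation` right next to `session`. "Users should consider security impacts" would also help more if it named them: skipped client-certificate re-validation and the 48-hour ticket key rotation mentioned further down.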
@@ -4947,6 +4952,51 @@ func (in *SecurityPolicySpec) DeepCopy() *SecurityPolicySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Session) DeepCopyInto(out *Session) { + *out = *in + if in.Resumption != nil { + in, out := &in.Resumption, &out.Resumption + *out = new(SessionResumption) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Session. +func (in *Session) DeepCopy() *Session { + if in == nil { + return nil + } + out := new(Session) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SessionResumption) DeepCopyInto(out *SessionResumption) { + *out = *in + if in.Stateless != nil { + in, out := &in.Stateless, &out.Stateless + *out = new(StatelessTLSSessionResumption) + **out = **in + } + if in.Stateful != nil { + in, out := &in.Stateful, &out.Stateful + *out = new(StatefulTLSSessionResumption) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionResumption. +func (in *SessionResumption) DeepCopy() *SessionResumption { + if in == nil { + return nil + } + out := new(SessionResumption) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ShutdownConfig) DeepCopyInto(out *ShutdownConfig) { *out = *in 
@@ -5037,6 +5087,36 @@ func (in *SourceMatch) DeepCopy() *SourceMatch { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatefulTLSSessionResumption) DeepCopyInto(out *StatefulTLSSessionResumption) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulTLSSessionResumption. +func (in *StatefulTLSSessionResumption) DeepCopy() *StatefulTLSSessionResumption { + if in == nil { + return nil + } + out := new(StatefulTLSSessionResumption) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatelessTLSSessionResumption) DeepCopyInto(out *StatelessTLSSessionResumption) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessTLSSessionResumption. +func (in *StatelessTLSSessionResumption) DeepCopy() *StatelessTLSSessionResumption { + if in == nil { + return nil + } + out := new(StatelessTLSSessionResumption) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StatusCodeMatch) DeepCopyInto(out *StatusCodeMatch) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 81f449b8860..582486e706f 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml 
@@ -808,6 +808,27 @@ spec: - "1.2" - "1.3" type: string + session: + description: Session defines settings related to TLS session management. + properties: + resumption: + description: |- + Resumption determines the proxy's supported TLS session resumption option. + By default, Envoy Gateway does not enable session resumption. Use sessionResumption to + enable stateful and stateless session resumption. Users should consider security impacts + of different resumption methods. Performance gains from resumption are diminished when + Envoy proxy is deployed with more than one replica. + properties: + stateful: + description: Stateful defines setting for stateful (session-id + based) session resumption + type: object + stateless: + description: Stateless defines setting for stateless (session-ticket + based) session resumption + type: object + type: object + type: object signatureAlgorithms: description: |- SignatureAlgorithms specifies which signature algorithms the listener should diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index 67cd60ad679..bded79d4cf9 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -864,6 +864,15 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli } } + if tlsParams.Session != nil && tlsParams.Session.Resumption != nil { + if tlsParams.Session.Resumption.Stateless != nil { + irTLSConfig.StatelessSessionResumption = true + } + if tlsParams.Session.Resumption.Stateful != nil { + irTLSConfig.StatefulSessionResumption = true + } + } + return irTLSConfig, nil } diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml index 59dc2819c7c..bc5878a52f0 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml 
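Review bot: In `buildListenerTLSParameters` (internal/gatewayapi/clienttrafficpolicy.go) the new block enables resumption from the mere presence of an empty `stateless: {}` or `stateful: {}` object, without looking at the rest of the listener's TLS settings. The API docs added in this same commit state that Envoy does not re-validate client certificates upon session resumption, so enabling resumption on a listener that also validates client certificates deserves at least a comment at this point. Something like `// NOTE: resumed sessions are not re-checked against client certificate validation; review before combining the two.` would do. Whether this function can see the client-validation settings is not visible here, because its body starts outside the hunk, so a translation-time warning may belong elsewhere.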
@@ -22,6 +22,10 @@ clientTrafficPolicies: signatureAlgorithms: - sig1 - sig2 + session: + resumption: + stateless: {} + stateful: {} gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index f66ef90810d..ed684f328b4 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml @@ -20,6 +20,10 @@ clientTrafficPolicies: - curve1 maxVersion: "1.3" minVersion: "1.0" + session: + resumption: + stateful: {} + stateless: {} signatureAlgorithms: - sig1 - sig2 @@ -174,6 +178,8 @@ xdsIR: signatureAlgorithms: - sig1 - sig2 + statefulSessionResumption: true + statelessSessionResumption: true - address: 0.0.0.0 hostnames: - '*' diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 53eb34fa2a6..49d6fdbf064 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -351,6 +351,10 @@ type TLSConfig struct { SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty" yaml:"signatureAlgorithms,omitempty"` // ALPNProtocols exposed by this listener ALPNProtocols []string `json:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty"` + // StatelessSessionResumption determines if stateless (session-ticket based) session resumption is enabled + StatelessSessionResumption bool `json:"statelessSessionResumption,omitempty" yaml:"statelessSessionResumption,omitempty"` + // StatefulSessionResumption determines if stateful (session-id based) session resumption is enabled + StatefulSessionResumption bool `json:"statefulSessionResumption,omitempty" yaml:"statefulSessionResumption,omitempty"` } // TLSCertificate holds a single certificate's details diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 9cc8e61f6ed..dda639f9f2f 100644 --- a/internal/xds/translator/listener.go 
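Review bot: The comments on the two new `TLSConfig` fields in internal/ir/xds.go do not say what the zero value does. Here `false` does not mean "leave Envoy's setting alone" but "emit an explicit disable flag", as `setDownstreamTLSSessionSettings` in listener.go and the regenerated listener fixtures in this commit show. I would extend each comment, e.g. `// StatefulSessionResumption enables stateful (session-id based) resumption; when false the listener is generated with it explicitly disabled.` If Envoy's stateful flag only applies to TLS 1.2 and earlier, as I believe its API docs say, that is worth stating in the comment too. The struct continues outside the hunk.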
+++ b/internal/xds/translator/listener.go @@ -624,6 +624,8 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.Transp } } + setDownstreamTLSSessionSettings(tlsConfig, tlsCtx.DownstreamTlsContext) + tlsCtxAny, err := anypb.New(tlsCtx) if err != nil { return nil, err @@ -664,6 +666,8 @@ func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSock } } + setDownstreamTLSSessionSettings(tlsConfig, tlsCtx) + tlsCtxAny, err := anypb.New(tlsCtx) if err != nil { return nil, err @@ -677,6 +681,18 @@ func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSock }, nil } +func setDownstreamTLSSessionSettings(tlsConfig *ir.TLSConfig, tlsCtx *tlsv3.DownstreamTlsContext) { + if !tlsConfig.StatefulSessionResumption { + tlsCtx.DisableStatefulSessionResumption = true + } + + if !tlsConfig.StatelessSessionResumption { + tlsCtx.SessionTicketKeysType = &tlsv3.DownstreamTlsContext_DisableStatelessSessionResumption{ + DisableStatelessSessionResumption: true, + } + } +} + func buildTLSParams(tlsConfig *ir.TLSConfig) *tlsv3.TlsParameters { p := &tlsv3.TlsParameters{} isEmpty := true diff --git a/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml b/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml index 03e161599b7..afcf3322715 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml @@ -30,6 +30,7 @@ http: minVersion: "1.0" alpnProtocols: - some-other-protocol + statefulSessionResumption: true certificates: - name: secret-1 # byte slice representation of "key-data" @@ -107,6 +108,7 @@ tcp: minVersion: "1.0" alpnProtocols: - some-other-protocol + statelessSessionResumption: true certificates: - name: secret-3 # byte slice representation of "key-data" 
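Review bot: `setDownstreamTLSSessionSettings` in internal/xds/translator/listener.go (the last of the three hunks; the first two only add its call sites) has no doc comment and assigns the `SessionTicketKeysType` oneof unconditionally when stateless resumption is off. Nothing visible sets ticket keys today, but any value placed in that oneof before the call would be replaced, so the comment should say the function owns the field: `// setDownstreamTLSSessionSettings disables stateful and stateless TLS session resumption unless the IR enables them; it overwrites tlsCtx.SessionTicketKeysType.` The function also dereferences `tlsConfig` and `tlsCtx` without a nil check, which is safe only if both callers guarantee non-nil values; the QUIC caller passes `tlsCtx.DownstreamTlsContext`, whose construction is outside the hunk. As a style point, the stateful branch reads more directly as `tlsCtx.DisableStatefulSessionResumption = !tlsConfig.StatefulSessionResumption`.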
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml index 56a11c58a99..49a651da85e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml @@ -47,6 +47,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: envoy-gateway/gateway-1/tls-quic udpListenerConfig: downstreamSocketConfig: {} @@ -96,5 +98,7 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: envoy-gateway/gateway-1/tls perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml index 6fe14b03f97..fb7bceafa22 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml @@ -59,5 +59,7 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml index 6fe14b03f97..fb7bceafa22 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml @@ -59,5 +59,7 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml index 89d57c725f0..210069d7019 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml @@ -50,6 +50,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true listenerFilters: - name: envoy.filters.listener.proxy_protocol typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml index b7967da1cc0..1426aeaa71f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml @@ -43,5 +43,7 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: first-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml index 1e62e5ca424..86002534182 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml @@ -74,6 +74,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true - filterChainMatch: serverNames: - foo.net @@ -117,6 +119,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true - filterChainMatch: serverNames: - bar.com 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml index baaca0e4fb6..7d177b2e092 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml @@ -52,6 +52,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: first-listener perConnectionBufferLimitBytes: 32768 @@ -110,6 +112,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: second-listener perConnectionBufferLimitBytes: 32768 @@ -170,6 +174,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: third-listener perConnectionBufferLimitBytes: 32768 @@ -232,6 +238,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: fourth-listener perConnectionBufferLimitBytes: 32768 @@ -296,6 +304,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: fifth-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml index a99d3fd3906..33262561948 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml @@ -52,6 +52,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: first-listener perConnectionBufferLimitBytes: 32768 @@ -110,6 +112,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: second-listener perConnectionBufferLimitBytes: 32768 @@ -168,6 +172,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: third-listener perConnectionBufferLimitBytes: 32768 @@ -226,6 +232,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: fourth-listener perConnectionBufferLimitBytes: 32768 @@ -284,6 +292,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: fifth-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index 28836be314c..e945b5d9221 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml 
@@ -52,6 +52,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: first-listener perConnectionBufferLimitBytes: 32768 @@ -85,6 +87,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: false name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index 490cfa0f9d9..fc572910c06 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -52,6 +52,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: true name: first-listener perConnectionBufferLimitBytes: 32768 @@ -85,6 +87,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true requireClientCertificate: true name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml index 54f30d4c445..3d65ed1a895 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml @@ -47,5 +47,7 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true name: first-listener perConnectionBufferLimitBytes: 32768 
diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml index bcc936863ca..4c624b8788f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml @@ -49,6 +49,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true listenerFilters: - name: envoy.filters.listener.tls_inspector typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index f27dc1b2123..10df3db202c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -23,6 +23,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true - filterChainMatch: serverNames: - '*.envoyproxy.io' @@ -47,6 +49,8 @@ sdsConfig: ads: {} resourceApiVersion: V3 + disableStatefulSessionResumption: true + disableStatelessSessionResumption: true listenerFilters: - name: envoy.filters.listener.tls_inspector typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml index dd12bc2b988..7eee7e167c0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml 
@@ -70,6 +70,7 @@ - rsa_pkcs1_sha1 tlsMaximumProtocolVersion: TLSv1_2 tlsMinimumProtocolVersion: TLSv1_0 + disableStatelessSessionResumption: true listenerFilters: - name: envoy.filters.listener.tls_inspector typedConfig: @@ -121,5 +122,6 @@ - rsa_pkcs1_sha1 tlsMaximumProtocolVersion: TLSv1_2 tlsMinimumProtocolVersion: TLSv1_0 + disableStatefulSessionResumption: true name: second-listener perConnectionBufferLimitBytes: 32768 diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 76adfb15735..956b3dbd228 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -610,6 +610,7 @@ _Appears in:_ | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | #### ClientTimeout @@ -3676,6 +3677,35 @@ _Appears in:_ | `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +#### Session + + + +Session defines settings related to TLS session management. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | + + +#### SessionResumption + + + +SessionResumption defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [Session](#session) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | + + #### ShutdownConfig @@ -3736,6 +3766,37 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatefulTLSSessionResumption + + + +StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized +between instances, possibly leading to resumption failures. +Envoy does not re-validate client certificates upon session resumption. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatelessTLSSessionResumption + + + +StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not +synchronized between instances, possibly leading to resumption failures. +In-memory session ticket encryption keys are rotated every 48 hours. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys +https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + #### StatusCodeMatch diff --git a/site/content/en/latest/tasks/security/secure-gateways.md b/site/content/en/latest/tasks/security/secure-gateways.md index f0e5c8c2697..2c8d5043812 100644 --- a/site/content/en/latest/tasks/security/secure-gateways.md +++ b/site/content/en/latest/tasks/security/secure-gateways.md 
@@ -512,8 +512,88 @@ Since the multiple certificates are configured on the same Gateway listener, Env {{% /tab %}} {{< /tabpane >}} +## Customize Gateway TLS Parameters + +In addition to enablement of TLS with Gateway-API, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [ClientTrafficPolicy][] resource can be used to specify TLS parameters. +We will customize the minimum supported TLS version in this example to TLSv1.3. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +## Testing TLS Parameters + +Attempt to connecting using an unsupported TLS version: + +```shell +curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \ +--cacert sample.com.crt --tlsv1.2 --tls-max 1.2 https://www.sample.com:8443/get -I + +[...] + +* ALPN: curl offers h2,http/1.1 +* (304) (OUT), TLS handshake, Client hello (1): +* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version +* Closing connection +curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version +``` + +The output shows that the connection fails due to an unsupported TLS protocol version used by the client. Now, connect +to the Gateway without specifying a client version, and note that the connection is established with TLSv1.3. + +```shell +curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \ +--cacert sample.com.crt https://www.sample.com:8443/get -I + +[...] + +* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF +``` + ## Next Steps Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. [ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ +[ClientTrafficPolicy]: ../../api/extension_types#clienttrafficpolicy \ No newline at end of file 
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 76adfb15735..956b3dbd228 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -610,6 +610,7 @@ _Appears in:_ | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | #### ClientTimeout @@ -3676,6 +3677,35 @@ _Appears in:_ | `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +#### Session + + + +Session defines settings related to TLS session management. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | + + +#### SessionResumption + + + +SessionResumption defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [Session](#session) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | + + #### ShutdownConfig @@ -3736,6 +3766,37 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatefulTLSSessionResumption + + + +StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized +between instances, possibly leading to resumption failures. +Envoy does not re-validate client certificates upon session resumption. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatelessTLSSessionResumption + + + +StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not +synchronized between instances, possibly leading to resumption failures. +In-memory session ticket encryption keys are rotated every 48 hours. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys +https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + #### StatusCodeMatch diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index 3bba21844a0..db9a265cba0 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -21,12 +21,12 @@ metadata: spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway 
@@ -36,12 +36,12 @@ metadata: spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" listeners: - - name: http - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: All + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All --- apiVersion: v1 kind: Service @@ -52,14 +52,14 @@ spec: selector: app: infra-backend-v1 ports: - - protocol: TCP - port: 8080 - name: http11 - targetPort: 3000 - - protocol: TCP - port: 8081 - name: http2 - targetPort: 3001 + - protocol: TCP + port: 8080 + name: http11 + targetPort: 3000 + - protocol: TCP + port: 8081 + name: http2 + targetPort: 3001 --- apiVersion: apps/v1 kind: Deployment @@ -79,23 +79,23 @@ spec: app: infra-backend-v1 spec: containers: - - name: infra-backend-v1 - # From https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/echo-basic/echo-basic.go - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: infra-backend-v1 - resources: - requests: - cpu: 10m + - name: infra-backend-v1 + # From https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/echo-basic/echo-basic.go + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: infra-backend-v1 + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Service @@ -106,9 +106,9 @@ spec: selector: app: infra-backend-v2 ports: - - protocol: TCP - port: 8080 - targetPort: 3000 + - protocol: TCP + port: 8080 + targetPort: 3000 --- apiVersion: apps/v1 kind: Deployment 
@@ -128,22 +128,22 @@ spec: app: infra-backend-v2 spec: containers: - - name: infra-backend-v2 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: infra-backend-v2 - resources: - requests: - cpu: 10m + - name: infra-backend-v2 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: infra-backend-v2 + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Service @@ -154,9 +154,9 @@ spec: selector: app: infra-backend-v3 ports: - - protocol: TCP - port: 8080 - targetPort: 3000 + - protocol: TCP + port: 8080 + targetPort: 3000 --- apiVersion: apps/v1 kind: Deployment @@ -176,22 +176,22 @@ spec: app: infra-backend-v3 spec: containers: - - name: infra-backend-v3 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: infra-backend-v3 - resources: - requests: - cpu: 10m + - name: infra-backend-v3 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: infra-backend-v3 + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Service 
@@ -202,9 +202,9 @@ spec: selector: app: tls-backend ports: - - protocol: TCP - port: 443 - targetPort: 8443 + - protocol: TCP + port: 443 + targetPort: 8443 --- apiVersion: apps/v1 kind: Deployment @@ -224,38 +224,38 @@ spec: app: tls-backend spec: containers: - - name: tls-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - volumeMounts: - - name: secret-volume - mountPath: /etc/secret-volume - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: tls-backend - - name: TLS_SERVER_CERT - value: /etc/secret-volume/crt - - name: TLS_SERVER_PRIVKEY - value: /etc/secret-volume/key - resources: - requests: - cpu: 10m + - name: tls-backend + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: tls-backend + - name: TLS_SERVER_CERT + value: /etc/secret-volume/crt + - name: TLS_SERVER_PRIVKEY + value: /etc/secret-volume/key + resources: + requests: + cpu: 10m volumes: - - name: secret-volume - secret: - secretName: tls-passthrough-checks-certificate - items: - - key: tls.crt - path: crt - - key: tls.key - path: key + - name: secret-volume + secret: + secretName: tls-passthrough-checks-certificate + items: + - key: tls.crt + path: crt + - key: tls.key + path: key --- apiVersion: v1 kind: Namespace @@ -273,9 +273,9 @@ spec: selector: app: app-backend-v1 ports: - - protocol: TCP - port: 8080 - targetPort: 3000 + - protocol: TCP + port: 8080 + targetPort: 3000 --- apiVersion: apps/v1 kind: Deployment 
@@ -295,22 +295,22 @@ spec: app: app-backend-v1 spec: containers: - - name: app-backend-v1 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: app-backend-v1 - resources: - requests: - cpu: 10m + - name: app-backend-v1 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: app-backend-v1 + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Service @@ -321,9 +321,9 @@ spec: selector: app: app-backend-v2 ports: - - protocol: TCP - port: 8080 - targetPort: 3000 + - protocol: TCP + port: 8080 + targetPort: 3000 --- apiVersion: apps/v1 kind: Deployment @@ -343,22 +343,22 @@ spec: app: app-backend-v2 spec: containers: - - name: app-backend-v2 - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: app-backend-v2 - resources: - requests: - cpu: 10m + - name: app-backend-v2 + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: app-backend-v2 + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Namespace @@ -376,9 +376,9 @@ spec: selector: app: web-backend ports: - - protocol: TCP - port: 8080 - targetPort: 3000 + - protocol: TCP + port: 8080 + targetPort: 3000 --- apiVersion: apps/v1 kind: Deployment 
@@ -398,22 +398,22 @@ spec: app: web-backend spec: containers: - - name: web-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: web-backend - resources: - requests: - cpu: 10m + - name: web-backend + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: web-backend + resources: + requests: + cpu: 10m --- apiVersion: v1 kind: Namespace 
@@ -427,55 +427,55 @@ metadata: namespace: gateway-preserve-case-backend data: go.mod: | - module srvr - go 1.22 - require ( - github.com/andybalholm/brotli v1.0.5 // indirect - github.com/klauspost/compress v1.17.0 // indirect - github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.51.0 // indirect - ) + module srvr + go 1.22 + require ( + github.com/andybalholm/brotli v1.0.5 // indirect + github.com/klauspost/compress v1.17.0 // indirect + github.com/valyala/bytebufferpool v1.0.0 // indirect + github.com/valyala/fasthttp v1.51.0 // indirect + ) go.sum: | - github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= - github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= - github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= - github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= - github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= - github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= - github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= - github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= + github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= + github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= + github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= + github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= + github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= + github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= + github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= + github.com/valyala/fasthttp 
v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= main.go: | - package main - import ( - "encoding/json" - "fmt" - "log" - "github.com/valyala/fasthttp" - ) - func HandleFastHTTP(ctx *fasthttp.RequestCtx) { - ctx.QueryArgs().VisitAll(func(key, value []byte) { - if string(key) == "headers" { - ctx.Response.Header.Add(string(value), "PrEsEnT") - } - }) - headers := map[string][]string{} - ctx.Request.Header.VisitAll(func(key, value []byte) { - headers[string(key)] = append(headers[string(key)], string(value)) - }) - if d, err := json.MarshalIndent(headers, "", " "); err != nil { - ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) - } else { - fmt.Fprintf(ctx, string(d)+"\n") - } - } - func main() { - s := fasthttp.Server{ - Handler: HandleFastHTTP, - DisableHeaderNamesNormalizing: true, - } - log.Printf("Starting on port 8000") - log.Fatal(s.ListenAndServe(":8000")) - } + package main + import ( + "encoding/json" + "fmt" + "log" + "github.com/valyala/fasthttp" + ) + func HandleFastHTTP(ctx *fasthttp.RequestCtx) { + ctx.QueryArgs().VisitAll(func(key, value []byte) { + if string(key) == "headers" { + ctx.Response.Header.Add(string(value), "PrEsEnT") + } + }) + headers := map[string][]string{} + ctx.Request.Header.VisitAll(func(key, value []byte) { + headers[string(key)] = append(headers[string(key)], string(value)) + }) + if d, err := json.MarshalIndent(headers, "", " "); err != nil { + ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) + } else { + fmt.Fprintf(ctx, string(d)+"\n") + } + } + func main() { + s := fasthttp.Server{ + Handler: HandleFastHTTP, + DisableHeaderNamesNormalizing: true, + } + log.Printf("Starting on port 8000") + log.Fatal(s.ListenAndServe(":8000")) + } --- apiVersion: apps/v1 kind: Deployment 
@@ -493,21 +493,21 @@ spec: app: golang-app spec: containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: go-server - mountPath: /app + - name: golang-app-container + command: + - sh + - "-c" + - "cp -a /app /app-live && cd /app-live && go run . " + image: golang:1.22.3-alpine + ports: + - containerPort: 8000 + volumeMounts: + - name: go-server + mountPath: /app volumes: - - name: go-server - configMap: - name: go-server + - name: go-server + configMap: + name: go-server --- apiVersion: v1 kind: Service @@ -518,9 +518,9 @@ spec: selector: app: golang-app ports: - - protocol: TCP - port: 8000 - targetPort: 8000 + - protocol: TCP + port: 8000 + targetPort: 8000 --- apiVersion: v1 data: @@ -579,9 +579,9 @@ spec: selector: app: tls-backend-2 ports: - - protocol: TCP - port: 443 - targetPort: 8443 + - protocol: TCP + port: 443 + targetPort: 8443 --- apiVersion: apps/v1 kind: Deployment 
@@ -601,38 +601,38 @@ spec: app: tls-backend-2 spec: containers: - - name: tls-backend - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e - volumeMounts: - - name: secret-volume - mountPath: /etc/secret-volume - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SERVICE_NAME - value: tls-backend-2 - - name: TLS_SERVER_CERT - value: /etc/secret-volume/crt - - name: TLS_SERVER_PRIVKEY - value: /etc/secret-volume/key - resources: - requests: - cpu: 10m + - name: tls-backend + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + volumeMounts: + - name: secret-volume + mountPath: /etc/secret-volume + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: tls-backend-2 + - name: TLS_SERVER_CERT + value: /etc/secret-volume/crt + - name: TLS_SERVER_PRIVKEY + value: /etc/secret-volume/key + resources: + requests: + cpu: 10m volumes: - - name: secret-volume - secret: - secretName: backend-tls-checks-certificate - items: - - key: tls.crt - path: crt - - key: tls.key - path: key + - name: secret-volume + secret: + secretName: backend-tls-checks-certificate + items: + - key: tls.crt + path: crt + - key: tls.key + path: key --- apiVersion: v1 data: @@ -657,12 +657,12 @@ spec: app: envoy-als type: LoadBalancer ports: - - name: grpc-als - protocol: TCP - appProtocol: grpc - port: 8080 - targetPort: 8080 - - name: http-monitoring - protocol: TCP - port: 19001 - targetPort: 19001 + - name: grpc-als + protocol: TCP + appProtocol: grpc + port: 8080 + targetPort: 8080 + - name: http-monitoring + protocol: TCP + port: 19001 + targetPort: 19001 diff --git a/test/e2e/testdata/client-mtls.yaml b/test/e2e/testdata/client-mtls.yaml index fc1a62f1ca4..a34a00f71d1 100644 
--- a/test/e2e/testdata/client-mtls.yaml +++ b/test/e2e/testdata/client-mtls.yaml @@ -17,6 +17,16 @@ metadata: spec: gatewayClassName: "{GATEWAY_CLASS_NAME}" listeners: + - name: tls-settings + port: 443 + protocol: HTTPS + hostname: tls-settings.example.com + tls: + certificateRefs: + - group: "" + kind: Secret + name: client-tls-settings-certificate + mode: Terminate - name: mtls port: 443 protocol: HTTPS @@ -69,3 +79,71 @@ spec: - kind: "Secret" group: "" name: "client-mtls-certificate" +--- +# openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt +# cat > openssl.conf < Date: Tue, 15 Oct 2024 12:11:18 -0700 Subject: [PATCH 254/523] build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#4442) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 18 +++++++++--------- .github/workflows/codeql.yml | 2 +- .github/workflows/docs.yaml | 4 ++-- .../workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 4 ++-- .github/workflows/license-scan.yml | 2 +- .github/workflows/release.yaml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/trivy.yml | 2 +- 9 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index dbbdbcd04ae..6870c1738d2 100644 
--- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` @@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,7 +48,7 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps # test @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries @@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries 
@@ -116,7 +116,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -143,7 +143,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +170,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 95262e597e5..7e911a0e584 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 57a8868ff7a..687c824ea41 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.event.pull_request.head.sha }} 
@@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 281bdbca9ae..4ca84797797 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 875e0a508e5..b280daacadc 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index ff3f8d31a02..2bbb36ce830 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml 
@@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 48de6eb9489..a794eb2a1f1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,7 +50,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Extract Release Tag and Commit SHA id: vars diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 88324734fb7..44331f3a595 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: persist-credentials: false diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 21c50d56902..5c598890a8f 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Build an image from Dockerfile run: | 
From 96f241df280bb897d79a9988e177d99a6d658aae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 12:22:47 -0700 Subject: [PATCH 255/523] build(deps): bump aquasecurity/trivy-action from 0.24.0 to 0.27.0 (#4443) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.24.0 to 0.27.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8...5681af892cd0f4997658e2bacc62bd0a894cf564) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 5c598890a8f..9e4a1460f8e 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -25,7 +25,7 @@ jobs: IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0 with: image-ref: envoy-proxy/gateway-dev:${{ github.sha }} exit-code: '1' From 3d7552a9e68ea494c2ee8f40f00dd4b188ac1316 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 12:23:14 -0700 Subject: [PATCH 256/523] build(deps): bump github/codeql-action from 3.26.11 to 3.26.12 (#4444) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.11 to 3.26.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea...c36620d31ac7c881962c3d9dd939c40ec9434f2b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7e911a0e584..0f4771a3f5e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 44331f3a595..5750a0ce3c7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 with: sarif_file: results.sarif From 172a73a1ebee1415715b51042757d9eef687b701 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 12:23:51 -0700 Subject: [PATCH 257/523] build(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 (#4441) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/50769540e7f4bd5e21e526ee35c689e35e0d6874...b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 2 +- .github/workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/scorecard.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 6870c1738d2..80992fc9d6d 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -74,7 +74,7 @@ jobs: run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64" - name: Upload EG Binaries - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: envoy-gateway path: bin/ diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 4ca84797797..931831b2bf1 100644 --- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -33,7 +33,7 @@ jobs: run: make experimental-conformance - name: Upload Conformance Report - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: conformance-report-k8s-${{ matrix.version }} path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index b280daacadc..a0ceb53e08d 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -46,7 +46,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: benchmark_report path: test/benchmark/benchmark_report.zip diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a794eb2a1f1..a95f411890d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -39,7 +39,7 @@ jobs: run: cd test/benchmark && zip -r benchmark_report.zip benchmark_report - name: Upload Benchmark Report - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: benchmark_report path: test/benchmark/benchmark_report.zip diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5750a0ce3c7..987f7c2b62d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -33,7 +33,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif From 8fc4ecba40b53a21a7854bd7e750c2ab48ef1e1b Mon Sep 17 00:00:00 2001 From: Isaac <10012479+jukie@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:59:07 -0600 Subject: [PATCH 258/523] feat: allow running EnvoyProxy as DaemonSet (#4429) * Update status when running in daemonset mode * Fix helm permissions and fully implement daemonset 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- charts/gateway-helm/templates/_rbac.tpl | 1 + internal/gatewayapi/status/gateway.go | 45 +++++++---- internal/provider/kubernetes/controller.go | 28 ++++++- internal/provider/kubernetes/kubernetes.go | 2 +- internal/provider/kubernetes/predicates.go | 63 +++++++++------ .../provider/kubernetes/predicates_test.go | 80 +++++++++++++------ internal/provider/kubernetes/status.go | 6 +- internal/provider/kubernetes/test/utils.go | 31 ++++++- .../certjen-custom-scheduling.out.yaml | 1 + .../control-plane-with-pdb.out.yaml | 1 + .../helm/gateway-helm/default-config.out.yaml | 1 + .../deployment-custom-topology.out.yaml | 1 + .../deployment-images-config.out.yaml | 1 + .../deployment-priorityclass.out.yaml | 1 + .../envoy-gateway-config.out.yaml | 1 + .../global-images-config.out.yaml | 1 + .../gateway-helm/service-annotations.out.yaml | 1 + 17 files changed, 189 insertions(+), 76 deletions(-) diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl index 27e90061b0c..52a5648818c 100644 --- a/charts/gateway-helm/templates/_rbac.tpl +++ b/charts/gateway-helm/templates/_rbac.tpl @@ -43,6 +43,7 @@ apiGroups: - apps resources: - deployments +- daemonsets verbs: - get - list diff --git a/internal/gatewayapi/status/gateway.go b/internal/gatewayapi/status/gateway.go index f891f8c40af..8bf822479d0 100644 --- a/internal/gatewayapi/status/gateway.go +++ b/internal/gatewayapi/status/gateway.go @@ -13,6 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) 
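Review bot: The added `- daemonsets` entry in charts/gateway-helm/templates/_rbac.tpl inherits every verb this rule already grants on `deployments`, and the hunk shows only `get` and `list`; the verb list continues outside it. If the rule also carries write verbs, the controller's service account gains them on DaemonSets wherever this template is bound, so confirm that this is intended. A comment next to the entry would record the reason for the grant, for example `# daemonsets: needed when EnvoyProxy runs as a DaemonSet`.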
@@ -30,8 +31,8 @@ func UpdateGatewayStatusAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) *g // UpdateGatewayStatusProgrammedCondition updates the status addresses for the provided gateway // based on the status IP/Hostname of svc and updates the Programmed condition based on the -// service and deployment state. -func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, deployment *appsv1.Deployment, nodeAddresses ...string) { +// service and deployment or daemonset state. +func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Service, envoyObj client.Object, nodeAddresses ...string) { var addresses, hostnames []string // Update the status addresses field. if svc != nil { @@ -98,7 +99,7 @@ func UpdateGatewayStatusProgrammedCondition(gw *gwapiv1.Gateway, svc *corev1.Ser } // Update the programmed condition. - updateGatewayProgrammedCondition(gw, deployment) + updateGatewayProgrammedCondition(gw, envoyObj) } func SetGatewayListenerStatusCondition(gateway *gwapiv1.Gateway, listenerStatusIdx int, 
@@ -132,13 +133,13 @@ func computeGatewayAcceptedCondition(gw *gwapiv1.Gateway, accepted bool) metav1. const ( messageAddressNotAssigned = "No addresses have been assigned to the Gateway" messageFmtTooManyAddresses = "Too many addresses (%d) have been assigned to the Gateway, the maximum number of addresses is 16" - messageNoResources = "Deployment replicas unavailable" - messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy Deployment replicas available" + messageNoResources = "Envoy replicas unavailable" + messageFmtProgrammed = "Address assigned to the Gateway, %d/%d envoy replicas available" ) // updateGatewayProgrammedCondition computes the Gateway Programmed status condition. -// Programmed condition surfaces true when the Envoy Deployment status is ready. -func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.Deployment) { +// Programmed condition surfaces true when the Envoy Deployment or DaemonSet status is ready. +func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, envoyObj client.Object) { if len(gw.Status.Addresses) == 0 { gw.Status.Conditions = MergeConditions(gw.Status.Conditions, newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonAddressNotAssigned), 
@@ -157,17 +158,27 @@ func updateGatewayProgrammedCondition(gw *gwapiv1.Gateway, deployment *appsv1.De return } - // If there are no available replicas for the Envoy Deployment, don't - // mark the Gateway as ready yet. - - if deployment == nil || deployment.Status.AvailableReplicas == 0 { - gw.Status.Conditions = MergeConditions(gw.Status.Conditions, - newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources), - messageNoResources, time.Now(), gw.Generation)) - return + // Check for available Envoy replicas and if found mark the gateway as ready. + switch obj := envoyObj.(type) { + case *appsv1.Deployment: + if obj != nil && obj.Status.AvailableReplicas > 0 { + gw.Status.Conditions = MergeConditions(gw.Status.Conditions, + newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed), + fmt.Sprintf(messageFmtProgrammed, obj.Status.AvailableReplicas, obj.Status.Replicas), time.Now(), gw.Generation)) + return + } + case *appsv1.DaemonSet: + if obj != nil && obj.Status.NumberAvailable > 0 { + gw.Status.Conditions = MergeConditions(gw.Status.Conditions, + newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed), + fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.CurrentNumberScheduled), time.Now(), gw.Generation)) + return + } } + // If there are no available replicas for the Envoy Deployment or + // Envoy DaemonSet, don't mark the Gateway as ready yet. 
gw.Status.Conditions = MergeConditions(gw.Status.Conditions, - newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionTrue, string(gwapiv1.GatewayConditionProgrammed), - fmt.Sprintf(messageFmtProgrammed, deployment.Status.AvailableReplicas, deployment.Status.Replicas), time.Now(), gw.Generation)) + newCondition(string(gwapiv1.GatewayConditionProgrammed), metav1.ConditionFalse, string(gwapiv1.GatewayReasonNoResources), + messageNoResources, time.Now(), gw.Generation)) } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index dac8f1780a8..915e6e5acd8 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -1386,13 +1386,13 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } // Watch Deployment CRUDs and process affected Gateways. - dPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{ + deploymentPredicates := []predicate.TypedPredicate[*appsv1.Deployment]{ predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { - return r.validateDeploymentForReconcile(deploy) + return r.validateObjectForReconcile(deploy) }), } if r.namespaceLabel != nil { - dPredicates = append(dPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { + deploymentPredicates = append(deploymentPredicates, predicate.NewTypedPredicateFuncs[*appsv1.Deployment](func(deploy *appsv1.Deployment) bool { return r.hasMatchingNamespaceLabels(deploy) })) } 
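Review bot: The DaemonSet case prints `obj.Status.NumberAvailable` against `obj.Status.CurrentNumberScheduled`, which counts nodes that already run a pod, so the message can read 2/2 while further nodes are still waiting for one. `obj.Status.DesiredNumberScheduled` is the closer counterpart to the Deployment total: `fmt.Sprintf(messageFmtProgrammed, obj.Status.NumberAvailable, obj.Status.DesiredNumberScheduled)`. The two cases also build the same condition and differ only in the two counters; reading the counters in the switch and calling `MergeConditions` once afterwards would remove the duplication.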
@@ -1401,7 +1401,27 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, deploy *appsv1.Deployment) []reconcile.Request { return r.enqueueClass(ctx, deploy) }), - dPredicates...)); err != nil { + deploymentPredicates...)); err != nil { + return err + } + + // Watch DaemonSet CRUDs and process affected Gateways. + daemonsetPredicates := []predicate.TypedPredicate[*appsv1.DaemonSet]{ + predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool { + return r.validateObjectForReconcile(daemonset) + }), + } + if r.namespaceLabel != nil { + daemonsetPredicates = append(daemonsetPredicates, predicate.NewTypedPredicateFuncs[*appsv1.DaemonSet](func(daemonset *appsv1.DaemonSet) bool { + return r.hasMatchingNamespaceLabels(daemonset) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &appsv1.DaemonSet{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, daemonset *appsv1.DaemonSet) []reconcile.Request { + return r.enqueueClass(ctx, daemonset) + }), + daemonsetPredicates...)); err != nil { return err } diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index b909eced608..ffef819ee07 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go @@ -107,7 +107,7 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) return nil, fmt.Errorf("unable to set up ready check: %w", err) } - // Emit elected & continue with deployment of infra resources + // Emit elected & continue with envoyObjects of infra resources go func() { <-mgr.Elected() close(svr.Elected) diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 9fb3fe86fd1..9c4d582b58b 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
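Review bot: `validateObjectForReconcile` is the first entry in `daemonsetPredicates`, and by its doc comment in predicates.go it updates Gateway status as a side effect and pushes no object for reconciliation, so the `hasMatchingNamespaceLabels` predicate appended after it looks like it cannot change the outcome. This mirrors the Deployment block above and may be intentional, in which case a comment would help: `// validateObjectForReconcile only refreshes Gateway status; it does not enqueue the DaemonSet.` If namespace-label filtering is meant to gate the status update, it should come first in the slice. `watchResources` starts and ends outside this hunk.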
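Review bot: The rewritten comment `// Emit elected & continue with envoyObjects of infra resources` no longer reads as a sentence; the original word described the act of deploying, not the Deployment kind, and appears to have been caught by a rename. I would restore `// Emit elected & continue with deployment of infra resources`. The same substitution shows up in predicates_test.go (`in case when a envoyObjects exists`) and status.go (`// Get envoyObjects`), where `an Envoy Deployment or DaemonSet` would read better.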
@@ -13,6 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/labels" @@ -439,21 +440,16 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) } -// validateDeploymentForReconcile tries finding the owning Gateway of the Deployment +// validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet // if it exists, finds the Gateway's Service, and further updates the Gateway -// status Ready condition. No Deployments are pushed for reconciliation. -func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object) bool { +// status Ready condition. No Deployments or DaemonSets are pushed for reconciliation. +func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) bool { ctx := context.Background() - deployment, ok := obj.(*appsv1.Deployment) - if !ok { - r.log.Info("unexpected object type, bypassing reconciliation", "object", obj) - return false - } - labels := deployment.GetLabels() + labels := obj.GetLabels() - // Only deployments in the configured namespace should be reconciled. - if deployment.Namespace == r.namespace { - // Check if the deployment belongs to a Gateway, if so, update the Gateway status. + // Only objects in the configured namespace should be reconciled. + if obj.GetNamespace() == r.namespace { + // Check if the obj belongs to a Gateway, if so, update the Gateway status. gtw := r.findOwningGateway(ctx, labels) if gtw != nil { r.updateStatusForGateway(ctx, gtw) 
@@ -471,27 +467,42 @@ func (r *gatewayAPIReconciler) validateDeploymentForReconcile(obj client.Object) return false } - // There is no need to reconcile the Deployment any further. + // There is no need to reconcile the object any further. return false } -// envoyDeploymentForGateway returns the Envoy Deployment, returning nil if the Deployment doesn't exist. -func (r *gatewayAPIReconciler) envoyDeploymentForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (*appsv1.Deployment, error) { - var deployments appsv1.DeploymentList - labelSelector := labels.SelectorFromSet(labels.Set(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName))))) - if err := r.client.List(ctx, &deployments, &client.ListOptions{ - LabelSelector: labelSelector, - Namespace: r.namespace, - }); err != nil { - if kerrors.IsNotFound(err) { +// envoyObjectForGateway returns the Envoy Deployment or DaemonSet, returning nil if neither exists. +func (r *gatewayAPIReconciler) envoyObjectForGateway(ctx context.Context, gateway *gwapiv1.Gateway) (client.Object, error) { + // Helper func to list and return the first object from results + listResource := func(list client.ObjectList) (client.Object, error) { + if err := r.client.List(ctx, list, &client.ListOptions{ + LabelSelector: labels.SelectorFromSet(gatewayapi.OwnerLabels(gateway, r.mergeGateways.Has(string(gateway.Spec.GatewayClassName)))), + Namespace: r.namespace, + }); err != nil { + if !kerrors.IsNotFound(err) { + return nil, err + } + } + items, err := meta.ExtractList(list) + if err != nil || len(items) == 0 { return nil, nil } - return nil, err + return items[0].(client.Object), nil } - if len(deployments.Items) == 0 { - return nil, nil + + // Check for Deployment + deployments := &appsv1.DeploymentList{} + if obj, err := listResource(deployments); obj != nil || err != nil { + return obj, err + } + + // Check for DaemonSet + daemonsets := &appsv1.DaemonSetList{} + if obj, err := listResource(daemonsets); 
obj != nil || err != nil { + return obj, err } - return &deployments.Items[0], nil + + return nil, nil } // envoyServiceForGateway returns the Envoy service, returning nil if the service doesn't exist. diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 61a09ffb8ae..ef8182ffdb9 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -525,7 +525,7 @@ func TestValidateServiceForReconcile(t *testing.T) { expect bool }{ { - name: "gateway service but deployment does not exist", + name: "gateway service but deployment or daemonset does not exist", configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, @@ -547,7 +547,22 @@ func TestValidateServiceForReconcile(t *testing.T) { gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", gatewayapi.OwningGatewayNamespaceLabel: "default", }, nil), - // Note that in case when a deployment exists, the Service is just processed for Gateway status + // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status + // updates and not reconciled further. + expect: false, + }, + { + name: "gateway service daemonset also exist", + configs: []client.Object{ + test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), + sampleGateway, + test.GetGatewayDaemonSet(types.NamespacedName{Name: proxy.ExpectedResourceHashedName("default/scheduled-status-test")}, nil), + }, + service: test.GetService(types.NamespacedName{Name: "service"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }, nil), + // Note that in case when a envoyObjects exists, the Service is just processed for Gateway status // updates and not reconciled further. expect: false, }, 
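Review bot: In the `listResource` helper of `envoyObjectForGateway`, an error from `meta.ExtractList` is folded into the empty case (`if err != nil || len(items) == 0 { return nil, nil }`), so a failure reaches the caller as "no Envoy object" and the Gateway is marked not programmed with nothing logged. Returning it keeps the two cases apart: `if err != nil { return nil, err }` followed by the length check. `items[0].(client.Object)` is an unchecked assertion; the two-value form with an error return avoids a panic if a list type whose items do not satisfy `client.Object` is ever passed in. When both a Deployment and a DaemonSet match the owner labels the Deployment is returned silently, which is worth stating in the doc comment.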
@@ -859,34 +874,39 @@ func TestValidateServiceForReconcile(t *testing.T) { } } -// TestValidateDeploymentForReconcile tests the validateDeploymentForReconcile +// TestValidateObjectForReconcile tests the validateObjectForReconcile // predicate function. -func TestValidateDeploymentForReconcile(t *testing.T) { +func TestValidateObjectForReconcile(t *testing.T) { sampleGateway := test.GetGateway(types.NamespacedName{Namespace: "default", Name: "scheduled-status-test"}, "test-gc", 8080) mergeGatewaysConfig := test.GetEnvoyProxy(types.NamespacedName{Namespace: "default", Name: "merge-gateways-config"}, true) testCases := []struct { - name string - configs []client.Object - deployment client.Object - expect bool + name string + configs []client.Object + envoyObjects []client.Object + expect bool }{ { - // No config should lead to a reconciliation of a Deployment object. The main - // purpose of the Deployment watcher is just for update Gateway object statuses. - name: "gateway deployment deployment also exist", + // No config should lead to a reconciliation of a Deployment or DaemonSet object. The main + // purpose of the watcher is just for updating Gateway object statuses. 
+ name: "gateway deployment or daemonset also exist", configs: []client.Object{ test.GetGatewayClass("test-gc", egv1a1.GatewayControllerName, nil), sampleGateway, - test.GetService(types.NamespacedName{Name: "deployment"}, map[string]string{ + test.GetService(types.NamespacedName{Name: "envoyObjects"}, map[string]string{ gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", gatewayapi.OwningGatewayNamespaceLabel: "default", }, nil), }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", - gatewayapi.OwningGatewayNamespaceLabel: "default", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }), test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayNameLabel: "scheduled-status-test", + gatewayapi.OwningGatewayNamespaceLabel: "default", + }), + }, expect: false, }, { @@ -900,9 +920,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) { }), mergeGatewaysConfig, }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayClassLabel: "test-mg", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + }, expect: false, }, { 
@@ -919,9 +944,14 @@ func TestValidateDeploymentForReconcile(t *testing.T) { test.GetGateway(types.NamespacedName{Name: "merged-gateway-2", Namespace: "default"}, "test-mg", 8082), test.GetGateway(types.NamespacedName{Name: "merged-gateway-3", Namespace: "default"}, "test-mg", 8083), }, - deployment: test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ - gatewayapi.OwningGatewayClassLabel: "test-mg", - }), + envoyObjects: []client.Object{ + test.GetGatewayDeployment(types.NamespacedName{Name: "deployment"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + test.GetGatewayDaemonSet(types.NamespacedName{Name: "daemonset"}, map[string]string{ + gatewayapi.OwningGatewayClassLabel: "test-mg", + }), + }, expect: false, }, } @@ -938,8 +968,10 @@ func TestValidateDeploymentForReconcile(t *testing.T) { for _, tc := range testCases { r.client = fakeclient.NewClientBuilder().WithScheme(envoygateway.GetScheme()).WithObjects(tc.configs...).Build() t.Run(tc.name, func(t *testing.T) { - res := r.validateDeploymentForReconcile(tc.deployment) - require.Equal(t, tc.expect, res) + for _, obj := range tc.envoyObjects { + res := r.validateObjectForReconcile(obj) + require.Equal(t, tc.expect, res) + } }) } } diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index c94ad2bc556..c3d5553b0bf 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -475,8 +475,8 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * return } - // Get deployment - deploy, err := r.envoyDeploymentForGateway(ctx, gtw) + // Get envoyObjects + envoyObj, err := r.envoyObjectForGateway(ctx, gtw) if err != nil { r.log.Info("failed to get Deployment for gateway", "namespace", gtw.Namespace, "name", gtw.Name) 
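Review bot: The log line after the new `envoyObjectForGateway` call in status.go still says `failed to get Deployment for gateway` and does not include `err`, so a DaemonSet lookup failure is both mislabelled and impossible to diagnose from the log. I would change it to `r.log.Info("failed to get Deployment or DaemonSet for gateway", "namespace", gtw.Namespace, "name", gtw.Name, "error", err)`. `updateStatusForGateway` continues outside this hunk.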
@@ -491,7 +491,7 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * // update accepted condition status.UpdateGatewayStatusAcceptedCondition(gtw, true) // update address field and programmed condition - status.UpdateGatewayStatusProgrammedCondition(gtw, svc, deploy, r.store.listNodeAddresses()...) + status.UpdateGatewayStatusProgrammedCondition(gtw, svc, envoyObj, r.store.listNodeAddresses()...) key := utils.NamespacedName(gtw) diff --git a/internal/provider/kubernetes/test/utils.go b/internal/provider/kubernetes/test/utils.go index 6fe50fa75bd..77bc50c5e6f 100644 --- a/internal/provider/kubernetes/test/utils.go +++ b/internal/provider/kubernetes/test/utils.go @@ -12,6 +12,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" @@ -271,7 +272,7 @@ func GetUDPRoute(nsName types.NamespacedName, parent string, serviceName types.N } // GetGatewayDeployment returns a sample Deployment for a Gateway object. -func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) *appsv1.Deployment { +func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) client.Object { return &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: nsName.Namespace, 
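Review bot: `GetGatewayDeployment` now returns `client.Object` instead of `*appsv1.Deployment`, and the new `GetGatewayDaemonSet` in the next hunk does the same, which hides the concrete type from callers that want to set fields such as `Status` on the sample object. A `*appsv1.Deployment` or `*appsv1.DaemonSet` can already be placed in a `[]client.Object` literal, so both helpers can return the concrete pointer, e.g. `func GetGatewayDaemonSet(nsName types.NamespacedName, labels map[string]string) *appsv1.DaemonSet`. The `client` import added to this file would then not be needed. The body of `GetGatewayDeployment` continues outside this hunk.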
@@ -298,6 +299,34 @@ func GetGatewayDeployment(nsName types.NamespacedName, labels map[string]string) } } +// GetGatewayDaemonSet returns a sample DaemonSet for a Gateway object. +func GetGatewayDaemonSet(nsName types.NamespacedName, labels map[string]string) client.Object { + return &appsv1.DaemonSet{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: nsName.Namespace, + Name: nsName.Name, + Labels: labels, + }, + Spec: appsv1.DaemonSetSpec{ + Selector: &metav1.LabelSelector{MatchLabels: labels}, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: labels, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{{ + Name: "dummy", + Image: "dummy", + Ports: []corev1.ContainerPort{{ + ContainerPort: 8080, + }}, + }}, + }, + }, + }, + } +} + // GetService returns a sample Service with labels and ports. func GetService(nsName types.NamespacedName, labels map[string]string, ports map[string]int32) *corev1.Service { service := &corev1.Service{ diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 096e1eb5561..8a1513469de 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 4c9a3d6cfdf..a71e46fe7bd 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -120,6 +120,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index c830348f012..140d271c6e7 100644 --- a/test/helm/gateway-helm/default-config.out.yaml 
+++ b/test/helm/gateway-helm/default-config.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index fd468b505f0..586b64b5584 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index aa5a36ff23d..10f849e1d77 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index d3648d443d9..4f735c42095 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index aa91dacecc8..04159958265 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -107,6 +107,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index e18eecd7bc7..f280fc9f218 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml 
@@ -109,6 +109,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 97f39cd0bea..ec50a16e30d 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -105,6 +105,7 @@ rules: - apps resources: - deployments + - daemonsets verbs: - get - list From 5880d6bc0ae65c923142605e87516bb4e46bc6a8 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Wed, 16 Oct 2024 10:46:01 +1100 Subject: [PATCH 259/523] feat: implement RequestTimeout in BackendTrafficPolicy (#4329) * feat: implement RequestTimeout in BackendTrafficPolicy Signed-off-by: Kensei Nakada * fix: the timeout on HTTPRoute overwrites the timeout on BTP Signed-off-by: Kensei Nakada * fix: regenerate from the latest api spec Signed-off-by: Kensei Nakada --------- Signed-off-by: Kensei Nakada --- api/v1alpha1/timeout_types.go | 5 ++++ api/v1alpha1/zz_generated.deepcopy.go | 5 ++++ ....envoyproxy.io_backendtrafficpolicies.yaml | 5 ++++ ....envoyproxy.io_envoyextensionpolicies.yaml | 5 ++++ .../gateway.envoyproxy.io_envoyproxies.yaml | 26 ++++++++++++++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 15 +++++++++++ internal/gatewayapi/clustersettings.go | 27 ++++++++++++------- .../backendtrafficpolicy-with-timeout.in.yaml | 4 +++ ...backendtrafficpolicy-with-timeout.out.yaml | 6 +++++ site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 11 files changed, 91 insertions(+), 9 deletions(-) diff --git a/api/v1alpha1/timeout_types.go b/api/v1alpha1/timeout_types.go index 36c0c320ed2..008582578d1 100644 --- a/api/v1alpha1/timeout_types.go +++ b/api/v1alpha1/timeout_types.go 
@@ -40,6 +40,11 @@ type HTTPTimeout struct { // // +optional MaxConnectionDuration *gwapiv1.Duration `json:"maxConnectionDuration,omitempty"` + + // RequestTimeout is the time until which entire response is received from the upstream. + // + // +optional + RequestTimeout *gwapiv1.Duration `json:"requestTimeout,omitempty" yaml:"requestTimeout,omitempty"` } type ClientTimeout struct { diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 2ce5a5762ee..a5e8dc183ff 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2845,6 +2845,11 @@ func (in *HTTPTimeout) DeepCopyInto(out *HTTPTimeout) { *out = new(apisv1.Duration) **out = **in } + if in.RequestTimeout != nil { + in, out := &in.RequestTimeout, &out.RequestTimeout + *out = new(apisv1.Duration) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPTimeout. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 7b13e2a123f..c0dce593804 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -1316,6 +1316,11 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until which entire + response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 867b8933c0c..6baa2842c0c 100644 
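Review bot: The doc comment on `RequestTimeout` does not say what an unset value means or how the field interacts with the HTTPRoute `timeouts.request` setting, although clustersettings.go in this commit lets the route value win. This text is copied into the CRDs and API docs, so I would spell it out, for example `// RequestTimeout is the maximum time to wait for the complete response from the upstream.` plus a line stating that the HTTPRoute request timeout takes precedence when both are set. The field also carries a `yaml:"requestTimeout,omitempty"` tag that `MaxConnectionDuration` just above it does not have; the struct should follow one convention.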
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -878,6 +878,11 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until which + entire response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 487f436ab81..5b0130f2736 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -11220,6 +11220,13 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is + the time until which entire + response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for @@ -12190,6 +12197,13 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is + the time until which entire + response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for @@ -13220,6 +13234,12 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time + until which entire response is received + from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. 
@@ -14195,6 +14215,12 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until + which entire response is received from the + upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 8c4debcef0a..ad2c81818c2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -1182,6 +1182,11 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until + which entire response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -2060,6 +2065,11 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until + which entire response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. @@ -3214,6 +3224,11 @@ spec: Default: unlimited. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string + requestTimeout: + description: RequestTimeout is the time until + which entire response is received from the upstream. + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string type: object tcp: description: Timeout settings for TCP. diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index cf8221d277d..742b026249e 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go 
@@ -81,11 +81,11 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur return ret, nil } -func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, traffic *ir.TrafficFeatures) (*ir.Timeout, error) { +func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, routeTrafficFeatures *ir.TrafficFeatures) (*ir.Timeout, error) { if policy.Timeout == nil { - if traffic != nil { + if routeTrafficFeatures != nil { // Don't lose any existing timeout definitions. - return mergeTimeoutSettings(nil, traffic.Timeout), nil + return mergeTimeoutSettings(nil, routeTrafficFeatures.Timeout), nil } return nil, nil } @@ -109,6 +109,7 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, traffic *ir.Traf if pto.HTTP != nil { var cit *metav1.Duration var mcd *metav1.Duration + var rt *metav1.Duration if pto.HTTP.ConnectionIdleTimeout != nil { d, err := time.ParseDuration(string(*pto.HTTP.ConnectionIdleTimeout)) 
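Review bot: The early return for `policy.Timeout == nil` still calls `mergeTimeoutSettings(nil, routeTrafficFeatures.Timeout)`, while the final merge in the later hunk was flipped to `mergeTimeoutSettings(routeTrafficFeatures.Timeout, to)`. `mergeTimeoutSettings` is not visible here, so this may be harmless when one side is nil, but the two calls now disagree on which argument is the route side; `mergeTimeoutSettings(routeTrafficFeatures.Timeout, nil)` would keep them consistent. A test case with a route `timeouts.request` and a BackendTrafficPolicy that has no `timeout` block would pin this path. `buildClusterSettingsTimeout` continues outside this hunk.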
@@ -128,19 +129,27 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, traffic *ir.Traf } } + if pto.HTTP.RequestTimeout != nil { + d, err := time.ParseDuration(string(*pto.HTTP.RequestTimeout)) + if err != nil { + errs = errors.Join(errs, fmt.Errorf("invalid RequestTimeout value %s", *pto.HTTP.RequestTimeout)) + } else { + rt = ptr.To(metav1.Duration{Duration: d}) + } + } + to.HTTP = &ir.HTTPTimeout{ ConnectionIdleTimeout: cit, MaxConnectionDuration: mcd, + RequestTimeout: rt, } } - // http request timeout is translated during the gateway-api route resource translation - // merge route timeout setting with backendtrafficpolicy timeout settings. - // Merging is done after the clustersettings definitions are translated so that - // clustersettings will override previous settings. - if traffic != nil { - to = mergeTimeoutSettings(to, traffic.Timeout) + // The timeout from route's TrafficFeatures takes precedence over the timeout in BTP + if routeTrafficFeatures != nil { + to = mergeTimeoutSettings(routeTrafficFeatures.Timeout, to) } + return to, errs } diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.in.yaml index ef8843f70c4..30a9a3133ab 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.in.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.in.yaml @@ -62,6 +62,8 @@ httpRoutes: backendRefs: - name: service-1 port: 8080 + timeouts: + request: 1s backendTrafficPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy @@ -79,6 +81,7 @@ backendTrafficPolicies: http: connectionIdleTimeout: 16s maxConnectionDuration: 17s + requestTimeout: 18s - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: @@ -95,3 +98,4 @@ backendTrafficPolicies: http: connectionIdleTimeout: 21s maxConnectionDuration: 22s + requestTimeout: 23s 
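Review bot: The new RequestTimeout branch in buildClusterSettingsTimeout accepts whatever `time.ParseDuration` can parse, so `0s` (which the CRD pattern also allows) is stored as a zero duration, and neither this code nor the field description says what zero or an unset value means. If a zero value is passed through unchanged to Envoy's route timeout, it disables the timeout rather than making it short, which matters for a setting that bounds how long an upstream can hold a request open. I would state this in the API doc comment, for example `// A value of 0s disables the request timeout.`, after confirming the xDS translation. The swapped call `mergeTimeoutSettings(routeTrafficFeatures.Timeout, to)` also deserves a comment naming which argument wins, since the nil-policy branch earlier in the function still calls `mergeTimeoutSettings(nil, routeTrafficFeatures.Timeout)`; the function starts outside this hunk.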
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml index 5213fc9d6a2..0fad514c5e8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml @@ -14,6 +14,7 @@ backendTrafficPolicies: http: connectionIdleTimeout: 21s maxConnectionDuration: 22s + requestTimeout: 23s tcp: connectTimeout: 20s status: @@ -46,6 +47,7 @@ backendTrafficPolicies: http: connectionIdleTimeout: 16s maxConnectionDuration: 17s + requestTimeout: 18s tcp: connectTimeout: 15s status: @@ -198,6 +200,8 @@ httpRoutes: matches: - path: value: / + timeouts: + request: 1s status: parents: - conditions: @@ -289,6 +293,7 @@ xdsIR: http: connectionIdleTimeout: 16s maxConnectionDuration: 17s + requestTimeout: 18s tcp: connectTimeout: 15s envoy-gateway/gateway-2: @@ -336,5 +341,6 @@ xdsIR: http: connectionIdleTimeout: 21s maxConnectionDuration: 22s + requestTimeout: 1s tcp: connectTimeout: 20s diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 956b3dbd228..60e92c2e019 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2071,6 +2071,7 @@ _Appears in:_ | --- | --- | --- | --- | | `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | | `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | #### HTTPURLRewriteFilter diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 956b3dbd228..60e92c2e019 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2071,6 +2071,7 @@ _Appears in:_ | --- | --- | --- | --- | | `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | | `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | #### HTTPURLRewriteFilter From 958df4899d826c03ecd3aafaea379289bba85f3a Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 16 Oct 2024 14:03:37 +0800 Subject: [PATCH 260/523] infra: use labels when deleting infra (#4430) --- api/v1alpha1/shared_types.go | 2 +- internal/infrastructure/kubernetes/infra.go | 2 + .../kubernetes/infra_resource.go | 43 ++++++++++++++++--- .../kubernetes/proxy/resource_provider.go | 5 +++ .../kubernetes/ratelimit/resource_provider.go | 5 +++ .../kubernetes/ratelimit_infra.go | 4 -- site/content/en/latest/api/extension_types.md | 2 +- site/content/zh/latest/api/extension_types.md | 2 +- 8 files changed, 51 insertions(+), 14 deletions(-) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 3f165cc6c2d..8e98b904e35 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -98,7 +98,7 @@ type KubernetesDeploymentSpec struct { // TODO: Expose config as use cases are better understood, e.g. labels. } -// KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. +// KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset resource. type KubernetesDaemonSetSpec struct { // Patch defines how to perform the patch operation to daemonset // diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go index fed1f17cbe7..3d9c3e7b14f 100644 --- a/internal/infrastructure/kubernetes/infra.go +++ b/internal/infrastructure/kubernetes/infra.go 
@@ -13,6 +13,7 @@ import ( autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" policyv1 "k8s.io/api/policy/v1" + "k8s.io/apimachinery/pkg/labels" "sigs.k8s.io/controller-runtime/pkg/client" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -29,6 +30,7 @@ var _ ResourceRender = &ratelimit.ResourceRender{} // based on Infra IR resources. type ResourceRender interface { Name() string + LabelSelector() labels.Selector ServiceAccount() (*corev1.ServiceAccount, error) Service() (*corev1.Service, error) ConfigMap() (*corev1.ConfigMap, error) diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index 9966f5ebdd4..04d0a2e0c1f 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go @@ -19,6 +19,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" "github.com/envoyproxy/gateway/internal/metrics" ) @@ -395,7 +396,11 @@ func (i *Infra) deleteServiceAccount(ctx context.Context, r ResourceRender) (err } }() - return i.Client.Delete(ctx, sa) + return i.Client.DeleteAllOf(ctx, sa, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deleteDeployment deletes the Envoy Deployment in the kube api server, if it exists. @@ -430,7 +435,11 @@ func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err err } }() - return i.Client.Delete(ctx, deployment) + return i.Client.DeleteAllOf(ctx, deployment, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deleteDaemonSet deletes the Envoy DaemonSet in the kube api server, if it exists. 
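Review bot: In infra_resource.go, deleteServiceAccount now calls `DeleteAllOf` bounded only by `r.LabelSelector()`, and nothing checks that the selector is non-empty before the collection delete runs; an empty `labels.Selector` matches every object of that kind. `ListOptions` also sets no `Namespace` in this patch (PATCH 262 later in this series adds `Namespace: ns`). I would refuse to delete on an empty selector, for example `if sel := r.LabelSelector(); sel == nil || sel.Empty() { return errors.New("refusing DeleteAllOf with an empty label selector") }`, ideally once in a shared helper. The same applies to the deleteDeployment hunk here and to deleteDaemonSet, deleteConfigMap, deleteService, deleteHPA and deletePDB in the following hunks; each function starts outside its hunk.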
@@ -465,7 +474,11 @@ func (i *Infra) deleteDaemonSet(ctx context.Context, r ResourceRender) (err erro } }() - return i.Client.Delete(ctx, daemonSet) + return i.Client.DeleteAllOf(ctx, daemonSet, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deleteConfigMap deletes the ConfigMap in the kube api server, if it exists. @@ -495,7 +508,11 @@ func (i *Infra) deleteConfigMap(ctx context.Context, r ResourceRender) (err erro } }() - return i.Client.Delete(ctx, cm) + return i.Client.DeleteAllOf(ctx, cm, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deleteService deletes the Service in the kube api server, if it exists. @@ -525,7 +542,11 @@ func (i *Infra) deleteService(ctx context.Context, r ResourceRender) (err error) } }() - return i.Client.Delete(ctx, svc) + return i.Client.DeleteAllOf(ctx, svc, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deleteHpa deletes the Horizontal Pod Autoscaler associated to its renderer, if it exists. @@ -560,7 +581,11 @@ func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { } }() - return i.Client.Delete(ctx, hpa) + return i.Client.DeleteAllOf(ctx, hpa, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } // deletePDB deletes the PodDistribution budget associated to its renderer, if it exists. @@ -595,5 +620,9 @@ func (i *Infra) deletePDB(ctx context.Context, r ResourceRender) (err error) { } }() - return i.Client.Delete(ctx, pdb) + return i.Client.DeleteAllOf(ctx, pdb, &client.DeleteAllOfOptions{ + ListOptions: client.ListOptions{ + LabelSelector: r.LabelSelector(), + }, + }) } diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 233afddce73..5411c29e1c6 100644 
--- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -15,6 +15,7 @@ import ( corev1 "k8s.io/api/core/v1" policyv1 "k8s.io/api/policy/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/ptr" @@ -46,6 +47,10 @@ func (r *ResourceRender) Name() string { return ExpectedResourceHashedName(r.infra.Name) } +func (r *ResourceRender) LabelSelector() labels.Selector { + return labels.SelectorFromSet(r.stableSelector().MatchLabels) +} + // ServiceAccount returns the expected proxy serviceAccount. func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) { // Set the labels based on the owning gateway name. diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go index 50c5c8bf7f2..3336d41eec2 100644 --- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go +++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go @@ -15,6 +15,7 @@ import ( corev1 "k8s.io/api/core/v1" policyv1 "k8s.io/api/policy/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/ptr" @@ -60,6 +61,10 @@ func (r *ResourceRender) Name() string { return InfraName } +func (r *ResourceRender) LabelSelector() labels.Selector { + return labels.SelectorFromSet(rateLimitLabels()) +} + func enablePrometheus(rl *egv1a1.RateLimit) bool { if rl != nil && rl.Telemetry != nil && diff --git a/internal/infrastructure/kubernetes/ratelimit_infra.go b/internal/infrastructure/kubernetes/ratelimit_infra.go index 514f86a1d9d..d4f5707538c 100644 --- a/internal/infrastructure/kubernetes/ratelimit_infra.go +++ b/internal/infrastructure/kubernetes/ratelimit_infra.go 
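Review bot: Both new `LabelSelector` methods (proxy and ratelimit resource_provider.go) are exported without a doc comment, although the neighbouring methods have one and this selector now decides which objects teardown deletes. Suggested for the proxy: `// LabelSelector returns the selector matching the resources owned by this proxy infra; deletion uses it, so it must never be empty.`, with the equivalent wording for ratelimit. `labels.SelectorFromSet` returns a match-everything selector for a nil or empty set, and `stableSelector()` and `rateLimitLabels()` are defined outside these hunks, so whether either can ever yield an empty set should be confirmed.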
@@ -52,10 +52,6 @@ func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error { // DeleteRateLimitInfra removes the managed kube infra, if it doesn't exist. func (i *Infra) DeleteRateLimitInfra(ctx context.Context) error { - if err := ratelimit.Validate(ctx, i.Client.Client, i.EnvoyGateway, i.Namespace); err != nil { - return err - } - // Delete ratelimit infra do not require the uid of owner reference. r := ratelimit.NewResourceRender(i.Namespace, i.EnvoyGateway, nil) return i.delete(ctx, r) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 60e92c2e019..ddc32a2021e 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2431,7 +2431,7 @@ _Appears in:_ -KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. +KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 60e92c2e019..ddc32a2021e 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2431,7 +2431,7 @@ _Appears in:_ -KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. +KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) From 70c7c34d34a3746f3fc6ab224361f6515480bf4a Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 17 Oct 2024 01:50:21 +0800 Subject: [PATCH 261/523] chore: set klog (#4455) * chore: set klog Signed-off-by: zirain * lint Signed-off-by: zirain --------- Signed-off-by: zirain --- go.mod | 2 +- internal/provider/kubernetes/kubernetes.go | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/go.mod b/go.mod index 1a235360cd7..482af942a9a 100644 --- a/go.mod +++ b/go.mod @@ -286,7 +286,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.1 // indirect - k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kustomize/api v0.17.2 // indirect diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index ffef819ee07..cca90a24a17 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go @@ -11,6 +11,7 @@ import ( "time" "k8s.io/client-go/rest" + "k8s.io/klog/v2" "k8s.io/utils/ptr" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/cache" @@ -47,6 +48,7 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) } log.SetLogger(mgrOpts.Logger) + klog.SetLogger(mgrOpts.Logger) if !ptr.Deref(svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { mgrOpts.LeaderElection = true From aab669dd99f0337afaaa7c22f7826d9ebd37cfeb Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 17 Oct 2024 10:46:42 +0800 Subject: [PATCH 262/523] infra: fix DeleteAllOf rbac (#4459) * infra: fix DeleteAllOf rbac Signed-off-by: zirain * fix more Signed-off-by: zirain --------- 
Signed-off-by: zirain --- charts/gateway-helm/templates/infra-manager-rbac.yaml | 4 ++++ internal/infrastructure/kubernetes/infra_resource.go | 7 +++++++ test/helm/gateway-helm/certjen-custom-scheduling.out.yaml | 4 ++++ test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 4 ++++ test/helm/gateway-helm/default-config.out.yaml | 4 ++++ test/helm/gateway-helm/deployment-custom-topology.out.yaml | 4 ++++ test/helm/gateway-helm/deployment-images-config.out.yaml | 4 ++++ test/helm/gateway-helm/deployment-priorityclass.out.yaml | 4 ++++ test/helm/gateway-helm/envoy-gateway-config.out.yaml | 4 ++++ test/helm/gateway-helm/global-images-config.out.yaml | 4 ++++ test/helm/gateway-helm/service-annotations.out.yaml | 4 ++++ 11 files changed, 47 insertions(+) diff --git a/charts/gateway-helm/templates/infra-manager-rbac.yaml b/charts/gateway-helm/templates/infra-manager-rbac.yaml index 02382bc271c..74c0ec6282e 100644 --- a/charts/gateway-helm/templates/infra-manager-rbac.yaml +++ b/charts/gateway-helm/templates/infra-manager-rbac.yaml @@ -11,10 +11,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -25,6 +27,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -36,6 +39,7 @@ rules: - create - get - delete + - deletecollection - patch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index 04d0a2e0c1f..16cd72b9545 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go @@ -398,6 +398,7 @@ func (i *Infra) deleteServiceAccount(ctx context.Context, r ResourceRender) (err return i.Client.DeleteAllOf(ctx, sa, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) 
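Review bot: `deletecollection` is added to all three rules in infra-manager-rbac.yaml with no comment explaining why, and Kubernetes RBAC cannot narrow that verb by `resourceNames` or by label, so within the binding's scope the controller may now delete every object of the listed kinds. The first hunk also adds `configmaps` to a rule that already lists create, get, delete and patch, so this role gains those verbs on ConfigMaps as well. I would record the reason next to the verb with a template comment such as `{{- /* deletecollection: required by client.DeleteAllOf in infra_resource.go; scope is limited only by namespace and label selector in code */}}`. It is also worth confirming that this is a namespaced Role rather than a ClusterRole, since the `kind` line is outside the hunks.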
@@ -437,6 +438,7 @@ func (i *Infra) deleteDeployment(ctx context.Context, r ResourceRender) (err err return i.Client.DeleteAllOf(ctx, deployment, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) @@ -476,6 +478,7 @@ func (i *Infra) deleteDaemonSet(ctx context.Context, r ResourceRender) (err erro return i.Client.DeleteAllOf(ctx, daemonSet, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) @@ -510,6 +513,7 @@ func (i *Infra) deleteConfigMap(ctx context.Context, r ResourceRender) (err erro return i.Client.DeleteAllOf(ctx, cm, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) @@ -544,6 +548,7 @@ func (i *Infra) deleteService(ctx context.Context, r ResourceRender) (err error) return i.Client.DeleteAllOf(ctx, svc, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) @@ -583,6 +588,7 @@ func (i *Infra) deleteHPA(ctx context.Context, r ResourceRender) (err error) { return i.Client.DeleteAllOf(ctx, hpa, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) @@ -622,6 +628,7 @@ func (i *Infra) deletePDB(ctx context.Context, r ResourceRender) (err error) { return i.Client.DeleteAllOf(ctx, pdb, &client.DeleteAllOfOptions{ ListOptions: client.ListOptions{ + Namespace: ns, LabelSelector: r.LabelSelector(), }, }) diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 8a1513469de..3746f12a18d 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
@@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index a71e46fe7bd..582fab0e8b9 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -219,10 +219,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -233,6 +235,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -244,6 +247,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 140d271c6e7..b4aac21b12c 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 586b64b5584..37f58022beb 100644 
--- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 10f849e1d77..8506b87b0ee 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 4f735c42095..3f82746416b 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml 
diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 04159958265..9a3f5b4846b 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -206,10 +206,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -220,6 +222,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -231,6 +234,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index f280fc9f218..38be258c7a3 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -208,10 +208,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -222,6 +224,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling @@ -233,6 +236,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index ec50a16e30d..532988e919e 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -204,10 +204,12 @@ rules: resources: - serviceaccounts - services + - configmaps verbs: - create - get - delete + - deletecollection - patch - apiGroups: - apps @@ -218,6 +220,7 @@ rules: - create - get - delete + - deletecollection - patch - apiGroups: - autoscaling 
@@ -229,6 +232,7 @@ rules: - create - get - delete + - deletecollection - patch --- # Source: gateway-helm/templates/leader-election-rbac.yaml From 29d7020b5628545b307335e40fc4464ac94df880 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 17 Oct 2024 17:19:09 -0700 Subject: [PATCH 263/523] feat: implement fallback for the Backend API (#4461) * feat: implement fallback for the Backend API Relates to https://github.com/envoyproxy/gateway/issues/3055 Signed-off-by: Arko Dasgupta * fix lint Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- api/v1alpha1/backend_types.go | 1 - internal/gatewayapi/route.go | 12 +- .../testdata/backend-with-fallback.in.yaml | 58 ++++++ .../testdata/backend-with-fallback.out.yaml | 180 ++++++++++++++++++ site/content/en/latest/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 6 files changed, 251 insertions(+), 2 deletions(-) create mode 100644 internal/gatewayapi/testdata/backend-with-fallback.in.yaml create mode 100644 internal/gatewayapi/testdata/backend-with-fallback.out.yaml diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go index a2022c2c5ef..bb407981af8 100644 --- a/api/v1alpha1/backend_types.go +++ b/api/v1alpha1/backend_types.go @@ -131,7 +131,6 @@ type BackendSpec struct { // the health of the active backends falls below 72%. // // +optional - // +notImplementedHide Fallback *bool `json:"fallback,omitempty"` } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 1239caadc91..f82158715a5 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -1291,6 +1291,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, resources, envoyProxy, ) + ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) } 
@@ -1672,9 +1673,18 @@ func (t *Translator) processBackendDestinationSetting(backendRef gwapiv1.Backend } } - return &ir.DestinationSetting{ + ds := &ir.DestinationSetting{ Protocol: dstProtocol, Endpoints: dstEndpoints, AddressType: dstAddrType, } + + if backend.Spec.Fallback != nil { + // set only the secondary priority, the backend defaults to a primary priority if unset. + if ptr.Deref(backend.Spec.Fallback, false) { + ds.Priority = ptr.To(uint32(1)) + } + } + + return ds } diff --git a/internal/gatewayapi/testdata/backend-with-fallback.in.yaml b/internal/gatewayapi/testdata/backend-with-fallback.in.yaml new file mode 100644 index 00000000000..667a75a6557 --- /dev/null +++ b/internal/gatewayapi/testdata/backend-with-fallback.in.yaml @@ -0,0 +1,58 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + rules: + - matches: + - path: + value: "/" + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + - group: gateway.envoyproxy.io + kind: Backend + name: backend-2 +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-1 + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-2 + namespace: default + spec: + fallback: true + endpoints: + - ip: + address: 2.2.2.2 + port: 3001 diff --git a/internal/gatewayapi/testdata/backend-with-fallback.out.yaml b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml new file mode 100644 index 00000000000..74bd61795fe 
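Review bot: The outer `if backend.Spec.Fallback != nil` in processBackendDestinationSetting is redundant, because `ptr.Deref(backend.Spec.Fallback, false)` already returns false for a nil pointer; the two conditions collapse to `if ptr.Deref(backend.Spec.Fallback, false) { ds.Priority = ptr.To(uint32(1)) }`. The literal `1` would read better as a named constant for the fallback priority. The added test data covers one primary and one fallback backend only, so a route whose backendRefs are all marked fallback (no priority-0 endpoints) is untested. The function starts outside this hunk.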
--- /dev/null +++ b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml 
@@ -0,0 +1,180 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-1 + namespace: default + spec: + endpoints: + - ip: + address: 1.1.1.1 + port: 3001 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-2 + namespace: default + spec: + endpoints: + - ip: + address: 2.2.2.2 + port: 3001 + fallback: true + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-1 + - group: 
gateway.envoyproxy.io + kind: Backend + name: backend-2 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + weight: 1 + - addressType: IP + endpoints: + - host: 2.2.2.2 + port: 3001 + priority: 1 + weight: 1 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/* + pathMatch: + distinct: false + name: "" + prefix: / diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index ddc32a2021e..8a54fb2d6c6 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -384,6 +384,7 @@ _Appears in:_ | --- | --- | --- | --- | | `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | | `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendStatus diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index ddc32a2021e..8a54fb2d6c6 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -384,6 +384,7 @@ _Appears in:_ | --- | --- | --- | --- | | `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | | `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendStatus From d371d0b4ae1a74917f0a59574b14656be981a0b9 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 18 Oct 2024 08:24:25 +0800 Subject: [PATCH 264/523] chore: bump go control plane to 0.13.1 (#4465) * bump go control plane to 0.13.1 Signed-off-by: Huabing Zhao * bump go control plane to 0.13.1 Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index c4a08fecafc..92af0438105 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -4,7 +4,7 @@ go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 - github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 + github.com/envoyproxy/go-control-plane v0.13.1 github.com/urfave/cli/v2 v2.27.4 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 7d995a60424..1df719e00af 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -11,8 +11,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 h1:bUMUmkPtm/z62/8WiVbxtqTK8I7AzXGYn+qB8JAzAXw= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= diff --git a/go.mod b/go.mod index 482af942a9a..ee7928f0a0a 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 - github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 + github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 diff --git a/go.sum b/go.sum index c5d453f9e0d..93ade68d710 100644 --- a/go.sum +++ b/go.sum 
@@ -222,8 +222,8 @@ github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568 h1:bUMUmkPtm/z62/8WiVbxtqTK8I7AzXGYn+qB8JAzAXw= -github.com/envoyproxy/go-control-plane v0.13.1-0.20240917224354-20d038a70568/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= From 7293b6c7f1f90906b55ead3b58e1a1a4222977e6 Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Fri, 18 Oct 2024 06:11:00 +0530 Subject: [PATCH 265/523] api: fix HeaderMatch list type to allow invert matches on same header (#4464) fix HeaderMatch list type to allow invert matches on same header Signed-off-by: Rudrakh Panigrahi --- api/v1alpha1/ratelimit_types.go | 9 --------- api/v1alpha1/zz_generated.deepcopy.go | 5 ----- ...way.envoyproxy.io_backendtrafficpolicies.yaml | 16 ---------------- 3 files changed, 30 deletions(-) diff --git a/api/v1alpha1/ratelimit_types.go b/api/v1alpha1/ratelimit_types.go index deb859400f8..d7a43751077 100644 --- a/api/v1alpha1/ratelimit_types.go +++ b/api/v1alpha1/ratelimit_types.go 
@@ -101,8 +101,6 @@ type RateLimitSelectCondition struct { // meaning, a request MUST match all the specified headers. // At least one of headers or sourceCIDR condition must be specified. // - // +listType=map - // +listMapKey=name // +optional // +kubebuilder:validation:MaxItems=16 Headers []HeaderMatch `json:"headers,omitempty"` @@ -138,13 +136,6 @@ type SourceMatch struct { // +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MaxLength=256 Value string `json:"value"` - - // Invert specifies whether the value match result will be inverted. - // - // +optional - // +kubebuilder:default=false - // +notImplementedHide - Invert *bool `json:"invert,omitempty"` } // HeaderMatch defines the match attributes within the HTTP Headers of the request. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index a5e8dc183ff..d6a4f9daf2f 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5075,11 +5075,6 @@ func (in *SourceMatch) DeepCopyInto(out *SourceMatch) { *out = new(SourceMatchType) **out = **in } - if in.Invert != nil { - in, out := &in.Invert, &out.Invert - *out = new(bool) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceMatch. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index c0dce593804..521ee8bcf46 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml 
@@ -727,19 +727,11 @@ spec: type: object maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map sourceCIDR: description: |- SourceCIDR is the client IP Address range to match on. At least one of headers or sourceCIDR condition must be specified. properties: - invert: - default: false - description: Invert specifies whether the - value match result will be inverted. - type: boolean type: default: Exact enum: @@ -870,19 +862,11 @@ spec: type: object maxItems: 16 type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map sourceCIDR: description: |- SourceCIDR is the client IP Address range to match on. At least one of headers or sourceCIDR condition must be specified. properties: - invert: - default: false - description: Invert specifies whether the - value match result will be inverted. - type: boolean type: default: Exact enum: From 5375cf0e045c12ec3f9205db0c81f76b2e678695 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 17 Oct 2024 18:39:40 -0700 Subject: [PATCH 266/523] api: direct response (#4334) * api: direct response Relates to https://github.com/envoyproxy/gateway/issues/2714 Signed-off-by: Arko Dasgupta --- api/v1alpha1/httproutefilter_types.go | 20 +++++++ api/v1alpha1/shared_types.go | 4 +- api/v1alpha1/zz_generated.deepcopy.go | 41 ++++++++++++- ....envoyproxy.io_backendtrafficpolicies.yaml | 2 - ...ateway.envoyproxy.io_httproutefilters.yaml | 60 +++++++++++++++++++ site/content/en/latest/api/extension_types.md | 20 ++++++- site/content/zh/latest/api/extension_types.md | 20 ++++++- 7 files changed, 161 insertions(+), 6 deletions(-) diff --git a/api/v1alpha1/httproutefilter_types.go b/api/v1alpha1/httproutefilter_types.go index 7f56ca07d7c..9ae8be59842 100644 --- a/api/v1alpha1/httproutefilter_types.go +++ b/api/v1alpha1/httproutefilter_types.go 
@@ -33,6 +33,8 @@ type HTTPRouteFilter struct { type HTTPRouteFilterSpec struct { // +optional URLRewrite *HTTPURLRewriteFilter `json:"urlRewrite,omitempty"` + // +optional + DirectResponse *HTTPDirectResponseFilter `json:"directResponse,omitempty"` } // HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host @@ -49,6 +51,24 @@ type HTTPURLRewriteFilter struct { Path *HTTPPathModifier `json:"path,omitempty"` } +// HTTPDirectResponseFilter defines the configuration to return a fixed response. +type HTTPDirectResponseFilter struct { + // Content Type of the response. This will be set in the Content-Type header. + // + // +optional + ContentType *string `json:"contentType,omitempty"` + + // Body of the Response + // + // +optional + Body *CustomResponseBody `json:"body,omitempty"` + + // Status Code of the HTTP response + // If unset, defaults to 200. + // +optional + StatusCode *int `json:"statusCode,omitempty"` +} + // HTTPPathModifierType defines the type of path redirect or rewrite. type HTTPPathModifierType string diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 8e98b904e35..fe795c833db 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -669,7 +669,9 @@ type CustomResponse struct { ContentType *string `json:"contentType,omitempty"` // Body of the Custom Response - Body CustomResponseBody `json:"body"` + // + // +optional + Body *CustomResponseBody `json:"body,omitempty"` } // ResponseValueType defines the types of values for the response body supported by Envoy Gateway. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index d6a4f9daf2f..696c99259fb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
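Review bot: The new `DirectResponse` field in `HTTPRouteFilterSpec` has no doc comment, and the generated API reference later in this patch shows an empty description for `directResponse`. A comment such as `// DirectResponse defines the configuration to return a fixed response.` above the field would fill that in. The spec also does not say what a filter with both `urlRewrite` and `directResponse` set means, and nothing visible here rejects that combination; if the two are meant to be exclusive, a CEL rule on the spec type would enforce it at admission.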
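Review bot: `StatusCode` in the new `HTTPDirectResponseFilter` is a bare `*int` with no range validation, and the generated CRD in this commit accordingly emits `type: integer` with no bounds. An out-of-range or negative value is therefore accepted at admission and can only be caught later, if at all. Adding `// +kubebuilder:validation:Minimum=200` and `// +kubebuilder:validation:Maximum=599` above the field would reject it early (the exact bounds should be confirmed against what the proxy accepts for a direct response). The comment promises a default of 200 but there is no `// +kubebuilder:default=200` marker, so that default has to be applied by translation code that is not part of this commit.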
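Review bot: Changing `CustomResponse.Body` from a required value to an optional `*CustomResponseBody` makes a response override with no body valid, but the field comment still reads only `// Body of the Custom Response` and does not say what is sent when it is nil. The comment should state the behaviour for an omitted body. Every reader of `Body` now needs a nil check before dereferencing it; the diffstat for this commit lists only api, CRD and docs files, so those call sites are not visible here and are worth confirming.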
@@ -1148,7 +1148,11 @@ func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { *out = new(string) **out = **in } - in.Body.DeepCopyInto(&out.Body) + if in.Body != nil { + in, out := &in.Body, &out.Body + *out = new(CustomResponseBody) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. @@ -2688,6 +2692,36 @@ func (in *HTTPClientTimeout) DeepCopy() *HTTPClientTimeout { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPDirectResponseFilter) DeepCopyInto(out *HTTPDirectResponseFilter) { + *out = *in + if in.ContentType != nil { + in, out := &in.ContentType, &out.ContentType + *out = new(string) + **out = **in + } + if in.Body != nil { + in, out := &in.Body, &out.Body + *out = new(CustomResponseBody) + (*in).DeepCopyInto(*out) + } + if in.StatusCode != nil { + in, out := &in.StatusCode, &out.StatusCode + *out = new(int) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPDirectResponseFilter. +func (in *HTTPDirectResponseFilter) DeepCopy() *HTTPDirectResponseFilter { + if in == nil { + return nil + } + out := new(HTTPDirectResponseFilter) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPExtAuthService) DeepCopyInto(out *HTTPExtAuthService) { *out = *in @@ -2820,6 +2854,11 @@ func (in *HTTPRouteFilterSpec) DeepCopyInto(out *HTTPRouteFilterSpec) { *out = new(HTTPURLRewriteFilter) (*in).DeepCopyInto(*out) } + if in.DirectResponse != nil { + in, out := &in.DirectResponse, &out.DirectResponse + *out = new(HTTPDirectResponseFilter) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteFilterSpec. 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 521ee8bcf46..7b2e937312d 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -1035,8 +1035,6 @@ spec: description: Content Type of the response. This will be set in the Content-Type header. type: string - required: - - body type: object required: - match diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 7a55ec8871f..8a75fec4211 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml 
@@ -49,6 +49,66 @@ spec: spec: description: Spec defines the desired state of HTTPRouteFilter. properties: + directResponse: + description: HTTPDirectResponseFilter defines the configuration to + return a fixed response. + properties: + body: + description: Body of the Response + properties: + inline: + description: Inline contains the value as an inline string. + type: string + type: + description: Type is the type of method to use to read the + body value. + enum: + - Inline + - ValueRef + type: string + valueRef: + description: |- + ValueRef contains the contents of the body + specified as a local object reference. + Only a reference to ConfigMap is supported. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + required: + - type + type: object + contentType: + description: Content Type of the response. This will be set in + the Content-Type header. + type: string + statusCode: + description: |- + Status Code of the HTTP response + If unset, defaults to 200. + type: integer + type: object urlRewrite: description: HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 8a54fb2d6c6..fe361099a84 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -866,7 +866,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Custom Response | #### CustomResponseBody @@ -877,6 +877,7 @@ CustomResponseBody _Appears in:_ - [CustomResponse](#customresponse) +- [HTTPDirectResponseFilter](#httpdirectresponsefilter) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1922,6 +1923,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +#### HTTPDirectResponseFilter + + + +HTTPDirectResponseFilter defines the configuration to return a fixed response. + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | +| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | + + #### HTTPExtAuthService @@ -2045,6 +2062,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | #### HTTPStatus diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 8a54fb2d6c6..fe361099a84 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -866,7 +866,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Custom Response | #### CustomResponseBody @@ -877,6 +877,7 @@ CustomResponseBody _Appears in:_ - [CustomResponse](#customresponse) +- [HTTPDirectResponseFilter](#httpdirectresponsefilter) | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1922,6 +1923,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +#### HTTPDirectResponseFilter + + + +HTTPDirectResponseFilter defines the configuration to return a fixed response. + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | +| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | + + #### HTTPExtAuthService @@ -2045,6 +2062,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | #### HTTPStatus From a351c4bb457dba62e4c5d39d76d2f3a6d135a0ae Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 18 Oct 2024 10:41:10 +0800 Subject: [PATCH 267/523] Use BackendCluster to represent OIDCProvider (#4227) * gateway api translation Signed-off-by: Huabing Zhao * gateway api translation Signed-off-by: Huabing Zhao * xds translation Signed-off-by: Huabing Zhao * add cel validation Signed-off-by: Huabing Zhao * add cel validation Signed-off-by: Huabing Zhao * CEL validation Signed-off-by: Huabing Zhao * add CEL validation Signed-off-by: Huabing Zhao * add retry trigger Signed-off-by: Huabing Zhao * refactory Signed-off-by: Huabing Zhao * fix gen Signed-off-by: Huabing Zhao * add e2e test for OIDC provider with BackendCluster Signed-off-by: Huabing Zhao * add dump Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * Update internal/gatewayapi/ext_service.go Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 3 +- ...ateway.envoyproxy.io_securitypolicies.yaml | 9 +- go.mod | 2 +- go.sum | 4 +- internal/gatewayapi/backendtrafficpolicy.go | 66 +---- internal/gatewayapi/clustersettings.go | 63 +++++ internal/gatewayapi/envoyextensionpolicy.go | 42 +-- internal/gatewayapi/ext_service.go | 53 +++- internal/gatewayapi/securitypolicy.go | 170 ++++++------ ...itypolicy-with-oidc-backendcluster.in.yaml | 101 +++++++ ...typolicy-with-oidc-backendcluster.out.yaml | 256 ++++++++++++++++++ internal/ir/xds.go | 9 + internal/ir/zz_generated.deepcopy.go | 27 +- internal/xds/translator/oidc.go | 188 +++++++++---- .../xds-ir/oidc-backend-cluster-provider.yaml | 60 ++++ .../oidc-backencluster-provider.clusters.yaml | 44 +++ ...oidc-backencluster-provider.endpoints.yaml | 12 + ...oidc-backencluster-provider.listeners.yaml | 83 ++++++ .../oidc-backencluster-provider.routes.yaml | 18 ++ .../oidc-backencluster-provider.secrets.yaml | 8 + ...idc-backend-cluster-provider.clusters.yaml | 44 +++ ...dc-backend-cluster-provider.endpoints.yaml | 12 + ...dc-backend-cluster-provider.listeners.yaml | 83 ++++++ .../oidc-backend-cluster-provider.routes.yaml | 18 ++ ...oidc-backend-cluster-provider.secrets.yaml | 8 + test/cel-validation/securitypolicy_test.go | 98 +++++++ .../oidc-securitypolicy-backendcluster.yaml | 86 ++++++ test/e2e/tests/oidc-backendcluster.go | 37 +++ test/e2e/tests/oidc.go | 192 ++++++------- 29 files changed, 1464 insertions(+), 332 deletions(-) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.secrets.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml create mode 100644 test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml create mode 100644 test/e2e/tests/oidc-backendcluster.go diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 73e1dea8c6e..78c32287cde 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go 
@@ -107,7 +107,8 @@ type OIDC struct { // OIDCProvider defines the OIDC Provider configuration. // +kubebuilder:validation:XValidation:rule="!has(self.backendRef)",message="BackendRefs must be used, backendRef is not supported." -// +kubebuilder:validation:XValidation:rule="has(self.backendRefs)? self.backendRefs.size() > 1 : true",message="Only one backendRefs is allowed." +// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? !has(self.backendSettings.retry.perRetry.timeout):true):true):true",message="Retry timeout is not supported." +// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true",message="HTTPStatusCodes is not supported." type OIDCProvider struct { // BackendRefs is used to specify the address of the OIDC Provider. // If the BackendRefs is not specified, The host and port of the OIDC Provider's token endpoint diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index ad2c81818c2..b6a040f8c42 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
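Review bot: The removed rule on `OIDCProvider` was the only visible limit on the number of `backendRefs`, and the new side drops it instead of correcting it (the old expression `self.backendRefs.size() > 1` looks inverted for its message "Only one backendRefs is allowed."). Unless the list is bounded elsewhere, the provider now accepts several backends, and each of them would presumably receive the requests sent to the provider's token endpoint. If a single provider address is still intended, keep the limit as `has(self.backendRefs)? self.backendRefs.size() == 1 : true`. Otherwise the type comment should say that multiple backends are supported and name the two retry fields (`perRetry.timeout`, `retryOn.httpStatusCodes`) that the new rules reject. The struct body continues outside the hunk.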
@@ -3261,9 +3261,12 @@ spec: x-kubernetes-validations: - message: BackendRefs must be used, backendRef is not supported. rule: '!has(self.backendRef)' - - message: Only one backendRefs is allowed. - rule: 'has(self.backendRefs)? self.backendRefs.size() > 1 : - true' + - message: Retry timeout is not supported. + rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? + !has(self.backendSettings.retry.perRetry.timeout):true):true):true + - message: HTTPStatusCodes is not supported. + rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? + !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true redirectURL: description: |- The redirect URL to be used in the OIDC diff --git a/go.mod b/go.mod index ee7928f0a0a..0b7c29eb542 100644 --- a/go.mod +++ b/go.mod @@ -159,7 +159,7 @@ require ( github.com/moby/patternmatcher v0.6.0 // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect - github.com/moby/sys/user v0.2.0 // indirect + github.com/moby/sys/user v0.3.0 // indirect github.com/moby/sys/userns v0.1.0 // indirect github.com/onsi/ginkgo v1.16.5 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect diff --git a/go.sum b/go.sum index 93ade68d710..5aa804824a4 100644 --- a/go.sum +++ b/go.sum 
@@ -601,8 +601,8 @@ github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9Kou github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= -github.com/moby/sys/user v0.2.0 h1:OnpapJsRp25vkhw8TFG6OLJODNh/3rEwRWtJ3kakwRM= -github.com/moby/sys/user v0.2.0/go.mod h1:RYstrcWOJpVh+6qzUqp2bU3eaRpdiQeKGlKitaH0PM8= +github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo= +github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 12453ea1826..b8f289a9df0 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -16,7 +16,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/utils/ptr" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -324,7 +323,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen errs = errors.Join(errs, err) } if policy.Spec.Retry != nil { - rt = t.buildRetry(policy) + rt = buildRetry(policy.Spec.Retry) } if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { err = perr.WithMessage(err, "Timeout") 
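Review bot: The `if policy.Spec.Retry != nil` guard around `rt = buildRetry(policy.Spec.Retry)` in `translateBackendTrafficPolicyForRoute` is now redundant, because the `buildRetry` this commit adds to clustersettings.go returns nil for a nil argument. The call can be reduced to the single line `rt = buildRetry(policy.Spec.Retry)`. The same applies to the identical guard in `translateBackendTrafficPolicyForGateway` (hunk at -460). Both function bodies start and end outside their hunks.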
@@ -460,7 +459,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back errs = errors.Join(errs, err) } if policy.Spec.Retry != nil { - rt = t.buildRetry(policy) + rt = buildRetry(policy.Spec.Retry) } if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { err = perr.WithMessage(err, "Timeout") @@ -812,67 +811,6 @@ func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *i return fi } -func (t *Translator) buildRetry(policy *egv1a1.BackendTrafficPolicy) *ir.Retry { - var rt *ir.Retry - if policy.Spec.Retry != nil { - prt := policy.Spec.Retry - rt = &ir.Retry{} - - if prt.NumRetries != nil { - rt.NumRetries = ptr.To(uint32(*prt.NumRetries)) - } - - if prt.RetryOn != nil { - ro := &ir.RetryOn{} - bro := false - if prt.RetryOn.HTTPStatusCodes != nil { - ro.HTTPStatusCodes = makeIrStatusSet(prt.RetryOn.HTTPStatusCodes) - bro = true - } - - if prt.RetryOn.Triggers != nil { - ro.Triggers = makeIrTriggerSet(prt.RetryOn.Triggers) - bro = true - } - - if bro { - rt.RetryOn = ro - } - } - - if prt.PerRetry != nil { - pr := &ir.PerRetryPolicy{} - bpr := false - - if prt.PerRetry.Timeout != nil { - pr.Timeout = prt.PerRetry.Timeout - bpr = true - } - - if prt.PerRetry.BackOff != nil { - if prt.PerRetry.BackOff.MaxInterval != nil || prt.PerRetry.BackOff.BaseInterval != nil { - bop := &ir.BackOffPolicy{} - if prt.PerRetry.BackOff.MaxInterval != nil { - bop.MaxInterval = prt.PerRetry.BackOff.MaxInterval - } - - if prt.PerRetry.BackOff.BaseInterval != nil { - bop.BaseInterval = prt.PerRetry.BackOff.BaseInterval - } - pr.BackOff = bop - bpr = true - } - } - - if bpr { - rt.PerRetry = pr - } - } - } - - return rt -} - func makeIrStatusSet(in []egv1a1.HTTPStatus) []ir.HTTPStatus { statusSet := sets.NewInt() for _, r := range in { diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 742b026249e..260c1db84d3 100644 
--- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -71,6 +71,8 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur ret.HTTP2 = h2 } + ret.Retry = buildRetry(policy.Retry) + // If nothing was set in any of the above calls, return nil instead of an empty // container var empty ir.TrafficFeatures @@ -507,3 +509,64 @@ func translateDNS(policy egv1a1.ClusterSettings) *ir.DNS { DNSRefreshRate: policy.DNS.DNSRefreshRate, } } + +func buildRetry(r *egv1a1.Retry) *ir.Retry { + if r == nil { + return nil + } + + rt := &ir.Retry{} + + if r.NumRetries != nil { + rt.NumRetries = ptr.To(uint32(*r.NumRetries)) + } + + if r.RetryOn != nil { + ro := &ir.RetryOn{} + bro := false + if r.RetryOn.HTTPStatusCodes != nil { + ro.HTTPStatusCodes = makeIrStatusSet(r.RetryOn.HTTPStatusCodes) + bro = true + } + + if r.RetryOn.Triggers != nil { + ro.Triggers = makeIrTriggerSet(r.RetryOn.Triggers) + bro = true + } + + if bro { + rt.RetryOn = ro + } + } + + if r.PerRetry != nil { + pr := &ir.PerRetryPolicy{} + bpr := false + + if r.PerRetry.Timeout != nil { + pr.Timeout = r.PerRetry.Timeout + bpr = true + } + + if r.PerRetry.BackOff != nil { + if r.PerRetry.BackOff.MaxInterval != nil || r.PerRetry.BackOff.BaseInterval != nil { + bop := &ir.BackOffPolicy{} + if r.PerRetry.BackOff.MaxInterval != nil { + bop.MaxInterval = r.PerRetry.BackOff.MaxInterval + } + + if r.PerRetry.BackOff.BaseInterval != nil { + bop.BaseInterval = r.PerRetry.BackOff.BaseInterval + } + pr.BackOff = bop + bpr = true + } + } + + if bpr { + rt.PerRetry = pr + } + } + + return rt +} diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 47394587529..5e61f2eb3aa 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
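Review bot: `rt.NumRetries = ptr.To(uint32(*r.NumRetries))` in buildRetry converts without a range check. The source field's type is not visible in this hunk, but if it is a signed integer, a negative value wraps to a very large retry count. Either reject negative values here or confirm that the CRD schema enforces a minimum of 0. buildRetry is now shared by BackendTrafficPolicy and every ClusterSettings consumer, so it also needs a doc comment, e.g. `// buildRetry translates an API Retry into its IR form; it returns nil when r is nil.` The `if policy.Spec.Retry != nil` guards kept at the two BackendTrafficPolicy call sites are now redundant with that nil check.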
@@ -411,7 +411,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource for idx, ep := range policy.Spec.ExtProc { name := irConfigNameForExtProc(policy, idx) - extProcIR, err := t.buildExtProc(name, utils.NamespacedName(policy), ep, idx, resources, envoyProxy) + extProcIR, err := t.buildExtProc(name, policy, ep, idx, resources, envoyProxy) if err != nil { return nil, err } 
@@ -422,59 +422,33 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource func (t *Translator) buildExtProc( name string, - policyNamespacedName types.NamespacedName, + policy *egv1a1.EnvoyExtensionPolicy, extProc egv1a1.ExtProc, extProcIdx int, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.ExtProc, error) { var ( - ds *ir.DestinationSetting + rd *ir.RouteDestination authority string err error ) - var dsl []*ir.DestinationSetting - for i := range extProc.BackendRefs { - if err = t.validateExtServiceBackendReference( - &extProc.BackendRefs[i].BackendObjectReference, - policyNamespacedName.Namespace, - egv1a1.KindEnvoyExtensionPolicy, - resources); err != nil { - return nil, err - } - - ds, err = t.processExtServiceDestination( - &extProc.BackendRefs[i], - policyNamespacedName, - egv1a1.KindEnvoyExtensionPolicy, - ir.GRPC, - resources, - envoyProxy, - ) - if err != nil { - return nil, err - } - - dsl = append(dsl, ds) - } - - rd := ir.RouteDestination{ - Name: irIndexedExtServiceDestinationName(policyNamespacedName, egv1a1.KindEnvoyExtensionPolicy, extProcIdx), - Settings: dsl, + if rd, err = t.translateExtServiceBackendRefs(policy, extProc.BackendRefs, ir.GRPC, resources, envoyProxy, extProcIdx); err != nil { + return nil, err } if extProc.BackendRefs[0].Port != nil { authority = fmt.Sprintf( "%s.%s:%d", extProc.BackendRefs[0].Name, - NamespaceDerefOr(extProc.BackendRefs[0].Namespace, policyNamespacedName.Namespace), + NamespaceDerefOr(extProc.BackendRefs[0].Namespace, policy.Namespace), *extProc.BackendRefs[0].Port) } else { authority = fmt.Sprintf( "%s.%s", extProc.BackendRefs[0].Name, - NamespaceDerefOr(extProc.BackendRefs[0].Namespace, policyNamespacedName.Namespace)) + NamespaceDerefOr(extProc.BackendRefs[0].Namespace, policy.Namespace)) } traffic, err := translateTrafficFeatures(extProc.BackendCluster.BackendSettings) 
@@ -484,7 +458,7 @@ func (t *Translator) buildExtProc( extProcIR := &ir.ExtProc{ Name: name, - Destination: rd, + Destination: *rd, Traffic: traffic, Authority: authority, } diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index 7e13b101011..e7ab19036ee 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go 
@@ -12,15 +12,66 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils" ) -// TODO: zhaohuabing combine this function with the one in the route translator +// translateExtServiceBackendRefs translates external service backend references to route destinations. +func (t *Translator) translateExtServiceBackendRefs( + policy client.Object, + backendRefs []egv1a1.BackendRef, + protocol ir.AppProtocol, + resources *resource.Resources, + envoyProxy *egv1a1.EnvoyProxy, + index int, // index is used to differentiate between multiple external services in the same policy +) (*ir.RouteDestination, error) { + var ( + rs *ir.RouteDestination + ds []*ir.DestinationSetting + err error + ) + + if len(backendRefs) == 0 { + return nil, errors.New("no backendRefs found for external service") + } + + pnn := utils.NamespacedName(policy) + for _, backendRef := range backendRefs { + if err = t.validateExtServiceBackendReference( + &backendRef.BackendObjectReference, + policy.GetNamespace(), + policy.GetObjectKind().GroupVersionKind().Kind, + resources); err != nil { + return nil, err + } + + var extServiceDest *ir.DestinationSetting + if extServiceDest, err = t.processExtServiceDestination( + &backendRef, + pnn, + policy.GetObjectKind().GroupVersionKind().Kind, + protocol, + resources, + envoyProxy, + ); err != nil { + return nil, err + } + ds = append(ds, extServiceDest) + } + + rs = &ir.RouteDestination{ + Name: irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, index), + Settings: ds, + } + return rs, nil +} + func (t *Translator) processExtServiceDestination( backendRef *egv1a1.BackendRef, 
policyNamespacedName types.NamespacedName, diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 2ab9670d501..c9289bbcfb3 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -329,7 +329,6 @@ func (t *Translator) translateSecurityPolicyForRoute( var ( cors *ir.CORS jwt *ir.JWT - oidc *ir.OIDC basicAuth *ir.BasicAuth authorization *ir.Authorization err, errs error @@ -343,15 +342,6 @@ func (t *Translator) translateSecurityPolicyForRoute( jwt = t.buildJWT(policy.Spec.JWT) } - if policy.Spec.OIDC != nil { - if oidc, err = t.buildOIDC( - policy, - resources); err != nil { - err = perr.WithMessage(err, "OIDC") - errs = errors.Join(errs, err) - } - } - if policy.Spec.BasicAuth != nil { if basicAuth, err = t.buildBasicAuth( policy, @@ -388,6 +378,18 @@ func (t *Translator) translateSecurityPolicyForRoute( errs = errors.Join(errs, err) } } + + var oidc *ir.OIDC + if policy.Spec.OIDC != nil { + if oidc, err = t.buildOIDC( + policy, + resources, + gtwCtx.envoyProxy); err != nil { + err = perr.WithMessage(err, "OIDC") + errs = errors.Join(errs, err) + } + } + irKey := t.getIRKey(gtwCtx.Gateway) for _, listener := range parentRefCtx.listeners { irListener := xdsIR[irKey].GetHTTPListener(irListenerName(listener)) @@ -445,7 +447,8 @@ func (t *Translator) translateSecurityPolicyForGateway( if policy.Spec.OIDC != nil { if oidc, err = t.buildOIDC( policy, - resources); err != nil { + resources, + gateway.envoyProxy); err != nil { err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } 
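Review bot: translateExtServiceBackendRefs reads the kind from `policy.GetObjectKind().GroupVersionKind().Kind` in three places, where the callers it replaces passed constants (`egv1a1.KindEnvoyExtensionPolicy`, `resource.KindSecurityPolicy`). Objects decoded through typed clients often carry an empty TypeMeta. If that can happen for these policies, an empty kind would reach validateExtServiceBackendReference, which appears to perform the cross-namespace reference check, and would also end up in the destination name. Read it once, `kind := policy.GetObjectKind().GroupVersionKind().Kind`, and return an error when it is empty, or take the kind as a parameter. The loop also passes `&backendRef` of the range variable to processExtServiceDestination, so on Go versions before 1.22 confirm the callee does not retain that pointer.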
@@ -566,19 +569,30 @@ func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT { func (t *Translator) buildOIDC( policy *egv1a1.SecurityPolicy, resources *resource.Resources, + envoyProxy *egv1a1.EnvoyProxy, ) (*ir.OIDC, error) { var ( - oidc = policy.Spec.OIDC - clientSecret *corev1.Secret - provider *ir.OIDCProvider - err error + oidc = policy.Spec.OIDC + provider *ir.OIDCProvider + clientSecret *corev1.Secret + redirectURL = defaultRedirectURL + redirectPath = defaultRedirectPath + logoutPath = defaultLogoutPath + forwardAccessToken = defaultForwardAccessToken + refreshToken = defaultRefreshToken + err error ) + if provider, err = t.buildOIDCProvider(policy, resources, envoyProxy); err != nil { + return nil, err + } + from := crossNamespaceFrom{ group: egv1a1.GroupName, kind: resource.KindSecurityPolicy, namespace: policy.Namespace, } + if clientSecret, err = t.validateSecretRef( false, from, oidc.ClientSecret, resources); err != nil { return nil, err @@ -591,25 +605,8 @@ func (t *Translator) buildOIDC( clientSecret.Namespace, clientSecret.Name) } - // Discover the token and authorization endpoints from the issuer's - // well-known url if not explicitly specified - if provider, err = discoverEndpointsFromIssuer(&oidc.Provider); err != nil { - return nil, err - } - - if err = validateTokenEndpoint(provider.TokenEndpoint); err != nil { - return nil, err - } scopes := appendOpenidScopeIfNotExist(oidc.Scopes) - var ( - redirectURL = defaultRedirectURL - redirectPath = defaultRedirectPath - logoutPath = defaultLogoutPath - forwardAccessToken = defaultForwardAccessToken - refreshToken = defaultRefreshToken - ) - if oidc.RedirectURL != nil { path, err := extractRedirectPath(*oidc.RedirectURL) if err != nil { 
@@ -668,6 +665,62 @@ func (t *Translator) buildOIDC( }, nil } +func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.OIDCProvider, error) { + var ( + provider = policy.Spec.OIDC.Provider + tokenEndpoint string + authorizationEndpoint string + protocol ir.AppProtocol + rd *ir.RouteDestination + traffic *ir.TrafficFeatures + err error + ) + + // Discover the token and authorization endpoints from the issuer's + // well-known url if not explicitly specified + if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil { + tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer) + if err != nil { + return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err) + } + } else { + tokenEndpoint = *provider.TokenEndpoint + authorizationEndpoint = *provider.AuthorizationEndpoint + } + + if err = validateTokenEndpoint(tokenEndpoint); err != nil { + return nil, err + } + + u, err := url.Parse(tokenEndpoint) + if err != nil { + return nil, err + } + + if u.Scheme == "https" { + protocol = ir.HTTPS + } else { + protocol = ir.HTTP + } + + if len(provider.BackendRefs) > 0 { + if rd, err = t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, resources, envoyProxy, 0); err != nil { + return nil, err + } + } + + if traffic, err = translateTrafficFeatures(provider.BackendSettings); err != nil { + return nil, err + } + + return &ir.OIDCProvider{ + Destination: rd, + Traffic: traffic, + AuthorizationEndpoint: authorizationEndpoint, + TokenEndpoint: tokenEndpoint, + }, nil +} + func extractRedirectPath(redirectURL string) (string, error) { schemeDelimiter := strings.Index(redirectURL, "://") if schemeDelimiter <= 0 { 
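Review bot: buildOIDCProvider passes the literal index `0` to translateExtServiceBackendRefs, and buildExtAuth in this same patch passes `0` too, so both destinations are named by `irIndexedExtServiceDestinationName(pnn, kind, 0)`. If one SecurityPolicy can set both `oidc.provider.backendRefs` and `extAuth`, the two xDS clusters would share a name. Cluster creation tolerates ErrXdsClusterExists, so the OAuth2 token request, which carries the client secret, could be routed to whichever backend was registered first. Give each feature its own name component or a distinct index constant instead of sharing `0`. Separately, `protocol` falls back to `ir.HTTP` for every scheme other than `https`; what validateTokenEndpoint rejects is not visible here, so an explicit error for schemes outside http/https would make that fallback safe.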
@@ -712,26 +765,6 @@ type OpenIDConfig struct { AuthorizationEndpoint string `json:"authorization_endpoint"` } -// discoverEndpointsFromIssuer discovers the token and authorization endpoints from the issuer's well-known url -// return error if failed to fetch the well-known configuration -func discoverEndpointsFromIssuer(provider *egv1a1.OIDCProvider) (*ir.OIDCProvider, error) { - if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil { - tokenEndpoint, authorizationEndpoint, err := fetchEndpointsFromIssuer(provider.Issuer) - if err != nil { - return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err) - } - return &ir.OIDCProvider{ - TokenEndpoint: tokenEndpoint, - AuthorizationEndpoint: authorizationEndpoint, - }, nil - } - - return &ir.OIDCProvider{ - TokenEndpoint: *provider.TokenEndpoint, - AuthorizationEndpoint: *provider.AuthorizationEndpoint, - }, nil -} - func fetchEndpointsFromIssuer(issuerURL string) (string, string, error) { // Fetch the OpenID configuration from the issuer URL resp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL)) @@ -811,7 +844,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso grpc = policy.Spec.ExtAuth.GRPC backends *egv1a1.BackendCluster protocol ir.AppProtocol - ds []*ir.DestinationSetting + rd *ir.RouteDestination authority string err error traffic *ir.TrafficFeatures 
@@ -833,12 +866,12 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso backends = &grpc.BackendCluster protocol = ir.GRPC } - pnn := utils.NamespacedName(policy) - for _, backendRef := range backends.BackendRefs { - if err = t.validateExtServiceBackendReference(&backendRef.BackendObjectReference, policy.Namespace, policy.Kind, resources); err != nil { - return nil, err - } + if rd, err = t.translateExtServiceBackendRefs(policy, backends.BackendRefs, protocol, resources, envoyProxy, 0); err != nil { + return nil, err + } + + for _, backendRef := range backends.BackendRefs { // Authority is the calculated hostname that will be used as the Authority header. // If there are multiple backend referenced, simply use the first one - there are no good answers here. // When translated to XDS, the authority is used on the filter level not on the cluster level. @@ -846,23 +879,6 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso if authority == "" { authority = backendRefAuthority(resources, &backendRef.BackendObjectReference, policy) } - - extServiceDest, err := t.processExtServiceDestination( - &backendRef, - pnn, - resource.KindSecurityPolicy, - protocol, - resources, - envoyProxy, - ) - if err != nil { - return nil, err - } - ds = append(ds, extServiceDest) - } - rd := ir.RouteDestination{ - Name: irIndexedExtServiceDestinationName(pnn, resource.KindSecurityPolicy, 0), - Settings: ds, } if traffic, err = translateTrafficFeatures(backends.BackendSettings); err != nil { @@ -878,14 +894,14 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso if http != nil { extAuth.HTTP = &ir.HTTPExtAuthService{ - Destination: rd, + Destination: *rd, Authority: authority, Path: ptr.Deref(http.Path, ""), HeadersToBackend: http.HeadersToBackend, } } else { extAuth.GRPC = &ir.GRPCExtAuthService{ - Destination: rd, + Destination: *rd, Authority: authority, } } 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml new file mode 100644 index 00000000000..67b051e4b31 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml 
@@ -0,0 +1,101 @@ +secrets: +- apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: client1-secret + data: + client-secret: Y2xpZW50MTpzZWNyZXQK +- apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway-system + name: envoy-oidc-hmac + data: + hmac-secret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/foo" + backendRefs: + - name: service-1 + port: 8080 +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-fqdn + namespace: envoy-gateway + spec: + endpoints: + - fqdn: + hostname: 'oauth.foo.com' + port: 443 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway + uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + oidc: + provider: + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 443 + backendSettings: + retry: + numRetries: 3 + perRetry: + backOff: + baseInterval: 1s + maxInterval: 5s + retryOn: + triggers: ["5xx", "gateway-error", "reset"] + issuer: "https://oauth.foo.com" + authorizationEndpoint: "https://oauth.foo.com/oauth2/v2/auth" + tokenEndpoint: "https://oauth.foo.com/token" + clientID: "client1.apps.googleusercontent.com" + clientSecret: + name: "client1-secret" + redirectURL: 
"https://www.example.com/bar/oauth2/callback" + logoutPath: "/bar/logout" + forwardAccessToken: true + defaultTokenTTL: 30m + refreshToken: true + defaultRefreshTokenTTL: 24h diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml new file mode 100644 index 00000000000..d6f0c4dbc47 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml 
@@ -0,0 +1,256 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: envoy-gateway + spec: + endpoints: + - fqdn: + hostname: oauth.foo.com + port: 443 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + 
controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + uid: b8284d0f-de82-4c65-b204-96a0d3f258a1 + spec: + oidc: + clientID: client1.apps.googleusercontent.com + clientSecret: + group: null + kind: null + name: client1-secret + defaultRefreshTokenTTL: 24h0m0s + defaultTokenTTL: 30m0s + forwardAccessToken: true + logoutPath: /bar/logout + provider: + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 443 + backendSettings: + retry: + numRetries: 3 + perRetry: + backOff: + baseInterval: 1s + maxInterval: 5s + retryOn: + triggers: + - 5xx + - gateway-error + - reset + issuer: https://oauth.foo.com + tokenEndpoint: https://oauth.foo.com/token + redirectURL: https://www.example.com/bar/oauth2/callback + refreshToken: true + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + oidc: + clientID: client1.apps.googleusercontent.com + clientSecret: Y2xpZW50MTpzZWNyZXQK + cookieSuffix: b0a1b740 + defaultRefreshTokenTTL: 24h0m0s + defaultTokenTTL: 30m0s + forwardAccessToken: true + hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + logoutPath: /bar/logout + name: securitypolicy/envoy-gateway/policy-for-gateway + provider: + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + destination: + name: securitypolicy/envoy-gateway/policy-for-gateway/0 + settings: + - addressType: FQDN + endpoints: + - host: oauth.foo.com + port: 443 + protocol: HTTPS + weight: 1 + tokenEndpoint: https://oauth.foo.com/token + traffic: + retry: + numRetries: 3 + perRetry: + backOff: + baseInterval: 1s + maxInterval: 5s + retryOn: + triggers: + - 5xx + - gateway-error + - reset + redirectPath: /bar/oauth2/callback + redirectURL: https://www.example.com/bar/oauth2/callback + refreshToken: true + scopes: + - openid diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 49d6fdbf064..fdcace324f5 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -848,7 +848,16 @@ type OIDC struct { CookieDomain *string `json:"cookieDomain,omitempty"` } +// OIDCProvider defines the schema for the OIDC Provider. +// +// +k8s:deepcopy-gen=true type OIDCProvider struct { + // Destination defines the destination for the OIDC Provider. + Destination *RouteDestination `json:"destination,omitempty"` + + // Traffic contains configuration for traffic features for the OIDC Provider + Traffic *TrafficFeatures `json:"traffic,omitempty"` + // The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). AuthorizationEndpoint string `json:"authorizationEndpoint,omitempty"` diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 1a0185bbb9f..3c0c1135f44 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1900,7 +1900,7 @@ func (in *Metrics) DeepCopy() *Metrics { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDC) DeepCopyInto(out *OIDC) { *out = *in - out.Provider = in.Provider + in.Provider.DeepCopyInto(&out.Provider) if in.ClientSecret != nil { in, out := &in.ClientSecret, &out.ClientSecret *out = make([]byte, len(*in)) 
@@ -1953,6 +1953,31 @@ func (in *OIDC) DeepCopy() *OIDC { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { + *out = *in + if in.Destination != nil { + in, out := &in.Destination, &out.Destination + *out = new(RouteDestination) + (*in).DeepCopyInto(*out) + } + if in.Traffic != nil { + in, out := &in.Traffic, &out.Traffic + *out = new(TrafficFeatures) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProvider. +func (in *OIDCProvider) DeepCopy() *OIDCProvider { + if in == nil { + return nil + } + out := new(OIDCProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OpenTelemetryAccessLog) DeepCopyInto(out *OpenTelemetryAccessLog) { *out = *in diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index 41228a1d209..963b7c8046d 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go 
@@ -102,14 +102,24 @@ func oauth2FilterName(oidc *ir.OIDC) string { } func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { - cluster, err := url2Cluster(oidc.Provider.TokenEndpoint) - if err != nil { - return nil, err - } - if cluster.endpointType == EndpointTypeStatic { - return nil, fmt.Errorf( - "static IP cluster is not allowed: %s", - oidc.Provider.TokenEndpoint) + var ( + tokenEndpointCluster string + err error + ) + + if oidc.Provider.Destination != nil && len(oidc.Provider.Destination.Settings) > 0 { + tokenEndpointCluster = oidc.Provider.Destination.Name + } else { + var cluster *urlCluster + if cluster, err = url2Cluster(oidc.Provider.TokenEndpoint); err != nil { + return nil, err + } + if cluster.endpointType == EndpointTypeStatic { + return nil, fmt.Errorf( + "static IP cluster is not allowed: %s", + oidc.Provider.TokenEndpoint) + } + tokenEndpointCluster = cluster.name } // Envoy OAuth2 filter deletes the HTTP authorization header by default, which surprises users. @@ -126,7 +136,7 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { TokenEndpoint: &corev3.HttpUri{ Uri: oidc.Provider.TokenEndpoint, HttpUpstreamType: &corev3.HttpUri_Cluster{ - Cluster: cluster.name, + Cluster: tokenEndpointCluster, }, Timeout: &durationpb.Duration{ Seconds: defaultExtServiceRequestTimeout, 
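Review bot: The `Destination` branch in oauth2Config takes the cluster name without the static-IP rejection that the URL branch applies. The matching branch in createOAuthServerClusters also no longer builds the upstream socket with `buildXdsUpstreamTLSSocket(cluster.hostname)`. The token request carries the client secret and authorization code, so an `https` tokenEndpoint reached through backendRefs should still get an upstream TLS socket with certificate validation. Whether createExtServiceXDSCluster provides that for a setting that only has `protocol: HTTPS` is not visible in this patch, and the golden output added here shows no `tls` block on the provider destination. Add an xDS translator test that asserts the generated cluster's transport socket for the backendRefs case, and document on the `Destination` field what TLS configuration the Backend is expected to carry.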
@@ -210,9 +220,55 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) { oauth2.Config.Credentials.CookieDomain = *oidc.CookieDomain } + // Set the retry policy if it exists. + if oidc.Provider.Traffic != nil && oidc.Provider.Traffic.Retry != nil { + var rp *corev3.RetryPolicy + if rp, err = buildNonRouteRetryPolicy(oidc.Provider.Traffic.Retry); err != nil { + return nil, err + } + oauth2.Config.RetryPolicy = rp + } return oauth2, nil } +func buildNonRouteRetryPolicy(rr *ir.Retry) (*corev3.RetryPolicy, error) { + rp := &corev3.RetryPolicy{ + RetryOn: retryDefaultRetryOn, + } + + // These two fields in the RetryPolicy are just for route-level retries, they are not used for non-route retries. + // retry.PerRetry.Timeout + // retry.RetryOn.HTTPStatusCodes + + if rr.PerRetry != nil && rr.PerRetry.BackOff != nil { + rp.RetryBackOff = &corev3.BackoffStrategy{ + BaseInterval: &durationpb.Duration{ + Seconds: int64(rr.PerRetry.BackOff.BaseInterval.Seconds()), + }, + MaxInterval: &durationpb.Duration{ + Seconds: int64(rr.PerRetry.BackOff.MaxInterval.Seconds()), + }, + } + } + + if rr.NumRetries != nil { + rp.NumRetries = &wrappers.UInt32Value{ + Value: *rr.NumRetries, + } + } + + if rr.RetryOn != nil { + if len(rr.RetryOn.Triggers) > 0 { + if ro, err := buildRetryOn(rr.RetryOn.Triggers); err == nil { + rp.RetryOn = ro + } else { + return nil, err + } + } + } + return rp, nil +} + // routeContainsOIDC returns true if OIDC exists for the provided route. func routeContainsOIDC(irRoute *ir.HTTPRoute) bool { if irRoute != nil && @@ -226,7 +282,7 @@ func routeContainsOIDC(irRoute *ir.HTTPRoute) bool { func (*oidc) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute, ) error { - if err := createOAuth2TokenEndpointClusters(tCtx, routes); err != nil { + if err := createOAuthServerClusters(tCtx, routes); err != nil { return err } if err := createOAuth2Secrets(tCtx, routes); err != nil { 
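Review bot: buildNonRouteRetryPolicy calls `.Seconds()` on both `BackOff.BaseInterval` and `BackOff.MaxInterval` without a nil check. buildRetry in this patch creates the BackOffPolicy when either one is set, so a policy that sets only one interval would dereference a nil pointer during translation. The `int64(...Seconds())` conversion also truncates sub-second values, so a 500ms base interval becomes 0s. Guard each field and build the durations with `durationpb.New` (already in scope through `durationpb.Duration`), assuming the IR fields are `*metav1.Duration`. Envoy's BackoffStrategy needs a base interval, so the sketch below emits the strategy only when one is present.

```go
	if rr.PerRetry != nil && rr.PerRetry.BackOff != nil && rr.PerRetry.BackOff.BaseInterval != nil {
		bo := &corev3.BackoffStrategy{
			// durationpb.New keeps sub-second precision.
			BaseInterval: durationpb.New(rr.PerRetry.BackOff.BaseInterval.Duration),
		}
		if rr.PerRetry.BackOff.MaxInterval != nil {
			bo.MaxInterval = durationpb.New(rr.PerRetry.BackOff.MaxInterval.Duration)
		}
		rp.RetryBackOff = bo
	}
	// … unchanged: NumRetries and RetryOn handling …
```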
@@ -235,9 +291,8 @@ func (*oidc) patchResources(tCtx *types.ResourceVersionTable, return nil } -// createOAuth2TokenEndpointClusters creates token endpoint clusters from the -// provided routes, if needed. -func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable, +// createOAuthServerClusters creates clusters for the OAuth2 server. +func createOAuthServerClusters(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute, ) error { if tCtx == nil || tCtx.XdsResources == nil { 
@@ -250,59 +305,78 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable, continue } - var ( - cluster *urlCluster - ds *ir.DestinationSetting - tSocket *corev3.TransportSocket - err error - ) + oidc := route.Security.OIDC - cluster, err = url2Cluster(route.Security.OIDC.Provider.TokenEndpoint) - if err != nil { - errs = errors.Join(errs, err) - continue + // If the OIDC provider has a destination, use it. + if oidc.Provider.Destination != nil && len(oidc.Provider.Destination.Settings) > 0 { + if err := createExtServiceXDSCluster( + oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil && !errors.Is( + err, ErrXdsClusterExists) { + errs = errors.Join(errs, err) + } + } else { + // Create a cluster with the token endpoint url. + if err := createOAuth2TokenEndpointCluster(tCtx, oidc.Provider.TokenEndpoint); err != nil { + errs = errors.Join(errs, err) + } } + } - // EG does not support static IP clusters for token endpoint clusters. - // This validation could be removed since it's already validated in the - // Gateway API translator. - if cluster.endpointType == EndpointTypeStatic { - errs = errors.Join(errs, fmt.Errorf( - "static IP cluster is not allowed: %s", - route.Security.OIDC.Provider.TokenEndpoint)) - continue - } + return errs +} - ds = &ir.DestinationSetting{ - Weight: ptr.To[uint32](1), - Endpoints: []*ir.DestinationEndpoint{ - ir.NewDestEndpoint( - cluster.hostname, - cluster.port), - }, - } +// createOAuth2TokenEndpointClusters creates token endpoint clusters from the +// provided routes, if needed. 
+func createOAuth2TokenEndpointCluster(tCtx *types.ResourceVersionTable, + tokenEndpoint string, +) error { + var ( + cluster *urlCluster + ds *ir.DestinationSetting + tSocket *corev3.TransportSocket + err error + ) + + if cluster, err = url2Cluster(tokenEndpoint); err != nil { + return err + } - clusterArgs := &xdsClusterArgs{ - name: cluster.name, - settings: []*ir.DestinationSetting{ds}, - tSocket: tSocket, - endpointType: cluster.endpointType, - } - if cluster.tls { - tSocket, err = buildXdsUpstreamTLSSocket(cluster.hostname) - if err != nil { - errs = errors.Join(errs, err) - continue - } - clusterArgs.tSocket = tSocket - } + // EG does not support static IP clusters for token endpoint clusters. + // This validation could be removed since it's already validated in the + // Gateway API translator. + if cluster.endpointType == EndpointTypeStatic { + return fmt.Errorf( + "static IP cluster is not allowed: %s", + tokenEndpoint) + } - if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) { - errs = errors.Join(errs, err) + ds = &ir.DestinationSetting{ + Weight: ptr.To[uint32](1), + Endpoints: []*ir.DestinationEndpoint{ + ir.NewDestEndpoint( + cluster.hostname, + cluster.port), + }, + } + + clusterArgs := &xdsClusterArgs{ + name: cluster.name, + settings: []*ir.DestinationSetting{ds}, + tSocket: tSocket, + endpointType: cluster.endpointType, + } + if cluster.tls { + if tSocket, err = buildXdsUpstreamTLSSocket(cluster.hostname); err != nil { + return err } + clusterArgs.tSocket = tSocket } - return errs + if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) { + return err + } + + return err } // createOAuth2Secrets creates OAuth2 client and HMAC secrets from the provided 
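Review bot: createOAuth2TokenEndpointCluster ends with `return err`, so when addXdsCluster reports ErrXdsClusterExists the helper returns that sentinel, and the `else` branch of createOAuthServerClusters joins every non-nil error into `errs`. The removed loop ignored that case, so two routes sharing one token endpoint would presumably now fail translation; the final statement should be `return nil`. The doc comment above the helper still names `createOAuth2TokenEndpointClusters` and speaks of routes, and `tSocket: tSocket` in the xdsClusterArgs literal is always nil at that point. createOAuthServerClusters begins in the preceding hunk.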
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml new file mode 100644 index 00000000000..6fc9a045bca --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml @@ -0,0 +1,60 @@ +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + pathMatch: + exact: "baz" + destination: + name: "third-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + security: + oidc: + name: securitypolicy/envoy-gateway/policy-for-gateway + clientID: client1.apps.googleusercontent.com + clientSecret: Y2xpZW50MTpzZWNyZXQK + cookieSuffix: b0a1b740 + defaultRefreshTokenTTL: 24h0m0s + defaultTokenTTL: 30m0s + forwardAccessToken: true + hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + logoutPath: /bar/logout + provider: + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + destination: + name: securitypolicy/envoy-gateway/policy-for-gateway/0 + settings: + - addressType: FQDN + endpoints: + - host: oauth.foo.com + port: 443 + protocol: HTTPS + weight: 1 + tokenEndpoint: https://oauth.foo.com/token + traffic: + retry: + numRetries: 3 + perRetry: + backOff: + baseInterval: 1s + maxInterval: 5s + retryOn: + triggers: + - "5xx" + - gateway-error + - reset + redirectPath: /bar/oauth2/callback + redirectURL: https://www.example.com/bar/oauth2/callback + refreshToken: true + scopes: + - openid diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml new file mode 100644 index 00000000000..863e761bf9a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml 
@@ -0,0 +1,44 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: third-route-dest + lbPolicy: LEAST_REQUEST + name: third-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/envoy-gateway/policy-for-gateway/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: oauth.foo.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0 + name: securitypolicy/envoy-gateway/policy-for-gateway/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.endpoints.yaml new file mode 100644 index 00000000000..6c69841c2ad --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: third-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: third-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.listeners.yaml new file mode 100644 index 00000000000..3addb294484 --- /dev/null 
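Review bot: The `oidc-backencluster-provider.*.yaml` golden files (clusters, endpoints, listeners, routes, secrets) look like leftovers from a misspelled test name. Their blob ids match the `oidc-backend-cluster-provider.*.yaml` outputs added later in this diff, and the only input added is `in/xds-ir/oidc-backend-cluster-provider.yaml`, so presumably no test reads them. Dropping the misspelled set keeps the testdata directory from carrying fixtures that can silently go stale.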
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.listeners.yaml 
@@ -0,0 +1,83 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 + config: + authScopes: + - openid + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client1.apps.googleusercontent.com + cookieNames: + bearerToken: AccessToken-b0a1b740 + idToken: IdToken-b0a1b740 + oauthExpires: OauthExpires-b0a1b740 + oauthHmac: OauthHMAC-b0a1b740 + oauthNonce: OauthNonce-b0a1b740 + refreshToken: RefreshToken-b0a1b740 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + defaultExpiresIn: 1800s + defaultRefreshTokenExpiresIn: 86400s + forwardBearerToken: true + redirectPathMatcher: + path: + exact: /bar/oauth2/callback + redirectUri: https://www.example.com/bar/oauth2/callback + retryPolicy: + numRetries: 3 + retryBackOff: + baseInterval: 1s + maxInterval: 5s + retryOn: 5xx,gateway-error,reset + signoutPath: + path: + exact: /bar/logout + tokenEndpoint: + cluster: securitypolicy/envoy-gateway/policy-for-gateway/0 + timeout: 10s + uri: https://oauth.foo.com/token + useRefreshToken: true + - name: envoy.filters.http.router + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.routes.yaml new file mode 100644 index 00000000000..b17df86476d --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.routes.yaml @@ -0,0 +1,18 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + path: baz + name: first-route + route: + cluster: third-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.secrets.yaml new file mode 100644 index 00000000000..398ab6cef7b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.secrets.yaml @@ -0,0 +1,8 @@ +- genericSecret: + secret: + inlineBytes: Y2xpZW50MTpzZWNyZXQK + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway +- genericSecret: + secret: + inlineBytes: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml new file mode 100644 index 00000000000..863e761bf9a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -0,0 +1,44 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: third-route-dest + lbPolicy: LEAST_REQUEST + name: third-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/envoy-gateway/policy-for-gateway/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: oauth.foo.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0 + name: securitypolicy/envoy-gateway/policy-for-gateway/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.endpoints.yaml new file mode 100644 index 00000000000..6c69841c2ad --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.endpoints.yaml 
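Review bot: The expected cluster `securitypolicy/envoy-gateway/policy-for-gateway/0` has no `transportSocket`, although the input marks its endpoint `protocol: HTTPS` on port 443 and the filter's token `uri` is `https://oauth.foo.com/token`. On the URL-based path the translator attaches an upstream TLS socket when `cluster.tls` is set, so this fixture appears to pin a plaintext upstream for the request that carries the client secret and authorization code. If TLS for a provider destination is meant to come from separate backend TLS settings, add them to the input so the golden output covers the encrypted case. Otherwise the translator should reject an https token endpoint whose destination has no TLS configuration.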
@@ -0,0 +1,12 @@ +- clusterName: third-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: third-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml new file mode 100644 index 00000000000..3addb294484 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml 
@@ -0,0 +1,83 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 + config: + authScopes: + - openid + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client1.apps.googleusercontent.com + cookieNames: + bearerToken: AccessToken-b0a1b740 + idToken: IdToken-b0a1b740 + oauthExpires: OauthExpires-b0a1b740 + oauthHmac: OauthHMAC-b0a1b740 + oauthNonce: OauthNonce-b0a1b740 + refreshToken: RefreshToken-b0a1b740 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + defaultExpiresIn: 1800s + defaultRefreshTokenExpiresIn: 86400s + forwardBearerToken: true + redirectPathMatcher: + path: + exact: /bar/oauth2/callback + redirectUri: https://www.example.com/bar/oauth2/callback + retryPolicy: + numRetries: 3 + retryBackOff: + baseInterval: 1s + maxInterval: 5s + retryOn: 5xx,gateway-error,reset + signoutPath: + path: + exact: /bar/logout + tokenEndpoint: + cluster: securitypolicy/envoy-gateway/policy-for-gateway/0 + timeout: 10s + uri: https://oauth.foo.com/token + useRefreshToken: true + - name: envoy.filters.http.router + typedConfig: + '@type': 
type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml new file mode 100644 index 00000000000..b17df86476d --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml @@ -0,0 +1,18 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + path: baz + name: first-route + route: + cluster: third-route-dest + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml new file mode 100644 index 00000000000..398ab6cef7b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml @@ -0,0 +1,8 @@ +- genericSecret: + secret: + inlineBytes: Y2xpZW50MTpzZWNyZXQK + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway +- genericSecret: + secret: + inlineBytes: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway 
diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index c4efa812d58..f00ee84260c 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -18,6 +18,7 @@ import ( "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" ) 
@@ -1121,6 +1122,103 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{"at least one of claims or scopes must be specified"}, }, + { + desc: "oidc-retry", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + OIDC: &egv1a1.OIDC{ + Provider: egv1a1.OIDCProvider{ + BackendCluster: egv1a1.BackendCluster{ + BackendSettings: &egv1a1.ClusterSettings{ + Retry: &egv1a1.Retry{ + NumRetries: ptr.To(int32(3)), + PerRetry: &egv1a1.PerRetryPolicy{ + BackOff: &egv1a1.BackOffPolicy{ + BaseInterval: &metav1.Duration{ + Duration: time.Second * 1, + }, + MaxInterval: &metav1.Duration{ + Duration: time.Second * 10, + }, + }, + }, + RetryOn: &egv1a1.RetryOn{ + Triggers: []egv1a1.TriggerEnum{ + egv1a1.Error5XX, egv1a1.GatewayError, egv1a1.Reset, + }, + }, + }, + }, + }, + Issuer: "https://accounts.google.com", + AuthorizationEndpoint: ptr.To("https://accounts.google.com/o/oauth2/v2/auth"), + TokenEndpoint: ptr.To("https://oauth2.googleapis.com/token"), + }, + ClientID: "client-id", + ClientSecret: gwapiv1b1.SecretObjectReference{ + Name: "secret", + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "oidc-retry-unsupported-parameters", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetSelectors: []egv1a1.TargetSelector{ + { + Group: ptr.To(gwapiv1a2.Group("gateway.networking.k8s.io")), + Kind: "HTTPRoute", + MatchLabels: map[string]string{ + "eg/namespace": "reference-apps", + }, + }, + }, + }, + OIDC: &egv1a1.OIDC{ + Provider: egv1a1.OIDCProvider{ + BackendCluster: egv1a1.BackendCluster{ + BackendSettings: &egv1a1.ClusterSettings{ + Retry: 
&egv1a1.Retry{ + NumRetries: ptr.To(int32(3)), + PerRetry: &egv1a1.PerRetryPolicy{ + Timeout: &metav1.Duration{ + Duration: time.Second * 10, + }, + }, + RetryOn: &egv1a1.RetryOn{ + HTTPStatusCodes: []egv1a1.HTTPStatus{500}, + }, + }, + }, + }, + Issuer: "https://accounts.google.com", + AuthorizationEndpoint: ptr.To("https://accounts.google.com/o/oauth2/v2/auth"), + TokenEndpoint: ptr.To("https://oauth2.googleapis.com/token"), + }, + ClientID: "client-id", + ClientSecret: gwapiv1b1.SecretObjectReference{ + Name: "secret", + }, + }, + } + }, + wantErrors: []string{"Retry timeout is not supported", "HTTPStatusCodes is not supported"}, + }, } for _, tc := range cases { diff --git a/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml new file mode 100644 index 00000000000..2e1a86791ec --- /dev/null +++ b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml 
@@ -0,0 +1,86 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-oidc + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /myapp # This is the path that will be protected by OIDC + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-keycloak + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["keycloak.gateway-conformance-infra"] + rules: + - backendRefs: + - name: keycloak + port: 80 +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: gateway-conformance-infra + name: oidctest-secret +data: + client-secret: b2lkY3Rlc3QtY2xpZW50LXNlY3JldA== # base64 encoding of "oidctest-client-secret" +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: oidc-test # Test OIDC Provider represented by a backend cluster + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-oidc + oidc: + provider: + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-keycloak + port: 80 + backendSettings: + retry: + numRetries: 3 + perRetry: + backOff: + baseInterval: 1s + maxInterval: 5s + retryOn: + triggers: ["5xx", "gateway-error", "reset"] + issuer: "http://keycloak.gateway-conformance-infra/realms/master" + authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" + tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" + clientID: "oidctest" + clientSecret: + name: "oidctest-secret" + redirectURL: "http://www.example.com/myapp/oauth2/callback" + logoutPath: "/myapp/logout" +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + 
name: backend-keycloak + namespace: gateway-conformance-infra +spec: + endpoints: + - fqdn: + hostname: 'keycloak.gateway-conformance-infra' + port: 80 diff --git a/test/e2e/tests/oidc-backendcluster.go b/test/e2e/tests/oidc-backendcluster.go new file mode 100644 index 00000000000..b2bcc93cecb --- /dev/null +++ b/test/e2e/tests/oidc-backendcluster.go @@ -0,0 +1,37 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "testing" + + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, OIDCBackendClusterTest) +} + +// OIDCTest tests OIDC authentication for an http route with OIDC configured. +// The http route points to an application to verify that OIDC authentication works on application/http path level. +var OIDCBackendClusterTest = suite.ConformanceTest{ + ShortName: "OIDC with BackendCluster", + Description: "Test OIDC authentication", + Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { + // Add a function to dump current cluster status + t.Cleanup(func() { + CollectAndDump(t, suite.RestConfig) + }) + + testOIDC(t, suite) + }) + }, +} diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 27fb79be9b3..f03512c1e27 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -31,8 +31,6 @@ import ( ) const ( - testURL = "http://www.example.com/myapp" - logoutURL = "http://www.example.com/myapp/logout" keyCloakLoginFormID = "kc-form-login" username = "oidcuser" password = "oidcpassword" 
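Review bot: The doc comment on `OIDCBackendClusterTest` still opens with `OIDCTest tests OIDC authentication…`, and its `Description` is the same "Test OIDC authentication" string as the URL-based test in oidc.go, so the two are hard to tell apart in conformance reports. Suggest `// OIDCBackendClusterTest tests OIDC authentication when the provider is referenced through backendRefs.` and `Description: "Test OIDC authentication with the provider configured as a BackendCluster",`.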
@@ -49,100 +47,13 @@ var OIDCTest = suite.ConformanceTest{ Description: "Test OIDC authentication", Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { - t.Run("http route with oidc authentication", func(t *testing.T) { + t.Run("oidc provider represented by a URL", func(t *testing.T) { // Add a function to dump current cluster status t.Cleanup(func() { CollectAndDump(t, suite.RestConfig) }) - ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-oidc", Namespace: ns} - gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - - ancestorRef := gwapiv1a2.ParentReference{ - Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(resource.KindGateway), - Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), - Name: gwapiv1.ObjectName(gwNN.Name), - } - SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test", Namespace: ns}, suite.ControllerName, ancestorRef) - podInitialized := corev1.PodCondition{Type: corev1.PodInitialized, Status: corev1.ConditionTrue} - - // Wait for the keycloak pod to be configured with the test user and client - WaitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized) - - // Initialize the test OIDC client that will keep track of the state of the OIDC login process - client, err := NewOIDCTestClient( - WithLoggingOptions(t.Log, true), - // Map the application and keycloak cluster DNS name to the gateway address - WithCustomAddressMappings(map[string]string{ - "www.example.com:80": gwAddr, - "keycloak.gateway-conformance-infra:80": gwAddr, - }), - ) - require.NoError(t, err) - - if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 
5*time.Minute, true, - func(_ context.Context) (done bool, err error) { - tlog.Logf(t, "sending request to %s", testURL) - - // Send a request to the http route with OIDC configured. - // It will be redirected to the keycloak login page - res, err := client.Get(testURL, true) - require.NoError(t, err, "Failed to get the login page") - require.Equal(t, 200, res.StatusCode, "Expected 200 OK") - - // Parse the response body to get the URL where the login page would post the user-entered credentials - if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { - tlog.Logf(t, "failed to parse login form: %v", err) - return false, nil - } - - t.Log("successfully parsed login form") - return true, nil - }); err != nil { - t.Errorf("failed to parse login form: %v", err) - } - - // Submit the login form to the IdP. - // This will authenticate and redirect back to the application - res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) - require.NoError(t, err, "Failed to login to the IdP") - - // Verify that we get the expected response from the application - body, err := io.ReadAll(res.Body) - require.NoError(t, err) - require.Equal(t, http.StatusOK, res.StatusCode) - require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") - - // Verify that we can access the application without logging in again - res, err = client.Get(testURL, false) - require.NoError(t, err) - require.Equal(t, http.StatusOK, res.StatusCode) - require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") - - // Verify that we can logout - // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. - res, err = client.Get(logoutURL, false) - require.NoError(t, err) - require.Equal(t, http.StatusFound, res.StatusCode) - - // After logout, OAuth2 filter will redirect back to the root of the host, e.g, "www.example.com". 
- // Ideally, this should redirect to the application's root, e.g, "www.example.com/myapp", - // but Envoy OAuth2 filter does not support this yet. - require.Equal(t, "http://www.example.com/", res.Header.Get("Location"), "Expected redirect to the root of the host") - - // Verify that the oauth2 cookies have been deleted - var cookieDeleted bool - deletedCookies := res.Header.Values("Set-Cookie") - regx := regexp.MustCompile("^IdToken-.+=deleted.+") - for _, cookie := range deletedCookies { - if regx.Match([]byte(cookie)) { - cookieDeleted = true - } - } - require.True(t, cookieDeleted, "IdToken cookie not deleted") + testOIDC(t, suite) }) t.Run("http route without oidc authentication", func(t *testing.T) { 
@@ -185,3 +96,102 @@ var OIDCTest = suite.ConformanceTest{ }) }, } + +func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { + var ( + testURL = "http://www.example.com/myapp" + logoutURL = "http://www.example.com/myapp/logout" + route = "http-with-oidc" + sp = "oidc-test" + ns = "gateway-conformance-infra" + ) + + routeNN := types.NamespacedName{Name: route, Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) + + podInitialized := corev1.PodCondition{Type: corev1.PodInitialized, Status: corev1.ConditionTrue} + + // Wait for the keycloak pod to be configured with the test user and client + WaitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized) + + // Initialize the test OIDC client that will keep track of the state of the OIDC login process + client, err := NewOIDCTestClient( + WithLoggingOptions(t.Log, true), + // Map the application and keycloak cluster DNS name to the gateway address + WithCustomAddressMappings(map[string]string{ + "www.example.com:80": gwAddr, + "keycloak.gateway-conformance-infra:80": gwAddr, + }), + ) + require.NoError(t, err) + + if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 5*time.Minute, true, + func(_ context.Context) (done bool, err error) { + tlog.Logf(t, "sending request to %s", testURL) + + // Send a request to the http route with OIDC configured. 
+ // It will be redirected to the keycloak login page + res, err := client.Get(testURL, true) + require.NoError(t, err, "Failed to get the login page") + require.Equal(t, 200, res.StatusCode, "Expected 200 OK") + + // Parse the response body to get the URL where the login page would post the user-entered credentials + if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { + tlog.Logf(t, "failed to parse login form: %v", err) + return false, nil + } + + t.Log("successfully parsed login form") + return true, nil + }); err != nil { + t.Errorf("failed to parse login form: %v", err) + } + + // Submit the login form to the IdP. + // This will authenticate and redirect back to the application + res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) + require.NoError(t, err, "Failed to login to the IdP") + + // Verify that we get the expected response from the application + body, err := io.ReadAll(res.Body) + require.NoError(t, err) + require.Equal(t, http.StatusOK, res.StatusCode) + require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") + + // Verify that we can access the application without logging in again + res, err = client.Get(testURL, false) + require.NoError(t, err) + require.Equal(t, http.StatusOK, res.StatusCode) + require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") + + // Verify that we can logout + // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. + res, err = client.Get(logoutURL, false) + require.NoError(t, err) + require.Equal(t, http.StatusFound, res.StatusCode) + + // After logout, OAuth2 filter will redirect back to the root of the host, e.g, "www.example.com". + // Ideally, this should redirect to the application's root, e.g, "www.example.com/myapp", + // but Envoy OAuth2 filter does not support this yet. 
+ require.Equal(t, "http://www.example.com/", res.Header.Get("Location"), "Expected redirect to the root of the host") + + // Verify that the oauth2 cookies have been deleted + var cookieDeleted bool + deletedCookies := res.Header.Values("Set-Cookie") + regx := regexp.MustCompile("^IdToken-.+=deleted.+") + for _, cookie := range deletedCookies { + if regx.Match([]byte(cookie)) { + cookieDeleted = true + } + } + require.True(t, cookieDeleted, "IdToken cookie not deleted") +} From 5a1c065e3ddbc12b6a232b92eaf3417cd3146a09 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 18 Oct 2024 11:59:03 +0800 Subject: [PATCH 268/523] support reloadable EnvoyGateway configuration (#4451) * support reloadable EnvoyGateway configuration Signed-off-by: zirain * lint Signed-off-by: zirain * shutdown wasm http server Signed-off-by: zirain --------- 
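Review bot: The "access the application without logging in again" step in `testOIDC` asserts on the stale `body` from the login response, because the result of the second `client.Get(testURL, false)` is never read; the session-reuse check therefore only verifies the status code. Read the new response before the assertion: `body, err = io.ReadAll(res.Body)` followed by `require.NoError(t, err)`. Separately, the `require.NoError`/`require.Equal` calls inside the poll callback abort on the first transient failure instead of letting the poll retry. The `t.Errorf` after the poll lets the test continue into `client.Login` with an unparsed form, so `t.Fatalf` would be the safer choice there.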
Signed-off-by: zirain --- internal/cmd/server.go | 33 +- .../config/loader/configloader.go | 113 ++++++ .../config/loader/configloader_test.go | 59 ++++ .../config/loader/testdata/default.yaml | 24 ++ .../config/loader/testdata/enable-redis.yaml | 14 + internal/filewatcher/filewatcher.go | 179 ++++++++++ internal/filewatcher/filewatcher_test.go | 321 ++++++++++++++++++ internal/filewatcher/worker.go | 256 ++++++++++++++ internal/infrastructure/runner/runner.go | 7 + internal/provider/kubernetes/controller.go | 6 +- internal/provider/kubernetes/kubernetes.go | 3 +- internal/wasm/httpserver.go | 6 + tools/hack/deployment-exists.sh | 3 +- tools/make/kube.mk | 3 - 14 files changed, 1010 insertions(+), 17 deletions(-) create mode 100644 internal/envoygateway/config/loader/configloader.go create mode 100644 internal/envoygateway/config/loader/configloader_test.go create mode 100644 internal/envoygateway/config/loader/testdata/default.yaml create mode 100644 internal/envoygateway/config/loader/testdata/enable-redis.yaml create mode 100644 internal/filewatcher/filewatcher.go create mode 100644 internal/filewatcher/filewatcher_test.go create mode 100644 internal/filewatcher/worker.go diff --git a/internal/cmd/server.go b/internal/cmd/server.go index 25add4c8541..a4c9d3e9713 100644 --- a/internal/cmd/server.go +++ b/internal/cmd/server.go @@ -6,12 +6,15 @@ package cmd import ( + "context" + "github.com/spf13/cobra" ctrl "sigs.k8s.io/controller-runtime" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/admin" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/envoygateway/config/loader" extensionregistry "github.com/envoyproxy/gateway/internal/extension/registry" "github.com/envoyproxy/gateway/internal/extension/types" gatewayapirunner "github.com/envoyproxy/gateway/internal/gatewayapi/runner" 
@@ -51,6 +54,20 @@ func server() error { return err } + ctx := ctrl.SetupSignalHandler() + hook := func(c context.Context, cfg *config.Server) error { + cfg.Logger.Info("Setup runners") + if err := setupRunners(c, cfg); err != nil { + cfg.Logger.Error(err, "failed to setup runners") + return err + } + return nil + } + l := loader.New(cfgPath, cfg, hook) + if err := l.Start(ctx); err != nil { + return err + } + // Init eg admin servers. if err := admin.Init(cfg); err != nil { return err @@ -60,10 +77,10 @@ func server() error { return err } - // init eg runners. - if err := setupRunners(cfg); err != nil { - return err - } + // Wait exit signal + <-ctx.Done() + + cfg.Logger.Info("shutting down") return nil } @@ -110,11 +127,7 @@ func getConfigByPath(cfgPath string) (*config.Server, error) { // setupRunners starts all the runners required for the Envoy Gateway to // fulfill its tasks. -func setupRunners(cfg *config.Server) (err error) { - // TODO - Setup a Config Manager - // https://github.com/envoyproxy/gateway/issues/43 - ctx := ctrl.SetupSignalHandler() - +func setupRunners(ctx context.Context, cfg *config.Server) (err error) { // Setup the Extension Manager var extMgr types.Manager if cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes { @@ -212,7 +225,7 @@ func setupRunners(cfg *config.Server) (err error) { infraIR.Close() xds.Close() - cfg.Logger.Info("shutting down") + cfg.Logger.Info("runners are shutting down") if extMgr != nil { // Close connections to extension services diff --git a/internal/envoygateway/config/loader/configloader.go b/internal/envoygateway/config/loader/configloader.go new file mode 100644 index 00000000000..9523c7a432e --- /dev/null +++ b/internal/envoygateway/config/loader/configloader.go 
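Review bot: In `server()`, a failure of `setupRunners` no longer stops the process: the hook's error is only logged inside `Loader.runHook`, which runs it in a goroutine, so `l.Start(ctx)` returns nil and the function then blocks on `<-ctx.Done()`. Before this change `server()` returned that error, so a control plane whose provider or xDS runner failed to start exited instead of staying up with no runners. Consider reporting the first hook invocation's error back to `Start`, or cancelling `ctx` when the hook fails, and add a comment on `hook` stating which behaviour is intended. `admin.Init(cfg)` now also runs after the runners have been launched; if that ordering is deliberate it deserves a one-line comment.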
@@ -0,0 +1,113 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package loader + +import ( + "context" + "time" + + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/filewatcher" + "github.com/envoyproxy/gateway/internal/logging" +) + +type HookFunc func(c context.Context, cfg *config.Server) error + +type Loader struct { + cfgPath string + cfg *config.Server + logger logging.Logger + cancel context.CancelFunc + hook HookFunc + + w filewatcher.FileWatcher +} + +func New(cfgPath string, cfg *config.Server, f HookFunc) *Loader { + return &Loader{ + cfgPath: cfgPath, + cfg: cfg, + logger: cfg.Logger.WithName("config-loader"), + hook: f, + w: filewatcher.NewWatcher(), + } +} + +func (r *Loader) Start(ctx context.Context) error { + r.runHook() + + if r.cfgPath == "" { + r.logger.Info("no config file provided, skipping config watcher") + return nil + } + + r.logger.Info("watching for changes to the EnvoyGateway configuration", "path", r.cfgPath) + if err := r.w.Add(r.cfgPath); err != nil { + r.logger.Error(err, "failed to add config file to watcher") + return err + } + + go func() { + defer func() { + _ = r.w.Close() + }() + for { + select { + case e := <-r.w.Events(r.cfgPath): + r.logger.Info("received fsnotify events", "name", e.Name, "op", e.Op.String()) + + // Load the config file. + eg, err := config.Decode(r.cfgPath) + if err != nil { + r.logger.Info("failed to decode config file", "name", r.cfgPath, "error", err) + // TODO: add a metric for this? 
+ continue + } + // Set defaults for unset fields + eg.SetEnvoyGatewayDefaults() + r.cfg.EnvoyGateway = eg + // update cfg logger + eg.Logging.SetEnvoyGatewayLoggingDefaults() + r.cfg.Logger = logging.NewLogger(eg.Logging) + + // cancel last + if r.cancel != nil { + r.cancel() + } + + // TODO: we need to make sure that all runners are stopped, before we start the new ones + // Otherwise we might end up with error listening on:8081 + time.Sleep(3 * time.Second) + + r.runHook() + case err := <-r.w.Errors(r.cfgPath): + r.logger.Error(err, "watcher error") + case <-ctx.Done(): + if r.cancel != nil { + r.cancel() + } + return + } + } + }() + + return nil +} + +func (r *Loader) runHook() { + if r.hook == nil { + return + } + + r.logger.Info("running hook") + c, cancel := context.WithCancel(context.TODO()) + r.cancel = cancel + go func(ctx context.Context) { + if err := r.hook(ctx, r.cfg); err != nil { + r.logger.Error(err, "hook error") + } + }(c) +} diff --git a/internal/envoygateway/config/loader/configloader_test.go b/internal/envoygateway/config/loader/configloader_test.go new file mode 100644 index 00000000000..d0420df0f5f --- /dev/null +++ b/internal/envoygateway/config/loader/configloader_test.go 
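Review bot: The reload branch in `Loader.Start` writes `r.cfg.EnvoyGateway` and `r.cfg.Logger` on the shared `*config.Server` before `r.cancel()` is called, so the runners started by the previous hook can still be reading that struct while it is replaced; this is an unsynchronised write that `-race` may flag. Cancelling first and handing the hook a fresh copy of the server config would avoid it. The decoded file is also applied after `SetEnvoyGatewayDefaults()` with no validation step visible in this hunk. If startup validates the configuration, the reload path should run the same check and keep the old config on failure, since an event can fire on a partially written file. `runHook` derives its context from `context.TODO()` rather than the `ctx` given to `Start`, and the fixed `time.Sleep(3 * time.Second)` does not guarantee the old runners have released their listeners.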
@@ -0,0 +1,59 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package loader + +import ( + "context" + _ "embed" + "os" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/envoyproxy/gateway/internal/envoygateway/config" +) + +var ( + //go:embed testdata/default.yaml + defaultConfig string + //go:embed testdata/enable-redis.yaml + redisConfig string +) + +func TestConfigLoader(t *testing.T) { + tmpDir, err := os.MkdirTemp("", "envoy-gateway-configloader-test") + require.NoError(t, err) + defer func(path string) { + _ = os.RemoveAll(path) + }(tmpDir) + + cfgPath := tmpDir + "/config.yaml" + require.NoError(t, os.WriteFile(cfgPath, []byte(defaultConfig), 0o600)) + s, err := config.New() + require.NoError(t, err) + + ctx, cancel := context.WithCancel(context.TODO()) + defer func() { + cancel() + }() + + changed := 0 + loader := New(cfgPath, s, func(_ context.Context, cfg *config.Server) error { + changed++ + t.Logf("config changed %d times", changed) + if changed > 1 { + cancel() + } + return nil + }) + + require.NoError(t, loader.Start(ctx)) + go func() { + _ = os.WriteFile(cfgPath, []byte(redisConfig), 0o600) + }() + + <-ctx.Done() +} diff --git a/internal/envoygateway/config/loader/testdata/default.yaml b/internal/envoygateway/config/loader/testdata/default.yaml new file mode 100644 index 00000000000..20463f848e1 --- /dev/null +++ b/internal/envoygateway/config/loader/testdata/default.yaml 
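Review bot: `TestConfigLoader` waits on `<-ctx.Done()` with no deadline and never checks what was reloaded, so a missed fsnotify event hangs the run until the global test timeout, and a reload that applied the wrong config would still pass. Create `ctx` with `context.WithTimeout` and fail when `ctx.Err()` is `context.DeadlineExceeded`, and assert in the hook that the second call sees `cfg.EnvoyGateway.RateLimit != nil`. `changed` is incremented from the goroutines that `runHook` spawns, so it should be an atomic counter. The error from the background `os.WriteFile` is dropped; report it with `t.Errorf`.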
@@ -0,0 +1,24 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +logging: + level: + default: info +provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes diff --git a/internal/envoygateway/config/loader/testdata/enable-redis.yaml b/internal/envoygateway/config/loader/testdata/enable-redis.yaml new file mode 100644 index 00000000000..ed2218ab5ab --- /dev/null +++ b/internal/envoygateway/config/loader/testdata/enable-redis.yaml @@ -0,0 +1,14 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +provider: + type: Kubernetes +gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +extensionApis: + enableEnvoyPatchPolicy: true + enableBackend: true +rateLimit: + backend: + type: Redis + redis: + url: redis.redis-system.svc.cluster.local:6379 diff --git a/internal/filewatcher/filewatcher.go b/internal/filewatcher/filewatcher.go new file mode 100644 index 00000000000..4fce5e9aba4 --- /dev/null +++ b/internal/filewatcher/filewatcher.go 
@@ -0,0 +1,179 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package filewatcher + +import ( + "errors" + "fmt" + "path/filepath" + "sync" + + "github.com/fsnotify/fsnotify" +) + +// FileWatcher is an interface that watches a set of files, +// delivering events to related channel. +type FileWatcher interface { + Add(path string) error + Remove(path string) error + Close() error + Events(path string) chan fsnotify.Event + Errors(path string) chan error +} + +type fileWatcher struct { + mu sync.RWMutex + + // The watcher maintain a map of workers, + // keyed by watched dir (parent dir of watched files). + workers map[string]*workerState + + funcs *patchTable +} + +type workerState struct { + worker *worker + count int +} + +// functions that can be replaced in a test setting +type patchTable struct { + newWatcher func() (*fsnotify.Watcher, error) + addWatcherPath func(*fsnotify.Watcher, string) error +} + +// NewWatcher return with a FileWatcher instance that implemented with fsnotify. 
+func NewWatcher() FileWatcher { + return &fileWatcher{ + workers: map[string]*workerState{}, + + // replaceable functions for tests + funcs: &patchTable{ + newWatcher: fsnotify.NewWatcher, + addWatcherPath: func(watcher *fsnotify.Watcher, path string) error { + return watcher.Add(path) + }, + }, + } +} + +// Close releases all resources associated with the watcher +func (fw *fileWatcher) Close() error { + fw.mu.Lock() + defer fw.mu.Unlock() + + for _, ws := range fw.workers { + ws.worker.terminate() + } + fw.workers = nil + + return nil +} + +// Add a path to watch +func (fw *fileWatcher) Add(path string) error { + fw.mu.Lock() + defer fw.mu.Unlock() + + ws, cleanedPath, _, err := fw.getWorker(path) + if err != nil { + return err + } + + if err = ws.worker.addPath(cleanedPath); err == nil { + ws.count++ + } + + return err +} + +// Stop watching a path +func (fw *fileWatcher) Remove(path string) error { + fw.mu.Lock() + defer fw.mu.Unlock() + + ws, cleanedPath, parentPath, err := fw.getWorker(path) + if err != nil { + return err + } + + if err = ws.worker.removePath(cleanedPath); err == nil { + ws.count-- + if ws.count == 0 { + ws.worker.terminate() + delete(fw.workers, parentPath) + } + } + + return err +} + +// Events returns an event notification channel for a path +func (fw *fileWatcher) Events(path string) chan fsnotify.Event { + fw.mu.RLock() + defer fw.mu.RUnlock() + + ws, cleanedPath, err := fw.findWorker(path) + if err != nil { + return nil + } + + return ws.worker.eventChannel(cleanedPath) +} + +// Errors returns an error notification channel for a path +func (fw *fileWatcher) Errors(path string) chan error { + fw.mu.RLock() + defer fw.mu.RUnlock() + + ws, cleanedPath, err := fw.findWorker(path) + if err != nil { + return nil + } + + return ws.worker.errorChannel(cleanedPath) +} + +func (fw *fileWatcher) getWorker(path string) (*workerState, string, string, error) { + if fw.workers == nil { + return nil, "", "", errors.New("using a closed watcher") + } + 
+ cleanedPath := filepath.Clean(path) + parentPath, _ := filepath.Split(cleanedPath) + + ws, workerExists := fw.workers[parentPath] + if !workerExists { + wk, err := newWorker(parentPath, fw.funcs) + if err != nil { + return nil, "", "", err + } + + ws = &workerState{ + worker: wk, + } + + fw.workers[parentPath] = ws + } + + return ws, cleanedPath, parentPath, nil +} + +func (fw *fileWatcher) findWorker(path string) (*workerState, string, error) { + if fw.workers == nil { + return nil, "", errors.New("using a closed watcher") + } + + cleanedPath := filepath.Clean(path) + parentPath, _ := filepath.Split(cleanedPath) + + ws, workerExists := fw.workers[parentPath] + if !workerExists { + return nil, "", fmt.Errorf("no path registered for %s", path) + } + + return ws, cleanedPath, nil +} diff --git a/internal/filewatcher/filewatcher_test.go b/internal/filewatcher/filewatcher_test.go new file mode 100644 index 00000000000..5230d7c05ad --- /dev/null +++ b/internal/filewatcher/filewatcher_test.go 
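Review bot: `Remove` looks up its worker with `getWorker`, which creates a worker (an fsnotify watcher plus a goroutine) for the parent directory when none exists. Removing a path that was never added therefore leaves a worker with `count == 0` registered until `Close`; `TestBogusRemove` exercises exactly this path. Using the non-creating lookup `findWorker` in `Remove`, and computing the parent directory for the `delete` separately, avoids the leak. The doc comments on `Events` and `Errors` should also state that they return nil for an unregistered path or a closed watcher, because a receive on a nil channel blocks forever.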
@@ -0,0 +1,321 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package filewatcher + +import ( + "errors" + "fmt" + "os" + "os/exec" + "path" + "runtime" + "sync" + "testing" + + "github.com/fsnotify/fsnotify" + "github.com/stretchr/testify/require" +) + +func newWatchFile(t *testing.T) string { + watchDir := t.TempDir() + watchFile := path.Join(watchDir, "test.conf") + err := os.WriteFile(watchFile, []byte("foo: bar\n"), 0o600) + require.NoError(t, err) + + return watchFile +} + +func newWatchFileThatDoesNotExist(t *testing.T) string { + watchDir := t.TempDir() + + watchFile := path.Join(watchDir, "test.conf") + + return watchFile +} + +// newTwoWatchFile returns with two watch files that exist in the same base dir. +func newTwoWatchFile(t *testing.T) (string, string) { + watchDir := t.TempDir() + + watchFile1 := path.Join(watchDir, "test1.conf") + err := os.WriteFile(watchFile1, []byte("foo: bar\n"), 0o600) + require.NoError(t, err) + + watchFile2 := path.Join(watchDir, "test2.conf") + err = os.WriteFile(watchFile2, []byte("foo: baz\n"), 0o600) + require.NoError(t, err) + + return watchFile1, watchFile2 +} + +// newSymlinkedWatchFile simulates the behavior of k8s configmap/secret. 
+// Path structure looks like: +// +// /test.conf +// ^ +// | +// +// /data/test.conf +// +// ^ +// | +// +// /data1/test.conf +func newSymlinkedWatchFile(t *testing.T) (string, string) { + watchDir := t.TempDir() + + dataDir1 := path.Join(watchDir, "data1") + err := os.Mkdir(dataDir1, 0o777) + require.NoError(t, err) + + realTestFile := path.Join(dataDir1, "test.conf") + t.Logf("Real test file location: %s\n", realTestFile) + err = os.WriteFile(realTestFile, []byte("foo: bar\n"), 0o600) + require.NoError(t, err) + + // Now, symlink the tmp `data1` dir to `data` in the baseDir + require.NoError(t, os.Symlink(dataDir1, path.Join(watchDir, "data"))) + // And link the `/datadir/test.conf` to `/test.conf` + watchFile := path.Join(watchDir, "test.conf") + require.NoError(t, os.Symlink(path.Join(watchDir, "data", "test.conf"), watchFile)) + t.Logf("Watch file location: %s\n", path.Join(watchDir, "test.conf")) + return watchDir, watchFile +} + +func TestWatchFile(t *testing.T) { + t.Run("file content changed", func(t *testing.T) { + // Given a file being watched + watchFile := newWatchFile(t) + _, err := os.Stat(watchFile) + require.NoError(t, err) + + w := NewWatcher() + require.NoError(t, w.Add(watchFile)) + events := w.Events(watchFile) + + wg := sync.WaitGroup{} + wg.Add(1) + go func() { + <-events + wg.Done() + }() + + // Overwriting the file and waiting its event to be received. 
+ err = os.WriteFile(watchFile, []byte("foo: baz\n"), 0o600) + require.NoError(t, err) + wg.Wait() + + _ = w.Close() + }) + + t.Run("link to real file changed (for k8s configmap/secret path)", func(t *testing.T) { + // skip if not executed on Linux + if runtime.GOOS != "linux" { + t.Skip("Skipping test as symlink replacements don't work on non-linux environment...") + } + + watchDir, watchFile := newSymlinkedWatchFile(t) + + w := NewWatcher() + require.NoError(t, w.Add(watchFile)) + events := w.Events(watchFile) + + wg := sync.WaitGroup{} + wg.Add(1) + go func() { + <-events + wg.Done() + }() + + // Link to another `test.conf` file + dataDir2 := path.Join(watchDir, "data2") + err := os.Mkdir(dataDir2, 0o777) + require.NoError(t, err) + + watchFile2 := path.Join(dataDir2, "test.conf") + err = os.WriteFile(watchFile2, []byte("foo: baz\n"), 0o600) + require.NoError(t, err) + + // change the symlink using the `ln -sfn` command + err = exec.Command("ln", "-sfn", dataDir2, path.Join(watchDir, "data")).Run() + require.NoError(t, err) + + // Wait its event to be received. + wg.Wait() + + _ = w.Close() + }) + + t.Run("file added later", func(t *testing.T) { + // Given a file being watched + watchFile := newWatchFileThatDoesNotExist(t) + + w := NewWatcher() + require.NoError(t, w.Add(watchFile)) + events := w.Events(watchFile) + + wg := sync.WaitGroup{} + wg.Add(1) + go func() { + <-events + wg.Done() + }() + + // Overwriting the file and waiting its event to be received. + err := os.WriteFile(watchFile, []byte("foo: baz\n"), 0o600) + require.NoError(t, err) + wg.Wait() + + _ = w.Close() + }) +} + +func TestWatcherLifecycle(t *testing.T) { + watchFile1, watchFile2 := newTwoWatchFile(t) + + w := NewWatcher() + + // Validate Add behavior + err := w.Add(watchFile1) + require.NoError(t, err) + err = w.Add(watchFile2) + require.NoError(t, err) + + // Validate events and errors channel are fulfilled. 
+ events1 := w.Events(watchFile1) + require.NotNil(t, events1) + events2 := w.Events(watchFile2) + require.NotNil(t, events2) + + errors1 := w.Errors(watchFile1) + require.NotNil(t, errors1) + errors2 := w.Errors(watchFile2) + require.NotNil(t, errors2) + + // Validate Remove behavior + err = w.Remove(watchFile1) + require.NoError(t, err) + events1 = w.Events(watchFile1) + require.Nil(t, events1) + errors1 = w.Errors(watchFile1) + require.Nil(t, errors1) + events2 = w.Events(watchFile2) + require.NotNil(t, events2) + errors2 = w.Errors(watchFile2) + require.NotNil(t, errors2) + + fmt.Printf("2\n") + // Validate Close behavior + err = w.Close() + require.NoError(t, err) + events1 = w.Events(watchFile1) + require.Nil(t, events1) + errors1 = w.Errors(watchFile1) + require.Nil(t, errors1) + events2 = w.Events(watchFile2) + require.Nil(t, events2) + errors2 = w.Errors(watchFile2) + require.Nil(t, errors2) +} + +func TestErrors(t *testing.T) { + w := NewWatcher() + + if ch := w.Errors("XYZ"); ch != nil { + t.Error("Expected no channel") + } + + if ch := w.Events("XYZ"); ch != nil { + t.Error("Expected no channel") + } + + name := newWatchFile(t) + _ = w.Add(name) + _ = w.Remove(name) + + if ch := w.Errors("XYZ"); ch != nil { + t.Error("Expected no channel") + } + + if ch := w.Events(name); ch != nil { + t.Error("Expected no channel") + } + + _ = w.Close() + + if err := w.Add(name); err == nil { + t.Error("Expecting error") + } + + if err := w.Remove(name); err == nil { + t.Error("Expecting error") + } + + if ch := w.Errors(name); ch != nil { + t.Error("Expecting nil") + } + + if ch := w.Events(name); ch != nil { + t.Error("Expecting nil") + } +} + +func TestBadWatcher(t *testing.T) { + w := NewWatcher() + w.(*fileWatcher).funcs.newWatcher = func() (*fsnotify.Watcher, error) { + return nil, errors.New("FOOBAR") + } + + name := newWatchFile(t) + if err := w.Add(name); err == nil { + t.Errorf("Expecting error, got nil") + } + if err := w.Close(); err != nil { + 
t.Errorf("Expecting nil, got %v", err) + } +} + +func TestBadAddWatcher(t *testing.T) { + w := NewWatcher() + w.(*fileWatcher).funcs.addWatcherPath = func(*fsnotify.Watcher, string) error { + return errors.New("FOOBAR") + } + + name := newWatchFile(t) + if err := w.Add(name); err == nil { + t.Errorf("Expecting error, got nil") + } + if err := w.Close(); err != nil { + t.Errorf("Expecting nil, got %v", err) + } +} + +func TestDuplicateAdd(t *testing.T) { + w := NewWatcher() + + name := newWatchFile(t) + + if err := w.Add(name); err != nil { + t.Errorf("Expecting nil, got %v", err) + } + + if err := w.Add(name); err == nil { + t.Errorf("Expecting error, got nil") + } + + _ = w.Close() +} + +func TestBogusRemove(t *testing.T) { + w := NewWatcher() + + name := newWatchFile(t) + if err := w.Remove(name); err == nil { + t.Errorf("Expecting error, got nil") + } + + _ = w.Close() +} diff --git a/internal/filewatcher/worker.go b/internal/filewatcher/worker.go new file mode 100644 index 00000000000..6ae9c9f77ba --- /dev/null +++ b/internal/filewatcher/worker.go 
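Review bot: `TestWatcherLifecycle` still contains a debugging line, `fmt.Printf("2\n")`, which writes to stdout on every run; drop it or use `t.Log`. The three `TestWatchFile` subtests block on `wg.Wait()` with no timeout, so a missed event hangs the package instead of failing; a `select` on the events channel and `time.After` gives a bounded failure. The symlink fixtures are created with `os.Mkdir(..., 0o777)`, where `0o700` is enough for a temporary directory.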
@@ -0,0 +1,256 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package filewatcher + +import ( + "bufio" + "bytes" + "crypto/sha256" + "fmt" + "io" + "os" + "sync" + + "github.com/fsnotify/fsnotify" +) + +type worker struct { + mu sync.RWMutex + + // watcher is an fsnotify watcher that watches the parent + // dir of watchedFiles. + dirWatcher *fsnotify.Watcher + + // The worker maintains a map of channels keyed by watched file path. + // The worker watches parent path of given path, + // and filters out events of given path, then redirect + // to the result channel. + // Note that for symlink files, the content in received events + // do not have to be related to the file itself. + watchedFiles map[string]*fileTracker + + // tracker lifecycle + retireTrackerCh chan *fileTracker + + // tells the worker to exit + terminateCh chan bool +} + +type fileTracker struct { + events chan fsnotify.Event + errors chan error + + // Hash sum to indicate if a file has been updated. 
+ hash []byte +} + +func newWorker(path string, funcs *patchTable) (*worker, error) { + dirWatcher, err := funcs.newWatcher() + if err != nil { + return nil, err + } + + if err = funcs.addWatcherPath(dirWatcher, path); err != nil { + _ = dirWatcher.Close() + return nil, err + } + + wk := &worker{ + dirWatcher: dirWatcher, + watchedFiles: make(map[string]*fileTracker), + retireTrackerCh: make(chan *fileTracker), + terminateCh: make(chan bool), + } + + go wk.listen() + + return wk, nil +} + +func (wk *worker) listen() { + wk.loop() + + _ = wk.dirWatcher.Close() + + // drain any retiring trackers that may be pending + wk.drainRetiringTrackers() + + // clean up the rest + for _, ft := range wk.watchedFiles { + retireTracker(ft) + } +} + +func (wk *worker) loop() { + for { + select { + case event := <-wk.dirWatcher.Events: + // work on a copy of the watchedFiles map, so that we don't interfere + // with the caller's use of the map + for path, ft := range wk.getTrackers() { + if ft.events == nil { + // tracker has been retired, skip it + continue + } + + sum := getHashSum(path) + if !bytes.Equal(sum, ft.hash) { + ft.hash = sum + + select { + case ft.events <- event: + // nothing to do + + case ft := <-wk.retireTrackerCh: + retireTracker(ft) + + case <-wk.terminateCh: + return + } + } + } + + case err := <-wk.dirWatcher.Errors: + for _, ft := range wk.getTrackers() { + if ft.errors == nil { + // tracker has been retired, skip it + continue + } + + select { + case ft.errors <- err: + // nothing to do + + case ft := <-wk.retireTrackerCh: + retireTracker(ft) + + case <-wk.terminateCh: + return + } + } + + case ft := <-wk.retireTrackerCh: + retireTracker(ft) + + case <-wk.terminateCh: + return + } + } +} + +// used only by the worker goroutine +func (wk *worker) drainRetiringTrackers() { + // cleanup any trackers that were in the process + // of being retired, but didn't get processed due + // to termination + for { + select { + case ft := <-wk.retireTrackerCh: + 
retireTracker(ft) + default: + return + } + } +} + +// make a local copy of the set of trackers to avoid contention with callers +// used only by the worker goroutine +func (wk *worker) getTrackers() map[string]*fileTracker { + wk.mu.RLock() + + result := make(map[string]*fileTracker, len(wk.watchedFiles)) + for k, v := range wk.watchedFiles { + result[k] = v + } + + wk.mu.RUnlock() + return result +} + +// used only by the worker goroutine +func retireTracker(ft *fileTracker) { + close(ft.events) + close(ft.errors) + ft.events = nil + ft.errors = nil +} + +func (wk *worker) terminate() { + wk.terminateCh <- true +} + +func (wk *worker) addPath(path string) error { + wk.mu.Lock() + + ft := wk.watchedFiles[path] + if ft != nil { + wk.mu.Unlock() + return fmt.Errorf("path %s is already being watched", path) + } + + ft = &fileTracker{ + events: make(chan fsnotify.Event), + errors: make(chan error), + hash: getHashSum(path), + } + + wk.watchedFiles[path] = ft + wk.mu.Unlock() + + return nil +} + +func (wk *worker) removePath(path string) error { + wk.mu.Lock() + + ft := wk.watchedFiles[path] + if ft == nil { + wk.mu.Unlock() + return fmt.Errorf("path %s not found", path) + } + + delete(wk.watchedFiles, path) + wk.mu.Unlock() + + wk.retireTrackerCh <- ft + return nil +} + +func (wk *worker) eventChannel(path string) chan fsnotify.Event { + wk.mu.RLock() + defer wk.mu.RUnlock() + + if ft := wk.watchedFiles[path]; ft != nil { + return ft.events + } + + return nil +} + +func (wk *worker) errorChannel(path string) chan error { + wk.mu.RLock() + defer wk.mu.RUnlock() + + if ft := wk.watchedFiles[path]; ft != nil { + return ft.errors + } + + return nil +} + +// gets the hash of the given file, or nil if there's a problem +func getHashSum(file string) []byte { + f, err := os.Open(file) + if err != nil { + return nil + } + defer f.Close() + r := bufio.NewReader(f) + + h := sha256.New() + _, _ = io.Copy(h, r) + return h.Sum(nil) +} 
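Review bot: `getHashSum` discards the error from `io.Copy`, so a read that fails part-way yields the hash of a truncated file, which `loop` then compares against the stored hash as if it were the real content. Returning nil on a copy error, `if _, err := io.Copy(h, f); err != nil { return nil }`, keeps the function's stated "nil if there's a problem" contract; the `bufio.Reader` wrapper adds nothing for `io.Copy` and can go. A comment on `terminate` and `removePath` should note that both send on unbuffered channels and therefore block if the worker goroutine has already exited.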
diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go index 6c261aff3f3..300314d92e0 100644 --- a/internal/infrastructure/runner/runner.go +++ b/internal/infrastructure/runner/runner.go @@ -56,6 +56,13 @@ func (r *Runner) Start(ctx context.Context) (err error) { // Enable global ratelimit if it has been configured. if r.EnvoyGateway.RateLimit != nil { go r.enableRateLimitInfra(ctx) + } else { + // Delete the ratelimit infra if it exists. + go func() { + if err := r.mgr.DeleteRateLimitInfra(ctx); err != nil { + r.Logger.Error(err, "failed to delete ratelimit infra") + } + }() } r.Logger.Info("started") } diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 915e6e5acd8..167e70746ec 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -8,6 +8,7 @@ package kubernetes import ( "context" "fmt" + "time" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -111,7 +112,10 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater r.namespaceLabel = cfg.EnvoyGateway.Provider.Kubernetes.Watch.NamespaceSelector } - c, err := controller.New("gatewayapi", mgr, controller.Options{Reconciler: r, SkipNameValidation: skipNameValidation()}) + // controller-runtime doesn't allow run controller with same name for more than once + // see https://github.com/kubernetes-sigs/controller-runtime/blob/2b941650bce159006c88bd3ca0d132c7bc40e947/pkg/controller/name.go#L29 + name := fmt.Sprintf("gatewayapi-%d", time.Now().Unix()) + c, err := controller.New(name, mgr, controller.Options{Reconciler: r, SkipNameValidation: skipNameValidation()}) if err != nil { return fmt.Errorf("error creating controller: %w", err) } diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index cca90a24a17..4fdbc329dd0 100644 --- a/internal/provider/kubernetes/kubernetes.go 
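Review bot: The new `else` branch in `Runner.Start` calls `r.mgr.DeleteRateLimitInfra(ctx)` on every start where `RateLimit` is nil, including the first start of an installation that never enabled rate limiting. Whether that is a cheap no-op depends on the manager's not-found handling, which is not visible in this hunk. The goroutine is untracked, so the `started` log line can precede a failed delete. A comment such as `// RateLimit was removed by a config reload: tear down previously created infra.` would record why the delete is here. The body of `Start` continues outside the hunk.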
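Review bot: The controller name built in `newGatewayAPIController`, `fmt.Sprintf("gatewayapi-%d", time.Now().Unix())`, changes on every reload. controller-runtime uses the controller name as a label on its reconcile and workqueue metrics and in log fields, so each reload adds a new label series, and dashboards or alerts keyed on `gatewayapi` stop matching. The options already pass `SkipNameValidation: skipNameValidation()`; if that can be enabled for reloads, the fixed name could be kept. If the timestamp stays, its one-second resolution allows a collision between two starts in the same second. The function body continues outside the hunk.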
+++ b/internal/provider/kubernetes/kubernetes.go @@ -112,7 +112,8 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) // Emit elected & continue with envoyObjects of infra resources go func() { <-mgr.Elected() - close(svr.Elected) + // WARN: DO NOT CLOSE IT + svr.Elected <- struct{}{} }() return &Provider{ diff --git a/internal/wasm/httpserver.go b/internal/wasm/httpserver.go index 9b1d0b32c90..14e70a8c6dc 100644 --- a/internal/wasm/httpserver.go +++ b/internal/wasm/httpserver.go @@ -131,6 +131,12 @@ func (s *HTTPServer) Start(ctx context.Context) { return } }() + + go func() { + // waiting for shutdown + <-ctx.Done() + _ = s.server.Shutdown(context.Background()) + }() s.cache.Start(ctx) go s.resetFailedAttempts(ctx) } diff --git a/tools/hack/deployment-exists.sh b/tools/hack/deployment-exists.sh index cc50e1c2638..d5081b424bc 100755 --- a/tools/hack/deployment-exists.sh +++ b/tools/hack/deployment-exists.sh @@ -3,9 +3,8 @@ DEPLOYMENT_LABEL_SELECTOR=$1 DEPLOYMENT_NAMESPACE=$2 - # Timeout for deployment to exist (in seconds) -exist_timeout=25 +exist_timeout=300 end=$((SECONDS+exist_timeout)) while true; do diff --git a/tools/make/kube.mk b/tools/make/kube.mk index c659e234787..91c1580ab2d 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -138,9 +138,6 @@ e2e: create-cluster kube-install-image kube-deploy install-ratelimit install-e2e install-ratelimit: @$(LOG_TARGET) kubectl apply -f examples/redis/redis.yaml - kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system - kubectl rollout status --watch --timeout=5m -n envoy-gateway-system deployment/envoy-gateway - kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available tools/hack/deployment-exists.sh "app.kubernetes.io/name=envoy-ratelimit" "envoy-gateway-system" kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available 
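Review bot: Replacing `close(svr.Elected)` with `svr.Elected <- struct{}{}` in `New` turns the election signal from a broadcast into a single hand-off: a send releases exactly one receiver, and on an unbuffered channel this goroutine blocks until one is ready. The consumers and the buffer size of `svr.Elected` are outside the hunk; if more than one component waits on it, all but one stay blocked after election, and if none is waiting the goroutine never exits. The comment `// WARN: DO NOT CLOSE IT` gives no reason. It should say why closing is unsafe (presumably the channel outlives one provider instance, so a second close would panic) and that exactly one receiver per election is expected.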
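Review bot: In the new shutdown goroutine of `HTTPServer.Start`, `s.server.Shutdown(context.Background())` has no deadline and its error is discarded. Assuming `s.server` is a `net/http` server, it waits for as long as any client keeps a connection active, so a stalled peer can hold the process open after `ctx` is cancelled. Bound the wait with `sctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` and `defer cancel()`, then call `s.server.Shutdown(sctx)` and log a non-nil error instead of dropping it. The timeout value is only a suggestion, and `time` has to be imported if the file does not already do so. `Start` begins outside the hunk.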
From 272da6dae0a558c52a3a974ca6cb90cc3e8fe84a Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Sat, 19 Oct 2024 05:08:22 +0530 Subject: [PATCH 269/523] e2e: add tests for ratelimit invert matching headers (#4452) add tests for ratelimit invert matching headers Signed-off-by: Rudrakh Panigrahi --- .../ratelimit-header-invert-match.yaml | 42 +++++++++ test/e2e/tests/ratelimit.go | 88 +++++++++++++++++++ 2 files changed, 130 insertions(+) create mode 100644 test/e2e/testdata/ratelimit-header-invert-match.yaml diff --git a/test/e2e/testdata/ratelimit-header-invert-match.yaml b/test/e2e/testdata/ratelimit-header-invert-match.yaml new file mode 100644 index 00000000000..7261ef30e35 --- /dev/null +++ b/test/e2e/testdata/ratelimit-header-invert-match.yaml @@ -0,0 +1,42 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: ratelimit-anded-headers-with-invert + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: header-ratelimit + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - headers: + - name: x-user-name + type: Distinct + - name: x-user-name + type: Exact + value: admin + invert: true + limit: + requests: 3 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: header-ratelimit + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /get + backendRefs: + - name: infra-backend-v1 + port: 8080 diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index 80064e6d906..b87576b60aa 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go 
@@ -26,6 +26,7 @@ import (
 func init() {
 ConformanceTests = append(ConformanceTests, RateLimitCIDRMatchTest)
 ConformanceTests = append(ConformanceTests, RateLimitHeaderMatchTest)
+ ConformanceTests = append(ConformanceTests, RateLimitHeaderInvertMatchTest)
 ConformanceTests = append(ConformanceTests, RateLimitHeadersDisabled)
 ConformanceTests = append(ConformanceTests, RateLimitBasedJwtClaimsTest)
 ConformanceTests = append(ConformanceTests, RateLimitMultipleListenersTest)
@@ -170,6 +171,93 @@ var RateLimitHeaderMatchTest = suite.ConformanceTest{ }, } +var RateLimitHeaderInvertMatchTest = suite.ConformanceTest{ + ShortName: "RateLimitHeaderInvertMatch", + Description: "Limit all requests that match distinct headers except for which invert is set to true", + Manifests: []string{"testdata/ratelimit-header-invert-match.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "header-ratelimit", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + t.Run("all matched headers got limited", func(t *testing.T) { + requestHeaders := map[string]string{ + "x-user-name": "username", + } + + ratelimitHeader := make(map[string]string) + expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 200, + Headers: ratelimitHeader, + }, + Namespace: ns, + } + expectOkResp.Response.Headers["X-Ratelimit-Limit"] = "3, 3;w=3600" + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + expectLimitResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 429, + }, + Namespace: ns, + } + expectLimitReq := http.MakeRequest(t, &expectLimitResp, gwAddr, "HTTP", "http") + + // should just send exactly 4 requests, and expect 429 + + // keep sending requests till get 200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest of the requests + if err := GotExactExpectedResponse(t, 2, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("failed to get 
expected response for the first three requests: %v", err) + } + if err := GotExactExpectedResponse(t, 1, suite.RoundTripper, expectLimitReq, expectLimitResp); err != nil { + t.Errorf("failed to get expected response for the last (fourth) request: %v", err) + } + }) + + t.Run("if header matched with invert will not get limited", func(t *testing.T) { + requestHeaders := map[string]string{ + "x-user-name": "admin", + } + + // it does not require any rate limit header, since this request never be rate limited. + expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + // send exactly 4 requests, and still expect 200 + + // keep sending requests till get 200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest of the requests + if err := GotExactExpectedResponse(t, 3, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("failed to get expected responses for the request: %v", err) + } + }) + }, +} + var RateLimitHeadersDisabled = suite.ConformanceTest{ ShortName: "RateLimitHeadersDisabled", Description: "Disable rate limit headers", From 8c748d385cd185e40d7c39e00135476a1f0c9bd2 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 19 Oct 2024 13:24:24 +0800 Subject: [PATCH 270/523] chore: update logo (#4469) * chore: update logo Signed-off-by: zirain * update Signed-off-by: zirain --------- Signed-off-by: zirain --- site/assets/icons/logo.svg | 219 +++++++++---------------------------- 1 file changed, 51 insertions(+), 168 deletions(-) diff --git a/site/assets/icons/logo.svg b/site/assets/icons/logo.svg index b0e579bd9d4..77ac7ed5386 100644 --- a/site/assets/icons/logo.svg +++ b/site/assets/icons/logo.svg 
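Review bot: The second subtest of `RateLimitHeaderInvertMatchTest`, `if header matched with invert will not get limited`, expects only 200 responses, so it also passes when no rate limit is enforced at all, for example when it is run on its own or before the policy is programmed. It relies on the first subtest to have shown that the limit is active. Either assert in the same subtest that a non-`admin` value of `x-user-name` still receives 429, or document the dependency with `// relies on the previous subtest having confirmed that the policy is enforced`. Separately, the limit uses `unit: Hour` with the fixed value `username`, so a rerun against the same rate-limit backend within the hour may start with an exhausted bucket; whether the suite resets that state is not visible here.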
@@ -1,170 +1,53 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From d996c29dc559e3f6c412a3f120834e1a2daee753 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 19 Oct 2024 13:25:26 +0800 Subject: [PATCH 271/523] docs: correct the curl command (#4467) Signed-off-by: zirain --- .../content/en/docs/tasks/extensibility/envoy-patch-policy.md | 4 ++-- .../en/latest/tasks/extensibility/envoy-patch-policy.md | 4 ++-- .../content/en/v1.1/tasks/extensibility/envoy-patch-policy.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md index 7fe84762189..3c4c0a4d068 100644 --- a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md @@ -269,8 +269,8 @@ kubectl patch httproute backend --type=json --patch ' * Test it out by specifying a path apart from `/get` -``` -$ curl --header "Host: www.example.com" http://localhost:8888/find +```shell +$ curl --header "Host: www.example.com" http://$GATEWAY_HOST/find Handling connection for 8888 could not find what you are looking for ``` diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index e503244c503..e9709cc7651 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md @@ -268,8 +268,8 @@ kubectl patch httproute backend --type=json --patch ' * Test it out by specifying a path apart from `/get` -``` -$ curl --header "Host: www.example.com" http://localhost:8888/find +```shell +$ curl --header "Host: www.example.com" http://$GATEWAY_HOST/find Handling connection for 8888 could not find what you are looking for ``` 
diff --git a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md index 7fe84762189..3c4c0a4d068 100644 --- a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md @@ -269,8 +269,8 @@ kubectl patch httproute backend --type=json --patch ' * Test it out by specifying a path apart from `/get` -``` -$ curl --header "Host: www.example.com" http://localhost:8888/find +```shell +$ curl --header "Host: www.example.com" http://$GATEWAY_HOST/find Handling connection for 8888 could not find what you are looking for ``` From 3e39606f3fc74a8f2e6d8fb5091d2289bd918a5a Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 19 Oct 2024 13:28:39 +0800 Subject: [PATCH 272/523] chore: use ptr.Deref to simply code (#4477) Signed-off-by: zirain --- internal/gatewayapi/listener.go | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 5c85e561ea1..51fd1f74da2 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -344,7 +344,8 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * al := &ir.ALSAccessLog{ LogName: logName, Destination: ir.RouteDestination{ - Name: fmt.Sprintf("accesslog_als_%d_%d", i, j), // TODO: rename this, so that we can share backend with tracing? + // TODO: rename this, so that we can share backend with tracing? + Name: fmt.Sprintf("accesslog_als_%d_%d", i, j), Settings: ds, }, Traffic: traffic, 
@@ -384,7 +385,8 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * CELMatches: validExprs, Resources: sink.OpenTelemetry.Resources, Destination: ir.RouteDestination{ - Name: fmt.Sprintf("accesslog_otel_%d_%d", i, j), // TODO: rename this, so that we can share backend with tracing? + // TODO: rename this, so that we can share backend with tracing? + Name: fmt.Sprintf("accesslog_otel_%d_%d", i, j), Settings: ds, }, Traffic: traffic, @@ -416,7 +418,9 @@ func (t *Translator) processAccessLog(envoyproxy *egv1a1.EnvoyProxy, resources * return irAccessLog, nil } -func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy, mergeGateways bool, resources *resource.Resources) (*ir.Tracing, error) { +func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.EnvoyProxy, + mergeGateways bool, resources *resource.Resources, +) (*ir.Tracing, error) { if envoyproxy == nil || envoyproxy.Spec.Telemetry == nil || envoyproxy.Spec.Telemetry.Tracing == nil { @@ -460,7 +464,8 @@ func (t *Translator) processTracing(gw *gwapiv1.Gateway, envoyproxy *egv1a1.Envo SamplingRate: samplingRate, CustomTags: tracing.CustomTags, Destination: ir.RouteDestination{ - Name: "tracing", // TODO: rename this, so that we can share backend with accesslog? + // TODO: rename this, so that we can share backend with accesslog? + Name: "tracing", Settings: ds, }, Provider: tracing.Provider, 
@@ -487,13 +492,15 @@ func (t *Translator) processMetrics(envoyproxy *egv1a1.EnvoyProxy, resources *re } return &ir.Metrics{ - EnableVirtualHostStats: envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, - EnablePerEndpointStats: envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, - EnableRequestResponseSizesStats: envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats != nil && *envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats, + EnableVirtualHostStats: ptr.Deref(envoyproxy.Spec.Telemetry.Metrics.EnableVirtualHostStats, false), + EnablePerEndpointStats: ptr.Deref(envoyproxy.Spec.Telemetry.Metrics.EnablePerEndpointStats, false), + EnableRequestResponseSizesStats: ptr.Deref(envoyproxy.Spec.Telemetry.Metrics.EnableRequestResponseSizesStats, false), }, nil } -func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) { +func (t *Translator) processBackendRefs(backendCluster egv1a1.BackendCluster, namespace string, + resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, +) ([]*ir.DestinationSetting, *ir.TrafficFeatures, error) { traffic, err := translateTrafficFeatures(backendCluster.BackendSettings) if err != nil { return nil, nil, err From 8854d2db3e454e9e908f469f274c83b0f7923248 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 19 Oct 2024 13:32:14 +0800 Subject: [PATCH 273/523] chore: bump crd-ref-docs (#4474) * bump crd-ref-docs Signed-off-by: zirain * use go 1.23.1 Signed-off-by: zirain * lint Signed-off-by: zirain --------- 
Signed-off-by: zirain --- api/v1alpha1/basic_auth_types.go | 6 ++++-- api/v1alpha1/oidc_types.go | 4 ++-- api/v1alpha1/wasm_types.go | 4 ++-- internal/gatewayapi/validate.go | 6 +++--- internal/provider/kubernetes/controller.go | 6 +++--- internal/provider/kubernetes/indexers.go | 2 +- internal/provider/kubernetes/predicates_test.go | 7 +++---- test/e2e/tests/wasm_oci.go | 3 +-- tools/src/crd-ref-docs/go.mod | 4 ++-- tools/src/crd-ref-docs/go.sum | 6 ++---- 10 files changed, 23 insertions(+), 25 deletions(-) diff --git a/api/v1alpha1/basic_auth_types.go b/api/v1alpha1/basic_auth_types.go index 97fa66d5e76..f7bec283780 100644 --- a/api/v1alpha1/basic_auth_types.go +++ b/api/v1alpha1/basic_auth_types.go @@ -5,7 +5,9 @@ package v1alpha1 -import gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" +import ( + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) const BasicAuthUsersSecretKey = ".htpasswd" @@ -23,5 +25,5 @@ type BasicAuth struct { // for more details. // // Note: The secret must be in the same namespace as the SecurityPolicy. - Users gwapiv1b1.SecretObjectReference `json:"users"` + Users gwapiv1.SecretObjectReference `json:"users"` } diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 78c32287cde..dcc03615772 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -7,7 +7,7 @@ package v1alpha1 import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) const OIDCClientSecretKey = "client-secret" 
@@ -29,7 +29,7 @@ type OIDC struct { // This is an Opaque secret. The client secret should be stored in the key // "client-secret". // +kubebuilder:validation:Required - ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"` + ClientSecret gwapiv1.SecretObjectReference `json:"clientSecret"` // The optional cookie name overrides to be used for Bearer and IdToken cookies in the // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go index 1c41513f941..66c0e1fc84f 100644 --- a/api/v1alpha1/wasm_types.go +++ b/api/v1alpha1/wasm_types.go @@ -7,7 +7,7 @@ package v1alpha1 import ( apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) // Wasm defines a Wasm extension. @@ -136,7 +136,7 @@ type ImageWasmCodeSource struct { // Only support Kubernetes Secret resource from the same namespace. // +kubebuilder:validation:XValidation:message="only support Secret kind.",rule="self.kind == 'Secret'" // +optional - PullSecretRef *gwapiv1b1.SecretObjectReference `json:"pullSecretRef,omitempty"` + PullSecretRef *gwapiv1.SecretObjectReference `json:"pullSecretRef,omitempty"` } // ImagePullPolicy defines the policy to use when pulling an OIC image. diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 87020d7f6ec..6b9a488b86b 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go 
@@ -914,7 +914,7 @@ func (t *Translator) validateHostname(hostname string) error { func (t *Translator) validateSecretRef( allowCrossNamespace bool, from crossNamespaceFrom, - secretObjRef gwapiv1b1.SecretObjectReference, + secretObjRef gwapiv1.SecretObjectReference, resources *resource.Resources, ) (*corev1.Secret, error) { if err := t.validateSecretObjectRef(allowCrossNamespace, from, secretObjRef, resources); err != nil { @@ -938,7 +938,7 @@ func (t *Translator) validateSecretRef( func (t *Translator) validateConfigMapRef( allowCrossNamespace bool, from crossNamespaceFrom, - secretObjRef gwapiv1b1.SecretObjectReference, + secretObjRef gwapiv1.SecretObjectReference, resources *resource.Resources, ) (*corev1.ConfigMap, error) { if err := t.validateSecretObjectRef(allowCrossNamespace, from, secretObjRef, resources); err != nil { @@ -962,7 +962,7 @@ func (t *Translator) validateConfigMapRef( func (t *Translator) validateSecretObjectRef( allowCrossNamespace bool, from crossNamespaceFrom, - secretRef gwapiv1b1.SecretObjectReference, + secretRef gwapiv1.SecretObjectReference, resources *resource.Resources, ) error { var kind string diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 167e70746ec..7fe3c3d32ff 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -602,7 +602,7 @@ func (r *gatewayAPIReconciler) processSecretRef( ownerKind string, ownerNS string, ownerName string, - secretRef gwapiv1b1.SecretObjectReference, + secretRef gwapiv1.SecretObjectReference, ) error { secret := new(corev1.Secret) secretNS := gatewayapi.NamespaceDerefOr(secretRef.Namespace, ownerNS) 
@@ -704,7 +704,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( ownerKind string, ownerNS string, ownerName string, - configMapRef gwapiv1b1.SecretObjectReference, + configMapRef gwapiv1.SecretObjectReference, ) error { configMap := new(corev1.ConfigMap) configMapNS := gatewayapi.NamespaceDerefOr(configMapRef.Namespace, ownerNS) @@ -1794,7 +1794,7 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( string(caCertRef.Kind) == resource.KindSecret { var err error - caRefNew := gwapiv1b1.SecretObjectReference{ + caRefNew := gwapiv1.SecretObjectReference{ Group: gatewayapi.GroupPtr(string(caCertRef.Group)), Kind: gatewayapi.KindPtr(string(caCertRef.Kind)), Name: caCertRef.Name, diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 68a58dd872d..462a70542f3 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -531,7 +531,7 @@ func secretSecurityPolicyIndexFunc(rawObj client.Object) []string { securityPolicy := rawObj.(*egv1a1.SecurityPolicy) var ( - secretReferences []gwapiv1b1.SecretObjectReference + secretReferences []gwapiv1.SecretObjectReference values []string ) diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index ef8182ffdb9..5954e94675e 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -19,7 +19,6 @@ import ( fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" 
@@ -261,7 +260,7 @@ func TestValidateSecretForReconcile(t *testing.T) { TokenEndpoint: ptr.To("https://oauth2.googleapis.com/token"), }, ClientID: "client-id", - ClientSecret: gwapiv1b1.SecretObjectReference{ + ClientSecret: gwapiv1.SecretObjectReference{ Name: "secret", }, }, @@ -290,7 +289,7 @@ func TestValidateSecretForReconcile(t *testing.T) { }, }, BasicAuth: &egv1a1.BasicAuth{ - Users: gwapiv1b1.SecretObjectReference{ + Users: gwapiv1.SecretObjectReference{ Name: "secret", }, }, @@ -336,7 +335,7 @@ func TestValidateSecretForReconcile(t *testing.T) { Type: egv1a1.ImageWasmCodeSourceType, Image: &egv1a1.ImageWasmCodeSource{ URL: "https://example.com/testwasm:v1.0.0", - PullSecretRef: &gwapiv1b1.SecretObjectReference{ + PullSecretRef: &gwapiv1.SecretObjectReference{ Name: "secret", }, }, diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 1a0a43a33c5..4a6a53f6603 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -32,7 +32,6 @@ import ( "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" - gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" @@ -416,7 +415,7 @@ func createEEPForWasmTest( }, } if withPullSecret { - eep.Spec.Wasm[0].Code.Image.PullSecretRef = &gwapiv1b1.SecretObjectReference{ + eep.Spec.Wasm[0].Code.Image.PullSecretRef = &gwapiv1.SecretObjectReference{ Name: gwapiv1.ObjectName(pullSecret), } } diff --git a/tools/src/crd-ref-docs/go.mod b/tools/src/crd-ref-docs/go.mod index 23b3153de03..017b54837b8 100644 --- a/tools/src/crd-ref-docs/go.mod +++ b/tools/src/crd-ref-docs/go.mod 
@@ -1,8 +1,8 @@ module local -go 1.22.7 +go 1.23.1 -require github.com/elastic/crd-ref-docs v0.0.13-0.20240723135120-56876bccac3a +require github.com/elastic/crd-ref-docs v0.1.0 require ( github.com/Masterminds/goutils v1.1.1 // indirect diff --git a/tools/src/crd-ref-docs/go.sum b/tools/src/crd-ref-docs/go.sum index 2c129e265b6..8bfb30cec1a 100644 --- a/tools/src/crd-ref-docs/go.sum +++ b/tools/src/crd-ref-docs/go.sum @@ -8,10 +8,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/elastic/crd-ref-docs v0.0.13-0.20240413123740-ea9fcaa0230f h1:cE1CF4Bfi+9gvaNz35jOsp3tFJVm/mFr88szZ41FG8Q= -github.com/elastic/crd-ref-docs v0.0.13-0.20240413123740-ea9fcaa0230f/go.mod h1:X83mMBdJt05heJUYiS3T0yJ/JkCuliuhSUNav5Gjo/U= -github.com/elastic/crd-ref-docs v0.0.13-0.20240723135120-56876bccac3a h1:+sHMdth53bKHbct/BqfYIhYXGKhIZJDv2PhS9Gfw8xg= -github.com/elastic/crd-ref-docs v0.0.13-0.20240723135120-56876bccac3a/go.mod h1:X83mMBdJt05heJUYiS3T0yJ/JkCuliuhSUNav5Gjo/U= +github.com/elastic/crd-ref-docs v0.1.0 h1:Cr5kz89QB3Iuuj7dhAfLMApCrChEGAaIBTxGk/xuRKw= +github.com/elastic/crd-ref-docs v0.1.0/go.mod h1:X83mMBdJt05heJUYiS3T0yJ/JkCuliuhSUNav5Gjo/U= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= From 70c568beae352160cebc138576dccd75239da0e4 Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 19 Oct 2024 13:40:11 +0800 Subject: [PATCH 274/523] docs: improve a little bit visual (#4468) * docs: improve a little bit visual Signed-off-by: zirain * sidebar Signed-off-by: zirain --------- 
Signed-off-by: zirain --- site/assets/scss/_variables_project.scss | 9 +++++++++ .../en/docs/tasks/extensibility/extension-server.md | 1 + .../en/latest/tasks/extensibility/extension-server.md | 1 + .../en/v1.1/tasks/extensibility/extension-server.md | 1 + 4 files changed, 12 insertions(+) diff --git a/site/assets/scss/_variables_project.scss b/site/assets/scss/_variables_project.scss index 8c3ce90a2cf..e799cef8e90 100644 --- a/site/assets/scss/_variables_project.scss +++ b/site/assets/scss/_variables_project.scss @@ -11,4 +11,13 @@ $dark: #280C53; // better style when pre inside tab pane .td-content .highlight pre{ margin-bottom: 1rem !important; +} + +nav.foldable-nav .with-child, nav.foldable-nav .without-child { + position: relative; + padding-left: 1.0em !important; +} + +nav.foldable-nav .ul-1 .with-child > label:before { + padding-left: 0 !important; } \ No newline at end of file diff --git a/site/content/en/docs/tasks/extensibility/extension-server.md b/site/content/en/docs/tasks/extensibility/extension-server.md index 7d67c23f6da..323ce5642ea 100644 --- a/site/content/en/docs/tasks/extensibility/extension-server.md +++ b/site/content/en/docs/tasks/extensibility/extension-server.md @@ -1,5 +1,6 @@ --- title: "Envoy Gateway Extension Server" +linkTitle: "Extension Server" --- This task explains how to extend Envoy Gateway using an Extension Server. Envoy Gateway diff --git a/site/content/en/latest/tasks/extensibility/extension-server.md b/site/content/en/latest/tasks/extensibility/extension-server.md index 922f0de7c8e..6d16013d410 100644 --- a/site/content/en/latest/tasks/extensibility/extension-server.md +++ b/site/content/en/latest/tasks/extensibility/extension-server.md @@ -1,5 +1,6 @@ --- title: "Envoy Gateway Extension Server" +linkTitle: "Extension Server" --- This task explains how to extend Envoy Gateway using an Extension Server. Envoy Gateway 
diff --git a/site/content/en/v1.1/tasks/extensibility/extension-server.md b/site/content/en/v1.1/tasks/extensibility/extension-server.md index 7d67c23f6da..323ce5642ea 100644 --- a/site/content/en/v1.1/tasks/extensibility/extension-server.md +++ b/site/content/en/v1.1/tasks/extensibility/extension-server.md @@ -1,5 +1,6 @@ --- title: "Envoy Gateway Extension Server" +linkTitle: "Extension Server" --- This task explains how to extend Envoy Gateway using an Extension Server. Envoy Gateway From 26ec49ab8ee3a03c90cd705cc9e90f8441cd97f2 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 21 Oct 2024 10:59:18 +0800 Subject: [PATCH 275/523] docs: update configuration kick in tips (#4479) * docs: update configuration kick in tips Signed-off-by: zirain * lint Signed-off-by: zirain * update Signed-off-by: zirain --------- Signed-off-by: zirain --- .../en/latest/boilerplates/rollout-envoy-gateway.md | 10 ++++++++++ .../latest/tasks/extensibility/envoy-patch-policy.md | 6 +----- .../tasks/observability/gateway-observability.md | 12 ++---------- .../tasks/observability/rate-limit-observability.md | 6 +----- .../en/latest/tasks/security/private-key-provider.md | 6 +----- site/content/en/latest/tasks/traffic/backend.md | 6 +----- .../en/latest/tasks/traffic/global-rate-limit.md | 12 ++---------- site/layouts/shortcodes/boilerplate.html | 2 +- tools/make/docs.mk | 3 +++ 9 files changed, 22 insertions(+), 41 deletions(-) create mode 100644 site/content/en/latest/boilerplates/rollout-envoy-gateway.md diff --git a/site/content/en/latest/boilerplates/rollout-envoy-gateway.md b/site/content/en/latest/boilerplates/rollout-envoy-gateway.md new file mode 100644 index 00000000000..9072526868c --- /dev/null +++ b/site/content/en/latest/boilerplates/rollout-envoy-gateway.md @@ -0,0 +1,10 @@ +--- +--- + +> After updating the `ConfigMap`, you will need to wait the configuration kicks in.
+> You can **force** the configuration to be reloaded by restarting the `envoy-gateway` deployment. +> +> ```shell +> kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system +> ``` +> \ No newline at end of file diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index e9709cc7651..54e69f41d0f 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md @@ -80,11 +80,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Testing diff --git a/site/content/en/latest/tasks/observability/gateway-observability.md b/site/content/en/latest/tasks/observability/gateway-observability.md index 6e0040b4f5d..f23eb9097cf 100644 --- a/site/content/en/latest/tasks/observability/gateway-observability.md +++ b/site/content/en/latest/tasks/observability/gateway-observability.md @@ -86,11 +86,7 @@ data: {{% /tab %}} {{< /tabpane >}} -After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in: - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ### Enable Open Telemetry sink in Envoy Gateway @@ -157,11 +153,7 @@ data: {{% /tab %}} {{< /tabpane >}} -After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in: - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} Verify OTel-Collector metrics: 
diff --git a/site/content/en/latest/tasks/observability/rate-limit-observability.md b/site/content/en/latest/tasks/observability/rate-limit-observability.md index a0e523d6c8a..ec1244f731e 100644 --- a/site/content/en/latest/tasks/observability/rate-limit-observability.md +++ b/site/content/en/latest/tasks/observability/rate-limit-observability.md @@ -91,8 +91,4 @@ data: {{% /tab %}} {{< /tabpane >}} -After updating the ConfigMap, you will need to restart the envoy-gateway deployment so the configuration kicks in: - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} diff --git a/site/content/en/latest/tasks/security/private-key-provider.md b/site/content/en/latest/tasks/security/private-key-provider.md index 529056b33e1..24544f67973 100644 --- a/site/content/en/latest/tasks/security/private-key-provider.md +++ b/site/content/en/latest/tasks/security/private-key-provider.md @@ -169,11 +169,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - - ```shell - kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system - ``` +{{< boilerplate rollout-envoy-gateway >}} ## Create gateway for TLS termination diff --git a/site/content/en/latest/tasks/traffic/backend.md b/site/content/en/latest/tasks/traffic/backend.md index 0f2ade4dadd..2bb2a4e647a 100644 --- a/site/content/en/latest/tasks/traffic/backend.md +++ b/site/content/en/latest/tasks/traffic/backend.md @@ -94,11 +94,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Testing 
diff --git a/site/content/en/latest/tasks/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md index 6c96b12efe7..15cc462dbf4 100644 --- a/site/content/en/latest/tasks/traffic/global-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md @@ -214,11 +214,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Rate Limit Specific User @@ -1287,11 +1283,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} [Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting diff --git a/site/layouts/shortcodes/boilerplate.html b/site/layouts/shortcodes/boilerplate.html index b120a8d1b14..752c4ad2e89 100644 --- a/site/layouts/shortcodes/boilerplate.html +++ b/site/layouts/shortcodes/boilerplate.html @@ -15,7 +15,7 @@ {{- $pattern := printf "%s*" $name -}} {{- $resource := $bundle.Resources.GetMatch $pattern -}} {{- with $resource -}} - {{- .Content | markdownify -}} + {{- .Content -}} {{- else -}} {{- errorf "Could not find boilerplate '%s' (%s)" $name $position -}} {{- end -}} diff --git a/tools/make/docs.mk b/tools/make/docs.mk index d6c6b4d8232..698896f089a 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk 
@@ -118,6 +118,9 @@ docs-check-links: # Check for broken links in the docs @$(LOG_TARGET) linkinator site/public/ -r --concurrency 25 --skip $(LINKINATOR_IGNORE) +docs-markdown-lint: + markdownlint -c .github/markdown_lint_config.json site/content/* + release-notes-docs: $(tools/release-notes-docs) @$(LOG_TARGET) @for file in $(wildcard release-notes/*.yaml); do \ From 319283e4ca5d9d27ddb4b5fc035b4490a03a5a9b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 22 Oct 2024 01:23:24 +0800 Subject: [PATCH 276/523] Fix wasm example link (#4491) fix wasm example link Signed-off-by: Huabing Zhao --- site/content/en/docs/tasks/extensibility/wasm.md | 6 +++--- site/content/en/latest/tasks/extensibility/wasm.md | 6 +++--- site/content/en/v1.1/tasks/extensibility/wasm.md | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/site/content/en/docs/tasks/extensibility/wasm.md b/site/content/en/docs/tasks/extensibility/wasm.md index cb2e013dd80..1b1d32f9ecb 100644 --- a/site/content/en/docs/tasks/extensibility/wasm.md +++ b/site/content/en/docs/tasks/extensibility/wasm.md @@ -23,7 +23,7 @@ kubectl get gateway/eg -o yaml ## Configuration -Envoy Gateway supports two types of Wasm extensions: +Envoy Gateway supports two types of Wasm extensions: * HTTP Wasm Extension: The Wasm extension is fetched from a remote URL. * Image Wasm Extension: The Wasm extension is packaged as an OCI image and fetched from an image registry. @@ -54,7 +54,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 EOF ``` 
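Review bot: The new `docs-markdown-lint` target in the `tools/make/docs.mk` hunk is written differently from the targets around it. It has no trailing help comment (compare `docs-check-links: # Check for broken links in the docs`), no `@$(LOG_TARGET)` as its first recipe line, and no prerequisite for the tool, whereas `release-notes-docs` depends on `$(tools/release-notes-docs)`. I would write the rule line as `docs-markdown-lint: # Lint the markdown files under site/content` and add `@$(LOG_TARGET)` as the first recipe line. The comment should also say that `markdownlint` must already be on PATH, unless a tool prerequisite is added. If the other targets carry a `.PHONY` declaration outside this hunk, this one needs it too.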
@@ -80,7 +80,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 ``` diff --git a/site/content/en/latest/tasks/extensibility/wasm.md b/site/content/en/latest/tasks/extensibility/wasm.md index 8a640471ee1..baad6a5804f 100644 --- a/site/content/en/latest/tasks/extensibility/wasm.md +++ b/site/content/en/latest/tasks/extensibility/wasm.md @@ -16,7 +16,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Configuration -Envoy Gateway supports two types of Wasm extensions: +Envoy Gateway supports two types of Wasm extensions: * HTTP Wasm Extension: The Wasm extension is fetched from a remote URL. * Image Wasm Extension: The Wasm extension is packaged as an OCI image and fetched from an image registry. @@ -47,7 +47,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 EOF ``` @@ -73,7 +73,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 ``` diff --git a/site/content/en/v1.1/tasks/extensibility/wasm.md b/site/content/en/v1.1/tasks/extensibility/wasm.md index cb2e013dd80..1b1d32f9ecb 100644 --- a/site/content/en/v1.1/tasks/extensibility/wasm.md 
+++ b/site/content/en/v1.1/tasks/extensibility/wasm.md @@ -23,7 +23,7 @@ kubectl get gateway/eg -o yaml ## Configuration -Envoy Gateway supports two types of Wasm extensions: +Envoy Gateway supports two types of Wasm extensions: * HTTP Wasm Extension: The Wasm extension is fetched from a remote URL. * Image Wasm Extension: The Wasm extension is packaged as an OCI image and fetched from an image registry. @@ -54,7 +54,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 EOF ``` @@ -80,7 +80,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/envoy/main/examples/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 ``` From 7ad22df2817b126c95eb1d36a732da872519468e Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 22 Oct 2024 01:30:41 +0800 Subject: [PATCH 277/523] Unhide BackendCluster for OIDC provider (#4490) unhide BackendCluster for OIDC provider Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 1 - 1 file changed, 1 deletion(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index dcc03615772..dfe7a4604f4 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -119,7 +119,6 @@ type OIDCProvider struct { // Other settings for the connection to the OIDC Provider can be specified in the BackendSettings resource. // // +optional - // +notImplementedHide BackendCluster `json:",inline"` // The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery). 
From 996d753538855880bfb75db019de32a9843ec26f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:48:51 -0700 Subject: [PATCH 278/523] build(deps): bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#4484) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.27.0 to 0.28.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/5681af892cd0f4997658e2bacc62bd0a894cf564...915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 9e4a1460f8e..f34bd237a88 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -25,7 +25,7 @@ jobs: IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: image-ref: envoy-proxy/gateway-dev:${{ github.sha }} exit-code: '1' From faa615fc4a5e455429b2e0202caa38d7369a1742 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:49:53 -0700 Subject: [PATCH 279/523] build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5 (#4486) build(deps): bump github.com/prometheus/client_golang Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.4 to 1.20.5. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.4...v1.20.5) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 0b7c29eb542..4090b698e5e 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.24.1 - github.com/prometheus/client_golang v1.20.4 + github.com/prometheus/client_golang v1.20.5 github.com/prometheus/common v0.60.0 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 diff --git a/go.sum b/go.sum index 5aa804824a4..dcf087e087a 100644 --- a/go.sum +++ b/go.sum 
@@ -689,8 +689,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= -github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= From 138abd12a69826159ce7bf7e55ee09390b7d8148 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:50:47 -0700 Subject: [PATCH 280/523] build(deps): bump github.com/urfave/cli/v2 from 2.27.4 to 2.27.5 in /examples/extension-server (#4488) build(deps): bump github.com/urfave/cli/v2 in /examples/extension-server Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.27.4 to 2.27.5. - [Release notes](https://github.com/urfave/cli/releases) - [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/urfave/cli/compare/v2.27.4...v2.27.5) --- updated-dependencies: - dependency-name: github.com/urfave/cli/v2 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 4 ++-- examples/extension-server/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 92af0438105..25eb15516ef 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -5,7 +5,7 @@ go 1.23.1 require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1 - github.com/urfave/cli/v2 v2.27.4 + github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 k8s.io/apimachinery v0.31.1 @@ -17,7 +17,7 @@ require ( cel.dev/expr v0.16.0 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 1df719e00af..29bfba9e9f4 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -4,8 +4,8 @@ github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMr github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -64,8 +64,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8= -github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ= +github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w= +github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= From 83af7d4f8e89f37d6ec125665f09c082c0fe390f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:51:11 -0700 Subject: [PATCH 281/523] build(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (#4485) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.12 to 3.26.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c36620d31ac7c881962c3d9dd939c40ec9434f2b...f779452ac5af1c261dce0346a8f964149f49322b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0f4771a3f5e..5fceea67877 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 987f7c2b62d..018bb5c0dd7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 with: sarif_file: results.sarif From 66c0b510a0ff71af0755cd5a24a5cc85d62b61df Mon Sep 17 00:00:00 2001 From: sh2 Date: Tue, 22 Oct 2024 02:07:13 +0800 Subject: [PATCH 282/523] fix: ratelimit not working with both headers and cidr matches (#4377) * fix ratelimit descriptors do not respect both headers and cidr match for one rule 
Signed-off-by: shawnh2 * fix gen-check and lint Signed-off-by: shawnh2 * fix ratelimit e2e test Signed-off-by: shawnh2 * add more comment and update test case Signed-off-by: shawnh2 --------- Signed-off-by: shawnh2 Co-authored-by: Huabing Zhao --- internal/xds/translator/ratelimit.go | 85 ++++++------- .../header-and-cidr-matches.yaml | 38 ++++++ .../in/xds-ir/ratelimit-headers-and-cidr.yaml | 88 ++++++++++++++ .../header-and-cidr-matches.yaml | 38 ++++++ .../ratelimit-headers-and-cidr.clusters.yaml | 98 +++++++++++++++ .../ratelimit-headers-and-cidr.endpoints.yaml | 36 ++++++ .../ratelimit-headers-and-cidr.listeners.yaml | 44 +++++++ .../ratelimit-headers-and-cidr.routes.yaml | 88 ++++++++++++++ .../ratelimit-headers-and-cidr-match.yaml | 45 +++++++ test/e2e/tests/ratelimit.go | 113 ++++++++++++++++++ 10 files changed, 633 insertions(+), 40 deletions(-) create mode 100644 internal/xds/translator/testdata/in/ratelimit-config/header-and-cidr-matches.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml create mode 100644 internal/xds/translator/testdata/out/ratelimit-config/header-and-cidr-matches.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.routes.yaml create mode 100644 test/e2e/testdata/ratelimit-headers-and-cidr-match.yaml diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 660bc2a7dec..06b37bc4589 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go 
@@ -157,11 +157,12 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ // Matches are ANDed rlActions := []*routev3.RateLimit_Action{routeDescriptor} for mIdx, match := range rule.HeaderMatches { + var action *routev3.RateLimit_Action // Case for distinct match if match.Distinct { // Setup RequestHeader actions descriptorKey := getRouteRuleDescriptor(rIdx, mIdx) - action := &routev3.RateLimit_Action{ + action = &routev3.RateLimit_Action{ ActionSpecifier: &routev3.RateLimit_Action_RequestHeaders_{ RequestHeaders: &routev3.RateLimit_Action_RequestHeaders{ HeaderName: match.Name, @@ -169,7 +170,6 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ }, }, } - rlActions = append(rlActions, action) } else { // Setup HeaderValueMatch actions descriptorKey := getRouteRuleDescriptor(rIdx, mIdx) @@ -184,7 +184,7 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ if match.Invert != nil && *match.Invert { expectMatch = false } - action := &routev3.RateLimit_Action{ + action = &routev3.RateLimit_Action{ ActionSpecifier: &routev3.RateLimit_Action_HeaderValueMatch_{ HeaderValueMatch: &routev3.RateLimit_Action_HeaderValueMatch{ DescriptorKey: descriptorKey, @@ -196,8 +196,8 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ }, }, } - rlActions = append(rlActions, action) } + rlActions = append(rlActions, action) } // To be able to rate limit each individual IP, we need to use a nested descriptors structure in the configuration @@ -236,7 +236,7 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ // Setup RemoteAddress action if distinct match is set if rule.CIDRMatch.Distinct { // Setup RemoteAddress action - action := &routev3.RateLimit_Action{ + action = &routev3.RateLimit_Action{ ActionSpecifier: &routev3.RateLimit_Action_RemoteAddress_{ RemoteAddress: &routev3.RateLimit_Action_RemoteAddress{}, }, 
@@ -245,8 +245,8 @@ func buildRouteRateLimits(descriptorPrefix string, global *ir.GlobalRateLimit) [ } } - // Case when header match is not set and the rate limit is applied - // to all traffic. + // Case when both header and cidr match are not set and the ratelimit + // will be applied to all traffic. if !rule.IsMatchSet() { // Setup GenericKey action action := &routev3.RateLimit_Action{ @@ -333,22 +333,21 @@ func BuildRateLimitServiceConfig(irListener *ir.HTTPListener) *rlsconfv3.RateLim func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.RateLimitDescriptor { pbDescriptors := make([]*rlsconfv3.RateLimitDescriptor, 0, len(global.Rules)) + // The order in which matching descriptors are built is consistent with + // the order in which ratelimit actions are built: + // 1) Header Matches + // 2) CIDR Match + // 3) No Match for rIdx, rule := range global.Rules { - var head, cur *rlsconfv3.RateLimitDescriptor - if !rule.IsMatchSet() { - pbDesc := new(rlsconfv3.RateLimitDescriptor) - // GenericKey case - pbDesc.Key = getRouteRuleDescriptor(rIdx, -1) - pbDesc.Value = getRouteRuleDescriptor(rIdx, -1) - rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), - Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), - } - pbDesc.RateLimit = &rateLimit - head = pbDesc - cur = head + rateLimitPolicy := &rlsconfv3.RateLimitPolicy{ + RequestsPerUnit: uint32(rule.Limit.Requests), + Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), } + // We use a chain structure to describe the matching descriptors for one rule. + // The RateLimitPolicy should be added to the last descriptor in the chain. + var head, cur *rlsconfv3.RateLimitDescriptor + for mIdx, match := range rule.HeaderMatches { pbDesc := new(rlsconfv3.RateLimitDescriptor) // Case for distinct match 
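Review bot: In the `@@ -333,22 +333,21 @@` hunk, the hoisted `rateLimitPolicy` still takes its unit from `rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]`, and a map lookup with an unrecognised key silently returns 0. A mistyped or unsupported unit would therefore produce a policy carrying the enum's zero value rather than a rejected rule. Now that the policy is built in one place per rule, the two-value form `unit, ok := rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]` could be used, skipping or reporting the rule when `ok` is false. If the unit is already validated before the IR is built, a comment such as `// rule.Limit.Unit is validated upstream; lookup cannot miss` would be enough. The body of `buildRateLimitServiceDescriptors` continues outside this hunk.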
@@ -361,15 +360,6 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc.Value = getRouteRuleDescriptor(rIdx, mIdx) } - // Add the ratelimit values to the last descriptor - if mIdx == len(rule.HeaderMatches)-1 { - rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), - Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), - } - pbDesc.RateLimit = &rateLimit - } - if mIdx == 0 { head = pbDesc } else { @@ -377,6 +367,9 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R } cur = pbDesc + + // Do not add the RateLimitPolicy to the last header match descriptor yet, + // as it is also possible that CIDR match descriptor also exist. } // EG supports two kinds of rate limit descriptors for the source IP: exact and distinct. 
@@ -405,25 +398,37 @@ func buildRateLimitServiceDescriptors(global *ir.GlobalRateLimit) []*rlsconfv3.R pbDesc := new(rlsconfv3.RateLimitDescriptor) pbDesc.Key = "masked_remote_address" pbDesc.Value = rule.CIDRMatch.CIDR - rateLimit := rlsconfv3.RateLimitPolicy{ - RequestsPerUnit: uint32(rule.Limit.Requests), - Unit: rlsconfv3.RateLimitUnit(rlsconfv3.RateLimitUnit_value[strings.ToUpper(string(rule.Limit.Unit))]), + + if cur != nil { + // The header match descriptor chain exist, add current + // descriptor to the chain. + cur.Descriptors = []*rlsconfv3.RateLimitDescriptor{pbDesc} + } else { + head = pbDesc } + cur = pbDesc if rule.CIDRMatch.Distinct { - pbDesc.Descriptors = []*rlsconfv3.RateLimitDescriptor{ - { - Key: "remote_address", - RateLimit: &rateLimit, - }, - } - } else { - pbDesc.RateLimit = &rateLimit + pbDesc := new(rlsconfv3.RateLimitDescriptor) + pbDesc.Key = "remote_address" + cur.Descriptors = []*rlsconfv3.RateLimitDescriptor{pbDesc} + cur = pbDesc } + } + + // Case when both header and cidr match are not set and the ratelimit + // will be applied to all traffic. + if !rule.IsMatchSet() { + pbDesc := new(rlsconfv3.RateLimitDescriptor) + // GenericKey case + pbDesc.Key = getRouteRuleDescriptor(rIdx, -1) + pbDesc.Value = getRouteRuleDescriptor(rIdx, -1) head = pbDesc cur = head } + // Add the ratelimit policy to the last descriptor of chain. + cur.RateLimit = rateLimitPolicy pbDescriptors = append(pbDescriptors, head) } diff --git a/internal/xds/translator/testdata/in/ratelimit-config/header-and-cidr-matches.yaml b/internal/xds/translator/testdata/in/ratelimit-config/header-and-cidr-matches.yaml new file mode 100644 index 00000000000..481b8598695 --- /dev/null +++ b/internal/xds/translator/testdata/in/ratelimit-config/header-and-cidr-matches.yaml 
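Review bot: `cur.RateLimit = rateLimitPolicy` at the end of this hunk dereferences `cur` unconditionally. `cur` is assigned only in the header-match loop, in the CIDR branch (whose condition lies outside the hunk), or in the `!rule.IsMatchSet()` branch. That is safe only while `IsMatchSet()` returns false exactly when a rule has neither header matches nor a CIDR match; if the helper and these branches ever drift apart, the translator panics here. A guard such as `if cur == nil { continue }` before the assignment, or a comment stating the invariant, would make the dependency explicit. Separately, the inner `pbDesc := new(rlsconfv3.RateLimitDescriptor)` in the `Distinct` block shadows the outer `pbDesc`; a separate name such as `remoteDesc` would read more clearly.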
@@ -0,0 +1,38 @@ +name: "first-listener" +address: "0.0.0.0" +port: 10080 +hostnames: +- "*" +path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect +routes: +- name: "first-route" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + exact: "one" + - name: "x-user-id" + exact: "two" + - name: "x-org-id" + exact: "three" + cidrMatch: + cidr: 0.0.0.0/0 + ip: 0.0.0.0 + maskLen: 0 + isIPv6: false + distinct: false + limit: + requests: 5 + unit: second + pathMatch: + exact: "foo/bar" + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml new file mode 100644 index 00000000000..fa9b6f31ae5 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml 
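Review bot: This fixture exercises the header-plus-CIDR chain only with `distinct: false`. The new nested `remote_address` descriptor, which `buildRateLimitServiceDescriptors` appends under `masked_remote_address` when header matches are also present, is therefore not covered by the rate limit service config fixtures shown in this commit. Adding a second rule with `cidrMatch.distinct: true` alongside header matches would pin that path, and with it the placement of the rate limit policy on the last descriptor of the chain. Two of the three ANDed matches are `exact` on the same `x-user-id` header with different values, so a comment like `# same header twice on purpose: exercises descriptor chaining only` would keep the rule from being read as a usable policy.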
@@ -0,0 +1,88 @@ +http: +- name: "first-listener" + address: "0.0.0.0" + port: 10080 + hostnames: + - "*" + path: + mergeSlashes: true + escapedSlashesAction: UnescapeAndRedirect + routes: + - name: "first-route" + hostname: "*" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + exact: "one" + cidrMatch: + cidr: 192.168.0.0/16 + maskLen: 16 + limit: + requests: 5 + unit: second + destination: + name: "first-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "second-route" + hostname: "*" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + distinct: true + - name: "foobar" + distinct: true + cidrMatch: + cidr: 192.168.0.0/16 + maskLen: 16 + limit: + requests: 5 + unit: second + pathMatch: + exact: "example" + destination: + name: "second-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - name: "third-route" + hostname: "*" + traffic: + rateLimit: + global: + rules: + - headerMatches: + - name: "x-user-id" + exact: "one" + cidrMatch: + cidr: 192.168.0.0/16 + maskLen: 16 + limit: + requests: 5 + unit: second + - headerMatches: + - name: "x-user-id" + exact: "two" + - name: "foobar" + distinct: true + cidrMatch: + cidr: 192.169.0.0/16 + maskLen: 16 + limit: + requests: 10 + unit: second + destination: + name: "third-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/out/ratelimit-config/header-and-cidr-matches.yaml b/internal/xds/translator/testdata/out/ratelimit-config/header-and-cidr-matches.yaml new file mode 100644 index 00000000000..83f5376dade --- /dev/null +++ b/internal/xds/translator/testdata/out/ratelimit-config/header-and-cidr-matches.yaml 
@@ -0,0 +1,38 @@ +name: first-listener +domain: first-listener +descriptors: + - key: first-route + value: first-route + rate_limit: null + descriptors: + - key: rule-0-match-0 + value: rule-0-match-0 + rate_limit: null + descriptors: + - key: rule-0-match-1 + value: rule-0-match-1 + rate_limit: null + descriptors: + - key: rule-0-match-2 + value: rule-0-match-2 + rate_limit: null + descriptors: + - key: masked_remote_address + value: 0.0.0.0/0 + rate_limit: + requests_per_unit: 5 + unit: SECOND + unlimited: false + name: "" + replaces: [] + descriptors: [] + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false + shadow_mode: false + detailed_metric: false diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml new file mode 100644 index 00000000000..0ba1749076a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml 
@@ -0,0 +1,98 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: first-route-dest + lbPolicy: LEAST_REQUEST + name: first-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: second-route-dest + lbPolicy: LEAST_REQUEST + name: second-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: third-route-dest + lbPolicy: LEAST_REQUEST + name: third-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: ratelimit_cluster + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: envoy-ratelimit.envoy-gateway-system.svc.cluster.local + portValue: 8081 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: ratelimit_cluster/backend/0 + name: ratelimit_cluster + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + tlsCertificates: + - certificateChain: + 
filename: /certs/tls.crt + privateKey: + filename: /certs/tls.key + validationContext: + trustedCa: + filename: /certs/ca.crt + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.endpoints.yaml new file mode 100644 index 00000000000..475b89a087c --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.endpoints.yaml @@ -0,0 +1,36 @@ +- clusterName: first-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: first-route-dest/backend/0 +- clusterName: second-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: second-route-dest/backend/0 +- clusterName: third-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: third-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml new file mode 100644 index 00000000000..a80f448f017 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml 
@@ -0,0 +1,44 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.ratelimit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: first-listener + enableXRatelimitHeaders: DRAFT_VERSION_03 + rateLimitService: + grpcService: + envoyGrpc: + clusterName: ratelimit_cluster + transportApiVersion: V3 + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: first-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: first-listener + name: first-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.routes.yaml new file mode 100644 index 00000000000..459d975a9b0 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.routes.yaml 
@@ -0,0 +1,88 @@ +- ignorePortInHostMatching: true + name: first-listener + virtualHosts: + - domains: + - '*' + name: first-listener/* + routes: + - match: + prefix: / + name: first-route + route: + cluster: first-route-dest + rateLimits: + - actions: + - genericKey: + descriptorKey: first-route + descriptorValue: first-route + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: one + - maskedRemoteAddress: + v4PrefixMaskLen: 16 + upgradeConfigs: + - upgradeType: websocket + - match: + path: example + name: second-route + route: + cluster: second-route-dest + rateLimits: + - actions: + - genericKey: + descriptorKey: second-route + descriptorValue: second-route + - requestHeaders: + descriptorKey: rule-0-match-0 + headerName: x-user-id + - requestHeaders: + descriptorKey: rule-0-match-1 + headerName: foobar + - maskedRemoteAddress: + v4PrefixMaskLen: 16 + upgradeConfigs: + - upgradeType: websocket + - match: + prefix: / + name: third-route + route: + cluster: third-route-dest + rateLimits: + - actions: + - genericKey: + descriptorKey: third-route + descriptorValue: third-route + - headerValueMatch: + descriptorKey: rule-0-match-0 + descriptorValue: rule-0-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: one + - maskedRemoteAddress: + v4PrefixMaskLen: 16 + - actions: + - genericKey: + descriptorKey: third-route + descriptorValue: third-route + - headerValueMatch: + descriptorKey: rule-1-match-0 + descriptorValue: rule-1-match-0 + expectMatch: true + headers: + - name: x-user-id + stringMatch: + exact: two + - requestHeaders: + descriptorKey: rule-1-match-1 + headerName: foobar + - maskedRemoteAddress: + v4PrefixMaskLen: 16 + upgradeConfigs: + - upgradeType: websocket 
diff --git a/test/e2e/testdata/ratelimit-headers-and-cidr-match.yaml b/test/e2e/testdata/ratelimit-headers-and-cidr-match.yaml new file mode 100644 index 00000000000..fef2f645a2b --- /dev/null +++ b/test/e2e/testdata/ratelimit-headers-and-cidr-match.yaml @@ -0,0 +1,45 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: ratelimit-headers-and-cidr + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: header-and-cidr-ratelimit + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - headers: + - name: x-user-id + type: Exact + value: one + - name: x-user-org + type: Exact + value: acme + sourceCIDR: + value: 0.0.0.0/0 + type: Distinct + limit: + requests: 3 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: header-and-cidr-ratelimit + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /get + backendRefs: + - name: infra-backend-v1 + port: 8080 diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index b87576b60aa..f0082d77e85 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -30,6 +30,7 @@ func init() { ConformanceTests = append(ConformanceTests, RateLimitHeadersDisabled) ConformanceTests = append(ConformanceTests, RateLimitBasedJwtClaimsTest) ConformanceTests = append(ConformanceTests, RateLimitMultipleListenersTest) + ConformanceTests = append(ConformanceTests, RateLimitHeadersAndCIDRMatchTest) } var RateLimitCIDRMatchTest = suite.ConformanceTest{ 
@@ -538,6 +539,118 @@ var RateLimitMultipleListenersTest = suite.ConformanceTest{ }, } +var RateLimitHeadersAndCIDRMatchTest = suite.ConformanceTest{ + ShortName: "RateLimitHeadersAndCIDRMatch", + Description: "Limit requests on rule that has both headers and cidr matches", + Manifests: []string{"testdata/ratelimit-headers-and-cidr-match.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "header-and-cidr-ratelimit", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + t.Run("all matched both headers and cidr can got limited", func(t *testing.T) { + requestHeaders := map[string]string{ + "x-user-id": "one", + "x-user-org": "acme", + } + + ratelimitHeader := make(map[string]string) + expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 200, + Headers: ratelimitHeader, + }, + Namespace: ns, + } + expectOkResp.Response.Headers["X-Ratelimit-Limit"] = "3, 3;w=3600" + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + expectLimitResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 429, + }, + Namespace: ns, + } + expectLimitReq := http.MakeRequest(t, &expectLimitResp, gwAddr, "HTTP", "http") + + // should just send exactly 4 requests, and expect 429 + + // keep sending requests till get 200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest of the requests + if err := GotExactExpectedResponse(t, 2, suite.RoundTripper, expectOkReq, expectOkResp); err 
!= nil { + t.Errorf("failed to get expected response for the first three requests: %v", err) + } + if err := GotExactExpectedResponse(t, 1, suite.RoundTripper, expectLimitReq, expectLimitResp); err != nil { + t.Errorf("failed to get expected response for the last (fourth) request: %v", err) + } + }) + + t.Run("only partly matched headers cannot got limited", func(t *testing.T) { + requestHeaders := map[string]string{ + "x-user-id": "one", + } + + // it does not require any rate limit header, since this request never be rate limited. + expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + Headers: requestHeaders, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + // send exactly 4 requests, and still expect 200 + + // keep sending requests till get 200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest of the requests + if err := GotExactExpectedResponse(t, 3, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("failed to get expected responses for the request: %v", err) + } + }) + + t.Run("only matched cidr cannot got limited", func(t *testing.T) { + // it does not require any rate limit header, since this request never be rate limited. 
+ expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/get", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + // send exactly 4 requests, and still expect 200 + + // keep sending requests till get 200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest of the requests + if err := GotExactExpectedResponse(t, 3, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("failed to get expected responses for the request: %v", err) + } + }) + }, +} + func GotExactExpectedResponse(t *testing.T, n int, r roundtripper.RoundTripper, req roundtripper.Request, resp http.ExpectedResponse) error { for i := 0; i < n; i++ { cReq, cRes, err := r.CaptureRoundTrip(req) From deddeb472fa7307bf6e83f782d02ec2eba828bf1 Mon Sep 17 00:00:00 2001 From: sh2 Date: Tue, 22 Oct 2024 05:44:31 +0800 Subject: [PATCH 283/523] chore: clean up gatewayapi v1alpha2 helpers (#4482) clean up gatewayapi v1alpha2 helpers Signed-off-by: shawnh2 Co-authored-by: Huabing Zhao --- internal/gatewayapi/helpers_v1alpha2.go | 45 ------------------------- internal/provider/kubernetes/routes.go | 9 ++--- 2 files changed, 3 insertions(+), 51 deletions(-) delete mode 100644 internal/gatewayapi/helpers_v1alpha2.go diff --git a/internal/gatewayapi/helpers_v1alpha2.go b/internal/gatewayapi/helpers_v1alpha2.go deleted file mode 100644 index 3b1dffde66f..00000000000 --- a/internal/gatewayapi/helpers_v1alpha2.go +++ /dev/null 
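Review bot: The "only partly matched headers" subtest in RateLimitHeadersAndCIDRMatchTest covers a missing `x-user-org` header, but not a header that is present with the wrong value. That second case is the one that would expose OR-instead-of-AND matching, or a skipped value comparison, in the translated rate-limit descriptors. The manifest declares both `x-user-id: one` and `x-user-org: acme` as `Exact` matches, so a request with `x-user-id: one` and a different `x-user-org` should stay at 200 for all four requests. The subtest below would pin that, using only helpers already called in this hunk. The trailing context shows only the start of GotExactExpectedResponse, whose body continues outside the hunk.

```go
		// … unchanged: the three existing subtests …

		t.Run("mismatched header value is not limited", func(t *testing.T) {
			expectOkResp := http.ExpectedResponse{
				Request: http.Request{
					Path: "/get",
					Headers: map[string]string{
						"x-user-id":  "one",
						"x-user-org": "other", // constructed value, differs from the rule's "acme"
					},
				},
				Response:  http.Response{StatusCode: 200},
				Namespace: ns,
			}
			expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http")

			// wait for the route to answer, then expect the remaining requests to pass as well
			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp)
			if err := GotExactExpectedResponse(t, 3, suite.RoundTripper, expectOkReq, expectOkResp); err != nil {
				t.Errorf("failed to get expected responses for the request: %v", err)
			}
		})
```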
@@ -1,45 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -// This file contains code derived from Contour, -// https://github.com/projectcontour/contour -// and is provided here subject to the following: -// Copyright Project Contour Authors -// SPDX-License-Identifier: Apache-2.0 - -package gatewayapi - -import ( - gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" - gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" -) - -// TODO: [gwapiv1a2-gwapiv1] -// This file can be removed once all routes graduates to gwapiv1. - -// UpgradeBackendRef converts gwapiv1a2.BackendRef to gwapiv1.BackendRef -func UpgradeBackendRef(old gwapiv1a2.BackendRef) gwapiv1.BackendRef { - upgraded := gwapiv1.BackendRef{} - - if old.Group != nil { - upgraded.Group = GroupPtr(string(*old.Group)) - } - - if old.Kind != nil { - upgraded.Kind = KindPtr(string(*old.Kind)) - } - - if old.Namespace != nil { - upgraded.Namespace = NamespacePtr(string(*old.Namespace)) - } - - upgraded.Name = old.Name - - if old.Port != nil { - upgraded.Port = PortNumPtr(int32(*old.Port)) - } - - return upgraded -} diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index 3a0a9f8131e..956a2b59b3f 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -56,8 +56,7 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName for _, rule := range tlsRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - ref := gatewayapi.UpgradeBackendRef(backendRef) - if err := validateBackendRef(&ref); err != nil { + if err := validateBackendRef(&backendRef); err != nil { r.log.Error(err, "invalid backendRef") continue } 
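Review bot: `validateBackendRef(&backendRef)` in processTLSRoutes now takes the address of the range variable instead of a fresh per-iteration copy, and the processTCPRoutes and processUDPRoutes hunks make the same change. validateBackendRef is not visible here, so this is safe only if it does not retain the pointer. On a toolchain older than Go 1.22 the variable is shared across iterations, and linters such as gosec report the pattern as implicit memory aliasing (G601). If the module can still build with an older Go version, a comment such as `// validateBackendRef only reads the ref; the pointer is not retained`, or indexing the slice with `ref := &rule.BackendRefs[i]`, would make the intent explicit. All three loops sit in functions that start and end outside their hunks.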
@@ -467,8 +466,7 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName for _, rule := range tcpRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - ref := gatewayapi.UpgradeBackendRef(backendRef) - if err := validateBackendRef(&ref); err != nil { + if err := validateBackendRef(&backendRef); err != nil { r.log.Error(err, "invalid backendRef") continue } @@ -545,8 +543,7 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName for _, rule := range udpRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - ref := gatewayapi.UpgradeBackendRef(backendRef) - if err := validateBackendRef(&ref); err != nil { + if err := validateBackendRef(&backendRef); err != nil { r.log.Error(err, "invalid backendRef") continue } From 33ac6ca6873bac05cee79f7a177c18caa45506e2 Mon Sep 17 00:00:00 2001 From: Hartigan Date: Tue, 22 Oct 2024 01:23:37 +0200 Subject: [PATCH 284/523] Docs/Tests: documentation and e2e tests for Datadog tracing (#4480) * Add e2e test for Datadog tracing Signed-off-by: Hartigan * Add documentation for Datadog tracing support for proxy Signed-off-by: Hartigan * Format test yaml files Signed-off-by: Hartigan * Remove Grafana Alloy for Datadog tracing e2e test Signed-off-by: Hartigan * Update generated files Signed-off-by: Hartigan --------- 
Signed-off-by: Hartigan --- charts/gateway-addons-helm/Chart.lock | 6 +- charts/gateway-addons-helm/Chart.yaml | 2 +- charts/gateway-addons-helm/README.md | 14 ++- charts/gateway-addons-helm/values.yaml | 8 +- .../latest/install/gateway-addons-helm-api.md | 14 ++- .../latest/tasks/observability/proxy-trace.md | 62 ++++++++++++- .../latest/install/gateway-addons-helm-api.md | 14 ++- test/e2e/testdata/tracing-datadog.yaml | 91 +++++++++++++++++++ test/e2e/tests/tracing.go | 67 +++++++++++++- test/helm/gateway-addons-helm/e2e.out.yaml | 38 ++++---- 10 files changed, 277 insertions(+), 39 deletions(-) create mode 100644 test/e2e/testdata/tracing-datadog.yaml diff --git a/charts/gateway-addons-helm/Chart.lock b/charts/gateway-addons-helm/Chart.lock index 4b6f92ac77c..228a952fdc1 100644 --- a/charts/gateway-addons-helm/Chart.lock +++ b/charts/gateway-addons-helm/Chart.lock @@ -16,6 +16,6 @@ dependencies: version: 1.3.1 - name: opentelemetry-collector repository: https://open-telemetry.github.io/opentelemetry-helm-charts - version: 0.73.1 -digest: sha256:4c16df8d7efc27aff566fa5dfd2eba6527adbf3fc8e94e7e3ccfc0cee7836f1c -generated: "2024-06-20T11:46:59.148579+08:00" + version: 0.108.0 +digest: sha256:ea6663bb1358123b96b69d2c5b0b8c20650a43dc39b24c482f0560201fd2cc3a +generated: "2024-10-19T12:59:47.251089661+02:00" diff --git a/charts/gateway-addons-helm/Chart.yaml b/charts/gateway-addons-helm/Chart.yaml index 84ac6228f62..2571ccec51e 100644 --- a/charts/gateway-addons-helm/Chart.yaml +++ b/charts/gateway-addons-helm/Chart.yaml @@ -47,5 +47,5 @@ dependencies: condition: tempo.enabled - name: opentelemetry-collector repository: https://open-telemetry.github.io/opentelemetry-helm-charts - version: 0.73.1 + version: 0.108.0 condition: opentelemetry-collector.enabled diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index ccbd26b983d..a52af3e2d14 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md 
@@ -25,7 +25,7 @@ An Add-ons Helm chart for Envoy Gateway | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | -| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.73.1 | +| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.108.0 | | https://prometheus-community.github.io/helm-charts | prometheus | 25.21.0 | ## Usage @@ -103,7 +103,7 @@ To uninstall the chart: | loki.singleBinary.replicas | int | `1` | | | loki.test.enabled | bool | `false` | | | loki.write.replicas | int | `0` | | -| opentelemetry-collector.config.exporters.logging.verbosity | string | `"detailed"` | | +| opentelemetry-collector.config.exporters.debug.verbosity | string | `"detailed"` | | | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | @@ -112,6 +112,7 @@ To uninstall the chart: | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | | opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | | opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | | opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | 
@@ -120,12 +121,15 @@ To uninstall the chart: | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | | opentelemetry-collector.config.service.pipelines.logs.receivers[0] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.metrics.exporters[0] | string | `"prometheus"` | | -| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | +| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | | opentelemetry-collector.mode | string | `"deployment"` | | | prometheus.alertmanager.enabled | bool | `false` | | | prometheus.enabled | bool | `true` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index 55a02b68255..d3fb043ddd4 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml 
@@ -181,11 +181,13 @@ opentelemetry-collector: enabled: false fullnameOverride: otel-collector mode: deployment + image: + repository: "otel/opentelemetry-collector-contrib" config: exporters: prometheus: endpoint: 0.0.0.0:19001 - logging: + debug: verbosity: detailed loki: endpoint: "http://loki.monitoring.svc:3100/loki/api/v1/push" @@ -207,6 +209,8 @@ opentelemetry-collector: # Loki will convert this to k8s_pod_name label. value: k8s.pod.name, k8s.namespace.name receivers: + datadog: + endpoint: ${env:MY_POD_IP}:8126 zipkin: endpoint: ${env:MY_POD_IP}:9411 otlp: @@ -223,6 +227,7 @@ opentelemetry-collector: exporters: - prometheus receivers: + - datadog - otlp logs: exporters: @@ -235,5 +240,6 @@ opentelemetry-collector: exporters: - otlp receivers: + - datadog - otlp - zipkin diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index a0ae0ed62f6..9835e21cd62 100644 --- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md @@ -27,7 +27,7 @@ An Add-ons Helm chart for Envoy Gateway | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | -| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.73.1 | +| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.108.0 | | https://prometheus-community.github.io/helm-charts | prometheus | 25.21.0 | ## Values 
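Review bot: The new `datadog` receiver in charts/gateway-addons-helm/values.yaml is wired into the `metrics` pipeline as well as `traces`, although the commit only documents and tests Datadog tracing. The receiver listens on `${env:MY_POD_IP}:8126` and the values shown put no authentication in front of it, so once `opentelemetry-collector.enabled` is turned on, any workload that can reach the pod can presumably submit spans and metrics that flow on to Tempo and the Prometheus exporter. I would drop `- datadog` from the metrics receivers unless it is needed, and add a comment above the receiver such as `# Datadog APM intake for Envoy tracing; restrict access with a NetworkPolicy`. Separately, `image.repository` switches to `otel/opentelemetry-collector-contrib` with no `tag` or digest in these values, so the image version appears to follow the chart default; pinning it would keep the add-on reproducible.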
@@ -82,7 +82,7 @@ An Add-ons Helm chart for Envoy Gateway | loki.singleBinary.replicas | int | `1` | | | loki.test.enabled | bool | `false` | | | loki.write.replicas | int | `0` | | -| opentelemetry-collector.config.exporters.logging.verbosity | string | `"detailed"` | | +| opentelemetry-collector.config.exporters.debug.verbosity | string | `"detailed"` | | | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | @@ -91,6 +91,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | | opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | | opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | | opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | 
@@ -99,12 +100,15 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | | opentelemetry-collector.config.service.pipelines.logs.receivers[0] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.metrics.exporters[0] | string | `"prometheus"` | | -| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | +| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | | opentelemetry-collector.mode | string | `"deployment"` | | | prometheus.alertmanager.enabled | bool | `false` | | | prometheus.enabled | bool | `true` | | diff --git a/site/content/en/latest/tasks/observability/proxy-trace.md b/site/content/en/latest/tasks/observability/proxy-trace.md index ddaf68e415a..39243d329bc 100644 --- a/site/content/en/latest/tasks/observability/proxy-trace.md +++ b/site/content/en/latest/tasks/observability/proxy-trace.md 
@@ -19,7 +19,7 @@ TEMPO_IP=$(kubectl get svc tempo -n monitoring -o jsonpath='{.status.loadBalance By default, Envoy Gateway doesn't send traces to any sink. You can enable traces by setting the `telemetry.tracing` in the [EnvoyProxy][envoy-proxy-crd] CRD. -Currently, Envoy Gateway support OpenTelemetry and [Zipkin](../../api/extension_types#zipkintracingprovider) tracer. +Currently, Envoy Gateway support OpenTelemetry, [Zipkin](../../api/extension_types#zipkintracingprovider) and Datadog tracer. ### Tracing Provider @@ -155,6 +155,66 @@ Verify zipkin traces from tempo: curl -s "http://$TEMPO_IP:3100/api/search?tags=component%3Dproxy+provider%3Dzipkin" | jq .traces ``` +{{% /tab %}} +{{% tab header="Datadog" %}} + +```shell +kubectl apply -f - <}} diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index a0ae0ed62f6..9835e21cd62 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md @@ -27,7 +27,7 @@ An Add-ons Helm chart for Envoy Gateway | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | -| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.73.1 | +| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.108.0 | | https://prometheus-community.github.io/helm-charts | prometheus | 25.21.0 | ## Values 
@@ -82,7 +82,7 @@ An Add-ons Helm chart for Envoy Gateway | loki.singleBinary.replicas | int | `1` | | | loki.test.enabled | bool | `false` | | | loki.write.replicas | int | `0` | | -| opentelemetry-collector.config.exporters.logging.verbosity | string | `"detailed"` | | +| opentelemetry-collector.config.exporters.debug.verbosity | string | `"detailed"` | | | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | @@ -91,6 +91,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | | opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | | opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | | opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | 
@@ -99,12 +100,15 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | | opentelemetry-collector.config.service.pipelines.logs.receivers[0] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.metrics.exporters[0] | string | `"prometheus"` | | -| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | +| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | | opentelemetry-collector.mode | string | `"deployment"` | | | prometheus.alertmanager.enabled | bool | `false` | | | prometheus.enabled | bool | `true` | | diff --git a/test/e2e/testdata/tracing-datadog.yaml b/test/e2e/testdata/tracing-datadog.yaml new file mode 100644 index 00000000000..e4f54a7eebe --- /dev/null +++ b/test/e2e/testdata/tracing-datadog.yaml 
@@ -0,0 +1,91 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg-special-case-datadog
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
+ infrastructure:
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: datadog-tracing
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: datadog-agent
+ namespace: monitoring
+spec:
+ selector:
+ app.kubernetes.io/instance: eg-addons
+ app.kubernetes.io/name: opentelemetry-collector
+ component: standalone-collector
+ ports:
+ - protocol: TCP
+ port: 8126
+ targetPort: 8126
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: datadog-tracing
+ namespace: gateway-conformance-infra
+spec:
+ logging:
+ level:
+ default: debug
+ telemetry:
+ tracing:
+ provider:
+ type: Datadog
+ backendRefs:
+ - name: datadog-agent
+ namespace: monitoring
+ port: 8126
+ customTags:
+ "provider":
+ type: Literal
+ literal:
+ value: "datadog"
+ "k8s.cluster.name":
+ type: Literal
+ literal:
+ value: "envoy-gateway"
+ "k8s.pod.name":
+ type: Environment
+ environment:
+ name: ENVOY_POD_NAME
+ defaultValue: "-"
+ "k8s.namespace.name":
+ type: Environment
+ environment:
+ name: ENVOY_GATEWAY_NAMESPACE
+ defaultValue: "envoy-gateway-system"
+ shutdown:
+ drainTimeout: 5s
+ minDrainDuration: 1s
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: tracing-datadog
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: eg-special-case-datadog
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /datadog
+ backendRefs:
+ - name: infra-backend-v2
+ port: 8080
diff --git a/test/e2e/tests/tracing.go b/test/e2e/tests/tracing.go
index 5ead14b48a1..93e4cb23897 100644
--- a/test/e2e/tests/tracing.go
+++ b/test/e2e/tests/tracing.go
@@ -24,7 +24,7 @@ import ( ) func init() { - ConformanceTests = append(ConformanceTests, OpenTelemetryTracingTest, ZipkinTracingTest) + ConformanceTests = append(ConformanceTests, OpenTelemetryTracingTest, ZipkinTracingTest, DatadogTracingTest) } var OpenTelemetryTracingTest = suite.ConformanceTest{ 
@@ -141,3 +141,68 @@ var ZipkinTracingTest = suite.ConformanceTest{ }) }, } + +var DatadogTracingTest = suite.ConformanceTest{ + ShortName: "DatadogTracing", + Description: "Make sure Datadog tracing is working", + Manifests: []string{"testdata/tracing-datadog.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("tempo", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "tracing-datadog", Namespace: ns} + gwNN := types.NamespacedName{Name: "eg-special-case-datadog", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := httputils.ExpectedResponse{ + Request: httputils.Request{ + Path: "/datadog", + }, + Response: httputils.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + // make sure listener is ready + httputils.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + + tags := map[string]string{ + "component": "proxy", + "provider": "datadog", + "service.name": fmt.Sprintf("%s.%s", gwNN.Name, gwNN.Namespace), + } + if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, time.Minute, true, + func(ctx context.Context) (bool, error) { + preCount, err := QueryTraceFromTempo(t, suite.Client, tags) + if err != nil { + tlog.Logf(t, "failed to get trace count from tempo: %v", err) + return false, nil + } + + httputils.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + + // looks like we need almost 15 seconds to get the trace from Tempo? 
+ err = wait.PollUntilContextTimeout(context.TODO(), time.Second, 60*time.Second, true, func(ctx context.Context) (done bool, err error) { + curCount, err := QueryTraceFromTempo(t, suite.Client, tags) + if err != nil { + tlog.Logf(t, "failed to get curCount count from tempo: %v", err) + return false, nil + } + + if curCount > preCount { + return true, nil + } + + return false, nil + }) + if err != nil { + tlog.Logf(t, "failed to get current count from tempo: %v", err) + return false, nil + } + + return true, nil + }); err != nil { + t.Errorf("failed to get trace from tempo: %v", err) + } + }) + }, +} diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 15445239f3d..1e7c8fda8ff 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml @@ -32,10 +32,10 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.73.1 + helm.sh/chart: opentelemetry-collector-0.108.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.88.0" + app.kubernetes.io/version: "0.111.0" app.kubernetes.io/managed-by: Helm --- # Source: gateway-addons-helm/charts/prometheus/templates/serviceaccount.yaml @@ -219,16 +219,16 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.73.1 + helm.sh/chart: opentelemetry-collector-0.108.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.88.0" + app.kubernetes.io/version: "0.111.0" app.kubernetes.io/managed-by: Helm + data: relay: | exporters: - debug: {} - logging: + debug: verbosity: detailed loki: endpoint: http://loki.monitoring.svc:3100/loki/api/v1/push 
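Review bot: The inner `wait.PollUntilContextTimeout` in `DatadogTracingTest` is started from `context.TODO()` rather than the `ctx` handed to the outer condition function, so the outer one-minute deadline cannot cancel it and a single outer iteration can run for the full 60 seconds on its own. Passing the outer context keeps the whole check inside one deadline: `err = wait.PollUntilContextTimeout(ctx, time.Second, 60*time.Second, true, func(ctx context.Context) (done bool, err error) {`. The subtest name `"tempo"` and the log text `failed to get curCount count from tempo` look carried over from the neighbouring tests; `t.Run("datadog", ...)` and `failed to get current trace count from tempo` would make a failure easier to attribute.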
@@ -239,9 +239,8 @@ data: prometheus: endpoint: 0.0.0.0:19001 extensions: - health_check: {} - memory_ballast: - size_in_percentage: 40 + health_check: + endpoint: ${env:MY_POD_IP}:13133 processors: attributes: actions: @@ -254,6 +253,8 @@ data: limit_percentage: 80 spike_limit_percentage: 25 receivers: + datadog: + endpoint: ${env:MY_POD_IP}:8126 jaeger: protocols: grpc: @@ -296,6 +297,7 @@ data: - memory_limiter - batch receivers: + - datadog - otlp traces: exporters: @@ -304,6 +306,7 @@ data: - memory_limiter - batch receivers: + - datadog - otlp - zipkin telemetry: @@ -9517,11 +9520,12 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.73.1 + helm.sh/chart: opentelemetry-collector-0.108.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.88.0" + app.kubernetes.io/version: "0.111.0" app.kubernetes.io/managed-by: Helm + component: standalone-collector spec: type: ClusterIP @@ -9733,11 +9737,12 @@ metadata: name: otel-collector namespace: monitoring labels: - helm.sh/chart: opentelemetry-collector-0.73.1 + helm.sh/chart: opentelemetry-collector-0.108.0 app.kubernetes.io/name: opentelemetry-collector app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "0.88.0" + app.kubernetes.io/version: "0.111.0" app.kubernetes.io/managed-by: Helm + spec: replicas: 1 revisionHistoryLimit: 10 @@ -9751,7 +9756,7 @@ spec: template: metadata: annotations: - checksum/config: 4eb06aca6ff4da4de927cb9ba7d8ceb883d2484011fbd670683037b8ea4d996c + checksum/config: 270a8503091b51a264317115cf6df46b4501b03fc135eca95b93dca57a522a70 labels: app.kubernetes.io/name: opentelemetry-collector 
@@ -9765,12 +9770,11 @@ spec: {} containers: - name: opentelemetry-collector - command: - - /otelcol-contrib + args: - --config=/conf/relay.yaml securityContext: {} - image: "otel/opentelemetry-collector-contrib:0.88.0" + image: "otel/opentelemetry-collector-contrib:0.111.0" imagePullPolicy: IfNotPresent ports: From 04fc944f2cae7e15c23167c581389c958f4eaea1 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 22 Oct 2024 08:50:25 +0800 Subject: [PATCH 285/523] impl: custom error response (#4415) * gateway api translation Signed-off-by: Huabing Zhao * add tests for gateway api translation Signed-off-by: Huabing Zhao * xds translation Signed-off-by: Huabing Zhao * test for xds translation Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * e2e test Signed-off-by: Huabing Zhao * add cel validation Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * make Body required Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- api/v1alpha1/backendtrafficpolicy_types.go | 1 - api/v1alpha1/envoyproxy_types.go | 7 +- api/v1alpha1/shared_types.go | 47 +- api/v1alpha1/zz_generated.deepcopy.go | 12 +- ....envoyproxy.io_backendtrafficpolicies.yaml | 70 ++- .../gateway.envoyproxy.io_envoyproxies.yaml | 5 + ...ateway.envoyproxy.io_httproutefilters.yaml | 29 +- go.mod | 2 +- internal/gatewayapi/backendtrafficpolicy.go | 133 +++++- ...response-override-invalid-valueref.in.yaml | 141 ++++++ ...esponse-override-invalid-valueref.out.yaml | 371 +++++++++++++++ ...afficpolicy-with-response-override.in.yaml | 145 ++++++ ...fficpolicy-with-response-override.out.yaml | 414 ++++++++++++++++ internal/gatewayapi/translator.go | 2 +- internal/ir/xds.go | 59 +++ internal/ir/zz_generated.deepcopy.go | 111 +++++ internal/provider/kubernetes/controller.go | 45 +- internal/provider/kubernetes/indexers.go | 31 ++ internal/provider/kubernetes/predicates.go | 22 +- internal/xds/translator/custom_response.go | 450 ++++++++++++++++++ internal/xds/translator/oidc.go | 4 +- .../testdata/in/xds-ir/custom-response.yaml | 56 +++ .../out/xds-ir/custom-response.clusters.yaml | 17 + .../out/xds-ir/custom-response.endpoints.yaml | 12 + .../out/xds-ir/custom-response.listeners.yaml | 130 +++++ .../out/xds-ir/custom-response.routes.yaml | 33 ++ site/content/en/latest/api/extension_types.md | 28 +- site/content/zh/latest/api/extension_types.md | 28 +- .../backendtrafficpolicy_test.go | 245 ++++++++++ test/e2e/testdata/response-override.yaml | 62 +++ test/e2e/tests/response-override.go | 83 ++++ 31 files changed, 2712 insertions(+), 83 deletions(-) create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml create mode 100644 internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.in.yaml create mode 100644 
internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml create mode 100644 internal/xds/translator/custom_response.go create mode 100644 internal/xds/translator/testdata/in/xds-ir/custom-response.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/custom-response.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/custom-response.routes.yaml create mode 100644 test/e2e/testdata/response-override.yaml create mode 100644 test/e2e/tests/response-override.go diff --git a/api/v1alpha1/backendtrafficpolicy_types.go b/api/v1alpha1/backendtrafficpolicy_types.go index 4e6118e7035..4183c12830f 100644 --- a/api/v1alpha1/backendtrafficpolicy_types.go +++ b/api/v1alpha1/backendtrafficpolicy_types.go @@ -74,7 +74,6 @@ type BackendTrafficPolicySpec struct { // If multiple configurations are specified, the first one to match wins. // // +optional - // +notImplementedHide ResponseOverride []*ResponseOverride `json:"responseOverride,omitempty"` } diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index d7a2a73abe8..4bf7920f624 100644 --- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go @@ -124,6 +124,8 @@ type EnvoyProxySpec struct { // // - envoy.filters.http.ratelimit // + // - envoy.filters.http.custom_response + // // - envoy.filters.http.router // // Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. 
@@ -174,7 +176,7 @@ type FilterPosition struct { } // EnvoyFilter defines the type of Envoy HTTP filter. -// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit +// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.custom_response type EnvoyFilter string const ( @@ -217,6 +219,9 @@ const ( // EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter. EnvoyFilterRateLimit EnvoyFilter = "envoy.filters.http.ratelimit" + // EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter. + EnvoyFilterCustomResponse EnvoyFilter = "envoy.filters.http.custom_response" + // EnvoyFilterRouter defines the Envoy HTTP router filter. EnvoyFilterRouter EnvoyFilter = "envoy.filters.http.router" ) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index fe795c833db..617151e296a 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -627,33 +627,48 @@ type ResponseOverride struct { // CustomResponseMatch defines the configuration for matching a user response to return a custom one. type CustomResponseMatch struct { // Status code to match on. The match evaluates to true if any of the matches are successful. - StatusCode []StatusCodeMatch `json:"statusCode"` + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=50 + StatusCodes []StatusCodeMatch `json:"statusCodes"` } // StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. // +kubebuilder:validation:Enum=Value;Range type StatusCodeValueType string +const ( + // StatusCodeValueTypeValue defines the "Value" status code match type. + StatusCodeValueTypeValue StatusCodeValueType = "Value" + + // StatusCodeValueTypeRange defines the "Range" status code match type. + StatusCodeValueTypeRange StatusCodeValueType = "Range" +) + +// StatusCodeMatch defines the configuration for matching a status code. +// +kubebuilder:validation:XValidation:message="value must be set for type Value",rule="(!has(self.type) || self.type == 'Value')? has(self.value) : true" +// +kubebuilder:validation:XValidation:message="range must be set for type Range",rule="(has(self.type) && self.type == 'Range')? has(self.range) : true" type StatusCodeMatch struct { // Type is the type of value. + // Valid values are Value and Range, default is Value. // // +kubebuilder:default=Value + // +kubebuilder:validation:Enum=Value;Range // +unionDiscriminator Type *StatusCodeValueType `json:"type"` // Value contains the value of the status code. // // +optional - Value *string `json:"value,omitempty"` - // ValueRef contains the contents of the body - // specified as a local object reference. - // Only a reference to ConfigMap is supported. + Value *int `json:"value,omitempty"` + + // Range contains the range of status codes. 
// // +optional Range *StatusCodeRange `json:"range,omitempty"` } // StatusCodeRange defines the configuration for define a range of status codes. +// +kubebuilder:validation:XValidation: message="end must be greater than start",rule="self.end > self.start" type StatusCodeRange struct { // Start of the range, including the start value. Start int `json:"start"` @@ -669,19 +684,31 @@ type CustomResponse struct { ContentType *string `json:"contentType,omitempty"` // Body of the Custom Response - // - // +optional - Body *CustomResponseBody `json:"body,omitempty"` + Body CustomResponseBody `json:"body"` } // ResponseValueType defines the types of values for the response body supported by Envoy Gateway. // +kubebuilder:validation:Enum=Inline;ValueRef type ResponseValueType string +const ( + // ResponseValueTypeInline defines the "Inline" response body type. + ResponseValueTypeInline ResponseValueType = "Inline" + + // ResponseValueTypeValueRef defines the "ValueRef" response body type. + ResponseValueTypeValueRef ResponseValueType = "ValueRef" +) + // CustomResponseBody +// +kubebuilder:validation:XValidation:message="inline must be set for type Inline",rule="(!has(self.type) || self.type == 'Inline')? has(self.inline) : true" +// +kubebuilder:validation:XValidation:message="valueRef must be set for type ValueRef",rule="(has(self.type) && self.type == 'ValueRef')? has(self.valueRef) : true" +// +kubebuilder:validation:XValidation:message="only ConfigMap is supported for ValueRef",rule="has(self.valueRef) ? self.valueRef.kind == 'ConfigMap' : true" type CustomResponseBody struct { // Type is the type of method to use to read the body value. + // Valid values are Inline and ValueRef, default is Inline. // + // +kubebuilder:default=Inline + // +kubebuilder:validation:Enum=Inline;ValueRef // +unionDiscriminator Type *ResponseValueType `json:"type"` 
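Review bot: The field-level `// +kubebuilder:validation:Enum=Value;Range` on `StatusCodeMatch.Type` repeats the marker already present on the `StatusCodeValueType` type, and the regenerated CRD in this commit shows the effect as an `allOf` holding two identical `enum` lists. Dropping the field-level marker keeps the schema a single `enum`; the same applies to `CustomResponseBody.Type` and `// +kubebuilder:validation:Enum=Inline;ValueRef` in the next hunk of this file. Separately, `Value *int` and the `Start` field of `StatusCodeRange` (whose body continues outside the hunk) carry no bounds, so any integer passes admission; if only HTTP status codes are meant, `// +kubebuilder:validation:Minimum=100` and `// +kubebuilder:validation:Maximum=599` on those fields would reject the rest before it reaches the translator.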
@@ -689,10 +716,14 @@ type CustomResponseBody struct { // // +optional Inline *string `json:"inline,omitempty"` + // ValueRef contains the contents of the body // specified as a local object reference. // Only a reference to ConfigMap is supported. // + // The value of key `response.body` in the ConfigMap will be used as the response body. + // If the key is not found, the first value in the ConfigMap will be used. + // // +optional ValueRef *gwapiv1.LocalObjectReference `json:"valueRef,omitempty"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 696c99259fb..c225d65d39e 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1148,11 +1148,7 @@ func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { *out = new(string) **out = **in } - if in.Body != nil { - in, out := &in.Body, &out.Body - *out = new(CustomResponseBody) - (*in).DeepCopyInto(*out) - } + in.Body.DeepCopyInto(&out.Body) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. @@ -1198,8 +1194,8 @@ func (in *CustomResponseBody) DeepCopy() *CustomResponseBody { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomResponseMatch) DeepCopyInto(out *CustomResponseMatch) { *out = *in - if in.StatusCode != nil { - in, out := &in.StatusCode, &out.StatusCode + if in.StatusCodes != nil { + in, out := &in.StatusCodes, &out.StatusCodes *out = make([]StatusCodeMatch, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) @@ -5166,7 +5162,7 @@ func (in *StatusCodeMatch) DeepCopyInto(out *StatusCodeMatch) { } if in.Value != nil { in, out := &in.Value, &out.Value - *out = new(string) + *out = new(int) **out = **in } if in.Range != nil { 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml index 7b2e937312d..f9fb0f329dd 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml @@ -940,16 +940,15 @@ spec: match: description: Match configuration. properties: - statusCode: + statusCodes: description: Status code to match on. The match evaluates to true if any of the matches are successful. items: + description: StatusCodeMatch defines the configuration + for matching a status code. properties: range: - description: |- - ValueRef contains the contents of the body - specified as a local object reference. - Only a reference to ConfigMap is supported. + description: Range contains the range of status codes. properties: end: description: End of the range, including the end @@ -963,23 +962,41 @@ spec: - end - start type: object + x-kubernetes-validations: + - message: end must be greater than start + rule: self.end > self.start type: + allOf: + - enum: + - Value + - Range + - enum: + - Value + - Range default: Value - description: Type is the type of value. - enum: - - Value - - Range + description: |- + Type is the type of value. + Valid values are Value and Range, default is Value. type: string value: description: Value contains the value of the status code. - type: string + type: integer required: - type type: object + x-kubernetes-validations: + - message: value must be set for type Value + rule: '(!has(self.type) || self.type == ''Value'')? + has(self.value) : true' + - message: range must be set for type Range + rule: '(has(self.type) && self.type == ''Range'')? has(self.range) + : true' + maxItems: 50 + minItems: 1 type: array required: - - statusCode + - statusCodes type: object response: description: Response configuration. 
@@ -992,17 +1009,26 @@ spec: string. type: string type: - description: Type is the type of method to use to read - the body value. - enum: - - Inline - - ValueRef + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: |- + Type is the type of method to use to read the body value. + Valid values are Inline and ValueRef, default is Inline. type: string valueRef: description: |- ValueRef contains the contents of the body specified as a local object reference. Only a reference to ConfigMap is supported. + + The value of key `response.body` in the ConfigMap will be used as the response body. + If the key is not found, the first value in the ConfigMap will be used. properties: group: description: |- @@ -1031,10 +1057,22 @@ spec: required: - type type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline) + : true' + - message: valueRef must be set for type ValueRef + rule: '(has(self.type) && self.type == ''ValueRef'')? + has(self.valueRef) : true' + - message: only ConfigMap is supported for ValueRef + rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap'' + : true' contentType: description: Content Type of the response. This will be set in the Content-Type header. type: string + required: + - body type: object required: - match diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 5b0130f2736..0733ed112b6 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -305,6 +305,8 @@ spec: - envoy.filters.http.ratelimit + - envoy.filters.http.custom_response + - envoy.filters.http.router Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. 
@@ -330,6 +332,7 @@ spec: - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.custom_response type: string before: description: |- @@ -349,6 +352,7 @@ spec: - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.custom_response type: string name: description: Name of the filter. @@ -366,6 +370,7 @@ spec: - envoy.filters.http.rbac - envoy.filters.http.local_ratelimit - envoy.filters.http.ratelimit + - envoy.filters.http.custom_response type: string required: - name diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 8a75fec4211..672cfb59df8 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml @@ -60,17 +60,26 @@ spec: description: Inline contains the value as an inline string. type: string type: - description: Type is the type of method to use to read the - body value. - enum: - - Inline - - ValueRef + allOf: + - enum: + - Inline + - ValueRef + - enum: + - Inline + - ValueRef + default: Inline + description: |- + Type is the type of method to use to read the body value. + Valid values are Inline and ValueRef, default is Inline. type: string valueRef: description: |- ValueRef contains the contents of the body specified as a local object reference. Only a reference to ConfigMap is supported. + + The value of key `response.body` in the ConfigMap will be used as the response body. + If the key is not found, the first value in the ConfigMap will be used. properties: group: description: |- 
@@ -99,6 +108,16 @@ spec: required: - type type: object + x-kubernetes-validations: + - message: inline must be set for type Inline + rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline) + : true' + - message: valueRef must be set for type ValueRef + rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef) + : true' + - message: only ConfigMap is supported for ValueRef + rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap'' + : true' contentType: description: Content Type of the response. This will be set in the Content-Type header. diff --git a/go.mod b/go.mod index 4090b698e5e..a10aa68bbac 100644 --- a/go.mod +++ b/go.mod @@ -281,7 +281,7 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index b8f289a9df0..89b6804a2ba 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -10,9 +10,11 @@ import ( "fmt" "math" "sort" + "strconv" "strings" perr "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" @@ -34,6 +36,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv gateways []*GatewayContext, routes []RouteContext, xdsIR resource.XdsIRMap, + configMaps []*corev1.ConfigMap, ) []*egv1a1.BackendTrafficPolicy { res := []*egv1a1.BackendTrafficPolicy{} 
@@ -127,7 +130,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv } // Set conditions for translation error if it got any - if err := t.translateBackendTrafficPolicyForRoute(policy, route, xdsIR); err != nil { + if err := t.translateBackendTrafficPolicyForRoute(policy, route, xdsIR, configMaps); err != nil { status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, @@ -181,7 +184,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv } // Set conditions for translation error if it got any - if err := t.translateBackendTrafficPolicyForGateway(policy, currTarget, gateway, xdsIR); err != nil { + if err := t.translateBackendTrafficPolicyForGateway(policy, currTarget, gateway, xdsIR, configMaps); err != nil { status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, @@ -281,7 +284,12 @@ func resolveBTPolicyRouteTargetRef(policy *egv1a1.BackendTrafficPolicy, target g return route.RouteContext, nil } -func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR resource.XdsIRMap) error { +func (t *Translator) translateBackendTrafficPolicyForRoute( + policy *egv1a1.BackendTrafficPolicy, + route RouteContext, + xdsIR resource.XdsIRMap, + configMaps []*corev1.ConfigMap, +) error { var ( rl *ir.RateLimit lb *ir.LoadBalancer @@ -295,6 +303,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen bc *ir.BackendConnection ds *ir.DNS h2 *ir.HTTP2Settings + ro *ir.ResponseOverride err, errs error ) 
@@ -340,6 +349,11 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen errs = errors.Join(errs, err) } + if ro, err = buildResponseOverride(policy, configMaps); err != nil { + err = perr.WithMessage(err, "ResponseOverride") + errs = errors.Join(errs, err) + } + ds = translateDNS(policy.Spec.ClusterSettings) // Apply IR to all relevant routes @@ -402,6 +416,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen HTTP2: h2, DNS: ds, Timeout: to, + ResponseOverride: ro, } // Update the Host field in HealthCheck, now that we have access to the Route Hostname. @@ -418,7 +433,13 @@ func (t *Translator) translateBackendTrafficPolicyForRoute(policy *egv1a1.Backen return errs } -func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.BackendTrafficPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, xdsIR resource.XdsIRMap) error { +func (t *Translator) translateBackendTrafficPolicyForGateway( + policy *egv1a1.BackendTrafficPolicy, + target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, + gateway *GatewayContext, + xdsIR resource.XdsIRMap, + configMaps []*corev1.ConfigMap, +) error { var ( rl *ir.RateLimit lb *ir.LoadBalancer @@ -431,6 +452,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back rt *ir.Retry ds *ir.DNS h2 *ir.HTTP2Settings + ro *ir.ResponseOverride err, errs error ) @@ -469,6 +491,10 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back err = perr.WithMessage(err, "HTTP2") errs = errors.Join(errs, err) } + if ro, err = buildResponseOverride(policy, configMaps); err != nil { + err = perr.WithMessage(err, "ResponseOverride") + errs = errors.Join(errs, err) + } ds = translateDNS(policy.Spec.ClusterSettings) 
@@ -542,16 +568,17 @@ func (t *Translator) translateBackendTrafficPolicyForGateway(policy *egv1a1.Back } r.Traffic = &ir.TrafficFeatures{ - RateLimit: rl, - LoadBalancer: lb, - ProxyProtocol: pp, - HealthCheck: hc, - CircuitBreaker: cb, - FaultInjection: fi, - TCPKeepalive: ka, - Retry: rt, - HTTP2: h2, - DNS: ds, + RateLimit: rl, + LoadBalancer: lb, + ProxyProtocol: pp, + HealthCheck: hc, + CircuitBreaker: cb, + FaultInjection: fi, + TCPKeepalive: ka, + Retry: rt, + HTTP2: h2, + DNS: ds, + ResponseOverride: ro, } // Update the Host field in HealthCheck, now that we have access to the Route Hostname. 
@@ -836,3 +863,81 @@ func makeIrTriggerSet(in []egv1a1.TriggerEnum) []ir.TriggerEnum { } return irTriggers } + +func buildResponseOverride(policy *egv1a1.BackendTrafficPolicy, configMaps []*corev1.ConfigMap) (*ir.ResponseOverride, error) { + if len(policy.Spec.ResponseOverride) == 0 { + return nil, nil + } + + rules := make([]ir.ResponseOverrideRule, 0, len(policy.Spec.ResponseOverride)) + for index, ro := range policy.Spec.ResponseOverride { + match := ir.CustomResponseMatch{ + StatusCodes: make([]ir.StatusCodeMatch, 0, len(ro.Match.StatusCodes)), + } + + for _, code := range ro.Match.StatusCodes { + if code.Type != nil && *code.Type == egv1a1.StatusCodeValueTypeRange { + match.StatusCodes = append(match.StatusCodes, ir.StatusCodeMatch{ + Range: &ir.StatusCodeRange{ + Start: code.Range.Start, + End: code.Range.End, + }, + }) + } else { + match.StatusCodes = append(match.StatusCodes, ir.StatusCodeMatch{ + Value: code.Value, + }) + } + } + + response := ir.CustomResponse{ + ContentType: ro.Response.ContentType, + } + + if ro.Response.Body.Type != nil && *ro.Response.Body.Type == egv1a1.ResponseValueTypeValueRef { + foundCM := false + for _, cm := range configMaps { + if cm.Namespace == policy.Namespace && cm.Name == string(ro.Response.Body.ValueRef.Name) { + body, dataOk := cm.Data["response.body"] + switch { + case dataOk: + response.Body = body + case len(cm.Data) > 0: // Fallback to the first key if response.body is not found + for _, value := range cm.Data { + body = value + break + } + response.Body = body + default: + return nil, fmt.Errorf("can't find the key response.body in the referenced configmap %s", ro.Response.Body.ValueRef.Name) + } + + foundCM = true + break + } + } + if !foundCM { + return nil, fmt.Errorf("can't find the referenced configmap %s", ro.Response.Body.ValueRef.Name) + } + } else { + response.Body = *ro.Response.Body.Inline + } + + rules = append(rules, ir.ResponseOverrideRule{ + Name: defaultResponseOverrideRuleName(policy, index), + 
Match: match, + Response: response, + }) + } + return &ir.ResponseOverride{ + Name: irConfigName(policy), + Rules: rules, + }, nil +} + +func defaultResponseOverrideRuleName(policy *egv1a1.BackendTrafficPolicy, index int) string { + return fmt.Sprintf( + "%s/responseoverride/rule/%s", + irConfigName(policy), + strconv.Itoa(index)) +} diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.in.yaml new file mode 100644 index 00000000000..e44a8473d5c --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.in.yaml 
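Review bot: `buildResponseOverride` dereferences `code.Range`, `ro.Response.Body.ValueRef` and `ro.Response.Body.Inline` without nil checks, so a policy that reaches the translator without having passed the CEL rules added in `shared_types.go` (an older installed CRD, for instance) would panic the translation instead of producing a policy status error. The fallback for a ConfigMap that lacks `response.body` also takes whatever `range cm.Data` yields first, and Go map iteration order is unspecified, so with several keys the served body can change from one translation to the next; the `ValueRef` doc comment in `shared_types.go` promises "the first value", which has no stable meaning for a map. Returning an error for the missing pointer and picking the smallest key (`sort` is already imported in this file) makes both cases deterministic, and a matching `if code.Range == nil` guard belongs in the status-code loop.

```go
		// … unchanged: status-code matching and response.ContentType …
		body := ro.Response.Body
		if body.Type != nil && *body.Type == egv1a1.ResponseValueTypeValueRef {
			if body.ValueRef == nil {
				return nil, fmt.Errorf("valueRef must be set for type ValueRef")
			}
			// … unchanged: find cm by policy.Namespace and body.ValueRef.Name, error when absent …
			value, ok := cm.Data["response.body"]
			if !ok {
				// … unchanged: error when cm.Data is empty …
				// Map order is unspecified; take the smallest key so the result is stable.
				keys := make([]string, 0, len(cm.Data))
				for k := range cm.Data {
					keys = append(keys, k)
				}
				sort.Strings(keys)
				value = cm.Data[keys[0]]
			}
			response.Body = value
		} else {
			if body.Inline == nil {
				return nil, fmt.Errorf("inline must be set for type Inline")
			}
			response.Body = *body.Inline
		}
```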
@@ -0,0 +1,141 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-1 + spec: + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: default + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: response-override-config + namespace: default + data: {} +backendTrafficPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + responseOverride: + - match: + statusCodes: + - type: Value + value: 404 + response: + contentType: text/plain + body: + type: Inline + inline: "gateway-1 Not Found" + - match: + statusCodes: + - type: Value + value: 500 + - type: Range + range: + start: 501 + end: 511 + response: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config + - apiVersion: 
gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + responseOverride: + - match: + statusCodes: + - value: 404 + response: + contentType: text/plain + body: + inline: "httproute-1 Not Found" + - match: + statusCodes: + - value: 500 + - type: Range + range: + start: 501 + end: 511 + response: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config-1 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml new file mode 100644 index 00000000000..c1542d9caec --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml 
@@ -0,0 +1,371 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route + namespace: default + spec: + responseOverride: + - match: + statusCodes: + - type: null + value: 404 + response: + body: + inline: httproute-1 Not Found + type: null + contentType: text/plain + - match: + statusCodes: + - type: null + value: 500 + - range: + end: 511 + start: 501 + type: Range + response: + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config-1 + contentType: application/json + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: 'ResponseOverride: can''t find the referenced configmap response-override-config-1.' + reason: Invalid + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: default + spec: + responseOverride: + - match: + statusCodes: + - type: Value + value: 404 + response: + body: + inline: gateway-1 Not Found + type: Inline + contentType: text/plain + - match: + statusCodes: + - type: Value + value: 500 + - range: + end: 511 + start: 501 + type: Range + response: + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config + contentType: application/json + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + conditions: + - lastTransitionTime: null + message: 'ResponseOverride: can''t find the 
key response.body in the referenced + configmap response-override-config.' + reason: Invalid + status: "False" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: 
gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 + default/gateway-2: + proxy: + listeners: + - address: null + name: 
default/gateway-2/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-2 +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: default + name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + default/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: default + sectionName: http + name: default/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + directResponse: + statusCode: 500 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.in.yaml new file mode 100644 index 00000000000..51dd9fd7114 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.in.yaml 
@@ -0,0 +1,145 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +grpcRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + namespace: default + name: grpcroute-1 + spec: + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: default + name: gateway-2 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: response-override-config + namespace: default + data: + response.body: | + { + "error": "Internal Server Error" + } +backendTrafficPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + responseOverride: + - match: + statusCodes: + - type: Value + value: 404 + response: + contentType: text/plain + body: + type: Inline + inline: "gateway-1 Not Found" + - match: + statusCodes: + - type: Value + value: 500 + - type: Range + range: + start: 501 + end: 511 + response: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: 
response-override-config + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: default + name: policy-for-route + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + responseOverride: + - match: + statusCodes: + - value: 404 + response: + contentType: text/plain + body: + inline: "httproute-1 Not Found" + - match: + statusCodes: + - value: 500 + - type: Range + range: + start: 501 + end: 511 + response: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml new file mode 100644 index 00000000000..568a57af484 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml 
@@ -0,0 +1,414 @@ +backendTrafficPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-route + namespace: default + spec: + responseOverride: + - match: + statusCodes: + - type: null + value: 404 + response: + body: + inline: httproute-1 Not Found + type: null + contentType: text/plain + - match: + statusCodes: + - type: null + value: 500 + - range: + end: 511 + start: 501 + type: Range + response: + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config + contentType: application/json + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: default + spec: + responseOverride: + - match: + statusCodes: + - type: Value + value: 404 + response: + body: + inline: gateway-1 Not Found + type: Inline + contentType: text/plain + - match: + statusCodes: + - type: Value + value: 500 + - range: + end: 511 + start: 501 + type: Range + response: + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config + contentType: application/json + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + conditions: + - lastTransitionTime: null + message: Policy has been accepted. 
+ reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +grpcRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1alpha2 + kind: GRPCRoute + metadata: + creationTimestamp: null + name: grpcroute-1 + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-2 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-2 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 + default/gateway-2: + proxy: + listeners: + - address: null + name: default/gateway-2/http + ports: + - containerPort: 10080 + name: http-80 
+ protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-2 +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: true + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: grpcroute/default/grpcroute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + hostname: '*' + isHTTP2: true + metadata: + kind: GRPCRoute + name: grpcroute-1 + namespace: default + name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + traffic: + responseOverride: + name: backendtrafficpolicy/default/policy-for-gateway + rules: + - match: + statusCodes: + - value: 404 + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/0 + response: + body: gateway-1 Not Found + contentType: text/plain + - match: + statusCodes: + - value: 500 + - range: + end: 511 + start: 501 + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/1 + response: + body: | + { + "error": "Internal Server Error" + } + contentType: application/json + default/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: default + sectionName: http + name: default/gateway-2/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: 
HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + traffic: + responseOverride: + name: backendtrafficpolicy/default/policy-for-route + rules: + - match: + statusCodes: + - value: 404 + name: backendtrafficpolicy/default/policy-for-route/responseoverride/rule/0 + response: + body: httproute-1 Not Found + contentType: text/plain + - match: + statusCodes: + - value: 500 + - range: + end: 511 + start: 501 + name: backendtrafficpolicy/default/policy-for-route/responseoverride/rule/1 + response: + body: | + { + "error": "Internal Server Error" + } + contentType: application/json diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 0e6d683d855..0f518b71033 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -211,7 +211,7 @@ func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, // Process BackendTrafficPolicies backendTrafficPolicies := t.ProcessBackendTrafficPolicies( - resources.BackendTrafficPolicies, gateways, routes, xdsIR) + resources.BackendTrafficPolicies, gateways, routes, xdsIR, resources.ConfigMaps) // Process SecurityPolicies securityPolicies := t.ProcessSecurityPolicies( diff --git a/internal/ir/xds.go b/internal/ir/xds.go index fdcace324f5..cb5021f4c9f 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -477,6 +477,63 @@ type HTTP2Settings struct { ResetStreamOnError *bool `json:"resetStreamOnError,omitempty" yaml:"resetStreamOnError,omitempty"` } +// ResponseOverride defines the configuration to override specific responses with a custom one. +// +k8s:deepcopy-gen=true +type ResponseOverride struct { + // Name is a unique name for a ResponseOverride configuration. + // The xds translator only generates one CustomResponse filter for each unique name. + Name string `json:"name" yaml:"name"` + + // Rules contains the list of rules to override responses. + Rules []ResponseOverrideRule `json:"rules,omitempty"` +} + +// ResponseOverrideRule defines the configuration for overriding a response. +// +k8s:deepcopy-gen=true +type ResponseOverrideRule struct { + // Name is a generated name for the rule. + Name string `json:"name"` + // Match configuration. + Match CustomResponseMatch `json:"match"` + // Response configuration. + Response CustomResponse `json:"response"` +} + +// CustomResponseMatch defines the configuration for matching a user response to return a custom one. +// +k8s:deepcopy-gen=true +type CustomResponseMatch struct { + // Status code to match on. The match evaluates to true if any of the matches are successful. + StatusCodes []StatusCodeMatch `json:"statusCodes"` +} + +// StatusCodeMatch defines the configuration for matching a status code. +// +k8s:deepcopy-gen=true +type StatusCodeMatch struct { + // Value contains the value of the status code. + Value *int `json:"value,omitempty"` + + // Range contains a range of status codes. + Range *StatusCodeRange `json:"range,omitempty"` +} + +// StatusCodeRange defines the configuration for define a range of status codes. +type StatusCodeRange struct { + // Start of the range, including the start value. + Start int `json:"start"` + // End of the range, including the end value. + End int `json:"end"` +} + +// CustomResponse defines the configuration for returning a custom response. 
+// +k8s:deepcopy-gen=true +type CustomResponse struct { + // Content Type of the response. This will be set in the Content-Type header. + ContentType *string `json:"contentType,omitempty"` + + // Body of the Custom Response + Body string `json:"body"` +} + // HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener. // +k8s:deepcopy-gen=true type HealthCheckSettings egv1a1.HealthCheckSettings @@ -657,6 +714,8 @@ type TrafficFeatures struct { HTTP2 *HTTP2Settings `json:"http2,omitempty" yaml:"http2,omitempty"` // DNS is used to configure how DNS resolution is handled by the Envoy Proxy cluster DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"` + // ResponseOverride defines the schema for overriding the response. + ResponseOverride *ResponseOverride `json:"responseOverride,omitempty" yaml:"responseOverride,omitempty"` } func (b *TrafficFeatures) Validate() error { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 3c0c1135f44..791b6d5dd68 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
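Review bot: The new `StatusCodeMatch` and `StatusCodeRange` types carry no invariant checks: `Value` and `Range` may both be nil or both be set, and nothing rejects `Start > End`. If the API layer does not already guarantee this, `TrafficFeatures.Validate()` (only its signature is visible as context in the second hunk) looks like the place to check a non-nil `ResponseOverride`. On style, `ResponseOverride.Name` has both `json` and `yaml` tags while `Rules` and every field of the other new structs have only `json`. The `StatusCodeRange` comment would read better as `// StatusCodeRange defines an inclusive range of status codes.`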
@@ -602,6 +602,48 @@ func (in *CoreListenerDetails) DeepCopy() *CoreListenerDetails { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { + *out = *in + if in.ContentType != nil { + in, out := &in.ContentType, &out.ContentType + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. +func (in *CustomResponse) DeepCopy() *CustomResponse { + if in == nil { + return nil + } + out := new(CustomResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomResponseMatch) DeepCopyInto(out *CustomResponseMatch) { + *out = *in + if in.StatusCodes != nil { + in, out := &in.StatusCodes, &out.StatusCodes + *out = make([]StatusCodeMatch, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponseMatch. +func (in *CustomResponseMatch) DeepCopy() *CustomResponseMatch { + if in == nil { + return nil + } + out := new(CustomResponseMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DNS) DeepCopyInto(out *DNS) { *out = *in 
@@ -2399,6 +2441,45 @@ func (in *ResourceMetadata) DeepCopy() *ResourceMetadata { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResponseOverride) DeepCopyInto(out *ResponseOverride) { + *out = *in + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]ResponseOverrideRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseOverride. +func (in *ResponseOverride) DeepCopy() *ResponseOverride { + if in == nil { + return nil + } + out := new(ResponseOverride) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResponseOverrideRule) DeepCopyInto(out *ResponseOverrideRule) { + *out = *in + in.Match.DeepCopyInto(&out.Match) + in.Response.DeepCopyInto(&out.Response) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseOverrideRule. +func (in *ResponseOverrideRule) DeepCopy() *ResponseOverrideRule { + if in == nil { + return nil + } + out := new(ResponseOverrideRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Retry) DeepCopyInto(out *Retry) { *out = *in 
@@ -2590,6 +2671,31 @@ func (in *SlowStart) DeepCopy() *SlowStart { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StatusCodeMatch) DeepCopyInto(out *StatusCodeMatch) { + *out = *in + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(int) + **out = **in + } + if in.Range != nil { + in, out := &in.Range, &out.Range + *out = new(StatusCodeRange) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCodeMatch. +func (in *StatusCodeMatch) DeepCopy() *StatusCodeMatch { + if in == nil { + return nil + } + out := new(StatusCodeMatch) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringMatch) DeepCopyInto(out *StringMatch) { *out = *in @@ -3159,6 +3265,11 @@ func (in *TrafficFeatures) DeepCopyInto(out *TrafficFeatures) { *out = new(DNS) (*in).DeepCopyInto(*out) } + if in.ResponseOverride != nil { + in, out := &in.ResponseOverride, &out.ResponseOverride + *out = new(ResponseOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficFeatures. diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 7fe3c3d32ff..de020dfcee8 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -239,7 +239,7 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } // Add all BackendTrafficPolicies to the resourceTree - if err = r.processBackendTrafficPolicies(ctx, gwcResource); err != nil { + if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { return reconcile.Result{}, err } 
@@ -748,6 +748,39 @@ func (r *gatewayAPIReconciler) processConfigMapRef(
 return nil
 }
 
+// processBtpConfigMapRefs adds the referenced ConfigMaps in BackendTrafficPolicies
+// to the resourceTree
+func (r *gatewayAPIReconciler) processBtpConfigMapRefs(
+ ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings,
+) {
+ for _, policy := range resourceTree.BackendTrafficPolicies {
+ for _, ro := range policy.Spec.ResponseOverride {
+ if ro.Response.Body.ValueRef != nil && string(ro.Response.Body.ValueRef.Kind) == resource.KindConfigMap {
+ configMap := new(corev1.ConfigMap)
+ err := r.client.Get(ctx,
+ types.NamespacedName{Namespace: policy.Namespace, Name: string(ro.Response.Body.ValueRef.Name)},
+ configMap,
+ )
+ // we don't return an error here, because we want to continue
+ // reconciling the rest of the BackendTrafficPolicies despite that this
+ // reference is invalid.
+ // This BackendTrafficPolicies will be marked as invalid in its status
+ // when translating to IR because the referenced configmap can't be
+ // found.
+ if err != nil {
+ r.log.Error(err,
+ "failed to process ResponseOverride ValueRef for BackendTrafficPolicy",
+ "policy", policy, "ValueRef", ro.Response.Body.ValueRef.Name)
+ }
+
+ resourceMap.allAssociatedNamespaces.Insert(policy.Namespace)
+ resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap)
+ r.log.Info("processing ConfigMap", "namespace", policy.Namespace, "name", string(ro.Response.Body.ValueRef.Name))
+ }
+ }
+ }
+}
+
 func (r *gatewayAPIReconciler) getNamespace(ctx context.Context, name string) (*corev1.Namespace, error) {
 nsKey := types.NamespacedName{Name: name}
 ns := new(corev1.Namespace)
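Review bot: In `processBtpConfigMapRefs`, a failed `r.client.Get` is logged but execution falls through, so the zero-value `configMap` is still appended to `resourceTree.ConfigMaps` and "processing ConfigMap" is logged for an object that was never read. Skip the append on error, for example by ending the `if err != nil` block with `continue` (moving the `allAssociatedNamespaces.Insert` above it if the namespace must still be tracked). The policy is still rejected later because the translator finds no ConfigMap with a matching namespace and name. A ConfigMap referenced by several rules or policies is also appended once per reference (both policies in the added fixtures point at `response-override-config`), so de-duplicating on namespace/name would avoid repeated entries. The error log passes the whole `policy` object as a value; its namespace and name are enough to identify it.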
@@ -942,7 +975,8 @@ func (r *gatewayAPIReconciler) processClientTrafficPolicies( } // processBackendTrafficPolicies adds BackendTrafficPolicies to the resourceTree -func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context, resourceTree *resource.Resources) error { +func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings, +) error { backendTrafficPolicies := egv1a1.BackendTrafficPolicyList{} if err := r.client.List(ctx, &backendTrafficPolicies); err != nil { return fmt.Errorf("error listing BackendTrafficPolicies: %w", err) @@ -955,6 +989,7 @@ func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context policy.Status = gwapiv1a2.PolicyStatus{} resourceTree.BackendTrafficPolicies = append(resourceTree.BackendTrafficPolicies, &policy) } + r.processBtpConfigMapRefs(ctx, resourceTree, resourceMap) return nil } @@ -1348,7 +1383,7 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch ConfigMap CRUDs and process affected ClienTraffiPolicies and BackendTLSPolicies. + // Watch ConfigMap CRUDs and process affected EG Resources. configMapPredicates := []predicate.TypedPredicate[*corev1.ConfigMap]{ predicate.NewTypedPredicateFuncs[*corev1.ConfigMap](func(cm *corev1.ConfigMap) bool { return r.validateConfigMapForReconcile(cm) @@ -1492,6 +1527,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } + if err := addBtpIndexers(ctx, mgr); err != nil { + return err + } + // Watch SecurityPolicy spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 462a70542f3..2ad12069f98 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go 
@@ -46,6 +46,7 @@ const ( secretEnvoyProxyIndex = "secretEnvoyProxyIndex" secretEnvoyExtensionPolicyIndex = "secretEnvoyExtensionPolicyIndex" httpRouteFilterHTTPRouteIndex = "httpRouteFilterHTTPRouteIndex" + configMapBtpIndex = "configMapBtpIndex" ) func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error { @@ -641,6 +642,36 @@ func secretCtpIndexFunc(rawObj client.Object) []string { return secretReferences } +// addBtpIndexers adds indexing on BackendTrafficPolicy, for ConfigMap objects that are +// referenced in BackendTrafficPolicy objects. This helps in querying for BackendTrafficPolies that are +// affected by a particular ConfigMap CRUD. +func addBtpIndexers(ctx context.Context, mgr manager.Manager) error { + if err := mgr.GetFieldIndexer().IndexField(ctx, &egv1a1.BackendTrafficPolicy{}, configMapBtpIndex, configMapBtpIndexFunc); err != nil { + return err + } + + return nil +} + +func configMapBtpIndexFunc(rawObj client.Object) []string { + btp := rawObj.(*egv1a1.BackendTrafficPolicy) + var configMapReferences []string + + for _, ro := range btp.Spec.ResponseOverride { + if ro.Response.Body.ValueRef != nil { + if string(ro.Response.Body.ValueRef.Kind) == resource.KindConfigMap { + configMapReferences = append(configMapReferences, + types.NamespacedName{ + Namespace: btp.Namespace, + Name: string(ro.Response.Body.ValueRef.Name), + }.String(), + ) + } + } + } + return configMapReferences +} + // addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are // affected by a particular ConfigMap CRUD. diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 9c4d582b58b..a885d58ca62 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
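Review bot: In the second hunk (`@@ -641`), `configMapBtpIndexFunc` has no doc comment, and the comment on `addBtpIndexers` misspells "BackendTrafficPolicies" as "BackendTrafficPolies". A comment such as `// configMapBtpIndexFunc returns the namespace/name keys of the ConfigMaps referenced by a BackendTrafficPolicy's ResponseOverride rules.` would record that the key format has to match the `configMapBtpIndex` selector built in `validateConfigMapForReconcile`. The two nested `if` statements can be merged into one condition, `if ref := ro.Response.Body.ValueRef; ref != nil && string(ref.Kind) == resource.KindConfigMap {`, which is how `processBtpConfigMapRefs` writes the same test.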
@@ -588,7 +588,7 @@ func (r *gatewayAPIReconciler) handleNode(obj client.Object) bool { return true } -// validateConfigMapForReconcile checks whether the ConfigMap belongs to a valid ClientTrafficPolicy. +// validateConfigMapForReconcile checks whether the ConfigMap belongs to a valid EG resource. func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) bool { configMap, ok := obj.(*corev1.ConfigMap) if !ok { @@ -604,8 +604,8 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return false } - if len(ctpList.Items) == 0 { - return false + if len(ctpList.Items) > 0 { + return true } btlsList := &gwapiv1a3.BackendTLSPolicyList{} @@ -616,11 +616,23 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return false } - if len(btlsList.Items) == 0 { + if len(btlsList.Items) > 0 { + return true + } + + btpList := &egv1a1.BackendTrafficPolicyList{} + if err := r.client.List(context.Background(), btpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTrafficPolicy") return false } - return true + if len(btpList.Items) > 0 { + return true + } + + return false } func (r *gatewayAPIReconciler) isEnvoyExtensionPolicyReferencingBackend(nsName *types.NamespacedName) bool { diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go new file mode 100644 index 00000000000..1d1bf3a5d2c --- /dev/null +++ b/internal/xds/translator/custom_response.go 
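Review bot: The tail of `validateConfigMapForReconcile` added in the third hunk (`@@ -616`), `if len(btpList.Items) > 0 { return true }` followed by `return false`, reads more directly as `return len(btpList.Items) > 0`. Each lookup still appears to return false as soon as its `List` call fails, so an error in the ClientTrafficPolicy or BackendTLSPolicy query means the BackendTrafficPolicy index is never consulted and the ConfigMap event is dropped. Logging the error and moving on to the next lookup would avoid missing an update to a ConfigMap that backs a response body. The function starts outside these hunks and the first two lookups are only partly visible, so the error-path reading is inferred from the `return false` context lines.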
@@ -0,0 +1,450 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package translator + +import ( + "errors" + "fmt" + "strconv" + + cncfv3 "github.com/cncf/xds/go/xds/core/v3" + matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3" + typev3 "github.com/cncf/xds/go/xds/type/v3" + corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" + respv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/custom_response/v3" + hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" + policyv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/custom_response/local_response_policy/v3" + envoymatcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" + expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1" + "google.golang.org/protobuf/types/known/anypb" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/xds/types" +) + +func init() { + registerHTTPFilter(&customResponse{}) +} + +type customResponse struct{} + +var _ httpFilter = &customResponse{} + +// patchHCM builds and appends the customResponse Filters to the HTTP Connection Manager +// if applicable, and it does not already exist. +// Note: this method creates an customResponse filter for each route that contains an ResponseOverride config. +// the filter is disabled by default. It is enabled on the route level. 
+func (c *customResponse) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error { + var errs error + + if mgr == nil { + return errors.New("hcm is nil") + } + + if irListener == nil { + return errors.New("ir listener is nil") + } + + for _, route := range irListener.Routes { + if !c.routeContainsResponseOverride(route) { + continue + } + + // Only generates one CustomResponse Envoy filter for each unique name. + // For example, if there are two routes under the same gateway with the + // same CustomResponse config, only one CustomResponse filter will be generated. + if hcmContainsFilter(mgr, c.customResponseFilterName(route.Traffic.ResponseOverride)) { + continue + } + + filter, err := c.buildHCMCustomResponseFilter(route.Traffic.ResponseOverride) + if err != nil { + errs = errors.Join(errs, err) + continue + } + + mgr.HttpFilters = append(mgr.HttpFilters, filter) + } + + return errs +} + +// buildHCMCustomResponseFilter returns an OAuth2 HTTP filter from the provided IR HTTPRoute. 
+func (c *customResponse) buildHCMCustomResponseFilter(ro *ir.ResponseOverride) (*hcmv3.HttpFilter, error) { + proto, err := c.customResponseConfig(ro) + if err != nil { + return nil, err + } + + if err := proto.ValidateAll(); err != nil { + return nil, err + } + + any, err := anypb.New(proto) + if err != nil { + return nil, err + } + + return &hcmv3.HttpFilter{ + Name: c.customResponseFilterName(ro), + Disabled: true, + ConfigType: &hcmv3.HttpFilter_TypedConfig{ + TypedConfig: any, + }, + }, nil +} + +func (c *customResponse) customResponseFilterName(ro *ir.ResponseOverride) string { + return perRouteFilterName(egv1a1.EnvoyFilterCustomResponse, ro.Name) +} + +func (c *customResponse) customResponseConfig(ro *ir.ResponseOverride) (*respv3.CustomResponse, error) { + var matchers []*matcherv3.Matcher_MatcherList_FieldMatcher + + for _, r := range ro.Rules { + var ( + action *matcherv3.Matcher_OnMatch_Action + predicate *matcherv3.Matcher_MatcherList_Predicate + err error + ) + + if action, err = c.buildAction(r); err != nil { + return nil, err + } + + switch { + case len(r.Match.StatusCodes) == 0: + // This is just a sanity check, as the CRD validation should have caught this. + return nil, fmt.Errorf("missing status code in response override rule") + case len(r.Match.StatusCodes) == 1: + if predicate, err = c.buildSinglePredicate(r.Match.StatusCodes[0]); err != nil { + return nil, err + } + + matcher := &matcherv3.Matcher_MatcherList_FieldMatcher{ + Predicate: predicate, + OnMatch: &matcherv3.Matcher_OnMatch{ + OnMatch: action, + }, + } + + matchers = append(matchers, matcher) + case len(r.Match.StatusCodes) > 1: + var predicates []*matcherv3.Matcher_MatcherList_Predicate + + for _, codeMatch := range r.Match.StatusCodes { + if predicate, err = c.buildSinglePredicate(codeMatch); err != nil { + return nil, err + } + + predicates = append(predicates, predicate) + } + + // Create a single matcher that ORs all the predicates together. 
+ // The rule will match if any of the codes match. + matcher := &matcherv3.Matcher_MatcherList_FieldMatcher{ + Predicate: &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_OrMatcher{ + OrMatcher: &matcherv3.Matcher_MatcherList_Predicate_PredicateList{ + Predicate: predicates, + }, + }, + }, + OnMatch: &matcherv3.Matcher_OnMatch{ + OnMatch: action, + }, + } + + matchers = append(matchers, matcher) + } + + } + + // Create a MatcherList. + // The rules will be evaluated in order, and the first match wins. + cr := &respv3.CustomResponse{ + CustomResponseMatcher: &matcherv3.Matcher{ + MatcherType: &matcherv3.Matcher_MatcherList_{ + MatcherList: &matcherv3.Matcher_MatcherList{ + Matchers: matchers, + }, + }, + }, + } + + return cr, nil +} + +func (c *customResponse) buildSinglePredicate(codeMatch ir.StatusCodeMatch) (*matcherv3.Matcher_MatcherList_Predicate, error) { + var ( + httpAttributeCELInput *cncfv3.TypedExtensionConfig + statusCodeInput *cncfv3.TypedExtensionConfig + statusCodeCELMatcher *cncfv3.TypedExtensionConfig + err error + ) + + // Use CEL to match a range of status codes. + if codeMatch.Range != nil { + if httpAttributeCELInput, err = c.buildHTTPAttributeCELInput(); err != nil { + return nil, err + } + + if statusCodeCELMatcher, err = c.buildStatusCodeCELMatcher(*codeMatch.Range); err != nil { + return nil, err + } + + return &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: httpAttributeCELInput, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_CustomMatch{ + CustomMatch: statusCodeCELMatcher, + }, + }, + }, + }, nil + } else { + // Use exact string match to match a single status code. 
+ if statusCodeInput, err = c.buildStatusCodeInput(); err != nil { + return nil, err + } + + return &matcherv3.Matcher_MatcherList_Predicate{ + MatchType: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_{ + SinglePredicate: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate{ + Input: statusCodeInput, + Matcher: &matcherv3.Matcher_MatcherList_Predicate_SinglePredicate_ValueMatch{ + ValueMatch: &matcherv3.StringMatcher{ + MatchPattern: &matcherv3.StringMatcher_Exact{ + Exact: strconv.Itoa(*codeMatch.Value), + }, + }, + }, + }, + }, + }, nil + } +} + +func (c *customResponse) buildHTTPAttributeCELInput() (*cncfv3.TypedExtensionConfig, error) { + var ( + pb *anypb.Any + err error + ) + + if pb, err = anypb.New(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { + return nil, err + } + + return &cncfv3.TypedExtensionConfig{ + Name: "http-attributes-cel-match-input", + TypedConfig: pb, + }, nil +} + +func (c *customResponse) buildStatusCodeInput() (*cncfv3.TypedExtensionConfig, error) { + var ( + pb *anypb.Any + err error + ) + + if pb, err = anypb.New(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { + return nil, err + } + + return &cncfv3.TypedExtensionConfig{ + Name: "http-response-status-code-match-input", + TypedConfig: pb, + }, nil +} + +func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) (*cncfv3.TypedExtensionConfig, error) { + var ( + pb *anypb.Any + err error + ) + + // Build the CEL expression AST: response.code >= codeRange.Start && response.code <= codeRange.End + matcher := &matcherv3.CelMatcher{ + ExprMatch: &typev3.CelExpression{ + ExprSpecifier: &typev3.CelExpression_ParsedExpr{ + ParsedExpr: &expr.ParsedExpr{ + Expr: &expr.Expr{ + Id: 9, + ExprKind: &expr.Expr_CallExpr{ + CallExpr: &expr.Expr_Call{ + Function: "_&&_", + Args: []*expr.Expr{ + { + Id: 3, + ExprKind: &expr.Expr_CallExpr{ + CallExpr: &expr.Expr_Call{ + Function: "_>=_", + Args: []*expr.Expr{ + { + Id: 2, + ExprKind: 
&expr.Expr_SelectExpr{ + SelectExpr: &expr.Expr_Select{ + Operand: &expr.Expr{ + Id: 1, + ExprKind: &expr.Expr_IdentExpr{ + IdentExpr: &expr.Expr_Ident{ + Name: "response", + }, + }, + }, + Field: "code", + }, + }, + }, + { + Id: 4, + ExprKind: &expr.Expr_ConstExpr{ + ConstExpr: &expr.Constant{ + ConstantKind: &expr.Constant_Int64Value{ + Int64Value: int64(codeRange.Start), + }, + }, + }, + }, + }, + }, + }, + }, + { + Id: 7, + ExprKind: &expr.Expr_CallExpr{ + CallExpr: &expr.Expr_Call{ + Function: "_<=_", + Args: []*expr.Expr{ + { + Id: 6, + ExprKind: &expr.Expr_SelectExpr{ + SelectExpr: &expr.Expr_Select{ + Operand: &expr.Expr{ + Id: 5, + ExprKind: &expr.Expr_IdentExpr{ + IdentExpr: &expr.Expr_Ident{ + Name: "response", + }, + }, + }, + Field: "code", + }, + }, + }, + { + Id: 8, + ExprKind: &expr.Expr_ConstExpr{ + ConstExpr: &expr.Constant{ + ConstantKind: &expr.Constant_Int64Value{ + Int64Value: int64(codeRange.End), + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + if err := matcher.ValidateAll(); err != nil { + return nil, err + } + + if pb, err = anypb.New(matcher); err != nil { + return nil, err + } + + return &cncfv3.TypedExtensionConfig{ + Name: "cel-matcher", + TypedConfig: pb, + }, nil +} + +func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matcher_OnMatch_Action, error) { + response := &policyv3.LocalResponsePolicy{ + Body: &corev3.DataSource{ + Specifier: &corev3.DataSource_InlineString{ + InlineString: r.Response.Body, + }, + }, + } + + if r.Response.ContentType != nil && *r.Response.ContentType != "" { + response.ResponseHeadersToAdd = append(response.ResponseHeadersToAdd, &corev3.HeaderValueOption{ + Header: &corev3.HeaderValue{ + Key: "Content-Type", + Value: *r.Response.ContentType, + }, + AppendAction: corev3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD, + }) + } + + var ( + pb *anypb.Any + err error + ) + + if err := response.ValidateAll(); err != nil { + return nil, err + } + + if pb, err 
= anypb.New(response); err != nil { + return nil, err + } + + return &matcherv3.Matcher_OnMatch_Action{ + Action: &cncfv3.TypedExtensionConfig{ + Name: r.Name, + TypedConfig: pb, + }, + }, nil +} + +// routeContainsResponseOverride returns true if ResponseOverride exists for the provided route. +func (c *customResponse) routeContainsResponseOverride(irRoute *ir.HTTPRoute) bool { + if irRoute != nil && + irRoute.Traffic != nil && + irRoute.Traffic.ResponseOverride != nil { + return true + } + return false +} + +func (c *customResponse) patchResources(tCtx *types.ResourceVersionTable, + routes []*ir.HTTPRoute, +) error { + return nil +} + +// patchRoute patches the provided route with the customResponse config if applicable. +// Note: this method enables the corresponding customResponse filter for the provided route. +func (c *customResponse) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { + if route == nil { + return errors.New("xds route is nil") + } + if irRoute == nil { + return errors.New("ir route is nil") + } + if irRoute.Traffic == nil || irRoute.Traffic.ResponseOverride == nil { + return nil + } + filterName := c.customResponseFilterName(irRoute.Traffic.ResponseOverride) + if err := enableFilterOnRoute(route, filterName); err != nil { + return err + } + return nil +} diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index 963b7c8046d..e4e7b4a0216 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go 
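Review bot: `buildSinglePredicate` dereferences `*codeMatch.Value` in its `else` branch without checking it, so an `ir.StatusCodeMatch` with neither `Range` nor `Value` set panics the translator instead of returning an error. `customResponseConfig` already guards the empty `StatusCodes` case as a sanity check on top of CRD validation, and the same treatment fits here: `if codeMatch.Value == nil { return nil, errors.New("status code match has neither value nor range") }` before building the exact-match predicate. `buildStatusCodeCELMatcher` likewise does not reject a range whose `Start` is greater than `End`, which yields a matcher that can never fire (validation may happen before the IR is built; that is not visible here). The doc comment on `buildHCMCustomResponseFilter` says it returns an OAuth2 filter and should read `// buildHCMCustomResponseFilter returns a custom response HTTP filter built from the provided IR ResponseOverride.`; the local named `any` in that function shadows the builtin and could be renamed `cfg`.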
@@ -53,9 +53,9 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe continue } - // Only generates one BasicAuth Envoy filter for each unique name. + // Only generates one OAuth2 Envoy filter for each unique name. // For example, if there are two routes under the same gateway with the - // same BasicAuth config, only one BasicAuth filter will be generated. + // same OAuth2 config, only one OAuth2 filter will be generated. if hcmContainsFilter(mgr, oauth2FilterName(route.Security.OIDC)) { continue } diff --git a/internal/xds/translator/testdata/in/xds-ir/custom-response.yaml b/internal/xds/translator/testdata/in/xds-ir/custom-response.yaml new file mode 100644 index 00000000000..cb00ac65af9 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/custom-response.yaml @@ -0,0 +1,56 @@ +http: + - address: 0.0.0.0 + hostnames: + - "*" + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: "*" + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/-1/* + traffic: + responseOverride: + name: backendtrafficpolicy/default/policy-for-gateway + rules: + - match: + statusCodes: + - value: 404 + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/0 + response: + body: gateway-1 Not Found + contentType: text/plain + - match: + statusCodes: + - value: 500 + - range: + end: 511 + start: 501 + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/1 + response: + body: | + { + "error": "Internal Server Error" + } + contentType: application/json 
diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml new file mode 100644 index 00000000000..9714612e3de --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.endpoints.yaml new file mode 100644 index 00000000000..29bb6b4e444 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml new file mode 100644 index 00000000000..19c56586960 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml 
@@ -0,0 +1,130 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.custom_response/backendtrafficpolicy/default/policy-for-gateway + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.custom_response.v3.CustomResponse + customResponseMatcher: + matcherList: + matchers: + - onMatch: + action: + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/0 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.custom_response.local_response_policy.v3.LocalResponsePolicy + body: + inlineString: gateway-1 Not Found + responseHeadersToAdd: + - appendAction: OVERWRITE_IF_EXISTS_OR_ADD + header: + key: Content-Type + value: text/plain + predicate: + singlePredicate: + input: + name: http-response-status-code-match-input + typedConfig: + '@type': type.googleapis.com/envoy.type.matcher.v3.HttpResponseStatusCodeMatchInput + valueMatch: + exact: "404" + - onMatch: + action: + name: backendtrafficpolicy/default/policy-for-gateway/responseoverride/rule/1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.custom_response.local_response_policy.v3.LocalResponsePolicy + body: + inlineString: | + { + "error": "Internal Server Error" + } + responseHeadersToAdd: + - appendAction: OVERWRITE_IF_EXISTS_OR_ADD + header: + key: Content-Type + value: application/json + predicate: + orMatcher: + predicate: + - singlePredicate: + input: + name: http-response-status-code-match-input + typedConfig: + '@type': 
type.googleapis.com/envoy.type.matcher.v3.HttpResponseStatusCodeMatchInput + valueMatch: + exact: "500" + - singlePredicate: + customMatch: + name: cel-matcher + typedConfig: + '@type': type.googleapis.com/xds.type.matcher.v3.CelMatcher + exprMatch: + parsedExpr: + expr: + callExpr: + args: + - callExpr: + args: + - id: "2" + selectExpr: + field: code + operand: + id: "1" + identExpr: + name: response + - constExpr: + int64Value: "501" + id: "4" + function: _>=_ + id: "3" + - callExpr: + args: + - id: "6" + selectExpr: + field: code + operand: + id: "5" + identExpr: + name: response + - constExpr: + int64Value: "511" + id: "8" + function: _<=_ + id: "7" + function: _&&_ + id: "9" + input: + name: http-attributes-cel-match-input + typedConfig: + '@type': type.googleapis.com/xds.type.matcher.v3.HttpAttributesCelMatchInput + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.routes.yaml new file mode 100644 index 00000000000..8262bb6f325 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.routes.yaml 
@@ -0,0 +1,33 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - '*' + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/* + routes: + - match: + prefix: / + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/-1/* + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.custom_response/backendtrafficpolicy/default/policy-for-gateway: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fe361099a84..4f562fce611 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -483,6 +483,7 @@ _Appears in:_ | `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | #### BasicAuth @@ -866,7 +867,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Custom Response | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | #### CustomResponseBody @@ -881,9 +882,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | | `inline` | _string_ | false | Inline contains the value as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | #### CustomResponseMatch @@ -897,7 +898,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | #### CustomTag @@ -1026,6 +1027,7 @@ _Appears in:_ | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| | `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
| | `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
| +| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
| | `envoy.filters.http.router` | EnvoyFilterRouter defines the Envoy HTTP router filter.
| @@ -1479,7 +1481,7 @@ _Appears in:_ | `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | | `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | @@ -3573,6 +3575,10 @@ ResponseValueType defines the types of values for the response body supported by _Appears in:_ - [CustomResponseBody](#customresponsebody) +| Value | Description | +| ----- | ----------- | +| `Inline` | ResponseValueTypeInline defines the "Inline" response body type.
| +| `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| @@ -3821,16 +3827,16 @@ _Appears in:_ - +StatusCodeMatch defines the configuration for matching a status code. _Appears in:_ - [CustomResponseMatch](#customresponsematch) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | -| `value` | _string_ | false | Value contains the value of the status code. | -| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | #### StatusCodeRange @@ -3857,6 +3863,10 @@ StatusCodeValueType defines the types of values for the status code match suppor _Appears in:_ - [StatusCodeMatch](#statuscodematch) +| Value | Description | +| ----- | ----------- | +| `Value` | StatusCodeValueTypeValue defines the "Value" status code match type.
| +| `Range` | StatusCodeValueTypeRange defines the "Range" status code match type.
| #### StringMatch diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fe361099a84..4f562fce611 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -483,6 +483,7 @@ _Appears in:_ | `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | | `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | | `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | #### BasicAuth @@ -866,7 +867,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | -| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Custom Response | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | #### CustomResponseBody @@ -881,9 +882,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value. | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | | `inline` | _string_ | false | Inline contains the value as an inline string. | -| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | #### CustomResponseMatch @@ -897,7 +898,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `statusCode` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | #### CustomTag @@ -1026,6 +1027,7 @@ _Appears in:_ | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| | `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
| | `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
| +| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
| | `envoy.filters.http.router` | EnvoyFilterRouter defines the Envoy HTTP router filter.
| @@ -1479,7 +1481,7 @@ _Appears in:_ | `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | | `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | @@ -3573,6 +3575,10 @@ ResponseValueType defines the types of values for the response body supported by _Appears in:_ - [CustomResponseBody](#customresponsebody) +| Value | Description | +| ----- | ----------- | +| `Inline` | ResponseValueTypeInline defines the "Inline" response body type.
| +| `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| @@ -3821,16 +3827,16 @@ _Appears in:_ - +StatusCodeMatch defines the configuration for matching a status code. _Appears in:_ - [CustomResponseMatch](#customresponsematch) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value. | -| `value` | _string_ | false | Value contains the value of the status code. | -| `range` | _[StatusCodeRange](#statuscoderange)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported. | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | #### StatusCodeRange @@ -3857,6 +3863,10 @@ StatusCodeValueType defines the types of values for the status code match suppor _Appears in:_ - [StatusCodeMatch](#statuscodematch) +| Value | Description | +| ----- | ----------- | +| `Value` | StatusCodeValueTypeValue defines the "Value" status code match type.
| +| `Range` | StatusCodeValueTypeRange defines the "Range" status code match type.
| #### StringMatch diff --git a/test/cel-validation/backendtrafficpolicy_test.go b/test/cel-validation/backendtrafficpolicy_test.go index 49f033eb6ae..d5e6a1b2d1f 100644 --- a/test/cel-validation/backendtrafficpolicy_test.go +++ b/test/cel-validation/backendtrafficpolicy_test.go 
@@ -1257,6 +1257,251 @@ func TestBackendTrafficPolicyTarget(t *testing.T) { }, wantErrors: []string{}, }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Type: ptr.To(egv1a1.StatusCodeValueTypeValue), + Range: &egv1a1.StatusCodeRange{ + Start: 100, + End: 200, + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "value must be set for type Value", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Range: &egv1a1.StatusCodeRange{ + Start: 100, + End: 200, + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "value must be set for type Value", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: 
&gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Type: ptr.To(egv1a1.StatusCodeValueTypeRange), + Value: ptr.To(100), + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "range must be set for type Range", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Type: ptr.To(egv1a1.StatusCodeValueTypeRange), + Range: &egv1a1.StatusCodeRange{ + Start: 200, + End: 100, + }, + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "end must be greater than start", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: 
[]egv1a1.StatusCodeMatch{ + { + Value: ptr.To(100), + }, + }, + }, + Response: egv1a1.CustomResponse{ + Body: egv1a1.CustomResponseBody{ + ValueRef: &gwapiv1a2.LocalObjectReference{ + Kind: gwapiv1a2.Kind("ConfigMap"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "inline must be set for type Inline", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Value: ptr.To(100), + }, + }, + }, + Response: egv1a1.CustomResponse{ + Body: egv1a1.CustomResponseBody{ + Type: ptr.To(egv1a1.ResponseValueTypeValueRef), + Inline: ptr.To("foo"), + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "valueRef must be set for type ValueRef", + }, + }, + { + desc: "both targetref and targetrefs specified", + mutate: func(btp *egv1a1.BackendTrafficPolicy) { + btp.Spec = egv1a1.BackendTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ResponseOverride: []*egv1a1.ResponseOverride{ + { + Match: egv1a1.CustomResponseMatch{ + StatusCodes: []egv1a1.StatusCodeMatch{ + { + Value: ptr.To(100), + }, + }, + }, + Response: egv1a1.CustomResponse{ + Body: egv1a1.CustomResponseBody{ + 
Type: ptr.To(egv1a1.ResponseValueTypeValueRef), + ValueRef: &gwapiv1a2.LocalObjectReference{ + Kind: gwapiv1a2.Kind("Foo"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + }, + }, + } + }, + wantErrors: []string{ + "only ConfigMap is supported for ValueRe", + }, + }, } for _, tc := range cases { diff --git a/test/e2e/testdata/response-override.yaml b/test/e2e/testdata/response-override.yaml new file mode 100644 index 00000000000..084747aaa6c --- /dev/null +++ b/test/e2e/testdata/response-override.yaml @@ -0,0 +1,62 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: response-override + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: response-override-config + namespace: gateway-conformance-infra +data: + response.body: '{"error": "Internal Server Error"}' +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: response-override + namespace: gateway-conformance-infra +spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: response-override + responseOverride: + - match: + statusCodes: + - type: Value + value: 404 + response: + contentType: text/plain + body: + type: Inline + inline: "Oops! Your request is not found." + - match: + statusCodes: + - type: Value + value: 500 + - type: Range + range: + start: 501 + end: 511 + response: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: response-override-config diff --git a/test/e2e/tests/response-override.go b/test/e2e/tests/response-override.go new file mode 100644 index 00000000000..b21db88e242 --- /dev/null +++ b/test/e2e/tests/response-override.go 
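Review bot: All seven cases added to `test/cel-validation/backendtrafficpolicy_test.go` carry the same `desc: "both targetref and targetrefs specified"`, although none of them sets both fields, so a failing run cannot show which validation rule regressed. Give each case a description of the rule it exercises, for example `desc: "status code type Value with only range set"`, `desc: "status code range with end before start"` and `desc: "valueRef kind other than ConfigMap"`. The last expectation, `"only ConfigMap is supported for ValueRe"`, looks truncated. It presumably still passes if the comparison is a substring match, but spelling out `ValueRef` would keep the expectation tied to the real message. The enclosing `TestBackendTrafficPolicyTarget` starts and ends outside the hunk.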
@@ -0,0 +1,83 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "fmt" + "io" + "net/http" + "net/url" + "testing" + + "k8s.io/apimachinery/pkg/types" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + httputils "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" + + "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" +) + +func init() { + ConformanceTests = append(ConformanceTests, ResponseOverrideTest) +} + +var ResponseOverrideTest = suite.ConformanceTest{ + ShortName: "ResponseOverrideSpecificUser", + Description: "Response Override", + Manifests: []string{"testdata/response-override.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("response override", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "response-override", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "response-override", Namespace: ns}, suite.ControllerName, ancestorRef) + verifyResponseOverride(t, gwAddr, 404, "text/plain", "Oops! 
Your request is not found.") + verifyResponseOverride(t, gwAddr, 500, "application/json", `{"error": "Internal Server Error"}`) + }) + }, +} + +func verifyResponseOverride(t *testing.T, gwAddr string, statusCode int, expectedContentType string, expectedBody string) { + reqURL := url.URL{ + Scheme: "http", + Host: httputils.CalculateHost(t, gwAddr, "http"), + Path: fmt.Sprintf("/status/%d", statusCode), + } + + rsp, err := http.Get(reqURL.String()) + if err != nil { + t.Fatalf("failed to get response: %v", err) + } + + // Verify that the response body is overridden + defer rsp.Body.Close() + body, err := io.ReadAll(rsp.Body) + if err != nil { + t.Fatalf("failed to read response body: %v", err) + } + if string(body) != expectedBody { + t.Errorf("expected response body to be %s but got %s", expectedBody, string(body)) + } + + // Verify that the content type is overridden + contentType := rsp.Header.Get("Content-Type") + if contentType != expectedContentType { + t.Errorf("expected content type to be %s but got %s", expectedContentType, contentType) + } +} From 31ff8ffd1dfefa9c0acd7d67a6aee76e4d30abbf Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 22 Oct 2024 05:32:16 -0500 Subject: [PATCH 286/523] fix: enforce connection limit value (#4458) * fix: enforce connection limit value Signed-off-by: Guy Daich * rm omitempty Signed-off-by: Guy Daich * fix cel Signed-off-by: Guy Daich * remove validation Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich Co-authored-by: zirain --- api/v1alpha1/connection_types.go | 5 +- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 5 +- site/content/en/latest/api/extension_types.md | 2 +- site/content/zh/latest/api/extension_types.md | 2 +- .../clienttrafficpolicy_test.go | 46 +++++++++++++++++++ 5 files changed, 53 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/connection_types.go b/api/v1alpha1/connection_types.go index 6f27794748b..efb24dc3bb1 100644 --- a/api/v1alpha1/connection_types.go 
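Review bot: `verifyResponseOverride` in `test/e2e/tests/response-override.go` compares the body and `Content-Type` but never looks at `rsp.StatusCode`, so the test would still pass if the override changed or dropped the upstream status. Assuming the override is meant to keep the status, add `if rsp.StatusCode != statusCode { t.Errorf("expected status code %d but got %d", statusCode, rsp.StatusCode) }` after the error check. The request also goes through `http.Get`, which uses the default client with no timeout, so a gateway that never answers would hang the suite. A client built as `&http.Client{Timeout: 10 * time.Second}` (with `time` imported) bounds it. `ShortName: "ResponseOverrideSpecificUser"` looks carried over from another test and could simply be `"ResponseOverride"`.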
+++ b/api/v1alpha1/connection_types.go @@ -66,10 +66,9 @@ type BackendConnection struct { type ConnectionLimit struct { // Value of the maximum concurrent connections limit. // When the limit is reached, incoming connections will be closed after the CloseDelay duration. - // Default: unlimited. // - // +kubebuilder:validation:Minimum=0 - Value int64 `json:"value,omitempty"` + // +kubebuilder:validation:Minimum=1 + Value int64 `json:"value"` // CloseDelay defines the delay to use before closing connections that are rejected // once the limit value is reached. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 582486e706f..3e626f3f88a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -125,10 +125,11 @@ spec: description: |- Value of the maximum concurrent connections limit. When the limit is reached, incoming connections will be closed after the CloseDelay duration. - Default: unlimited. format: int64 - minimum: 0 + minimum: 1 type: integer + required: + - value type: object socketBufferLimit: allOf: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 4f562fce611..c183a4f0b8f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -782,7 +782,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
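Review bot: With `Minimum=1` and `omitempty` removed on `ConnectionLimit.Value`, a spec containing `connectionLimit: {}` or `value: 0` is now rejected. The comment that was removed documented that form as unlimited, and the new comment does not state the valid range or how to ask for no limit. Policies written against the old schema will presumably fail validation the next time they are updated, so the change deserves an upgrade note as an incompatible API change. I would document the contract on the field, e.g. `// Value must be at least 1. To leave connections unlimited, omit connectionLimit.` (confirm that omitting the block is the intended way to express no limit). The `ConnectionLimit` struct continues past the end of the hunk.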
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
Default: unlimited. | +| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | | `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 4f562fce611..c183a4f0b8f 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -782,7 +782,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
Default: unlimited. | +| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | | `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index 14dd915d78a..3558d1848f9 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go 
@@ -314,6 +314,52 @@ func TestClientTrafficPolicyTarget(t *testing.T) { "spec.connection.bufferLimit: Invalid value: \"15m\": spec.connection.bufferLimit in body should match '^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$', : Invalid value: \"\"", }, }, + { + desc: "invalid Connection Limit Empty", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + Connection: &egv1a1.ClientConnection{ + ConnectionLimit: &egv1a1.ConnectionLimit{}, + }, + } + }, + wantErrors: []string{ + "spec.connection.connectionLimit.value: Invalid value: 0: spec.connection.connectionLimit.value in body should be greater than or equal to 1", + }, + }, + { + desc: "invalid Connection Limit < 1", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + Connection: &egv1a1.ClientConnection{ + ConnectionLimit: &egv1a1.ConnectionLimit{ + Value: -1, // Value: 0 is covered by existence test, as 0 is the nil value. + }, + }, + } + }, + wantErrors: []string{ + "spec.connection.connectionLimit.value: Invalid value: -1: spec.connection.connectionLimit.value in body should be greater than or equal to 1", + }, + }, { desc: "invalid InitialStreamWindowSize format", mutate: func(ctp *egv1a1.ClientTrafficPolicy) { From a5c3cd21fe39308778e028b79079596ce34c6c04 Mon Sep 17 00:00:00 2001 
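Review bot: Both cases added to `test/cel-validation/clienttrafficpolicy_test.go` assert rejection only; nothing visible in the hunk checks that the smallest allowed value is accepted. A case with `ConnectionLimit: &egv1a1.ConnectionLimit{Value: 1}` and `wantErrors: []string{}` would pin the boundary in both directions. The "Empty" case also depends on the zero value being serialized now that `omitempty` is gone from the field, which a comment would make clear: `// Value left at its zero value; it is sent as 0 and must fail the minimum.` `TestClientTrafficPolicyTarget` begins and ends outside the hunk, so an accepting case may already exist elsewhere in the table.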
From: Huabing Zhao Date: Tue, 22 Oct 2024 19:36:42 +0800 Subject: [PATCH 287/523] Collect release note in each PR (#4473) * release note for v1.2 Signed-off-by: Huabing Zhao * collecting release note in each PR Signed-off-by: Huabing Zhao * collecting release note in each PR Signed-off-by: Huabing Zhao * collecting release note in each PR Signed-off-by: Huabing Zhao * collecting release note in each PR Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * reorganize sections Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- .github/PULL_REQUEST_TEMPLATE.md | 8 +++++- release-notes/current.yaml | 29 ++++++++++++++++++++++ site/content/en/contributions/RELEASING.md | 14 ++++++++--- 3 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 release-notes/current.yaml diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 8dc586ce114..c50e9d08e25 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,6 +1,6 @@ **What type of PR is this?** Fixes # + + +Release Notes: Yes/No diff --git a/release-notes/current.yaml b/release-notes/current.yaml new file mode 100644 index 00000000000..524802636e6 --- /dev/null +++ b/release-notes/current.yaml 
@@ -0,0 +1,29 @@ +date: Pending + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + - Add a breaking change here + +# Updates addressing vulnerabilities, security flaws, or compliance requirements. +security updates: | + - Add a security update here + +# New features or capabilities added in this release. +new features: | + - Add a new feature here + +# Fixes for bugs identified in previous versions. +bug fixes: | + - Add a bug fix here + +# Enhancements that improve performance. +performance improvements: | + - Add a performance improvement here + +# Deprecated features or APIs. +deprecations: | + - Add a deprecation here + +# Other notable changes not covered by the above sections. +Other changes: | + - Add other changes here diff --git a/site/content/en/contributions/RELEASING.md b/site/content/en/contributions/RELEASING.md index 319bb73d057..70fff1c083b 100644 --- a/site/content/en/contributions/RELEASING.md +++ b/site/content/en/contributions/RELEASING.md 
@@ -29,7 +29,13 @@ export GITHUB_REMOTE=origin ``` 1. Clone the repo, checkout the `main` branch, ensure it’s up-to-date, and your local branch is clean. -2. Create a topic branch for adding the release notes and updating the [VERSION][] file with the release version. Refer to previous [release notes][] and [VERSION][] for additional details. +2. Create a topic branch for adding the release notes and updating the [VERSION][] file with the release version. Refer to previous [release notes][] and [VERSION][] for additional details. The latest changes are already accumulated in the current.yaml file. Copy the content of the current.yaml file to the release notes file and clear the current.yaml file. + + ```shell + echo "${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}" > VERSION + ``` + + __Note:__ The release candidate version should be in the format `${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}`. 3. Sign, commit, and push your changes to your fork. 4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until your PR has merged and the [Build and Test][] has successfully completed. @@ -106,7 +112,7 @@ export GITHUB_REMOTE=origin ``` 1. Update the `Documentation` referred link on the menu in `site/hugo.toml`: - + **DON'T FORGOT TO MOVE IT UNDER `LATEST`** ```shell @@ -118,7 +124,7 @@ export GITHUB_REMOTE=origin ``` 1. Update `site/layouts/shortcodes/helm-version.html` base on latest minor version. - + ```console {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} {{- with (eq $pagePrefix "latest") -}} @@ -133,7 +139,7 @@ export GITHUB_REMOTE=origin ``` 1. Update `site/layouts/shortcodes/yaml-version.html` base on latest minor version. - + ```console {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} {{- with (eq $pagePrefix "latest") -}} From 291c0830bf9334febbbd162665e69dbb6fd57f51 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Oct 2024 19:49:36 +0800 Subject: [PATCH 288/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.0 to 0.107.1 (#4487) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.107.0 to 0.107.1. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.107.0...v0.107.1) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a10aa68bbac..4d03c682219 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.0 + github.com/replicatedhq/troubleshoot v0.107.1 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) diff --git a/go.sum b/go.sum index dcf087e087a..d11cb03bbf0 100644 --- a/go.sum +++ b/go.sum 
@@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.107.0 h1:AzaKBxNKuIQpERyitjJ4EINZTz4vlUacW5QguZZkTww= -github.com/replicatedhq/troubleshoot v0.107.0/go.mod h1:AjaLpi9kidsFAuyAvBrvcG04w49WIDm7Iy6XyMVMv6U= +github.com/replicatedhq/troubleshoot v0.107.1 h1:Hx9VbVv1r3M5fiH2fPTeoZ8LNIxh5R/e6vpe2jBgPfc= +github.com/replicatedhq/troubleshoot v0.107.1/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From 1e6899d4445287e1df027024e8f3f1c3408c7add Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Tue, 22 Oct 2024 17:22:49 +0530 Subject: [PATCH 289/523] docs: add docs for ratelimit invert match headers (#4483) * add docs for ratelimit invert match headers Signed-off-by: Rudrakh Panigrahi * add e2e test for local ratelimit header match with invert Signed-off-by: Rudrakh Panigrahi --------- 
Signed-off-by: Rudrakh Panigrahi --- api/v1alpha1/ratelimit_types.go | 1 - .../latest/tasks/traffic/global-rate-limit.md | 52 ++++- .../latest/tasks/traffic/local-rate-limit.md | 221 ++++++++++++++++++ ...ratelimit-header-invert-match-global.yaml} | 0 .../ratelimit-header-invert-match-local.yaml | 41 ++++ test/e2e/tests/local_ratelimit.go | 89 +++++++ test/e2e/tests/ratelimit.go | 8 +- 7 files changed, 403 insertions(+), 9 deletions(-) rename test/e2e/testdata/{ratelimit-header-invert-match.yaml => ratelimit-header-invert-match-global.yaml} (100%) create mode 100644 test/e2e/testdata/ratelimit-header-invert-match-local.yaml diff --git a/api/v1alpha1/ratelimit_types.go b/api/v1alpha1/ratelimit_types.go index d7a43751077..72382d699f1 100644 --- a/api/v1alpha1/ratelimit_types.go +++ b/api/v1alpha1/ratelimit_types.go @@ -166,7 +166,6 @@ type HeaderMatch struct { // TODO: zhaohuabing this type could be replaced with // // +optional // +kubebuilder:default=false - // +notImplementedHide Invert *bool `json:"invert,omitempty"` } diff --git a/site/content/en/latest/tasks/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md index 15cc462dbf4..47eac33bc3e 100644 --- a/site/content/en/latest/tasks/traffic/global-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md 
@@ -433,11 +433,11 @@ server: envoy ``` -## Rate Limit Distinct Users +## Rate Limit Distinct Users Except Admin Here is an example of a rate limit implemented by the application developer to limit distinct users who can be differentiated based on the value in the `x-user-id` header. Here, user `one` (recognised from the traffic flow using the header `x-user-id` and value `one`) will be rate limited at 3 requests/hour -and so will user `two` (recognised from the traffic flow using the header `x-user-id` and value `two`). +and so will user `two` (recognised from the traffic flow using the header `x-user-id` and value `two`). But if `x-user-id` is `admin`, it will not be rate limited even beyond 3 requests/hour. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -461,6 +461,9 @@ spec: - headers: - type: Distinct name: x-user-id + - name: x-user-id + value: admin + invert: true limit: requests: 3 unit: Hour 
@@ -636,6 +639,47 @@ transfer-encoding: chunked ``` +But when the value for header `x-user-id` is set to `admin` and 4 requests are sent, all 4 of them should respond with 200 OK. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: admin" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + ## Rate Limit All Requests This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. @@ -809,7 +853,7 @@ spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute - name: http-ratelimit + name: http-ratelimit rateLimit: type: Global global: @@ -858,7 +902,7 @@ spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute - name: http-ratelimit + name: http-ratelimit rateLimit: type: Global global: diff --git a/site/content/en/latest/tasks/traffic/local-rate-limit.md b/site/content/en/latest/tasks/traffic/local-rate-limit.md index 62e369044a5..05caf07258c 100644 --- a/site/content/en/latest/tasks/traffic/local-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/local-rate-limit.md 
@@ -245,6 +245,227 @@ server: envoy ``` +## Rate Limit Specific User Unless within Test Org + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. But the user must not be limited if logging in within Test org, determined by custom header `x-org-id` set to `test`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-ratelimit -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `org1`. We should receive a `200` response from the example Gateway for the first 3 requests and the last request should be rate limited. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: org1" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `test`. We should receive a `200` response from the example Gateway for all the 4 requests, unlike previous example where the last request was rate limited. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: test" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + ## Rate Limit All Requests This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. diff --git a/test/e2e/testdata/ratelimit-header-invert-match.yaml b/test/e2e/testdata/ratelimit-header-invert-match-global.yaml similarity index 100% rename from test/e2e/testdata/ratelimit-header-invert-match.yaml rename to test/e2e/testdata/ratelimit-header-invert-match-global.yaml diff --git a/test/e2e/testdata/ratelimit-header-invert-match-local.yaml b/test/e2e/testdata/ratelimit-header-invert-match-local.yaml new file mode 100644 index 00000000000..0b390af221f --- /dev/null +++ b/test/e2e/testdata/ratelimit-header-invert-match-local.yaml 
@@ -0,0 +1,41 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: ratelimit-specific-user + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-ratelimit-specific-user + rateLimit: + type: Local + local: + rules: + - clientSelectors: + - headers: + - name: x-user-id + value: one + - name: x-org-id + value: test + invert: true + limit: + requests: 3 + unit: Hour +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-ratelimit-specific-user + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - backendRefs: + - name: infra-backend-v1 + port: 8080 + matches: + - path: + type: Exact + value: /ratelimit-specific-user diff --git a/test/e2e/tests/local_ratelimit.go b/test/e2e/tests/local_ratelimit.go index 4a630d1ed67..f35782de8c0 100644 --- a/test/e2e/tests/local_ratelimit.go +++ b/test/e2e/tests/local_ratelimit.go @@ -25,6 +25,7 @@ func init() { ConformanceTests = append(ConformanceTests, LocalRateLimitSpecificUserTest) ConformanceTests = append(ConformanceTests, LocalRateLimitAllTrafficTest) ConformanceTests = append(ConformanceTests, LocalRateLimitNoLimitRouteTest) + ConformanceTests = append(ConformanceTests, LocalRateLimitHeaderInvertMatchTest) } var LocalRateLimitSpecificUserTest = suite.ConformanceTest{ 
@@ -207,3 +208,91 @@ var LocalRateLimitNoLimitRouteTest = suite.ConformanceTest{ }) }, } + +var LocalRateLimitHeaderInvertMatchTest = suite.ConformanceTest{ + ShortName: "LocalRateLimitHeaderInvertMatch", + Description: "Limit a specific user unless in a specific org", + Manifests: []string{"testdata/ratelimit-header-invert-match-local.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("limit a specific user", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-ratelimit-specific-user", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "ratelimit-specific-user", Namespace: ns}, suite.ControllerName, ancestorRef) + + expectOkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/ratelimit-specific-user", + Headers: map[string]string{ + "x-user-id": "one", + "x-org-id": "org1", + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + expectOkReq := http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + + expectLimitResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/ratelimit-specific-user", + Headers: map[string]string{ + "x-user-id": "one", + "x-org-id": "org1", + }, + }, + Response: http.Response{ + StatusCode: 429, + }, + Namespace: ns, + } + expectLimitReq := http.MakeRequest(t, &expectLimitResp, gwAddr, "HTTP", "http") + + // should just send exactly 4 requests, and expect 429 + + // keep sending requests till get 
200 first, that will cost one 200 + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectOkResp) + + // fire the rest request + if err := GotExactExpectedResponse(t, 2, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("fail to get expected response at first three request: %v", err) + } + + // this request should be limited because the user is one and org is not test and the limit is 3 + if err := GotExactExpectedResponse(t, 1, suite.RoundTripper, expectLimitReq, expectLimitResp); err != nil { + t.Errorf("fail to get expected response at last fourth request: %v", err) + } + + // with test org + expectOkResp = http.ExpectedResponse{ + Request: http.Request{ + Path: "/ratelimit-specific-user", + Headers: map[string]string{ + "x-user-id": "one", + "x-org-id": "test", + }, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + expectOkReq = http.MakeRequest(t, &expectOkResp, gwAddr, "HTTP", "http") + // the requests should not be limited because the user is one but org is test + if err := GotExactExpectedResponse(t, 4, suite.RoundTripper, expectOkReq, expectOkResp); err != nil { + t.Errorf("fail to get expected response at first three request: %v", err) + } + }) + }, +} diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index f0082d77e85..d1e18f74b92 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go 
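Review bot: The last check in `LocalRateLimitHeaderInvertMatchTest` (the `x-org-id: test` block that sends 4 requests) reuses the message `"fail to get expected response at first three request: %v"`, so a failure there points at the wrong step. Something like `t.Errorf("requests with x-org-id=test should not be rate limited: %v", err)` would identify the exempt-org case directly. The exemption also keys on `x-org-id`, a header the test sets from the client side. A short comment such as `// x-org-id is assumed to be set or stripped by a trusted hop; a client-chosen value would bypass the limit` would keep readers from copying the selector as-is.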
@@ -26,7 +26,7 @@ import ( func init() { ConformanceTests = append(ConformanceTests, RateLimitCIDRMatchTest) ConformanceTests = append(ConformanceTests, RateLimitHeaderMatchTest) - ConformanceTests = append(ConformanceTests, RateLimitHeaderInvertMatchTest) + ConformanceTests = append(ConformanceTests, GlobalRateLimitHeaderInvertMatchTest) ConformanceTests = append(ConformanceTests, RateLimitHeadersDisabled) ConformanceTests = append(ConformanceTests, RateLimitBasedJwtClaimsTest) ConformanceTests = append(ConformanceTests, RateLimitMultipleListenersTest) @@ -172,10 +172,10 @@ var RateLimitHeaderMatchTest = suite.ConformanceTest{ }, } -var RateLimitHeaderInvertMatchTest = suite.ConformanceTest{ - ShortName: "RateLimitHeaderInvertMatch", +var GlobalRateLimitHeaderInvertMatchTest = suite.ConformanceTest{ + ShortName: "GlobalRateLimitHeaderInvertMatch", Description: "Limit all requests that match distinct headers except for which invert is set to true", - Manifests: []string{"testdata/ratelimit-header-invert-match.yaml"}, + Manifests: []string{"testdata/ratelimit-header-invert-match-global.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "header-ratelimit", Namespace: ns} From 544bd9c8b9b1628bd640f3e47f091ee4d62baaf8 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 22 Oct 2024 20:01:27 +0800 Subject: [PATCH 290/523] feat: implement Backend API for TLSRoute (#4493) add tests for tlsroute with Backend 
Signed-off-by: Huabing Zhao --- .../testdata/tlsroute-with-backend.out.yaml | 13 +-- internal/gatewayapi/validate.go | 2 +- internal/provider/kubernetes/predicates.go | 20 ++--- test/e2e/base/manifests.yaml | 8 ++ .../testdata/tlsroute-to-backend-fqdn.yaml | 27 ++++++ test/e2e/testdata/tlsroute-to-backend-ip.yaml | 41 +++++++++ ...h_backend.go => httproute_with_backend.go} | 0 test/e2e/tests/tlsroute_with_backend.go | 89 +++++++++++++++++++ 8 files changed, 184 insertions(+), 16 deletions(-) create mode 100644 test/e2e/testdata/tlsroute-to-backend-fqdn.yaml create mode 100644 test/e2e/testdata/tlsroute-to-backend-ip.yaml rename test/e2e/tests/{route_with_backend.go => httproute_with_backend.go} (100%) create mode 100644 test/e2e/tests/tlsroute_with_backend.go diff --git a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml index 13c3ef41cae..97bce6d0acf 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml @@ -100,10 +100,9 @@ tlsRoutes: status: "True" type: Accepted - lastTransitionTime: null - message: Resource default/backend-ip of type Backend is not supported for - TLSRoute routes - reason: UnsupportedValue - status: "False" + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" type: ResolvedRefs controllerName: gateway.envoyproxy.io/gatewayclass-controller parentRef: @@ -122,7 +121,11 @@ xdsIR: - destination: name: tlsroute/default/tlsroute-1/rule/-1 settings: - - weight: 1 + - addressType: IP + endpoints: + - host: 1.1.1.1 + port: 3001 + weight: 1 name: tlsroute/default/tlsroute-1 tls: inspector: diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index 6b9a488b86b..fb5d4995700 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go 
@@ -288,7 +288,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, return false } - if kind != resource.KindHTTPRoute { + if kind != resource.KindHTTPRoute && kind != resource.KindTLSRoute { status.SetRouteStatusCondition(routeStatus, parentRef.routeParentStatusIdx, route.GetGeneration(), diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index a885d58ca62..bfdecbd6e24 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
@@ -353,40 +353,40 @@ func (r *gatewayAPIReconciler) isRouteReferencingBackend(nsName *types.Namespace httpRouteList := &gwapiv1.HTTPRouteList{} if err := r.client.List(ctx, httpRouteList, &client.ListOptions{ FieldSelector: fields.OneTermEqualSelector(backendHTTPRouteIndex, nsName.String()), - }); err != nil { - r.log.Error(err, "unable to find associated HTTPRoutes") + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated HTTPRoutes") return false } grpcRouteList := &gwapiv1.GRPCRouteList{} if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), - }); err != nil { - r.log.Error(err, "unable to find associated GRPCRoutes") + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated GRPCRoutes") return false } tlsRouteList := &gwapiv1a2.TLSRouteList{} if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), - }); err != nil { - r.log.Error(err, "unable to find associated TLSRoutes") + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TLSRoutes") return false } tcpRouteList := &gwapiv1a2.TCPRouteList{} if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), - }); err != nil { - r.log.Error(err, "unable to find associated TCPRoutes") + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TCPRoutes") return false } udpRouteList := &gwapiv1a2.UDPRouteList{} if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), - }); err != nil { - r.log.Error(err, "unable to find associated UDPRoutes") + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to 
find associated UDPRoutes") return false } diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index db9a265cba0..714dd296067 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -27,6 +27,14 @@ spec: allowedRoutes: namespaces: from: Same + - name: tls + protocol: TLS + port: 443 + tls: + mode: Passthrough + allowedRoutes: + namespaces: + from: Same --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/test/e2e/testdata/tlsroute-to-backend-fqdn.yaml b/test/e2e/testdata/tlsroute-to-backend-fqdn.yaml new file mode 100644 index 00000000000..cf02dc10eae --- /dev/null +++ b/test/e2e/testdata/tlsroute-to-backend-fqdn.yaml @@ -0,0 +1,27 @@ +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tlsroute-to-backend-fqdn + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + sectionName: tls + hostnames: + - "example.com" + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-fqdn + namespace: gateway-conformance-infra +spec: + endpoints: + - fqdn: + hostname: tls-backend-2.gateway-conformance-infra.svc.cluster.local + port: 443 diff --git a/test/e2e/testdata/tlsroute-to-backend-ip.yaml b/test/e2e/testdata/tlsroute-to-backend-ip.yaml new file mode 100644 index 00000000000..7206078e2b5 --- /dev/null +++ b/test/e2e/testdata/tlsroute-to-backend-ip.yaml 
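Review bot: The added `&& !kerrors.IsNotFound(err)` guard on the five `r.client.List` calls has no comment saying which situation it tolerates, and when it fires the code carries on with an empty list and logs nothing. If the intent is to survive a route CRD that is not installed, say so above the first call, e.g. `// NotFound is tolerated so that a missing route kind does not drop the Backend event`. It is also worth confirming that the client reports that case as NotFound rather than a no-match error, which cannot be told from this hunk. The same check is repeated for HTTPRoute, GRPCRoute, TLSRoute, TCPRoute and UDPRoute, so a small helper taking the list object and index name would keep the five copies from drifting. `isRouteReferencingBackend` starts and ends outside the hunk.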
@@ -0,0 +1,41 @@ +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: tlsroute-to-backend-ip + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + sectionName: tls + hostnames: + - "example.com" + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-ip +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend-ip + namespace: gateway-conformance-infra +spec: + endpoints: + - ip: + address: 10.96.96.96 + port: 443 +--- +apiVersion: v1 +kind: Service +metadata: + name: tls-backend-2-clusterip + namespace: gateway-conformance-infra +spec: + selector: + app: tls-backend-2 + clusterIP: 10.96.96.96 + ports: + - protocol: TCP + port: 443 + targetPort: 8443 diff --git a/test/e2e/tests/route_with_backend.go b/test/e2e/tests/httproute_with_backend.go similarity index 100% rename from test/e2e/tests/route_with_backend.go rename to test/e2e/tests/httproute_with_backend.go diff --git a/test/e2e/tests/tlsroute_with_backend.go b/test/e2e/tests/tlsroute_with_backend.go new file mode 100644 index 00000000000..c43162ee94f --- /dev/null +++ b/test/e2e/tests/tlsroute_with_backend.go 
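Review bot: The `tls-backend-2-clusterip` Service pins `clusterIP: 10.96.96.96` so that the `backend-ip` Backend can name the same address. Nothing in the file says that the two values must stay in sync, or that the address has to be inside the cluster's service CIDR and unallocated. On a cluster with a different service range the Service would presumably be rejected and the test would fail for a reason unrelated to TLSRoute. A comment above the field would make the coupling explicit, for example `# must match Backend backend-ip's address; assumes the e2e cluster's service CIDR contains 10.96.96.96`.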
@@ -0,0 +1,89 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+
+package tests
+
+import (
+ "testing"
+
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/conformance/utils/http"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, TLSRouteBackendFQDNTest)
+ ConformanceTests = append(ConformanceTests, TLSRouteBackendIPTest)
+}
+
+var TLSRouteBackendFQDNTest = suite.ConformanceTest{
+ ShortName: "TLSRouteBackendFQDNTest",
+ Description: "TLSRoutes with a backend ref to a Backend",
+ Manifests: []string{
+ "testdata/tlsroute-to-backend-fqdn.yaml",
+ },
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("TLSRoute with a FQDN type Backend", func(t *testing.T) {
+ testTLSRouteWithBackend(t, suite, "tlsroute-to-backend-fqdn", "backend-fqdn")
+ })
+ },
+}
+
+var TLSRouteBackendIPTest = suite.ConformanceTest{
+ ShortName: "TLSRouteBackendIPTest",
+ Description: "TLSRoutes with a backend ref to a Backend",
+ Manifests: []string{
+ "testdata/tlsroute-to-backend-ip.yaml",
+ },
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("TLSRoute with a IP type Backend", func(t *testing.T) {
+ testTLSRouteWithBackend(t, suite, "tlsroute-to-backend-ip", "backend-ip")
+ })
+ },
+}
+
+func testTLSRouteWithBackend(t *testing.T, suite *suite.ConformanceTestSuite, route, backend string) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: route, Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr, _ := kubernetes.GatewayAndTLSRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "tls"), routeNN)
+ certNN := types.NamespacedName{Name:
"backend-tls-certificate", Namespace: ns} + + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: backend, Namespace: ns}) + + expected := http.ExpectedResponse{ + Request: http.Request{ + Host: "example.com", + Path: "/", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expected, gwAddr, "HTTPS", "https") + + // This test uses the same key/cert pair as both a client cert and server cert + // Both backend and client treat the self-signed cert as a trusted CA + cPem, keyPem, err := GetTLSSecret(suite.Client, certNN) + if err != nil { + t.Fatalf("unexpected error finding TLS secret: %v", err) + } + + WaitForConsistentMTLSResponse( + t, + suite.RoundTripper, + req, + expected, + suite.TimeoutConfig.RequiredConsecutiveSuccesses, + suite.TimeoutConfig.MaxTimeToConsistency, + cPem, + keyPem, + "example.com") +} From e24ada61e3f5c294f7c94f707890627b0fc76b1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20B=C3=A9lorgey?= <628135+RomainBelorgey@users.noreply.github.com> Date: Wed, 23 Oct 2024 01:33:33 +0200 Subject: [PATCH 291/523] helm: Remove default cpu limit inside chart (#4290) Remove default cpu limit Signed-off-by: Romain BELORGEY --- charts/gateway-helm/README.md | 1 - charts/gateway-helm/values.tmpl.yaml | 1 - site/content/en/latest/install/gateway-helm-api.md | 1 - site/content/zh/latest/install/gateway-helm-api.md | 1 - test/helm/gateway-helm/certjen-custom-scheduling.out.yaml | 1 - test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 1 - test/helm/gateway-helm/default-config.out.yaml | 1 - test/helm/gateway-helm/deployment-custom-topology.out.yaml | 1 - test/helm/gateway-helm/deployment-images-config.out.yaml | 1 - test/helm/gateway-helm/deployment-priorityclass.out.yaml | 1 - test/helm/gateway-helm/envoy-gateway-config.out.yaml | 1 - test/helm/gateway-helm/global-images-config.out.yaml | 1 - test/helm/gateway-helm/service-annotations.out.yaml | 1 - 13 files changed, 13 deletions(-) 
diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index a352ad78899..61942016a29 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -68,7 +68,6 @@ To uninstall the chart: | deployment.envoyGateway.image.tag | string | `""` | | | deployment.envoyGateway.imagePullPolicy | string | `""` | | | deployment.envoyGateway.imagePullSecrets | list | `[]` | | -| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | | | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index a06f9f232ba..90e72f09956 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -31,7 +31,6 @@ deployment: imagePullSecrets: [] resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index 937a74452ab..99023e65c6c 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -32,7 +32,6 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.image.tag | string | `""` | | | deployment.envoyGateway.imagePullPolicy | string | `""` | | | deployment.envoyGateway.imagePullSecrets | list | `[]` | | -| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | | | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md index 937a74452ab..99023e65c6c 100644 
--- a/site/content/zh/latest/install/gateway-helm-api.md +++ b/site/content/zh/latest/install/gateway-helm-api.md @@ -32,7 +32,6 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.image.tag | string | `""` | | | deployment.envoyGateway.imagePullPolicy | string | `""` | | | deployment.envoyGateway.imagePullSecrets | list | `[]` | | -| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | | | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 3746f12a18d..f0c1e0d1309 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -422,7 +422,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 582fab0e8b9..ab0c09e3ed3 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -437,7 +437,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index b4aac21b12c..655c1b7fbeb 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -422,7 +422,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 37f58022beb..879ca6a2351 100644 
--- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -450,7 +450,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 8506b87b0ee..28eba2f209e 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -422,7 +422,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 3f82746416b..28375ac5bf0 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -422,7 +422,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 9a3f5b4846b..e401a1062ee 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -424,7 +424,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 38be258c7a3..14129b666b6 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -426,7 +426,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 532988e919e..64676e18497 100644 
--- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -424,7 +424,6 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m memory: 1024Mi requests: cpu: 100m From 337142150fe3aeb0511226c016754e52a58e6f83 Mon Sep 17 00:00:00 2001 From: sh2 Date: Wed, 23 Oct 2024 07:34:55 +0800 Subject: [PATCH 292/523] feat: add host-infra provider support (#4481) * add host-infra provider support Signed-off-by: shawnh2 * add more tests and polish code for each runner Signed-off-by: shawnh2 * fix lint Signed-off-by: shawnh2 --------- 
Signed-off-by: shawnh2 --- api/v1alpha1/envoygateway_helpers.go | 10 ++ go.mod | 8 +- go.sum | 16 +- internal/cmd/certgen.go | 81 +++++++-- internal/cmd/certgen_test.go | 27 +++ .../translate/out/default-resources.all.yaml | 8 +- internal/crypto/cert_load.go | 57 ++++++ internal/gatewayapi/runner/runner.go | 102 ++++++----- internal/globalratelimit/runner/runner.go | 78 ++++---- internal/infrastructure/common/proxy_args.go | 69 +++++++ internal/infrastructure/common/proxy_sds.go | 27 +++ internal/infrastructure/host/infra.go | 112 ++++++++++++ internal/infrastructure/host/proxy_infra.go | 89 ++++++++++ .../infrastructure/host/proxy_infra_test.go | 89 ++++++++++ .../infrastructure/host/ratelimit_infra.go | 23 +++ .../kubernetes/infra_resource.go | 4 +- .../kubernetes/proxy/resource.go | 85 ++------- .../kubernetes/proxy/resource_provider.go | 17 +- .../proxy/testdata/daemonsets/custom.yaml | 8 +- .../testdata/daemonsets/default-env.yaml | 8 +- .../proxy/testdata/daemonsets/default.yaml | 8 +- .../daemonsets/disable-prometheus.yaml | 8 +- .../testdata/daemonsets/extension-env.yaml | 8 +- .../override-labels-and-annotations.yaml | 8 +- .../testdata/daemonsets/patch-daemonset.yaml | 8 +- .../testdata/daemonsets/shutdown-manager.yaml | 8 +- .../proxy/testdata/daemonsets/volumes.yaml | 8 +- .../testdata/daemonsets/with-annotations.yaml | 8 +- .../testdata/daemonsets/with-extra-args.yaml | 8 +- .../daemonsets/with-image-pull-secrets.yaml | 8 +- .../proxy/testdata/daemonsets/with-name.yaml | 8 +- .../daemonsets/with-node-selector.yaml | 8 +- .../with-topology-spread-constraints.yaml | 8 +- .../proxy/testdata/deployments/custom.yaml | 8 +- .../custom_with_initcontainers.yaml | 8 +- .../testdata/deployments/default-env.yaml | 8 +- .../proxy/testdata/deployments/default.yaml | 8 +- .../deployments/disable-prometheus.yaml | 8 +- .../testdata/deployments/extension-env.yaml | 8 +- .../override-labels-and-annotations.yaml | 8 +- .../deployments/patch-deployment.yaml | 8 +- 
.../deployments/shutdown-manager.yaml | 8 +- .../proxy/testdata/deployments/volumes.yaml | 8 +- .../deployments/with-annotations.yaml | 8 +- .../deployments/with-empty-memory-limits.yaml | 8 +- .../testdata/deployments/with-extra-args.yaml | 8 +- .../deployments/with-image-pull-secrets.yaml | 8 +- .../proxy/testdata/deployments/with-name.yaml | 8 +- .../deployments/with-node-selector.yaml | 8 +- .../with-topology-spread-constraints.yaml | 8 +- .../kubernetes/proxy_configmap_test.go | 9 +- internal/infrastructure/manager.go | 47 +++-- internal/infrastructure/runner/runner.go | 4 +- internal/utils/file/file.go | 12 ++ internal/utils/file/file_test.go | 28 +++ internal/xds/bootstrap/bootstrap.go | 56 +++++- internal/xds/bootstrap/bootstrap.yaml.tpl | 8 +- internal/xds/bootstrap/bootstrap_test.go | 23 +++ .../testdata/render/custom-server-port.yaml | 168 ++++++++++++++++++ .../testdata/render/custom-stats-matcher.yaml | 8 +- .../testdata/render/disable-prometheus.yaml | 8 +- .../enable-prometheus-gzip-compression.yaml | 8 +- .../testdata/render/enable-prometheus.yaml | 8 +- .../render/otel-metrics-backendref.yaml | 8 +- .../testdata/render/otel-metrics.yaml | 8 +- .../render/with-max-heap-size-bytes.yaml | 8 +- internal/xds/server/runner/runner.go | 78 ++++---- internal/xds/server/runner/runner_test.go | 14 +- 68 files changed, 1227 insertions(+), 434 deletions(-) create mode 100644 internal/crypto/cert_load.go create mode 100644 internal/infrastructure/common/proxy_args.go create mode 100644 internal/infrastructure/common/proxy_sds.go create mode 100644 internal/infrastructure/host/infra.go create mode 100644 internal/infrastructure/host/proxy_infra.go create mode 100644 internal/infrastructure/host/proxy_infra_test.go create mode 100644 internal/infrastructure/host/ratelimit_infra.go create mode 100644 internal/utils/file/file_test.go create mode 100644 internal/xds/bootstrap/testdata/render/custom-server-port.yaml 
diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index fed2f6fa075..c61b43c82e1 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -241,6 +241,16 @@ func (r *EnvoyGatewayProvider) GetEnvoyGatewayKubeProvider() *EnvoyGatewayKubern return r.Kubernetes } +func (r *EnvoyGatewayProvider) IsRunningOnKubernetes() bool { + return r.Type == ProviderTypeKubernetes +} + +func (r *EnvoyGatewayProvider) IsRunningOnHost() bool { + return r.Type == ProviderTypeCustom && + r.Custom.Infrastructure != nil && + r.Custom.Infrastructure.Type == InfrastructureProviderTypeHost +} + // DefaultEnvoyGatewayLoggingLevel returns a new EnvoyGatewayLogging with default configuration parameters. // When v1alpha1.LogComponentGatewayDefault specified, all other logging components are ignored. func (logging *EnvoyGatewayLogging) DefaultEnvoyGatewayLoggingLevel(level LogLevel) LogLevel { diff --git a/go.mod b/go.mod index 4d03c682219..1ec72d0a6bd 100644 --- a/go.mod +++ b/go.mod @@ -64,6 +64,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.107.1 + github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) @@ -105,6 +106,7 @@ require ( github.com/containers/storage v1.55.0 // indirect github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect github.com/distribution/reference v0.6.0 // indirect 
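Review bot: `IsRunningOnHost` reads `r.Custom.Infrastructure` after checking only `r.Type`, so a provider with type Custom and no custom block would panic here if `Custom` is a pointer field (its declaration is outside this hunk). Add the guard as the second operand of the expression: `r.Custom != nil &&`. Both new exported methods also lack doc comments; e.g. `// IsRunningOnKubernetes reports whether the provider type is Kubernetes.` and `// IsRunningOnHost reports whether the provider is Custom with a Host infrastructure provider.`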
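Review bot: The new direct requirement `github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0` is a pseudo-version, i.e. an untagged commit rather than a release, and the later go.mod hunks show it bringing `urfave/cli/v2` and other indirect modules into the graph. Nothing in the hunk records why an unreleased revision is required. A trailing comment would make that reviewable, e.g. `// pseudo-version: needs <reason, to be filled in by the author>; move to the next tagged release`.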
@@ -143,7 +145,7 @@ require ( github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e // indirect - github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect + github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect @@ -169,7 +171,7 @@ require ( github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect - github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect + github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rubenv/sql-migrate v1.7.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect @@ -190,11 +192,13 @@ require ( github.com/tklauser/go-sysconf v0.3.12 // indirect github.com/tklauser/numcpus v0.6.1 // indirect github.com/ulikunitz/xz v0.5.12 // indirect + github.com/urfave/cli/v2 v2.8.1 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect + github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.etcd.io/etcd/api/v3 v3.5.14 // indirect go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect diff --git a/go.sum b/go.sum index d11cb03bbf0..dbaf681efbb 100644 --- a/go.sum +++ b/go.sum 
@@ -165,6 +165,7 @@ github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfc github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= @@ -395,7 +396,6 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -537,8 +537,8 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9 github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e h1:hz4quJkaJWDo+xW+G6wTF6d6/95QvJ+o2D0+bB/tJ1U= github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e/go.mod h1:9z/y9glKmWEdV50tjlUPxFwi1goQfIrrsoZbnMyIZbY= github.com/longhorn/nsfilelock v0.0.0-20200723175406-fa7c83ad0003/go.mod h1:0CLeXlf59Lg6C0kjLSDf47ft73Dh37CwymYRKWwAn04= -github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= -github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c h1:VtwQ41oftZwlMnOEbMWQtSEUgU64U4s+GHk7hZK+jtY= +github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c/go.mod h1:JKx41uQRwqlTZabZc+kILPrO/3jlKnQ2Z8b7YiVw5cE= github.com/lyft/gostats v0.4.14 h1:xmP4yMfDvEKtlNZEcS2sYz0cvnps1ri337ZEEbw3ab8= github.com/lyft/gostats v0.4.14/go.mod h1:cJWqEVL8JIewIJz/olUIios2F1q06Nc51hXejPQmBH0= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= 
@@ -680,8 +680,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= -github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b h1:0LFwY6Q3gMACTjAbMZBjXAqTOzOwFaj2Ld6cjeQ7Rig= +github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= 
@@ -817,6 +817,8 @@ github.com/telepresenceio/telepresence/rpc/v2 v2.6.8 h1:q5V85LBT9bA/c4YPa/kMvJGy github.com/telepresenceio/telepresence/rpc/v2 v2.6.8/go.mod h1:VlgfRoXaW6Tl8IZbHmMWhITne8HY09/wOFtABHGj3ic= github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 h1:GMw3nEaOVyi+tNiGko5kAeRtoiEIpXNHmISyZ7fpw14= github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7/go.mod h1:ihJ97e2gsd8GuzFF/I3B1qcik3XZLpXjumQifXi8Slg= +github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 h1:+OHaiOveLnsmUMSZT5vxL6rrpy5rcSsfnx9Mogfo1Kk= +github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0/go.mod h1:u78wX1mT5MiSZ3rw8+epQ7fcIT7m83YiwdPT2EWgb0Y= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= @@ -835,6 +837,8 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli/v2 v2.8.1 h1:CGuYNZF9IKZY/rfBe3lJpccSoIY1ytfvmgQT90cNOl4= +github.com/urfave/cli/v2 v2.8.1/go.mod h1:Z41J9TPoffeoqP0Iza0YbAhGvymRdZAd2uPmZ5JxRdY= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= 
@@ -852,6 +856,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU= +github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= diff --git a/internal/cmd/certgen.go b/internal/cmd/certgen.go index afa626f8d9a..cc9017a17bf 100644 --- a/internal/cmd/certgen.go +++ b/internal/cmd/certgen.go @@ -9,6 +9,7 @@ import ( "context" "errors" "fmt" + "path" "github.com/spf13/cobra" ctrl "sigs.k8s.io/controller-runtime" 
@@ -19,23 +20,32 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/provider/kubernetes" + "github.com/envoyproxy/gateway/internal/utils/file" ) +// TODO: make this path configurable or use server config directly. +const defaultLocalCertPath = "/tmp/envoy-gateway/certs" + // getCertGenCommand returns the certGen cobra command to be executed. func getCertGenCommand() *cobra.Command { + var local bool + cmd := &cobra.Command{ Use: "certgen", Short: "Generate Control Plane Certificates", RunE: func(cmd *cobra.Command, args []string) error { - return certGen() + return certGen(local) }, } + cmd.PersistentFlags().BoolVarP(&local, "local", "l", false, + "Generate all the certificates locally.") + return cmd } // certGen generates control plane certificates. -func certGen() error { +func certGen(local bool) error { cfg, err := getConfig() if err != nil { return err 
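Review bot: `defaultLocalCertPath = "/tmp/envoy-gateway/certs"` makes `certgen --local` write the CA, three TLS private keys and the OIDC HMAC secret under a fixed name inside a directory that every local account can write to. On a shared host another account can create that path first, so the result depends entirely on the modes and ownership checks inside `file.WriteDir`, which is not part of this hunk; please confirm it creates directories 0700 and files 0600 and refuses a pre-existing directory it does not own. The same literals are repeated in internal/gatewayapi/runner/runner.go (`localTLSCertFilepath`, `localTLSKeyFilepath`, `localTLSCaFilepath`, `hmacSecretPath`), so the TODO should cover both places. Until the path is configurable, a per-user base such as one derived from `os.UserConfigDir()` is a safer default than `/tmp`.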
@@ -46,22 +56,29 @@ func certGen() error { if err != nil { return fmt.Errorf("failed to generate certificates: %w", err) } - log.Info("generated certificates") - cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()}) - if err != nil { - return fmt.Errorf("failed to create controller-runtime client: %w", err) - } + if !local { + log.Info("generated certificates") + cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()}) + if err != nil { + return fmt.Errorf("failed to create controller-runtime client: %w", err) + } - if err := outputCerts(ctrl.SetupSignalHandler(), cli, cfg, certs); err != nil { - return fmt.Errorf("failed to output certificates: %w", err) + if err = outputCertsForKubernetes(ctrl.SetupSignalHandler(), cli, cfg, certs); err != nil { + return fmt.Errorf("failed to output certificates: %w", err) + } + } else { + log.Info("generated certificates", "path", defaultLocalCertPath) + if err = outputCertsForLocal(defaultLocalCertPath, certs); err != nil { + return fmt.Errorf("failed to output certificates locally: %w", err) + } } return nil } -// outputCerts outputs the provided certs to a secret in namespace ns. -func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, certs *crypto.Certificates) error { +// outputCertsForKubernetes outputs the provided certs to a secret in namespace ns. +func outputCertsForKubernetes(ctx context.Context, cli client.Client, cfg *config.Server, certs *crypto.Certificates) error { var updateSecrets bool if cfg.EnvoyGateway != nil && cfg.EnvoyGateway.Provider != nil && 
@@ -88,3 +105,45 @@ func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, cer return nil }
+
+// outputCertsForLocal outputs the provided certs to the local directory as files.
+func outputCertsForLocal(localPath string, certs *crypto.Certificates) (err error) {
+ egDir := path.Join(localPath, "envoy-gateway")
+ if err = file.WriteDir(certs.CACertificate, egDir, "ca.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyGatewayCertificate, egDir, "tls.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyGatewayPrivateKey, egDir, "tls.key"); err != nil {
+ return err
+ }
+
+ envoyDir := path.Join(localPath, "envoy")
+ if err = file.WriteDir(certs.CACertificate, envoyDir, "ca.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyCertificate, envoyDir, "tls.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyPrivateKey, envoyDir, "tls.key"); err != nil {
+ return err
+ }
+
+ rlDir := path.Join(localPath, "envoy-rate-limit")
+ if err = file.WriteDir(certs.CACertificate, rlDir, "ca.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyRateLimitCertificate, rlDir, "tls.crt"); err != nil {
+ return err
+ }
+ if err = file.WriteDir(certs.EnvoyRateLimitPrivateKey, rlDir, "tls.key"); err != nil {
+ return err
+ }
+
+ if err = file.WriteDir(certs.OIDCHMACSecret, path.Join(localPath, "envoy-oidc-hmac"), "hmac-secret"); err != nil {
+ return err
+ }
+
+ return
+}
diff --git a/internal/cmd/certgen_test.go b/internal/cmd/certgen_test.go
index fedd07d2236..299b0e8df23 100644
--- a/internal/cmd/certgen_test.go
+++ b/internal/cmd/certgen_test.go
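Review bot: `outputCertsForLocal` builds filesystem paths with `path.Join`, which is meant for slash-separated paths; `filepath.Join` is the right call for files on disk and is what the new test in certgen_test.go already uses. The ten near-identical `WriteDir` blocks, the named result and the bare `return` also hide which file failed, because each error is returned without context. A table of (directory, file, data) entries written in one loop addresses all three; the import changes from `path` to `path/filepath`, and the sketch assumes the `Certificates` fields are `[]byte`, which this hunk does not show.

```go
func outputCertsForLocal(localPath string, certs *crypto.Certificates) error {
	outputs := []struct {
		dir, name string
		data      []byte
	}{
		{"envoy-gateway", "ca.crt", certs.CACertificate},
		{"envoy-gateway", "tls.crt", certs.EnvoyGatewayCertificate},
		{"envoy-gateway", "tls.key", certs.EnvoyGatewayPrivateKey},
		{"envoy", "ca.crt", certs.CACertificate},
		{"envoy", "tls.crt", certs.EnvoyCertificate},
		{"envoy", "tls.key", certs.EnvoyPrivateKey},
		{"envoy-rate-limit", "ca.crt", certs.CACertificate},
		{"envoy-rate-limit", "tls.crt", certs.EnvoyRateLimitCertificate},
		{"envoy-rate-limit", "tls.key", certs.EnvoyRateLimitPrivateKey},
		{"envoy-oidc-hmac", "hmac-secret", certs.OIDCHMACSecret},
	}
	for _, o := range outputs {
		if err := file.WriteDir(o.data, filepath.Join(localPath, o.dir), o.name); err != nil {
			return fmt.Errorf("writing %s: %w", filepath.Join(o.dir, o.name), err)
		}
	}
	return nil
}
```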
@@ -6,12 +6,39 @@ package cmd import ( + "path/filepath" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/envoyproxy/gateway/internal/crypto" ) func TestGetCertgenCommand(t *testing.T) { got := getCertGenCommand() assert.Equal(t, "certgen", got.Use) } + +func TestOutputCertsForLocal(t *testing.T) { + cfg, err := getConfig() + require.NoError(t, err) + + certs, err := crypto.GenerateCerts(cfg) + require.NoError(t, err) + + tmpDir := t.TempDir() + err = outputCertsForLocal(tmpDir, certs) + require.NoError(t, err) + + assert.FileExists(t, filepath.Join(tmpDir, "envoy-gateway", "ca.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-gateway", "tls.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-gateway", "tls.key")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy", "ca.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy", "tls.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy", "tls.key")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-rate-limit", "ca.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-rate-limit", "tls.crt")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-rate-limit", "tls.key")) + assert.FileExists(t, filepath.Join(tmpDir, "envoy-oidc-hmac", "hmac-secret")) +} diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index df12da2e2c1..b965d6d9818 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml 
@@ -122,13 +122,13 @@ envoyProxyForGatewayClass: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -160,13 +160,13 @@ envoyProxyForGatewayClass: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/crypto/cert_load.go b/internal/crypto/cert_load.go new file mode 100644 index 00000000000..f00dec1d9a3 --- /dev/null +++ b/internal/crypto/cert_load.go 
@@ -0,0 +1,57 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package crypto
+
+import (
+ "crypto/rand"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "os"
+)
+
+// LoadTLSConfig returns TLSConfig form certificates.
+func LoadTLSConfig(tlsCrt, tlsKey, caCrt string) (*tls.Config, error) {
+ loadConfig := func() (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(tlsCrt, tlsKey)
+ if err != nil {
+ return nil, err
+ }
+
+ // Load the CA cert.
+ ca, err := os.ReadFile(caCrt)
+ if err != nil {
+ return nil, err
+ }
+
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(ca) {
+ return nil, fmt.Errorf("failed to parse CA certificate")
+ }
+
+ return &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ NextProtos: []string{"h2"},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: certPool,
+ MinVersion: tls.VersionTLS13,
+ }, nil
+ }
+
+ // Attempt to load certificates and key to catch configuration errors early.
+ if _, err := loadConfig(); err != nil {
+ return nil, err
+ }
+
+ return &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ Rand: rand.Reader,
+ GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
+ return loadConfig()
+ },
+ }, nil
+}
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index f8f7b2a6965..bd093761911 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -8,9 +8,7 @@ package runner import ( "context" "crypto/tls" - "crypto/x509" "encoding/json" - "errors" "fmt" "os" "reflect"
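Review bot: `LoadTLSConfig` returns a config whose `GetConfigForClient` re-reads the key pair and the CA file from disk on every ClientHello, which is before the peer has been authenticated, and the doc comment (`returns TLSConfig form certificates`) says none of this. A reload failure then surfaces only as a failed handshake carrying a bare error that does not name the file. I would document the contract, e.g. `// LoadTLSConfig returns a server-side mTLS config (TLS 1.3, h2, client cert required) that reloads tlsCrt, tlsKey and caCrt on each handshake.`, and wrap the errors, e.g. `return nil, fmt.Errorf("loading key pair %s: %w", tlsCrt, err)`. The outer `Rand: rand.Reader` is already the default when the field is nil, so it and the `crypto/rand` import can be dropped. If handshake volume matters, caching the parsed config and refreshing it on a timer or on file change would avoid disk reads per connection.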
@@ -27,6 +25,7 @@ import ( gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" "github.com/envoyproxy/gateway/internal/envoygateway/config" extension "github.com/envoyproxy/gateway/internal/extension/types" "github.com/envoyproxy/gateway/internal/gatewayapi" @@ -37,10 +36,22 @@ import ( ) const ( - wasmCacheDir = "/var/lib/eg/wasm" - serveTLSCertFilename = "/certs/tls.crt" - serveTLSKeyFilename = "/certs/tls.key" - serveTLSCaFilename = "/certs/ca.crt" + wasmCacheDir = "/var/lib/eg/wasm" + + // Default certificates path for envoy-gateway with Kubernetes provider. + serveTLSCertFilepath = "/certs/tls.crt" + serveTLSKeyFilepath = "/certs/tls.key" + serveTLSCaFilepath = "/certs/ca.crt" + + // TODO: Make these path configurable. + // Default certificates path for envoy-gateway with Host infrastructure provider. + localTLSCertFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.crt" + localTLSKeyFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.key" + localTLSCaFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/ca.crt" + + hmacSecretName = "envoy-oidc-hmac" // nolint: gosec + hmacSecretKey = "hmac-secret" + hmacSecretPath = "/tmp/envoy-gateway/certs/envoy-oidc-hmac/hmac-secret" // nolint: gosec ) type Config struct { @@ -62,12 +73,6 @@ func New(cfg *Config) *Runner { } } -const ( - // nolint: gosec - hmacSecretName = "envoy-oidc-hmac" - hmacSecretKey = "hmac-secret" -) - func (r *Runner) Name() string { return string(egv1a1.LogComponentGatewayAPIRunner) } 
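Review bot: The host-provider defaults added to the const block of internal/gatewayapi/runner/runner.go (`localTLSCertFilepath`, `localTLSKeyFilepath`, `localTLSCaFilepath`, `hmacSecretPath`) place the server private key, the client CA and the HMAC secret at fixed paths under `/tmp`, which is normally writable by every local account. A directory there can be pre-created or replaced by another account on a shared host, so the files read from it cannot be assumed to come from the operator. Until the TODO about configurable paths is resolved, I would default to a location only the service account can write, for example one derived from `os.UserConfigDir()`, and state the required ownership and mode in the comment above the constants. The same `/tmp` defaults are repeated in the const hunk of internal/globalratelimit/runner/runner.go and as `defaultHomeDir` / `defaultLocalCertPathDir` in internal/infrastructure/host/infra.go.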
@@ -86,16 +91,12 @@ func (r *Runner) startWasmCache(ctx context.Context) { // Start the wasm cache server // EG reuse the OIDC HMAC secret as a hash salt to generate an unguessable // downloading path for the Wasm module. - salt, err := hmac(ctx, r.Namespace) - if err != nil { - r.Logger.Error(err, "failed to get hmac secret") - return - } - tlsConfig, err := r.tlsConfig() + tlsConfig, salt, err := r.loadTLSConfig(ctx) if err != nil { - r.Logger.Error(err, "failed to create tls config") + r.Logger.Error(err, "failed to start wasm cache") return } + // Create the file directory if it does not exist. if err = fileutils.CreateIfNotExists(wasmCacheDir, true); err != nil { r.Logger.Error(err, "Failed to create Wasm cache directory") 
@@ -299,6 +300,36 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { r.Logger.Info("shutting down") } +func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt []byte, err error) { + switch { + case r.EnvoyGateway.Provider.IsRunningOnKubernetes(): + salt, err = hmac(ctx, r.Namespace) + if err != nil { + return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err) + } + + tlsConfig, err = crypto.LoadTLSConfig(serveTLSCertFilepath, serveTLSKeyFilepath, serveTLSCaFilepath) + if err != nil { + return nil, nil, fmt.Errorf("failed to create tls config: %w", err) + } + + case r.EnvoyGateway.Provider.IsRunningOnHost(): + salt, err = os.ReadFile(hmacSecretPath) + if err != nil { + return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err) + } + + tlsConfig, err = crypto.LoadTLSConfig(localTLSCertFilepath, localTLSKeyFilepath, localTLSCaFilepath) + if err != nil { + return nil, nil, fmt.Errorf("failed to create tls config: %w", err) + } + + default: + return nil, nil, fmt.Errorf("no valid tls certificates") + } + return +} + func unstructuredToPolicyStatus(policyStatus map[string]any) gwapiv1a2.PolicyStatus { var ret gwapiv1a2.PolicyStatus // No need to check the json marshal/unmarshal error, the policyStatus was 
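Review bot: In the host branch of `loadTLSConfig`, `salt, err = os.ReadFile(hmacSecretPath)` accepts an empty file, so the Wasm cache would start with an empty salt even though the comment in `startWasmCache` says the salt is what keeps the module download path unguessable. I would reject that case right after the read, `if len(salt) == 0 { return nil, nil, fmt.Errorf("hmac secret %s is empty", hmacSecretPath) }`, and decide explicitly whether a trailing newline in the file counts as part of the secret. The `default` branch message `no valid tls certificates` is also misleading, since that branch is reached for an unsupported provider type rather than for a bad certificate. The function is fully contained in this hunk.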
@@ -537,36 +568,3 @@ func hmac(ctx context.Context, namespace string) (hmac []byte, err error) { } return } - -func (r *Runner) tlsConfig() (*tls.Config, error) { - var ( - serverCert tls.Certificate // server's certificate and private key - caCert []byte // the CA certificate for client verification - caCertPool *x509.CertPool - err error - ) - - // Load server's certificate and private key - if serverCert, err = tls.LoadX509KeyPair(serveTLSCertFilename, serveTLSKeyFilename); err != nil { - return nil, err - } - - // Load client's CA certificate - if caCert, err = os.ReadFile(serveTLSCaFilename); err != nil { - return nil, err - } - - caCertPool = x509.NewCertPool() - if !caCertPool.AppendCertsFromPEM(caCert) { - return nil, errors.New("failed to parse CA certificate") - } - - // Configure the server to require client certificates - return &tls.Config{ - Certificates: []tls.Certificate{serverCert}, - NextProtos: []string{"h2"}, - ClientAuth: tls.RequireAndVerifyClientCert, - ClientCAs: caCertPool, - MinVersion: tls.VersionTLS13, - }, nil -} diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go index baaaaacd6b7..e3430373454 100644 --- a/internal/globalratelimit/runner/runner.go +++ b/internal/globalratelimit/runner/runner.go @@ -7,13 +7,10 @@ package runner import ( "context" - "crypto/rand" "crypto/tls" - "crypto/x509" "fmt" "math" "net" - "os" "strconv" discoveryv3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3" @@ -25,6 +22,7 @@ import ( "google.golang.org/grpc/credentials" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/ratelimit" "github.com/envoyproxy/gateway/internal/ir" 
@@ -36,12 +34,20 @@ import ( const ( // XdsGrpcSotwConfigServerAddress is the listening address of the ratelimit xDS config server. XdsGrpcSotwConfigServerAddress = "0.0.0.0" - // rateLimitTLSCertFilename is the ratelimit tls cert file. - rateLimitTLSCertFilename = "/certs/tls.crt" - // rateLimitTLSKeyFilename is the ratelimit key file. - rateLimitTLSKeyFilename = "/certs/tls.key" - // rateLimitTLSCACertFilename is the ratelimit ca cert file. - rateLimitTLSCACertFilename = "/certs/ca.crt" + + // Default certificates path for envoy-gateway with Kubernetes provider. + // rateLimitTLSCertFilepath is the ratelimit tls cert file. + rateLimitTLSCertFilepath = "/certs/tls.crt" + // rateLimitTLSKeyFilepath is the ratelimit key file. + rateLimitTLSKeyFilepath = "/certs/tls.key" + // rateLimitTLSCACertFilepath is the ratelimit ca cert file. + rateLimitTLSCACertFilepath = "/certs/ca.crt" + + // TODO: Make these path configurable. + // Default certificates path for envoy-gateway with Host infrastructure provider. + localTLSCertFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.crt" + localTLSKeyFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.key" + localTLSCaFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/ca.crt" ) type Config struct { @@ -71,8 +77,13 @@ func (r *Runner) Start(ctx context.Context) (err error) { // Set up the gRPC server and register the xDS handler. // Create SnapshotCache before start subscribeAndTranslate, // prevent panics in case cache is nil. - cfg := r.tlsConfig(rateLimitTLSCertFilename, rateLimitTLSKeyFilename, rateLimitTLSCACertFilename) - r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(cfg))) + tlsConfig, err := r.loadTLSConfig() + if err != nil { + return fmt.Errorf("failed to load TLS config: %w", err) + } + r.Logger.Info("loaded TLS certificate and key") + + r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig))) r.cache = cachev3.NewSnapshotCache(false, cachev3.IDHash{}, r.Logger.Sugar()) 
@@ -193,45 +204,22 @@ func (r *Runner) addNewSnapshot(ctx context.Context, resource types.XdsResources return nil } -func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { - loadConfig := func() (*tls.Config, error) { - cert, err := tls.LoadX509KeyPair(cert, key) +func (r *Runner) loadTLSConfig() (tlsConfig *tls.Config, err error) { + switch { + case r.EnvoyGateway.Provider.IsRunningOnKubernetes(): + tlsConfig, err = crypto.LoadTLSConfig(rateLimitTLSCertFilepath, rateLimitTLSKeyFilepath, rateLimitTLSCACertFilepath) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create tls config: %w", err) } - // Load the CA cert. - ca, err := os.ReadFile(ca) + case r.EnvoyGateway.Provider.IsRunningOnHost(): + tlsConfig, err = crypto.LoadTLSConfig(localTLSCertFilepath, localTLSKeyFilepath, localTLSCaFilepath) if err != nil { - return nil, err - } - - certPool := x509.NewCertPool() - if !certPool.AppendCertsFromPEM(ca) { - return nil, fmt.Errorf("failed to parse CA certificate") + return nil, fmt.Errorf("failed to create tls config: %w", err) } - return &tls.Config{ - Certificates: []tls.Certificate{cert}, - NextProtos: []string{"h2"}, - ClientAuth: tls.RequireAndVerifyClientCert, - ClientCAs: certPool, - MinVersion: tls.VersionTLS13, - }, nil - } - - // Attempt to load certificates and key to catch configuration errors early. - if _, lerr := loadConfig(); lerr != nil { - r.Logger.Error(lerr, "failed to load certificate and key") - } - r.Logger.Info("loaded TLS certificate and key") - - return &tls.Config{ - MinVersion: tls.VersionTLS13, - ClientAuth: tls.RequireAndVerifyClientCert, - Rand: rand.Reader, - GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) { - return loadConfig() - }, + default: + return nil, fmt.Errorf("no valid tls certificates") } + return } diff --git a/internal/infrastructure/common/proxy_args.go b/internal/infrastructure/common/proxy_args.go new file mode 100644 index 00000000000..0ffaa36c64e --- /dev/null 
+++ b/internal/infrastructure/common/proxy_args.go 
@@ -0,0 +1,69 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package common + +import ( + "fmt" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/xds/bootstrap" +) + +// BuildProxyArgs builds command arguments for proxy infrastructure. +func BuildProxyArgs( + infra *ir.ProxyInfra, + shutdownConfig *egv1a1.ShutdownConfig, + bootstrapConfigOptions *bootstrap.RenderBootstrapConfigOptions, + serviceNode string, +) ([]string, error) { + bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(bootstrapConfigOptions) + if err != nil { + return nil, err + } + + // Apply Bootstrap from EnvoyProxy API if set by the user + // The config should have been validated already. + if infra.Config != nil && infra.Config.Spec.Bootstrap != nil { + bootstrapConfigurations, err = bootstrap.ApplyBootstrapConfig(infra.Config.Spec.Bootstrap, bootstrapConfigurations) + if err != nil { + return nil, err + } + } + + logging := infra.Config.Spec.Logging + + args := []string{ + fmt.Sprintf("--service-cluster %s", infra.Name), + fmt.Sprintf("--service-node %s", serviceNode), + fmt.Sprintf("--config-yaml %s", bootstrapConfigurations), + fmt.Sprintf("--log-level %s", logging.DefaultEnvoyProxyLoggingLevel()), + "--cpuset-threads", + "--drain-strategy immediate", + } + + if infra.Config != nil && + infra.Config.Spec.Concurrency != nil { + args = append(args, fmt.Sprintf("--concurrency %d", *infra.Config.Spec.Concurrency)) + } + + if componentsLogLevel := logging.GetEnvoyProxyComponentLevel(); componentsLogLevel != "" { + args = append(args, fmt.Sprintf("--component-log-level %s", componentsLogLevel)) + } + + // Default drain timeout. 
+ drainTimeout := 60.0 + if shutdownConfig != nil && shutdownConfig.DrainTimeout != nil { + drainTimeout = shutdownConfig.DrainTimeout.Seconds() + } + args = append(args, fmt.Sprintf("--drain-time-s %.0f", drainTimeout)) + + if infra.Config != nil { + args = append(args, infra.Config.Spec.ExtraArgs...) + } + + return args, nil +} diff --git a/internal/infrastructure/common/proxy_sds.go b/internal/infrastructure/common/proxy_sds.go new file mode 100644 index 00000000000..ea6a9227b6e --- /dev/null +++ b/internal/infrastructure/common/proxy_sds.go @@ -0,0 +1,27 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package common + +import "fmt" + +// xDS certificate rotation is supported by using SDS path-based resource files. + +const ( + SdsCAFilename = "xds-trusted-ca.json" + SdsCertFilename = "xds-certificate.json" +) + +func GetSdsCAConfigMapData(ca string) string { + return fmt.Sprintf(`{"resources":[{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",`+ + `"name":"xds_trusted_ca","validation_context":{"trusted_ca":{"filename":"%s"},`+ + `"match_typed_subject_alt_names":[{"san_type":"DNS","matcher":{"exact":"envoy-gateway"}}]}}]}`, ca) +} + +func GetSdsCertConfigMapData(tlsCert, tlsKey string) string { + return fmt.Sprintf(`{"resources":[{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",`+ + `"name":"xds_certificate","tls_certificate":{"certificate_chain":{"filename":"%s"},`+ + `"private_key":{"filename":"%s"}}}]}`, tlsCert, tlsKey) +} diff --git a/internal/infrastructure/host/infra.go b/internal/infrastructure/host/infra.go new file mode 100644 index 00000000000..71804561f3f --- /dev/null +++ b/internal/infrastructure/host/infra.go 
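Review bot: `BuildProxyArgs` in internal/infrastructure/common/proxy_args.go reads `infra.Config.Spec.Logging` without a nil check, although the statements before and after it guard every other access with `infra.Config != nil`; a `ProxyInfra` without a config would panic at that line. Either return an error at the top of the function when `infra` or `infra.Config` is nil and drop the later guards, or start from a zero-value logging config and overwrite it only when `infra.Config` is set. The function has no unit test in this change, and a nil-config case would be the first one I would add now that both the Kubernetes and the host provider call it.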
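Review bot: `GetSdsCAConfigMapData` and `GetSdsCertConfigMapData` in internal/infrastructure/common/proxy_sds.go splice their path arguments into a JSON document with a bare `%s`, so a path containing a double quote or a backslash yields invalid or differently structured SDS JSON. That was harmless while the values were package constants, but they are parameters now, and the host provider passes `filepath.Join` results with a TODO to make the directory configurable. I would encode each filename with `json.Marshal` before formatting, or build the document from a struct, and give both exported functions a doc comment saying the argument is a filesystem path as seen by the Envoy process.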
@@ -0,0 +1,112 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package host + +import ( + "context" + "fmt" + "os" + "path/filepath" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/infrastructure/common" + "github.com/envoyproxy/gateway/internal/logging" + "github.com/envoyproxy/gateway/internal/utils/file" +) + +const ( + // TODO: Make these path configurable. + defaultHomeDir = "/tmp/envoy-gateway" + defaultLocalCertPathDir = "/tmp/envoy-gateway/certs/envoy" + + // XdsTLSCertFilename is the fully qualified name of the file containing Envoy's + // xDS server TLS certificate. + XdsTLSCertFilename = "tls.crt" + // XdsTLSKeyFilename is the fully qualified name of the file containing Envoy's + // xDS server TLS key. + XdsTLSKeyFilename = "tls.key" + // XdsTLSCaFilename is the fully qualified name of the file containing Envoy's + // trusted CA certificate. + XdsTLSCaFilename = "ca.crt" +) + +// Infra manages the creation and deletion of host process +// based on Infra IR resources. +type Infra struct { + HomeDir string + Logger logging.Logger + + // EnvoyGateway is the configuration used to startup Envoy Gateway. + EnvoyGateway *egv1a1.EnvoyGateway + + // proxyContextMap store the context of each running proxy by its name for lifecycle management. + proxyContextMap map[string]*proxyContext + + // TODO: remove this field once it supports the configurable homeDir + sdsConfigPath string +} + +func NewInfra(runnerCtx context.Context, cfg *config.Server, logger logging.Logger) (*Infra, error) { + // Ensure the home directory exist. + if err := os.MkdirAll(defaultHomeDir, 0o750); err != nil { + return nil, fmt.Errorf("failed to create dir: %w", err) + } + + // Check local certificates dir exist. 
+ if _, err := os.Lstat(defaultLocalCertPathDir); err != nil { + return nil, fmt.Errorf("failed to stat dir: %w", err) + } + + // Ensure the sds config exist. + if err := createSdsConfig(defaultLocalCertPathDir); err != nil { + return nil, fmt.Errorf("failed to create sds config: %w", err) + } + + infra := &Infra{ + HomeDir: defaultHomeDir, + Logger: logger, + EnvoyGateway: cfg.EnvoyGateway, + proxyContextMap: make(map[string]*proxyContext), + sdsConfigPath: defaultLocalCertPathDir, + } + go infra.cleanProxy(runnerCtx) + + return infra, nil +} + +// cleanProxy stops all the running proxies when infra provider is closing. +func (i *Infra) cleanProxy(ctx context.Context) { + <-ctx.Done() + if len(i.proxyContextMap) < 1 { + return + } + + i.Logger.Info("start cleaning up proxies") + for name, proxyCtx := range i.proxyContextMap { + proxyCtx.cancel() + i.Logger.Info("proxy closed", "name", name) + } + i.Logger.Info("all proxies has been cleaned up") +} + +// createSdsConfig creates the needing SDS config under certain directory. +func createSdsConfig(dir string) error { + if err := file.Write(common.GetSdsCAConfigMapData( + filepath.Join(dir, XdsTLSCaFilename)), + filepath.Join(dir, common.SdsCAFilename)); err != nil { + return err + } + + if err := file.Write(common.GetSdsCertConfigMapData( + filepath.Join(dir, XdsTLSCertFilename), + filepath.Join(dir, XdsTLSKeyFilename)), + filepath.Join(dir, common.SdsCertFilename)); err != nil { + return err + } + + return nil +} diff --git a/internal/infrastructure/host/proxy_infra.go b/internal/infrastructure/host/proxy_infra.go new file mode 100644 index 00000000000..371aedc2be9 --- /dev/null +++ b/internal/infrastructure/host/proxy_infra.go 
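Review bot: In `NewInfra`, the `os.Lstat(defaultLocalCertPathDir)` check only proves that something exists at that path; it does not confirm that it is a directory or that other accounts cannot write to it, and `os.MkdirAll(defaultHomeDir, 0o750)` leaves an already existing directory with whatever owner and mode it has. Since this directory holds Envoy's xDS private key and the SDS files that `createSdsConfig` writes, I would keep the `FileInfo` and refuse to start when the path is a symlink, a non-directory, or group- or world-writable; an ownership check needs platform-specific code and is left out of the sketch below. Separately, the comments on `XdsTLSCertFilename`, `XdsTLSKeyFilename` and `XdsTLSCaFilename` call them fully qualified names although the values are bare file names.

```go
// Check the local certificates dir exists and is not writable by other accounts.
// Lstat does not follow symlinks, so a symlinked path fails the IsDir test.
fi, err := os.Lstat(defaultLocalCertPathDir)
if err != nil {
	return nil, fmt.Errorf("failed to stat dir: %w", err)
}
if !fi.IsDir() || fi.Mode().Perm()&0o022 != 0 {
	return nil, fmt.Errorf("cert dir %s must be a directory that is not group- or world-writable", defaultLocalCertPathDir)
}
// … unchanged: createSdsConfig call and Infra construction …
```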
@@ -0,0 +1,89 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package host + +import ( + "context" + "errors" + "path/filepath" + + funcE "github.com/tetratelabs/func-e/api" + "k8s.io/utils/ptr" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/infrastructure/common" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils" + "github.com/envoyproxy/gateway/internal/xds/bootstrap" +) + +type proxyContext struct { + ctx context.Context + cancel context.CancelFunc +} + +// CreateOrUpdateProxyInfra creates the managed host process, if it doesn't exist. +func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) error { + if infra == nil { + return errors.New("infra ir is nil") + } + + if infra.Proxy == nil { + return errors.New("infra proxy ir is nil") + } + + proxyInfra := infra.GetProxyInfra() + proxyName := utils.GetHashedName(proxyInfra.Name, 64) + // Return directly if the proxy is running. + if _, ok := i.proxyContextMap[proxyName]; ok { + return nil + } + + proxyConfig := proxyInfra.GetProxyConfig() + // Disable Prometheus to make envoy running as a host process successfully. + // TODO: Add Prometheus support to host infra. 
+ bootstrapConfigOptions := &bootstrap.RenderBootstrapConfigOptions{ + ProxyMetrics: &egv1a1.ProxyMetrics{ + Prometheus: &egv1a1.ProxyPrometheusProvider{ + Disable: true, + }, + }, + SdsConfig: bootstrap.SdsConfigPath{ + Certificate: filepath.Join(i.sdsConfigPath, common.SdsCertFilename), + TrustedCA: filepath.Join(i.sdsConfigPath, common.SdsCAFilename), + }, + XdsServerHost: ptr.To("0.0.0.0"), + WasmServerPort: ptr.To(int32(0)), + AdminServerPort: ptr.To(int32(0)), + ReadyServerPort: ptr.To(int32(0)), + } + + args, err := common.BuildProxyArgs(proxyInfra, proxyConfig.Spec.Shutdown, bootstrapConfigOptions, proxyName) + if err != nil { + return err + } + + // Create a new context for up-running proxy. + pCtx, cancel := context.WithCancel(context.Background()) + i.proxyContextMap[proxyName] = &proxyContext{ctx: pCtx, cancel: cancel} + return funcE.Run(pCtx, args, funcE.HomeDir(i.HomeDir)) +} + +// DeleteProxyInfra removes the managed host process, if it doesn't exist. +func (i *Infra) DeleteProxyInfra(ctx context.Context, infra *ir.Infra) error { + if infra == nil { + return errors.New("infra ir is nil") + } + + proxyInfra := infra.GetProxyInfra() + proxyName := utils.GetHashedName(proxyInfra.Name, 64) + if pCtx, ok := i.proxyContextMap[proxyName]; ok { + pCtx.cancel() + } + + // Return directly if the proxy is already stopped. + return nil +} diff --git a/internal/infrastructure/host/proxy_infra_test.go b/internal/infrastructure/host/proxy_infra_test.go new file mode 100644 index 00000000000..3437fe5a5d6 --- /dev/null +++ b/internal/infrastructure/host/proxy_infra_test.go 
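Review bot: `DeleteProxyInfra` in internal/infrastructure/host/proxy_infra.go cancels the proxy context but leaves the entry in `i.proxyContextMap`, so a later `CreateOrUpdateProxyInfra` for the same name hits the `if _, ok := i.proxyContextMap[proxyName]; ok { return nil }` early return and never starts a new process; add `delete(i.proxyContextMap, proxyName)` after `pCtx.cancel()`, and remove the entry as well when `funcE.Run` returns. The map is also read by the `cleanProxy` goroutine started in `NewInfra` while these methods write it, with no mutex visible in either file, which looks like a data race worth guarding. `DeleteProxyInfra` skips the `infra.Proxy == nil` check that `CreateOrUpdateProxyInfra` performs, and its doc comment ("if it doesn't exist") describes the opposite condition.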
@@ -0,0 +1,89 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package host + +import ( + "context" + "path" + "testing" + + "github.com/stretchr/testify/require" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/logging" + "github.com/envoyproxy/gateway/internal/utils/file" +) + +func newMockInfra(t *testing.T, tCtx context.Context, cfg *config.Server, cleanProxy bool) *Infra { + t.Helper() + homeDir := t.TempDir() + // Create envoy certs under home dir. + certs, err := crypto.GenerateCerts(cfg) + require.NoError(t, err) + // Write certs into proxy dir. + proxyDir := path.Join(homeDir, "envoy") + err = file.WriteDir(certs.CACertificate, proxyDir, "ca.crt") + require.NoError(t, err) + err = file.WriteDir(certs.EnvoyCertificate, proxyDir, "tls.crt") + require.NoError(t, err) + err = file.WriteDir(certs.EnvoyPrivateKey, proxyDir, "tls.key") + require.NoError(t, err) + // Write sds config as well. + err = createSdsConfig(proxyDir) + require.NoError(t, err) + + infra := &Infra{ + HomeDir: homeDir, + Logger: logging.DefaultLogger(egv1a1.LogLevelInfo), + EnvoyGateway: cfg.EnvoyGateway, + proxyContextMap: make(map[string]*proxyContext), + sdsConfigPath: proxyDir, + } + if cleanProxy { + go infra.cleanProxy(tCtx) + } + return infra +} + +func TestInfraCreateProxy(t *testing.T) { + cfg, err := config.New() + require.NoError(t, err) + infra := newMockInfra(t, context.Background(), cfg, true) + + // TODO: add more tests once it supports configurable homeDir and runDir. 
+ testCases := []struct { + name string + expect bool + infra *ir.Infra + }{ + { + name: "nil cfg", + expect: false, + infra: nil, + }, + { + name: "nil proxy", + expect: false, + infra: &ir.Infra{ + Proxy: nil, + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + err = infra.CreateOrUpdateProxyInfra(context.Background(), tc.infra) + if tc.expect { + require.NoError(t, err) + } else { + require.Error(t, err) + } + }) + } +} diff --git a/internal/infrastructure/host/ratelimit_infra.go b/internal/infrastructure/host/ratelimit_infra.go new file mode 100644 index 00000000000..41871c9137e --- /dev/null +++ b/internal/infrastructure/host/ratelimit_infra.go @@ -0,0 +1,23 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package host + +import ( + "context" + "fmt" +) + +// TODO: add ratelimit support for host infra + +// CreateOrUpdateRateLimitInfra creates the managed host rate limit process, if it doesn't exist. +func (i *Infra) CreateOrUpdateRateLimitInfra(ctx context.Context) error { + return fmt.Errorf("create/update ratelimit infrastructure is not supported yet for host infrastructure") +} + +// DeleteRateLimitInfra removes the managed host rate limit process, if it doesn't exist. +func (i *Infra) DeleteRateLimitInfra(ctx context.Context) error { + return fmt.Errorf("delete ratelimit infrastructure is not supported yet for host infrastructure") +} diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go index 16cd72b9545..1bec17c0903 100644 --- a/internal/infrastructure/kubernetes/infra_resource.go +++ b/internal/infrastructure/kubernetes/infra_resource.go 
@@ -17,7 +17,7 @@ import ( "k8s.io/apimachinery/pkg/api/equality" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" + klabels "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" @@ -255,7 +255,7 @@ func isSelectorMatch(labelselector *metav1.LabelSelector, l map[string]string) ( return false, fmt.Errorf("invalid label selector is generated: %w", err) } - return selector.Matches(labels.Set(l)), nil + return selector.Matches(klabels.Set(l)), nil } func (i *Infra) createOrUpdatePodDisruptionBudget(ctx context.Context, r ResourceRender) (err error) { diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index d4d210418b7..6eb8a894e18 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -7,6 +7,7 @@ package proxy import ( "fmt" + "path/filepath" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" @@ -15,6 +16,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/cmd/envoy" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/infrastructure/common" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" 
@@ -22,17 +24,6 @@ import ( ) const ( - SdsCAFilename = "xds-trusted-ca.json" - SdsCertFilename = "xds-certificate.json" - // XdsTLSCertFilename is the fully qualified path of the file containing Envoy's - // xDS server TLS certificate. - XdsTLSCertFilename = "/certs/tls.crt" - // XdsTLSKeyFilename is the fully qualified path of the file containing Envoy's - // xDS server TLS key. - XdsTLSKeyFilename = "/certs/tls.key" - // XdsTLSCaFilename is the fully qualified path of the file containing Envoy's - // trusted CA certificate. - XdsTLSCaFilename = "/certs/ca.crt" // envoyContainerName is the name of the Envoy container. envoyContainerName = "envoy" // envoyNsEnvVar is the name of the Envoy Gateway namespace environment variable. @@ -41,16 +32,6 @@ const ( envoyPodEnvVar = "ENVOY_POD_NAME" ) -var ( - // xDS certificate rotation is supported by using SDS path-based resource files. - SdsCAConfigMapData = fmt.Sprintf(`{"resources":[{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",`+ - `"name":"xds_trusted_ca","validation_context":{"trusted_ca":{"filename":"%s"},`+ - `"match_typed_subject_alt_names":[{"san_type":"DNS","matcher":{"exact":"envoy-gateway"}}]}}]}`, XdsTLSCaFilename) - SdsCertConfigMapData = fmt.Sprintf(`{"resources":[{"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",`+ - `"name":"xds_certificate","tls_certificate":{"certificate_chain":{"filename":"%s"},`+ - `"private_key":{"filename":"%s"}}}]}`, XdsTLSCertFilename, XdsTLSKeyFilename) -) - // ExpectedResourceHashedName returns expected resource hashed name including up to the 48 characters of the original name. func ExpectedResourceHashedName(name string) string { hashedName := utils.GetHashedName(name, 48) @@ -135,8 +116,6 @@ func expectedProxyContainers(infra *ir.ProxyInfra, }) } - var bootstrapConfigurations string - var proxyMetrics *egv1a1.ProxyMetrics if infra.Config != nil && infra.Config.Spec.Telemetry != nil { 
@@ -146,52 +125,18 @@ func expectedProxyContainers(infra *ir.ProxyInfra, maxHeapSizeBytes := calculateMaxHeapSizeBytes(containerSpec.Resources) // Get the default Bootstrap - bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(&bootstrap.RenderBootstrapConfigOptions{ - ProxyMetrics: proxyMetrics, + bootstrapConfigOptions := &bootstrap.RenderBootstrapConfigOptions{ + ProxyMetrics: proxyMetrics, + SdsConfig: bootstrap.SdsConfigPath{ + Certificate: filepath.Join("/sds", common.SdsCertFilename), + TrustedCA: filepath.Join("/sds", common.SdsCAFilename), + }, MaxHeapSizeBytes: maxHeapSizeBytes, - }) - if err != nil { - return nil, err } - // Apply Bootstrap from EnvoyProxy API if set by the user - // The config should have been validated already - if infra.Config != nil && infra.Config.Spec.Bootstrap != nil { - bootstrapConfigurations, err = bootstrap.ApplyBootstrapConfig(infra.Config.Spec.Bootstrap, bootstrapConfigurations) - if err != nil { - return nil, err - } - } - - logging := infra.Config.Spec.Logging - - args := []string{ - fmt.Sprintf("--service-cluster %s", infra.Name), - fmt.Sprintf("--service-node $(%s)", envoyPodEnvVar), - fmt.Sprintf("--config-yaml %s", bootstrapConfigurations), - fmt.Sprintf("--log-level %s", logging.DefaultEnvoyProxyLoggingLevel()), - "--cpuset-threads", - "--drain-strategy immediate", - } - - if infra.Config != nil && - infra.Config.Spec.Concurrency != nil { - args = append(args, fmt.Sprintf("--concurrency %d", *infra.Config.Spec.Concurrency)) - } - - if componentsLogLevel := logging.GetEnvoyProxyComponentLevel(); componentsLogLevel != "" { - args = append(args, fmt.Sprintf("--component-log-level %s", componentsLogLevel)) - } - - // Default - drainTimeout := 60.0 - if shutdownConfig != nil && shutdownConfig.DrainTimeout != nil { - drainTimeout = shutdownConfig.DrainTimeout.Seconds() - } - args = append(args, fmt.Sprintf("--drain-time-s %.0f", drainTimeout)) - - if infra.Config != nil { - args = append(args, 
infra.Config.Spec.ExtraArgs...) + args, err := common.BuildProxyArgs(infra, shutdownConfig, bootstrapConfigOptions, fmt.Sprintf("$(%s)", envoyPodEnvVar)) + if err != nil { + return nil, err } containers := []corev1.Container{ @@ -378,12 +323,12 @@ func expectedVolumes(name string, pod *egv1a1.KubernetesPodSpec) []corev1.Volume }, Items: []corev1.KeyToPath{ { - Key: SdsCAFilename, - Path: SdsCAFilename, + Key: common.SdsCAFilename, + Path: common.SdsCAFilename, }, { - Key: SdsCertFilename, - Path: SdsCertFilename, + Key: common.SdsCertFilename, + Path: common.SdsCertFilename, }, }, DefaultMode: ptr.To[int32](420), diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 5411c29e1c6..b1d47e906d9 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -21,11 +21,24 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/infrastructure/common" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/resource" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) +const ( + // XdsTLSCertFilepath is the fully qualified path of the file containing Envoy's + // xDS server TLS certificate. + XdsTLSCertFilepath = "/certs/tls.crt" + // XdsTLSKeyFilepath is the fully qualified path of the file containing Envoy's + // xDS server TLS key. + XdsTLSKeyFilepath = "/certs/tls.key" + // XdsTLSCaFilepath is the fully qualified path of the file containing Envoy's + // trusted CA certificate. + XdsTLSCaFilepath = "/certs/ca.crt" +) + type ResourceRender struct { infra *ir.ProxyInfra 
@@ -201,8 +214,8 @@ func (r *ResourceRender) ConfigMap() (*corev1.ConfigMap, error) { Annotations: r.infra.GetProxyMetadata().Annotations, }, Data: map[string]string{ - SdsCAFilename: SdsCAConfigMapData, - SdsCertFilename: SdsCertConfigMapData, + common.SdsCAFilename: common.GetSdsCAConfigMapData(XdsTLSCaFilepath), + common.SdsCertFilename: common.GetSdsCertConfigMapData(XdsTLSCertFilepath, XdsTLSKeyFilepath), }, }, nil } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index a3bad89951a..678eebb7cac 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -154,13 +154,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -192,13 +192,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 6afaa48eb50..4cc285a5ea4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml 
@@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index c55efd9a651..26fcec34835 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 0190a032347..a6a402450e3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -127,13 +127,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -165,13 +165,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 59abefc9f7e..6642390520f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index acf981d6eaf..3fa8846e2fb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -162,13 +162,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -200,13 +200,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 6eaf679f35b..e673031325d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index b4ff0f41c3b..2604c99141f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 8707cd1289b..ee1d74b0f16 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 1288195935a..5d862446c38 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml 
@@ -158,13 +158,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -196,13 +196,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index c4e4ef57509..a2ba2172f18 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index a368ec3334e..75451d36eca 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 34d8438df3d..564842ad1df 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index aa6aba8b813..6e3f9b20f94 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index a69ed0181ee..341bbd81f8a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -153,13 +153,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -191,13 +191,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 7825fe6a5d4..31841738dee 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -159,13 +159,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -197,13 +197,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 7c19b8404b4..a81f3c8335a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -159,13 +159,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -197,13 +197,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 608be7b1164..d90e6910a18 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -158,13 +158,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -196,13 +196,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 7ab09dccee7..4a1d7251b9e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml 
@@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 8eba24a439e..8a9f46f5bd8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -131,13 +131,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -169,13 +169,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 2cb179ea5ce..53220f06d29 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -158,13 +158,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -196,13 +196,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index a2ad5c78026..f8247753baf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -166,13 +166,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -204,13 +204,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 7e742ac47f0..10452128cec 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 9abe8a6cae2..611f1f9eb06 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index b5fca7f2c29..62deebaba1e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml 
@@ -158,13 +158,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -196,13 +196,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index c96b3d7a3da..e4d4eac6563 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -162,13 +162,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -200,13 +200,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 001c2c627be..b24dfaea2a4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 3a44833a244..b41a5135a58 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index ba938efc580..bb79e14f0e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 3b4404c54e4..1f9239bfb3d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index f8288066623..b6845764655 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 1b3a530ce53..0436bc70075 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -157,13 +157,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -195,13 +195,13 @@ spec: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/infrastructure/kubernetes/proxy_configmap_test.go b/internal/infrastructure/kubernetes/proxy_configmap_test.go index a761b569498..ef461fdde0a 100644 --- a/internal/infrastructure/kubernetes/proxy_configmap_test.go +++ b/internal/infrastructure/kubernetes/proxy_configmap_test.go @@ -20,6 +20,7 @@ import ( "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/gatewayapi" + "github.com/envoyproxy/gateway/internal/infrastructure/common" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" "github.com/envoyproxy/gateway/internal/ir" ) @@ -53,8 +54,8 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { }, }, Data: map[string]string{ - proxy.SdsCAFilename: proxy.SdsCAConfigMapData, - proxy.SdsCertFilename: proxy.SdsCertConfigMapData, + common.SdsCAFilename: common.GetSdsCAConfigMapData(proxy.XdsTLSCaFilepath), + common.SdsCertFilename: common.GetSdsCertConfigMapData(proxy.XdsTLSCertFilepath, proxy.XdsTLSKeyFilepath), }, }, }, @@ -87,8 +88,8 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { }, }, Data: map[string]string{ - proxy.SdsCAFilename: proxy.SdsCAConfigMapData, - proxy.SdsCertFilename: proxy.SdsCertConfigMapData, + common.SdsCAFilename: common.GetSdsCAConfigMapData(proxy.XdsTLSCaFilepath), + common.SdsCertFilename: common.GetSdsCertConfigMapData(proxy.XdsTLSCertFilepath, proxy.XdsTLSKeyFilepath), }, }, }, 
diff --git a/internal/infrastructure/manager.go b/internal/infrastructure/manager.go index 198acef8708..0254eb1853b 100644 --- a/internal/infrastructure/manager.go +++ b/internal/infrastructure/manager.go @@ -15,11 +15,16 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/infrastructure/host" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/logging" ) -var _ Manager = (*kubernetes.Infra)(nil) +var ( + _ Manager = (*kubernetes.Infra)(nil) + _ Manager = (*host.Infra)(nil) +) // Manager provides the scaffolding for managing infrastructure. type Manager interface { 
@@ -34,26 +39,34 @@ type Manager interface { } // NewManager returns a new infrastructure Manager. -func NewManager(cfg *config.Server) (Manager, error) { - var mgr Manager - +func NewManager(ctx context.Context, cfg *config.Server, logger logging.Logger) (mgr Manager, err error) { switch cfg.EnvoyGateway.Provider.Type { case egv1a1.ProviderTypeKubernetes: - cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()}) - if err != nil { - return nil, err - } - mgr = kubernetes.NewInfra(cli, cfg) + mgr, err = newManagerForKubernetes(cfg) case egv1a1.ProviderTypeCustom: - infra := cfg.EnvoyGateway.Provider.Custom.Infrastructure - switch infra.Type { - case egv1a1.InfrastructureProviderTypeHost: - // TODO(sh2): implement host provider - return nil, fmt.Errorf("host provider is not available yet") - default: - return nil, fmt.Errorf("unsupported provider type: %s", infra.Type) - } + mgr, err = newManagerForCustom(ctx, cfg, logger) } + if err != nil { + return nil, err + } return mgr, nil } + +func newManagerForKubernetes(cfg *config.Server) (Manager, error) { + cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()}) + if err != nil { + return nil, err + } + return kubernetes.NewInfra(cli, cfg), nil +} + +func newManagerForCustom(ctx context.Context, cfg *config.Server, logger logging.Logger) (Manager, error) { + infra := cfg.EnvoyGateway.Provider.Custom.Infrastructure + switch infra.Type { + case egv1a1.InfrastructureProviderTypeHost: + return host.NewInfra(ctx, cfg, logger) + default: + return nil, fmt.Errorf("unsupported provider type: %s", infra.Type) + } +} diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go index 300314d92e0..6896a6e5a16 100644 --- a/internal/infrastructure/runner/runner.go +++ b/internal/infrastructure/runner/runner.go 
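Review bot: `NewManager` has no `default` case in its switch on `cfg.EnvoyGateway.Provider.Type`, so an unrecognised provider type leaves `mgr` and `err` both nil and the caller receives a nil `Manager` with no error. Adding `default: return nil, fmt.Errorf("unsupported provider type: %s", cfg.EnvoyGateway.Provider.Type)` makes that failure explicit, in line with what `newManagerForCustom` already does for the infrastructure type. `newManagerForCustom` also dereferences `cfg.EnvoyGateway.Provider.Custom.Infrastructure` without a nil check; the guard in the infrastructure runner's `Start` protects that one caller only, so a check inside the helper would be safer. Neither new helper has a doc comment, for example `// newManagerForCustom returns the Manager for the configured custom infrastructure provider.`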
@@ -40,11 +40,11 @@ func (r *Runner) Start(ctx context.Context) (err error) { r.Logger = r.Logger.WithName(r.Name()).WithValues("runner", r.Name()) if r.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeCustom && r.EnvoyGateway.Provider.Custom.Infrastructure == nil { - r.Logger.Info("provider is not specified, no provider is available") + r.Logger.Info("provider is not specified, no infrastructure is available") return nil } - r.mgr, err = infrastructure.NewManager(&r.Config.Server) + r.mgr, err = infrastructure.NewManager(ctx, &r.Config.Server, r.Logger) if err != nil { r.Logger.Error(err, "failed to create new manager") return err diff --git a/internal/utils/file/file.go b/internal/utils/file/file.go index 51a02571493..da4cb67a877 100644 --- a/internal/utils/file/file.go +++ b/internal/utils/file/file.go @@ -8,8 +8,10 @@ package file import ( "bufio" "os" + "path/filepath" ) +// Write writes data into a given filepath. func Write(data string, filepath string) error { file, err := os.OpenFile(filepath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644) if err != nil { @@ -25,3 +27,13 @@ func Write(data string, filepath string) error { return nil } + +// WriteDir write data into a given filename under certain directory. +func WriteDir(data []byte, dir, filename string) error { + err := os.MkdirAll(dir, 0o755) + if err != nil { + return err + } + + return Write(string(data), filepath.Join(dir, filename)) +} diff --git a/internal/utils/file/file_test.go b/internal/utils/file/file_test.go new file mode 100644 index 00000000000..488ff415191 --- /dev/null +++ b/internal/utils/file/file_test.go 
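Review bot: `WriteDir` creates the directory with `0o755` and, through `Write`, the file with `0o644`, so everything written with it is readable by every local user. If the helper ends up writing certificate or key material (the host-provider paths under `/tmp/envoy-gateway/certs` added elsewhere in this patch suggest it might, though no caller is visible here), the private key would be world-readable; a variant that takes the mode, or `os.MkdirAll(dir, 0o700)` with a `0o600` file for secrets, avoids that. `filename` is joined unchecked, so a value containing `..` or a path separator lands outside `dir`; rejecting input where `filename != filepath.Base(filename)` keeps writes inside the directory. The doc comment would read better as `// WriteDir writes data to filename under dir, creating dir if it does not exist.`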
@@ -0,0 +1,28 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestWriteDir(t *testing.T) { + tmpDir := t.TempDir() + testFilename := "test" + data := []byte("foobar") + + err := WriteDir(data, tmpDir, testFilename) + require.NoError(t, err) + require.FileExists(t, filepath.Join(tmpDir, testFilename)) + + got, err := os.ReadFile(filepath.Join(tmpDir, testFilename)) + require.NoError(t, err) + require.Equal(t, data, got) +} diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index e74620483f4..0efad8c314f 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -42,6 +42,9 @@ const ( envoyReadinessAddress = "0.0.0.0" EnvoyReadinessPort = 19001 EnvoyReadinessPath = "/ready" + + defaultSdsTrustedCAPath = "/sds/xds-trusted-ca.json" + defaultSdsCertificatePath = "/sds/xds-certificate.json" ) //go:embed bootstrap.yaml.tpl @@ -67,6 +70,12 @@ type bootstrapParameters struct { AdminServer adminServerParameters // ReadyServer defines the configuration for health check ready listener ReadyServer readyServerParameters + + // SdsCertificatePath defines the path to SDS certificate config. + SdsCertificatePath string + // SdsTrustedCAPath defines the path to SDS trusted CA config. + SdsTrustedCAPath string + // EnablePrometheus defines whether to enable metrics endpoint for prometheus. EnablePrometheus bool // EnablePrometheusCompression defines whether to enable HTTP compression on metrics endpoint for prometheus. 
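Review bot: `TestWriteDir` passes `t.TempDir()`, a directory that already exists, so the `os.MkdirAll` branch of `WriteDir` is never exercised. A nested target such as `dir := filepath.Join(t.TempDir(), "a", "b")` would cover directory creation. An `os.Stat` assertion on the written file's mode would also pin the permissions the helper is expected to produce.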
@@ -130,9 +139,20 @@ type overloadManagerParameters struct { type RenderBootstrapConfigOptions struct { ProxyMetrics *egv1a1.ProxyMetrics + SdsConfig SdsConfigPath + XdsServerHost *string + XdsServerPort *int32 + WasmServerPort *int32 + AdminServerPort *int32 + ReadyServerPort *int32 MaxHeapSizeBytes uint64 } +type SdsConfigPath struct { + Certificate string + TrustedCA string +} + // render the stringified bootstrap config in yaml format. func (b *bootstrapConfig) render() error { buf := new(strings.Builder) 
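Review bot: The exported type `SdsConfigPath` and the new fields of `RenderBootstrapConfigOptions` are added without doc comments, and their "unset" behaviour is only discoverable from `GetRenderedBootstrapConfig`, where an empty string or a nil pointer keeps the built-in default. I would add `// SdsConfigPath holds the file paths of the SDS certificate and trusted CA configs; an empty field keeps the default path.` above the type. Each pointer field deserves a one-line comment in the same spirit, e.g. `// XdsServerPort overrides the xDS server port when non-nil.`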
@@ -238,17 +258,47 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err Port: EnvoyReadinessPort, ReadinessPath: EnvoyReadinessPath, }, + SdsCertificatePath: defaultSdsCertificatePath, + SdsTrustedCAPath: defaultSdsTrustedCAPath, EnablePrometheus: enablePrometheus, EnablePrometheusCompression: enablePrometheusCompression, PrometheusCompressionLibrary: PrometheusCompressionLibrary, OtelMetricSinks: metricSinks, }, } - if opts != nil && opts.ProxyMetrics != nil && opts.ProxyMetrics.Matches != nil { - cfg.parameters.StatsMatcher = &StatsMatcher - } + // Bootstrap config override if opts != nil { + if opts.ProxyMetrics != nil && opts.ProxyMetrics.Matches != nil { + cfg.parameters.StatsMatcher = &StatsMatcher + } + + // Override Sds configs + if len(opts.SdsConfig.Certificate) > 0 { + cfg.parameters.SdsCertificatePath = opts.SdsConfig.Certificate + } + if len(opts.SdsConfig.TrustedCA) > 0 { + cfg.parameters.SdsTrustedCAPath = opts.SdsConfig.TrustedCA + } + + if opts.XdsServerHost != nil { + cfg.parameters.XdsServer.Address = *opts.XdsServerHost + } + + // Override the various server port + if opts.XdsServerPort != nil { + cfg.parameters.XdsServer.Port = *opts.XdsServerPort + } + if opts.AdminServerPort != nil { + cfg.parameters.AdminServer.Port = *opts.AdminServerPort + } + if opts.ReadyServerPort != nil { + cfg.parameters.ReadyServer.Port = *opts.ReadyServerPort + } + if opts.WasmServerPort != nil { + cfg.parameters.WasmServer.Port = *opts.WasmServerPort + } + cfg.parameters.OverloadManager.MaxHeapSizeBytes = opts.MaxHeapSizeBytes } diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index b7d26c7d4a9..d243b7777ec 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl 
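Review bot: `XdsServerHost` overrides only `cfg.parameters.XdsServer.Address`; nothing in this block changes the wasm server's address, and the `custom-server-port` golden file added by this patch still renders `wasm_cluster` with `address: envoy-gateway` next to the overridden port. If that is intentional a comment should say so; otherwise the wasm cluster probably needs the same host override. The host and port overrides are also copied into the bootstrap unchecked, so a zero or out-of-range `int32` port or an empty host string is rendered as-is; a check such as `if p := *opts.XdsServerPort; p < 1 || p > 65535 { return "", fmt.Errorf("invalid xds server port %d", p) }` before each assignment would surface a bad value early. The function starts and ends outside this hunk.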
@@ -191,13 +191,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: {{ .SdsCertificatePath }} resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: {{ .SdsTrustedCAPath }} resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -229,13 +229,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: {{ .SdsCertificatePath }} resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: {{ .SdsTrustedCAPath }} resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go index 2023a7096bd..3c334eeaeb5 100644 --- a/internal/xds/bootstrap/bootstrap_test.go +++ b/internal/xds/bootstrap/bootstrap_test.go @@ -20,6 +20,11 @@ import ( ) func TestGetRenderedBootstrapConfig(t *testing.T) { + sds := SdsConfigPath{ + Certificate: "/sds/xds-certificate.json", + TrustedCA: "/sds/xds-trusted-ca.json", + } + cases := []struct { name string opts *RenderBootstrapConfigOptions @@ -32,6 +37,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { Disable: true, }, }, + SdsConfig: sds, }, }, { @@ -40,6 +46,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { ProxyMetrics: &egv1a1.ProxyMetrics{ Prometheus: &egv1a1.ProxyPrometheusProvider{}, }, + SdsConfig: sds, }, }, { @@ -52,6 +59,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { }, }, }, + SdsConfig: sds, }, }, { @@ -71,6 +79,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { }, }, }, + SdsConfig: sds, }, }, { @@ -101,6 +110,7 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { }, }, }, + SdsConfig: sds, }, }, { 
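Review bot: `path: {{ .SdsCertificatePath }}` drops the surrounding quotes at the same moment the value becomes caller-supplied through `RenderBootstrapConfigOptions.SdsConfig`, so a path containing `: `, ` #`, a leading `*` or `&`, or a line break would alter the structure of the rendered bootstrap instead of staying a string. Emitting a quoted scalar keeps the value inert: `path: {{ printf "%q" .SdsCertificatePath }}` and `path: {{ printf "%q" .SdsTrustedCAPath }}`. The same applies to the second hunk of this file, which covers the TLS context of the `wasm_cluster` block.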
@@ -130,12 +140,25 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { }, }, }, + SdsConfig: sds, + }, + }, + { + name: "custom-server-port", + opts: &RenderBootstrapConfigOptions{ + XdsServerHost: ptr.To("foo.bar"), + XdsServerPort: ptr.To(int32(12345)), + WasmServerPort: ptr.To(int32(1111)), + AdminServerPort: ptr.To(int32(2222)), + ReadyServerPort: ptr.To(int32(3333)), + SdsConfig: sds, }, }, { name: "with-max-heap-size-bytes", opts: &RenderBootstrapConfigOptions{ MaxHeapSizeBytes: 1073741824, + SdsConfig: sds, }, }, } diff --git a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml new file mode 100644 index 00000000000..23cd059a2a6 --- /dev/null +++ b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml 
@@ -0,0 +1,168 @@ +admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 2222 +layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 +dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 +static_resources: + listeners: + - name: envoy-gateway-proxy-ready-0.0.0.0-3333 + address: + socket_address: + address: 0.0.0.0 + port_value: 3333 + protocol: TCP + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-ready-http + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.health_check + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + pass_through_mode: false + headers: + - name: ":path" + string_match: + exact: /ready + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 
2222 + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: foo.bar + port_value: 12345 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 1111 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: 
/sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 +overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 diff --git a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml index e23e57ff515..370b66914e3 100644 --- a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml @@ -124,13 +124,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -162,13 +162,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml index 02902fec330..1b5be570ce3 100644 --- a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml 
@@ -91,13 +91,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -129,13 +129,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml index 39219431305..93829b713f1 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml @@ -120,13 +120,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS 
@@ -158,13 +158,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml index f2e0b49b859..5d17a89534f 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml @@ -113,13 +113,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -151,13 +151,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml index 6079f777dc8..3f6c0259a7e 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml 
@@ -116,13 +116,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -154,13 +154,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml index 6079f777dc8..3f6c0259a7e 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml @@ -116,13 +116,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -154,13 +154,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s 
diff --git a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml index 9eebf9d010c..854b8a28988 100644 --- a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml +++ b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml @@ -113,13 +113,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 - name: wasm_cluster type: STRICT_DNS @@ -151,13 +151,13 @@ static_resources: - name: xds_certificate sds_config: path_config_source: - path: "/sds/xds-certificate.json" + path: /sds/xds-certificate.json resource_api_version: V3 validation_context_sds_secret_config: name: xds_trusted_ca sds_config: path_config_source: - path: "/sds/xds-trusted-ca.json" + path: /sds/xds-trusted-ca.json resource_api_version: V3 overload_manager: refresh_interval: 0.25s diff --git a/internal/xds/server/runner/runner.go b/internal/xds/server/runner/runner.go index 19c4076d458..bd2e0c64eb4 100644 --- a/internal/xds/server/runner/runner.go +++ b/internal/xds/server/runner/runner.go @@ -7,12 +7,9 @@ package runner import ( "context" - "crypto/rand" "crypto/tls" - "crypto/x509" "fmt" "net" - "os" "strconv" "time" @@ -29,6 +26,7 @@ import ( "google.golang.org/grpc/keepalive" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" "github.com/envoyproxy/gateway/internal/envoygateway/config" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/xds/bootstrap" 
@@ -39,15 +37,23 @@ import ( const ( // XdsServerAddress is the listening address of the xds-server. XdsServerAddress = "0.0.0.0" - // xdsTLSCertFilename is the fully qualified path of the file containing the + + // Default certificates path for envoy-gateway with Kubernetes provider. + // xdsTLSCertFilepath is the fully qualified path of the file containing the // xDS server TLS certificate. - xdsTLSCertFilename = "/certs/tls.crt" - // xdsTLSKeyFilename is the fully qualified path of the file containing the + xdsTLSCertFilepath = "/certs/tls.crt" + // xdsTLSKeyFilepath is the fully qualified path of the file containing the // xDS server TLS key. - xdsTLSKeyFilename = "/certs/tls.key" - // xdsTLSCaFilename is the fully qualified path of the file containing the + xdsTLSKeyFilepath = "/certs/tls.key" + // xdsTLSCaFilepath is the fully qualified path of the file containing the // xDS server trusted CA certificate. - xdsTLSCaFilename = "/certs/ca.crt" + xdsTLSCaFilepath = "/certs/ca.crt" + + // TODO: Make these path configurable. + // Default certificates path for envoy-gateway with Host infrastructure provider. + localTLSCertFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.crt" + localTLSKeyFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/tls.key" + localTLSCaFilepath = "/tmp/envoy-gateway/certs/envoy-gateway/ca.crt" ) type Config struct { 
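Review bot: The host-provider defaults `localTLSCertFilepath`, `localTLSKeyFilepath` and `localTLSCaFilepath` sit under `/tmp/envoy-gateway/certs/`, a fixed path inside a directory that every local user can write to. Whoever creates `/tmp/envoy-gateway` first decides what is loaded as the xDS server key and as the CA that client certificates are verified against, so on a shared host file ownership does not protect the trust anchor. Until the TODO makes these configurable, I would default to a directory owned by the service account with mode `0700` and have the loader refuse files whose owner or mode is unexpected. The comment block should also say that the `/certs` paths are the Kubernetes mounts and the `local*` paths are used only by the host provider.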
@@ -76,8 +82,13 @@ func (r *Runner) Start(ctx context.Context) (err error) { // Set up the gRPC server and register the xDS handler. // Create SnapshotCache before start subscribeAndTranslate, // prevent panics in case cache is nil. - cfg := r.tlsConfig(xdsTLSCertFilename, xdsTLSKeyFilename, xdsTLSCaFilename) - r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(cfg)), grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ + tlsConfig, err := r.loadTLSConfig() + if err != nil { + return fmt.Errorf("failed to load TLS config: %w", err) + } + r.Logger.Info("loaded TLS certificate and key") + + r.grpc = grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)), grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ MinTime: 15 * time.Second, PermitWithoutStream: true, })) 
@@ -160,45 +171,22 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { r.Logger.Info("subscriber shutting down") } -func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config { - loadConfig := func() (*tls.Config, error) { - cert, err := tls.LoadX509KeyPair(cert, key) +func (r *Runner) loadTLSConfig() (tlsConfig *tls.Config, err error) { + switch { + case r.EnvoyGateway.Provider.IsRunningOnKubernetes(): + tlsConfig, err = crypto.LoadTLSConfig(xdsTLSCertFilepath, xdsTLSKeyFilepath, xdsTLSCaFilepath) if err != nil { - return nil, err + return nil, fmt.Errorf("failed to create tls config: %w", err) } - // Load the CA cert. - ca, err := os.ReadFile(ca) + case r.EnvoyGateway.Provider.IsRunningOnHost(): + tlsConfig, err = crypto.LoadTLSConfig(localTLSCertFilepath, localTLSKeyFilepath, localTLSCaFilepath) if err != nil { - return nil, err - } - - certPool := x509.NewCertPool() - if !certPool.AppendCertsFromPEM(ca) { - return nil, fmt.Errorf("failed to parse CA certificate") + return nil, fmt.Errorf("failed to create tls config: %w", err) } - return &tls.Config{ - Certificates: []tls.Certificate{cert}, - NextProtos: []string{"h2"}, - ClientAuth: tls.RequireAndVerifyClientCert, - ClientCAs: certPool, - MinVersion: tls.VersionTLS13, - }, nil - } - - // Attempt to load certificates and key to catch configuration errors early. - if _, lerr := loadConfig(); lerr != nil { - r.Logger.Error(lerr, "failed to load certificate and key") - } - r.Logger.Info("loaded TLS certificate and key") - - return &tls.Config{ - MinVersion: tls.VersionTLS13, - ClientAuth: tls.RequireAndVerifyClientCert, - Rand: rand.Reader, - GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) { - return loadConfig() - }, + default: + return nil, fmt.Errorf("no valid tls certificates") } + return } diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go index 1a3e9322c68..e0517d1fa0d 100644 --- a/internal/xds/server/runner/runner_test.go 
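Review bot: `loadTLSConfig` has no doc comment, and the properties the removed `tlsConfig` set inline now depend entirely on `crypto.LoadTLSConfig`, which this hunk does not show. Those were `ClientAuth: tls.RequireAndVerifyClientCert`, `MinVersion: tls.VersionTLS13`, and a reload on every handshake through `GetConfigForClient`. A comment such as `// loadTLSConfig builds the xDS server TLS config from the provider's certificate paths; crypto.LoadTLSConfig must require and verify client certificates and enforce TLS 1.3.` would record that contract at the call site. The `default` branch reports `no valid tls certificates` when the actual condition is that neither provider predicate matched; `return nil, fmt.Errorf("unsupported provider for xDS TLS config")` says so directly. Both cases wrap with `failed to create tls config` and `Start` wraps again with `failed to load TLS config`, so returning `crypto.LoadTLSConfig(...)` straight from each case would drop the doubled prefix and the naked `return`.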
+++ b/internal/xds/server/runner/runner_test.go @@ -24,9 +24,8 @@ import ( "google.golang.org/grpc" "google.golang.org/grpc/credentials" - egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/crypto" "github.com/envoyproxy/gateway/internal/envoygateway/config" - "github.com/envoyproxy/gateway/internal/logging" "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) @@ -108,15 +107,10 @@ func TestTLSConfig(t *testing.T) { require.NoError(t, err) // Start a dummy server. - logger := logging.DefaultLogger(egv1a1.LogLevelInfo) + tlsCfg, err := crypto.LoadTLSConfig(certFile, keyFile, caFile) + require.NoError(t, err) - cfg := &Config{ - Server: config.Server{ - Logger: logger, - }, - } - r := New(cfg) - g := grpc.NewServer(grpc.Creds(credentials.NewTLS(r.tlsConfig(certFile, keyFile, caFile)))) + g := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsCfg))) if g == nil { t.Error("failed to create server") } From d9dd4e6d9ea9f7456b1e738e9769067017173638 Mon Sep 17 00:00:00 2001 From: qi Date: Wed, 23 Oct 2024 07:40:24 +0800 Subject: [PATCH 293/523] bugfix: filter repeated resources and optimize memory usage. (#4454) Signed-off-by: qicz --- internal/provider/kubernetes/controller.go | 204 +++++++++++---------- internal/provider/kubernetes/resource.go | 92 ++++++++++ internal/provider/kubernetes/routes.go | 60 ++++-- 3 files changed, 240 insertions(+), 116 deletions(-) create mode 100644 internal/provider/kubernetes/resource.go diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index de020dfcee8..ac106a69f7e 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
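Review bot: In the second hunk `TestTLSConfig` takes its config from `crypto.LoadTLSConfig` and the visible lines only check that `grpc.NewServer` returns non-nil, so nothing here asserts that the server still demands client certificates or TLS 1.3. Assertions such as `require.Equal(t, tls.RequireAndVerifyClientCert, tlsCfg.ClientAuth)` and `require.Equal(t, uint16(tls.VersionTLS13), tlsCfg.MinVersion)` after the `require.NoError` would pin those properties. That assumes the helper sets them on the returned config as the removed runner code did, and that `crypto/tls` is imported in the test file. The test no longer constructs a `Runner`, so the provider switch in `loadTLSConfig`, including its `default` error, has no coverage in this hunk. The test function continues past the end of the hunk, so later lines may already cover part of this.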
@@ -131,47 +131,6 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater return nil } -type resourceMappings struct { - // Map for storing namespaces for Route, Service and Gateway objects. - allAssociatedNamespaces sets.Set[string] - // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. - allAssociatedEnvoyProxies sets.Set[string] - // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. - allAssociatedTLSRoutes sets.Set[string] - // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. - allAssociatedHTTPRoutes sets.Set[string] - // Map for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. - allAssociatedGRPCRoutes sets.Set[string] - // Map for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. - allAssociatedTCPRoutes sets.Set[string] - // Map for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. - allAssociatedUDPRoutes sets.Set[string] - // Map for storing backendRefs' NamespaceNames referred by various Route objects. - allAssociatedBackendRefs sets.Set[gwapiv1.BackendObjectReference] - // extensionRefFilters is a map of filters managed by an extension. - // The key is the namespaced name, group and kind of the filter and the value is the - // unstructured form of the resource. - extensionRefFilters map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured - // httpRouteFilters is a map of HTTPRouteFilters, where the key is the namespaced name, - // group and kind of the HTTPFilter. 
- httpRouteFilters map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter -} - -func newResourceMapping() *resourceMappings { - return &resourceMappings{ - allAssociatedNamespaces: sets.New[string](), - allAssociatedEnvoyProxies: sets.New[string](), - allAssociatedTLSRoutes: sets.New[string](), - allAssociatedHTTPRoutes: sets.New[string](), - allAssociatedGRPCRoutes: sets.New[string](), - allAssociatedTCPRoutes: sets.New[string](), - allAssociatedUDPRoutes: sets.New[string](), - allAssociatedBackendRefs: sets.New[gwapiv1.BackendObjectReference](), - extensionRefFilters: map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured{}, - httpRouteFilters: map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter{}, - } -} - // Reconcile handles reconciling all resources in a single call. Any resource event should enqueue the // same reconcile.Request containing the gateway controller name. This allows multiple resource updates to // be handled by a single call to Reconcile. The reconcile.Request DOES NOT map to a specific resource. @@ -229,7 +188,7 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques } // Add all EnvoyPatchPolicies to the resourceTree - if err = r.processEnvoyPatchPolicies(ctx, gwcResource); err != nil { + if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { return reconcile.Result{}, err } 
@@ -414,9 +373,12 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour "name", string(backendRef.Name)) } else { resourceMappings.allAssociatedNamespaces.Insert(serviceImport.Namespace) - gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport) - r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace), - "name", string(backendRef.Name)) + if !resourceMappings.allAssociatedServiceImports.Has(utils.NamespacedName(serviceImport).String()) { + resourceMappings.allAssociatedServiceImports.Insert(utils.NamespacedName(serviceImport).String()) + gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport) + r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace), + "name", string(backendRef.Name)) + } } endpointSliceLabelKey = mcsapiv1a1.LabelServiceName @@ -428,6 +390,7 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour "name", string(backendRef.Name)) } else { resourceMappings.allAssociatedNamespaces[backend.Namespace] = struct{}{} + backend.Status = egv1a1.BackendStatus{} gwcResource.Backends = append(gwcResource.Backends, backend) r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) 
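Review bot: `utils.NamespacedName(serviceImport).String()` is computed twice in the new guard in the first hunk, once for `Has` and once for `Insert`. Binding it once keeps the key in one place: `key := utils.NamespacedName(serviceImport).String()` followed by `if !resourceMappings.allAssociatedServiceImports.Has(key) {`. The same doubled expression recurs in the EndpointSlice, ReferenceGrant, Secret, ConfigMap, Gateway and policy guards later in controller.go and in `processUDPRoutes`, while the other routes.go hunks already hoist it into `refGrantNamespacedName`. Because the Has-then-Insert pair is repeated for every resource kind, a small private helper that inserts the key and reports whether it was new would remove the repetition. The enclosing `processBackendRefs` starts and ends outside the hunk.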
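Review bot: The Backend branch in the second hunk appends to `gwcResource.Backends` without the `Has`/`Insert` guard this commit adds for ServiceImports and EndpointSlices, and `resourceMappings` in resource.go defines no set for Backends. If two entries in `allAssociatedBackendRefs` resolve to the same Backend (for instance refs that differ only in port), it would be appended twice; that depends on code outside the hunk, so it needs confirming. A guard in the same shape, backed by a new field such as `allAssociatedBackends sets.Set[string]`, would make the three branches consistent. The branch also writes `resourceMappings.allAssociatedNamespaces[backend.Namespace] = struct{}{}` where the ServiceImport branch uses `.Insert(...)`. The later `processBackends` hunk removes its `append` to `resourceTree.Backends`, which leaves this branch as the only visible place Backends are added.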
@@ -449,9 +412,12 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour } else { for _, endpointSlice := range endpointSliceList.Items { endpointSlice := endpointSlice //nolint:copyloopvar - r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, - "name", endpointSlice.Name) - gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) + if !resourceMappings.allAssociatedEndpointSlices.Has(utils.NamespacedName(&endpointSlice).String()) { + resourceMappings.allAssociatedEndpointSlices.Insert(utils.NamespacedName(&endpointSlice).String()) + r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, + "name", endpointSlice.Name) + gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) + } } } } @@ -555,9 +521,12 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + if !resourceMap.allAssociatedReferenceGrants.Has(utils.NamespacedName(refGrant).String()) { + resourceMap.allAssociatedReferenceGrants.Insert(utils.NamespacedName(refGrant).String()) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } 
@@ -567,7 +536,7 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs( // processOIDCHMACSecret adds the OIDC HMAC Secret to the resourceTree. // The OIDC HMAC Secret is created by the CertGen job and is used by SecurityPolicy // to configure OAuth2 filters. -func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resourceTree *resource.Resources) { +func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings) { var ( secret corev1.Secret err error @@ -588,8 +557,11 @@ func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resour return } - resourceTree.Secrets = append(resourceTree.Secrets, &secret) - r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName) + if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(&secret).String()) { + resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(&secret).String()) + resourceTree.Secrets = append(resourceTree.Secrets, &secret) + r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName) + } } // processSecretRef adds the referenced Secret to the resourceTree if it's valid. 
@@ -635,14 +607,20 @@ func (r *gatewayAPIReconciler) processSecretRef( from.kind, from.namespace, to.kind, to.namespace) default: // RefGrant found - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + if !resourceMap.allAssociatedReferenceGrants.Has(utils.NamespacedName(refGrant).String()) { + resourceMap.allAssociatedReferenceGrants.Insert(utils.NamespacedName(refGrant).String()) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } resourceMap.allAssociatedNamespaces.Insert(secretNS) // TODO Zhaohuabing do we need this line? - resourceTree.Secrets = append(resourceTree.Secrets, secret) - r.log.Info("processing Secret", "namespace", secretNS, "name", string(secretRef.Name)) + if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(secret).String()) { + resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(secret).String()) + resourceTree.Secrets = append(resourceTree.Secrets, secret) + r.log.Info("processing Secret", "namespace", secretNS, "name", string(secretRef.Name)) + } return nil } 
@@ -737,14 +715,20 @@ func (r *gatewayAPIReconciler) processConfigMapRef( from.kind, from.namespace, to.kind, to.namespace) default: // RefGrant found - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + if !resourceMap.allAssociatedReferenceGrants.Has(utils.NamespacedName(refGrant).String()) { + resourceMap.allAssociatedReferenceGrants.Insert(utils.NamespacedName(refGrant).String()) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } resourceMap.allAssociatedNamespaces.Insert(configMapNS) // TODO Zhaohuabing do we need this line? - resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) - r.log.Info("processing ConfigMap", "namespace", configMapNS, "name", string(configMapRef.Name)) + if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { + resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) + resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) + r.log.Info("processing ConfigMap", "namespace", configMapNS, "name", string(configMapRef.Name)) + } return nil } 
@@ -774,8 +758,11 @@ func (r *gatewayAPIReconciler) processBtpConfigMapRefs( } resourceMap.allAssociatedNamespaces.Insert(policy.Namespace) - resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) - r.log.Info("processing ConfigMap", "namespace", policy.Namespace, "name", string(ro.Response.Body.ValueRef.Name)) + if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { + resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) + resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) + r.log.Info("processing ConfigMap", "namespace", policy.Namespace, "name", string(ro.Response.Body.ValueRef.Name)) + } } } } 
@@ -899,55 +886,61 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g } } + gtwNamespacedName := utils.NamespacedName(>w).String() // Route Processing // Get TLSRoute objects and check if it exists. - if err := r.processTLSRoutes(ctx, utils.NamespacedName(>w).String(), resourceMap, resourceTree); err != nil { + if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { return err } // Get HTTPRoute objects and check if it exists. - if err := r.processHTTPRoutes(ctx, utils.NamespacedName(>w).String(), resourceMap, resourceTree); err != nil { + if err := r.processHTTPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { return err } // Get GRPCRoute objects and check if it exists. - if err := r.processGRPCRoutes(ctx, utils.NamespacedName(>w).String(), resourceMap, resourceTree); err != nil { + if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { return err } // Get TCPRoute objects and check if it exists. - if err := r.processTCPRoutes(ctx, utils.NamespacedName(>w).String(), resourceMap, resourceTree); err != nil { + if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { return err } // Get UDPRoute objects and check if it exists. 
- if err := r.processUDPRoutes(ctx, utils.NamespacedName(>w).String(), resourceMap, resourceTree); err != nil { + if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { return err } // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer gtw.Status = gwapiv1.GatewayStatus{} - resourceTree.Gateways = append(resourceTree.Gateways, >w) + if !resourceMap.allAssociatedGateways.Has(gtwNamespacedName) { + resourceMap.allAssociatedGateways.Insert(gtwNamespacedName) + resourceTree.Gateways = append(resourceTree.Gateways, >w) + } } return nil } // processEnvoyPatchPolicies adds EnvoyPatchPolicies to the resourceTree -func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, resourceTree *resource.Resources) error { +func (r *gatewayAPIReconciler) processEnvoyPatchPolicies(ctx context.Context, resourceTree *resource.Resources, resourceMap *resourceMappings) error { envoyPatchPolicies := egv1a1.EnvoyPatchPolicyList{} if err := r.client.List(ctx, &envoyPatchPolicies); err != nil { return fmt.Errorf("error listing EnvoyPatchPolicies: %w", err) } for _, policy := range envoyPatchPolicies.Items { - policy := policy //nolint:copyloopvar + envoyPatchPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - - resourceTree.EnvoyPatchPolicies = append(resourceTree.EnvoyPatchPolicies, &policy) + envoyPatchPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedEnvoyPatchPolicies.Has(utils.NamespacedName(&envoyPatchPolicy).String()) { + resourceMap.allAssociatedEnvoyPatchPolicies.Insert(utils.NamespacedName(&envoyPatchPolicy).String()) + resourceTree.EnvoyPatchPolicies = append(resourceTree.EnvoyPatchPolicies, &envoyPatchPolicy) + } } return nil } 
@@ -962,11 +955,14 @@ func (r *gatewayAPIReconciler) processClientTrafficPolicies( } for _, policy := range clientTrafficPolicies.Items { - policy := policy //nolint:copyloopvar + clientTrafficPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - resourceTree.ClientTrafficPolicies = append(resourceTree.ClientTrafficPolicies, &policy) + clientTrafficPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedClientTrafficPolicies.Has(utils.NamespacedName(&clientTrafficPolicy).String()) { + resourceMap.allAssociatedClientTrafficPolicies.Insert(utils.NamespacedName(&clientTrafficPolicy).String()) + resourceTree.ClientTrafficPolicies = append(resourceTree.ClientTrafficPolicies, &clientTrafficPolicy) + } } r.processCtpConfigMapRefs(ctx, resourceTree, resourceMap) @@ -983,11 +979,14 @@ func (r *gatewayAPIReconciler) processBackendTrafficPolicies(ctx context.Context } for _, policy := range backendTrafficPolicies.Items { - policy := policy //nolint:copyloopvar + backendTrafficPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - resourceTree.BackendTrafficPolicies = append(resourceTree.BackendTrafficPolicies, &policy) + backendTrafficPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedBackendTrafficPolicies.Has(utils.NamespacedName(&backendTrafficPolicy).String()) { + resourceMap.allAssociatedBackendTrafficPolicies.Insert(utils.NamespacedName(&backendTrafficPolicy).String()) + resourceTree.BackendTrafficPolicies = append(resourceTree.BackendTrafficPolicies, &backendTrafficPolicy) + } } r.processBtpConfigMapRefs(ctx, resourceTree, resourceMap) return nil 
@@ -1003,18 +1002,21 @@ func (r *gatewayAPIReconciler) processSecurityPolicies( } for _, policy := range securityPolicies.Items { - policy := policy //nolint:copyloopvar + securityPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - resourceTree.SecurityPolicies = append(resourceTree.SecurityPolicies, &policy) + securityPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedSecurityPolicies.Has(utils.NamespacedName(&securityPolicy).String()) { + resourceMap.allAssociatedSecurityPolicies.Insert(utils.NamespacedName(&securityPolicy).String()) + resourceTree.SecurityPolicies = append(resourceTree.SecurityPolicies, &securityPolicy) + } } // Add the referenced Resources in SecurityPolicies to the resourceTree r.processSecurityPolicyObjectRefs(ctx, resourceTree, resourceMap) // Add the OIDC HMAC Secret to the resourceTree - r.processOIDCHMACSecret(ctx, resourceTree) + r.processOIDCHMACSecret(ctx, resourceTree, resourceMap) return nil } 
@@ -1028,11 +1030,14 @@ func (r *gatewayAPIReconciler) processBackendTLSPolicies( } for _, policy := range backendTLSPolicies.Items { - policy := policy //nolint:copyloopvar + backendTLSPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - resourceTree.BackendTLSPolicies = append(resourceTree.BackendTLSPolicies, &policy) + backendTLSPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedBackendTLSPolicies.Has(utils.NamespacedName(&backendTLSPolicy).String()) { + resourceMap.allAssociatedBackendTLSPolicies.Insert(utils.NamespacedName(&backendTLSPolicy).String()) + resourceTree.BackendTLSPolicies = append(resourceTree.BackendTLSPolicies, &backendTLSPolicy) + } } // Add the referenced Secrets and ConfigMaps in BackendTLSPolicies to the resourceTree. @@ -1052,7 +1057,6 @@ func (r *gatewayAPIReconciler) processBackends(ctx context.Context, resourceTree // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer backend.Status = egv1a1.BackendStatus{} - resourceTree.Backends = append(resourceTree.Backends, &backend) } return nil 
@@ -1887,11 +1891,14 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicies( } for _, policy := range envoyExtensionPolicies.Items { - policy := policy //nolint:copyloopvar + envoyExtensionPolicy := policy //nolint:copyloopvar // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer - policy.Status = gwapiv1a2.PolicyStatus{} - resourceTree.EnvoyExtensionPolicies = append(resourceTree.EnvoyExtensionPolicies, &policy) + envoyExtensionPolicy.Status = gwapiv1a2.PolicyStatus{} + if !resourceMap.allAssociatedEnvoyExtensionPolicies.Has(utils.NamespacedName(&envoyExtensionPolicy).String()) { + resourceMap.allAssociatedEnvoyExtensionPolicies.Insert(utils.NamespacedName(&envoyExtensionPolicy).String()) + resourceTree.EnvoyExtensionPolicies = append(resourceTree.EnvoyExtensionPolicies, &envoyExtensionPolicy) + } } // Add the referenced Resources in EnvoyExtensionPolicies to the resourceTree @@ -1980,9 +1987,12 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs( r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + if !resourceMap.allAssociatedReferenceGrants.Has(utils.NamespacedName(refGrant).String()) { + resourceMap.allAssociatedReferenceGrants.Insert(utils.NamespacedName(refGrant).String()) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } diff --git a/internal/provider/kubernetes/resource.go b/internal/provider/kubernetes/resource.go new file mode 100644 index 00000000000..4d3aafb6fa2 --- /dev/null +++ b/internal/provider/kubernetes/resource.go 
@@ -0,0 +1,92 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/util/sets" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/utils" +) + +type resourceMappings struct { + // Map for storing Gateways' NamespacedNames. + allAssociatedGateways sets.Set[string] + // Map for storing ReferenceGrants' NamespacedNames. + allAssociatedReferenceGrants sets.Set[string] + // Map for storing ServiceImports' NamespacedNames. + allAssociatedServiceImports sets.Set[string] + // Map for storing EndpointSlices' NamespacedNames. + allAssociatedEndpointSlices sets.Set[string] + // Map for storing Secrets' NamespacedNames. + allAssociatedSecrets sets.Set[string] + // Map for storing ConfigMaps' NamespacedNames. + allAssociatedConfigMaps sets.Set[string] + // Map for storing namespaces for Route, Service and Gateway objects. + allAssociatedNamespaces sets.Set[string] + // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. + allAssociatedEnvoyProxies sets.Set[string] + // Map for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. + allAssociatedEnvoyPatchPolicies sets.Set[string] + // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. + allAssociatedTLSRoutes sets.Set[string] + // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. + allAssociatedHTTPRoutes sets.Set[string] + // Map for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. + allAssociatedGRPCRoutes sets.Set[string] + // Map for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. 
+ allAssociatedTCPRoutes sets.Set[string] + // Map for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. + allAssociatedUDPRoutes sets.Set[string] + // Map for storing backendRefs' BackendObjectReference referred by various Route objects. + allAssociatedBackendRefs sets.Set[gwapiv1.BackendObjectReference] + // Map for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. + allAssociatedClientTrafficPolicies sets.Set[string] + // Map for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. + allAssociatedBackendTrafficPolicies sets.Set[string] + // Map for storing SecurityPolicies' NamespacedNames referred by various Route objects. + allAssociatedSecurityPolicies sets.Set[string] + // Map for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. + allAssociatedBackendTLSPolicies sets.Set[string] + // Map for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. + allAssociatedEnvoyExtensionPolicies sets.Set[string] + // extensionRefFilters is a map of filters managed by an extension. + // The key is the namespaced name, group and kind of the filter and the value is the + // unstructured form of the resource. + extensionRefFilters map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured + // httpRouteFilters is a map of HTTPRouteFilters, where the key is the namespaced name, + // group and kind of the HTTPFilter. 
+ httpRouteFilters map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter +} + +func newResourceMapping() *resourceMappings { + return &resourceMappings{ + allAssociatedGateways: sets.New[string](), + allAssociatedReferenceGrants: sets.New[string](), + allAssociatedServiceImports: sets.New[string](), + allAssociatedEndpointSlices: sets.New[string](), + allAssociatedSecrets: sets.New[string](), + allAssociatedConfigMaps: sets.New[string](), + allAssociatedNamespaces: sets.New[string](), + allAssociatedEnvoyProxies: sets.New[string](), + allAssociatedEnvoyPatchPolicies: sets.New[string](), + allAssociatedTLSRoutes: sets.New[string](), + allAssociatedHTTPRoutes: sets.New[string](), + allAssociatedGRPCRoutes: sets.New[string](), + allAssociatedTCPRoutes: sets.New[string](), + allAssociatedUDPRoutes: sets.New[string](), + allAssociatedBackendRefs: sets.New[gwapiv1.BackendObjectReference](), + allAssociatedClientTrafficPolicies: sets.New[string](), + allAssociatedBackendTrafficPolicies: sets.New[string](), + allAssociatedSecurityPolicies: sets.New[string](), + allAssociatedBackendTLSPolicies: sets.New[string](), + allAssociatedEnvoyExtensionPolicies: sets.New[string](), + extensionRefFilters: map[utils.NamespacedNameWithGroupKind]unstructured.Unstructured{}, + httpRouteFilters: map[utils.NamespacedNameWithGroupKind]*egv1a1.HTTPRouteFilter{}, + } +} diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index 956a2b59b3f..74bc1312e58 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go 
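Review bot: `allAssociatedBackendRefs` is a `sets.Set[gwapiv1.BackendObjectReference]`, and that Gateway API struct carries pointer fields (`Group`, `Kind`, `Namespace`, `Port`), so set membership compares pointer addresses rather than the referenced values. Two routes that name the same backend can therefore produce two set entries, a likely source of the repeated resources this commit filters further downstream. A value-typed key (namespace, name, kind and port as plain fields) would deduplicate at the source. The field comments say "Map for storing …" for members that are sets, and `resourceMappings` and `newResourceMapping` have no doc comment. A line such as `// resourceMappings tracks which objects have already been added to the resource tree during one reconcile.` would help, if that is indeed its lifetime.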
@@ -80,9 +80,13 @@ func (r *gatewayAPIReconciler) processTLSRoutes(ctx context.Context, gatewayName r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + refGrantNamespacedName := utils.NamespacedName(refGrant).String() + if !resourceMap.allAssociatedReferenceGrants.Has(refGrantNamespacedName) { + resourceMap.allAssociatedReferenceGrants.Insert(refGrantNamespacedName) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } @@ -166,9 +170,13 @@ func (r *gatewayAPIReconciler) processGRPCRoutes(ctx context.Context, gatewayNam r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + refGrantNamespacedName := utils.NamespacedName(refGrant).String() + if !resourceMap.allAssociatedReferenceGrants.Has(refGrantNamespacedName) { + resourceMap.allAssociatedReferenceGrants.Insert(refGrantNamespacedName) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } 
@@ -309,9 +317,13 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + refGrantNamespacedName := utils.NamespacedName(refGrant).String() + if !resourceMap.allAssociatedReferenceGrants.Has(refGrantNamespacedName) { + resourceMap.allAssociatedReferenceGrants.Insert(refGrantNamespacedName) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } @@ -376,9 +388,13 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + refGrantNamespacedName := utils.NamespacedName(refGrant).String() + if !resourceMap.allAssociatedReferenceGrants.Has(refGrantNamespacedName) { + resourceMap.allAssociatedReferenceGrants.Insert(refGrantNamespacedName) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } else if filter.Type == gwapiv1.HTTPRouteFilterExtensionRef { 
@@ -402,7 +418,6 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam r.log.Error(err, "HTTPRouteFilters not found; bypassing rule", "index", i) continue } - resourceTree.HTTPRouteFilters = append(resourceTree.HTTPRouteFilters, httpFilter) default: extRefFilter, ok := resourceMap.extensionRefFilters[key] @@ -490,9 +505,13 @@ func (r *gatewayAPIReconciler) processTCPRoutes(ctx context.Context, gatewayName r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + refGrantNamespacedName := utils.NamespacedName(refGrant).String() + if !resourceMap.allAssociatedReferenceGrants.Has(refGrantNamespacedName) { + resourceMap.allAssociatedReferenceGrants.Insert(refGrantNamespacedName) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } 
@@ -567,9 +586,12 @@ func (r *gatewayAPIReconciler) processUDPRoutes(ctx context.Context, gatewayName r.log.Info("no matching ReferenceGrants found", "from", from.kind, "from namespace", from.namespace, "target", to.kind, "target namespace", to.namespace) default: - resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) - r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, - "name", refGrant.Name) + if !resourceMap.allAssociatedReferenceGrants.Has(utils.NamespacedName(refGrant).String()) { + resourceMap.allAssociatedReferenceGrants.Insert(utils.NamespacedName(refGrant).String()) + resourceTree.ReferenceGrants = append(resourceTree.ReferenceGrants, refGrant) + r.log.Info("added ReferenceGrant to resource map", "namespace", refGrant.Namespace, + "name", refGrant.Name) + } } } } From 8b8884d3a899fed1eb30d31ca7f86bbc423f2922 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 22 Oct 2024 19:15:21 -0500 Subject: [PATCH 294/523] feat(translator): implement httproutefilter host rewrite (#4446) * implement httproutefilter host rewrite Signed-off-by: Guy Daich * review fixes Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich * fix comment Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich Co-authored-by: zirain --- api/v1alpha1/httproutefilter_types.go | 17 +- api/v1alpha1/zz_generated.deepcopy.go | 4 +- ...ateway.envoyproxy.io_httproutefilters.yaml | 18 +- internal/gatewayapi/filters.go | 190 ++++++--- ...te-filter-hostname-prefix-replace.out.yaml | 3 +- ...e-with-urlrewrite-filter-hostname.out.yaml | 3 +- ...ewrite-filter-invalid-filter-type.out.yaml | 3 +- ...e-filter-regex-match-replace-http.out.yaml | 6 +- ...ilter-regex-match-replace-invalid.out.yaml | 31 +- ...urlrewrite-hostname-filter-invalid.in.yaml | 236 ++++++++++++ ...rlrewrite-hostname-filter-invalid.out.yaml | 364 ++++++++++++++++++ ...te-with-urlrewrite-hostname-filter.in.yaml | 147 +++++++ ...e-with-urlrewrite-hostname-filter.out.yaml | 362 +++++++++++++++++ internal/ir/xds.go | 39 +- internal/ir/xds_test.go | 8 +- internal/ir/zz_generated.deepcopy.go | 38 +- internal/xds/translator/route.go | 18 +- .../xds-ir/http-route-rewrite-url-host.yaml | 39 +- .../http-route-rewrite-url-host.routes.yaml | 28 ++ site/content/en/latest/api/extension_types.md | 7 +- .../latest/tasks/traffic/http-urlrewrite.md | 147 ++++++- site/content/zh/latest/api/extension_types.md | 7 +- test/cel-validation/httproutefilter_test.go | 16 +- test/e2e/testdata/httproute-rewrite-host.yaml | 68 ++++ test/e2e/tests/httproute_rewrite_host.go | 75 ++++ 25 files changed, 1736 insertions(+), 138 deletions(-) create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml create mode 100644 test/e2e/testdata/httproute-rewrite-host.yaml create mode 100644 test/e2e/tests/httproute_rewrite_host.go 
diff --git a/api/v1alpha1/httproutefilter_types.go b/api/v1alpha1/httproutefilter_types.go index 9ae8be59842..3259fabc8f4 100644 --- a/api/v1alpha1/httproutefilter_types.go +++ b/api/v1alpha1/httproutefilter_types.go @@ -43,7 +43,6 @@ type HTTPURLRewriteFilter struct { // forwarding. // // +optional - // +notImplementedHide Hostname *HTTPHostnameModifier `json:"hostname,omitempty"` // Path defines a path rewrite. // @@ -83,12 +82,12 @@ const ( type HTTPHostnameModifierType string const ( - // HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader. + // HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in header. // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header - HeaderHTTPHostnameModifier HTTPHostnameModifierType = "SetFromHeader" + HeaderHTTPHostnameModifier HTTPHostnameModifierType = "Header" // BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists. // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite - BackendHTTPHostnameModifier HTTPHostnameModifierType = "SetFromBackend" + BackendHTTPHostnameModifier HTTPHostnameModifierType = "Backend" ) type ReplaceRegexMatch struct { 
@@ -129,16 +128,16 @@ type HTTPPathModifier struct { ReplaceRegexMatch *ReplaceRegexMatch `json:"replaceRegexMatch,omitempty"` } -// +kubebuilder:validation:XValidation:message="setFromHeader must be nil if the type is not SetFromHeader",rule="!(has(self.setFromHeader) && self.type != 'SetFromHeader')" -// +kubebuilder:validation:XValidation:message="setFromHeader must be specified for SetFromHeader type",rule="!(!has(self.setFromHeader) && self.type == 'SetFromHeader')" +// +kubebuilder:validation:XValidation:message="header must be nil if the type is not Header",rule="!(has(self.header) && self.type != 'Header')" +// +kubebuilder:validation:XValidation:message="header must be specified for Header type",rule="!(!has(self.header) && self.type == 'Header')" type HTTPHostnameModifier struct { - // +kubebuilder:validation:Enum=SetFromHeader;SetFromBackend + // +kubebuilder:validation:Enum=Header;Backend // +kubebuilder:validation:Required Type HTTPHostnameModifierType `json:"type"` - // SetFromHeader is the name of the header whose value would be used to rewrite the Host header + // Header is the name of the header whose value would be used to rewrite the Host header // +optional - SetFromHeader *string `json:"setFromHeader,omitempty"` + Header *string `json:"header,omitempty"` } //+kubebuilder:object:root=true diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c225d65d39e..f2cf9072fa6 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
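Review bot: `Header` is validated only for presence, so `header: ""` appears to satisfy both CEL rules (`has(self.header)` should be true for a set-but-empty field) as well as the enum; adding `// +kubebuilder:validation:MinLength=1` above the field would reject it at admission. The field comment should also state where the value comes from, for example `// The value is read from the request as received; name a header that the gateway or a trusted hop sets or overwrites.` Without that sentence a reader may assume the upstream Host is operator-controlled, when with type Header it is whatever the named request header carries.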
@@ -2747,8 +2747,8 @@ func (in *HTTPExtAuthService) DeepCopy() *HTTPExtAuthService { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPHostnameModifier) DeepCopyInto(out *HTTPHostnameModifier) { *out = *in - if in.SetFromHeader != nil { - in, out := &in.SetFromHeader, &out.SetFromHeader + if in.Header != nil { + in, out := &in.Header, &out.Header *out = new(string) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml index 672cfb59df8..195bf24ece8 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml 
@@ -137,25 +137,25 @@ spec: Hostname is the value to be used to replace the Host header value during forwarding. properties: - setFromHeader: - description: SetFromHeader is the name of the header whose - value would be used to rewrite the Host header + header: + description: Header is the name of the header whose value + would be used to rewrite the Host header type: string type: description: HTTPPathModifierType defines the type of Hostname rewrite. enum: - - SetFromHeader - - SetFromBackend + - Header + - Backend type: string required: - type type: object x-kubernetes-validations: - - message: setFromHeader must be nil if the type is not SetFromHeader - rule: '!(has(self.setFromHeader) && self.type != ''SetFromHeader'')' - - message: setFromHeader must be specified for SetFromHeader type - rule: '!(!has(self.setFromHeader) && self.type == ''SetFromHeader'')' + - message: header must be nil if the type is not Header + rule: '!(has(self.header) && self.type != ''Header'')' + - message: header must be specified for Header type + rule: '!(!has(self.header) && self.type == ''Header'')' path: description: Path defines a path rewrite. properties: diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index 41acc4c76ba..e969b7365fc 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -11,6 +11,7 @@ import ( "strings" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" 
@@ -147,14 +148,46 @@ func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext, return httpFiltersContext } +// Checks if the context and the rewrite both contain a core gw-api HTTP URL rewrite +func hasMultipleCoreRewrites(rewrite *gwapiv1.HTTPURLRewriteFilter, contextRewrite *ir.URLRewrite) bool { + contextHasCoreRewrites := contextRewrite.Path != nil && (contextRewrite.Path.FullReplace != nil || + contextRewrite.Path.PrefixMatchReplace != nil) || (contextRewrite.Host != nil && contextRewrite.Host.Name != nil) + rewriteHasCoreRewrites := rewrite.Hostname != nil || rewrite.Path != nil + return contextHasCoreRewrites && rewriteHasCoreRewrites +} + +// Checks if the context and the rewrite both contain a envoy-gateway extended HTTP URL rewrite +func hasMultipleExtensionRewrites(rewrite *egv1a1.HTTPURLRewriteFilter, contextRewrite *ir.URLRewrite) bool { + contextHasExtensionRewrites := (contextRewrite.Path != nil && contextRewrite.Path.RegexMatchReplace != nil) || + (contextRewrite.Host != nil && (contextRewrite.Host.Header != nil || contextRewrite.Host.Backend != nil)) + + return contextHasExtensionRewrites && (rewrite.Hostname != nil || rewrite.Path != nil) +} + +// Checks if the context and the gw-api core rewrite both contain an HTTP URL rewrite that creates a conflict (e.g. both rewrite path) +func hasConflictingCoreAndExtensionRewrites(rewrite *gwapiv1.HTTPURLRewriteFilter, contextRewrite *ir.URLRewrite) bool { + contextHasExtensionPathRewrites := contextRewrite.Path != nil && contextRewrite.Path.RegexMatchReplace != nil + contextHasExtensionHostRewrites := contextRewrite.Host != nil && (contextRewrite.Host.Header != nil || + contextRewrite.Host.Backend != nil) + return (rewrite.Hostname != nil && contextHasExtensionHostRewrites) || (rewrite.Path != nil && contextHasExtensionPathRewrites) +} + +// Checks if the context and the envoy-gateway extended rewrite both contain an HTTP URL rewrite that creates a conflict (e.g. 
both rewrite path) +func hasConflictingExtensionAndCoreRewrites(rewrite *egv1a1.HTTPURLRewriteFilter, contextRewrite *ir.URLRewrite) bool { + contextHasCorePathRewrites := contextRewrite.Path != nil && (contextRewrite.Path.FullReplace != nil || + contextRewrite.Path.PrefixMatchReplace != nil) + contextHasCoreHostnameRewrites := contextRewrite.Host != nil && contextRewrite.Host.Name != nil + + return (rewrite.Hostname != nil && contextHasCoreHostnameRewrites) || (rewrite.Path != nil && contextHasCorePathRewrites) +} + func (t *Translator) processURLRewriteFilter( rewrite *gwapiv1.HTTPURLRewriteFilter, filterContext *HTTPFiltersContext, ) { if filterContext.URLRewrite != nil { - if filterContext.URLRewrite.Hostname != nil || - filterContext.URLRewrite.Path.FullReplace != nil || - filterContext.URLRewrite.Path.PrefixMatchReplace != nil { + if hasMultipleCoreRewrites(rewrite, filterContext.URLRewrite) || + hasConflictingCoreAndExtensionRewrites(rewrite, filterContext.URLRewrite) { routeStatus := GetRouteStatus(filterContext.Route) status.SetRouteStatusCondition(routeStatus, filterContext.ParentRef.routeParentStatusIdx, @@ -188,7 +221,9 @@ func (t *Translator) processURLRewriteFilter( return } redirectHost := string(*rewrite.Hostname) - newURLRewrite.Hostname = &redirectHost + newURLRewrite.Host = &ir.HTTPHostModifier{ + Name: &redirectHost, + } } if rewrite.Path != nil { 
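Review bot: The new guard in processURLRewriteFilter lets a core rewrite through when the context already holds a non-overlapping extension rewrite (an extension regex path followed by a core hostname), but the outcome is order-dependent: the regenerated golden output for `/regex-path-and-host` carries only `host.name`, while `/host-and-regex-path` keeps both host and path. If the function still assigns a fresh `ir.URLRewrite` at its end (that part is outside the hunk), the earlier path rewrite is dropped while the route stays Accepted, so the core rewrite should either be merged into the existing `filterContext.URLRewrite` or the combination rejected in both orders. Separately, `hasMultipleCoreRewrites` relies on `&&` binding tighter than `||`; writing the first operand as `(contextRewrite.Path != nil && (…))` would match the parenthesised form used in `hasMultipleExtensionRewrites`.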
@@ -751,48 +786,12 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec if string(extFilter.Kind) == egv1a1.KindHTTPRouteFilter { for _, hrf := range resources.HTTPRouteFilters { - if hrf.Namespace == filterNs && hrf.Name == string(extFilter.Name) && - hrf.Spec.URLRewrite.Path.Type == egv1a1.RegexHTTPPathModifier { - - if hrf.Spec.URLRewrite.Path.ReplaceRegexMatch == nil || - hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern == "" { - errMsg := "ReplaceRegexMatch Pattern must be set when rewrite path type is \"ReplaceRegexMatch\"" - routeStatus := GetRouteStatus(filterContext.Route) - status.SetRouteStatusCondition(routeStatus, - filterContext.ParentRef.routeParentStatusIdx, - filterContext.Route.GetGeneration(), - gwapiv1.RouteConditionAccepted, - metav1.ConditionFalse, - gwapiv1.RouteReasonUnsupportedValue, - errMsg, - ) - return - } else if _, err := regexp.Compile(hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern); err != nil { - // Avoid envoy NACKs due to invalid regex. 
- // Golang's regexp is almost identical to RE2: https://pkg.go.dev/regexp/syntax - errMsg := "ReplaceRegexMatch must be a valid RE2 regular expression" - routeStatus := GetRouteStatus(filterContext.Route) - status.SetRouteStatusCondition(routeStatus, - filterContext.ParentRef.routeParentStatusIdx, - filterContext.Route.GetGeneration(), - gwapiv1.RouteConditionAccepted, - metav1.ConditionFalse, - gwapiv1.RouteReasonUnsupportedValue, - errMsg, - ) - return - } - - rmr := &ir.RegexMatchReplace{ - Pattern: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern, - Substitution: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Substitution, - } + if hrf.Namespace == filterNs && hrf.Name == string(extFilter.Name) { + if hrf.Spec.URLRewrite != nil { - if filterContext.HTTPFilterIR.URLRewrite != nil { - // If path IR is already set - check for a conflict - if filterContext.HTTPFilterIR.URLRewrite.Path != nil { - path := filterContext.HTTPFilterIR.URLRewrite.Path - if path.RegexMatchReplace != nil || path.PrefixMatchReplace != nil || path.FullReplace != nil { + if filterContext.URLRewrite != nil { + if hasMultipleExtensionRewrites(hrf.Spec.URLRewrite, filterContext.URLRewrite) || + hasConflictingExtensionAndCoreRewrites(hrf.Spec.URLRewrite, filterContext.URLRewrite) { routeStatus := GetRouteStatus(filterContext.Route) status.SetRouteStatusCondition(routeStatus, filterContext.ParentRef.routeParentStatusIdx, 
@@ -804,19 +803,100 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec ) return } - } else { // no path - filterContext.HTTPFilterIR.URLRewrite.Path = &ir.ExtendedHTTPPathModifier{ - RegexMatchReplace: rmr, + } + + if hrf.Spec.URLRewrite.Path != nil { + if hrf.Spec.URLRewrite.Path.Type == egv1a1.RegexHTTPPathModifier { + if hrf.Spec.URLRewrite.Path.ReplaceRegexMatch == nil || + hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern == "" { + errMsg := "ReplaceRegexMatch Pattern must be set when rewrite path type is \"ReplaceRegexMatch\"" + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + errMsg, + ) + return + } else if _, err := regexp.Compile(hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern); err != nil { + // Avoid envoy NACKs due to invalid regex. 
+ // Golang's regexp is almost identical to RE2: https://pkg.go.dev/regexp/syntax + errMsg := "ReplaceRegexMatch must be a valid RE2 regular expression" + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + errMsg, + ) + return + } + + rmr := &ir.RegexMatchReplace{ + Pattern: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Pattern, + Substitution: hrf.Spec.URLRewrite.Path.ReplaceRegexMatch.Substitution, + } + + if filterContext.HTTPFilterIR.URLRewrite != nil { + if filterContext.HTTPFilterIR.URLRewrite.Path == nil { + filterContext.HTTPFilterIR.URLRewrite.Path = &ir.ExtendedHTTPPathModifier{ + RegexMatchReplace: rmr, + } + return + } + } else { // no url rewrite + filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ + Path: &ir.ExtendedHTTPPathModifier{ + RegexMatchReplace: rmr, + }, + } + return + } } - return } - } else { // no url rewrite - filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ - Path: &ir.ExtendedHTTPPathModifier{ - RegexMatchReplace: rmr, - }, + + if hrf.Spec.URLRewrite.Hostname != nil { + var hm *ir.HTTPHostModifier + if hrf.Spec.URLRewrite.Hostname.Type == egv1a1.HeaderHTTPHostnameModifier { + if hrf.Spec.URLRewrite.Hostname.Header == nil { + errMsg := "Header must be set when rewrite path type is \"Header\"" + routeStatus := GetRouteStatus(filterContext.Route) + status.SetRouteStatusCondition(routeStatus, + filterContext.ParentRef.routeParentStatusIdx, + filterContext.Route.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + gwapiv1.RouteReasonUnsupportedValue, + errMsg, + ) + return + } + hm = &ir.HTTPHostModifier{ + Header: hrf.Spec.URLRewrite.Hostname.Header, + } + } else if hrf.Spec.URLRewrite.Hostname.Type == egv1a1.BackendHTTPHostnameModifier { + hm = &ir.HTTPHostModifier{ + 
Backend: ptr.To(true), + } + } + + if filterContext.HTTPFilterIR.URLRewrite != nil { + if filterContext.HTTPFilterIR.URLRewrite.Host == nil { + filterContext.HTTPFilterIR.URLRewrite.Host = hm + return + } + } else { // no url rewrite + filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ + Host: hm, + } + return + } } - return + } } } diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml index 1577ab27e64..8e3079c9bbe 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml @@ -144,7 +144,8 @@ xdsIR: name: "" prefix: / urlRewrite: - hostname: rewrite.com + host: + name: rewrite.com path: fullReplace: null prefixMatchReplace: /rewrite diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml index 658725825f3..c0d8cce8b8a 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml @@ -141,4 +141,5 @@ xdsIR: name: "" prefix: / urlRewrite: - hostname: rewrite.com + host: + name: rewrite.com diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml index d0d62e98a27..7cbff74f25b 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml 
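Review bot: In the path branch of processExtensionRefHTTPFilter every successful store of `RegexMatchReplace` is followed by `return`, so the `hrf.Spec.URLRewrite.Hostname` block below it is never reached for an HTTPRouteFilter that sets both `path` and `hostname`; only the path rewrite is applied and no status condition reports the omission. Nothing visible forbids setting both fields, so I would drop the early returns and let both blocks fill in the same `ir.URLRewrite`, returning once afterwards, as in the excerpt. The hostname block also leaves `hm` nil for any type other than Header or Backend and still stores it, and its error text says "rewrite path type" where the hostname type is meant (the golden file asserts that string, so the two change together). The function starts before this hunk and continues after it.

```go
// … unchanged: conflict check, ReplaceRegexMatch validation, rmr construction …
if filterContext.HTTPFilterIR.URLRewrite == nil {
	filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{}
}
if filterContext.HTTPFilterIR.URLRewrite.Path == nil {
	filterContext.HTTPFilterIR.URLRewrite.Path = &ir.ExtendedHTTPPathModifier{
		RegexMatchReplace: rmr,
	}
}
// … unchanged: Hostname type handling that builds hm …
if hm != nil {
	if filterContext.HTTPFilterIR.URLRewrite == nil {
		filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{}
	}
	if filterContext.HTTPFilterIR.URLRewrite.Host == nil {
		filterContext.HTTPFilterIR.URLRewrite.Host = hm
	}
}
// single exit once both the path and the hostname parts have been applied
return
```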
@@ -141,4 +141,5 @@ xdsIR: name: "" prefix: / urlRewrite: - hostname: urlrewrite.envoyproxy.io + host: + name: urlrewrite.envoyproxy.io diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml index 5c8d2527a1f..c42f3934568 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml @@ -308,7 +308,8 @@ xdsIR: name: "" prefix: /host-and-regex-path urlRewrite: - hostname: rewrite.com + host: + name: rewrite.com path: fullReplace: null prefixMatchReplace: null @@ -336,7 +337,8 @@ xdsIR: name: "" prefix: /regex-path-and-host urlRewrite: - hostname: rewrite.com + host: + name: rewrite.com - destination: name: httproute/default/httproute-1/rule/0 settings: diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml index fb9e85a632d..17ffc680f52 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml @@ -164,9 +164,9 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -356,28 +356,3 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - routes: - - destination: - name: httproute/default/httproute-multiple-path-rewrites-1/rule/0 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTP - weight: 1 - hostname: gateway.envoyproxy.io - isHTTP2: false - metadata: - kind: HTTPRoute - name: httproute-multiple-path-rewrites-1 - namespace: default - name: httproute/default/httproute-multiple-path-rewrites-1/rule/0/match/0/gateway_envoyproxy_io - pathMatch: - distinct: false - name: "" - prefix: /ext-first - urlRewrite: - path: - fullReplace: null - prefixMatchReplace: /rewrite diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.in.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.in.yaml new file mode 100644 index 00000000000..5a7f4499048 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.in.yaml 
@@ -0,0 +1,236 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-invalid-header + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/invalid-header" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: invalid-header + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-multiple-host-rewrites-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/ext-first" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + - type: URLRewrite + urlRewrite: + hostname: "rewrite.com" + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-multiple-path-rewrites-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/inline-first" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + hostname: "rewrite.com" + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + - apiVersion: gateway.networking.k8s.io/v1 + kind: 
HTTPRoute + metadata: + namespace: default + name: httproute-multiple-header-host-rewrites + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/two-headers" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header-2 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-multiple-header-host-rewrites + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/two-backends" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend-2 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-header-and-backend-host-rewrites + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/header-and-backend" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header +httpFilters: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-header + namespace: default + spec: + urlRewrite: + hostname: + type: 
Header + header: my-host + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-header-2 + namespace: default + spec: + urlRewrite: + hostname: + type: Header + header: my-host2 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-backend + namespace: default + spec: + urlRewrite: + hostname: + type: Backend + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-backend-2 + namespace: default + spec: + urlRewrite: + hostname: + type: Backend + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: invalid-header + namespace: default + spec: + urlRewrite: + hostname: + type: Header diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml new file mode 100644 index 00000000000..ab24ec0e81d --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml 
@@ -0,0 +1,364 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 6 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-invalid-header + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: invalid-header + type: ExtensionRef + matches: + - path: + value: /invalid-header + status: + parents: + - conditions: + - lastTransitionTime: null + message: Header must be set when rewrite path type is "Header" + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- 
apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-host-rewrites-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + - type: URLRewrite + urlRewrite: + hostname: rewrite.com + matches: + - path: + value: /ext-first + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-path-rewrites-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + hostname: rewrite.com + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + matches: + - path: + value: /inline-first + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + 
type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-header-host-rewrites + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header-2 + type: ExtensionRef + matches: + - path: + value: /two-headers + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-multiple-header-host-rewrites + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend + type: ExtensionRef + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend-2 + type: ExtensionRef + matches: + - path: + value: /two-backends + status: + parents: + - conditions: + - 
lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-header-and-backend-host-rewrites + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + matches: + - path: + value: /header-and-backend + status: + parents: + - conditions: + - lastTransitionTime: null + message: Cannot configure multiple urlRewrite filters for a single HTTPRouteRule + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + 
envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.in.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.in.yaml new file mode 100644 index 00000000000..f39c951e5f8 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.in.yaml 
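Review bot: The rule matching `/header-and-backend` in `httproute-header-and-backend-host-rewrites` lists the `valid-header` ExtensionRef twice, so the header-plus-backend combination its name promises is never exercised. The second reference should be `name: valid-backend` in the matching `.in.yaml`, with this golden file regenerated. The `/two-headers` and `/two-backends` routes also share the name `httproute-multiple-header-host-rewrites` in namespace `default`, which makes their two status blocks indistinguishable by name. The condition message `Header must be set when rewrite path type is "Header"` speaks of a path type although the filter sets `hostname.type`; that string is produced by code outside this hunk.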
@@ -0,0 +1,147 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/valid-header" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/valid-backend" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-3 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/path-and-header-host" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: /rewrite + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-4 + spec: + 
hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/header-host-and-path" + backendRefs: + - name: service-1 + port: 8080 + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + - type: URLRewrite + urlRewrite: + path: + type: ReplacePrefixMatch + replacePrefixMatch: /rewrite +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-header + namespace: default + spec: + urlRewrite: + hostname: + type: Header + header: my-host +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: valid-backend + namespace: default + spec: + urlRewrite: + hostname: + type: Backend diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml new file mode 100644 index 00000000000..916f7d0cefe --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml 
@@ -0,0 +1,362 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 4 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + matches: + - path: + value: /valid-header + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + 
metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-backend + type: ExtensionRef + matches: + - path: + value: /valid-backend + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-3 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - type: URLRewrite + urlRewrite: + path: + replacePrefixMatch: /rewrite + type: ReplacePrefixMatch + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + matches: + - path: + value: /path-and-header-host + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + 
creationTimestamp: null + name: httproute-4 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: valid-header + type: ExtensionRef + - type: URLRewrite + urlRewrite: + path: + replacePrefixMatch: /rewrite + type: ReplacePrefixMatch + matches: + - path: + value: /header-host-and-path + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + 
namespace: default + name: httproute/default/httproute-3/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /path-and-header-host + urlRewrite: + host: + header: my-host + path: + fullReplace: null + prefixMatchReplace: /rewrite + - destination: + name: httproute/default/httproute-4/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-4 + namespace: default + name: httproute/default/httproute-4/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /header-host-and-path + urlRewrite: + path: + fullReplace: null + prefixMatchReplace: /rewrite + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /valid-backend + urlRewrite: + host: + backend: true + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /valid-header + urlRewrite: + host: + header: my-host diff --git a/internal/ir/xds.go b/internal/ir/xds.go index cb5021f4c9f..00edaf21b57 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
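Review bot: This golden output pins a filter-order dependence. `httproute-3` (inline `URLRewrite` path first, `valid-header` ExtensionRef second) produces `urlRewrite.host.header: my-host` together with the path rewrite in `xdsIR`, while `httproute-4` (the same two filters in the opposite order) produces only `urlRewrite.path` and no `host`. Both routes report `Route is accepted`, so in the second ordering the host rewrite appears to be dropped without any status signal. The code that merges the two filters is not in this hunk, so this is inferred from the fixture alone. If the drop is unintended, the expected `httproute-4` route should also carry `host:` / `header: my-host`; if it is intended, the route should not be reported as fully accepted.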
@@ -55,6 +55,7 @@ var (
 ErrHTTPPathModifierDoubleReplace = errors.New("redirect filter cannot have a path modifier that supplies more than one of fullPathReplace, prefixMatchReplace and regexMatchReplace")
 ErrHTTPPathModifierNoReplace = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace")
 ErrHTTPPathRegexModifierNoSetting = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace")
+ ErrHTTPHostModifierDoubleReplace = errors.New("redirect filter cannot have a host modifier that supplies more than one of Hostname, Header and Backend")
 ErrAddHeaderEmptyName = errors.New("header modifier filter cannot configure a header without a name to be added")
 ErrAddHeaderDuplicate = errors.New("header modifier filter attempts to add the same header more than once (case insensitive)")
 ErrRemoveHeaderDuplicate = errors.New("header modifier filter attempts to remove the same header more than once (case insensitive)")
@@ -1382,8 +1383,8 @@ func (r DirectResponse) Validate() error {
 type URLRewrite struct {
 // Path contains config for rewriting the path of the request.
 Path *ExtendedHTTPPathModifier `json:"path,omitempty" yaml:"path,omitempty"`
- // Hostname configures the replacement of the request's hostname.
- Hostname *string `json:"hostname,omitempty" yaml:"hostname,omitempty"`
+ // Host configures the replacement of the request's host header.
+ Host *HTTPHostModifier `json:"host,omitempty" yaml:"host,omitempty"`
 }
 // Validate the fields within the URLRewrite structure
@@ -1396,6 +1397,12 @@ func (r URLRewrite) Validate() error {
 }
 }
+ if r.Host != nil {
+ if err := r.Host.Validate(); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ }
+
 return errs
 }
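Review bot: The text of `ErrHTTPHostModifierDoubleReplace` in the first hunk names a "redirect filter" and a `Hostname` option, but in this diff the modifier is only reachable through `URLRewrite.Host` and its fields are `Name`, `Header` and `Backend`. Anyone reading that error would look at the wrong filter and for a field that does not exist. I would word it as `errors.New("url rewrite filter cannot have a host modifier that supplies more than one of Name, Header and Backend")`. The `var (` block continues outside the hunk.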
@@ -1499,6 +1506,34 @@ func (r ExtendedHTTPPathModifier) Validate() error {
 return errs
 }
+// HTTPHostModifier holds instructions for how to modify the host of a request
+// with both core gateway-api and extended envoy gateway capabilities
+// +k8s:deepcopy-gen=true
+type HTTPHostModifier struct {
+ Name *string `json:"name,omitempty" yaml:"name,omitempty"`
+ Header *string `json:"header,omitempty" yaml:"header,omitempty"`
+ Backend *bool `json:"backend,omitempty" yaml:"backend,omitempty"`
+}
+
+// Validate the fields within the HTTPPathModifier structure
+func (r HTTPHostModifier) Validate() error {
+ var errs error
+
+ rewrites := []bool{r.Name != nil, r.Header != nil, r.Backend != nil}
+ rwc := 0
+ for _, rw := range rewrites {
+ if rw {
+ rwc++
+ }
+ }
+
+ if rwc > 1 {
+ errs = errors.Join(errs, ErrHTTPHostModifierDoubleReplace)
+ }
+
+ return errs
+}
+
 // StringMatch holds the various match conditions.
 // Only one of Exact, Prefix, SafeRegex or Distinct can be set.
 // +k8s:deepcopy-gen=true
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index 5ff9a8736ef..b4593152593 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -308,7 +308,9 @@ var (
 Exact: ptr.To("rewrite"),
 },
 URLRewrite: &URLRewrite{
- Hostname: ptr.To("rewrite.example.com"),
+ Host: &HTTPHostModifier{
+ Name: ptr.To("rewrite.example.com"),
+ },
 Path: &ExtendedHTTPPathModifier{
 HTTPPathModifier: HTTPPathModifier{
 FullReplace: ptr.To("/rewrite"),
@@ -324,7 +326,9 @@ var (
 Exact: ptr.To("rewrite"),
 },
 URLRewrite: &URLRewrite{
- Hostname: ptr.To("rewrite.example.com"),
+ Host: &HTTPHostModifier{
+ Name: ptr.To("rewrite.example.com"),
+ },
 Path: &ExtendedHTTPPathModifier{
 HTTPPathModifier: HTTPPathModifier{
 FullReplace: ptr.To("/rewrite"),
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index 791b6d5dd68..111f2661377 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
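Review bot: `HTTPHostModifier.Validate` only rejects `rwc > 1`, so a modifier with nothing set, a `Header` pointing at an empty string, and a `Backend` pointing at `false` all pass validation. The translator hunk in route.go keys on `Backend != nil`, so that last case would still switch on auto host rewrite; rejecting it here, e.g. `if r.Backend != nil && !*r.Backend { errs = errors.Join(errs, errBackendFalse) }` with a new error value (placeholder name), keeps the IR unambiguous. The doc comment above the method names the wrong type and should read `// Validate the fields within the HTTPHostModifier structure`. The three fields carry no comments; one line each saying that `Name` is a literal host, `Header` is the request header whose value becomes the upstream Host, and `Backend` selects the backend's DNS name would match how the `URLRewrite` fields are documented.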
@@ -1270,6 +1270,36 @@ func (in *HTTPHealthChecker) DeepCopy() *HTTPHealthChecker { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPHostModifier) DeepCopyInto(out *HTTPHostModifier) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Header != nil { + in, out := &in.Header, &out.Header + *out = new(string) + **out = **in + } + if in.Backend != nil { + in, out := &in.Backend, &out.Backend + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHostModifier. +func (in *HTTPHostModifier) DeepCopy() *HTTPHostModifier { + if in == nil { + return nil + } + out := new(HTTPHostModifier) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPListener) DeepCopyInto(out *HTTPListener) { *out = *in @@ -3341,10 +3371,10 @@ func (in *URLRewrite) DeepCopyInto(out *URLRewrite) { *out = new(ExtendedHTTPPathModifier) (*in).DeepCopyInto(*out) } - if in.Hostname != nil { - in, out := &in.Hostname, &out.Hostname - *out = new(string) - **out = **in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(HTTPHostModifier) + (*in).DeepCopyInto(*out) } } diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index a8ec4a291d5..e1d790268dc 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go 
@@ -417,9 +417,21 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa
 }
 }
- if urlRewrite.Hostname != nil {
- routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteLiteral{
- HostRewriteLiteral: *urlRewrite.Hostname,
+ if urlRewrite.Host != nil {
+
+ switch {
+ case urlRewrite.Host.Name != nil:
+ routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteLiteral{
+ HostRewriteLiteral: *urlRewrite.Host.Name,
+ }
+ case urlRewrite.Host.Header != nil:
+ routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteHeader{
+ HostRewriteHeader: *urlRewrite.Host.Header,
+ }
+ case urlRewrite.Host.Backend != nil:
+ routeAction.HostRewriteSpecifier = &routev3.RouteAction_AutoHostRewrite{
+ AutoHostRewrite: wrapperspb.Bool(true),
+ }
 }
 routeAction.AppendXForwardedHost = true
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml
index 8cc673a7e5b..525a22210b9 100644
--- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml
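Review bot: `case urlRewrite.Host.Backend != nil:` enables `AutoHostRewrite` even when the pointer holds `false`, because the pointed-to value is never read; `case urlRewrite.Host.Backend != nil && *urlRewrite.Host.Backend:` would honour it. `routeAction.AppendXForwardedHost = true` appears to sit after the switch inside the same `if`, so it is also set when no case matched. For the `Header` case I would add a comment such as `// value comes from a downstream request header; Envoy's docs require it to come from a trusted source`. The upstream Host is then chosen by whoever can set that header, which matters for backends that route tenants or build links from Host. `buildXdsURLRewriteAction` starts and ends outside the hunk.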
@@ -23,6 +23,43 @@ http: - host: "1.2.3.4" port: 50000 urlRewrite: - hostname: "3.3.3.3" + host: + name: "3.3.3.3" + path: + prefixMatchReplace: /rewrite + - name: "rewrite-host-header" + pathMatch: + prefix: "/host-header" + hostname: gateway.envoyproxy.io + headerMatches: + - name: ":authority" + exact: gateway.envoyproxy.io + destination: + name: "rewrite-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + urlRewrite: + host: + header: "foo" + path: + prefixMatchReplace: /rewrite + - name: "rewrite-host-backend" + pathMatch: + prefix: "/host-backend" + hostname: gateway.envoyproxy.io + headerMatches: + - name: ":authority" + exact: gateway.envoyproxy.io + destination: + name: "rewrite-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + urlRewrite: + host: + backend: true path: prefixMatchReplace: /rewrite diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml index 680a67404ee..a3e1e29e821 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml @@ -19,3 +19,31 @@ prefixRewrite: /rewrite upgradeConfigs: - upgradeType: websocket + - match: + headers: + - name: :authority + stringMatch: + exact: gateway.envoyproxy.io + pathSeparatedPrefix: /host-header + name: rewrite-host-header + route: + appendXForwardedHost: true + cluster: rewrite-route-dest + hostRewriteHeader: foo + prefixRewrite: /rewrite + upgradeConfigs: + - upgradeType: websocket + - match: + headers: + - name: :authority + stringMatch: + exact: gateway.envoyproxy.io + pathSeparatedPrefix: /host-backend + name: rewrite-host-backend + route: + appendXForwardedHost: true + autoHostRewrite: true + cluster: rewrite-route-dest + prefixRewrite: /rewrite + upgradeConfigs: + - upgradeType: websocket 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index c183a4f0b8f..f90ee0702ad 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1971,7 +1971,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | -| `setFromHeader` | _string_ | false | SetFromHeader is the name of the header whose value would be used to rewrite the Host header | +| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | #### HTTPHostnameModifierType @@ -1985,8 +1985,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `SetFromHeader` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| -| `SetFromBackend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| +| `Header` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in header.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `Backend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| #### HTTPPathModifier @@ -2106,6 +2106,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | | `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | diff --git a/site/content/en/latest/tasks/traffic/http-urlrewrite.md b/site/content/en/latest/tasks/traffic/http-urlrewrite.md index a643d775a57..3515bd9caa4 100644 --- a/site/content/en/latest/tasks/traffic/http-urlrewrite.md +++ b/site/content/en/latest/tasks/traffic/http-urlrewrite.md @@ -374,14 +374,14 @@ spec: The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. ```shell -kubectl get httproute/http-filter-url-rewrite -o yaml +kubectl get httproute/http-filter-url-regex-rewrite -o yaml ``` -Querying `http://${GATEWAY_HOST}/get/origin/path/extra` should rewrite the request to -`http://${GATEWAY_HOST}/force/replace/fullpath`. +Querying `http://${GATEWAY_HOST}/service/foo/v1/api` should rewrite the request to +`http://${GATEWAY_HOST}/service/foo/v1/api`. ```console -$ curl -L -vvv --header "Host: path.regex.rewrite.example" "http://${GATEWAY_HOST}/get/origin/path/extra" +$ curl -L -vvv --header "Host: path.regex.rewrite.example" "http://${GATEWAY_HOST}/service/foo/v1/api" ... > GET /service/foo/v1/api HTTP/1.1 > Host: path.regex.rewrite.example 
@@ -555,6 +555,145 @@ $ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get You can see that the `X-Forwarded-Host` is `path.rewrite.example`, but the actual host is `envoygateway.io`. +## Rewrite URL Host Name by Header or Backend + +In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API. +The `HTTPRouteFilter` API can be configured to rewrite the Host header value to: +- The value of a different request header +- The DNS name of the backend that the request is routed to + +In the following example, the host header is rewritten to the value of the x-custom-host header. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-filter-header-host-rewrite -o yaml +``` + +Querying `http://${GATEWAY_HOST}/header` and providing a custom host rewrite header x-custom-host should rewrite the +request host header to the value of the x-custom-host header. + +```console +$ curl -L -vvv --header "Host: host.header.rewrite.example" --header "x-custom-host: foo" "http://${GATEWAY_HOST}/header" +... +> GET /header HTTP/1.1 +> Host: host.header.rewrite.example +> User-Agent: curl/8.7.1 +> Accept: */* +> x-custom-host: foo +> +* Request completely sent off +< HTTP/1.1 200 OK +< +{ + "path": "/header", + "host": "foo", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "X-Custom-Host": [ + "foo" + ], + "X-Forwarded-Host": [ + "host.header.rewrite.example" + ], + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-765694d47f-5t6f2" +... +``` + +You can see that the host is rewritten from `host.header.rewrite.example`, to the value of the provided +`x-custom-host` header `foo`. The original host header is preserved in the `X-Forwarded-Host` header. 
+ + [HTTPURLRewriteFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPURLRewriteFilter [HTTPRouteFilter]: ../../../api/extension_types#httproutefilter [RE2]: https://github.com/google/re2/wiki/Syntax \ No newline at end of file diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index c183a4f0b8f..f90ee0702ad 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -1971,7 +1971,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | -| `setFromHeader` | _string_ | false | SetFromHeader is the name of the header whose value would be used to rewrite the Host header | +| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | #### HTTPHostnameModifierType @@ -1985,8 +1985,8 @@ _Appears in:_ | Value | Description | | ----- | ----------- | -| `SetFromHeader` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in setFromHeader.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| -| `SetFromBackend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| +| `Header` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in header.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `Backend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| #### HTTPPathModifier @@ -2106,6 +2106,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | | `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | diff --git a/test/cel-validation/httproutefilter_test.go b/test/cel-validation/httproutefilter_test.go index 7f84deb71e5..c0b6e1ec817 100644 --- a/test/cel-validation/httproutefilter_test.go +++ b/test/cel-validation/httproutefilter_test.go @@ -86,13 +86,13 @@ func TestHTTPRouteFilter(t *testing.T) { }, }, { - desc: "Valid SetFromHeader", + desc: "Valid Header", mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ URLRewrite: &egv1a1.HTTPURLRewriteFilter{ Hostname: &egv1a1.HTTPHostnameModifier{ - Type: egv1a1.HeaderHTTPHostnameModifier, - SetFromHeader: ptr.To("foo"), + Type: egv1a1.HeaderHTTPHostnameModifier, + Header: ptr.To("foo"), }, }, } @@ -113,7 +113,7 @@ func TestHTTPRouteFilter(t *testing.T) { wantErrors: []string{}, }, { - desc: "invalid SetFromHeader missing settings", + desc: "invalid Header missing settings", mutate: func(httproutefilter *egv1a1.HTTPRouteFilter) { httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ URLRewrite: &egv1a1.HTTPURLRewriteFilter{ @@ -123,7 +123,7 @@ func TestHTTPRouteFilter(t *testing.T) { }, } }, - wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": setFromHeader must be specified for SetFromHeader type"}, + wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": header must be specified for Header type"}, }, { desc: "invalid SetFromBackend type", 
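Review bot: The case description `desc: "invalid SetFromBackend type"`, visible as the trailing context line of the hunk at -123, still uses the old enum name after the rename to `Header`/`Backend`. The case it labels (changed in the next hunk) sets `Type: egv1a1.BackendHTTPHostnameModifier` together with `Header`, so `desc: "invalid Backend type with header set"` would match the new error strings in `wantErrors`. The enclosing TestHTTPRouteFilter table starts and ends outside these hunks.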
@@ -131,13 +131,13 @@ func TestHTTPRouteFilter(t *testing.T) { httproutefilter.Spec = egv1a1.HTTPRouteFilterSpec{ URLRewrite: &egv1a1.HTTPURLRewriteFilter{ Hostname: &egv1a1.HTTPHostnameModifier{ - Type: egv1a1.BackendHTTPHostnameModifier, - SetFromHeader: ptr.To("foo"), + Type: egv1a1.BackendHTTPHostnameModifier, + Header: ptr.To("foo"), }, }, } }, - wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": setFromHeader must be nil if the type is not SetFromHeader"}, + wantErrors: []string{"spec.urlRewrite.hostname: Invalid value: \"object\": header must be nil if the type is not Header"}, }, } diff --git a/test/e2e/testdata/httproute-rewrite-host.yaml b/test/e2e/testdata/httproute-rewrite-host.yaml new file mode 100644 index 00000000000..871b2008b3b --- /dev/null +++ b/test/e2e/testdata/httproute-rewrite-host.yaml 
@@ -0,0 +1,68 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: rewrite-host
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: same-namespace
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /header
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: gateway.envoyproxy.io
+ kind: HTTPRouteFilter
+ name: header-host-rewrite
+ backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /backend
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: gateway.envoyproxy.io
+ kind: HTTPRouteFilter
+ name: backend-host-rewrite
+ backendRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-fqdn
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: HTTPRouteFilter
+metadata:
+ name: header-host-rewrite
+ namespace: gateway-conformance-infra
+spec:
+ urlRewrite:
+ hostname:
+ type: Header
+ header: x-custom-host
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: HTTPRouteFilter
+metadata:
+ name: backend-host-rewrite
+ namespace: gateway-conformance-infra
+spec:
+ urlRewrite:
+ hostname:
+ type: Backend
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+ name: backend-fqdn
+ namespace: gateway-conformance-infra
+spec:
+ endpoints:
+ - fqdn:
+ hostname: infra-backend-v1.gateway-conformance-infra.svc.cluster.local
+ port: 8080
diff --git a/test/e2e/tests/httproute_rewrite_host.go b/test/e2e/tests/httproute_rewrite_host.go
new file mode 100644
index 00000000000..643d0891e9f
--- /dev/null
+++ b/test/e2e/tests/httproute_rewrite_host.go 
@@ -0,0 +1,75 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, HTTPRouteRewriteHostHeader) +} + +var HTTPRouteRewriteHostHeader = suite.ConformanceTest{ + ShortName: "HTTPRouteRewriteHostHeader", + Description: "An HTTPRoute with host rewrite filter to rewrite a host header", + Manifests: []string{"testdata/httproute-rewrite-host.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "rewrite-host", Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN) + + testCases := []http.ExpectedResponse{ + { + Request: http.Request{ + Path: "/header", + Headers: map[string]string{ + "x-custom-host": "custom-host", + }, + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/header", + Host: "custom-host", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + }, + { + Request: http.Request{ + Path: "/backend", + }, + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Path: "/backend", + Host: "infra-backend-v1.gateway-conformance-infra.svc.cluster.local", + }, + }, + Backend: "infra-backend-v1", + Namespace: ns, + }, + } + for i := range testCases { + // Declare tc here to avoid loop variable + // 
reuse issues across parallel tests. + tc := testCases[i] + t.Run(tc.GetTestCaseName(i), func(t *testing.T) { + t.Parallel() + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, tc) + }) + } + }, +} From 7188dad953db69490907431c290dcaf489124e2a Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Tue, 22 Oct 2024 17:41:49 -0700 Subject: [PATCH 295/523] benchmark: test for 1000 HTTPRoutes (#4287) Signed-off-by: Arko Dasgupta Co-authored-by: zirain --- test/benchmark/tests/scale_httproutes.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/benchmark/tests/scale_httproutes.go b/test/benchmark/tests/scale_httproutes.go index cf0839220de..1431032bcec 100644 --- a/test/benchmark/tests/scale_httproutes.go +++ b/test/benchmark/tests/scale_httproutes.go @@ -44,7 +44,7 @@ var ScaleHTTPRoutes = suite.BenchmarkTest{ require.NoError(t, err) routeNameFormat := "benchmark-route-%d" - routeScales := []uint16{10, 50, 100, 300, 500} + routeScales := []uint16{10, 50, 100, 300, 500, 1000} routeScalesN := len(routeScales) routeNNs := make([]types.NamespacedName, 0, routeScales[routeScalesN-1]) From 8adbf1d3cc681d901f6c041d86c8814d65158673 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 23 Oct 2024 21:21:33 +0800 Subject: [PATCH 296/523] docs: update Backend docs (#4497) * add docs Signed-off-by: Huabing Zhao * update backedn docs Signed-off-by: Huabing Zhao * update backedn docs Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- site/content/en/latest/tasks/traffic/backend.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/site/content/en/latest/tasks/traffic/backend.md b/site/content/en/latest/tasks/traffic/backend.md index 2bb2a4e647a..55d125a27ad 100644 --- a/site/content/en/latest/tasks/traffic/backend.md +++ b/site/content/en/latest/tasks/traffic/backend.md 
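Review bot: The `/header` entry in `testCases` only covers a request that carries `x-custom-host`; nothing pins what the backend receives when the client omits that header or sends it empty. Because the rewritten Host is taken from a client-supplied header, the absent-header path is worth fixing with a test: as far as I know Envoy's host_rewrite_header leaves the Host untouched when the header value is empty, and a second `/header` entry without the `Headers` map would assert that. The exported variable also lacks a doc comment; `// HTTPRouteRewriteHostHeader checks Host rewriting from a request header and from the backend FQDN.` would cover it.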
@@ -7,26 +7,28 @@ Envoy Gateway supports routing to native K8s resources such as `Service` and `Se ## Motivation The Backend API was added to support several use cases: - Allowing users to integrate Envoy with services (Ext Auth, Rate Limit, ALS, ...) using Unix Domain Sockets, which are currently not supported by K8s. -- Simplify [routing to cluster-external backends][], which currently requires users to maintain both K8s `Service` and `EndpointSlice` resources. +- Simplify [routing to cluster-external backends][], which currently requires users to maintain both K8s `Service` and `EndpointSlice` resources. ## Warning -Similar to the K8s EndpointSlice API, the Backend API can be misused to allow traffic to be sent to otherwise restricted destinations, as described in [CVE-2021-25740][]. +Similar to the K8s EndpointSlice API, the Backend API can be misused to allow traffic to be sent to otherwise restricted destinations, as described in [CVE-2021-25740][]. A Backend resource can be used to: - Expose a Service or Pod that should not be accessible - Reference a Service or Pod by a Route without appropriate Reference Grants - Expose the Envoy Proxy localhost (including the Envoy admin endpoint) -For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC. +For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC. 
## Restrictions The Backend API is currently supported only in the following BackendReferences: - [HTTPRoute]: IP and FQDN endpoints +- [TLSRoute]: IP and FQDN endpoints - [Envoy Extension Policy] (ExtProc): IP, FQDN and unix domain socket endpoints +- [Security Policy]: IP and FQDN endpoints for the OIDC providers The Backend API supports attachment the following policies: -- [Backend TLS Policy][] +- [Backend TLS Policy][] Certain restrictions apply on the value of hostnames and addresses. For example, the loopback IP address range and the localhost hostname are forbidden. @@ -200,7 +202,9 @@ curl -I -HHost:www.example.com http://${GATEWAY_HOST}/headers [CVE-2021-25740]: https://nvd.nist.gov/vuln/detail/CVE-2021-25740 [upstream recommendations]: https://github.com/kubernetes/kubernetes/issues/103675 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [Envoy Extension Policy]: ../../../api/extension_types#envoyextensionpolicy +[Security Policy]: ../../../api/extension_types#oidcprovider [Backend TLS Policy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [EnvoyProxy]: ../../../api/extension_types#envoyproxy [EnvoyGateway]: ../../../api/extension_types#envoygateway From 4f0266c5e173c859139192f89d34bd98a456f318 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 24 Oct 2024 12:22:44 +0800 Subject: [PATCH 297/523] e2e: add test for DaemonSet (#4502) * e2e: add test for DaemonSet Signed-off-by: zirain * remove nit Signed-off-by: zirain * lint Signed-off-by: zirain --------- Signed-off-by: zirain --- test/e2e/testdata/envoyproxy-daemonset.yaml | 57 ++++++++++++++ test/e2e/tests/envoyproxy_daemonset.go | 87 +++++++++++++++++++++ 2 files changed, 144 insertions(+) create mode 100644 test/e2e/testdata/envoyproxy-daemonset.yaml create mode 100644 test/e2e/tests/envoyproxy_daemonset.go 
diff --git a/test/e2e/testdata/envoyproxy-daemonset.yaml b/test/e2e/testdata/envoyproxy-daemonset.yaml
new file mode 100644
index 00000000000..fabe93e5420
--- /dev/null
+++ b/test/e2e/testdata/envoyproxy-daemonset.yaml
@@ -0,0 +1,57 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg-daemonset
+ namespace: gateway-conformance-infra
+spec:
+ gatewayClassName: "{GATEWAY_CLASS_NAME}"
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
+ infrastructure:
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: eg-daemonset
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: eg-daemonset
+ namespace: gateway-conformance-infra
+spec:
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyDaemonSet:
+ patch:
+ type: StrategicMerge
+ value:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: envoy
+ readinessProbe:
+ initialDelaySeconds: 5
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: foo-route
+ namespace: gateway-conformance-infra
+spec:
+ parentRefs:
+ - name: eg-daemonset
+ rules:
+ - backendRefs:
+ - name: infra-backend-v1
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /foo
diff --git a/test/e2e/tests/envoyproxy_daemonset.go b/test/e2e/tests/envoyproxy_daemonset.go
new file mode 100644
index 00000000000..4af6b6eb94f
--- /dev/null
+++ b/test/e2e/tests/envoyproxy_daemonset.go 
@@ -0,0 +1,87 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "context" + "testing" + "time" + + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" + "sigs.k8s.io/controller-runtime/pkg/client" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, EnvoyProxyDaemonSetTest) +} + +var EnvoyProxyDaemonSetTest = suite.ConformanceTest{ + ShortName: "EnvoyProxyDaemonSet", + Description: "Test running Envoy as a DaemonSet", + Manifests: []string{"testdata/envoyproxy-daemonset.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("RunAndDelete", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "foo-route", Namespace: ns} + gwNN := types.NamespacedName{Name: "eg-daemonset", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + OkResp := http.ExpectedResponse{ + Request: http.Request{ + Path: "/foo", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + // Send a request to a valid path and expect a successful response + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, OkResp) + + gtw := &gwapiv1.Gateway{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: gwNN.Namespace, + Name: gwNN.Name, + }, + } + err := suite.Client.Delete(context.TODO(), gtw) + if err != nil { + t.Fatalf("Failed to 
delete Gateway: %v", err) + } + + err = wait.PollUntilContextTimeout(context.TODO(), time.Second, suite.TimeoutConfig.DeleteTimeout, true, func(ctx context.Context) (bool, error) { + dsList := &appsv1.DaemonSetList{} + err := suite.Client.List(ctx, dsList, &client.ListOptions{ + Namespace: "envoy-gateway-system", + LabelSelector: labels.SelectorFromSet(map[string]string{ + "app.kubernetes.io/managed-by": "envoy-gateway", + "app.kubernetes.io/name": "envoy", + "gateway.envoyproxy.io/owning-gateway-name": gwNN.Name, + "gateway.envoyproxy.io/owning-gateway-namespace": gwNN.Namespace, + }), + }) + if err != nil { + return false, err + } + + return len(dsList.Items) == 0, err + }) + if err != nil { + t.Fatalf("Failed to delete Gateway: %v", err) + } + }) + }, +} From 9353be2e7cfe017389bcf21c468f1472ac7c51f8 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 23 Oct 2024 23:02:38 -0700 Subject: [PATCH 298/523] feat: direct response (#4508) * feat: direct response Relates to https://github.com/envoyproxy/gateway/issues/2714 Signed-off-by: Arko Dasgupta * provider logic Signed-off-by: Arko Dasgupta * default status code is 200 Signed-off-by: Arko Dasgupta --------- 
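Review bot: The test never asserts that a DaemonSet was actually created. After the `/foo` request it deletes the Gateway and polls until no DaemonSet matches the owning-gateway labels, a condition that also holds if Envoy was deployed some other way. Listing with the same selector before the delete and failing on an empty result closes that gap. The second `t.Fatalf("Failed to delete Gateway: %v", err)` reports the poll outcome, so its message should name the DaemonSet wait, and `return len(dsList.Items) == 0, err` can return `nil` because err was already checked.

```go
// … unchanged: route acceptance and the /foo request …

// The proxy must be running as a DaemonSet before the Gateway is deleted.
selector := labels.SelectorFromSet(map[string]string{
	"app.kubernetes.io/managed-by":                   "envoy-gateway",
	"app.kubernetes.io/name":                         "envoy",
	"gateway.envoyproxy.io/owning-gateway-name":      gwNN.Name,
	"gateway.envoyproxy.io/owning-gateway-namespace": gwNN.Namespace,
})
created := &appsv1.DaemonSetList{}
if err := suite.Client.List(context.TODO(), created, &client.ListOptions{
	Namespace:     "envoy-gateway-system",
	LabelSelector: selector,
}); err != nil {
	t.Fatalf("Failed to list Envoy DaemonSets: %v", err)
}
if len(created.Items) == 0 {
	t.Fatalf("Expected an Envoy DaemonSet for Gateway %s, found none", gwNN)
}

// … unchanged: Gateway delete and the poll, which can reuse selector …
```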
Signed-off-by: Arko Dasgupta --- internal/gatewayapi/backendtrafficpolicy.go | 87 ++++++++++--------- internal/gatewayapi/envoyextensionpolicy.go | 8 +- internal/gatewayapi/filters.go | 53 ++++++++--- internal/gatewayapi/route.go | 8 +- internal/gatewayapi/securitypolicy.go | 8 +- internal/gatewayapi/translator.go | 2 +- internal/ir/xds.go | 34 ++++---- internal/ir/xds_test.go | 8 +- internal/ir/zz_generated.deepcopy.go | 29 +++---- internal/provider/kubernetes/controller.go | 4 + internal/provider/kubernetes/filters.go | 38 ++++++++ internal/provider/kubernetes/indexers.go | 30 +++++++ internal/provider/kubernetes/predicates.go | 12 +++ internal/provider/kubernetes/routes.go | 2 + internal/xds/translator/custom_response.go | 9 +- internal/xds/translator/route.go | 16 +++- .../testdata/in/xds-ir/accesslog-cel.yaml | 3 - .../in/xds-ir/accesslog-endpoint-stats.yaml | 3 - .../in/xds-ir/accesslog-formatters.yaml | 3 - .../in/xds-ir/accesslog-multi-cel.yaml | 3 - .../testdata/in/xds-ir/accesslog-types.yaml | 3 - .../in/xds-ir/accesslog-without-format.yaml | 3 - .../testdata/in/xds-ir/accesslog.yaml | 3 - .../testdata/in/xds-ir/tracing-datadog.yaml | 3 - .../in/xds-ir/tracing-endpoint-stats.yaml | 3 - .../testdata/in/xds-ir/tracing-zipkin.yaml | 3 - .../testdata/in/xds-ir/tracing.yaml | 3 - .../out/xds-ir/accesslog-cel.routes.yaml | 8 +- .../accesslog-endpoint-stats.routes.yaml | 8 +- .../xds-ir/accesslog-formatters.routes.yaml | 8 +- .../xds-ir/accesslog-multi-cel.routes.yaml | 8 +- .../out/xds-ir/accesslog-types.routes.yaml | 8 +- .../accesslog-without-format.routes.yaml | 8 +- .../testdata/out/xds-ir/accesslog.routes.yaml | 8 +- .../http-route-direct-response.routes.yaml | 2 + .../out/xds-ir/tracing-datadog.routes.yaml | 8 +- .../xds-ir/tracing-endpoint-stats.routes.yaml | 8 +- .../out/xds-ir/tracing-zipkin.routes.yaml | 8 +- .../testdata/out/xds-ir/tracing.routes.yaml | 8 +- 39 files changed, 292 insertions(+), 179 deletions(-) 
diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 89b6804a2ba..3069ef5cc50 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -14,10 +14,10 @@ import ( "strings" perr "github.com/pkg/errors" - corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/utils/ptr" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" @@ -32,14 +32,14 @@ const ( MaxConsistentHashTableSize = 5000011 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-maglevlbconfig ) -func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv1a1.BackendTrafficPolicy, +func (t *Translator) ProcessBackendTrafficPolicies(resources *resource.Resources, gateways []*GatewayContext, routes []RouteContext, xdsIR resource.XdsIRMap, - configMaps []*corev1.ConfigMap, ) []*egv1a1.BackendTrafficPolicy { res := []*egv1a1.BackendTrafficPolicy{} + backendTrafficPolicies := resources.BackendTrafficPolicies // Sort based on timestamp sort.Slice(backendTrafficPolicies, func(i, j int) bool { return backendTrafficPolicies[i].CreationTimestamp.Before(&(backendTrafficPolicies[j].CreationTimestamp)) @@ -130,7 +130,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv } // Set conditions for translation error if it got any - if err := t.translateBackendTrafficPolicyForRoute(policy, route, xdsIR, configMaps); err != nil { + if err := t.translateBackendTrafficPolicyForRoute(policy, route, xdsIR, resources); err != nil { status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, 
@@ -184,7 +184,7 @@ func (t *Translator) ProcessBackendTrafficPolicies(backendTrafficPolicies []*egv } // Set conditions for translation error if it got any - if err := t.translateBackendTrafficPolicyForGateway(policy, currTarget, gateway, xdsIR, configMaps); err != nil { + if err := t.translateBackendTrafficPolicyForGateway(policy, currTarget, gateway, xdsIR, resources); err != nil { status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, @@ -288,7 +288,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute( policy *egv1a1.BackendTrafficPolicy, route RouteContext, xdsIR resource.XdsIRMap, - configMaps []*corev1.ConfigMap, + resources *resource.Resources, ) error { var ( rl *ir.RateLimit @@ -349,7 +349,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute( errs = errors.Join(errs, err) } - if ro, err = buildResponseOverride(policy, configMaps); err != nil { + if ro, err = buildResponseOverride(policy, resources); err != nil { err = perr.WithMessage(err, "ResponseOverride") errs = errors.Join(errs, err) } @@ -392,8 +392,8 @@ func (t *Translator) translateBackendTrafficPolicyForRoute( if strings.HasPrefix(r.Name, prefix) { if errs != nil { // Return a 500 direct response - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } continue } @@ -438,7 +438,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway( target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, gateway *GatewayContext, xdsIR resource.XdsIRMap, - configMaps []*corev1.ConfigMap, + resources *resource.Resources, ) error { var ( rl *ir.RateLimit 
@@ -491,7 +491,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway( err = perr.WithMessage(err, "HTTP2") errs = errors.Join(errs, err) } - if ro, err = buildResponseOverride(policy, configMaps); err != nil { + if ro, err = buildResponseOverride(policy, resources); err != nil { err = perr.WithMessage(err, "ResponseOverride") errs = errors.Join(errs, err) } @@ -561,8 +561,8 @@ func (t *Translator) translateBackendTrafficPolicyForGateway( if errs != nil { // Return a 500 direct response - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } continue } @@ -864,7 +864,7 @@ func makeIrTriggerSet(in []egv1a1.TriggerEnum) []ir.TriggerEnum { return irTriggers } -func buildResponseOverride(policy *egv1a1.BackendTrafficPolicy, configMaps []*corev1.ConfigMap) (*ir.ResponseOverride, error) { +func buildResponseOverride(policy *egv1a1.BackendTrafficPolicy, resources *resource.Resources) (*ir.ResponseOverride, error) { if len(policy.Spec.ResponseOverride) == 0 { return nil, nil } 
@@ -894,33 +894,10 @@ func buildResponseOverride(policy *egv1a1.BackendTrafficPolicy, configMaps []*co ContentType: ro.Response.ContentType, } - if ro.Response.Body.Type != nil && *ro.Response.Body.Type == egv1a1.ResponseValueTypeValueRef { - foundCM := false - for _, cm := range configMaps { - if cm.Namespace == policy.Namespace && cm.Name == string(ro.Response.Body.ValueRef.Name) { - body, dataOk := cm.Data["response.body"] - switch { - case dataOk: - response.Body = body - case len(cm.Data) > 0: // Fallback to the first key if response.body is not found - for _, value := range cm.Data { - body = value - break - } - response.Body = body - default: - return nil, fmt.Errorf("can't find the key response.body in the referenced configmap %s", ro.Response.Body.ValueRef.Name) - } - - foundCM = true - break - } - } - if !foundCM { - return nil, fmt.Errorf("can't find the referenced configmap %s", ro.Response.Body.ValueRef.Name) - } - } else { - response.Body = *ro.Response.Body.Inline + var err error + response.Body, err = getCustomResponseBody(ro.Response.Body, resources, policy.Namespace) + if err != nil { + return nil, err } rules = append(rules, ir.ResponseOverrideRule{ 
@@ -935,6 +912,34 @@ func buildResponseOverride(policy *egv1a1.BackendTrafficPolicy, configMaps []*co }, nil } +func getCustomResponseBody(body egv1a1.CustomResponseBody, resources *resource.Resources, policyNs string) (*string, error) { + if body.Type != nil && *body.Type == egv1a1.ResponseValueTypeValueRef { + cm := resources.GetConfigMap(policyNs, string(body.ValueRef.Name)) + if cm != nil { + b, dataOk := cm.Data["response.body"] + switch { + case dataOk: + return &b, nil + case len(cm.Data) > 0: // Fallback to the first key if response.body is not found + for _, value := range cm.Data { + b = value + break + } + return &b, nil + default: + return nil, fmt.Errorf("can't find the key response.body in the referenced configmap %s", body.ValueRef.Name) + } + + } else { + return nil, fmt.Errorf("can't find the referenced configmap %s", body.ValueRef.Name) + } + } else if body.Inline != nil { + return body.Inline, nil + } + + return nil, nil +} + func defaultResponseOverrideRuleName(policy *egv1a1.BackendTrafficPolicy, index int) string { return fmt.Sprintf( "%s/responseoverride/rule/%s", diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 5e61f2eb3aa..4abc9a69046 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -324,8 +324,8 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute( if strings.HasPrefix(r.Name, prefix) { // return 500 and do not configure EnvoyExtensions in this case if errs != nil { - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } continue } 
@@ -386,8 +386,8 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway( // return 500 and do not configure EnvoyExtensions in this case if errs != nil { - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } continue } diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index e969b7365fc..68bf84b33c2 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -47,7 +47,7 @@ type HTTPFiltersContext struct { // HTTPFilterIR contains the ir processing results. type HTTPFilterIR struct { - DirectResponse *ir.DirectResponse + DirectResponse *ir.CustomResponse RedirectResponse *ir.Redirect URLRewrite *ir.URLRewrite @@ -785,8 +785,10 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec filterNs := filterContext.Route.GetNamespace() if string(extFilter.Kind) == egv1a1.KindHTTPRouteFilter { + found := false for _, hrf := range resources.HTTPRouteFilters { if hrf.Namespace == filterNs && hrf.Name == string(extFilter.Name) { + found = true if hrf.Spec.URLRewrite != nil { if filterContext.URLRewrite != nil { @@ -846,7 +848,6 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec filterContext.HTTPFilterIR.URLRewrite.Path = &ir.ExtendedHTTPPathModifier{ RegexMatchReplace: rmr, } - return } } else { // no url rewrite filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ @@ -854,7 +855,6 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec RegexMatchReplace: rmr, }, } - return } } } 
@@ -887,22 +887,49 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec if filterContext.HTTPFilterIR.URLRewrite != nil { if filterContext.HTTPFilterIR.URLRewrite.Host == nil { filterContext.HTTPFilterIR.URLRewrite.Host = hm - return } } else { // no url rewrite filterContext.HTTPFilterIR.URLRewrite = &ir.URLRewrite{ Host: hm, } + } + } + + } + + if hrf.Spec.DirectResponse != nil { + dr := &ir.CustomResponse{} + if hrf.Spec.DirectResponse.Body != nil { + var err error + if dr.Body, err = getCustomResponseBody(*hrf.Spec.DirectResponse.Body, resources, filterNs); err != nil { + t.processInvalidHTTPFilter(string(extFilter.Kind), filterContext, err) return } } + if hrf.Spec.DirectResponse.StatusCode != nil { + dr.StatusCode = ptr.To(uint32(*hrf.Spec.DirectResponse.StatusCode)) + } else { + dr.StatusCode = ptr.To(uint32(200)) + } + + if hrf.Spec.DirectResponse.ContentType != nil { + newHeader := ir.AddHeader{ + Name: "Content-Type", + Value: []string{*hrf.Spec.DirectResponse.ContentType}, + } + filterContext.AddResponseHeaders = append(filterContext.AddResponseHeaders, newHeader) + } + + filterContext.HTTPFilterIR.DirectResponse = dr } } } - errMsg := fmt.Sprintf("Unable to translate HTTPRouteFilter: %s/%s", filterNs, - extFilter.Name) - t.processUnresolvedHTTPFilter(errMsg, filterContext) + if !found { + errMsg := fmt.Sprintf("Unable to translate HTTPRouteFilter: %s/%s", filterNs, + extFilter.Name) + t.processUnresolvedHTTPFilter(errMsg, filterContext) + } return } @@ -993,8 +1020,8 @@ func (t *Translator) processUnresolvedHTTPFilter(errMsg string, filterContext *H gwapiv1.RouteReasonUnsupportedValue, errMsg, ) - filterContext.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + filterContext.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } 
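Review bot: `dr.StatusCode = ptr.To(uint32(*hrf.Spec.DirectResponse.StatusCode))` converts the configured value with no range check. If the API field is a signed integer and CRD validation does not bound it (neither is visible in this hunk), a negative value wraps to a large `uint32` and an out-of-range one reaches the IR as is. A guard before the conversion that reports through the existing `t.processInvalidHTTPFilter(string(extFilter.Kind), filterContext, err)` path would fail the route closed with a 500, as the body-lookup error just above already does. The enclosing processExtensionRefHTTPFilter starts outside the hunk.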
@@ -1009,8 +1036,8 @@ func (t *Translator) processUnsupportedHTTPFilter(filterType string, filterConte gwapiv1.RouteReasonUnsupportedValue, errMsg, ) - filterContext.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + filterContext.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } @@ -1025,7 +1052,7 @@ func (t *Translator) processInvalidHTTPFilter(filterType string, filterContext * gwapiv1.RouteReasonUnsupportedValue, errMsg, ) - filterContext.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + filterContext.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index f82158715a5..648aebaeb5c 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -238,8 +238,8 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe for _, ruleRoute := range ruleRoutes { noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 if noValidBackends && ruleRoute.Redirect == nil { - ruleRoute.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + ruleRoute.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } ruleRoute.IsHTTP2 = false @@ -570,8 +570,8 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe for _, ruleRoute := range ruleRoutes { noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 if noValidBackends && ruleRoute.Redirect == nil { - ruleRoute.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + ruleRoute.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } ruleRoute.IsHTTP2 = true diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index c9289bbcfb3..302d5054507 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -406,8 +406,8 @@ func (t *Translator) translateSecurityPolicyForRoute( } if errs != nil { // Return a 500 direct response to avoid unauthorized access - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } } @@ -514,8 +514,8 @@ func (t *Translator) translateSecurityPolicyForGateway( } if errs != nil { // Return a 500 direct response to avoid unauthorized access - r.DirectResponse = &ir.DirectResponse{ - StatusCode: 500, + r.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), } } } diff --git a/internal/gatewayapi/translator.go b/internal/gatewayapi/translator.go index 0f518b71033..23e651b6c69 100644 --- a/internal/gatewayapi/translator.go +++ b/internal/gatewayapi/translator.go @@ -211,7 +211,7 @@ func (t *Translator) Translate(resources *resource.Resources) (*TranslateResult, // Process BackendTrafficPolicies backendTrafficPolicies := t.ProcessBackendTrafficPolicies( - resources.BackendTrafficPolicies, gateways, routes, xdsIR, resources.ConfigMaps) + resources, gateways, routes, xdsIR) // Process SecurityPolicies securityPolicies := t.ProcessSecurityPolicies( diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 00edaf21b57..e10a1ec2987 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -532,7 +532,20 @@ type CustomResponse struct { ContentType *string `json:"contentType,omitempty"` // Body of the Custom Response - Body string `json:"body"` + Body *string `json:"body,omitempty"` + + // StatusCode will be used for the response's status code. + StatusCode *uint32 `json:"statusCode,omitempty"` +} + +// Validate the fields within the CustomResponse structure +func (r *CustomResponse) Validate() error { + var errs error + if status := r.StatusCode; status != nil && (*status > 599 || *status < 100) { + errs = errors.Join(errs, ErrDirectResponseStatusInvalid) + } + + return errs } // HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener. @@ -625,7 +638,7 @@ type HTTPRoute struct { // RemoveResponseHeaders defines a list of headers to be removed from response. RemoveResponseHeaders []string `json:"removeResponseHeaders,omitempty" yaml:"removeResponseHeaders,omitempty"` // Direct responses to be returned for this route. Takes precedence over Destinations and Redirect. - DirectResponse *DirectResponse `json:"directResponse,omitempty" yaml:"directResponse,omitempty"` + DirectResponse *CustomResponse `json:"directResponse,omitempty" yaml:"directResponse,omitempty"` // Redirections to be returned for this route. Takes precedence over Destinations. Redirect *Redirect `json:"redirect,omitempty" yaml:"redirect,omitempty"` // Destination that requests to this HTTPRoute will be mirrored to 
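Review bot: `CustomResponse.Validate` accepts a nil `StatusCode`, but `buildXdsDirectResponseAction` in internal/xds/translator/route.go then leaves `routeAction.Status` at its zero value, so a route-level direct response with no status passes IR validation and reaches xDS as status 0. The translators in this patch always set the pointer, so this only bites IR built elsewhere. Because the type is now shared with response overrides, where the status looks optional, the stricter check probably belongs where `HTTPRoute.DirectResponse` is validated (not visible here), along the lines of `if h.DirectResponse != nil && h.DirectResponse.StatusCode == nil { errs = errors.Join(errs, ErrDirectResponseStatusInvalid) }`. It is also worth confirming the lower bound of 100: as far as I recall, Envoy's direct-response action only accepts 200–599.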
@@ -1361,23 +1374,6 @@ func (h AddHeader) Validate() error { return errs } -// DirectResponse holds the details for returning a body and status code for a route. -// +k8s:deepcopy-gen=true -type DirectResponse struct { - // StatusCode will be used for the direct response's status code. - StatusCode uint32 `json:"statusCode" yaml:"statusCode"` -} - -// Validate the fields within the DirectResponse structure -func (r DirectResponse) Validate() error { - var errs error - if status := r.StatusCode; status > 599 || status < 100 { - errs = errors.Join(errs, ErrDirectResponseStatusInvalid) - } - - return errs -} - // URLRewrite holds the details for how to rewrite a request // +k8s:deepcopy-gen=true type URLRewrite struct { diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index b4593152593..7a81491417d 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -254,8 +254,8 @@ var ( PathMatch: &StringMatch{ Exact: ptr.To("filter-error"), }, - DirectResponse: &DirectResponse{ - StatusCode: uint32(500), + DirectResponse: &CustomResponse{ + StatusCode: ptr.To(uint32(500)), }, } @@ -296,8 +296,8 @@ var ( PathMatch: &StringMatch{ Exact: ptr.To("redirect"), }, - DirectResponse: &DirectResponse{ - StatusCode: uint32(799), + DirectResponse: &CustomResponse{ + StatusCode: ptr.To(uint32(799)), }, } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 111f2661377..9054f99854a 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -610,6 +610,16 @@ func (in *CustomResponse) DeepCopyInto(out *CustomResponse) { *out = new(string) **out = **in } + if in.Body != nil { + in, out := &in.Body, &out.Body + *out = new(string) + **out = **in + } + if in.StatusCode != nil { + in, out := &in.StatusCode, &out.StatusCode + *out = new(uint32) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResponse. 
@@ -779,21 +789,6 @@ func (in *DestinationSetting) DeepCopy() *DestinationSetting { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *DirectResponse) DeepCopyInto(out *DirectResponse) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DirectResponse. -func (in *DirectResponse) DeepCopy() *DirectResponse { - if in == nil { - return nil - } - out := new(DirectResponse) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EnvoyExtensionFeatures) DeepCopyInto(out *EnvoyExtensionFeatures) { *out = *in @@ -1464,8 +1459,8 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { } if in.DirectResponse != nil { in, out := &in.DirectResponse, &out.DirectResponse - *out = new(DirectResponse) - **out = **in + *out = new(CustomResponse) + (*in).DeepCopyInto(*out) } if in.Redirect != nil { in, out := &in.Redirect, &out.Redirect diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index ac106a69f7e..d4681406454 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -1660,6 +1660,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } + if err := addRouteFilterIndexers(ctx, mgr); err != nil { + return err + } + return nil } diff --git a/internal/provider/kubernetes/filters.go b/internal/provider/kubernetes/filters.go index 109c0314dd0..b322950cced 100644 --- a/internal/provider/kubernetes/filters.go +++ b/internal/provider/kubernetes/filters.go 
@@ -9,9 +9,13 @@ import ( "context" "fmt" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/types" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" + "github.com/envoyproxy/gateway/internal/utils" ) func (r *gatewayAPIReconciler) getExtensionRefFilters(ctx context.Context) ([]unstructured.Unstructured, error) { 
@@ -54,3 +58,37 @@ func (r *gatewayAPIReconciler) getHTTPRouteFilters(ctx context.Context) ([]egv1a return httpFilterList.Items, nil } + +// processRouteFilterConfigMapRef adds the referenced ConfigMap in a HTTPRouteFilter +// to the resourceTree +func (r *gatewayAPIReconciler) processRouteFilterConfigMapRef( + ctx context.Context, filter *egv1a1.HTTPRouteFilter, + resourceMap *resourceMappings, resourceTree *resource.Resources, +) { + if filter.Spec.DirectResponse != nil && + filter.Spec.DirectResponse.Body.ValueRef != nil && + string(filter.Spec.DirectResponse.Body.ValueRef.Kind) == resource.KindConfigMap { + configMap := new(corev1.ConfigMap) + err := r.client.Get(ctx, + types.NamespacedName{Namespace: filter.Namespace, Name: string(filter.Spec.DirectResponse.Body.ValueRef.Name)}, + configMap) + // we don't return an error here, because we want to continue + // reconciling the rest of the HTTPRouteFilter despite that this + // reference is invalid. + // This HTTPRouteFilter will be marked as invalid in its status + // when translating to IR because the referenced configmap can't be + // found. + if err != nil { + r.log.Error(err, + "failed to process DirectResponse ValueRef for HTTPRouteFilter", + "filter", filter, "ValueRef", filter.Spec.DirectResponse.Body.ValueRef.Name) + } + + resourceMap.allAssociatedNamespaces.Insert(filter.Namespace) + if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { + resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) + resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) + r.log.Info("processing ConfigMap", "namespace", filter.Namespace, "name", string(filter.Spec.DirectResponse.Body.ValueRef.Name)) + } + } +} diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 2ad12069f98..ab3c098961e 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go 
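Review bot: `processRouteFilterConfigMapRef` dereferences `filter.Spec.DirectResponse.Body.ValueRef` without first checking `Body`, so an HTTPRouteFilter whose direct response has no body would panic the reconciler. `configMapRouteFilterIndexFunc` in indexers.go and the gateway-api translator both treat `Body` as a nilable pointer. The guard should include `filter.Spec.DirectResponse.Body != nil &&`. Separately, when `r.client.Get` fails the function only logs and then still inserts and appends the zero-valued `configMap` to `resourceTree.ConfigMaps`; adding `return` after the `r.log.Error(...)` call keeps the empty object out of the tree and matches the comment about leaving the filter to be marked invalid during translation. Logging the whole `filter` object on that path is also noisier than its namespace and name would be.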
@@ -47,6 +47,7 @@ const ( secretEnvoyExtensionPolicyIndex = "secretEnvoyExtensionPolicyIndex" httpRouteFilterHTTPRouteIndex = "httpRouteFilterHTTPRouteIndex" configMapBtpIndex = "configMapBtpIndex" + configMapHTTPRouteFilterIndex = "configMapHTTPRouteFilterIndex" ) func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error { @@ -672,6 +673,35 @@ func configMapBtpIndexFunc(rawObj client.Object) []string { return configMapReferences } +// addRouteFilterIndexers adds indexing on HTTPRouteFilter, for ConfigMap objects that are +// referenced in HTTPRouteFilter objects. This helps in querying for HTTPRouteFilters that are +// affected by a particular ConfigMap CRUD. +func addRouteFilterIndexers(ctx context.Context, mgr manager.Manager) error { + if err := mgr.GetFieldIndexer().IndexField(ctx, &egv1a1.HTTPRouteFilter{}, + configMapHTTPRouteFilterIndex, configMapRouteFilterIndexFunc); err != nil { + return err + } + return nil +} + +func configMapRouteFilterIndexFunc(rawObj client.Object) []string { + filter := rawObj.(*egv1a1.HTTPRouteFilter) + var configMapReferences []string + if filter.Spec.DirectResponse != nil && + filter.Spec.DirectResponse.Body != nil && + filter.Spec.DirectResponse.Body.ValueRef != nil { + if string(filter.Spec.DirectResponse.Body.ValueRef.Kind) == resource.KindConfigMap { + configMapReferences = append(configMapReferences, + types.NamespacedName{ + Namespace: filter.Namespace, + Name: string(filter.Spec.DirectResponse.Body.ValueRef.Name), + }.String(), + ) + } + } + return configMapReferences +} + // addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are // affected by a particular ConfigMap CRUD. diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index bfdecbd6e24..ae4f63ef3e9 100644 --- a/internal/provider/kubernetes/predicates.go 
+++ b/internal/provider/kubernetes/predicates.go @@ -632,6 +632,18 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return true } + routeFilterList := &egv1a1.HTTPRouteFilterList{} + if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated HTTPRouteFilter") + return false + } + + if len(routeFilterList.Items) > 0 { + return true + } + return false } diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index 74bc1312e58..dcc01631f3b 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -243,9 +243,11 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam if err != nil { return err } + for i := range httpFilters { filter := httpFilters[i] resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter + r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) } extensionRefFilters, err := r.getExtensionRefFilters(ctx) diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go index 1d1bf3a5d2c..e5d48d21bfd 100644 --- a/internal/xds/translator/custom_response.go +++ b/internal/xds/translator/custom_response.go 
@@ -375,12 +375,13 @@ func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) } func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matcher_OnMatch_Action, error) { - response := &policyv3.LocalResponsePolicy{ - Body: &corev3.DataSource{ + response := &policyv3.LocalResponsePolicy{} + if r.Response.Body != nil && *r.Response.Body != "" { + response.Body = &corev3.DataSource{ Specifier: &corev3.DataSource_InlineString{ - InlineString: r.Response.Body, + InlineString: *r.Response.Body, }, - }, + } } if r.Response.ContentType != nil && *r.Response.ContentType != "" { diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index e1d790268dc..3750194fb16 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go @@ -440,8 +440,20 @@ func buildXdsURLRewriteAction(destName string, urlRewrite *ir.URLRewrite, pathMa return routeAction } -func buildXdsDirectResponseAction(res *ir.DirectResponse) *routev3.DirectResponseAction { - routeAction := &routev3.DirectResponseAction{Status: res.StatusCode} +func buildXdsDirectResponseAction(res *ir.CustomResponse) *routev3.DirectResponseAction { + routeAction := &routev3.DirectResponseAction{} + if res.StatusCode != nil { + routeAction.Status = *res.StatusCode + } + + if res.Body != nil && *res.Body != "" { + routeAction.Body = &corev3.DataSource{ + Specifier: &corev3.DataSource_InlineString{ + InlineString: *res.Body, + }, + } + } + return routeAction } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml index e9cff901d3d..405c2372d91 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml @@ -51,6 +51,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 
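Review bot: `buildXdsDirectResponseAction` copies `*res.Body` into an inline `DataSource` with no size check, and after this patch the body can come from a ConfigMap referenced by an HTTPRouteFilter. Envoy caps direct-response bodies per route configuration (`max_direct_response_body_size_bytes`, 4096 by default), so an oversized body is likely to be rejected as part of the whole route configuration rather than just the one route. Unless `getCustomResponseBody` or CRD validation already enforces a limit (neither is visible in this hunk), I would reject over-long bodies in the gateway-api translation step via `processInvalidHTTPFilter`, so the owner of the filter sees the error in its status and other routes on the listener are unaffected.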
diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml index b5244667de9..2355c6504cf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml @@ -47,6 +47,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml index 7c1024879d8..e4e088d349b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml @@ -55,6 +55,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml index fab193fe564..95b4971cd39 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml @@ -55,6 +55,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml index d2458abfce9..b42a839f018 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-types.yaml @@ -179,6 +179,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 
diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml index 40aef558e3e..90e9f0e0c9b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml @@ -59,6 +59,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml index 26f0f5663f8..5169bae040e 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml @@ -68,6 +68,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml index 1cc60f85e0e..1ed5b3aef3c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml @@ -44,6 +44,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml index b5ee8b57dd9..1d8c4b7a338 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml @@ -49,6 +49,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml index 9b4e57fd74f..dded17dd193 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml @@ -50,6 +50,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml index 2bd8aff1b7d..b5cccf6dbab 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml @@ -68,6 +68,3 @@ http: - endpoints: - host: "1.2.3.4" port: 50000 - directResponse: - body: "Unknown custom filter type: UnsupportedType" - statusCode: 500 diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.routes.yaml 
@@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml index ff2210f8d50..084eabe4105 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.routes.yaml 
@@ -13,8 +13,10 @@ sectionName: http name: envoy-gateway/gateway-1/http/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.routes.yaml index b214e8b05a3..d4a7fa5ae20 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.routes.yaml @@ -6,6 +6,8 @@ name: first-listener/* routes: - directResponse: + body: + inlineString: 'Unknown custom filter type: UnsupportedType' status: 500 match: prefix: / 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.routes.yaml index b214e8b05a3..ea343799ac1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.routes.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing.routes.yaml @@ -5,8 +5,10 @@ - '*' name: first-listener/* routes: - - directResponse: - status: 500 - match: + - match: prefix: / name: direct-route + route: + cluster: direct-route-dest + upgradeConfigs: + - upgradeType: websocket From 0b69387dcb504ed9b822f32d2b946690c801ba60 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 24 Oct 2024 06:37:13 -0500 Subject: [PATCH 299/523] fix: disable ALPN for non-HTTP routes (#4460) * fix: disable ALPN for non-HTTP routes Signed-off-by: Guy Daich * use nil array Signed-off-by: Guy Daich * stop using pointer Signed-off-by: Guy Daich * rm omitempty Signed-off-by: Guy Daich * split IR TLS Configs method Signed-off-by: Guy Daich * fix lint Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich --- internal/gatewayapi/helpers.go | 16 ++++++++++++++++ internal/gatewayapi/listener.go | 2 +- .../backendtlspolicy-ca-only-secret.out.yaml | 1 + .../testdata/backendtlspolicy-ca-only.out.yaml | 1 + ...ckendtlspolicy-default-ns-targetrefs.out.yaml | 4 ++++ .../backendtlspolicy-default-ns.out.yaml | 2 ++ .../backendtlspolicy-system-truststore.out.yaml | 1 + .../testdata/clienttrafficpolicy-http3.out.yaml | 1 + ...afficpolicy-mtls-client-verification.out.yaml | 2 ++ ...mtls-forward-client-cert-custom-data.out.yaml | 5 +++++ ...afficpolicy-mtls-forward-client-cert.out.yaml | 5 +++++ .../testdata/clienttrafficpolicy-mtls.out.yaml | 2 ++ ...y-with-extproc-with-backendtlspolicy.out.yaml | 2 ++ ...th-extproc-with-multiple-backendrefs.out.yaml | 2 ++ ...y-with-extproc-with-traffic-features.out.yaml | 2 ++ .../envoyproxy-priority-backend.out.yaml | 2 ++ .../envoyproxy-tls-settings-invalid-ns.out.yaml | 3 +++ .../envoyproxy-tls-settings-invalid.out.yaml | 3 +++ .../testdata/envoyproxy-tls-settings.out.yaml | 3 +++ .../testdata/gateway-infrastructure.out.yaml | 1 + ...-other-namespace-allowed-by-refgrant.out.yaml | 1 + ...r-with-tls-terminate-and-passthrough.out.yaml | 1 + ...n-with-same-algorithm-different-fqdn.out.yaml | 1 + ...ith-valid-multiple-tls-configuration.out.yaml | 1 + ...istener-with-valid-tls-configuration.out.yaml | 1 + .../gateway-with-stale-status-condition.out.yaml | 1 + ...h-two-listeners-with-different-ports.out.yaml | 1 + ...y-with-extauth-with-backendtlspolicy.out.yaml | 2 ++ ...-gateway-with-listener-tls-terminate.out.yaml | 4 ++++ internal/ir/xds.go | 2 +- internal/xds/translator/listener.go | 5 +++-- ...tls-required-client-certificate-disabled.yaml | 1 + .../testdata/in/xds-ir/mutual-tls.yaml | 1 + .../in/xds-ir/tcp-route-tls-terminate.yaml | 2 ++ ...ed-client-certificate-disabled.listeners.yaml | 3 --- .../out/xds-ir/mutual-tls.listeners.yaml | 3 --- .../tcp-route-tls-terminate.listeners.yaml | 6 ------ 
internal/xds/translator/translator.go | 4 ++-- 38 files changed, 82 insertions(+), 18 deletions(-) diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 21cb9142de0..a72054cbee8 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -421,6 +421,7 @@ func irRouteDestinationName(route RouteContext, ruleIdx int) string { return fmt.Sprintf("%srule/%d", irRoutePrefix(route), ruleIdx) } +// irTLSConfigs produces a defaulted IR TLSConfig func irTLSConfigs(tlsSecrets ...*corev1.Secret) *ir.TLSConfig { if len(tlsSecrets) == 0 { return nil @@ -436,6 +437,21 @@ func irTLSConfigs(tlsSecrets ...*corev1.Secret) *ir.TLSConfig { PrivateKey: tlsSecret.Data[corev1.TLSPrivateKeyKey], } } + + return tlsListenerConfigs +} + +// irTLSConfigsForTCPListener creates an IR TLSConfig with defaults appropriate +// for TCP/TLS routes, e.g. disabling ALPN +func irTLSConfigsForTCPListener(tlsSecrets ...*corev1.Secret) *ir.TLSConfig { + tlsListenerConfigs := irTLSConfigs(tlsSecrets...) + + // Envoy Gateway disables ALPN by default for non-HTTPS listeners + // by setting an empty slice instead of a nil slice + if tlsListenerConfigs != nil { + tlsListenerConfigs.ALPNProtocols = []string{} + } + return tlsListenerConfigs } diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 51fd1f74da2..42f24459724 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -138,7 +138,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource // TLS field should be added to TCPListener as ClientTrafficPolicy will affect // Listener TLS. Then TCPRoute whose TLS should be configured as Terminate just // refers to the Listener TLS. - TLS: irTLSConfigs(listener.tlsSecrets...), + TLS: irTLSConfigsForTCPListener(listener.tlsSecrets...), } xdsIR[irKey].TCP = append(xdsIR[irKey].TCP, irListener) case gwapiv1.UDPProtocolType: 
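Review bot: Whether a TLS-terminating TCP listener advertises ALPN now depends on `ALPNProtocols` being an empty non-nil slice rather than nil, and that contract is only mentioned inside the body of `irTLSConfigsForTCPListener`. The regenerated fixtures show the nil case serialised as `alpnProtocols: null`, so any later change that normalises `[]` to nil, or re-adds `omitempty`, would silently restore the default ALPN list on these listeners. I would spell the contract out on `irTLSConfigs` as well, for example `// irTLSConfigs builds the IR TLSConfig from the listener secrets and leaves ALPNProtocols nil, meaning "use the default ALPN protocols"; an empty non-nil slice disables ALPN.` A unit test asserting that the TCP helper returns a non-nil, zero-length slice would pin it down. How the xDS translator reads the two cases is in listener.go, which is outside these hunks.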
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index 0e86f25e41f..a5b87b3fa1f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -156,6 +156,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls/backends-ca diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index e3354747d5e..8489f047341 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -156,6 +156,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls/backends-ca diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 5791f607119..9f4874f90f4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -290,6 +290,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls/default-ca @@ -300,6 +301,7 @@ xdsIR: - host: 2.2.2.2 port: 3443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls/default-ca 
@@ -345,6 +347,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K name: policy-btls/default-ca @@ -355,6 +358,7 @@ xdsIR: - host: 2.2.2.2 port: 3443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls/default-ca 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index d07083f26cf..2e2186879f9 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml 
@@ -251,6 +251,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K name: policy-btls/default-ca 
@@ -261,6 +262,7 @@ xdsIR: - host: 2.2.2.2 port: 3443 tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K name: policy-btls-backend-ip-1/default-ca diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index 8eccc22950c..f91dc4d768e 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -153,6 +153,7 @@ xdsIR: port: 8080 protocol: HTTP tls: + alpnProtocols: null sni: example.com useSystemTrustStore: true weight: 1 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index cd1488caed4..814335baf87 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -169,6 +169,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 3994993966c..4cac0b62d34 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -247,6 +247,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-1/ca.crt @@ -291,6 +292,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-2/ca.crt diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml index 8d030ca0d23..6e47f653078 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml 
@@ -563,6 +563,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-1/ca.crt @@ -615,6 +616,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lVYzQxa3BFOXdLK05IZ1JHdkJJZ3c4U0Nhei84d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdgpiVEFlRncweU5EQXhNall5TXpFMU16RmFGdzB5TlRBeE1qVXlNekUxTXpGYU1DMHhGVEFUQmdOVkJBb01ER1Y0CllXMXdiR1VnU1c1akxqRVVNQklHQTFVRUF3d0xaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURDTGhaNURuQ1ZFNUpKOTd5T29jcFJ3Y2xibDBVd1gzY0krMVpaTmx0bApXNmpSZ3kxR3VONlZyN0NCbUkvbVB0Z0dzOVQ3RE5STWw1Z0pKa05IU1pvbUk2R2p1UDFLVWh1dmxmYlpQV05vCnA0NVQyMzVaODJHZzhPUkpIVDVtbjFRUksrYno5cnVKZnlsZE1NbGljVUp2L1lmdDZ6TlVSeFE3QlU5Y2lHZTEKdE0rVU1TeGtvcDNkb3ZWcHRFTG5rVERKU3d0NWRuK25qNmovR3I5NXo5MC9lMmdqZlZUdG1BckFHM3hoLzJCMQovRDZOWGh3UE16WXJwbG5NM2xPcHh6ZmxPVmdqTVVsb0wxb0k3c202YysyQTE0TmVCclcvb2ZCOVJEN0RXQkhkCjc2aitoY0FXRnN4WW1zSG81T3gvdEZlVGs3R1Jka0hFRUxMV0ZCdllHMEJUQWdNQkFBR2pVekJSTUIwR0ExVWQKRGdRV0JCU3JMYmNRUHBFeCtEdCtoWUUveXJqdDZyT1Y2VEFmQmdOVkhTTUVHREFXZ0JTckxiY1FQcEV4K0R0KwpoWUUveXJqdDZyT1Y2VEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGCjRqbHRxeFZhS1phVk1MN0hOUVN3ZWd5K2daMXhhbHltTU5vN0lwYzh6T3lVVUk0N3dlRWYvcCtua3E4b3hpL20KbUxab2VNU2RYZytnZWJZTU1jVVJndGw5UWZ1RjBhWUNCM0FsQ3hscGRINExrM3VYTlRMUVhKaUxRUlROc0J1LwpMSjZVWXZMRktQd29kdlJLTDhLV0tFZ0xWSm1yVGUzZzhpTDNTU253MDBoV2lldUNkU3N4TmwvNDdUaGdZWHJnCnUxUFJCVXQ1ZytYb1dwVVNPQ01PRldsQkpxd0pZS2ZSQTNFNmZmNDRJVUpzYjdxVUhIQWUxd2ExWURmdUQrVDUKQXQ5L20rTTdHeVc5b0ViU1FzUFRHZllxUDU5UUUrMWllaTZxaUcrN2tuNGlSeEpxaGdtNU41bzg2UVNrME1hegpDejRqVEVLZE52WFlWRmZoNlpxcgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== name: envoy-gateway/target-gateway-2/ca.crt 
@@ -651,6 +653,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lVYzQxa3BFOXdLK05IZ1JHdkJJZ3c4U0Nhei84d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdgpiVEFlRncweU5EQXhNall5TXpFMU16RmFGdzB5TlRBeE1qVXlNekUxTXpGYU1DMHhGVEFUQmdOVkJBb01ER1Y0CllXMXdiR1VnU1c1akxqRVVNQklHQTFVRUF3d0xaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURDTGhaNURuQ1ZFNUpKOTd5T29jcFJ3Y2xibDBVd1gzY0krMVpaTmx0bApXNmpSZ3kxR3VONlZyN0NCbUkvbVB0Z0dzOVQ3RE5STWw1Z0pKa05IU1pvbUk2R2p1UDFLVWh1dmxmYlpQV05vCnA0NVQyMzVaODJHZzhPUkpIVDVtbjFRUksrYno5cnVKZnlsZE1NbGljVUp2L1lmdDZ6TlVSeFE3QlU5Y2lHZTEKdE0rVU1TeGtvcDNkb3ZWcHRFTG5rVERKU3d0NWRuK25qNmovR3I5NXo5MC9lMmdqZlZUdG1BckFHM3hoLzJCMQovRDZOWGh3UE16WXJwbG5NM2xPcHh6ZmxPVmdqTVVsb0wxb0k3c202YysyQTE0TmVCclcvb2ZCOVJEN0RXQkhkCjc2aitoY0FXRnN4WW1zSG81T3gvdEZlVGs3R1Jka0hFRUxMV0ZCdllHMEJUQWdNQkFBR2pVekJSTUIwR0ExVWQKRGdRV0JCU3JMYmNRUHBFeCtEdCtoWUUveXJqdDZyT1Y2VEFmQmdOVkhTTUVHREFXZ0JTckxiY1FQcEV4K0R0KwpoWUUveXJqdDZyT1Y2VEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGCjRqbHRxeFZhS1phVk1MN0hOUVN3ZWd5K2daMXhhbHltTU5vN0lwYzh6T3lVVUk0N3dlRWYvcCtua3E4b3hpL20KbUxab2VNU2RYZytnZWJZTU1jVVJndGw5UWZ1RjBhWUNCM0FsQ3hscGRINExrM3VYTlRMUVhKaUxRUlROc0J1LwpMSjZVWXZMRktQd29kdlJLTDhLV0tFZ0xWSm1yVGUzZzhpTDNTU253MDBoV2lldUNkU3N4TmwvNDdUaGdZWHJnCnUxUFJCVXQ1ZytYb1dwVVNPQ01PRldsQkpxd0pZS2ZSQTNFNmZmNDRJVUpzYjdxVUhIQWUxd2ExWURmdUQrVDUKQXQ5L20rTTdHeVc5b0ViU1FzUFRHZllxUDU5UUUrMWllaTZxaUcrN2tuNGlSeEpxaGdtNU41bzg2UVNrME1hegpDejRqVEVLZE52WFlWRmZoNlpxcgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== name: envoy-gateway/target-gateway-3/ca.crt @@ -689,6 +692,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-4/ca.crt 
@@ -729,6 +733,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-5/ca.crt diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml index 57f75b69a32..8d84753bcea 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml @@ -550,6 +550,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-1/ca.crt @@ -602,6 +603,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-2/ca.crt @@ -636,6 +638,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-3/ca.crt @@ -670,6 +673,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-4/ca.crt 
@@ -704,6 +708,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lVYzQxa3BFOXdLK05IZ1JHdkJJZ3c4U0Nhei84d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0xURVZNQk1HQTFVRUNnd01aWGhoYlhCc1pTQkpibU11TVJRd0VnWURWUVFEREF0bGVHRnRjR3hsTG1OdgpiVEFlRncweU5EQXhNall5TXpFMU16RmFGdzB5TlRBeE1qVXlNekUxTXpGYU1DMHhGVEFUQmdOVkJBb01ER1Y0CllXMXdiR1VnU1c1akxqRVVNQklHQTFVRUF3d0xaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURDTGhaNURuQ1ZFNUpKOTd5T29jcFJ3Y2xibDBVd1gzY0krMVpaTmx0bApXNmpSZ3kxR3VONlZyN0NCbUkvbVB0Z0dzOVQ3RE5STWw1Z0pKa05IU1pvbUk2R2p1UDFLVWh1dmxmYlpQV05vCnA0NVQyMzVaODJHZzhPUkpIVDVtbjFRUksrYno5cnVKZnlsZE1NbGljVUp2L1lmdDZ6TlVSeFE3QlU5Y2lHZTEKdE0rVU1TeGtvcDNkb3ZWcHRFTG5rVERKU3d0NWRuK25qNmovR3I5NXo5MC9lMmdqZlZUdG1BckFHM3hoLzJCMQovRDZOWGh3UE16WXJwbG5NM2xPcHh6ZmxPVmdqTVVsb0wxb0k3c202YysyQTE0TmVCclcvb2ZCOVJEN0RXQkhkCjc2aitoY0FXRnN4WW1zSG81T3gvdEZlVGs3R1Jka0hFRUxMV0ZCdllHMEJUQWdNQkFBR2pVekJSTUIwR0ExVWQKRGdRV0JCU3JMYmNRUHBFeCtEdCtoWUUveXJqdDZyT1Y2VEFmQmdOVkhTTUVHREFXZ0JTckxiY1FQcEV4K0R0KwpoWUUveXJqdDZyT1Y2VEFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGCjRqbHRxeFZhS1phVk1MN0hOUVN3ZWd5K2daMXhhbHltTU5vN0lwYzh6T3lVVUk0N3dlRWYvcCtua3E4b3hpL20KbUxab2VNU2RYZytnZWJZTU1jVVJndGw5UWZ1RjBhWUNCM0FsQ3hscGRINExrM3VYTlRMUVhKaUxRUlROc0J1LwpMSjZVWXZMRktQd29kdlJLTDhLV0tFZ0xWSm1yVGUzZzhpTDNTU253MDBoV2lldUNkU3N4TmwvNDdUaGdZWHJnCnUxUFJCVXQ1ZytYb1dwVVNPQ01PRldsQkpxd0pZS2ZSQTNFNmZmNDRJVUpzYjdxVUhIQWUxd2ExWURmdUQrVDUKQXQ5L20rTTdHeVc5b0ViU1FzUFRHZllxUDU5UUUrMWllaTZxaUcrN2tuNGlSeEpxaGdtNU41bzg2UVNrME1hegpDejRqVEVLZE52WFlWRmZoNlpxcgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== name: envoy-gateway/target-gateway-5/ca.crt diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml index 872ac5b5d17..0ee4643dab6 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml @@ -246,6 +246,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-1/ca.crt @@ -290,6 +291,7 @@ xdsIR: mergeSlashes: true port: 10443 tls: + alpnProtocols: null caCertificate: certificate: 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 name: envoy-gateway/target-gateway-2/ca.crt diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 4bfbd4e7df5..6b9ad5ee281 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -316,6 +316,7 @@ xdsIR: port: 9000 protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc-2/default-ca @@ -353,6 +354,7 @@ xdsIR: - addressType: IP protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc/envoy-gateway-ca diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index b8b810a3d50..021ae6a2cd5 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml 
@@ -313,6 +313,7 @@ xdsIR: - addressType: IP protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc/envoy-gateway-ca @@ -336,6 +337,7 @@ xdsIR: port: 3443 protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-backend-ip/envoy-gateway-ca diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index bae507b4d75..4edde355292 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -342,6 +342,7 @@ xdsIR: - addressType: IP protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc/envoy-gateway-ca @@ -365,6 +366,7 @@ xdsIR: port: 3443 protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-backend-ip/envoy-gateway-ca diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index cdb84b46915..fda9d4ccca9 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -316,6 +316,7 @@ xdsIR: - addressType: IP protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc/envoy-gateway-ca 
@@ -342,6 +343,7 @@ xdsIR: priority: 1 protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-backend-ip/envoy-gateway-ca diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index d5cdc135857..b70ae56fce4 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -276,6 +276,7 @@ xdsIR: namespace: envoy-gateway name: httproute/envoy-gateway/httproute-tls/rule/0/match/-1/* tls: + alpnProtocols: null certificates: - name: envoy-gateway/default-cert privateKey: 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 @@ -314,11 +315,13 @@ xdsIR: name: tcproute/envoy-gateway/envoy-gateway tls: terminate: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 serverCertificate: 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 tls: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index b949e8af176..80c15494330 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -275,6 +275,7 @@ xdsIR: namespace: envoy-gateway name: httproute/envoy-gateway/httproute-tls/rule/0/match/-1/* tls: + alpnProtocols: null certificates: - name: envoy-gateway/default-cert privateKey: 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 
@@ -313,11 +314,13 @@ xdsIR: name: tcproute/envoy-gateway/envoy-gateway tls: terminate: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 serverCertificate: 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 tls: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 2913349045c..137941240af 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -278,6 +278,7 @@ xdsIR: namespace: envoy-gateway name: httproute/envoy-gateway/httproute-tls/rule/0/match/-1/* tls: + alpnProtocols: null certificates: - name: envoy-gateway/default-cert privateKey: 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 @@ -320,11 +321,13 @@ xdsIR: name: tcproute/envoy-gateway/envoy-gateway tls: terminate: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 serverCertificate: 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 tls: + alpnProtocols: [] certificates: - name: envoy-gateway/default-cert privateKey: 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 diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index 2cbe1ecc667..7616aff3b9e 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -150,6 +150,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: default/tls-secret-1 privateKey: 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 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index 73cd302aa02..649a4555722 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -139,6 +139,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: default/tls-secret-1 privateKey: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 465408282d9..9d4d0a7528e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -208,6 +208,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index 44d08629515..cb443c09c8b 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml 
@@ -141,6 +141,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-ecdsa-1 privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index 8db9361d4be..754923d89fe 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml 
@@ -141,6 +141,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2
lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index 9bcaa10ec80..5b692e70ab2 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -138,6 +138,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index cedcb828721..10f483e7293 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml 
@@ -138,6 +138,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: default/tls-secret-1 privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1
M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index 228a1d80a2a..bec756628f7 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -209,6 +209,7 @@ xdsIR: name: "" prefix: / tls: + alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index ac1b52a58ea..7c4b2ce2739 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -330,6 +330,7 @@ xdsIR: port: 9000 protocol: GRPC tls: + alpnProtocols: null caCertificate: certificate: 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 name: policy-btls-grpc/default-ca 
@@ -373,6 +374,7 @@ xdsIR: port: 80 protocol: HTTP tls: + alpnProtocols: null caCertificate: certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K name: policy-btls-http/envoy-gateway-ca diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index 52e3a0563e9..7a4f2288ace 100644 
--- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml @@ -182,11 +182,13 @@ xdsIR: name: tcproute/default/tcproute-1 tls: terminate: + alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 serverCertificate: 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 tls: + alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 @@ -210,11 +212,13 @@ xdsIR: snis: - foo.bar.com terminate: + alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 serverCertificate: 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 tls: + alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 privateKey: 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 diff --git a/internal/ir/xds.go b/internal/ir/xds.go index e10a1ec2987..65bd87c050b 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -351,7 +351,7 @@ type TLSConfig struct { // SignatureAlgorithms supported by this listener SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty" yaml:"signatureAlgorithms,omitempty"` // ALPNProtocols exposed by this listener - ALPNProtocols []string `json:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty"` + ALPNProtocols []string `json:"alpnProtocols" yaml:"alpnProtocols"` // StatelessSessionResumption determines if stateless (session-ticket based) session resumption is enabled StatelessSessionResumption bool `json:"statelessSessionResumption,omitempty" yaml:"statelessSessionResumption,omitempty"` // StatefulSessionResumption determines if stateful (session-id based) session resumption is enabled 
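Review bot: The comment on `ALPNProtocols` in `TLSConfig` (internal/ir/xds.go) still reads `// ALPNProtocols exposed by this listener`, but dropping `omitempty` makes the field a three-state value that the comment does not describe. Going by the `buildALPNProtocols` hunk further down, nil selects the default `h2`/`http/1.1` list while an empty non-nil slice means no ALPN is set, and the testdata now carries that difference as `null` versus `[]`. I would extend the comment to `// ALPNProtocols exposed by this listener. nil means the default (h2, http/1.1); an empty non-nil slice means no ALPN is advertised.` so that later code which copies or rebuilds the struct does not collapse one state into the other. The struct starts and ends outside the hunk.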
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index dda639f9f2f..55336c5b136 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -736,11 +736,12 @@ func buildTLSVersion(version *ir.TLSVersion) tlsv3.TlsParameters_TlsProtocol { } func buildALPNProtocols(alpn []string) []string { - if len(alpn) == 0 { + if alpn == nil { // not set - default to h2 and http/1.1 out := []string{"h2", "http/1.1"} return out + } else { + return alpn } - return alpn } func buildXdsTLSCertSecret(tlsConfig ir.TLSCertificate) *tlsv3.Secret { diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml index 67b17e8158b..61f67998deb 100644 --- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml @@ -52,6 +52,7 @@ tcp: - name: "tls-route-terminate" tls: terminate: + alpnProtocols: [] certificates: - name: secret-3 # byte slice representation of "key-data" diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml index ff96a528eaa..01103c9e5ec 100644 --- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml @@ -52,6 +52,7 @@ tcp: - name: "tls-route-terminate" tls: terminate: + alpnProtocols: [] certificates: - name: secret-3 # byte slice representation of "key-data" diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml index 4e5be724781..2acfdc391ea 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml 
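Review bot: In `buildALPNProtocols` (internal/xds/translator/listener.go) the new `else { return alpn }` follows a branch that already returns, so it is redundant, and nothing documents that nil and empty inputs are now treated differently. I would write the body as `if alpn == nil { return []string{"h2", "http/1.1"} }` followed by `return alpn`, and add a doc comment such as `// buildALPNProtocols returns the default h2 and http/1.1 list when alpn is nil; an empty non-nil slice is returned unchanged, so no ALPN is advertised.`. The TLS-terminate listener outputs in this commit lose their `alpnProtocols` block, so the negotiated protocol set depends on every caller preserving the nil/empty distinction.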
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml @@ -6,6 +6,7 @@ tcp: - name: "tls-route-terminate" tls: terminate: + alpnProtocols: [] certificates: - Name: envoy-gateway-tls-secret-1 PrivateKey: 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 @@ -27,6 +28,7 @@ tcp: - "*.envoyproxy.io" - "example.com" terminate: + alpnProtocols: [] certificates: - Name: envoy-gateway-tls-secret-1 PrivateKey: 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 diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index e945b5d9221..bae66f2ff21 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml @@ -74,9 +74,6 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 tlsCertificateSdsSecretConfigs: - name: secret-3 sdsConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index fc572910c06..cdb0e351dec 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -74,9 +74,6 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 tlsCertificateSdsSecretConfigs: - name: secret-3 sdsConfig: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index 10df3db202c..b3f30d194ed 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -15,9 +15,6 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 tlsCertificateSdsSecretConfigs: - name: envoy-gateway-tls-secret-1 sdsConfig: @@ -41,9 +38,6 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext commonTlsContext: - alpnProtocols: - - h2 - - http/1.1 tlsCertificateSdsSecretConfigs: - name: envoy-gateway-tls-secret-1 sdsConfig: diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 67878736f26..0a75136aa44 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -896,8 +896,8 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. tlsCtx.CommonTlsContext.TlsParams = tlsParams } - if len(tlsConfig.ALPNProtocols) > 0 { - tlsCtx.CommonTlsContext.AlpnProtocols = buildALPNProtocols(tlsConfig.ALPNProtocols) + if tlsConfig.ALPNProtocols != nil { + tlsCtx.CommonTlsContext.AlpnProtocols = tlsConfig.ALPNProtocols } if len(tlsConfig.ClientCertificates) > 0 { From bc3df034bf18f4fef77fe7052270d51f33015545 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 25 Oct 2024 04:59:12 +0800 Subject: [PATCH 300/523] chore: share UnitToDuration logic (#4510) * chore: share UnitToDuration logic Signed-off-by: zirain * lint Signed-off-by: zirain --------- 
Signed-off-by: zirain --- internal/gatewayapi/backendtrafficpolicy.go | 21 ++---------- internal/utils/ratelimit/unit.go | 36 +++++++++++++++++++++ internal/xds/translator/local_ratelimit.go | 24 ++------------ 3 files changed, 42 insertions(+), 39 deletions(-) create mode 100644 internal/utils/ratelimit/unit.go diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 3069ef5cc50..7a7cd1369b3 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -25,6 +25,7 @@ import ( "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" + "github.com/envoyproxy/gateway/internal/utils/ratelimit" "github.com/envoyproxy/gateway/internal/utils/regex" ) @@ -642,9 +643,9 @@ func (t *Translator) buildLocalRateLimit(policy *egv1a1.BackendTrafficPolicy) (* // Validate that the rule limit unit is a multiple of the default limit unit. // This is required by Envoy local rateLimit implementation. // see https://github.com/envoyproxy/envoy/blob/6d9a6e995f472526de2b75233abca69aa00021ed/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.cc#L49 - defaultLimitUnit := ratelimitUnitToDuration(egv1a1.RateLimitUnit(defaultLimit.Unit)) + defaultLimitUnit := ratelimit.UnitToSeconds(egv1a1.RateLimitUnit(defaultLimit.Unit)) for _, rule := range local.Rules { - ruleLimitUint := ratelimitUnitToDuration(rule.Limit.Unit) + ruleLimitUint := ratelimit.UnitToSeconds(rule.Limit.Unit) if defaultLimitUnit == 0 || ruleLimitUint%defaultLimitUnit != 0 { return nil, fmt.Errorf("local rateLimit rule limit unit must be a multiple of the default limit unit") } 
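Review bot: In `buildLocalRateLimit` (internal/gatewayapi/backendtrafficpolicy.go) the divisibility check guards `defaultLimitUnit == 0` but not `ruleLimitUint == 0`, and `ratelimit.UnitToSeconds` returns 0 for any unit its switch does not list. For a rule with such a unit the remainder is 0, so the rule passes validation and would later be translated with a zero fill interval. Whether an unrecognised unit can reach this code depends on API validation that is not visible here, but the check is cheap to tighten: `if defaultLimitUnit == 0 || ruleLimitUint == 0 || ruleLimitUint%defaultLimitUnit != 0 {`. The function body starts and ends outside the hunk.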
@@ -788,22 +789,6 @@ func buildRateLimitRule(rule egv1a1.RateLimitRule) (*ir.RateLimitRule, error) { return irRule, nil } -func ratelimitUnitToDuration(unit egv1a1.RateLimitUnit) int64 { - var seconds int64 - - switch unit { - case egv1a1.RateLimitUnitSecond: - seconds = 1 - case egv1a1.RateLimitUnitMinute: - seconds = 60 - case egv1a1.RateLimitUnitHour: - seconds = 60 * 60 - case egv1a1.RateLimitUnitDay: - seconds = 60 * 60 * 24 - } - return seconds -} - func int64ToUint32(in int64) (uint32, bool) { if in >= 0 && in <= math.MaxUint32 { return uint32(in), true diff --git a/internal/utils/ratelimit/unit.go b/internal/utils/ratelimit/unit.go new file mode 100644 index 00000000000..94c8c7f6fbe --- /dev/null +++ b/internal/utils/ratelimit/unit.go @@ -0,0 +1,36 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package ratelimit + +import ( + "google.golang.org/protobuf/types/known/durationpb" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" +) + +func UnitToSeconds(unit egv1a1.RateLimitUnit) int64 { + var seconds int64 + + switch unit { + case egv1a1.RateLimitUnitSecond: + seconds = 1 + case egv1a1.RateLimitUnitMinute: + seconds = 60 + case egv1a1.RateLimitUnitHour: + seconds = 60 * 60 + case egv1a1.RateLimitUnitDay: + seconds = 60 * 60 * 24 + } + return seconds +} + +func UnitToDuration(unit ir.RateLimitUnit) *durationpb.Duration { + seconds := UnitToSeconds(egv1a1.RateLimitUnit(unit)) + return &durationpb.Duration{ + Seconds: seconds, + } +} diff --git a/internal/xds/translator/local_ratelimit.go b/internal/xds/translator/local_ratelimit.go index ba330e22034..ea3c4351629 100644 --- a/internal/xds/translator/local_ratelimit.go +++ b/internal/xds/translator/local_ratelimit.go 
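Review bot: The exported `UnitToSeconds` and `UnitToDuration` in the new internal/utils/ratelimit/unit.go have no doc comments, and the zero result for an unlisted unit is left as an implicit contract. I would add `// UnitToSeconds returns the length of unit in seconds, or 0 when the unit is not recognised; callers must treat 0 as invalid.` and `// UnitToDuration converts unit to a protobuf Duration; an unrecognised unit yields a zero Duration.`. `UnitToDuration` also converts `ir.RateLimitUnit` to `egv1a1.RateLimitUnit` without a check, so a short comment stating that the two types are expected to share the same values would help the next reader.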
@@ -16,11 +16,11 @@ import ( hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "google.golang.org/protobuf/types/known/anypb" - "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/ratelimit" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -151,7 +151,7 @@ func (*localRateLimit) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) e TokensPerFill: &wrapperspb.UInt32Value{ Value: uint32(local.Default.Requests), }, - FillInterval: ratelimitUnitToDuration(local.Default.Unit), + FillInterval: ratelimit.UnitToDuration(local.Default.Unit), }, FilterEnabled: &configv3.RuntimeFractionalPercent{ DefaultValue: &typev3.FractionalPercent{ @@ -281,7 +281,7 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) ( TokensPerFill: &wrapperspb.UInt32Value{ Value: uint32(rule.Limit.Requests), }, - FillInterval: ratelimitUnitToDuration(rule.Limit.Unit), + FillInterval: ratelimit.UnitToDuration(rule.Limit.Unit), }, } descriptors = append(descriptors, descriptor) @@ -289,21 +289,3 @@ func buildRouteLocalRateLimits(local *ir.LocalRateLimit) ( return rateLimits, descriptors, nil } - -func ratelimitUnitToDuration(unit ir.RateLimitUnit) *durationpb.Duration { - var seconds int64 - - switch egv1a1.RateLimitUnit(unit) { - case egv1a1.RateLimitUnitSecond: - seconds = 1 - case egv1a1.RateLimitUnitMinute: - seconds = 60 - case egv1a1.RateLimitUnitHour: - seconds = 60 * 60 - case egv1a1.RateLimitUnitDay: - seconds = 60 * 60 * 24 - } - return &durationpb.Duration{ - Seconds: seconds, - } -} From 7886ff7de98dc74f98d539d0c50c379a2d1d9deb Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 25 Oct 2024 04:59:35 +0800 Subject: [PATCH 301/523] e2e: incr timeout (#4512) 
Signed-off-by: zirain --- tools/make/kube.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 91c1580ab2d..430084dc544 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -22,7 +22,7 @@ BENCHMARK_REPORT_DIR ?= benchmark_report E2E_RUN_TEST ?= E2E_CLEANUP ?= true -E2E_TEST_ARGS ?= -v -tags e2e -timeout 15m +E2E_TEST_ARGS ?= -v -tags e2e -timeout 20m # Set Kubernetes Resources Directory Path ifeq ($(origin KUBE_PROVIDER_DIR),undefined) From c24ceb1f2ffe3b9d448def5932d1c53db8bb7516 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 25 Oct 2024 05:00:28 +0800 Subject: [PATCH 302/523] chore: refactor byNamespaceSelectorEnabled (#4513) Signed-off-by: zirain --- internal/provider/kubernetes/controller.go | 26 +++++++++++++++------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index d4681406454..06d9dc39a0d 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -87,13 +87,6 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater } } - byNamespaceSelector := cfg.EnvoyGateway.Provider != nil && - cfg.EnvoyGateway.Provider.Kubernetes != nil && - cfg.EnvoyGateway.Provider.Kubernetes.Watch != nil && - cfg.EnvoyGateway.Provider.Kubernetes.Watch.Type == egv1a1.KubernetesWatchModeTypeNamespaceSelector && - (cfg.EnvoyGateway.Provider.Kubernetes.Watch.NamespaceSelector.MatchLabels != nil || - len(cfg.EnvoyGateway.Provider.Kubernetes.Watch.NamespaceSelector.MatchExpressions) > 0) - r := &gatewayAPIReconciler{ client: mgr.GetClient(), log: cfg.Logger, 
@@ -108,7 +101,7 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater extServerPolicies: extServerPoliciesGVKs, } - if byNamespaceSelector { + if byNamespaceSelectorEnabled(cfg.EnvoyGateway) { r.namespaceLabel = cfg.EnvoyGateway.Provider.Kubernetes.Watch.NamespaceSelector } @@ -131,6 +124,23 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater return nil } +func byNamespaceSelectorEnabled(eg *egv1a1.EnvoyGateway) bool { + if eg.Provider == nil || + eg.Provider.Kubernetes == nil || + eg.Provider.Kubernetes.Watch == nil { + return false + } + + watch := eg.Provider.Kubernetes.Watch + switch watch.Type { + case egv1a1.KubernetesWatchModeTypeNamespaceSelector: + // Make sure that the namespace selector has at least one label or expression is set. + return watch.NamespaceSelector.MatchLabels != nil || len(watch.NamespaceSelector.MatchExpressions) > 0 + default: + return false + } +} + // Reconcile handles reconciling all resources in a single call. Any resource event should enqueue the // same reconcile.Request containing the gateway controller name. This allows multiple resource updates to // be handled by a single call to Reconcile. The reconcile.Request DOES NOT map to a specific resource. From d7849d7d2ef2c24068bd05d3c85d5876988d7e38 Mon Sep 17 00:00:00 2001 From: Kevin Date: Fri, 25 Oct 2024 08:22:09 +0900 Subject: [PATCH 303/523] feat: add ipv4/ipv6 dual stack support (#4375) * feat: dualstack support 
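Review bot: In `byNamespaceSelectorEnabled` (internal/provider/kubernetes/controller.go) the test `watch.NamespaceSelector.MatchLabels != nil` does not match the comment above it, because an empty non-nil `MatchLabels` map with no expressions still returns true. If this is a standard Kubernetes label selector, an empty one selects everything, so the controller's watch scope could end up wider than the namespace-selector mode suggests. Using `return len(watch.NamespaceSelector.MatchLabels) > 0 || len(watch.NamespaceSelector.MatchExpressions) > 0` makes both halves consistent. The hunk does not show whether `NamespaceSelector` is a pointer; if it is, a nil guard belongs next to the `Watch == nil` check, since the field is dereferenced here and assigned to `r.namespaceLabel` by the caller.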
Signed-off-by: Juwon Hwang (Kevin) --- api/v1alpha1/backend_types.go | 9 +- api/v1alpha1/envoyproxy_types.go | 25 +++ api/v1alpha1/zz_generated.deepcopy.go | 5 + .../gateway.envoyproxy.io_backends.yaml | 15 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 14 ++ internal/cmd/egctl/validate_test.go | 2 +- internal/gatewayapi/backend.go | 9 +- internal/gatewayapi/helpers.go | 18 ++ internal/gatewayapi/listener.go | 11 +- internal/gatewayapi/resource/resource_test.go | 77 ++++++++ internal/gatewayapi/route_test.go | 179 ++++++++++++++++++ internal/gatewayapi/status/gateway_test.go | 64 +++++++ internal/ir/xds.go | 12 ++ internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/cluster.go | 8 +- internal/xds/translator/listener.go | 38 +++- .../in/xds-ir/tcp-listener-ipfamily.yaml | 13 ++ .../tcp-listener-ipfamily.clusters.yaml | 17 ++ .../tcp-listener-ipfamily.endpoints.yaml | 18 ++ .../tcp-listener-ipfamily.listeners.yaml | 19 ++ .../xds-ir/tcp-listener-ipfamily.routes.yaml | 1 + internal/xds/translator/translator.go | 4 +- site/content/en/latest/api/extension_types.md | 23 ++- site/content/zh/latest/api/extension_types.md | 23 ++- test/cel-validation/backend_test.go | 8 +- test/e2e/testdata/backend-dualstack.yaml | 166 ++++++++++++++++ test/e2e/testdata/httproute-dualstack.yaml | 121 ++++++++++++ test/e2e/tests/backend_dualstack.go | 73 +++++++ test/e2e/tests/httproute_dualstack.go | 73 +++++++ 29 files changed, 1013 insertions(+), 37 deletions(-) create mode 100644 internal/gatewayapi/route_test.go create mode 100644 internal/xds/translator/testdata/in/xds-ir/tcp-listener-ipfamily.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.routes.yaml create mode 100644 test/e2e/testdata/backend-dualstack.yaml create mode 100644 test/e2e/testdata/httproute-dualstack.yaml create mode 100644 test/e2e/tests/backend_dualstack.go create mode 100644 test/e2e/tests/httproute_dualstack.go diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go index bb407981af8..563bb5d2019 100644 --- a/api/v1alpha1/backend_types.go +++ b/api/v1alpha1/backend_types.go @@ -58,7 +58,7 @@ type BackendEndpoint struct { // +optional FQDN *FQDNEndpoint `json:"fqdn,omitempty"` - // IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. + // IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. // // +optional IP *IPEndpoint `json:"ip,omitempty"` @@ -73,10 +73,11 @@ type BackendEndpoint struct { // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress type IPEndpoint struct { // Address defines the IP address of the backend endpoint. + // Supports both IPv4 and IPv6 addresses. // - // +kubebuilder:validation:MinLength=7 - // +kubebuilder:validation:MaxLength=15 - // +kubebuilder:validation:Pattern=`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` + // +kubebuilder:validation:MinLength=3 + // +kubebuilder:validation:MaxLength=45 + // +kubebuilder:validation:Pattern=`^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$` Address string `json:"address"` // Port defines the port of the backend endpoint. diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go index 4bf7920f624..cbf2c9226d0 100644 --- a/api/v1alpha1/envoyproxy_types.go +++ b/api/v1alpha1/envoyproxy_types.go 
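Review bot: The IPv6 half of the new `+kubebuilder:validation:Pattern` on `IPEndpoint.Address` (api/v1alpha1/backend_types.go) does not describe IPv6 syntax accurately. It admits strings that are not addresses, such as `1:2` (constructed example), and rejects valid compressed forms with more than two groups after `::`, such as `2001:db8::1:2:3` (constructed example). The `netip.ParseAddr` call in `validateBackend` still catches the invalid ones, so the pattern is only a coarse filter, but valid backends refused at admission would be a functional gap. I would either widen the pattern to cover the compressed forms or say so in the field comment, for example `// The pattern is a coarse filter; the address is parsed and validated again during translation.`.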
@@ -136,6 +136,17 @@ type EnvoyProxySpec struct { // These settings are applied on backends for which TLS policies are specified. // +optional BackendTLS *BackendTLSConfig `json:"backendTLS,omitempty"` + + // IPFamily specifies the IP family for the EnvoyProxy fleet. + // This setting only affects the Gateway listener port and does not impact + // other aspects of the Envoy proxy configuration. + // If not specified, the system will operate as follows: + // - It defaults to IPv4 only. + // - IPv6 and dual-stack environments are not supported in this default configuration. + // Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. + // +kubebuilder:validation:Enum=IPv4;IPv6;DualStack + // +optional + IPFamily *IPFamily `json:"ipFamily,omitempty"` } // RoutingType defines the type of routing of this Envoy proxy. @@ -415,6 +426,20 @@ type EnvoyProxyList struct { Items []EnvoyProxy `json:"items"` } +// IPFamily defines the IP family to use for the Envoy proxy. +type IPFamily string + +const ( + // IPv4 defines the IPv4 family. + IPv4 IPFamily = "IPv4" + // IPv6 defines the IPv6 family. + IPv6 IPFamily = "IPv6" + // DualStack defines the dual-stack family. + // When set to DualStack, Envoy proxy will listen on both IPv4 and IPv6 addresses + // for incoming client traffic, enabling support for both IP protocol versions. + DualStack IPFamily = "DualStack" +) + func init() { SchemeBuilder.Register(&EnvoyProxy{}, &EnvoyProxyList{}) } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index f2cf9072fa6..321a143df9c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -2065,6 +2065,11 @@ func (in *EnvoyProxySpec) DeepCopyInto(out *EnvoyProxySpec) { *out = new(BackendTLSConfig) (*in).DeepCopyInto(*out) } + if in.IPFamily != nil { + in, out := &in.IPFamily, &out.IPFamily + *out = new(IPFamily) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyProxySpec. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index be16ceff86f..7d0da8385be 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -93,15 +93,16 @@ spec: - port type: object ip: - description: IP defines an IP endpoint. Currently, only IPv4 - Addresses are supported. + description: IP defines an IP endpoint. Supports both IPv4 and + IPv6 addresses. properties: address: - description: Address defines the IP address of the backend - endpoint. - maxLength: 15 - minLength: 7 - pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ + description: |- + Address defines the IP address of the backend endpoint. + Supports both IPv4 and IPv6 addresses. + maxLength: 45 + minLength: 3 + pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$ type: string port: description: Port defines the port of the backend endpoint. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 0733ed112b6..4277092874a 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -382,6 +382,20 @@ spec: rule: (has(self.before) && !has(self.after)) || (!has(self.before) && has(self.after)) type: array + ipFamily: + description: |- + IPFamily specifies the IP family for the EnvoyProxy fleet. + This setting only affects the Gateway listener port and does not impact + other aspects of the Envoy proxy configuration. + If not specified, the system will operate as follows: + - It defaults to IPv4 only. + - IPv6 and dual-stack environments are not supported in this default configuration. + Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. + enum: + - IPv4 + - IPv6 + - DualStack + type: string logging: default: level: diff --git a/internal/cmd/egctl/validate_test.go b/internal/cmd/egctl/validate_test.go index c71342e0fcb..bbb18605e12 100644 --- a/internal/cmd/egctl/validate_test.go +++ b/internal/cmd/egctl/validate_test.go @@ -56,7 +56,7 @@ metadata: namespace: default spec: ... -local validation error: Backend.gateway.envoyproxy.io "backend-1" is invalid: spec.endpoints[0].ip.address: Invalid value: "a.b.c.d": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' +local validation error: Backend.gateway.envoyproxy.io "backend-1" is invalid: spec.endpoints[0].ip.address: Invalid value: "a.b.c.d": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$' apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend diff --git a/internal/gatewayapi/backend.go b/internal/gatewayapi/backend.go index 8c9f20f69d5..6b9bb095714 100644 --- a/internal/gatewayapi/backend.go +++ b/internal/gatewayapi/backend.go 
@@ -58,13 +58,8 @@ func validateBackend(backend *egv1a1.Backend) error { ip, err := netip.ParseAddr(ep.IP.Address) if err != nil { return fmt.Errorf("IP address %s is invalid", ep.IP.Address) - } else { - if !ip.Is4() { - return fmt.Errorf("IP address %s is not IPv4", ep.IP.Address) - } - if ip.IsLoopback() { - return fmt.Errorf("IP address %s in the loopback range is not supported", ep.IP.Address) - } + } else if ip.IsLoopback() { + return fmt.Errorf("IP address %s in the loopback range is not supported", ep.IP.Address) } } } diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index a72054cbee8..1c1ecee7672 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -608,3 +608,21 @@ func setIfNil[T any](target **T, value *T) { *target = value } } + +func getIPFamily(envoyProxy *egv1a1.EnvoyProxy) *ir.IPFamily { + if envoyProxy == nil || envoyProxy.Spec.IPFamily == nil { + return nil + } + var result ir.IPFamily + switch *envoyProxy.Spec.IPFamily { + case egv1a1.IPv4: + result = ir.IPv4 + case egv1a1.IPv6: + result = ir.IPv6 + case egv1a1.DualStack: + result = ir.Dualstack + default: + return nil + } + return &result +} diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 42f24459724..30e75ad6197 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -110,6 +110,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource Address: "0.0.0.0", Port: uint32(containerPort), Metadata: buildListenerMetadata(listener, gateway), + IPFamily: getIPFamily(gateway.envoyProxy), }, TLS: irTLSConfigs(listener.tlsSecrets...), Path: ir.PathSettings{ 
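Review bot: In `validateBackend` (internal/gatewayapi/backend.go) removing the `Is4()` restriction leaves `ip.IsLoopback()` as the only address-class check, and it now runs on IPv6 input as well. IPv4-mapped IPv6 addresses parse successfully, and whether netip's `Is*` helpers unmap them first has depended on the Go toolchain version, so I would normalise explicitly before the check: `if ip = ip.Unmap(); ip.IsLoopback() {`. It is also worth deciding whether `ip.IsUnspecified()` should be refused in the same branch. The `else` after the returning `if err != nil` branch can be dropped at the same time; the function continues outside the hunk.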
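Review bot: In `ProcessListeners` (internal/gatewayapi/listener.go) the HTTP branch sets `IPFamily: getIPFamily(gateway.envoyProxy)` in the `CoreListenerDetails` literal, and the next hunk (`@@ -117,6 +118,9 @@`) assigns the same value again inside `if ipFamily := getIPFamily(gateway.envoyProxy); ipFamily != nil {`. The second assignment has no effect, since a nil result is already what the literal stored, and the TCP branch sets the field only once. I would drop the three added lines of that `if` block. `Address` stays `"0.0.0.0"` in both branches, so a short comment saying that the bind address is derived from `IPFamily` later would help, assuming the xDS translator is where that happens.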
@@ -117,6 +118,9 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource EscapedSlashesAction: ir.UnescapeAndRedirect, }, } + if ipFamily := getIPFamily(gateway.envoyProxy); ipFamily != nil { + irListener.CoreListenerDetails.IPFamily = ipFamily + } if listener.Hostname != nil { irListener.Hostnames = append(irListener.Hostnames, string(*listener.Hostname)) } else { @@ -129,9 +133,10 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource case gwapiv1.TCPProtocolType, gwapiv1.TLSProtocolType: irListener := &ir.TCPListener{ CoreListenerDetails: ir.CoreListenerDetails{ - Name: irListenerName(listener), - Address: "0.0.0.0", - Port: uint32(containerPort), + Name: irListenerName(listener), + Address: "0.0.0.0", + Port: uint32(containerPort), + IPFamily: getIPFamily(gateway.envoyProxy), }, // Gateway is processed firstly, then ClientTrafficPolicy, then xRoute. diff --git a/internal/gatewayapi/resource/resource_test.go b/internal/gatewayapi/resource/resource_test.go index 3255cb6b07e..00e39d5db45 100644 --- a/internal/gatewayapi/resource/resource_test.go +++ b/internal/gatewayapi/resource/resource_test.go @@ -9,7 +9,9 @@ import ( "testing" "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + discoveryv1 "k8s.io/api/discovery/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) 
@@ -123,3 +125,78 @@ func TestEqualXds(t *testing.T) { }) } } + +func TestGetEndpointSlicesForBackendDualStack(t *testing.T) { + // Test data setup + dualStackService := &discoveryv1.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Name: "dual-stack-service", + Namespace: "default", + Labels: map[string]string{ + discoveryv1.LabelServiceName: "my-dual-stack-service", + }, + }, + AddressType: discoveryv1.AddressTypeIPv4, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"192.0.2.1"}, + }, + { + Addresses: []string{"192.0.2.2"}, + }, + }, + } + + dualStackServiceIPv6 := &discoveryv1.EndpointSlice{ + ObjectMeta: metav1.ObjectMeta{ + Name: "dual-stack-service-ipv6", + Namespace: "default", + Labels: map[string]string{ + discoveryv1.LabelServiceName: "my-dual-stack-service", + }, + }, + AddressType: discoveryv1.AddressTypeIPv6, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"2001:db8::1"}, + }, + { + Addresses: []string{"2001:db8::2"}, + }, + }, + } + + resources := &Resources{ + EndpointSlices: []*discoveryv1.EndpointSlice{dualStackService, dualStackServiceIPv6}, + } + + t.Run("Dual Stack Service", func(t *testing.T) { + result := resources.GetEndpointSlicesForBackend("default", "my-dual-stack-service", KindService) + + assert.Len(t, result, 2, "Expected 2 EndpointSlices for dual-stack service") + + var ipv4Slice, ipv6Slice *discoveryv1.EndpointSlice + for _, slice := range result { + if slice.AddressType == discoveryv1.AddressTypeIPv4 { + ipv4Slice = slice + } else if slice.AddressType == discoveryv1.AddressTypeIPv6 { + ipv6Slice = slice + } + } + + assert.NotNil(t, ipv4Slice, "Expected to find an IPv4 EndpointSlice") + assert.NotNil(t, ipv6Slice, "Expected to find an IPv6 EndpointSlice") + + if ipv4Slice != nil { + assert.Len(t, ipv4Slice.Endpoints, 2, "Expected 2 IPv4 endpoints") + assert.Equal(t, "192.0.2.1", ipv4Slice.Endpoints[0].Addresses[0], "Unexpected IPv4 address") + assert.Equal(t, "192.0.2.2", 
ipv4Slice.Endpoints[1].Addresses[0], "Unexpected IPv4 address") + } + + if ipv6Slice != nil { + assert.Len(t, ipv6Slice.Endpoints, 2, "Expected 2 IPv6 endpoints") + assert.Equal(t, "2001:db8::1", ipv6Slice.Endpoints[0].Addresses[0], "Unexpected IPv6 address") + assert.Equal(t, "2001:db8::2", ipv6Slice.Endpoints[1].Addresses[0], "Unexpected IPv6 address") + } + }) +} diff --git a/internal/gatewayapi/route_test.go b/internal/gatewayapi/route_test.go new file mode 100644 index 00000000000..dd850f29049 --- /dev/null +++ b/internal/gatewayapi/route_test.go 
@@ -0,0 +1,179 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package gatewayapi + +import ( + "fmt" + "testing" + + corev1 "k8s.io/api/core/v1" + discoveryv1 "k8s.io/api/discovery/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + + "github.com/envoyproxy/gateway/internal/ir" +) + +func TestGetIREndpointsFromEndpointSlices(t *testing.T) { + tests := []struct { + name string + endpointSlices []*discoveryv1.EndpointSlice + portName string + portProtocol corev1.Protocol + expectedEndpoints int + expectedAddrType ir.DestinationAddressType + }{ + { + name: "All IP endpoints", + endpointSlices: []*discoveryv1.EndpointSlice{ + { + ObjectMeta: metav1.ObjectMeta{Name: "slice1"}, + AddressType: discoveryv1.AddressTypeIPv4, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"192.0.2.1"}}, + {Addresses: []string{"192.0.2.2"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{Name: "slice2"}, + AddressType: discoveryv1.AddressTypeIPv6, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"2001:db8::1"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + }, + portName: "http", + portProtocol: corev1.ProtocolTCP, + expectedEndpoints: 3, + expectedAddrType: ir.IP, + }, + { + name: "Mixed IP and FQDN endpoints", + endpointSlices: []*discoveryv1.EndpointSlice{ + { + ObjectMeta: metav1.ObjectMeta{Name: "slice1"}, + AddressType: discoveryv1.AddressTypeIPv4, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"192.0.2.1"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + { + ObjectMeta: 
metav1.ObjectMeta{Name: "slice2"}, + AddressType: discoveryv1.AddressTypeFQDN, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"example.com"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + }, + portName: "http", + portProtocol: corev1.ProtocolTCP, + expectedEndpoints: 2, + expectedAddrType: ir.MIXED, + }, + { + name: "Dual-stack IP endpoints", + endpointSlices: []*discoveryv1.EndpointSlice{ + { + ObjectMeta: metav1.ObjectMeta{Name: "slice1-ipv4"}, + AddressType: discoveryv1.AddressTypeIPv4, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"192.0.2.1"}}, + {Addresses: []string{"192.0.2.2"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{Name: "slice2-ipv6"}, + AddressType: discoveryv1.AddressTypeIPv6, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"2001:db8::1"}}, + {Addresses: []string{"2001:db8::2"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + }, + portName: "http", + portProtocol: corev1.ProtocolTCP, + expectedEndpoints: 4, + expectedAddrType: ir.IP, + }, + { + name: "Dual-stack with FQDN", + endpointSlices: []*discoveryv1.EndpointSlice{ + { + ObjectMeta: metav1.ObjectMeta{Name: "slice1-ipv4"}, + AddressType: discoveryv1.AddressTypeIPv4, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"192.0.2.1"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{Name: "slice2-ipv6"}, + AddressType: discoveryv1.AddressTypeIPv6, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"2001:db8::1"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: 
ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{Name: "slice3-fqdn"}, + AddressType: discoveryv1.AddressTypeFQDN, + Endpoints: []discoveryv1.Endpoint{ + {Addresses: []string{"example.com"}}, + }, + Ports: []discoveryv1.EndpointPort{ + {Name: ptr.To("http"), Port: ptr.To(int32(80)), Protocol: ptr.To(corev1.ProtocolTCP)}, + }, + }, + }, + portName: "http", + portProtocol: corev1.ProtocolTCP, + expectedEndpoints: 3, + expectedAddrType: ir.MIXED, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + endpoints, addrType := getIREndpointsFromEndpointSlices(tt.endpointSlices, tt.portName, tt.portProtocol) + + fmt.Printf("Test case: %s\n", tt.name) + fmt.Printf("Number of endpoints: %d\n", len(endpoints)) + fmt.Printf("Address type: %v\n", *addrType) + + fmt.Println("Actual endpoints:") + for i, endpoint := range endpoints { + fmt.Printf(" Endpoint %d:\n", i+1) + fmt.Printf(" Address: %s\n", endpoint.Host) + fmt.Printf(" Port: %d\n", endpoint.Port) + + } + + fmt.Println() + }) + } +} diff --git a/internal/gatewayapi/status/gateway_test.go b/internal/gatewayapi/status/gateway_test.go index 8c87c16190a..9f9791ac6a5 100644 --- a/internal/gatewayapi/status/gateway_test.go +++ b/internal/gatewayapi/status/gateway_test.go 
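Review bot: TestGetIREndpointsFromEndpointSlices asserts nothing: the loop body only prints with `fmt.Printf`, so `expectedEndpoints` and `expectedAddrType` are never compared with the result and the test passes whatever getIREndpointsFromEndpointSlices returns. Replace the print statements with `require.Len(t, endpoints, tt.expectedEndpoints)`, `require.NotNil(t, addrType)` and `require.Equal(t, tt.expectedAddrType, *addrType)`, importing testify's `require` as resource_test.go in this commit already does. As written, `*addrType` is dereferenced without a nil check, so a nil return would panic instead of failing cleanly.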
@@ -178,6 +178,70 @@ func TestUpdateGatewayStatusProgrammedCondition(t *testing.T) { return }(), }, + { + name: "LoadBalancer svc with IPv6 ingress ip", + args: args{ + gw: &gwapiv1.Gateway{}, + svc: &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeLoadBalancer, + }, + Status: corev1.ServiceStatus{ + LoadBalancer: corev1.LoadBalancerStatus{ + Ingress: []corev1.LoadBalancerIngress{ + {IP: "2001:db8::1"}, + }, + }, + }, + }, + }, + wantAddresses: []gwapiv1.GatewayStatusAddress{ + { + Type: ptr.To(gwapiv1.IPAddressType), + Value: "2001:db8::1", + }, + }, + }, + { + name: "ClusterIP svc with IPv6", + args: args{ + gw: &gwapiv1.Gateway{}, + svc: &corev1.Service{ + Spec: corev1.ServiceSpec{ + ClusterIPs: []string{"2001:db8::2"}, + Type: corev1.ServiceTypeClusterIP, + }, + }, + }, + wantAddresses: []gwapiv1.GatewayStatusAddress{ + { + Type: ptr.To(gwapiv1.IPAddressType), + Value: "2001:db8::2", + }, + }, + }, + { + name: "Nodeport svc with IPv6 node addresses", + args: args{ + gw: &gwapiv1.Gateway{}, + nodeAddresses: []string{"2001:db8::3", "2001:db8::4"}, + svc: &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeNodePort, + }, + }, + }, + wantAddresses: []gwapiv1.GatewayStatusAddress{ + { + Type: ptr.To(gwapiv1.IPAddressType), + Value: "2001:db8::3", + }, + { + Type: ptr.To(gwapiv1.IPAddressType), + Value: "2001:db8::4", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 65bd87c050b..10c418af462 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -225,8 +225,20 @@ type CoreListenerDetails struct { ExtensionRefs []*UnstructuredRef `json:"extensionRefs,omitempty" yaml:"extensionRefs,omitempty"` // Metadata is used to enrich envoy resource metadata with user and provider-specific information Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` + // IPFamily specifies the IP address family for the gateway. + // It can be IPv4, IPv6, or Dual. + IPFamily *IPFamily `json:"ipFamily,omitempty" yaml:"ipFamily,omitempty"` } +// IPFamily specifies the IP address family used by the Gateway for its listening ports. +type IPFamily string + +const ( + IPv4 IPFamily = "IPv4" + IPv6 IPFamily = "IPv6" + Dualstack IPFamily = "DualStack" +) + func (l CoreListenerDetails) GetName() string { return l.Name } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 9054f99854a..85a26447ecb 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -590,6 +590,11 @@ func (in *CoreListenerDetails) DeepCopyInto(out *CoreListenerDetails) { *out = new(ResourceMetadata) (*in).DeepCopyInto(*out) } + if in.IPFamily != nil { + in, out := &in.IPFamily, &out.IPFamily + *out = new(IPFamily) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CoreListenerDetails. diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 409de7e2180..145d616bde7 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -28,6 +28,7 @@ import ( "google.golang.org/protobuf/types/known/wrapperspb" "k8s.io/utils/ptr" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" ) @@ -55,6 +56,7 @@ type xdsClusterArgs struct { backendConnection *ir.BackendConnection dns *ir.DNS useClientProtocol bool + ipFamily *egv1a1.IPFamily } type EndpointType int 
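Review bot: The field comment says the value "can be IPv4, IPv6, or Dual", but the constant's value is `"DualStack"` and no `Dual` exists; it should read `// It can be IPv4, IPv6, or DualStack.`. The identifier `Dualstack` also differs in casing from `egv1a1.DualStack`, used in getIPFamily and cluster.go, which makes the two easy to confuse; `DualStack` would match. The constants have no per-value comments; for example `// Dualstack binds the listener on both the IPv4 and IPv6 wildcard addresses.` reflects what setAddressByIPFamily does with it.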
@@ -81,9 +83,13 @@ func buildEndpointType(settings []*ir.DestinationSetting) EndpointType {
 }
 func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
+ dnsLookupFamily := clusterv3.Cluster_V4_ONLY
+ if args.ipFamily != nil && *args.ipFamily == egv1a1.DualStack {
+ dnsLookupFamily = clusterv3.Cluster_ALL
+ }
 cluster := &clusterv3.Cluster{
 Name: args.name,
- DnsLookupFamily: clusterv3.Cluster_V4_ONLY,
+ DnsLookupFamily: dnsLookupFamily,
 CommonLbConfig: &clusterv3.Cluster_CommonLbConfig{
 LocalityConfigSpecifier: &clusterv3.Cluster_CommonLbConfig_LocalityWeightedLbConfig_{
 LocalityWeightedLbConfig: &clusterv3.Cluster_CommonLbConfig_LocalityWeightedLbConfig{},
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
index 55336c5b136..c855d3ddf92 100644
--- a/internal/xds/translator/listener.go
+++ b/internal/xds/translator/listener.go
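Review bot: The new `dnsLookupFamily` selection handles only `DualStack`; with `ipFamily` set to `IPv6` the cluster still gets `Cluster_V4_ONLY`, so hostname endpoints would be resolved for A records only. Nothing visible in this commit assigns `xdsClusterArgs.ipFamily`, and the new golden file tcp-listener-ipfamily.clusters.yaml shows `dnsLookupFamily: V4_ONLY` for a listener declared `ipFamily: DualStack`, which suggests the branch is never taken. The field is also typed `*egv1a1.IPFamily` while the listener path uses `*ir.IPFamily`, although the translator otherwise consumes IR types. A switch over the family covers the IPv6 case; the snippet keeps the API type used in the hunk. buildXdsCluster continues outside the hunk.

```go
func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
	dnsLookupFamily := clusterv3.Cluster_V4_ONLY
	if args.ipFamily != nil {
		switch *args.ipFamily {
		case egv1a1.IPv6:
			dnsLookupFamily = clusterv3.Cluster_V6_ONLY
		case egv1a1.DualStack:
			dnsLookupFamily = clusterv3.Cluster_ALL
		}
	}
	// … unchanged: cluster literal using dnsLookupFamily …
```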
@@ -147,13 +147,43 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin
 return extensionConfig
 }
+func setAddressByIPFamily(socketAddress *corev3.SocketAddress, ipFamily *ir.IPFamily, port uint32) []*listenerv3.AdditionalAddress {
+ if ipFamily == nil {
+ return nil
+ }
+ switch *ipFamily {
+ case ir.IPv4:
+ socketAddress.Address = "0.0.0.0"
+ case ir.IPv6:
+ socketAddress.Address = "::"
+ case ir.Dualstack:
+ socketAddress.Address = "0.0.0.0"
+ return []*listenerv3.AdditionalAddress{
+ {
+ Address: &corev3.Address{
+ Address: &corev3.Address_SocketAddress{
+ SocketAddress: &corev3.SocketAddress{
+ Protocol: socketAddress.Protocol,
+ Address: "::",
+ PortSpecifier: &corev3.SocketAddress_PortValue{
+ PortValue: port,
+ },
+ },
+ },
+ },
+ },
+ }
+ }
+ return nil
+}
+
 // buildXdsTCPListener creates a xds Listener resource
 // TODO: Improve function parameters
-func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener {
+func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener {
 socketOptions := buildTCPSocketOptions(keepalive)
 al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener)
 bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection)
- return &listenerv3.Listener{
+ listener := &listenerv3.Listener{
 Name: name,
 AccessLog: al,
 SocketOptions: socketOptions,
@@ -170,6 +200,10 @@ func buildXdsTCPListener(name, address string, port uint32, keepalive *ir.TCPKee
 },
 },
 }
+
+ socketAddress := listener.Address.GetSocketAddress()
+ listener.AdditionalAddresses = setAddressByIPFamily(socketAddress, ipFamily, port)
+ return listener
 }
 func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrapperspb.UInt32Value {
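Review bot: setAddressByIPFamily replaces the `address` argument given to buildXdsTCPListener whenever `ipFamily` is non-nil, while processTCPListenerXdsTranslation still looks up an existing listener by the IR address (`findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, ...)`, context of the translator.go hunk at `@@ -565,7`). For `ir.IPv6` the built listener binds `::` while the IR address stays `0.0.0.0`, so a second TCP listener on the same port may not find the first and may try to add a duplicate; findXdsListenerByHostPort's body is not visible here, so this needs confirming. The function also both mutates its first argument and returns a value, and it has no doc comment. Proposed: `// setAddressByIPFamily overwrites socketAddress.Address with the wildcard for ipFamily and, for dual stack, returns the additional IPv6 wildcard address; a nil ipFamily leaves the address unchanged.`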
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-listener-ipfamily.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-listener-ipfamily.yaml new file mode 100644 index 00000000000..b74056ec017 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-listener-ipfamily.yaml @@ -0,0 +1,13 @@ +tcp: + - name: tcp-listener-dual + address: 0.0.0.0 + port: 8082 + ipFamily: DualStack + routes: + - name: tcp-route-dual + destination: + name: tcp-route-dual-dest + settings: + - endpoints: + - host: 192.168.1.2 + - host: '2001:db8::2' diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml new file mode 100644 index 00000000000..3b5a7b58376 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -0,0 +1,17 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-dual-dest + lbPolicy: LEAST_REQUEST + name: tcp-route-dual-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.endpoints.yaml new file mode 100644 index 00000000000..2b06ec86228 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.endpoints.yaml @@ -0,0 +1,18 @@ +- clusterName: tcp-route-dual-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 192.168.1.2 + portValue: 0 + loadBalancingWeight: 1 + - endpoint: + address: + socketAddress: + address: 2001:db8::2 + portValue: 0 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-dual-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml new file mode 100644 index 00000000000..0615ffcff8a --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml @@ -0,0 +1,19 @@ +- additionalAddresses: + - address: + socketAddress: + address: '::' + portValue: 8082 + address: + socketAddress: + address: 0.0.0.0 + portValue: 8082 + filterChains: + - filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-dual-dest + statPrefix: tcp-8082 + name: tcp-route-dual + name: tcp-listener-dual + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 0a75136aa44..30a54fe6990 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -225,7 +225,7 @@ func (t *Translator) processHTTPListenerXdsTranslation( } // Create a new TCP listener for HTTP1/HTTP2 traffic. - tcpXDSListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.TCPKeepalive, httpListener.Connection, accessLog) + tcpXDSListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, httpListener.TCPKeepalive, httpListener.Connection, accessLog) if err = tCtx.AddXdsResource(resourcev3.ListenerType, tcpXDSListener); err != nil { errs = errors.Join(errs, err) continue 
@@ -565,7 +565,7 @@ func (t *Translator) processTCPListenerXdsTranslation( // Search for an existing listener, if it does not exist, create one. xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { - xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog) + xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog) if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { // skip this listener if failed to add xds listener to the errs = errors.Join(errs, err) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index f90ee0702ad..2999d46410c 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -324,7 +324,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | @@ -1483,6 +1483,7 @@ _Appears in:_ | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | | `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | #### EnvoyProxyStatus @@ -1644,7 +1645,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | @@ -2207,10 +2208,26 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `address` | _string_ | true | Address defines the IP address of the backend endpoint. | +| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | | `port` | _integer_ | true | Port defines the port of the backend endpoint. | +#### IPFamily + +_Underlying type:_ _string_ + +IPFamily defines the IP family to use for the Envoy proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Value | Description | +| ----- | ----------- | +| `IPv4` | IPv4 defines the IPv4 family.
| +| `IPv6` | IPv6 defines the IPv6 family.
| +| `DualStack` | DualStack defines the dual-stack family.
When set to DualStack, Envoy proxy will listen on both IPv4 and IPv6 addresses
for incoming client traffic, enabling support for both IP protocol versions.
| + + #### ImagePullPolicy _Underlying type:_ _string_ diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index f90ee0702ad..2999d46410c 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -324,7 +324,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | @@ -1483,6 +1483,7 @@ _Appears in:_ | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | | `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | #### EnvoyProxyStatus @@ -1644,7 +1645,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | @@ -2207,10 +2208,26 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `address` | _string_ | true | Address defines the IP address of the backend endpoint. | +| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | | `port` | _integer_ | true | Port defines the port of the backend endpoint. | +#### IPFamily + +_Underlying type:_ _string_ + +IPFamily defines the IP family to use for the Envoy proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Value | Description | +| ----- | ----------- | +| `IPv4` | IPv4 defines the IPv4 family.
| +| `IPv6` | IPv6 defines the IPv6 family.
| +| `DualStack` | DualStack defines the dual-stack family.
When set to DualStack, Envoy proxy will listen on both IPv4 and IPv6 addresses
for incoming client traffic, enabling support for both IP protocol versions.
| + + #### ImagePullPolicy _Underlying type:_ _string_ diff --git a/test/cel-validation/backend_test.go b/test/cel-validation/backend_test.go index 7b29c4353a7..a46a2d4078a 100644 --- a/test/cel-validation/backend_test.go +++ b/test/cel-validation/backend_test.go 
@@ -224,10 +224,10 @@ func TestBackend(t *testing.T) { } }, wantErrors: []string{ - "spec.endpoints[0].ip.address: Invalid value: \"300.0.0.0\": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'", - "spec.endpoints[1].ip.address: Invalid value: \"0.0.0.0:443\": spec.endpoints[1].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'", - "spec.endpoints[2].ip.address: Invalid value: \"0.0.0.0/12\": spec.endpoints[2].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'", - "spec.endpoints[3].ip.address: Invalid value: \"a.b.c.e\": spec.endpoints[3].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'", + "spec.endpoints[0].ip.address: Invalid value: \"300.0.0.0\": spec.endpoints[0].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$'", + "spec.endpoints[1].ip.address: Invalid value: \"0.0.0.0:443\": spec.endpoints[1].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$'", + "spec.endpoints[2].ip.address: Invalid value: \"0.0.0.0/12\": spec.endpoints[2].ip.address in body should match '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$'", + "spec.endpoints[3].ip.address: Invalid value: \"a.b.c.e\": spec.endpoints[3].ip.address in body should match 
'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$'", }, }, } diff --git a/test/e2e/testdata/backend-dualstack.yaml b/test/e2e/testdata/backend-dualstack.yaml new file mode 100644 index 00000000000..536cf66827b --- /dev/null +++ b/test/e2e/testdata/backend-dualstack.yaml 
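Review bot: The expectations updated here cover only malformed IPv4 input; no case exercises the IPv6 alternative that was appended to the pattern. As quoted in these strings, that alternative allows at most two groups after a `::` and requires a hex group before it, so a valid compressed address such as `2001:db8::1:2:3` (constructed example) would be rejected, while a fully expanded IPv4-mapped form is accepted. Adding IPv6 accept and reject cases to TestBackend, including mapped and loopback forms, would pin down what admission lets through to validateBackend. TestBackend starts and ends outside the hunk.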
@@ -0,0 +1,166 @@ +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-ipv6 + namespace: gateway-conformance-infra +spec: + clusterIP: fd00:10:96::1411 + ipFamilies: + - IPv6 + ipFamilyPolicy: SingleStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-dualstack + namespace: gateway-conformance-infra +spec: + clusterIP: 10.96.0.100 + clusterIPs: + - 10.96.0.100 + - fd00:10:96::100 + ipFamilies: + - IPv4 + - IPv6 + ipFamilyPolicy: RequireDualStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-ipv4 + namespace: gateway-conformance-infra +spec: + clusterIP: 10.96.0.101 + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-route-ipv6 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - matches: + - path: + type: PathPrefix + value: /backend-ipv6 + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: infra-backend-v1-ipv6 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-route-dualstack + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - matches: + - path: + type: PathPrefix + value: /backend-dualstack + backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: infra-backend-v1-dualstack +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-route-ipv4 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - matches: + - path: + type: PathPrefix + value: /backend-ipv4 + backendRefs: + - group: gateway.envoyproxy.io + 
kind: Backend + name: infra-backend-v1-ipv4 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: infra-backend-v1-ipv6 + namespace: gateway-conformance-infra +spec: + endpoints: + - ip: + address: "fd00:10:96::1411" + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: infra-backend-v1-dualstack + namespace: gateway-conformance-infra +spec: + endpoints: + - ip: + address: "10.96.0.100" + port: 8080 + - ip: + address: "fd00:10:96::100" + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: infra-backend-v1-ipv4 + namespace: gateway-conformance-infra +spec: + endpoints: + - ip: + address: "10.96.0.101" + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: dualstack-proxy-config + namespace: gateway-conformance-infra +spec: + ipFamily: DualStack +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: dualstack-gateway + namespace: gateway-conformance-infra +spec: + gatewayClassName: envoy-gateway + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: dualstack-proxy-config + listeners: + - name: http + port: 80 + protocol: HTTP diff --git a/test/e2e/testdata/httproute-dualstack.yaml b/test/e2e/testdata/httproute-dualstack.yaml new file mode 100644 index 00000000000..e1289dac50e --- /dev/null +++ b/test/e2e/testdata/httproute-dualstack.yaml 
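Review bot: The three Services in `test/e2e/testdata/backend-dualstack.yaml` pin `clusterIP` literals (`fd00:10:96::1411`, `10.96.0.100` with `fd00:10:96::100`, `10.96.0.101`) and the Backend endpoints repeat them. The manifest therefore only applies on a cluster whose service CIDRs contain those addresses and where they are still unallocated. The Go test that loads this file gates on `IP_FAMILY` being `dual`, which says nothing about the service subnet. I would state the coupling at the top of the file, e.g. `# clusterIPs must lie inside the e2e cluster's service CIDRs (<IPv4 service CIDR>, <IPv6 service CIDR>); keep them in sync with the Backend endpoints below`.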
@@ -0,0 +1,121 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-httproute-ipv6 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - backendRefs: + - name: infra-backend-v1-service-ipv6 + port: 8080 + matches: + - path: + type: PathPrefix + value: /ipv6-only +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-service-ipv6 + namespace: gateway-conformance-infra +spec: + ipFamilies: + - IPv6 + ipFamilyPolicy: SingleStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-httproute-dualstack + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - backendRefs: + - name: infra-backend-v1-service-dualstack + port: 8080 + matches: + - path: + type: PathPrefix + value: /dual-stack +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-service-dualstack + namespace: gateway-conformance-infra +spec: + ipFamilies: + - IPv4 + - IPv6 + ipFamilyPolicy: RequireDualStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-httproute-ipv4 + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - backendRefs: + - name: infra-backend-v1-service-ipv4 + port: 8080 + matches: + - path: + type: PathPrefix + value: /ipv4-only +--- +apiVersion: v1 +kind: Service +metadata: + name: infra-backend-v1-service-ipv4 + namespace: gateway-conformance-infra +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - port: 8080 + targetPort: 3000 + selector: + app: infra-backend-v1 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: dualstack-proxy-config + namespace: 
gateway-conformance-infra +spec: + ipFamily: DualStack +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: dualstack-gateway + namespace: gateway-conformance-infra +spec: + gatewayClassName: envoy-gateway + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: dualstack-proxy-config + listeners: + - name: http + port: 80 + protocol: HTTP diff --git a/test/e2e/tests/backend_dualstack.go b/test/e2e/tests/backend_dualstack.go new file mode 100644 index 00000000000..c7db450824e --- /dev/null +++ b/test/e2e/tests/backend_dualstack.go 
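Review bot: The EnvoyProxy `dualstack-proxy-config` and the Gateway `dualstack-gateway` at the end of `test/e2e/testdata/httproute-dualstack.yaml` are declared with the same names and namespace in `test/e2e/testdata/backend-dualstack.yaml`, so two tests own the same objects. If the suite deletes a test's manifests when that test finishes (not visible here), cleanup of one test can remove the Gateway the other still routes through. Giving each file its own names, e.g. `name: httproute-dualstack-gateway` with matching `parentRefs`, or moving the shared pair into a common base manifest, would keep the two tests independent.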
@@ -0,0 +1,73 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "os" + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +// If the environment is not dual, the IPv6 manifest cannot be applied, so the test will be skipped. +func init() { + if os.Getenv("IP_FAMILY") == "dual" { + ConformanceTests = append(ConformanceTests, BackendDualStackTest) + } else { + ConformanceTests = append(ConformanceTests, SkipBackendDualStackTest) + } +} + +var BackendDualStackTest = suite.ConformanceTest{ + ShortName: "BackendDualStack", + Description: "Test IPv6 and Dual Stack support for backends", + Manifests: []string{"testdata/backend-dualstack.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + gwNN := types.NamespacedName{Name: "dualstack-gateway", Namespace: ns} + + t.Run("IPv6 Backend", func(t *testing.T) { + runBackendDualStackTest(t, suite, ns, gwNN, "infra-backend-v1-route-ipv6", "/backend-ipv6") + }) + t.Run("Dual Stack Backend", func(t *testing.T) { + runBackendDualStackTest(t, suite, ns, gwNN, "infra-backend-v1-route-dualstack", "/backend-dualstack") + }) + t.Run("IPv4 Backend", func(t *testing.T) { + runBackendDualStackTest(t, suite, ns, gwNN, "infra-backend-v1-route-ipv4", "/backend-ipv4") + }) + }, +} + +func runBackendDualStackTest(t *testing.T, suite *suite.ConformanceTestSuite, ns string, gwNN types.NamespacedName, routeName, path string) { + routeNN := types.NamespacedName{Name: routeName, Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), 
routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: path, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) +} + +var SkipBackendDualStackTest = suite.ConformanceTest{ + ShortName: "BackendDualStack", + Description: "Skipping BackendDualStack test as IP_FAMILY is not dual", + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Skip("Skipping BackendDualStack test as IP_FAMILY is not dual") + }, +} diff --git a/test/e2e/tests/httproute_dualstack.go b/test/e2e/tests/httproute_dualstack.go new file mode 100644 index 00000000000..0e969577870 --- /dev/null +++ b/test/e2e/tests/httproute_dualstack.go 
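Review bot: `runBackendDualStackTest` in `test/e2e/tests/backend_dualstack.go` asserts only `StatusCode: 200`, so a route that lands on some other backend returning 200 still passes. The same holds for the "Dual Stack Backend" case if only one of its two endpoints is ever used. All three Services select `app: infra-backend-v1`, so the expectation could also name the backend, e.g. `Backend: "infra-backend-v1",` next to `Namespace: ns,`, assuming the conformance helper's backend check applies to this echo server. The same applies to `runHTTPRouteTest` in `test/e2e/tests/httproute_dualstack.go`. The exported test variables also have no doc comments; a line such as `// BackendDualStackTest checks routing to IPv6, dual-stack and IPv4 Backend resources.` would help.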
@@ -0,0 +1,73 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e +// +build e2e + +package tests + +import ( + "os" + "testing" + + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +// If the environment is not dual, the IPv6 manifest cannot be applied, so the test will be skipped. +func init() { + if os.Getenv("IP_FAMILY") == "dual" { + ConformanceTests = append(ConformanceTests, HTTPRouteDualStackTest) + } else { + ConformanceTests = append(ConformanceTests, SkipHTTPRouteDualStackTest) + } +} + +var HTTPRouteDualStackTest = suite.ConformanceTest{ + ShortName: "HTTPRouteDualStack", + Description: "Test HTTPRoute support for IPv6 only, dual-stack, and IPv4 only services", + Manifests: []string{"testdata/httproute-dualstack.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + ns := "gateway-conformance-infra" + gwNN := types.NamespacedName{Name: "dualstack-gateway", Namespace: ns} + + t.Run("HTTPRoute to IPv6 only service", func(t *testing.T) { + runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-httproute-ipv6", "/ipv6-only") + }) + t.Run("HTTPRoute to Dual-stack service", func(t *testing.T) { + runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-httproute-dualstack", "/dual-stack") + }) + t.Run("HTTPRoute to IPv4 only service", func(t *testing.T) { + runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-httproute-ipv4", "/ipv4-only") + }) + }, +} + +func runHTTPRouteTest(t *testing.T, suite *suite.ConformanceTestSuite, ns string, gwNN types.NamespacedName, routeName, path string) { + routeNN := types.NamespacedName{Name: routeName, Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, 
suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: path, + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) +} + +var SkipHTTPRouteDualStackTest = suite.ConformanceTest{ + ShortName: "HTTPRouteDualStack", + Description: "Skipping HTTPRouteDualStack test as IP_FAMILY is not dual", + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Skip("Skipping HTTPRouteDualStack test as IP_FAMILY is not dual") + }, +} From c2dd08efaa63126b5c830feb7e08a211f99aff75 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 25 Oct 2024 10:49:42 +0800 Subject: [PATCH 304/523] docs: skip current in release-notes-docs (#4521) * docs: skip current in release-notes-docs Signed-off-by: zirain * revert Signed-off-by: zirain --------- Signed-off-by: zirain --- tools/make/docs.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 698896f089a..f1ee2844f4b 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -123,6 +123,6 @@ docs-markdown-lint: release-notes-docs: $(tools/release-notes-docs) @$(LOG_TARGET) - @for file in $(wildcard release-notes/*.yaml); do \ + @for file in $(wildcard release-notes/v*.yaml); do \ $(tools/release-notes-docs) $$file site/content/en/news/releases/notes; \ done From 6f5ae8ebc8ca3c30257a74d5dedc868c96e15038 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 25 Oct 2024 13:55:12 +0800 Subject: [PATCH 305/523] release: v1.2.0-rc.1 (#4476) * release note for v1.2-rc.1 Signed-off-by: Huabing Zhao * release note for v1.2-rc.1 Signed-off-by: Huabing Zhao * release note for v1.2-rc.1 Signed-off-by: Huabing Zhao * release note for v1.2-rc.1 Signed-off-by: Huabing Zhao * fix typo Signed-off-by: Huabing Zhao * release v1.2.0-rc.1 
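Review bot: `runHTTPRouteTest` in `test/e2e/tests/httproute_dualstack.go` is a line-for-line copy of `runBackendDualStackTest` in `test/e2e/tests/backend_dualstack.go`. Both files are in package `tests` under the same `e2e` build tag, so one helper can serve both. I would keep a single function and call it from both, e.g. `runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-route-ipv6", "/backend-ipv6")` in the backend test, so a later change to the expectation cannot drift between the two copies. The `init` gate on `IP_FAMILY` is duplicated in the same way and could move into a small shared predicate.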
Signed-off-by: Huabing Zhao * added recent changes Signed-off-by: Huabing Zhao * add recent changes Signed-off-by: Huabing Zhao * added recent changes Signed-off-by: Huabing Zhao * added recent changes Signed-off-by: Huabing Zhao * adopted the new format Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * minor change on the release note template Signed-off-by: Huabing Zhao * VERSION Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * fix docs gen Signed-off-by: Huabing Zhao * fix docs gen Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0-rc.1.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0-rc.1.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Xunzhuo Co-authored-by: Arko Dasgupta --- VERSION | 2 +- release-notes/current.yaml | 14 +- release-notes/v1.2.0-rc.1.yaml | 132 +++++++++++++++++ site/content/en/contributions/RELEASING.md | 2 +- .../en/news/releases/notes/v1.2.0-rc.1.md | 133 ++++++++++++++++++ test/e2e/tests/eg_upgrade.go | 7 +- tools/src/release-notes-docs/yml2md.py | 52 +++++-- 7 files changed, 317 insertions(+), 25 deletions(-) create mode 100644 release-notes/v1.2.0-rc.1.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.0-rc.1.md diff --git a/VERSION b/VERSION index 0f1acbd5656..1bf010be510 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.1.2 +v1.2.0-rc.1 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 524802636e6..bfc711148bd 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -2,28 +2,28 @@ date: Pending # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. breaking changes: | - - Add a breaking change here + Add a breaking change here # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | - - Add a security update here + Add a security update here # New features or capabilities added in this release. new features: | - - Add a new feature here + Add a new feature here # Fixes for bugs identified in previous versions. bug fixes: | - - Add a bug fix here + Add a bug fix here # Enhancements that improve performance. performance improvements: | - - Add a performance improvement here + Add a performance improvement here # Deprecated features or APIs. deprecations: | - - Add a deprecation here + Add a deprecation here # Other notable changes not covered by the above sections. Other changes: | - - Add other changes here + Add other changes here diff --git a/release-notes/v1.2.0-rc.1.yaml b/release-notes/v1.2.0-rc.1.yaml new file mode 100644 index 00000000000..0ff64d9325f --- /dev/null +++ b/release-notes/v1.2.0-rc.1.yaml 
@@ -0,0 +1,132 @@ +date: October 25, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. + Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. + Removed default CPU limit of the Envoy Gateway deployment + Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + +# New features or capabilities added in this release. +new features: | + Added support for Gateway-API v1.2.0 + Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources + Added support for EG standalone(host deployment) mode (experimental) + Added support for JWT claims based Authorization in SecurityPolicy CRD + Added support for Direct Response in HTTPRouteFilter CRD + Added support for Response Override in BackendTrafficPolicy CRD + Added support for RequestTimeout in BackendTrafficPolicy CRD + Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD + Added support for client TLS session resumption in ClientTrafficPolicy CRD + Added support for HTTPRouteFilter and path regex rewrite + Added support for host header rewrite in HTTPRouteFilter CRD + Added support for Listener Access Log in EnvoyProxy CRD + Added support for Datadog tracing support in EnvoyProxy CRD + Added support for request response sizes stats in EnvoyProxy CRD + Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD + Added support for match conditions for access log in EnvoyProxy CRD + Added support for using BackendCluster to represent OIDCProvider + Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD + 
Added support for sharing token cookies between multiple domains in SecurityPolicy CRD + Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD + Added support for LB priority for non xRoute endpoints + Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD + Added support for early request header mutation in the ClientTrafficPolicy CRD + Added support for JsonPath in the EnvoyPatchPolicy CRD + Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD + Added support for cluster settings for non xRoute-generated backend refs + Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD + Added support for http2 upstream settings in BackendTrafficPolicy CRD + Added support for DNS resolution settings in BackendTrafficPolicy CRD + Added support for configuring service annotations in the Envoy Gateway helm chart + Added support for configuring priorityClassName to Envoy Gateway helm chart + Added support for ratelimit metrics monitoring in grafana in the addons helm chart + Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart + Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart + Added support for configuring NodeSelector in the Envoy Gateway helm chart + Added support for nonce in the OIDC auth flow + Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host + Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails + Added support for returning 500 when SecurityPolicy translation fails + Added support for multiple backendRefs for ExtAuth and ExtProc + Added support for session persistence in HTTPRoute rules + Added support for the Backend resource for ExtAuth + Added support for target selectors on Envoy Gateway Extension Server policies + Added support for non-Kubernetes Backends for TLSRoute + 
Added support for fallback to the Backend API + Added support for reloadable EnvoyGateway configuration + Added support for adding Labels to the Envoy Service + Added support for custom name for ratelimit deployment + Added default SecurityContext for EG components + Added startupProbe to all provisioned containers + Added support for local validations for egctl translate and file provider + Added support for egctl x collect to collect information from the cluster for debugging + Added support for a native prometheus metrics endpoint in the ratelimit server + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed unsupported listener protocol type causing an error while updating Gateway Status + Fixed some status updates were being discarded by the status updater + Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute + Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors + Fixed JSONPath not correctly translated to JSONPatch paths + Fixed allow empty slowStart when using LeastRequest + Fixed Backends which should be rejected are still used as an HTTPRoute's destination + Fixed losing timeout settings that originate from the route when translating the backend traffic policy + Fixed Backend resources don't get status updates + Fixed Active Health check requires expectedStatuses field to work + Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values + Fixed multiple reference grants in same namespace + Fixed upstream get unwanted /. 
+ Fixed creation of SecurityPolicy with targetSelectors fails + Fixed wrong gateway is chosen as HTTPRoute parent + Fixed override issue for EEP + Fixed nil pointer err translating hash load balancing + Fixed ratelimit does not work across multiple GatewayClasses + Fixed upstream mTLS only works for HTTPS listeners + Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not + Fixed empty connection limit causes XDS rejection + Fixed ratelimit not working with both headers and cidr matches + Fixed EDS didn't update when deployments was created after services + Fixed RBAC issue for deleting infrastructure resources + Fixed customized infrastructure resources not being deleted + Fixed Gateways never become ready/programmed when running Envoy as a Daemonset + Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed the API Server receives unnecessary requests + Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy + Fixed ratelimit statsd not working + Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy + Fixed egctl experimental translate using a wrong ns + +# Enhancements that improve performance. +performance improvements: | + Fixed repeated resources and optimize memory usage + +# Other notable changes not covered by the above sections. 
+Other changes: | + Removed grafana test framework from the addons helm chart + Disabled ALPN for non-HTTP routes + Added statPrefix for HCM and TCPProxy + Enabled GatewayHTTPListenerIsolation conformance test + Enabled GRPC conformance profile + Enabled HTTPRouteBackendRequestHeaderModifier conformance test + Added e2e test for Daemonset mode + Updated upgrades tests to use VERSION env variable + Fixed OVS scanner wrong license warnings + Added e2e test for TLS session resumption + Added heap profile into benchmark report + Added e2e test for RecomputeRoute in ExtAuth + Added benchmark memory profiles into report + Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test + Fixed flaky Zipkin Tracing e2e test + Added e2e test for cookie based consistent hash load balancing + Added e2e test for load balancing + Fixed flaky authorization tests + Enabled upgrade test + Fixed flaky basic auth e2e test + Enabled use-client-protocol e2e test + Added performance benchmarking test for 1000 HTTPRoutes + Added e2e test for Datadog tracing + Added e2e tests for ratelimit invert matching headers + Reduced readinessProbe failureThreshold and periodSeconds + Bumped go-control-plane to v0.13.1 diff --git a/site/content/en/contributions/RELEASING.md b/site/content/en/contributions/RELEASING.md index 70fff1c083b..ec2365a15dc 100644 --- a/site/content/en/contributions/RELEASING.md +++ b/site/content/en/contributions/RELEASING.md 
@@ -32,7 +32,7 @@ export GITHUB_REMOTE=origin 2. Create a topic branch for adding the release notes and updating the [VERSION][] file with the release version. Refer to previous [release notes][] and [VERSION][] for additional details. The latest changes are already accumulated in the current.yaml file. Copy the content of the current.yaml file to the release notes file and clear the current.yaml file. ```shell - echo "${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}" > VERSION + echo "v${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}" > VERSION ``` __Note:__ The release candidate version should be in the format `${MAJOR_VERSION}.${MINOR_VERSION}.0-rc.${RELEASE_CANDIDATE_NUMBER}`. diff --git a/site/content/en/news/releases/notes/v1.2.0-rc.1.md b/site/content/en/news/releases/notes/v1.2.0-rc.1.md new file mode 100644 index 00000000000..cfdfe12d27f --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.0-rc.1.md 
@@ -0,0 +1,133 @@ +--- +title: "v1.2.0-rc.1" +publishdate: 2024-10-25 +--- + +Date: October 25, 2024 + +## Breaking changes +- Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed. +- Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information. +- Removed default CPU limit of the Envoy Gateway deployment +- Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + +## New features +- Added support for Gateway-API v1.2.0 +- Added support for IPv4/IPv6 Dual Stack for Envoy listeners and BackendRef resources +- Added support for EG standalone(host deployment) mode (experimental) +- Added support for JWT claims based Authorization in SecurityPolicy CRD +- Added support for Direct Response in HTTPRouteFilter CRD +- Added support for Response Override in BackendTrafficPolicy CRD +- Added support for RequestTimeout in BackendTrafficPolicy CRD +- Added support for inverting header matches for rate limit in BackendTrafficPolicy CRD +- Added support for client TLS session resumption in ClientTrafficPolicy CRD +- Added support for HTTPRouteFilter and path regex rewrite +- Added support for host header rewrite in HTTPRouteFilter CRD +- Added support for Listener Access Log in EnvoyProxy CRD +- Added support for Datadog tracing support in EnvoyProxy CRD +- Added support for request response sizes stats in EnvoyProxy CRD +- Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD +- Added support for match conditions for access log in EnvoyProxy CRD +- Added support for using BackendCluster to represent OIDCProvider +- Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD +- Added support for sharing token cookies between multiple domains in SecurityPolicy CRD +- Added support for 
JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD +- Added support for LB priority for non xRoute endpoints +- Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD +- Added support for early request header mutation in the ClientTrafficPolicy CRD +- Added support for JsonPath in the EnvoyPatchPolicy CRD +- Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD +- Added support for cluster settings for non xRoute-generated backend refs +- Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD +- Added support for http2 upstream settings in BackendTrafficPolicy CRD +- Added support for DNS resolution settings in BackendTrafficPolicy CRD +- Added support for configuring service annotations in the Envoy Gateway helm chart +- Added support for configuring priorityClassName to Envoy Gateway helm chart +- Added support for ratelimit metrics monitoring in grafana in the addons helm chart +- Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart +- Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart +- Added support for configuring NodeSelector in the Envoy Gateway helm chart +- Added support for nonce in the OIDC auth flow +- Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host +- Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails +- Added support for returning 500 when SecurityPolicy translation fails +- Added support for multiple backendRefs for ExtAuth and ExtProc +- Added support for session persistence in HTTPRoute rules +- Added support for the Backend resource for ExtAuth +- Added support for target selectors on Envoy Gateway Extension Server policies +- Added support for non-Kubernetes Backends for TLSRoute +- Added support for fallback to the Backend API +- Added support for reloadable 
EnvoyGateway configuration +- Added support for adding Labels to the Envoy Service +- Added support for custom name for ratelimit deployment +- Added default SecurityContext for EG components +- Added startupProbe to all provisioned containers +- Added support for local validations for egctl translate and file provider +- Added support for egctl x collect to collect information from the cluster for debugging +- Added support for a native prometheus metrics endpoint in the ratelimit server + +## Bug fixes +- Fixed unsupported listener protocol type causing an error while updating Gateway Status +- Fixed some status updates were being discarded by the status updater +- Fixed Gateway crash adding BackendTLSPolicy to External Backend of an HTTPRoute +- Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors +- Fixed JSONPath not correctly translated to JSONPatch paths +- Fixed allow empty slowStart when using LeastRequest +- Fixed Backends which should be rejected are still used as an HTTPRoute's destination +- Fixed losing timeout settings that originate from the route when translating the backend traffic policy +- Fixed Backend resources don't get status updates +- Fixed Active Health check requires expectedStatuses field to work +- Fixed HTTPHeaderFilter processing doesn't correctly support multiple header values +- Fixed multiple reference grants in same namespace +- Fixed upstream get unwanted /. 
+- Fixed creation of SecurityPolicy with targetSelectors fails +- Fixed wrong gateway is chosen as HTTPRoute parent +- Fixed override issue for EEP +- Fixed nil pointer err translating hash load balancing +- Fixed ratelimit does not work across multiple GatewayClasses +- Fixed upstream mTLS only works for HTTPS listeners +- Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not +- Fixed empty connection limit causes XDS rejection +- Fixed ratelimit not working with both headers and cidr matches +- Fixed EDS didn't update when deployments was created after services +- Fixed RBAC issue for deleting infrastructure resources +- Fixed customized infrastructure resources not being deleted +- Fixed Gateways never become ready/programmed when running Envoy as a Daemonset +- Fixed Ratelimit Deployment ignoring pod labels and annotation merge +- Fixed the API Server receives unnecessary requests +- Fixed terminating envoy pods don't respond with "Connection: close" (H1) or GOAWAY(H2) on shutdown, switch to an immediate drain strategy +- Fixed ratelimit statsd not working +- Fixed not generating selector of deployment/daemonset based on the custom label configuration of EnvoyProxy +- Fixed egctl experimental translate using a wrong ns + +## Performance improvements +- Fixed repeated resources and optimize memory usage + +## Other changes +- Removed grafana test framework from the addons helm chart +- Disabled ALPN for non-HTTP routes +- Added statPrefix for HCM and TCPProxy +- Enabled GatewayHTTPListenerIsolation conformance test +- Enabled GRPC conformance profile +- Enabled HTTPRouteBackendRequestHeaderModifier conformance test +- Added e2e test for Daemonset mode +- Updated upgrades tests to use VERSION env variable +- Fixed OVS scanner wrong license warnings +- Added e2e test for TLS session resumption +- Added heap profile into benchmark report +- Added e2e test for RecomputeRoute in ExtAuth +- Added benchmark memory profiles into report +- 
Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test +- Fixed flaky Zipkin Tracing e2e test +- Added e2e test for cookie based consistent hash load balancing +- Added e2e test for load balancing +- Fixed flaky authorization tests +- Enabled upgrade test +- Fixed flaky basic auth e2e test +- Enabled use-client-protocol e2e test +- Added performance benchmarking test for 1000 HTTPRoutes +- Added e2e test for Datadog tracing +- Added e2e tests for ratelimit invert matching headers +- Reduced readinessProbe failureThreshold and periodSeconds +- Bumped go-control-plane to v0.13.1 + diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 4ca4db15637..721b22d4c9c 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -11,7 +11,6 @@ import ( "bytes" "context" "fmt" - "os" "strings" "testing" "time" @@ -53,10 +52,8 @@ var EGUpgradeTest = suite.ConformanceTest{ chartPath := "../../../charts/gateway-helm" relName := "eg" depNS := "envoy-gateway-system" - lastVersionTag := os.Getenv("LAST_VERSION_TAG") - if lastVersionTag == "" { - lastVersionTag = "v1.1.2" // Default version tag if not specified - } + lastVersionTag := "v1.1.2" // Default version tag if not specified + t.Logf("Upgrading from version: %s", lastVersionTag) // Uninstall the current version of EG diff --git a/tools/src/release-notes-docs/yml2md.py b/tools/src/release-notes-docs/yml2md.py index b3b31b6724d..67105c7f666 100755 --- a/tools/src/release-notes-docs/yml2md.py +++ b/tools/src/release-notes-docs/yml2md.py @@ -15,7 +15,7 @@ def format_date(date_str): return datetime.strptime(date_str, date_format).date() except ValueError: pass # If the format doesn't match, move to the next one - + raise ValueError(f"Date string '{date_str}' does not match any supported format.") def capitalize(name): 
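Review bot: In the second hunk of `test/e2e/tests/eg_upgrade.go` the trailing comment on `lastVersionTag := "v1.1.2" // Default version tag if not specified` is stale. The hunk removes the `LAST_VERSION_TAG` lookup, so nothing can specify the value any more. The release notes added in the same commit list "Updated upgrades tests to use VERSION env variable", which reads as the opposite of hard-coding the tag, so the intent is worth stating on the line itself: `lastVersionTag := "v1.1.2" // release the upgrade starts from; bump when a new version ships`. The enclosing `Test` func continues outside the hunk.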
@@ -46,19 +46,49 @@ def convert_yaml_to_markdown(input_yaml_file, output_markdown_path): file.write("Date: {}\n\n".format(data['date'])) - for area in data['changes']: - file.write("## {}\n".format(capitalize(area['area']))) - if 'change' in area: - file.write(change_to_markdown(area['change']) + '\n\n') + # old release notes format + if 'changes' in data: + for area in data['changes']: + file.write("## {}\n".format(capitalize(area['area']))) + if 'change' in area: + file.write(change_to_markdown(area['change']) + '\n\n') + + if 'breaking-change' in area: + file.write("### Breaking Changes\n") + file.write(change_to_markdown(area['breaking-change']) + '\n\n') + + if 'deprecation' in area: + file.write("### Deprecations\n") + file.write(change_to_markdown(area['deprecation']) + '\n\n') + # new release notes format + else: + if 'breaking changes' in data: + file.write("## {}\n".format(capitalize('breaking changes'))) + file.write(change_to_markdown(data['breaking changes']) + '\n\n') + + if 'security updates' in data: + file.write("## {}\n".format(capitalize('security updates'))) + file.write(change_to_markdown(data['security updates']) + '\n\n') + + if 'new features' in data: + file.write("## {}\n".format(capitalize('new features'))) + file.write(change_to_markdown(data['new features']) + '\n\n') + + if 'bug fixes' in data: + file.write("## {}\n".format(capitalize('bug fixes'))) + file.write(change_to_markdown(data['bug fixes']) + '\n\n') - if 'breaking-change' in area: - file.write("### Breaking Changes\n") - file.write(change_to_markdown(area['breaking-change']) + '\n\n') + if 'performance improvements' in data: + file.write("## {}\n".format(capitalize('performance improvements'))) + file.write(change_to_markdown(data['performance improvements']) + '\n\n') - if 'deprecation' in area: - file.write("### Deprecations\n") - file.write(change_to_markdown(area['deprecation']) + '\n\n') + if 'deprecations' in data: + file.write("## 
{}\n".format(capitalize('deprecations'))) + file.write(change_to_markdown(data['deprecations']) + '\n\n') + if 'Other changes' in data: + file.write("## {}\n".format(capitalize('Other changes'))) + file.write(change_to_markdown(data['Other changes']) + '\n\n') print("Markdown file '{}' has been generated.".format(output_markdown_file)) if __name__ == "__main__": From 3e8730fa54a06f476207fd82de091cd29ebe7746 Mon Sep 17 00:00:00 2001 From: Rajat Vig Date: Sat, 26 Oct 2024 17:09:22 +0100 Subject: [PATCH 306/523] feat: set full URI for the envoy-gateway service using name and namespace (#4533) * feat: set full URI for the envoy-gateway service using name and namespace Signed-off-by: Rajat Vig * Use the correct namespace and dnsdomain from Gateway config Signed-off-by: Rajat Vig * Use constant from config Signed-off-by: Rajat Vig --------- 
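Review bot: The new-format branch of the second yml2md.py hunk looks up `'Other changes'` with a capital O, while the other six keys are lower case. If the release-notes YAML spells it `other changes`, that section is dropped without any message, so the casing should be checked against the YAML files (not visible here) or made uniform. The seven near-identical `if ... in data:` blocks would also read better as one loop over an ordered tuple of section keys, which keeps the output order explicit and makes a mistyped key easy to spot. convert_yaml_to_markdown starts outside the hunk, and the indentation in the sketch below is approximate.

```python
# … unchanged: old release notes format (`if 'changes' in data:` branch) …
# new release notes format
else:
    sections = (
        'breaking changes',
        'security updates',
        'new features',
        'bug fixes',
        'performance improvements',
        'deprecations',
        'Other changes',  # confirm casing against the YAML keys
    )
    for section in sections:
        if section in data:
            file.write("## {}\n".format(capitalize(section)))
            file.write(change_to_markdown(data[section]) + '\n\n')
```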
Signed-off-by: Rajat Vig --- internal/infrastructure/kubernetes/infra.go | 4 ++++ .../infrastructure/kubernetes/proxy/resource.go | 3 +++ .../kubernetes/proxy/resource_provider.go | 10 +++++++--- .../kubernetes/proxy/resource_provider_test.go | 14 +++++++------- .../proxy/testdata/daemonsets/custom.yaml | 2 +- .../proxy/testdata/daemonsets/default-env.yaml | 2 +- .../proxy/testdata/daemonsets/default.yaml | 2 +- .../testdata/daemonsets/disable-prometheus.yaml | 2 +- .../proxy/testdata/daemonsets/extension-env.yaml | 2 +- .../override-labels-and-annotations.yaml | 2 +- .../proxy/testdata/daemonsets/patch-daemonset.yaml | 2 +- .../testdata/daemonsets/shutdown-manager.yaml | 2 +- .../proxy/testdata/daemonsets/volumes.yaml | 2 +- .../testdata/daemonsets/with-annotations.yaml | 2 +- .../proxy/testdata/daemonsets/with-extra-args.yaml | 2 +- .../daemonsets/with-image-pull-secrets.yaml | 2 +- .../proxy/testdata/daemonsets/with-name.yaml | 2 +- .../testdata/daemonsets/with-node-selector.yaml | 2 +- .../with-topology-spread-constraints.yaml | 2 +- .../proxy/testdata/deployments/custom.yaml | 2 +- .../deployments/custom_with_initcontainers.yaml | 2 +- .../proxy/testdata/deployments/default-env.yaml | 2 +- .../proxy/testdata/deployments/default.yaml | 2 +- .../testdata/deployments/disable-prometheus.yaml | 2 +- .../proxy/testdata/deployments/extension-env.yaml | 2 +- .../override-labels-and-annotations.yaml | 2 +- .../testdata/deployments/patch-deployment.yaml | 2 +- .../testdata/deployments/shutdown-manager.yaml | 2 +- .../proxy/testdata/deployments/volumes.yaml | 2 +- .../testdata/deployments/with-annotations.yaml | 2 +- .../deployments/with-empty-memory-limits.yaml | 2 +- .../testdata/deployments/with-extra-args.yaml | 2 +- .../deployments/with-image-pull-secrets.yaml | 2 +- .../proxy/testdata/deployments/with-name.yaml | 2 +- .../testdata/deployments/with-node-selector.yaml | 2 +- .../with-topology-spread-constraints.yaml | 2 +- .../kubernetes/proxy_configmap_test.go | 4 
++-- .../kubernetes/proxy_daemonset_test.go | 4 ++-- .../kubernetes/proxy_deployment_test.go | 6 +++--- internal/infrastructure/kubernetes/proxy_infra.go | 4 ++-- .../kubernetes/proxy_service_test.go | 2 +- .../kubernetes/proxy_serviceaccount_test.go | 4 ++-- 42 files changed, 65 insertions(+), 54 deletions(-) diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go index 3d9c3e7b14f..4285f395967 100644 --- a/internal/infrastructure/kubernetes/infra.go +++ b/internal/infrastructure/kubernetes/infra.go @@ -50,6 +50,9 @@ type Infra struct { // Namespace is the Namespace used for managed infra. Namespace string + // DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local". + DNSDomain string + // EnvoyGateway is the configuration used to startup Envoy Gateway. EnvoyGateway *egv1a1.EnvoyGateway @@ -61,6 +64,7 @@ type Infra struct { func NewInfra(cli client.Client, cfg *config.Server) *Infra { return &Infra{ Namespace: cfg.Namespace, + DNSDomain: cfg.DNSDomain, EnvoyGateway: cfg.EnvoyGateway, Client: New(cli), } diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index 6eb8a894e18..aa5a4d64e70 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -83,6 +83,8 @@ func expectedProxyContainers(infra *ir.ProxyInfra, containerSpec *egv1a1.KubernetesContainerSpec, shutdownConfig *egv1a1.ShutdownConfig, shutdownManager *egv1a1.ShutdownManager, + namespace string, + dnsDomain string, ) ([]corev1.Container, error) { // Define slice to hold container ports var ports []corev1.ContainerPort 
@@ -132,6 +134,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra, TrustedCA: filepath.Join("/sds", common.SdsCAFilename), }, MaxHeapSizeBytes: maxHeapSizeBytes, + XdsServerHost: ptr.To(fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, namespace, dnsDomain)), } args, err := common.BuildProxyArgs(infra, shutdownConfig, bootstrapConfigOptions, fmt.Sprintf("$(%s)", envoyPodEnvVar)) diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index b1d47e906d9..9830bafad71 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go @@ -45,12 +45,16 @@ type ResourceRender struct { // Namespace is the Namespace used for managed infra. Namespace string + // DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local". + DNSDomain string + ShutdownManager *egv1a1.ShutdownManager } -func NewResourceRender(ns string, infra *ir.ProxyInfra, gateway *egv1a1.EnvoyGateway) *ResourceRender { +func NewResourceRender(ns string, dnsDomain string, infra *ir.ProxyInfra, gateway *egv1a1.EnvoyGateway) *ResourceRender { return &ResourceRender{ Namespace: ns, + DNSDomain: dnsDomain, infra: infra, ShutdownManager: gateway.GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager, } @@ -258,7 +262,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) { proxyConfig := r.infra.GetProxyConfig() // Get expected bootstrap configurations rendered ProxyContainers - containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) + containers, err := expectedProxyContainers(r.infra, deploymentConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.Namespace, r.DNSDomain) if err != nil { return nil, err } 
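Review bot: `XdsServerHost` in the second resource.go hunk is formatted from `namespace` and `dnsDomain` without checking either. An empty `dnsDomain` renders `envoy-gateway.<ns>.svc.`, an empty `namespace` renders a name with an empty label, and the proxy would presumably be unable to resolve its xDS server. This address is where Envoy fetches its configuration, so I would fail rendering early with `if namespace == "" || dnsDomain == "" { return nil, fmt.Errorf("xds server host: namespace and dns domain must be set") }` before `bootstrapConfigOptions` is built. It is also worth confirming that the control-plane certificate checked against `TrustedCA` covers the fully qualified name, in case the bootstrap template derives SNI or SAN matching from this host; that template is not visible here. expectedProxyContainers starts and ends outside the hunk.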
@@ -360,7 +364,7 @@ func (r *ResourceRender) DaemonSet() (*appsv1.DaemonSet, error) { proxyConfig := r.infra.GetProxyConfig() // Get expected bootstrap configurations rendered ProxyContainers - containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager) + containers, err := expectedProxyContainers(r.infra, daemonSetConfig.Container, proxyConfig.Spec.Shutdown, r.ShutdownManager, r.Namespace, r.DNSDomain) if err != nil { return nil, err } diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index 8c4138a3825..0cf54a40427 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -564,7 +564,7 @@ func TestDeployment(t *testing.T) { tc.infra.Proxy.Config.Spec.ExtraArgs = tc.extraArgs } - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) dp, err := r.Deployment() require.NoError(t, err) @@ -993,7 +993,7 @@ func TestDaemonSet(t *testing.T) { tc.infra.Proxy.Config.Spec.ExtraArgs = tc.extraArgs } - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) ds, err := r.DaemonSet() require.NoError(t, err) @@ -1143,7 +1143,7 @@ func TestService(t *testing.T) { provider.EnvoyService = tc.service } - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) svc, err := r.Service() require.NoError(t, err) 
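Review bot: Nothing in the visible tests exercises a non-default DNS domain or namespace. Every call site updated in resource_provider_test.go passes the shared `cfg.DNSDomain`, and the regenerated golden files all show `envoy-gateway.envoy-gateway-system.svc.cluster.local`. A table case that sets a different `cfg.DNSDomain` before `NewResourceRender` and asserts the rendered xDS cluster address would catch a regression where the domain is ignored or hard-coded. This applies equally to the TestDeployment and TestDaemonSet hunks; the test functions themselves start outside them.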
@@ -1186,7 +1186,7 @@ func TestConfigMap(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) cm, err := r.ConfigMap() require.NoError(t, err) @@ -1229,7 +1229,7 @@ func TestServiceAccount(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) sa, err := r.ServiceAccount() require.NoError(t, err) @@ -1285,7 +1285,7 @@ func TestPDB(t *testing.T) { provider.GetEnvoyProxyKubeProvider() - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) pdb, err := r.PodDisruptionBudget() require.NoError(t, err) @@ -1371,7 +1371,7 @@ func TestHorizontalPodAutoscaler(t *testing.T) { } provider.GetEnvoyProxyKubeProvider() - r := NewResourceRender(cfg.Namespace, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) + r := NewResourceRender(cfg.Namespace, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway) hpa, err := r.HorizontalPodAutoscaler() require.NoError(t, err) diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 678eebb7cac..5683159e6c5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml 
@@ -131,7 +131,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 4cc285a5ea4..75db2fc35a8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 26fcec34835..e2d420a0407 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index a6a402450e3..a351838340a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml 
@@ -104,7 +104,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 6642390520f..1ed87f21c2c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 3fa8846e2fb..70534adc4cc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -139,7 +139,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index e673031325d..b3ed37d3241 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 2604c99141f..97debe2f4e8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index ee1d74b0f16..64d66281152 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 5d862446c38..b5fadea1445 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -135,7 +135,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index a2ba2172f18..6cc85628272 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 75451d36eca..3f6090692bb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 564842ad1df..01a84c9e25f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 6e3f9b20f94..c32b7625ae7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 341bbd81f8a..06e48c355a3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -130,7 +130,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 31841738dee..3a080205897 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -136,7 +136,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index a81f3c8335a..c26ec592cd9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -136,7 +136,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index d90e6910a18..4a7a1b1c1c0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -135,7 +135,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 4a1d7251b9e..13d12e3fa40 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 8a9f46f5bd8..29207aaa3f8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -108,7 +108,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 53220f06d29..7c724bce6ce 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -135,7 +135,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index f8247753baf..aa87ba5b43c 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -143,7 +143,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 10452128cec..f4bf7a49f83 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 611f1f9eb06..4281e7c3697 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 62deebaba1e..ff84e18cdf2 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -135,7 +135,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index e4d4eac6563..2f44c8853d9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -139,7 +139,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index b24dfaea2a4..432b8f31188 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index b41a5135a58..bd87ca6b3a6 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index bb79e14f0e4..8033aa516af 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 1f9239bfb3d..5c7da4fcdd3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index b6845764655..93c65430254 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 0436bc70075..93f0cd1456a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -134,7 +134,7 @@ spec: endpoint: address: socket_address: - address: envoy-gateway + address: envoy-gateway.envoy-gateway-system.svc.cluster.local port_value: 18000 typed_extension_protocol_options: envoy.extensions.upstreams.http.v3.HttpProtocolOptions: diff --git a/internal/infrastructure/kubernetes/proxy_configmap_test.go b/internal/infrastructure/kubernetes/proxy_configmap_test.go index ef461fdde0a..ec4c0ec74e7 100644 --- a/internal/infrastructure/kubernetes/proxy_configmap_test.go +++ b/internal/infrastructure/kubernetes/proxy_configmap_test.go @@ -111,7 +111,7 @@ func TestCreateOrUpdateProxyConfigMap(t *testing.T) { Build() } kube := NewInfra(cli, cfg) - r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra(), kube.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, infra.GetProxyInfra(), kube.EnvoyGateway) err := kube.createOrUpdateConfigMap(context.Background(), r) require.NoError(t, err) actual := &corev1.ConfigMap{ 
@@ -169,7 +169,7 @@ func TestDeleteConfigProxyMap(t *testing.T) { infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name - r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra(), kube.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, infra.GetProxyInfra(), kube.EnvoyGateway) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Namespace: kube.Namespace, diff --git a/internal/infrastructure/kubernetes/proxy_daemonset_test.go b/internal/infrastructure/kubernetes/proxy_daemonset_test.go index e9fef86470c..2c126586247 100644 --- a/internal/infrastructure/kubernetes/proxy_daemonset_test.go +++ b/internal/infrastructure/kubernetes/proxy_daemonset_test.go @@ -66,7 +66,7 @@ func TestCreateOrUpdateProxyDaemonSet(t *testing.T) { }, } - r := proxy.NewResourceRender(cfg.Namespace, infra.GetProxyInfra(), cfg.EnvoyGateway) + r := proxy.NewResourceRender(cfg.Namespace, cfg.DNSDomain, infra.GetProxyInfra(), cfg.EnvoyGateway) ds, err := r.DaemonSet() require.NoError(t, err) @@ -245,7 +245,7 @@ func TestCreateOrUpdateProxyDaemonSet(t *testing.T) { } kube := NewInfra(cli, cfg) - r := proxy.NewResourceRender(kube.Namespace, tc.in.GetProxyInfra(), cfg.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, tc.in.GetProxyInfra(), cfg.EnvoyGateway) err := kube.createOrUpdateDaemonSet(context.Background(), r) if tc.wantErr { require.Error(t, err) diff --git a/internal/infrastructure/kubernetes/proxy_deployment_test.go b/internal/infrastructure/kubernetes/proxy_deployment_test.go index 616101e18a2..188c92961b3 100644 --- a/internal/infrastructure/kubernetes/proxy_deployment_test.go +++ b/internal/infrastructure/kubernetes/proxy_deployment_test.go 
@@ -59,7 +59,7 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name - r := proxy.NewResourceRender(cfg.Namespace, infra.GetProxyInfra(), cfg.EnvoyGateway) + r := proxy.NewResourceRender(cfg.Namespace, cfg.DNSDomain, infra.GetProxyInfra(), cfg.EnvoyGateway) deploy, err := r.Deployment() require.NoError(t, err) @@ -238,7 +238,7 @@ func TestCreateOrUpdateProxyDeployment(t *testing.T) { } kube := NewInfra(cli, cfg) - r := proxy.NewResourceRender(kube.Namespace, tc.in.GetProxyInfra(), cfg.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, tc.in.GetProxyInfra(), cfg.EnvoyGateway) err := kube.createOrUpdateDeployment(context.Background(), r) if tc.wantErr { require.Error(t, err) @@ -284,7 +284,7 @@ func TestDeleteProxyDeployment(t *testing.T) { infra := ir.NewInfra() infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name - r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra(), kube.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, infra.GetProxyInfra(), kube.EnvoyGateway) err := kube.createOrUpdateDeployment(context.Background(), r) require.NoError(t, err) diff --git a/internal/infrastructure/kubernetes/proxy_infra.go b/internal/infrastructure/kubernetes/proxy_infra.go index e0b1fc5f9cc..b7d96f3bb3c 100644 --- a/internal/infrastructure/kubernetes/proxy_infra.go +++ b/internal/infrastructure/kubernetes/proxy_infra.go 
@@ -23,7 +23,7 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e return errors.New("infra proxy ir is nil") } - r := proxy.NewResourceRender(i.Namespace, infra.GetProxyInfra(), i.EnvoyGateway) + r := proxy.NewResourceRender(i.Namespace, i.DNSDomain, infra.GetProxyInfra(), i.EnvoyGateway) return i.createOrUpdate(ctx, r) } @@ -33,6 +33,6 @@ func (i *Infra) DeleteProxyInfra(ctx context.Context, infra *ir.Infra) error { return errors.New("infra ir is nil") } - r := proxy.NewResourceRender(i.Namespace, infra.GetProxyInfra(), i.EnvoyGateway) + r := proxy.NewResourceRender(i.Namespace, i.DNSDomain, infra.GetProxyInfra(), i.EnvoyGateway) return i.delete(ctx, r) } diff --git a/internal/infrastructure/kubernetes/proxy_service_test.go b/internal/infrastructure/kubernetes/proxy_service_test.go index ffc8e4912e6..dab16d5b981 100644 --- a/internal/infrastructure/kubernetes/proxy_service_test.go +++ b/internal/infrastructure/kubernetes/proxy_service_test.go @@ -32,7 +32,7 @@ func TestDeleteProxyService(t *testing.T) { infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name - r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra(), kube.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, infra.GetProxyInfra(), kube.EnvoyGateway) err := kube.createOrUpdateService(context.Background(), r) require.NoError(t, err) diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go index 9aed62b6e6b..44732bf6b48 100644 --- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go +++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go 
@@ -187,7 +187,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) { kube := NewInfra(cli, cfg) - r := proxy.NewResourceRender(kube.Namespace, tc.in.GetProxyInfra(), cfg.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, tc.in.GetProxyInfra(), cfg.EnvoyGateway) err = kube.createOrUpdateServiceAccount(context.Background(), r) require.NoError(t, err) @@ -220,7 +220,7 @@ func TestDeleteProxyServiceAccount(t *testing.T) { infra := ir.NewInfra() infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNamespaceLabel] = "default" infra.Proxy.GetProxyMetadata().Labels[gatewayapi.OwningGatewayNameLabel] = infra.Proxy.Name - r := proxy.NewResourceRender(kube.Namespace, infra.GetProxyInfra(), kube.EnvoyGateway) + r := proxy.NewResourceRender(kube.Namespace, kube.DNSDomain, infra.GetProxyInfra(), kube.EnvoyGateway) err := kube.createOrUpdateServiceAccount(context.Background(), r) require.NoError(t, err) From 7897fc50274dc89540a232118aa23077e73092d6 Mon Sep 17 00:00:00 2001 From: Evan Anderson Date: Sat, 26 Oct 2024 16:26:38 -0700 Subject: [PATCH 307/523] Reduce the amount of configuration logging, and make it line-delimeted friendly (#4505) * Reduce the amount and style of configuration logging Signed-off-by: Evan Anderson * Update verbosity from 1->4 Signed-off-by: Evan Anderson Signed-off-by: Evan Anderson --------- Signed-off-by: Evan Anderson Signed-off-by: Evan Anderson --- internal/gatewayapi/runner/runner.go | 8 ++++++-- internal/ir/infra.go | 2 +- internal/ir/xds.go | 2 +- release-notes/current.yaml | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index bd093761911..55023c41a8d 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go 
@@ -173,7 +173,9 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { - r.Logger.WithValues("infra-ir", key).Info(val.JSONString()) + if vlog := r.Logger.V(4); vlog.Enabled() { + vlog.WithValues("infra-ir", key).Info(val.JSONString()) + } if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -184,7 +186,9 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { - r.Logger.WithValues("xds-ir", key).Info(val.JSONString()) + if vlog := r.Logger.V(4); vlog.Enabled() { + vlog.WithValues("xds-ir", key).Info(val.JSONString()) + } if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err diff --git a/internal/ir/infra.go b/internal/ir/infra.go index 8bf433785fb..7044b695fda 100644 --- a/internal/ir/infra.go +++ b/internal/ir/infra.go @@ -36,7 +36,7 @@ func (i *Infra) YAMLString() string { } func (i *Infra) JSONString() string { - j, _ := json.MarshalIndent(i, "", "\t") + j, _ := json.Marshal(i) return string(j) } diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 10c418af462..5e26af0f479 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -181,7 +181,7 @@ func (x *Xds) YAMLString() string { } func (x *Xds) JSONString() string { - j, _ := json.MarshalIndent(x.Printable(), "", "\t") + j, _ := json.Marshal(x.Printable()) return string(j) } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..8240c9ab163 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
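Review bot: The guarded call `vlog.WithValues("infra-ir", key).Info(val.JSONString())` in the first runner.go hunk still passes the whole serialized IR as the log message, so with `-v 4` every translation writes the complete configuration to the log stream; the xds-ir loop in the second hunk does the same. A comment above each guard would make that explicit for operators, for example `// V(4) dumps the complete IR; enable only where the log sink may hold full gateway configuration.` A fixed message with the payload as a field, `vlog.Info("translated infra ir", "infra-ir", key, "ir", val.JSONString())`, would also keep the message stable for log queries and alerts. subscribeAndTranslate starts and ends outside both hunks.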
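Review bot: `j, _ := json.Marshal(i)` in Infra.JSONString (internal/ir/infra.go) discards the marshal error, so a failure yields an empty log message with no hint of the cause; Xds.JSONString in the xds.go hunk has the same pattern. The Xds variant serializes `x.Printable()` (presumably a sanitized copy), while the infra IR is marshalled as-is. Whether the infra IR can hold sensitive fields is not visible here, but if it can, an equivalent step belongs before it reaches the V(4) dump. At minimum the error should be surfaced rather than dropped, e.g. `if err != nil { return "infra ir marshal error: " + err.Error() }`.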
@@ -14,7 +14,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Add a bug fix here + Only log endpoint configuration in verbose logging mode (`-v 4` or higher) # Enhancements that improve performance. performance improvements: | From 9c9f435d88610448f2f61b1d6658b4518905d71c Mon Sep 17 00:00:00 2001 From: sh2 Date: Sun, 27 Oct 2024 09:52:58 +0800 Subject: [PATCH 308/523] feat: enable load backend resources (#4535) enable load backend resources Signed-off-by: shawnh2 --- .../translate/in/backend-endpoint.yaml | 46 ++++++++ .../translate/out/backend-endpoint.all.yaml | 106 ++++++++++++++++++ internal/cmd/egctl/translate_test.go | 6 + internal/gatewayapi/resource/load.go | 14 ++- 4 files changed, 171 insertions(+), 1 deletion(-) create mode 100644 internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml create mode 100644 internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml diff --git a/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml new file mode 100644 index 00000000000..d2aa0f78f07 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/in/backend-endpoint.yaml 
@@ -0,0 +1,46 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend +spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 diff --git a/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml new file mode 100644 index 00000000000..d3f3ed2c771 --- /dev/null +++ b/internal/cmd/egctl/testdata/translate/out/backend-endpoint.all.yaml 
@@ -0,0 +1,106 @@ +backends: +- kind: Backend + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gatewayClass: + kind: GatewayClass + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + status: + conditions: + - lastTransitionTime: null + message: Valid GatewayClass + reason: Accepted + status: "True" + type: Accepted +gateways: +- kind: Gateway + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + gatewayClassName: eg + listeners: + - name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- kind: HTTPRoute + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + hostnames: + - www.example.com + parentRefs: + - name: eg + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: 
null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: eg diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 9207c8bb75b..20cf76d0162 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -287,6 +287,12 @@ func TestTranslate(t *testing.T) { expect: true, extraArgs: []string{"--add-missing-resources"}, }, + { + name: "backend-endpoint", + from: "gateway-api", + to: "gateway-api", + expect: true, + }, } flag.Parse() diff --git a/internal/gatewayapi/resource/load.go b/internal/gatewayapi/resource/load.go index 2445a459c74..7c87ffb7918 100644 --- a/internal/gatewayapi/resource/load.go +++ b/internal/gatewayapi/resource/load.go @@ -44,7 +44,6 @@ func LoadResourcesFromYAMLBytes(yamlBytes []byte, addMissingResources bool) (*Re // loadKubernetesYAMLToResources converts a Kubernetes YAML string into GatewayAPI Resources. // TODO: add support for kind: -// - Backend (gateway.envoyproxy.io/v1alpha1) // - EnvoyExtensionPolicy (gateway.envoyproxy.io/v1alpha1) // - HTTPRouteFilter (gateway.envoyproxy.io/v1alpha1) // - BackendLPPolicy (gateway.networking.k8s.io/v1alpha2) @@ -295,6 +294,19 @@ func loadKubernetesYAMLToResources(input []byte, addMissingResources bool) (*Res Spec: typedSpec.(egv1a1.HTTPRouteFilterSpec), } resources.HTTPRouteFilters = append(resources.HTTPRouteFilters, httpRouteFilter) + case KindBackend: + typedSpec := spec.Interface() + backend := &egv1a1.Backend{ + TypeMeta: metav1.TypeMeta{ + Kind: KindBackend, + }, + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: typedSpec.(egv1a1.BackendSpec), + } + resources.Backends = append(resources.Backends, backend) } return nil From 6ccbbac3f98b628877cf713c065ccbdd04cfbdcf Mon Sep 17 00:00:00 2001 
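Review bot: `Spec: typedSpec.(egv1a1.BackendSpec)` in the new `case KindBackend:` branch of internal/gatewayapi/resource/load.go is a single-value type assertion, so a mismatch panics instead of returning an error from a loader whose input is caller-supplied YAML. It mirrors the HTTPRouteFilter case above it, and how `spec` is built is outside the hunk, so the assertion may always hold in practice. The comma-ok form makes that explicit: `backendSpec, ok := typedSpec.(egv1a1.BackendSpec)`, returning an error when `!ok`. If the invariant is guaranteed by the code that constructs `spec`, a one-line comment saying so would be enough. loadKubernetesYAMLToResources starts and ends outside the hunk.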
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 13:07:18 +0800 Subject: [PATCH 309/523] build(deps): bump actions/setup-node from 4.0.4 to 4.1.0 (#4537) Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.4 to 4.1.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/0a44ba7841725637a19e28fa30b79a866c81b0a6...39370e3970a6d050c480ffad4ff0ed4d3fdee5af) --- updated-dependencies: - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 687c824ea41..350b0283a99 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -62,7 +62,7 @@ jobs: extended: true - name: Setup Node - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.1.0 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: '18' From 7ad18fa8548ab6cc959381b308626673666727cb Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 28 Oct 2024 16:00:46 +0800 Subject: [PATCH 310/523] chore: optimized code (#4514) * chore: optimized code Signed-off-by: zirain * revert Signed-off-by: zirain --------- Signed-off-by: zirain --- internal/provider/kubernetes/controller.go | 41 ++++++++++++--------- internal/provider/kubernetes/resource.go | 43 ++++++++++++---------- 2 files changed, 47 insertions(+), 37 deletions(-) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 06d9dc39a0d..40e1cf335c8 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
@@ -336,7 +336,7 @@ func (r *gatewayAPIReconciler) managedGatewayClasses(ctx context.Context) ([]*gw // so clean-up dependents. if !gwClass.DeletionTimestamp.IsZero() && !slice.ContainsString(gwClass.Finalizers, gatewayClassFinalizer) { - r.log.Info("gatewayclass marked for deletion") + r.log.Info("gatewayclass marked for deletion", "name", gwClass.Name) cc.removeMatch(&gwClass) continue } @@ -383,8 +383,9 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour "name", string(backendRef.Name)) } else { resourceMappings.allAssociatedNamespaces.Insert(serviceImport.Namespace) - if !resourceMappings.allAssociatedServiceImports.Has(utils.NamespacedName(serviceImport).String()) { - resourceMappings.allAssociatedServiceImports.Insert(utils.NamespacedName(serviceImport).String()) + key := utils.NamespacedName(serviceImport).String() + if !resourceMappings.allAssociatedServiceImports.Has(key) { + resourceMappings.allAssociatedServiceImports.Insert(key) gwcResource.ServiceImports = append(gwcResource.ServiceImports, serviceImport) r.log.Info("added ServiceImport to resource tree", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) 
@@ -399,11 +400,14 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour r.log.Error(err, "failed to get Backend", "namespace", string(*backendRef.Namespace), "name", string(backendRef.Name)) } else { - resourceMappings.allAssociatedNamespaces[backend.Namespace] = struct{}{} - backend.Status = egv1a1.BackendStatus{} - gwcResource.Backends = append(gwcResource.Backends, backend) - r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), - "name", string(backendRef.Name)) + resourceMappings.allAssociatedNamespaces.Insert(backend.Namespace) + key := utils.NamespacedName(backend).String() + if !resourceMappings.allAssociatedBackends.Has(key) { + resourceMappings.allAssociatedBackends.Insert(key) + gwcResource.Backends = append(gwcResource.Backends, backend) + r.log.Info("added Backend to resource tree", "namespace", string(*backendRef.Namespace), + "name", string(backendRef.Name)) + } } } 
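Review bot: The rewritten Backend branch of processBackendRefs no longer contains `backend.Status = egv1a1.BackendStatus{}`, so a Backend read from the API server now enters `gwcResource.Backends` with whatever status it already carried. If the reset was there to keep stale conditions out of the recomputed status, removing it is a behaviour change in a commit titled as an optimisation. Whether the status is cleared elsewhere is not visible from this hunk. Either restore the line inside the new `if !resourceMappings.allAssociatedBackends.Has(key)` block, or add a comment there stating why the reset is no longer needed. processBackendRefs starts and ends outside the hunk.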
@@ -414,17 +418,18 @@ func (r *gatewayAPIReconciler) processBackendRefs(ctx context.Context, gwcResour client.MatchingLabels(map[string]string{ endpointSliceLabelKey: string(backendRef.Name), }), - client.InNamespace(string(*backendRef.Namespace)), + client.InNamespace(*backendRef.Namespace), } if err := r.client.List(ctx, endpointSliceList, opts...); err != nil { r.log.Error(err, "failed to get EndpointSlices", "namespace", string(*backendRef.Namespace), backendRefKind, string(backendRef.Name)) } else { for _, endpointSlice := range endpointSliceList.Items { - endpointSlice := endpointSlice //nolint:copyloopvar - if !resourceMappings.allAssociatedEndpointSlices.Has(utils.NamespacedName(&endpointSlice).String()) { - resourceMappings.allAssociatedEndpointSlices.Insert(utils.NamespacedName(&endpointSlice).String()) - r.log.Info("added EndpointSlice to resource tree", "namespace", endpointSlice.Namespace, + key := utils.NamespacedName(&endpointSlice).String() + if !resourceMappings.allAssociatedEndpointSlices.Has(key) { + resourceMappings.allAssociatedEndpointSlices.Insert(key) + r.log.Info("added EndpointSlice to resource tree", + "namespace", endpointSlice.Namespace, "name", endpointSlice.Name) gwcResource.EndpointSlices = append(gwcResource.EndpointSlices, &endpointSlice) } @@ -567,8 +572,9 @@ func (r *gatewayAPIReconciler) processOIDCHMACSecret(ctx context.Context, resour return } - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(&secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(&secret).String()) + key := utils.NamespacedName(&secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, &secret) r.log.Info("processing OIDC HMAC Secret", "namespace", r.namespace, "name", oidcHMACSecretName) } 
@@ -626,8 +632,9 @@ func (r *gatewayAPIReconciler) processSecretRef( } } resourceMap.allAssociatedNamespaces.Insert(secretNS) // TODO Zhaohuabing do we need this line? - if !resourceMap.allAssociatedSecrets.Has(utils.NamespacedName(secret).String()) { - resourceMap.allAssociatedSecrets.Insert(utils.NamespacedName(secret).String()) + key := utils.NamespacedName(secret).String() + if !resourceMap.allAssociatedSecrets.Has(key) { + resourceMap.allAssociatedSecrets.Insert(key) resourceTree.Secrets = append(resourceTree.Secrets, secret) r.log.Info("processing Secret", "namespace", secretNS, "name", string(secretRef.Name)) } diff --git a/internal/provider/kubernetes/resource.go b/internal/provider/kubernetes/resource.go index 4d3aafb6fa2..b867d6319d3 100644 --- a/internal/provider/kubernetes/resource.go +++ b/internal/provider/kubernetes/resource.go 
@@ -15,45 +15,47 @@ import ( ) type resourceMappings struct { - // Map for storing Gateways' NamespacedNames. + // Set for storing Gateways' NamespacedNames. allAssociatedGateways sets.Set[string] - // Map for storing ReferenceGrants' NamespacedNames. + // Set for storing ReferenceGrants' NamespacedNames. allAssociatedReferenceGrants sets.Set[string] - // Map for storing ServiceImports' NamespacedNames. + // Set for storing ServiceImports' NamespacedNames. allAssociatedServiceImports sets.Set[string] - // Map for storing EndpointSlices' NamespacedNames. + // Set for storing EndpointSlices' NamespacedNames. allAssociatedEndpointSlices sets.Set[string] - // Map for storing Secrets' NamespacedNames. + // Set for storing Backends' NamespacedNames. + allAssociatedBackends sets.Set[string] + // Set for storing Secrets' NamespacedNames. allAssociatedSecrets sets.Set[string] - // Map for storing ConfigMaps' NamespacedNames. + // Set for storing ConfigMaps' NamespacedNames. allAssociatedConfigMaps sets.Set[string] - // Map for storing namespaces for Route, Service and Gateway objects. + // Set for storing namespaces for Route, Service and Gateway objects. allAssociatedNamespaces sets.Set[string] - // Map for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. + // Set for storing EnvoyProxies' NamespacedNames attaching to Gateway or GatewayClass. allAssociatedEnvoyProxies sets.Set[string] - // Map for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. + // Set for storing EnvoyPatchPolicies' NamespacedNames attaching to Gateway. allAssociatedEnvoyPatchPolicies sets.Set[string] - // Map for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TLSRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTLSRoutes sets.Set[string] - // Map for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. 
+ // Set for storing HTTPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedHTTPRoutes sets.Set[string] - // Map for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing GRPCRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedGRPCRoutes sets.Set[string] - // Map for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing TCPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedTCPRoutes sets.Set[string] - // Map for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. + // Set for storing UDPRoutes' NamespacedNames attaching to various Gateway objects. allAssociatedUDPRoutes sets.Set[string] - // Map for storing backendRefs' BackendObjectReference referred by various Route objects. + // Set for storing backendRefs' BackendObjectReference referred by various Route objects. allAssociatedBackendRefs sets.Set[gwapiv1.BackendObjectReference] - // Map for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing ClientTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedClientTrafficPolicies sets.Set[string] - // Map for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. + // Set for storing BackendTrafficPolicies' NamespacedNames referred by various Route objects. allAssociatedBackendTrafficPolicies sets.Set[string] - // Map for storing SecurityPolicies' NamespacedNames referred by various Route objects. + // Set for storing SecurityPolicies' NamespacedNames referred by various Route objects. allAssociatedSecurityPolicies sets.Set[string] - // Map for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. + // Set for storing BackendTLSPolicies' NamespacedNames referred by various Backend objects. 
allAssociatedBackendTLSPolicies sets.Set[string] - // Map for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. + // Set for storing EnvoyExtensionPolicies' NamespacedNames attaching to various Gateway objects. allAssociatedEnvoyExtensionPolicies sets.Set[string] // extensionRefFilters is a map of filters managed by an extension. // The key is the namespaced name, group and kind of the filter and the value is the @@ -70,6 +72,7 @@ func newResourceMapping() *resourceMappings { allAssociatedReferenceGrants: sets.New[string](), allAssociatedServiceImports: sets.New[string](), allAssociatedEndpointSlices: sets.New[string](), + allAssociatedBackends: sets.New[string](), allAssociatedSecrets: sets.New[string](), allAssociatedConfigMaps: sets.New[string](), allAssociatedNamespaces: sets.New[string](), From a13f3843ac53ce457eb94ddd69d92bedcf0dd277 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 10:51:25 -0700 Subject: [PATCH 311/523] build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#4538) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.13 to 3.27.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f779452ac5af1c261dce0346a8f964149f49322b...662472033e021d55d94146f66f6058822b0b39fd) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5fceea67877..5ee3177e4fa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 018bb5c0dd7..740be892f17 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 + uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 with: sarif_file: results.sarif From 6667e4c9ba85f4a6eda5d111b190ba3107d6b810 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 11:34:13 -0700 Subject: [PATCH 312/523] build(deps): bump distroless/static from `26f9b99` to `3a03fc0` in /tools/docker/envoy-gateway (#4541) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `26f9b99` to `3a03fc0`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 1f5ad0cb8d0..5fef537da10 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:26f9b99f2463f55f20db19feb4d96eb88b056e0f1be7016bb9296a464a89d772 +FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib From de72c774acc993282f90f4b68a3af63b56d3f84a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 12:45:08 -0700 Subject: [PATCH 313/523] build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 in /tools/github-actions/setup-deps (#4540) build(deps): bump actions/setup-go in /tools/github-actions/setup-deps Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32...41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/github-actions/setup-deps/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tools/github-actions/setup-deps/action.yaml b/tools/github-actions/setup-deps/action.yaml index 7de23aac7ec..6dca9f5e1c3 100644 --- a/tools/github-actions/setup-deps/action.yaml +++ b/tools/github-actions/setup-deps/action.yaml @@ -6,7 +6,7 @@ runs: steps: - shell: bash run: sudo apt-get install libbtrfs-dev -y - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.1 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.0.1 with: go-version: 1.23.x cache: true From 189325b7090ee263f1b03d49eecf7bf8309ea2eb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 12:45:38 -0700 Subject: [PATCH 314/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.1 to 0.107.4 (#4543) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.107.1 to 0.107.4. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.107.1...v0.107.4) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1ec72d0a6bd..0fa00e3433c 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.1 + github.com/replicatedhq/troubleshoot v0.107.4 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 
diff --git a/go.sum b/go.sum index dbaf681efbb..969f51b02ea 100644 --- a/go.sum +++ b/go.sum @@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.107.1 h1:Hx9VbVv1r3M5fiH2fPTeoZ8LNIxh5R/e6vpe2jBgPfc= -github.com/replicatedhq/troubleshoot v0.107.1/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= +github.com/replicatedhq/troubleshoot v0.107.4 h1:w6sHGU/Xq5Or7tVNTfMaGZTrqDp2IR7YEWEjooFBDo8= +github.com/replicatedhq/troubleshoot v0.107.4/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From 5e397ea7dcf7bff9b855d059ccbd565ade014de7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 13:48:52 -0700 Subject: [PATCH 315/523] build(deps): bump github.com/tsaarni/certyaml from 0.9.3 to 0.10.0 (#4546) Bumps [github.com/tsaarni/certyaml](https://github.com/tsaarni/certyaml) from 0.9.3 to 0.10.0. - [Release notes](https://github.com/tsaarni/certyaml/releases) - [Commits](https://github.com/tsaarni/certyaml/compare/v0.9.3...v0.10.0) --- updated-dependencies: - dependency-name: github.com/tsaarni/certyaml dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index 0fa00e3433c..9a4fa1cb6e1 100644 --- a/go.mod +++ b/go.mod @@ -33,7 +33,7 @@ require ( github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 - github.com/tsaarni/certyaml v0.9.3 + github.com/tsaarni/certyaml v0.10.0 go.opentelemetry.io/otel v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 diff --git a/go.sum b/go.sum index 969f51b02ea..9dc89c7584a 100644 --- a/go.sum +++ b/go.sum @@ -828,8 +828,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= -github.com/tsaarni/certyaml v0.9.3 h1:m8HHbuUzWVUOmv8IQU9HgVZZ8r5ICExKm++54DJKCs0= -github.com/tsaarni/certyaml v0.9.3/go.mod h1:hhuU1qYr5re488geArUP4gZWqMUMqGlj4HA2qUyGYLk= +github.com/tsaarni/certyaml v0.10.0 h1:8ZWHO4Zg4VHUf7YblZNju44PcG5M+YtlJawiArYUHRs= +github.com/tsaarni/certyaml v0.10.0/go.mod h1:rI1wDTE/VQIglHOyGbjfvqb+5mWTVT5uLFVDDcT1sq8= github.com/tsaarni/x500dn v1.0.0 h1:LvaWTkqRpse4VHBhB5uwf3wytokK4vF9IOyNAEyiA+U= github.com/tsaarni/x500dn v1.0.0/go.mod h1:QaHa3EcUKC4dfCAZmj8+ZRGLKukWgpGv9H3oOCsAbcE= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= From a9e5cfe6f779bbe58e479b13679fd083191e2a76 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 14:05:49 -0700 Subject: [PATCH 316/523] build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#4539) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 18 +++++++++--------- .github/workflows/codeql.yml | 2 +- .github/workflows/docs.yaml | 4 ++-- .../workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 4 ++-- .github/workflows/license-scan.yml | 2 +- .github/workflows/release.yaml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/trivy.yml | 2 +- 9 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 80992fc9d6d..bafd90d8351 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # Generate the installation manifests first, so it can check # for errors while running `make -k lint` 
@@ -31,14 +31,14 @@ jobs: gen-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k gen-check license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - run: make -k licensecheck @@ -48,7 +48,7 @@ jobs: contents: read # for actions/checkout id-token: write # for fetching OIDC token steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # test @@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, gen-check, license-check, coverage-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Build EG Multiarch Binaries @@ -87,7 +87,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries @@ -116,7 +116,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries 
@@ -143,7 +143,7 @@ jobs: if: ${{ ! startsWith(github.event_name, 'push') }} needs: [build] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -170,7 +170,7 @@ jobs: runs-on: ubuntu-latest needs: [conformance-test, e2e-test] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Download EG Binaries diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ee3177e4fa..2027c7548aa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 350b0283a99..22437cb9cd8 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Git checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true ref: ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index 931831b2bf1..e2b43edfbba 100644 
--- a/.github/workflows/experimental_conformance.yaml +++ b/.github/workflows/experimental_conformance.yaml @@ -21,7 +21,7 @@ jobs: matrix: version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps # gateway api experimental conformance diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index a0ceb53e08d..4ce04c21efd 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -22,7 +22,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -57,7 +57,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Generate Release Manifests diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 2bbb36ce830..649f27fe979 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run scanner uses: google/osv-scanner-action/osv-scanner-action@19ec1116569a47416e11a45848722b1af31a857b # v1.9.0 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a95f411890d..d4a2213cab5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -15,7 +15,7 @@ jobs: benchmark-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps - name: Setup Graphviz @@ -50,7 +50,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Extract Release Tag and Commit SHA id: vars diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 740be892f17..6e816b5460f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index f34bd237a88..077dfa44fcb 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build an image from Dockerfile run: | From 902925fd53cfda9efc3f867d5ff109e5e3e6a70c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 06:14:28 +0800 Subject: [PATCH 317/523] build(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 (#4545) Bumps [github.com/fatih/color](https://github.com/fatih/color) from 1.17.0 to 1.18.0. - [Release notes](https://github.com/fatih/color/releases) - [Commits](https://github.com/fatih/color/compare/v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: github.com/fatih/color dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9a4fa1cb6e1..d00254554f8 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 github.com/evanphx/json-patch/v5 v5.9.0 - github.com/fatih/color v1.17.0 + github.com/fatih/color v1.18.0 github.com/go-logfmt/logfmt v0.6.0 github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 diff --git a/go.sum b/go.sum index 9dc89c7584a..9ca74a4e5da 100644 --- a/go.sum +++ b/go.sum 
@@ -240,8 +240,8 @@ github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= -github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= From 217c6a58ed798a01fa77a56b3910178e608339b7 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 29 Oct 2024 06:15:03 +0800 Subject: [PATCH 318/523] e2e test for Gateway with EnvoyProxy (#4548) * e2e test for Gateway with EnvoyProxy Signed-off-by: Huabing Zhao * remove unnecessary comments Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- internal/provider/kubernetes/controller.go | 4 +- .../e2e/testdata/gateway-with-envoyproxy.yaml | 49 +++++++++++++++ test/e2e/tests/gatewayt-with-envoyproxy.go | 59 +++++++++++++++++++ 3 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 test/e2e/testdata/gateway-with-envoyproxy.yaml create mode 100644 test/e2e/tests/gatewayt-with-envoyproxy.go diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 40e1cf335c8..66b8b883c01 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
@@ -631,7 +631,7 @@ func (r *gatewayAPIReconciler) processSecretRef( } } } - resourceMap.allAssociatedNamespaces.Insert(secretNS) // TODO Zhaohuabing do we need this line? + resourceMap.allAssociatedNamespaces.Insert(secretNS) key := utils.NamespacedName(secret).String() if !resourceMap.allAssociatedSecrets.Has(key) { resourceMap.allAssociatedSecrets.Insert(key) @@ -740,7 +740,7 @@ func (r *gatewayAPIReconciler) processConfigMapRef( } } } - resourceMap.allAssociatedNamespaces.Insert(configMapNS) // TODO Zhaohuabing do we need this line? + resourceMap.allAssociatedNamespaces.Insert(configMapNS) if !resourceMap.allAssociatedConfigMaps.Has(utils.NamespacedName(configMap).String()) { resourceMap.allAssociatedConfigMaps.Insert(utils.NamespacedName(configMap).String()) resourceTree.ConfigMaps = append(resourceTree.ConfigMaps, configMap) diff --git a/test/e2e/testdata/gateway-with-envoyproxy.yaml b/test/e2e/testdata/gateway-with-envoyproxy.yaml new file mode 100644 index 00000000000..0d04562c13d --- /dev/null +++ b/test/e2e/testdata/gateway-with-envoyproxy.yaml 
@@ -0,0 +1,49 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: gateway-with-envoyproxy + namespace: gateway-conformance-infra +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + infrastructure: + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: test + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + namespace: gateway-conformance-infra + name: test +spec: + routingType: Service +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-route + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: gateway-with-envoyproxy + rules: + - matches: + - path: + value: / + backendRefs: + - name: infra-backend-v1 + port: 8080 + filters: + - type: ResponseHeaderModifier + responseHeaderModifier: + add: + - name: upstream-host + value: '%UPSTREAM_HOST%' diff --git a/test/e2e/tests/gatewayt-with-envoyproxy.go b/test/e2e/tests/gatewayt-with-envoyproxy.go new file mode 100644 index 00000000000..0ea33a52bd5 --- /dev/null +++ b/test/e2e/tests/gatewayt-with-envoyproxy.go 
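Review bot: The manifest adds an EnvoyProxy named `test` and an HTTPRoute named `http-route` to the `gateway-conformance-infra` namespace, which other e2e manifests appear to share (the route points at `infra-backend-v1`, which this file does not create). Names that generic may collide with objects from another test applied to the same namespace; that cannot be verified from this hunk. Tying them to the test, for example `name: gateway-with-envoyproxy` for the EnvoyProxy and its `parametersRef`, would rule that out.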
@@ -0,0 +1,59 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build e2e + +package tests + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/suite" +) + +func init() { + ConformanceTests = append(ConformanceTests, GatewayWithEnvoyProxy) +} + +var GatewayWithEnvoyProxy = suite.ConformanceTest{ + ShortName: "Gateway with EnvoyProxy", + Description: "Attach an EnvoyProxy to a Gateway", + Manifests: []string{"testdata/gateway-with-envoyproxy.yaml"}, + Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + t.Run("Attach an EnvoyProxy to a Gateway and set RoutingType to Service", func(t *testing.T) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: "http-route", Namespace: ns} + gwNN := types.NamespacedName{Name: "gateway-with-envoyproxy", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + backendNN := types.NamespacedName{Name: "infra-backend-v1", Namespace: ns} + svc := corev1.Service{} + require.NoError(t, suite.Client.Get(context.Background(), backendNN, &svc)) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/basic-auth-1", + }, + Response: http.Response{ + StatusCode: 200, + + // Verify that the RouteType is set to Service by the attached EnvoyProxy + Headers: map[string]string{ + "upstream-host": svc.Spec.ClusterIP + ":8080", + }, + }, + Namespace: ns, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + }) + }, +} 
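Review bot: The expected `upstream-host` value is built as `svc.Spec.ClusterIP + ":8080"`, which gives an unbracketed address when the Service has an IPv6 ClusterIP, whereas Envoy is expected to print `%UPSTREAM_HOST%` bracketed in that case. `net.JoinHostPort(svc.Spec.ClusterIP, "8080")`, plus the `net` import, covers both address families. The request path `/basic-auth-1` looks copied from another test; the route in the manifest matches `/`, so `Path: "/"` would state what is being tested. The inline comment says `RouteType` where the manifest field is `routingType`, and the file name `gatewayt-with-envoyproxy.go` has a stray `t`.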
From b877baca98bc9b28086bd80a8109aa25bca96247 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 28 Oct 2024 17:23:47 -0700 Subject: [PATCH 319/523] make watching alpha CRDs optional (#4519) * make watching alpha CRDs optional * The ownership of CRD installation is not tied to a single entity https://gateway-api.sigs.k8s.io/guides/crd-management/#who-should-manage-crds This results in multiple entities taking ownership of CRD installation * infra users * implementations * cloud providers This complicates things for implementations who may not know which version and release of CRDs are installed, so this PR makes watching alpha versioned CRDs optional * Even Envoy Gateway specific CRDs have been made optional to solve the use case where users want to only configure Gateway API resources * GRPCRoute is the only exception, which is v1, but has been made optional because it just graduated to v1 in v1.2 but a lot of cloud providers or service mesh implementations have not moved to v1.2 Fixes: https://github.com/envoyproxy/gateway/issues/3387 Signed-off-by: Arko Dasgupta --- internal/provider/kubernetes/controller.go | 623 ++++++++++-------- internal/provider/kubernetes/predicates.go | 244 ++++--- .../provider/kubernetes/predicates_test.go | 16 +- internal/provider/kubernetes/routes.go | 19 +- 4 files changed, 536 insertions(+), 366 deletions(-) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 66b8b883c01..28a0eafaa77 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
@@ -65,6 +65,21 @@ type gatewayAPIReconciler struct { resources *message.ProviderResources extGVKs []schema.GroupVersionKind extServerPolicies []schema.GroupVersionKind + + backendCRDExists bool + bTLSPolicyCRDExists bool + btpCRDExists bool + ctpCRDExists bool + eepCRDExists bool + epCRDExists bool + eppCRDExists bool + hrfCRDExists bool + grpcRouteCRDExists bool + serviceImportCRDExists bool + spCRDExists bool + tcpRouteCRDExists bool + tlsRouteCRDExists bool + udpRouteCRDExists bool } // newGatewayAPIController 
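Review bot: The fourteen new flags carry no comment and mix naming schemes: `bTLSPolicyCRDExists`, `btpCRDExists`, `epCRDExists`, `eppCRDExists` and `eepCRDExists` differ by one or two letters and are easy to swap at a guard site. A group comment such as `// CRD presence flags: a kind whose flag is false is skipped by the reconciler.` and spelled-out names (`envoyPatchPolicyCRDExists`, `backendTLSPolicyCRDExists`) would make the guards in Reconcile self-explanatory. The struct definition starts before this hunk.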
@@ -197,42 +212,55 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques return reconcile.Result{}, err } - // Add all EnvoyPatchPolicies to the resourceTree - if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eppCRDExists { + // Add all EnvoyPatchPolicies to the resourceTree + if err = r.processEnvoyPatchPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - - // Add all ClientTrafficPolicies and their referenced resources to the resourceTree - if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.ctpCRDExists { + // Add all ClientTrafficPolicies and their referenced resources to the resourceTree + if err = r.processClientTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTrafficPolicies to the resourceTree - if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.btpCRDExists { + // Add all BackendTrafficPolicies to the resourceTree + if err = r.processBackendTrafficPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all SecurityPolicies and their referenced resources to the resourceTree - if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.spCRDExists { + // Add all SecurityPolicies and their referenced resources to the resourceTree + if err = r.processSecurityPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all BackendTLSPolies to the resourceTree - if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.bTLSPolicyCRDExists { + // Add all 
BackendTLSPolies to the resourceTree + if err = r.processBackendTLSPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } - // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree - if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { - return reconcile.Result{}, err + if r.eepCRDExists { + // Add all EnvoyExtensionPolicies and their referenced resources to the resourceTree + if err = r.processEnvoyExtensionPolicies(ctx, gwcResource, resourceMappings); err != nil { + return reconcile.Result{}, err + } } if err = r.processExtensionServerPolicies(ctx, gwcResource); err != nil { return reconcile.Result{}, err } - if err = r.processBackends(ctx, gwcResource); err != nil { - return reconcile.Result{}, err + if r.backendCRDExists { + if err = r.processBackends(ctx, gwcResource); err != nil { + return reconcile.Result{}, err + } } // Add the referenced services, ServiceImports, and EndpointSlices in @@ -905,9 +933,12 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g gtwNamespacedName := utils.NamespacedName(>w).String() // Route Processing - // Get TLSRoute objects and check if it exists. - if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + + if r.tlsRouteCRDExists { + // Get TLSRoute objects and check if it exists. + if err := r.processTLSRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } // Get HTTPRoute objects and check if it exists. 
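Review bot: When `r.spCRDExists`, `r.ctpCRDExists` or `r.bTLSPolicyCRDExists` is false, Reconcile skips `processSecurityPolicies`, `processClientTrafficPolicies` and `processBackendTLSPolicies` without recording anything, so a gateway can be programmed without those policies and nothing in this path says why. The flags are assigned outside this hunk; if they follow the `r.epCRDExists = r.crdExists(...)` pattern seen in watchResources, a failed discovery call would look the same as a missing CRD and the skip would fail open. For the security-relevant kinds I would have the lookup return an error and abort startup on it, e.g. `exists, err := r.crdExists(...)` followed by `if err != nil { return err }`. The same guard pattern is applied to the route kinds in the two processGateways hunks, and Reconcile starts and ends outside this hunk.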
@@ -915,21 +946,26 @@ func (r *gatewayAPIReconciler) processGateways(ctx context.Context, managedGC *g return err } - // Get GRPCRoute objects and check if it exists. - if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.grpcRouteCRDExists { + // Get GRPCRoute objects and check if it exists. + if err := r.processGRPCRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get TCPRoute objects and check if it exists. - if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.tcpRouteCRDExists { + // Get TCPRoute objects and check if it exists. + if err := r.processTCPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Get UDPRoute objects and check if it exists. - if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { - return err + if r.udpRouteCRDExists { + // Get UDPRoute objects and check if it exists. + if err := r.processUDPRoutes(ctx, gtwNamespacedName, resourceMap, resourceTree); err != nil { + return err + } } - // Discard Status to reduce memory consumption in watchable // It will be recomputed by the gateway-api layer gtw.Status = gwapiv1.GatewayStatus{} 
@@ -1122,24 +1158,30 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return fmt.Errorf("failed to watch GatewayClass: %w", err) } - epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ - &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, - } - if r.namespaceLabel != nil { - epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { - return r.hasMatchingNamespaceLabels(ep) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { - return r.enqueueClass(ctx, t) - }), - epPredicates...)); err != nil { - return err - } - if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { - return err + r.epCRDExists = r.crdExists(mgr, resource.KindEnvoyProxy, egv1a1.GroupVersion.String()) + if !r.epCRDExists { + r.log.Info("EnvoyProxy CRD not found, skipping EnvoyProxy watch") + } else { + epPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyProxy]{ + &predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyProxy]{}, + } + if r.namespaceLabel != nil { + epPredicates = append(epPredicates, predicate.NewTypedPredicateFuncs(func(ep *egv1a1.EnvoyProxy) bool { + return r.hasMatchingNamespaceLabels(ep) + })) + } + + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyProxy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, t *egv1a1.EnvoyProxy) []reconcile.Request { + return r.enqueueClass(ctx, t) + }), + epPredicates...)); err != nil { + return err + } + if err := addEnvoyProxyIndexers(ctx, mgr); err != nil { + return err + } } // Watch Gateway CRUDs and reconcile affected GatewayClass. 
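Review bot: `r.epCRDExists` is computed here inside watchResources and not refreshed anywhere in the visible code, so an EnvoyProxy CRD installed after the controller has started is presumably ignored until the process restarts, and the only trace is one Info line. The message should tell the operator that, for example `r.log.Info("EnvoyProxy CRD not found, skipping EnvoyProxy watch; restart Envoy Gateway after installing the CRD")`. The same applies to the GRPCRoute and TLSRoute blocks in the next hunk. watchResources starts and ends outside this hunk.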
@@ -1189,92 +1231,113 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch GRPCRoute CRUDs and process affected Gateways. - grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), - } - if r.namespaceLabel != nil { - grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { - return r.hasMatchingNamespaceLabels(grpc) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - grpcrPredicates...)); err != nil { - return err - } - if err := addGRPCRouteIndexers(ctx, mgr); err != nil { - return err + // TODO: Remove this optional check once most cloud providers and service meshes support GRPCRoute v1 + r.grpcRouteCRDExists = r.crdExists(mgr, resource.KindGRPCRoute, gwapiv1.GroupVersion.String()) + if !r.grpcRouteCRDExists { + r.log.Info("GRPCRoute CRD not found, skipping GRPCRoute watch") + } else { + // Watch GRPCRoute CRUDs and process affected Gateways. 
+ grpcrPredicates := []predicate.TypedPredicate[*gwapiv1.GRPCRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1.GRPCRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1.GRPCRoute]{}), + } + if r.namespaceLabel != nil { + grpcrPredicates = append(grpcrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1.GRPCRoute](func(grpc *gwapiv1.GRPCRoute) bool { + return r.hasMatchingNamespaceLabels(grpc) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1.GRPCRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1.GRPCRoute](func(ctx context.Context, route *gwapiv1.GRPCRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + grpcrPredicates...)); err != nil { + return err + } + if err := addGRPCRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TLSRoute CRUDs and process affected Gateways. - tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), - } - if r.namespaceLabel != nil { - tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tlsrPredicates...)); err != nil { - return err - } - if err := addTLSRouteIndexers(ctx, mgr); err != nil { - return err + r.tlsRouteCRDExists = r.crdExists(mgr, resource.KindTLSRoute, gwapiv1a2.GroupVersion.String()) + if !r.tlsRouteCRDExists { + r.log.Info("TLSRoute CRD not found, skipping TLSRoute watch") + } else { + // Watch TLSRoute CRUDs and process affected Gateways. 
+ tlsrPredicates := []predicate.TypedPredicate[*gwapiv1a2.TLSRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TLSRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TLSRoute]{}), + } + if r.namespaceLabel != nil { + tlsrPredicates = append(tlsrPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TLSRoute](func(route *gwapiv1a2.TLSRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TLSRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TLSRoute](func(ctx context.Context, route *gwapiv1a2.TLSRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tlsrPredicates...)); err != nil { + return err + } + if err := addTLSRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch UDPRoute CRUDs and process affected Gateways. - udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), - } - if r.namespaceLabel != nil { - udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - udprPredicates...)); err != nil { - return err - } - if err := addUDPRouteIndexers(ctx, mgr); err != nil { - return err + r.udpRouteCRDExists = r.crdExists(mgr, resource.KindUDPRoute, gwapiv1a2.GroupVersion.String()) + if !r.udpRouteCRDExists { + r.log.Info("UDPRoute CRD not found, skipping UDPRoute watch") + } else { + // Watch UDPRoute CRUDs and process affected Gateways. 
+ udprPredicates := []predicate.TypedPredicate[*gwapiv1a2.UDPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.UDPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.UDPRoute]{}), + } + if r.namespaceLabel != nil { + udprPredicates = append(udprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.UDPRoute](func(route *gwapiv1a2.UDPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.UDPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.UDPRoute](func(ctx context.Context, route *gwapiv1a2.UDPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + udprPredicates...)); err != nil { + return err + } + if err := addUDPRouteIndexers(ctx, mgr); err != nil { + return err + } } - // Watch TCPRoute CRUDs and process affected Gateways. - tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ - predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, - predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), - } - if r.namespaceLabel != nil { - tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { - return r.hasMatchingNamespaceLabels(route) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, - handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { - return r.enqueueClass(ctx, route) - }), - tcprPredicates...)); err != nil { - return err - } - if err := addTCPRouteIndexers(ctx, mgr); err != nil { - return err + r.tcpRouteCRDExists = r.crdExists(mgr, resource.KindTCPRoute, gwapiv1a2.GroupVersion.String()) + if !r.tcpRouteCRDExists { + r.log.Info("TCPRoute CRD not found, skipping TCPRoute watch") + } else { + // Watch TCPRoute CRUDs and process affected Gateways. 
+ tcprPredicates := []predicate.TypedPredicate[*gwapiv1a2.TCPRoute]{ + predicate.Or(predicate.TypedGenerationChangedPredicate[*gwapiv1a2.TCPRoute]{}, + predicate.TypedLabelChangedPredicate[*gwapiv1a2.TCPRoute]{}), + } + if r.namespaceLabel != nil { + tcprPredicates = append(tcprPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a2.TCPRoute](func(route *gwapiv1a2.TCPRoute) bool { + return r.hasMatchingNamespaceLabels(route) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a2.TCPRoute{}, + handler.TypedEnqueueRequestsFromMapFunc[*gwapiv1a2.TCPRoute](func(ctx context.Context, route *gwapiv1a2.TCPRoute) []reconcile.Request { + return r.enqueueClass(ctx, route) + }), + tcprPredicates...)); err != nil { + return err + } + if err := addTCPRouteIndexers(ctx, mgr); err != nil { + return err + } } // Watch Service CRUDs and process affected *Route objects. @@ -1298,11 +1361,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } // Watch ServiceImport CRUDs and process affected *Route objects. - serviceImportCRDExists := r.serviceImportCRDExists(mgr) - if !serviceImportCRDExists { + r.serviceImportCRDExists = r.crdExists(mgr, resource.KindServiceImport, mcsapiv1a1.GroupVersion.String()) + if !r.serviceImportCRDExists { r.log.Info("ServiceImport CRD not found, skipping ServiceImport watch") - } - if serviceImportCRDExists { + } else { if err := c.Watch( source.Kind(mgr.GetCache(), &mcsapiv1a1.ServiceImport{}, handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, si *mcsapiv1a1.ServiceImport) []reconcile.Request { 
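Review bot: Each of the four `r.crdExists(mgr, ...)` calls added in the route hunk does its own discovery work: the crdExists hunks further down show a new client from `discovery.NewDiscoveryClientForConfig` and an API resource list fetch per call, and this patch adds more than a dozen such calls to watchResources. Fetching the resource list once at the top of watchResources and looking each kind up in it would reduce startup load on the API server and make every flag come from the same snapshot. The discover-then-log preamble is also repeated verbatim for GRPCRoute, TLSRoute, UDPRoute and TCPRoute and could be one small function. watchResources begins and ends outside this hunk.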
@@ -1338,8 +1400,11 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - // Watch Backend CRUDs and process affected *Route objects. - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + r.backendCRDExists = r.crdExists(mgr, resource.KindBackend, egv1a1.GroupVersion.String()) + if !r.backendCRDExists { + r.log.Info("Backend CRD not found, skipping Backend watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend { + // Watch Backend CRUDs and process affected *Route objects. backendPredicates := []predicate.TypedPredicate[*egv1a1.Backend]{ predicate.TypedGenerationChangedPredicate[*egv1a1.Backend]{}, predicate.NewTypedPredicateFuncs[*egv1a1.Backend](func(be *egv1a1.Backend) bool { @@ -1485,7 +1550,10 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M return err } - if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { + r.eppCRDExists = r.crdExists(mgr, resource.KindEnvoyPatchPolicy, egv1a1.GroupVersion.String()) + if !r.eppCRDExists { + r.log.Info("EnvoyPatchPolicy CRD not found, skipping EnvoyPatchPolicy watch") + } else if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy { // Watch EnvoyPatchPolicy if enabled in config eppPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyPatchPolicy]{ predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyPatchPolicy]{}, 
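Review bot: The CRD lookup now runs before the feature flag is consulted, so a cluster with `EnableBackend` off and no Backend CRD still pays for a discovery call and logs `Backend CRD not found, skipping Backend watch` on every start. It also means `r.backendCRDExists` can be true while the Backend API is disabled, so code that gates on the flag alone would treat Backend as available; whether such code exists is not visible here. Checking the configuration first keeps the two in step: `if r.envoyGateway.ExtensionAPIs != nil && r.envoyGateway.ExtensionAPIs.EnableBackend {` with the `crdExists` call inside it. The EnvoyPatchPolicy hunk that follows has the same ordering with `r.eppCRDExists`.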
@@ -1506,118 +1574,143 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M } } - // Watch ClientTrafficPolicy - ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(ctp) - })) - } + r.ctpCRDExists = r.crdExists(mgr, resource.KindClientTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.ctpCRDExists { + r.log.Info("ClientTrafficPolicy CRD not found, skipping ClientTrafficPolicy watch") + } else { + // Watch ClientTrafficPolicy + ctpPredicates := []predicate.TypedPredicate[*egv1a1.ClientTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.ClientTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + ctpPredicates = append(ctpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.ClientTrafficPolicy](func(ctp *egv1a1.ClientTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(ctp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, ctp) - }), - ctpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.ClientTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, ctp *egv1a1.ClientTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, ctp) + }), + ctpPredicates...)); err != nil { + return err + } - if err := addCtpIndexers(ctx, mgr); err != nil { - return err + if err := addCtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTrafficPolicy - btpPredicates := 
[]predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, - } - if r.namespaceLabel != nil { - btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.btpCRDExists = r.crdExists(mgr, resource.KindBackendTrafficPolicy, egv1a1.GroupVersion.String()) + if !r.btpCRDExists { + r.log.Info("BackendTrafficPolicy CRD not found, skipping BackendTrafficPolicy watch") + } else { + // Watch BackendTrafficPolicy + btpPredicates := []predicate.TypedPredicate[*egv1a1.BackendTrafficPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.BackendTrafficPolicy]{}, + } + if r.namespaceLabel != nil { + btpPredicates = append(btpPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.BackendTrafficPolicy](func(btp *egv1a1.BackendTrafficPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btpPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.BackendTrafficPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *egv1a1.BackendTrafficPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btpPredicates...)); err != nil { + return err + } - if err := addBtpIndexers(ctx, mgr); err != nil { - return err + if err := addBtpIndexers(ctx, mgr); err != nil { + return err + } } - // Watch SecurityPolicy - spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, - } - if r.namespaceLabel != nil { - spPredicates = append(spPredicates, 
predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { - return r.hasMatchingNamespaceLabels(sp) - })) - } + r.spCRDExists = r.crdExists(mgr, resource.KindSecurityPolicy, egv1a1.GroupVersion.String()) + if !r.spCRDExists { + r.log.Info("SecurityPolicy CRD not found, skipping SecurityPolicy watch") + } else { + // Watch SecurityPolicy + spPredicates := []predicate.TypedPredicate[*egv1a1.SecurityPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.SecurityPolicy]{}, + } + if r.namespaceLabel != nil { + spPredicates = append(spPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.SecurityPolicy](func(sp *egv1a1.SecurityPolicy) bool { + return r.hasMatchingNamespaceLabels(sp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { - return r.enqueueClass(ctx, sp) - }), - spPredicates...)); err != nil { - return err - } - if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { - return err + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.SecurityPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, sp *egv1a1.SecurityPolicy) []reconcile.Request { + return r.enqueueClass(ctx, sp) + }), + spPredicates...)); err != nil { + return err + } + if err := addSecurityPolicyIndexers(ctx, mgr); err != nil { + return err + } } - // Watch BackendTLSPolicy - btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ - predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, - } - if r.namespaceLabel != nil { - btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { - return r.hasMatchingNamespaceLabels(btp) - })) - } + r.bTLSPolicyCRDExists = r.crdExists(mgr, resource.KindBackendTLSPolicy, gwapiv1a3.GroupVersion.String()) + if 
!r.bTLSPolicyCRDExists { + r.log.Info("BackendTLSPolicy CRD not found, skipping BackendTLSPolicy watch") + } else { + // Watch BackendTLSPolicy + btlsPredicates := []predicate.TypedPredicate[*gwapiv1a3.BackendTLSPolicy]{ + predicate.TypedGenerationChangedPredicate[*gwapiv1a3.BackendTLSPolicy]{}, + } + if r.namespaceLabel != nil { + btlsPredicates = append(btlsPredicates, predicate.NewTypedPredicateFuncs[*gwapiv1a3.BackendTLSPolicy](func(btp *gwapiv1a3.BackendTLSPolicy) bool { + return r.hasMatchingNamespaceLabels(btp) + })) + } - if err := c.Watch( - source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { - return r.enqueueClass(ctx, btp) - }), - btlsPredicates...)); err != nil { - return err - } + if err := c.Watch( + source.Kind(mgr.GetCache(), &gwapiv1a3.BackendTLSPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, btp *gwapiv1a3.BackendTLSPolicy) []reconcile.Request { + return r.enqueueClass(ctx, btp) + }), + btlsPredicates...)); err != nil { + return err + } - if err := addBtlsIndexers(ctx, mgr); err != nil { - return err + if err := addBtlsIndexers(ctx, mgr); err != nil { + return err + } } - // Watch EnvoyExtensionPolicy - eepPredicates := []predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, - } - if r.namespaceLabel != nil { - eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { - return r.hasMatchingNamespaceLabels(eep) - })) - } + r.eepCRDExists = r.crdExists(mgr, resource.KindEnvoyExtensionPolicy, egv1a1.GroupVersion.String()) + if !r.eepCRDExists { + r.log.Info("EnvoyExtensionPolicy CRD not found, skipping EnvoyExtensionPolicy watch") + } else { + // Watch EnvoyExtensionPolicy + eepPredicates := 
[]predicate.TypedPredicate[*egv1a1.EnvoyExtensionPolicy]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.EnvoyExtensionPolicy]{}, + } + if r.namespaceLabel != nil { + eepPredicates = append(eepPredicates, predicate.NewTypedPredicateFuncs[*egv1a1.EnvoyExtensionPolicy](func(eep *egv1a1.EnvoyExtensionPolicy) bool { + return r.hasMatchingNamespaceLabels(eep) + })) + } - // Watch EnvoyExtensionPolicy CRUDs - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { - return r.enqueueClass(ctx, eep) - }), - eepPredicates...)); err != nil { - return err - } - if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { - return err + // Watch EnvoyExtensionPolicy CRUDs + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.EnvoyExtensionPolicy{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, eep *egv1a1.EnvoyExtensionPolicy) []reconcile.Request { + return r.enqueueClass(ctx, eep) + }), + eepPredicates...)); err != nil { + return err + } + if err := addEnvoyExtensionPolicyIndexers(ctx, mgr); err != nil { + return err + } } r.log.Info("Watching gatewayAPI related objects") 
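Review bot: A missing SecurityPolicy, ClientTrafficPolicy or BackendTLSPolicy CRD is reported with one `r.log.Info` line and the controller carries on, so traffic would presumably be programmed without the authentication and TLS settings those kinds carry while the only signal is an informational message. For kinds that express security policy, the safer default is to return an error from watchResources unless skipping was explicitly requested, or at least to word the message around the consequence, e.g. `"SecurityPolicy CRD not found: SecurityPolicy resources will not be enforced"`. If running without these CRDs is an intended deployment mode, a comment at the first of these blocks should say so. watchResources begins and ends outside this hunk.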
@@ -1656,31 +1749,35 @@ func (r *gatewayAPIReconciler) watchResources(ctx context.Context, mgr manager.M r.log.Info("Watching additional policy resource", "resource", gvk.String()) } - // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. - httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ - predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, - predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.validateHTTPRouteFilterForReconcile(be) - }), - } - if r.namespaceLabel != nil { - httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { - return r.hasMatchingNamespaceLabels(be) - })) - } - if err := c.Watch( - source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, - handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { - return r.enqueueClass(ctx, be) + r.hrfCRDExists = r.crdExists(mgr, resource.KindHTTPRouteFilter, egv1a1.GroupVersion.String()) + if !r.hrfCRDExists { + r.log.Info("HTTPRouteFilter CRD not found, skipping HTTPRouteFilter watch") + } else { + // Watch HTTPRouteFilter CRUDs and process affected HTTPRoute objects. 
+ httpRouteFilter := []predicate.TypedPredicate[*egv1a1.HTTPRouteFilter]{ + predicate.TypedGenerationChangedPredicate[*egv1a1.HTTPRouteFilter]{}, + predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.validateHTTPRouteFilterForReconcile(be) }), - httpRouteFilter...)); err != nil { - return err - } + } + if r.namespaceLabel != nil { + httpRouteFilter = append(httpRouteFilter, predicate.NewTypedPredicateFuncs[*egv1a1.HTTPRouteFilter](func(be *egv1a1.HTTPRouteFilter) bool { + return r.hasMatchingNamespaceLabels(be) + })) + } + if err := c.Watch( + source.Kind(mgr.GetCache(), &egv1a1.HTTPRouteFilter{}, + handler.TypedEnqueueRequestsFromMapFunc(func(ctx context.Context, be *egv1a1.HTTPRouteFilter) []reconcile.Request { + return r.enqueueClass(ctx, be) + }), + httpRouteFilter...)); err != nil { + return err + } - if err := addRouteFilterIndexers(ctx, mgr); err != nil { - return err + if err := addRouteFilterIndexers(ctx, mgr); err != nil { + return err + } } - return nil } @@ -1820,8 +1917,8 @@ func (r *gatewayAPIReconciler) processEnvoyProxy(ep *egv1a1.EnvoyProxy, resource return nil } -// serviceImportCRDExists checks for the existence of the ServiceImport CRD in k8s APIServer before watching it -func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool { +// crdExists checks for the existence of the CRD in k8s APIServer before watching it +func (r *gatewayAPIReconciler) crdExists(mgr manager.Manager, kind string, groupVersion string) bool { discoveryClient, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig()) if err != nil { r.log.Error(err, "failed to create discovery client") 
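Review bot: Both failure paths in crdExists only log: after `failed to create discovery client` no return is visible, and the next hunk shows the same for `failed to get API resource list`, so a discovery error ends in `return false` exactly like a CRD that is genuinely absent. With this patch that result decides whether SecurityPolicy, BackendTLSPolicy and the other kinds are watched at all, so a transient API-server error at startup would switch them off until restart. Returning `(bool, error)` and letting watchResources fail on the error keeps "absent" and "unknown" apart; the first branch probably also needs an early return so the client is not used after a failed construction (the lines between the two hunks are not visible). The doc comment should state what the parameters are matched against, e.g. `// groupVersion is compared with APIResourceList.GroupVersion and kind with APIResource.Kind`.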
@@ -1830,17 +1927,17 @@ func (r *gatewayAPIReconciler) serviceImportCRDExists(mgr manager.Manager) bool if err != nil { r.log.Error(err, "failed to get API resource list") } - serviceImportFound := false + found := false for _, list := range apiResourceList { for _, res := range list.APIResources { - if list.GroupVersion == mcsapiv1a1.GroupVersion.String() && res.Kind == resource.KindServiceImport { - serviceImportFound = true + if list.GroupVersion == groupVersion && res.Kind == kind { + found = true break } } } - return serviceImportFound + return found } func (r *gatewayAPIReconciler) processBackendTLSPolicyRefs( diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index ae4f63ef3e9..916a58b2f77 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -144,24 +144,32 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo return true } - if r.isSecurityPolicyReferencingSecret(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingSecret(&nsName) { + return true + } } - if r.isCtpReferencingSecret(&nsName) { - return true + if r.ctpCRDExists { + if r.isCtpReferencingSecret(&nsName) { + return true + } } if r.isOIDCHMACSecret(&nsName) { return true } - if r.isEnvoyProxyReferencingSecret(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingSecret(&nsName) { + return true + } } - if r.isExtensionPolicyReferencingSecret(&nsName) { - return true + if r.eepCRDExists { + if r.isExtensionPolicyReferencingSecret(&nsName) { + return true + } } return false 
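Review bot: The `break` after `found = true` leaves only the inner loop, so the outer loop keeps scanning every remaining group after a match. Returning directly is shorter and removes the flag: `if list.GroupVersion == groupVersion && res.Kind == kind { return true }` with `return false` after the loops. The group-version comparison does not depend on `res` and can be hoisted as `if list.GroupVersion != groupVersion { continue }`. crdExists begins outside this hunk.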
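Review bot: Each guard in validateSecretForReconcile is an `if` nested in an `if`, which doubles the indentation without adding a branch; `if r.spCRDExists && r.isSecurityPolicyReferencingSecret(&nsName) { return true }` says the same in one condition. The same shape is repeated in the validateServiceForReconcile, validateBackendForReconcile and validateEndpointSliceForReconcile hunks below, where the last check could stay a single expression: `return r.eepCRDExists && r.isEnvoyExtensionPolicyReferencingBackend(&nsName)`. validateSecretForReconcile begins outside this hunk.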
@@ -283,15 +291,25 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateBackendForReconcile tries finding the owning Gateway of the Backend @@ -309,15 +327,25 @@ func (r *gatewayAPIReconciler) validateBackendForReconcile(obj client.Object) bo return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } + } + + return false } func (r *gatewayAPIReconciler) isSecurityPolicyReferencingBackend(nsName *types.NamespacedName) bool { 
@@ -357,47 +385,63 @@ func (r *gatewayAPIReconciler) isRouteReferencingBackend(nsName *types.Namespace r.log.Error(err, "failed to find associated HTTPRoutes") return false } - - grpcRouteList := &gwapiv1.GRPCRouteList{} - if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated GRPCRoutes") - return false + if len(httpRouteList.Items) > 0 { + return true } - tlsRouteList := &gwapiv1a2.TLSRouteList{} - if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TLSRoutes") - return false + if r.grpcRouteCRDExists { + grpcRouteList := &gwapiv1.GRPCRouteList{} + if err := r.client.List(ctx, grpcRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendGRPCRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated GRPCRoutes") + return false + } + if len(grpcRouteList.Items) > 0 { + return true + } } - tcpRouteList := &gwapiv1a2.TCPRouteList{} - if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated TCPRoutes") - return false + if r.tlsRouteCRDExists { + tlsRouteList := &gwapiv1a2.TLSRouteList{} + if err := r.client.List(ctx, tlsRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTLSRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TLSRoutes") + return false + } + if len(tlsRouteList.Items) > 0 { + return true + } } - udpRouteList 
:= &gwapiv1a2.UDPRouteList{} - if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), - }); err != nil && !kerrors.IsNotFound(err) { - r.log.Error(err, "failed to find associated UDPRoutes") - return false + if r.tcpRouteCRDExists { + tcpRouteList := &gwapiv1a2.TCPRouteList{} + if err := r.client.List(ctx, tcpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendTCPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated TCPRoutes") + return false + } + if len(tcpRouteList.Items) > 0 { + return true + } } - // Check how many Route objects refer this Backend - allAssociatedRoutes := len(httpRouteList.Items) + - len(grpcRouteList.Items) + - len(tlsRouteList.Items) + - len(tcpRouteList.Items) + - len(udpRouteList.Items) + if r.udpRouteCRDExists { + udpRouteList := &gwapiv1a2.UDPRouteList{} + if err := r.client.List(ctx, udpRouteList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(backendUDPRouteIndex, nsName.String()), + }); err != nil && !kerrors.IsNotFound(err) { + r.log.Error(err, "failed to find associated UDPRoutes") + return false + } + if len(udpRouteList.Items) > 0 { + return true + } + } - return allAssociatedRoutes != 0 + return false } // validateEndpointSliceForReconcile returns true if the endpointSlice references 
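Review bot: A List failure for one route kind still ends the whole check with `return false`, so an error while listing GRPCRoutes means TLSRoute, TCPRoute and UDPRoute references are never examined and the backend is reported as unreferenced. Now that each kind returns true as soon as it has a match, the error branches could log and fall through to the next kind instead of returning. The five blocks differ only in list type, index name and message, which makes them a candidate for one helper. isRouteReferencingBackend begins outside this hunk.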
@@ -429,15 +473,25 @@ func (r *gatewayAPIReconciler) validateEndpointSliceForReconcile(obj client.Obje return true } - if r.isSecurityPolicyReferencingBackend(&nsName) { - return true + if r.spCRDExists { + if r.isSecurityPolicyReferencingBackend(&nsName) { + return true + } } - if r.isEnvoyProxyReferencingBackend(&nsName) { - return true + if r.epCRDExists { + if r.isEnvoyProxyReferencingBackend(&nsName) { + return true + } + } + + if r.eepCRDExists { + if r.isEnvoyExtensionPolicyReferencingBackend(&nsName) { + return true + } } - return r.isEnvoyExtensionPolicyReferencingBackend(&nsName) + return false } // validateObjectForReconcile tries finding the owning Gateway of the Deployment or DaemonSet 
@@ -596,52 +650,60 @@ func (r *gatewayAPIReconciler) validateConfigMapForReconcile(obj client.Object) return false } - ctpList := &egv1a1.ClientTrafficPolicyList{} - if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated ClientTrafficPolicy") - return false - } + if r.ctpCRDExists { + ctpList := &egv1a1.ClientTrafficPolicyList{} + if err := r.client.List(context.Background(), ctpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapCtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated ClientTrafficPolicy") + return false + } - if len(ctpList.Items) > 0 { - return true + if len(ctpList.Items) > 0 { + return true + } } - btlsList := &gwapiv1a3.BackendTLSPolicyList{} - if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated BackendTLSPolicy") - return false - } + if r.bTLSPolicyCRDExists { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtlsIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } - if len(btlsList.Items) > 0 { - return true + if len(btlsList.Items) > 0 { + return true + } } - btpList := &egv1a1.BackendTrafficPolicyList{} - if err := r.client.List(context.Background(), btpList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find 
associated BackendTrafficPolicy") - return false - } + if r.btpCRDExists { + btpList := &egv1a1.BackendTrafficPolicyList{} + if err := r.client.List(context.Background(), btpList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapBtpIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTrafficPolicy") + return false + } - if len(btpList.Items) > 0 { - return true + if len(btpList.Items) > 0 { + return true + } } - routeFilterList := &egv1a1.HTTPRouteFilterList{} - if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ - FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), - }); err != nil { - r.log.Error(err, "unable to find associated HTTPRouteFilter") - return false - } + if r.hrfCRDExists { + routeFilterList := &egv1a1.HTTPRouteFilterList{} + if err := r.client.List(context.Background(), routeFilterList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(configMapHTTPRouteFilterIndex, utils.NamespacedName(configMap).String()), + }); err != nil { + r.log.Error(err, "unable to find associated HTTPRouteFilter") + return false + } - if len(routeFilterList.Items) > 0 { - return true + if len(routeFilterList.Items) > 0 { + return true + } } return false diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index 5954e94675e..d8abf845f4d 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go @@ -356,6 +356,9 @@ func TestValidateSecretForReconcile(t *testing.T) { r := gatewayAPIReconciler{ classController: egv1a1.GatewayControllerName, log: logger, + spCRDExists: true, + epCRDExists: true, + eepCRDExists: true, } for _, tc := range testCases { 
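Review bot: The reconciler literal in TestValidateSecretForReconcile sets `spCRDExists`, `epCRDExists` and `eepCRDExists` but not `ctpCRDExists`, while validateSecretForReconcile now calls `isCtpReferencingSecret` only when `r.ctpCRDExists` is true, so the ClientTrafficPolicy branch cannot be reached from this test. Adding `ctpCRDExists: true` to the literal covers it. None of the test hunks in this patch sets a flag to false, so the new "CRD absent" path has no coverage; one case with a flag off and a referencing policy present would pin the skip behaviour.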
@@ -848,9 +851,16 @@ func TestValidateServiceForReconcile(t *testing.T) { logger := logging.DefaultLogger(egv1a1.LogLevelInfo) r := gatewayAPIReconciler{ - classController: egv1a1.GatewayControllerName, - log: logger, - mergeGateways: sets.New[string]("test-mg"), + classController: egv1a1.GatewayControllerName, + log: logger, + mergeGateways: sets.New[string]("test-mg"), + grpcRouteCRDExists: true, + tcpRouteCRDExists: true, + udpRouteCRDExists: true, + tlsRouteCRDExists: true, + spCRDExists: true, + eepCRDExists: true, + epCRDExists: true, } for _, tc := range testCases { diff --git a/internal/provider/kubernetes/routes.go b/internal/provider/kubernetes/routes.go index dcc01631f3b..fa148ffd441 100644 --- a/internal/provider/kubernetes/routes.go +++ b/internal/provider/kubernetes/routes.go @@ -238,16 +238,17 @@ func (r *gatewayAPIReconciler) processHTTPRoutes(ctx context.Context, gatewayNam resourceMap *resourceMappings, resourceTree *resource.Resources, ) error { httpRouteList := &gwapiv1.HTTPRouteList{} + if r.hrfCRDExists { + httpFilters, err := r.getHTTPRouteFilters(ctx) + if err != nil { + return err + } - httpFilters, err := r.getHTTPRouteFilters(ctx) - if err != nil { - return err - } - - for i := range httpFilters { - filter := httpFilters[i] - resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter - r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + for i := range httpFilters { + filter := httpFilters[i] + resourceMap.httpRouteFilters[utils.GetNamespacedNameWithGroupKind(&filter)] = &filter + r.processRouteFilterConfigMapRef(ctx, &filter, resourceMap, resourceTree) + } } extensionRefFilters, err := r.getExtensionRefFilters(ctx) From 05817fcc42d803caba384d54eee6d9f0c562c1ef Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 29 Oct 2024 09:10:12 +0800 Subject: [PATCH 320/523] fix: validate proto messages before converting them to anypb.Any (#4499) * validate proto message before converting to any 
Signed-off-by: Huabing Zhao --- internal/utils/protocov/protocov.go | 36 +++++----- internal/xds/translator/accesslog.go | 33 ++++++--- internal/xds/translator/authorization.go | 26 +++---- internal/xds/translator/basicauth.go | 5 +- internal/xds/translator/cluster.go | 9 +-- internal/xds/translator/custom_response.go | 11 +-- internal/xds/translator/fault.go | 5 +- internal/xds/translator/jwt.go | 11 ++- internal/xds/translator/listener.go | 68 +++++++++++++------ internal/xds/translator/listener_test.go | 19 +++++- internal/xds/translator/oidc.go | 4 +- .../in/xds-ir/accesslog-without-format.yaml | 3 +- .../testdata/in/xds-ir/accesslog.yaml | 3 +- .../authorization-multiple-principals.yaml | 4 +- .../accesslog-without-format.listeners.yaml | 2 + .../out/xds-ir/accesslog.listeners.yaml | 2 + ...horization-multiple-principals.routes.yaml | 20 +++--- internal/xds/translator/tracing.go | 6 +- internal/xds/translator/translator.go | 29 ++++++-- 19 files changed, 184 insertions(+), 112 deletions(-) diff --git a/internal/utils/protocov/protocov.go b/internal/utils/protocov/protocov.go index 6533f84c543..2c5693ee9a3 100644 --- a/internal/utils/protocov/protocov.go +++ b/internal/utils/protocov/protocov.go 
@@ -12,30 +12,30 @@ import ( "google.golang.org/protobuf/types/known/anypb" ) -const ( - APIPrefix = "type.googleapis.com/" -) - -var marshalOpts = proto.MarshalOptions{} +// Deprecated: error should not be ignored, use ToAnyWithValidation instead. +func ToAny(msg proto.Message) *anypb.Any { + res, err := ToAnyWithValidation(msg) + if err != nil { + return nil + } + return res +} -func ToAnyWithError(msg proto.Message) (*anypb.Any, error) { +func ToAnyWithValidation(msg proto.Message) (*anypb.Any, error) { if msg == nil { return nil, errors.New("empty message received") } - b, err := marshalOpts.Marshal(msg) - if err != nil { - return nil, err + + // If the message has a ValidateAll method, call it before marshaling. + if validator, ok := msg.(interface{ ValidateAll() error }); ok { + if err := validator.ValidateAll(); err != nil { + return nil, err + } } - return &anypb.Any{ - TypeUrl: APIPrefix + string(msg.ProtoReflect().Descriptor().FullName()), - Value: b, - }, nil -} -func ToAny(msg proto.Message) *anypb.Any { - res, err := ToAnyWithError(msg) + any, err := anypb.New(msg) if err != nil { - return nil + return nil, err } - return res + return any, nil } diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 6660ba8fab6..076eb659d83 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go @@ -22,7 +22,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/wellknown" otlpcommonv1 "go.opentelemetry.io/proto/otlp/common/v1" "golang.org/x/exp/maps" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/structpb" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" 
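Review bot: `ToAny` now returns nil whenever `ValidateAll` rejects the message, not only when marshalling fails, so any remaining caller silently receives a nil `*anypb.Any` for input that used to convert. The deprecation comment should say so, for example `// Deprecated: ToAny returns nil on marshal or validation failure; use ToAnyWithValidation and handle the error.` `ToAnyWithValidation` is exported without a doc comment; it should state that validation runs only for messages implementing `ValidateAll() error` and that other messages are converted unchecked. In the same function `any, err := anypb.New(msg)` shadows the predeclared identifier `any`; `return anypb.New(msg)` removes the extra variable.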
@@ -90,9 +89,9 @@ var ( } ) -func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) []*accesslog.AccessLog { +func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) ([]*accesslog.AccessLog, error) { if al == nil { - return nil + return nil, nil } totalLen := len(al.Text) + len(al.JSON) + len(al.OpenTelemetry) @@ -133,8 +132,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - // TODO: find a better way to handle this - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -185,7 +186,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] filelog.GetLogFormat().Formatters = formatters } - accesslogAny, _ := anypb.New(filelog) + accesslogAny, err := protocov.ToAnyWithValidation(filelog) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.FileAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -228,7 +232,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] alCfg.AdditionalResponseTrailersToLog = als.HTTP.ResponseTrailers } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: wellknown.HTTPGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ 
@@ -241,7 +248,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] CommonConfig: cc, } - accesslogAny, _ := anypb.New(alCfg) + accesslogAny, err := protocov.ToAnyWithValidation(alCfg) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: tcpGRPCAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -297,7 +307,10 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] al.Formatters = formatters } - accesslogAny, _ := anypb.New(al) + accesslogAny, err := protocov.ToAnyWithValidation(al) + if err != nil { + return nil, err + } accessLogs = append(accessLogs, &accesslog.AccessLog{ Name: otelAccessLog, ConfigType: &accesslog.AccessLog_TypedConfig{ @@ -307,7 +320,7 @@ func buildXdsAccessLog(al *ir.AccessLog, accessLogType ir.ProxyAccessLogType) [] }) } - return accessLogs + return accessLogs, nil } func celAccessLogFilter(expr string) *accesslog.AccessLogFilter { diff --git a/internal/xds/translator/authorization.go b/internal/xds/translator/authorization.go index 0d2d19dc571..e19d1dbaf53 100644 --- a/internal/xds/translator/authorization.go +++ b/internal/xds/translator/authorization.go @@ -26,6 +26,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -75,7 +76,7 @@ func (*rbac) patchHCM( // buildHCMRBACFilter returns a RBAC filter from the provided IR listener. func buildHCMRBACFilter() (*hcmv3.HttpFilter, error) { rbacProto := &rbacv3.RBAC{} - rbacAny, err := anypb.New(rbacProto) + rbacAny, err := protocov.ToAnyWithValidation(rbacProto) if err != nil { return nil, err } 
@@ -133,7 +134,7 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return err } - if cfgAny, err = anypb.New(rbacPerRoute); err != nil { + if cfgAny, err = protocov.ToAnyWithValidation(rbacPerRoute); err != nil { return err } @@ -159,7 +160,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "ALLOW", Action: rbacconfigv3.RBAC_ALLOW, } - if allowAction, err = anypb.New(allow); err != nil { + if allowAction, err = protocov.ToAnyWithValidation(allow); err != nil { return nil, err } @@ -167,7 +168,7 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e Name: "DENY", Action: rbacconfigv3.RBAC_DENY, } - if denyAction, err = anypb.New(deny); err != nil { + if denyAction, err = protocov.ToAnyWithValidation(deny); err != nil { return nil, err } @@ -287,11 +288,6 @@ func buildRBACPerRoute(authorization *ir.Authorization) (*rbacv3.RBACPerRoute, e rbac.Rbac.Matcher.MatcherType = nil } - // We need to validate the RBACPerRoute message before converting it to an Any. - if err = rbac.ValidateAll(); err != nil { - return nil, err - } - return rbac, nil } @@ -316,11 +312,11 @@ func buildIPPredicate(clientCIDRs []*ir.CIDRMatch) (*matcherv3.Matcher_MatcherLi }) } - if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil { + if ipMatcher, err = protocov.ToAnyWithValidation(ipRangeMatcher); err != nil { return nil, err } - if sourceIPInput, err = anypb.New(&networkinput.SourceIPInput{}); err != nil { + if sourceIPInput, err = protocov.ToAnyWithValidation(&networkinput.SourceIPInput{}); err != nil { return nil, err } 
@@ -389,11 +385,11 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis }, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } - if matcherPb, err = anypb.New(scopeMatcher); err != nil { + if matcherPb, err = protocov.ToAnyWithValidation(scopeMatcher); err != nil { return nil, err } @@ -454,7 +450,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis Path: path, } - if inputPb, err = anypb.New(input); err != nil { + if inputPb, err = protocov.ToAnyWithValidation(input); err != nil { return nil, err } @@ -492,7 +488,7 @@ func buildJWTPredicate(jwt egv1a1.JWTPrincipal) ([]*matcherv3.Matcher_MatcherLis } } - if matcherPb, err = anypb.New(&metadatav3.Metadata{ + if matcherPb, err = protocov.ToAnyWithValidation(&metadatav3.Metadata{ Value: valueMatcher, }); err != nil { return nil, err diff --git a/internal/xds/translator/basicauth.go b/internal/xds/translator/basicauth.go index 50c4935140b..31a421ae8a9 100644 --- a/internal/xds/translator/basicauth.go +++ b/internal/xds/translator/basicauth.go @@ -17,6 +17,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -84,7 +85,7 @@ func buildHCMBasicAuthFilter(basicAuth *ir.BasicAuth) (*hcmv3.HttpFilter, error) if err = basicAuthProto.ValidateAll(); err != nil { return nil, err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return nil, err } 
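Review bot: In buildHCMBasicAuthFilter the explicit `basicAuthProto.ValidateAll()` check stays directly above the new `protocov.ToAnyWithValidation(basicAuthProto)` call, so the message is validated twice. The same commit removes the equivalent checks in jwt.go and authorization.go; dropping the `if err = basicAuthProto.ValidateAll(); err != nil { return nil, err }` block here would keep the files consistent. The function body starts outside the hunk.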
@@ -134,7 +135,7 @@ func (*basicAuth) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error return err } - if basicAuthAny, err = anypb.New(basicAuthProto); err != nil { + if basicAuthAny, err = protocov.ToAnyWithValidation(basicAuthProto); err != nil { return err } diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 145d616bde7..2a182ce5b75 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -30,6 +30,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" ) const ( @@ -509,7 +510,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. if args.http1Settings != nil { http1opts.EnableTrailers = args.http1Settings.EnableTrailers if args.http1Settings.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) http1opts.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ @@ -562,7 +563,7 @@ func buildTypedExtensionProtocolOptions(args *xdsClusterArgs) map[string]*anypb. } } - anyProtocolOptions, _ := anypb.New(&protocolOptions) + anyProtocolOptions, _ := protocov.ToAnyWithValidation(&protocolOptions) extensionOptions := map[string]*anypb.Any{ extensionOptionsKey: anyProtocolOptions, @@ -593,7 +594,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T // If existing transport socket does not exist wrap around raw buffer if tSocket == nil { rawCtx := &rawbufferv3.RawBuffer{} - rawCtxAny, err := anypb.New(rawCtx) + rawCtxAny, err := protocov.ToAnyWithValidation(rawCtx) if err != nil { return nil } 
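Review bot: In buildTypedExtensionProtocolOptions both `preservecaseAny, _ := protocov.ToAnyWithValidation(...)` and `anyProtocolOptions, _ := protocov.ToAnyWithValidation(&protocolOptions)` discard the error, so a message that fails the newly added validation ends up in the cluster config as a nil `*anypb.Any` instead of being reported. The same pattern appears in listener.go in http1ProtocolOptions, originalIPDetectionExtensions (whose header name is taken from the IR) and buildEarlyHeaderMutation, and buildProxyProtocolSocket turns the error into a bare `return nil`. These helpers would need an `error` result, as buildXdsAccessLog gets in this commit, so the translator can reject the resource. Where the message is an empty config that cannot fail validation, a comment such as `// error ignored: empty message always validates` on the call would document why the blank identifier is safe. All of these functions start outside their hunks.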
@@ -608,7 +609,7 @@ func buildProxyProtocolSocket(proxyProtocol *ir.ProxyProtocol, tSocket *corev3.T ppCtx.TransportSocket = tSocket } - ppCtxAny, err := anypb.New(ppCtx) + ppCtxAny, err := protocov.ToAnyWithValidation(ppCtx) if err != nil { return nil } diff --git a/internal/xds/translator/custom_response.go b/internal/xds/translator/custom_response.go index e5d48d21bfd..6cca67982e9 100644 --- a/internal/xds/translator/custom_response.go +++ b/internal/xds/translator/custom_response.go @@ -24,6 +24,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -85,7 +86,7 @@ func (c *customResponse) buildHCMCustomResponseFilter(ro *ir.ResponseOverride) ( return nil, err } - any, err := anypb.New(proto) + any, err := protocov.ToAnyWithValidation(proto) if err != nil { return nil, err } @@ -237,7 +238,7 @@ func (c *customResponse) buildHTTPAttributeCELInput() (*cncfv3.TypedExtensionCon err error ) - if pb, err = anypb.New(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&matcherv3.HttpAttributesCelMatchInput{}); err != nil { return nil, err } @@ -253,7 +254,7 @@ func (c *customResponse) buildStatusCodeInput() (*cncfv3.TypedExtensionConfig, e err error ) - if pb, err = anypb.New(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { + if pb, err = protocov.ToAnyWithValidation(&envoymatcherv3.HttpResponseStatusCodeMatchInput{}); err != nil { return nil, err } @@ -364,7 +365,7 @@ func (c *customResponse) buildStatusCodeCELMatcher(codeRange ir.StatusCodeRange) return nil, err } - if pb, err = anypb.New(matcher); err != nil { + if pb, err = protocov.ToAnyWithValidation(matcher); err != nil { return nil, err } 
@@ -403,7 +404,7 @@ func (c *customResponse) buildAction(r ir.ResponseOverrideRule) (*matcherv3.Matc return nil, err } - if pb, err = anypb.New(response); err != nil { + if pb, err = protocov.ToAnyWithValidation(response); err != nil { return nil, err } diff --git a/internal/xds/translator/fault.go b/internal/xds/translator/fault.go index e0acbd6c840..192ce5bf8e9 100644 --- a/internal/xds/translator/fault.go +++ b/internal/xds/translator/fault.go @@ -20,6 +20,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -71,7 +72,7 @@ func buildHCMFaultFilter() (*hcmv3.HttpFilter, error) { return nil, err } - faultAny, err := anypb.New(faultProto) + faultAny, err := protocov.ToAnyWithValidation(faultProto) if err != nil { return nil, err } @@ -165,7 +166,7 @@ func (*fault) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { return nil } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index 53a20808ff6..f3f16b20c6f 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -22,6 +22,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -76,11 +77,7 @@ func buildHCMJWTFilter(irListener *ir.HTTPListener) (*hcmv3.HttpFilter, error) { return nil, err } - if err := jwtAuthnProto.ValidateAll(); err != nil { - return nil, err - } - - jwtAuthnAny, err := anypb.New(jwtAuthnProto) + jwtAuthnAny, err := protocov.ToAnyWithValidation(jwtAuthnProto) if err != nil { return nil, err } 
@@ -214,7 +211,7 @@ func buildXdsUpstreamTLSSocket(sni string) (*corev3.TransportSocket, error) { }, } - tlsCtxAny, err := anypb.New(tlsCtxProto) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtxProto) if err != nil { return nil, err } @@ -247,7 +244,7 @@ func (*jwt) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error { RequirementSpecifier: &jwtauthnv3.PerRouteConfig_RequirementName{RequirementName: irRoute.Name}, } - routeCfgAny, err := anypb.New(routeCfgProto) + routeCfgAny, err := protocov.ToAnyWithValidation(routeCfgProto) if err != nil { return err } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index c855d3ddf92..9a68c5f3c1f 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -29,7 +29,6 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/resource/v3" "github.com/envoyproxy/go-control-plane/pkg/wellknown" "google.golang.org/protobuf/proto" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" "k8s.io/utils/ptr" @@ -66,7 +65,7 @@ func http1ProtocolOptions(opts *ir.HTTP1Settings) *corev3.Http1ProtocolOptions { EnableTrailers: opts.EnableTrailers, } if opts.PreserveHeaderCase { - preservecaseAny, _ := anypb.New(&preservecasev3.PreserveCaseFormatterConfig{}) + preservecaseAny, _ := protocov.ToAnyWithValidation(&preservecasev3.PreserveCaseFormatterConfig{}) r.HeaderKeyFormat = &corev3.Http1ProtocolOptions_HeaderKeyFormat{ HeaderFormat: &corev3.Http1ProtocolOptions_HeaderKeyFormat_StatefulFormatter{ StatefulFormatter: &corev3.TypedExtensionConfig{ 
@@ -131,7 +130,7 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin rejectWithStatus = &typev3.HttpStatus{Code: typev3.StatusCode_Forbidden} } - customHeaderConfigAny, _ := anypb.New(&customheaderv3.CustomHeaderConfig{ + customHeaderConfigAny, _ := protocov.ToAnyWithValidation(&customheaderv3.CustomHeaderConfig{ HeaderName: clientIPDetection.CustomHeader.Name, RejectWithStatus: rejectWithStatus, @@ -179,9 +178,19 @@ func setAddressByIPFamily(socketAddress *corev3.SocketAddress, ipFamily *ir.IPFa // buildXdsTCPListener creates a xds Listener resource // TODO: Improve function parameters -func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsTCPListener( + name, address string, + port uint32, + ipFamily *ir.IPFamily, + keepalive *ir.TCPKeepalive, + connection *ir.ClientConnection, + accesslog *ir.AccessLog, +) (*listenerv3.Listener, error) { socketOptions := buildTCPSocketOptions(keepalive) - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } bufferLimitBytes := buildPerConnectionBufferLimitBytes(connection) listener := &listenerv3.Listener{ Name: name, @@ -203,7 +212,7 @@ func buildXdsTCPListener(name, address string, port uint32, ipFamily *ir.IPFamil socketAddress := listener.Address.GetSocketAddress() listener.AdditionalAddresses = setAddressByIPFamily(socketAddress, ipFamily, port) - return listener + return listener, nil } func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrapperspb.UInt32Value { 
@@ -214,10 +223,14 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe } // buildXdsQuicListener creates a xds Listener resource for quic -func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) *listenerv3.Listener { +func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) (*listenerv3.Listener, error) { + log, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) + if err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: name + "-quic", - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: log, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -238,7 +251,7 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces DrainType: listenerv3.Listener_MODIFY_ONLY, } - return xdsListener + return xdsListener, nil } // addHCMToXDSListener adds a HCM filter to the listener's filter chain, and adds @@ -254,7 +267,10 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irListener *ir.HTTPListener, accesslog *ir.AccessLog, tracing *ir.Tracing, http3Listener bool, connection *ir.ClientConnection, ) error { - al := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if err != nil { + return err + } hcmTracing, err := buildHCMTracing(tracing) if err != nil { @@ -454,7 +470,7 @@ func buildEarlyHeaderMutation(headers *ir.HeaderSettings) []*corev3.TypedExtensi mutationRules = append(mutationRules, mr) } - earlyHeaderMutationAny, _ := anypb.New(&early_header_mutationv3.HeaderMutation{ + earlyHeaderMutationAny, _ := protocov.ToAnyWithValidation(&early_header_mutationv3.HeaderMutation{ Mutations: mutationRules, }) 
@@ -526,9 +542,12 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irRoute *ir.TCPRoute // Append port to the statPrefix. statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-") - + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return error + } mgr := &tcpv3.TcpProxy{ - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, StatPrefix: statPrefix, ClusterSpecifier: &tcpv3.TcpProxy_Cluster{ Cluster: clusterName, @@ -612,7 +631,7 @@ func addXdsTLSInspectorFilter(xdsListener *listenerv3.Listener) error { } tlsInspector := &tls_inspectorv3.TlsInspector{} - tlsInspectorAny, err := anypb.New(tlsInspector) + tlsInspectorAny, err := protocov.ToAnyWithValidation(tlsInspector) if err != nil { return err } @@ -660,7 +679,7 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.Transp setDownstreamTLSSessionSettings(tlsConfig, tlsCtx.DownstreamTlsContext) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } @@ -702,7 +721,7 @@ func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSock setDownstreamTLSSessionSettings(tlsConfig, tlsCtx) - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } 
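Review bot: In addXdsTCPFilterChain `al, error := buildXdsAccessLog(...)` declares a local variable named `error`, which shadows the predeclared error type for the rest of the scope; buildXdsUDPListener does the same. Use `al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute)` followed by `if err != nil { return err }`. In buildXdsUDPListener `err` is already declared by the `routeAny` line and `:=` remains valid there because `al` is new; whether `err` already exists in addXdsTCPFilterChain is not visible in the hunk.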
@@ -817,14 +836,18 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access route := &udpv3.Route{ Cluster: clusterName, } - routeAny, err := anypb.New(route) + routeAny, err := protocov.ToAnyWithValidation(route) if err != nil { return nil, err } + al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute) + if error != nil { + return nil, error + } udpProxy := &udpv3.UdpProxyConfig{ StatPrefix: statPrefix, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute), + AccessLog: al, RouteSpecifier: &udpv3.UdpProxyConfig_Matcher{ Matcher: &matcher.Matcher{ OnNoMatch: &matcher.Matcher_OnMatch{ @@ -838,14 +861,17 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access }, }, } - udpProxyAny, err := anypb.New(udpProxy) + udpProxyAny, err := protocov.ToAnyWithValidation(udpProxy) if err != nil { return nil, err } + if al, err = buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener); err != nil { + return nil, err + } xdsListener := &listenerv3.Listener{ Name: udpListener.Name, - AccessLog: buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener), + AccessLog: al, Address: &corev3.Address{ Address: &corev3.Address_SocketAddress{ SocketAddress: &corev3.SocketAddress{ @@ -892,7 +918,7 @@ func translateEscapePath(in ir.PathEscapedSlashAction) hcmv3.HttpConnectionManag } func toNetworkFilter(filterName string, filterProto proto.Message) (*listenerv3.Filter, error) { - filterAny, err := protocov.ToAnyWithError(filterProto) + filterAny, err := protocov.ToAnyWithValidation(filterProto) if err != nil { return nil, err } diff --git a/internal/xds/translator/listener_test.go b/internal/xds/translator/listener_test.go index 28572bb06be..fbb716c1ac4 100644 --- a/internal/xds/translator/listener_test.go +++ b/internal/xds/translator/listener_test.go 
@@ -10,6 +10,7 @@ import ( "reflect" "testing" + routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3" typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" "github.com/stretchr/testify/assert" @@ -25,12 +26,24 @@ func Test_toNetworkFilter(t *testing.T) { wantErr error }{ { - name: "valid filter", - proto: &hcmv3.HttpConnectionManager{}, + name: "valid filter", + proto: &hcmv3.HttpConnectionManager{ + StatPrefix: "stats", + RouteSpecifier: &hcmv3.HttpConnectionManager_RouteConfig{ + RouteConfig: &routev3.RouteConfiguration{ + Name: "route", + }, + }, + }, wantErr: nil, }, { name: "invalid proto msg", + proto: &hcmv3.HttpConnectionManager{}, + wantErr: errors.New("invalid HttpConnectionManager.StatPrefix: value length must be at least 1 runes; invalid HttpConnectionManager.RouteSpecifier: value is required"), + }, + { + name: "nil proto msg", proto: nil, wantErr: errors.New("empty message received"), }, @@ -39,7 +52,7 @@ func Test_toNetworkFilter(t *testing.T) { t.Run(tt.name, func(t *testing.T) { _, err := toNetworkFilter("name", tt.proto) if tt.wantErr != nil { - assert.Equalf(t, tt.wantErr, err, "toNetworkFilter(%v)", tt.proto) + assert.Containsf(t, err.Error(), tt.wantErr.Error(), "toNetworkFilter(%v)", tt.proto) } else { assert.NoErrorf(t, err, "toNetworkFilter(%v)", tt.proto) } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index e4e7b4a0216..a706cae662f 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go 
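Review bot: In Test_toNetworkFilter the new `assert.Containsf(t, err.Error(), tt.wantErr.Error(), ...)` calls `err.Error()` without checking `err`, so a case that expects an error but gets nil panics instead of failing with a readable message. `assert.ErrorContains(t, err, tt.wantErr.Error())` handles a nil `err` and states the intent directly.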
@@ -16,12 +16,12 @@ import ( tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/durationpb" "k8s.io/utils/ptr" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/ir" + "github.com/envoyproxy/gateway/internal/utils/protocov" "github.com/envoyproxy/gateway/internal/xds/types" ) @@ -83,7 +83,7 @@ func buildHCMOAuth2Filter(oidc *ir.OIDC) (*hcmv3.HttpFilter, error) { return nil, err } - OAuth2Any, err := anypb.New(oauth2Proto) + OAuth2Any, err := protocov.ToAnyWithValidation(oauth2Proto) if err != nil { return nil, err } diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml index 90e9f0e0c9b..434f2fb524c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml @@ -11,7 +11,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml index 5169bae040e..3f84816fdcf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml @@ -13,7 +13,8 @@ accesslog: protocol: "%PROTOCOL%" response_code: "%RESPONSE_CODE%" als: - - destination: + - name: als + destination: name: accesslog/monitoring/envoy-als/port/9000 settings: - addressType: IP 
diff --git a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml index c93708b4c8a..8b83e16d556 100644 --- a/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/authorization-multiple-principals.yaml @@ -44,7 +44,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://one.example.com + provider: https://one.example.com scopes: - foo claims: @@ -68,7 +68,7 @@ http: isIPv6: false maskLen: 24 jwt: - issuer: https://two.example.com + provider: https://two.example.com scopes: - for - bar diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index fecb2076871..9df135e671c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: @@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index 3b52d45e8e8..0ef9cdc5fab 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml @@ -43,6 +43,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - filter: responseFlagFilter: 
@@ -119,6 +120,7 @@ grpcService: envoyGrpc: clusterName: accesslog/monitoring/envoy-als/port/9000 + logName: als transportApiVersion: V3 - name: envoy.access_loggers.open_telemetry typedConfig: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml index c6510f63778..2b9a4906343 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.routes.yaml @@ -59,7 +59,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: scope - orMatcher: predicate: @@ -79,7 +79,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -97,7 +97,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: roles - singlePredicate: customMatch: @@ -113,7 +113,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://one.example.com - key: department - onMatch: action: @@ -155,7 +155,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - singlePredicate: customMatch: 
@@ -173,7 +173,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: scope - orMatcher: predicate: @@ -193,7 +193,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - singlePredicate: customMatch: @@ -211,7 +211,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: roles - orMatcher: predicate: @@ -229,7 +229,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name - singlePredicate: customMatch: @@ -245,7 +245,7 @@ '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput filter: envoy.filters.http.jwt_authn path: - - key: "" + - key: https://two.example.com - key: name onNoMatch: action: diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index c7777f94ba2..3e817bad1bf 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -50,7 +50,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, CollectorCluster: tracing.Destination.Name, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeOpenTelemetry: providerName = envoyOpenTelemetry 
@@ -68,7 +68,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e ServiceName: tracing.ServiceName, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } case egv1a1.TracingProviderTypeZipkin: providerName = envoyZipkin @@ -82,7 +82,7 @@ func buildHCMTracing(tracing *ir.Tracing) (*hcm.HttpConnectionManager_Tracing, e CollectorEndpointVersion: tracecfg.ZipkinConfig_HTTP_JSON, } - return protocov.ToAnyWithError(config) + return protocov.ToAnyWithValidation(config) } default: return nil, fmt.Errorf("unknown tracing provider type: %s", tracing.Provider.Type) diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 30a54fe6990..27c0d3c5a04 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -217,7 +217,11 @@ func (t *Translator) processHTTPListenerXdsTranslation( case !xdsListenerOnSameAddressPortExists: // Create a new UDP(QUIC) listener for HTTP3 traffic if HTTP3 is enabled if http3Enabled { - quicXDSListener = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog) + if quicXDSListener, err = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, quicXDSListener); err != nil { errs = errors.Join(errs, err) continue 
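Review bot: The error from `buildXdsQuicListener` in the `@@ -217,7 +217,11 @@` hunk is joined into `errs` without saying which listener failed, so an aggregated translation error may be hard to trace back to its source unless the builder already names the listener. Wrapping at the join keeps that context, e.g. `errs = errors.Join(errs, fmt.Errorf("building QUIC listener %q: %w", httpListener.Name, err))` (assuming `fmt` is imported in translator.go). The same applies to the `buildXdsTCPListener` calls in the `@@ -225,7 +229,13 @@` and `@@ -560,12 +570,19 @@` hunks. processHTTPListenerXdsTranslation starts and ends outside the hunk.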
@@ -225,7 +229,13 @@ func (t *Translator) processHTTPListenerXdsTranslation( } // Create a new TCP listener for HTTP1/HTTP2 traffic. - tcpXDSListener = buildXdsTCPListener(httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, httpListener.TCPKeepalive, httpListener.Connection, accessLog) + if tcpXDSListener, err = buildXdsTCPListener( + httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, + httpListener.TCPKeepalive, httpListener.Connection, accessLog); err != nil { + errs = errors.Join(errs, err) + continue + } + if err = tCtx.AddXdsResource(resourcev3.ListenerType, tcpXDSListener); err != nil { errs = errors.Join(errs, err) continue @@ -514,7 +524,7 @@ func (t *Translator) addHTTPFiltersToHCM(filterChain *listenerv3.FilterChain, ht for i, filter := range filterChain.Filters { if filter.Name == wellknown.HTTPConnectionManager { var mgrAny *anypb.Any - if mgrAny, err = protocov.ToAnyWithError(hcm); err != nil { + if mgrAny, err = protocov.ToAnyWithValidation(hcm); err != nil { return err } 
@@ -560,12 +570,19 @@ func (t *Translator) processTCPListenerXdsTranslation( ) error { // The XDS translation is done in a best-effort manner, so we collect all // errors and return them at the end. - var errs error + var errs, err error for _, tcpListener := range tcpListeners { // Search for an existing listener, if it does not exist, create one. xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { - xdsListener = buildXdsTCPListener(tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog) + if xdsListener, err = buildXdsTCPListener( + tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, + tcpListener.TCPKeepalive, tcpListener.Connection, accesslog); err != nil { + // skip this listener if failed to build xds listener + errs = errors.Join(errs, err) + continue + } + if err := tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil { // skip this listener if failed to add xds listener to the errs = errors.Join(errs, err) @@ -911,7 +928,7 @@ func buildXdsUpstreamTLSSocketWthCert(tlsConfig *ir.TLSUpstreamConfig) (*corev3. } } - tlsCtxAny, err := anypb.New(tlsCtx) + tlsCtxAny, err := protocov.ToAnyWithValidation(tlsCtx) if err != nil { return nil, err } From 74e5750386e0c9a08ae1933ac260b5c579f466cb Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 29 Oct 2024 09:17:17 +0800 Subject: [PATCH 321/523] Fix: xds translation failed when wasm http code source configured without sha (#4547) * fix wasm http code source without sha Signed-off-by: Huabing Zhao * release note Signed-off-by: Huabing Zhao * fix gen Signed-off-by: Huabing Zhao * fix gen Signed-off-by: Huabing Zhao --------- 
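Review bot: In the `@@ -560,12 +570,19 @@` hunk, `var errs, err error` adds a function-scoped `err`, yet the unchanged `if err := tCtx.AddXdsResource(...)` just below still declares its own shadowing `err`, so the loop now mixes two variables of the same name. Changing that line to `if err = tCtx.AddXdsResource(resourcev3.ListenerType, xdsListener); err != nil {` would match the HTTP listener path, which assigns to the outer `err` in the hunks visible here. The function body continues outside the hunk.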
Signed-off-by: Huabing Zhao --- internal/gatewayapi/envoyextensionpolicy.go | 6 +- .../testdata/custom-filter-order.in.yaml | 4 +- .../testdata/custom-filter-order.out.yaml | 8 +- ...tensionpolicy-with-wasm-targetrefs.in.yaml | 4 +- ...ensionpolicy-with-wasm-targetrefs.out.yaml | 12 +-- .../envoyextensionpolicy-with-wasm.in.yaml | 6 +- .../envoyextensionpolicy-with-wasm.out.yaml | 10 +- internal/gatewayapi/translator_test.go | 5 +- release-notes/current.yaml | 1 + test/e2e/testdata/wasm-http.yaml | 36 ++++++++ test/e2e/tests/wasm_http.go | 92 ++++++++++--------- 11 files changed, 117 insertions(+), 67 deletions(-) diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 4abc9a69046..9ba561f1b5d 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -561,6 +561,8 @@ func (t *Translator) buildWasm( switch config.Code.Type { case egv1a1.HTTPWasmCodeSourceType: + var checksum string + // This is a sanity check, the validation should have caught this if config.Code.HTTP == nil { return nil, fmt.Errorf("missing HTTP field in Wasm code source") @@ -572,7 +574,7 @@ func (t *Translator) buildWasm( http := config.Code.HTTP - if servingURL, _, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ + if servingURL, checksum, err = t.WasmCache.Get(http.URL, wasm.GetOptions{ Checksum: originalChecksum, PullPolicy: pullPolicy, ResourceName: irConfigNameForWasm(policy, idx), @@ -584,7 +586,7 @@ func (t *Translator) buildWasm( code = &ir.HTTPWasmCode{ ServingURL: servingURL, OriginalURL: http.URL, - SHA256: originalChecksum, + SHA256: checksum, } case egv1a1.ImageWasmCodeSourceType: diff --git a/internal/gatewayapi/testdata/custom-filter-order.in.yaml b/internal/gatewayapi/testdata/custom-filter-order.in.yaml index 99b46e6de82..6f27637135c 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.in.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.in.yaml 
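Review bot: With `SHA256: checksum` in the `@@ -584,7 +586,7 @@` hunk, a policy that configures no `sha256` gets whatever digest `t.WasmCache.Get` reports. Judging by the mock in translator_test.go, that digest is computed from the downloaded module, so the value records what was fetched rather than verifying it against something the user pinned. That distinction deserves a comment at the assignment, e.g. `// checksum comes from the cache; when no sha256 is configured it is derived from the download and is not a user-supplied pin`. It may also be worth stating in the API docs that omitting `sha256` leaves module integrity dependent on the transport and the origin server. buildWasm starts and ends outside these hunks.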
@@ -111,7 +111,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -122,7 +122,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 6967bf280f3..043eeab1543 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -24,7 +24,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -257,7 +257,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -267,7 +267,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml index 106267da645..17026ebbad6 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.in.yaml @@ -72,7 +72,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -83,7 +83,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-2.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e config: parameter1: value1 parameter2: value2 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 4abc9f59092..8c65fb9cf65 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml 
@@ -16,7 +16,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -27,7 +27,7 @@ envoyExtensionPolicies: name: wasm-filter-1 - code: http: - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e url: https://www.example.com/wasm-filter-2.wasm type: HTTP config: @@ -239,7 +239,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: @@ -249,7 +249,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com @@ -280,7 +280,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
@@ -290,7 +290,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-2.wasm servingURL: https://envoy-gateway:18002/593e4cc60a7e0fa4d4f86531a5e20e785213a52000f056a7a8b5c5afcb908052.wasm - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 84274ca23246855cc491b3c6a657a89167e0b109a7ae380f1e64df77c910307e name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 wasmName: wasm-filter-2 hostname: www.example.com diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml index 5cb2b192553..e7414013410 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.in.yaml @@ -77,7 +77,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.example.com/wasm-filter-1.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 config: parameter1: key1: value1 @@ -91,7 +91,7 @@ envoyextensionpolicies: url: oci://www.example.com/wasm-filter-2:v1.0.0 pullSecretRef: name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 config: parameter1: value1 parameter2: value2 @@ -115,7 +115,7 @@ envoyextensionpolicies: type: HTTP http: url: https://www.test.com/wasm-filter-4.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 config: parameter1: key1: value1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 68cfaf92515..368c32a4055 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -13,7 +13,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 url: https://www.test.com/wasm-filter-4.wasm type: HTTP config: @@ -53,7 +53,7 @@ envoyExtensionPolicies: wasm: - code: http: - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 url: https://www.example.com/wasm-filter-1.wasm type: HTTP config: @@ -68,7 +68,7 @@ envoyExtensionPolicies: group: null kind: null name: my-pull-secret - sha256: a1efca12ea51069abb123bf9c77889fcc2a31cc5483fc14d115e44fdf07c7980 + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 url: oci://www.example.com/wasm-filter-2:v1.0.0 type: Image config: @@ -277,7 +277,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.test.com/wasm-filter-4.wasm servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm - sha256: a1f0b78b8c1320690327800e3a5de10e7dbba7b6c752e702193a395a52c727b6 + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 wasmName: wasm-filter-4 hostname: www.example.com @@ -311,7 +311,7 @@ xdsIR: httpWasmCode: originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm - sha256: 746df05c8f3a0b07a46c0967cfbc5cbe5b9d48d0f79b6177eeedf8be6c8b34b5 + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 wasmName: wasm-filter-1 - config: 
diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 7184326fd62..39200342a5f 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go @@ -833,7 +833,7 @@ type mockWasmCache struct{} func (m *mockWasmCache) Start(_ context.Context) {} -func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, checksum string, err error) { +func (m *mockWasmCache) Get(downloadURL string, options wasm.GetOptions) (url string, checksum string, err error) { // This is a mock implementation of the wasm.Cache.Get method. sha := sha256.Sum256([]byte(downloadURL)) hashedName := hex.EncodeToString(sha[:]) @@ -841,6 +841,9 @@ func (m *mockWasmCache) Get(downloadURL string, _ wasm.GetOptions) (url string, salt = append(salt, hashedName...) sha = sha256.Sum256(salt) checksum = hex.EncodeToString(sha[:]) + if options.Checksum != "" && checksum != options.Checksum { + return "", "", fmt.Errorf("module downloaded from %v has checksum %v, which does not match: %v", downloadURL, checksum, options.Checksum) + } return fmt.Sprintf("https://envoy-gateway:18002/%s.wasm", hashedName), checksum, nil } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 8240c9ab163..cf4ea00691b 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -15,6 +15,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | Only log endpoint configuration in verbose logging mode (`-v 4` or higher) + The xDS translation failed when wasm http code source configured without a sha # Enhancements that improve performance. performance improvements: | diff --git a/test/e2e/testdata/wasm-http.yaml b/test/e2e/testdata/wasm-http.yaml index 2bc1aae0ab3..856d381a517 100644 --- a/test/e2e/testdata/wasm-http.yaml +++ b/test/e2e/testdata/wasm-http.yaml 
@@ -19,6 +19,24 @@ spec: --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: http-with-http-wasm-source-no-sha + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /wasm-http-no-sha + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: http-without-wasm namespace: gateway-conformance-infra @@ -53,3 +71,21 @@ spec: http: url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyExtensionPolicy +metadata: + name: http-wasm-source-test-no-sha + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-http-wasm-source-no-sha + wasm: + - name: wasm-filter + rootID: my_root_id + code: + type: HTTP + http: + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index e5ef2e14c82..7f7da0c833b 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go 
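Review bot: The new `http-wasm-source-test-no-sha` policy fetches its module from a URL on the `main` branch and, by design, carries no `sha256`, so this e2e case loads whatever that branch serves at run time. Pinning the path to a commit keeps the test reproducible without adding a checksum, e.g. `url: https://raw.githubusercontent.com/envoyproxy/examples/<COMMIT_SHA>/wasm-cc/lib/envoy_filter_http_wasm_example.wasm`. Here `<COMMIT_SHA>` is a placeholder for the revision that the `sha256` of the existing policy in this file corresponds to.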
@@ -32,49 +32,11 @@ var HTTPWasmTest = suite.ConformanceTest{ Manifests: []string{"testdata/wasm-http.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("http route with http wasm source", func(t *testing.T) { - ns := "gateway-conformance-infra" - routeNN := types.NamespacedName{Name: "http-with-http-wasm-source", Namespace: ns} - gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - - ancestorRef := gwapiv1a2.ParentReference{ - Group: gatewayapi.GroupPtr(gwapiv1.GroupName), - Kind: gatewayapi.KindPtr(resource.KindGateway), - Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), - Name: gwapiv1.ObjectName(gwNN.Name), - } - EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "http-wasm-source-test", Namespace: ns}, suite.ControllerName, ancestorRef) - - expectedResponse := http.ExpectedResponse{ - Request: http.Request{ - Host: "www.example.com", - Path: "/wasm-http", - }, - - // Set the expected request properties to empty strings. - // This is a workaround to avoid the test failure. - // These values can't be extracted from the json format response - // body because the test wasm code appends a "Hello, world" text - // to the response body, invalidating the json format. 
- ExpectedRequest: &http.ExpectedRequest{ - Request: http.Request{ - Host: "", - Method: "", - Path: "", - Headers: nil, - }, - }, - Namespace: "", - - Response: http.Response{ - StatusCode: 200, - Headers: map[string]string{ - "x-wasm-custom": "FOO", // response header added by wasm - }, - }, - } + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source", "http-wasm-source-test", "/wasm-http") + }) - http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) + t.Run("http route with http wasm source no sha", func(t *testing.T) { + testWasmHTTPCodeSource(t, suite, "http-with-http-wasm-source-no-sha", "http-wasm-source-test-no-sha", "/wasm-http-no-sha") }) t.Run("http route without wasm", func(t *testing.T) { 
@@ -115,3 +77,49 @@ var HTTPWasmTest = suite.ConformanceTest{ }) }, } + +func testWasmHTTPCodeSource(t *testing.T, suite *suite.ConformanceTestSuite, route, eep, path string) { + ns := "gateway-conformance-infra" + routeNN := types.NamespacedName{Name: route, Namespace: ns} + gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + ancestorRef := gwapiv1a2.ParentReference{ + Group: gatewayapi.GroupPtr(gwapiv1.GroupName), + Kind: gatewayapi.KindPtr(resource.KindGateway), + Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), + Name: gwapiv1.ObjectName(gwNN.Name), + } + EnvoyExtensionPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: eep, Namespace: ns}, suite.ControllerName, ancestorRef) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Host: "www.example.com", + Path: path, + }, + + // Set the expected request properties to empty strings. + // This is a workaround to avoid the test failure. + // These values can't be extracted from the json format response + // body because the test wasm code appends a "Hello, world" text + // to the response body, invalidating the json format. + ExpectedRequest: &http.ExpectedRequest{ + Request: http.Request{ + Host: "", + Method: "", + Path: "", + Headers: nil, + }, + }, + Namespace: "", + + Response: http.Response{ + StatusCode: 200, + Headers: map[string]string{ + "x-wasm-custom": "FOO", // response header added by wasm + }, + }, + } + + http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) +} From f5552a44f14b9d62e06d47f273704d7e28bc9bad Mon Sep 17 00:00:00 2001 
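Review bot: `testWasmHTTPCodeSource` is a shared assertion helper but does not call `t.Helper()`, so any failure attributed to its frame points inside the helper rather than at the subtest that called it. Adding `t.Helper()` as its first statement fixes that. The parameter name `suite` also shadows the imported `suite` package inside the function body; that mirrors the existing `Test` closure, but a name such as `s` would avoid the shadowing.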
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:38:28 -0700 Subject: [PATCH 322/523] build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 (#4544) * build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.0 to 0.19.1. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.0...v0.19.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * fix gen check Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 25eb15516ef..d1fe3381491 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -9,7 +9,7 @@ require ( google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 k8s.io/apimachinery v0.31.1 - sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 29bfba9e9f4..fab51e3743e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -131,8 +131,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/go.mod b/go.mod index d00254554f8..2b49c973462 100644 --- a/go.mod +++ b/go.mod @@ -55,7 +55,7 @@ require ( k8s.io/client-go v0.31.1 k8s.io/kubectl v0.31.1 k8s.io/utils v0.0.0-20240821151609-f90d01438635 - sigs.k8s.io/controller-runtime v0.19.0 + sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 diff --git a/go.sum b/go.sum index 9ca74a4e5da..6fc83ac3376 100644 --- a/go.sum +++ b/go.sum 
@@ -1215,8 +1215,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= From 20a46220d95396661be875049700ab67e5dd913a Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 29 Oct 2024 20:58:03 -0400 Subject: [PATCH 323/523] feat(chart): Make security context configurable (#4536) * Make security context configurable Signed-off-by: Tamal Saha * make gen-check Signed-off-by: Tamal Saha * Update current.yaml Signed-off-by: Tamal Saha --------- 
Signed-off-by: Tamal Saha --- charts/gateway-helm/README.md | 9 +- charts/gateway-helm/templates/certgen.yaml | 12 +- .../templates/envoy-gateway-deployment.yaml | 17 +- charts/gateway-helm/values.tmpl.yaml | 23 + release-notes/current.yaml | 2 +- .../en/latest/install/gateway-helm-api.md | 9 +- .../zh/latest/install/gateway-helm-api.md | 9 +- .../certjen-custom-scheduling.out.yaml | 4 +- .../control-plane-with-pdb.out.yaml | 4 +- .../helm/gateway-helm/default-config.out.yaml | 4 +- .../deployment-custom-topology.out.yaml | 4 +- .../deployment-images-config.out.yaml | 4 +- .../deployment-priorityclass.out.yaml | 4 +- .../deployment-securitycontext.in.yaml | 32 + .../deployment-securitycontext.out.yaml | 574 ++++++++++++++++++ .../envoy-gateway-config.out.yaml | 4 +- .../global-images-config.out.yaml | 4 +- .../gateway-helm/service-annotations.out.yaml | 4 +- 18 files changed, 677 insertions(+), 46 deletions(-) create mode 100644 test/helm/gateway-helm/deployment-securitycontext.in.yaml create mode 100644 test/helm/gateway-helm/deployment-securitycontext.out.yaml diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 61942016a29..5d9cecf616b 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md 
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -71,6 +71,13 @@ To uninstall the chart:
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
 | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
 | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | deployment.pod.affinity | object | `{}` | |
 | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
 | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index 00b7b6f8dca..f98c414ba22 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
@@ -39,17 +39,7 @@ spec:
 {{- toYaml . | nindent 10 }}
 {{- end }}
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsGroup: 65534
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
+ {{- toYaml .Values.certgen.job.securityContext | nindent 10 }}
 {{- include "eg.image.pullSecrets" . | nindent 6 }}
 {{- with .Values.certgen.job.affinity }}
 affinity:
diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
index 0be895fe76f..7746dd2e4ac 100644
--- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
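Review bot: The certgen container's hardening now exists only as the default of `.Values.certgen.job.securityContext`, so an override that sets the key to `null` or replaces the `capabilities.drop` list would render the Job with that hardening partly or wholly gone, and nothing in the template hints at it. Helm merges maps key by key but replaces lists whole, which is easy to miss when only one field is meant to change. I would add a template comment above the key, `{{- /* hardening defaults live in values.yaml; value overrides replace lists wholesale */}}`, and the same above `securityContext:` in the second hunk of envoy-gateway-deployment.yaml. Clusters that depend on these settings are better served by enforcing them with Pod Security admission than by relying on chart defaults.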
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
@@ -30,7 +30,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.deployment.pod.nodeSelector }}
- nodeSelector:
+ nodeSelector:
 {{ toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.deployment.pod.topologySpreadConstraints }}
@@ -73,19 +73,10 @@ spec:
 port: 8081
 initialDelaySeconds: 5
 periodSeconds: 10
- resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10
- }}
+ resources:
+ {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
+ {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }}
 volumeMounts:
 - mountPath: /config
 name: envoy-gateway-config
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index 90e72f09956..cfcd9532491 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -35,6 +35,17 @@ deployment:
 requests:
 cpu: 100m
 memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: grpc
 port: 18000
@@ -86,6 +97,18 @@ certgen:
 tolerations: []
 nodeSelector: {}
 ttlSecondsAfterFinished: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 rbac:
 annotations: {}
 labels: {}
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index cf4ea00691b..1268ce35b0f 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
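Review bot: The new `deployment.envoyGateway.securityContext` block in values.tmpl.yaml, and `certgen.job.securityContext` in the hunk after it, carry no helm-docs comment, so the README rows added by this commit have empty descriptions and nothing tells an operator that these defaults are the chart's container hardening. I would put `# -- Container securityContext for the envoy-gateway container. The defaults satisfy the container-level checks of the restricted Pod Security Standard; relax only the fields your platform requires.` above the key, with a matching line for certgen. The deployment defaults also omit `readOnlyRootFilesystem: true`, which the certgen block sets; that matches the old template, but if the controller does not need a writable root filesystem it would be worth adding here.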
@@ -10,7 +10,7 @@ security updates: |
 # New features or capabilities added in this release.
 new features: |
- Add a new feature here
+ Add support for modifying container securityContext for Envoy Gateway deployment in Helm
 # Fixes for bugs identified in previous versions.
 bug fixes: |
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md
index 99023e65c6c..bb817b992dc 100644
--- a/site/content/en/latest/install/gateway-helm-api.md
+++ b/site/content/en/latest/install/gateway-helm-api.md
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
 | config.envoyGateway.logging.level.default | string | `"info"` | |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` | |
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
 | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
 | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | deployment.pod.affinity | object | `{}` | |
 | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
 | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
diff --git a/site/content/zh/latest/install/gateway-helm-api.md b/site/content/zh/latest/install/gateway-helm-api.md
index 99023e65c6c..bb817b992dc 100644
--- a/site/content/zh/latest/install/gateway-helm-api.md
+++ b/site/content/zh/latest/install/gateway-helm-api.md
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
 | config.envoyGateway.logging.level.default | string | `"info"` | |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` | |
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..37d0212f719 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..69f08e1dbb7 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -447,8 +447,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -578,8 +578,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..6e1b1846bae 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -563,8 +563,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..0bc5809337c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -460,8 +460,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -591,8 +591,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..f99a89039d8 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml 
@@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..3757e360d95 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml @@ -432,8 +432,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -564,8 +564,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/deployment-securitycontext.in.yaml b/test/helm/gateway-helm/deployment-securitycontext.in.yaml new file mode 100644 index 00000000000..47b8d1cec23 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.in.yaml @@ -0,0 +1,32 @@ +global: + images: + envoyGateway: + image: "docker.io/envoyproxy/gateway-dev:latest" + pullPolicy: Always +deployment: + envoyGateway: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault +certgen: + job: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault 
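Review bot: The new fixture deployment-securitycontext.in.yaml restates every field of both `securityContext` blocks and changes only `runAsGroup`/`runAsUser` to 1000, so the golden output cannot show whether a partial override keeps the remaining defaults. That merge behaviour is what keeps `allowPrivilegeEscalation: false`, `drop: [ALL]` and `seccompProfile` in place when an operator changes a single field. I would cut each block in the fixture down to the two changed keys, `runAsGroup: 1000` and `runAsUser: 1000`, and let deployment-securitycontext.out.yaml pin that the other fields survive.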
diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml new file mode 100644 index 00000000000..e98bd1e9730 --- /dev/null +++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml 
@@ -0,0 +1,574 @@ +--- +# Source: gateway-helm/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +--- +# Source: gateway-helm/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:master + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway-dev:latest + type: Kubernetes +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: gateway-helm-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- 
apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + - backendtlspolicies/status + verbs: + - update +--- +# Source: gateway-helm/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gateway-helm-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gateway-helm-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: 
gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - delete + - deletecollection + - patch +--- +# Source: gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-leader-election-role + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +# Source: gateway-helm/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-infra-manager + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: 
gateway-helm/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-leader-election-rolebinding + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 +--- +# Source: gateway-helm/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'envoy-gateway-system' + labels: + control-plane: envoy-gateway + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + template: + metadata: + annotations: + 
prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + 
"helm.sh/hook": pre-install +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: gateway-helm/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'gateway-helm-certgen' +subjects: +- kind: ServiceAccount + name: 'gateway-helm-certgen' + namespace: 'envoy-gateway-system' +--- +# Source: gateway-helm/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: gateway-helm-certgen + namespace: 'envoy-gateway-system' + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: 
docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: Always + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: gateway-helm-certgen + ttlSecondsAfterFinished: 30 diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..fb1e51f2209 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..ebcda594b19 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -436,8 +436,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -569,8 +569,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..9d37bdffcde 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml 
+++ b/test/helm/gateway-helm/service-annotations.out.yaml @@ -434,8 +434,8 @@ spec: drop: - ALL privileged: false - runAsNonRoot: true runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65532 seccompProfile: type: RuntimeDefault @@ -565,8 +565,8 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsNonRoot: true runAsGroup: 65534 + runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault From b0c6f8ca3c2b55ab1007a800264efe6226100db1 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 30 Oct 2024 10:22:07 +0800 Subject: [PATCH 324/523] helm: make eg-addons support IPv6 cluster (#4559) Signed-off-by: zirain --- charts/gateway-addons-helm/README.md | 19 ++++++---- charts/gateway-addons-helm/values.yaml | 35 ++++++++++++++----- .../latest/install/gateway-addons-helm-api.md | 19 ++++++---- .../latest/install/gateway-addons-helm-api.md | 19 ++++++---- test/helm/gateway-addons-helm/e2e.out.yaml | 24 ++++++------- 5 files changed, 77 insertions(+), 39 deletions(-) diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index a52af3e2d14..11eab2edf84 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md 
@@ -107,15 +107,21 @@ To uninstall the chart: | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` | | +| 
opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -127,6 +133,7 @@ To uninstall the chart: | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index d3fb043ddd4..8ee3cbfaea9 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml 
@@ -186,7 +186,7 @@ opentelemetry-collector: config: exporters: prometheus: - endpoint: 0.0.0.0:19001 + endpoint: "[${env:MY_POD_IP}]:19001" debug: verbosity: detailed loki: @@ -196,10 +196,8 @@ opentelemetry-collector: tls: insecure: true extensions: - # The health_check extension is mandatory for this chart. - # Without the health_check extension the collector will fail the readiness and liveliness probes. - # The health_check extension can be modified, but should never be removed. - health_check: {} + health_check: + endpoint: "[${env:MY_POD_IP}]:13133" processors: attributes: actions: @@ -209,17 +207,36 @@ opentelemetry-collector: # Loki will convert this to k8s_pod_name label. value: k8s.pod.name, k8s.namespace.name receivers: + jaeger: + protocols: + grpc: + endpoint: "[${env:MY_POD_IP}]:14250" + thrift_http: + endpoint: "[${env:MY_POD_IP}]:14268" + thrift_compact: + endpoint: "[${env:MY_POD_IP}]:6831" datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: "[${env:MY_POD_IP}]:8126" zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: "[${env:MY_POD_IP}]:9411" otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: "[${env:MY_POD_IP}]:4317" http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: "[${env:MY_POD_IP}]:4318" + prometheus: + config: + scrape_configs: + - job_name: opentelemetry-collector + scrape_interval: 10s + static_configs: + - targets: + - "[${env:MY_POD_IP}]:8888" service: + telemetry: + metrics: + address: "[${env:MY_POD_IP}]:8888" extensions: - health_check pipelines: diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index 9835e21cd62..ba60a7d51b0 100644 --- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md 
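Review bot: The second values.yaml hunk (`@@ -196,10 +196,8 @@`) deletes the three-line comment explaining that `health_check` is mandatory for the readiness and liveness probes, although the extension is still required and now carries an explicit endpoint that those probes depend on. I would keep that comment above `health_check:` and add one line on the bracket form, e.g. `# Brackets keep host:port parseable when MY_POD_IP is an IPv6 address.` Every listener in these hunks now binds to `MY_POD_IP`, including the prometheus exporter that previously used `0.0.0.0:19001`. That narrows exposure, but presumably nothing is reachable on loopback any more. Where `MY_POD_IP` is injected is not visible in this diff, so it is worth confirming that it is always set and which address family it carries on dual-stack clusters.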
@@ -86,15 +86,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +112,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index 9835e21cd62..ba60a7d51b0 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md 
+++ b/site/content/zh/latest/install/gateway-addons-helm-api.md 
@@ -86,15 +86,21 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"${env:MY_POD_IP}:8126"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` 
| | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | @@ -106,6 +112,7 @@ An Add-ons Helm chart for Envoy Gateway | opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | | opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 1e7c8fda8ff..84a0691299a 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml 
@@ -237,10 +237,10 @@ data: tls: insecure: true prometheus: - endpoint: 0.0.0.0:19001 + endpoint: '[${env:MY_POD_IP}]:19001' extensions: health_check: - endpoint: ${env:MY_POD_IP}:13133 + endpoint: '[${env:MY_POD_IP}]:13133' processors: attributes: actions: @@ -254,21 +254,21 @@ data: spike_limit_percentage: 25 receivers: datadog: - endpoint: ${env:MY_POD_IP}:8126 + endpoint: '[${env:MY_POD_IP}]:8126' jaeger: protocols: grpc: - endpoint: ${env:MY_POD_IP}:14250 + endpoint: '[${env:MY_POD_IP}]:14250' thrift_compact: - endpoint: ${env:MY_POD_IP}:6831 + endpoint: '[${env:MY_POD_IP}]:6831' thrift_http: - endpoint: ${env:MY_POD_IP}:14268 + endpoint: '[${env:MY_POD_IP}]:14268' otlp: protocols: grpc: - endpoint: ${env:MY_POD_IP}:4317 + endpoint: '[${env:MY_POD_IP}]:4317' http: - endpoint: ${env:MY_POD_IP}:4318 + endpoint: '[${env:MY_POD_IP}]:4318' prometheus: config: scrape_configs: @@ -276,9 +276,9 @@ data: scrape_interval: 10s static_configs: - targets: - - ${env:MY_POD_IP}:8888 + - '[${env:MY_POD_IP}]:8888' zipkin: - endpoint: ${env:MY_POD_IP}:9411 + endpoint: '[${env:MY_POD_IP}]:9411' service: extensions: - health_check @@ -311,7 +311,7 @@ data: - zipkin telemetry: metrics: - address: ${env:MY_POD_IP}:8888 + address: '[${env:MY_POD_IP}]:8888' --- # Source: gateway-addons-helm/charts/prometheus/templates/cm.yaml apiVersion: v1 @@ -9756,7 +9756,7 @@ spec: template: metadata: annotations: - checksum/config: 270a8503091b51a264317115cf6df46b4501b03fc135eca95b93dca57a522a70 + checksum/config: 77c11cf41a890ec6a75a644880450d53887eca3e37511c3139cf0b3e8ebbe1ee labels: app.kubernetes.io/name: opentelemetry-collector From 1a275b99560a8cf1b1c68d72808a7671d0b6ec63 Mon Sep 17 00:00:00 2001 From: shahar-h Date: Thu, 31 Oct 2024 01:52:34 +0200 Subject: [PATCH 325/523] ci: cleanup osv-scanner config (#4579) Signed-off-by: Shahar Harari --- osv-scanner.toml | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) 
diff --git a/osv-scanner.toml b/osv-scanner.toml index 6144707a297..bed9a0c7a6a 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,7 +1,3 @@ -[[IgnoredVulns]] -id = "GO-2022-0646" -reason = "No a real issue, just a warning about third party package." - [[PackageOverrides]] name = "github.com/AdaLogics/go-fuzz-headers" version = "0.0.0-20230811130428-ced1acdcaa24" @@ -16,13 +12,6 @@ ecosystem = "Go" license.override = ["MIT"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved" -[[PackageOverrides]] -name = "github.com/containers/storage" -version = "1.55.0" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/104 is resolved" - [[PackageOverrides]] name = "github.com/distribution/distribution/v3" version = "3.0.0-beta.1" 
@@ -41,32 +30,28 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/go-sql-driver/mysql" version = "1.8.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/errwrap" version = "1.1.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/go-multierror" version = "1.1.1" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. 
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] name = "github.com/hashicorp/hcl" version = "1.0.0" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv" [[PackageOverrides]] @@ -80,8 +65,7 @@ reason = "This package has dual license - the code is licensed under the Apache name = "github.com/shoenig/go-m1cpu" version = "0.1.6" ecosystem = "Go" -# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from license scanning instead -license.override = ["Apache-2.0"] +license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx" [[PackageOverrides]] @@ -89,10 +73,3 @@ name = "stdlib" ecosystem = "Go" license.override = ["BSD-3-Clause"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved" - -[[PackageOverrides]] -name = "sigs.k8s.io/json" -version = "0.0.0-20221116044647-bc3834ca7abd" -ecosystem = "Go" -license.override = ["Apache-2.0"] -reason = "https://github.com/kubernetes-sigs/json/blob/main/LICENSE" From 82ce107e76bfc9b8d7f1e2704c7d294bbb8b9606 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 30 Oct 2024 19:31:05 -0700 Subject: [PATCH 326/523] fix egctl release artifacts (#4580) * the release artifact for `egctl` was being pulled from the `latest` release instead of a binary associated with the release tag 
Signed-off-by: Arko Dasgupta --- .github/workflows/release.yaml | 16 ++++++++++++---- tools/make/kube.mk | 11 +---------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d4a2213cab5..0f021c7e15c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -80,6 +80,14 @@ jobs: name: benchmark_report path: release-artifacts + - name: Build egctl multiarch binaries + run: | + make build-multiarch BINS="egctl" + tar -zcvf egctl_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/ + tar -zcvf egctl_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/ + tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/ + tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/ + - name: Upload Release Manifests uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 with: @@ -88,7 +96,7 @@ jobs: release-artifacts/quickstart.yaml release-artifacts/release-notes.yaml release-artifacts/benchmark_report.zip - release-artifacts/egctl_${{ env.release_tag }}_linux_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_linux_arm64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_amd64.tar.gz - release-artifacts/egctl_${{ env.release_tag }}_darwin_arm64.tar.gz + egctl_${{ env.release_tag }}_linux_amd64.tar.gz + egctl_${{ env.release_tag }}_linux_arm64.tar.gz + egctl_${{ env.release_tag }}_darwin_amd64.tar.gz + egctl_${{ env.release_tag }}_darwin_arm64.tar.gz diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 430084dc544..daf109f478e 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk 
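Review bot: The added `Build egctl multiarch binaries` step expands `${{ env.release_tag }}` inside the `run:` script, so the value is pasted into the shell source before bash parses it. Since `release_tag` is already an environment variable, the script can read it as data instead: `tar -zcvf "egctl_${release_tag}_linux_amd64.tar.gz" bin/linux/amd64/`, and likewise for the other three lines. How `release_tag` is derived is outside this hunk; if it comes from the pushed tag name, the quoting matters. It may also be worth publishing a checksum file next to the four tarballs so consumers can verify them, which this change does not add.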
@@ -249,16 +249,7 @@ generate-manifests: helm-generate.gateway-helm ## Generate Kubernetes release ma @$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml") .PHONY: generate-artifacts -generate-artifacts: generate-manifests generate-egctl-releases ## Generate release artifacts. +generate-artifacts: generate-manifests ## Generate release artifacts. @$(LOG_TARGET) cp -r $(ROOT_DIR)/release-notes/$(TAG).yaml $(OUTPUT_DIR)/release-notes.yaml @$(call log, "Added: $(OUTPUT_DIR)/release-notes.yaml") - -.PHONY: generate-egctl-releases -generate-egctl-releases: ## Generate egctl releases - @$(LOG_TARGET) - mkdir -p $(OUTPUT_DIR)/ - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_darwin_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_darwin_arm64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_amd64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_amd64.tar.gz - curl -sSL https://github.com/envoyproxy/gateway/releases/download/latest/egctl_latest_linux_arm64.tar.gz -o $(OUTPUT_DIR)/egctl_$(TAG)_linux_arm64.tar.gz From e6307f0d090c28aae1a5231274848ea933e5f5af Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Wed, 30 Oct 2024 21:42:53 -0700 Subject: [PATCH 327/523] fix debug level logging for IR (#4584) https://pkg.go.dev/github.com/go-logr/zapr#hdr-Implementation_Details ``` V(1) is equivalent to Zap's DebugLevel ``` Now after setting the log level to `default: debug` I see ``` 2024-10-31T01:59:31.138Z DEBUG gateway-api runner/runner.go:176 {"proxy":{"metadata":{"labels":{"gateway.envoyproxy.io/owning-gateway-name":"eg","gateway.envoyproxy.io/owning-gateway-namespace":"default"}},"name":"default/eg","listeners":[{"name":"default/eg/http","address":null,"ports":[{"name":"http-80","protocol":"HTTP","servicePort":80,"containerPort":10080}]}]}} {"runner": "gateway-api", "infra-ir": "default/eg"} 2024-10-31T01:59:31.138Z DEBUG gateway-api runner/runner.go:187 {"accessLog":{"text":[{"path":"/dev/stdout"}]},"http":[{"name":"default/eg/http","address":"0.0.0.0","port":10080,"metadata":{"kind":"Gateway","name":"eg","namespace":"default","sectionName":"http"},"hostnames":["*"],"routes":[{"name":"httproute/default/backend/rule/0/match/0/www_example_com","hostname":"www.example.com","isHTTP2":false,"pathMatch":{"name":"","prefix":"/","distinct":false},"destination":{"name":"httproute/default/backend/rule/0","settings":[{"weight":1,"protocol":"HTTP","endpoints":[{"host":"10.1.19.7","port":3000}],"addressType":"IP"}]},"metadata":{"kind":"HTTPRoute","name":"backend","namespace":"default"}}],"isHTTP2":false,"path":{"mergeSlashes":true,"escapedSlashesAction":"UnescapeAndRedirect"}}]} {"runner": "gateway-api", "xds-ir": "default/eg"} ``` Relates to https://github.com/envoyproxy/gateway/pull/4505 Signed-off-by: Arko Dasgupta --- internal/gatewayapi/runner/runner.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go index 55023c41a8d..62975892918 100644 --- a/internal/gatewayapi/runner/runner.go +++ b/internal/gatewayapi/runner/runner.go 
@@ -173,9 +173,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { // Publish the IRs. // Also validate the ir before sending it. for key, val := range result.InfraIR { - if vlog := r.Logger.V(4); vlog.Enabled() { - vlog.WithValues("infra-ir", key).Info(val.JSONString()) - } + r.Logger.V(1).WithValues("infra-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate infra ir, skipped sending it") errChan <- err @@ -186,9 +184,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) { } for key, val := range result.XdsIR { - if vlog := r.Logger.V(4); vlog.Enabled() { - vlog.WithValues("xds-ir", key).Info(val.JSONString()) - } + r.Logger.V(1).WithValues("xds-ir", key).Info(val.JSONString()) if err := val.Validate(); err != nil { r.Logger.Error(err, "unable to validate xds ir, skipped sending it") errChan <- err From 13490ac59ddabc6d05b2b5993cad54a4b373b8d4 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 31 Oct 2024 12:43:10 +0800 Subject: [PATCH 328/523] docs: remove List type (#4585) Signed-off-by: zirain --- site/content/en/latest/api/extension_types.md | 140 +----------------- site/content/zh/latest/api/extension_types.md | 140 +----------------- tools/crd-ref-docs/config.yaml | 2 +- 3 files changed, 15 insertions(+), 267 deletions(-) diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
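Review bot: Both new log calls (this hunk and `@@ -186,9 +184,7 @@`) evaluate `val.JSONString()` on every translation, because without the `vlog.Enabled()` guard the argument is built before the logger decides whether V(1) is on. Keeping the guard at the new level avoids serializing the whole IR when debug is off: `if vlog := r.Logger.V(1); vlog.Enabled() { vlog.WithValues("infra-ir", key).Info(val.JSONString()) }`, and the same for `xds-ir`. Separately, the IR dump is now emitted at plain debug level rather than V(4). Whether `JSONString()` redacts secret material such as TLS private keys is not visible here, so that should be confirmed before debug logging is suggested for shared environments. `subscribeAndTranslate` starts and ends outside these hunks.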
@@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef @@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec 
@@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec @@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec 
@@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 2999d46410c..23f69fd832a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -15,21 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) - [HTTPRouteFilter](#httproutefilter) -- [HTTPRouteFilterList](#httproutefilterlist) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -267,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -328,22 +320,6 @@ _Appears in:_ | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef @@ -428,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -440,22 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -637,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -649,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec 
@@ -957,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -969,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec @@ -1350,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | 
@@ -1362,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -2026,8 +1934,7 @@ _Appears in:_ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended traffic processing options such as path regex rewrite, direct response and more. -_Appears in:_ -- [HTTPRouteFilterList](#httproutefilterlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -2037,22 +1944,6 @@ _Appears in:_ | `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | -#### HTTPRouteFilterList - - - -HTTPRouteFilterList contains a list of HTTPRouteFilter resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`HTTPRouteFilterList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[HTTPRouteFilter](#httproutefilter) array_ | true | | - - #### HTTPRouteFilterSpec 
@@ -3638,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3650,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec diff --git a/tools/crd-ref-docs/config.yaml b/tools/crd-ref-docs/config.yaml index f63d53b2bf0..c29ec42ff40 100644 --- a/tools/crd-ref-docs/config.yaml +++ b/tools/crd-ref-docs/config.yaml @@ -1,7 +1,7 @@ processor: # RE2 regular expressions describing types that should be excluded from the generated documentation. ignoreTypes: - - "(EnvoyProxy)List$" + - "(.+)List$" # RE2 regular expressions describing type fields that should be excluded from the generated documentation. ignoreFields: - "TypeMeta$" From bb3bbdbd5b8272c1e73b5771abd3cc054fb87729 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 31 Oct 2024 12:50:30 +0800 Subject: [PATCH 329/523] ci: enable test for dual stack cluster (#4574) * ci: enable dual stack test Signed-off-by: zirain * more comment Signed-off-by: zirain * remove 1.31.0 ipv4 test suite Signed-off-by: zirain --------- 
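Review bot: The new `ignoreTypes` pattern `(.+)List$` in tools/crd-ref-docs/config.yaml excludes every type whose name ends in `List`, not only the Kubernetes list kinds that the regenerated docs in this commit drop. A later API struct with such a name (an allow-list or deny-list type, say) would silently disappear from the generated reference. I would put a comment directly above the entry so the next person adding a type sees the trade-off, for example `# Matches every *List kind; a non-list type whose name ends in "List" is hidden too.`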
Signed-off-by: zirain --- .github/workflows/build_and_test.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index bafd90d8351..92ae1b4822d 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -114,7 +114,19 @@ jobs: strategy: fail-fast: false matrix: - version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + target: + - version: v1.28.13 + ipFamily: ipv4 + - version: v1.29.8 + ipFamily: ipv4 + - version: v1.30.4 + ipFamily: ipv4 + # Enable these after https://github.com/envoyproxy/gateway/issues/4572 fixed + # - version: v1.31.0 + # ipFamily: ipv6 # only run ipv6 test on latest version to save time + # TODO: this's IPv4 first, need a way to test IPv6 first. + - version: v1.31.0 + ipFamily: dual # only run dual test on latest version to save time steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps @@ -133,8 +145,9 @@ jobs: # E2E - name: Run E2E Tests env: - KIND_NODE_TAG: ${{ matrix.version }} + KIND_NODE_TAG: ${{ matrix.target.version }} IMAGE_PULL_POLICY: IfNotPresent + IP_FAMILY: ${{ matrix.target.ipFamily }} run: make e2e benchmark-test: From 74f43771ccdf2c2af8af8cfc61713ec92e78877e Mon Sep 17 00:00:00 2001 
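Review bot: Renaming the matrix key from `version` to `target` in the first hunk means any remaining `${{ matrix.version }}` in this job now evaluates to an empty string instead of failing. Only the `KIND_NODE_TAG` reference is updated in the lines shown. The job's `name:` and its other steps lie outside both hunks, so they should be checked for a leftover `matrix.version`. An empty `KIND_NODE_TAG`-style value would presumably fall back to whatever default the Makefile uses, and the matrix would then report green without testing the intended Kubernetes versions.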
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 17:52:05 +0800 Subject: [PATCH 330/523] build(deps): bump the k8s-io group across 2 directories with 6 updates (#4542) * build(deps): bump the k8s-io group across 2 directories with 6 updates Bumps the k8s-io group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl). Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/api` from 0.31.1 to 0.31.2 - [Commits](https://github.com/kubernetes/api/compare/v0.31.1...v0.31.2) Updates `k8s.io/apiextensions-apiserver` from 0.31.1 to 0.31.2 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.31.1...v0.31.2) Updates `k8s.io/apimachinery` from 0.31.1 to 0.31.2 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.1...v0.31.2) Updates `k8s.io/cli-runtime` from 0.31.1 to 0.31.2 - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.31.1...v0.31.2) Updates `k8s.io/client-go` from 0.31.1 to 0.31.2 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2) Updates `k8s.io/kubectl` from 0.31.1 to 0.31.2 - [Commits](https://github.com/kubernetes/kubectl/compare/v0.31.1...v0.31.2) Updates `k8s.io/apimachinery` from 0.31.1 to 0.31.2 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.1...v0.31.2) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: 
k8s-io - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kubectl dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Signed-off-by: Huabing Zhao Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 8 +++---- go.mod | 18 +++++++------- go.sum | 40 ++++++++++++++++---------------- 4 files changed, 34 insertions(+), 34 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index d1fe3381491..7b09ae7320b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -8,7 +8,7 @@ require ( github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.35.1 - k8s.io/apimachinery v0.31.1 + k8s.io/apimachinery v0.31.2 sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index fab51e3743e..42db960b446 100644 --- a/examples/extension-server/go.sum 
+++ b/examples/extension-server/go.sum @@ -123,10 +123,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= diff --git a/go.mod b/go.mod index 2b49c973462..c50662d61ec 100644 --- a/go.mod +++ b/go.mod @@ -48,12 +48,12 @@ require ( google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 - k8s.io/api v0.31.1 - k8s.io/apiextensions-apiserver v0.31.1 - k8s.io/apimachinery v0.31.1 - k8s.io/cli-runtime v0.31.1 - k8s.io/client-go v0.31.1 - k8s.io/kubectl v0.31.1 + k8s.io/api v0.31.2 + k8s.io/apiextensions-apiserver v0.31.2 + k8s.io/apimachinery v0.31.2 + k8s.io/cli-runtime v0.31.2 + k8s.io/client-go v0.31.2 + k8s.io/kubectl v0.31.2 k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 
@@ -212,8 +212,8 @@ require ( golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.1 // indirect - k8s.io/metrics v0.31.1 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/metrics v0.31.2 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect @@ -289,7 +289,7 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.31.1 // indirect + k8s.io/component-base v0.31.2 // indirect k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index 6fc83ac3376..94b88fa9f7a 100644 --- a/go.sum +++ b/go.sum 
@@ -1159,32 +1159,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= -k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= +k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= -k8s.io/apiserver v0.31.1/go.mod 
h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= -k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= -k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= +k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= +k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ= +k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= -k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= +k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= -k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= +k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= +k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1193,16 +1193,16 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.1 h1:cGLyV3cIwb0ovpP/jtyIe2mEuQ/MkbhmeBF2IYCA9Io= -k8s.io/kms v0.31.1/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI= +k8s.io/kms v0.31.2/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= -k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= -k8s.io/metrics v0.31.1 h1:h4I4dakgh/zKflWYAOQhwf0EXaqy8LxAIyE/GBvxqRc= -k8s.io/metrics v0.31.1/go.mod h1:JuH1S9tJiH9q1VCY0yzSCawi7kzNLsDzlWDJN4xR+iA= +k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M= +k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM= +k8s.io/metrics v0.31.2 h1:sQhujR9m3HN/Nu/0fTfTscjnswQl0qkQAodEdGBS0N4= +k8s.io/metrics v0.31.2/go.mod h1:QqqyReApEWO1UEgXOSXiHCQod6yTxYctbAAQBWZkboU= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= 
From efe625d67eb9f6c0280200cf4910f5b5adfabdf1 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 1 Nov 2024 00:02:30 +0800 Subject: [PATCH 331/523] chore: remove dump (#4593) Signed-off-by: zirain --- test/e2e/tests/oidc-backendcluster.go | 7 +------ test/e2e/tests/oidc.go | 5 ----- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/test/e2e/tests/oidc-backendcluster.go b/test/e2e/tests/oidc-backendcluster.go index b2bcc93cecb..fec73d74313 100644 --- a/test/e2e/tests/oidc-backendcluster.go +++ b/test/e2e/tests/oidc-backendcluster.go @@ -18,7 +18,7 @@ func init() { ConformanceTests = append(ConformanceTests, OIDCBackendClusterTest) } -// OIDCTest tests OIDC authentication for an http route with OIDC configured. +// OIDCBackendClusterTest tests OIDC authentication for an http route with OIDC configured. // The http route points to an application to verify that OIDC authentication works on application/http path level. var OIDCBackendClusterTest = suite.ConformanceTest{ ShortName: "OIDC with BackendCluster", @@ -26,11 +26,6 @@ var OIDCBackendClusterTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - testOIDC(t, suite) }) }, diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index f03512c1e27..46f82f7ae09 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go 
@@ -48,11 +48,6 @@ var OIDCTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a URL", func(t *testing.T) { - // Add a function to dump current cluster status - t.Cleanup(func() { - CollectAndDump(t, suite.RestConfig) - }) - testOIDC(t, suite) }) From db6802736680a08a210b16085af5a7bf2f124127 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 31 Oct 2024 15:11:16 -0700 Subject: [PATCH 332/523] =?UTF-8?q?fix:=20trigger=20reconcile=20for=20Secr?= =?UTF-8?q?et=20updates=20referenced=20by=20a=20BackendTLSP=E2=80=A6=20(#4?= =?UTF-8?q?581)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fix: trigger reconcile for Secret updates referenced by a BackendTLSPolicy Signed-off-by: Arko Dasgupta --- internal/provider/kubernetes/indexers.go | 24 +++++++++++++++++++++- internal/provider/kubernetes/predicates.go | 22 ++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index ab3c098961e..031a2657a9c 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go @@ -40,6 +40,7 @@ const ( backendSecurityPolicyIndex = "backendSecurityPolicyIndex" configMapCtpIndex = "configMapCtpIndex" secretCtpIndex = "secretCtpIndex" + secretBtlsIndex = "secretBtlsIndex" configMapBtlsIndex = "configMapBtlsIndex" backendEnvoyExtensionPolicyIndex = "backendEnvoyExtensionPolicyIndex" backendEnvoyProxyTelemetryIndex = "backendEnvoyProxyTelemetryIndex" 
@@ -702,7 +703,7 @@ func configMapRouteFilterIndexFunc(rawObj client.Object) []string { return configMapReferences } -// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap objects that are +// addBtlsIndexers adds indexing on BackendTLSPolicy, for ConfigMap and Secret objects that are // referenced in BackendTLSPolicy objects. This helps in querying for BackendTLSPolicies that are // affected by a particular ConfigMap CRUD. func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { @@ -710,6 +711,9 @@ func addBtlsIndexers(ctx context.Context, mgr manager.Manager) error { return err } + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1a3.BackendTLSPolicy{}, secretBtlsIndex, secretBtlsIndexFunc); err != nil { + return err + } return nil } @@ -731,6 +735,24 @@ func configMapBtlsIndexFunc(rawObj client.Object) []string { return configMapReferences } +func secretBtlsIndexFunc(rawObj client.Object) []string { + btls := rawObj.(*gwapiv1a3.BackendTLSPolicy) + var secretReferences []string + if btls.Spec.Validation.CACertificateRefs != nil { + for _, caCertRef := range btls.Spec.Validation.CACertificateRefs { + if string(caCertRef.Kind) == resource.KindSecret { + secretReferences = append(secretReferences, + types.NamespacedName{ + Namespace: btls.Namespace, + Name: string(caCertRef.Name), + }.String(), + ) + } + } + } + return secretReferences +} + // addEnvoyExtensionPolicyIndexers adds indexing on EnvoyExtensionPolicy. // - For Service objects that are referenced in EnvoyExtensionPolicy objects via // `.spec.extProc.[*].service.backendObjectReference`. This helps in querying for diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index 916a58b2f77..d25ec2fb7d4 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go 
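Review bot: The doc comment on addBtlsIndexers now names Secret objects in its first sentence, but its last sentence still reads "affected by a particular ConfigMap CRUD", so it describes only half of what the function registers after this change. I would finish the update with `// affected by a particular ConfigMap or Secret CRUD.` The function body continues in the next hunk, where the Secret index is registered.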
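Review bot: secretBtlsIndexFunc treats a `CACertificateRefs` entry as a Secret on `Kind` alone, so a reference with kind `Secret` in a non-core group is indexed under the same key as a core Secret of that name, and updates to that Secret will trigger a reconcile for a policy that does not use it. Comparing the group as well keeps the index exact: `if caCertRef.Group == "" && string(caCertRef.Kind) == resource.KindSecret {`. Whether `"core"` must also be accepted depends on how the translator resolves these references, which is outside this hunk. The outer `if btls.Spec.Validation.CACertificateRefs != nil` can be dropped, since ranging over a nil slice is a no-op. A one-line doc comment saying that the function returns the namespaced names of the Secrets referenced as CA certificates would also help.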
@@ -172,6 +172,28 @@ func (r *gatewayAPIReconciler) validateSecretForReconcile(obj client.Object) boo } } + if r.bTLSPolicyCRDExists { + if r.isBackendTLSPolicyReferencingSecret(&nsName) { + return true + } + } + + return false +} + +func (r *gatewayAPIReconciler) isBackendTLSPolicyReferencingSecret(nsName *types.NamespacedName) bool { + btlsList := &gwapiv1a3.BackendTLSPolicyList{} + if err := r.client.List(context.Background(), btlsList, &client.ListOptions{ + FieldSelector: fields.OneTermEqualSelector(secretBtlsIndex, nsName.String()), + }); err != nil { + r.log.Error(err, "unable to find associated BackendTLSPolicy") + return false + } + + if len(btlsList.Items) > 0 { + return true + } + return false } From 6e2587decbd9cd3f73a55bc0337873fd1c9108d1 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 1 Nov 2024 11:45:37 +0800 Subject: [PATCH 333/523] chore: use net.JoinHostPort (#4599) * chore: use net.JoinHostPort Signed-off-by: zirain * more fix Signed-off-by: zirain * remove netutils.JoinHostPort Signed-off-by: zirain --------- Signed-off-by: zirain --- api/v1alpha1/envoygateway_helpers.go | 5 +++-- .../extension-server/cmd/extension-server/main.go | 3 +-- internal/extension/registry/extension_manager.go | 7 ++++--- internal/gatewayapi/securitypolicy.go | 11 ++++++----- internal/kubernetes/port_forwarder.go | 4 +++- internal/xds/bootstrap/bootstrap.go | 8 +++++--- test/e2e/tests/ratelimit.go | 3 +-- 7 files changed, 23 insertions(+), 18 deletions(-) diff --git a/api/v1alpha1/envoygateway_helpers.go b/api/v1alpha1/envoygateway_helpers.go index c61b43c82e1..68c451e68df 100644 --- a/api/v1alpha1/envoygateway_helpers.go +++ b/api/v1alpha1/envoygateway_helpers.go @@ -6,7 +6,8 @@ package v1alpha1 import ( - "fmt" + "net" + "strconv" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" 
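Review bot: In isBackendTLSPolicyReferencingSecret a failed `r.client.List` is logged and then reported as "not referenced", so the Secret event is dropped and a rotated CA bundle may not reach the proxy until some other event triggers a reconcile. If the other predicates in this file make the same choice (they are outside the hunk), a short comment stating that the event is deliberately skipped on list failure is enough. Otherwise, returning true on error is the safer direction for certificate material. The error log would be easier to act on with the Secret's namespaced name attached. The tail of the function reduces to `return len(btlsList.Items) > 0`.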
@@ -80,7 +81,7 @@ func (e *EnvoyGateway) GetEnvoyGatewayAdmin() *EnvoyGatewayAdmin { func (e *EnvoyGateway) GetEnvoyGatewayAdminAddress() string { address := e.GetEnvoyGatewayAdmin().Address if address != nil { - return fmt.Sprintf("%s:%d", address.Host, address.Port) + return net.JoinHostPort(address.Host, strconv.Itoa(address.Port)) } return "" diff --git a/examples/extension-server/cmd/extension-server/main.go b/examples/extension-server/cmd/extension-server/main.go index 4a6b0474621..41a9018adc0 100644 --- a/examples/extension-server/cmd/extension-server/main.go +++ b/examples/extension-server/cmd/extension-server/main.go @@ -6,7 +6,6 @@ package main import ( - "fmt" "log/slog" "net" "os" @@ -82,7 +81,7 @@ func startExtensionServer(cCtx *cli.Context) error { logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ Level: level, })) - address := fmt.Sprintf("%s:%d", cCtx.String("host"), cCtx.Int("port")) + address := net.JoinHostPort(cCtx.String("host"), cCtx.String("port")) logger.Info("Starting the extension server", slog.String("host", address)) lis, err := net.Listen("tcp", address) if err != nil { diff --git a/internal/extension/registry/extension_manager.go b/internal/extension/registry/extension_manager.go index 918c9a7c018..cf4b86d3d08 100644 --- a/internal/extension/registry/extension_manager.go +++ b/internal/extension/registry/extension_manager.go @@ -11,6 +11,7 @@ import ( "errors" "fmt" "net" + "strconv" "google.golang.org/grpc" "google.golang.org/grpc/credentials" 
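Review bot: In startExtensionServer the port is now read with `cCtx.String("port")` where the old code used `cCtx.Int("port")`, which bypasses the typed accessor and makes this the one call site in the commit that does not convert through `strconv.Itoa`. The flag declaration is outside the hunk. If `port` is declared as an integer flag, `address := net.JoinHostPort(cCtx.String("host"), strconv.Itoa(cCtx.Int("port")))` keeps the type contract explicit and matches the other files. That needs `"strconv"` added to the import block that the first hunk of this file edits.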
@@ -123,13 +124,13 @@ func getExtensionServerAddress(service *egv1a1.ExtensionService) string { var serverAddr string switch { case service.FQDN != nil: - serverAddr = fmt.Sprintf("%s:%d", service.FQDN.Hostname, service.FQDN.Port) + serverAddr = net.JoinHostPort(service.FQDN.Hostname, strconv.Itoa(int(service.FQDN.Port))) case service.IP != nil: - serverAddr = fmt.Sprintf("%s:%d", service.IP.Address, service.IP.Port) + serverAddr = net.JoinHostPort(service.IP.Address, strconv.Itoa(int(service.IP.Port))) case service.Unix != nil: serverAddr = fmt.Sprintf("unix://%s", service.Unix.Path) case service.Host != "": - serverAddr = fmt.Sprintf("%s:%d", service.Host, service.Port) + serverAddr = net.JoinHostPort(service.Host, strconv.Itoa(int(service.Port))) } return serverAddr } diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 302d5054507..3c2d2af31ed 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -9,6 +9,7 @@ import ( "encoding/json" "errors" "fmt" + "net" "net/http" "net/netip" "net/url" @@ -921,16 +922,16 @@ func backendRefAuthority(resources *resource.Resources, backendRef *gwapiv1.Back // TODO: exists multi FQDN endpoints? for _, ep := range backend.Spec.Endpoints { if ep.FQDN != nil { - return fmt.Sprintf("%s:%d", ep.FQDN.Hostname, ep.FQDN.Port) + return net.JoinHostPort(ep.FQDN.Hostname, strconv.Itoa(int(ep.FQDN.Port))) } } } } - return fmt.Sprintf("%s.%s:%d", - backendRef.Name, - backendNamespace, - *backendRef.Port) + return net.JoinHostPort( + fmt.Sprintf("%s.%s", backendRef.Name, backendNamespace), + strconv.Itoa(int(*backendRef.Port)), + ) } func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Authorization, error) { diff --git a/internal/kubernetes/port_forwarder.go b/internal/kubernetes/port_forwarder.go index 176610dab3e..8e88b9c0212 100644 --- a/internal/kubernetes/port_forwarder.go +++ b/internal/kubernetes/port_forwarder.go 
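Review bot: The fallback return in `backendRefAuthority` dereferences `*backendRef.Port` with no nil check in the visible lines, and the rewrite to `strconv.Itoa(int(*backendRef.Port))` keeps that dereference. If a backendRef can reach this point without a port, the controller would panic while translating the SecurityPolicy instead of reporting an invalid reference. The function starts outside the hunk, so an earlier validation may already exclude this case. If it does, record that next to the dereference with `// Port is non-nil here: validated before backendRefAuthority is called`; if it does not, guard it with `if backendRef.Port == nil` and return an empty authority.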
@@ -8,8 +8,10 @@ package kubernetes import ( "fmt" "io" + "net" "net/http" "os" + "strconv" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/rest" @@ -134,5 +136,5 @@ func (f *localForwarder) WaitForStop() { } func (f *localForwarder) Address() string { - return fmt.Sprintf("%s:%d", netutil.DefaultLocalAddress, f.localPort) + return net.JoinHostPort(netutil.DefaultLocalAddress, strconv.Itoa(f.localPort)) } diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 0efad8c314f..e8aab4d836a 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -9,13 +9,15 @@ import ( // Register embed _ "embed" "fmt" + "net" + "strconv" "strings" "text/template" "k8s.io/apimachinery/pkg/util/sets" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" - "github.com/envoyproxy/gateway/internal/utils/net" + netutils "github.com/envoyproxy/gateway/internal/utils/net" "github.com/envoyproxy/gateway/internal/utils/regex" ) @@ -199,9 +201,9 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err host, port = *sink.OpenTelemetry.Host, uint32(sink.OpenTelemetry.Port) } if len(sink.OpenTelemetry.BackendRefs) > 0 { - host, port = net.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") + host, port = netutils.BackendHostAndPort(sink.OpenTelemetry.BackendRefs[0].BackendObjectReference, "") } - addr := fmt.Sprintf("%s:%d", host, port) + addr := net.JoinHostPort(host, strconv.Itoa(int(port))) if addresses.Has(addr) { continue } diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index d1e18f74b92..17ce6d245cf 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -9,7 +9,6 @@ package tests import ( "context" - "fmt" "net" "testing" "time" 
@@ -495,7 +494,7 @@ var RateLimitMultipleListenersTest = suite.ConformanceTest{ gwPorts := []string{"80", "8080"} for _, port := range gwPorts { - gwAddr = fmt.Sprintf("%s:%s", gwIP, port) + gwAddr = net.JoinHostPort(gwIP, port) ratelimitHeader := make(map[string]string) expectOkResp := http.ExpectedResponse{ From d42915a7b7d12b7170232694845581a9fd48e7dd Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 1 Nov 2024 12:50:30 +0800 Subject: [PATCH 334/523] fix keycloak ipv6 issue (#4601) --- test/e2e/testdata/oidc-keycloak.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml index 5e7eca54013..8921b9eb204 100644 --- a/test/e2e/testdata/oidc-keycloak.yaml +++ b/test/e2e/testdata/oidc-keycloak.yaml @@ -43,7 +43,7 @@ spec: serviceAccountName: keycloak containers: - name: keycloak - image: quay.io/keycloak/keycloak:23.0.6 + image: quay.io/keycloak/keycloak:26.0.4 imagePullPolicy: IfNotPresent args: - "start-dev" From 7285dda6ba2727d10423887dc2262bad2711f80b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 1 Nov 2024 14:45:00 +0800 Subject: [PATCH 335/523] fix: Route with multiple parents has incorrect namespace in parentRef status (#4592) fix route status wrong ns 
Signed-off-by: Huabing Zhao --- internal/gatewayapi/contexts.go | 52 +++- ...ultiple-gateways-from-different-ns.in.yaml | 55 ++++ ...ltiple-gateways-from-different-ns.out.yaml | 249 ++++++++++++++++++ ...ith-multiple-gateways-from-same-ns.in.yaml | 54 ++++ ...th-multiple-gateways-from-same-ns.out.yaml | 247 +++++++++++++++++ release-notes/current.yaml | 1 + 6 files changed, 646 insertions(+), 12 deletions(-) create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml diff --git a/internal/gatewayapi/contexts.go b/internal/gatewayapi/contexts.go index fbd4c588f9b..7bcf321d3a2 100644 --- a/internal/gatewayapi/contexts.go +++ b/internal/gatewayapi/contexts.go 
@@ -238,21 +238,26 @@ func GetRouteStatus(route RouteContext) *gwapiv1.RouteStatus { return &rs } -// GetRouteParentContext returns RouteParentContext by using the Route -// objects' ParentReference. +// GetRouteParentContext returns RouteParentContext by using the Route objects' ParentReference. +// It creates a new RouteParentContext and add a new RouteParentStatus to the Route's Status if the ParentReference is not found. func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentReference) *RouteParentContext { rv := reflect.ValueOf(route).Elem() pr := rv.FieldByName("ParentRefs") + + // If the ParentRefs field is nil, initialize it. if pr.IsNil() { mm := reflect.MakeMap(reflect.TypeOf(map[gwapiv1.ParentReference]*RouteParentContext{})) pr.Set(mm) } + // If the RouteParentContext is already in the RouteContext, return it. if p := pr.MapIndex(reflect.ValueOf(forParentRef)); p.IsValid() && !p.IsZero() { ctx := p.Interface().(*RouteParentContext) return ctx } + // Verify that the ParentReference is present in the Route.Spec.ParentRefs. + // This is just a sanity check, the parentRef should always be present, otherwise it's a programming error. var parentRef *gwapiv1.ParentReference specParentRefs := rv.FieldByName("Spec").FieldByName("ParentRefs") for i := 0; i < specParentRefs.Len(); i++ { 
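Review bot: The new doc comment on `GetRouteParentContext` does not mention that the function panics. The added inline comment calls the Spec.ParentRefs lookup "a sanity check" for a programming error, and the `panic("parentRef not found")` that backs it is visible at the top of the next hunk. A caller reading only the doc comment cannot tell that an unknown `forParentRef` aborts the process, so add `// It panics if forParentRef is not listed in the Route's Spec.ParentRefs.` In the same comment, "and add a new RouteParentStatus" should read "and adds a new RouteParentStatus". The function body continues past the end of this hunk.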
@@ -266,25 +271,19 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere panic("parentRef not found") } + // Find the parent in the Route's Status. routeParentStatusIdx := -1 - defaultNamespace := gwapiv1.Namespace(metav1.NamespaceDefault) statusParents := rv.FieldByName("Status").FieldByName("Parents") + for i := 0; i < statusParents.Len(); i++ { p := statusParents.Index(i).FieldByName("ParentRef").Interface().(gwapiv1.ParentReference) - // For those non-v1 routes, their underlying type of `ParentReference` is v1 as well. - // So we can skip upgrading these routes for simplicity. - if forParentRef.Namespace == nil { - forParentRef.Namespace = &defaultNamespace - } - if p.Namespace == nil { - p.Namespace = &defaultNamespace - } - if reflect.DeepEqual(p, forParentRef) { + if isParentRefEqual(p, *parentRef, route.GetNamespace()) { routeParentStatusIdx = i break } } + // If the parent is not found in the Route's Status, create a new RouteParentStatus and add it to the Route's Status. if routeParentStatusIdx == -1 { rParentStatus := gwapiv1a2.RouteParentStatus{ ControllerName: gwapiv1a2.GatewayController(rv.FieldByName("GatewayControllerName").String()), @@ -294,6 +293,7 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere routeParentStatusIdx = statusParents.Len() - 1 } + // Also add the RouteParentContext to the RouteContext. ctx := &RouteParentContext{ ParentReference: parentRef, routeParentStatusIdx: routeParentStatusIdx, 
@@ -304,6 +304,34 @@ func GetRouteParentContext(route RouteContext, forParentRef gwapiv1.ParentRefere return ctx } +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + // RouteParentContext wraps a ParentReference and provides helper methods for // setting conditions and other status information on the associated // HTTPRoute, TLSRoute etc. diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml new file mode 100644 index 00000000000..12aa992ef44 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.in.yaml 
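Review bot: `isParentRefEqual` is added without a doc comment, although its defaulting rules are the substance of the fix. Suggested: `// isParentRefEqual reports whether ref1 and ref2 identify the same parent after a nil Group, Kind or Namespace is defaulted; Namespace defaults to routeNS.` Only those three fields are normalised; `SectionName` and `Port` go to `reflect.DeepEqual` unchanged, which is worth saying in the comment so the next reader does not assume they are defaulted too. The commit covers the behaviour only through the two golden-file cases, so a small table-driven test for this helper (nil and explicit namespace, nil and explicit group and kind) would pin the rules directly.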
@@ -0,0 +1,55 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-a + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.a.example.com' + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.b.example.com' + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml new file mode 100644 index 00000000000..ba2f58b8667 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml 
@@ -0,0 +1,249 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + 
kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + namespace: default + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + default/gateway-a: + proxy: + listeners: + - address: null + name: default/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + gateway.envoyproxy.io/owning-gateway-namespace: 
envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + default/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: default + sectionName: default + name: default/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml new file mode 100644 index 00000000000..6c9aa71d29c --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.in.yaml 
@@ -0,0 +1,54 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-a + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.a.example.com' + allowedRoutes: + namespaces: + from: All + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: default + port: 80 + protocol: HTTP + hostname: '*.b.example.com' + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml new file mode 100644 index 00000000000..4e6bef64b9e --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml 
@@ -0,0 +1,247 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-a + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.a.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-b + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.b.example.com' + name: default + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 1 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: default + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: 
gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: targeted-route + namespace: envoy-gateway + spec: + hostnames: + - targeted.a.example.com + - targeted.b.example.com + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b + rules: + - matches: + - method: GET + path: + type: PathPrefix + value: /toy + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-a + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-b +infraIR: + envoy-gateway/gateway-a: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-a/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-a + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-a + envoy-gateway/gateway-b: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-b/default + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-b + 
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-b +xdsIR: + envoy-gateway/gateway-a: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.a.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-a + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-a/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.a.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_a_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy + envoy-gateway/gateway-b: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.b.example.com' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-b + namespace: envoy-gateway + sectionName: default + name: envoy-gateway/gateway-b/default + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - directResponse: + statusCode: 500 + headerMatches: + - distinct: false + exact: GET + name: :method + hostname: targeted.b.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: targeted-route + namespace: envoy-gateway + name: httproute/envoy-gateway/targeted-route/rule/0/match/0/targeted_b_example_com + pathMatch: + distinct: false + name: "" + prefix: /toy diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 1268ce35b0f..b2d9b889bed 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -16,6 +16,7 @@ new features: | bug fixes: | Only log endpoint configuration in verbose logging mode (`-v 4` or higher) The xDS translation failed when wasm http code source configured without a sha + Route with multiple parents has incorrect namespace in parentRef status # Enhancements that improve performance. performance improvements: | From b51c66a75260571b5fc69e90e604a46906f1373b Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 1 Nov 2024 09:38:13 -0700 Subject: [PATCH 336/523] add envoy-gateway binary to release artifacts (#4588) Fixes: https://github.com/envoyproxy/gateway/issues/4566 Signed-off-by: Arko Dasgupta --- .github/workflows/latest_release.yaml | 14 +++++++++----- .github/workflows/release.yaml | 14 +++++++++----- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 4ce04c21efd..13f1895ddc8 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml 
@@ -72,11 +72,15 @@ jobs: - name: Build egctl latest multiarch binaries run: | - make build-multiarch BINS="egctl" - tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/ - tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/ - tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/ - tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/ + make build-multiarch + tar -zcvf envoy-gateway_latest_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_latest_darwin_arm64.tar.gz bin/darwin/arm64/egctl # Ignore the error when we delete the latest release, it might not exist. diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0f021c7e15c..f1d45bddfe4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
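Review bot: Three of the four new envoy-gateway archives in this step drop the `latest` segment. `envoy-gateway_latest_linux_amd64.tar.gz` is followed by `envoy-gateway_linux_arm64.tar.gz`, `envoy-gateway_darwin_amd64.tar.gz` and `envoy-gateway_darwin_arm64.tar.gz`, while every egctl archive keeps the `egctl_latest_<os>_<arch>` form. The upload step is outside the hunk, so it cannot be checked here whether its file list or glob picks up the short names; renaming them to `envoy-gateway_latest_linux_arm64.tar.gz` and so on removes the risk of an artifact being left out of the release unnoticed. The step is also still named `Build egctl latest multiarch binaries` although it now packages both binaries, and the `release.yaml` hunk keeps the same stale step name.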
@@ -82,11 +82,15 @@ jobs: - name: Build egctl multiarch binaries run: | - make build-multiarch BINS="egctl" - tar -zcvf egctl_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/ - tar -zcvf egctl_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/ - tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/ - tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/ + make build-multiarch + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf egctl_${{ env.release_tag }}_linux_amd64.tar.gz bin/linux/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_linux_arm64.tar.gz bin/linux/arm64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_amd64.tar.gz bin/darwin/amd64/egctl + tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl - name: Upload Release Manifests uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 From a88e6eba5e7e360c7c14bdbfaa4d56aee2003188 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Fri, 1 Nov 2024 15:57:32 -0500 Subject: [PATCH 337/523] [release/v1.1] release v1.1.3 (#4600) * release: v1.1.3 Signed-off-by: Guy Daich * remove gw-api, fix style Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- release-notes/v1.1.3.yaml | 28 +++++++++++++++++ site/content/en/news/releases/notes/v1.1.3.md | 31 +++++++++++++++++++ site/layouts/shortcodes/helm-version.html | 4 +-- site/layouts/shortcodes/yaml-version.html | 4 +-- 4 files changed, 63 insertions(+), 4 deletions(-) create mode 100644 release-notes/v1.1.3.yaml create mode 100644 site/content/en/news/releases/notes/v1.1.3.md 
diff --git a/release-notes/v1.1.3.yaml b/release-notes/v1.1.3.yaml new file mode 100644 index 00000000000..7e2f9070888 --- /dev/null +++ b/release-notes/v1.1.3.yaml @@ -0,0 +1,28 @@ +date: November 1, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + +# New features or capabilities added in this release. +new features: | + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed unsupported listener protocol type causing an error while updating Gateway Status + Fixed some status updates were being discarded by the status updater + Fixed error level logging for admin and metrics modules + Fixed Dashboard typos + Fixed Ratelimit Deployment ignoring pod labels and annotation merge + Fixed the API Server receives unnecessary requests + Fixed set invalid Listener.SupportedKinds to empty list + Fixed losing timeout settings that originate from the route when translating the backend traffic policy + Fixed xds translation failure when wasm http code source configured without sha + +# Enhancements that improve performance. +performance improvements: | + +# Other notable changes not covered by the above sections. +Other changes: | + Bumped Envoy proxy to 1.31.3 + Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/content/en/news/releases/notes/v1.1.3.md b/site/content/en/news/releases/notes/v1.1.3.md new file mode 100644 index 00000000000..97128c1cc6c --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.3.md 
@@ -0,0 +1,31 @@ +--- +title: "v1.1.3" +publishdate: 2024-11-01 +--- + +Date: November 1, 2024 + +## Breaking changes +- + +## New features +- + +## Bug fixes +- Fixed unsupported listener protocol type causing an error while updating Gateway Status +- Fixed some status updates were being discarded by the status updater +- Fixed error level logging for admin and metrics modules +- Fixed Dashboard typos +- Fixed Ratelimit Deployment ignoring pod labels and annotation merge +- Fixed the API Server receives unnecessary requests +- Fixed set invalid Listener.SupportedKinds to empty list +- Fixed losing timeout settings that originate from the route when translating the backend traffic policy +- Fixed xds translation failure when wasm http code source configured without sha + +## Performance improvements +- + +## Other changes +- Bumped Envoy proxy to 1.31.3 +- Bumped github.com/docker/docker to 27.3.1+incompatible + diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 704c3dfde80..0bdf6092027 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -3,8 +3,8 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index eced902814a..fd96ac1799e 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,8 +3,8 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.2" -}} +{{- "v1.1.3" -}} {{- end -}} From ee33b284565e2cc0c08a0d4bcf82ea302814f957 Mon Sep 17 00:00:00 2001 
From: zirain Date: Sat, 2 Nov 2024 09:26:33 +0800 Subject: [PATCH 338/523] chore: donot use space in short name (#4608) Signed-off-by: zirain --- test/e2e/tests/authorization_client_ip.go | 2 +- test/e2e/tests/authorization_default_action.go | 2 +- test/e2e/tests/authorization_jwt.go | 2 +- test/e2e/tests/backend_tls_settings.go | 2 +- test/e2e/tests/gateway_infra_resource.go | 2 +- test/e2e/tests/gatewayt-with-envoyproxy.go | 2 +- test/e2e/tests/wasm_http.go | 2 +- test/e2e/tests/wasm_oci.go | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/e2e/tests/authorization_client_ip.go b/test/e2e/tests/authorization_client_ip.go index 8887c46b1a0..698a4d73a6a 100644 --- a/test/e2e/tests/authorization_client_ip.go +++ b/test/e2e/tests/authorization_client_ip.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationClientIPTest = suite.ConformanceTest{ - ShortName: "Authorization with client IP", + ShortName: "AuthzWithClientIP", Description: "Authorization with client IP Allow/Deny list", Manifests: []string{"testdata/authorization-client-ip.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_default_action.go b/test/e2e/tests/authorization_default_action.go index 88462808dd9..81345fa3ee9 100644 --- a/test/e2e/tests/authorization_default_action.go +++ b/test/e2e/tests/authorization_default_action.go @@ -26,7 +26,7 @@ func init() { } var AuthorizationDefaultActionTest = suite.ConformanceTest{ - ShortName: "Authorization with default actions", + ShortName: "AuthzWithDefaultActions", Description: "Authorization with default actions", Manifests: []string{"testdata/authorization-default-action.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/authorization_jwt.go b/test/e2e/tests/authorization_jwt.go index 66f5a526a2d..635bdbc451c 100644 --- a/test/e2e/tests/authorization_jwt.go +++ b/test/e2e/tests/authorization_jwt.go 
@@ -59,7 +59,7 @@ func init() { } var AuthorizationJWTTest = suite.ConformanceTest{ - ShortName: "Authorization with jwt claims and scopes", + ShortName: "AuthzWithJWTClaimsScopes", Description: "Authorization with jwt claims and scopes", Manifests: []string{"testdata/authorization-jwt.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/backend_tls_settings.go b/test/e2e/tests/backend_tls_settings.go index e007a791fdd..6545be196da 100644 --- a/test/e2e/tests/backend_tls_settings.go +++ b/test/e2e/tests/backend_tls_settings.go @@ -46,7 +46,7 @@ func init() { } var BackendTLSSettingsTest = suite.ConformanceTest{ - ShortName: "Backend tls settings", + ShortName: "BackendTLSSettings", Description: "Use envoy proxy tls settings with backend", Manifests: []string{"testdata/backend-tls-settings.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/gateway_infra_resource.go b/test/e2e/tests/gateway_infra_resource.go index 213b6de1238..0a92f9d311e 100644 --- a/test/e2e/tests/gateway_infra_resource.go +++ b/test/e2e/tests/gateway_infra_resource.go @@ -27,7 +27,7 @@ func init() { } var GatewayInfraResourceTest = suite.ConformanceTest{ - ShortName: "GatewayInfraResourceTest", + ShortName: "GatewayInfraResource", Description: "Gateway Infra Resource E2E Test", Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { gatewayTypeMeta := metav1.TypeMeta{ diff --git a/test/e2e/tests/gatewayt-with-envoyproxy.go b/test/e2e/tests/gatewayt-with-envoyproxy.go index 0ea33a52bd5..ec9f7252a5e 100644 --- a/test/e2e/tests/gatewayt-with-envoyproxy.go +++ b/test/e2e/tests/gatewayt-with-envoyproxy.go 
@@ -24,7 +24,7 @@ func init() { } var GatewayWithEnvoyProxy = suite.ConformanceTest{ - ShortName: "Gateway with EnvoyProxy", + ShortName: "GatewayWithEnvoyProxy", Description: "Attach an EnvoyProxy to a Gateway", Manifests: []string{"testdata/gateway-with-envoyproxy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/wasm_http.go b/test/e2e/tests/wasm_http.go index 7f7da0c833b..824e9b3d2f4 100644 --- a/test/e2e/tests/wasm_http.go +++ b/test/e2e/tests/wasm_http.go @@ -27,7 +27,7 @@ func init() { // HTTPWasmTest tests Wasm extension for an http route with HTTP Wasm configured. var HTTPWasmTest = suite.ConformanceTest{ - ShortName: "Wasm HTTP Code Source", + ShortName: "WasmHTTPCodeSource", Description: "Test Wasm extension that adds response headers", Manifests: []string{"testdata/wasm-http.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 4a6a53f6603..00abdc9ca1f 100644 --- a/test/e2e/tests/wasm_oci.go +++ b/test/e2e/tests/wasm_oci.go @@ -60,7 +60,7 @@ func init() { // OCIWasmTest tests Wasm extension for an http route with OCI Wasm configured. var OCIWasmTest = suite.ConformanceTest{ - ShortName: "Wasm OCI Image Code Source", + ShortName: "WasmOCIImageCodeSource", Description: "Test OCI Wasm extension", Manifests: []string{"testdata/wasm-oci.yaml", "testdata/wasm-oci-registry-test-server.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { From 656ce52fad7ca98c0b4e200773e583f82f5476ad Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Sun, 3 Nov 2024 14:50:15 -0800 Subject: [PATCH 339/523] Move v1.1 docs tag to v1.1.2 (#4615) Wait until v1.1.3 tag is ready Fixes: https://github.com/envoyproxy/gateway/issues/4614 Signed-off-by: Arko Dasgupta --- site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 0bdf6092027..704c3dfde80 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -3,8 +3,8 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.3" -}} +{{- "v1.1.2" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index fd96ac1799e..eced902814a 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,8 +3,8 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.3" -}} +{{- "v1.1.2" -}} {{- end -}} From 04ac7b404d4f0e7bd462e68d8f888a169be3feda Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 4 Nov 2024 09:28:46 +0800 Subject: [PATCH 340/523] fix: HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses (#4587) * fix route status Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * update unit test Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- internal/gatewayapi/helpers.go | 1 + internal/provider/kubernetes/status.go | 74 ++++- internal/provider/kubernetes/status_test.go | 294 ++++++++++++++++++++ release-notes/current.yaml | 1 + 4 files changed, 359 insertions(+), 11 deletions(-) create mode 100644 internal/provider/kubernetes/status_test.go diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 1c1ecee7672..366a24b827e 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go 
@@ -86,6 +86,7 @@ var ( QueryParamMatchTypeDerefOr = ptr.Deref[gwapiv1.QueryParamMatchType] ) +// Deprecated: use k8s.io/utils/ptr ptr.Deref instead func NamespaceDerefOr(namespace *gwapiv1.Namespace, defaultNamespace string) string { if namespace != nil && *namespace != "" { return string(*namespace) diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index c3d5553b0bf..a59eb82f75a 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -8,6 +8,7 @@ package kubernetes import ( "context" "fmt" + "reflect" kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -18,6 +19,7 @@ import ( gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/gatewayapi/status" "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/utils" @@ -74,7 +76,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents + hCopy.Status.Parents = mergeRouteParentStatus(h.Namespace, h.Status.Parents, val.Parents) return hCopy }), }) @@ -97,15 +99,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1.GRPCRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - h, ok := obj.(*gwapiv1.GRPCRoute) + g, ok := obj.(*gwapiv1.GRPCRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - hCopy := h.DeepCopy() - hCopy.Status.Parents = val.Parents - return hCopy + gCopy := g.DeepCopy() + gCopy.Status.Parents = mergeRouteParentStatus(g.Namespace, g.Status.Parents, val.Parents) + return gCopy }), }) }, 
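Review bot: The deprecation notice on `NamespaceDerefOr` points at `ptr.Deref`, but the two are not equivalent. The body shown here also falls back to `defaultNamespace` when `*namespace` is the empty string, while `ptr.Deref` substitutes the default only for a nil pointer, so a caller that migrates mechanically can end up with an empty namespace. The comment should say so and, by Go convention, open with the function name and put the deprecation in its own paragraph: `// NamespaceDerefOr returns the namespace, or defaultNamespace when it is nil or empty.` followed by `// Deprecated: use ptr.Deref where an empty namespace does not need defaulting.` The function body continues outside the hunk.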
@@ -136,7 +138,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) @@ -168,7 +170,7 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext panic(err) } tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents + tCopy.Status.Parents = mergeRouteParentStatus(t.Namespace, t.Status.Parents, val.Parents) return tCopy }), }) @@ -193,15 +195,15 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext NamespacedName: key, Resource: new(gwapiv1a2.UDPRoute), Mutator: MutatorFunc(func(obj client.Object) client.Object { - t, ok := obj.(*gwapiv1a2.UDPRoute) + u, ok := obj.(*gwapiv1a2.UDPRoute) if !ok { err := fmt.Errorf("unsupported object type %T", obj) errChan <- err panic(err) } - tCopy := t.DeepCopy() - tCopy.Status.Parents = val.Parents - return tCopy + uCopy := u.DeepCopy() + uCopy.Status.Parents = mergeRouteParentStatus(u.Namespace, u.Status.Parents, val.Parents) + return uCopy }), }) }, 
@@ -469,6 +471,56 @@ func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, ext } } +// mergeRouteParentStatus merges the old and new RouteParentStatus. +// This is needed because the RouteParentStatus doesn't support strategic merge patch yet. +func mergeRouteParentStatus(ns string, old, new []gwapiv1.RouteParentStatus) []gwapiv1.RouteParentStatus { + merged := make([]gwapiv1.RouteParentStatus, len(old)) + _ = copy(merged, old) + for _, parent := range new { + found := -1 + for i, existing := range old { + if isParentRefEqual(parent.ParentRef, existing.ParentRef, ns) { + found = i + break + } + } + if found >= 0 { + merged[found] = parent + } else { + merged = append(merged, parent) + } + } + return merged +} + +func isParentRefEqual(ref1, ref2 gwapiv1.ParentReference, routeNS string) bool { + defaultGroup := (*gwapiv1.Group)(&gwapiv1.GroupVersion.Group) + if ref1.Group == nil { + ref1.Group = defaultGroup + } + if ref2.Group == nil { + ref2.Group = defaultGroup + } + + defaultKind := gwapiv1.Kind(resource.KindGateway) + if ref1.Kind == nil { + ref1.Kind = &defaultKind + } + if ref2.Kind == nil { + ref2.Kind = &defaultKind + } + + // If the parent's namespace is not set, default to the namespace of the Route. + defaultNS := gwapiv1.Namespace(routeNS) + if ref1.Namespace == nil { + ref1.Namespace = &defaultNS + } + if ref2.Namespace == nil { + ref2.Namespace = &defaultNS + } + return reflect.DeepEqual(ref1, ref2) +} + func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw *gwapiv1.Gateway) { // nil check for unit tests. if r.statusUpdater == nil { diff --git a/internal/provider/kubernetes/status_test.go b/internal/provider/kubernetes/status_test.go new file mode 100644 index 00000000000..5e81c46135e --- /dev/null +++ b/internal/provider/kubernetes/status_test.go 
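Review bot: `mergeRouteParentStatus` only ever replaces or appends, so an entry this controller wrote for a parent the route no longer references is copied from `old` and stays in `status.parents` indefinitely. The inner loop also matches on `ParentRef` alone, so an entry with the same parent ref written under a different `ControllerName` would be overwritten. Tightening the condition to `if existing.ControllerName == parent.ControllerName && isParentRefEqual(parent.ParentRef, existing.ParentRef, ns) {` avoids that. Dropping stale entries would additionally need this controller's name passed in, because `new` can be empty, so that `old` can be filtered to other controllers' entries before merging. `isParentRefEqual` has no doc comment; one line stating that nil `Group`, `Kind` and `Namespace` are defaulted on by-value copies before comparison would help.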
@@ -0,0 +1,294 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "reflect" + "testing" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) + +func Test_mergeRouteParentStatus(t *testing.T) { + type args struct { + old []gwapiv1.RouteParentStatus + new []gwapiv1.RouteParentStatus + } + tests := []struct { + name string + args args + want []gwapiv1.RouteParentStatus + }{ + { + name: "merge old and new", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + SectionName: ptr.To[gwapiv1.SectionName]("listener1"), + Port: ptr.To[gwapiv1.PortNumber](80), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + 
Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "override an existing parent", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + Namespace: ptr.To[gwapiv1.Namespace]("default"), + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + 
{ + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + + { + name: "nothing changed", + args: args{ + old: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + new: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + want: []gwapiv1.RouteParentStatus{ + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway1", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionTrue, + Reason: "Accepted", + }, + { + Type: 
string(gwapiv1.RouteConditionResolvedRefs), + Status: metav1.ConditionTrue, + Reason: "ResolvedRefs", + }, + }, + }, + { + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + ParentRef: gwapiv1.ParentReference{ + Name: "gateway2", + }, + Conditions: []metav1.Condition{ + { + Type: string(gwapiv1.RouteConditionAccepted), + Status: metav1.ConditionFalse, + Reason: "SomeReason", + }, + }, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := mergeRouteParentStatus("default", tt.args.old, tt.args.new); !reflect.DeepEqual(got, tt.want) { + t.Errorf("mergeRouteParentStatus() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/release-notes/current.yaml b/release-notes/current.yaml index b2d9b889bed..3b54de7121e 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -16,6 +16,7 @@ new features: | bug fixes: | Only log endpoint configuration in verbose logging mode (`-v 4` or higher) The xDS translation failed when wasm http code source configured without a sha + HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses Route with multiple parents has incorrect namespace in parentRef status # Enhancements that improve performance. From f384a64f4d2d6f0fbee9c698fd4b32cd71a64108 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Sun, 3 Nov 2024 20:20:50 -0800 Subject: [PATCH 341/523] direct response docs and tests (#4583) * tests: direct response Signed-off-by: Arko Dasgupta * unit tests Signed-off-by: Arko Dasgupta * fix ns Signed-off-by: Arko Dasgupta * docs for direct response Signed-off-by: Arko Dasgupta * negative tests 
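Review bot: The table in `Test_mergeRouteParentStatus` has no case where two parent refs share a `Name` but must not match, such as a different `Namespace`, `SectionName` or `Port`, so a change that made `isParentRefEqual` too permissive would still pass. Every case also uses the same `ControllerName`, so a merge across controllers is untested. On failure, `t.Errorf("mergeRouteParentStatus() = %v, want %v", got, tt.want)` prints pointer addresses for the optional `ParentReference` fields. Comparing with whatever diff helper the repository's other tests use (not visible in this hunk) would make a mismatch readable.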
Signed-off-by: Arko Dasgupta --- internal/gatewayapi/route.go | 2 +- .../httproute-with-direct-response.in.yaml | 119 ++++++++ .../httproute-with-direct-response.out.yaml | 208 +++++++++++++ .../latest/tasks/traffic/direct-response.md | 284 ++++++++++++++++++ test/e2e/testdata/direct-response.yaml | 64 ++++ test/e2e/tests/direct-response.go | 38 +++ test/e2e/tests/response-override.go | 58 ++-- 7 files changed, 749 insertions(+), 24 deletions(-) create mode 100644 internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml create mode 100644 internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml create mode 100644 site/content/en/latest/tasks/traffic/direct-response.md create mode 100644 test/e2e/testdata/direct-response.yaml create mode 100644 test/e2e/tests/direct-response.go diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 648aebaeb5c..e51947411d8 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go @@ -237,7 +237,7 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe // If the route has no valid backends then just use a direct response and don't fuss with weighted responses for _, ruleRoute := range ruleRoutes { noValidBackends := ruleRoute.Destination == nil || ruleRoute.Destination.ToBackendWeights().Valid == 0 - if noValidBackends && ruleRoute.Redirect == nil { + if ruleRoute.DirectResponse == nil && noValidBackends && ruleRoute.Redirect == nil { ruleRoute.DirectResponse = &ir.CustomResponse{ StatusCode: ptr.To(uint32(500)), } diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml new file mode 100644 index 00000000000..bd9a316227e --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.in.yaml 
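Review bot: The comment above this loop still reads `If the route has no valid backends then just use a direct response...`, but the condition now also skips rules that already carry a `DirectResponse`. Update it to state the actual rule, for example `// Fall back to a 500 direct response only when the rule has no valid backend, no redirect and no direct response of its own.` The loop and the enclosing `processHTTPRouteRules` extend beyond the hunk.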
@@ -0,0 +1,119 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.envoyproxy.io" + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /inline + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + - matches: + - path: + type: PathPrefix + value: /value-ref + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - matches: + - path: + type: PathPrefix + value: /value-ref-not-found + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found +configMaps: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: value-ref-response + namespace: default + data: + response.body: '{"error": "Internal Server Error"}' +httpFilters: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-inline + namespace: default + spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "OK" +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref-not-exit + namespace: default + spec: + directResponse: + contentType: 
application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-does-not-exist +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: HTTPRouteFilter + metadata: + name: direct-response-value-ref + namespace: default + spec: + directResponse: + contentType: application/json + statusCode: 502 + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-response diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml new file mode 100644 index 00000000000..29b6b051366 --- /dev/null +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml 
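Review bot: The error case does not appear to exercise the missing-ConfigMap path it looks written for. Route `direct-response-with-errors` references filter `direct-response-value-ref-not-found`, but the filter defined here is named `direct-response-value-ref-not-exit`, so the lookup already fails on the filter name and the `valueRef` to `value-ref-does-not-exist` is never resolved. Renaming the filter to `name: direct-response-value-ref-not-found` would make the fixture cover the unresolved `valueRef`. If the missing-filter case is also wanted, keep it as a separate route so both failure modes are pinned in the expected output.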
@@ -0,0 +1,208 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + hostname: '*.envoyproxy.io' + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /inline + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + 
parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: direct-response-with-errors + namespace: default + spec: + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - filters: + - extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref-not-found + type: ExtensionRef + matches: + - path: + type: PathPrefix + value: /value-ref-not-found + status: + parents: + - conditions: + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: UnsupportedValue + status: "False" + type: Accepted + - lastTransitionTime: null + message: 'Unable to translate HTTPRouteFilter: default/direct-response-value-ref-not-found' + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - addResponseHeaders: + - append: false + name: Content-Type + value: + - application/json + directResponse: + body: '{"error": 
"Internal Server Error"}' + statusCode: 502 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/1/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /value-ref + - addResponseHeaders: + - append: false + name: Content-Type + value: + - text/plain + directResponse: + body: OK + statusCode: 200 + hostname: '*.envoyproxy.io' + isHTTP2: false + metadata: + kind: HTTPRoute + name: direct-response + namespace: default + name: httproute/default/direct-response/rule/0/match/0/*_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: /inline diff --git a/site/content/en/latest/tasks/traffic/direct-response.md b/site/content/en/latest/tasks/traffic/direct-response.md new file mode 100644 index 00000000000..4b9aaa5551e --- /dev/null +++ b/site/content/en/latest/tasks/traffic/direct-response.md 
@@ -0,0 +1,284 @@ +--- +title: "Direct Response" +--- + +Direct responses are valuable in cases where you want the gateway itself +to handle certain requests without forwarding them to backend services. +This task shows you how to configure them. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Direct Response + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 04 Mar 2024 02:34:21 GMT +content-length: 480 +``` + +Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /inline HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 503 Service Unavailable +< content-type: text/plain +< content-length: 32 +< date: Sat, 02 Nov 2024 00:35:48 GMT +< +* Connection #0 to host 127.0.0.1 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/value-ref +``` + +```console +* Trying 127.0.0.1:80... 
+* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /value-ref HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Sat, 02 Nov 2024 00:35:55 GMT +< +* Connection #0 to host 127.0.0.1 left intact +{"error": "Internal Server Error"} +``` diff --git a/test/e2e/testdata/direct-response.yaml b/test/e2e/testdata/direct-response.yaml new file mode 100644 index 00000000000..a1d2d81e8bb --- /dev/null +++ b/test/e2e/testdata/direct-response.yaml @@ -0,0 +1,64 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: direct-response + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + rules: + - matches: + - path: + type: PathPrefix + value: /inline + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-inline + - matches: + - path: + type: PathPrefix + value: /value-ref + filters: + - type: ExtensionRef + extensionRef: + group: gateway.envoyproxy.io + kind: HTTPRouteFilter + name: direct-response-value-ref +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: value-ref-response + namespace: gateway-conformance-infra +data: + response.body: '{"error": "Internal Server Error"}' +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: direct-response-inline + namespace: gateway-conformance-infra +spec: + directResponse: + contentType: text/plain + body: + type: Inline + inline: "Oops! Your request is not found." +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: HTTPRouteFilter +metadata: + name: direct-response-value-ref + namespace: gateway-conformance-infra +spec: + directResponse: + contentType: application/json + body: + type: ValueRef + valueRef: + group: "" + kind: ConfigMap + name: value-ref-response 
diff --git a/test/e2e/tests/direct-response.go b/test/e2e/tests/direct-response.go
new file mode 100644
index 00000000000..12c667fdd30
--- /dev/null
+++ b/test/e2e/tests/direct-response.go
@@ -0,0 +1,38 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+
+package tests
+
+import (
+ "testing"
+
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+ "sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+ ConformanceTests = append(ConformanceTests, DirectResponseTest)
+}
+
+var DirectResponseTest = suite.ConformanceTest{
+ ShortName: "DirectResponse",
+ Description: "Direct",
+ Manifests: []string{"testdata/direct-response.yaml"},
+ Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+ t.Run("direct response", func(t *testing.T) {
+ ns := "gateway-conformance-infra"
+ routeNN := types.NamespacedName{Name: "direct-response", Namespace: ns}
+ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns}
+ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+ kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/inline", "text/plain", "Oops! Your request is not found.")
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/value-ref", "application/json", `{"error": "Internal Server Error"}`)
+ })
+ },
+}
diff --git a/test/e2e/tests/response-override.go b/test/e2e/tests/response-override.go
index b21db88e242..c7c12bd2c10 100644
--- a/test/e2e/tests/response-override.go
+++ b/test/e2e/tests/response-override.go
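Review bot: Neither `verifyCustomResponse` call in `DirectResponseTest` checks the HTTP status code, so the test passes whatever status the gateway attaches to the direct response. The helper, as changed in response-override.go in this same commit, compares only the body and the `Content-Type` header. The `HTTPRouteFilter` objects in testdata/direct-response.yaml set no status, so presumably a default is being exercised without being pinned. I would give the helper an expected-status argument, compare it with `rsp.StatusCode` inside the same convergence callback (`if rsp.StatusCode != expectedStatusCode { return false }`), and pass the intended status from both callers.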
@@ -8,18 +8,20 @@ package tests import ( - "fmt" "io" "net/http" "net/url" "testing" + "time" "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + "sigs.k8s.io/gateway-api/conformance/utils/config" httputils "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" "sigs.k8s.io/gateway-api/conformance/utils/suite" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" 
@@ -47,37 +49,47 @@ var ResponseOverrideTest = suite.ConformanceTest{ Name: gwapiv1.ObjectName(gwNN.Name), } BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "response-override", Namespace: ns}, suite.ControllerName, ancestorRef) - verifyResponseOverride(t, gwAddr, 404, "text/plain", "Oops! Your request is not found.") - verifyResponseOverride(t, gwAddr, 500, "application/json", `{"error": "Internal Server Error"}`) + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/404", "text/plain", "Oops! Your request is not found.") + verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/500", "application/json", `{"error": "Internal Server Error"}`) }) }, } -func verifyResponseOverride(t *testing.T, gwAddr string, statusCode int, expectedContentType string, expectedBody string) { +func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAddr, path, expectedContentType, expectedBody string) { reqURL := url.URL{ Scheme: "http", Host: httputils.CalculateHost(t, gwAddr, "http"), - Path: fmt.Sprintf("/status/%d", statusCode), + Path: path, } - rsp, err := http.Get(reqURL.String()) - if err != nil { - t.Fatalf("failed to get response: %v", err) - } + httputils.AwaitConvergence(t, timeoutConfig.RequiredConsecutiveSuccesses, timeoutConfig.MaxTimeToConsistency, func(elapsed time.Duration) bool { + rsp, err := http.Get(reqURL.String()) + if err != nil { + tlog.Logf(t, "failed to get response: %v", err) + return false + } - // Verify that the response body is overridden - defer rsp.Body.Close() - body, err := io.ReadAll(rsp.Body) - if err != nil { - t.Fatalf("failed to read response body: %v", err) - } - if string(body) != expectedBody { - t.Errorf("expected response body to be %s but got %s", expectedBody, string(body)) - } + // Verify that the response body is overridden + defer rsp.Body.Close() + body, err := io.ReadAll(rsp.Body) + if err != nil { + tlog.Logf(t, "failed to read response body: %v", err) + return 
false + } + if string(body) != expectedBody { + tlog.Logf(t, "expected response body to be %s but got %s", expectedBody, string(body)) + return false + } - // Verify that the content type is overridden - contentType := rsp.Header.Get("Content-Type") - if contentType != expectedContentType { - t.Errorf("expected content type to be %s but got %s", expectedContentType, contentType) - } + // Verify that the content type is overridden + contentType := rsp.Header.Get("Content-Type") + if contentType != expectedContentType { + tlog.Logf(t, "expected content type to be %s but got %s", expectedContentType, contentType) + return false + } + + return true + }) + + tlog.Logf(t, "Request passed") } From 6f91867384c36c53bc75e71085edcd0264bf3311 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 16:10:43 +0800 Subject: [PATCH 342/523] build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#4619) Bumps [github.com/fsnotify/fsnotify](https://github.com/fsnotify/fsnotify) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/fsnotify/fsnotify/releases) - [Changelog](https://github.com/fsnotify/fsnotify/blob/main/CHANGELOG.md) - [Commits](https://github.com/fsnotify/fsnotify/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/fsnotify/fsnotify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c50662d61ec..693ef9ccbb7 100644 --- a/go.mod +++ b/go.mod 
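Review bot: The `http.Get` call inside the `AwaitConvergence` callback of `verifyCustomResponse` goes through `http.DefaultClient`, which has no timeout. A connection that is accepted but never answered would block the callback, and the retry helper, which presumably invokes the callback synchronously, could then not enforce `MaxTimeToConsistency`. Building a bounded client once before the loop avoids that: `client := &http.Client{Timeout: timeoutConfig.RequestTimeout}` and, in the callback, `rsp, err := client.Get(reqURL.String())`.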
@@ -231,7 +231,7 @@ require ( github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch v5.9.0+incompatible github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fsnotify/fsnotify v1.7.0 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect diff --git a/go.sum b/go.sum index 94b88fa9f7a..3c239ab5ed5 100644 --- a/go.sum +++ b/go.sum @@ -250,8 +250,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= From 22658622fb25ccd7898af9984b2a94fd0b50b486 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 16:11:14 +0800 Subject: [PATCH 343/523] build(deps): bump github.com/bufbuild/buf from 1.45.0 to 1.46.0 in /tools/src/buf (#4616) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.45.0 to 1.46.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.45.0...v1.46.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- tools/src/buf/go.mod | 42 +++++++++++----------- tools/src/buf/go.sum | 84 ++++++++++++++++++++++---------------------- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index b2022d8afde..d8bea4a9f7c 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,15 +2,15 @@ module local go 1.23.1 -require github.com/bufbuild/buf v1.45.0 +require github.com/bufbuild/buf v1.46.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 // indirect - buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 // indirect - buf.build/go/bufplugin v0.5.0 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 // indirect + buf.build/go/bufplugin v0.6.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect buf.build/go/spdx v0.2.0 // indirect connectrpc.com/connect v1.17.0 // indirect 
@@ -21,11 +21,11 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.7.2 // indirect + github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.22 // indirect + github.com/containerd/containerd v1.7.23 // indirect github.com/containerd/continuity v0.4.3 // indirect - github.com/containerd/errdefs v0.2.0 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect @@ -50,12 +50,12 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/cel-go v0.21.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d // indirect + github.com/google/pprof v0.0.0-20241017200806-017d972448fc // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jdx/go-netrc v1.0.0 // indirect - github.com/klauspost/compress v1.17.10 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect 
@@ -77,7 +77,7 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect - github.com/quic-go/quic-go v0.47.0 // indirect + github.com/quic-go/quic-go v0.48.1 // indirect github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect @@ -94,19 +94,19 @@ require ( go.lsp.dev/protocol v0.12.0 // indirect go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect - go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect + go.opentelemetry.io/otel v1.31.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.31.0 // indirect go.opentelemetry.io/otel/sdk v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.uber.org/atomic v1.11.0 // indirect - go.uber.org/mock v0.4.0 // indirect + go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 // indirect + go.uber.org/zap/exp v0.3.0 // indirect golang.org/x/crypto v0.28.0 // indirect - golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect + golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect golang.org/x/mod v0.21.0 // indirect golang.org/x/net v0.30.0 // indirect golang.org/x/sync v0.8.0 // indirect 
@@ -117,7 +117,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 6fb21576d0e..b2a67028e40 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,15 +1,15 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2 h1:BQVQ0fcYgqpe6F/2ZPJUR1rTN+nwdrj2z7IAbAu9XAQ= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.34.2-20240928190436-5e8abcfd7a7e.2/go.mod h1:B+9TKHRYqoAUW57pLjhkLOnBCu0DQYMV+f7imQ9nXwI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2 h1:hl0FrmGlNpQZIGvU1/jDz0lsPDd0BhCE0QDRwPfLZcA= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240920164238-5a7b106cbb87.2/go.mod h1:ylS4c28ACSI59oJrOdW4pHS4n0Hw4TgSPHn8rpHl4Yw= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1 h1:p4A9QnhBrKjCquBt1mKqfO37QseLwgWqQp+Wb9ZjasE= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20240925012807-1610ffa05635.1/go.mod h1:7WtU+waNF+dyxDsuNaqmG3d0w3y2poNju8cvun1/jLs= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2 h1:3sSS9z8k6zVe7rNNt9R6DN2fOFBVClEflmICIjbXwms= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240925012807-1610ffa05635.2/go.mod h1:psseUmlKRo9v5LZJtR/aTpdTLuyp9o3X7rnLT87SZEo= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2 h1:oSi+Adw4xvIjXrW8eY8QGR3sBdfWeY5HN/RefnRt52M= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.34.2-20240828222655-5345c0a56177.2/go.mod h1:GjH0gjlY/ns16X8d6eaXV2W+6IFwsO5Ly9WVnzyd1E0= -buf.build/go/bufplugin v0.5.0 h1:pmK1AloAMp+4woH5hEisK9qVmDdLySzIKexUUVZLJ2Q= -buf.build/go/bufplugin v0.5.0/go.mod h1:r7Y8tpqpErLtUXUecEgwAHnjihY03YbN0IaBFNJF/x0= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 h1:O31Hu5Oho5suEWOD7FuMU9vfzeQT07ukTu4YuBVjLbw= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 
v1.35.1-20240920164238-5a7b106cbb87.1 h1:9wP6ZZYWnF2Z0TxmII7m3XNykxnP4/w8oXeth6ekcRI= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1/go.mod h1:Duw/9JoXkXIydyASnLYIiufkzySThoqavOsF+IihqvM= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 h1:FHQXg3T7S2jp8yc7/bQJgqEH1yza/rrDHXITUK2Tm0g= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1/go.mod h1:5iwF5l+9lKCnvr1zLvDgUHrv6X+vU5nNPjvig1sbnao= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 h1:PyqnJojY+BXNuJHp5aEfN9wPiP1dzrobXVmgLrUMe+A= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1/go.mod h1:x5Mti5bhMO87zJxCkcEbr7Lz+bHiFsqpxnpqSB1okG0= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 h1:rPi3qs3qpDIXIl5QW2IPOaYZhppRkvuVKwEZrfhpy78= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1/go.mod h1:4IVMTaeh4JIjBYcGFLlTorfWpKVEXDjDfHAgKTeR0Ds= +buf.build/go/bufplugin v0.6.0 h1:3lhoh+0z+IUPS3ZajTPn/27LaLIkero2BDVnV7yXD1s= +buf.build/go/bufplugin v0.6.0/go.mod h1:hWCjxxv24xdR6F5pNlQavZV2oo0J3uF4Ff1XEoyV6vU= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= 
@@ -30,14 +30,14 @@ github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldF github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.45.0 h1:WdaM5OCjqEURmzOiz3h9gVilFXqWpt6X+zbOVqKti1A= -github.com/bufbuild/buf v1.45.0/go.mod h1:j+GjGIKS+CvubKtPiC0KpEiHAd3wS9/5sn2/U5WlA20= +github.com/bufbuild/buf v1.46.0 h1:QqlFiy2l0F+hhyTF9xm7j91E7ovGyZVnneG2y38F0rk= +github.com/bufbuild/buf v1.46.0/go.mod h1:oN16LKwdlgji2eHLn3R07dxnQjxm9Q0pdUor5VXj3H8= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.7.2 h1:UuvKyZHl5p7u3ztEjtRtqtDxOjRKX5VUOgKFq6p6ETk= -github.com/bufbuild/protovalidate-go v0.7.2/go.mod h1:PHV5pFuWlRzdDW02/cmVyNzdiQ+RNNwo7idGxdzS7o4= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 h1:A4TfjZJqApnAvGKDgxHqA1rG6BK1OswyNcTcnSrDbJc= +github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576/go.mod h1:R/UFeIPyFAh0eH7Ic/JJbO2ABdkxFuZZKDbzsI5UiwM= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -54,12 +54,12 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= -github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.2.0 h1:XllDESRfJtVrMwMmR2mCabxyvBK4UlbyyiWI3MvRw0o= -github.com/containerd/errdefs v0.2.0/go.mod h1:C28ixlj3dKhQS9hsQ13b+HIb4X7+s2G4FYhbSPcRDLM= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= 
@@ -147,8 +147,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d h1:Jaz2JzpQaQXyET0AjLBXShrthbpqMkhGiEfkcQAiAUs= -github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc h1:NGyrhhFhwvRAZg02jnYVg3GBQy0qGBKmFQJwaPmpmxs= +github.com/google/pprof v0.0.0-20241017200806-017d972448fc/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -165,8 +165,8 @@ github.com/jhump/protoreflect/v2 v2.0.0-beta.2/go.mod h1:4tnOYkB/mq7QTyS3YKtVtNr github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= -github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU= github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -225,8 +225,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.47.0 h1:yXs3v7r2bm1wmPTYNLKAAJTHMYkPEsfYJmTazXrCZ7Y= -github.com/quic-go/quic-go v0.47.0/go.mod h1:3bCapYsJvXGZcipOHuu7plYtaV6tnF+z7wIFsU0WK9E= +github.com/quic-go/quic-go v0.48.1 h1:y/8xmfWI9qmGTc+lBr4jKRUWLGSlSigv847ULJ4hYXA= +github.com/quic-go/quic-go v0.48.1/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= 
@@ -270,44 +270,44 @@ go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= 
go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU= -go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= +go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU= +go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -go.uber.org/zap/exp v0.1.1-0.20240913022758-ede8e1888f83 h1:wpjRiPjppWaUIH+GC0bRvsdaH2K4Dw49dEJa7MX01Mk= -go.uber.org/zap/exp 
v0.1.1-0.20240913022758-ede8e1888f83/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= +go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U= +go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 h1:1wqE9dj9NpSm04INVsJhhEUzhuDVjbcyKH91sVyPATw= -golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY= +golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -393,8 +393,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96 h1:gqpvySYmKe3qf25lfA3WIEMTXBU+lfISbNkPH2BA844= -google.golang.org/protobuf v1.34.3-0.20240906163944-03df6c145d96/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 1205ccf0e1f45a0408fcd6c8e17252b4f3df1d19 Mon Sep 17 00:00:00 2001 From: Alice Lilith Date: Mon, 4 Nov 2024 09:35:22 -0800 Subject: [PATCH 344/523] remove myself from maintainers (#4624) remove myself from maintainers and update github user 
Signed-off-by: Alice Lilith --- OWNERS | 2 +- site/content/en/contributions/CODEOWNERS.md | 2 +- site/content/en/news/releases/_index.md | 2 +- site/content/en/v0.2/contributions/CODEOWNERS.md | 2 +- site/content/en/v0.2/contributions/RELEASING.md | 4 ++-- site/content/en/v0.3/contributions/CODEOWNERS.md | 2 +- site/content/en/v0.3/contributions/RELEASING.md | 4 ++-- site/content/en/v0.4/contributions/CODEOWNERS.md | 2 +- site/content/en/v0.4/contributions/RELEASING.md | 4 ++-- site/content/en/v0.5/contributions/CODEOWNERS.md | 2 +- site/content/en/v0.5/contributions/RELEASING.md | 4 ++-- site/content/en/v0.6/contributions/CODEOWNERS.md | 2 +- site/content/en/v0.6/contributions/RELEASING.md | 4 ++-- site/content/zh/contributions/CODEOWNERS.md | 2 +- site/content/zh/contributions/RELEASING.md | 4 ++-- site/content/zh/news/releases/_index.md | 2 +- 16 files changed, 22 insertions(+), 22 deletions(-) diff --git a/OWNERS b/OWNERS index 9237b007189..4a2e54e6db2 100644 --- a/OWNERS +++ b/OWNERS @@ -9,7 +9,6 @@ admins: maintainers: -- AliceProxy - arkodg - Xunzhuo - zirain @@ -25,6 +24,7 @@ emeritus-maintainers: - skriss - youngnick - qicz +- Alice-Lilith reviewers: diff --git a/site/content/en/contributions/CODEOWNERS.md b/site/content/en/contributions/CODEOWNERS.md index aeec0b7439b..071532f02c1 100644 --- a/site/content/en/contributions/CODEOWNERS.md +++ b/site/content/en/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "This section includes Maintainers of Envoy Gateway." - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index 71ff48fd392..4449a100c7e 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md 
@@ -31,7 +31,7 @@ communications with the Envoy Gateway community, and the mechanics of the releas |:-------:|:--------------------------------------------------------------:| | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) | | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) | +| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) | | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | diff --git a/site/content/en/v0.2/contributions/CODEOWNERS.md b/site/content/en/v0.2/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.2/contributions/CODEOWNERS.md +++ b/site/content/en/v0.2/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.2/contributions/RELEASING.md b/site/content/en/v0.2/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.2/contributions/RELEASING.md +++ b/site/content/en/v0.2/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.3/contributions/CODEOWNERS.md b/site/content/en/v0.3/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.3/contributions/CODEOWNERS.md +++ b/site/content/en/v0.3/contributions/CODEOWNERS.md 
@@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.3/contributions/RELEASING.md b/site/content/en/v0.3/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.3/contributions/RELEASING.md +++ b/site/content/en/v0.3/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.4/contributions/CODEOWNERS.md b/site/content/en/v0.4/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.4/contributions/CODEOWNERS.md +++ b/site/content/en/v0.4/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.4/contributions/RELEASING.md b/site/content/en/v0.4/contributions/RELEASING.md index bad13a6830c..ad0143bdeb9 100644 --- a/site/content/en/v0.4/contributions/RELEASING.md +++ b/site/content/en/v0.4/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release 
diff --git a/site/content/en/v0.5/contributions/CODEOWNERS.md b/site/content/en/v0.5/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.5/contributions/CODEOWNERS.md +++ b/site/content/en/v0.5/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.5/contributions/RELEASING.md b/site/content/en/v0.5/contributions/RELEASING.md index 206c9f0589d..7e02ccff581 100644 --- a/site/content/en/v0.5/contributions/RELEASING.md +++ b/site/content/en/v0.5/contributions/RELEASING.md @@ -97,10 +97,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/en/v0.6/contributions/CODEOWNERS.md b/site/content/en/v0.6/contributions/CODEOWNERS.md index 63b751abde5..b4c4c737e19 100644 --- a/site/content/en/v0.6/contributions/CODEOWNERS.md +++ b/site/content/en/v0.6/contributions/CODEOWNERS.md @@ -5,7 +5,7 @@ description: "This section includes Maintainers of Envoy Gateway." ## The following maintainers, listed in alphabetical order, own everything -- @AliceProxy +- @Alice-Lilith - @arkodg - @Xunzhuo - @zirain diff --git a/site/content/en/v0.6/contributions/RELEASING.md b/site/content/en/v0.6/contributions/RELEASING.md index 5abb7ba4503..37336d96acd 100644 --- a/site/content/en/v0.6/contributions/RELEASING.md +++ b/site/content/en/v0.6/contributions/RELEASING.md 
@@ -100,10 +100,10 @@ Configuration looks like following: cherrypick/release-v0.4 # put release manager here reviewers: | - AliceProxy + Alice-Lilith ``` -Replace `v0.4` with real branch name, and `AliceProxy` with the real name of RM. +Replace `v0.4` with real branch name, and `Alice-Lilith` with the real name of RM. ## Minor Release diff --git a/site/content/zh/contributions/CODEOWNERS.md b/site/content/zh/contributions/CODEOWNERS.md index 74e885d852a..d7ad10786d4 100644 --- a/site/content/zh/contributions/CODEOWNERS.md +++ b/site/content/zh/contributions/CODEOWNERS.md @@ -5,7 +5,6 @@ description: "本部分包括 Envoy Gateway 的维护者。" ## 以下是拥有所有权限的维护者(按字母顺序排列) {#the-following-maintainers-listed-in-alphabetical-order-own-everything} -- @AliceProxy - @arkodg - @qicz - @Xunzhuo @@ -19,3 +18,4 @@ description: "本部分包括 Envoy Gateway 的维护者。" - @LukeShu - @skriss - @youngnick +- @Alice-Lilith diff --git a/site/content/zh/contributions/RELEASING.md b/site/content/zh/contributions/RELEASING.md index e1412e4eb7c..fd4b0af328e 100644 --- a/site/content/zh/contributions/RELEASING.md +++ b/site/content/zh/contributions/RELEASING.md @@ -102,10 +102,10 @@ export GITHUB_REMOTE=origin cherrypick/release-v0.4 # 将发布经理名字放在这里 reviewers: | - AliceProxy + Alice-Lilith ``` -将 `v0.4` 替换为真实的分支名称,并将 `AliceProxy` 替换为 RM 的真实名称。 +将 `v0.4` 替换为真实的分支名称,并将 `Alice-Lilith` 替换为 RM 的真实名称。 ## 次要版本 {#minor-release} diff --git a/site/content/zh/news/releases/_index.md b/site/content/zh/news/releases/_index.md index 8afc5916c6e..0862210010f 100644 --- a/site/content/zh/news/releases/_index.md +++ b/site/content/zh/news/releases/_index.md 
@@ -32,7 +32,7 @@ Envoy Gateway 的稳定版本包括: |:-------:|:--------------------------------------------------------------:| | 2022 Q4 | Daneyon Hansen ([danehans](https://github.com/danehans)) | | 2023 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2023 Q2 | Alice Wasko ([AliceProxy](https://github.com/AliceProxy)) | +| 2023 Q2 | Alice Wasko ([Alice-Lilith](https://github.com/Alice-Lilith)) | | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | From a011146bf4bdaa36c53e167507b88e5598a238e4 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 5 Nov 2024 02:29:43 +0800 Subject: [PATCH 345/523] e2e: move apps to examples and pre-built (#4576) * e2e: move grpc-ext-auth envoy-als to examples 
Signed-off-by: zirain --- examples/envoy-als/Dockerfile | 23 ++ examples/envoy-als/Makefile | 8 + examples/envoy-als/go.mod | 27 ++ examples/envoy-als/go.sum | 40 ++ examples/envoy-als/main.go | 115 ++++++ examples/grpc-ext-auth/Dockerfile | 23 ++ examples/grpc-ext-auth/Makefile | 8 + examples/grpc-ext-auth/go.mod | 20 + examples/grpc-ext-auth/go.sum | 24 ++ examples/grpc-ext-auth/main.go | 225 +++++++++++ examples/grpc-ext-proc/Dockerfile | 22 ++ examples/grpc-ext-proc/Makefile | 8 + examples/grpc-ext-proc/go.mod | 19 + examples/grpc-ext-proc/go.sum | 22 ++ examples/grpc-ext-proc/main.go | 289 ++++++++++++++ examples/http-ext-auth/Dockerfile | 6 + examples/http-ext-auth/Makefile | 8 + examples/http-ext-auth/http-ext-auth.js | 38 ++ examples/preserve-case-backend/Dockerfile | 22 ++ examples/preserve-case-backend/Makefile | 8 + examples/preserve-case-backend/go.mod | 11 + examples/preserve-case-backend/go.sum | 8 + examples/preserve-case-backend/main.go | 42 ++ test/e2e/base/manifests.yaml | 107 ----- test/e2e/testdata/accesslog-als.yaml | 194 +-------- test/e2e/testdata/ext-auth-grpc-service.yaml | 394 +++---------------- test/e2e/testdata/ext-auth-http-service.yaml | 76 +--- test/e2e/testdata/ext-proc-service.yaml | 354 +---------------- test/e2e/testdata/preserve-case.yaml | 73 +++- test/e2e/tests/preservecase.go | 4 +- tools/make/common.mk | 1 + tools/make/examples.mk | 20 + tools/make/kube.mk | 4 +- 33 files changed, 1178 insertions(+), 1065 deletions(-) create mode 100644 examples/envoy-als/Dockerfile create mode 100644 examples/envoy-als/Makefile create mode 100644 examples/envoy-als/go.mod create mode 100644 examples/envoy-als/go.sum create mode 100644 examples/envoy-als/main.go create mode 100644 examples/grpc-ext-auth/Dockerfile create mode 100644 examples/grpc-ext-auth/Makefile create mode 100644 examples/grpc-ext-auth/go.mod create mode 100644 examples/grpc-ext-auth/go.sum create mode 100644 examples/grpc-ext-auth/main.go create mode 100644 
examples/grpc-ext-proc/Dockerfile create mode 100644 examples/grpc-ext-proc/Makefile create mode 100644 examples/grpc-ext-proc/go.mod create mode 100644 examples/grpc-ext-proc/go.sum create mode 100644 examples/grpc-ext-proc/main.go create mode 100644 examples/http-ext-auth/Dockerfile create mode 100644 examples/http-ext-auth/Makefile create mode 100644 examples/http-ext-auth/http-ext-auth.js create mode 100644 examples/preserve-case-backend/Dockerfile create mode 100644 examples/preserve-case-backend/Makefile create mode 100644 examples/preserve-case-backend/go.mod create mode 100644 examples/preserve-case-backend/go.sum create mode 100644 examples/preserve-case-backend/main.go create mode 100644 tools/make/examples.mk diff --git a/examples/envoy-als/Dockerfile b/examples/envoy-als/Dockerfile new file mode 100644 index 00000000000..0ad9437f993 --- /dev/null +++ b/examples/envoy-als/Dockerfile @@ -0,0 +1,23 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/envoy-als -ldflags "${GO_LDFLAGS}" . + +# Make our production image +FROM gcr.io/distroless/static-debian11:nonroot +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/envoy-als / + +USER nonroot:nonroot +ENTRYPOINT ["/envoy-als"] diff --git a/examples/envoy-als/Makefile b/examples/envoy-als/Makefile new file mode 100644 index 00000000000..a8ca6cec25d --- /dev/null +++ b/examples/envoy-als/Makefile 
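Review bot: Both `FROM` lines in examples/envoy-als/Dockerfile reference mutable tags (`golang:1.23.1`, `gcr.io/distroless/static-debian11:nonroot`), so rebuilding the same commit can pick up different base layers. These images appear to be built and tagged under `envoyproxy/gateway-` for e2e use, so pinning by digest, e.g. `FROM golang:1.23.1@sha256:<digest> AS builder`, would make them reproducible and auditable. The same applies to the grpc-ext-auth and grpc-ext-proc Dockerfiles added in this commit. Separately, `${TARGETOS}` and `${TARGETARCH}` are used in the build `RUN` without `ARG TARGETOS` / `ARG TARGETARCH` in the builder stage, so they most likely expand to empty strings and the explicit `GOOS`/`GOARCH` settings have no effect.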
@@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= envoy-als +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/envoy-als/go.mod b/examples/envoy-als/go.mod new file mode 100644 index 00000000000..610090483ad --- /dev/null +++ b/examples/envoy-als/go.mod @@ -0,0 +1,27 @@ +module github.com/envoyproxy/gateway-envoy-als + +go 1.23.1 + +require ( + github.com/envoyproxy/go-control-plane v0.13.1 + github.com/prometheus/client_golang v1.20.5 + google.golang.org/grpc v1.67.1 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/klauspost/compress v1.17.9 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect + google.golang.org/protobuf v1.34.2 // indirect +) diff --git a/examples/envoy-als/go.sum b/examples/envoy-als/go.sum new file mode 100644 index 00000000000..1e30c20ec65 --- /dev/null +++ b/examples/envoy-als/go.sum 
@@ -0,0 +1,40 @@ +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= 
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/envoy-als/main.go b/examples/envoy-als/main.go new file mode 100644 index 00000000000..9cecabe763a --- /dev/null +++ b/examples/envoy-als/main.go 
@@ -0,0 +1,115 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "log" + "net" + "net/http" + + alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" + alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promhttp" + + "google.golang.org/grpc" +) + +var ( + LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ + Name: "log_count", + Help: "The total number of logs received.", + }, []string{"api_version"}) +) + +func init() { + // Register the summary and the histogram with Prometheus's default registry. + prometheus.MustRegister(LogCount) +} + +type ALSServer struct { +} + +func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v2 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v2 log data: %s\n", data.String()) + } +} + +type ALSServerV3 struct { +} + +func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { + log.Println("Streaming als v3 logs") + for { + data, err := logStream.Recv() + if err != nil { + return err + } + + httpLogs := data.GetHttpLogs() + if httpLogs != nil { + LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) + } + + log.Printf("Received v3 log data: %s\n", data.String()) + } +} + +func NewALSServer() *ALSServer { + return &ALSServer{} +} + +func NewALSServerV3() *ALSServerV3 { + return &ALSServerV3{} +} + +func main() { + mux := http.NewServeMux() + if err := addMonitor(mux); err != nil { + log.Printf("could not 
establish self-monitoring: %v\n", err) + } + + s := &http.Server{ + Addr: ":19001", + Handler: mux, + } + + go func() { + s.ListenAndServe() + }() + + listener, err := net.Listen("tcp", "0.0.0.0:8080") + if err != nil { + log.Fatalf("Failed to start listener on port 8080: %v", err) + } + + var opts []grpc.ServerOption + grpcServer := grpc.NewServer(opts...) + alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) + alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) + log.Println("Starting ALS Server") + if err := grpcServer.Serve(listener); err != nil { + log.Fatalf("grpc serve err: %v", err) + } +} + +func addMonitor(mux *http.ServeMux) error { + mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) + + return nil +} diff --git a/examples/grpc-ext-auth/Dockerfile b/examples/grpc-ext-auth/Dockerfile new file mode 100644 index 00000000000..4f6ea6ff545 --- /dev/null +++ b/examples/grpc-ext-auth/Dockerfile @@ -0,0 +1,23 @@ +FROM golang:1.23.1 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/grpc-ext-auth -ldflags "${GO_LDFLAGS}" . + +# Make our production image +FROM gcr.io/distroless/static-debian11:nonroot +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/grpc-ext-auth / + +USER nonroot:nonroot +ENTRYPOINT ["/grpc-ext-auth"] diff --git a/examples/grpc-ext-auth/Makefile b/examples/grpc-ext-auth/Makefile new file mode 100644 index 00000000000..bdcb69d99eb --- /dev/null +++ b/examples/grpc-ext-auth/Makefile 
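Review bot: In `main` of examples/envoy-als/main.go the metrics server is started with a bare `s.ListenAndServe()` inside the goroutine, so a failed bind on `:19001` is silently discarded and the pod runs without `/metrics`. Check the result, e.g. `if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed { log.Printf("metrics server: %v", err) }`. The `http.Server` literal also sets no timeouts; adding `ReadHeaderTimeout: 5 * time.Second` (with the `time` import) stops a slow client from holding connections open indefinitely. Both `StreamAccessLogs` loops print every message with `data.String()`, which may put request headers and paths into the container log, so that line is better kept behind a debug switch. The comment in `init` mentions a summary and a histogram, but only the `LogCount` counter is registered.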
@@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= grpc-ext-auth +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/grpc-ext-auth/go.mod b/examples/grpc-ext-auth/go.mod new file mode 100644 index 00000000000..8e3fcb7e061 --- /dev/null +++ b/examples/grpc-ext-auth/go.mod @@ -0,0 +1,20 @@ +module github.com/envoyproxy/gateway-grcp-ext-auth + +go 1.23.1 + +require ( + github.com/envoyproxy/go-control-plane v0.13.1 + github.com/golang/protobuf v1.5.4 + google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 + google.golang.org/grpc v1.67.1 +) + +require ( + github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect +) diff --git a/examples/grpc-ext-auth/go.sum b/examples/grpc-ext-auth/go.sum new file mode 100644 index 00000000000..03b2f7f5cee --- /dev/null +++ b/examples/grpc-ext-auth/go.sum 
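Review bot: The module path in examples/grpc-ext-auth/go.mod is spelled `github.com/envoyproxy/gateway-grcp-ext-auth`, with `grcp` instead of `grpc`. The sibling modules in this commit use `gateway-envoy-als` and `gateway-grpc-ext-proc`, so this looks like a typo rather than a deliberate name. Correcting it now to `module github.com/envoyproxy/gateway-grpc-ext-auth` avoids a rename once anything imports or references the path.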
@@ -0,0 +1,24 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/grpc v1.67.1 
h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= diff --git a/examples/grpc-ext-auth/main.go b/examples/grpc-ext-auth/main.go new file mode 100644 index 00000000000..f63b0ec1e85 --- /dev/null +++ b/examples/grpc-ext-auth/main.go 
@@ -0,0 +1,225 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "flag" + "fmt" + "log" + "net" + "net/http" + "os" + "strings" + + envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + "github.com/golang/protobuf/ptypes/wrappers" + "google.golang.org/genproto/googleapis/rpc/code" + "google.golang.org/genproto/googleapis/rpc/status" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" +) + +var ( + port int + certPath string +) + +func main() { + flag.IntVar(&port, "port", 9002, "gRPC port") + flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key") + flag.Parse() + + lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + log.Fatalf("failed to listen to %d: %v", port, err) + } + + users := TestUsers() + + // Load TLS credentials + creds, err := loadTLSCredentials(certPath) + if err != nil { + log.Fatalf("Failed to load TLS credentials: %v", err) + } + gs := grpc.NewServer(grpc.Creds(creds)) + + envoy_service_auth_v3.RegisterAuthorizationServer(gs, NewAuthServer(users)) + + log.Printf("starting gRPC server on: %d\n", port) + + go func() { + err = gs.Serve(lis) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } + }() + + http.HandleFunc("/healthz", healthCheckHandler) + err = http.ListenAndServe(":8080", nil) + if err != nil { + log.Fatalf("failed to serve: %v", err) + } +} + +type authServer struct { + users Users +} + +var _ envoy_service_auth_v3.AuthorizationServer = &authServer{} + +// NewAuthServer creates a new authorization server. 
+func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer { + return &authServer{users} +} + +// Check implements authorization's Check interface which performs authorization check based on the +// attributes associated with the incoming request. +func (s *authServer) Check( + _ context.Context, + req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { + authorization := req.Attributes.Request.Http.Headers["authorization"] + log.Println(authorization) + + extracted := strings.Fields(authorization) + if len(extracted) == 2 && extracted[0] == "Bearer" { + valid, user := s.users.Check(extracted[1]) + if valid { + return &envoy_service_auth_v3.CheckResponse{ + HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ + OkResponse: &envoy_service_auth_v3.OkHttpResponse{ + Headers: []*envoy_api_v3_core.HeaderValueOption{ + { + Append: &wrappers.BoolValue{Value: false}, + Header: &envoy_api_v3_core.HeaderValue{ + // For a successful request, the authorization server sets the + // x-current-user value. + Key: "x-current-user", + Value: user, + }, + }, + }, + }, + }, + Status: &status.Status{ + Code: int32(code.Code_OK), + }, + }, nil + } + } + + return &envoy_service_auth_v3.CheckResponse{ + Status: &status.Status{ + Code: int32(code.Code_PERMISSION_DENIED), + }, + }, nil +} + +// Users holds a list of users. +type Users map[string]string + +// Check checks if a key could retrieve a user from a list of users. 
+func (u Users) Check(key string) (bool, string) {
+ value, ok := u[key]
+ if !ok {
+ return false, ""
+ }
+ return ok, value
+}
+
+func TestUsers() Users {
+ return map[string]string{
+ "token1": "user1",
+ "token2": "user2",
+ "token3": "user3",
+ }
+}
+
+func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
+ certPool, err := loadCA(certPath)
+ if err != nil {
+ log.Fatalf("Could not load CA certificate: %v", err)
+ }
+
+ // Create TLS configuration
+ tlsConfig := &tls.Config{
+ RootCAs: certPool,
+ }
+
+ // Create gRPC dial options
+ opts := []grpc.DialOption{
+ grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+ }
+
+ conn, err := grpc.Dial("localhost:9002", opts...)
+ if err != nil {
+ log.Fatalf("Could not connect: %v", err)
+ }
+ client := envoy_service_auth_v3.NewAuthorizationClient(conn)
+
+ response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{
+ Attributes: &envoy_service_auth_v3.AttributeContext{
+ Request: &envoy_service_auth_v3.AttributeContext_Request{
+ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+ Headers: map[string]string{
+ "authorization": "Bearer token1",
+ },
+ },
+ },
+ },
+ })
+ if err != nil {
+ log.Fatalf("Could not check: %v", err)
+ }
+ if response != nil && response.Status.Code == int32(code.Code_OK) {
+ w.WriteHeader(http.StatusOK)
+ } else {
+ w.WriteHeader(http.StatusServiceUnavailable)
+ }
+}
+
+func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) {
+ // Load server's certificate and private key
+ crt := "server.crt"
+ key := "server.key"
+
+ if certPath != "" {
+ if !strings.HasSuffix(certPath, "/") {
+ certPath = fmt.Sprintf("%s/", certPath)
+ }
+ crt = fmt.Sprintf("%s%s", certPath, crt)
+ key = fmt.Sprintf("%s%s", certPath, key)
+ }
+ certificate, err := tls.LoadX509KeyPair(crt, key)
+ if err != nil {
+ return nil, fmt.Errorf("could not load server key pair: %s", err)
+ }
+
+ // Create a new credentials object
+ creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}})
+
+ return creds, nil
+}
+
+func loadCA(caPath string) (*x509.CertPool, error) {
+ ca := x509.NewCertPool()
+ caCertPath := "server.crt"
+ if caPath != "" {
+ if !strings.HasSuffix(caPath, "/") {
+ caPath = fmt.Sprintf("%s/", caPath)
+ }
+ caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath)
+ }
+ caCert, err := os.ReadFile(caCertPath)
+ if err != nil {
+ return nil, fmt.Errorf("could not read ca certificate: %s", err)
+ }
+ ca.AppendCertsFromPEM(caCert)
+ return ca, nil
+}
diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile
new file mode 100644
index 00000000000..a07ab13f48b
--- /dev/null
+++ b/examples/grpc-ext-proc/Dockerfile
@@ -0,0 +1,22 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/grpc-ext-proc -ldflags "${GO_LDFLAGS}" .
+
+# Need root user for UDS
+FROM gcr.io/distroless/static-debian11
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/grpc-ext-proc /
+
+ENTRYPOINT ["/grpc-ext-proc"]
diff --git a/examples/grpc-ext-proc/Makefile b/examples/grpc-ext-proc/Makefile
new file mode 100644
index 00000000000..85de130d8fd
--- /dev/null
+++ b/examples/grpc-ext-proc/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= grpc-ext-proc
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod
new file mode 100644
index 00000000000..bb18254c721
--- /dev/null
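Review bot: The runtime stage of examples/grpc-ext-proc/Dockerfile pulls `gcr.io/distroless/static-debian11` with no tag or digest and sets no `USER`, so the container runs as root on whatever image that name currently resolves to. The only justification given is `# Need root user for UDS`; the main.go added for this example chowns its socket to uid 65532, which is presumably the reason, and the comment should say so, e.g. `# runs as root: main.go chowns the ext-proc socket to uid 65532`. examples/preserve-case-backend/Dockerfile repeats the same stage and comment, but its main.go only listens on TCP :8000, so `USER 65532:65532` before `ENTRYPOINT` looks sufficient there. Pinning both `FROM` lines by digest would keep rebuilds reproducible.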
+++ b/examples/grpc-ext-proc/go.mod
@@ -0,0 +1,19 @@
+module github.com/envoyproxy/gateway-grpc-ext-proc
+
+go 1.23.1
+
+require (
+ github.com/envoyproxy/go-control-plane v0.13.1
+ google.golang.org/grpc v1.67.1
+)
+
+require (
+ github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ golang.org/x/net v0.28.0 // indirect
+ golang.org/x/sys v0.24.0 // indirect
+ golang.org/x/text v0.17.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
+)
diff --git a/examples/grpc-ext-proc/go.sum b/examples/grpc-ext-proc/go.sum
new file mode 100644
index 00000000000..d3004724f02
--- /dev/null
+++ b/examples/grpc-ext-proc/go.sum
@@ -0,0 +1,22 @@ +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= +github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= +github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= +github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 
h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= diff --git a/examples/grpc-ext-proc/main.go b/examples/grpc-ext-proc/main.go new file mode 100644 index 00000000000..785480f1d20 --- /dev/null +++ b/examples/grpc-ext-proc/main.go 
@@ -0,0 +1,289 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package main
+
+import (
+ "context"
+ "crypto/tls"
+ "crypto/x509"
+ "flag"
+ "fmt"
+ "io"
+ "log"
+ "net"
+ "net/http"
+ "os"
+ "strings"
+
+ "google.golang.org/grpc/credentials"
+
+ envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+type extProcServer struct{}
+
+var (
+ port int
+ certPath string
+)
+
+func main() {
+ flag.IntVar(&port, "port", 9002, "gRPC port")
+ flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key")
+ flag.Parse()
+
+ lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+ if err != nil {
+ log.Fatalf("failed to listen: %v", err)
+ }
+
+ creds, err := loadTLSCredentials(certPath)
+ if err != nil {
+ log.Fatalf("Failed to load TLS credentials: %v", err)
+ }
+ gs := grpc.NewServer(grpc.Creds(creds))
+ envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{})
+
+ go func() {
+ err = gs.Serve(lis)
+ if err != nil {
+ log.Fatalf("failed to serve: %v", err)
+ }
+ }()
+
+ // Create Unix listener
+ gus := grpc.NewServer(grpc.Creds(creds))
+ envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{})
+
+ udsAddr := "/var/run/ext-proc/extproc.sock"
+ if _, err := os.Stat(udsAddr); err == nil {
+ if err := os.RemoveAll(udsAddr); err != nil {
+ log.Fatalf("failed to remove: %v", err)
+ }
+ }
+
+ ul, err := net.Listen("unix", udsAddr)
+ if err != nil {
+ log.Fatalf("failed to listen: %v", err)
+ }
+
+ err = os.Chmod(udsAddr, 0700)
+ if err != nil {
+ log.Fatalf("failed to set permissions: %v", err)
+ }
+
+ // envoy distroless uid
+ err = os.Chown(udsAddr, 65532, 0)
+ if err != nil {
+ log.Fatalf("failed to set permissions: %v", err)
+ }
+
+ go func() {
+ err = gus.Serve(ul)
+ if err != nil {
+ log.Fatalf("failed to serve: %v", err)
+ }
+ }()
+
+ http.HandleFunc("/healthz", healthCheckHandler)
+ err = http.ListenAndServe(":8080", nil)
+ if err != nil {
+ log.Fatalf("failed to serve: %v", err)
+ }
+}
+
+// used by k8s readiness probes
+// makes a processing request to check if the processor service is healthy
+func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
+ certPool, err := loadCA(certPath)
+ if err != nil {
+ log.Fatalf("Could not load CA certificate: %v", err)
+ }
+
+ // Create TLS configuration
+ tlsConfig := &tls.Config{
+ RootCAs: certPool,
+ ServerName: "grpc-ext-proc.envoygateway",
+ }
+
+ // Create gRPC dial options
+ opts := []grpc.DialOption{
+ grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+ }
+
+ conn, err := grpc.Dial("localhost:9002", opts...)
+ if err != nil {
+ log.Fatalf("Could not connect: %v", err)
+ }
+ client := envoy_service_proc_v3.NewExternalProcessorClient(conn)
+
+ processor, err := client.Process(context.Background())
+ if err != nil {
+ log.Fatalf("Could not check: %v", err)
+ }
+
+ err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{
+ Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{
+ RequestHeaders: &envoy_service_proc_v3.HttpHeaders{},
+ },
+ })
+ if err != nil {
+ log.Fatalf("Could not check: %v", err)
+ }
+
+ response, err := processor.Recv()
+ if err != nil {
+ log.Fatalf("Could not check: %v", err)
+ }
+
+ if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE {
+ w.WriteHeader(http.StatusOK)
+ } else {
+ w.WriteHeader(http.StatusServiceUnavailable)
+ }
+}
+
+func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) {
+ // Load extProcServer's certificate and private key
+ crt := "server.crt"
+ key := "server.key"
+
+ if certPath != "" {
+ if !strings.HasSuffix(certPath, "/") {
+ certPath = fmt.Sprintf("%s/", certPath)
+ }
+ crt = fmt.Sprintf("%s%s", certPath, crt)
+ key = fmt.Sprintf("%s%s", certPath, key)
+ }
+ certificate, err := tls.LoadX509KeyPair(crt, key)
+ if err != nil {
+ return nil, fmt.Errorf("could not load extProcServer key pair: %s", err)
+ }
+
+ // Create a new credentials object
+ creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}})
+
+ return creds, nil
+}
+
+func loadCA(caPath string) (*x509.CertPool, error) {
+ ca := x509.NewCertPool()
+ caCertPath := "server.crt"
+ if caPath != "" {
+ if !strings.HasSuffix(caPath, "/") {
+ caPath = fmt.Sprintf("%s/", caPath)
+ }
+ caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath)
+ }
+ caCert, err := os.ReadFile(caCertPath)
+ if err != nil {
+ return nil, fmt.Errorf("could not read ca certificate: %s", err)
+ }
+ ca.AppendCertsFromPEM(caCert)
+ return ca, nil
+}
+
+func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error {
+ ctx := srv.Context()
+ for {
+ select {
+ case <-ctx.Done():
+ return ctx.Err()
+ default:
+ }
+ req, err := srv.Recv()
+ if err == io.EOF {
+ return nil
+ }
+ if err != nil {
+ return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err)
+ }
+
+ resp := &envoy_service_proc_v3.ProcessingResponse{}
+ switch v := req.Request.(type) {
+ case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders:
+ xrch := ""
+ if v.RequestHeaders != nil {
+ hdrs := v.RequestHeaders.Headers.GetHeaders()
+ for _, hdr := range hdrs {
+ if hdr.Key == "x-request-client-header" {
+ xrch = string(hdr.RawValue)
+ }
+ }
+ }
+
+ rhq := &envoy_service_proc_v3.HeadersResponse{
+ Response: &envoy_service_proc_v3.CommonResponse{
+ HeaderMutation: &envoy_service_proc_v3.HeaderMutation{
+ SetHeaders: []*envoy_api_v3_core.HeaderValueOption{
+ {
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-request-ext-processed",
+ RawValue: []byte("true"),
+ },
+ },
+ },
+ },
+ },
+ }
+
+ if xrch != "" {
+ rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders,
+ &envoy_api_v3_core.HeaderValueOption{
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-request-client-header",
+ RawValue: []byte("mutated"),
+ },
+ })
+ rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders,
+ &envoy_api_v3_core.HeaderValueOption{
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-request-client-header-received",
+ RawValue: []byte(xrch),
+ },
+ })
+ }
+
+ resp = &envoy_service_proc_v3.ProcessingResponse{
+ Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{
+ RequestHeaders: rhq,
+ },
+ }
+ break
+ case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders:
+ rhq := &envoy_service_proc_v3.HeadersResponse{
+ Response: &envoy_service_proc_v3.CommonResponse{
+ HeaderMutation: &envoy_service_proc_v3.HeaderMutation{
+ SetHeaders: []*envoy_api_v3_core.HeaderValueOption{
+ {
+ Header: &envoy_api_v3_core.HeaderValue{
+ Key: "x-response-ext-processed",
+ RawValue: []byte("true"),
+ },
+ },
+ },
+ },
+ },
+ }
+ resp = &envoy_service_proc_v3.ProcessingResponse{
+ Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{
+ ResponseHeaders: rhq,
+ },
+ }
+ break
+ default:
+ log.Printf("Unknown Request type %v\n", v)
+ }
+ if err := srv.Send(resp); err != nil {
+ log.Printf("send error %v", err)
+ }
+ }
+}
diff --git a/examples/http-ext-auth/Dockerfile b/examples/http-ext-auth/Dockerfile
new file mode 100644
index 00000000000..f3e3ef5d614
--- /dev/null
+++ b/examples/http-ext-auth/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:19-bullseye
+
+COPY ./http-ext-auth.js .
+
+ENTRYPOINT ["node", "./http-ext-auth.js"]
+
diff --git a/examples/http-ext-auth/Makefile b/examples/http-ext-auth/Makefile
new file mode 100644
index 00000000000..a0fe0063528
--- /dev/null
+++ b/examples/http-ext-auth/Makefile
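Review bot: `healthCheckHandler` in examples/grpc-ext-proc/main.go calls `log.Fatalf` on every failure path, so a single failed readiness probe (unreadable CA file, stream or receive error) terminates the whole process, both gRPC listeners included, instead of answering 503. It also opens a new gRPC connection per probe to the hard-coded `localhost:9002` (ignoring `-port`) and never closes it, and `response.GetRequestHeaders().Response.Status` panics when the reply is not a request-headers response. `loadCA` discards the result of `ca.AppendCertsFromPEM`, so an unparsable CA file only surfaces later as a handshake failure. `/healthz` is served without authentication on `:8080`, so these paths are reachable by any client that can reach that port; the sketch below logs and returns 503, closes the connection and nil-checks the reply.

```go
func healthCheckHandler(w http.ResponseWriter, r *http.Request) {
	certPool, err := loadCA(certPath)
	if err != nil {
		log.Printf("health check: could not load CA certificate: %v", err)
		http.Error(w, "unhealthy", http.StatusServiceUnavailable)
		return
	}
	// … unchanged: tlsConfig and dial options …
	conn, err := grpc.Dial(fmt.Sprintf("localhost:%d", port), opts...)
	if err != nil {
		log.Printf("health check: could not connect: %v", err)
		http.Error(w, "unhealthy", http.StatusServiceUnavailable)
		return
	}
	defer conn.Close()
	// … unchanged: client.Process, processor.Send, processor.Recv; each error path logs and returns 503 as above …
	rh := response.GetRequestHeaders()
	if rh != nil && rh.GetResponse() != nil &&
		rh.GetResponse().GetStatus() == envoy_service_proc_v3.CommonResponse_CONTINUE {
		w.WriteHeader(http.StatusOK)
	} else {
		w.WriteHeader(http.StatusServiceUnavailable)
	}
```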
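Review bot: `FROM node:19-bullseye` in examples/http-ext-auth/Dockerfile builds the example on a non-LTS Node.js line that is past end-of-life, referenced by a mutable tag, and the image sets no `USER`, so the auth service runs as root. The server in http-ext-auth.js listens on port 9002 by default and reads no privileged files, so it can run unprivileged: add `USER node` before `ENTRYPOINT` and move the base to a maintained LTS tag pinned by digest.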
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= http-ext-auth
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/http-ext-auth/http-ext-auth.js b/examples/http-ext-auth/http-ext-auth.js
new file mode 100644
index 00000000000..17ece921822
--- /dev/null
+++ b/examples/http-ext-auth/http-ext-auth.js
@@ -0,0 +1,38 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+const Http = require("http");
+const path = require("path");
+
+const tokens = {
+ "token1": "user1",
+ "token2": "user2",
+ "token3": "user3"
+};
+
+const server = new Http.Server((req, res) => {
+ const authorization = req.headers["authorization"] || "";
+ const extracted = authorization.split(" ");
+ if (extracted.length === 2 && extracted[0] === "Bearer") {
+ const user = checkToken(extracted[1]);
+ console.log(`token: "${extracted[1]}" user: "${user}`);
+ if (user !== undefined) {
+ // The authorization server returns a response with "x-current-user" header for a successful
+ // request.
+ res.writeHead(200, { "x-current-user": user });
+ return res.end();
+ }
+ }
+ res.writeHead(403);
+ res.end();
+});
+
+const port = process.env.PORT || 9002;
+server.listen(port);
+console.log(`starting HTTP server on: ${port}`);
+
+function checkToken(token) {
+ return tokens[token];
+}
\ No newline at end of file
diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile
new file mode 100644
index 00000000000..4616d465cb6
--- /dev/null
+++ b/examples/preserve-case-backend/Dockerfile
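Review bot: `checkToken` in http-ext-auth.js returns `tokens[token]` from a plain object literal, and that lookup also resolves properties inherited from `Object.prototype`, so a bearer value that is not one of the three configured tokens can still yield a non-`undefined` result and pass the `user !== undefined` check. Restrict the lookup to own keys, `return Object.hasOwn(tokens, token) ? tokens[token] : undefined;`, or keep the tokens in a `Map`. The `console.log` before the check writes the presented bearer token to the log, and its template is missing the closing quote after `${user}`; log the resolved user or the decision only.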
@@ -0,0 +1,22 @@
+FROM golang:1.23.1 AS builder
+
+ARG GO_LDFLAGS=""
+
+WORKDIR /workspace
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+
+COPY . ./
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \
+ CGO_ENABLED=0 \
+ GOOS=${TARGETOS} \
+ GOARCH=${TARGETARCH} \
+ go build -o /bin/preserve-case-backend -ldflags "${GO_LDFLAGS}" .
+
+# Need root user for UDS
+FROM gcr.io/distroless/static-debian11
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /bin/preserve-case-backend /
+
+ENTRYPOINT ["/preserve-case-backend"]
diff --git a/examples/preserve-case-backend/Makefile b/examples/preserve-case-backend/Makefile
new file mode 100644
index 00000000000..159725237f4
--- /dev/null
+++ b/examples/preserve-case-backend/Makefile
@@ -0,0 +1,8 @@
+
+IMAGE_PREFIX ?= envoyproxy/gateway-
+APP_NAME ?= preserve-case-backend
+TAG ?= latest
+
+.PHONY: docker-buildx
+docker-buildx:
+ docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod
new file mode 100644
index 00000000000..7a9712aa341
--- /dev/null
+++ b/examples/preserve-case-backend/go.mod
@@ -0,0 +1,11 @@
+module github.com/envoyproxy/gateway-preserve-case-backend
+
+go 1.23.1
+
+require github.com/valyala/fasthttp v1.51.0
+
+require (
+ github.com/andybalholm/brotli v1.0.5 // indirect
+ github.com/klauspost/compress v1.17.0 // indirect
+ github.com/valyala/bytebufferpool v1.0.0 // indirect
+)
diff --git a/examples/preserve-case-backend/go.sum b/examples/preserve-case-backend/go.sum
new file mode 100644
index 00000000000..cfe8f6c10e5
--- /dev/null
+++ b/examples/preserve-case-backend/go.sum
@@ -0,0 +1,8 @@ +github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= +github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= +github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= +github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= +github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= diff --git a/examples/preserve-case-backend/main.go b/examples/preserve-case-backend/main.go new file mode 100644 index 00000000000..1922d3c9b95 --- /dev/null +++ b/examples/preserve-case-backend/main.go 
@@ -0,0 +1,42 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "log"
+ "net"
+
+ "github.com/valyala/fasthttp"
+)
+
+func HandleFastHTTP(ctx *fasthttp.RequestCtx) {
+ ctx.QueryArgs().VisitAll(func(key, value []byte) {
+ if string(key) == "headers" {
+ ctx.Response.Header.Add(string(value), "PrEsEnT")
+ }
+ })
+ headers := map[string][]string{}
+ ctx.Request.Header.VisitAll(func(key, value []byte) {
+ headers[string(key)] = append(headers[string(key)], string(value))
+ })
+ if d, err := json.MarshalIndent(headers, "", " "); err != nil {
+ ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest)
+ } else {
+ fmt.Fprintf(ctx, string(d)+"\n")
+ }
+}
+
+func main() {
+ s := fasthttp.Server{
+ Handler: HandleFastHTTP,
+ DisableHeaderNamesNormalizing: true,
+ }
+ log.Printf("Starting on port 8000")
+ l, _ := net.Listen("tcp", ":8000")
+ log.Fatal(s.Serve(l))
+}
diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml
index 714dd296067..c7390d6d70d 100644
--- a/test/e2e/base/manifests.yaml
+++ b/test/e2e/base/manifests.yaml
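Review bot: `fmt.Fprintf(ctx, string(d)+"\n")` in `HandleFastHTTP` uses the JSON built from the request's headers as the format string, so any `%` in a header name or value is parsed as a formatting verb and the echoed body is corrupted (`go vet` reports this as a non-constant format string). Write the bytes as data instead: `fmt.Fprintf(ctx, "%s\n", d)`. In `main`, `l, _ := net.Listen("tcp", ":8000")` drops the error, so a failed bind hands a nil listener to `s.Serve`; keep the error and stop with `if err != nil { log.Fatal(err) }`.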
@@ -424,113 +424,6 @@ spec: cpu: 10m --- apiVersion: v1 -kind: Namespace -metadata: - name: gateway-preserve-case-backend ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: go-server - namespace: gateway-preserve-case-backend -data: - go.mod: | - module srvr - go 1.22 - require ( - github.com/andybalholm/brotli v1.0.5 // indirect - github.com/klauspost/compress v1.17.0 // indirect - github.com/valyala/bytebufferpool v1.0.0 // indirect - github.com/valyala/fasthttp v1.51.0 // indirect - ) - go.sum: | - github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs= - github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= - github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= - github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= - github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= - github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= - github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA= - github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g= - main.go: | - package main - import ( - "encoding/json" - "fmt" - "log" - "github.com/valyala/fasthttp" - ) - func HandleFastHTTP(ctx *fasthttp.RequestCtx) { - ctx.QueryArgs().VisitAll(func(key, value []byte) { - if string(key) == "headers" { - ctx.Response.Header.Add(string(value), "PrEsEnT") - } - }) - headers := map[string][]string{} - ctx.Request.Header.VisitAll(func(key, value []byte) { - headers[string(key)] = append(headers[string(key)], string(value)) - }) - if d, err := json.MarshalIndent(headers, "", " "); err != nil { - ctx.Error(fmt.Sprintf("%s", err), fasthttp.StatusBadRequest) - } else { - fmt.Fprintf(ctx, string(d)+"\n") - } - } - func main() { - s := fasthttp.Server{ - Handler: HandleFastHTTP, - DisableHeaderNamesNormalizing: 
true, - } - log.Printf("Starting on port 8000") - log.Fatal(s.ListenAndServe(":8000")) - } ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-app-deployment - namespace: gateway-preserve-case-backend -spec: - replicas: 1 - selector: - matchLabels: - app: golang-app - template: - metadata: - labels: - app: golang-app - spec: - containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: go-server - mountPath: /app - volumes: - - name: go-server - configMap: - name: go-server ---- -apiVersion: v1 -kind: Service -metadata: - name: fasthttp-backend - namespace: gateway-preserve-case-backend -spec: - selector: - app: golang-app - ports: - - protocol: TCP - port: 8000 - targetPort: 8000 ---- -apiVersion: v1 data: tls.crt: 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 tls.key: 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 diff --git a/test/e2e/testdata/accesslog-als.yaml b/test/e2e/testdata/accesslog-als.yaml index cd998df4655..569195aba1a 100644 --- a/test/e2e/testdata/accesslog-als.yaml +++ b/test/e2e/testdata/accesslog-als.yaml 
@@ -15,186 +15,6 @@ spec: - name: infra-backend-v1 port: 8080 --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: envoy-als - namespace: monitoring -data: - go.mod: | - module envoy-als - go 1.22 - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/prometheus/client_golang v1.19.1 - google.golang.org/grpc v1.64.0 - ) - - require ( - github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.48.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect - golang.org/x/net v0.22.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= - github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= - github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= - github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50 h1:DBmgJDC9dTfkVyGgipamEh2BpGYxScCH1TOF1LL1cXc= - github.com/cncf/xds/go v0.0.0-20240318125728-8a4994d93e50/go.mod h1:5e1+Vvlzido69INQaVO6d87Qn543Xr6nooe9Kz7oBFM= - github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= - github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod 
h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= - github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= - github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= - github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= - github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= - github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= - github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= - github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= - golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= - golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= - golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= - golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= - google.golang.org/genproto/googleapis/rpc 
v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= - google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= - google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "log" - "net" - "net/http" - - alsv2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" - alsv3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3" - "github.com/prometheus/client_golang/prometheus" - "github.com/prometheus/client_golang/prometheus/promhttp" - - "google.golang.org/grpc" - ) - - var ( - LogCount = prometheus.NewCounterVec(prometheus.CounterOpts{ - Name: "log_count", - Help: "The total number of logs received.", - }, []string{"api_version"}) - ) - - func init() { - // Register the summary and the histogram with Prometheus's default registry. 
- prometheus.MustRegister(LogCount) - } - - type ALSServer struct { - } - - func (a *ALSServer) StreamAccessLogs(logStream alsv2.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v2 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v2").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v2 log data: %s\n", data.String()) - } - } - - type ALSServerV3 struct { - } - - func (a *ALSServerV3) StreamAccessLogs(logStream alsv3.AccessLogService_StreamAccessLogsServer) error { - log.Println("Streaming als v3 logs") - for { - data, err := logStream.Recv() - if err != nil { - return err - } - - httpLogs := data.GetHttpLogs() - if httpLogs != nil { - LogCount.WithLabelValues("v3").Add(float64(len(httpLogs.LogEntry))) - } - - log.Printf("Received v3 log data: %s\n", data.String()) - } - } - - func NewALSServer() *ALSServer { - return &ALSServer{} - } - - func NewALSServerV3() *ALSServerV3 { - return &ALSServerV3{} - } - - func main() { - mux := http.NewServeMux() - if err := addMonitor(mux); err != nil { - log.Printf("could not establish self-monitoring: %v\n", err) - } - - s := &http.Server{ - Addr: ":19001", - Handler: mux, - } - - go func() { - s.ListenAndServe() - }() - - listener, err := net.Listen("tcp", "0.0.0.0:8080") - if err != nil { - log.Fatalf("Failed to start listener on port 8080: %v", err) - } - - var opts []grpc.ServerOption - grpcServer := grpc.NewServer(opts...) 
- alsv2.RegisterAccessLogServiceServer(grpcServer, NewALSServer()) - alsv3.RegisterAccessLogServiceServer(grpcServer, NewALSServerV3()) - log.Println("Starting ALS Server") - if err := grpcServer.Serve(listener); err != nil { - log.Fatalf("grpc serve err: %v", err) - } - } - - func addMonitor(mux *http.ServeMux) error { - mux.Handle("/metrics", promhttp.HandlerFor(prometheus.DefaultGatherer, promhttp.HandlerOpts{EnableOpenMetrics: true})) - - return nil - } - ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -215,18 +35,8 @@ spec: spec: containers: - name: envoy-als - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . " - image: golang:1.22.3-alpine + image: envoyproxy/gateway-envoy-als + imagePullPolicy: IfNotPresent ports: - containerPort: 8080 - containerPort: 19001 - volumeMounts: - - name: envoy-als - mountPath: /app - volumes: - - name: envoy-als - configMap: - name: envoy-als diff --git a/test/e2e/testdata/ext-auth-grpc-service.yaml b/test/e2e/testdata/ext-auth-grpc-service.yaml index 744be444ba0..587dad8a860 100644 --- a/test/e2e/testdata/ext-auth-grpc-service.yaml +++ b/test/e2e/testdata/ext-auth-grpc-service.yaml 
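Review bot: `image: envoyproxy/gateway-envoy-als` in the envoy-als Deployment carries no tag or digest, so it resolves to `:latest`, and with `imagePullPolicy: IfNotPresent` the node uses a locally cached image if one exists and otherwise pulls whatever is published under that name. If the e2e run is meant to exercise the image built from this repository, which the removed `go run` setup suggests but the hunk does not show, make that explicit: write the tag out, `image: envoyproxy/gateway-envoy-als:latest`, and consider `imagePullPolicy: Never` so a missing local build fails the test instead of silently pulling a registry image.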
@@ -1,276 +1,5 @@ --- apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-auth - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.21 - - require ( - github.com/envoyproxy/go-control-plane v0.12.0 - github.com/golang/protobuf v1.5.4 - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI= - github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8 h1:IR+hp6ypxjH24bkMfEJ0yHR21+gwPWdV+/IBrPQyn3k= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240304212257-790db918fca8/go.mod h1:UCOku4NytXMJuLQE5VuqA5lX3PcHCBo8pxNyvkf4xBs= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "log" - "net" - "net/http" - "os" - "strings" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/golang/protobuf/ptypes/wrappers" - "google.golang.org/genproto/googleapis/rpc/code" - "google.golang.org/genproto/googleapis/rpc/status" - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - ) - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to server certificate and private key") - flag.Parse() - - lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen to %d: %v", port, err) - } - - users := TestUsers() - - // Load TLS credentials - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - - envoy_service_auth_v3.RegisterAuthorizationServer(gs, 
NewAuthServer(users)) - - log.Printf("starting gRPC server on: %d\n", port) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - type authServer struct { - users Users - } - - var _ envoy_service_auth_v3.AuthorizationServer = &authServer{} - - // NewAuthServer creates a new authorization server. - func NewAuthServer(users Users) envoy_service_auth_v3.AuthorizationServer { - return &authServer{users} - } - - // Check implements authorization's Check interface which performs authorization check based on the - // attributes associated with the incoming request. - func (s *authServer) Check( - _ context.Context, - req *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) { - authorization := req.Attributes.Request.Http.Headers["authorization"] - log.Println(authorization) - - extracted := strings.Fields(authorization) - if len(extracted) == 2 && extracted[0] == "Bearer" { - valid, user := s.users.Check(extracted[1]) - if valid { - return &envoy_service_auth_v3.CheckResponse{ - HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{ - OkResponse: &envoy_service_auth_v3.OkHttpResponse{ - Headers: []*envoy_api_v3_core.HeaderValueOption{ - { - Append: &wrappers.BoolValue{Value: false}, - Header: &envoy_api_v3_core.HeaderValue{ - // For a successful request, the authorization server sets the - // x-current-user value. - Key: "x-current-user", - Value: user, - }, - }, - }, - }, - }, - Status: &status.Status{ - Code: int32(code.Code_OK), - }, - }, nil - } - } - - return &envoy_service_auth_v3.CheckResponse{ - Status: &status.Status{ - Code: int32(code.Code_PERMISSION_DENIED), - }, - }, nil - } - - // Users holds a list of users. 
- type Users map[string]string - - // Check checks if a key could retrieve a user from a list of users. - func (u Users) Check(key string) (bool, string) { - value, ok := u[key] - if !ok { - return false, "" - } - return ok, value - } - - func TestUsers() Users { - return map[string]string{ - "token1": "user1", - "token2": "user2", - "token3": "user3", - } - } - - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_auth_v3.NewAuthorizationClient(conn) - - response, err := client.Check(context.Background(), &envoy_service_auth_v3.CheckRequest{ - Attributes: &envoy_service_auth_v3.AttributeContext{ - Request: &envoy_service_auth_v3.AttributeContext_Request{ - Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Headers: map[string]string{ - "authorization": "Bearer token1", - }, - }, - }, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - if response != nil && response.Status.Code == int32(code.Code_OK) { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load server's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, 
fmt.Errorf("could not load server key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - ca.AppendCertsFromPEM(caCert) - return ca, nil - } ---- -apiVersion: v1 kind: Secret metadata: name: grpc-ext-auth-secret 
@@ -287,39 +16,39 @@ metadata: namespace: gateway-conformance-infra data: ca.crt: | - -----BEGIN CERTIFICATE----- - MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL - BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z - NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG - SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 - zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 - tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 - 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV - u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM - 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG - qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z - UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil - sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO - 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi - 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 - wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba - zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG - A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj - LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m - cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg - Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz - W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH - b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr - issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ - bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i - tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg - XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij - +3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH - e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 - 
01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw - uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx - iFI1UfLQ/CuOtNsDTbi0 - -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFqzCCA5OgAwIBAgIUVuzUBkjFNxlNvZ+MPyR1AC7Tqb8wDQYJKoZIhvcNAQEL + BQAwGDEWMBQGA1UEAwwNZ3JwYy1leHQtYXV0aDAeFw0yNDAzMDkwMzUzMTdaFw0z + NDAzMDcwMzUzMTdaMBgxFjAUBgNVBAMMDWdycGMtZXh0LWF1dGgwggIiMA0GCSqG + SIb3DQEBAQUAA4ICDwAwggIKAoICAQCZnjeGlZbDVent0vEvFQZYLR8X/FeMN9O8 + zxFIZu9wGBEHk3Swn/Zxo8maNNB1L7R1/Ns2uT0uGWu/XHuUyRr8nsx3FKmnNLH7 + tXSlllEWSW3NTNt6OiMUqQygBpNlyHDL4WDzMXnwKm4lQaDYjpgsQVO3zIXDVEU2 + 4FFYN5RRdi29PK2TSMlVaktDLbsimXS4Yr0BPdm6GE73j1sSgzXwyFvzkn+AcHTV + u0d7gbOS0R0cE1T+BRIQ1TCB1boFwC5nA63rIC+oIseAIKk88v2OzkWGPx39+9EM + 0TEjmFBtoYqtsmxFVPzbGao+bxfJGH7pnEIctWXuXxaxEdonm0ZUIbjBZlQ9UhrG + qPZp7dpxc+lGafNTVrx0oXl4LKzVTNuJfqIuvpVTSwxNY2hdO0xwjl0VbZ/ojs5Z + UuKSp16KMj+i7gk2cyrLnBTDGaiZq2Uu0gmPV73MKc8LEqoI7g8bi6opAb93hlil + sJCmYkgy6Bw+H3rtLzYx+EpCQf5rZz6CxAd+L/ZHADFcGuTSRDOC6wuDfi4QCIbO + 7r6gso+sznqmRCd8B1vRT/NF6T8IaSY6hbpfFB+7kX1rC++V7NfVx81WKjTPsISi + 80kobVvC8qjvv/6lCDHvL5fbZb6bu0HoE7y3+YkaOXhKNpwGifPOkhm38O8Gwo41 + wM6mUnGtvwIDAQABo4HsMIHpMB0GA1UdDgQWBBQFwa6nI2fNbFi/gBpoGWzaiGba + zzAfBgNVHSMEGDAWgBQFwa6nI2fNbFi/gBpoGWzaiGbazzAJBgNVHRMEAjAAMAsG + A1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATBMBgNVHREERTBDgg1ncnBj + LWV4dC1hdXRogidncnBjLWV4dC1hdXRoLmdhdGV3YXktY29uZm9ybWFuY2UtaW5m + cmGCCWxvY2FsaG9zdDAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg + Q2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggIBAJIzSoC9PQ/R8f02p+4DWvTz + W78vKJIxiLko7onR1qt0H2OLv5Kc4atnT/jxt7VZWy4UJkfj0bVqTuWU4WyahmlH + b1QKwWiX3bjv+swbo8/wZJ22sHw0boqn0GVrgrQX0hEbh6T47eYCcBtvgVVmCKnr + issmU0Hhpox6roT3wan8l9dFD4xo9ihq4rHuorBlIMCgvEhdIUHT0wyX2z4KXRSZ + bgE8ezUgoyueOjgoE6agLbtK8KUUQWfLLqgFQOs8rA7HfvnQxB7wiJduvIdeyf+i + tn7fQVCqpWzsHuGfvY3ivjnAcQb9Toq+Q4I+/Xtq17Gh39go6+1nm/V/oJPEagEg + XL+OzcOF6cOMD7Zyov3PWVbJmRFsqvi2/ijf8vtgm5fGUFRIcJKZak7f4C9D5Cij + 
+3yyi8PhoQHyqC6q+GMEaxs2FCXWAmo1xWU67pCCYOMgegKcmXahGhVDpwTuuDsH + e1QwTLfMACks0vQWt9lL0u17OtqzQ94zNtLE9dSuLaZvSXqi0PjIVquMuqUBu9v8 + 01Z1TVBfFwUNO0tgUAiMRMcVlfjKj3fE0xNZeB/mXhvaiy5hZa6vUqIrEc9yxrIw + uCo3Acgff9aF+3AUBX4oWiaDmP0ZL5V0rD0dVSWeAmjagWUtTsVFzY8cbyOG6hWx + iFI1UfLQ/CuOtNsDTbi0 + -----END CERTIFICATE----- --- apiVersion: apps/v1 kind: Deployment @@ -337,35 +66,30 @@ spec: app: grpc-ext-auth spec: containers: - - name: golang-app-container - command: - - sh - - "-c" - - "cp -a /app /app-live && cd /app-live && go run . --certPath=/app-live/certs/ " - image: golang:1.21.3-alpine - ports: - - containerPort: 8000 - volumeMounts: - - name: grpc-ext-auth - mountPath: /app - - name: grpc-ext-auth-secret - mountPath: /app/certs - readinessProbe: - httpGet: - path: /healthz - port: 8080 + - name: golang-app-container + command: + - /grpc-ext-auth + - "--certPath=/app/certs" + image: envoyproxy/gateway-grpc-ext-auth:latest + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 + volumeMounts: + - name: grpc-ext-auth-secret + mountPath: /app/certs + readinessProbe: + httpGet: + path: /healthz + port: 8080 volumes: - - name: grpc-ext-auth - configMap: - name: grpc-ext-auth - - name: grpc-ext-auth-secret - secret: - secretName: grpc-ext-auth-secret - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key + - name: grpc-ext-auth-secret + secret: + secretName: grpc-ext-auth-secret + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key --- apiVersion: v1 kind: Service @@ -376,6 +100,6 @@ spec: selector: app: grpc-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 diff --git a/test/e2e/testdata/ext-auth-http-service.yaml b/test/e2e/testdata/ext-auth-http-service.yaml index cf08cc20751..a4e96928292 100644 --- a/test/e2e/testdata/ext-auth-http-service.yaml +++ b/test/e2e/testdata/ext-auth-http-service.yaml 
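Review bot: `containerPort: 8000` in the re-indented `golang-app-container` spec matches neither port this workload is reached on in the same file: the readiness probe targets 8080 and the Service's `targetPort` is 9002. The field is informational, so traffic still flows, but a manifest audit or a NetworkPolicy written from the declared ports would be based on the wrong number. Declaring `- containerPort: 9002` and `- containerPort: 8080` would make the manifest match what is exposed. The grpc-ext-proc Deployment in ext-proc-service.yaml keeps the same `containerPort: 8000` as a context line next to a probe on 8080.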
@@ -1,45 +1,4 @@ --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: http-ext-auth - namespace: gateway-conformance-infra -data: - http-ext-auth.js: | - const Http = require("http"); - const path = require("path"); - - const tokens = { - "token1": "user1", - "token2": "user2", - "token3": "user3" - }; - - const server = new Http.Server((req, res) => { - const authorization = req.headers["authorization"] || ""; - const extracted = authorization.split(" "); - if (extracted.length === 2 && extracted[0] === "Bearer") { - const user = checkToken(extracted[1]); - console.log(`token: "${extracted[1]}" user: "${user}`); - if (user !== undefined) { - // The authorization server returns a response with "x-current-user" header for a successful - // request. - res.writeHead(200, { "x-current-user": user }); - return res.end(); - } - } - res.writeHead(403); - res.end(); - }); - - const port = process.env.PORT || 9002; - server.listen(port); - console.log(`starting HTTP server on: ${port}`); - - function checkToken(token) { - return tokens[token]; - } ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -56,26 +15,17 @@ spec: app: http-ext-auth spec: containers: - - name: http-ext-auth - command: - - node - - /usr/src/app/http-ext-auth.js - image: node:19-bullseye - ports: - - containerPort: 9002 - volumeMounts: - name: http-ext-auth - mountPath: /usr/src/app - readinessProbe: - httpGet: - httpHeaders: - - name: authorization - value: "Bearer token1" - port: 9002 - volumes: - - name: http-ext-auth - configMap: - name: http-ext-auth + image: envoyproxy/gateway-http-ext-auth + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9002 + readinessProbe: + httpGet: + httpHeaders: + - name: authorization + value: "Bearer token1" + port: 9002 --- apiVersion: v1 kind: Service @@ -86,6 +36,6 @@ spec: selector: app: http-ext-auth ports: - - protocol: TCP - port: 9002 - targetPort: 9002 + - protocol: TCP + port: 9002 + targetPort: 9002 
diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml index 23b325f2031..3dc4796e123 100644 --- a/test/e2e/testdata/ext-proc-service.yaml +++ b/test/e2e/testdata/ext-proc-service.yaml 
@@ -1,343 +1,3 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: grpc-ext-proc - namespace: gateway-conformance-infra -data: - go.mod: | - module github.com/envoyproxy/gateway - - go 1.22 - - require ( - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 - google.golang.org/grpc v1.62.1 - ) - - require ( - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/text v0.14.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect - google.golang.org/protobuf v1.33.0 // indirect - ) - go.sum: | - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= - github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8 h1:Zghtu+wdlGvrmutCyhU9Ew5ozU18PVpxP+zGSgyUpFs= - github.com/envoyproxy/go-control-plane v0.12.1-0.20240322155512-db0b36a50fa8/go.mod h1:YtsM9q/kVkKyvmemY+BF/ZK7I93OWsx4uk4Do2Mr/OA= - github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= - github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= - github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= - github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= - github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= - github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795 
h1:pH+U6pJP0BhxqQ4njBUjOg0++WMMvv3eByWzB+oATBY= - github.com/planetscale/vtprotobuf v0.5.1-0.20231212170721-e7d721933795/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= - golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= - golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= - golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= - golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= - golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= - golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM= - google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= - google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= - google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= - google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= - google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= - main.go: | - package main - - import ( - "context" - "crypto/tls" - "crypto/x509" - "flag" - "fmt" - "io" - "log" - "net" - "net/http" - "os" - "strings" - - "google.golang.org/grpc/credentials" - - envoy_api_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" - envoy_service_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3" - - "google.golang.org/grpc" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - ) - - type extProcServer struct{} - - var ( - port int - certPath string - ) - - func main() { - flag.IntVar(&port, "port", 9002, "gRPC port") - flag.StringVar(&certPath, "certPath", "", "path to extProcServer certificate and private key") - flag.Parse() - - lis, err := 
net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - creds, err := loadTLSCredentials(certPath) - if err != nil { - log.Fatalf("Failed to load TLS credentials: %v", err) - } - gs := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gs, &extProcServer{}) - - go func() { - err = gs.Serve(lis) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - // Create Unix listener - gus := grpc.NewServer(grpc.Creds(creds)) - envoy_service_proc_v3.RegisterExternalProcessorServer(gus, &extProcServer{}) - - udsAddr := "/var/run/ext-proc/extproc.sock" - if _, err := os.Stat(udsAddr); err == nil { - if err := os.RemoveAll(udsAddr); err != nil { - log.Fatalf("failed to remove: %v", err) - } - } - - ul, err := net.Listen("unix", udsAddr) - if err != nil { - log.Fatalf("failed to listen: %v", err) - } - - err = os.Chmod(udsAddr, 0700) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - // envoy distroless uid - err = os.Chown(udsAddr, 65532, 0) - if err != nil { - log.Fatalf("failed to set permissions: %v", err) - } - - go func() { - err = gus.Serve(ul) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - }() - - http.HandleFunc("/healthz", healthCheckHandler) - err = http.ListenAndServe(":8080", nil) - if err != nil { - log.Fatalf("failed to serve: %v", err) - } - } - - // used by k8s readiness probes - // makes a processing request to check if the processor service is healthy - func healthCheckHandler(w http.ResponseWriter, r *http.Request) { - certPool, err := loadCA(certPath) - if err != nil { - log.Fatalf("Could not load CA certificate: %v", err) - } - - // Create TLS configuration - tlsConfig := &tls.Config{ - RootCAs: certPool, - ServerName: "grpc-ext-proc.envoygateway", - } - - // Create gRPC dial options - opts := []grpc.DialOption{ - grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), - } - - conn, err := 
grpc.Dial("localhost:9002", opts...) - if err != nil { - log.Fatalf("Could not connect: %v", err) - } - client := envoy_service_proc_v3.NewExternalProcessorClient(conn) - - processor, err := client.Process(context.Background()) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - err = processor.Send(&envoy_service_proc_v3.ProcessingRequest{ - Request: &envoy_service_proc_v3.ProcessingRequest_RequestHeaders{ - RequestHeaders: &envoy_service_proc_v3.HttpHeaders{}, - }, - }) - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - response, err := processor.Recv() - if err != nil { - log.Fatalf("Could not check: %v", err) - } - - if response != nil && response.GetRequestHeaders().Response.Status == envoy_service_proc_v3.CommonResponse_CONTINUE { - w.WriteHeader(http.StatusOK) - } else { - w.WriteHeader(http.StatusServiceUnavailable) - } - } - - func loadTLSCredentials(certPath string) (credentials.TransportCredentials, error) { - // Load extProcServer's certificate and private key - crt := "server.crt" - key := "server.key" - - if certPath != "" { - if !strings.HasSuffix(certPath, "/") { - certPath = fmt.Sprintf("%s/", certPath) - } - crt = fmt.Sprintf("%s%s", certPath, crt) - key = fmt.Sprintf("%s%s", certPath, key) - } - certificate, err := tls.LoadX509KeyPair(crt, key) - if err != nil { - return nil, fmt.Errorf("could not load extProcServer key pair: %s", err) - } - - // Create a new credentials object - creds := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{certificate}}) - - return creds, nil - } - - func loadCA(caPath string) (*x509.CertPool, error) { - ca := x509.NewCertPool() - caCertPath := "server.crt" - if caPath != "" { - if !strings.HasSuffix(caPath, "/") { - caPath = fmt.Sprintf("%s/", caPath) - } - caCertPath = fmt.Sprintf("%s%s", caPath, caCertPath) - } - caCert, err := os.ReadFile(caCertPath) - if err != nil { - return nil, fmt.Errorf("could not read ca certificate: %s", err) - } - 
ca.AppendCertsFromPEM(caCert) - return ca, nil - } - - func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_ProcessServer) error { - ctx := srv.Context() - for { - select { - case <-ctx.Done(): - return ctx.Err() - default: - } - req, err := srv.Recv() - if err == io.EOF { - return nil - } - if err != nil { - return status.Errorf(codes.Unknown, "cannot receive stream request: %v", err) - } - - resp := &envoy_service_proc_v3.ProcessingResponse{} - switch v := req.Request.(type) { - case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: - xrch := "" - if v.RequestHeaders != nil { - hdrs := v.RequestHeaders.Headers.GetHeaders() - for _, hdr := range hdrs { - if hdr.Key == "x-request-client-header" { - xrch = string(hdr.RawValue) - } - } - } - - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - - if xrch != "" { - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header", - RawValue: []byte("mutated"), - }, - }) - rhq.Response.HeaderMutation.SetHeaders = append(rhq.Response.HeaderMutation.SetHeaders, - &envoy_api_v3_core.HeaderValueOption{ - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-request-client-header-received", - RawValue: []byte(xrch), - }, - }) - } - - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_RequestHeaders{ - RequestHeaders: rhq, - }, - } - break - case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders: - rhq := &envoy_service_proc_v3.HeadersResponse{ - Response: &envoy_service_proc_v3.CommonResponse{ - HeaderMutation: 
&envoy_service_proc_v3.HeaderMutation{ - SetHeaders: []*envoy_api_v3_core.HeaderValueOption{ - { - Header: &envoy_api_v3_core.HeaderValue{ - Key: "x-response-ext-processed", - RawValue: []byte("true"), - }, - }, - }, - }, - }, - } - resp = &envoy_service_proc_v3.ProcessingResponse{ - Response: &envoy_service_proc_v3.ProcessingResponse_ResponseHeaders{ - ResponseHeaders: rhq, - }, - } - break - default: - log.Printf("Unknown Request type %v\n", v) - } - if err := srv.Send(resp); err != nil { - log.Printf("send error %v", err) - } - } - } - - --- apiVersion: v1 kind: Secret @@ -394,16 +54,13 @@ spec: spec: containers: - name: golang-app-container - command: - - sh - - "-c" - - "cd /app && go run . --certPath=/app/certs/" - image: golang:1.22.3-alpine + image: envoyproxy/gateway-grpc-ext-proc:latest + imagePullPolicy: IfNotPresent + args: + - --certPath=/app/certs/ ports: - containerPort: 8000 volumeMounts: - - name: grpc-ext-proc - mountPath: /app - name: grpc-ext-proc-secret mountPath: /app/certs - name: socket-dir @@ -413,9 +70,6 @@ spec: path: /healthz port: 8080 volumes: - - name: grpc-ext-proc - configMap: - name: grpc-ext-proc - name: grpc-ext-proc-secret secret: secretName: grpc-ext-proc-secret diff --git a/test/e2e/testdata/preserve-case.yaml b/test/e2e/testdata/preserve-case.yaml index c815a19e332..52f061662d1 100644 --- a/test/e2e/testdata/preserve-case.yaml +++ b/test/e2e/testdata/preserve-case.yaml @@ -1,3 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-preserve-case-backend +--- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: 
@@ -5,12 +11,12 @@ metadata: namespace: gateway-preserve-case-backend spec: from: - - group: gateway.networking.k8s.io - kind: HTTPRoute - namespace: gateway-conformance-infra + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: gateway-conformance-infra to: - - group: "" - kind: Service + - group: "" + kind: Service --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: ClientTrafficPolicy @@ -19,9 +25,9 @@ metadata: namespace: gateway-conformance-infra spec: targetRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: same-namespace + - group: gateway.networking.k8s.io + kind: Gateway + name: same-namespace http1: preserveHeaderCase: true --- @@ -32,13 +38,48 @@ metadata: namespace: gateway-conformance-infra spec: parentRefs: - - name: same-namespace + - name: same-namespace rules: - - matches: - - path: - type: PathPrefix - value: /preserve - backendRefs: - - name: fasthttp-backend - namespace: gateway-preserve-case-backend + - matches: + - path: + type: PathPrefix + value: /preserve + backendRefs: + - name: fasthttp-backend + namespace: gateway-preserve-case-backend + port: 8000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: preserve-case + namespace: gateway-preserve-case-backend +spec: + replicas: 1 + selector: + matchLabels: + app: preserve-case + template: + metadata: + labels: + app: preserve-case + spec: + containers: + - name: preserve-case + image: envoyproxy/gateway-preserve-case-backend + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8000 +--- +apiVersion: v1 +kind: Service +metadata: + name: fasthttp-backend + namespace: gateway-preserve-case-backend +spec: + selector: + app: preserve-case + ports: + - protocol: TCP port: 8000 + targetPort: 8000 diff --git a/test/e2e/tests/preservecase.go b/test/e2e/tests/preservecase.go index 82e865aaad0..6c81dfe5092 100644 --- a/test/e2e/tests/preservecase.go +++ b/test/e2e/tests/preservecase.go 
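Review bot: The added `preserve-case` Deployment declares no `readinessProbe`, so the `PodReady` condition the test now waits on (the `WaitForPods` call added in test/e2e/tests/preservecase.go) becomes true as soon as the container starts, not when the backend accepts connections on 8000. A `readinessProbe` with `tcpSocket` on `port: 8000` on the container would make that wait meaningful. The pod spec also sets no `securityContext` or `resources`, which is probably acceptable for a test backend but may be rejected in namespaces that enforce the restricted Pod Security Standard.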
@@ -17,6 +17,7 @@ import ( "regexp" "testing" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/conformance/utils/http" "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" @@ -101,7 +102,7 @@ func casePreservingRoundTrip(request roundtripper.Request, transport nethttp.Rou } var PreserveCaseTest = suite.ConformanceTest{ - ShortName: "Preserve Case", + ShortName: "PreserveCase", Description: "Preserve header cases", Manifests: []string{"testdata/preserve-case.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { @@ -111,6 +112,7 @@ var PreserveCaseTest = suite.ConformanceTest{ gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + WaitForPods(t, suite.Client, "gateway-preserve-case-backend", map[string]string{"app": "preserve-case"}, corev1.PodRunning, PodReady) // Can't use the standard method for checking the response, since the remote side isn't the // conformance echo server and it returns a differently formatted response. expectedResponse := http.ExpectedResponse{ diff --git a/tools/make/common.mk b/tools/make/common.mk index 4d5d42a7626..4eca7ce06ec 100644 --- a/tools/make/common.mk +++ b/tools/make/common.mk @@ -79,6 +79,7 @@ include tools/make/kube.mk include tools/make/docs.mk include tools/make/helm.mk include tools/make/proto.mk +include tools/make/examples.mk # Log the running target LOG_TARGET = echo -e "\033[0;32m===========> Running $@ ... \033[0m" diff --git a/tools/make/examples.mk b/tools/make/examples.mk new file mode 100644 index 00000000000..5caf9846e63 --- /dev/null +++ b/tools/make/examples.mk 
@@ -0,0 +1,20 @@ + +EXAMPLE_APPS := grpc-ext-auth envoy-als grpc-ext-proc http-ext-auth preserve-case-backend +EXAMPLE_IMAGE_PREFIX ?= envoyproxy/gateway- +EXAMPLE_TAG ?= latest + +.PHONY: kube-build-examples-image +kube-build-examples-image: + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + pushd $(ROOT_DIR)/examples/$$app; \ + make docker-buildx; \ + popd; \ + done + +.PHONY: kube-install-examples-image +kube-install-examples-image: kube-build-examples-image + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG); \ + done \ No newline at end of file diff --git a/tools/make/kube.mk b/tools/make/kube.mk index daf109f478e..0abbe5dac98 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -132,7 +132,9 @@ experimental-conformance: create-cluster kube-install-image kube-deploy run-expe benchmark: create-cluster kube-install-image kube-deploy-for-benchmark-test run-benchmark delete-cluster ## Create a kind cluster, deploy EG into it, run Envoy Gateway benchmark test, and clean up. .PHONY: e2e -e2e: create-cluster kube-install-image kube-deploy install-ratelimit install-e2e-telemetry run-e2e delete-cluster +e2e: create-cluster kube-install-image kube-deploy \ + install-ratelimit install-e2e-telemetry kube-install-examples-image \ + run-e2e delete-cluster .PHONY: install-ratelimit install-ratelimit: From 7b85d22ee1cc58d24ac99364a27cb75dcba93f29 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 5 Nov 2024 02:31:04 +0800 Subject: [PATCH 346/523] fix: wasm oci image source e2e test failed when IP_FAMILY=ipv6 (#4623) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixt wasm test” Signed-off-by: Huabing Zhao --- test/e2e/tests/wasm_oci.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/e2e/tests/wasm_oci.go b/test/e2e/tests/wasm_oci.go index 00abdc9ca1f..514ab937352 100644 --- a/test/e2e/tests/wasm_oci.go 
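Review bot: In `kube-build-examples-image` the `for` loop discards the exit status of `make docker-buildx`: unless the recipe shell runs with `-e` (not visible in this hunk), the recipe's status is that of the last command of the last iteration, `popd`, so a failed image build does not fail the target. `kube-install-examples-image` has the same shape, where only the final `kind-load-image.sh` call decides the result. The e2e run can then start without the freshly built image, and with `imagePullPolicy: IfNotPresent` in the test manifest the cluster may fall back to an image from the registry. Stopping at the first failure closes this, e.g. `$(MAKE) -C $(ROOT_DIR)/examples/$$app docker-buildx || exit 1; \` and `tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG) || exit 1; \`. Using `$(MAKE) -C` also removes the dependency on the bash built-ins `pushd`/`popd`.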
+++ b/test/e2e/tests/wasm_oci.go @@ -15,6 +15,7 @@ import ( "errors" "fmt" "io" + "net" "testing" "time" @@ -70,7 +71,7 @@ var OCIWasmTest = suite.ConformanceTest{ if err != nil { t.Fatalf("failed to get registry IP: %v", err) } - registryAddr := fmt.Sprintf("%s:5000", registryIP) + registryAddr := net.JoinHostPort(registryIP, "5000") // Push the wasm image to the registry digest := pushWasmImageForTest(t, suite, registryAddr) From b0ab317fa7ac81df756d647ea3a6f79678926f3f Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 5 Nov 2024 02:32:03 +0800 Subject: [PATCH 347/523] workaroud for the flaky oidc e2e test (#4603) * workaroud for the flaky oidc e2e test Signed-off-by: Huabing Zhao * add issue link Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- test/e2e/tests/oidc-backendcluster.go | 2 +- test/e2e/tests/oidc.go | 40 ++++++++++++++++++++------- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/test/e2e/tests/oidc-backendcluster.go b/test/e2e/tests/oidc-backendcluster.go index fec73d74313..146c5f194ab 100644 --- a/test/e2e/tests/oidc-backendcluster.go +++ b/test/e2e/tests/oidc-backendcluster.go @@ -26,7 +26,7 @@ var OIDCBackendClusterTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml") }) }, } diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 46f82f7ae09..ccc11bc02c5 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go 
@@ -17,6 +17,7 @@ import ( "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -26,6 +27,7 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" ) @@ -48,7 +50,7 @@ var OIDCTest = suite.ConformanceTest{ Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("oidc provider represented by a URL", func(t *testing.T) { - testOIDC(t, suite) + testOIDC(t, suite, "testdata/oidc-securitypolicy.yaml") }) t.Run("http route without oidc authentication", func(t *testing.T) { @@ -92,7 +94,7 @@ var OIDCTest = suite.ConformanceTest{ }, } -func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { +func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyManifest string) { var ( testURL = "http://www.example.com/myapp" logoutURL = "http://www.example.com/myapp/logout" @@ -119,7 +121,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { WaitForPods(t, suite.Client, ns, map[string]string{"job-name": "setup-keycloak"}, corev1.PodSucceeded, podInitialized) // Initialize the test OIDC client that will keep track of the state of the OIDC login process - client, err := NewOIDCTestClient( + oidcClient, err := NewOIDCTestClient( WithLoggingOptions(t.Log, true), // Map the application and keycloak cluster DNS name to the gateway address WithCustomAddressMappings(map[string]string{ 
@@ -135,13 +137,31 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Send a request to the http route with OIDC configured. // It will be redirected to the keycloak login page - res, err := client.Get(testURL, true) - require.NoError(t, err, "Failed to get the login page") - require.Equal(t, 200, res.StatusCode, "Expected 200 OK") + res, err := oidcClient.Get(testURL, true) + if err != nil { + tlog.Logf(t, "failed to get the login page: %v", err) + return false, nil + } + if res.StatusCode != http.StatusOK { + tlog.Logf(t, "Failed to get the login page, expected 200 OK, got %d", res.StatusCode) + return false, nil + } // Parse the response body to get the URL where the login page would post the user-entered credentials - if err := client.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { + if err := oidcClient.ParseLoginForm(res.Body, keyCloakLoginFormID); err != nil { tlog.Logf(t, "failed to parse login form: %v", err) + // recreate the security policy to force repushing the configuration to the envoy proxy to recover from the error. + // This is a workaround for the flaky test: https://github.com/envoyproxy/gateway/issues/3898 + // TODO: we should investigate the root cause of the flakiness and remove this workaround + existingSP := &egv1a1.SecurityPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns, + Name: sp, + }, + } + require.NoError(t, suite.Client.Delete(context.TODO(), existingSP)) + suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, securityPolicyManifest, false) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) return false, nil } 
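Review bot: The recovery branch under `oidcClient.ParseLoginForm` treats every 200 response that lacks the login form as the known flake, so a response served by the backend without authentication would be retried away instead of failing the test. Since this test is the check that the route is protected, the branch should record what was actually returned before recreating the policy, for example with a comment and log line such as `// a 200 without the login form may also mean the request bypassed OIDC; log it so retries do not hide that`. Separately, `require.NoError(t, suite.Client.Delete(context.TODO(), existingSP))` aborts the whole test on any delete error, including not-found, which does not fit the surrounding `return false, nil` retry style. Logging the error and returning `false, nil` would match it. The enclosing poll function starts and ends outside this hunk, so how often the branch can run is not visible here.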
@@ -153,7 +173,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { // Submit the login form to the IdP. // This will authenticate and redirect back to the application - res, err := client.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) + res, err := oidcClient.Login(map[string]string{"username": username, "password": password, "credentialId": ""}) require.NoError(t, err, "Failed to login to the IdP") // Verify that we get the expected response from the application @@ -163,14 +183,14 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite) { require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can access the application without logging in again - res, err = client.Get(testURL, false) + res, err = oidcClient.Get(testURL, false) require.NoError(t, err) require.Equal(t, http.StatusOK, res.StatusCode) require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can logout // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. - res, err = client.Get(logoutURL, false) + res, err = oidcClient.Get(logoutURL, false) require.NoError(t, err) require.Equal(t, http.StatusFound, res.StatusCode) From 26a63e169bbb86abcc4d9034e98a3a947064a582 Mon Sep 17 00:00:00 2001 
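Review bot: In the hunk at `@@ -163,14 +183,14 @@`, the `require.Contains(t, string(body), "infra-backend-v1", ...)` that follows the second `oidcClient.Get(testURL, false)` still checks `body` from the earlier login response; nothing in the hunk re-reads `res.Body` after the new request. The "access the application without logging in again" step therefore asserts only the status code, and a 200 with unexpected content would pass. Re-reading before the assertion fixes it, e.g. `body, err = io.ReadAll(res.Body)` followed by `require.NoError(t, err)`, assuming `body` was originally filled that way outside the hunk. testOIDC continues beyond this hunk.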
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:35:59 -0800 Subject: [PATCH 348/523] build(deps): bump softprops/action-gh-release from 2.0.8 to 2.0.9 (#4622) Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.8 to 2.0.9. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/c062e08bd532815e2082a85e87e3ef29c3e6d191...e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao --- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 13f1895ddc8..786bc4d058e 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -107,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: draft: false prerelease: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f1d45bddfe4..feec5902af6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -93,7 +93,7 @@ jobs: tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl - name: Upload Release Manifests - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v0.1.15 + uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 with: files: | release-artifacts/install.yaml From 1a57daf8eeb995c54aa5e32161806a5da201727b Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 4 Nov 2024 13:15:17 -0800 Subject: [PATCH 349/523] Set ignore_health_on_host_removal to true for static clusters (#4612) Removes the endpoint from the pool faster instead of waiting for the result of the active health. Since the control plane already has definitive endpoint health info from the EndpointSlice API, its safe to set this. Fixes: https://github.com/envoyproxy/gateway/issues/4564 
Signed-off-by: Arko Dasgupta --- .../testdata/translate/out/default-resources.all.yaml | 5 +++++ .../translate/out/echo-gateway-api.cluster.yaml | 1 + .../translate/out/from-gateway-api-to-xds.all.json | 5 +++++ .../translate/out/from-gateway-api-to-xds.all.yaml | 5 +++++ .../translate/out/from-gateway-api-to-xds.cluster.yaml | 5 +++++ .../out/jwt-single-route-single-match-to-xds.all.json | 1 + .../out/jwt-single-route-single-match-to-xds.all.yaml | 1 + .../jwt-single-route-single-match-to-xds.cluster.yaml | 1 + .../translate/out/no-service-cluster-ip.all.yaml | 1 + internal/xds/translator/cluster.go | 3 +++ .../extensionpolicy-tcp-udp-http.clusters.yaml | 1 + .../http-route-extension-filter.clusters.yaml | 1 + .../out/extension-xds-ir/http-route.clusters.yaml | 1 + .../out/xds-ir/accesslog-als-tcp.clusters.yaml | 1 + .../testdata/out/xds-ir/accesslog-cel.clusters.yaml | 1 + .../out/xds-ir/accesslog-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/accesslog-formatters.clusters.yaml | 1 + .../out/xds-ir/accesslog-multi-cel.clusters.yaml | 1 + .../testdata/out/xds-ir/accesslog-types.clusters.yaml | 7 +++++++ .../out/xds-ir/accesslog-without-format.clusters.yaml | 2 ++ .../testdata/out/xds-ir/accesslog.clusters.yaml | 2 ++ .../out/xds-ir/authorization-client-cidr.clusters.yaml | 3 +++ .../out/xds-ir/authorization-jwt-claim.clusters.yaml | 2 ++ .../out/xds-ir/authorization-jwt-scope.clusters.yaml | 2 ++ .../authorization-multiple-principals.clusters.yaml | 1 + .../out/xds-ir/backend-buffer-limit.clusters.yaml | 3 +++ .../testdata/out/xds-ir/backend-priority.clusters.yaml | 3 +++ .../testdata/out/xds-ir/basic-auth.clusters.yaml | 3 +++ .../testdata/out/xds-ir/circuit-breaker.clusters.yaml | 1 + .../out/xds-ir/client-buffer-limit.clusters.yaml | 2 ++ .../out/xds-ir/client-ip-detection.clusters.yaml | 3 +++ .../testdata/out/xds-ir/client-timeout.clusters.yaml | 2 ++ .../translator/testdata/out/xds-ir/cors.clusters.yaml | 1 + 
.../testdata/out/xds-ir/custom-response.clusters.yaml | 1 + .../testdata/out/xds-ir/ext-auth-backend.clusters.yaml | 3 +++ .../out/xds-ir/ext-auth-recomputation.clusters.yaml | 3 +++ .../testdata/out/xds-ir/ext-auth.clusters.yaml | 5 +++++ .../ext-proc-with-traffic-settings.clusters.yaml | 3 +++ .../testdata/out/xds-ir/ext-proc.clusters.yaml | 6 ++++++ .../testdata/out/xds-ir/fault-injection.clusters.yaml | 5 +++++ .../headers-with-preserve-x-request-id.clusters.yaml | 2 ++ .../headers-with-underscores-action.clusters.yaml | 4 ++++ .../testdata/out/xds-ir/health-check.clusters.yaml | 5 +++++ .../xds-ir/http-early-header-mutation.clusters.yaml | 2 ++ .../out/xds-ir/http-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/http-health-check.clusters.yaml | 1 + .../xds-ir/http-preserve-client-protocol.clusters.yaml | 1 + .../out/xds-ir/http-req-resp-sizes-stats.clusters.yaml | 1 + .../xds-ir/http-route-direct-response.clusters.yaml | 1 + .../out/xds-ir/http-route-mirror.clusters.yaml | 1 + .../xds-ir/http-route-multiple-matches.clusters.yaml | 7 +++++++ .../xds-ir/http-route-multiple-mirrors.clusters.yaml | 3 +++ .../xds-ir/http-route-partial-invalid.clusters.yaml | 1 + .../out/xds-ir/http-route-redirect.clusters.yaml | 1 + .../testdata/out/xds-ir/http-route-regex.clusters.yaml | 1 + .../xds-ir/http-route-request-headers.clusters.yaml | 1 + .../http-route-response-add-headers.clusters.yaml | 1 + ...ttp-route-response-add-remove-headers.clusters.yaml | 1 + .../http-route-response-remove-headers.clusters.yaml | 1 + ...tp-route-rewrite-root-path-url-prefix.clusters.yaml | 1 + ...-rewrite-sufixx-with-slash-url-prefix.clusters.yaml | 1 + .../http-route-rewrite-url-fullpath.clusters.yaml | 1 + .../xds-ir/http-route-rewrite-url-host.clusters.yaml | 1 + .../xds-ir/http-route-rewrite-url-prefix.clusters.yaml | 1 + .../xds-ir/http-route-rewrite-url-regex.clusters.yaml | 1 + .../http-route-session-persistence.clusters.yaml | 1 + .../out/xds-ir/http-route-timeout.clusters.yaml | 3 
+++ .../http-route-weighted-backend-uds-ip.clusters.yaml | 1 + ...p-route-weighted-backend-with-filters.clusters.yaml | 2 ++ .../xds-ir/http-route-weighted-backend.clusters.yaml | 1 + .../http-route-weighted-invalid-backend.clusters.yaml | 1 + .../xds-ir/http-route-with-clientcert.clusters.yaml | 1 + .../out/xds-ir/http-route-with-metadata.clusters.yaml | 2 ++ ...http-route-with-tls-system-truststore.clusters.yaml | 1 + ...p-route-with-tlsbundle-multiple-certs.clusters.yaml | 2 ++ .../out/xds-ir/http-route-with-tlsbundle.clusters.yaml | 1 + .../testdata/out/xds-ir/http-route.clusters.yaml | 1 + .../out/xds-ir/http1-preserve-case.clusters.yaml | 2 ++ .../testdata/out/xds-ir/http1-trailers.clusters.yaml | 1 + .../testdata/out/xds-ir/http10.clusters.yaml | 1 + .../testdata/out/xds-ir/http2-route.clusters.yaml | 4 ++++ .../translator/testdata/out/xds-ir/http2.clusters.yaml | 1 + .../translator/testdata/out/xds-ir/http3.clusters.yaml | 1 + .../xds-ir/jsonpatch-missing-resource.clusters.yaml | 1 + .../out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml | 2 ++ .../testdata/out/xds-ir/jsonpatch.clusters.yaml | 1 + .../out/xds-ir/jwt-custom-extractor.clusters.yaml | 1 + .../jwt-multi-route-multi-provider.clusters.yaml | 3 +++ .../jwt-multi-route-single-provider.clusters.yaml | 2 ++ .../testdata/out/xds-ir/jwt-optional.clusters.yaml | 1 + .../testdata/out/xds-ir/jwt-ratelimit.clusters.yaml | 4 ++++ .../xds-ir/jwt-single-route-single-match.clusters.yaml | 1 + .../out/xds-ir/listener-connection-limit.clusters.yaml | 2 ++ .../out/xds-ir/listener-proxy-protocol.clusters.yaml | 2 ++ .../out/xds-ir/listener-tcp-keepalive.clusters.yaml | 2 ++ .../testdata/out/xds-ir/load-balancer.clusters.yaml | 10 ++++++++++ .../testdata/out/xds-ir/local-ratelimit.clusters.yaml | 3 +++ .../out/xds-ir/metrics-virtual-host.clusters.yaml | 1 + .../out/xds-ir/mixed-tls-jwt-authn.clusters.yaml | 1 + ...ners-same-port-with-different-filters.clusters.yaml | 4 ++++ 
.../xds-ir/multiple-listeners-same-port.clusters.yaml | 6 ++++++ .../multiple-simple-tcp-route-same-port.clusters.yaml | 5 +++++ ...d-client-certificate-with-custom-data.clusters.yaml | 5 +++++ ...mutual-tls-forward-client-certificate.clusters.yaml | 5 +++++ ...-required-client-certificate-disabled.clusters.yaml | 2 ++ .../testdata/out/xds-ir/mutual-tls.clusters.yaml | 2 ++ .../xds-ir/oidc-backend-cluster-provider.clusters.yaml | 1 + .../translator/testdata/out/xds-ir/oidc.clusters.yaml | 2 ++ .../testdata/out/xds-ir/path-settings.clusters.yaml | 1 + .../out/xds-ir/proxy-protocol-upstream.clusters.yaml | 1 + .../out/xds-ir/ratelimit-custom-domain.clusters.yaml | 3 +++ .../out/xds-ir/ratelimit-disable-headers.clusters.yaml | 3 +++ .../out/xds-ir/ratelimit-endpoint-stats.clusters.yaml | 3 +++ .../xds-ir/ratelimit-headers-and-cidr.clusters.yaml | 3 +++ .../out/xds-ir/ratelimit-sourceip.clusters.yaml | 4 ++++ .../testdata/out/xds-ir/ratelimit.clusters.yaml | 4 ++++ .../out/xds-ir/retry-partial-invalid.clusters.yaml | 1 + .../testdata/out/xds-ir/simple-tls.clusters.yaml | 1 + .../out/xds-ir/suppress-envoy-headers.clusters.yaml | 1 + .../out/xds-ir/tcp-listener-ipfamily.clusters.yaml | 1 + .../out/xds-ir/tcp-route-complex.clusters.yaml | 1 + .../testdata/out/xds-ir/tcp-route-simple.clusters.yaml | 1 + .../out/xds-ir/tcp-route-tls-terminate.clusters.yaml | 2 ++ .../xds-ir/tcp-route-weighted-backend.clusters.yaml | 1 + .../testdata/out/xds-ir/timeout.clusters.yaml | 1 + .../out/xds-ir/tls-route-passthrough.clusters.yaml | 1 + .../tls-with-ciphers-versions-alpn.clusters.yaml | 2 ++ .../testdata/out/xds-ir/tracing-datadog.clusters.yaml | 1 + .../out/xds-ir/tracing-endpoint-stats.clusters.yaml | 1 + .../testdata/out/xds-ir/tracing-zipkin.clusters.yaml | 1 + .../testdata/out/xds-ir/tracing.clusters.yaml | 1 + .../out/xds-ir/udp-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml | 1 + .../testdata/out/xds-ir/udp-route.clusters.yaml | 1 + 
.../out/xds-ir/upstream-tcpkeepalive.clusters.yaml | 1 + .../translator/testdata/out/xds-ir/wasm.clusters.yaml | 2 ++ 136 files changed, 282 insertions(+) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index b965d6d9818..26e42496459 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -778,6 +778,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -797,6 +798,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -823,6 +825,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -842,6 +845,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -861,6 +865,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index f88b74ed0c4..cc99b73a833 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml 
@@ -106,6 +106,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 81f8f2b8c3d..a89e4bcdae3 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -466,6 +466,7 @@ }, "serviceName": "httproute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/default/backend/rule/0", "outlierDetection": {}, @@ -495,6 +496,7 @@ }, "serviceName": "grpcroute/default/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "grpcroute/default/backend/rule/0", "outlierDetection": {}, @@ -535,6 +537,7 @@ }, "serviceName": "tcproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tcproute/default/backend/rule/-1", "outlierDetection": {}, @@ -564,6 +567,7 @@ }, "serviceName": "tlsroute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tlsroute/default/backend/rule/-1", "outlierDetection": {}, @@ -593,6 +597,7 @@ }, "serviceName": "udproute/default/backend/rule/-1" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "udproute/default/backend/rule/-1", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index d4ceef84de2..fbb1df4f5b0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml 
+++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -257,6 +257,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -276,6 +277,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} @@ -302,6 +304,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -321,6 +324,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -340,6 +344,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index c9f782804a4..7545c4660d0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 outlierDetection: {} @@ -35,6 +36,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: grpcroute/default/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 outlierDetection: {} 
@@ -61,6 +63,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tcproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 outlierDetection: {} @@ -80,6 +83,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: tlsroute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 outlierDetection: {} @@ -99,6 +103,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: udproute/default/backend/rule/-1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 782775f605f..6ce6ee01347 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -358,6 +358,7 @@ }, "serviceName": "httproute/envoy-gateway-system/backend/rule/0" }, + "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/envoy-gateway-system/backend/rule/0", "outlierDetection": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 7579be57f5f..237f0f3a4ac 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index d0add370ce3..9d93c93a8a4 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml @@ -16,6 +16,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/backend/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 outlierDetection: {} diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index e6e91b9ec45..517f3482f9f 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -201,6 +201,7 @@ xds: ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway-system/routes/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/routes/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 2a182ce5b75..5a13076e456 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -158,6 +158,9 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { }, }, } + // Dont wait for a health check to determine health and remove these endpoints + // if the endpoint has been removed via EDS by the control plane + cluster.IgnoreHealthOnHostRemoval = true } else { cluster.ClusterDiscoveryType = &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STRICT_DNS} cluster.DnsRefreshRate = durationpb.New(30 * time.Second) 
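Review bot: The comment added above `cluster.IgnoreHealthOnHostRemoval = true` in the `cluster.go` hunk explains the intent but not the trade-off: with this set, a host dropped from an EDS update is removed at once even while it still passes active health checks, so a stale or partial endpoint view in the control plane now removes live endpoints immediately. The assignment sits in the branch before the `else` that selects `clusterv3.Cluster_STRICT_DNS`, so DNS-resolved clusters are not changed, while the commit title speaks of static clusters; the comment should say which cluster types are meant. Something like `// EDS clusters only: hosts removed by the control plane are dropped immediately, without waiting for active health checks to fail.` would cover both and also replaces the misspelled "Dont". buildXdsCluster starts and ends outside the hunk.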
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index 8012c6fa499..cdbb352dd54 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index 45f45f5c9bf..f986750be1b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index be515fc1afb..9696a28a86c 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -11,6 +11,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index ea9ef9405ee..7709f2c4e9c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 6d040000dbb..22d5e08aca3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index e0328b6e26c..5e41cf09397 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_1 outlierDetection: {} @@ -51,6 +53,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_0_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_2 outlierDetection: {} 
@@ -75,6 +78,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_1 outlierDetection: {} @@ -99,6 +103,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_1_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_2 outlierDetection: {} @@ -123,6 +128,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_1 outlierDetection: {} @@ -147,6 +153,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog_als_2_2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_2 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index d9c561cee48..dbf145e7d6d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: accesslog/monitoring/envoy-als/port/9000 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index b3f75f0e04e..0002897cb8d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index 660d4f6b224..f5211bc9922 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index 33c8f6a68a4..e36a7f976be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index b6f2821b650..4088295c2de 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index e4e5b8994bc..1c7cbaf45e0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index 90636e8ffe1..93e5ebb91b6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -13,6 +13,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index 5aa4727b18a..045afb39e71 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index 880f77a06f0..18846488a59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index e478c2054cd..ba70eb86e94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend outlierDetection: {} @@ -85,6 +89,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index 4e73328fa8e..3bac84394be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -45,6 +47,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-http-route/0 + ignoreHealthOnHostRemoval: true name: envoyextensionpolicy/default/policy-for-http-route/0 outlierDetection: baseEjectionTime: 30s diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 6ea0615cb31..ede262a5694 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 outlierDetection: {} @@ -68,6 +71,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 outlierDetection: {} 
@@ -92,6 +96,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 outlierDetection: {} @@ -116,6 +121,7 @@ ads: {} resourceApiVersion: V3 serviceName: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index d65e267ad7d..820f85f625b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 7a7e90de25b..0a3d6ba340e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 485139eb2c8..09b9396270a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -25,6 +25,7 @@ interval: 3s timeout: 0.500s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: @@ -61,6 +62,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: @@ -94,6 +96,7 @@ text: "70696e67" timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: @@ -127,6 +130,7 @@ binary: cGluZw== timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: @@ -158,6 +162,7 @@ interval: 5s timeout: 1s unhealthyThreshold: 3 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 22e6727066a..35b68d18b32 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index e9ea29c138f..f1b16b07b54 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index f8cfa834cdd..4f007ff7c47 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index 7d112afb676..9b420408aaa 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index f0ea3b32320..3e4300de532 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 53d1f9a7c1a..0bd72d2b460 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index 0322cbb616d..d76408ee96f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} @@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: sixth-route-dest outlierDetection: {} @@ -112,6 +118,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: seventh-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index 046021604df..7be6b0f7ade 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: mirror-route-dest1 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest1 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 61496817710..565c93fd5ff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: valid-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: valid-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index b435363bef7..c8dc8147580 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: redirect-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: redirect-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index 2adb8e01e4d..1e0be1f0405 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: request-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: request-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index ca020e482fe..f3b7838ceee 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: response-header-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 027db39fb29..3041d18c4eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 3a2b7308d8e..8290c2d1837 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: rewrite-route + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index 0f75e67e278..de1e5ced9a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: regex-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
@@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index 6d69b493981..a9be418a101 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 573625b4671..fccf18807c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index ccfa16dbd99..51702c7c79b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} @@ -68,6 +69,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls-2/rule/0 outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index f368f4c94d0..73cb7f276b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/envoy-gateway/httproute-btls/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index 1489e95f6fd..ee7ebf5a19f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -37,6 +38,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 8c3dd7a549c..7fb571dc42f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index 2cb022cfad0..de12099b7de 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 05cf41776c6..0a2796cd6ac 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -36,6 +37,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -60,6 +62,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -87,6 +90,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index d53a7a1b2ce..9ada55d6523 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index 9714612e3de..1c72d4f070f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index b3842b6e52e..f9a046becf5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index b6e4ed1ae7d..745719faa2b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 9de709310e6..308f92773e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-www.test.com-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-www.test.com-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-www.test.com-dest outlierDetection: {} @@ -71,6 +73,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_8080" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_8080" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 8d7b2d37ca0..8555780dab4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index e75a68919d1..a5f1527ade9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: "192_168_1_250_443" + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_443" outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index 8ede70cf99a..8f5d81ea045 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index 454192ce491..c21b71ce6c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index d65e267ad7d..820f85f625b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 16792f24cb1..0c2202ce28f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true name: first-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -26,6 +27,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: RANDOM name: second-route-dest outlierDetection: {} @@ -43,6 +45,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -60,6 +63,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: fourth-route-dest outlierDetection: {} 
@@ -77,6 +81,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST leastRequestLbConfig: slowStartConfig: @@ -97,6 +102,7 @@ ads: {} resourceApiVersion: V3 serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true name: sixth-route-dest outlierDetection: {} perConnectionBufferLimitBytes: 32768 @@ -116,6 +122,7 @@ ads: {} resourceApiVersion: V3 serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: seventh-route-dest outlierDetection: {} @@ -133,6 +140,7 @@ ads: {} resourceApiVersion: V3 serviceName: eighth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV maglevLbConfig: tableSize: "524287" @@ -152,6 +160,7 @@ ads: {} resourceApiVersion: V3 serviceName: ninth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: ninth-route-dest outlierDetection: {} @@ -169,6 +178,7 @@ ads: {} resourceApiVersion: V3 serviceName: tenth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: tenth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index a89644e62d9..b7a2badfead 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index 2b9b567cf39..c3b0666ab24 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-3/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index ce7f4361a40..bd6b6e1ae2e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} 
@@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest outlierDetection: {} @@ -95,6 +100,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index e0f57c2a695..19e6869eb5e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-1-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-1-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-2-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-2-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-3-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-3-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-4-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-4-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index 03e10ccd7fc..ff3aedce52a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} @@ -78,6 +82,7 @@ ads: {} resourceApiVersion: V3 serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index 863e761bf9a..e467e24db53 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index 5309331d017..f196a3fdd9a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index 6441952eae8..47b4007397e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index 45e8e0898ce..182245f1986 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index a3c9b6623c9..4e607e59dbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -29,6 +30,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -48,6 +50,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index 0ba1749076a..d2577b68f8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} 
@@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 427f6d15340..8aff78e3195 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: second-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest outlierDetection: {} @@ -44,6 +46,7 @@ ads: {} resourceApiVersion: V3 serviceName: third-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest outlierDetection: {} @@ -61,6 +64,7 @@ ads: {} resourceApiVersion: V3 serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index d53a7a1b2ce..9ada55d6523 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index 3b5a7b58376..1daefb357c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-dual-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dual-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index 382c2857a1f..c6291c77dd5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-complex-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-complex-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index c845c64037d..aa8f0b0902b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index a7bedbf76be..dbd196ef664 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-hostname-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-hostname-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index 849359c1385..2219185b250 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tcp-route-weighted-backend-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-weighted-backend-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index e2156cb6aff..4c2749a767a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index f60942991df..c2659deb6c9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-passthrough-foo-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-passthrough-foo-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 4dad0aad1a7..16f6727a1a1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} 
@@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: tls-terminate-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 51ef591844c..7597e1328d9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 9e7469dd278..7ea8aa936c4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index a9d0472bfac..f1a975a6e6a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 4d419611516..975086f5fff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: direct-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml index e26cb444c5c..dd47af97cdd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml index f7c6a0bf095..7ce45648946 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml index 0656b7c45e5..e153c882fd6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml 
@@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: udp-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml index 6d5dffadf8c..eca236db657 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: first-route-dest + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest outlierDetection: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index 6a277bb94f6..408fc9c218e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml @@ -10,6 +10,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 outlierDetection: {} @@ -27,6 +28,7 @@ ads: {} resourceApiVersion: V3 serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 outlierDetection: {} From e5968c9d958faee0eaed130999759fd020635dd1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 06:57:33 +0800 Subject: [PATCH 350/523] build(deps): bump github.com/prometheus/common from 0.60.0 to 0.60.1 (#4620) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.60.0 to 0.60.1. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](https://github.com/prometheus/common/compare/v0.60.0...v0.60.1) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 693ef9ccbb7..c658676e928 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 github.com/miekg/dns v1.1.62
 github.com/ohler55/ojg v1.24.1
 github.com/prometheus/client_golang v1.20.5
- github.com/prometheus/common v0.60.0
+ github.com/prometheus/common v0.60.1
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.9.0
diff --git a/go.sum b/go.sum
index 3c239ab5ed5..c7511b48bd8 100644
--- a/go.sum
+++ b/go.sum
@@ -701,8 +701,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= -github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= +github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc= +github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= From 976e6a1baed8542417bf85f8c6f91fd8a36a06c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 07:05:31 +0800 Subject: [PATCH 351/523] build(deps): bump github.com/replicatedhq/troubleshoot from 0.107.4 to 0.107.5 (#4621) build(deps): bump github.com/replicatedhq/troubleshoot Bumps [github.com/replicatedhq/troubleshoot](https://github.com/replicatedhq/troubleshoot) from 0.107.4 to 0.107.5. - [Release notes](https://github.com/replicatedhq/troubleshoot/releases) - [Commits](https://github.com/replicatedhq/troubleshoot/compare/v0.107.4...v0.107.5) --- updated-dependencies: - dependency-name: github.com/replicatedhq/troubleshoot dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c658676e928..9e03dc318b4 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( require ( github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.4 + github.com/replicatedhq/troubleshoot v0.107.5 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 google.golang.org/grpc v1.67.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 diff --git a/go.sum b/go.sum index c7511b48bd8..2cc86143739 100644 --- a/go.sum +++ b/go.sum @@ -717,8 +717,8 @@ github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= github.com/redis/go-redis/v9 v9.1.0 h1:137FnGdk+EQdCbye1FW+qOEcY5S+SpY9T0NiuqvtfMY= github.com/redis/go-redis/v9 v9.1.0/go.mod h1:urWj3He21Dj5k4TK1y59xH8Uj6ATueP8AH1cY3lZl4c= -github.com/replicatedhq/troubleshoot v0.107.4 h1:w6sHGU/Xq5Or7tVNTfMaGZTrqDp2IR7YEWEjooFBDo8= -github.com/replicatedhq/troubleshoot v0.107.4/go.mod h1:6mZzcO/EWVBNXVnFdSHfPaoTnjcQdV3sq61NkBF60YE= +github.com/replicatedhq/troubleshoot v0.107.5 h1:XrJEK8vN3HHEKmFnAe8rSmY+hPw8Fh5dsTMhhEBKQCM= +github.com/replicatedhq/troubleshoot v0.107.5/go.mod h1:QTV4q6TXiCO825IS1GcLzgJu2KHWekXiKdcHCqBJTck= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= From cc7104891d49d1c89b15f4b712ef055dbf4d65c9 Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Mon, 4 Nov 2024 15:45:57 -0800 Subject: [PATCH 352/523] add docker.io registry name in image name (#4628) * add docker.io registry name in image name Fixes: https://github.com/envoyproxy/gateway/issues/4626 Signed-off-by: Arko Dasgupta * add api file Signed-off-by: Arko Dasgupta --------- 
Signed-off-by: Arko Dasgupta --- api/v1alpha1/shared_types.go | 6 +++--- .../proxy/testdata/daemonsets/component-level.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 2 +- .../kubernetes/proxy/testdata/daemonsets/default-env.yaml | 2 +- .../kubernetes/proxy/testdata/daemonsets/default.yaml | 4 ++-- .../proxy/testdata/daemonsets/disable-prometheus.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/extension-env.yaml | 2 +- .../daemonsets/override-labels-and-annotations.yaml | 4 ++-- .../proxy/testdata/daemonsets/patch-daemonset.yaml | 4 ++-- .../proxy/testdata/daemonsets/shutdown-manager.yaml | 2 +- .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 2 +- .../proxy/testdata/daemonsets/with-annotations.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-concurrency.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-extra-args.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-image-pull-secrets.yaml | 4 ++-- .../kubernetes/proxy/testdata/daemonsets/with-name.yaml | 4 ++-- .../proxy/testdata/daemonsets/with-node-selector.yaml | 4 ++-- .../daemonsets/with-topology-spread-constraints.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/bootstrap.yaml | 4 ++-- .../proxy/testdata/deployments/component-level.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/custom.yaml | 2 +- .../testdata/deployments/custom_with_initcontainers.yaml | 2 +- .../kubernetes/proxy/testdata/deployments/default-env.yaml | 2 +- .../kubernetes/proxy/testdata/deployments/default.yaml | 4 ++-- .../proxy/testdata/deployments/disable-prometheus.yaml | 4 ++-- .../proxy/testdata/deployments/extension-env.yaml | 2 +- .../deployments/override-labels-and-annotations.yaml | 4 ++-- .../proxy/testdata/deployments/patch-deployment.yaml | 4 ++-- .../proxy/testdata/deployments/shutdown-manager.yaml | 2 +- .../kubernetes/proxy/testdata/deployments/volumes.yaml | 2 +- .../proxy/testdata/deployments/with-annotations.yaml | 4 ++-- .../proxy/testdata/deployments/with-concurrency.yaml | 4 
++-- .../testdata/deployments/with-empty-memory-limits.yaml | 4 ++-- .../proxy/testdata/deployments/with-extra-args.yaml | 4 ++-- .../proxy/testdata/deployments/with-image-pull-secrets.yaml | 4 ++-- .../kubernetes/proxy/testdata/deployments/with-name.yaml | 4 ++-- .../proxy/testdata/deployments/with-node-selector.yaml | 4 ++-- .../deployments/with-topology-spread-constraints.yaml | 4 ++-- .../kubernetes/ratelimit/testdata/deployments/default.yaml | 2 +- .../ratelimit/testdata/deployments/disable-prometheus.yaml | 2 +- .../testdata/deployments/enable-tracing-custom.yaml | 2 +- .../ratelimit/testdata/deployments/enable-tracing.yaml | 2 +- .../ratelimit/testdata/deployments/merge-annotations.yaml | 2 +- .../ratelimit/testdata/deployments/merge-labels.yaml | 2 +- .../ratelimit/testdata/deployments/patch-deployment.yaml | 2 +- .../ratelimit/testdata/deployments/with-node-selector.yaml | 2 +- .../deployments/with-topology-spread-constraints.yaml | 2 +- 47 files changed, 75 insertions(+), 75 deletions(-) diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index 617151e296a..b79839a7dda 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go 
@@ -22,15 +22,15 @@ const ( // DefaultDeploymentMemoryResourceRequests for deployment memory resource DefaultDeploymentMemoryResourceRequests = "512Mi" // DefaultEnvoyProxyImage is the default image used by envoyproxy - DefaultEnvoyProxyImage = "envoyproxy/envoy:distroless-dev" + DefaultEnvoyProxyImage = "docker.io/envoyproxy/envoy:distroless-dev" // DefaultShutdownManagerCPUResourceRequests for shutdown manager cpu resource DefaultShutdownManagerCPUResourceRequests = "10m" // DefaultShutdownManagerMemoryResourceRequests for shutdown manager memory resource DefaultShutdownManagerMemoryResourceRequests = "32Mi" // DefaultShutdownManagerImage is the default image used for the shutdown manager. - DefaultShutdownManagerImage = "envoyproxy/gateway-dev:latest" + DefaultShutdownManagerImage = "docker.io/envoyproxy/gateway-dev:latest" // DefaultRateLimitImage is the default image used by ratelimit. - DefaultRateLimitImage = "envoyproxy/ratelimit:master" + DefaultRateLimitImage = "docker.io/envoyproxy/ratelimit:master" // HTTPProtocol is the common-used http protocol. HTTPProtocol = "http" // GRPCProtocol is the common-used grpc protocol. diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index 4f9107fb4d7..d68b1e56076 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -56,7 +56,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
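Review bot: The three default image constants changed in the `shared_types.go` hunk (`DefaultEnvoyProxyImage`, `DefaultShutdownManagerImage`, `DefaultRateLimitImage`) now name the registry but still carry floating tags (`distroless-dev`, `latest`, `master`), and their comments do not mention either fact. Qualifying the registry removes short-name resolution ambiguity on runtimes that search several registries, but the reference stays mutable, and the golden manifests in this patch show `imagePullPolicy: IfNotPresent`, so nodes can end up running different builds of the same tag. I would record that on each constant, for example `// DefaultEnvoyProxyImage is the default, fully qualified envoyproxy image; the tag is mutable, so override it with a release tag or digest for production.` Whether release builds replace these values is not visible here, so this is a documentation request rather than a code change. The `const (` block starts before this hunk and continues past it.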
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index 5683159e6c5..b3472d7ce4a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -309,7 +309,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 75db2fc35a8..329cb6fcfdb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index e2d420a0407..7fd747bfc54 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index a351838340a..8de53f5399b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -197,7 +197,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -270,7 +270,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 1ed87f21c2c..ae4f11bf6a4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 70534adc4cc..fd9dad594d2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml 
@@ -232,7 +232,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index b3ed37d3241..44303a333ff 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 97debe2f4e8..f656e51276b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 64d66281152..268a27505a6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index b5fadea1445..de2cfc52cb5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -228,7 +228,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -304,7 +304,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index aceabd683a3..35135058572 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml 
@@ -56,7 +56,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -132,7 +132,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 6cc85628272..bd684b6f4d5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -225,7 +225,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -301,7 +301,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 3f6090692bb..924d99cee9f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 01a84c9e25f..0f6bb5dcb83 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index c32b7625ae7..69797a95a41 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 06e48c355a3..b8cf4d12a6c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -223,7 +223,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -299,7 +299,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index edbcf01d06f..9cb872f552a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -59,7 +59,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -135,7 +135,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index 6ac7da41299..80fa00394ae 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -60,7 +60,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 3a080205897..dff786a3515 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -314,7 +314,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index c26ec592cd9..65079b2316e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -316,7 +316,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 4a7a1b1c1c0..88371d81d1f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -313,7 +313,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 13d12e3fa40..57a62e569b5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 29207aaa3f8..e575a3f3111 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml 
@@ -201,7 +201,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -274,7 +274,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 7c724bce6ce..9b84c2b4177 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index aa87ba5b43c..6300b906552 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -236,7 +236,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -312,7 +312,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index f4bf7a49f83..269909aec48 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 4281e7c3697..5774c9dc1d2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index ff84e18cdf2..9f6f50940c8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml 
@@ -317,7 +317,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 2f44c8853d9..3924adc4869 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -232,7 +232,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -308,7 +308,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 3cafba40548..2086f2297a9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -60,7 +60,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -136,7 +136,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 432b8f31188..ce6f8b7b5de 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -302,7 +302,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index bd87ca6b3a6..bc0a7e23a5a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -229,7 +229,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -305,7 +305,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 8033aa516af..360253c560e 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 5c7da4fcdd3..52ea316c857 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 93c65430254..6a8cfb126be 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 93f0cd1456a..3bdf275ce09 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -227,7 +227,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/envoy:distroless-dev + image: docker.io/envoyproxy/envoy:distroless-dev imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -303,7 +303,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name - image: envoyproxy/gateway-dev:latest + image: docker.io/envoyproxy/gateway-dev:latest imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml index 32e56a1ea5c..f3b49afb414 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/default.yaml @@ -86,7 +86,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: 
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml index 449ed2c1d70..b579400b05a 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/disable-prometheus.yaml @@ -76,7 +76,7 @@ spec: value: tcp - name: REDIS_URL value: redis.redis.svc:6379 - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml index 320497017f7..c8586388f37 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing-custom.yaml @@ -101,7 +101,7 @@ spec: value: "0.6" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4317 - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml index 5b01b9ef319..002ee53bda6 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/enable-tracing.yaml 
@@ -101,7 +101,7 @@ spec: value: "1.0" - name: OTEL_EXPORTER_OTLP_ENDPOINT value: http://trace-collector.envoy-gateway-system.svc.cluster.local:4318 - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml index 4bc241198c6..fc6600de072 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-annotations.yaml @@ -88,7 +88,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml index 6681232eeb8..0c944d8fd82 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/merge-labels.yaml @@ -88,7 +88,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml index 773607b225a..5556e12d2ee 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml 
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/patch-deployment.yaml @@ -86,7 +86,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml index 9cf4e01fbff..f65e6f23e18 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-node-selector.yaml @@ -86,7 +86,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml index 5625daf61a0..e726269ccbe 100644 --- a/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/ratelimit/testdata/deployments/with-topology-spread-constraints.yaml @@ -86,7 +86,7 @@ spec: value: :19001 - name: PROMETHEUS_MAPPER_YAML value: /etc/statsd-exporter/conf.yaml - image: envoyproxy/ratelimit:master + image: docker.io/envoyproxy/ratelimit:master imagePullPolicy: IfNotPresent name: envoy-ratelimit ports: From da4a060fc05f195956cf490da2ceae3ed52320a1 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 5 Nov 2024 07:46:47 +0800 Subject: [PATCH 353/523] docs: Jwt claim based authorization (#4617) * docs for jwt claim auth 
Signed-off-by: Huabing Zhao * add docs for JWT claim based authorization Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- .../tasks/security/jwt-claim-authorization.md | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 site/content/en/latest/tasks/security/jwt-claim-authorization.md diff --git a/site/content/en/latest/tasks/security/jwt-claim-authorization.md b/site/content/en/latest/tasks/security/jwt-claim-authorization.md new file mode 100644 index 00000000000..2e67ea7ffe9 --- /dev/null +++ b/site/content/en/latest/tasks/security/jwt-claim-authorization.md 
@@ -0,0 +1,226 @@ +--- +title: "JWT Claim-Based Authorization" +--- + +This task provides instructions for configuring JWT claim-based authorization. JWT claim-based authorization checks if an incoming request has the required JWT claims before routing the request to a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT claim-based authorization. + +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Create a SecurityPolicy + +Please note that the JWT claim-based authorization requires the JWT token to be present in the request. A JWT authentication must be configured in the same SecurityPolicy to validate the JWT token and extract the claims. + +The below SecurityPolicy configuration allows requests with a valid JWT token that has the following claims: +- `user.name` claim with the value `John Doe` +- `user.roles` claim with the value `admin` +- `scope` claim with the values `read`, `add`, and `modify` + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/authorization-jwt-claim -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Define a JWT token with the required claims. 
+ +```shell +export VALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb" +``` + +Decode the JWT token to verify that it has the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${VALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "John Doe", + "email": "john.doe@example.com", + "roles": [ + "admin", + "editor" + ] + }, + "premium_user": true, + "iat": 1516239022, + "scope": "read add delete modify" +} +``` + +Send a request to the backend service with the valid JWT token: + +```shell +curl -H "Host: www.example.com" -H "Authorization: Bearer ${VALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be allowed and you should see the response from the backend service. + +Define a JWT token without the required claims. 
+ +```shell +export INVALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf" +``` + +Decode the JWT token to verify that it does not have the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${INVALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "Alice Smith", + "email": "alice.smith@example.com", + "roles": [ + "developer" + ] + }, + "premium_user": false, + "iat": 1516239022, + "scope": "read add delete" +} +``` + +Send a request to the backend service with the invalid JWT token: + +```shell +curl -v -H "Host: www.example.com" -H "Authorization: Bearer ${INVALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be denied and you should see a `403 Forbidden` response. + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
+ +Delete the SecurityPolicy and the ClientTrafficPolicy + +```shell +kubectl delete securitypolicy/authorization-jwt-claim +``` + +## Next Steps + +Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. + +[SecurityPolicy]: ../../../contributions/design/security-policy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute From 2d68e6a03a25d3f909e5f8828c2312911436f9cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 08:37:18 +0800 Subject: [PATCH 354/523] build(deps): bump github.com/ohler55/ojg from 1.24.1 to 1.25.0 (#4618) Bumps [github.com/ohler55/ojg](https://github.com/ohler55/ojg) from 1.24.1 to 1.25.0. - [Release notes](https://github.com/ohler55/ojg/releases) - [Changelog](https://github.com/ohler55/ojg/blob/develop/CHANGELOG.md) - [Commits](https://github.com/ohler55/ojg/compare/v1.24.1...v1.25.0) --- updated-dependencies: - dependency-name: github.com/ohler55/ojg dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 9e03dc318b4..68fd42b5a31 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 - github.com/ohler55/ojg v1.24.1 + github.com/ohler55/ojg v1.25.0 github.com/prometheus/client_golang v1.20.5 github.com/prometheus/common v0.60.1 github.com/spf13/cobra v1.8.1 diff --git a/go.sum b/go.sum index 2cc86143739..00d7b32bb36 100644 --- a/go.sum +++ b/go.sum 
@@ -629,8 +629,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= -github.com/ohler55/ojg v1.24.1 h1:PaVLelrNgT5/0ppPaUtey54tOVp245z33fkhL2jljjY= -github.com/ohler55/ojg v1.24.1/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= +github.com/ohler55/ojg v1.25.0 h1:sDwc4u4zex65Uz5Nm7O1QwDKTT+YRcpeZQTy1pffRkw= +github.com/ohler55/ojg v1.25.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= From 3191d49d455069e9b08a0f32b2e005cc47ed8b38 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 5 Nov 2024 10:22:15 +0800 Subject: [PATCH 355/523] e2e: use grafana alloy instead of fluent-bit (#4525) * use grafana alloy instead of fluent-bit Signed-off-by: zirain * make alloy disabled by default Signed-off-by: zirain * enable alloy in e2e Signed-off-by: zirain --------- Signed-off-by: zirain --- charts/gateway-addons-helm/Chart.lock | 7 +- charts/gateway-addons-helm/Chart.yaml | 4 + charts/gateway-addons-helm/README.md | 4 + charts/gateway-addons-helm/values.yaml | 104 +++++ .../latest/install/gateway-addons-helm-api.md | 4 + .../latest/install/gateway-addons-helm-api.md | 4 + test/e2e/tests/accesslog.go | 6 +- test/helm/gateway-addons-helm/e2e.in.yaml | 4 + test/helm/gateway-addons-helm/e2e.out.yaml | 405 ++++++++++++------ tools/make/kube.mk | 12 +- 10 files changed, 405 insertions(+), 149 deletions(-) 
diff --git a/charts/gateway-addons-helm/Chart.lock b/charts/gateway-addons-helm/Chart.lock index 228a952fdc1..4e15b355cb5 100644 --- a/charts/gateway-addons-helm/Chart.lock +++ b/charts/gateway-addons-helm/Chart.lock @@ -8,6 +8,9 @@ dependencies: - name: fluent-bit repository: https://fluent.github.io/helm-charts version: 0.30.4 +- name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 - name: loki repository: https://grafana.github.io/helm-charts version: 4.8.0 @@ -17,5 +20,5 @@ dependencies: - name: opentelemetry-collector repository: https://open-telemetry.github.io/opentelemetry-helm-charts version: 0.108.0 -digest: sha256:ea6663bb1358123b96b69d2c5b0b8c20650a43dc39b24c482f0560201fd2cc3a -generated: "2024-10-19T12:59:47.251089661+02:00" +digest: sha256:bc634c59972bfd4a01e0f4310a4949095752e659a9b5cb1d9c0fbe9a86f37011 +generated: "2024-10-25T10:55:26.755739+08:00" diff --git a/charts/gateway-addons-helm/Chart.yaml b/charts/gateway-addons-helm/Chart.yaml index 2571ccec51e..3a2303ef8c9 100644 --- a/charts/gateway-addons-helm/Chart.yaml +++ b/charts/gateway-addons-helm/Chart.yaml @@ -37,6 +37,10 @@ dependencies: repository: https://fluent.github.io/helm-charts version: 0.30.4 condition: fluent-bit.enabled + - name: alloy + repository: https://grafana.github.io/helm-charts + version: 0.9.2 + condition: alloy.enabled - name: loki version: 4.8.0 repository: https://grafana.github.io/helm-charts diff --git a/charts/gateway-addons-helm/README.md b/charts/gateway-addons-helm/README.md index 11eab2edf84..b30a535e724 100644 --- a/charts/gateway-addons-helm/README.md +++ b/charts/gateway-addons-helm/README.md 
@@ -22,6 +22,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -55,6 +56,9 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = [\"__meta_kubernetes_namespace\", 
\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n multiline.parser docker, 
cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | diff --git a/charts/gateway-addons-helm/values.yaml b/charts/gateway-addons-helm/values.yaml index 8ee3cbfaea9..f8f80958129 100644 --- a/charts/gateway-addons-helm/values.yaml +++ b/charts/gateway-addons-helm/values.yaml @@ -60,6 +60,7 @@ prometheus: # Values for Fluent-bit dependency +# TODO: remove fluent-bit dependency fluent-bit: enabled: true image: 
@@ -167,6 +168,109 @@ loki: gateway: enabled: false +# Values for Alloy dependency +alloy: + enabled: false + fullnameOverride: alloy + alloy: + configMap: + content: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } + + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. + discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets + + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } + + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } + + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = 
"replace" + target_label = "job" + separator = "/" + replacement = "$1" + } + + // Label creation - "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } + # Values for Tempo dependency tempo: diff --git a/site/content/en/latest/install/gateway-addons-helm-api.md b/site/content/en/latest/install/gateway-addons-helm-api.md index ba60a7d51b0..dce51039fa2 100644 --- a/site/content/en/latest/install/gateway-addons-helm-api.md +++ b/site/content/en/latest/install/gateway-addons-helm-api.md 
@@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | diff --git a/site/content/zh/latest/install/gateway-addons-helm-api.md b/site/content/zh/latest/install/gateway-addons-helm-api.md index ba60a7d51b0..dce51039fa2 100644 --- a/site/content/zh/latest/install/gateway-addons-helm-api.md +++ b/site/content/zh/latest/install/gateway-addons-helm-api.md @@ -24,6 +24,7 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | 
@@ -34,6 +35,9 @@ An Add-ons Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = 
[\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path 
/var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | diff --git a/test/e2e/tests/accesslog.go b/test/e2e/tests/accesslog.go index b2c9a28ac94..4edc12f7c55 100644 --- a/test/e2e/tests/accesslog.go +++ b/test/e2e/tests/accesslog.go @@ -30,9 +30,9 @@ var FileAccessLogTest = suite.ConformanceTest{ Manifests: []string{"testdata/accesslog-file.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { labels := map[string]string{ - "job": "fluentbit", - "k8s_namespace_name": "envoy-gateway-system", - "k8s_container_name": "envoy", + "job": "envoy-gateway-system/envoy", + "namespace": "envoy-gateway-system", + "container": "envoy", } match := "test-annotation-value" diff --git a/test/helm/gateway-addons-helm/e2e.in.yaml b/test/helm/gateway-addons-helm/e2e.in.yaml index 93ce0d8d622..bf913c259a9 100644 --- a/test/helm/gateway-addons-helm/e2e.in.yaml +++ b/test/helm/gateway-addons-helm/e2e.in.yaml @@ -1,4 +1,8 @@ +alloy: + enabled: true grafana: enabled: false opentelemetry-collector: enabled: true +fluent-bit: + enabled: false diff --git a/test/helm/gateway-addons-helm/e2e.out.yaml b/test/helm/gateway-addons-helm/e2e.out.yaml index 84a0691299a..5a2f32ed2c8 100644 --- a/test/helm/gateway-addons-helm/e2e.out.yaml +++ b/test/helm/gateway-addons-helm/e2e.out.yaml 
@@ -1,16 +1,19 @@ --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/serviceaccount.yaml +# Source: gateway-addons-helm/charts/alloy/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: fluent-bit + name: alloy namespace: monitoring labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac --- # Source: gateway-addons-helm/charts/loki/templates/serviceaccount.yaml apiVersion: v1 
@@ -69,73 +72,117 @@ metadata: app.kubernetes.io/managed-by: Helm automountServiceAccountToken: true --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/configmap.yaml +# Source: gateway-addons-helm/charts/alloy/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: config data: - custom_parsers.conf: | - [PARSER] - Name docker_no_time - Format json - Time_Keep Off - Time_Key time - Time_Format %Y-%m-%dT%H:%M:%S.%L + config.alloy: |- + // Write your Alloy config here: + logging { + level = "info" + format = "logfmt" + } + loki.write "alloy" { + endpoint { + url = "http://loki.monitoring.svc:3100/loki/api/v1/push" + } + } + // discovery.kubernetes allows you to find scrape targets from Kubernetes resources. + // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster. + discovery.kubernetes "pod" { + role = "pod" + } - fluent-bit.conf: | - [SERVICE] - Daemon Off - Flush 1 - Log_Level info - Parsers_File parsers.conf - Parsers_File custom_parsers.conf - HTTP_Server On - HTTP_Listen 0.0.0.0 - HTTP_Port 2020 - Health_Check On + // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules. + // If no rules are defined, then the input targets are exported as-is. 
+ discovery.relabel "pod_logs" { + targets = discovery.kubernetes.pod.targets - [INPUT] - Name tail - Path /var/log/containers/*.log - multiline.parser docker, cri - Tag kube.* - Mem_Buf_Limit 5MB - Skip_Long_Lines On + // Label creation - "namespace" field from "__meta_kubernetes_namespace" + rule { + source_labels = ["__meta_kubernetes_namespace"] + action = "replace" + target_label = "namespace" + } - [FILTER] - Name kubernetes - Match kube.* - Merge_Log On - Keep_Log Off - K8S-Logging.Parser On - K8S-Logging.Exclude On + // Label creation - "pod" field from "__meta_kubernetes_pod_name" + rule { + source_labels = ["__meta_kubernetes_pod_name"] + action = "replace" + target_label = "pod" + } - [FILTER] - Name grep - Match kube.* - Regex $kubernetes['container_name'] ^envoy$ + // Label creation - "container" field from "__meta_kubernetes_pod_container_name" + rule { + source_labels = ["__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "container" + } - [FILTER] - Name parser - Match kube.* - Key_Name log - Parser envoy - Reserve_Data True + // Label creation - "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name" + rule { + source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"] + action = "replace" + target_label = "app" + } + + // Label creation - "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name + rule { + source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "job" + separator = "/" + replacement = "$1" + } - [OUTPUT] - Name loki - Match kube.* - Host loki.monitoring.svc.cluster.local - Port 3100 - Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name'] + // Label creation 
- "container" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name" + // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log + rule { + source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"] + action = "replace" + target_label = "__path__" + separator = "/" + replacement = "/var/log/pods/*$1/*.log" + } + + // Label creation - "container_runtime" field from "__meta_kubernetes_pod_container_id" + rule { + source_labels = ["__meta_kubernetes_pod_container_id"] + action = "replace" + target_label = "container_runtime" + regex = "^(\\S+):\\/\\/.+$" + replacement = "$1" + } + } + + // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API. + loki.source.kubernetes "pod_logs" { + targets = discovery.relabel.pod_logs.output + forward_to = [loki.process.pod_logs.receiver] + } + // loki.process receives log entries from other Loki components, applies one or more processing stages, + // and forwards the results to the list of receivers in the component’s arguments. + loki.process "pod_logs" { + stage.static_labels { + values = { + cluster = "envoy-gateway", + } + } + + forward_to = [loki.write.alloy.receiver] + } --- # Source: gateway-addons-helm/charts/loki/templates/configmap.yaml apiVersion: v1 
@@ -9298,27 +9345,105 @@ data: "uid": "f7aeb41676b7865cf31ae49691325f91" } --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrole.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac rules: + # Rules which allow discovery.kubernetes to function. - apiGroups: - "" + - "discovery.k8s.io" + - "networking.k8s.io" resources: - - namespaces + - endpoints + - endpointslices + - ingresses + - nodes + - nodes/proxy + - nodes/metrics - pods + - services + verbs: + - get + - list + - watch + # Rules which allow loki.source.kubernetes and loki.source.podlogs to work. + - apiGroups: + - "" + resources: + - pods + - pods/log + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "monitoring.grafana.com" + resources: + - podlogs + verbs: + - get + - list + - watch + # Rules which allow mimir.rules.kubernetes to work. + - apiGroups: ["monitoring.coreos.com"] + resources: + - prometheusrules + verbs: + - get + - list + - watch + - nonResourceURLs: + - /metrics + verbs: + - get + # Rules for prometheus.kubernetes.* + - apiGroups: ["monitoring.coreos.com"] + resources: + - podmonitors + - servicemonitors + - probes + verbs: + - get + - list + - watch + # Rules which allow eventhandler to work. 
+ - apiGroups: + - "" + resources: + - events verbs: - get - list - watch + # needed for remote.kubernetes.* + - apiGroups: [""] + resources: + - "configmaps" + - "secrets" + verbs: + - get + - list + - watch + # needed for otelcol.processor.k8sattributes + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -9372,24 +9497,27 @@ rules: verbs: - get --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/clusterrolebinding.yaml +# Source: gateway-addons-helm/charts/alloy/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: fluent-bit + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: rbac roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: fluent-bit + name: alloy subjects: - kind: ServiceAccount - name: fluent-bit + name: alloy namespace: monitoring --- # Source: gateway-addons-helm/charts/prometheus/templates/clusterrolebinding.yaml 
@@ -9414,28 +9542,31 @@ roleRef: kind: ClusterRole name: prometheus --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/service.yaml +# Source: gateway-addons-helm/charts/alloy/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy + app.kubernetes.io/component: networking spec: type: ClusterIP - ports: - - port: 2020 - targetPort: http - protocol: TCP - name: http selector: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm + internalTrafficPolicy: Cluster + ports: + - name: http-metrics + port: 12345 + targetPort: 12345 + protocol: "TCP" --- # Source: gateway-addons-helm/charts/loki/templates/service-memberlist.yaml apiVersion: v1 
@@ -9651,84 +9782,82 @@ spec: app.kubernetes.io/name: tempo app.kubernetes.io/instance: gateway-addons-helm --- -# Source: gateway-addons-helm/charts/fluent-bit/templates/daemonset.yaml +# Source: gateway-addons-helm/charts/alloy/templates/controllers/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: - name: fluent-bit - namespace: monitoring + name: alloy labels: - helm.sh/chart: fluent-bit-0.30.4 - app.kubernetes.io/name: fluent-bit + helm.sh/chart: alloy-0.9.2 + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm - app.kubernetes.io/version: "2.1.4" + + app.kubernetes.io/version: "v1.4.3" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: alloy spec: + minReadySeconds: 10 selector: matchLabels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm template: metadata: annotations: - checksum/config: 03d122555879033ccf6443369f73463490b100f195550b1483d337f497c749e3 - checksum/luascripts: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - fluentbit.io/exclude: "true" - prometheus.io/path: /api/v1/metrics/prometheus - prometheus.io/port: "2020" - prometheus.io/scrape: "true" + kubectl.kubernetes.io/default-container: alloy labels: - app.kubernetes.io/name: fluent-bit + app.kubernetes.io/name: alloy app.kubernetes.io/instance: gateway-addons-helm spec: - serviceAccountName: fluent-bit - hostNetwork: false - dnsPolicy: ClusterFirst + serviceAccountName: alloy containers: - - name: fluent-bit - image: "fluent/fluent-bit:2.1.4" - imagePullPolicy: Always + - name: alloy + image: docker.io/grafana/alloy:v1.4.3 + imagePullPolicy: IfNotPresent + args: + - run + - /etc/alloy/config.alloy + - --storage.path=/tmp/alloy + - --server.http.listen-addr=0.0.0.0:12345 + - --server.http.ui-path-prefix=/ + - --stability.level=generally-available + env: + - name: ALLOY_DEPLOY_MODE + value: "helm" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: 
spec.nodeName ports: - - name: http - containerPort: 2020 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http + - containerPort: 12345 + name: http-metrics readinessProbe: httpGet: - path: /api/v1/health - port: http + path: /-/ready + port: 12345 + scheme: HTTP + initialDelaySeconds: 10 + timeoutSeconds: 1 volumeMounts: - - mountPath: /fluent-bit/etc/fluent-bit.conf - name: config - subPath: fluent-bit.conf - - mountPath: /fluent-bit/etc/custom_parsers.conf - name: config - subPath: custom_parsers.conf - - mountPath: /var/log - name: varlog - - mountPath: /var/lib/docker/containers - name: varlibdockercontainers - readOnly: true - - mountPath: /etc/machine-id - name: etcmachineid - readOnly: true + - name: config + mountPath: /etc/alloy + - name: config-reloader + image: ghcr.io/jimmidyson/configmap-reload:v0.12.0 + args: + - --volume-dir=/etc/alloy + - --webhook-url=http://localhost:12345/-/reload + volumeMounts: + - name: config + mountPath: /etc/alloy + resources: + requests: + cpu: 1m + memory: 5Mi + dnsPolicy: ClusterFirst volumes: - name: config configMap: - name: fluent-bit - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /var/lib/docker/containers - name: varlibdockercontainers - - hostPath: - path: /etc/machine-id - type: File - name: etcmachineid + name: alloy --- # Source: gateway-addons-helm/charts/opentelemetry-collector/templates/deployment.yaml apiVersion: apps/v1 diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 0abbe5dac98..d53c1931360 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -133,7 +133,7 @@ benchmark: create-cluster kube-install-image kube-deploy-for-benchmark-test run- .PHONY: e2e e2e: create-cluster kube-install-image kube-deploy \ - install-ratelimit install-e2e-telemetry kube-install-examples-image \ + install-ratelimit install-eg-addons kube-install-examples-image \ run-e2e delete-cluster .PHONY: install-ratelimit 
@@ -190,10 +190,10 @@ uninstall-benchmark-server: ## Uninstall nighthawk server for benchmark test kubectl delete configmap test-server-config -n benchmark-test kubectl delete namespace benchmark-test -.PHONY: install-e2e-telemetry -install-e2e-telemetry: helm-generate.gateway-addons-helm +.PHONY: install-eg-addons +install-eg-addons: helm-generate.gateway-addons-helm @$(LOG_TARGET) - helm upgrade -i eg-addons charts/gateway-addons-helm --set grafana.enabled=false,opentelemetry-collector.enabled=true -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs + helm upgrade -i eg-addons charts/gateway-addons-helm -f test/helm/gateway-addons-helm/e2e.in.yaml -n monitoring --create-namespace --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs # Change loki service type from ClusterIP to LoadBalancer kubectl patch service loki -n monitoring -p '{"spec": {"type": "LoadBalancer"}}' # Wait service Ready @@ -204,8 +204,8 @@ install-e2e-telemetry: helm-generate.gateway-addons-helm kubectl rollout restart -n monitoring deployment/otel-collector kubectl rollout status --watch --timeout=5m -n monitoring deployment/otel-collector -.PHONY: uninstall-e2e-telemetry -uninstall-e2e-telemetry: +.PHONY: uninstall-eg-addons +uninstall-eg-addons: @$(LOG_TARGET) helm delete $(shell helm list -n monitoring -q) -n monitoring From 5698e88228efaad6c8d3384179a9f2b45382245d Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 5 Nov 2024 15:13:18 -0600 Subject: [PATCH 356/523] chore: update site docs link for latest release (#4634) update site docs link for latest release Signed-off-by: Guy Daich --- site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 704c3dfde80..0bdf6092027 100644 --- a/site/layouts/shortcodes/helm-version.html 
+++ b/site/layouts/shortcodes/helm-version.html
@@ -3,8 +3,8 @@
 {{- "v0.0.0-latest" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.1") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html
index eced902814a..fd96ac1799e 100644
--- a/site/layouts/shortcodes/yaml-version.html
+++ b/site/layouts/shortcodes/yaml-version.html
@@ -3,8 +3,8 @@
 {{- "latest" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.1") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.1.2" -}}
+{{- "v1.1.3" -}}
 {{- end -}}
From f2c8b77c07c986be8b259e27bb922dc5e06f4514 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 10:00:29 +0800 Subject: [PATCH 357/523] fix: push a helm chart without v in ther version (#4636) * push a helm chart without v in ther version Signed-off-by: Huabing Zhao * rename tag Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- .github/workflows/build_and_test.yaml | 1 + .github/workflows/release.yaml | 2 ++ release-notes/current.yaml | 1 + 3 files changed, 4 insertions(+)
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 92ae1b4822d..10375375d46 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -224,3 +224,4 @@ jobs:
 # use `0.0.0` as the default latest version.
 # use `Always` image pull policy for latest version.
 run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push
+ run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=0.0.0-latest TAG=latest make helm-push
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index feec5902af6..8e792355d10 100644
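Review bot: The added `run:` line in the `@@ -224,3 +224,4 @@` hunk of `.github/workflows/build_and_test.yaml` sits directly under the step's existing `run:` line, so as shown the step mapping carries two `run` keys. A duplicate key is either rejected when the workflow is parsed or collapsed to a single value, and in neither case do both chart pushes execute. The same pattern appears in the `@@ -73,6 +74,7 @@` hunk of `.github/workflows/release.yaml`. If both chart versions are meant to be published, use one block scalar: `run: |` followed by the `CHART_VERSION=v0.0.0-latest` and `CHART_VERSION=0.0.0-latest` commands on separate lines. The step begins outside the hunk, so confirm against the full file that nothing separates the two keys.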
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -57,6 +57,7 @@ jobs: shell: bash run: | echo "release_tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV + echo "without_v_release_tag=${release_tag:1}" >> $GITHUB_ENV echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Login to DockerHub @@ -73,6 +74,7 @@ jobs: - name: Build and Push EG Release Helm Chart run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Download Benchmark Report uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 3b54de7121e..3795a8b2fb9 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -18,6 +18,7 @@ bug fixes: | The xDS translation failed when wasm http code source configured without a sha HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses Route with multiple parents has incorrect namespace in parentRef status + Helm chart fails for Flux HelmRelease # Enhancements that improve performance. performance improvements: | From 7b6834ee4a7cab94694e2a5aff10c1398948284f Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Tue, 5 Nov 2024 18:18:32 -0800 Subject: [PATCH 358/523] add envoy-gateway binary to latest release artifacts (#4638) * add envoy-gateway binary to latest release artifcats Missed in https://github.com/envoyproxy/gateway/issues/4566 Signed-off-by: Arko Dasgupta * fix also in tagged release Signed-off-by: Arko Dasgupta --------- 
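Review bot: `${release_tag:1}` in the `@@ -57,6 +57,7 @@` hunk expands a shell variable that the visible script never sets. The preceding line only appends `release_tag=...` to `$GITHUB_ENV`, and values written there reach later steps, not the current shell. Unless `release_tag` is supplied by an `env:` block outside the hunk, `without_v_release_tag` is written empty and the release step would run with an empty `CHART_VERSION`. Assign the tag first with `release_tag="${GITHUB_REF##*/}"`, then write `echo "release_tag=${release_tag}" >> "$GITHUB_ENV"` and `echo "without_v_release_tag=${release_tag#v}" >> "$GITHUB_ENV"`. Using `#v` strips only a leading `v`, whereas `:1` drops the first character whatever it is.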
Signed-off-by: Arko Dasgupta --- .github/workflows/latest_release.yaml | 4 ++++ .github/workflows/release.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 786bc4d058e..0b709f9fe1a 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -116,6 +116,10 @@ jobs: release-artifacts/install.yaml release-artifacts/quickstart.yaml release-artifacts/benchmark_report.zip + envoy-gateway_latest_linux_amd64.tar.gz + envoy-gateway_latest_linux_arm64.tar.gz + envoy-gateway_latest_darwin_amd64.tar.gz + envoy-gateway_latest_darwin_arm64.tar.gz egctl_latest_linux_amd64.tar.gz egctl_latest_linux_arm64.tar.gz egctl_latest_darwin_amd64.tar.gz diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8e792355d10..ad49f40082c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -102,6 +102,10 @@ jobs: release-artifacts/quickstart.yaml release-artifacts/release-notes.yaml release-artifacts/benchmark_report.zip + envoy-gateway_${{ env.release_tag }}_linux_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_linux_arm64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_amd64.tar.gz + envoy-gateway_${{ env.release_tag }}_darwin_arm64.tar.gz egctl_${{ env.release_tag }}_linux_amd64.tar.gz egctl_${{ env.release_tag }}_linux_arm64.tar.gz egctl_${{ env.release_tag }}_darwin_amd64.tar.gz From 44c2f7421cdd5fa2d84fd25d847ed661a3d4588c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 10:21:22 +0800 Subject: [PATCH 359/523] fix: BackendTlsPolicy specify multiple targetRefs of the same service, only one will work (#4630) * add tests Signed-off-by: Huabing Zhao * fix matching comparison Signed-off-by: Huabing Zhao * add release note Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- internal/gatewayapi/backendtlspolicy.go | 12 +- .../backendtlspolicy-multiple-targets.in.yaml | 123 +++++++++ ...backendtlspolicy-multiple-targets.out.yaml | 239 ++++++++++++++++++ release-notes/current.yaml | 1 + 4 files changed, 369 insertions(+), 6 deletions(-) create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml create mode 100644 internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index a04f93c9c19..b76e215f99a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -7,6 +7,7 @@ package gatewayapi import ( "fmt" + "reflect" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" @@ -145,13 +146,12 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 target.Kind == currTarget.Kind && backendNamespace == policy.Namespace && target.Name == currTarget.Name { - if currTarget.SectionName != nil { - if target.SectionName != nil && *currTarget.SectionName == *target.SectionName { - return true - } - return false + // if section name is not set, then it targets the entire backend + if currTarget.SectionName == nil { + return true + } else if reflect.DeepEqual(currTarget.SectionName, target.SectionName) { + return true } - return true } } return false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml new file mode 100644 index 00000000000..d3458d06da8 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml 
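Review bot: In the `@@ -145,13 +146,12 @@` hunk the new `if ... { return true } else if reflect.DeepEqual(...) { return true }` can be one condition without reflection: `if currTarget.SectionName == nil || (target.SectionName != nil && *currTarget.SectionName == *target.SectionName) { return true }`. That drops the `else` after a terminating branch and makes the `reflect` import added in the first hunk unnecessary. This match decides whether a BackendTLSPolicy's validation settings are attached to a backend, so a doc comment on `backendTLSTargetMatched` would help, for example `// A targetRef without sectionName matches the whole backend; with sectionName it matches only that section.` The function signature and the loop header are outside the hunk.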
@@ -0,0 +1,123 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All + +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-1" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - namespace: envoy-gateway + name: gateway-btls + sectionName: http + rules: + - matches: + - path: + type: Exact + value: "/exact-2" + backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + +services: + - apiVersion: v1 + kind: Service + metadata: + name: http-backend + namespace: envoy-gateway + spec: + clusterIP: 10.11.12.13 + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 + - port: 8081 + name: http + protocol: TCP + targetPort: 8081 + +configMaps: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: envoy-gateway + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + 
Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - name: ca-cmap + group: "" + kind: ConfigMap + hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml new file mode 100644 index 00000000000..8ecd25a2418 --- /dev/null +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml 
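Review bot: The `http-backend` Service in this new fixture gives both ports (8080 and 8081) `name: http`, but Kubernetes validation requires port names to be unique within a Service, so this object could not exist in a cluster. Distinct names such as `name: http-8080` and `name: http-8081` keep the fixture representative; the matching `.out.yaml` would presumably need regenerating. The fixture also covers only routes whose port is listed in `targetRefs`. A third route to a port the policy does not target would check that the relaxed matching loop does not attach TLS settings to a backend it should skip.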
@@ -0,0 +1,239 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls + namespace: envoy-gateway + spec: + targetRefs: + - group: "" + kind: Service + name: http-backend + sectionName: "8080" + - group: "" + kind: Service + name: http-backend + sectionName: "8081" + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: example.com + status: + ancestors: + - ancestorRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-btls + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-1 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + 
- name: http-backend + namespace: envoy-gateway + port: 8080 + matches: + - path: + type: Exact + value: /exact-1 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-btls-2 + namespace: envoy-gateway + spec: + parentRefs: + - name: gateway-btls + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: http-backend + namespace: envoy-gateway + port: 8081 + matches: + - path: + type: Exact + value: /exact-2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-btls + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-btls: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-btls/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-btls + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-btls +xdsIR: + envoy-gateway/gateway-btls: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-btls + namespace: envoy-gateway + 
sectionName: http + name: envoy-gateway/gateway-btls/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/envoy-gateway/httproute-btls-1/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-1 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-1/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-1 + name: "" + - destination: + name: httproute/envoy-gateway/httproute-btls-2/rule/0 + settings: + - protocol: HTTP + tls: + alpnProtocols: null + caCertificate: + certificate: 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 + name: policy-btls/envoy-gateway-ca + sni: example.com + weight: 1 + directResponse: + statusCode: 500 + hostname: '*' + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-btls-2 + namespace: envoy-gateway + name: httproute/envoy-gateway/httproute-btls-2/rule/0/match/0/* + pathMatch: + distinct: false + exact: /exact-2 + name: "" diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 3795a8b2fb9..2a028241148 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -18,6 +18,7 @@ bug fixes: | The xDS translation failed when wasm http code source configured without a sha HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses Route with multiple parents has incorrect namespace in parentRef status + BackendTlsPolicy specify multiple targetRefs of the same service, only one will work Helm chart fails for Flux HelmRelease # Enhancements that improve performance. From 7ff065cef6ede0e6f7b4fa0c826c48a5e417ef26 Mon Sep 17 00:00:00 2001 
From: Huabing Zhao
Date: Wed, 6 Nov 2024 11:37:56 +0800
Subject: [PATCH 360/523] fix build (#4641)
Signed-off-by: Huabing Zhao
---
 .github/workflows/build_and_test.yaml | 5 +++--
 .github/workflows/release.yaml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 10375375d46..cd49c5a82c7 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -223,5 +223,6 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 # use `0.0.0` as the default latest version.
 # use `Always` image pull policy for latest version.
- run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push
- run: IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=0.0.0-latest TAG=latest make helm-push
+ run: |
+ IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=v0.0.0-latest TAG=latest make helm-push
+ IMAGE_PULL_POLICY=Always OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=0.0.0-latest TAG=latest make helm-push
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ad49f40082c..6c4d715edc8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
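Review bot: In build_and_test.yaml the two comments above the step explain `0.0.0` and `Always`, but not why the chart is pushed twice, once as `v0.0.0-latest` and once as `0.0.0-latest`. A one-line comment such as `# push both the v-prefixed and the bare semver chart version; the bare one is for Flux HelmRelease` would keep a later cleanup from dropping one of the pushes. The Flux reason comes from the release notes elsewhere in this series, so confirm it applies here. The step itself starts outside the hunk.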
@@ -73,8 +73,9 @@ jobs: run: IMAGE_PULL_POLICY=IfNotPresent make generate-artifacts IMAGE=envoyproxy/gateway TAG=${{ env.release_tag }} OUTPUT_DIR=release-artifacts - name: Build and Push EG Release Helm Chart - run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - run: IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + run: | + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push + IMAGE_PULL_POLICY=IfNotPresent OCI_REGISTRY=oci://docker.io/envoyproxy CHART_VERSION=${{ env.without_v_release_tag }} IMAGE=docker.io/envoyproxy/gateway TAG=${{ env.release_tag }} make helm-package helm-push - name: Download Benchmark Report uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 From 3efdb15e61361365b031d0f575bd84f5939e07dd Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 15:22:16 +0800 Subject: [PATCH 361/523] Add release docs for v1.2.0 (#4570) * add release note for v1.2.0 Signed-off-by: Huabing Zhao update release note Signed-off-by: Huabing Zhao update release note Signed-off-by: Huabing Zhao * manually create release note Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment 
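Review bot: The new `run: |` block in release.yaml still expands `${{ env.release_tag }}` and `${{ env.without_v_release_tag }}` straight into the script, so the values become part of the shell text before bash parses it. If they are derived from the pushed tag name (where they are set is not visible in this hunk), read them as environment variables instead so they are handled as data, e.g. `CHART_VERSION="${release_tag}" IMAGE=docker.io/envoyproxy/gateway TAG="${release_tag}" make helm-package helm-push`, and likewise `"${without_v_release_tag}"` on the second line. The unchanged `generate-artifacts` step just above uses the same pattern and would benefit from the same change. The enclosing job starts and ends outside the hunk.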
Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * manually create release note Signed-off-by: Huabing Zhao * manually create release note Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * Update release-notes/v1.2.0.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta --- release-notes/current.yaml | 9 +- release-notes/v1.2.0.yaml | 140 ++++++++++++++++++ site/content/en/news/releases/notes/v1.2.0.md | 85 +++++++++++ tools/make/common.mk | 2 +- tools/make/docs.mk | 2 +- 5 files changed, 229 insertions(+), 9 deletions(-) create mode 100644 release-notes/v1.2.0.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.0.md diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 2a028241148..bfc711148bd 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -10,16 +10,11 @@ security updates: | # New features or capabilities added in this release. new features: | - Add support for modifying container securityContext for Envoy Gateway deployment in Helm + Add a new feature here # Fixes for bugs identified in previous versions. bug fixes: | - Only log endpoint configuration in verbose logging mode (`-v 4` or higher) - The xDS translation failed when wasm http code source configured without a sha - HTTPRoute status only shows one parent when targeting multiple Gateways from different GatewayClasses - Route with multiple parents has incorrect namespace in parentRef status - BackendTlsPolicy specify multiple targetRefs of the same service, only one will work - Helm chart fails for Flux HelmRelease + Add a bug fix here # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.0.yaml b/release-notes/v1.2.0.yaml new file mode 100644 index 00000000000..c87a1d2c1d5 --- /dev/null +++ b/release-notes/v1.2.0.yaml 
@@ -0,0 +1,140 @@ +date: November 6, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs or updating default values. +breaking changes: | + Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed + Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information + Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling + Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively + Set ignore_health_on_host_removal to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured + Xds and Infra IR logs are logged at Debug level instead of Info level. They will now not be seen by default in Envoy Gateway logs. You can change the logging level to default: debug to view them + +# New features or capabilities added in this release. 
+new features: | + Added support for Gateway-API v1.2.0 + Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources + Added experimental support for EG standalone(host deployment) mode + Added support for JWT claims based Authorization in SecurityPolicy CRD + Added support for Response Override in BackendTrafficPolicy CRD + Added support for RequestTimeout in BackendTrafficPolicy CRD + Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD + Added support for client TLS session resumption in ClientTrafficPolicy CRD + Added support for HTTPRouteFilter and path regex rewrite + Added support for host header rewrite in HTTPRouteFilter CRD + Added support for Listener Access Log in EnvoyProxy CRD + Added support for Datadog tracing support in EnvoyProxy CRD + Added support for request response sizes stats in EnvoyProxy CRD + Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm + Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD + Added support for match conditions for access log in EnvoyProxy CRD + Added support for using BackendCluster to represent OIDCProvider + Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD + Added support for sharing token cookies between multiple domains in SecurityPolicy CRD + Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD + Added support for Active Passive Failover Backends + Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD + Added support for early request header mutation in the ClientTrafficPolicy CRD + Added support for JsonPath in the EnvoyPatchPolicy CRD + Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD + Added support for cluster settings for non xRoute-generated backend refs + Added support for socket buffer limit field in ClientTrafficPolicy and 
BackendTrafficPolicy CRD + Added support for http2 upstream settings in BackendTrafficPolicy CRD + Added support for DNS resolution settings in BackendTrafficPolicy CRD + Added support for configuring service annotations in the Envoy Gateway helm chart + Added support for configuring priorityClassName to Envoy Gateway helm chart + Added support for ratelimit metrics monitoring in grafana in the addons helm chart + Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart + Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart + Added support for configuring NodeSelector in the Envoy Gateway helm chart + Added support for nonce in the OIDC auth flow + Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host + Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails + Added support for returning 500 when SecurityPolicy translation fails + Added support for multiple backendRefs for ExtAuth and ExtProc + Added support for session persistence in HTTPRoute rules + Added support for the Backend resource for ExtAuth + Added support for target selectors on Envoy Gateway Extension Server policies + Added support for non-Kubernetes Backends for TLSRoute + Added support for fallback to the Backend API + Added support for reloadable EnvoyGateway configuration + Added support for adding Labels to the Envoy Service + Added support for custom name for ratelimit deployment + Added default SecurityContext for EG components + Added startupProbe to all provisioned containers + Added support for local validations for egctl translate and file provider + Added support for egctl x collect to collect information from the cluster for debugging + Added support for a native prometheus metrics endpoint in the ratelimit server + +# Fixes for bugs identified in previous versions. 
+bug fixes: | + Fixed xDS translation failing when the WASM HTTP code source was configured without an SHA + Fixed unsupported listener protocol types causing errors while updating Gateway status + Fixed unsupported listener protocol types causing errors while updating Gateway status + Fixed invalid sectionName in BackendTLSPolicy for Backend + Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors + Fixed JSONPath not being correctly translated to JSONPatch paths + Fixed allowing an empty slowStart value when using LeastRequest + Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid + Fixed timeout settings originating from the route being lost when translating the backend traffic policy + Fixed Backend resources not receiving status updates + Fixed active health checks requiring the expectedStatuses field to function correctly + Fixed HTTPHeaderFilter processing not correctly supporting multiple header values + Fixed reconciling multiple ReferenceGrants within the same namespace + Fixed unwanted / appearing in the Path when using Prefix Rewrites + Fixed incorrect gateway being selected as the HTTPRoute parent + Fixed override issues for EnvoyExtensionPolicy + Fixed nil pointer error when translating hash load balancing + Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not + Fixed empty connection limits causing xDS rejection + Fixed rate limiting not working with both headers and CIDR matches + Fixed EDS not updating when deployments were created after services + Fixed RBAC issue for deleting infrastructure resources + Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset + Fixed rate limit deployment ignoring pod labels and annotation merges + Fixed the API Server receives unnecessary requests + Fixed egctl experimental translate using an incorrect namespace + Fixed reconciliation not being triggered for Secret updates referenced 
by a BackendTLSPolicy + Fixed xDS translation failure when WASM HTTP code source was configured without an SHA + Fixed HTTPRoute status displaying only one parent when targeting multiple gateways from different GatewayClasses + Fixed Route with multiple parents having an incorrect namespace in the parentRef status + Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work + +# Enhancements that improve performance. +performance improvements: | + Optimize memory usage by only storing distinct resources + +# Other notable changes not covered by the above sections. +Other changes: | + Upgraded Envoy Proxy to v1.32.1 + Reduced the amount of configuration logging, and make it line-delimited friendly + Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions + Removed grafana test framework from the addons helm chart + Disabled ALPN for non-HTTP routes + Added statPrefix for HCM and TCPProxy + Enabled GatewayHTTPListenerIsolation conformance test + Enabled GRPC conformance profile + Enabled HTTPRouteBackendRequestHeaderModifier conformance test + Added e2e test for Daemonset mode + Fixed OVS scanner wrong license warnings + Added e2e test for Gateway with EnvoyProxy + Added e2e test for TLS session resumption + Added heap profile into benchmark report + Added e2e test for RecomputeRoute in ExtAuth + Added benchmark memory profiles into report + Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test + Fixed flaky Zipkin Tracing e2e test + Added e2e test for cookie based consistent hash load balancing + Added e2e test for load balancing + Fixed flaky authorization tests + Enabled upgrade test + Fixed flaky basic auth e2e test + Enabled use-client-protocol e2e test + Added performance benchmarking test for 1000 HTTPRoutes + Added e2e test for Datadog tracing + Added e2e tests for ratelimit invert matching headers + Reduced readinessProbe failureThreshold and periodSeconds + Bumped 
go-control-plane to v0.13.1 + Enabled e2e tests for dual stack + Use grafana alloy instead of fluent-bit for e2e tests + Push tags without the v prefix for helm charts to support Flux HelmReleases + Use a stable label selector when creating Envoy Proxy fleet pods diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md new file mode 100644 index 00000000000..de9eb3a0bff --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.0.md 
@@ -0,0 +1,85 @@ +--- +title: "v1.2.0" +publishdate: 2024-11-06 +--- + +# Envoy Gateway v1.2.0 Release Notes + +**Release Date:** November 6, 2024 + +The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. + +--- + +## 🚨 Breaking Changes + +- **Gateway API Updates**: Removed `GRPCRoute` and `ReferenceGrant` v1alpha2. [See the Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) for details. +- **CPU Limits**: Removed default CPU limit for Envoy Gateway deployment to avoid throttling. +- **Envoy Shutdown Settings**: Drain strategy set to immediate, with default values as follows: + - `minDrainDuration`: 10s + - `drainTimeout`: 60s + - `terminationGracePeriodSeconds`: 360s +- **Endpoint Health Removal**: Enabled `ignore_health_on_host_removal` for clusters with static endpoints to improve removal speed. +- **Logging Level Adjustment**: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. Change logging level to `debug` to view them. + +--- + +## ✨ New Features + +### API & Traffic Management Enhancements +- **Gateway-API v1.2.0 Support**: Fully compatible with the latest Gateway-API standards. +- **IPv4/IPv6 Dual Stack**: Now available for EnvoyProxy fleet and `BackendRef` resources. +- **Standalone Mode**: Experimental support for Envoy Gateway standalone (host deployment) mode. +- **JWT Authorization**: Added JWT claims-based authorization in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy) CRD. +- **Response Override**: Added support for `Response Override` and `RequestTimeout` in [`BackendTrafficPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy). 
+- **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/latest/api/extension_types/#backend) API. +- **Session Persistence in HTTPRoute**: Session persistence is supported in [`HTTPRoute`](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. +- **HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) + +### Security Enhancements +- **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy). +- **CORS Wildcard Matching**: Wildcard matching for `AllowMethods` and `AllowHeaders` settings. +- **OIDC Flow Support**: Added nonce support for OIDC authorization. + +### Observability & Tracing +- **Datadog Tracing Integration**: Improved support for Datadog tracing in [`EnvoyProxy`](https://gateway.envoyproxy.io/latest/api/extension_types/#envoyproxy) CRD. +- **Access Log Matching**: Filter logs based on custom criteria using `match conditions` in EnvoyProxy. +- **Native Prometheus Metrics**: Introduced a Prometheus metrics endpoint for rate limit monitoring. + +### Helm Customization +- **SecurityContext Options**: Customizable security context for improved deployment. +- **NodeSelector and PriorityClassName**: Added for more granular deployment configuration. + +--- + +## 🐞 Bug Fixes + +- Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA. +- Resolved unsupported listener protocol types causing errors in Gateway status updates. +- Fixed `BackendTLSPolicy` causing crashes due to invalid `sectionName` in `Backend` configurations. +- Fixed propagation delays in `SecurityPolicy` updates for `HTTPRoute` when using `targetSelectors`. 
+- Improved `JSONPath` to `JSONPatch` translation accuracy. +- Fixed unwanted `/` appearing in paths when using prefix rewrites. +- Corrected nil pointer errors when configuring hash load balancing. +- Fixed active health check issues where `expectedStatuses` was not functioning properly. +- Ensured correct status updates for `Backend` resources and `HTTPRoute`. + +--- + +## 🚀 Performance Improvements + +- **Memory Optimization**: Enhanced memory usage by eliminating redundant resource storage. + +--- + +## ⚙️ Other Notable Changes + +- **Envoy Upgrade**: Now using Envoy [v1.32.1](https://www.envoyproxy.io/docs/envoy/v1.32.1/version_history/v1.32/v1.32.1) for added stability and performance. +- **Optional Alpha CRD Watching**: Allows Envoy Gateway to run with older Gateway API versions. + + +For more information and full API documentation, please visit the [Envoy Gateway Documentation](https://gateway.envoyproxy.io/docs/). + +--- + +This release strengthens Envoy Gateway with enhanced API support, security policies, and observability features to better serve high-demand environments. \ No newline at end of file diff --git a/tools/make/common.mk b/tools/make/common.mk index 4eca7ce06ec..c2e0d380f2b 100644 --- a/tools/make/common.mk +++ b/tools/make/common.mk @@ -120,7 +120,7 @@ export USAGE_OPTIONS .PHONY: generate generate: ## Generate go code from templates and tags -generate: kube-generate docs-api helm-generate go.generate release-notes-docs copy-current-release-docs +generate: kube-generate docs-api helm-generate go.generate copy-current-release-docs ## help: Show this help info. .PHONY: help diff --git a/tools/make/docs.mk b/tools/make/docs.mk index f1ee2844f4b..761fb183d75 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk 
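Review bot: Dropping `release-notes-docs` from `generate` in tools/make/common.mk (and from `docs-release` in tools/make/docs.mk) leaves `site/content/en/news/releases/notes/v1.2.0.md` hand-written alongside `release-notes/v1.2.0.yaml`. The two already differ in this commit: the yaml lists the unsupported-listener-protocol fix twice and the markdown lists it once. A comment next to the target, e.g. `# release notes markdown is written by hand; release-notes-docs is intentionally not run here`, would tell the next release manager which file is authoritative. If the `release-notes-docs` target is now unused (its definition is not visible here), consider removing it as well.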
@@ -26,7 +26,7 @@ copy-current-release-docs: ## Copy the current release docs to the docs folder cp -r $(ROOT_DIR)/site/content/en/$$CURRENT_RELEASE/** $(ROOT_DIR)/site/content/en/docs .PHONY: docs-release -docs-release: docs-release-prepare release-notes-docs docs-release-gen docs ## Generate Envoy Gateway Release Docs +docs-release: docs-release-prepare docs-release-gen docs ## Generate Envoy Gateway Release Docs .PHONY: docs-serve docs-serve: copy-current-release-docs ## Start Envoy Gateway Site Locally From e68d5737f7f6fa962ee8baecd0a96fe26f25895f Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 15:30:20 +0800 Subject: [PATCH 362/523] Update compatiblility matrix for v1.2. (#4571) * update compatiblility matrix Signed-off-by: Huabing Zhao * Update site/content/en/news/releases/matrix.md Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta --- site/content/en/news/releases/matrix.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/content/en/news/releases/matrix.md b/site/content/en/news/releases/matrix.md index c4911f317e5..8fbb021322a 100644 --- a/site/content/en/news/releases/matrix.md +++ b/site/content/en/news/releases/matrix.md 
@@ -7,7 +7,8 @@ Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs within a K | Envoy Gateway version | Envoy Proxy version | Rate Limit version | Gateway API version | Kubernetes version | |-----------------------|-----------------------------|--------------------|---------------------|----------------------------| -| latest | **dev-latest** | **master** | **v1.0.0** | v1.28, v1.29, v1.30, v1.31 | +| latest | **dev-latest** | **master** | **v1.2.0** | v1.28, v1.29, v1.30, v1.31 | +| v1.2 | **distroless-v1.32.1** | **28b1629a** | **v1.2.0** | v1.28, v1.29, v1.30, v1.31 | | v1.1 | **distroless-v1.31.0** | **91484c59** | **v1.1.0** | v1.27, v1.28, v1.29, v1.30 | | v1.0 | **distroless-v1.29.2** | **19f2079f** | **v1.0.0** | v1.26, v1.27, v1.28, v1.29 | | v0.6 | **distroless-v1.28-latest** | **b9796237** | **v1.0.0** | v1.26, v1.27, v1.28 | From 46da4b959360ab5359b7014a88b4d8a6cb5a9361 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 6 Nov 2024 18:53:12 +0800 Subject: [PATCH 363/523] docs for release v1.2.0 (#4642) * docs for release v1.2.0 Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- VERSION | 2 +- site/content/en/docs/api/extension_types.md | 859 ++-- .../boilerplates/rollout-envoy-gateway.md | 10 + .../docs/install/gateway-addons-helm-api.md | 36 +- .../en/docs/install/gateway-helm-api.md | 13 +- .../en/docs/install/migrating-to-envoy.md | 143 + .../tasks/extensibility/envoy-patch-policy.md | 88 +- .../en/docs/tasks/extensibility/ext-proc.md | 9 +- .../tasks/extensibility/extension-server.md | 3 +- .../en/docs/tasks/extensibility/wasm.md | 35 +- .../observability/gateway-api-metrics.md | 3 +- .../observability/gateway-observability.md | 12 +- .../tasks/observability/proxy-accesslog.md | 59 + .../docs/tasks/observability/proxy-trace.md | 62 +- .../observability/rate-limit-observability.md | 6 +- .../content/en/docs/tasks/operations/egctl.md | 2 - .../en/docs/tasks/security/backend-tls.md | 5 +- .../en/docs/tasks/security/basic-auth.md | 3 +- site/content/en/docs/tasks/security/cors.md | 3 +- .../en/docs/tasks/security/ext-auth.md | 9 +- .../docs/tasks/security/jwt-authentication.md | 4 +- .../tasks/security/jwt-claim-authorization.md | 226 + .../en/docs/tasks/security/mutual-tls.md | 3 +- site/content/en/docs/tasks/security/oidc.md | 108 +- .../tasks/security/private-key-provider.md | 72 +- .../docs/tasks/security/restrict-ip-access.md | 23 +- .../en/docs/tasks/security/secure-gateways.md | 83 +- .../docs/tasks/security/tls-cert-manager.md | 3 +- .../en/docs/tasks/security/tls-passthrough.md | 3 +- .../en/docs/tasks/security/tls-termination.md | 3 +- site/content/en/docs/tasks/traffic/backend.md | 21 +- .../en/docs/tasks/traffic/circuit-breaker.md | 3 +- .../tasks/traffic/client-traffic-policy.md | 8 +- .../en/docs/tasks/traffic/connection-limit.md | 4 +- .../en/docs/tasks/traffic/direct-response.md | 284 ++ .../en/docs/tasks/traffic/fault-injection.md | 5 +- .../en/docs/tasks/traffic/gateway-address.md | 2 +- .../docs/tasks/traffic/global-rate-limit.md | 63 +- .../en/docs/tasks/traffic/grpc-routing.md | 3 +- 
.../en/docs/tasks/traffic/http-redirect.md | 3 +- .../tasks/traffic/http-request-headers.md | 175 +- .../tasks/traffic/http-request-mirroring.md | 6 +- .../tasks/traffic/http-response-headers.md | 3 +- .../en/docs/tasks/traffic/http-routing.md | 3 +- .../en/docs/tasks/traffic/http-timeouts.md | 5 +- .../tasks/traffic/http-traffic-splitting.md | 5 +- .../en/docs/tasks/traffic/http-urlrewrite.md | 298 +- site/content/en/docs/tasks/traffic/http3.md | 3 +- .../en/docs/tasks/traffic/load-balancing.md | 5 +- .../en/docs/tasks/traffic/local-rate-limit.md | 226 +- site/content/en/docs/tasks/traffic/retry.md | 2 +- .../en/docs/tasks/traffic/tcp-routing.md | 5 +- .../en/docs/tasks/traffic/udp-routing.md | 3 +- site/content/en/news/releases/notes/v1.2.0.md | 4 +- site/content/en/v1.2/_index.md | 15 + site/content/en/v1.2/api/_index.md | 5 + site/content/en/v1.2/api/extension_types.md | 4167 +++++++++++++++++ site/content/en/v1.2/boilerplates/index.md | 5 + .../v1.2/boilerplates/o11y_prerequisites.md | 14 + .../en/v1.2/boilerplates/prerequisites.md | 24 + .../boilerplates/rollout-envoy-gateway.md | 10 + site/content/en/v1.2/concepts/_index.md | 5 + .../en/v1.2/concepts/concepts_overview.md | 53 + site/content/en/v1.2/install/_index.md | 5 + site/content/en/v1.2/install/custom-cert.md | 146 + .../v1.2/install/gateway-addons-helm-api.md | 139 + .../en/v1.2/install/gateway-helm-api.md | 75 + site/content/en/v1.2/install/install-egctl.md | 72 + site/content/en/v1.2/install/install-helm.md | 144 + site/content/en/v1.2/install/install-yaml.md | 67 + .../en/v1.2/install/migrating-to-envoy.md | 143 + site/content/en/v1.2/tasks/_index.md | 5 + .../en/v1.2/tasks/extensibility/_index.md | 5 + .../tasks/extensibility/build-wasm-image.md | 71 + .../tasks/extensibility/envoy-patch-policy.md | 428 ++ .../en/v1.2/tasks/extensibility/ext-proc.md | 283 ++ .../tasks/extensibility/extension-server.md | 209 + .../en/v1.2/tasks/extensibility/wasm.md | 187 + .../en/v1.2/tasks/observability/_index.md 
| 5 + .../observability/gateway-api-metrics.md | 58 + .../observability/gateway-exported-metrics.md | 97 + .../observability/gateway-observability.md | 168 + .../observability/grafana-integration.md | 87 + .../tasks/observability/proxy-accesslog.md | 310 ++ .../v1.2/tasks/observability/proxy-metric.md | 47 + .../v1.2/tasks/observability/proxy-trace.md | 293 ++ .../observability/rate-limit-observability.md | 94 + .../en/v1.2/tasks/operations/_index.md | 5 + .../tasks/operations/customize-envoyproxy.md | 1008 ++++ .../v1.2/tasks/operations/deployment-mode.md | 1072 +++++ .../content/en/v1.2/tasks/operations/egctl.md | 906 ++++ site/content/en/v1.2/tasks/quickstart.md | 130 + site/content/en/v1.2/tasks/security/_index.md | 5 + .../en/v1.2/tasks/security/backend-mtls.md | 200 + .../en/v1.2/tasks/security/backend-tls.md | 408 ++ .../en/v1.2/tasks/security/basic-auth.md | 219 + site/content/en/v1.2/tasks/security/cors.md | 176 + .../en/v1.2/tasks/security/ext-auth.md | 453 ++ .../v1.2/tasks/security/jwt-authentication.md | 170 + .../tasks/security/jwt-claim-authorization.md | 226 + .../en/v1.2/tasks/security/mutual-tls.md | 183 + site/content/en/v1.2/tasks/security/oidc.md | 414 ++ .../tasks/security/private-key-provider.md | 653 +++ .../v1.2/tasks/security/restrict-ip-access.md | 196 + .../en/v1.2/tasks/security/secure-gateways.md | 599 +++ .../en/v1.2/tasks/security/threat-model.md | 665 +++ .../v1.2/tasks/security/tls-cert-manager.md | 435 ++ .../en/v1.2/tasks/security/tls-passthrough.md | 123 + .../en/v1.2/tasks/security/tls-termination.md | 92 + site/content/en/v1.2/tasks/traffic/_index.md | 5 + site/content/en/v1.2/tasks/traffic/backend.md | 210 + .../en/v1.2/tasks/traffic/circuit-breaker.md | 149 + .../tasks/traffic/client-traffic-policy.md | 680 +++ .../en/v1.2/tasks/traffic/connection-limit.md | 135 + .../en/v1.2/tasks/traffic/direct-response.md | 284 ++ .../en/v1.2/tasks/traffic/fault-injection.md | 382 ++ .../en/v1.2/tasks/traffic/gateway-address.md | 68 + 
.../v1.2/tasks/traffic/gatewayapi-support.md | 120 + .../v1.2/tasks/traffic/global-rate-limit.md | 1339 ++++++ .../en/v1.2/tasks/traffic/grpc-routing.md | 271 ++ .../en/v1.2/tasks/traffic/http-redirect.md | 398 ++ .../tasks/traffic/http-request-headers.md | 620 +++ .../tasks/traffic/http-request-mirroring.md | 445 ++ .../tasks/traffic/http-response-headers.md | 445 ++ .../en/v1.2/tasks/traffic/http-routing.md | 301 ++ .../en/v1.2/tasks/traffic/http-timeouts.md | 198 + .../tasks/traffic/http-traffic-splitting.md | 526 +++ .../en/v1.2/tasks/traffic/http-urlrewrite.md | 699 +++ site/content/en/v1.2/tasks/traffic/http3.md | 133 + .../en/v1.2/tasks/traffic/load-balancing.md | 923 ++++ .../en/v1.2/tasks/traffic/local-rate-limit.md | 628 +++ .../tasks/traffic/multicluster-service.md | 86 + site/content/en/v1.2/tasks/traffic/retry.md | 145 + .../traffic/routing-outside-kubernetes.md | 168 + .../en/v1.2/tasks/traffic/tcp-routing.md | 482 ++ .../en/v1.2/tasks/traffic/udp-routing.md | 169 + site/hugo.toml | 7 +- site/layouts/shortcodes/helm-version.html | 5 +- site/layouts/shortcodes/yaml-version.html | 5 +- 139 files changed, 28338 insertions(+), 491 deletions(-) create mode 100644 site/content/en/docs/boilerplates/rollout-envoy-gateway.md create mode 100644 site/content/en/docs/install/migrating-to-envoy.md create mode 100644 site/content/en/docs/tasks/security/jwt-claim-authorization.md create mode 100644 site/content/en/docs/tasks/traffic/direct-response.md create mode 100644 site/content/en/v1.2/_index.md create mode 100644 site/content/en/v1.2/api/_index.md create mode 100644 site/content/en/v1.2/api/extension_types.md create mode 100644 site/content/en/v1.2/boilerplates/index.md create mode 100644 site/content/en/v1.2/boilerplates/o11y_prerequisites.md create mode 100644 site/content/en/v1.2/boilerplates/prerequisites.md create mode 100644 site/content/en/v1.2/boilerplates/rollout-envoy-gateway.md create mode 100644 site/content/en/v1.2/concepts/_index.md create mode 
100644 site/content/en/v1.2/concepts/concepts_overview.md create mode 100644 site/content/en/v1.2/install/_index.md create mode 100644 site/content/en/v1.2/install/custom-cert.md create mode 100644 site/content/en/v1.2/install/gateway-addons-helm-api.md create mode 100644 site/content/en/v1.2/install/gateway-helm-api.md create mode 100644 site/content/en/v1.2/install/install-egctl.md create mode 100644 site/content/en/v1.2/install/install-helm.md create mode 100644 site/content/en/v1.2/install/install-yaml.md create mode 100644 site/content/en/v1.2/install/migrating-to-envoy.md create mode 100644 site/content/en/v1.2/tasks/_index.md create mode 100644 site/content/en/v1.2/tasks/extensibility/_index.md create mode 100644 site/content/en/v1.2/tasks/extensibility/build-wasm-image.md create mode 100644 site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md create mode 100644 site/content/en/v1.2/tasks/extensibility/ext-proc.md create mode 100644 site/content/en/v1.2/tasks/extensibility/extension-server.md create mode 100644 site/content/en/v1.2/tasks/extensibility/wasm.md create mode 100644 site/content/en/v1.2/tasks/observability/_index.md create mode 100644 site/content/en/v1.2/tasks/observability/gateway-api-metrics.md create mode 100644 site/content/en/v1.2/tasks/observability/gateway-exported-metrics.md create mode 100644 site/content/en/v1.2/tasks/observability/gateway-observability.md create mode 100644 site/content/en/v1.2/tasks/observability/grafana-integration.md create mode 100644 site/content/en/v1.2/tasks/observability/proxy-accesslog.md create mode 100644 site/content/en/v1.2/tasks/observability/proxy-metric.md create mode 100644 site/content/en/v1.2/tasks/observability/proxy-trace.md create mode 100644 site/content/en/v1.2/tasks/observability/rate-limit-observability.md create mode 100644 site/content/en/v1.2/tasks/operations/_index.md create mode 100644 site/content/en/v1.2/tasks/operations/customize-envoyproxy.md create mode 100644 
site/content/en/v1.2/tasks/operations/deployment-mode.md create mode 100644 site/content/en/v1.2/tasks/operations/egctl.md create mode 100644 site/content/en/v1.2/tasks/quickstart.md create mode 100644 site/content/en/v1.2/tasks/security/_index.md create mode 100644 site/content/en/v1.2/tasks/security/backend-mtls.md create mode 100644 site/content/en/v1.2/tasks/security/backend-tls.md create mode 100644 site/content/en/v1.2/tasks/security/basic-auth.md create mode 100644 site/content/en/v1.2/tasks/security/cors.md create mode 100644 site/content/en/v1.2/tasks/security/ext-auth.md create mode 100644 site/content/en/v1.2/tasks/security/jwt-authentication.md create mode 100644 site/content/en/v1.2/tasks/security/jwt-claim-authorization.md create mode 100644 site/content/en/v1.2/tasks/security/mutual-tls.md create mode 100644 site/content/en/v1.2/tasks/security/oidc.md create mode 100644 site/content/en/v1.2/tasks/security/private-key-provider.md create mode 100644 site/content/en/v1.2/tasks/security/restrict-ip-access.md create mode 100644 site/content/en/v1.2/tasks/security/secure-gateways.md create mode 100644 site/content/en/v1.2/tasks/security/threat-model.md create mode 100644 site/content/en/v1.2/tasks/security/tls-cert-manager.md create mode 100644 site/content/en/v1.2/tasks/security/tls-passthrough.md create mode 100644 site/content/en/v1.2/tasks/security/tls-termination.md create mode 100644 site/content/en/v1.2/tasks/traffic/_index.md create mode 100644 site/content/en/v1.2/tasks/traffic/backend.md create mode 100644 site/content/en/v1.2/tasks/traffic/circuit-breaker.md create mode 100644 site/content/en/v1.2/tasks/traffic/client-traffic-policy.md create mode 100644 site/content/en/v1.2/tasks/traffic/connection-limit.md create mode 100644 site/content/en/v1.2/tasks/traffic/direct-response.md create mode 100644 site/content/en/v1.2/tasks/traffic/fault-injection.md create mode 100644 site/content/en/v1.2/tasks/traffic/gateway-address.md create mode 100644 
site/content/en/v1.2/tasks/traffic/gatewayapi-support.md create mode 100644 site/content/en/v1.2/tasks/traffic/global-rate-limit.md create mode 100644 site/content/en/v1.2/tasks/traffic/grpc-routing.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-redirect.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-request-headers.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-request-mirroring.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-response-headers.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-routing.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-timeouts.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-traffic-splitting.md create mode 100644 site/content/en/v1.2/tasks/traffic/http-urlrewrite.md create mode 100644 site/content/en/v1.2/tasks/traffic/http3.md create mode 100644 site/content/en/v1.2/tasks/traffic/load-balancing.md create mode 100644 site/content/en/v1.2/tasks/traffic/local-rate-limit.md create mode 100644 site/content/en/v1.2/tasks/traffic/multicluster-service.md create mode 100644 site/content/en/v1.2/tasks/traffic/retry.md create mode 100644 site/content/en/v1.2/tasks/traffic/routing-outside-kubernetes.md create mode 100644 site/content/en/v1.2/tasks/traffic/tcp-routing.md create mode 100644 site/content/en/v1.2/tasks/traffic/udp-routing.md diff --git a/VERSION b/VERSION index 1bf010be510..79127d85a49 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.0-rc.1 +v1.2.0 diff --git a/site/content/en/docs/api/extension_types.md b/site/content/en/docs/api/extension_types.md index 2079770c76f..23f69fd832a 100644 --- a/site/content/en/docs/api/extension_types.md +++ b/site/content/en/docs/api/extension_types.md 
@@ -15,19 +15,14 @@ API group. ### Resource Types - [Backend](#backend) -- [BackendList](#backendlist) - [BackendTrafficPolicy](#backendtrafficpolicy) -- [BackendTrafficPolicyList](#backendtrafficpolicylist) - [ClientTrafficPolicy](#clienttrafficpolicy) -- [ClientTrafficPolicyList](#clienttrafficpolicylist) - [EnvoyExtensionPolicy](#envoyextensionpolicy) -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) - [EnvoyGateway](#envoygateway) - [EnvoyPatchPolicy](#envoypatchpolicy) -- [EnvoyPatchPolicyList](#envoypatchpolicylist) - [EnvoyProxy](#envoyproxy) +- [HTTPRouteFilter](#httproutefilter) - [SecurityPolicy](#securitypolicy) -- [SecurityPolicyList](#securitypolicylist) @@ -68,7 +63,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs references a Kubernetes object that represents the gRPC service to which
the access logs will be sent. Currently only Service is supported. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | | `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | | `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | @@ -124,6 +121,7 @@ _Appears in:_ | `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | | `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | | `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | #### ActiveHealthCheckPayload @@ -171,6 +169,7 @@ _Appears in:_ | ----- | ----------- | | `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| | `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +| `GRPC` | ActiveHealthCheckerTypeGRPC defines the GRPC type of health checking.
| #### AppProtocolType @@ -234,9 +233,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule.n | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | | `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | -| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. | +| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | #### BackOffPolicy @@ -261,8 +260,7 @@ _Appears in:_ Backend allows the user to configure the endpoints of a backend and the behavior of the connection from Envoy Proxy to the backend. -_Appears in:_ -- [BackendList](#backendlist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -273,22 +271,35 @@ _Appears in:_ | `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | +#### BackendCluster +BackendCluster contains all the configuration required for configuring access +to a backend. This can include multiple endpoints, and settings that apply for +managing the connection to all these endpoints. + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | -#### BackendConnection -BackendConnection allows users to configure connection-level settings of backend -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `bufferLimit` | _[Quantity](#quantity)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -305,26 +316,10 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | -#### BackendList - - - -BackendList contains a list of Backend resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[Backend](#backend) array_ | true | | - - #### BackendRef @@ -333,9 +328,11 @@ BackendRef defines how an ObjectReference that is specific to BackendRef. _Appears in:_ - [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) - [ExtProc](#extproc) - [GRPCExtAuthService](#grpcextauthservice) - [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) - [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) - [ProxyOpenTelemetrySink](#proxyopentelemetrysink) - [TracingProvider](#tracingprovider) @@ -347,6 +344,7 @@ _Appears in:_ | `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | | `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | | `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendSpec @@ -362,6 +360,7 @@ _Appears in:_ | --- | --- | --- | --- | | `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | | `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | #### BackendStatus @@ -405,8 +404,7 @@ _Appears in:_ BackendTrafficPolicy allows the user to configure the behavior of the connection between the Envoy Proxy listener and the backend service. -_Appears in:_ -- [BackendTrafficPolicyList](#backendtrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -417,24 +415,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | - - -#### BackendTrafficPolicyList - - - -BackendTrafficPolicyList contains a list of BackendTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`BackendTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[BackendTrafficPolicy](#backendtrafficpolicy) array_ | true | | - - #### BackendTrafficPolicySpec @@ -449,17 +429,20 @@ _Appears in:_ | `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | | `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | | `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | -| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | -| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | | `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | | `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | | `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | -| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | | `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | -| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | -| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | | `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | | `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | #### BasicAuth @@ -473,7 +456,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:{SHA}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | #### BootstrapType @@ -489,6 +472,7 @@ _Appears in:_ | ----- | ----------- | | `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| | `Replace` | Replace replaces the default bootstrap with the provided one.
| +| `JSONPatch` | JSONPatch applies the provided JSONPatches to the default bootstrap.
| #### CIDR @@ -514,31 +498,15 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `allowOrigins` | _[Origin](#origin) array_ | true | AllowOrigins defines the origins that are allowed to make requests. | -| `allowMethods` | _string array_ | true | AllowMethods defines the methods that are allowed to make requests. | -| `allowHeaders` | _string array_ | true | AllowHeaders defines the headers that are allowed to be sent with requests. | -| `exposeHeaders` | _string array_ | true | ExposeHeaders defines the headers that can be exposed in the responses. | -| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | MaxAge defines how long the results of a preflight request can be cached. | -| `allowCredentials` | _boolean_ | true | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates. | - - -#### CircuitBreaker +| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | -CircuitBreaker defines the Circuit Breaker configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | -| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | -| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | -| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | - #### ClaimToHeader @@ -567,7 +535,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | -| `bufferLimit` | _[Quantity](#quantity)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | #### ClientIPDetectionSettings @@ -603,6 +571,7 @@ _Appears in:_ | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | #### ClientTimeout @@ -627,8 +596,7 @@ _Appears in:_ ClientTrafficPolicy allows the user to configure the behavior of the connection between the downstream client and Envoy Proxy listener. -_Appears in:_ -- [ClientTrafficPolicyList](#clienttrafficpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -639,22 +607,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | -#### ClientTrafficPolicyList - - - -ClientTrafficPolicyList contains a list of ClientTrafficPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`ClientTrafficPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[ClientTrafficPolicy](#clienttrafficpolicy) array_ | true | | - - #### ClientTrafficPolicySpec @@ -700,6 +652,39 @@ _Appears in:_ | `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | +#### ClusterSettings + + + +ClusterSettings provides the various knobs that can be set to control how traffic to a given +backend will be configured. + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | + + #### Compression @@ -739,7 +724,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
Default: unlimited. | +| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | | `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | @@ -812,6 +797,52 @@ _Appears in:_ | `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) +- [HTTPDirectResponseFilter](#httpdirectresponsefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + #### CustomTag @@ -845,6 +876,8 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| + + #### EnvironmentCustomTag @@ -866,8 +899,7 @@ _Appears in:_ EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. -_Appears in:_ -- [EnvoyExtensionPolicyList](#envoyextensionpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -878,22 +910,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | -#### EnvoyExtensionPolicyList - - - -EnvoyExtensionPolicyList contains a list of EnvoyExtensionPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyExtensionPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyExtensionPolicy](#envoyextensionpolicy) array_ | true | | - - #### EnvoyExtensionPolicySpec @@ -930,11 +946,13 @@ _Appears in:_ | `envoy.filters.http.basic_auth` | EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
| | `envoy.filters.http.oauth2` | EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
| | `envoy.filters.http.jwt_authn` | EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
| +| `envoy.filters.http.stateful_session` | EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
| | `envoy.filters.http.ext_proc` | EnvoyFilterExtProc defines the Envoy HTTP external process filter.
| | `envoy.filters.http.wasm` | EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
| | `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| | `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
| | `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
| +| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
| | `envoy.filters.http.router` | EnvoyFilterRouter defines the Envoy HTTP router filter.
| @@ -1004,7 +1022,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | -| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | true | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane. | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | #### EnvoyGatewayFileResourceProvider @@ -1018,7 +1036,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive sub directories are not currently supported. | +| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | #### EnvoyGatewayHostInfrastructureProvider @@ -1176,9 +1194,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes". | +| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | | `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | -| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and a infrastructure
provider. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | #### EnvoyGatewayResourceProvider @@ -1257,8 +1275,7 @@ _Appears in:_ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS resources by Envoy Gateway using this patch API -_Appears in:_ -- [EnvoyPatchPolicyList](#envoypatchpolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -1269,22 +1286,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. | -#### EnvoyPatchPolicyList - - - -EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`EnvoyPatchPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[EnvoyPatchPolicy](#envoypatchpolicy) array_ | true | | - - #### EnvoyPatchPolicySpec @@ -1388,8 +1389,9 @@ _Appears in:_ | `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | | `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | | `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | -| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | | `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | #### EnvoyProxyStatus @@ -1436,6 +1438,7 @@ _Appears in:_ | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | #### ExtProc @@ -1449,7 +1452,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRefs` | _[BackendRef](#backendref) array_ | true | BackendRefs defines the configuration of the external processing service | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | | `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | | `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | @@ -1548,7 +1553,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | -| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Currently, only IPv4 Addresses are supported. | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | | `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | @@ -1663,6 +1668,20 @@ _Appears in:_ | `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | +#### GRPCActiveHealthChecker + + + +GRPCActiveHealthChecker defines the settings of the GRPC health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | + + #### GRPCExtAuthService @@ -1676,8 +1695,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | #### Gateway @@ -1769,20 +1789,6 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | -#### HTTP2Settings - - - -HTTP2Settings provides HTTP/2 configuration on the listener. - -_Appears in:_ -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `initialStreamWindowSize` | _[Quantity](#quantity)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | -| `initialConnectionWindowSize` | _[Quantity](#quantity)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | -| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | #### HTTP3Settings @@ -1828,6 +1834,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +#### HTTPDirectResponseFilter + + + +HTTPDirectResponseFilter defines the configuration to return a fixed response. + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | +| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | + + #### HTTPExtAuthService @@ -1839,12 +1861,104 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | true | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now.

Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent.
Only Service kind is supported for now. | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | | `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | +#### HTTPHostnameModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | +| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | + + +#### HTTPHostnameModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of Hostname rewrite. + +_Appears in:_ +- [HTTPHostnameModifier](#httphostnamemodifier) + +| Value | Description | +| ----- | ----------- | +| `Header` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in header.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `Backend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| + + +#### HTTPPathModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | + + +#### HTTPPathModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of path redirect or rewrite. + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Value | Description | +| ----- | ----------- | +| `ReplaceRegexMatch` | RegexHTTPPathModifier This type of modifier indicates that the portions of the path that match the specified
regex would be substituted with the specified substitution value
https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/regex.proto#type-matcher-v3-regexmatchandsubstitute
| + + +#### HTTPRouteFilter + + + +HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended +traffic processing options such as path regex rewrite, direct response and more. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilter` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | + + +#### HTTPRouteFilterSpec + + + +HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. + +_Appears in:_ +- [HTTPRouteFilter](#httproutefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | + + #### HTTPStatus _Underlying type:_ _integer_ @@ -1870,6 +1984,22 @@ _Appears in:_ | --- | --- | --- | --- | | `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | | `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | + + +#### HTTPURLRewriteFilter + + + +HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | #### HTTPWasmCodeSource @@ -1884,7 +2014,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `url` | _string_ | true | URL is the URL containing the Wasm code. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` | +| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | #### Header @@ -1937,23 +2067,10 @@ _Appears in:_ | `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | | `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | | `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | - - -#### HealthCheck +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | -HealthCheck configuration to decide which endpoints -are healthy and can be used for routing. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | -| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | - #### HealthCheckSettings @@ -1982,10 +2099,26 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `address` | _string_ | true | Address defines the IP address of the backend endpoint. | +| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | | `port` | _integer_ | true | Port defines the port of the backend endpoint. | +#### IPFamily + +_Underlying type:_ _string_ + +IPFamily defines the IP family to use for the Envoy proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Value | Description | +| ----- | ----------- | +| `IPv4` | IPv4 defines the IPv4 family.
| +| `IPv6` | IPv6 defines the IPv6 family.
| +| `DualStack` | DualStack defines the dual-stack family.
When set to DualStack, Envoy proxy will listen on both IPv4 and IPv6 addresses
for incoming client traffic, enabling support for both IP protocol versions.
| + + #### ImagePullPolicy _Underlying type:_ _string_ @@ -2013,7 +2146,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `url` | _string_ | true | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | -| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]{64}$` | +| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | | `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | @@ -2031,6 +2164,21 @@ _Appears in:_ | `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| +#### InvalidMessageAction + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [HTTP2Settings](#http2settings) + +| Value | Description | +| ----- | ----------- | +| `TerminateConnection` | | +| `TerminateStream` | | + + #### JSONPatchOperation @@ -2040,11 +2188,13 @@ https://datatracker.ietf.org/doc/html/rfc6902 _Appears in:_ - [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) +- [ProxyBootstrap](#proxybootstrap) | Field | Type | Required | Description | | --- | --- | --- | --- | | `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | -| `path` | _string_ | true | Path is the location of the target document/field where the operation will be performed
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | | `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | | `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | @@ -2075,6 +2225,37 @@ _Appears in:_ | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +#### JWTClaim + + + +JWTClaim specifies a claim in a JWT token. + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | + + +#### JWTClaimValueType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTClaim](#jwtclaim) + +| Value | Description | +| ----- | ----------- | +| `String` | | +| `StringArray` | | + + #### JWTExtractor @@ -2105,7 +2286,25 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `name` | _string_ | true | Name is the HTTP header name to retrieve the token | -| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "{ValuePrefix}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | +| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | + + +#### JWTPrincipal + + + +JWTPrincipal specifies the client identity of a request based on the JWT claims and scopes. +At least one of the claims or scopes must be specified. +Claims and scopes are And-ed together if both are specified. + +_Appears in:_ +- [Principal](#principal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | #### JWTProvider @@ -2128,6 +2327,17 @@ _Appears in:_ | `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + #### KubernetesContainerSpec @@ -2151,7 +2361,7 @@ _Appears in:_ -KubernetesDaemonsetSpec defines the desired state of the Kubernetes daemonset resource. +KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset resource. _Appears in:_ - [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) @@ -2222,7 +2432,9 @@ _Appears in:_ -KubernetesPatchSpec defines how to perform the patch operation +KubernetesPatchSpec defines how to perform the patch operation. +Note that `value` can be an in-line YAML document, as can be seen in e.g. (the example of patching the Envoy proxy Deployment)[https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy]. +Note also that, currently, strings containing literal JSON are _rejected_. _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) @@ -2284,6 +2496,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. | | `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | | `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | | `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | @@ -2352,20 +2565,6 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | -#### LoadBalancer - - - -LoadBalancer defines the load balancer policy to be applied. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | -| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | -| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2485,6 +2684,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | | `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | | `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | @@ -2501,9 +2703,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the access log will be sent.
Only Service kind is supported for now. | | `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | @@ -2623,17 +2827,14 @@ _Appears in:_ -Principal specifies the client identity of a request. -A client identity can be a client IP, a JWT claim, username from the Authorization header, -or any other identity that can be extracted from a custom header. -Currently, only the client IP is supported. +If there are multiple principal types, all principals must match for the rule to match. _Appears in:_ - [AuthorizationRule](#authorizationrule) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | #### ProcessingModeOptions @@ -2663,7 +2864,7 @@ _Appears in:_ | Value | Description | | ----- | ----------- | | `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| -| `File` | ProviderTypeFile defines the "File" provider. This type is not implemented
until https://github.com/envoyproxy/gateway/issues/1001 is fixed.
| +| `Custom` | ProviderTypeCustom defines the "Custom" provider.
| #### ProxyAccessLog @@ -2727,6 +2928,7 @@ _Appears in:_ | `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | | `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | | `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | #### ProxyAccessLogSink @@ -2762,6 +2964,21 @@ _Appears in:_ | `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + #### ProxyBootstrap @@ -2773,8 +2990,9 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace or Merge.
If unspecified, it defaults to Replace. | -| `value` | _string_ | true | Value is a YAML string of the bootstrap. | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | #### ProxyLogComponent @@ -2844,8 +3062,9 @@ _Appears in:_ | `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | | `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | | `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | -| `enableVirtualHostStats` | _boolean_ | true | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | -| `enablePerEndpointStats` | _boolean_ | true | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | #### ProxyOpenTelemetrySink @@ -2859,9 +3078,11 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the metric will be sent.
Only Service kind is supported for now. | #### ProxyPrometheusProvider @@ -2879,19 +3100,6 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | -#### ProxyProtocol - - - -ProxyProtocol defines the configuration related to the proxy protocol -when communicating with the backend. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3208,6 +3416,21 @@ _Appears in:_ | `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | +#### ReplaceRegexMatch + + + + + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | + + #### RequestHeaderCustomTag @@ -3237,20 +3460,36 @@ _Appears in:_ | `File` | ResourceProviderTypeFile defines the "File" provider.
| -#### Retry +#### ResponseOverride -Retry defines the retry strategy to be applied. +ResponseOverride defines the configuration to override specific responses with a custom one. _Appears in:_ - [BackendTrafficPolicySpec](#backendtrafficpolicyspec) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | -| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | -| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + +| Value | Description | +| ----- | ----------- | +| `Inline` | ResponseValueTypeInline defines the "Inline" response body type.
| +| `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| + + #### RetryOn @@ -3290,8 +3529,7 @@ _Appears in:_ SecurityPolicy allows the user to configure various security settings for a Gateway. -_Appears in:_ -- [SecurityPolicyList](#securitypolicylist) + | Field | Type | Required | Description | | --- | --- | --- | --- | @@ -3302,22 +3540,6 @@ _Appears in:_ | `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | -#### SecurityPolicyList - - - -SecurityPolicyList contains a list of SecurityPolicy resources. - - - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` -| `kind` | _string_ | |`SecurityPolicyList` -| `metadata` | _[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#listmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | -| `items` | _[SecurityPolicy](#securitypolicy) array_ | true | | - - #### SecurityPolicySpec @@ -3373,6 +3595,35 @@ _Appears in:_ | `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +#### Session + + + +Session defines settings related to TLS session management. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | + + +#### SessionResumption + + + +SessionResumption defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [Session](#session) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | + + #### ShutdownConfig @@ -3384,8 +3635,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 600 seconds. | -| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 5 seconds. | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | #### ShutdownManager @@ -3433,6 +3684,83 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| +#### StatefulTLSSessionResumption + + + +StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized +between instances, possibly leading to resumption failures. +Envoy does not re-validate client certificates upon session resumption. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatelessTLSSessionResumption + + + +StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not +synchronized between instances, possibly leading to resumption failures. +In-memory session ticket encryption keys are rotated every 48 hours. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys +https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatusCodeMatch + + + +StatusCodeMatch defines the configuration for matching a status code. + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Value | Description | +| ----- | ----------- | +| `Value` | StatusCodeValueTypeValue defines the "Value" status code match type.
| +| `Range` | StatusCodeValueTypeRange defines the "Range" status code match type.
| + + #### StringMatch @@ -3497,21 +3825,6 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | -#### TCPKeepalive - - - -TCPKeepalive define the TCP Keepalive configuration. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) -- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | -| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | -| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3588,19 +3901,6 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | -#### Timeout - - - -Timeout defines configuration for timeouts related to connections. - -_Appears in:_ -- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | -| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider @@ -3614,10 +3914,12 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | | `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | | `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | | `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | -| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the trace will be sent.
Only Service kind is supported for now. | | `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | @@ -3635,6 +3937,7 @@ _Appears in:_ | `OpenTelemetry` | | | `OpenTelemetry` | | | `Zipkin` | | +| `Datadog` | | #### TriggerEnum diff --git a/site/content/en/docs/boilerplates/rollout-envoy-gateway.md b/site/content/en/docs/boilerplates/rollout-envoy-gateway.md new file mode 100644 index 00000000000..9072526868c --- /dev/null +++ b/site/content/en/docs/boilerplates/rollout-envoy-gateway.md @@ -0,0 +1,10 @@ +--- +--- + +> After updating the `ConfigMap`, you will need to wait the configuration kicks in.
+> You can **force** the configuration to be reloaded by restarting the `envoy-gateway` deployment.
+>
+> ```shell
+> kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
+> ```
+>
\ No newline at end of file
diff --git a/site/content/en/docs/install/gateway-addons-helm-api.md b/site/content/en/docs/install/gateway-addons-helm-api.md
index 448aa91e504..dce51039fa2 100644
--- a/site/content/en/docs/install/gateway-addons-helm-api.md
+++ b/site/content/en/docs/install/gateway-addons-helm-api.md
@@ -24,16 +24,20 @@ An Add-ons Helm chart for Envoy Gateway | Repository | Name | Version | |------------|------|---------| | https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | | https://grafana.github.io/helm-charts | grafana | 8.0.0 | | https://grafana.github.io/helm-charts | loki | 4.8.0 | | https://grafana.github.io/helm-charts | tempo | 1.3.1 | -| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.73.1 | +| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.108.0 | | https://prometheus-community.github.io/helm-charts | prometheus | 25.21.0 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = \"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from 
\"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = [\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n 
stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | | fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | @@ -63,6 +67,7 @@ An Add-ons Helm chart for Envoy Gateway | grafana.enabled | bool | `true` | | | grafana.fullnameOverride | string | `"grafana"` | | | grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | | loki.backend.replicas | int | `0` | | | loki.deploymentMode | string | `"SingleBinary"` | | | loki.enabled | bool | `true` | | 
@@ -81,29 +86,40 @@ An Add-ons Helm chart for Envoy Gateway | loki.singleBinary.replicas | int | `1` | | | loki.test.enabled | bool | `false` | | | loki.write.replicas | int | `0` | | -| opentelemetry-collector.config.exporters.logging.verbosity | string | `"detailed"` | | +| opentelemetry-collector.config.exporters.debug.verbosity | string | `"detailed"` | | | opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | | opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | | opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | -| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"0.0.0.0:19001"` | | -| opentelemetry-collector.config.extensions.health_check | object | `{}` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | | opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | | opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | | opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"${env:MY_POD_IP}:4317"` | | -| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"${env:MY_POD_IP}:4318"` | | -| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"${env:MY_POD_IP}:9411"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| 
opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | | opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | | opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | | opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | | opentelemetry-collector.config.service.pipelines.logs.receivers[0] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.metrics.exporters[0] | string | `"prometheus"` | | -| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[1] | string | `"otlp"` | | | opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"otlp"` | | -| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"otlp"` | | -| 
opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | | opentelemetry-collector.enabled | bool | `false` | | | opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | +| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | | opentelemetry-collector.mode | string | `"deployment"` | | | prometheus.alertmanager.enabled | bool | `false` | | | prometheus.enabled | bool | `true` | | diff --git a/site/content/en/docs/install/gateway-helm-api.md b/site/content/en/docs/install/gateway-helm-api.md index 9f2046a537f..bb817b992dc 100644 --- a/site/content/en/docs/install/gateway-helm-api.md +++ b/site/content/en/docs/install/gateway-helm-api.md 
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"annotations":{},"resources":{},"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | | config.envoyGateway.logging.level.default | string | `"info"` | | | config.envoyGateway.provider.type | string | `"Kubernetes"` | | 
@@ -32,14 +32,21 @@ The Helm chart for Envoy Gateway | deployment.envoyGateway.image.tag | string | `""` | | | deployment.envoyGateway.imagePullPolicy | string | `""` | | | deployment.envoyGateway.imagePullSecrets | list | `[]` | | -| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | | | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | deployment.pod.affinity | object | `{}` | | | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | | deployment.pod.labels | object | `{}` | | +| deployment.pod.nodeSelector | object | `{}` | | | deployment.pod.tolerations | list | `[]` | | | deployment.pod.topologySpreadConstraints | list | `[]` | | | deployment.ports[0].name | string | `"grpc"` | | @@ -54,6 +61,7 @@ The Helm chart for Envoy Gateway | deployment.ports[3].name | string | `"metrics"` | | | deployment.ports[3].port | int | `19001` | | | deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | | deployment.replicas | int | `1` | | | global.images.envoyGateway.image | string | `nil` | | | global.images.envoyGateway.pullPolicy | string | `nil` | | 
@@ -63,4 +71,5 @@ The Helm chart for Envoy Gateway | global.images.ratelimit.pullSecrets | list | `[]` | | | kubernetesClusterDomain | string | `"cluster.local"` | | | podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | diff --git a/site/content/en/docs/install/migrating-to-envoy.md b/site/content/en/docs/install/migrating-to-envoy.md new file mode 100644 index 00000000000..470c759ab7e --- /dev/null +++ b/site/content/en/docs/install/migrating-to-envoy.md 
@@ -0,0 +1,143 @@
+---
+title: Migrating from Ingress Resources
+---
+
+## Introduction
+
+Migrating from Ingress to Envoy Gateway involves converting existing Ingress resources into resources compatible with Envoy Gateway. The `ingress2gateway` tool simplifies this migration by transforming Ingress resources into Gateway API resources that Envoy Gateway can use. This guide will walk you through the prerequisites, installation of the `ingress2gateway` tool, and provide an example migration process.
+
+## Prerequisites
+
+Before you start the migration, ensure you have the following:
+
+1. **Envoy Gateway Installed**: You need Envoy Gateway set up in your Kubernetes cluster. Follow the [Envoy Gateway installation guide](../install) for details.
+2. **Kubernetes Cluster Access**: Ensure you have access to your Kubernetes cluster and necessary permissions to manage resources.
+3. **Installation of `ingress2gateway` Tool**: You need to install the `ingress2gateway` tool in your Kubernetes cluster and configure it accordingly. Follow the [ingress2gateway tool installation guide](https://github.com/kubernetes-sigs/ingress2gateway/blob/main/README.md#installation) for details.
+
+## Example Migration
+
+Here’s a step-by-step example of migrating from Ingress to Envoy Gateway using `ingress2gateway`:
+
+### 1. Install and Configure Envoy Gateway
+
+Ensure that Envoy Gateway is installed and running in your cluster. Follow the [official Envoy Gateway installation guide](../install) for setup instructions.
+
+### 2. Create a GatewayClass
+
+To ensure the generated HTTPRoutes are programmed correctly in the Envoy Gateway data plane, create a GatewayClass that links to the Envoy Gateway controller.
+
+Create a `GatewayClass` resource:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+ name: envoy-gateway-class
+spec:
+ controllerName: gateway.envoyproxy.io/controller
+```
+
+Apply this resource:
+
+```sh
+kubectl apply -f gatewayclass.yaml
+```
+
+### 3. Install Ingress2gateway
+
+Ensure you have the Ingress2gateway package installed. If not, follow the package’s installation instructions.
+
+### 4. Run Ingress2gateway
+
+Use Ingress2gateway to read your existing Ingress resources and translate them into Gateway API resources.
+
+```sh
+./ingress2gateway print
+```
+
+This command will:
+1. Read your Kube config file to extract the cluster credentials and the current active namespace.
+2. Search for Ingress and provider-specific resources in that namespace.
+3. Convert them to Gateway API resources (Gateways and HTTPRoutes).
+
+#### Example Ingress Configuration
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: example-ingress
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ rules:
+ - host: example.com
+ http:
+ paths:
+ - path: /foo
+ pathType: Prefix
+ backend:
+ service:
+ name: foo-service
+ port:
+ number: 80
+```
+
+### 5. Save the Output
+
+The command will output the equivalent Gateway API resources in YAML/JSON format to stdout. Save this output to a file for further use.
+
+```sh
+./ingress2gateway print > gateway-resources.yaml
+```
+
+### 6. Apply the Translated Resources
+
+Apply the translated Gateway API resources to your cluster.
+
+```sh
+kubectl apply -f gateway-resources.yaml
+```
+
+### 7. Create a Gateway Resource
+
+Create a `Gateway` resource specifying the `GatewayClass` created earlier and including the necessary listeners.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: example-gateway
+ namespace: default
+spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ hostname: example.com
+```
+
+Apply this resource:
+
+```sh
+kubectl apply -f gateway.yaml
+```
+
+### 8. Validate the Migration
+
+Ensure the HTTPRoutes and Gateways are correctly set up and that traffic is being routed as expected. Validate the new configuration by checking the status of the Gateway and HTTPRoute resources.
+
+```sh
+kubectl get gateways
+kubectl get httproutes
+```
+
+### 9. Monitor and Troubleshoot
+
+Monitor the Envoy Gateway logs and metrics to ensure everything is functioning correctly. Troubleshoot any issues by reviewing the Gateway and HTTPRoute statuses and Envoy Gateway controller logs.
+
+## Summary
+
+By following this guide, users can effectively migrate their existing Ingress resources to Envoy Gateway using the Ingress2gateway package. Creating a GatewayClass and linking it to the Envoy Gateway controller ensures that the translated resources are properly programmed in the data plane, providing a seamless transition to the Envoy Gateway environment.
\ No newline at end of file
diff --git a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md
index 3c4c0a4d068..54e69f41d0f 100644
--- a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md
+++ b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md
@@ -22,8 +22,7 @@ not exposed by Envoy Gateway APIs today.
 ### Prerequisites
-* Follow the steps from the [Quickstart](../../quickstart) task to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 ### Enable EnvoyPatchPolicy
@@ -81,11 +80,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Testing 
@@ -275,6 +270,85 @@ Handling connection for 8888 could not find what you are looking for ``` +### Customize VirtualHost by name + +* Use EnvoyProxy's `include_attempt_count_in_response` feature to include the attempt count as header in the downstream response. +* Apply the configuration + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <// + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +EOF +``` + +{{% /tab %}} +{{% tab header="Apply from file" %}} +Save and apply the following resource to your cluster: + +```yaml +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: include-attempts + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + # The RouteConfiguration name is of the form // + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +``` + +{{% /tab %}} +{{< /tabpane >}} + +* Test it out by looking at the response headers + +``` +$ curl -v --header "Host: www.example.com" http://localhost:8888/ +... +< x-envoy-attempt-count: 1 +... +``` + ## Debugging ### Runtime 
diff --git a/site/content/en/docs/tasks/extensibility/ext-proc.md b/site/content/en/docs/tasks/extensibility/ext-proc.md
index 31ad551c63b..910332f4740 100644
--- a/site/content/en/docs/tasks/extensibility/ext-proc.md
+++ b/site/content/en/docs/tasks/extensibility/ext-proc.md
@@ -12,14 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute]
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
-
-Verify the Gateway status:
-
-```shell
-kubectl get gateway/eg -o yaml
-```
+{{< boilerplate prerequisites >}}
 ## GRPC External Processing Service
diff --git a/site/content/en/docs/tasks/extensibility/extension-server.md b/site/content/en/docs/tasks/extensibility/extension-server.md
index 323ce5642ea..6d16013d410 100644
--- a/site/content/en/docs/tasks/extensibility/extension-server.md
+++ b/site/content/en/docs/tasks/extensibility/extension-server.md
@@ -38,8 +38,7 @@ Authentication.
 ### Prerequisites
-* Follow the steps from the [Quickstart](../quickstart) task to install Envoy Gateway and the example manifest.
- Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 ### Build and run the example Extension Server
diff --git a/site/content/en/docs/tasks/extensibility/wasm.md b/site/content/en/docs/tasks/extensibility/wasm.md
index 1b1d32f9ecb..baad6a5804f 100644
--- a/site/content/en/docs/tasks/extensibility/wasm.md
+++ b/site/content/en/docs/tasks/extensibility/wasm.md
@@ -12,14 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. - -Verify the Gateway status: - -```shell -kubectl get gateway/eg -o yaml -``` +{{< boilerplate prerequisites >}} ## Configuration @@ -45,9 +38,9 @@ metadata: name: wasm-test spec: targetRefs: - - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - name: wasm-filter rootID: my_root_id @@ -71,17 +64,17 @@ metadata: name: wasm-test spec: targetRefs: - - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend wasm: - - name: wasm-filter - rootID: my_root_id - code: - type: HTTP - http: - url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm - sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 + - name: wasm-filter + rootID: my_root_id + code: + type: HTTP + http: + url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/observability/gateway-api-metrics.md b/site/content/en/docs/tasks/observability/gateway-api-metrics.md index bd9e5b89317..bf799616aff 100644 --- a/site/content/en/docs/tasks/observability/gateway-api-metrics.md +++ b/site/content/en/docs/tasks/observability/gateway-api-metrics.md 
@@ -7,8 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster:
diff --git a/site/content/en/docs/tasks/observability/gateway-observability.md b/site/content/en/docs/tasks/observability/gateway-observability.md
index 6e0040b4f5d..f23eb9097cf 100644
--- a/site/content/en/docs/tasks/observability/gateway-observability.md
+++ b/site/content/en/docs/tasks/observability/gateway-observability.md
@@ -86,11 +86,7 @@ data:
 {{% /tab %}}
 {{< /tabpane >}}
-After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in:
-
-```shell
-kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
-```
+{{< boilerplate rollout-envoy-gateway >}}
 ### Enable Open Telemetry sink in Envoy Gateway
@@ -157,11 +153,7 @@ data:
 {{% /tab %}}
 {{< /tabpane >}}
-After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in:
-
-```shell
-kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
-```
+{{< boilerplate rollout-envoy-gateway >}}
 Verify OTel-Collector metrics:
diff --git a/site/content/en/docs/tasks/observability/proxy-accesslog.md b/site/content/en/docs/tasks/observability/proxy-accesslog.md
index fb0200f1739..17d444b8636 100644
--- a/site/content/en/docs/tasks/observability/proxy-accesslog.md
+++ b/site/content/en/docs/tasks/observability/proxy-accesslog.md
@@ -249,3 +249,62 @@ Envoy Gateway provides additional metadata about the K8s resources that were tra For example, details about the `HTTPRoute` and `GRPCRoute` (kind, group, name, namespace and annotations) are available for access log formatter using the `METADATA` operator. To enrich logs, users can add log operator such as: `%METADATA(ROUTE:envoy-gateway:resources)%` to their access log format. + +## Access Log Types + +By default, Access Log settings would apply to: +- All Routes +- If traffic is not matched by any Route known to Envoy, the Listener would emit the access log instead + +Users may wish to customize this behavior: +- Emit Access Logs by all Listeners for all traffic with specific settings +- Do not emit Route-oriented access logs when a route is not matched. + +To achieve this, users can select if Access Log settings follow the default behavior or apply specifically to +Routes or Listeners by specifying the setting's type. + +**Note**: When users define their own Access Log settings (with or without a type), the default Envoy Gateway +file access log is no longer configured. It can be re-enabled explicitly by adding empty settings for the desired components. + +In the following example: +- Route Access logs would use the default Envoy Gateway format and sink +- Listener Access logs are customized to report transport-level failures and connection attributes + +```shell +kubectl apply -f - <}} diff --git a/site/content/en/docs/tasks/observability/rate-limit-observability.md b/site/content/en/docs/tasks/observability/rate-limit-observability.md index a0e523d6c8a..ec1244f731e 100644 --- a/site/content/en/docs/tasks/observability/rate-limit-observability.md +++ b/site/content/en/docs/tasks/observability/rate-limit-observability.md 
@@ -91,8 +91,4 @@ data:
 {{% /tab %}}
 {{< /tabpane >}}
-After updating the ConfigMap, you will need to restart the envoy-gateway deployment so the configuration kicks in:
-
-```shell
-kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
-```
+{{< boilerplate rollout-envoy-gateway >}}
diff --git a/site/content/en/docs/tasks/operations/egctl.md b/site/content/en/docs/tasks/operations/egctl.md
index ac1f13d7a61..36c1f9979e2 100644
--- a/site/content/en/docs/tasks/operations/egctl.md
+++ b/site/content/en/docs/tasks/operations/egctl.md
@@ -4,8 +4,6 @@ title: "Use egctl"
 `egctl` is a command line tool to provide additional functionality for Envoy Gateway users.
-
-
 ## egctl experimental translate
 This subcommand allows users to translate from an input configuration type to an output configuration type.
diff --git a/site/content/en/docs/tasks/security/backend-tls.md b/site/content/en/docs/tasks/security/backend-tls.md
index 3aadbc34714..7fca5ef8477 100644
--- a/site/content/en/docs/tasks/security/backend-tls.md
+++ b/site/content/en/docs/tasks/security/backend-tls.md
@@ -13,7 +13,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][].
 ## Installation
-Follow the steps from the [Quickstart][] to install Envoy Gateway and the example manifest.
+{{< boilerplate prerequisites >}}
 ## TLS Certificates
@@ -404,6 +404,5 @@ The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS
 }
 ```
-[Quickstart]: ../quickstart
 [BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
-[EnvoyProxy]: ../../api/extension_types#envoyproxy
\ No newline at end of file
+[EnvoyProxy]: ../../api/extension_types#envoyproxy
diff --git a/site/content/en/docs/tasks/security/basic-auth.md b/site/content/en/docs/tasks/security/basic-auth.md
index 9fc969affb7..cc0ec54ada1 100644
--- a/site/content/en/docs/tasks/security/basic-auth.md
+++ b/site/content/en/docs/tasks/security/basic-auth.md
@@ -12,8 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 ## Configuration
diff --git a/site/content/en/docs/tasks/security/cors.md b/site/content/en/docs/tasks/security/cors.md
index fe711041449..90a972ce4ca 100644
--- a/site/content/en/docs/tasks/security/cors.md
+++ b/site/content/en/docs/tasks/security/cors.md
@@ -11,8 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 ## Configuration
diff --git a/site/content/en/docs/tasks/security/ext-auth.md b/site/content/en/docs/tasks/security/ext-auth.md
index 8b048016a29..1d1625d5780 100644
--- a/site/content/en/docs/tasks/security/ext-auth.md
+++ b/site/content/en/docs/tasks/security/ext-auth.md
@@ -13,14 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute]
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
-
-Verify the Gateway status:
-
-```shell
-kubectl get gateway/eg -o yaml
-```
+{{< boilerplate prerequisites >}}
 ## HTTP External Authorization Service
diff --git a/site/content/en/docs/tasks/security/jwt-authentication.md b/site/content/en/docs/tasks/security/jwt-authentication.md
index 14024e18c95..e4361b6354f 100644
--- a/site/content/en/docs/tasks/security/jwt-authentication.md
+++ b/site/content/en/docs/tasks/security/jwt-authentication.md
@@ -11,9 +11,9 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
 ## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
+{{< boilerplate prerequisites >}}
+
 For GRPC - follow the steps from the [GRPC Routing](../traffic/grpc-routing) example.
-Before proceeding, you should be able to query the example backend using HTTP or GRPC.
 ## Configuration
diff --git a/site/content/en/docs/tasks/security/jwt-claim-authorization.md b/site/content/en/docs/tasks/security/jwt-claim-authorization.md
new file mode 100644
index 00000000000..2e67ea7ffe9
--- /dev/null
+++ b/site/content/en/docs/tasks/security/jwt-claim-authorization.md
@@ -0,0 +1,226 @@ +--- +title: "JWT Claim-Based Authorization" +--- + +This task provides instructions for configuring JWT claim-based authorization. JWT claim-based authorization checks if an incoming request has the required JWT claims before routing the request to a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT claim-based authorization. + +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Create a SecurityPolicy + +Please note that the JWT claim-based authorization requires the JWT token to be present in the request. A JWT authentication must be configured in the same SecurityPolicy to validate the JWT token and extract the claims. + +The below SecurityPolicy configuration allows requests with a valid JWT token that has the following claims: +- `user.name` claim with the value `John Doe` +- `user.roles` claim with the value `admin` +- `scope` claim with the values `read`, `add`, and `modify` + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/authorization-jwt-claim -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Define a JWT token with the required claims. 
+ +```shell +export VALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb" +``` + +Decode the JWT token to verify that it has the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${VALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "John Doe", + "email": "john.doe@example.com", + "roles": [ + "admin", + "editor" + ] + }, + "premium_user": true, + "iat": 1516239022, + "scope": "read add delete modify" +} +``` + +Send a request to the backend service with the valid JWT token: + +```shell +curl -H "Host: www.example.com" -H "Authorization: Bearer ${VALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be allowed and you should see the response from the backend service. + +Define a JWT token without the required claims. 
+ +```shell +export INVALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf" +``` + +Decode the JWT token to verify that it does not have the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${INVALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "Alice Smith", + "email": "alice.smith@example.com", + "roles": [ + "developer" + ] + }, + "premium_user": false, + "iat": 1516239022, + "scope": "read add delete" +} +``` + +Send a request to the backend service with the invalid JWT token: + +```shell +curl -v -H "Host: www.example.com" -H "Authorization: Bearer ${INVALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be denied and you should see a `403 Forbidden` response. + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
+ +Delete the SecurityPolicy and the ClientTrafficPolicy + +```shell +kubectl delete securitypolicy/authorization-jwt-claim +``` + +## Next Steps + +Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. + +[SecurityPolicy]: ../../../contributions/design/security-policy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute diff --git a/site/content/en/docs/tasks/security/mutual-tls.md b/site/content/en/docs/tasks/security/mutual-tls.md index 8a28d0d3603..4ac9f96430a 100644 --- a/site/content/en/docs/tasks/security/mutual-tls.md +++ b/site/content/en/docs/tasks/security/mutual-tls.md @@ -11,8 +11,7 @@ This task uses a self-signed CA, so it should be used for testing and demonstrat ## Installation -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## TLS Certificates diff --git a/site/content/en/docs/tasks/security/oidc.md b/site/content/en/docs/tasks/security/oidc.md index 5110cc9745d..45adc554a90 100644 --- a/site/content/en/docs/tasks/security/oidc.md +++ b/site/content/en/docs/tasks/security/oidc.md @@ -13,8 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} EG OIDC authentication requires the redirect URL to be HTTPS. Follow the [Secure Gateways](../secure-gateways) guide to generate the TLS certificates and update the Gateway configuration to add an HTTPS listener. 
@@ -98,7 +97,7 @@ providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA, Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. Please make sure the redirect URL is set to the one you configured in the SecurityPolicy that you will create in the step below. In this example, -the redirect URL is `http://www.example.com:8443/myapp/oauth2/callback`. +the redirect URL is `https://www.example.com:8443/myapp/oauth2/callback`. After registering the application, you should have the following information: * Client ID: The client ID of the OIDC application. 
@@ -222,12 +221,78 @@ If you haven't registered an OIDC application, follow the steps in the previous If you haven't created a kubernetes secret, follow the steps in the previous section to create a kubernetes secret. +### Create an HTTPRoute with a different subdomain + +Let's create another HTTPRoute in the same Gateway, but with a different subdomain. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/foo -o yaml +``` + ### Create a SecurityPolicy Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has -two HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, and the other with the host -`www.example.com` and the path `/`. Either one of the HTTPRoutes can be used to match the `redirectURL` and `logoutPath`. +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +can be used to match the `redirectURL` and `logoutPath`. + +By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -251,6 +316,7 @@ spec: name: "my-app-client-secret" redirectURL: "https://www.example.com:8443/myapp/oauth2/callback" logoutPath: "/myapp/logout" + cookieDomain: "example.com" EOF ``` 
@@ -277,6 +343,7 @@ spec: name: "my-app-client-secret" redirectURL: "https://www.example.com:8443/myapp/oauth2/callback" logoutPath: "/myapp/logout" + cookieDomain: "example.com" ``` {{% /tab %}} 
@@ -288,16 +355,40 @@ Verify the SecurityPolicy configuration: kubectl get securitypolicy/oidc-example -o yaml ``` +### Update the Listener TLS certificate to support multiple subdomains + +Create a multi-domain wildcard certificate for `*.example.com`. + +```shell +openssl req -out wildcard.csr -newkey rsa:2048 -nodes -keyout wildcard.key -subj "/CN=*.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in wildcard.csr -out wildcard.crt +``` + +Replace the TLS certificate of the Gateway with the wildcard certificate. + +```shell +kubectl delete secret example-cert +kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt +``` + ### Testing If you haven't done so, follow the steps in the previous section to port forward gateway port to localhost and put www.example.com in the /etc/hosts file in your test machine. -Open a browser and navigate to the `https://www.example.com:8443/foo` address. You should be redirected to the Google +Also, put foo.example.com in the /etc/hosts file in your test machine. + +```shell +... +127.0.0.1 foo.example.com +``` + +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google login page. After you successfully login, you should see the response from the backend service. -You can also try to access `https://www.example.com:8443/myapp` address. You should be able to see this page since the -path `/myapp` is protected by the same OIDC policy. +You can also try to access `https://foo.example.com:8443` and `https://www.example.com:8443/bar` addresses. You should +be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, +and the cookies are shared across subdomains. ## Clean-Up 
@@ -309,6 +400,7 @@ Delete the SecurityPolicy, the secret and the HTTPRoute: kubectl delete securitypolicy/oidc-example kubectl delete secret/my-app-client-secret kubectl delete httproute/myapp +kubectl delete httproute/foo ``` ## Next Steps diff --git a/site/content/en/docs/tasks/security/private-key-provider.md b/site/content/en/docs/tasks/security/private-key-provider.md index 79f992aa599..24544f67973 100644 --- a/site/content/en/docs/tasks/security/private-key-provider.md +++ b/site/content/en/docs/tasks/security/private-key-provider.md @@ -14,7 +14,9 @@ This task will walk you through the steps required to configure TLS Termination ## Prerequisites -### For QAT +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} - Install Linux kernel 5.17 or similar - Ensure the node has QAT devices by checking the QAT physical function devices presented. [Supported Devices](https://intel.github.io/quickassist/qatlib/requirements.html#qat2-0-qatlib-supported-devices) @@ -88,7 +90,9 @@ This task will walk you through the steps required to configure TLS Termination kubectl get node -o yaml| grep qat.intel.com ``` -### For CryptoMB: +{{% /tab %}} + +{{% tab header="CryptoMB" %}} It required the node with 3rd generation Intel Xeon Scalable processor server processors, or later. - For kubernetes Cluster, if not all nodes that support Intel® AVX-512 in Kubernetes cluster, you need to add some labels to divide these two kinds of nodes manually or using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery). @@ -110,6 +114,10 @@ It required the node with 3rd generation Intel Xeon Scalable processor server pr cat /proc/cpuinfo |grep avx512f|grep avx512dq|grep avx512bw|grep avx512_vbmi2|grep avx512ifma ``` +{{% /tab %}} + +{{< /tabpane >}} + ## Installation * Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway. 
@@ -161,11 +169,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - - ```shell - kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system - ``` +{{< boilerplate rollout-envoy-gateway >}} ## Create gateway for TLS termination @@ -214,10 +218,14 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Change EnvoyProxy configuration for QAT +## Change EnvoyProxy configuration Using the envoyproxy image with contrib extensions and add qat resources requesting, ensure the k8s scheduler find out a machine with required resource. +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -285,7 +293,9 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Change EnvoyProxy configuration for CryptoMB +{{% /tab %}} + +{{% tab header="CryptoMB" %}} Using the envoyproxy image with contrib extensions and add the node affinity to scheduling the Envoy Gateway pod on the machine with required CPU instructions. @@ -386,9 +396,11 @@ spec: Or using `preferredDuringSchedulingIgnoredDuringExecution` for best effort scheduling, or not doing any node affinity, just doing the random scheduling. The CryptoMB private key provider supports software fallback if the required CPU instructions aren't here. -## Apply EnvoyPatchPolicy to enable private key provider +{{% /tab %}} + +{{< /tabpane >}} -### Benchmark before enabling private key provider +## Benchmark before enabling private key provider First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test. 
@@ -416,7 +428,11 @@ Benchmark the gateway with fortio. fortio load -c 10 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} ``` -### For QAT +## Apply EnvoyPatchPolicy to enable private key provider + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -501,7 +517,9 @@ spec: {{% /tab %}} {{< /tabpane >}} -### For CryptoMB +{{% /tab %}} + +{{% tab header="CryptoMB" %}} {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -586,7 +604,11 @@ spec: {{% /tab %}} {{< /tabpane >}} -### Benchmark after enabling private key provider +{{% /tab %}} + +{{< /tabpane >}} + +## Benchmark after enabling private key provider First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test again. @@ -596,6 +618,8 @@ Benchmark the gateway with fortio. fortio load -c 64 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} ``` +## Benchmark Result + You will see a performance boost after private key provider enabled. For example, you will get results as below. Without private key provider: @@ -604,14 +628,26 @@ Without private key provider: All done 43069 calls (plus 10 warmup) 6.966 ms avg, 1435.4 qps ``` -With CryptoMB private key provider, the QPS is over 2 times than without private key provider. +{{< tabpane text=true >}} -```shell -All done 93983 calls (plus 128 warmup) 40.880 ms avg, 3130.5 qps -``` +{{% tab header="QAT (Intel QuickAssist Technology)" %}} With QAT private key provider, the QPS is over 3 times than without private key provider ```shell All done 134746 calls (plus 128 warmup) 28.505 ms avg, 4489.6 qps ``` + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +With CryptoMB private key provider, the QPS is over 2 times than without private key provider. + +```shell +All done 93983 calls (plus 128 warmup) 40.880 ms avg, 3130.5 qps +``` + +{{% /tab %}} + +{{< /tabpane >}} 
diff --git a/site/content/en/docs/tasks/security/restrict-ip-access.md b/site/content/en/docs/tasks/security/restrict-ip-access.md index 9eded4e7197..ab8965d7966 100644 --- a/site/content/en/docs/tasks/security/restrict-ip-access.md +++ b/site/content/en/docs/tasks/security/restrict-ip-access.md @@ -10,8 +10,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Configuration @@ -34,9 +33,9 @@ metadata: name: authorization-client-ip spec: targetRefs: - - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: @@ -59,16 +58,16 @@ metadata: name: authorization-client-ip spec: targetRefs: - - group: gateway.networking.k8s.io - kind: HTTPRoute - name: backend + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: backend authorization: defaultAction: Deny rules: - - action: Allow - principal: - clientCIDRs: - - 10.0.1.0/24 + - action: Allow + principal: + clientCIDRs: + - 10.0.1.0/24 ``` {{% /tab %}} diff --git a/site/content/en/docs/tasks/security/secure-gateways.md b/site/content/en/docs/tasks/security/secure-gateways.md index af5e922412d..2c8d5043812 100644 --- a/site/content/en/docs/tasks/security/secure-gateways.md +++ b/site/content/en/docs/tasks/security/secure-gateways.md @@ -11,8 +11,7 @@ This task uses a self-signed CA, so it should be used for testing and demonstrat ## Installation -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## TLS Certificates 
@@ -513,8 +512,88 @@ Since the multiple certificates are configured on the same Gateway listener, Env {{% /tab %}} {{< /tabpane >}} +## Customize Gateway TLS Parameters + +In addition to enablement of TLS with Gateway-API, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [ClientTrafficPolicy][] resource can be used to specify TLS parameters. +We will customize the minimum supported TLS version in this example to TLSv1.3. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +## Testing TLS Parameters + +Attempt to connecting using an unsupported TLS version: + +```shell +curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \ +--cacert sample.com.crt --tlsv1.2 --tls-max 1.2 https://www.sample.com:8443/get -I + +[...] + +* ALPN: curl offers h2,http/1.1 +* (304) (OUT), TLS handshake, Client hello (1): +* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version +* Closing connection +curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version +``` + +The output shows that the connection fails due to an unsupported TLS protocol version used by the client. Now, connect +to the Gateway without specifying a client version, and note that the connection is established with TLSv1.3. + +```shell +curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \ +--cacert sample.com.crt https://www.sample.com:8443/get -I + +[...] + +* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF +``` + ## Next Steps Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. [ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ +[ClientTrafficPolicy]: ../../api/extension_types#clienttrafficpolicy \ No newline at end of file 
diff --git a/site/content/en/docs/tasks/security/tls-cert-manager.md b/site/content/en/docs/tasks/security/tls-cert-manager.md index d2b217d0545..61ebb5c0162 100644 --- a/site/content/en/docs/tasks/security/tls-cert-manager.md +++ b/site/content/en/docs/tasks/security/tls-cert-manager.md @@ -18,8 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t ## Installation -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Deploying cert-manager diff --git a/site/content/en/docs/tasks/security/tls-passthrough.md b/site/content/en/docs/tasks/security/tls-passthrough.md index 4f9665d6763..47e3793355d 100644 --- a/site/content/en/docs/tasks/security/tls-passthrough.md +++ b/site/content/en/docs/tasks/security/tls-passthrough.md @@ -12,8 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap ## Installation -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## TLS Certificates diff --git a/site/content/en/docs/tasks/security/tls-termination.md b/site/content/en/docs/tasks/security/tls-termination.md index e4534dd57e1..1100b04699f 100644 --- a/site/content/en/docs/tasks/security/tls-termination.md +++ b/site/content/en/docs/tasks/security/tls-termination.md @@ -11,9 +11,10 @@ This task uses a self-signed CA, so it should be used for testing and demonstrat ## Installation -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway. +{{< boilerplate prerequisites >}} ## TLS Certificates + Generate the certificates and keys used by the Gateway to terminate client TLS connections. Create a root certificate and private key to sign certificates: 
diff --git a/site/content/en/docs/tasks/traffic/backend.md b/site/content/en/docs/tasks/traffic/backend.md
index 02de7161fe2..55d125a27ad 100644
--- a/site/content/en/docs/tasks/traffic/backend.md
+++ b/site/content/en/docs/tasks/traffic/backend.md
@@ -7,26 +7,28 @@ Envoy Gateway supports routing to native K8s resources such as `Service` and `Se ## Motivation The Backend API was added to support several use cases: - Allowing users to integrate Envoy with services (Ext Auth, Rate Limit, ALS, ...) using Unix Domain Sockets, which are currently not supported by K8s. -- Simplify [routing to cluster-external backends][], which currently requires users to maintain both K8s `Service` and `EndpointSlice` resources. +- Simplify [routing to cluster-external backends][], which currently requires users to maintain both K8s `Service` and `EndpointSlice` resources. ## Warning -Similar to the K8s EndpointSlice API, the Backend API can be misused to allow traffic to be sent to otherwise restricted destinations, as described in [CVE-2021-25740][]. +Similar to the K8s EndpointSlice API, the Backend API can be misused to allow traffic to be sent to otherwise restricted destinations, as described in [CVE-2021-25740][]. A Backend resource can be used to: - Expose a Service or Pod that should not be accessible - Reference a Service or Pod by a Route without appropriate Reference Grants - Expose the Envoy Proxy localhost (including the Envoy admin endpoint) -For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC. +For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC. 
## Restrictions The Backend API is currently supported only in the following BackendReferences: - [HTTPRoute]: IP and FQDN endpoints +- [TLSRoute]: IP and FQDN endpoints - [Envoy Extension Policy] (ExtProc): IP, FQDN and unix domain socket endpoints +- [Security Policy]: IP and FQDN endpoints for the OIDC providers The Backend API supports attachment the following policies: -- [Backend TLS Policy][] +- [Backend TLS Policy][] Certain restrictions apply on the value of hostnames and addresses. For example, the loopback IP address range and the localhost hostname are forbidden. @@ -36,8 +38,7 @@ Envoy Gateway does not manage the lifecycle of unix domain sockets referenced by ### Prerequisites -* Follow the steps from the [Quickstart](../../quickstart) task to install Envoy Gateway and the example manifest. - Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ### Enable Backend @@ -95,11 +96,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Testing 
@@ -205,7 +202,9 @@ curl -I -HHost:www.example.com http://${GATEWAY_HOST}/headers [CVE-2021-25740]: https://nvd.nist.gov/vuln/detail/CVE-2021-25740 [upstream recommendations]: https://github.com/kubernetes/kubernetes/issues/103675 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute [Envoy Extension Policy]: ../../../api/extension_types#envoyextensionpolicy +[Security Policy]: ../../../api/extension_types#oidcprovider [Backend TLS Policy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [EnvoyProxy]: ../../../api/extension_types#envoyproxy [EnvoyGateway]: ../../../api/extension_types#envoygateway diff --git a/site/content/en/docs/tasks/traffic/circuit-breaker.md b/site/content/en/docs/tasks/traffic/circuit-breaker.md index 267bb05cce0..6a359c5e0dc 100644 --- a/site/content/en/docs/tasks/traffic/circuit-breaker.md +++ b/site/content/en/docs/tasks/traffic/circuit-breaker.md @@ -20,9 +20,10 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ### Install Envoy Gateway -* Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources. +{{< boilerplate prerequisites >}} ### Install the hey load testing tool + * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. ## Test and customize circuit breaker settings diff --git a/site/content/en/docs/tasks/traffic/client-traffic-policy.md b/site/content/en/docs/tasks/traffic/client-traffic-policy.md index 42ee63ac43f..2099ea13685 100644 --- a/site/content/en/docs/tasks/traffic/client-traffic-policy.md +++ b/site/content/en/docs/tasks/traffic/client-traffic-policy.md 
@@ -4,7 +4,6 @@ title: "Client Traffic Policy" This task explains the usage of the [ClientTrafficPolicy][] API. - ## Introduction The [ClientTrafficPolicy][] API allows system administrators to configure @@ -18,8 +17,7 @@ This API was added as a new policy attachment resource that can be applied to Ga ### Prerequisites -* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ### Support TCP keepalive for downstream client @@ -34,7 +32,7 @@ metadata: name: enable-tcp-keepalive-policy namespace: default spec: - targetRefs: + targetRef: - group: gateway.networking.k8s.io kind: Gateway name: eg @@ -351,7 +349,7 @@ metadata: name: http-client-ip-detection namespace: default spec: - targetRefs: + targetRef: - group: gateway.networking.k8s.io kind: Gateway name: eg diff --git a/site/content/en/docs/tasks/traffic/connection-limit.md b/site/content/en/docs/tasks/traffic/connection-limit.md index e754d1dba81..9c0e9bbc1fc 100644 --- a/site/content/en/docs/tasks/traffic/connection-limit.md +++ b/site/content/en/docs/tasks/traffic/connection-limit.md @@ -25,10 +25,10 @@ When a [Client Traffic Policy][] is attached to a gateway, the connection limit ### Install Envoy Gateway -* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. - Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ### Install the hey load testing tool + * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. ## Test and customize connection limit settings diff --git a/site/content/en/docs/tasks/traffic/direct-response.md b/site/content/en/docs/tasks/traffic/direct-response.md new file mode 100644 index 00000000000..4b9aaa5551e 
--- /dev/null
+++ b/site/content/en/docs/tasks/traffic/direct-response.md
@@ -0,0 +1,284 @@ +--- +title: "Direct Response" +--- + +Direct responses are valuable in cases where you want the gateway itself +to handle certain requests without forwarding them to backend services. +This task shows you how to configure them. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Direct Response + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 04 Mar 2024 02:34:21 GMT +content-length: 480 +``` + +Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /inline HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 503 Service Unavailable +< content-type: text/plain +< content-length: 32 +< date: Sat, 02 Nov 2024 00:35:48 GMT +< +* Connection #0 to host 127.0.0.1 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/value-ref +``` + +```console +* Trying 127.0.0.1:80... 
+* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /value-ref HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Sat, 02 Nov 2024 00:35:55 GMT +< +* Connection #0 to host 127.0.0.1 left intact +{"error": "Internal Server Error"} +``` diff --git a/site/content/en/docs/tasks/traffic/fault-injection.md b/site/content/en/docs/tasks/traffic/fault-injection.md index 4e0bd62223e..82068c4cf55 100644 --- a/site/content/en/docs/tasks/traffic/fault-injection.md +++ b/site/content/en/docs/tasks/traffic/fault-injection.md @@ -13,11 +13,12 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +{{< boilerplate prerequisites >}} + For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example. -Before proceeding, you should be able to query the example backend using HTTP or GRPC. ### Install the hey load testing tool + * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. ## Configuration diff --git a/site/content/en/docs/tasks/traffic/gateway-address.md b/site/content/en/docs/tasks/traffic/gateway-address.md index bd87726c139..f49d7f99e01 100644 --- a/site/content/en/docs/tasks/traffic/gateway-address.md +++ b/site/content/en/docs/tasks/traffic/gateway-address.md @@ -10,7 +10,7 @@ Depending on the Service Type, the addresses of gateway can be used as: ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +{{< boilerplate prerequisites >}} ## External IPs diff --git a/site/content/en/docs/tasks/traffic/global-rate-limit.md b/site/content/en/docs/tasks/traffic/global-rate-limit.md index da00334b296..47eac33bc3e 100644 
--- a/site/content/en/docs/tasks/traffic/global-rate-limit.md +++ b/site/content/en/docs/tasks/traffic/global-rate-limit.md @@ -27,8 +27,7 @@ has its own 100r/s rate limit bucket. ### Install Envoy Gateway -* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ### Install Redis @@ -215,11 +214,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} ## Rate Limit Specific User @@ -438,11 +433,11 @@ server: envoy ``` -## Rate Limit Distinct Users +## Rate Limit Distinct Users Except Admin Here is an example of a rate limit implemented by the application developer to limit distinct users who can be differentiated based on the value in the `x-user-id` header. Here, user `one` (recognised from the traffic flow using the header `x-user-id` and value `one`) will be rate limited at 3 requests/hour -and so will user `two` (recognised from the traffic flow using the header `x-user-id` and value `two`). +and so will user `two` (recognised from the traffic flow using the header `x-user-id` and value `two`). But if `x-user-id` is `admin`, it will not be rate limited even beyond 3 requests/hour. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -466,6 +461,9 @@ spec: - headers: - type: Distinct name: x-user-id + - name: x-user-id + value: admin + invert: true limit: requests: 3 unit: Hour 
@@ -641,6 +639,47 @@ transfer-encoding: chunked ``` +But when the value for header `x-user-id` is set to `admin` and 4 requests are sent, all 4 of them should respond with 200 OK. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: admin" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + ## Rate Limit All Requests This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. @@ -1288,11 +1327,7 @@ data: {{% /tab %}} {{< /tabpane >}} -* After updating the `ConfigMap`, you will need to restart the `envoy-gateway` deployment so the configuration kicks in - -```shell -kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system -``` +{{< boilerplate rollout-envoy-gateway >}} [Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting [Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting 
diff --git a/site/content/en/docs/tasks/traffic/grpc-routing.md b/site/content/en/docs/tasks/traffic/grpc-routing.md index 7c41b54c885..15f10601bc2 100644 --- a/site/content/en/docs/tasks/traffic/grpc-routing.md +++ b/site/content/en/docs/tasks/traffic/grpc-routing.md @@ -7,8 +7,7 @@ To learn more about gRPC routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Installation diff --git a/site/content/en/docs/tasks/traffic/http-redirect.md b/site/content/en/docs/tasks/traffic/http-redirect.md index b3177e89263..49ccd59ee77 100644 --- a/site/content/en/docs/tasks/traffic/http-redirect.md +++ b/site/content/en/docs/tasks/traffic/http-redirect.md @@ -9,8 +9,7 @@ learn more about HTTP routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTPS. +{{< boilerplate prerequisites >}} ## Redirects diff --git a/site/content/en/docs/tasks/traffic/http-request-headers.md b/site/content/en/docs/tasks/traffic/http-request-headers.md index 7bc709c49c6..5b73bfaf8d3 100644 --- a/site/content/en/docs/tasks/traffic/http-request-headers.md +++ b/site/content/en/docs/tasks/traffic/http-request-headers.md @@ -14,8 +14,7 @@ client. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Adding Request Headers 
@@ -443,7 +442,179 @@ spec: {{% /tab %}} {{< /tabpane >}} +## Early Header Modification + +In some cases, it could be necessary to modify headers before the proxy performs any sort of processing, routing or tracing. Envoy Gateway supports this functionality using the [ClientTrafficPolicy][] API. + +A ClientTrafficPolicy resource can be attached to a Gateway resource to configure early header modifications for all its routes. In the following example we will demonstrate how early header modification can be configured. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the following headers: +- `early-added-header` contains early (ClientTrafficPolicy) and late (RouteFilter) values +- `early-set-header` contains only early (ClientTrafficPolicy) and late (RouteFilter) values, since the early modification overwritten the client value. +- `early-removed-header` contains only the late (RouteFilter) value, since the early modification deleted the client value. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "early-added-header: client" --header "early-set-header: client" --header "early-removed-header: client" +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "Early-Added-Header": [ + "client", + "early", + "late" + ], + "Early-Set-Header": [ + "early", + "late" + ], + "Early-removed-Header": [ + "late" + ] +... 
+``` + [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [HTTPRoute filters]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilter [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ [req_filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter +[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy diff --git a/site/content/en/docs/tasks/traffic/http-request-mirroring.md b/site/content/en/docs/tasks/traffic/http-request-mirroring.md index f22ef51da36..5c1c8065652 100644 --- a/site/content/en/docs/tasks/traffic/http-request-mirroring.md +++ b/site/content/en/docs/tasks/traffic/http-request-mirroring.md @@ -6,10 +6,9 @@ The [HTTPRoute][] resource allows one or more [backendRefs][] to be provided. Re When requests are made to a `HTTPRoute` that uses a `HTTPRequestMirrorFilter`, the response will never come from the `backendRef` defined in the filter. Responses from the mirror `backendRef` are always ignored. -## Installation +## Prerequisites -Follow the steps from the [Quickstart][] to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Mirroring the Traffic @@ -440,7 +439,6 @@ spec: Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule ``` -[Quickstart]: ../../quickstart/ [Traffic Splitting]: ../http-traffic-splitting/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef diff --git a/site/content/en/docs/tasks/traffic/http-response-headers.md b/site/content/en/docs/tasks/traffic/http-response-headers.md index 60121674b00..b1588e87a89 100644 
--- a/site/content/en/docs/tasks/traffic/http-response-headers.md +++ b/site/content/en/docs/tasks/traffic/http-response-headers.md @@ -12,8 +12,7 @@ upstream service. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Adding Response Headers diff --git a/site/content/en/docs/tasks/traffic/http-routing.md b/site/content/en/docs/tasks/traffic/http-routing.md index f9fcfaffdde..bb9eba88157 100644 --- a/site/content/en/docs/tasks/traffic/http-routing.md +++ b/site/content/en/docs/tasks/traffic/http-routing.md @@ -9,8 +9,7 @@ Services. To learn more about HTTP routing, refer to the [Gateway API documentat ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Installation diff --git a/site/content/en/docs/tasks/traffic/http-timeouts.md b/site/content/en/docs/tasks/traffic/http-timeouts.md index 1eb9beabb24..4fb264204ed 100644 --- a/site/content/en/docs/tasks/traffic/http-timeouts.md +++ b/site/content/en/docs/tasks/traffic/http-timeouts.md @@ -12,10 +12,9 @@ The [HTTPRouteTimeouts][] supports two kinds of timeouts: __Note:__ The Request duration must be >= BackendRequest duration -## Installation +## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Verification diff --git a/site/content/en/docs/tasks/traffic/http-traffic-splitting.md b/site/content/en/docs/tasks/traffic/http-traffic-splitting.md index 06e4a236589..2f3dbdf6e9c 100644 --- a/site/content/en/docs/tasks/traffic/http-traffic-splitting.md 
+++ b/site/content/en/docs/tasks/traffic/http-traffic-splitting.md @@ -6,10 +6,9 @@ The [HTTPRoute][] resource allows one or more [backendRefs][] to be provided. Re if they match the rules of the HTTPRoute. If an invalid backendRef is configured, then HTTP responses will be returned with status code `500` for all requests that would have been sent to that backend. -## Installation +## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Single backendRef diff --git a/site/content/en/docs/tasks/traffic/http-urlrewrite.md b/site/content/en/docs/tasks/traffic/http-urlrewrite.md index 0ebb7595c22..3515bd9caa4 100644 --- a/site/content/en/docs/tasks/traffic/http-urlrewrite.md +++ b/site/content/en/docs/tasks/traffic/http-urlrewrite.md @@ -7,8 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Rewrite URL Prefix Path 
@@ -276,6 +275,160 @@ $ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get You can see that the `X-Envoy-Original-Path` is `/get/origin/path/extra`, but the actual path is `/force/replace/fullpath`. +## Rewrite URL Path with Regex + +In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API. +The `HTTPRouteFilter` API can be configured to use [RE2][]-compatible regex matchers and substitutions to rewrite a portion of the url. +In the example below, requests sent to `http://${GATEWAY_HOST}/service/xxx/yyy` (where `xxx` is a single path portion and `yyy` is one or more path portions) +are rewritten to `http://${GATEWAY_HOST}/yyy/instance/xxx`. The entire path is matched and rewritten using capture groups. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-filter-url-regex-rewrite -o yaml +``` + +Querying `http://${GATEWAY_HOST}/service/foo/v1/api` should rewrite the request to +`http://${GATEWAY_HOST}/service/foo/v1/api`. + +```console +$ curl -L -vvv --header "Host: path.regex.rewrite.example" "http://${GATEWAY_HOST}/service/foo/v1/api" +... 
+> GET /service/foo/v1/api HTTP/1.1 +> Host: path.regex.rewrite.example +> User-Agent: curl/8.7.1 +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Mon, 16 Sep 2024 18:49:48 GMT +< content-length: 482 +< +{ + "path": "/v1/api/instance/foo", + "host": "path.regex.rewrite.example", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.7.1" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "10.244.0.37" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "24a5958f-1bfa-4694-a9c1-807d5139a18a" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-765694d47f-lzmpm" +... +``` + +You can see that the path is rewritten from `/service/foo/v1/api`, to `/v1/api/instance/foo`. + ## Rewrite Host Name You can configure to rewrite the hostname like below. In this example, any requests sent to 
@@ -402,4 +555,145 @@ $ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get You can see that the `X-Forwarded-Host` is `path.rewrite.example`, but the actual host is `envoygateway.io`. +## Rewrite URL Host Name by Header or Backend + +In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API. +The `HTTPRouteFilter` API can be configured to rewrite the Host header value to: +- The value of a different request header +- The DNS name of the backend that the request is routed to + +In the following example, the host header is rewritten to the value of the x-custom-host header. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-filter-header-host-rewrite -o yaml +``` + +Querying `http://${GATEWAY_HOST}/header` and providing a custom host rewrite header x-custom-host should rewrite the +request host header to the value of the x-custom-host header. + +```console +$ curl -L -vvv --header "Host: host.header.rewrite.example" --header "x-custom-host: foo" "http://${GATEWAY_HOST}/header" +... +> GET /header HTTP/1.1 +> Host: host.header.rewrite.example +> User-Agent: curl/8.7.1 +> Accept: */* +> x-custom-host: foo +> +* Request completely sent off +< HTTP/1.1 200 OK +< +{ + "path": "/header", + "host": "foo", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "X-Custom-Host": [ + "foo" + ], + "X-Forwarded-Host": [ + "host.header.rewrite.example" + ], + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-765694d47f-5t6f2" +... +``` + +You can see that the host is rewritten from `host.header.rewrite.example`, to the value of the provided +`x-custom-host` header `foo`. The original host header is preserved in the `X-Forwarded-Host` header. 
+ + [HTTPURLRewriteFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPURLRewriteFilter +[HTTPRouteFilter]: ../../../api/extension_types#httproutefilter +[RE2]: https://github.com/google/re2/wiki/Syntax \ No newline at end of file diff --git a/site/content/en/docs/tasks/traffic/http3.md b/site/content/en/docs/tasks/traffic/http3.md index 1a65339c56c..a0fb1594295 100644 --- a/site/content/en/docs/tasks/traffic/http3.md +++ b/site/content/en/docs/tasks/traffic/http3.md @@ -11,8 +11,7 @@ This task uses a self-signed CA, so it should be used for testing and demonstrat ## Installation -Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## TLS Certificates diff --git a/site/content/en/docs/tasks/traffic/load-balancing.md b/site/content/en/docs/tasks/traffic/load-balancing.md index 89f6ee94b87..3c9a78450b5 100644 --- a/site/content/en/docs/tasks/traffic/load-balancing.md +++ b/site/content/en/docs/tasks/traffic/load-balancing.md @@ -17,8 +17,9 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +### Install Envoy Gateway + +{{< boilerplate prerequisites >}} For better testing the load balancer, you can add more hosts in upstream cluster by increasing the replicas of one deployment: diff --git a/site/content/en/docs/tasks/traffic/local-rate-limit.md b/site/content/en/docs/tasks/traffic/local-rate-limit.md index 15ec9d2f2b5..05caf07258c 100644 --- a/site/content/en/docs/tasks/traffic/local-rate-limit.md +++ b/site/content/en/docs/tasks/traffic/local-rate-limit.md 
@@ -26,10 +26,7 @@ has its own 100r/s rate limit bucket.
 
 ## Prerequisites
 
-### Install Envoy Gateway
-
-* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
-Before proceeding, you should be able to query the example backend using HTTP.
+{{< boilerplate prerequisites >}}
 
 ## Rate Limit Specific User
 
@@ -248,6 +245,227 @@ server: envoy ``` +## Rate Limit Specific User Unless within Test Org + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. But the user must not be limited if logging in within Test org, determined by custom header `x-org-id` set to `test`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-ratelimit -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `org1`. We should receive a `200` response from the example Gateway for the first 3 requests and the last request should be rate limited. 
+
+```shell
+for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: org1" http://${GATEWAY_HOST}/get ; sleep 1; done
+```
+
+```console
+HTTP/1.1 200 OK
+content-type: application/json
+x-content-type-options: nosniff
+date: Wed, 08 Feb 2023 02:33:31 GMT
+content-length: 460
+x-envoy-upstream-service-time: 4
+server: envoy
+
+HTTP/1.1 200 OK
+content-type: application/json
+x-content-type-options: nosniff
+date: Wed, 08 Feb 2023 02:33:32 GMT
+content-length: 460
+x-envoy-upstream-service-time: 2
+server: envoy
+
+HTTP/1.1 200 OK
+content-type: application/json
+x-content-type-options: nosniff
+date: Wed, 08 Feb 2023 02:33:33 GMT
+content-length: 460
+x-envoy-upstream-service-time: 0
+server: envoy
+
+HTTP/1.1 429 Too Many Requests
+x-envoy-ratelimited: true
+date: Wed, 08 Feb 2023 02:33:34 GMT
+server: envoy
+transfer-encoding: chunked
+
+```
+
+Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `test`. We should receive a `200` response from the example Gateway for all the 4 requests, unlike previous example where the last request was rate limited.
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: test" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + ## Rate Limit All Requests This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. diff --git a/site/content/en/docs/tasks/traffic/retry.md b/site/content/en/docs/tasks/traffic/retry.md index a0e1eff5767..75d151bdff6 100644 --- a/site/content/en/docs/tasks/traffic/retry.md +++ b/site/content/en/docs/tasks/traffic/retry.md @@ -15,7 +15,7 @@ Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/ex ## Prerequisites -Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources. +{{< boilerplate prerequisites >}} ## Test and customize retry settings diff --git a/site/content/en/docs/tasks/traffic/tcp-routing.md b/site/content/en/docs/tasks/traffic/tcp-routing.md index d36f145e266..0befbd0140d 100644 --- a/site/content/en/docs/tasks/traffic/tcp-routing.md +++ b/site/content/en/docs/tasks/traffic/tcp-routing.md 
@@ -6,10 +6,9 @@ title: "TCP Routing" connections on the port specified by the listener to a set of backends specified by the TCPRoute. To learn more about HTTP routing, refer to the [Gateway API documentation][]. -## Installation +## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Configuration diff --git a/site/content/en/docs/tasks/traffic/udp-routing.md b/site/content/en/docs/tasks/traffic/udp-routing.md index b9d8e379282..546b77f9159 100644 --- a/site/content/en/docs/tasks/traffic/udp-routing.md +++ b/site/content/en/docs/tasks/traffic/udp-routing.md @@ -12,8 +12,7 @@ For additional information, refer to Envoy's [UDP proxy documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. -Before proceeding, you should be able to query the example backend using HTTP. +{{< boilerplate prerequisites >}} ## Installation diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index de9eb3a0bff..1926da6d04d 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md @@ -1,10 +1,8 @@ --- -title: "v1.2.0" +title: "Envoy Gateway v1.2.0 Release Notes" publishdate: 2024-11-06 --- -# Envoy Gateway v1.2.0 Release Notes - **Release Date:** November 6, 2024 The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. diff --git a/site/content/en/v1.2/_index.md b/site/content/en/v1.2/_index.md new file mode 100644 index 00000000000..92ae8586885 --- /dev/null +++ b/site/content/en/v1.2/_index.md 
@@ -0,0 +1,15 @@
++++
+title = "Welcome to Envoy Gateway"
+linktitle = "Documentation"
+description = "Envoy Gateway Documents"
+
+[[cascade]]
+type = "docs"
++++
+
+Envoy Gateway is an open source project for managing [Envoy Proxy](https://www.envoyproxy.io/) as a standalone or Kubernetes-based application
+gateway. [Gateway API](https://gateway-api.sigs.k8s.io/) resources are used to dynamically provision and configure the managed Envoy Proxies.
+
+![architecture](/img/traffic.png)
+
+## Ready to get started?
diff --git a/site/content/en/v1.2/api/_index.md b/site/content/en/v1.2/api/_index.md
new file mode 100644
index 00000000000..396d9ffcefc
--- /dev/null
+++ b/site/content/en/v1.2/api/_index.md
@@ -0,0 +1,5 @@
+---
+title: "API"
+description: This section includes APIs of Envoy Gateway.
+weight: 80
+---
diff --git a/site/content/en/v1.2/api/extension_types.md b/site/content/en/v1.2/api/extension_types.md
new file mode 100644
index 00000000000..23f69fd832a
--- /dev/null
+++ b/site/content/en/v1.2/api/extension_types.md
@@ -0,0 +1,4167 @@ ++++ +title = "API Reference" ++++ + + +## Packages +- [gateway.envoyproxy.io/v1alpha1](#gatewayenvoyproxyiov1alpha1) + + +## gateway.envoyproxy.io/v1alpha1 + +Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io +API group. + + +### Resource Types +- [Backend](#backend) +- [BackendTrafficPolicy](#backendtrafficpolicy) +- [ClientTrafficPolicy](#clienttrafficpolicy) +- [EnvoyExtensionPolicy](#envoyextensionpolicy) +- [EnvoyGateway](#envoygateway) +- [EnvoyPatchPolicy](#envoypatchpolicy) +- [EnvoyProxy](#envoyproxy) +- [HTTPRouteFilter](#httproutefilter) +- [SecurityPolicy](#securitypolicy) + + + +#### ALPNProtocol + +_Underlying type:_ _string_ + +ALPNProtocol specifies the protocol to be negotiated using ALPN + +_Appears in:_ +- [BackendTLSConfig](#backendtlsconfig) +- [ClientTLSSettings](#clienttlssettings) +- [TLSSettings](#tlssettings) + +| Value | Description | +| ----- | ----------- | +| `http/1.0` | HTTPProtocolVersion1_0 specifies that HTTP/1.0 should be negotiable with ALPN
| +| `http/1.1` | HTTPProtocolVersion1_1 specifies that HTTP/1.1 should be negotiable with ALPN
| +| `h2` | HTTPProtocolVersion2 specifies that HTTP/2 should be negotiable with ALPN
| + + +#### ALSEnvoyProxyAccessLog + + + +ALSEnvoyProxyAccessLog defines the gRPC Access Log Service (ALS) sink. +The service must implement the Envoy gRPC Access Log Service streaming API: +https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto +Access log format information is passed in the form of gRPC metadata when the +stream is established. Specifically, the following metadata is passed: + + +- `x-accesslog-text` - The access log format string when a Text format is used. +- `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used. + +_Appears in:_ +- [ProxyAccessLogSink](#proxyaccesslogsink) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `logName` | _string_ | false | LogName defines the friendly name of the access log to be returned in
StreamAccessLogsMessage.Identifier. This allows the access log server
to differentiate between different access logs coming from the same Envoy. | +| `type` | _[ALSEnvoyProxyAccessLogType](#alsenvoyproxyaccesslogtype)_ | true | Type defines the type of accesslog. Supported types are "HTTP" and "TCP". | +| `http` | _[ALSEnvoyProxyHTTPAccessLogConfig](#alsenvoyproxyhttpaccesslogconfig)_ | false | HTTP defines additional configuration specific to HTTP access logs. | + + +#### ALSEnvoyProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) + +| Value | Description | +| ----- | ----------- | +| `HTTP` | ALSEnvoyProxyAccessLogTypeHTTP defines the HTTP access log type and will populate StreamAccessLogsMessage.http_logs.
| +| `TCP` | ALSEnvoyProxyAccessLogTypeTCP defines the TCP access log type and will populate StreamAccessLogsMessage.tcp_logs.
| + + +#### ALSEnvoyProxyHTTPAccessLogConfig + + + + + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `requestHeaders` | _string array_ | false | RequestHeaders defines request headers to include in log entries sent to the access log service. | +| `responseHeaders` | _string array_ | false | ResponseHeaders defines response headers to include in log entries sent to the access log service. | +| `responseTrailers` | _string array_ | false | ResponseTrailers defines response trailers to include in log entries sent to the access log service. | + + +#### ActiveHealthCheck + + + +ActiveHealthCheck defines the active health check configuration. +EG supports various types of active health checking including HTTP, TCP. + +_Appears in:_ +- [HealthCheck](#healthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout defines the time to wait for a health check response. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between active health checks. | +| `unhealthyThreshold` | _integer_ | false | UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy. | +| `healthyThreshold` | _integer_ | false | HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy. | +| `type` | _[ActiveHealthCheckerType](#activehealthcheckertype)_ | true | Type defines the type of health checker. | +| `http` | _[HTTPActiveHealthChecker](#httpactivehealthchecker)_ | false | HTTP defines the configuration of http health checker.
It's required while the health checker type is HTTP. | +| `tcp` | _[TCPActiveHealthChecker](#tcpactivehealthchecker)_ | false | TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP. | +| `grpc` | _[GRPCActiveHealthChecker](#grpcactivehealthchecker)_ | false | GRPC defines the configuration of the GRPC health checker.
It's optional, and can only be used if the specified type is GRPC. | + + +#### ActiveHealthCheckPayload + + + +ActiveHealthCheckPayload defines the encoding of the payload bytes in the payload. + +_Appears in:_ +- [HTTPActiveHealthChecker](#httpactivehealthchecker) +- [TCPActiveHealthChecker](#tcpactivehealthchecker) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ActiveHealthCheckPayloadType](#activehealthcheckpayloadtype)_ | true | Type defines the type of the payload. | +| `text` | _string_ | false | Text payload in plain text. | +| `binary` | _integer array_ | false | Binary payload base64 encoded. | + + +#### ActiveHealthCheckPayloadType + +_Underlying type:_ _string_ + +ActiveHealthCheckPayloadType is the type of the payload. + +_Appears in:_ +- [ActiveHealthCheckPayload](#activehealthcheckpayload) + +| Value | Description | +| ----- | ----------- | +| `Text` | ActiveHealthCheckPayloadTypeText defines the Text type payload.
| +| `Binary` | ActiveHealthCheckPayloadTypeBinary defines the Binary type payload.
| + + +#### ActiveHealthCheckerType + +_Underlying type:_ _string_ + +ActiveHealthCheckerType is the type of health checker. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Value | Description | +| ----- | ----------- | +| `HTTP` | ActiveHealthCheckerTypeHTTP defines the HTTP type of health checking.
| +| `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.
| +| `GRPC` | ActiveHealthCheckerTypeGRPC defines the GRPC type of health checking.
| + + +#### AppProtocolType + +_Underlying type:_ _string_ + +AppProtocolType defines various backend applications protocols supported by Envoy Gateway + +_Appears in:_ +- [BackendSpec](#backendspec) + +| Value | Description | +| ----- | ----------- | +| `gateway.envoyproxy.io/h2c` | AppProtocolTypeH2C defines the HTTP/2 application protocol.
| +| `gateway.envoyproxy.io/ws` | AppProtocolTypeWS defines the WebSocket over HTTP protocol.
| +| `gateway.envoyproxy.io/wss` | AppProtocolTypeWSS defines the WebSocket over HTTPS protocol.
| + + +#### Authorization + + + +Authorization defines the authorization configuration. + + +Note: if neither `Rules` nor `DefaultAction` is specified, the default action is to deny all requests. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `rules` | _[AuthorizationRule](#authorizationrule) array_ | false | Rules defines a list of authorization rules.
These rules are evaluated in order, the first matching rule will be applied,
and the rest will be skipped.

For example, if there are two rules: the first rule allows the request
and the second rule denies it, when a request matches both rules, it will be allowed. | +| `defaultAction` | _[AuthorizationAction](#authorizationaction)_ | false | DefaultAction defines the default action to be taken if no rules match.
If not specified, the default action is Deny. | + + +#### AuthorizationAction + +_Underlying type:_ _string_ + +AuthorizationAction defines the action to be taken if a rule matches. + +_Appears in:_ +- [Authorization](#authorization) +- [AuthorizationRule](#authorizationrule) + +| Value | Description | +| ----- | ----------- | +| `Allow` | AuthorizationActionAllow is the action to allow the request.
| +| `Deny` | AuthorizationActionDeny is the action to deny the request.
| + + +#### AuthorizationRule + + + +AuthorizationRule defines a single authorization rule. + +_Appears in:_ +- [Authorization](#authorization) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | false | Name is a user-friendly name for the rule.
If not specified, Envoy Gateway will generate a unique name for the rule. | +| `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. | +| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match. | + + +#### BackOffPolicy + + + + + +_Appears in:_ +- [PerRetryPolicy](#perretrypolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `baseInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | BaseInterval is the base interval between retries. | +| `maxInterval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
The default is 10 times the base_interval | + + +#### Backend + + + +Backend allows the user to configure the endpoints of a backend and +the behavior of the connection from Envoy Proxy to the backend. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`Backend` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendSpec](#backendspec)_ | true | Spec defines the desired state of Backend. | +| `status` | _[BackendStatus](#backendstatus)_ | true | Status defines the current status of Backend. | + + +#### BackendCluster + + + +BackendCluster contains all the configuration required for configuring access +to a backend. This can include multiple endpoints, and settings that apply for +managing the connection to all these endpoints. + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | + + + + + + + + +#### BackendEndpoint + + + +BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IP address or unix domain socket +corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address + +_Appears in:_ +- [BackendSpec](#backendspec) +- [ExtensionService](#extensionservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | + + +#### BackendRef + + + +BackendRef defines how an ObjectReference that is specific to BackendRef. + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `group` | _[Group](#group)_ | false | Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred. | +| `kind` | _[Kind](#kind)_ | false | Kind is the Kubernetes resource kind of the referent. For example
"Service".

Defaults to "Service" when not specified.

ExternalName services can refer to CNAME DNS records that may live
outside of the cluster and as such are difficult to reason about in
terms of conformance. They also may not be safe to forward to (see
CVE-2021-25740 for more information). Implementations SHOULD NOT
support ExternalName Services.

Support: Core (Services with a type other than ExternalName)

Support: Implementation-specific (Services with type ExternalName) | +| `name` | _[ObjectName](#objectname)_ | true | Name is the name of the referent. | +| `namespace` | _[Namespace](#namespace)_ | false | Namespace is the namespace of the backend. When unspecified, the local
namespace is inferred.

Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.

Support: Core | +| `port` | _[PortNumber](#portnumber)_ | false | Port specifies the destination port number to use for this resource.
Port is required when the referent is a Kubernetes Service. In this
case, the port number is the service port number, not the target port.
For other resources, destination port might be derived from the referent
resource or this field. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
Multiple fallback backends can be configured.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | + + +#### BackendSpec + + + +BackendSpec describes the desired state of BackendSpec. + +_Appears in:_ +- [Backend](#backend) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `endpoints` | _[BackendEndpoint](#backendendpoint) array_ | true | Endpoints defines the endpoints to be used when connecting to the backend. | +| `appProtocols` | _[AppProtocolType](#appprotocoltype) array_ | false | AppProtocols defines the application protocols to be supported when connecting to the backend. | +| `fallback` | _boolean_ | false | Fallback indicates whether the backend is designated as a fallback.
It is highly recommended to configure active or passive health checks to ensure that failover can be detected
when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
the health of the active backends falls below 72%. | + + +#### BackendStatus + + + +BackendStatus defines the state of Backend + +_Appears in:_ +- [Backend](#backend) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `conditions` | _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | false | Conditions describe the current conditions of the Backend. | + + +#### BackendTLSConfig + + + +BackendTLSConfig describes the BackendTLS configuration for Envoy Proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientCertificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | ClientCertificateRef defines the reference to a Kubernetes Secret that contains
the client certificate and private key for Envoy to use when connecting to
backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
This secret should be located within the same namespace as the Envoy proxy resource that references it. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | + + +#### BackendTrafficPolicy + + + +BackendTrafficPolicy allows the user to configure the behavior of the connection +between the Envoy Proxy listener and the backend service. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`BackendTrafficPolicy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[BackendTrafficPolicySpec](#backendtrafficpolicyspec)_ | true | spec defines the desired state of BackendTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | status defines the current status of BackendTrafficPolicy. | + + +#### BackendTrafficPolicySpec + + + +BackendTrafficPolicySpec defines the desired state of BackendTrafficPolicy. + +_Appears in:_ +- [BackendTrafficPolicy](#backendtrafficpolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | +| `rateLimit` | _[RateLimitSpec](#ratelimitspec)_ | false | RateLimit allows the user to limit the number of incoming requests
to a predefined value based on attributes within the traffic flow. | +| `faultInjection` | _[FaultInjection](#faultinjection)_ | false | FaultInjection defines the fault injection policy to be applied. This configuration can be used to
inject delays and abort requests to mimic failure scenarios such as service failures and overloads | +| `useClientProtocol` | _boolean_ | false | UseClientProtocol configures Envoy to prefer sending requests to backends using
the same HTTP protocol that the incoming request used. Defaults to false, which means
that Envoy will use the protocol indicated by the attached BackendRef. | +| `responseOverride` | _[ResponseOverride](#responseoverride) array_ | false | ResponseOverride defines the configuration to override specific responses with a custom one.
If multiple configurations are specified, the first one to match wins. | + + +#### BasicAuth + + + +BasicAuth defines the configuration for the HTTP Basic Authentication. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | + + +#### BootstrapType + +_Underlying type:_ _string_ + +BootstrapType defines the types of bootstrap supported by Envoy Gateway. + +_Appears in:_ +- [ProxyBootstrap](#proxybootstrap) + +| Value | Description | +| ----- | ----------- | +| `Merge` | Merge merges the provided bootstrap with the default one. The provided bootstrap can add or override a value
within a map, or add a new value to a list.
Please note that the provided bootstrap can't override a value within a list.
| +| `Replace` | Replace replaces the default bootstrap with the provided one.
| +| `JSONPatch` | JSONPatch applies the provided JSONPatches to the default bootstrap.
| + + +#### CIDR + +_Underlying type:_ _string_ + +CIDR defines a CIDR Address range. +A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". + +_Appears in:_ +- [Principal](#principal) + + + +#### CORS + + + +CORS defines the configuration for Cross-Origin Resource Sharing (CORS). + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `allowOrigins` | _[Origin](#origin) array_ | false | AllowOrigins defines the origins that are allowed to make requests.
It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
The value "*" allows any origin to make requests. | +| `allowMethods` | _string array_ | false | AllowMethods defines the methods that are allowed to make requests.
It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
The value "*" allows any method to be used. | +| `allowHeaders` | _string array_ | false | AllowHeaders defines the headers that are allowed to be sent with requests.
It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
The value "*" allows any header to be sent. | +| `exposeHeaders` | _string array_ | false | ExposeHeaders defines which response headers should be made accessible to
scripts running in the browser.
It specifies the headers in the Access-Control-Expose-Headers CORS response header..
The value "*" allows any header to be exposed. | +| `maxAge` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MaxAge defines how long the results of a preflight request can be cached.
It specifies the value in the Access-Control-Max-Age CORS response header.. | +| `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | + + + + +#### ClaimToHeader + + + +ClaimToHeader defines a configuration to convert JWT claims into HTTP headers + +_Appears in:_ +- [JWTProvider](#jwtprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. | +| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
(eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
to separate the JSON name path. | + + +#### ClientConnection + + + +ClientConnection allows users to configure connection-level settings of client + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `connectionLimit` | _[ConnectionLimit](#connectionlimit)_ | false | ConnectionLimit defines limits related to connections | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes. | + + +#### ClientIPDetectionSettings + + + +ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `xForwardedFor` | _[XForwardedForSettings](#xforwardedforsettings)_ | false | XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. | +| `customHeader` | _[CustomHeaderExtensionSettings](#customheaderextensionsettings)_ | false | CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details. | + + +#### ClientTLSSettings + + + + + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientValidation` | _[ClientValidationContext](#clientvalidationcontext)_ | false | ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener. | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | + + +#### ClientTimeout + + + + + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `tcp` | _[TCPClientTimeout](#tcpclienttimeout)_ | false | Timeout settings for TCP. | +| `http` | _[HTTPClientTimeout](#httpclienttimeout)_ | false | Timeout settings for HTTP. | + + +#### ClientTrafficPolicy + + + +ClientTrafficPolicy allows the user to configure the behavior of the connection +between the downstream client and Envoy Proxy listener. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`ClientTrafficPolicy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[ClientTrafficPolicySpec](#clienttrafficpolicyspec)_ | true | Spec defines the desired state of ClientTrafficPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of ClientTrafficPolicy. | + + +#### ClientTrafficPolicySpec + + + +ClientTrafficPolicySpec defines the desired state of ClientTrafficPolicy. + +_Appears in:_ +- [ClientTrafficPolicy](#clienttrafficpolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default. | +| `enableProxyProtocol` | _boolean_ | false | EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed. | +| `clientIPDetection` | _[ClientIPDetectionSettings](#clientipdetectionsettings)_ | false | ClientIPDetectionSettings provides configuration for determining the original client IP address for requests. | +| `tls` | _[ClientTLSSettings](#clienttlssettings)_ | false | TLS settings configure TLS termination settings with the downstream client. | +| `path` | _[PathSettings](#pathsettings)_ | false | Path enables managing how the incoming path set by clients can be normalized. | +| `headers` | _[HeaderSettings](#headersettings)_ | false | HeaderSettings provides configuration for header management. | +| `timeout` | _[ClientTimeout](#clienttimeout)_ | false | Timeout settings for the client connections. | +| `connection` | _[ClientConnection](#clientconnection)_ | false | Connection includes client connection settings. | +| `http1` | _[HTTP1Settings](#http1settings)_ | false | HTTP1 provides HTTP/1 configuration on the listener. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration on the listener. | +| `http3` | _[HTTP3Settings](#http3settings)_ | false | HTTP3 provides HTTP/3 configuration on the listener. | +| `healthCheck` | _[HealthCheckSettings](#healthchecksettings)_ | false | HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy. | + + +#### ClientValidationContext + + + +ClientValidationContext holds configuration that can be used to validate the client initiating the TLS connection +to the Gateway. +By default, no client specific configuration is validated. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `optional` | _boolean_ | false | Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate. | +| `caCertificateRefs` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.

A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.

References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached. | + + +#### ClusterSettings + + + +ClusterSettings provides the various knobs that can be set to control how traffic to a given +backend will be configured. + +_Appears in:_ +- [ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog) +- [BackendCluster](#backendcluster) +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ExtProc](#extproc) +- [GRPCExtAuthService](#grpcextauthservice) +- [HTTPExtAuthService](#httpextauthservice) +- [OIDCProvider](#oidcprovider) +- [OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog) +- [ProxyOpenTelemetrySink](#proxyopentelemetrysink) +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `loadBalancer` | _[LoadBalancer](#loadbalancer)_ | false | LoadBalancer policy to apply when routing traffic from the gateway to
the backend endpoints. Defaults to `LeastRequest`. | +| `retry` | _[Retry](#retry)_ | false | Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
If not set, retry will be disabled. | +| `proxyProtocol` | _[ProxyProtocol](#proxyprotocol)_ | false | ProxyProtocol enables the Proxy Protocol when communicating with the backend. | +| `tcpKeepalive` | _[TCPKeepalive](#tcpkeepalive)_ | false | TcpKeepalive settings associated with the upstream client connection.
Disabled by default. | +| `healthCheck` | _[HealthCheck](#healthcheck)_ | false | HealthCheck allows gateway to perform active health checking on backends. | +| `circuitBreaker` | _[CircuitBreaker](#circuitbreaker)_ | false | Circuit Breaker settings for the upstream connections and requests.
If not set, circuit breakers will be enabled with the default thresholds | +| `timeout` | _[Timeout](#timeout)_ | false | Timeout settings for the backend connections. | +| `connection` | _[BackendConnection](#backendconnection)_ | false | Connection includes backend connection settings. | +| `dns` | _[DNS](#dns)_ | false | DNS includes dns resolution settings. | +| `http2` | _[HTTP2Settings](#http2settings)_ | false | HTTP2 provides HTTP/2 configuration for backend connections. | + + +#### Compression + + + +Compression defines the config of enabling compression. +This can help reduce the bandwidth at the expense of higher CPU. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ProxyPrometheusProvider](#proxyprometheusprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[CompressorType](#compressortype)_ | true | CompressorType defines the compressor type to use for compression. | +| `gzip` | _[GzipCompressor](#gzipcompressor)_ | false | The configuration for GZIP compressor. | + + +#### CompressorType + +_Underlying type:_ _string_ + +CompressorType defines the types of compressor library supported by Envoy Gateway. + +_Appears in:_ +- [Compression](#compression) + + + +#### ConnectionLimit + + + + + +_Appears in:_ +- [ClientConnection](#clientconnection) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `value` | _integer_ | true | Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration. | +| `closeDelay` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none. | + + +#### ConsistentHash + + + +ConsistentHash defines the configuration related to the consistent hash +load balancer policy. + +_Appears in:_ +- [LoadBalancer](#loadbalancer) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ConsistentHashType](#consistenthashtype)_ | true | ConsistentHashType defines the type of input to hash on. Valid Type values are
"SourceIP",
"Header",
"Cookie". | +| `header` | _[Header](#header)_ | false | Header configures the header hash policy when the consistent hash type is set to Header. | +| `cookie` | _[Cookie](#cookie)_ | false | Cookie configures the cookie hash policy when the consistent hash type is set to Cookie. | +| `tableSize` | _integer_ | false | The table size for consistent hashing, must be prime number limited to 5000011. | + + +#### ConsistentHashType + +_Underlying type:_ _string_ + +ConsistentHashType defines the type of input to hash on. + +_Appears in:_ +- [ConsistentHash](#consistenthash) + +| Value | Description | +| ----- | ----------- | +| `SourceIP` | SourceIPConsistentHashType hashes based on the source IP address.
| +| `Header` | HeaderConsistentHashType hashes based on a request header.
| +| `Cookie` | CookieConsistentHashType hashes based on a cookie.
| + + +#### Cookie + + + +Cookie defines the cookie hashing configuration for consistent hash based +load balancing. + +_Appears in:_ +- [ConsistentHash](#consistenthash) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name of the cookie to hash.
If this cookie does not exist in the request, Envoy will generate a cookie and set
the TTL on the response back to the client based on Layer 4
attributes of the backend endpoint, to ensure that these future requests
go to the same backend endpoint. Make sure to set the TTL field for this case. | +| `ttl` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | TTL of the generated cookie if the cookie is not present. This value sets the
Max-Age attribute value. | +| `attributes` | _object (keys:string, values:string)_ | false | Additional Attributes to set for the generated cookie. | + + +#### CustomHeaderExtensionSettings + + + +CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on +a trusted custom HTTP header. This uses the the custom_header original IP detection extension. +Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto +for more details. + +_Appears in:_ +- [ClientIPDetectionSettings](#clientipdetectionsettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name of the header containing the original downstream remote address, if present. | +| `failClosed` | _boolean_ | false | FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined. | + + +#### CustomResponse + + + +CustomResponse defines the configuration for returning a custom response. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | true | Body of the Custom Response | + + +#### CustomResponseBody + + + +CustomResponseBody + +_Appears in:_ +- [CustomResponse](#customresponse) +- [HTTPDirectResponseFilter](#httpdirectresponsefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResponseValueType](#responsevaluetype)_ | true | Type is the type of method to use to read the body value.
Valid values are Inline and ValueRef, default is Inline. | +| `inline` | _string_ | false | Inline contains the value as an inline string. | +| `valueRef` | _[LocalObjectReference](#localobjectreference)_ | false | ValueRef contains the contents of the body
specified as a local object reference.
Only a reference to ConfigMap is supported.

The value of key `response.body` in the ConfigMap will be used as the response body.
If the key is not found, the first value in the ConfigMap will be used. | + + +#### CustomResponseMatch + + + +CustomResponseMatch defines the configuration for matching a user response to return a custom one. + +_Appears in:_ +- [ResponseOverride](#responseoverride) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `statusCodes` | _[StatusCodeMatch](#statuscodematch) array_ | true | Status code to match on. The match evaluates to true if any of the matches are successful. | + + +#### CustomTag + + + + + +_Appears in:_ +- [ProxyTracing](#proxytracing) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[CustomTagType](#customtagtype)_ | true | Type defines the type of custom tag. | +| `literal` | _[LiteralCustomTag](#literalcustomtag)_ | true | Literal adds hard-coded value to each span.
It's required when the type is "Literal". | +| `environment` | _[EnvironmentCustomTag](#environmentcustomtag)_ | true | Environment adds value from environment variable to each span.
It's required when the type is "Environment". | +| `requestHeader` | _[RequestHeaderCustomTag](#requestheadercustomtag)_ | true | RequestHeader adds value from request header to each span.
It's required when the type is "RequestHeader". | + + +#### CustomTagType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [CustomTag](#customtag) + +| Value | Description | +| ----- | ----------- | +| `Literal` | CustomTagTypeLiteral adds hard-coded value to each span.
| +| `Environment` | CustomTagTypeEnvironment adds value from environment variable to each span.
| +| `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| + + + + +#### EnvironmentCustomTag + + + +EnvironmentCustomTag adds value from environment variable to each span. + +_Appears in:_ +- [CustomTag](#customtag) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name defines the name of the environment variable which to extract the value from. | +| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the environment variable is not set. | + + +#### EnvoyExtensionPolicy + + + +EnvoyExtensionPolicy allows the user to configure various envoy extensibility options for the Gateway. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`EnvoyExtensionPolicy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyExtensionPolicySpec](#envoyextensionpolicyspec)_ | true | Spec defines the desired state of EnvoyExtensionPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyExtensionPolicy. | + + +#### EnvoyExtensionPolicySpec + + + +EnvoyExtensionPolicySpec defines the desired state of EnvoyExtensionPolicy. + +_Appears in:_ +- [EnvoyExtensionPolicy](#envoyextensionpolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| `wasm` | _[Wasm](#wasm) array_ | false | Wasm is a list of Wasm extensions to be loaded by the Gateway.
Order matters, as the extensions will be loaded in the order they are
defined in this list. | +| `extProc` | _[ExtProc](#extproc) array_ | false | ExtProc is an ordered list of external processing filters
that should added to the envoy filter chain | + + +#### EnvoyFilter + +_Underlying type:_ _string_ + +EnvoyFilter defines the type of Envoy HTTP filter. + +_Appears in:_ +- [FilterPosition](#filterposition) + +| Value | Description | +| ----- | ----------- | +| `envoy.filters.http.health_check` | EnvoyFilterHealthCheck defines the Envoy HTTP health check filter.
| +| `envoy.filters.http.fault` | EnvoyFilterFault defines the Envoy HTTP fault filter.
| +| `envoy.filters.http.cors` | EnvoyFilterCORS defines the Envoy HTTP CORS filter.
| +| `envoy.filters.http.ext_authz` | EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
| +| `envoy.filters.http.basic_auth` | EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
| +| `envoy.filters.http.oauth2` | EnvoyFilterOAuth2 defines the Envoy HTTP OAuth2 filter.
| +| `envoy.filters.http.jwt_authn` | EnvoyFilterJWTAuthn defines the Envoy HTTP JWT authentication filter.
| +| `envoy.filters.http.stateful_session` | EnvoyFilterSessionPersistence defines the Envoy HTTP session persistence filter.
| +| `envoy.filters.http.ext_proc` | EnvoyFilterExtProc defines the Envoy HTTP external process filter.
| +| `envoy.filters.http.wasm` | EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
| +| `envoy.filters.http.rbac` | EnvoyFilterRBAC defines the Envoy RBAC filter.
| +| `envoy.filters.http.local_ratelimit` | EnvoyFilterLocalRateLimit defines the Envoy HTTP local rate limit filter.
| +| `envoy.filters.http.ratelimit` | EnvoyFilterRateLimit defines the Envoy HTTP rate limit filter.
| +| `envoy.filters.http.custom_response` | EnvoyFilterCustomResponse defines the Envoy HTTP custom response filter.
| +| `envoy.filters.http.router` | EnvoyFilterRouter defines the Envoy HTTP router filter.
| + + +#### EnvoyGateway + + + +EnvoyGateway is the schema for the envoygateways API. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`EnvoyGateway` +| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | + + +#### EnvoyGatewayAdmin + + + +EnvoyGatewayAdmin defines the Envoy Gateway Admin configuration. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `address` | _[EnvoyGatewayAdminAddress](#envoygatewayadminaddress)_ | false | Address defines the address of Envoy Gateway Admin Server. | +| `enableDumpConfig` | _boolean_ | false | EnableDumpConfig defines if enable dump config in Envoy Gateway logs. | +| `enablePprof` | _boolean_ | false | EnablePprof defines if enable pprof in Envoy Gateway Admin Server. | + + +#### EnvoyGatewayAdminAddress + + + +EnvoyGatewayAdminAddress defines the Envoy Gateway Admin Address configuration. + +_Appears in:_ +- [EnvoyGatewayAdmin](#envoygatewayadmin) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `port` | _integer_ | false | Port defines the port the admin server is exposed on. | +| `host` | _string_ | false | Host defines the admin server hostname. | + + +#### EnvoyGatewayCustomProvider + + + +EnvoyGatewayCustomProvider defines configuration for the Custom provider. + +_Appears in:_ +- [EnvoyGatewayProvider](#envoygatewayprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resource` | _[EnvoyGatewayResourceProvider](#envoygatewayresourceprovider)_ | true | Resource defines the desired resource provider.
This provider is used to specify the provider to be used
to retrieve the resource configurations such as Gateway API
resources | +| `infrastructure` | _[EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider)_ | false | Infrastructure defines the desired infrastructure provider.
This provider is used to specify the provider to be used
to provide an environment to deploy the out resources like
the Envoy Proxy data plane.

Infrastructure is optional, if provider is not specified,
No infrastructure provider is available. | + + +#### EnvoyGatewayFileResourceProvider + + + +EnvoyGatewayFileResourceProvider defines configuration for the File Resource provider. + +_Appears in:_ +- [EnvoyGatewayResourceProvider](#envoygatewayresourceprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `paths` | _string array_ | true | Paths are the paths to a directory or file containing the resource configuration.
Recursive subdirectories are not currently supported. | + + +#### EnvoyGatewayHostInfrastructureProvider + + + +EnvoyGatewayHostInfrastructureProvider defines configuration for the Host Infrastructure provider. + +_Appears in:_ +- [EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider) + + + +#### EnvoyGatewayInfrastructureProvider + + + +EnvoyGatewayInfrastructureProvider defines configuration for the Custom Infrastructure provider. + +_Appears in:_ +- [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[InfrastructureProviderType](#infrastructureprovidertype)_ | true | Type is the type of infrastructure providers to use. Supported types are "Host". | +| `host` | _[EnvoyGatewayHostInfrastructureProvider](#envoygatewayhostinfrastructureprovider)_ | false | Host defines the configuration of the Host provider. Host provides runtime
deployment of the data plane as a child process on the host environment. | + + +#### EnvoyGatewayKubernetesProvider + + + +EnvoyGatewayKubernetesProvider defines configuration for the Kubernetes provider. + +_Appears in:_ +- [EnvoyGatewayProvider](#envoygatewayprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `rateLimitDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | RateLimitDeployment defines the desired state of the Envoy ratelimit deployment resource.
If unspecified, default settings for the managed Envoy ratelimit deployment resource
are applied. | +| `watch` | _[KubernetesWatchMode](#kuberneteswatchmode)_ | false | Watch holds configuration of which input resources should be watched and reconciled. | +| `deploy` | _[KubernetesDeployMode](#kubernetesdeploymode)_ | false | Deploy holds configuration of how output managed resources such as the Envoy Proxy data plane
should be deployed | +| `overwriteControlPlaneCerts` | _boolean_ | false | OverwriteControlPlaneCerts updates the secrets containing the control plane certs, when set. | +| `leaderElection` | _[LeaderElection](#leaderelection)_ | false | LeaderElection specifies the configuration for leader election.
If it's not set up, leader election will be active by default, using Kubernetes' standard settings. | +| `shutdownManager` | _[ShutdownManager](#shutdownmanager)_ | false | ShutdownManager defines the configuration for the shutdown manager. | + + +#### EnvoyGatewayLogComponent + +_Underlying type:_ _string_ + +EnvoyGatewayLogComponent defines a component that supports a configured logging level. + +_Appears in:_ +- [EnvoyGatewayLogging](#envoygatewaylogging) + +| Value | Description | +| ----- | ----------- | +| `default` | LogComponentGatewayDefault defines the "default"-wide logging component. When specified,
all other logging components are ignored.
| +| `provider` | LogComponentProviderRunner defines the "provider" runner component.
| +| `gateway-api` | LogComponentGatewayAPIRunner defines the "gateway-api" runner component.
| +| `xds-translator` | LogComponentXdsTranslatorRunner defines the "xds-translator" runner component.
| +| `xds-server` | LogComponentXdsServerRunner defines the "xds-server" runner component.
| +| `infrastructure` | LogComponentInfrastructureRunner defines the "infrastructure" runner component.
| +| `global-ratelimit` | LogComponentGlobalRateLimitRunner defines the "global-ratelimit" runner component.
| + + +#### EnvoyGatewayLogging + + + +EnvoyGatewayLogging defines logging for Envoy Gateway. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `level` | _object (keys:[EnvoyGatewayLogComponent](#envoygatewaylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is the logging level. If unspecified, defaults to "info".
EnvoyGatewayLogComponent options: default/provider/gateway-api/xds-translator/xds-server/infrastructure/global-ratelimit.
LogLevel options: debug/info/error/warn. | + + +#### EnvoyGatewayMetricSink + + + +EnvoyGatewayMetricSink defines control plane +metric sinks where metrics are sent to. + +_Appears in:_ +- [EnvoyGatewayMetrics](#envoygatewaymetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG control plane currently supports OpenTelemetry. | +| `openTelemetry` | _[EnvoyGatewayOpenTelemetrySink](#envoygatewayopentelemetrysink)_ | true | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | + + +#### EnvoyGatewayMetrics + + + +EnvoyGatewayMetrics defines control plane push/pull metrics configurations. + +_Appears in:_ +- [EnvoyGatewayTelemetry](#envoygatewaytelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `sinks` | _[EnvoyGatewayMetricSink](#envoygatewaymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | +| `prometheus` | _[EnvoyGatewayPrometheusProvider](#envoygatewayprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | + + +#### EnvoyGatewayOpenTelemetrySink + + + + + +_Appears in:_ +- [EnvoyGatewayMetricSink](#envoygatewaymetricsink) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `host` | _string_ | true | Host define the sink service hostname. | +| `protocol` | _string_ | true | Protocol define the sink service protocol. | +| `port` | _integer_ | false | Port defines the port the sink service is exposed on. | +| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | +| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | + + +#### EnvoyGatewayPrometheusProvider + + + +EnvoyGatewayPrometheusProvider will expose prometheus endpoint in pull mode. + +_Appears in:_ +- [EnvoyGatewayMetrics](#envoygatewaymetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `disable` | _boolean_ | true | Disable defines if disables the prometheus metrics in pull mode. | + + +#### EnvoyGatewayProvider + + + +EnvoyGatewayProvider defines the desired configuration of a provider. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | Type is the type of provider to use. Supported types are "Kubernetes", "Custom". | +| `kubernetes` | _[EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider)_ | false | Kubernetes defines the configuration of the Kubernetes provider. Kubernetes
provides runtime configuration via the Kubernetes API. | +| `custom` | _[EnvoyGatewayCustomProvider](#envoygatewaycustomprovider)_ | false | Custom defines the configuration for the Custom provider. This provider
allows you to define a specific resource provider and an infrastructure
provider. | + + +#### EnvoyGatewayResourceProvider + + + +EnvoyGatewayResourceProvider defines configuration for the Custom Resource provider. + +_Appears in:_ +- [EnvoyGatewayCustomProvider](#envoygatewaycustomprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ResourceProviderType](#resourceprovidertype)_ | true | Type is the type of resource provider to use. Supported types are "File". | +| `file` | _[EnvoyGatewayFileResourceProvider](#envoygatewayfileresourceprovider)_ | false | File defines the configuration of the File provider. File provides runtime
configuration defined by one or more files. | + + +#### EnvoyGatewaySpec + + + +EnvoyGatewaySpec defines the desired state of Envoy Gateway. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `gateway` | _[Gateway](#gateway)_ | false | Gateway defines desired Gateway API specific configuration. If unset,
default configuration parameters will apply. | +| `provider` | _[EnvoyGatewayProvider](#envoygatewayprovider)_ | false | Provider defines the desired provider and provider-specific configuration.
If unspecified, the Kubernetes provider is used with default configuration
parameters. | +| `logging` | _[EnvoyGatewayLogging](#envoygatewaylogging)_ | false | Logging defines logging parameters for Envoy Gateway. | +| `admin` | _[EnvoyGatewayAdmin](#envoygatewayadmin)_ | false | Admin defines the desired admin related abilities.
If unspecified, the Admin is used with default configuration
parameters. | +| `telemetry` | _[EnvoyGatewayTelemetry](#envoygatewaytelemetry)_ | false | Telemetry defines the desired control plane telemetry related abilities.
If unspecified, the telemetry is used with default configuration. | +| `rateLimit` | _[RateLimit](#ratelimit)_ | false | RateLimit defines the configuration associated with the Rate Limit service
deployed by Envoy Gateway required to implement the Global Rate limiting
functionality. The specific rate limit service used here is the reference
implementation in Envoy. For more details visit https://github.com/envoyproxy/ratelimit.
This configuration is unneeded for "Local" rate limiting. | +| `extensionManager` | _[ExtensionManager](#extensionmanager)_ | false | ExtensionManager defines an extension manager to register for the Envoy Gateway Control Plane. | +| `extensionApis` | _[ExtensionAPISettings](#extensionapisettings)_ | false | ExtensionAPIs defines the settings related to specific Gateway API Extensions
implemented by Envoy Gateway | + + +#### EnvoyGatewayTelemetry + + + +EnvoyGatewayTelemetry defines telemetry configurations for envoy gateway control plane. +Control plane will focus on metrics observability telemetry and tracing telemetry later. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `metrics` | _[EnvoyGatewayMetrics](#envoygatewaymetrics)_ | true | Metrics defines metrics configuration for envoy gateway. | + + +#### EnvoyJSONPatchConfig + + + +EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource +using JSONPatch semantic + +_Appears in:_ +- [EnvoyPatchPolicySpec](#envoypatchpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[EnvoyResourceType](#envoyresourcetype)_ | true | Type is the typed URL of the Envoy xDS Resource | +| `name` | _string_ | true | Name is the name of the resource | +| `operation` | _[JSONPatchOperation](#jsonpatchoperation)_ | true | Patch defines the JSON Patch Operation | + + +#### EnvoyPatchPolicy + + + +EnvoyPatchPolicy allows the user to modify the generated Envoy xDS +resources by Envoy Gateway using this patch API + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`EnvoyPatchPolicy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyPatchPolicySpec](#envoypatchpolicyspec)_ | true | Spec defines the desired state of EnvoyPatchPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of EnvoyPatchPolicy. 
| + + +#### EnvoyPatchPolicySpec + + + +EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy. + +_Appears in:_ +- [EnvoyPatchPolicy](#envoypatchpolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[EnvoyPatchType](#envoypatchtype)_ | true | Type decides the type of patch.
Valid EnvoyPatchType values are "JSONPatch". | +| `jsonPatches` | _[EnvoyJSONPatchConfig](#envoyjsonpatchconfig) array_ | false | JSONPatch defines the JSONPatch configuration. | +| `targetRef` | _[LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)_ | true | TargetRef is the name of the Gateway API resource this policy
is being attached to.
By default, attaching to Gateway is supported and
when mergeGateways is enabled it should attach to GatewayClass.
This Policy and the TargetRef MUST be in the same namespace
for this Policy to have effect and be applied to the Gateway
TargetRef | +| `priority` | _integer_ | true | Priority of the EnvoyPatchPolicy.
If multiple EnvoyPatchPolicies are applied to the same
TargetRef, they will be applied in the ascending order of
the priority i.e. int32.min has the highest priority and
int32.max has the lowest priority.
Defaults to 0. | + + +#### EnvoyPatchType + +_Underlying type:_ _string_ + +EnvoyPatchType specifies the types of Envoy patching mechanisms. + +_Appears in:_ +- [EnvoyPatchPolicySpec](#envoypatchpolicyspec) + +| Value | Description | +| ----- | ----------- | +| `JSONPatch` | JSONPatchEnvoyPatchType allows the user to patch the generated xDS resources using JSONPatch semantics.
For more details on the semantics, please refer to https://datatracker.ietf.org/doc/html/rfc6902
| + + +#### EnvoyProxy + + + +EnvoyProxy is the schema for the envoyproxies API. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`EnvoyProxy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[EnvoyProxySpec](#envoyproxyspec)_ | true | EnvoyProxySpec defines the desired state of EnvoyProxy. | +| `status` | _[EnvoyProxyStatus](#envoyproxystatus)_ | true | EnvoyProxyStatus defines the actual state of EnvoyProxy. | + + +#### EnvoyProxyKubernetesProvider + + + +EnvoyProxyKubernetesProvider defines configuration for the Kubernetes resource +provider. + +_Appears in:_ +- [EnvoyProxyProvider](#envoyproxyprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `envoyDeployment` | _[KubernetesDeploymentSpec](#kubernetesdeploymentspec)_ | false | EnvoyDeployment defines the desired state of the Envoy deployment resource.
If unspecified, default settings for the managed Envoy deployment resource
are applied. | +| `envoyDaemonSet` | _[KubernetesDaemonSetSpec](#kubernetesdaemonsetspec)_ | false | EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet | +| `envoyService` | _[KubernetesServiceSpec](#kubernetesservicespec)_ | false | EnvoyService defines the desired state of the Envoy service resource.
If unspecified, default settings for the managed Envoy service resource
are applied. | +| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored. | +| `useListenerPortAsContainerPort` | _boolean_ | false | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. | +| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. | + + +#### EnvoyProxyProvider + + + +EnvoyProxyProvider defines the desired state of a resource provider. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ProviderType](#providertype)_ | true | Type is the type of resource provider to use. A resource provider provides
infrastructure resources for running the data plane, e.g. Envoy proxy, and
optional auxiliary control planes. Supported types are "Kubernetes". | +| `kubernetes` | _[EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)_ | false | Kubernetes defines the desired state of the Kubernetes resource provider.
Kubernetes provides infrastructure resources for running the data plane,
e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
for managed Kubernetes resources are applied. | + + +#### EnvoyProxySpec + + + +EnvoyProxySpec defines the desired state of EnvoyProxy. + +_Appears in:_ +- [EnvoyProxy](#envoyproxy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `provider` | _[EnvoyProxyProvider](#envoyproxyprovider)_ | false | Provider defines the desired resource provider and provider-specific configuration.
If unspecified, the "Kubernetes" resource provider is used with default configuration
parameters. | +| `logging` | _[ProxyLogging](#proxylogging)_ | true | Logging defines logging parameters for managed proxies. | +| `telemetry` | _[ProxyTelemetry](#proxytelemetry)_ | false | Telemetry defines telemetry parameters for managed proxies. | +| `bootstrap` | _[ProxyBootstrap](#proxybootstrap)_ | false | Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
to learn more about the syntax.
If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
set by Envoy Gateway.
Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
Backward compatibility across minor versions is not guaranteed.
We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors. | +| `concurrency` | _integer_ | false | Concurrency defines the number of worker threads to run. If unset, it defaults to
the number of cpuset threads on the platform. | +| `routingType` | _[RoutingType](#routingtype)_ | false | RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint". | +| `extraArgs` | _string array_ | false | ExtraArgs defines additional command line options that are provided to Envoy.
More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here. | +| `mergeGateways` | _boolean_ | false | MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
This means that the port, protocol and hostname tuple must be unique for every listener.
If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition. | +| `shutdown` | _[ShutdownConfig](#shutdownconfig)_ | false | Shutdown defines configuration for graceful envoy shutdown process. | +| `filterOrder` | _[FilterPosition](#filterposition) array_ | false | FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
The FilterPosition in the list will be applied in the order they are defined.
If unspecified, the default filter order is applied.
Default filter order is:

- envoy.filters.http.health_check

- envoy.filters.http.fault

- envoy.filters.http.cors

- envoy.filters.http.ext_authz

- envoy.filters.http.basic_auth

- envoy.filters.http.oauth2

- envoy.filters.http.jwt_authn

- envoy.filters.http.stateful_session

- envoy.filters.http.ext_proc

- envoy.filters.http.wasm

- envoy.filters.http.rbac

- envoy.filters.http.local_ratelimit

- envoy.filters.http.ratelimit

- envoy.filters.http.custom_response

- envoy.filters.http.router

Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain. | +| `backendTLS` | _[BackendTLSConfig](#backendtlsconfig)_ | false | BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
These settings are applied on backends for which TLS policies are specified. | +| `ipFamily` | _[IPFamily](#ipfamily)_ | false | IPFamily specifies the IP family for the EnvoyProxy fleet.
This setting only affects the Gateway listener port and does not impact
other aspects of the Envoy proxy configuration.
If not specified, the system will operate as follows:
- It defaults to IPv4 only.
- IPv6 and dual-stack environments are not supported in this default configuration.
Note: To enable IPv6 or dual-stack functionality, explicit configuration is required. | + + +#### EnvoyProxyStatus + + + +EnvoyProxyStatus defines the observed state of EnvoyProxy. This type is not implemented +until https://github.com/envoyproxy/gateway/issues/1007 is fixed. + +_Appears in:_ +- [EnvoyProxy](#envoyproxy) + + + +#### EnvoyResourceType + +_Underlying type:_ _string_ + +EnvoyResourceType specifies the type URL of the Envoy resource. + +_Appears in:_ +- [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) + +| Value | Description | +| ----- | ----------- | +| `type.googleapis.com/envoy.config.listener.v3.Listener` | ListenerEnvoyResourceType defines the Type URL of the Listener resource
| +| `type.googleapis.com/envoy.config.route.v3.RouteConfiguration` | RouteConfigurationEnvoyResourceType defines the Type URL of the RouteConfiguration resource
| +| `type.googleapis.com/envoy.config.cluster.v3.Cluster` | ClusterEnvoyResourceType defines the Type URL of the Cluster resource
| +| `type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment` | ClusterLoadAssignmentEnvoyResourceType defines the Type URL of the ClusterLoadAssignment resource
| + + +#### ExtAuth + + + +ExtAuth defines the configuration for External Authorization. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | +| `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | +| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | + + +#### ExtProc + + + +ExtProc defines the configuration for External Processing filter. + +_Appears in:_ +- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `messageTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | MessageTimeout is the timeout for a response to be returned from the external processor
Default: 200ms | +| `failOpen` | _boolean_ | false | FailOpen defines if requests or responses that cannot be processed due to connectivity to the
external processor are terminated or passed-through.
Default: false | +| `processingMode` | _[ExtProcProcessingMode](#extprocprocessingmode)_ | false | ProcessingMode defines how request and response body is processed
Default: header and body are not sent to the external processor | + + +#### ExtProcBodyProcessingMode + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProcessingModeOptions](#processingmodeoptions) + +| Value | Description | +| ----- | ----------- | +| `Streamed` | StreamedExtProcBodyProcessingMode will stream the body to the server in pieces as they arrive at the proxy.
| +| `Buffered` | BufferedExtProcBodyProcessingMode will buffer the message body in memory and send the entire body at once. If the body exceeds the configured buffer limit, then the downstream system will receive an error.
| +| `BufferedPartial` | BufferedPartialExtBodyHeaderProcessingMode will buffer the message body in memory and send the entire body in one chunk. If the body exceeds the configured buffer limit, then the body contents up to the buffer limit will be sent.
| + + +#### ExtProcProcessingMode + + + +ExtProcProcessingMode defines if and how headers and bodies are sent to the service. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/processing_mode.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-processingmode + +_Appears in:_ +- [ExtProc](#extproc) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `request` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for requests. If present, request headers are sent. Request body is processed according
to the specified mode. | +| `response` | _[ProcessingModeOptions](#processingmodeoptions)_ | false | Defines processing mode for responses. If present, response headers are sent. Response body is processed according
to the specified mode. | + + +#### ExtensionAPISettings + + + +ExtensionAPISettings defines the settings specific to Gateway API Extensions. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `enableEnvoyPatchPolicy` | _boolean_ | true | EnableEnvoyPatchPolicy enables Envoy Gateway to
reconcile and implement the EnvoyPatchPolicy resources. | +| `enableBackend` | _boolean_ | true | EnableBackend enables Envoy Gateway to
reconcile and implement the Backend resources. | + + +#### ExtensionHooks + + + +ExtensionHooks defines extension hooks across all supported runners + +_Appears in:_ +- [ExtensionManager](#extensionmanager) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `xdsTranslator` | _[XDSTranslatorHooks](#xdstranslatorhooks)_ | true | XDSTranslator defines all the supported extension hooks for the xds-translator runner | + + +#### ExtensionManager + + + +ExtensionManager defines the configuration for registering an extension manager to +the Envoy Gateway control plane. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resources` | _[GroupVersionKind](#groupversionkind) array_ | false | Resources defines the set of K8s resources the extension will handle as route
filter resources | +| `policyResources` | _[GroupVersionKind](#groupversionkind) array_ | false | PolicyResources defines the set of K8S resources the extension server will handle
as directly attached GatewayAPI policies | +| `hooks` | _[ExtensionHooks](#extensionhooks)_ | true | Hooks defines the set of hooks the extension supports | +| `service` | _[ExtensionService](#extensionservice)_ | true | Service defines the configuration of the extension service that the Envoy
Gateway Control Plane will call through extension hooks. | + + +#### ExtensionService + + + +ExtensionService defines the configuration for connecting to a registered extension service. + +_Appears in:_ +- [ExtensionManager](#extensionmanager) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `fqdn` | _[FQDNEndpoint](#fqdnendpoint)_ | false | FQDN defines a FQDN endpoint | +| `ip` | _[IPEndpoint](#ipendpoint)_ | false | IP defines an IP endpoint. Supports both IPv4 and IPv6 addresses. | +| `unix` | _[UnixSocket](#unixsocket)_ | false | Unix defines the unix domain socket endpoint | +| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: use the appropriate transport attribute instead (FQDN,IP,Unix) | +| `tls` | _[ExtensionTLS](#extensiontls)_ | false | TLS defines TLS configuration for communication between Envoy Gateway and
the extension service. | + + +#### ExtensionTLS + + + +ExtensionTLS defines the TLS configuration when connecting to an extension service + +_Appears in:_ +- [ExtensionService](#extensionservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | CertificateRef contains a references to objects (Kubernetes objects or otherwise) that
contains a TLS certificate and private keys. These certificates are used to
establish a TLS handshake to the extension server.

CertificateRef can only reference a Kubernetes Secret at this time. | + + +#### FQDNEndpoint + + + +FQDNEndpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress + +_Appears in:_ +- [BackendEndpoint](#backendendpoint) +- [ExtensionService](#extensionservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostname` | _string_ | true | Hostname defines the FQDN hostname of the backend endpoint. | +| `port` | _integer_ | true | Port defines the port of the backend endpoint. | + + +#### FaultInjection + + + +FaultInjection defines the fault injection policy to be applied. This configuration can be used to +inject delays and abort requests to mimic failure scenarios such as service failures and overloads + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `delay` | _[FaultInjectionDelay](#faultinjectiondelay)_ | false | If specified, a delay will be injected into the request. | +| `abort` | _[FaultInjectionAbort](#faultinjectionabort)_ | false | If specified, the request will be aborted if it meets the configuration criteria. | + + +#### FaultInjectionAbort + + + +FaultInjectionAbort defines the abort fault injection configuration + +_Appears in:_ +- [FaultInjection](#faultinjection) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `httpStatus` | _integer_ | false | StatusCode specifies the HTTP status code to be returned | +| `grpcStatus` | _integer_ | false | GrpcStatus specifies the GRPC status code to be returned | +| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%. 
| + + +#### FaultInjectionDelay + + + +FaultInjectionDelay defines the delay fault injection configuration + +_Appears in:_ +- [FaultInjection](#faultinjection) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `fixedDelay` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | FixedDelay specifies the fixed delay duration | +| `percentage` | _float_ | false | Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%. | + + +#### FileEnvoyProxyAccessLog + + + + + +_Appears in:_ +- [ProxyAccessLogSink](#proxyaccesslogsink) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _string_ | true | Path defines the file path used to expose envoy access log(e.g. /dev/stdout). | + + +#### FilterPosition + + + +FilterPosition defines the position of an Envoy HTTP filter in the filter chain. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _[EnvoyFilter](#envoyfilter)_ | true | Name of the filter. | +| `before` | _[EnvoyFilter](#envoyfilter)_ | true | Before defines the filter that should come before the filter.
Only one of Before or After must be set. | +| `after` | _[EnvoyFilter](#envoyfilter)_ | true | After defines the filter that should come after the filter.
Only one of Before or After must be set. | + + +#### GRPCActiveHealthChecker + + + +GRPCActiveHealthChecker defines the settings of the GRPC health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `service` | _string_ | false | Service to send in the health check request.
If this is not specified, then the health check request applies to the entire
server and not to a specific service. | + + +#### GRPCExtAuthService + + + +GRPCExtAuthService defines the gRPC External Authorization service +The authorization request message is defined in +https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + +_Appears in:_ +- [ExtAuth](#extauth) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | + + +#### Gateway + + + +Gateway defines the desired Gateway API configuration of Envoy Gateway. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `controllerName` | _string_ | false | ControllerName defines the name of the Gateway API controller. If unspecified,
defaults to "gateway.envoyproxy.io/gatewayclass-controller". See the following
for additional details:
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass | + + +#### GlobalRateLimit + + + +GlobalRateLimit defines global rate limit configuration. + +_Appears in:_ +- [RateLimitSpec](#ratelimitspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | true | Rules are a list of RateLimit selectors and limits. Each rule and its
associated limit is applied in a mutually exclusive way. If a request
matches multiple rules, each of their associated limits get applied, so a
single request might increase the rate limit counters for multiple rules
if selected. The rate limit service will return a logical OR of the individual
rate limit decisions of all matching rules. For example, if a request
matches two rules, one rate limited and one not, the final decision will be
to rate limit the request. | + + +#### GroupVersionKind + + + +GroupVersionKind unambiguously identifies a Kind. +It can be converted to k8s.io/apimachinery/pkg/runtime/schema.GroupVersionKind + +_Appears in:_ +- [ExtensionManager](#extensionmanager) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `group` | _string_ | true | | +| `version` | _string_ | true | | +| `kind` | _string_ | true | | + + +#### GzipCompressor + + + +GzipCompressor defines the config for the Gzip compressor. +The default values can be found here: +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/compression/gzip/compressor/v3/gzip.proto#extension-envoy-compression-gzip-compressor + +_Appears in:_ +- [Compression](#compression) + + + +#### HTTP10Settings + + + +HTTP10Settings provides HTTP/1.0 configuration on the listener. + +_Appears in:_ +- [HTTP1Settings](#http1settings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `useDefaultHost` | _boolean_ | false | UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
then the hostname associated with the listener should be injected into the
request.
If this is not set and an HTTP/1.0 request arrives without a host, then
it will be rejected. | + + +#### HTTP1Settings + + + +HTTP1Settings provides HTTP/1 configuration on the listener. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `enableTrailers` | _boolean_ | false | EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy. | +| `preserveHeaderCase` | _boolean_ | false | PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers. | +| `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | + + + + +#### HTTP3Settings + + + +HTTP3Settings provides HTTP/3 configuration on the listener. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + + + +#### HTTPActiveHealthChecker + + + +HTTPActiveHealthChecker defines the settings of http health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _string_ | true | Path defines the HTTP path that will be requested during health checking. | +| `method` | _string_ | false | Method defines the HTTP method used for health checking.
Defaults to GET | +| `expectedStatuses` | _[HTTPStatus](#httpstatus) array_ | false | ExpectedStatuses defines a list of HTTP response statuses considered healthy.
Defaults to 200 only | +| `expectedResponse` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | ExpectedResponse defines a list of HTTP expected responses to match. | + + +#### HTTPClientTimeout + + + + + +_Appears in:_ +- [ClientTimeout](#clienttimeout) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `requestReceivedTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins. | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | + + +#### HTTPDirectResponseFilter + + + +HTTPDirectResponseFilter defines the configuration to return a fixed response. + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `contentType` | _string_ | false | Content Type of the response. This will be set in the Content-Type header. | +| `body` | _[CustomResponseBody](#customresponsebody)_ | false | Body of the Response | +| `statusCode` | _integer_ | false | Status Code of the HTTP response
If unset, defaults to 200. | + + +#### HTTPExtAuthService + + + +HTTPExtAuthService defines the HTTP External Authorization service + +_Appears in:_ +- [ExtAuth](#extauth) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `path` | _string_ | true | Path is the path of the HTTP External Authorization service.
If path is specified, the authorization request will be sent to that path,
or else the authorization request will be sent to the root path. | +| `headersToBackend` | _string array_ | false | HeadersToBackend are the authorization response headers that will be added
to the original client request before sending it to the backend server.
Note that coexisting headers will be overridden.
If not specified, no authorization response headers will be added to the
original client request. | + + +#### HTTPHostnameModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPHostnameModifierType](#httphostnamemodifiertype)_ | true | | +| `header` | _string_ | false | Header is the name of the header whose value would be used to rewrite the Host header | + + +#### HTTPHostnameModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of Hostname rewrite. + +_Appears in:_ +- [HTTPHostnameModifier](#httphostnamemodifier) + +| Value | Description | +| ----- | ----------- | +| `Header` | HeaderHTTPHostnameModifier indicates that the Host header value would be replaced with the value of the header specified in header.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-host-rewrite-header
| +| `Backend` | BackendHTTPHostnameModifier indicates that the Host header value would be replaced by the DNS name of the backend if it exists.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
| + + +#### HTTPPathModifier + + + + + +_Appears in:_ +- [HTTPURLRewriteFilter](#httpurlrewritefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HTTPPathModifierType](#httppathmodifiertype)_ | true | | +| `replaceRegexMatch` | _[ReplaceRegexMatch](#replaceregexmatch)_ | false | ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
Some examples:
(1) replaceRegexMatch:
pattern: ^/service/([^/]+)(/.*)$
substitution: \2/instance/\1
Would transform /service/foo/v1/api into /v1/api/instance/foo.
(2) replaceRegexMatch:
pattern: one
substitution: two
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
(3) replaceRegexMatch:
pattern: ^(.*?)one(.*)$
substitution: \1two\2
Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
(3) replaceRegexMatch:
pattern: (?i)/xxx/
substitution: /yyy/
Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive). | + + +#### HTTPPathModifierType + +_Underlying type:_ _string_ + +HTTPPathModifierType defines the type of path redirect or rewrite. + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Value | Description | +| ----- | ----------- | +| `ReplaceRegexMatch` | RegexHTTPPathModifier This type of modifier indicates that the portions of the path that match the specified
regex would be substituted with the specified substitution value
https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/regex.proto#type-matcher-v3-regexmatchandsubstitute
| + + +#### HTTPRouteFilter + + + +HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended +traffic processing options such as path regex rewrite, direct response and more. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`HTTPRouteFilter` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[HTTPRouteFilterSpec](#httproutefilterspec)_ | true | Spec defines the desired state of HTTPRouteFilter. | + + +#### HTTPRouteFilterSpec + + + +HTTPRouteFilterSpec defines the desired state of HTTPRouteFilter. + +_Appears in:_ +- [HTTPRouteFilter](#httproutefilter) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `urlRewrite` | _[HTTPURLRewriteFilter](#httpurlrewritefilter)_ | false | | +| `directResponse` | _[HTTPDirectResponseFilter](#httpdirectresponsefilter)_ | false | | + + +#### HTTPStatus + +_Underlying type:_ _integer_ + +HTTPStatus defines the http status code. + +_Appears in:_ +- [HTTPActiveHealthChecker](#httpactivehealthchecker) +- [RetryOn](#retryon) + + + +#### HTTPTimeout + + + + + +_Appears in:_ +- [Timeout](#timeout) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `connectionIdleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour. | +| `maxConnectionDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The maximum duration of an HTTP connection.
Default: unlimited. | +| `requestTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | RequestTimeout is the time until which entire response is received from the upstream. | + + +#### HTTPURLRewriteFilter + + + +HTTPURLRewriteFilter define rewrites of HTTP URL components such as path and host + +_Appears in:_ +- [HTTPRouteFilterSpec](#httproutefilterspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostname` | _[HTTPHostnameModifier](#httphostnamemodifier)_ | false | Hostname is the value to be used to replace the Host header value during
forwarding. | +| `path` | _[HTTPPathModifier](#httppathmodifier)_ | false | Path defines a path rewrite. | + + +#### HTTPWasmCodeSource + + + +HTTPWasmCodeSource defines the HTTP URL containing the Wasm code. + +_Appears in:_ +- [WasmCodeSource](#wasmcodesource) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `url` | _string_ | true | URL is the URL containing the Wasm code. | +| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the Wasm code.

If not specified, Envoy Gateway will not verify the downloaded Wasm code.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | + + +#### Header + + + +Header defines the header hashing configuration for consistent hash based +load balancing. + +_Appears in:_ +- [ConsistentHash](#consistenthash) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name of the header to hash. | + + + + +#### HeaderMatchType + +_Underlying type:_ _string_ + +HeaderMatchType specifies the semantics of how HTTP header values should be compared. +Valid HeaderMatchType values are "Exact", "RegularExpression", and "Distinct". + +_Appears in:_ +- [HeaderMatch](#headermatch) + +| Value | Description | +| ----- | ----------- | +| `Exact` | HeaderMatchExact matches the exact value of the Value field against the value of
the specified HTTP Header.
| +| `RegularExpression` | HeaderMatchRegularExpression matches a regular expression against the value of the
specified HTTP Header. The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| +| `Distinct` | HeaderMatchDistinct matches any and all possible unique values encountered in the
specified HTTP Header. Note that each unique value will receive its own rate limit
bucket.
Note: This is only supported for Global Rate Limits.
| + + +#### HeaderSettings + + + +HeaderSettings provides configuration options for headers on the listener. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `enableEnvoyHeaders` | _boolean_ | false | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses. | +| `disableRateLimitHeaders` | _boolean_ | false | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled. | +| `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ | false | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.

x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.

Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.

If not set, the default behavior is sanitizing the XFCC header. | +| `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ | false | WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request. | +| `preserveXRequestID` | _boolean_ | false | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
It defaults to false. | +| `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | + + + + +#### HealthCheckSettings + + + +HealthCheckSettings provides HealthCheck configuration on the HTTP/HTTPS listener. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _string_ | true | Path specifies the HTTP path to match on for health check requests. | + + +#### IPEndpoint + + + +IPEndpoint describes TCP/UDP socket address, corresponding to Envoy's Socket Address +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-socketaddress + +_Appears in:_ +- [BackendEndpoint](#backendendpoint) +- [ExtensionService](#extensionservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `address` | _string_ | true | Address defines the IP address of the backend endpoint.
Supports both IPv4 and IPv6 addresses. | +| `port` | _integer_ | true | Port defines the port of the backend endpoint. | + + +#### IPFamily + +_Underlying type:_ _string_ + +IPFamily defines the IP family to use for the Envoy proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Value | Description | +| ----- | ----------- | +| `IPv4` | IPv4 defines the IPv4 family.
| +| `IPv6` | IPv6 defines the IPv6 family.
| +| `DualStack` | DualStack defines the dual-stack family.
When set to DualStack, Envoy proxy will listen on both IPv4 and IPv6 addresses
for incoming client traffic, enabling support for both IP protocol versions.
| + + +#### ImagePullPolicy + +_Underlying type:_ _string_ + +ImagePullPolicy defines the policy to use when pulling an OIC image. + +_Appears in:_ +- [WasmCodeSource](#wasmcodesource) + +| Value | Description | +| ----- | ----------- | +| `IfNotPresent` | ImagePullPolicyIfNotPresent will only pull the image if it does not already exist in the EG cache.
| +| `Always` | ImagePullPolicyAlways will pull the image when the EnvoyExtension resource version changes.
Note: EG does not update the Wasm module every time an Envoy proxy requests the Wasm module.
| + + +#### ImageWasmCodeSource + + + +ImageWasmCodeSource defines the OCI image containing the Wasm code. + +_Appears in:_ +- [WasmCodeSource](#wasmcodesource) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `url` | _string_ | true | URL is the URL of the OCI image.
URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`. | +| `sha256` | _string_ | false | SHA256 checksum that will be used to verify the OCI image.

It must match the digest of the OCI image.

If not specified, Envoy Gateway will not verify the downloaded OCI image.
kubebuilder:validation:Pattern=`^[a-f0-9]\{64\}$` | +| `pullSecretRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | PullSecretRef is a reference to the secret containing the credentials to pull the image.
Only support Kubernetes Secret resource from the same namespace. | + + +#### InfrastructureProviderType + +_Underlying type:_ _string_ + +InfrastructureProviderType defines the types of custom infrastructure providers supported by Envoy Gateway. + +_Appears in:_ +- [EnvoyGatewayInfrastructureProvider](#envoygatewayinfrastructureprovider) + +| Value | Description | +| ----- | ----------- | +| `Host` | InfrastructureProviderTypeHost defines the "Host" provider.
| + + +#### InvalidMessageAction + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [HTTP2Settings](#http2settings) + +| Value | Description | +| ----- | ----------- | +| `TerminateConnection` | | +| `TerminateStream` | | + + +#### JSONPatchOperation + + + +JSONPatchOperation defines the JSON Patch Operation as defined in +https://datatracker.ietf.org/doc/html/rfc6902 + +_Appears in:_ +- [EnvoyJSONPatchConfig](#envoyjsonpatchconfig) +- [ProxyBootstrap](#proxybootstrap) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `op` | _[JSONPatchOperationType](#jsonpatchoperationtype)_ | true | Op is the type of operation to perform | +| `path` | _string_ | false | Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
It specifies the location of the target document/field where the operation will be performed | +| `jsonPath` | _string_ | false | JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
It produces one or more JSONPointer expressions based on the given JSON document.
If no JSONPointer is found, it will result in an error.
If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
This is useful when creating a property that does not yet exist in the JSON document.
The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied. | +| `from` | _string_ | false | From is the source location of the value to be copied or moved. Only valid
for move or copy operations
Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Value is the new value of the path location. The value is only used by
the `add` and `replace` operations. | + + +#### JSONPatchOperationType + +_Underlying type:_ _string_ + +JSONPatchOperationType specifies the JSON Patch operations that can be performed. + +_Appears in:_ +- [JSONPatchOperation](#jsonpatchoperation) + + + +#### JWT + + + +JWT defines the configuration for JSON Web Token (JWT) authentication. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `optional` | _boolean_ | true | Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented. | +| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | + + +#### JWTClaim + + + +JWTClaim specifies a claim in a JWT token. + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name is the name of the claim.
If it is a nested claim, use a dot (.) separated string as the name to
represent the full path to the claim.
For example, if the claim is in the "department" field in the "organization" field,
the name should be "organization.department". | +| `valueType` | _[JWTClaimValueType](#jwtclaimvaluetype)_ | false | ValueType is the type of the claim value.
Only String and StringArray types are supported for now. | +| `values` | _string array_ | true | Values are the values that the claim must match.
If the claim is a string type, the specified value must match exactly.
If the claim is a string array type, the specified value must match one of the values in the array.
If multiple values are specified, one of the values must match for the rule to match. | + + +#### JWTClaimValueType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTClaim](#jwtclaim) + +| Value | Description | +| ----- | ----------- | +| `String` | | +| `StringArray` | | + + +#### JWTExtractor + + + +JWTExtractor defines a custom JWT token extraction from HTTP request. +If specified, Envoy will extract the JWT token from the listed extractors (headers, cookies, or params) and validate each of them. +If any value extracted is found to be an invalid JWT, a 401 error will be returned. + +_Appears in:_ +- [JWTProvider](#jwtprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `headers` | _[JWTHeaderExtractor](#jwtheaderextractor) array_ | false | Headers represents a list of HTTP request headers to extract the JWT token from. | +| `cookies` | _string array_ | false | Cookies represents a list of cookie names to extract the JWT token from. | +| `params` | _string array_ | false | Params represents a list of query parameters to extract the JWT token from. | + + +#### JWTHeaderExtractor + + + +JWTHeaderExtractor defines an HTTP header location to extract JWT token + +_Appears in:_ +- [JWTExtractor](#jwtextractor) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name is the HTTP header name to retrieve the token | +| `valuePrefix` | _string_ | false | ValuePrefix is the prefix that should be stripped before extracting the token.
The format would be used by Envoy like "\{ValuePrefix\}".
For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end. | + + +#### JWTPrincipal + + + +JWTPrincipal specifies the client identity of a request based on the JWT claims and scopes. +At least one of the claims or scopes must be specified. +Claims and scopes are And-ed together if both are specified. + +_Appears in:_ +- [Principal](#principal) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `provider` | _string_ | true | Provider is the name of the JWT provider that used to verify the JWT token.
In order to use JWT claims for authorization, you must configure the JWT
authentication with the same provider in the same `SecurityPolicy`. | +| `claims` | _[JWTClaim](#jwtclaim) array_ | false | Claims are the claims in a JWT token.

If multiple claims are specified, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match. | +| `scopes` | _[JWTScope](#jwtscope) array_ | false | Scopes are a special type of claim in a JWT token that represents the permissions of the client.

The value of the scopes field should be a space delimited string that is expected in the scope parameter,
as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.

If multiple scopes are specified, all scopes must match for the rule to match. | + + +#### JWTProvider + + + +JWTProvider defines how a JSON Web Token (JWT) can be verified. + +_Appears in:_ +- [JWT](#jwt) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name defines a unique name for the JWT provider. A name can have a variety of forms,
including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels. | +| `issuer` | _string_ | false | Issuer is the principal that issued the JWT and takes the form of a URL or email address.
For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
the JWT issuer is not checked. | +| `audiences` | _string array_ | false | Audiences is a list of JWT audiences allowed access. For additional details, see
https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
are not checked. | +| `remoteJWKS` | _[RemoteJWKS](#remotejwks)_ | true | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
HTTP/HTTPS endpoint. | +| `claimToHeaders` | _[ClaimToHeader](#claimtoheader) array_ | false | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
For examples, following config:
The claim must be of type; string, int, double, bool. Array type claims are not supported | +| `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers generated from the claim are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | +| `extractFrom` | _[JWTExtractor](#jwtextractor)_ | false | ExtractFrom defines different ways to extract the JWT token from HTTP request.
If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
or access_token from query parameters. | + + +#### JWTScope + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [JWTPrincipal](#jwtprincipal) + + + +#### KubernetesContainerSpec + + + +KubernetesContainerSpec defines the desired state of the Kubernetes container resource. + +_Appears in:_ +- [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) +- [KubernetesDeploymentSpec](#kubernetesdeploymentspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `env` | _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#envvar-v1-core) array_ | false | List of environment variables to set in the container. | +| `resources` | _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourcerequirements-v1-core)_ | false | Resources required by this container.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| `securityContext` | _[SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#securitycontext-v1-core)_ | false | SecurityContext defines the security options the container should be run with.
If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| `image` | _string_ | false | Image specifies the EnvoyProxy container image to be used, instead of the default image. | +| `volumeMounts` | _[VolumeMount](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volumemount-v1-core) array_ | false | VolumeMounts are volumes to mount into the container's filesystem.
Cannot be updated. | + + +#### KubernetesDaemonSetSpec + + + +KubernetesDaemonSetSpec defines the desired state of the Kubernetes daemonset resource. + +_Appears in:_ +- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to daemonset | +| `strategy` | _[DaemonSetUpdateStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#daemonsetupdatestrategy-v1-apps)_ | false | The daemonset strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | +| `name` | _string_ | false | Name of the daemonSet.
When unset, this defaults to an autogenerated name. | + + +#### KubernetesDeployMode + + + +KubernetesDeployMode holds configuration for how to deploy managed resources such as the Envoy Proxy +data plane fleet. + +_Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) + + + +#### KubernetesDeploymentSpec + + + +KubernetesDeploymentSpec defines the desired state of the Kubernetes deployment resource. + +_Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) +- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to deployment | +| `replicas` | _integer_ | false | Replicas is the number of desired pods. Defaults to 1. | +| `strategy` | _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deploymentstrategy-v1-apps)_ | false | The deployment strategy to use to replace existing pods with new ones. | +| `pod` | _[KubernetesPodSpec](#kubernetespodspec)_ | false | Pod defines the desired specification of pod. | +| `container` | _[KubernetesContainerSpec](#kubernetescontainerspec)_ | false | Container defines the desired specification of main container. | +| `initContainers` | _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core) array_ | false | List of initialization containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | +| `name` | _string_ | false | Name of the deployment.
When unset, this defaults to an autogenerated name. | + + +#### KubernetesHorizontalPodAutoscalerSpec + + + +KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment. +When HPA is enabled, it is recommended that the value in `KubernetesDeploymentSpec.replicas` be removed, otherwise +Envoy Gateway will revert back to this value every time reconciliation occurs. +See k8s.io.autoscaling.v2.HorizontalPodAutoScalerSpec. + +_Appears in:_ +- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `minReplicas` | _integer_ | false | minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 replica. | +| `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | +| `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | +| `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | + + +#### KubernetesPatchSpec + + + +KubernetesPatchSpec defines how to perform the patch operation. +Note that `value` can be an in-line YAML document, as can be seen in e.g. (the example of patching the Envoy proxy Deployment)[https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#patching-deployment-for-envoyproxy]. +Note also that, currently, strings containing literal JSON are _rejected_. + +_Appears in:_ +- [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) +- [KubernetesDeploymentSpec](#kubernetesdeploymentspec) +- [KubernetesServiceSpec](#kubernetesservicespec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[MergeType](#mergetype)_ | false | Type is the type of merge operation to perform

By default, StrategicMerge is used as the patch type. | +| `value` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | true | Object contains the raw configuration for merged object | + + +#### KubernetesPodDisruptionBudgetSpec + + + +KubernetesPodDisruptionBudgetSpec defines Kubernetes PodDisruptionBudget settings of Envoy Proxy Deployment. + +_Appears in:_ +- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `minAvailable` | _integer_ | false | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | + + +#### KubernetesPodSpec + + + +KubernetesPodSpec defines the desired state of the Kubernetes pod resource. + +_Appears in:_ +- [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) +- [KubernetesDeploymentSpec](#kubernetesdeploymentspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | Annotations are the annotations that should be appended to the pods.
By default, no pod annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | Labels are the additional labels that should be tagged to the pods.
By default, no additional pod labels are tagged. | +| `securityContext` | _[PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podsecuritycontext-v1-core)_ | false | SecurityContext holds pod-level security attributes and common container settings.
Optional: Defaults to empty. See type description for default values of each field. | +| `affinity` | _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#affinity-v1-core)_ | false | If specified, the pod's scheduling constraints. | +| `tolerations` | _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#toleration-v1-core) array_ | false | If specified, the pod's tolerations. | +| `volumes` | _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#volume-v1-core) array_ | false | Volumes that can be mounted by containers belonging to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes | +| `imagePullSecrets` | _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#localobjectreference-v1-core) array_ | false | ImagePullSecrets is an optional list of references to secrets
in the same namespace to use for pulling any of the images used by this PodSpec.
If specified, these secrets will be passed to individual puller implementations for them to use.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod | +| `nodeSelector` | _object (keys:string, values:string)_ | false | NodeSelector is a selector which must be true for the pod to fit on a node.
Selector which must match a node's labels for the pod to be scheduled on that node.
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. | + + +#### KubernetesServiceSpec + + + +KubernetesServiceSpec defines the desired state of the Kubernetes service resource. + +_Appears in:_ +- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `annotations` | _object (keys:string, values:string)_ | false | Annotations that should be appended to the service.
By default, no annotations are appended. | +| `labels` | _object (keys:string, values:string)_ | false | Labels that should be appended to the service.
By default, no labels are appended. | +| `type` | _[ServiceType](#servicetype)_ | false | Type determines how the Service is exposed. Defaults to LoadBalancer.
Valid options are ClusterIP, LoadBalancer and NodePort.
"LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
"ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
"NodePort" means a service will be exposed on a static Port on all Nodes of the cluster. | +| `loadBalancerClass` | _string_ | false | LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
implementation if more than one are available or is otherwise expected to be specified | +| `allocateLoadBalancerNodePorts` | _boolean_ | false | AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
value), those requests will be respected, regardless of this field. This field may only be set for
services with type LoadBalancer and will be cleared if the type is changed to any other type. | +| `loadBalancerSourceRanges` | _string array_ | false | LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
firewall rules on the platform providers load balancer. This is not guaranteed to be working as
it happens outside of kubernetes and has to be supported and handled by the platform provider.
This field may only be set for services with type LoadBalancer and will be cleared if the type
is changed to any other type. | +| `loadBalancerIP` | _string_ | false | LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
may be ignored if the load balancer provider does not support this feature.
This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
providers such as GCP. | +| `externalTrafficPolicy` | _[ServiceExternalTrafficPolicy](#serviceexternaltrafficpolicy)_ | false | ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the service | +| `name` | _string_ | false | Name of the service.
When unset, this defaults to an autogenerated name. | + + +#### KubernetesWatchMode + + + +KubernetesWatchMode holds the configuration for which input resources to watch and reconcile. + +_Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[KubernetesWatchModeType](#kuberneteswatchmodetype)_ | true | Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and
KubernetesWatchModeTypeNamespaceSelector are currently supported
By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources
from all namespaces. | +| `namespaces` | _string array_ | true | Namespaces holds the list of namespaces that Envoy Gateway will watch for namespaced scoped
resources such as Gateway, HTTPRoute and Service.
Note that Envoy Gateway will continue to reconcile relevant cluster scoped resources such as
GatewayClass that it is linked to. Precisely one of Namespaces and NamespaceSelector must be set. | +| `namespaceSelector` | _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#labelselector-v1-meta)_ | true | NamespaceSelector holds the label selector used to dynamically select namespaces.
Envoy Gateway will watch for namespaces matching the specified label selector.
Precisely one of Namespaces and NamespaceSelector must be set. | + + +#### KubernetesWatchModeType + +_Underlying type:_ _string_ + +KubernetesWatchModeType defines the type of KubernetesWatchMode + +_Appears in:_ +- [KubernetesWatchMode](#kuberneteswatchmode) + + + +#### LeaderElection + + + +LeaderElection defines the desired leader election settings. + +_Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `leaseDuration` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | LeaseDuration defines the time non-leader contenders will wait before attempting to claim leadership.
It's based on the timestamp of the last acknowledged signal. The default setting is 15 seconds. | +| `renewDeadline` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RenewDeadline represents the time frame within which the current leader will attempt to renew its leadership
status before relinquishing its position. The default setting is 10 seconds. | +| `retryPeriod` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | RetryPeriod denotes the interval at which LeaderElector clients should perform action retries.
The default setting is 2 seconds. | +| `disable` | _boolean_ | true | Disable provides the option to turn off leader election, which is enabled by default. | + + +#### LiteralCustomTag + + + +LiteralCustomTag adds hard-coded value to each span. + +_Appears in:_ +- [CustomTag](#customtag) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `value` | _string_ | true | Value defines the hard-coded value to add to each span. | + + + + +#### LoadBalancerType + +_Underlying type:_ _string_ + +LoadBalancerType specifies the types of LoadBalancer. + +_Appears in:_ +- [LoadBalancer](#loadbalancer) + +| Value | Description | +| ----- | ----------- | +| `ConsistentHash` | ConsistentHashLoadBalancerType load balancer policy.
| +| `LeastRequest` | LeastRequestLoadBalancerType load balancer policy.
| +| `Random` | RandomLoadBalancerType load balancer policy.
| +| `RoundRobin` | RoundRobinLoadBalancerType load balancer policy.
| + + +#### LocalRateLimit + + + +LocalRateLimit defines local rate limit configuration. + +_Appears in:_ +- [RateLimitSpec](#ratelimitspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `rules` | _[RateLimitRule](#ratelimitrule) array_ | false | Rules are a list of RateLimit selectors and limits. If a request matches
multiple rules, the strictest limit is applied. For example, if a request
matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps. | + + +#### LogLevel + +_Underlying type:_ _string_ + +LogLevel defines a log level for Envoy Gateway and EnvoyProxy system logs. + +_Appears in:_ +- [EnvoyGatewayLogging](#envoygatewaylogging) +- [ProxyLogging](#proxylogging) + +| Value | Description | +| ----- | ----------- | +| `debug` | LogLevelDebug defines the "debug" logging level.
| +| `info` | LogLevelInfo defines the "Info" logging level.
| +| `warn` | LogLevelWarn defines the "Warn" logging level.
| +| `error` | LogLevelError defines the "Error" logging level.
| + + + + +#### MetricSinkType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [EnvoyGatewayMetricSink](#envoygatewaymetricsink) +- [ProxyMetricSink](#proxymetricsink) + +| Value | Description | +| ----- | ----------- | +| `OpenTelemetry` | | + + +#### OIDC + + + +OIDC defines the configuration for the OpenID Connect (OIDC) authentication. + +_Appears in:_ +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `provider` | _[OIDCProvider](#oidcprovider)_ | true | The OIDC Provider configuration. | +| `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | +| `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | +| `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | +| `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | +| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | +| `forwardAccessToken` | _boolean_ | false | ForwardAccessToken indicates whether the Envoy should forward the access token
via the Authorization header Bearer scheme to the upstream.
If not specified, defaults to false. | +| `defaultTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultTokenTTL is the default lifetime of the id token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.

If not specified, defaults to 0. In this case, the "expires_in" field in
the authorization response must be set by the authorization server, or the
OAuth flow will fail. | +| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should automatically refresh the
id token and access token when they expire.
When set to true, the Envoy will use the refresh token to get a new id token
and access token when they expire.

If not specified, defaults to false. | +| `defaultRefreshTokenTTL` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DefaultRefreshTokenTTL is the default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.

If not specified, defaults to 604800s (one week).
Note: this field is only applicable when the "refreshToken" field is set to true. | + + +#### OIDCCookieNames + + + +OIDCCookieNames defines the names of cookies to use in the Envoy OIDC filter. + +_Appears in:_ +- [OIDC](#oidc) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `accessToken` | _string_ | false | The name of the cookie used to store the AccessToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "AccessToken-(randomly generated uid)" | +| `idToken` | _string_ | false | The name of the cookie used to store the IdToken in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, defaults to "IdToken-(randomly generated uid)" | + + +#### OIDCProvider + + + +OIDCProvider defines the OIDC Provider configuration. + +_Appears in:_ +- [OIDC](#oidc) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `issuer` | _string_ | true | The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
be https, a host component, and optionally, port and path components and
no query or fragment components. | +| `authorizationEndpoint` | _string_ | false | The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | +| `tokenEndpoint` | _string_ | false | The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). | + + +#### OpenTelemetryEnvoyProxyAccessLog + + + +OpenTelemetryEnvoyProxyAccessLog defines the OpenTelemetry access log sink. + +_Appears in:_ +- [ProxyAccessLogSink](#proxyaccesslogsink) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | Host define the extension service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | Port defines the port the extension service is exposed on.
Deprecated: Use BackendRefs instead. | +| `resources` | _object (keys:string, values:string)_ | false | Resources is a set of labels that describe the source of a log entry, including envoy node info.
It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/). | + + +#### Origin + +_Underlying type:_ _string_ + +Origin is defined by the scheme (protocol), hostname (domain), and port of +the URL used to access it. The hostname can be "precise" which is just the +domain name or "wildcard" which is a domain name prefixed with a single +wildcard label such as "*.example.com". +In addition to that a single wildcard (with or without scheme) can be +configured to match any origin. + + +For example, the following are valid origins: +- https://foo.example.com +- https://*.example.com +- http://foo.example.com:8080 +- http://*.example.com:8080 +- https://* + +_Appears in:_ +- [CORS](#cors) + + + +#### PassiveHealthCheck + + + +PassiveHealthCheck defines the configuration for passive health checks in the context of Envoy's Outlier Detection, +see https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier + +_Appears in:_ +- [HealthCheck](#healthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `splitExternalLocalOriginErrors` | _boolean_ | false | SplitExternalLocalOriginErrors enables splitting of errors between external and local origin. | +| `interval` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Interval defines the time between passive health checks. | +| `consecutiveLocalOriginFailures` | _integer_ | false | ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
Parameter takes effect only when split_external_local_origin_errors is set to true. | +| `consecutiveGatewayErrors` | _integer_ | false | ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection. | +| `consecutive5XxErrors` | _integer_ | false | Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection. | +| `baseEjectionTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures. | +| `maxEjectionPercent` | _integer_ | false | MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected. | + + +#### PathEscapedSlashAction + +_Underlying type:_ _string_ + +PathEscapedSlashAction determines the action for requests that contain %2F, %2f, %5C, or %5c +sequences in the URI path. + +_Appears in:_ +- [PathSettings](#pathsettings) + +| Value | Description | +| ----- | ----------- | +| `KeepUnchanged` | KeepUnchangedAction keeps escaped slashes as they arrive without changes
| +| `RejectRequest` | RejectRequestAction rejects client requests containing escaped slashes
with a 400 status. gRPC requests will be rejected with the INTERNAL (13)
error code.
The "httpN.downstream_rq_failed_path_normalization" counter is incremented
for each rejected request.
| +| `UnescapeAndRedirect` | UnescapeAndRedirect unescapes %2F and %5C sequences and redirects to the new path
if these sequences were present.
Redirect occurs after path normalization and merge slashes transformations if
they were configured. gRPC requests will be rejected with the INTERNAL (13)
error code.
This option minimizes possibility of path confusion exploits by forcing request
with unescaped slashes to traverse all parties: downstream client, intermediate
proxies, Envoy and upstream server.
The “httpN.downstream_rq_redirected_with_normalized_path” counter is incremented
for each redirected request.
| +| `UnescapeAndForward` | UnescapeAndForward unescapes %2F and %5C sequences and forwards the request.
Note: this option should not be enabled if intermediaries perform path based access
control as it may lead to path confusion vulnerabilities.
| + + +#### PathSettings + + + +PathSettings provides settings that managing how the incoming path set by clients is handled. + +_Appears in:_ +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `escapedSlashesAction` | _[PathEscapedSlashAction](#pathescapedslashaction)_ | false | EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect. | +| `disableMergeSlashes` | _boolean_ | false | DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience. | + + +#### PerRetryPolicy + + + + + +_Appears in:_ +- [Retry](#retry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout is the timeout per retry attempt. | +| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | + + +#### PolicyTargetReferences + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | + + +#### Principal + + + +If there are multiple principal types, all principals must match for the rule to match. + +_Appears in:_ +- [AuthorizationRule](#authorizationrule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | + + +#### ProcessingModeOptions + + + +ProcessingModeOptions defines if headers or body should be processed by the external service + +_Appears in:_ +- [ExtProcProcessingMode](#extprocprocessingmode) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | + + +#### ProviderType + +_Underlying type:_ _string_ + +ProviderType defines the types of providers supported by Envoy Gateway. + +_Appears in:_ +- [EnvoyGatewayProvider](#envoygatewayprovider) +- [EnvoyProxyProvider](#envoyproxyprovider) + +| Value | Description | +| ----- | ----------- | +| `Kubernetes` | ProviderTypeKubernetes defines the "Kubernetes" provider.
| +| `Custom` | ProviderTypeCustom defines the "Custom" provider.
| + + +#### ProxyAccessLog + + + + + +_Appears in:_ +- [ProxyTelemetry](#proxytelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `disable` | _boolean_ | true | Disable disables access logging for managed proxies if set to true. | +| `settings` | _[ProxyAccessLogSetting](#proxyaccesslogsetting) array_ | false | Settings defines accesslog settings for managed proxies.
If unspecified, will send default format to stdout. | + + +#### ProxyAccessLogFormat + + + +ProxyAccessLogFormat defines the format of accesslog. +By default accesslogs are written to standard output. + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ProxyAccessLogFormatType](#proxyaccesslogformattype)_ | true | Type defines the type of accesslog format. | +| `text` | _string_ | false | Text defines the text accesslog format, following Envoy accesslog formatting,
It's required when the format type is "Text".
Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. | +| `json` | _object (keys:string, values:string)_ | false | JSON is additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON". | + + +#### ProxyAccessLogFormatType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogFormat](#proxyaccesslogformat) + +| Value | Description | +| ----- | ----------- | +| `Text` | ProxyAccessLogFormatTypeText defines the text accesslog format.
| +| `JSON` | ProxyAccessLogFormatTypeJSON defines the JSON accesslog format.
| + + +#### ProxyAccessLogSetting + + + + + +_Appears in:_ +- [ProxyAccessLog](#proxyaccesslog) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `format` | _[ProxyAccessLogFormat](#proxyaccesslogformat)_ | false | Format defines the format of accesslog.
This will be ignored if sink type is ALS. | +| `matches` | _string array_ | true | Matches defines the match conditions for accesslog in CEL expression.
An accesslog will be emitted only when one or more match conditions are evaluated to true.
Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored. | +| `sinks` | _[ProxyAccessLogSink](#proxyaccesslogsink) array_ | true | Sinks defines the sinks of accesslog. | +| `type` | _[ProxyAccessLogType](#proxyaccesslogtype)_ | false | Type defines the component emitting the accesslog, such as Listener and Route.
If type not defined, the setting would apply to:
(1) All Routes.
(2) Listeners if and only if Envoy does not find a matching route for a request.
If type is defined, the accesslog settings would apply to the relevant component (as-is). | + + +#### ProxyAccessLogSink + + + +ProxyAccessLogSink defines the sink of accesslog. + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[ProxyAccessLogSinkType](#proxyaccesslogsinktype)_ | true | Type defines the type of accesslog sink. | +| `als` | _[ALSEnvoyProxyAccessLog](#alsenvoyproxyaccesslog)_ | false | ALS defines the gRPC Access Log Service (ALS) sink. | +| `file` | _[FileEnvoyProxyAccessLog](#fileenvoyproxyaccesslog)_ | false | File defines the file accesslog sink. | +| `openTelemetry` | _[OpenTelemetryEnvoyProxyAccessLog](#opentelemetryenvoyproxyaccesslog)_ | false | OpenTelemetry defines the OpenTelemetry accesslog sink. | + + +#### ProxyAccessLogSinkType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSink](#proxyaccesslogsink) + +| Value | Description | +| ----- | ----------- | +| `ALS` | ProxyAccessLogSinkTypeALS defines the gRPC Access Log Service (ALS) sink.
The service must implement the Envoy gRPC Access Log Service streaming API:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
| +| `File` | ProxyAccessLogSinkTypeFile defines the file accesslog sink.
| +| `OpenTelemetry` | ProxyAccessLogSinkTypeOpenTelemetry defines the OpenTelemetry accesslog sink.
When the provider is Kubernetes, EnvoyGateway always sends `k8s.namespace.name`
and `k8s.pod.name` as additional attributes.
| + + +#### ProxyAccessLogType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [ProxyAccessLogSetting](#proxyaccesslogsetting) + +| Value | Description | +| ----- | ----------- | +| `Listener` | ProxyAccessLogTypeListener defines the accesslog for Listeners.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log
| +| `Route` | ProxyAccessLogTypeRoute defines the accesslog for HTTP, GRPC, UDP and TCP Routes.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto#envoy-v3-api-field-extensions-filters-udp-udp-proxy-v3-udpproxyconfig-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto#envoy-v3-api-field-extensions-filters-network-tcp-proxy-v3-tcpproxy-access-log
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-access-log
| + + +#### ProxyBootstrap + + + +ProxyBootstrap defines Envoy Bootstrap configuration. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[BootstrapType](#bootstraptype)_ | false | Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
If unspecified, it defaults to Replace. | +| `value` | _string_ | false | Value is a YAML string of the bootstrap. | +| `jsonPatches` | _[JSONPatchOperation](#jsonpatchoperation) array_ | true | JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
applied in the order in which they are defined. | + + +#### ProxyLogComponent + +_Underlying type:_ _string_ + +ProxyLogComponent defines a component that supports a configured logging level. + +_Appears in:_ +- [ProxyLogging](#proxylogging) + +| Value | Description | +| ----- | ----------- | +| `default` | LogComponentDefault defines the default logging component.
See more details: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-l
| +| `upstream` | LogComponentUpstream defines the "upstream" logging component.
| +| `http` | LogComponentHTTP defines the "http" logging component.
| +| `connection` | LogComponentConnection defines the "connection" logging component.
| +| `admin` | LogComponentAdmin defines the "admin" logging component.
| +| `client` | LogComponentClient defines the "client" logging component.
| +| `filter` | LogComponentFilter defines the "filter" logging component.
| +| `main` | LogComponentMain defines the "main" logging component.
| +| `router` | LogComponentRouter defines the "router" logging component.
| +| `runtime` | LogComponentRuntime defines the "runtime" logging component.
| + + +#### ProxyLogging + + + +ProxyLogging defines logging parameters for managed proxies. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `level` | _object (keys:[ProxyLogComponent](#proxylogcomponent), values:[LogLevel](#loglevel))_ | true | Level is a map of logging level per component, where the component is the key
and the log level is the value. If unspecified, defaults to "default: warn". | + + +#### ProxyMetricSink + + + +ProxyMetricSink defines the sink of metrics. +Default metrics sink is OpenTelemetry. + +_Appears in:_ +- [ProxyMetrics](#proxymetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[MetricSinkType](#metricsinktype)_ | true | Type defines the metric sink type.
EG currently only supports OpenTelemetry. | +| `openTelemetry` | _[ProxyOpenTelemetrySink](#proxyopentelemetrysink)_ | false | OpenTelemetry defines the configuration for OpenTelemetry sink.
It's required if the sink type is OpenTelemetry. | + + +#### ProxyMetrics + + + + + +_Appears in:_ +- [ProxyTelemetry](#proxytelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `prometheus` | _[ProxyPrometheusProvider](#proxyprometheusprovider)_ | true | Prometheus defines the configuration for Admin endpoint `/stats/prometheus`. | +| `sinks` | _[ProxyMetricSink](#proxymetricsink) array_ | true | Sinks defines the metric sinks where metrics are sent to. | +| `matches` | _[StringMatch](#stringmatch) array_ | true | Matches defines configuration for selecting specific metrics instead of generating all metrics stats
that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
may after critical functionality. Here are the stats that we strongly recommend not disabling:
`cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
https://github.com/envoyproxy/envoy/issues/14610 | +| `enableVirtualHostStats` | _boolean_ | false | EnableVirtualHostStats enables envoy stat metrics for virtual hosts. | +| `enablePerEndpointStats` | _boolean_ | false | EnablePerEndpointStats enables per endpoint envoy stats metrics.
Please use with caution. | +| `enableRequestResponseSizesStats` | _boolean_ | false | EnableRequestResponseSizesStats enables publishing of histograms tracking header and body sizes of requests and responses. | + + +#### ProxyOpenTelemetrySink + + + +ProxyOpenTelemetrySink defines the configuration for OpenTelemetry sink. + +_Appears in:_ +- [ProxyMetricSink](#proxymetricsink) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `host` | _string_ | false | Host define the service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | Port defines the port the service is exposed on.
Deprecated: Use BackendRefs instead. | + + +#### ProxyPrometheusProvider + + + + + +_Appears in:_ +- [ProxyMetrics](#proxymetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | +| `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | + + + + +#### ProxyProtocolVersion + +_Underlying type:_ _string_ + +ProxyProtocolVersion defines the version of the Proxy Protocol to use. + +_Appears in:_ +- [ProxyProtocol](#proxyprotocol) + +| Value | Description | +| ----- | ----------- | +| `V1` | ProxyProtocolVersionV1 is the PROXY protocol version 1 (human readable format).
| +| `V2` | ProxyProtocolVersionV2 is the PROXY protocol version 2 (binary format).
| + + +#### ProxyTelemetry + + + + + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `accessLog` | _[ProxyAccessLog](#proxyaccesslog)_ | false | AccessLogs defines accesslog parameters for managed proxies.
If unspecified, will send default format to stdout. | +| `tracing` | _[ProxyTracing](#proxytracing)_ | false | Tracing defines tracing configuration for managed proxies.
If unspecified, will not send tracing data. | +| `metrics` | _[ProxyMetrics](#proxymetrics)_ | true | Metrics defines metrics configuration for managed proxies. | + + +#### ProxyTracing + + + + + +_Appears in:_ +- [ProxyTelemetry](#proxytelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `customTags` | _object (keys:string, values:[CustomTag](#customtag))_ | true | CustomTags defines the custom tags to add to each span.
If provider is kubernetes, pod name and namespace are added by default. | +| `provider` | _[TracingProvider](#tracingprovider)_ | true | Provider defines the tracing provider. | + + +#### RateLimit + + + +RateLimit defines the configuration associated with the Rate Limit Service +used for Global Rate Limiting. + +_Appears in:_ +- [EnvoyGateway](#envoygateway) +- [EnvoyGatewaySpec](#envoygatewayspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backend` | _[RateLimitDatabaseBackend](#ratelimitdatabasebackend)_ | true | Backend holds the configuration associated with the
database backend used by the rate limit service to store
state associated with global ratelimiting. | +| `timeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | Timeout specifies the timeout period for the proxy to access the ratelimit server
If not set, timeout is 20ms. | +| `failClosed` | _boolean_ | true | FailClosed is a switch used to control the flow of traffic
when the response from the ratelimit server cannot be obtained.
If FailClosed is false, let the traffic pass,
otherwise, don't let the traffic pass and return 500.
If not set, FailClosed is False. | +| `telemetry` | _[RateLimitTelemetry](#ratelimittelemetry)_ | false | Telemetry defines telemetry configuration for RateLimit. | + + +#### RateLimitDatabaseBackend + + + +RateLimitDatabaseBackend defines the configuration associated with +the database backend used by the rate limit service. + +_Appears in:_ +- [RateLimit](#ratelimit) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[RateLimitDatabaseBackendType](#ratelimitdatabasebackendtype)_ | true | Type is the type of database backend to use. Supported types are:
* Redis: Connects to a Redis database. | +| `redis` | _[RateLimitRedisSettings](#ratelimitredissettings)_ | false | Redis defines the settings needed to connect to a Redis database. | + + +#### RateLimitDatabaseBackendType + +_Underlying type:_ _string_ + +RateLimitDatabaseBackendType specifies the types of database backend +to be used by the rate limit service. + +_Appears in:_ +- [RateLimitDatabaseBackend](#ratelimitdatabasebackend) + +| Value | Description | +| ----- | ----------- | +| `Redis` | RedisBackendType uses a redis database for the rate limit service.
| + + +#### RateLimitMetrics + + + + + +_Appears in:_ +- [RateLimitTelemetry](#ratelimittelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `prometheus` | _[RateLimitMetricsPrometheusProvider](#ratelimitmetricsprometheusprovider)_ | true | Prometheus defines the configuration for prometheus endpoint. | + + +#### RateLimitMetricsPrometheusProvider + + + + + +_Appears in:_ +- [RateLimitMetrics](#ratelimitmetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `disable` | _boolean_ | true | Disable the Prometheus endpoint. | + + +#### RateLimitRedisSettings + + + +RateLimitRedisSettings defines the configuration for connecting to redis database. + +_Appears in:_ +- [RateLimitDatabaseBackend](#ratelimitdatabasebackend) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `url` | _string_ | true | URL of the Redis Database. | +| `tls` | _[RedisTLSSettings](#redistlssettings)_ | false | TLS defines TLS configuration for connecting to redis database. | + + +#### RateLimitRule + + + +RateLimitRule defines the semantics for matching attributes +from the incoming requests, and setting limits for them. + +_Appears in:_ +- [GlobalRateLimit](#globalratelimit) +- [LocalRateLimit](#localratelimit) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `clientSelectors` | _[RateLimitSelectCondition](#ratelimitselectcondition) array_ | false | ClientSelectors holds the list of select conditions to select
specific clients using attributes from the traffic flow.
All individual select conditions must hold True for this rule
and its limit to be applied.

If no client selectors are specified, the rule applies to all traffic of
the targeted Route.

If the policy targets a Gateway, the rule applies to each Route of the Gateway.
Please note that each Route has its own rate limit counters. For example,
if a Gateway has two Routes, and the policy has a rule with limit 10rps,
each Route will have its own 10rps limit. | +| `limit` | _[RateLimitValue](#ratelimitvalue)_ | true | Limit holds the rate limit values.
This limit is applied for traffic flows when the selectors
compute to True, causing the request to be counted towards the limit.
The limit is enforced and the request is ratelimited, i.e. a response with
429 HTTP status code is sent back to the client when
the selected requests have reached the limit. | + + +#### RateLimitSelectCondition + + + +RateLimitSelectCondition specifies the attributes within the traffic flow that can +be used to select a subset of clients to be ratelimited. +All the individual conditions must hold True for the overall condition to hold True. + +_Appears in:_ +- [RateLimitRule](#ratelimitrule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `headers` | _[HeaderMatch](#headermatch) array_ | false | Headers is a list of request headers to match. Multiple header values are ANDed together,
meaning, a request MUST match all the specified headers.
At least one of headers or sourceCIDR condition must be specified. | +| `sourceCIDR` | _[SourceMatch](#sourcematch)_ | false | SourceCIDR is the client IP Address range to match on.
At least one of headers or sourceCIDR condition must be specified. | + + +#### RateLimitSpec + + + +RateLimitSpec defines the desired state of RateLimitSpec. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[RateLimitType](#ratelimittype)_ | true | Type decides the scope for the RateLimits.
Valid RateLimitType values are "Global" or "Local". | +| `global` | _[GlobalRateLimit](#globalratelimit)_ | false | Global defines global rate limit configuration. | +| `local` | _[LocalRateLimit](#localratelimit)_ | false | Local defines local rate limit configuration. | + + +#### RateLimitTelemetry + + + + + +_Appears in:_ +- [RateLimit](#ratelimit) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `metrics` | _[RateLimitMetrics](#ratelimitmetrics)_ | true | Metrics defines metrics configuration for RateLimit. | +| `tracing` | _[RateLimitTracing](#ratelimittracing)_ | true | Tracing defines traces configuration for RateLimit. | + + +#### RateLimitTracing + + + + + +_Appears in:_ +- [RateLimitTelemetry](#ratelimittelemetry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `samplingRate` | _integer_ | false | SamplingRate controls the rate at which traffic will be
selected for tracing if no prior sampling decision has been made.
Defaults to 100, valid values [0-100]. 100 indicates 100% sampling. | +| `provider` | _[RateLimitTracingProvider](#ratelimittracingprovider)_ | true | Provider defines the rateLimit tracing provider.
Only OpenTelemetry is supported currently. | + + +#### RateLimitTracingProvider + + + +RateLimitTracingProvider defines the tracing provider configuration of RateLimit + +_Appears in:_ +- [RateLimitTracing](#ratelimittracing) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[RateLimitTracingProviderType](#ratelimittracingprovidertype)_ | true | Type defines the tracing provider type.
Since to RateLimit Exporter currently using OpenTelemetry, only OpenTelemetry is supported | +| `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | + + + + +#### RateLimitType + +_Underlying type:_ _string_ + +RateLimitType specifies the types of RateLimiting. + +_Appears in:_ +- [RateLimitSpec](#ratelimitspec) + +| Value | Description | +| ----- | ----------- | +| `Global` | GlobalRateLimitType allows the rate limits to be applied across all Envoy
proxy instances.
| +| `Local` | LocalRateLimitType allows the rate limits to be applied on a per Envoy
proxy instance basis.
| + + +#### RateLimitUnit + +_Underlying type:_ _string_ + +RateLimitUnit specifies the intervals for setting rate limits. +Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day". + +_Appears in:_ +- [RateLimitValue](#ratelimitvalue) + +| Value | Description | +| ----- | ----------- | +| `Second` | RateLimitUnitSecond specifies the rate limit interval to be 1 second.
| +| `Minute` | RateLimitUnitMinute specifies the rate limit interval to be 1 minute.
| +| `Hour` | RateLimitUnitHour specifies the rate limit interval to be 1 hour.
| +| `Day` | RateLimitUnitDay specifies the rate limit interval to be 1 day.
| + + +#### RateLimitValue + + + +RateLimitValue defines the limits for rate limiting. + +_Appears in:_ +- [RateLimitRule](#ratelimitrule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `requests` | _integer_ | true | | +| `unit` | _[RateLimitUnit](#ratelimitunit)_ | true | | + + +#### RedisTLSSettings + + + +RedisTLSSettings defines the TLS configuration for connecting to redis database. + +_Appears in:_ +- [RateLimitRedisSettings](#ratelimitredissettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `certificateRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | false | CertificateRef defines the client certificate reference for TLS connections.
Currently only a Kubernetes Secret of type TLS is supported. | + + +#### RemoteJWKS + + + +RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote +HTTP/HTTPS endpoint. + +_Appears in:_ +- [JWTProvider](#jwtprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `uri` | _string_ | true | URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
validate the server certificate. | + + +#### ReplaceRegexMatch + + + + + +_Appears in:_ +- [HTTPPathModifier](#httppathmodifier) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `pattern` | _string_ | true | Pattern matches a regular expression against the value of the HTTP Path.The regex string must
adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax. | +| `substitution` | _string_ | true | Substitution is an expression that replaces the matched portion.The expression may include numbered
capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax. | + + +#### RequestHeaderCustomTag + + + +RequestHeaderCustomTag adds value from request header to each span. + +_Appears in:_ +- [CustomTag](#customtag) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | true | Name defines the name of the request header which to extract the value from. | +| `defaultValue` | _string_ | false | DefaultValue defines the default value to use if the request header is not set. | + + +#### ResourceProviderType + +_Underlying type:_ _string_ + +ResourceProviderType defines the types of custom resource providers supported by Envoy Gateway. + +_Appears in:_ +- [EnvoyGatewayResourceProvider](#envoygatewayresourceprovider) + +| Value | Description | +| ----- | ----------- | +| `File` | ResourceProviderTypeFile defines the "File" provider.
| + + +#### ResponseOverride + + + +ResponseOverride defines the configuration to override specific responses with a custom one. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `match` | _[CustomResponseMatch](#customresponsematch)_ | true | Match configuration. | +| `response` | _[CustomResponse](#customresponse)_ | true | Response configuration. | + + +#### ResponseValueType + +_Underlying type:_ _string_ + +ResponseValueType defines the types of values for the response body supported by Envoy Gateway. + +_Appears in:_ +- [CustomResponseBody](#customresponsebody) + +| Value | Description | +| ----- | ----------- | +| `Inline` | ResponseValueTypeInline defines the "Inline" response body type.
| +| `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| + + + + +#### RetryOn + + + + + +_Appears in:_ +- [Retry](#retry) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `triggers` | _[TriggerEnum](#triggerenum) array_ | false | Triggers specifies the retry trigger condition(Http/Grpc). | +| `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ | false | HttpStatusCodes specifies the http status codes to be retried.
The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. | + + +#### RoutingType + +_Underlying type:_ _string_ + +RoutingType defines the type of routing of this Envoy proxy. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Value | Description | +| ----- | ----------- | +| `Service` | ServiceRoutingType is the RoutingType for Service Cluster IP routing.
| +| `Endpoint` | EndpointRoutingType is the RoutingType for Endpoint routing.
| + + +#### SecurityPolicy + + + +SecurityPolicy allows the user to configure various security settings for a +Gateway. + + + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `apiVersion` | _string_ | |`gateway.envoyproxy.io/v1alpha1` +| `kind` | _string_ | |`SecurityPolicy` +| `metadata` | _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | true | Refer to Kubernetes API documentation for fields of `metadata`. | +| `spec` | _[SecurityPolicySpec](#securitypolicyspec)_ | true | Spec defines the desired state of SecurityPolicy. | +| `status` | _[PolicyStatus](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyStatus)_ | true | Status defines the current status of SecurityPolicy. | + + +#### SecurityPolicySpec + + + +SecurityPolicySpec defines the desired state of SecurityPolicy. + +_Appears in:_ +- [SecurityPolicy](#securitypolicy) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `targetRef` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName)_ | true | TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect

Deprecated: use targetRefs/targetSelectors instead | +| `targetRefs` | _[LocalPolicyTargetReferenceWithSectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReferenceWithSectionName) array_ | true | TargetRefs are the names of the Gateway resources this policy
is being attached to. | +| `targetSelectors` | _[TargetSelector](#targetselector) array_ | true | TargetSelectors allow targeting resources for this policy based on labels | +| `cors` | _[CORS](#cors)_ | false | CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | +| `basicAuth` | _[BasicAuth](#basicauth)_ | false | BasicAuth defines the configuration for the HTTP Basic Authentication. | +| `jwt` | _[JWT](#jwt)_ | false | JWT defines the configuration for JSON Web Token (JWT) authentication. | +| `oidc` | _[OIDC](#oidc)_ | false | OIDC defines the configuration for the OpenID Connect (OIDC) authentication. | +| `extAuth` | _[ExtAuth](#extauth)_ | false | ExtAuth defines the configuration for External Authorization. | +| `authorization` | _[Authorization](#authorization)_ | false | Authorization defines the authorization configuration. | + + +#### ServiceExternalTrafficPolicy + +_Underlying type:_ _string_ + +ServiceExternalTrafficPolicy describes how nodes distribute service traffic they +receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, +and LoadBalancer IPs. + +_Appears in:_ +- [KubernetesServiceSpec](#kubernetesservicespec) + +| Value | Description | +| ----- | ----------- | +| `Cluster` | ServiceExternalTrafficPolicyCluster routes traffic to all endpoints.
| +| `Local` | ServiceExternalTrafficPolicyLocal preserves the source IP of the traffic by
routing only to endpoints on the same node as the traffic was received on
(dropping the traffic if there are no local endpoints).
| + + +#### ServiceType + +_Underlying type:_ _string_ + +ServiceType string describes ingress methods for a service + +_Appears in:_ +- [KubernetesServiceSpec](#kubernetesservicespec) + +| Value | Description | +| ----- | ----------- | +| `ClusterIP` | ServiceTypeClusterIP means a service will only be accessible inside the
cluster, via the cluster IP.
| +| `LoadBalancer` | ServiceTypeLoadBalancer means a service will be exposed via an
external load balancer (if the cloud provider supports it).
| +| `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| + + +#### Session + + + +Session defines settings related to TLS session management. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `resumption` | _[SessionResumption](#sessionresumption)_ | false | Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica. | + + +#### SessionResumption + + + +SessionResumption defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [Session](#session) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `stateless` | _[StatelessTLSSessionResumption](#statelesstlssessionresumption)_ | false | Stateless defines setting for stateless (session-ticket based) session resumption | +| `stateful` | _[StatefulTLSSessionResumption](#statefultlssessionresumption)_ | false | Stateful defines setting for stateful (session-id based) session resumption | + + +#### ShutdownConfig + + + +ShutdownConfig defines configuration for graceful envoy shutdown process. + +_Appears in:_ +- [EnvoyProxySpec](#envoyproxyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `drainTimeout` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
If unspecified, defaults to 60 seconds. | +| `minDrainDuration` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | false | MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
If unspecified, defaults to 10 seconds. | + + +#### ShutdownManager + + + +ShutdownManager defines the configuration for the shutdown manager. + +_Appears in:_ +- [EnvoyGatewayKubernetesProvider](#envoygatewaykubernetesprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `image` | _string_ | true | Image specifies the ShutdownManager container image to be used, instead of the default image. | + + +#### SlowStart + + + +SlowStart defines the configuration related to the slow start load balancer policy. + +_Appears in:_ +- [LoadBalancer](#loadbalancer) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | + + + + +#### SourceMatchType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [SourceMatch](#sourcematch) + +| Value | Description | +| ----- | ----------- | +| `Exact` | SourceMatchExact All IP Addresses within the specified Source IP CIDR are treated as a single client selector
and share the same rate limit bucket.
| +| `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| + + +#### StatefulTLSSessionResumption + + + +StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized +between instances, possibly leading to resumption failures. +Envoy does not re-validate client certificates upon session resumption. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatelessTLSSessionResumption + + + +StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. +Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not +synchronized between instances, possibly leading to resumption failures. +In-memory session ticket encryption keys are rotated every 48 hours. +https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys +https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets + +_Appears in:_ +- [SessionResumption](#sessionresumption) + + + +#### StatusCodeMatch + + + +StatusCodeMatch defines the configuration for matching a status code. + +_Appears in:_ +- [CustomResponseMatch](#customresponsematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StatusCodeValueType](#statuscodevaluetype)_ | true | Type is the type of value.
Valid values are Value and Range, default is Value. | +| `value` | _integer_ | false | Value contains the value of the status code. | +| `range` | _[StatusCodeRange](#statuscoderange)_ | false | Range contains the range of status codes. | + + +#### StatusCodeRange + + + +StatusCodeRange defines the configuration for define a range of status codes. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `start` | _integer_ | true | Start of the range, including the start value. | +| `end` | _integer_ | true | End of the range, including the end value. | + + +#### StatusCodeValueType + +_Underlying type:_ _string_ + +StatusCodeValueType defines the types of values for the status code match supported by Envoy Gateway. + +_Appears in:_ +- [StatusCodeMatch](#statuscodematch) + +| Value | Description | +| ----- | ----------- | +| `Value` | StatusCodeValueTypeValue defines the "Value" status code match type.
| +| `Range` | StatusCodeValueTypeRange defines the "Range" status code match type.
| + + +#### StringMatch + + + +StringMatch defines how to match any strings. +This is a general purpose match condition that can be used by other EG APIs +that need to match against a string. + +_Appears in:_ +- [ProxyMetrics](#proxymetrics) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[StringMatchType](#stringmatchtype)_ | false | Type specifies how to match against a string. | +| `value` | _string_ | true | Value specifies the string value that the match must have. | + + +#### StringMatchType + +_Underlying type:_ _string_ + +StringMatchType specifies the semantics of how a string value should be compared. +Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression". + +_Appears in:_ +- [StringMatch](#stringmatch) + +| Value | Description | +| ----- | ----------- | +| `Exact` | StringMatchExact :the input string must match exactly the match value.
| +| `Prefix` | StringMatchPrefix :the input string must start with the match value.
| +| `Suffix` | StringMatchSuffix :the input string must end with the match value.
| +| `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression
specified in the match value.
The regex string must adhere to the syntax documented in
https://github.com/google/re2/wiki/Syntax.
| + + +#### TCPActiveHealthChecker + + + +TCPActiveHealthChecker defines the settings of tcp health check. + +_Appears in:_ +- [ActiveHealthCheck](#activehealthcheck) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `send` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Send defines the request payload. | +| `receive` | _[ActiveHealthCheckPayload](#activehealthcheckpayload)_ | false | Receive defines the expected response payload. | + + +#### TCPClientTimeout + + + +TCPClientTimeout only provides timeout configuration on the listener whose protocol is TCP or TLS. + +_Appears in:_ +- [ClientTimeout](#clienttimeout) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | + + + + +#### TCPTimeout + + + + + +_Appears in:_ +- [Timeout](#timeout) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | + + +#### TLSSettings + + + + + +_Appears in:_ +- [BackendTLSConfig](#backendtlsconfig) +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `minVersion` | _[TLSVersion](#tlsversion)_ | false | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. | +| `maxVersion` | _[TLSVersion](#tlsversion)_ | false | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. | +| `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | +| `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | +| `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | + + +#### TLSVersion + +_Underlying type:_ _string_ + +TLSVersion specifies the TLS version + +_Appears in:_ +- [BackendTLSConfig](#backendtlsconfig) +- [ClientTLSSettings](#clienttlssettings) +- [TLSSettings](#tlssettings) + +| Value | Description | +| ----- | ----------- | +| `Auto` | TLSAuto allows Envoy to choose the optimal TLS Version
| +| `1.0` | TLS1.0 specifies TLS version 1.0
| +| `1.1` | TLS1.1 specifies TLS version 1.1
| +| `1.2` | TLSv1.2 specifies TLS version 1.2
| +| `1.3` | TLSv1.3 specifies TLS version 1.3
| + + +#### TargetSelector + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) +- [PolicyTargetReferences](#policytargetreferences) +- [SecurityPolicySpec](#securitypolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `group` | _[Group](#group)_ | true | Group is the group that this selector targets. Defaults to gateway.networking.k8s.io | +| `kind` | _[Kind](#kind)_ | true | Kind is the resource kind that this selector targets. | +| `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | + + + + +#### TracingProvider + + + +TracingProvider defines the tracing provider configuration. + +_Appears in:_ +- [ProxyTracing](#proxytracing) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `backendRef` | _[BackendObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.BackendObjectReference)_ | false | BackendRef references a Kubernetes object that represents the
backend server to which the authorization request will be sent.

Deprecated: Use BackendRefs instead. | +| `backendRefs` | _[BackendRef](#backendref) array_ | false | BackendRefs references a Kubernetes object that represents the
backend server to which the authorization request will be sent. | +| `backendSettings` | _[ClusterSettings](#clustersettings)_ | false | BackendSettings holds configuration for managing the connection
to the backend. | +| `type` | _[TracingProviderType](#tracingprovidertype)_ | true | Type defines the tracing provider type. | +| `host` | _string_ | false | Host define the provider service hostname.
Deprecated: Use BackendRefs instead. | +| `port` | _integer_ | false | Port defines the port the provider service is exposed on.
Deprecated: Use BackendRefs instead. | +| `zipkin` | _[ZipkinTracingProvider](#zipkintracingprovider)_ | false | Zipkin defines the Zipkin tracing provider configuration | + + +#### TracingProviderType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [TracingProvider](#tracingprovider) + +| Value | Description | +| ----- | ----------- | +| `OpenTelemetry` | | +| `OpenTelemetry` | | +| `Zipkin` | | +| `Datadog` | | + + +#### TriggerEnum + +_Underlying type:_ _string_ + +TriggerEnum specifies the conditions that trigger retries. + +_Appears in:_ +- [RetryOn](#retryon) + +| Value | Description | +| ----- | ----------- | +| `5xx` | The upstream server responds with any 5xx response code, or does not respond at all (disconnect/reset/read timeout).
Includes connect-failure and refused-stream.
| +| `gateway-error` | The response is a gateway error (502,503 or 504).
| +| `reset` | The upstream server does not respond at all (disconnect/reset/read timeout.)
| +| `connect-failure` | Connection failure to the upstream server (connect timeout, etc.). (Included in *5xx*)
| +| `retriable-4xx` | The upstream server responds with a retriable 4xx response code.
Currently, the only response code in this category is 409.
| +| `refused-stream` | The upstream server resets the stream with a REFUSED_STREAM error code.
| +| `retriable-status-codes` | The upstream server responds with any response code matching one defined in the RetriableStatusCodes.
| +| `cancelled` | The gRPC status code in the response headers is “cancelled”.
| +| `deadline-exceeded` | The gRPC status code in the response headers is “deadline-exceeded”.
| +| `internal` | The gRPC status code in the response headers is “internal”.
| +| `resource-exhausted` | The gRPC status code in the response headers is “resource-exhausted”.
| +| `unavailable` | The gRPC status code in the response headers is “unavailable”.
| + + +#### UnixSocket + + + +UnixSocket describes TCP/UDP unix domain socket address, corresponding to Envoy's Pipe +https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-pipe + +_Appears in:_ +- [BackendEndpoint](#backendendpoint) +- [ExtensionService](#extensionservice) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `path` | _string_ | true | Path defines the unix domain socket path of the backend endpoint. | + + +#### Wasm + + + +Wasm defines a Wasm extension. + + +Note: at the moment, Envoy Gateway does not support configuring Wasm runtime. +v8 is used as the VM runtime for the Wasm extensions. + +_Appears in:_ +- [EnvoyExtensionPolicySpec](#envoyextensionpolicyspec) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `name` | _string_ | false | Name is a unique name for this Wasm extension. It is used to identify the
Wasm extension if multiple extensions are handled by the same vm_id and root_id.
It's also used for logging/debugging.
If not specified, EG will generate a unique name for the Wasm extension. | +| `rootID` | _string_ | true | RootID is a unique ID for a set of extensions in a VM which will share a
RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).

Note: RootID must match the root_id parameter used to register the Context in the Wasm code. | +| `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | +| `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | +| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | + + +#### WasmCodeSource + + + +WasmCodeSource defines the source of the Wasm code. + +_Appears in:_ +- [Wasm](#wasm) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[WasmCodeSourceType](#wasmcodesourcetype)_ | true | Type is the type of the source of the Wasm code.
Valid WasmCodeSourceType values are "HTTP" or "Image". | +| `http` | _[HTTPWasmCodeSource](#httpwasmcodesource)_ | false | HTTP is the HTTP URL containing the Wasm code.

Note that the HTTP server must be accessible from the Envoy proxy. | +| `image` | _[ImageWasmCodeSource](#imagewasmcodesource)_ | false | Image is the OCI image containing the Wasm code.

Note that the image must be accessible from the Envoy Gateway. | +| `pullPolicy` | _[ImagePullPolicy](#imagepullpolicy)_ | false | PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
This field is only applicable when the SHA256 field is not set.

If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.

Note: EG does not update the Wasm module every time an Envoy proxy requests
the Wasm module even if the pull policy is set to Always.
It only updates the Wasm module when the EnvoyExtension resource version changes. | + + +#### WasmCodeSourceType + +_Underlying type:_ _string_ + +WasmCodeSourceType specifies the types of sources for the Wasm code. + +_Appears in:_ +- [WasmCodeSource](#wasmcodesource) + +| Value | Description | +| ----- | ----------- | +| `HTTP` | HTTPWasmCodeSourceType allows the user to specify the Wasm code in an HTTP URL.
| +| `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
| + + +#### WithUnderscoresAction + +_Underlying type:_ _string_ + +WithUnderscoresAction configures the action to take when an HTTP header with underscores +is encountered. + +_Appears in:_ +- [HeaderSettings](#headersettings) + +| Value | Description | +| ----- | ----------- | +| `Allow` | WithUnderscoresActionAllow allows headers with underscores to be passed through.
| +| `RejectRequest` | WithUnderscoresActionRejectRequest rejects the client request. HTTP/1 requests are rejected with
the 400 status. HTTP/2 requests end with the stream reset.
| +| `DropHeader` | WithUnderscoresActionDropHeader drops the client header with name containing underscores. The header
is dropped before the filter chain is invoked and as such filters will not see
dropped headers.
| + + +#### XDSTranslatorHook + +_Underlying type:_ _string_ + +XDSTranslatorHook defines the types of hooks that an Envoy Gateway extension may support +for the xds-translator + +_Appears in:_ +- [XDSTranslatorHooks](#xdstranslatorhooks) + +| Value | Description | +| ----- | ----------- | +| `VirtualHost` | | +| `Route` | | +| `HTTPListener` | | +| `Translation` | | + + +#### XDSTranslatorHooks + + + +XDSTranslatorHooks contains all the pre and post hooks for the xds-translator runner. + +_Appears in:_ +- [ExtensionHooks](#extensionhooks) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `pre` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | +| `post` | _[XDSTranslatorHook](#xdstranslatorhook) array_ | true | | + + +#### XFCCCertData + +_Underlying type:_ _string_ + +XFCCCertData specifies the fields in the client certificate to be forwarded in the XFCC header. + +_Appears in:_ +- [XForwardedClientCert](#xforwardedclientcert) + +| Value | Description | +| ----- | ----------- | +| `Subject` | XFCCCertDataSubject is the Subject field of the current client certificate.
| +| `Cert` | XFCCCertDataCert is the entire client certificate in URL encoded PEM format.
| +| `Chain` | XFCCCertDataChain is the entire client certificate chain (including the leaf certificate) in URL encoded PEM format.
| +| `DNS` | XFCCCertDataDNS is the DNS type Subject Alternative Name field of the current client certificate.
| +| `URI` | XFCCCertDataURI is the URI type Subject Alternative Name field of the current client certificate.
| + + +#### XFCCForwardMode + +_Underlying type:_ _string_ + +XFCCForwardMode defines how XFCC header is handled by Envoy Proxy. + +_Appears in:_ +- [XForwardedClientCert](#xforwardedclientcert) + +| Value | Description | +| ----- | ----------- | +| `Sanitize` | XFCCForwardModeSanitize removes the XFCC header from the request. This is the default mode.
| +| `ForwardOnly` | XFCCForwardModeForwardOnly forwards the XFCC header in the request if the client connection is mTLS.
| +| `AppendForward` | XFCCForwardModeAppendForward appends the client certificate information to the request’s XFCC header and forward it if the client connection is mTLS.
| +| `SanitizeSet` | XFCCForwardModeSanitizeSet resets the XFCC header with the client certificate information and forward it if the client connection is mTLS.
The existing certificate information in the XFCC header is removed.
| +| `AlwaysForwardOnly` | XFCCForwardModeAlwaysForwardOnly always forwards the XFCC header in the request, regardless of whether the client connection is mTLS.
| + + +#### XForwardedClientCert + + + +XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header. + +_Appears in:_ +- [HeaderSettings](#headersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `mode` | _[XFCCForwardMode](#xfccforwardmode)_ | false | Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`. | +| `certDetailsToAdd` | _[XFCCCertData](#xfcccertdata) array_ | false | CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.

Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
are always included if the client certificate is forwarded.

This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS. | + + +#### XForwardedForSettings + + + +XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. + +_Appears in:_ +- [ClientIPDetectionSettings](#clientipdetectionsettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | + + +#### ZipkinTracingProvider + + + +ZipkinTracingProvider defines the Zipkin tracing provider configuration. + +_Appears in:_ +- [TracingProvider](#tracingprovider) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `enable128BitTraceId` | _boolean_ | false | Enable128BitTraceID determines whether a 128bit trace id will be used
when creating a new trace instance. If set to false, a 64bit trace
id will be used. | +| `disableSharedSpanContext` | _boolean_ | false | DisableSharedSpanContext determines whether the default Envoy behaviour of
client and server spans sharing the same span context should be disabled. |
+
+
diff --git a/site/content/en/v1.2/boilerplates/index.md b/site/content/en/v1.2/boilerplates/index.md
new file mode 100644
index 00000000000..dda80adbcbf
--- /dev/null
+++ b/site/content/en/v1.2/boilerplates/index.md
@@ -0,0 +1,5 @@
+---
+headless: true
+---
+
+This file tells Hugo that the files in this directory tree shouldn't be rendered as normal pages on the site.
diff --git a/site/content/en/v1.2/boilerplates/o11y_prerequisites.md b/site/content/en/v1.2/boilerplates/o11y_prerequisites.md
new file mode 100644
index 00000000000..2d33128946f
--- /dev/null
+++ b/site/content/en/v1.2/boilerplates/o11y_prerequisites.md
@@ -0,0 +1,14 @@
+---
+---
+
+Follow the steps from the [Quickstart](../tasks/quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+Envoy Gateway provides an add-ons Helm Chart, which includes all the needing components for observability.
+By default, the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/) is disabled.
+
+Install the add-ons Helm Chart:
+
+```shell
+helm install eg-addons oci://docker.io/envoyproxy/gateway-addons-helm --version {{< helm-version >}} --set opentelemetry-collector.enabled=true -n monitoring --create-namespace
+```
diff --git a/site/content/en/v1.2/boilerplates/prerequisites.md b/site/content/en/v1.2/boilerplates/prerequisites.md
new file mode 100644
index 00000000000..064238e4d13
--- /dev/null
+++ b/site/content/en/v1.2/boilerplates/prerequisites.md
@@ -0,0 +1,24 @@
+---
+---
+
+Follow the steps from the [Quickstart](../tasks/quickstart) task to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+Verify the Gateway status:
+
+{{< tabpane text=true >}}
+{{% tab header="kubectl" %}}
+
+```shell
+kubectl get gateway/eg -o yaml
+```
+
+{{% /tab %}}
+{{% tab header="egctl (experimental)" %}}
+
+```shell
+egctl x status gateway -v
+```
+
+{{% /tab %}}
+{{< /tabpane >}}
diff --git a/site/content/en/v1.2/boilerplates/rollout-envoy-gateway.md b/site/content/en/v1.2/boilerplates/rollout-envoy-gateway.md
new file mode 100644
index 00000000000..9072526868c
--- /dev/null
+++ b/site/content/en/v1.2/boilerplates/rollout-envoy-gateway.md
@@ -0,0 +1,10 @@
+---
+---
+
+> After updating the `ConfigMap`, you will need to wait the configuration kicks in.
+> You can **force** the configuration to be reloaded by restarting the `envoy-gateway` deployment.
+>
+> ```shell
+> kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
+> ```
+>
\ No newline at end of file
diff --git a/site/content/en/v1.2/concepts/_index.md b/site/content/en/v1.2/concepts/_index.md
new file mode 100644
index 00000000000..4d568bd4491
--- /dev/null
+++ b/site/content/en/v1.2/concepts/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Concepts"
+weight: 1
+description: Learn about key concepts when working with Envoy Gateway
+---
diff --git a/site/content/en/v1.2/concepts/concepts_overview.md b/site/content/en/v1.2/concepts/concepts_overview.md
new file mode 100644
index 00000000000..9af9a3fff10
--- /dev/null
+++ b/site/content/en/v1.2/concepts/concepts_overview.md
@@ -0,0 +1,53 @@ ++++ +title = "Envoy Gateway Resources" ++++ + +There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with. + +## Overview + +![](/img/envoy-gateway-resources-overview.png) + +There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with. + +### Kubernetes Gateway API Resources +- **GatewayClass:** Defines a class of Gateways with common configuration. +- **Gateway:** Specifies how traffic can enter the cluster. +- **Routes:** **HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, UDPRoute:** Define routing rules for different types of traffic. + +### Envoy Gateway (EG) API Resources +- **EnvoyProxy:** Represents the deployment and configuration of the Envoy proxy within a Kubernetes cluster, managing its lifecycle and settings. +- **EnvoyPatchPolicy, ClientTrafficPolicy, SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, BackendTLSPolicy:** Additional policies and configurations specific to Envoy Gateway. +- **Backend:** A resource that makes routing to cluster-external backends easier and makes access to external processes via Unix Domain Sockets possible. + +| Resource | API | Required | Purpose | References | Description | +| ----------------------------------------------------------------------- | ----------- | -------- | ------------------ | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [GatewayClass][1] | Gateway API | Yes | Gateway Config | Core | Defines a class of Gateways with common configuration. 
| +| [Gateway][2] | Gateway API | Yes | Gateway Config | GatewayClass | Specifies how traffic can enter the cluster. | +| [HTTPRoute][3] [GRPCRoute][4] [TLSRoute][5] [TCPRoute][6] [UDPRoute][7] | Gateway API | Yes | Routing | Gateway | Define routing rules for different types of traffic. **Note:**_For simplicity these resources are referenced collectively as Route in the References column_ | +| [Backend][8] | EG API | No | Routing | N/A | Used for routing to cluster-external backends using FQDN or IP. Can also be used when you want to extend Envoy with external processes accessed via Unix Domain Sockets. | +| [ClientTrafficPolicy][9] | EG API | No | Traffic Handling | Gateway | Specifies policies for handling client traffic, including rate limiting, retries, and other client-specific configurations. | +| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ | +| [SecurityPolicy][11] | EG API | No | Security | Gateway Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ | +| [BackendTLSPolicy][12] | Gateway API | No | Security | Service | Defines TLS settings for backend connections, including certificate management, TLS version settings, and other security configurations. This policy is applied to Kubernetes Services. | +| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. 
**Note:**_Most specific configuration wins_ | +| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ | +| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway Route, Backend | Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ | + + + +[1]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/ +[2]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[3]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[4]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[5]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute +[6]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute +[7]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute +[8]: ../tasks/traffic/backend +[9]: ../api/extension_types#clienttrafficpolicy +[10]: ../api/extension_types#backendtrafficpolicy +[11]: ../api/extension_types#securitypolicy +[12]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[13]: ../api/extension_types#envoyproxy +[14]: ../api/extension_types#envoypatchpolicy +[15]: ../api/extension_types#envoyextensionpolicy \ No newline at end of file diff --git a/site/content/en/v1.2/install/_index.md b/site/content/en/v1.2/install/_index.md new file mode 100644 index 00000000000..b4c6f79c6fd --- /dev/null +++ b/site/content/en/v1.2/install/_index.md @@ -0,0 +1,5 @@ +--- +title: "Installation" +description: This section includes installation related contents of Envoy Gateway. +weight: 70 +--- 
diff --git a/site/content/en/v1.2/install/custom-cert.md b/site/content/en/v1.2/install/custom-cert.md
new file mode 100644
index 00000000000..dd059c03520
--- /dev/null
+++ b/site/content/en/v1.2/install/custom-cert.md
@@ -0,0 +1,146 @@ +--- +title: Control Plane Authentication using custom certs +weight: -70 +--- + +Envoy Gateway establishes a secure TLS connection for control plane communication between Envoy Gateway pods and the Envoy Proxy fleet. The TLS Certificates used here are self signed and generated using a job that runs before envoy gateway is created, and these certs and mounted on to the envoy gateway and envoy proxy pods. + +This task will walk you through configuring custom certs for control plane auth. + +## Before you begin + +We use Cert-Manager to manage the certificates. You can install it by following the [official guide](https://cert-manager.io/docs/installation/kubernetes/). + +## Configure custom certs for control plane + +1. First you need to set up the CA issuer, in this task, we use the `selfsigned-issuer` as an example. + + *You should not use the self-signed issuer in production, you should use a real CA issuer.* + + ```shell + cat < + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| envoy-gateway-steering-committee | | | +| envoy-gateway-maintainers | | | + +## Source Code + +* + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://fluent.github.io/helm-charts | fluent-bit | 0.30.4 | +| https://grafana.github.io/helm-charts | alloy | 0.9.2 | +| https://grafana.github.io/helm-charts | grafana | 8.0.0 | +| https://grafana.github.io/helm-charts | loki | 4.8.0 | +| https://grafana.github.io/helm-charts | tempo | 1.3.1 | +| https://open-telemetry.github.io/opentelemetry-helm-charts | opentelemetry-collector | 0.108.0 | +| https://prometheus-community.github.io/helm-charts | prometheus | 25.21.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| alloy.alloy.configMap.content | string | `"// Write your Alloy config here:\nlogging {\n level = \"info\"\n format = \"logfmt\"\n}\nloki.write \"alloy\" {\n endpoint {\n url = 
\"http://loki.monitoring.svc:3100/loki/api/v1/push\"\n }\n}\n// discovery.kubernetes allows you to find scrape targets from Kubernetes resources.\n// It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.\ndiscovery.kubernetes \"pod\" {\n role = \"pod\"\n}\n\n// discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.\n// If no rules are defined, then the input targets are exported as-is.\ndiscovery.relabel \"pod_logs\" {\n targets = discovery.kubernetes.pod.targets\n\n // Label creation - \"namespace\" field from \"__meta_kubernetes_namespace\"\n rule {\n source_labels = [\"__meta_kubernetes_namespace\"]\n action = \"replace\"\n target_label = \"namespace\"\n }\n\n // Label creation - \"pod\" field from \"__meta_kubernetes_pod_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_name\"]\n action = \"replace\"\n target_label = \"pod\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_container_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"container\"\n }\n\n // Label creation - \"app\" field from \"__meta_kubernetes_pod_label_app_kubernetes_io_name\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_label_app_kubernetes_io_name\"]\n action = \"replace\"\n target_label = \"app\"\n }\n\n // Label creation - \"job\" field from \"__meta_kubernetes_namespace\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name\n rule {\n source_labels = [\"__meta_kubernetes_namespace\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"job\"\n separator = \"/\"\n replacement = \"$1\"\n }\n\n // Label creation - \"container\" field from \"__meta_kubernetes_pod_uid\" and \"__meta_kubernetes_pod_container_name\"\n // Concatenate values 
__meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log\n rule {\n source_labels = [\"__meta_kubernetes_pod_uid\", \"__meta_kubernetes_pod_container_name\"]\n action = \"replace\"\n target_label = \"__path__\"\n separator = \"/\"\n replacement = \"/var/log/pods/*$1/*.log\"\n }\n\n // Label creation - \"container_runtime\" field from \"__meta_kubernetes_pod_container_id\"\n rule {\n source_labels = [\"__meta_kubernetes_pod_container_id\"]\n action = \"replace\"\n target_label = \"container_runtime\"\n regex = \"^(\\\\S+):\\\\/\\\\/.+$\"\n replacement = \"$1\"\n }\n}\n\n// loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.\nloki.source.kubernetes \"pod_logs\" {\n targets = discovery.relabel.pod_logs.output\n forward_to = [loki.process.pod_logs.receiver]\n}\n// loki.process receives log entries from other Loki components, applies one or more processing stages,\n// and forwards the results to the list of receivers in the component’s arguments.\nloki.process \"pod_logs\" {\n stage.static_labels {\n values = {\n cluster = \"envoy-gateway\",\n }\n }\n\n forward_to = [loki.write.alloy.receiver]\n}"` | | +| alloy.enabled | bool | `false` | | +| alloy.fullnameOverride | string | `"alloy"` | | +| fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name grep\n Match kube.*\n Regex $kubernetes['container_name'] ^envoy$\n\n[FILTER]\n Name parser\n Match kube.*\n Key_Name log\n Parser envoy\n Reserve_Data True\n"` | | +| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n multiline.parser docker, cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n"` | | +| fluent-bit.config.outputs | string | `"[OUTPUT]\n Name loki\n Match kube.*\n Host loki.monitoring.svc.cluster.local\n Port 3100\n Labels job=fluentbit, app=$kubernetes['labels']['app'], 
k8s_namespace_name=$kubernetes['namespace_name'], k8s_pod_name=$kubernetes['pod_name'], k8s_container_name=$kubernetes['container_name']\n"` | | +| fluent-bit.config.service | string | `"[SERVICE]\n Daemon Off\n Flush {{ .Values.flush }}\n Log_Level {{ .Values.logLevel }}\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port {{ .Values.metricsPort }}\n Health_Check On\n"` | | +| fluent-bit.enabled | bool | `true` | | +| fluent-bit.fullnameOverride | string | `"fluent-bit"` | | +| fluent-bit.image.repository | string | `"fluent/fluent-bit"` | | +| fluent-bit.podAnnotations."fluentbit.io/exclude" | string | `"true"` | | +| fluent-bit.podAnnotations."prometheus.io/path" | string | `"/api/v1/metrics/prometheus"` | | +| fluent-bit.podAnnotations."prometheus.io/port" | string | `"2020"` | | +| fluent-bit.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| fluent-bit.testFramework.enabled | bool | `false` | | +| grafana.adminPassword | string | `"admin"` | | +| grafana.dashboardProviders."dashboardproviders.yaml".apiVersion | int | `1` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].disableDeletion | bool | `false` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].editable | bool | `true` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].folder | string | `"envoy-gateway"` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].name | string | `"envoy-gateway"` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].options.path | string | `"/var/lib/grafana/dashboards/envoy-gateway"` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].orgId | int | `1` | | +| grafana.dashboardProviders."dashboardproviders.yaml".providers[0].type | string | `"file"` | | +| grafana.dashboardsConfigMaps.envoy-gateway | string | `"grafana-dashboards"` | | +| 
grafana.datasources."datasources.yaml".apiVersion | int | `1` | | +| grafana.datasources."datasources.yaml".datasources[0].name | string | `"Prometheus"` | | +| grafana.datasources."datasources.yaml".datasources[0].type | string | `"prometheus"` | | +| grafana.datasources."datasources.yaml".datasources[0].url | string | `"http://prometheus"` | | +| grafana.enabled | bool | `true` | | +| grafana.fullnameOverride | string | `"grafana"` | | +| grafana.service.type | string | `"LoadBalancer"` | | +| grafana.testFramework.enabled | bool | `false` | | +| loki.backend.replicas | int | `0` | | +| loki.deploymentMode | string | `"SingleBinary"` | | +| loki.enabled | bool | `true` | | +| loki.fullnameOverride | string | `"loki"` | | +| loki.gateway.enabled | bool | `false` | | +| loki.loki.auth_enabled | bool | `false` | | +| loki.loki.commonConfig.replication_factor | int | `1` | | +| loki.loki.compactorAddress | string | `"loki"` | | +| loki.loki.memberlist | string | `"loki-memberlist"` | | +| loki.loki.rulerConfig.storage.type | string | `"local"` | | +| loki.loki.storage.type | string | `"filesystem"` | | +| loki.monitoring.lokiCanary.enabled | bool | `false` | | +| loki.monitoring.selfMonitoring.enabled | bool | `false` | | +| loki.monitoring.selfMonitoring.grafanaAgent.installOperator | bool | `false` | | +| loki.read.replicas | int | `0` | | +| loki.singleBinary.replicas | int | `1` | | +| loki.test.enabled | bool | `false` | | +| loki.write.replicas | int | `0` | | +| opentelemetry-collector.config.exporters.debug.verbosity | string | `"detailed"` | | +| opentelemetry-collector.config.exporters.loki.endpoint | string | `"http://loki.monitoring.svc:3100/loki/api/v1/push"` | | +| opentelemetry-collector.config.exporters.otlp.endpoint | string | `"tempo.monitoring.svc:4317"` | | +| opentelemetry-collector.config.exporters.otlp.tls.insecure | bool | `true` | | +| opentelemetry-collector.config.exporters.prometheus.endpoint | string | `"[${env:MY_POD_IP}]:19001"` | | +| 
opentelemetry-collector.config.extensions.health_check.endpoint | string | `"[${env:MY_POD_IP}]:13133"` | | +| opentelemetry-collector.config.processors.attributes.actions[0].action | string | `"insert"` | | +| opentelemetry-collector.config.processors.attributes.actions[0].key | string | `"loki.attribute.labels"` | | +| opentelemetry-collector.config.processors.attributes.actions[0].value | string | `"k8s.pod.name, k8s.namespace.name"` | | +| opentelemetry-collector.config.receivers.datadog.endpoint | string | `"[${env:MY_POD_IP}]:8126"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:14250"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"[${env:MY_POD_IP}]:6831"` | | +| opentelemetry-collector.config.receivers.jaeger.protocols.thrift_http.endpoint | string | `"[${env:MY_POD_IP}]:14268"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.grpc.endpoint | string | `"[${env:MY_POD_IP}]:4317"` | | +| opentelemetry-collector.config.receivers.otlp.protocols.http.endpoint | string | `"[${env:MY_POD_IP}]:4318"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].job_name | string | `"opentelemetry-collector"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].scrape_interval | string | `"10s"` | | +| opentelemetry-collector.config.receivers.prometheus.config.scrape_configs[0].static_configs[0].targets[0] | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.config.receivers.zipkin.endpoint | string | `"[${env:MY_POD_IP}]:9411"` | | +| opentelemetry-collector.config.service.extensions[0] | string | `"health_check"` | | +| opentelemetry-collector.config.service.pipelines.logs.exporters[0] | string | `"loki"` | | +| opentelemetry-collector.config.service.pipelines.logs.processors[0] | string | `"attributes"` | | +| 
opentelemetry-collector.config.service.pipelines.logs.receivers[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.metrics.exporters[0] | string | `"prometheus"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.metrics.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.exporters[0] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[0] | string | `"datadog"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[1] | string | `"otlp"` | | +| opentelemetry-collector.config.service.pipelines.traces.receivers[2] | string | `"zipkin"` | | +| opentelemetry-collector.config.service.telemetry.metrics.address | string | `"[${env:MY_POD_IP}]:8888"` | | +| opentelemetry-collector.enabled | bool | `false` | | +| opentelemetry-collector.fullnameOverride | string | `"otel-collector"` | | +| opentelemetry-collector.image.repository | string | `"otel/opentelemetry-collector-contrib"` | | +| opentelemetry-collector.mode | string | `"deployment"` | | +| prometheus.alertmanager.enabled | bool | `false` | | +| prometheus.enabled | bool | `true` | | +| prometheus.kube-state-metrics.enabled | bool | `false` | | +| prometheus.prometheus-node-exporter.enabled | bool | `false` | | +| prometheus.prometheus-pushgateway.enabled | bool | `false` | | +| prometheus.server.fullnameOverride | string | `"prometheus"` | | +| prometheus.server.global.scrape_interval | string | `"15s"` | | +| prometheus.server.image.repository | string | `"prom/prometheus"` | | +| prometheus.server.persistentVolume.enabled | bool | `false` | | +| prometheus.server.readinessProbeInitialDelay | int | `0` | | +| prometheus.server.securityContext | object | `{}` | | +| prometheus.server.service.type | string | `"LoadBalancer"` | | +| tempo.enabled | bool | `true` | | +| 
tempo.fullnameOverride | string | `"tempo"` | | +| tempo.service.type | string | `"LoadBalancer"` | | + diff --git a/site/content/en/v1.2/install/gateway-helm-api.md b/site/content/en/v1.2/install/gateway-helm-api.md new file mode 100644 index 00000000000..bb817b992dc --- /dev/null +++ b/site/content/en/v1.2/install/gateway-helm-api.md 
@@ -0,0 +1,75 @@ ++++ +title = "Gateway Helm Chart" ++++ + +![Version: v0.0.0-latest](https://img.shields.io/badge/Version-v0.0.0--latest-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) + +The Helm chart for Envoy Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| envoy-gateway-steering-committee | | | +| envoy-gateway-maintainers | | | + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. 
| +| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | | +| config.envoyGateway.logging.level.default | string | `"info"` | | +| config.envoyGateway.provider.type | string | `"Kubernetes"` | | +| createNamespace | bool | `false` | | +| deployment.envoyGateway.image.repository | string | `""` | | +| deployment.envoyGateway.image.tag | string | `""` | | +| deployment.envoyGateway.imagePullPolicy | string | `""` | | +| deployment.envoyGateway.imagePullSecrets | list | `[]` | | +| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | | +| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | | +| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | | +| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | | +| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| deployment.envoyGateway.securityContext.privileged | bool | `false` | | +| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | | +| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | | +| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | | +| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| deployment.pod.affinity | object | `{}` | | +| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | | +| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | | +| deployment.pod.labels | object | `{}` | | +| deployment.pod.nodeSelector | object | `{}` | | +| deployment.pod.tolerations | list | `[]` | | +| deployment.pod.topologySpreadConstraints | list | `[]` | | +| deployment.ports[0].name | string | `"grpc"` | | +| deployment.ports[0].port | int | `18000` | | +| deployment.ports[0].targetPort | int | `18000` | | +| deployment.ports[1].name | string | `"ratelimit"` | | +| deployment.ports[1].port | int | `18001` | | 
+| deployment.ports[1].targetPort | int | `18001` | | +| deployment.ports[2].name | string | `"wasm"` | | +| deployment.ports[2].port | int | `18002` | | +| deployment.ports[2].targetPort | int | `18002` | | +| deployment.ports[3].name | string | `"metrics"` | | +| deployment.ports[3].port | int | `19001` | | +| deployment.ports[3].targetPort | int | `19001` | | +| deployment.priorityClassName | string | `nil` | | +| deployment.replicas | int | `1` | | +| global.images.envoyGateway.image | string | `nil` | | +| global.images.envoyGateway.pullPolicy | string | `nil` | | +| global.images.envoyGateway.pullSecrets | list | `[]` | | +| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | | +| global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | | +| global.images.ratelimit.pullSecrets | list | `[]` | | +| kubernetesClusterDomain | string | `"cluster.local"` | | +| podDisruptionBudget.minAvailable | int | `0` | | +| service.annotations | object | `{}` | | + diff --git a/site/content/en/v1.2/install/install-egctl.md b/site/content/en/v1.2/install/install-egctl.md new file mode 100644 index 00000000000..cbd82385740 --- /dev/null +++ b/site/content/en/v1.2/install/install-egctl.md 
@@ -0,0 +1,72 @@
+---
+title: "Install egctl"
+weight: -80
+---
+
+{{% alert title="What is egctl?" color="primary" %}}
+
+`egctl` is a command line tool to provide additional functionality for Envoy Gateway users.
+
+{{% /alert %}}
+
+
+This task shows how to install the egctl CLI. egctl can be installed either from source, or from pre-built binary releases.
+
+### From The Envoy Gateway Project
+
+The Envoy Gateway project provides two ways to fetch and install egctl. These are the official methods to get egctl releases. Installation through those methods can be found below the official methods.
+
+{{< tabpane text=true >}}
+{{% tab header="From the Binary Releases" %}}
+
+Every [release](https://github.com/envoyproxy/gateway/releases) of egctl provides binary releases for a variety of OSes. These binary versions can be manually downloaded and installed.
+
+1. Download your [desired version](https://github.com/envoyproxy/gateway/releases)
+2. Unpack it (tar -zxvf egctl_latest_linux_amd64.tar.gz)
+3. Find the egctl binary in the unpacked directory, and move it to its desired destination (mv bin/linux/amd64/egctl /usr/local/bin/egctl)
+
+From there, you should be able to run: `egctl help`.
+
+{{% /tab %}}
+{{% tab header="From Script" %}}
+
+`egctl` now has an installer script that will automatically grab the latest release version of egctl and install it locally.
+
+You can fetch that script, and then execute it locally. It's well documented so that you can read through it and understand what it is doing before you run it.
+
+```shell
+curl -fsSL -o get-egctl.sh https://gateway.envoyproxy.io/get-egctl.sh
+
+chmod +x get-egctl.sh
+
+# get help info of the
+bash get-egctl.sh --help
+
+# install the latest development version of egctl
+bash VERSION=latest get-egctl.sh
+```
+
+Yes, you can just use the below command if you want to live on the edge.
+
+```shell
+curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash
+```
+
+{{% /tab %}}
+
+{{% tab header="From Homebrew" %}}
+
+You can also install egctl using homebrew:
+
+```shell
+brew install egctl
+```
+
+{{% /tab %}}
+{{< /tabpane >}}
+
+{{% alert title="Next Steps" color="warning" %}}
+
+You can refer to the [Use egctl task](../tasks/operations/egctl) for more details about egctl.
+
+{{% /alert %}}
diff --git a/site/content/en/v1.2/install/install-helm.md b/site/content/en/v1.2/install/install-helm.md
new file mode 100644
index 00000000000..277856b9aac
--- /dev/null
+++ b/site/content/en/v1.2/install/install-helm.md
@@ -0,0 +1,144 @@
++++
+title = "Install with Helm"
+weight = -100
++++
+
+[Helm](https://helm.sh) is a package manager for Kubernetes that automates the release and management of software on Kubernetes.
+
+Envoy Gateway can be installed via a Helm chart with a few simple steps, depending on if you are deploying for the first time, upgrading Envoy Gateway from an existing installation, or migrating from Envoy Gateway.
+
+## Before you begin
+
+{{% alert title="Compatibility Matrix" color="warning" %}}
+Refer to the [Version Compatibility Matrix](/news/releases/matrix) to learn more.
+{{% /alert %}}
+
+The Envoy Gateway Helm chart is hosted by DockerHub.
+
+It is published at `oci://docker.io/envoyproxy/gateway-helm`.
+
+{{% alert title="Note" color="primary" %}}
+We use `v0.0.0-latest` as the latest development version.
+
+You can visit [Envoy Gateway Helm Chart](https://hub.docker.com/r/envoyproxy/gateway-helm/tags) for more releases.
+{{% /alert %}}
+
+## Install with Helm
+
+Envoy Gateway is typically deployed to Kubernetes from the command line. If you don't have Kubernetes, you should use `kind` to create one.
+
+{{% alert title="Developer Guide" color="primary" %}}
+Refer to the [Developer Guide](../../contributions/develop) to learn more.
+{{% /alert %}}
+
+Install the Gateway API CRDs and Envoy Gateway:
+
+```shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace
+```
+
+Wait for Envoy Gateway to become available:
+
+```shell
+kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
+```
+
+Install the GatewayClass, Gateway, HTTPRoute and example app:
+
+```shell
+kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml -n default
+```
+
+**Note**: [`quickstart.yaml`] defines that Envoy Gateway will listen for
+traffic on port 80 on its globally-routable IP address, to make it easy to use
+browsers to test Envoy Gateway. When Envoy Gateway sees that its Listener is
+using a privileged port (<1024), it will map this internally to an
+unprivileged port, so that Envoy Gateway doesn't need additional privileges.
+It's important to be aware of this mapping, since you may need to take it into
+consideration when debugging.
+
+[`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml
+
+## Helm chart customizations
+
+Some of the quick ways of using the helm install command for envoy gateway installation are below.
+
+{{% alert title="Helm Chart Values" color="primary" %}}
+If you want to know all the available fields inside the values.yaml file, please see the [Helm Chart Values](./gateway-helm-api).
+{{% /alert %}}
+
+### Increase the replicas
+
+```shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace --set deployment.replicas=2
+```
+
+### Change the kubernetesClusterDomain name
+
+If you have installed your cluster with different domain name you can use below command.
+
+```shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace --set kubernetesClusterDomain=
+```
+
+**Note**: Above are some of the ways we can directly use for customization of our installation. But if you are looking for more complex changes [values.yaml](https://helm.sh/docs/chart_template_guide/values_files/) comes to rescue.
+
+### Using values.yaml file for complex installation
+
+```yaml
+deployment:
+ envoyGateway:
+ resources:
+ limits:
+ cpu: 700m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ ports:
+ - name: grpc
+ port: 18005
+ targetPort: 18000
+ - name: ratelimit
+ port: 18006
+ targetPort: 18001
+
+config:
+ envoyGateway:
+ logging:
+ level:
+ default: debug
+```
+
+Here we have made three changes to our values.yaml file. Increase the resources limit for cpu to `700m`, changed the port for grpc to `18005` and for ratelimit to `18006` and also updated the logging level to `debug`.
+
+You can use the below command to install the envoy gateway using values.yaml file.
+
+```shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace -f values.yaml
+```
+
+## Open Ports
+
+These are the ports used by Envoy Gateway and the managed Envoy Proxy.
+
+### Envoy Gateway
+
+| Envoy Gateway | Address | Port | Configurable |
+|:----------------------:|:---------:|:------:| :------: |
+| Xds EnvoyProxy Server | 0.0.0.0 | 18000 | No |
+| Xds RateLimit Server | 0.0.0.0 | 18001 | No |
+| Admin Server | 127.0.0.1 | 19000 | Yes |
+| Metrics Server | 0.0.0.0 | 19001 | No |
+| Health Check | 127.0.0.1 | 8081 | No |
+
+### EnvoyProxy
+
+| Envoy Proxy | Address | Port |
+|:---------------------------------:|:-----------:| :-----: |
+| Admin Server | 127.0.0.1 | 19000 |
+| Heath Check | 0.0.0.0 | 19001 |
+
+{{% alert title="Next Steps" color="warning" %}}
+Envoy Gateway should now be successfully installed and running. To experience more abilities of Envoy Gateway, refer to [Tasks](../tasks).
+{{% /alert %}}
diff --git a/site/content/en/v1.2/install/install-yaml.md b/site/content/en/v1.2/install/install-yaml.md
new file mode 100644
index 00000000000..c0a8d1caa72
--- /dev/null
+++ b/site/content/en/v1.2/install/install-yaml.md
@@ -0,0 +1,67 @@
++++
+title = "Install with Kubernetes YAML"
+weight = -99
++++
+
+This task walks you through installing Envoy Gateway in your Kubernetes cluster.
+
+The manual install process does not allow for as much control over configuration
+as the [Helm install method](./install-helm), so if you need more control over your Envoy Gateway
+installation, it is recommended that you use helm.
+
+## Before you begin
+
+Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are:
+
+* Kubernetes 1.27 or later
+* The `kubectl` command-line tool
+
+{{% alert title="Compatibility Matrix" color="warning" %}}
+Refer to the [Version Compatibility Matrix](/news/releases/matrix) to learn more.
+{{% /alert %}}
+
+## Install with YAML
+
+Envoy Gateway is typically deployed to Kubernetes from the command line. If you don't have Kubernetes, you should use `kind` to create one.
+
+{{% alert title="Developer Guide" color="primary" %}}
+Refer to the [Developer Guide](../../contributions/develop) to learn more.
+{{% /alert %}}
+
+1. In your terminal, run the following command:
+
+ ```shell
+ kubectl apply --server-side -f https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/install.yaml
+ ```
+
+2. Next Steps
+
+ Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks).
+
+## Upgrading from v1.0
+
+Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1.
+
+1. Delete `BackendTLSPolicy` CRD (and resources):
+
+```shell
+kubectl delete crd backendtlspolicies.gateway.networking.k8s.io
+```
+
+2. Update Gateway-API and Envoy Gateway CRDs:
+
+```shell
+helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar
+kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml
+kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated
+```
+
+3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes)
+
+4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef.
+
+5. Install Envoy Gateway {{< yaml-version >}}:
+
+```shell
+helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system
+```
diff --git a/site/content/en/v1.2/install/migrating-to-envoy.md b/site/content/en/v1.2/install/migrating-to-envoy.md
new file mode 100644
index 00000000000..470c759ab7e
--- /dev/null
+++ b/site/content/en/v1.2/install/migrating-to-envoy.md
@@ -0,0 +1,143 @@
+---
+title: Migrating from Ingress Resources
+---
+
+## Introduction
+
+Migrating from Ingress to Envoy Gateway involves converting existing Ingress resources into resources compatible with Envoy Gateway. The `ingress2gateway` tool simplifies this migration by transforming Ingress resources into Gateway API resources that Envoy Gateway can use. This guide will walk you through the prerequisites, installation of the `ingress2gateway` tool, and provide an example migration process.
+
+## Prerequisites
+
+Before you start the migration, ensure you have the following:
+
+1. **Envoy Gateway Installed**: You need Envoy Gateway set up in your Kubernetes cluster. Follow the [Envoy Gateway installation guide](../install) for details.
+2. **Kubernetes Cluster Access**: Ensure you have access to your Kubernetes cluster and necessary permissions to manage resources.
+3. **Installation of `ingress2gateway` Tool**: You need to install the `ingress2gateway` tool in your Kubernetes cluster and configure it accordingly. Follow the [ingress2gateway tool installation guide](https://github.com/kubernetes-sigs/ingress2gateway/blob/main/README.md#installation) for details.
+
+## Example Migration
+
+Here’s a step-by-step example of migrating from Ingress to Envoy Gateway using `ingress2gateway`:
+
+### 1. Install and Configure Envoy Gateway
+
+Ensure that Envoy Gateway is installed and running in your cluster. Follow the [official Envoy Gateway installation guide](../install) for setup instructions.
+
+### 2. Create a GatewayClass
+
+To ensure the generated HTTPRoutes are programmed correctly in the Envoy Gateway data plane, create a GatewayClass that links to the Envoy Gateway controller.
+
+Create a `GatewayClass` resource:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+ name: envoy-gateway-class
+spec:
+ controllerName: gateway.envoyproxy.io/controller
+```
+
+Apply this resource:
+
+```sh
+kubectl apply -f gatewayclass.yaml
+```
+
+### 3. Install Ingress2gateway
+
+Ensure you have the Ingress2gateway package installed. If not, follow the package’s installation instructions.
+
+### 4. Run Ingress2gateway
+
+Use Ingress2gateway to read your existing Ingress resources and translate them into Gateway API resources.
+
+```sh
+./ingress2gateway print
+```
+
+This command will:
+1. Read your Kube config file to extract the cluster credentials and the current active namespace.
+2. Search for Ingress and provider-specific resources in that namespace.
+3. Convert them to Gateway API resources (Gateways and HTTPRoutes).
+
+#### Example Ingress Configuration
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: example-ingress
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ rules:
+ - host: example.com
+ http:
+ paths:
+ - path: /foo
+ pathType: Prefix
+ backend:
+ service:
+ name: foo-service
+ port:
+ number: 80
+```
+
+### 5. Save the Output
+
+The command will output the equivalent Gateway API resources in YAML/JSON format to stdout. Save this output to a file for further use.
+
+```sh
+./ingress2gateway print > gateway-resources.yaml
+```
+
+### 6. Apply the Translated Resources
+
+Apply the translated Gateway API resources to your cluster.
+
+```sh
+kubectl apply -f gateway-resources.yaml
+```
+
+### 7. Create a Gateway Resource
+
+Create a `Gateway` resource specifying the `GatewayClass` created earlier and including the necessary listeners.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: example-gateway
+ namespace: default
+spec:
+ gatewayClassName: envoy-gateway-class
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ hostname: example.com
+```
+
+Apply this resource:
+
+```sh
+kubectl apply -f gateway.yaml
+```
+
+### 8. Validate the Migration
+
+Ensure the HTTPRoutes and Gateways are correctly set up and that traffic is being routed as expected. Validate the new configuration by checking the status of the Gateway and HTTPRoute resources.
+
+```sh
+kubectl get gateways
+kubectl get httproutes
+```
+
+### 9. Monitor and Troubleshoot
+
+Monitor the Envoy Gateway logs and metrics to ensure everything is functioning correctly. Troubleshoot any issues by reviewing the Gateway and HTTPRoute statuses and Envoy Gateway controller logs.
+
+## Summary
+
+By following this guide, users can effectively migrate their existing Ingress resources to Envoy Gateway using the Ingress2gateway package. Creating a GatewayClass and linking it to the Envoy Gateway controller ensures that the translated resources are properly programmed in the data plane, providing a seamless transition to the Envoy Gateway environment.
\ No newline at end of file
diff --git a/site/content/en/v1.2/tasks/_index.md b/site/content/en/v1.2/tasks/_index.md
new file mode 100644
index 00000000000..49e8595328b
--- /dev/null
+++ b/site/content/en/v1.2/tasks/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Tasks"
+weight: 2
+description: Learn Envoy Gateway hands-on through tasks
+---
diff --git a/site/content/en/v1.2/tasks/extensibility/_index.md b/site/content/en/v1.2/tasks/extensibility/_index.md
new file mode 100644
index 00000000000..664c734aeca
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Extensibility"
+weight: 4
+description: This section includes Extensibility tasks.
+---
diff --git a/site/content/en/v1.2/tasks/extensibility/build-wasm-image.md b/site/content/en/v1.2/tasks/extensibility/build-wasm-image.md
new file mode 100644
index 00000000000..dfe983dd193
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/build-wasm-image.md
@@ -0,0 +1,71 @@
+---
+title: "Build a Wasm image"
+---
+
+Envoy Gateway supports two types of Wasm extensions within the [EnvoyExtensionPolicy][] API: HTTP Wasm Extensions and Image Wasm Extensions.
+Packaging a Wasm extension as an OCI image is beneficial because it simplifies versioning and distribution for users.
+Additionally, users can leverage existing image toolchain to build and manage Wasm images.
+
+This document describes how to build OCI images which are consumable by Envoy Gateway.
+
+## Wasm Image Formats
+
+There are two types of images that are supported by Envoy Gateway. One is in the Docker format, and another is the standard
+OCI specification compliant format. Please note that both of them are supported by any OCI registries. You can choose
+either format depending on your preference, and both types of images are consumable by Envoy Gateway [EnvoyExtensionPolicy][] API.
+
+## Build Wasm Docker image
+
+We assume that you have a valid Wasm binary named `plugin.wasm`. Then you can build a Wasm Docker image with the Docker CLI.
+
+1. First, we prepare the following Dockerfile:
+
+```
+$ cat Dockerfile
+FROM scratch
+
+COPY plugin.wasm ./
+```
+
+**Note: you must have exactly one `COPY` instruction in the Dockerfile in order to end up having only one layer in produced images.**
+
+2. Then, build your image via `docker build` command
+
+```
+$ docker build . -t my-registry/mywasm:0.1.0
+```
+
+3. Finally, push the image to your registry via `docker push` command
+
+```
+$ docker push my-registry/mywasm:0.1.0
+```
+
+## Build Wasm OCI image
+
+We assume that you have a valid Wasm binary named `plugin.wasm`, and you have [buildah](https://buildah.io/) installed on your machine.
+Then you can build a Wasm OCI image with the `buildah` CLI.
+
+1. First, we create a working container from `scratch` base image with `buildah from` command.
+
+```
+$ buildah --name mywasm from scratch
+mywasm
+```
+
+2. Then copy the Wasm binary into that base image by `buildah copy` command to create the layer.
+
+```
+$ buildah copy mywasm plugin.wasm ./
+af82a227630327c24026d7c6d3057c3d5478b14426b74c547df011ca5f23d271
+```
+
+**Note: you must execute `buildah copy` exactly once in order to end up having only one layer in produced images**
+
+4. Now, you can build an OCI image and push it to your registry via `buildah commit` command
+
+```
+$ buildah commit mywasm docker://my-remote-registry/mywasm:0.1.0
+```
+
+[EnvoyExtensionPolicy]: ../../../api/extension_types#envoyextensionpolicy
diff --git a/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md
new file mode 100644
index 00000000000..54e69f41d0f
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md
@@ -0,0 +1,428 @@
+---
+title: "Envoy Patch Policy"
+---
+
+This task explains the usage of the [EnvoyPatchPolicy][] API.
+__Note:__ This API is meant for users extremely familiar with Envoy [xDS][] semantics.
+Also before considering this API for production use cases, please be aware that this API
+is unstable and the outcome may change across versions. Use at your own risk.
+
+## Introduction
+
+The [EnvoyPatchPolicy][] API allows user to modify the output [xDS][]
+configuration generated by Envoy Gateway intended for EnvoyProxy,
+using [JSON Patch][] semantics.
+
+## Motivation
+
+This API was introduced to allow advanced users to be able to leverage Envoy Proxy functionality
+not exposed by Envoy Gateway APIs today.
+
+## Quickstart
+
+### Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+### Enable EnvoyPatchPolicy
+
+* By default [EnvoyPatchPolicy][] is disabled. Lets enable it in the [EnvoyGateway][] startup configuration
+
+* The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it
+using a `ConfigMap`. In the next step, we will update this resource to enable EnvoyPatchPolicy.
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +## Testing + +### Customize Response + +* Use EnvoyProxy's [Local Reply Modification][] feature to return a custom response back to the client when +the status code is `404` + +* Apply the configuration + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <// + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/local_reply_config" + value: + mappers: + - filter: + status_code_filter: + comparison: + op: EQ + value: + default_value: 404 + runtime_key: key_b + status_code: 406 + body: + inline_string: "could not find what you are looking for" +EOF +``` + +{{% /tab %}} +{{% tab header="Apply from file" %}} +Save and apply the following resource to your cluster: + +```yaml +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: custom-response-patch-policy + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + # The listener name is of the form // + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/local_reply_config" + value: + mappers: + - filter: + status_code_filter: + comparison: + op: EQ + value: + default_value: 404 + runtime_key: key_b + status_code: 406 + body: + inline_string: "could not find what you are looking for" +``` + +{{% /tab %}} +{{< /tabpane >}} + +When mergeGateways is enabled, there will be one Envoy deployment for all Gateways in the cluster. +Then the EnvoyPatchPolicy should target a specific GatewayClass. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <// + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/local_reply_config" + value: + mappers: + - filter: + status_code_filter: + comparison: + op: EQ + value: + default_value: 404 + runtime_key: key_b + status_code: 406 + body: + inline_string: "could not find what you are looking for" +EOF +``` + +{{% /tab %}} +{{% tab header="Apply from file" %}} +Save and apply the following resource to your cluster: + +```yaml +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: custom-response-patch-policy + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: GatewayClass + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.listener.v3.Listener" + # The listener name is of the form // + name: default/eg/http + operation: + op: add + path: "/default_filter_chain/filters/0/typed_config/local_reply_config" + value: + mappers: + - filter: + status_code_filter: + comparison: + op: EQ + value: + default_value: 404 + runtime_key: key_b + status_code: 406 + body: + inline_string: "could not find what you are looking for" +``` + +{{% /tab %}} +{{< /tabpane >}} + +* Edit the HTTPRoute resource from the Quickstart to only match on paths with value `/get` + +```shell +kubectl patch httproute backend --type=json --patch ' + - op: add + path: /spec/rules/0/matches/0/path/value + value: /get + ' +``` + +* Test it out by specifying a path apart from `/get` + +```shell +$ curl --header "Host: www.example.com" http://$GATEWAY_HOST/find +Handling connection for 8888 +could not find what you are looking for +``` + +### Customize VirtualHost by name + +* Use EnvoyProxy's `include_attempt_count_in_response` feature to include the attempt count as header in the downstream response. 
+* Apply the configuration + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <// + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +EOF +``` + +{{% /tab %}} +{{% tab header="Apply from file" %}} +Save and apply the following resource to your cluster: + +```yaml +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: include-attempts + namespace: default +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: eg + type: JSONPatch + jsonPatches: + - type: "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" + # The RouteConfiguration name is of the form // + name: default/eg/http + operation: + op: add + # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) + jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" + # If the property does not exists, it can not be selected with jsonPath + # Therefore the new property must be set in path + path: "include_attempt_count_in_response" + value: true +``` + +{{% /tab %}} +{{< /tabpane >}} + +* Test it out by looking at the response headers + +``` +$ curl -v --header "Host: www.example.com" http://localhost:8888/ +... +< x-envoy-attempt-count: 1 +... +``` + +## Debugging + +### Runtime + +* The `Status` subresource should have information about the status of the resource. Make sure +`Accepted=True` and `Programmed=True` conditions are set to ensure that the policy has been +applied to Envoy Proxy. 
+
+```yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyPatchPolicy
+metadata:
+ annotations:
+ kubectl.kubernetes.io/last-applied-configuration: |
+ {"apiVersion":"gateway.envoyproxy.io/v1alpha1","kind":"EnvoyPatchPolicy","metadata":{"annotations":{},"name":"custom-response-patch-policy","namespace":"default"},"spec":{"jsonPatches":[{"name":"default/eg/http","operation":{"op":"add","path":"/default_filter_chain/filters/0/typed_config/local_reply_config","value":{"mappers":[{"body":{"inline_string":"could not find what you are looking for"},"filter":{"status_code_filter":{"comparison":{"op":"EQ","value":{"default_value":404}}}}}]}},"type":"type.googleapis.com/envoy.config.listener.v3.Listener"}],"priority":0,"targetRef":{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"eg","namespace":"default"},"type":"JSONPatch"}}
+ creationTimestamp: "2023-07-31T21:47:53Z"
+ generation: 1
+ name: custom-response-patch-policy
+ namespace: default
+ resourceVersion: "10265"
+ uid: a35bda6e-a0cc-46d7-a63a-cee765174bc3
+spec:
+ jsonPatches:
+ - name: default/eg/http
+ operation:
+ op: add
+ path: /default_filter_chain/filters/0/typed_config/local_reply_config
+ value:
+ mappers:
+ - body:
+ inline_string: could not find what you are looking for
+ filter:
+ status_code_filter:
+ comparison:
+ op: EQ
+ value:
+ default_value: 404
+ type: type.googleapis.com/envoy.config.listener.v3.Listener
+ priority: 0
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: eg
+ type: JSONPatch
+status:
+ conditions:
+ - lastTransitionTime: "2023-07-31T21:48:19Z"
+ message: EnvoyPatchPolicy has been accepted.
+ observedGeneration: 1
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ - lastTransitionTime: "2023-07-31T21:48:19Z"
+ message: successfully applied patches.
+ reason: Programmed
+ status: "True"
+ type: Programmed
+```
+
+### Offline
+
+* You can use [egctl x translate][] to validate the translated xds output.
+
+## Caveats
+
+This API will always be an unstable API and the same outcome cannot be garunteed
+across versions for these reasons
+* The Envoy Proxy API might deprecate and remove API fields
+* Envoy Gateway might alter the xDS translation creating a different xDS output
+such as changing the `name` field of resources.
+
+[EnvoyPatchPolicy]: ../../../api/extension_types#envoypatchpolicy
+[EnvoyGateway]: ../../../api/extension_types#envoygateway
+[JSON Patch]: https://datatracker.ietf.org/doc/html/rfc6902
+[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration
+[Local Reply Modification]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply
+[egctl x translate]: ../operations/egctl#egctl-experimental-translate
diff --git a/site/content/en/v1.2/tasks/extensibility/ext-proc.md b/site/content/en/v1.2/tasks/extensibility/ext-proc.md
new file mode 100644
index 00000000000..910332f4740
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/ext-proc.md
@@ -0,0 +1,283 @@ +--- +title: "External Processing" +--- + +This task provides instructions for configuring external processing. + +External processing calls an external gRPC service to process HTTP requests and responses. +The external processing service can inspect and mutate requests and responses. + +Envoy Gateway introduces a new CRD called [EnvoyExtensionPolicy][] that allows the user to configure external processing. +This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute][HTTPRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## GRPC External Processing Service + +### Installation + +Install a demo GRPC service that will be used as the external processing service: + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-proc-grpc-service.yaml +``` + +Create a new HTTPRoute resource to route traffic on the path `/myapp` to the backend service. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/myapp -o yaml +``` + +### Configuration + +Create a new EnvoyExtensionPolicy resource to configure the external processing service. This EnvoyExtensionPolicy targets the HTTPRoute +"myApp" created in the previous step. It calls the GRPC external processing service "grpc-ext-proc" on port 9002 for +processing. + +By default, requests and responses are not sent to the external processor. The `processingMode` struct is used to define what should be sent to the external processor. +In this example, we configure the following processing modes: +* The empty `request` field configures envoy to send request headers to the external processor. +* The `response` field includes configuration for body processing. As a result, response headers are sent to the external processor. Additionally, the response body is streamed to the external processor. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the Envoy Extension Policy configuration: + +```shell +kubectl get envoyextensionpolicy/ext-proc-example -o yaml +``` + + +Because the gRPC external processing service is enabled with TLS, a [BackendTLSPolicy][] needs to be created to configure +the communication between the Envoy proxy and the gRPC auth service. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the BackendTLSPolicy configuration: + +```shell +kubectl get backendtlspolicy/grpc-ext-proc-btls -o yaml +``` + +### Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request to the backend service without `Authentication` header: + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/myapp" +``` + +You should see that the external processor added headers: +- `x-request-ext-processed` - this header was added before the request was forwarded to the backend +- `x-response-ext-processed`- this header was added before the response was returned to the client + + +``` +curl -v -H "Host: www.example.com" http://localhost:10080/myapp +[...] +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Fri, 14 Jun 2024 19:30:40 GMT +< content-length: 502 +< x-response-ext-processed: true +< +{ + "path": "/myapp", + "host": "www.example.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { +[...] + "X-Request-Ext-Processed": [ + "true" + ], +[...] + } +``` + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
+
+Delete the demo auth services, HTTPRoute, EnvoyExtensionPolicy and BackendTLSPolicy:
+
+```shell
+kubectl delete -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-proc-grpc-service.yaml
+kubectl delete httproute/myapp
+kubectl delete envoyextensionpolicy/ext-proc-example
+kubectl delete backendtlspolicy/grpc-ext-proc-btls
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[EnvoyExtensionPolicy]: ../../../api/extension_types#envoyextensionpolicy
+[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/v1.2/tasks/extensibility/extension-server.md b/site/content/en/v1.2/tasks/extensibility/extension-server.md
new file mode 100644
index 00000000000..6d16013d410
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/extension-server.md
@@ -0,0 +1,209 @@
+---
+title: "Envoy Gateway Extension Server"
+linkTitle: "Extension Server"
+---
+
+This task explains how to extend Envoy Gateway using an Extension Server. Envoy Gateway
+can be configured to call an external server over gRPC with the xDS configuration _before_
+it is sent to Envoy Proxy. The external server can modify the provided configuration
+programmatically using any semantics supported by the [xDS][] API.
+
+Using an extension server allows vendors to add xDS configuration that Envoy Gateway itself
+doesn't support with a very high level of control over the generated xDS configuration.
+
+**Note:** Modifying the xDS configuration generated by Envoy Gateway may break functionality
+configured by native Envoy Gateway means. Like other cases where the xDS configuration
+is modified outside of Envoy Gateway's control, this is risky and should be tested thoroughly,
+especially when using the same extension server across different Envoy Gateway versions.
+
+## Introduction
+
+One of the Envoy Gateway project goals is to "provide a common foundation for vendors to
+build value-added products without having to re-engineer fundamental interactions". The
+Envoy Gateway Extension Server provides a mechanism where Envoy Gateway tracks all provider
+resources and then calls a set of hooks that allow the generated xDS configuration to be
+modified before it is sent to Envoy Proxy. See the [design documentation][] for full details.
+
+This task sets up an example extension server that adds the Envoy Proxy Basic Authentication
+HTTP filter to all the listeners generated by Envoy Gateway. The example extension server
+includes its own CRD which allows defining username/password pairs that will be accepted by
+the Envoy Proxy.
+
+**Note:** Envoy Gateway supports adding Basic Authentication to routes using a [SecurityPolicy][].
+See [this task](../security/basic-auth) for the preferred way to configure Basic
+Authentication.
+
+
+## Quickstart
+
+### Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+### Build and run the example Extension Server
+
+Build and deploy the example extension server in the `examples/extension-server` folder into the cluster
+running Envoy Gateway.
+
+* Build the extension server image
+
+ **Note:** The provided `Makefile` builds an image with the name `extension-server:latest`. You may need to create
+a different tag for it in order to allow Kubernetes to pull it correctly.
+
+ ```shell
+ make image
+ ```
+
+* Publish the extension server image in your docker repository
+
+ {{< tabpane text=true >}}
+ {{% tab header="local kind server" %}}
+
+ ```shell
+ kind load docker-image --name envoy-gateway extension-server:latest
+ ```
+
+ {{% /tab %}}
+ {{% tab header="other Kubernetes server" %}}
+
+ ```shell
+ docker tag extension-server:latest $YOUR_DOCKER_REPO
+ docker push $YOUR_DOCKER_REPO
+ ```
+
+ {{% /tab %}}
+ {{< /tabpane >}}
+
+* Deploy the extension server in your cluster
+
+ If you are using your own docker image repository, make sure to update the `values.yaml` with the correct
+image name and tag.
+
+ ```shell
+ helm install -n envoy-gateway-system extension-server ./examples/extension-server/charts/extension-server
+ ```
+
+### Configure Envoy Gateway
+
+* Grant Envoy Gateway's `ServiceAccount` permission to access the extension server's CRD
+
+ ```shell
+ kubectl create clusterrole listener-context-example-viewer \
+ --verb=get,list,watch \
+ --resource=ListenerContextExample
+
+ kubectl create clusterrolebinding envoy-gateway-listener-context \
+ --clusterrole=listener-context-example-viewer \
+ --serviceaccount=envoy-gateway-system:envoy-gateway
+ ```
+
+* Configure Envoy Gateway to use the Extension Server
+
+ Add the following fragment to Envoy Gateway's [configuration][] file:
+
+ ```yaml
+ extensionManager:
+ # Envoy Gateway will watch these resource kinds and use them as extension policies
+ # which can be attached to Gateway resources.
+ policyResources:
+ - group: example.extensions.io
+ version: v1alpha1
+ kind: ListenerContextExample
+ hooks:
+ # The type of hooks that should be invoked
+ xdsTranslator:
+ post:
+ - HTTPListener
+ service:
+ # The service that is hosting the extension server
+ fqdn:
+ hostname: extension-server.envoy-gateway-system.svc.cluster.local
+ port: 5005
+ ```
+
+ After updating Envoy Gateway's configuration file, restart Envoy Gateway.
+
+## Testing
+
+Get the Gateway's address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+The extension server adds the Basic Authentication HTTP filter to all listeners configured by
+Envoy Gateway. Initially there are no valid user/password combinations available. Accessing the
+example backend should fail with a 401 status:
+
+```console
+$ curl -v --header "Host: www.example.com" "http://${GATEWAY_HOST}/example"
+...
+> GET /example HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/7.81.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 401 Unauthorized
+< www-authenticate: Basic realm="http://www.example.com/example"
+< content-length: 58
+< content-type: text/plain
+< date: Mon, 08 Jul 2024 10:53:11 GMT
+<
+...
+User authentication failed. Missing username and password.
+...
+```
+
+Add a new Username/Password combination using the example extension server's CRD:
+
+```shell
+kubectl apply -f - << EOF
+apiVersion: example.extensions.io/v1alpha1
+kind: ListenerContextExample
+metadata:
+ name: listeneruser
+spec:
+ targetRefs:
+ - kind: Gateway
+ name: eg
+ group: gateway.networking.k8s.io
+ username: user
+ password: p@ssw0rd
+EOF
+```
+
+Authenticating with this user/password combination will now work.
+
+```console
+$ curl -v http://${GATEWAY_HOST}/example -H "Host: www.example.com" --user 'user:p@ssw0rd'
+...
+> GET /example HTTP/1.1
+> Host: www.example.com
+> Authorization: Basic dXNlcm5hbWU6cEBzc3cwcmQ=
+> User-Agent: curl/7.81.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Mon, 08 Jul 2024 10:56:17 GMT
+< content-length: 559
+<
+...
+ "headers": {
+ "Authorization": [
+ "Basic dXNlcm5hbWU6cEBzc3cwcmQ="
+ ],
+ "X-Example-Ext": [
+ "user"
+ ],
+...
+```
+
+
+[xDS]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration
+[design documentation]: /contributions/design/extending-envoy-gateway
+[SecurityPolicy]: /latest/api/extension_types/#securitypolicy
+[configuration]: /latest/api/extension_types/#extensionmanager
diff --git a/site/content/en/v1.2/tasks/extensibility/wasm.md b/site/content/en/v1.2/tasks/extensibility/wasm.md
new file mode 100644
index 00000000000..baad6a5804f
--- /dev/null
+++ b/site/content/en/v1.2/tasks/extensibility/wasm.md
@@ -0,0 +1,187 @@ +--- +title: "Wasm Extensions" +--- + +This task provides instructions for extending Envoy Gateway with WebAssembly (Wasm) extensions. + +Wasm extensions allow you to extend the functionality of Envoy Gateway by running custom code against HTTP requests and responses, +without modifying the Envoy Gateway binary. These extensions can be written in any language that compiles to Wasm, such as C++, Rust, AssemblyScript, or TinyGo. + +Envoy Gateway introduces a new CRD called [EnvoyExtensionPolicy][] that allows the user to configure Wasm extensions. +This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute][HTTPRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +Envoy Gateway supports two types of Wasm extensions: +* HTTP Wasm Extension: The Wasm extension is fetched from a remote URL. +* Image Wasm Extension: The Wasm extension is packaged as an OCI image and fetched from an image registry. + +The following example demonstrates how to configure an [EnvoyExtensionPolicy][] to attach a Wasm extension to an [EnvoyExtensionPolicy][] . +This Wasm extension adds a custom header `x-wasm-custom: FOO` to the response. + +### HTTP Wasm Extension + +This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an HTTP URL. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the EnvoyExtensionPolicy status: + +```shell +kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +``` + +### Image Wasm Extension + +This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an OCI image. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the EnvoyExtensionPolicy status: + +```shell +kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +``` + +### Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. 
If not, follow the
+Quickstart instructions to set the variable.
+
+```shell
+echo $GATEWAY_HOST
+```
+
+Send a request to the backend service:
+
+```shell
+curl -i -H "Host: www.example.com" "http://${GATEWAY_HOST}"
+```
+
+You should see that the wasm extension has added this header to the response:
+
+```
+x-wasm-custom: FOO
+```
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the EnvoyExtensionPolicy:
+
+```shell
+kubectl delete envoyextensionpolicy/wasm-test
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[EnvoyExtensionPolicy]: ../../../api/extension_types#envoyextensionpolicy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/v1.2/tasks/observability/_index.md b/site/content/en/v1.2/tasks/observability/_index.md
new file mode 100644
index 00000000000..9ca4896ee8b
--- /dev/null
+++ b/site/content/en/v1.2/tasks/observability/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Observability"
+weight: 4
+description: This section includes Observability tasks.
+---
diff --git a/site/content/en/v1.2/tasks/observability/gateway-api-metrics.md b/site/content/en/v1.2/tasks/observability/gateway-api-metrics.md
new file mode 100644
index 00000000000..bf799616aff
--- /dev/null
+++ b/site/content/en/v1.2/tasks/observability/gateway-api-metrics.md
@@ -0,0 +1,58 @@
+---
+title: "Gateway API Metrics"
+---
+
+Resource metrics for Gateway API objects are available using the [Gateway API State Metrics][gasm] project.
+The project also provides example dashboard for visualising the metrics using Grafana, and example alerts using Prometheus & Alertmanager.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster:
+
+```shell
+kubectl apply --server-side -f https://raw.githubusercontent.com/Kuadrant/gateway-api-state-metrics/main/config/examples/kube-prometheus/bundle_crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/Kuadrant/gateway-api-state-metrics/main/config/examples/kube-prometheus/bundle.yaml
+```
+
+## Metrics and Alerts
+
+To access the Prometheus UI, wait for the statefulset to be ready, then use the port-forward command:
+
+```shell
+# This first command may fail if the statefulset has not been created yet.
+# In that case, try again until you get a message like 'Waiting for 2 pods to be ready...'
+# or 'statefulset rolling update complete 2 pods...'
+kubectl -n monitoring rollout status --watch --timeout=5m statefulset/prometheus-k8s
+kubectl -n monitoring port-forward service/prometheus-k8s 9090:9090 > /dev/null &
+```
+
+Navigate to `http://localhost:9090`.
+Metrics can be queried from the 'Graph' tab e.g. `gatewayapi_gateway_created`
+See the [Gateway API State Metrics README][gasm-readme] for the full list of Gateway API metrics available.
+
+Alerts can be seen in the 'Alerts' tab.
+Gateway API specific alerts will be grouped under the 'gateway-api.rules' heading.
+
+***Note:*** Alerts are defined in a PrometheusRules custom resource in the 'monitoring' namespace. You can modify the alert rules by updating this resource.
+
+## Dashboards
+
+To view the dashboards in Grafana, wait for the deployment to be ready, then use the port-forward command:
+
+```shell
+kubectl -n monitoring wait --timeout=5m deployment/grafana --for=condition=Available
+kubectl -n monitoring port-forward service/grafana 3000:3000 > /dev/null &
+```
+
+Navigate to `http://localhost:3000` and sign in with admin/admin.
+The Gateway API State dashboards will be available in the 'Default' folder and tagged with 'gateway-api'.
+See the [Gateway API State Metrics README][gasm-dashboards] for further information on available dashboards.
+
+***Note:*** Dashboards are loaded from configmaps. You can modify the dashboards in the Grafana UI, however you will need to export them from the UI and update the json in the configmaps to persist changes.
+
+
+[gasm]: https://github.com/Kuadrant/gateway-api-state-metrics
+[gasm-readme]: https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#metrics
+[gasm-dashboards]: https://github.com/Kuadrant/gateway-api-state-metrics/tree/main#dashboards
diff --git a/site/content/en/v1.2/tasks/observability/gateway-exported-metrics.md b/site/content/en/v1.2/tasks/observability/gateway-exported-metrics.md
new file mode 100644
index 00000000000..cf04f1d444b
--- /dev/null
+++ b/site/content/en/v1.2/tasks/observability/gateway-exported-metrics.md
@@ -0,0 +1,97 @@
+---
+title: "Gateway Exported Metrics"
+---
+
+The Envoy Gateway provides a collection of self-monitoring metrics in [Prometheus format][prom-format].
+
+These metrics allow monitoring of the behavior of Envoy Gateway itself (as distinct from that of the EnvoyProxy it managed).
+
+{{% alert title="EnvoyProxy Metrics" color="warning" %}}
+For EnvoyProxy Metrics, please refer to the [EnvoyProxy Metrics](./proxy-metric) to learn more.
+{{% /alert %}}
+
+## Watching Components
+
+The Resource Provider, xDS Translator and Infra Manager etc. are key components that made up of Envoy Gateway,
+they all follow the design of [Watching Components](../../../contributions/design/watching).
+
+Envoy Gateway collects the following metrics in Watching Components:
+
+| Name | Description |
+|----------------------------------------|--------------------------------------------------------------|
+| `watchable_depth` | Current depth of watchable map. |
+| `watchable_subscribe_duration_seconds` | How long in seconds a subscribed watchable queue is handled. |
+| `watchable_subscribe_total` | Total number of subscribed watchable queue. |
+
+Each metric includes the `runner` label to identify the corresponding components,
+the relationship between label values and components is as follows:
+
+| Value | Components |
+|--------------------|---------------------------------|
+| `gateway-api` | Gateway API Translator |
+| `infrastructure` | Infrastructure Manager |
+| `xds-server` | xDS Server |
+| `xds-translator` | xDS Translator |
+| `global-ratelimit` | Global RateLimit xDS Translator |
+
+Metrics may include one or more additional labels, such as `message`, `status` and `reason` etc.
+
+## Status Updater
+
+Envoy Gateway monitors the status updates of various resources (like `GatewayClass`, `Gateway` and `HTTPRoute` etc.) through Status Updater.
+
+Envoy Gateway collects the following metrics in Status Updater:
+
+| Name | Description |
+|----------------------------------|------------------------------------------------|
+| `status_update_total` | Total number of status update by object kind. |
+| `status_update_duration_seconds` | How long a status update takes to finish. |
+
+Each metric includes `kind` label to identify the corresponding resources.
+
+## xDS Server
+
+Envoy Gateway monitors the cache and xDS connection status in xDS Server.
+
+Envoy Gateway collects the following metrics in xDS Server:
+
+| Name | Description |
+|-------------------------------|--------------------------------------------------------|
+| `xds_snapshot_create_total` | Total number of xds snapshot cache creates. |
+| `xds_snapshot_update_total` | Total number of xds snapshot cache updates by node id. |
+| `xds_stream_duration_seconds` | How long a xds stream takes to finish. |
+
+- For xDS snapshot cache update and xDS stream connection status, each metric includes `nodeID` label to identify the connection peer.
+- For xDS stream connection status, each metric also includes `streamID` label to identify the connection stream, and `isDeltaStream` label to identify the delta connection stream.
+
+## Infrastructure Manager
+
+Envoy Gateway monitors the `apply` (`create` or `update`) and `delete` operations in Infrastructure Manager.
+
+Envoy Gateway collects the following metrics in Infrastructure Manager:
+
+| Name | Description |
+|------------------------------------|---------------------------------------------------------|
+| `resource_apply_total` | Total number of applied resources. |
+| `resource_apply_duration_seconds` | How long in seconds a resource be applied successfully. |
+| `resource_delete_total` | Total number of deleted resources. |
+| `resource_delete_duration_seconds` | How long in seconds a resource be deleted successfully.
|
+
+Each metric includes the `kind` label to identify the corresponding resources being applied or deleted by Infrastructure Manager.
+
+Metrics may also include `name` and `namespace` label to identify the name and namespace of corresponding Infrastructure Manager.
+
+## Wasm
+
+Envoy Gateway monitors the status of Wasm remote fetch cache.
+
+| Name | Description |
+|---------------------------|--------------------------------------------------|
+| `wasm_cache_entries` | Number of Wasm remote fetch cache entries. |
+| `wasm_cache_lookup_total` | Total number of Wasm remote fetch cache lookups. |
+| `wasm_remote_fetch_total` | Total number of Wasm remote fetches and results. |
+
+For metric `wasm_cache_lookup_total`, we are using `hit` label (boolean) to indicate whether the Wasm cache has been hit.
+
+
+[prom-format]: https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format
diff --git a/site/content/en/v1.2/tasks/observability/gateway-observability.md b/site/content/en/v1.2/tasks/observability/gateway-observability.md
new file mode 100644
index 00000000000..f23eb9097cf
--- /dev/null
+++ b/site/content/en/v1.2/tasks/observability/gateway-observability.md
@@ -0,0 +1,168 @@ +--- +title: "Gateway Observability" +--- + +Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances. +This task show you how to config gateway control-plane observability, includes metrics. + +## Prerequisites + +{{< boilerplate o11y_prerequisites >}} + +## Metrics + +The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it +using a `ConfigMap`. In this section, we will update this resource to enable various ways to retrieve metrics +from Envoy Gateway. + +{{% alert title="Exported Metrics" color="warning" %}} +Refer to the [Gateway Exported Metrics List](./gateway-exported-metrics) to learn more about Envoy Gateway's Metrics. +{{% /alert %}} + +### Retrieve Prometheus Metrics from Envoy Gateway + +By default, prometheus metric is enabled. You can directly retrieve metrics from Envoy Gateway: + +```shell +export ENVOY_POD_NAME=$(kubectl get pod -n envoy-gateway-system --selector=control-plane=envoy-gateway,app.kubernetes.io/instance=eg -o jsonpath='{.items[0].metadata.name}') +kubectl port-forward pod/$ENVOY_POD_NAME -n envoy-gateway-system 19001:19001 + +# check metrics +curl localhost:19001/metrics +``` + +The following is an example to disable prometheus metric for Envoy Gateway. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +### Enable Open Telemetry sink in Envoy Gateway + +The following is an example to send metric via Open Telemetry sink to OTEL gRPC Collector. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +Verify OTel-Collector metrics: + +```shell +export OTEL_POD_NAME=$(kubectl get pod -n monitoring --selector=app.kubernetes.io/name=opentelemetry-collector -o jsonpath='{.items[0].metadata.name}') +kubectl port-forward pod/$OTEL_POD_NAME -n monitoring 19001:19001 + +# check metrics +curl localhost:19001/metrics +``` + +[EnvoyGateway]: ../../api/extension_types#envoygateway diff --git a/site/content/en/v1.2/tasks/observability/grafana-integration.md b/site/content/en/v1.2/tasks/observability/grafana-integration.md new file mode 100644 index 00000000000..259f6958bf0 --- /dev/null +++ b/site/content/en/v1.2/tasks/observability/grafana-integration.md 
@@ -0,0 +1,87 @@
+---
+title: "Visualising metrics using Grafana"
+---
+
+Envoy Gateway provides support for exposing Envoy Gateway and Envoy Proxy metrics to a Prometheus instance.
+This task shows you how to visualise the metrics exposed to Prometheus using Grafana.
+
+## Prerequisites
+
+{{< boilerplate o11y_prerequisites >}}
+
+Follow the steps from the [Gateway Observability](./gateway-observability) and [Proxy Metrics](./proxy-metric) to enable Prometheus metrics
+for both Envoy Gateway (Control Plane) and Envoy Proxy (Data Plane).
+
+Expose endpoints:
+
+```shell
+GRAFANA_IP=$(kubectl get svc grafana -n monitoring -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+```
+
+## Connecting Grafana with Prometheus datasource
+
+To visualise metrics from Prometheus, we have to connect Grafana with Prometheus. If you installed Grafana follow the command
+from prerequisites sections, the Prometheus datasource should be already configured.
+
+You can also add the datasource manually by following the instructions from [Grafana Docs](https://grafana.com/docs/grafana/latest/datasources/prometheus/configure-prometheus-data-source/).
+
+## Accessing Grafana
+
+You can access the Grafana instance by visiting `http://{GRAFANA_IP}`, derived in prerequisites.
+
+To log in to Grafana, use the credentials `admin:admin`.
+
+Envoy Gateway has examples of dashboard for you to get started, you can check them out under `Dashboards/envoy-gateway`.
+
+If you'd like import Grafana dashboards on your own, please refer to Grafana docs for [importing dashboards](https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#import-a-dashboard).
+
+### Envoy Proxy Global
+
+This dashboard example shows the overall downstream and upstream stats for each Envoy Proxy instance.
+
+![Envoy Proxy Global](/img/envoy-proxy-global-dashboard.png)
+
+### Envoy Clusters
+
+This dashboard example shows the overall stats for each cluster from Envoy Proxy fleet.
+
+![Envoy Clusters](/img/envoy-clusters-dashboard.png)
+
+### Envoy Gateway Global
+
+This dashboard example shows the overall stats exported by Envoy Gateway fleet.
+
+![Envoy Gateway Global: Watching Components](/img/envoy-gateway-global-watching-components.png)
+
+![Envoy Gateway Global: Status Updater](/img/envoy-gateway-global-status-updater.png)
+
+![Envoy Gateway Global: xDS Server](/img/envoy-gateway-global-xds-server.png)
+
+![Envoy Gateway Global: Infrastructure Manager](/img/envoy-gateway-global-infra-manager.png)
+
+### Resources Monitor
+
+This dashboard example shows the overall resources stats for both Envoy Gateway and Envoy Proxy fleet.
+
+![Envoy Gateway Resources](/img/resources-monitor-dashboard.png)
+
+## Update Dashboards
+
+All dashboards of Envoy Gateway are maintained under `charts/gateway-addons-helm/dashboards`,
+feel free to make [contributions](../../../contributions/CONTRIBUTING).
+
+### Grafonnet
+
+Newer dashboards are generated with [Jsonnet](https://jsonnet.org/) with the [Grafonnet](https://grafana.github.io/grafonnet/index.html).
+This is the preferred method for any new dashboards.
+
+You can run `make helm-generate.gateway-addons-helm` to generate new version of dashboards.
+All the generated dashboards have a `.gen.json` suffix.
+
+### Legacy Dashboards
+
+Many of our older dashboards are manually created in the UI and exported as JSON and checked in.
+
+These example dashboards cannot be updated in-place by default, if you are trying to
+make some changes to the older dashboards, you can save them directly as a JSON file
+and then re-import.
diff --git a/site/content/en/v1.2/tasks/observability/proxy-accesslog.md b/site/content/en/v1.2/tasks/observability/proxy-accesslog.md
new file mode 100644
index 00000000000..17d444b8636
--- /dev/null
+++ b/site/content/en/v1.2/tasks/observability/proxy-accesslog.md
@@ -0,0 +1,310 @@
+---
+title: "Proxy Access Logs"
+---
+
+Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances.
+This task show you how to config proxy access logs.
+
+## Prerequisites
+
+{{< boilerplate o11y_prerequisites >}}
+
+By default, the Service type of `loki` is ClusterIP, you can change it to LoadBalancer type for further usage:
+
+```shell
+kubectl patch service loki -n monitoring -p '{"spec": {"type": "LoadBalancer"}}'
+```
+
+Expose endpoints:
+
+```shell
+LOKI_IP=$(kubectl get svc loki -n monitoring -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+```
+
+## Default Access Log
+
+If custom format string is not specified, Envoy Gateway uses the following default format:
+
+```json
+{
+ "start_time": "%START_TIME%",
+ "method": "%REQ(:METHOD)%",
+ "x-envoy-origin-path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
+ "protocol": "%PROTOCOL%",
+ "response_code": "%RESPONSE_CODE%",
+ "response_flags": "%RESPONSE_FLAGS%",
+ "response_code_details": "%RESPONSE_CODE_DETAILS%",
+ "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
+ "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
+ "bytes_received": "%BYTES_RECEIVED%",
+ "bytes_sent": "%BYTES_SENT%",
+ "duration": "%DURATION%",
+ "x-envoy-upstream-service-time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
+ "x-forwarded-for": "%REQ(X-FORWARDED-FOR)%",
+ "user-agent": "%REQ(USER-AGENT)%",
+ "x-request-id": "%REQ(X-REQUEST-ID)%",
+ ":authority": "%REQ(:AUTHORITY)%",
+ "upstream_host": "%UPSTREAM_HOST%",
+ "upstream_cluster": "%UPSTREAM_CLUSTER%",
+ "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
+ "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
+ "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",
+ "requested_server_name": "%REQUESTED_SERVER_NAME%",
+ "route_name": "%ROUTE_NAME%"
+}
+```
+
+> Note: Envoy Gateway disable envoy headers by default, you can enable it by setting `EnableEnvoyHeaders` to `true`
in the [ClientTrafficPolicy](../../api/extension_types#backendtrafficpolicy) CRD. + + +Verify logs from loki: + +```shell +curl -s "http://$LOKI_IP:3100/loki/api/v1/query_range" --data-urlencode "query={job=\"fluentbit\"}" | jq '.data.result[0].values' +``` + +## Disable Access Log + +If you want to disable it, set the `telemetry.accesslog.disable` to `true` in the `EnvoyProxy` CRD. + +```shell +kubectl apply -f - <}} + +## Metrics + +By default, Envoy Gateway expose metrics with prometheus endpoint. + +Verify metrics: + +```shell +export ENVOY_POD_NAME=$(kubectl get pod -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +kubectl port-forward pod/$ENVOY_POD_NAME -n envoy-gateway-system 19001:19001 + +# check metrics +curl localhost:19001/stats/prometheus | grep "default/backend/rule/0" +``` + +You can disable metrics by setting the `telemetry.metrics.prometheus.disable` to `true` in the `EnvoyProxy` CRD. + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/metric/disable-prometheus.yaml +``` + +Envoy Gateway can send metrics to OpenTelemetry Sink. +Send metrics to OTel-Collector: + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/metric/otel-sink.yaml +``` + +Verify OTel-Collector metrics: + +```shell +export OTEL_POD_NAME=$(kubectl get pod -n monitoring --selector=app.kubernetes.io/name=opentelemetry-collector -o jsonpath='{.items[0].metadata.name}') +kubectl port-forward pod/$OTEL_POD_NAME -n monitoring 19001:19001 + +# check metrics +curl localhost:19001/metrics | grep "default/backend/rule/0" +``` diff --git a/site/content/en/v1.2/tasks/observability/proxy-trace.md b/site/content/en/v1.2/tasks/observability/proxy-trace.md new file mode 100644 index 00000000000..39243d329bc --- /dev/null 
+++ b/site/content/en/v1.2/tasks/observability/proxy-trace.md 
@@ -0,0 +1,293 @@ +--- +title: "Proxy Tracing" +--- + +Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances. +This task show you how to config proxy tracing. + +## Prerequisites + +{{< boilerplate o11y_prerequisites >}} + +Expose Tempo endpoints: + +```shell +TEMPO_IP=$(kubectl get svc tempo -n monitoring -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +## Traces + +By default, Envoy Gateway doesn't send traces to any sink. +You can enable traces by setting the `telemetry.tracing` in the [EnvoyProxy][envoy-proxy-crd] CRD. +Currently, Envoy Gateway support OpenTelemetry, [Zipkin](../../api/extension_types#zipkintracingprovider) and Datadog tracer. + +### Tracing Provider + +The following configurations show how to apply proxy with different providers: + +{{< tabpane text=true >}} +{{% tab header="OpenTelemetry" %}} + +```shell +kubectl apply -f - <}} + +Query trace by trace id: + +```shell +curl -s "http://$TEMPO_IP:3100/api/traces/" | jq +``` + + +### Sampling Rate + +Envoy Gateway use 100% sample rate, which means all requests will be traced. +This may cause performance issues when traffic is very high, you can adjust +the sample rate by setting the `telemetry.tracing.samplingRate` in the [EnvoyProxy][envoy-proxy-crd] CRD. + +The following configurations show how to apply proxy with 1% sample rates: + +```shell +kubectl apply -f - <}} + +Follow the steps from the [Global Rate Limit](../traffic/global-rate-limit) to install RateLimit. + +## Traces + +By default, the Envoy Gateway does not configure RateLimit to send traces to the OpenTelemetry Sink. +You can configure the collector in the `rateLimit.telemetry.tracing` of the `EnvoyGateway`CRD. + +RateLimit uses the OpenTelemetry Exporter to export traces to the collector. +You can configure a collector that supports the OTLP protocol, which includes but is not limited to: OpenTelemetry Collector, Jaeger, Zipkin, and so on. 
+ +***Note:*** + +* By default, the Envoy Gateway configures a `100%` sampling rate for RateLimit, which may lead to performance issues. + +Assuming the OpenTelemetry Collector is running in the `observability` namespace, and it has a service named `otel-svc`, +we only want to sample `50%` of the trace data. We would configure it as follows: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} diff --git a/site/content/en/v1.2/tasks/operations/_index.md b/site/content/en/v1.2/tasks/operations/_index.md new file mode 100644 index 00000000000..d87097c7d1e --- /dev/null +++ b/site/content/en/v1.2/tasks/operations/_index.md @@ -0,0 +1,5 @@ +--- +title: "Operations" +weight: 4 +description: This section includes Operations tasks. +--- diff --git a/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md new file mode 100644 index 00000000000..892c3496ff0 --- /dev/null +++ b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md 
@@ -0,0 +1,1008 @@ +--- +title: "Customize EnvoyProxy" +--- + +Envoy Gateway provides an [EnvoyProxy][] CRD that can be linked to the ParametersRef +in a Gateway and GatewayClass, allowing cluster admins to customize the managed EnvoyProxy Deployment and +Service. To learn more about GatewayClass and ParametersRef, please refer to [Gateway API documentation][]. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +Before you start, you need to add `Infrastructure.ParametersRef` in Gateway, and refer to EnvoyProxy Config: +**Note**: `MergeGateways` cannot be set to `true` in your EnvoyProxy config if attaching to the Gateway. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can also attach the EnvoyProxy resource to the GatewayClass using the `parametersRef` field. +This configuration is discouraged if you plan on creating multiple Gateways linking to the same +GatewayClass and would like different infrastructure configurations for each of them. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Customize EnvoyProxy Deployment Replicas + +You can customize the EnvoyProxy Deployment Replicas via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After you apply the config, you should see the replicas of envoyproxy changes to 2. +And also you can dynamically change the value. + +``` shell +kubectl get deployment -l gateway.envoyproxy.io/owning-gateway-name=eg -n envoy-gateway-system +``` + +## Customize EnvoyProxy Image + +You can customize the EnvoyProxy Image via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, you can get the deployment image, and see it has changed. 
+ +## Customize EnvoyProxy Pod Annotations + +You can customize the EnvoyProxy Pod Annotations via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, you can get the envoyproxy pods, and see new annotations has been added. + +## Customize EnvoyProxy Deployment Resources + +You can customize the EnvoyProxy Deployment Resources via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Customize EnvoyProxy Deployment Env + +You can customize the EnvoyProxy Deployment Env via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +> Envoy Gateway has provided two initial `env` `ENVOY_GATEWAY_NAMESPACE` and `ENVOY_POD_NAME` for envoyproxy container. + +After applying the config, you can get the envoyproxy deployment, and see resources has been changed. + +## Customize EnvoyProxy Deployment Volumes or VolumeMounts + +You can customize the EnvoyProxy Deployment Volumes or VolumeMounts via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, you can get the envoyproxy deployment, and see resources has been changed. + +## Customize EnvoyProxy Service Annotations + +You can customize the EnvoyProxy Service Annotations via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, you can get the envoyproxy service, and see annotations has been added. + +## Customize EnvoyProxy Bootstrap Config + +You can customize the EnvoyProxy bootstrap config via EnvoyProxy Config. +There are two ways to customize it: + +* Replace: the whole bootstrap config will be replaced by the config you provided. +* Merge: the config you provided will be merged into the default bootstrap config. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can use [egctl translate][] +to get the default xDS Bootstrap configuration used by Envoy Gateway. + +After applying the config, the bootstrap config will be overridden by the new config you provided. +Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. +You can also validate this configuration using [egctl translate][]. + +## Customize EnvoyProxy Horizontal Pod Autoscaler + +You can enable [Horizontal Pod Autoscaler](https://github.com/envoyproxy/gateway/issues/703) for EnvoyProxy Deployment. However, before enabling the HPA for EnvoyProxy, please ensure that the [metrics-server](https://github.com/kubernetes-sigs/metrics-server) component is installed in the cluster. + +Once confirmed, you can apply it via EnvoyProxy Config as shown below: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, the EnvoyProxy HPA (Horizontal Pod Autoscaler) is generated. However, upon activating the EnvoyProxy's HPA, the Envoy Gateway will no longer reference the `replicas` field specified in the `envoyDeployment`, as outlined [here](#customize-envoyproxy-deployment-replicas). + +## Customize EnvoyProxy Command line options + +You can customize the EnvoyProxy Command line options via `spec.extraArgs` in EnvoyProxy Config. +For example, the following configuration will add `--disable-extensions` arg in order to disable `envoy.access_loggers/envoy.access_loggers.wasm` extension: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Customize EnvoyProxy with Patches + +You can customize the EnvoyProxy using patches. 
+ +### Patching Deployment for EnvoyProxy + +For example, the following configuration will add resource limits to the `envoy` and the `shutdown-manager` containers in the `envoyproxy` deployment: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the configuration, you will see the change in both containers in the `envoyproxy` deployment. + +### Patching Service for EnvoyProxy + +For example, the following configuration will add an annotation for the `envoyproxy` service: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the configuration, you will see the `custom-annotation: foobar` has been added to the `envoyproxy` service. + +## Customize Filter Order + +Under the hood, Envoy Gateway uses a series of [Envoy HTTP filters](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/http_filters) +to process HTTP requests and responses, and to apply various policies. + +By default, Envoy Gateway applies the following filters in the order shown: +* envoy.filters.http.fault +* envoy.filters.http.cors +* envoy.filters.http.ext_authz +* envoy.filters.http.basic_authn +* envoy.filters.http.oauth2 +* envoy.filters.http.jwt_authn +* envoy.filters.http.ext_proc +* envoy.filters.http.wasm +* envoy.filters.http.rbac +* envoy.filters.http.local_ratelimit +* envoy.filters.http.ratelimit +* envoy.filters.http.router + +The default order in which these filters are applied is opinionated and may not suit all use cases. +To address this, Envoy Gateway allows you to adjust the execution order of these filters with the `filterOrder` field in the [EnvoyProxy][] resource. + +`filterOrder` is a list of customized filter order configurations. Each configuration can specify a filter +name and a filter to place it before or after. These configurations are applied in the order they are listed. 
+If a filter occurs in multiple configurations, the final order is the result of applying all these configurations in order. +To avoid conflicts, it is recommended to only specify one configuration per filter. + +For example, the following configuration moves the `envoy.filters.http.wasm` filter before the `envoy.filters.http.jwt_authn` +filter and the `envoy.filters.http.cors` filter after the `envoy.filters.http.basic_authn` filter: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +[Gateway API documentation]: https://gateway-api.sigs.k8s.io/ +[EnvoyProxy]: ../../../api/extension_types#envoyproxy +[egctl translate]: ../egctl/#validating-gateway-api-configuration diff --git a/site/content/en/v1.2/tasks/operations/deployment-mode.md b/site/content/en/v1.2/tasks/operations/deployment-mode.md new file mode 100644 index 00000000000..c50d65b2863 --- /dev/null +++ b/site/content/en/v1.2/tasks/operations/deployment-mode.md 
@@ -0,0 +1,1072 @@ +--- +title: "Deployment Mode" +--- +## Deployment modes + +### One GatewayClass per Envoy Gateway Controller +* An Envoy Gateway is associated with a single [GatewayClass][] resource under one controller. +This is the simplest deployment mode and is suitable for scenarios where each Gateway needs to have its own dedicated set of resources and configurations. + +### Multiple GatewayClasses per Envoy Gateway Controller +* An Envoy Gateway is associated with multiple [GatewayClass][] resources under one controller. +* Support for accepting multiple GatewayClasses was added [here][issue1231]. + +### Separate Envoy Gateway Controllers +If you've instantiated multiple GatewayClasses, you can also run separate Envoy Gateway controllers in different namespaces, linking a GatewayClass to each of them for multi-tenancy. +Please follow the example [Multi-tenancy](#multi-tenancy). + +### Merged Gateways onto a single EnvoyProxy fleet +By default, each Gateway has its own dedicated set of Envoy Proxy and its configurations. +However, for some deployments, it may be more convenient to merge listeners across multiple Gateways and deploy a single Envoy Proxy fleet. + +This can help to efficiently utilize the infra resources in the cluster and manage them in a centralized manner, or have a single IP address for all of the listeners. +Setting the `mergeGateways` field in the EnvoyProxy resource linked to GatewayClass will result in merging all Gateway listeners under one GatewayClass resource. + +* The tuple of port, protocol, and hostname must be unique across all Listeners. + +Please follow the example [Merged gateways deployment](#merged-gateways-deployment). + +### Supported Modes + +#### Kubernetes + +* The default deployment model is - Envoy Gateway **watches** for resources such a `Service` & `HTTPRoute` in **all** namespaces +and **creates** managed data plane resources such as EnvoyProxy `Deployment` in the **namespace where Envoy Gateway is running**. 
+* Envoy Gateway also supports [Namespaced deployment mode][], you can watch resources in the specific namespaces by assigning +`EnvoyGateway.provider.kubernetes.watch.namespaces` or `EnvoyGateway.provider.kubernetes.watch.namespaceSelector` and **creates** managed data plane resources in the **namespace where Envoy Gateway is running**. +* Support for alternate deployment modes is being tracked [here][issue1117]. + +### Multi-tenancy + +#### Kubernetes + +* A `tenant` is a group within an organization (e.g. a team or department) who shares organizational resources. We recommend +each `tenant` deploy their own Envoy Gateway controller in their respective `namespace`. Below is an example of deploying Envoy Gateway +by the `marketing` and `product` teams in separate namespaces. + +* Lets deploy Envoy Gateway in the `marketing` namespace and also watch resources only in this namespace. We are also setting the controller name to a unique string here `gateway.envoyproxy.io/marketing-gatewayclass-controller`. + +```shell +helm install \ +--set config.envoyGateway.gateway.controllerName=gateway.envoyproxy.io/marketing-gatewayclass-controller \ +--set config.envoyGateway.provider.kubernetes.watch.type=Namespaces \ +--set config.envoyGateway.provider.kubernetes.watch.namespaces={marketing} \ +eg-marketing oci://docker.io/envoyproxy/gateway-helm \ +--version {{< helm-version >}} -n marketing --create-namespace +``` + +Lets create a `GatewayClass` linked to the marketing team's Envoy Gateway controller, and as well other resources linked to it, so the `backend` application operated by this team can be exposed to external clients. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Lets port forward to the generated envoy proxy service in the `marketing` namespace and send a request to it. 
+ +```shell +export ENVOY_SERVICE=$(kubectl get svc -n marketing --selector=gateway.envoyproxy.io/owning-gateway-namespace=marketing,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +kubectl -n marketing port-forward service/${ENVOY_SERVICE} 8888:8080 & +``` + +```shell +curl --verbose --header "Host: www.marketing.example.com" http://localhost:8888/get +``` + +```console +* Trying 127.0.0.1:8888... +* Connected to localhost (127.0.0.1) port 8888 (#0) +> GET /get HTTP/1.1 +> Host: www.marketing.example.com +> User-Agent: curl/7.86.0 +> Accept: */* +> +Handling connection for 8888 +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Thu, 20 Apr 2023 19:19:42 GMT +< content-length: 521 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +{ + "path": "/get", + "host": "www.marketing.example.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.86.0" + ], + "X-Envoy-Expected-Rq-Timeout-Ms": [ + "15000" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "10.1.0.157" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "c637977c-458a-48ae-92b3-f8c429849322" + ] + }, + "namespace": "marketing", + "ingress": "", + "service": "", + "pod": "backend-74888f465f-bcs8f" +* Connection #0 to host localhost left intact +``` + +* Lets deploy Envoy Gateway in the `product` namespace and also watch resources only in this namespace. 
+ +```shell +helm install \ +--set config.envoyGateway.gateway.controllerName=gateway.envoyproxy.io/product-gatewayclass-controller \ +--set config.envoyGateway.provider.kubernetes.watch.type=Namespaces \ +--set config.envoyGateway.provider.kubernetes.watch.namespaces={product} \ +eg-product oci://docker.io/envoyproxy/gateway-helm \ +--version {{< helm-version >}} -n product --create-namespace +``` + +Lets create a `GatewayClass` linked to the product team's Envoy Gateway controller, and as well other resources linked to it, so the `backend` application operated by this team can be exposed to external clients. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Lets port forward to the generated envoy proxy service in the `product` namespace and send a request to it. + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n product --selector=gateway.envoyproxy.io/owning-gateway-namespace=product,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +kubectl -n product port-forward service/${ENVOY_SERVICE} 8889:8080 & +``` + +```shell +curl --verbose --header "Host: www.product.example.com" http://localhost:8889/get +``` + +```shell +* Trying 127.0.0.1:8889... 
+* Connected to localhost (127.0.0.1) port 8889 (#0) +> GET /get HTTP/1.1 +> Host: www.product.example.com +> User-Agent: curl/7.86.0 +> Accept: */* +> +Handling connection for 8889 +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Thu, 20 Apr 2023 19:20:17 GMT +< content-length: 517 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +{ + "path": "/get", + "host": "www.product.example.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.86.0" + ], + "X-Envoy-Expected-Rq-Timeout-Ms": [ + "15000" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "10.1.0.156" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "39196453-2250-4331-b756-54003b2853c2" + ] + }, + "namespace": "product", + "ingress": "", + "service": "", + "pod": "backend-74888f465f-64fjs" +* Connection #0 to host localhost left intact +``` + +With the below command you can ensure that you are no able to access the marketing team's backend exposed using the `www.marketing.example.com` hostname +and the product team's data plane. + +```shell +curl --verbose --header "Host: www.marketing.example.com" http://localhost:8889/get +``` + +```console +* Trying 127.0.0.1:8889... 
+* Connected to localhost (127.0.0.1) port 8889 (#0) +> GET /get HTTP/1.1 +> Host: www.marketing.example.com +> User-Agent: curl/7.86.0 +> Accept: */* +> +Handling connection for 8889 +* Mark bundle as not supporting multiuse +< HTTP/1.1 404 Not Found +< date: Thu, 20 Apr 2023 19:22:13 GMT +< server: envoy +< content-length: 0 +< +* Connection #0 to host localhost left intact +``` + +### Merged gateways deployment + +In this example, we will deploy GatewayClass + +```shell +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: merged-eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: custom-proxy-config + namespace: envoy-gateway-system +``` + +with a referenced [EnvoyProxy][] resource configured to enable merged Gateways deployment mode. + +```shell +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: custom-proxy-config + namespace: envoy-gateway-system +spec: + mergeGateways: true +``` + +#### Deploy merged-gateways example + +Deploy resources on your cluster from the example. 
+ +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/merged-gateways.yaml +``` + +Verify that Gateways are deployed and programmed + +```shell +kubectl get gateways -n default + +NAMESPACE NAME CLASS ADDRESS PROGRAMMED AGE +default merged-eg-1 merged-eg 172.18.255.202 True 2m4s +default merged-eg-2 merged-eg 172.18.255.202 True 2m4s +default merged-eg-3 merged-eg 172.18.255.202 True 2m4s +``` + +Verify that HTTPRoutes are deployed + +```shell +kubectl get httproute -n default +NAMESPACE NAME HOSTNAMES AGE +default hostname1-route ["www.merged1.com"] 2m4s +default hostname2-route ["www.merged2.com"] 2m4s +default hostname3-route ["www.merged3.com"] 2m4s +``` + +If you take a look at the deployed Envoy Proxy service you would notice that all of the Gateway listeners ports are added to that service. + +```shell +kubectl get service -n envoy-gateway-system +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +envoy-gateway ClusterIP 10.96.141.4 18000/TCP,18001/TCP 6m43s +envoy-gateway-metrics-service ClusterIP 10.96.113.191 19001/TCP 6m43s +envoy-merged-eg-668ac7ae LoadBalancer 10.96.48.255 172.18.255.202 8081:30467/TCP,8082:31793/TCP,8080:31153/TCP 3m17s +``` + +There should be also one deployment (envoy-merged-eg-668ac7ae-775f9865d-55zhs) for every Gateway and its name should reference the name of the GatewayClass. 
+ +```shell +kubectl get pods -n envoy-gateway-system +NAME READY STATUS RESTARTS AGE +envoy-gateway-5d998778f6-wr6m9 1/1 Running 0 6m43s +envoy-merged-eg-668ac7ae-775f9865d-55zhs 2/2 Running 0 3m17s +``` + +#### Testing the Configuration + +Get the name of the merged gateways Envoy service: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gatewayclass=merged-eg -o jsonpath='{.items[0].metadata.name}') +``` + +Fetch external IP of the service: + +```shell +export GATEWAY_HOST=$(kubectl get svc/${ENVOY_SERVICE} -n envoy-gateway-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +In certain environments, the load balancer may be exposed using a hostname, instead of an IP address. If so, replace +`ip` in the above command with `hostname`. + +Curl the route hostname-route2 through Envoy proxy: + +```shell +curl --header "Host: www.merged2.com" http://$GATEWAY_HOST:8081/example2 +``` + +```shell +{ + "path": "/example2", + "host": "www.merged2.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.4.0" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "172.18.0.2" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "deed2767-a483-4291-9429-0e256ab3a65f" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "merged-backend-64ddb65fd7-ttv5z" +} +``` + +Curl the route hostname-route1 through Envoy proxy: + +```shell +curl --header "Host: www.merged1.com" http://$GATEWAY_HOST:8080/example +``` + +```shell +{ + "path": "/example", + "host": "www.merged1.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.4.0" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "172.18.0.2" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "20a53440-6327-4c3c-bc8b-8e79e7311043" + ] + }, + 
"namespace": "default", + "ingress": "", + "service": "", + "pod": "merged-backend-64ddb65fd7-ttv5z" +} +``` + +#### Verify deployment of multiple GatewayClass + +Install the GatewayClass, Gateway, HTTPRoute and example app from [Quickstart][] example: + +```shell +kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml -n default +``` + +Lets create also and additional `Gateway` linked to the GatewayClass and `backend` application from Quickstart example. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify that Gateways are deployed and programmed + +```shell +kubectl get gateways -n default +``` + +```shell +NAME CLASS ADDRESS PROGRAMMED AGE +eg eg 172.18.255.203 True 114s +eg-2 eg 172.18.255.204 True 89s +merged-eg-1 merged-eg 172.18.255.202 True 8m33s +merged-eg-2 merged-eg 172.18.255.202 True 8m33s +merged-eg-3 merged-eg 172.18.255.202 True 8m33s +``` + +Verify that HTTPRoutes are deployed + +```shell +kubectl get httproute -n default +``` + +```shell +NAMESPACE NAME HOSTNAMES AGE +default backend ["www.example.com"] 2m29s +default eg-2 ["www.quickstart.example.com"] 87s +default hostname1-route ["www.merged1.com"] 10m4s +default hostname2-route ["www.merged2.com"] 10m4s +default hostname3-route ["www.merged3.com"] 10m4s +``` + +Verify that services are now deployed separately. 
+ +```shell +kubectl get service -n envoy-gateway-system +``` + +```shell +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +envoy-default-eg-2-7e515b2f LoadBalancer 10.96.121.46 172.18.255.204 8080:32705/TCP 3m27s +envoy-default-eg-e41e7b31 LoadBalancer 10.96.11.244 172.18.255.203 80:31930/TCP 2m26s +envoy-gateway ClusterIP 10.96.141.4 18000/TCP,18001/TCP 14m25s +envoy-gateway-metrics-service ClusterIP 10.96.113.191 19001/TCP 14m25s +envoy-merged-eg-668ac7ae LoadBalancer 10.96.243.32 172.18.255.202 8082:31622/TCP,8080:32262/TCP,8081:32305/TCP 10m59s +``` + +There should be two deployments for each of newly deployed Gateway and its name should reference the name of the namespace and the Gateway. + +```shell +kubectl get pods -n envoy-gateway-system +``` + +```shell +NAME READY STATUS RESTARTS AGE +envoy-default-eg-2-7e515b2f-8c98fdf88-p6jhg 2/2 Running 0 3m27s +envoy-default-eg-e41e7b31-6f998d85d7-jpvmj 2/2 Running 0 2m26s +envoy-gateway-5d998778f6-wr6m9 1/1 Running 0 14m25s +envoy-merged-eg-668ac7ae-5958f7b7f6-9h9v2 2/2 Running 0 10m59s +``` + +#### Testing the Configuration + +Get the name of the merged gateways Envoy service: + +```shell +export DEFAULT_ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Fetch external IP of the service: + +```shell +export DEFAULT_GATEWAY_HOST=$(kubectl get svc/${DEFAULT_ENVOY_SERVICE} -n envoy-gateway-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +``` + +Curl the route Quickstart backend route through Envoy proxy: + +```shell +curl --header "Host: www.example.com" http://$DEFAULT_GATEWAY_HOST +``` + +```shell +{ + "path": "/", + "host": "www.example.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.4.0" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "172.18.0.2" + ], + 
"X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "70a40595-67a1-4776-955b-2dee361baed7" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-96f75bbf-6w67z" +} +``` + +Curl the route hostname-route3 through Envoy proxy: + +```shell +curl --header "Host: www.merged3.com" http://$GATEWAY_HOST:8082/example3 +``` + +```shell +{ + "path": "/example3", + "host": "www.merged3.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/8.4.0" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "172.18.0.2" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "47aeaef3-abb5-481a-ab92-c2ae3d0862d6" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "merged-backend-64ddb65fd7-k84gv" +} +``` + +[Quickstart]: ../quickstart.md +[EnvoyProxy]: ../../api/extension_types#envoyproxy +[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/ +[Namespaced deployment mode]: ../../api/extension_types#kuberneteswatchmode +[issue1231]: https://github.com/envoyproxy/gateway/issues/1231 +[issue1117]: https://github.com/envoyproxy/gateway/issues/1117 diff --git a/site/content/en/v1.2/tasks/operations/egctl.md b/site/content/en/v1.2/tasks/operations/egctl.md new file mode 100644 index 00000000000..36c1f9979e2 --- /dev/null +++ b/site/content/en/v1.2/tasks/operations/egctl.md 
@@ -0,0 +1,906 @@ +--- +title: "Use egctl" +--- + +`egctl` is a command line tool to provide additional functionality for Envoy Gateway users. + +## egctl experimental translate + +This subcommand allows users to translate from an input configuration type to an output configuration type. + +The `translate` subcommand can translate Kubernetes resources to: +* Gateway API resources + This is useful in order to see how validation would occur if these resources were applied to Kubernetes. + + Use the `--to gateway-api` parameter to translate to Gateway API resources. + +* Envoy Gateway intermediate representation (IR) + This represents Envoy Gateway's translation of the Gateway API resources. + + Use the `--to ir` parameter to translate to Envoy Gateway intermediate representation. + +* Envoy Proxy xDS + This is the xDS configuration provided to Envoy Proxy. + + Use the `--to xds` parameter to translate to Envoy Proxy xDS. + + +In the below example, we will translate the Kubernetes resources (including the Gateway API resources) into xDS +resources. + +```shell +cat < Note: If CRDs are already installed, then we need to specify `--skip-crds` to avoid repeated installation of CRDs resources. + +```bash +egctl x install --name shop-backend --namespace shop +``` + + +## egctl experimental uninstall + +This subcommand can be used to uninstall envoy-gateway. + +```bash +egctl x uninstall +``` + +By default, this will only uninstall the envoy-gateway workload resource, if we want to also uninstall CRDs, we need to specify `--with-crds` + +```bash +egctl x uninstall --with-crds +``` \ No newline at end of file diff --git a/site/content/en/v1.2/tasks/quickstart.md b/site/content/en/v1.2/tasks/quickstart.md new file mode 100644 index 00000000000..e1943c21e92 --- /dev/null +++ b/site/content/en/v1.2/tasks/quickstart.md 
@@ -0,0 +1,130 @@ +--- +title: "Quickstart" +weight: 1 +description: Get started with Envoy Gateway in a few simple steps. +--- + +This "quick start" will help you get started with Envoy Gateway in a few simple steps. + +## Prerequisites + +A Kubernetes cluster. + +__Note:__ Refer to the [Compatibility Matrix](/news/releases/matrix) for supported Kubernetes versions. + +__Note:__ In case your Kubernetes cluster does not have a LoadBalancer implementation, we recommend installing one +so the `Gateway` resource has an Address associated with it. We recommend using [MetalLB](https://metallb.universe.tf/installation/). + +__Note:__ For Mac user, you need install and run [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to make the Docker network work. + +## Installation + +Install the Gateway API CRDs and Envoy Gateway: + +```shell +helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace +``` + +Wait for Envoy Gateway to become available: + +```shell +kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available +``` + +Install the GatewayClass, Gateway, HTTPRoute and example app: + +```shell +kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml -n default +``` + +**Note**: [`quickstart.yaml`] defines that Envoy Gateway will listen for +traffic on port 80 on its globally-routable IP address, to make it easy to use +browsers to test Envoy Gateway. When Envoy Gateway sees that its Listener is +using a privileged port (<1024), it will map this internally to an +unprivileged port, so that Envoy Gateway doesn't need additional privileges. +It's important to be aware of this mapping, since you may need to take it into +consideration when debugging. 
+ +[`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml + +## Testing the Configuration + +{{< tabpane text=true >}} +{{% tab header="With External LoadBalancer Support" %}} + +You can also test the same functionality by sending traffic to the External IP. To get the external IP of the +Envoy service, run: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +In certain environments, the load balancer may be exposed using a hostname, instead of an IP address. If so, replace +`ip` in the above command with `hostname`. + +Curl the example app through Envoy proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get +``` + +{{% /tab %}} +{{% tab header="Without LoadBalancer Support" %}} + +Get the name of the Envoy service created the by the example Gateway: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Port forward to the Envoy service: + +```shell +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8888:80 & +``` + +Curl the example app through Envoy proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://localhost:8888/get +``` + +{{% /tab %}} +{{< /tabpane >}} + +## What to explore next? + +In this quickstart, you have: +- Installed Envoy Gateway +- Deployed a backend service, and a gateway +- Configured the gateway using Kubernetes Gateway API resources [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) and [HttpRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) to direct incoming requests over HTTP to the backend service. 
+ +Here is a suggested list of follow-on tasks to guide you in your exploration of Envoy Gateway: + +- [HTTP Routing](traffic/http-routing) +- [Traffic Splitting](traffic/http-traffic-splitting) +- [Secure Gateways](security/secure-gateways/) +- [Global Rate Limit](traffic/global-rate-limit/) +- [gRPC Routing](traffic/grpc-routing/) + +Review the [Tasks](./) section for the scenario matching your use case. The Envoy Gateway tasks are organized by category: traffic management, security, extensibility, observability, and operations. + +## Clean-Up + +Use the steps in this section to uninstall everything from the quickstart. + +Delete the GatewayClass, Gateway, HTTPRoute and Example App: + +```shell +kubectl delete -f https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml --ignore-not-found=true +``` + +Delete the Gateway API CRDs and Envoy Gateway: + +```shell +helm uninstall eg -n envoy-gateway-system +``` + +## Next Steps + +Checkout the [Developer Guide](../../contributions/develop) to get involved in the project. diff --git a/site/content/en/v1.2/tasks/security/_index.md b/site/content/en/v1.2/tasks/security/_index.md new file mode 100644 index 00000000000..0e6a64144a7 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/_index.md @@ -0,0 +1,5 @@ +--- +title: "Security" +weight: 2 +description: This section includes Security tasks. +--- diff --git a/site/content/en/v1.2/tasks/security/backend-mtls.md b/site/content/en/v1.2/tasks/security/backend-mtls.md new file mode 100644 index 00000000000..1d91c7a95f8 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/backend-mtls.md 
@@ -0,0 +1,200 @@ +--- +title: "Backend Mutual TLS: Gateway to Backend" +--- + +This task demonstrates how mTLS can be achieved between the Gateway and a backend. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. + +Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][] to establish TLS. For mTLS, the Gateway must authenticate by presenting a client certificate to the backend. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +Follow the steps from the [Backend TLS][] to install Envoy Gateway and configure TLS to the backend server. + +## TLS Certificates + +Generate the certificates and keys used by the Gateway for authentication against the backend. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout clientca.key -out clientca.crt +``` + +Create a certificate and a private key for `www.example.com`: + +```shell +openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=example-client/O=example organization" +openssl x509 -req -days 365 -CA clientca.crt -CAkey clientca.key -set_serial 0 -in client.csr -out client.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl -n envoy-gateway-system create secret tls example-client-cert --key=client.key --cert=client.crt +``` + +Store the CA Cert in another Secret: + +```shell +kubectl create configmap example-client-ca --from-file=clientca.crt +``` + +## Enforce Client Certificate Authentication on the backend + +Patch the existing quickstart backend to enforce Client Certificate Authentication. The patch will mount the server certificate and key required for TLS, and the CA certificate into the backend as volumes. 
+ +```shell +kubectl patch deployment backend --type=json --patch ' + - op: add + path: /spec/template/spec/containers/0/volumeMounts + value: + - name: client-certs-volume + mountPath: /etc/client-certs + - name: secret-volume + mountPath: /etc/secret-volume + - op: add + path: /spec/template/spec/volumes + value: + - name: client-certs-volume + configMap: + name: example-client-ca + items: + - key: clientca.crt + path: crt + - name: secret-volume + secret: + secretName: example-cert + items: + - key: tls.crt + path: crt + - key: tls.key + path: key + - op: add + path: /spec/template/spec/containers/0/env/- + value: + name: TLS_CLIENT_CACERTS + value: /etc/client-certs/crt + ' +``` + +## Configure Envoy Proxy to use a client certificate + +In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters such as TLS Client Certificate. +To achieve this, the [EnvoyProxy][] resource can be used to specify a TLS Client Certificate. + +First, you need to add ParametersRef in GatewayClass, and refer to EnvoyProxy Config: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Testing mTLS + +Query the TLS-enabled backend through Envoy proxy: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ +http://www.example.com:80/get +``` + +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. +The response now contains a "peerCertificates" attribute that reflects the client certificate used by the Gateway to establish mTLS with the backend. + +```shell +< HTTP/1.1 200 OK +[...] 
+ "tls": { + "version": "TLSv1.2", + "serverName": "www.example.com", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + "peerCertificates": ["-----BEGIN CERTIFICATE-----\n[...]-----END CERTIFICATE-----\n"] + } +``` + +[Backend TLS]: ./backend-tls +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[EnvoyProxy]: ../../api/extension_types#envoyproxy \ No newline at end of file diff --git a/site/content/en/v1.2/tasks/security/backend-tls.md b/site/content/en/v1.2/tasks/security/backend-tls.md new file mode 100644 index 00000000000..7fca5ef8477 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/backend-tls.md 
@@ -0,0 +1,408 @@ +--- +title: "Backend TLS: Gateway to Backend" +--- + +This task demonstrates how TLS can be achieved between the Gateway and a backend. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. + +Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## TLS Certificates + +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt +``` + +Create a certificate and a private key for `www.example.com`. + +First, create an openssl configuration file: + +```shell +cat > openssl.conf <}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Create a [BackendTLSPolicy][] instructing Envoy Gateway to establish a TLS connection with the backend and validate the backend certificate is issued by a trusted CA and contains an appropriate DNS SAN. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Patch the HTTPRoute's backend reference, so that it refers to the new TLS-enabled service: + +```shell +kubectl patch HTTPRoute backend --type=json --patch ' + - op: replace + path: /spec/rules/0/backendRefs/0/port + value: 443 + - op: replace + path: /spec/rules/0/backendRefs/0/name + value: tls-backend + ' +``` + +Verify the HTTPRoute status: + +```shell +kubectl get HTTPRoute backend -o yaml +``` + +## Testing backend TLS + +{{< tabpane text=true >}} +{{% tab header="With External LoadBalancer Support" %}} + +Get the External IP of the Gateway: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Query the example app through the Gateway: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend: + +```shell +< HTTP/1.1 200 OK +[...] 
+ "tls": { + "version": "TLSv1.2", + "serverName": "www.example.com", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + } +``` + +{{% /tab %}} +{{% tab header="Without LoadBalancer Support" %}} + +Get the name of the Envoy service created the by the example Gateway: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Port forward to the Envoy service: + +```shell +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 80:80 & +``` + +Query the TLS-enabled backend through Envoy proxy: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ +http://www.example.com:80/get +``` + +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend: + +```shell +< HTTP/1.1 200 OK +[...] + "tls": { + "version": "TLSv1.2", + "serverName": "www.example.com", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + } +``` + +{{% /tab %}} +{{< /tabpane >}} + +## Customize backend TLS Parameters + +In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. 
+ +First, you need to add ParametersRef in GatewayClass, and refer to EnvoyProxy Config: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +You can customize the EnvoyProxy Backend TLS Parameters via EnvoyProxy Config like: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Testing TLS Parameters + +Query the TLS-enabled backend through Envoy proxy: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ +http://www.example.com:80/get +``` + +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. +The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS cipher is also changed, since TLS1.3 supports different ciphers from TLS1.2. + +```shell +< HTTP/1.1 200 OK +[...] + "tls": { + "version": "TLSv1.3", + "serverName": "www.example.com", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_AES_128_GCM_SHA256" + } +``` + +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[EnvoyProxy]: ../../api/extension_types#envoyproxy diff --git a/site/content/en/v1.2/tasks/security/basic-auth.md b/site/content/en/v1.2/tasks/security/basic-auth.md new file mode 100644 index 00000000000..cc0ec54ada1 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/basic-auth.md 
@@ -0,0 +1,219 @@ +--- +title: "Basic Authentication" +--- + +This task provides instructions for configuring [HTTP Basic authentication][http Basic authentication]. +HTTP Basic authentication checks if an incoming request has a valid username and password before routing the request to +a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure HTTP Basic +authentication. +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +Envoy Gateway uses [.htpasswd][.htpasswd] format to store the username-password pairs for authentication. +The file must be stored in a kubernetes secret and referenced in the [SecurityPolicy][SecurityPolicy] configuration. +The secret is an Opaque secret, and the username-password pairs must be stored in the key ".htpasswd". + +### Create a root certificate + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt +``` + +### Create a certificate secret + +Create a certificate and a private key for `www.example.com`: + +```shell +openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt +``` + +### Create certificate + +```shell +kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt +``` + +### Enable HTTPS +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the +`example-cert` Secret: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: 
add + path: /spec/listeners/- + value: + name: https + protocol: HTTPS + port: 443 + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: example-cert + ' +``` + +### Create a .htpasswd file +First, create a [.htpasswd][.htpasswd] file with the username and password you want to use for authentication. + +Note: Please always use HTTPS with Basic Authentication. This prevents credentials from being transmitted in plain text. + +The input password won't be saved, instead, a hash will be generated and saved in the output file. When a request +tries to access protected resources, the password in the "Authorization" HTTP header will be hashed and compared with the +saved hash. + +Note: only SHA hash algorithm is supported for now. + +```shell +htpasswd -cbs .htpasswd foo bar +``` + +You can also add more users to the file: + +```shell +htpasswd -bs .htpasswd foo1 bar1 +``` + +### Create a basic-auth secret + + +Next, create a kubernetes secret with the generated .htpasswd file in the previous step. + +```shell +kubectl create secret generic basic-auth --from-file=.htpasswd +``` + +### Create a SecurityPolicy + +The below example defines a SecurityPolicy that authenticates requests against the user list in the kubernetes +secret generated in the previous step. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/basic-auth-example -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request to the backend service without `Authentication` header: + +```shell +curl -kv -H "Host: www.example.com" "https://${GATEWAY_HOST}/" +``` + +You should see `401 Unauthorized` in the response, indicating that the request is not allowed without authentication. 
+
+```shell
+* Connected to 127.0.0.1 (127.0.0.1) port 443
+...
+* Server certificate:
+* subject: CN=www.example.com; O=example organization
+* issuer: O=example Inc.; CN=example.com
+> GET / HTTP/2
+> Host: www.example.com
+> User-Agent: curl/8.6.0
+> Accept: */*
+...
+< HTTP/2 401
+< content-length: 58
+< content-type: text/plain
+< date: Wed, 06 Mar 2024 15:59:36 GMT
+<
+
+* Connection #0 to host 127.0.0.1 left intact
+User authentication failed. Missing username and password.
+```
+
+Send a request to the backend service with `Authentication` header:
+
+```shell
+curl -kv -H "Host: www.example.com" -u 'foo:bar' "https://${GATEWAY_HOST}/"
+```
+
+The request should be allowed and you should see the response from the backend service.
+
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy and the secret
+
+```shell
+kubectl delete securitypolicy/basic-auth-example
+kubectl delete secret/basic-auth
+kubectl delete secret/example-cert
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[http Basic authentication]: https://tools.ietf.org/html/rfc2617
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
+[.htpasswd]: https://httpd.apache.org/docs/current/programs/htpasswd.html
diff --git a/site/content/en/v1.2/tasks/security/cors.md b/site/content/en/v1.2/tasks/security/cors.md
new file mode 100644
index 00000000000..90a972ce4ca
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/cors.md
@@ -0,0 +1,176 @@ +--- +title: "CORS" +--- + +This task provides instructions for configuring [Cross-Origin Resource Sharing (CORS)][cors] on Envoy Gateway. +CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different +domain. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure CORS. +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +When configuring CORS either an origin with a precise hostname can be configured or an hostname containing a wildcard prefix, +allowing all subdomains of the specified hostname. +In addition to that the entire origin (with or without specifying a scheme) can be a wildcard to allow all origins. + +The below example defines a SecurityPolicy that allows CORS for all HTTP requests originating from `www.foo.com`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/cors-example -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. 
+
+```shell
+echo $GATEWAY_HOST
+```
+
+Verify that the CORS headers are present in the response of the OPTIONS request from `http://www.foo.com`:
+
+```shell
+curl -H "Origin: http://www.foo.com" \
+ -H "Host: www.example.com" \
+ -H "Access-Control-Request-Method: GET" \
+ -X OPTIONS -v -s \
+ http://$GATEWAY_HOST \
+ 1> /dev/null
+```
+
+You should see the below response, indicating that the request from `http://www.foo.com` is allowed:
+
+```shell
+< access-control-allow-origin: http://www.foo.com
+< access-control-allow-methods: GET, POST
+< access-control-allow-headers: x-header-1, x-header-2
+< access-control-max-age: 86400
+< access-control-expose-headers: x-header-3, x-header-4
+```
+
+If you try to send a request from `http://www.bar.com`, you should see the below response:
+
+```shell
+curl -H "Origin: http://www.bar.com" \
+ -H "Host: www.example.com" \
+ -H "Access-Control-Request-Method: GET" \
+ -X OPTIONS -v -s \
+ http://$GATEWAY_HOST \
+ 1> /dev/null
+```
+
+You won't see any CORS headers in the response, indicating that the request from `http://www.bar.com` was not allowed.
+
+If you try to send a request from `http://www.foo.com:8080`, you should also see similar response because the port number
+`8080` is not included in the allowed origins.
+
+```shell
+```shell
+curl -H "Origin: http://www.foo.com:8080" \
+ -H "Host: www.example.com" \
+ -H "Access-Control-Request-Method: GET" \
+ -X OPTIONS -v -s \
+ http://$GATEWAY_HOST \
+ 1> /dev/null
+```
+
+Note:
+* CORS specification requires that the browsers to send a preflight request to the server to ask if it's allowed
+to access the limited resource in another domains. The browsers are supposed to follow the response from the server to
+determine whether to send the actual request or not. The CORS filter only response to the preflight requests according to
+its configuration. It won't deny any requests. The browsers are responsible for enforcing the CORS policy.
+* The targeted HTTPRoute or the HTTPRoutes that the targeted Gateway routes to must allow the OPTIONS method for the CORS
+filter to work. Otherwise, the OPTIONS request won't match the routes and the CORS filter won't be invoked.
+
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy:
+
+```shell
+kubectl delete securitypolicy/cors-example
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[cors]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
diff --git a/site/content/en/v1.2/tasks/security/ext-auth.md b/site/content/en/v1.2/tasks/security/ext-auth.md
new file mode 100644
index 00000000000..1d1625d5780
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/ext-auth.md
@@ -0,0 +1,453 @@ +--- +title: "External Authorization" +--- + +This task provides instructions for configuring external authentication. + +External authorization calls an external HTTP or gRPC service to check whether an incoming HTTP request is authorized +or not. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response. If the +request is authorized, then the request will be allowed to proceed to the backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure external authorization. +This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute][HTTPRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## HTTP External Authorization Service + +### Installation + +Install a demo HTTP service that will be used as the external authorization service: + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-auth-http-service.yaml +``` + +Create a new HTTPRoute resource to route traffic on the path `/myapp` to the backend service. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/myapp -o yaml +``` + +### Configuration + +Create a new SecurityPolicy resource to configure the external authorization. This SecurityPolicy targets the HTTPRoute +"myApp" created in the previous step. It calls the HTTP external authorization service "http-ext-auth" on port 9002 for +authorization. The `headersToBackend` field specifies the headers that will be sent to the backend service if the request +is successfully authorized. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/ext-auth-example -o yaml +``` + +### Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request to the backend service without `Authentication` header: + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/myapp" +``` + +You should see `403 Forbidden` in the response, indicating that the request is not allowed without authentication. + +```shell +* Connected to 172.18.255.200 (172.18.255.200) port 80 (#0) +> GET /myapp HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/7.68.0 +> Accept: */* +... +< HTTP/1.1 403 Forbidden +< date: Mon, 11 Mar 2024 03:41:15 GMT +< x-envoy-upstream-service-time: 0 +< content-length: 0 +< +* Connection #0 to host 172.18.255.200 left intact +``` + +Send a request to the backend service with `Authentication` header: + +```shell +curl -v -H "Host: www.example.com" -H "Authorization: Bearer token1" "http://${GATEWAY_HOST}/myapp" +``` + +The request should be allowed and you should see the response from the backend service. +Because the `x-current-user` header from the auth response has been sent to the backend service, +you should see the `x-current-user` header in the response. + +``` +"X-Current-User": [ + "user1" + ], +``` + +## GRPC External Authorization Service + +### Installation + +Install a demo gRPC service that will be used as the external authorization service. The demo gRPC service is enabled +with TLS and a BackendTLSConfig is created to configure the communication between the Envoy proxy and the gRPC service. + +Note: TLS is optional for HTTP or gRPC external authorization services. However, enabling TLS is recommended for enhanced +security in production environments. 
+ +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-auth-grpc-service.yaml +``` + +The HTTPRoute created in the previous section is still valid and can be used with the gRPC auth service, but if you have +not created the HTTPRoute, you can create it now. + +Create a new HTTPRoute resource to route traffic on the path `/myapp` to the backend service. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/myapp -o yaml +``` + +### Configuration + +Update the SecurityPolicy that was created in the previous section to use the gRPC external authorization service. +It calls the gRPC external authorization service "grpc-ext-auth" on port 9002 for authorization. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/ext-auth-example -o yaml +``` + +Because the gRPC external authorization service is enabled with TLS, a BackendTLSConfig needs to be created to configure +the communication between the Envoy proxy and the gRPC auth service. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the BackendTLSPolicy configuration: + +```shell +kubectl get backendtlspolicy/grpc-ext-auth-btls -o yaml +``` + +### Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request to the backend service without `Authentication` header: + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/myapp" +``` + +You should see `403 Forbidden` in the response, indicating that the request is not allowed without authentication. 
+
+```shell
+* Connected to 172.18.255.200 (172.18.255.200) port 80 (#0)
+> GET /myapp HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/7.68.0
+> Accept: */*
+...
+< HTTP/1.1 403 Forbidden
+< date: Mon, 11 Mar 2024 03:41:15 GMT
+< x-envoy-upstream-service-time: 0
+< content-length: 0
+<
+* Connection #0 to host 172.18.255.200 left intact
+```
+
+Send a request to the backend service with `Authentication` header:
+
+```shell
+curl -v -H "Host: www.example.com" -H "Authorization: Bearer token1" "http://${GATEWAY_HOST}/myapp"
+```
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the demo auth services, HTTPRoute, SecurityPolicy and BackendTLSPolicy:
+
+```shell
+kubectl delete -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-auth-http-service.yaml
+kubectl delete -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/ext-auth-grpc-service.yaml
+kubectl delete httproute/myapp
+kubectl delete securitypolicy/ext-auth-example
+kubectl delete backendtlspolicy/grpc-ext-auth-btls
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/v1.2/tasks/security/jwt-authentication.md b/site/content/en/v1.2/tasks/security/jwt-authentication.md
new file mode 100644
index 00000000000..e4361b6354f
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/jwt-authentication.md
@@ -0,0 +1,170 @@
+---
+title: "JWT Authentication"
+---
+
+This task provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks
+if an incoming request has a valid JWT before routing the request to a backend service. Currently, Envoy Gateway only
+supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer `.
+
+Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT authentication.
+This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+For GRPC - follow the steps from the [GRPC Routing](../traffic/grpc-routing) example.
+
+## Configuration
+
+Allow requests with a valid JWT by creating an [SecurityPolicy][SecurityPolicy] and attaching it to the example
+HTTPRoute or GRPCRoute.
+
+### HTTPRoute
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/jwt/jwt.yaml
+```
+
+Two HTTPRoute has been created, one for `/foo` and another for `/bar`. A SecurityPolicy has been created and targeted
+HTTPRoute foo to authenticate requests for `/foo`. The HTTPRoute bar is not targeted by the SecurityPolicy and will allow
+unauthenticated requests to `/bar`.
+
+Verify the HTTPRoute configuration and status:
+
+```shell
+kubectl get httproute/foo -o yaml
+kubectl get httproute/bar -o yaml
+```
+
+The SecurityPolicy is configured for JWT authentication and uses a single [JSON Web Key Set (JWKS)][jwks]
+provider for authenticating the JWT.
+
+Verify the SecurityPolicy configuration:
+
+```shell
+kubectl get securitypolicy/jwt-example -o yaml
+```
+
+### GRPCRoute
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/jwt/grpc-jwt.yaml
+```
+
+A SecurityPolicy has been created and targeted GRPCRoute yages to authenticate all requests for `yages` service..
+
+Verify the GRPCRoute configuration and status:
+
+```shell
+kubectl get grpcroute/yages -o yaml
+```
+
+The SecurityPolicy is configured for JWT authentication and uses a single [JSON Web Key Set (JWKS)][jwks]
+provider for authenticating the JWT.
+
+Verify the SecurityPolicy configuration:
+
+```shell
+kubectl get securitypolicy/jwt-example -o yaml
+```
+
+## Testing
+
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the
+Quickstart instructions to set the variable.
+
+```shell
+echo $GATEWAY_HOST
+```
+
+### HTTPRoute
+
+Verify that requests to `/foo` are denied without a JWT:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
+```
+
+A `401` HTTP response code should be returned.
+
+Get the JWT used for testing request authentication:
+
+```shell
+TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode
+```
+
+__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
+header.
+
+Verify that a request to `/foo` with a valid JWT is allowed:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n" http://$GATEWAY_HOST/foo
+```
+
+A `200` HTTP response code should be returned.
+
+Verify that requests to `/bar` are allowed __without__ a JWT:
+
+```shell
+curl -sS -o /dev/null -H "Host: www.example.com" -w "%{http_code}\n" http://$GATEWAY_HOST/bar
+```
+
+### GRPCRoute
+
+Verify that requests to `yages`service are denied without a JWT:
+
+```shell
+grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+Error invoking method "yages.Echo/Ping": rpc error: code = Unauthenticated desc = failed to query for service descriptor "yages.Echo": Jwt is missing
+```
+
+Get the JWT used for testing request authentication:
+
+```shell
+TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode
+```
+
+__Note:__ The above command decodes and returns the token's payload. You can replace `f2` with `f1` to view the token's
+header.
+
+Verify that a request to `yages` service with a valid JWT is allowed:
+
+```shell
+grpcurl -plaintext -H "authorization: Bearer $TOKEN" -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+{
+ "text": "pong"
+}
+```
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy:
+
+```shell
+kubectl delete securitypolicy/jwt-example
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[jwt]: https://tools.ietf.org/html/rfc7519
+[jwks]: https://tools.ietf.org/html/rfc7517
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
diff --git a/site/content/en/v1.2/tasks/security/jwt-claim-authorization.md b/site/content/en/v1.2/tasks/security/jwt-claim-authorization.md
new file mode 100644
index 00000000000..2e67ea7ffe9
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/jwt-claim-authorization.md
@@ -0,0 +1,226 @@ +--- +title: "JWT Claim-Based Authorization" +--- + +This task provides instructions for configuring JWT claim-based authorization. JWT claim-based authorization checks if an incoming request has the required JWT claims before routing the request to a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure JWT claim-based authorization. + +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Create a SecurityPolicy + +Please note that the JWT claim-based authorization requires the JWT token to be present in the request. A JWT authentication must be configured in the same SecurityPolicy to validate the JWT token and extract the claims. + +The below SecurityPolicy configuration allows requests with a valid JWT token that has the following claims: +- `user.name` claim with the value `John Doe` +- `user.roles` claim with the value `admin` +- `scope` claim with the values `read`, `add`, and `modify` + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/authorization-jwt-claim -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Define a JWT token with the required claims. 
+ +```shell +export VALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGVzIjpbImFkbWluIiwiZWRpdG9yIl19LCJwcmVtaXVtX3VzZXIiOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJyZWFkIGFkZCBkZWxldGUgbW9kaWZ5In0.P36iAlmiRCC79OiB3vstF5Q_9OqUYAMGF3a3H492GlojbV6DcuOz8YIEYGsRSWc-BNJaBKlyvUKsKsGVPtYbbF8ajwZTs64wyO-zhd2R8riPkg_HsW7iwGswV12f5iVRpfQ4AG2owmdOToIaoch0aym89He1ZzEjcShr9olgqlAbbmhnk-namd1rP-xpzPnWhhIVI3mCz5hYYgDTMcM7qbokM5FzFttTRXAn5_Luor23U1062Ct_K53QArwxBvwJ-QYiqcBycHf-hh6sMx_941cUswrZucCpa-EwA3piATf9PKAyeeWHfHV9X-y8ipGOFg3mYMMVBuUZ1lBkJCik9f9kboRY6QzpOISARQj9PKMXfxZdIPNuGmA7msSNAXQgqkvbx04jMwb9U7eCEdGZztH4C8LhlRjgj0ZdD7eNbRjeH2F6zrWyMUpGWaWyq6rMuP98W2DWM5ZflK6qvT1c7FuFsWPvWLkgxQwTWQKrHdKwdbsu32Sj8VtUBJ0-ddEb" +``` + +Decode the JWT token to verify that it has the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${VALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "John Doe", + "email": "john.doe@example.com", + "roles": [ + "admin", + "editor" + ] + }, + "premium_user": true, + "iat": 1516239022, + "scope": "read add delete modify" +} +``` + +Send a request to the backend service with the valid JWT token: + +```shell +curl -H "Host: www.example.com" -H "Authorization: Bearer ${VALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be allowed and you should see the response from the backend service. + +Define a JWT token without the required claims. 
+ +```shell +export INVALID_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImI1MjBiM2MyYzRiZDc1YTEwZTljZWJjOTU3NjkzM2RjIn0.eyJpc3MiOiJodHRwczovL2Zvby5iYXIuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsInVzZXIiOnsibmFtZSI6IkFsaWNlIFNtaXRoIiwiZW1haWwiOiJhbGljZS5zbWl0aEBleGFtcGxlLmNvbSIsInJvbGVzIjpbImRldmVsb3BlciJdfSwicHJlbWl1bV91c2VyIjpmYWxzZSwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZSI6InJlYWQgYWRkIGRlbGV0ZSJ9.Da547nNXzuQXm5E7LuLAiyFswXsW4RDhuitD_rpadtR7PTwzzOsJoqrVWJ_u1jJDaOTWIpLF4gwxDoY-Aoz_couzXzlAbECLs45ZFoc_UdffpfIbGKqTZx8VtwKuDLFsAeDDDqqx1flxFhvXHftJJdZYr1FgFz9u-absMmRU90DLmEZX3Hnyc8k8eBgeiu6vsWUD0-aNy8cWkFRbwRggkGmucFyUTG8Z1MY3iyH5E66W-ISoX8G9bzE9PTxVAAPDTvefD5iLJPSDJ8qV69OuMCJ8Dczq0L9Dd_w0sF-D1s9MTvexmGg4zBWluJ3r-pU9NHEdhqBypehp_yH8xF5Rt9AE7stZ4oPFZNyfrtkE-4IOnSEkMmzcC65g_rscn0ycerv4N5ZNpkr0x2IYYM4iGuo-ULv5Htnli3rffST45kx1XA8cdsrT1D0K3aPxdIxDIk8sTJf5-WVqRyo-bwxXXltwQLB9jCM_7QbTWQBYAJwUpi-0RW4jCl44-42gZnXf" +``` + +Decode the JWT token to verify that it does not have the required claims. + +```shell +jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(echo ${INVALID_TOKEN}) +``` + +The decoded JWT token should look like the following: + +```json +{ + "typ": "JWT", + "alg": "RS256", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" +} +{ + "iss": "https://foo.bar.com", + "sub": "1234567890", + "user": { + "name": "Alice Smith", + "email": "alice.smith@example.com", + "roles": [ + "developer" + ] + }, + "premium_user": false, + "iat": 1516239022, + "scope": "read add delete" +} +``` + +Send a request to the backend service with the invalid JWT token: + +```shell +curl -v -H "Host: www.example.com" -H "Authorization: Bearer ${INVALID_TOKEN}" "http://${GATEWAY_HOST}/" +``` + +The request should be denied and you should see a `403 Forbidden` response. + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
+
+Delete the SecurityPolicy and the ClientTrafficPolicy
+
+```shell
+kubectl delete securitypolicy/authorization-jwt-claim
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
diff --git a/site/content/en/v1.2/tasks/security/mutual-tls.md b/site/content/en/v1.2/tasks/security/mutual-tls.md
new file mode 100644
index 00000000000..4ac9f96430a
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/mutual-tls.md
@@ -0,0 +1,183 @@ +--- +title: "Mutual TLS: External Clients to the Gateway" +--- + +This task demonstrates how mutual TLS can be achieved between external clients and the Gateway. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## TLS Certificates + +Generate the certificates and keys used by the Gateway to terminate client TLS connections. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt +``` + +Create a certificate and a private key for `www.example.com`: + +```shell +openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt --certificate-authority=example.com.crt +``` + +Store the CA Cert in another Secret: + +```shell +kubectl create secret generic example-ca-cert --from-file=ca.crt=example.com.crt +``` + +Create a certificate and a private key for the client `client.example.com`: + +```shell +openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in client.example.com.csr -out client.example.com.crt +``` + +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the +`example-cert` Secret: + +```shell +kubectl patch gateway eg 
--type=json --patch ' + - op: add + path: /spec/listeners/- + value: + name: https + protocol: HTTPS + port: 443 + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: example-cert + ' +``` + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +Create a [ClientTrafficPolicy][] to enforce client validation using the CA Certificate as a trusted anchor. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Testing + +{{< tabpane text=true >}} +{{% tab header="With External LoadBalancer Support" %}} + +Get the External IP of the Gateway: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Query the example app through the Gateway: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:443:${GATEWAY_HOST}" \ +--cert client.example.com.crt --key client.example.com.key \ +--cacert example.com.crt https://www.example.com/get +``` + +Don't specify the client key and certificate in the above command, and ensure that the connection fails: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:443:${GATEWAY_HOST}" \ +--cacert example.com.crt https://www.example.com/get +``` + +{{% /tab %}} +{{% tab header="Without LoadBalancer Support" %}} + +Get the name of the Envoy service created the by the example Gateway: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Port forward to the Envoy service: + +```shell +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 & +``` + +Query the example app through Envoy proxy: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ +--cert client.example.com.crt --key client.example.com.key \ +--cacert example.com.crt 
https://www.example.com:8443/get +``` + +{{% /tab %}} +{{< /tabpane >}} + +[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy diff --git a/site/content/en/v1.2/tasks/security/oidc.md b/site/content/en/v1.2/tasks/security/oidc.md new file mode 100644 index 00000000000..45adc554a90 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/oidc.md 
@@ -0,0 +1,414 @@ +--- +title: "OIDC Authentication" +--- + +This task provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication. +OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. +It enables EG to rely on authentication that is performed by an OpenID Connect Provider (OP) +to verify the identity of a user. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure OIDC +authentication. +This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute][HTTPRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +EG OIDC authentication requires the redirect URL to be HTTPS. Follow the [Secure Gateways](../secure-gateways) guide +to generate the TLS certificates and update the Gateway configuration to add an HTTPS listener. + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +Let's create an HTTPRoute that represents an application protected by OIDC. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/myapp -o yaml +``` + +## OIDC Authentication for a HTTPRoute + +OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with +the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. + +This section demonstrates how to configure OIDC authentication for a specific HTTPRoute. + +### Register an OIDC application + +This task uses Google as the OIDC provider to demonstrate the configuration of OIDC. However, EG works with any OIDC +providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA, etc. + +Follow the steps in the [Google OIDC documentation][google-oidc] to register an OIDC application. 
Please make sure the
+redirect URL is set to the one you configured in the SecurityPolicy that you will create in the step below. In this example,
+the redirect URL is `https://www.example.com:8443/myapp/oauth2/callback`.
+
+After registering the application, you should have the following information:
+* Client ID: The client ID of the OIDC application.
+* Client Secret: The client secret of the OIDC application.
+
+### Create a kubernetes secret
+
+Next, create a kubernetes secret with the Client Secret created in the previous step. The secret is an Opaque secret,
+and the Client Secret must be stored in the key "client-secret".
+
+Note: please replace the ${CLIENT_SECRET} with the actual Client Secret that you got from the previous step.
+
+```shell
+kubectl create secret generic my-app-client-secret --from-literal=client-secret=${CLIENT_SECRET}
+```
+
+### Create a SecurityPolicy
+
+**Please notice that the `redirectURL` and `logoutPath` must match the target HTTPRoute.** In this example, the target
+HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed
+with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication
+will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed
+by the OAuth2 filter on that HTTPRoute.
+
+Note: please replace the ${CLIENT_ID} in the below yaml snippet with the actual Client ID that you got from the OIDC provider.
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/oidc-example -o yaml +``` + +### Testing + +Port forward gateway port to localhost: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') + +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 +``` + +Put www.example.com in the /etc/hosts file in your test machine, so we can use this host name to access the gateway from a browser: + +```shell +... +127.0.0.1 www.example.com +``` + +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google +login page. After you successfully login, you should see the response from the backend service. + +Clean the cookies in the browser and try to access `https://www.example.com:8443/foo` address. You should be able to see +this page since the path `/foo` is not protected by the OIDC policy. + +## OIDC Authentication for a Gateway + +OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with +the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. + +This section demonstrates how to configure OIDC authentication for a Gateway. + +### Register an OIDC application + +If you haven't registered an OIDC application, follow the steps in the previous section to register an OIDC application. + +### Create a kubernetes secret + +If you haven't created a kubernetes secret, follow the steps in the previous section to create a kubernetes secret. + +### Create an HTTPRoute with a different subdomain + +Let's create another HTTPRoute in the same Gateway, but with a different subdomain. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the HTTPRoute status: + +```shell +kubectl get httproute/foo -o yaml +``` + +### Create a SecurityPolicy + +Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` +and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +can be used to match the `redirectURL` and `logoutPath`. + +By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/oidc-example -o yaml +``` + +### Update the Listener TLS certificate to support multiple subdomains + +Create a multi-domain wildcard certificate for `*.example.com`. + +```shell +openssl req -out wildcard.csr -newkey rsa:2048 -nodes -keyout wildcard.key -subj "/CN=*.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in wildcard.csr -out wildcard.crt +``` + +Replace the TLS certificate of the Gateway with the wildcard certificate. 
+
+```shell
+kubectl delete secret example-cert
+kubectl create secret tls example-cert --key=wildcard.key --cert=wildcard.crt
+```
+
+### Testing
+
+If you haven't done so, follow the steps in the previous section to port forward gateway port to localhost and put
+www.example.com in the /etc/hosts file in your test machine.
+
+Also, put foo.example.com in the /etc/hosts file in your test machine.
+
+```shell
+...
+127.0.0.1 foo.example.com
+```
+
+Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google
+login page. After you successfully login, you should see the response from the backend service.
+
+You can also try to access `https://foo.example.com:8443` and `https://www.example.com:8443/bar` addresses. You should
+be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config,
+and the cookies are shared across subdomains.
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the SecurityPolicy, the secret and the HTTPRoute:
+
+```shell
+kubectl delete securitypolicy/oidc-example
+kubectl delete secret/my-app-client-secret
+kubectl delete httproute/myapp
+kubectl delete httproute/foo
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../../contributions/develop) to get involved in the project.
+
+[oidc]: https://openid.net/connect/
+[google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect
+[SecurityPolicy]: ../../../../contributions/design/security-policy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
diff --git a/site/content/en/v1.2/tasks/security/private-key-provider.md b/site/content/en/v1.2/tasks/security/private-key-provider.md
new file mode 100644
index 00000000000..24544f67973
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/private-key-provider.md 
@@ -0,0 +1,653 @@ +--- +title: "Accelerating TLS Handshakes using Private Key Provider in Envoy" +--- + +TLS operations can be accelerated or the private key can be protected using specialized hardware. This can be leveraged in Envoy using [Envoy Private Key Provider](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-privatekeyprovider) is added to Envoy. + +Today, there are two private key providers implemented in Envoy as contrib extensions: +- [QAT in Envoy 1.24 release](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/private_key_providers/qat/v3alpha/qat.proto#extensions-private-key-providers-qat-v3alpha-qatprivatekeymethodconfig) +- [CryptoMB in Envoy 1.20 release](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto ) + +Both of them are used to accelerate the TLS handshake through the hardware capabilities. + +This task will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms. + +## Prerequisites + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + +- Install Linux kernel 5.17 or similar +- Ensure the node has QAT devices by checking the QAT physical function devices presented. [Supported Devices](https://intel.github.io/quickassist/qatlib/requirements.html#qat2-0-qatlib-supported-devices) + + ```shell + echo `(lspci -d 8086:4940 && lspci -d 8086:4941 && lspci -d 8086:4942 && lspci -d 8086:4943 && lspci -d 8086:4946 && lspci -d 8086:4947) | wc -l` supported devices found. 
+ ``` + +- Enable IOMMU from BIOS +- Enable IOMMU for Linux kernel + + Figure out the QAT VF device id + + ```shell + lspci -d 8086:4941 && lspci -d 8086:4943 && lspci -d 8086:4947 + ``` + + Attach the QAT device to vfio-pci through kernel parameter by the device id gotten from previous command. + + ```shell + cat /etc/default/grub: + GRUB_CMDLINE_LINUX="intel_iommu=on vfio-pci.ids=[QAT device id]" + update-grub + reboot + ```` + + Once the system is rebooted, check if the IOMMU has been enabled via the following command: + + ```shell + dmesg| grep IOMMU + [ 1.528237] DMAR: IOMMU enabled + ``` + +- Enable virtual function devices for QAT device + + ```shell + modprobe vfio_pci + rmmod qat_4xxx + modprobe qat_4xxx + qat_device=$(lspci -D -d :[QAT device id] | awk '{print $1}') + for i in $qat_device; do echo 16|sudo tee /sys/bus/pci/devices/$i/sriov_numvfs; done + chmod a+rw /dev/vfio/* + ``` + +- Increase the container runtime memory lock limit (using the containerd as example here) + + ```shell + mkdir /etc/systemd/system/containerd.service.d + cat <>/etc/systemd/system/containerd.service.d/memlock.conf + [Service] + LimitMEMLOCK=134217728 + EOF + ``` + + Restart the container runtime (for containerd, CRIO has similar concept) + + ```shell + systemctl daemon-reload + systemctl restart containerd + ``` + +- Install [Intel® QAT Device Plugin for Kubernetes](https://github.com/intel/intel-device-plugins-for-kubernetes) + + ```shell + kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/qat_plugin?ref=main' + ``` + + Verification of the plugin deployment and detection of QAT hardware can be confirmed by examining the resource allocations on the nodes: + + ```shell + kubectl get node -o yaml| grep qat.intel.com + ``` + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +It required the node with 3rd generation Intel Xeon Scalable processor server processors, or later. 
+- For kubernetes Cluster, if not all nodes that support Intel® AVX-512 in Kubernetes cluster, you need to add some labels to divide these two kinds of nodes manually or using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery). + + ```shell + kubectl apply -k https://github.com/kubernetes-sigs/node-feature-discovery/deployment/overlays/default?ref=v0.15.1 + ``` + +- Checking the available nodes with required cpu instructions: + - Check the node labels if using [NFD](https://github.com/kubernetes-sigs/node-feature-discovery): + + ```shell + kubectl get nodes -l feature.node.kubernetes.io/cpu-cpuid.AVX512F,feature.node.kubernetes.io/cpu-cpuid.AVX512DQ,feature.node.kubernetes.io/cpu-cpuid.AVX512BW,feature.node.kubernetes.io/cpu-cpuid.AVX512VBMI2,feature.node.kubernetes.io/cpu-cpuid.AVX512IFMA + ``` + + - Check CPUIDS manually on the node if without using NFD: + + ```shell + cat /proc/cpuinfo |grep avx512f|grep avx512dq|grep avx512bw|grep avx512_vbmi2|grep avx512ifma + ``` + +{{% /tab %}} + +{{< /tabpane >}} + +## Installation + +* Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway. + +* Enable the EnvoyPatchPolicy feature, which will allow us to directly configure the Private Key Provider Envoy Filter, since Envoy Gateway does not directly expose this functionality. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +## Create gateway for TLS termination + +* Follow the instructions in [TLS Termination for TCP](./tls-termination) to setup a TCP gateway to terminate the TLS connection. + +* Update GatewayClass for using the envoyproxy image with contrib extensions and requests required resources. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Change EnvoyProxy configuration + +Using the envoyproxy image with contrib extensions and add qat resources requesting, ensure the k8s scheduler find out a machine with required resource. + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +Using the envoyproxy image with contrib extensions and add the node affinity to scheduling the Envoy Gateway pod on the machine with required CPU instructions. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Or using `preferredDuringSchedulingIgnoredDuringExecution` for best effort scheduling, or not doing any node affinity, just doing the random scheduling. The CryptoMB private key provider supports software fallback if the required CPU instructions aren't here. + +{{% /tab %}} + +{{< /tabpane >}} + +## Benchmark before enabling private key provider + +First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test. + +Ensure the cpu frequency governor set as `performance`. + +```shell +export NUM_CPUS=`lscpu | grep "^CPU(s):"|awk '{print $2}'` +for i in `seq 0 1 $NUM_CPUS`; do sudo cpufreq-set -c $i -g performance; done +``` + +Using the nodeport as the example, fetch the node port from envoy gateway service. + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +export NODE_PORT=$(kubectl -n envoy-gateway-system get svc/$ENVOY_SERVICE -o jsonpath='{.spec.ports[0].nodePort}') +``` + +```shell +echo "127.0.0.1 www.example.com" >> /etc/hosts +``` + +Benchmark the gateway with fortio. 
+ +```shell +fortio load -c 10 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} +``` + +## Apply EnvoyPatchPolicy to enable private key provider + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{% /tab %}} + +{{< /tabpane >}} + +## Benchmark after enabling private key provider + +First follow the instructions in [TLS Termination for TCP](./tls-termination) to do the functionality test again. + +Benchmark the gateway with fortio. + +```shell +fortio load -c 64 -k -qps 0 -t 30s -keepalive=false https://www.example.com:${NODE_PORT} +``` + +## Benchmark Result + +You will see a performance boost after private key provider enabled. For example, you will get results as below. + +Without private key provider: + +```shell +All done 43069 calls (plus 10 warmup) 6.966 ms avg, 1435.4 qps +``` + +{{< tabpane text=true >}} + +{{% tab header="QAT (Intel QuickAssist Technology)" %}} + +With QAT private key provider, the QPS is over 3 times than without private key provider + +```shell +All done 134746 calls (plus 128 warmup) 28.505 ms avg, 4489.6 qps +``` + +{{% /tab %}} + +{{% tab header="CryptoMB" %}} + +With CryptoMB private key provider, the QPS is over 2 times than without private key provider. + +```shell +All done 93983 calls (plus 128 warmup) 40.880 ms avg, 3130.5 qps +``` + +{{% /tab %}} + +{{< /tabpane >}} diff --git a/site/content/en/v1.2/tasks/security/restrict-ip-access.md b/site/content/en/v1.2/tasks/security/restrict-ip-access.md new file mode 100644 index 00000000000..ab8965d7966 --- /dev/null +++ b/site/content/en/v1.2/tasks/security/restrict-ip-access.md 
@@ -0,0 +1,196 @@ +--- +title: "IP Allowlist/Denylist" +--- + +This task provides instructions for configuring IP allowlist/denylist on Envoy Gateway. IP allowlist/denylist +checks if an incoming request is from an allowed IP address before routing the request to a backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][SecurityPolicy] that allows the user to configure IP allowlist/denylist. +This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HTTPRoute] or [GRPCRoute][GRPCRoute] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Create a SecurityPolicy + +The below SecurityPolicy restricts access to the backend service by allowing requests only from the IP addresses `10.0.1.0/24`. + +In this example, the default action is set to `Deny`, which means that only requests from the specified IP addresses with `Allow` +action are allowed, and all other requests are denied. You can also change the default action to `Allow` to allow all requests +except those from the specified IP addresses with `Deny` action. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the SecurityPolicy configuration: + +```shell +kubectl get securitypolicy/authorization-client-ip -o yaml +``` + +### Original Source IP + +It's important to note that the IP address used for allowlist/denylist is the original source IP address of the request. +You can use a [ClientTrafficPolicy] to configure how Envoy Gateway should determine the original source IP address. + +For example, the below ClientTrafficPolicy configures Envoy Gateway to use the `X-Forwarded-For` header to determine the original source IP address. +The `numTrustedHops` field specifies the number of trusted hops in the `X-Forwarded-For` header. 
In this example, the `numTrustedHops` is set to `1`, +which means that the first rightmost IP address in the `X-Forwarded-For` header is used as the original source IP address. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request to the backend service without the `X-Forwarded-For` header: + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/" +``` + +You should see `403 Forbidden` in the response, indicating that the request is not allowed. + +```shell +* Connected to 172.18.255.200 (172.18.255.200) port 80 +> GET /get HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.8.0-DEV +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 403 Forbidden +< content-length: 19 +< content-type: text/plain +< date: Mon, 08 Jul 2024 04:23:31 GMT +< +* Connection #0 to host 172.18.255.200 left intact +RBAC: access denied +``` + +Send a request to the backend service with the `X-Forwarded-For` header: + +```shell +curl -v -H "Host: www.example.com" -H "X-Forwarded-For: 10.0.1.1" "http://${GATEWAY_HOST}/" +``` + +The request should be allowed and you should see the response from the backend service. + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. + +Delete the SecurityPolicy and the ClientTrafficPolicy + +```shell +kubectl delete securitypolicy/authorization-client-ip +kubectl delete clientTrafficPolicy/enable-client-ip-detection +``` + +## Next Steps + +Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. 
+
+[SecurityPolicy]: ../../../contributions/design/security-policy
+[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute
diff --git a/site/content/en/v1.2/tasks/security/secure-gateways.md b/site/content/en/v1.2/tasks/security/secure-gateways.md
new file mode 100644
index 00000000000..2c8d5043812
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/secure-gateways.md
@@ -0,0 +1,599 @@ +--- +title: "Secure Gateways" +--- + +This task will help you get started using secure Gateways. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## TLS Certificates + +Generate the certificates and keys used by the Gateway to terminate client TLS connections. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt +``` + +Create a certificate and a private key for `www.example.com`: + +```shell +openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt +``` + +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the +`example-cert` Secret: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: add + path: /spec/listeners/- + value: + name: https + protocol: HTTPS + port: 443 + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: example-cert + ' +``` + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +## Testing + +{{< tabpane text=true >}} +{{% tab header="With External LoadBalancer Support" %}} + +Get the External IP of the Gateway: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Query the example app through the Gateway: + +```shell +curl -v -HHost:www.example.com --resolve 
"www.example.com:443:${GATEWAY_HOST}" \ +--cacert example.com.crt https://www.example.com/get +``` + +{{% /tab %}} +{{% tab header="Without LoadBalancer Support" %}} + +Get the name of the Envoy service created the by the example Gateway: + +```shell +export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}') +``` + +Port forward to the Envoy service: + +```shell +kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 & +``` + +Query the example app through Envoy proxy: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ +--cacert example.com.crt https://www.example.com:8443/get +``` + +{{% /tab %}} +{{< /tabpane >}} + + +## Multiple HTTPS Listeners + +Create a TLS cert/key for the additional HTTPS listener: + +```shell +openssl req -out foo.example.com.csr -newkey rsa:2048 -nodes -keyout foo.example.com.key -subj "/CN=foo.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in foo.example.com.csr -out foo.example.com.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl create secret tls foo-cert --key=foo.example.com.key --cert=foo.example.com.crt +``` + +Create another HTTPS listener on the example Gateway: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: add + path: /spec/listeners/- + value: + name: https-foo + protocol: HTTPS + port: 443 + hostname: foo.example.com + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: foo-cert + ' +``` + +Update the HTTPRoute to route traffic for hostname `foo.example.com` to the example backend service: + +```shell +kubectl patch httproute backend --type=json --patch ' + - op: add + path: /spec/hostnames/- + value: foo.example.com + ' +``` + +Verify the Gateway status: + +```shell 
+kubectl get gateway/eg -o yaml +``` + +Follow the steps in the [Testing section](#testing) to test connectivity to the backend app through both Gateway +listeners. Replace `www.example.com` with `foo.example.com` to test the new HTTPS listener. + +## Cross Namespace Certificate References + +A Gateway can be configured to reference a certificate in a different namespace. This is allowed by a [ReferenceGrant][] +created in the target namespace. Without the ReferenceGrant, a cross-namespace reference is invalid. + +Before proceeding, ensure you can query the HTTPS backend service from the [Testing section](#testing). + +To demonstrate cross namespace certificate references, create a ReferenceGrant that allows Gateways from the "default" +namespace to reference Secrets in the "envoy-gateway-system" namespace: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Delete the previously created Secret: + +```shell +kubectl delete secret/example-cert +``` + +The Gateway HTTPS listener should now surface the `Ready: False` status condition and the example HTTPS backend should +no longer be reachable through the Gateway. + +```shell +kubectl get gateway/eg -o yaml +``` + +Recreate the example Secret in the `envoy-gateway-system` namespace: + +```shell +kubectl create secret tls example-cert -n envoy-gateway-system --key=www.example.com.key --cert=www.example.com.crt +``` + +Update the Gateway HTTPS listener with `namespace: envoy-gateway-system`, for example: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The Gateway HTTPS listener status should now surface the `Ready: True` condition and you should once again be able to +query the HTTPS backend through the Gateway. + +Lastly, test connectivity using the above [Testing section](#testing). + +## Clean-Up + +Follow the steps from the [Quickstart](../quickstart) to uninstall Envoy Gateway and the example manifest. 
+ +Delete the Secrets: + +```shell +kubectl delete secret/example-cert +kubectl delete secret/foo-cert +``` + +# RSA + ECDSA Dual stack certificates + +This section gives a walkthrough to generate RSA and ECDSA derived certificates and keys for the Server, which can then be configured in the Gateway listener, to terminate TLS traffic. + +## Prerequisites + +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. + +## Pre-checks + +While testing in [Cluster without External LoadBalancer Support](#clusters-without-external-loadbalancer-support), we can query the example app through Envoy proxy while enforcing an RSA cipher, as shown below: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ +--cacert example.com.crt https://www.example.com:8443/get -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2 +``` + +Since the Secret configured at this point is an RSA based Secret, if we enforce the usage of an ECDSA cipher, the call should fail as follows + +```shell +$ curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ +--cacert example.com.crt https://www.example.com:8443/get -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2 + +* Added www.example.com:8443:127.0.0.1 to DNS cache +* Hostname www.example.com was found in DNS cache +* Trying 127.0.0.1:8443... 
+* Connected to www.example.com (127.0.0.1) port 8443 (#0) +* ALPN: offers h2 +* ALPN: offers http/1.1 +* Cipher selection: ECDHE-ECDSA-CHACHA20-POLY1305 +* CAfile: example.com.crt +* CApath: none +* (304) (OUT), TLS handshake, Client hello (1): +* error:1404B410:SSL routines:ST_CONNECT:sslv3 alert handshake failure +* Closing connection 0 +``` + +Moving forward in the doc, we will be configuring the existing Gateway listener to accept both kinds of ciphers. + +## TLS Certificates + +Reuse the CA certificate and key pair generated in the [Secure Gateways](#tls-certificates) task and use this CA to sign both RSA and ECDSA Server certificates. +Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively. + + +Create an ECDSA certificate and a private key for `www.example.com`: + +```shell +openssl ecparam -noout -genkey -name prime256v1 -out www.example.com.ecdsa.key +openssl req -new -SHA384 -key www.example.com.ecdsa.key -nodes -out www.example.com.ecdsa.csr -subj "/CN=www.example.com/O=example organization" +openssl x509 -req -SHA384 -days 365 -in www.example.com.ecdsa.csr -CA example.com.crt -CAkey example.com.key -CAcreateserial -out www.example.com.ecdsa.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl create secret tls example-cert-ecdsa --key=www.example.com.ecdsa.key --cert=www.example.com.ecdsa.crt +``` + +Patch the Gateway with this additional ECDSA Secret: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: add + path: /spec/listeners/1/tls/certificateRefs/- + value: + name: example-cert-ecdsa + ' +``` + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +## Testing + +Again, while testing in Cluster without External LoadBalancer Support, we can query the example app through Envoy proxy while enforcing an RSA cipher, which should work as it did before: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \ +--cacert 
example.com.crt https://www.example.com:8443/get -Isv --ciphers ECDHE-RSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+```
+
+```shell
+...
+* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
+* TLSv1.2 (IN), TLS handshake, Finished (20):
+* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
+...
+```
+
+Additionally, querying the example app while enforcing an ECDSA cipher should also work now:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get -Isv --ciphers ECDHE-ECDSA-CHACHA20-POLY1305 --tlsv1.2 --tls-max 1.2
+```
+
+```shell
+...
+* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
+* TLSv1.2 (IN), TLS handshake, Finished (20):
+* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
+...
+```
+
+# SNI based Certificate selection
+
+This sections gives a walkthrough to generate multiple certificates corresponding to different FQDNs. The same Gateway listener can then be configured to terminate TLS traffic for multiple FQDNs based on the SNI matching.
+
+## Prerequisites
+
+Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic.
+
+## Additional Configurations
+
+Using the [TLS Certificates](#tls-certificates) section, we first generate additional Secret for another Host `www.sample.com`.
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=sample Inc./CN=sample.com' -keyout sample.com.key -out sample.com.crt
+
+openssl req -out www.sample.com.csr -newkey rsa:2048 -nodes -keyout www.sample.com.key -subj "/CN=www.sample.com/O=sample organization"
+openssl x509 -req -days 365 -CA sample.com.crt -CAkey sample.com.key -set_serial 0 -in www.sample.com.csr -out www.sample.com.crt
+
+kubectl create secret tls sample-cert --key=www.sample.com.key --cert=www.sample.com.crt
+```
+
+Note that all occurrences of `example.com` were just replaced with `sample.com`
+
+
+Next we update the `Gateway` configuration to accommodate the new Certificate which will be used to Terminate TLS traffic:
+
+```shell
+kubectl patch gateway eg --type=json --patch '
+ - op: add
+ path: /spec/listeners/1/tls/certificateRefs/-
+ value:
+ name: sample-cert
+ '
+```
+
+Finally, we update the HTTPRoute to route traffic for hostname `www.sample.com` to the example backend service:
+
+```shell
+kubectl patch httproute backend --type=json --patch '
+ - op: add
+ path: /spec/hostnames/-
+ value: www.sample.com
+ '
+```
+
+## Testing
+
+{{< tabpane text=true >}}
+{{% tab header="With External LoadBalancer Support" %}}
+
+Refer to the steps mentioned earlier under [Testing in clusters with External LoadBalancer Support](#testing)
+
+
+{{% /tab %}}
+{{% tab header="Without LoadBalancer Support" %}}
+
+Get the name of the Envoy service created the by the example Gateway:
+
+```shell
+export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}')
+```
+
+Port forward to the Envoy service:
+
+```shell
+kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 &
+```
+
+Query the example app through Envoy proxy:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1"
\
+--cacert example.com.crt https://www.example.com:8443/get -I
+```
+
+Similarly, query the sample app through the same Envoy proxy:
+
+```shell
+curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \
+--cacert sample.com.crt https://www.sample.com:8443/get -I
+```
+
+Since the multiple certificates are configured on the same Gateway listener, Envoy was able to provide the client with appropriate certificate based on the SNI in the client request.
+
+{{% /tab %}}
+{{< /tabpane >}}
+
+## Customize Gateway TLS Parameters
+
+In addition to enablement of TLS with Gateway-API, Envoy Gateway supports customizing TLS parameters.
+To achieve this, the [ClientTrafficPolicy][] resource can be used to specify TLS parameters.
+We will customize the minimum supported TLS version in this example to TLSv1.3.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+## Testing TLS Parameters
+
+Attempt to connecting using an unsupported TLS version:
+
+```shell
+curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \
+--cacert sample.com.crt --tlsv1.2 --tls-max 1.2 https://www.sample.com:8443/get -I
+
+[...]
+
+* ALPN: curl offers h2,http/1.1
+* (304) (OUT), TLS handshake, Client hello (1):
+* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
+* Closing connection
+curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
+```
+
+The output shows that the connection fails due to an unsupported TLS protocol version used by the client. Now, connect
+to the Gateway without specifying a client version, and note that the connection is established with TLSv1.3.
+
+```shell
+curl -v -HHost:www.sample.com --resolve "www.sample.com:8443:127.0.0.1" \
+--cacert sample.com.crt https://www.sample.com:8443/get -I
+
+[...]
+
+* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
+
+[ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/
+[ClientTrafficPolicy]: ../../api/extension_types#clienttrafficpolicy
\ No newline at end of file
diff --git a/site/content/en/v1.2/tasks/security/threat-model.md b/site/content/en/v1.2/tasks/security/threat-model.md
new file mode 100644
index 00000000000..a16319f9d72
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/threat-model.md
@@ -0,0 +1,665 @@
+---
+title: "Threat Model"
+---
+
+# Envoy Gateway Threat Model and End User Recommendations
+
+## About
+
+This work was performed by [ControlPlane](https://control-plane.io/) and commissioned by the [Linux Foundation](https://www.linuxfoundation.org/). ControlPlane is a global cloud native and open source cybersecurity consultancy, trusted as the partner of choice in securing: multinational banks; major public clouds; international financial institutions; critical national infrastructure programs; multinational oil and gas companies, healthcare and insurance providers; and global media firms.
+
+## Threat Modelling Team
+
+James Callaghan, Torin van den Bulk, Eduardo Olarte
+
+## Reviewers
+
+Arko Dasgupta, Matt Turner, Zack Butcher, Marco De Benedictis
+
+## Introduction
+
+As we embrace the proliferation of microservice-based architectures in the cloud-native landscape, simplicity in setup and configuration becomes paramount as DevOps teams face the challenge of choosing between numerous similar technologies. One such choice which every team deploying to Kubernetes faces is what to use as an ingress controller. With a plethora of options available, and the existence of vendor-specific annotations leading to small inconsistencies between implementations, the [Gateway API](https://gateway-api.sigs.k8s.io/) project was introduced by the SIG-NETWORK community, with the goal of eventually replacing the Ingress resource.
+
+Envoy Gateway is configured by Gateway API resources, and serves as an intuitive and feature-rich wrapper over the widely acclaimed Envoy Proxy. With a convenient setup based on Kubernetes (K8s) manifests, Envoy Gateway streamlines the management of Envoy Proxy instances in an edge-proxy setting, reducing the operational overhead of managing low-level Envoy configurations.
Envoy Gateway benefits cloud-native DevOps teams through its role-oriented configuration, providing granular control based on Role-Based Access Control (RBAC) principles. These features form the basis of our exploration into Envoy Gateway and the rich feature set it brings to the table.
+
+In this threat model, we aim to provide an analysis of Envoy Gateway's design components and their capabilities (at version 1.0) through a threat-driven approach. It should be noted that this does not constitute a security audit of the Envoy Gateway project, but instead focuses on different possible deployment topologies for Envoy Gateway with the goal of deriving recommendations and best practice guidance for end users.
+
+The Envoy Gateway project recommends a [multi-tenancy model](../operations/deployment-mode#multi-tenancy) whereby each tenant deploys their own Envoy Gateway controller in a namespace which they own. We will also explore the implications and risks associated with multiple tenants using a shared controller.
+
+### Scope
+
+The primary focus of this threat model is to identify and assess security risks associated with deploying and operating Envoy Gateway within a multi-tenant Kubernetes (K8s) cluster. This model aims to provide a comprehensive understanding of the system, its transmission points, and potential vulnerabilities to enumerated threats.
+
+### In Scope
+
+**Envoy Gateway**: As the primary focus of this threat model, all aspects of Envoy Gateway, including its configuration, deployment, and operation will be analysed. This includes how the gateway manages TLS certificates, authentication, service-to-service traffic routing, and more.
+
+**Kubernetes Cluster**: Configuration and operation of the underlying Kubernetes cluster, including how it manages network policies, access control, and resource isolation for different namespaces/tenants in relation to Envoy will be considered.
+
+**Tenant Workloads**: Tenant workloads (and the pods they run on) will be considered, focusing on how they interact with the Envoy Gateway and potential vulnerabilities that could be exploited.
+
+#### Out of Scope
+
+This threat model will not consider security risks associated with the underlying infrastructure (e.g., EC2 compute instances and S3 buckets) or non-Envoy related components within the Kubernetes Cluster. It will focus solely on the Envoy Gateway and its interaction with the Kubernetes cluster and tenant workloads.
+
+Implementation of Envoy Gateway as an egress traffic controller is out of scope for this threat model and will not be considered in the report's findings.
+
+### Related Resources
+
+[Introducing Envoy Gateway](https://blog.envoyproxy.io/introducing-envoy-gateway-ad385cc59532)
+
+[Envoy Proxy Threat Model](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#threat-model)
+
+[Configuring Envoy as an Edge Proxy](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge)
+
+[Envoy Gateway Deployment Mode](../operations/deployment-mode)
+
+[Kubernetes Gateway API Security Model](https://gateway-api.sigs.k8s.io/concepts/security-model/)
+
+## Architecture Overview
+
+### Summary
+
+To provide an in-depth look into both the system design and end-user deployment of Envoy Gateway, we will be focusing on the [Deployment Architecture Diagram](#deployment-architecture-diagram) below.
+
+The Deployment Architecture Diagram provides a high-level model of an end-user deployment of Envoy Gateway. For simplicity, we will look at different deployment topologies on a single multi-tenant Kubernetes cluster. Envoy Gateway operates as an edge proxy within this environment, handling the traffic flow between external interfaces and services within the cluster.
The example will use two Envoy Gateway controllers - one dedicated controller for a single tenant, and one shared controller for two other tenants. Each Envoy Gateway controller will accept a single GatewayClass resource.
+
+### Deployment Architecture Diagram
+
+As Envoy Gateway implements the [Kubernetes GatewayAPI](https://gateway-api.sigs.k8s.io/concepts/api-overview/), this threat model will focus on the key objects in the Gateway API resource model:
+
+1. **GatewayClass:** defines a set of gateways with a commonconfiguration and behaviour. It is a cluster scoped resource.
+
+2. **Gateway:** requests a point where traffic can be translated to Services within the cluster.
+
+3. **Routes:** describe how traffic coming via the Gateway maps to theServices.
+
+At the time of writing, Envoy Gateway only supports a Kubernetes provider. As such, we will consider a reference architecture where multiple teams are working on the same Kubernetes cluster within different namespaces (Tenant A, B, & C). We will assume that some teams have similar security and performance needs, and a decision has been made to use a shared Gateway. However, we will also consider the case that some teams require dedicated Gateways, perhaps for compliance reasons or requirements driven by an internal threat model.
+
+We will consider the following organisational roles, as per the [Gateway API security model](https://gateway-api.sigs.k8s.io/concepts/security-model/):
+
+1. **Infrastructure provider**: The infrastructure provider (infra) is responsible for the overall environment that the cluster(s) are operating in. Examples include: the cloud provider (AWS, Azure, GCP, ...) or the PaaS provider in a company.
+
+2. **Cluster operator**: The cluster operator (ops) is responsible for administration of entire clusters. They manage policies, network access, application permissions.
+
+3.
**Application developer**: The application developer (dev) is responsible for defining their application configuration (e.g. timeouts, request matching/filter) and Service composition (e.g. path routing to backends).
+
+4. **Application admin**: The application admin has administrative access to some namespaces within a cluster, but not the cluster as a whole.
+
+Our threat model will be based on the high-level setup shown below, where Envoy is used in an edge-proxy scenario:
+
+![Architecture](/img/architecture_threat_model.png)
+
+The following use cases will be considered, in line with the [Envoy Gateway tasks](../quickstart):
+
+1. Routing and controlling traffic, including:
+ a. HTTP \
+ b. TCP \
+ c. UDP \
+ d. gRPC \
+ e.TLS passthrough
+2. TLS termination
+3. Request Authentication
+4. Rate Limiting
+
+## Key Assumptions
+
+This section outlines the foundational premises that shape our analysis and recommendations for the deployment and management of Envoy Gateway within an organisation. The key assumptions are as follows:
+
+**1. Kubernetes Provider**: For the purposes of this analysis, we assume that a K8s provider will be used to host the cluster.
+
+**2. Multi-tenant cluster**: In order to produce a broad set of recommendations, it is assumed that within the single cluster, there is:
+
+- A dedicated cluster operation (ops) team responsible for maintaining the core cluster infrastructure.
+
+- Multiple application teams who wish to define their own Gateway resources, which will route traffic to their respective applications.
+
+**3. Soft multi-tenancy model**: It is assumed that co-tenants will have some level of trust between themselves, and will not act in an overtly hostile manner to each other.
+
+**4. Ingress Control**: It's assumed that Envoy Gateway is the only ingress controller in the K8s cluster as multiple controllers can lead to complex routing challenges and introduce out-of-scope security vulnerabilities.
+
+**5.
Container Security**: This threat model focuses on evaluating the security of the Envoy Gateway and Envoy Proxy images. All other container images running in tenant clusters, not associated with the edge proxy deployment, are assumed to be secure and obtained from trusted registries such as Docker Hub or Google Container Registry (GCR).
+
+**6. Cloud Provider Security**: It is assumed that the K8s cluster is running on secure cloud infrastructure provided by a trusted Cloud Service Provider (CSP) such as AWS, GCP, or Azure Cloud.
+
+## Data
+
+### Data Dictionary
+
+Ultimately, the data of interest in a threat model is the business data processed by the system in question. However, in the case of this threat model, we are looking at a generic deployment architecture involving Envoy Gateway in order to draw out a set of generalised threats which can be considered by teams looking to adopt an implementation of Gateway API. As such, we do not know the business impacts of a compromise of confidentiality, integrity or availability that would typically be captured in a data impact assessment. Instead, will we base our threat assessment on high-level groupings of data structures used in the configuration and operation of the general use cases considered (e.g. HTTP routing, TLS termination, request authentication etc.). We will then assign a confidentiality, integrity and availability impact based on a worst-case scenario of how each compromise could potentially affect business data processed by the generic deployment.
+
+| Data Name / Type | Notes | Confidentiality | Integrity | Availability |
+| ------------ | ------------ | ------------ |--------------- | ------------ |
+| Static Configuration Data | Static configuration data is used to configure Envoy Gateway at startup. This data structure allows for a Provider to be set, which Envoy Gateway calls to establish its runtime configuration, resolve services and persist data.
Unauthorised modification of static configuration data could enable the Envoy Gateway admin interface to be configured, logging parameters to be modified, global rate limiting configuration to be misconfigured, or malicious extensions registered for the Envoy Gateway Control Plane. A compromise of confidentiality could potentially give an attacker some useful reconnaissance information. A compromise of the availability of this information at startup time would result in Envoy Gateway starting with default parameters. | Medium | High | Low |
+| Dynamic Configuration Data | Dynamic configuration data represents the desired state of the Data Plane, and is defined through Envoy Gateway and Gateway API Kubernetes resources. Unauthorised modification of this data could lead to vulnerabilities in an organisation’s Data Plane infrastructure via misconfiguration of an EnvoyProxy custom resource. Misconfiguration of Gateway API objects such as HTTPRoutes or TLSRoutes could result in traffic being directed to incorrect backends. A compromise of confidentiality could potentially give an attacker some useful reconnaissance information. A compromise of the availability of this information could result in tenant application traffic not being routable until the configuration is recovered and reapplied. | Medium | High | Medium |
+| TLS Private Keys | TLS Private Keys, typically in PEM format, are used to initiate secure connections and encrypt communications. In the context of this threat model, private keys will be associated with the server side of an inbound TLS connection being terminated at a secure gateway configured through Envoy Gateway. Unauthorised exposure could lead to security threats such as person-in-the-middle attacks, whereby the confidentiality or integrity of business data could be compromised. A compromise of integrity may lead to similar consequences if an attacker could insert their own key material.
An availability compromise could lead to tenant services being unavailable until new key material is generated and an appropriate CSR submitted. | High | High | Medium |
+| TLS Certificates | X.509 certificates represent the binding of a public key (associated with the private key described above) to an identity in a TLS handshake. If an attacker could compromise the integrity of a certificate, they may be able to bind the identity of a TLS termination point to a key pair under their control, enabling person-in-the middle attacks. An availability compromise could lead to tenant services being unavailable until new key material is generated and an appropriate CSR submitted. | Low | High | Medium |
+| JWKs | JWK (JSON Web Key) containing a public key used to validate JWTs for the client authentication use case considered in this threat model. If an attacker could compromise the integrity of a JWK or JSON web key set (JWKS), they could potentially authenticate to a service maliciously. Unavailability of an endpoint exposing JWKs could lead to client requests which require authentication being denied. | Low | High | Medium |
+| JWTs | JWTs, formatted as compact, URL-safe JSON data structures, are utilised for the client authentication use case considered in this threat model. Maintaining their confidentiality and integrity is vital to prevent unauthorised access and ensure correct user identification. | High | High | Low |
+| OIDC credentials | In OIDC authentication scenarios, the application credentials are represented by a client ID and a client secret. A compromise of its confidentiality or integrity could allow malicious actors to impersonate the application, potentially being able to access resources on behalf of the application and request ID tokens on behalf of users. Unavailability of this data would produce a rejection of the requests coming from legitimate users.
| High | High | Medium |
+| Basic authentiation password hashes | In basic authentication scenarios, passwords are stored as Kubernetes secrets in [htpasswd](https://httpd.apache.org/docs/current/programs/htpasswd.html) format, where each entry is formed by the username and the hashed password. A compromise of these credentials' confidentiality and integrity could lead to unauthorised access to the application. Unavailability of these credentials will cause login failures from the application users. | High | High | Medium |
+
+### CIA Impact Assessment
+
+| Priority | Description |
+| --- | --- |
+| **Confidentiality** | |
+| High | Compromise of sensitive client data |
+| Medium | Information leaked which could be useful for attacker reconnaissance |
+| Low | Non-sensitive information leakage |
+| **Integrity** | |
+| High | Compromise of source code repositories and gateway deployments |
+| Medium | Traffic routing fails due to misconfiguration / invalid configuration |
+| Low | Non-critical operation is blocked due to misconfiguration / invalid configuration |
+| **Availability** | |
+| High | Large scale DoS |
+| Medium | Tenant application is blocked for a significant period |
+| Low | Tenant application is blocked for a short period |
+
+### Data Flow Diagrams
+
+The Data Flow Diagrams (DFDs) below describe the flow of data between the various processes, entities and data stores in a system, as well as the trust boundaries between different user roles and network interfaces. The DFDs are drawn at two different levels, starting at L0 (high-level system view) and increasing in granularity (to L1).
+
+### DFD L0
+
+![DFD L0](/img/DFDL0.png)
+
+### DFD L1
+
+![DFD L1](/img/DFDL1.png)
+
+## Key Threats and Recommendations
+
+The scope of this threat model led to us categorising threats into priorities of High, Medium or Low; notably in a production implementation some of the threats' prioritisation may be upgraded or downgraded depending on the business context and data classification.
+
+### Risk vs. Threat
+
+For every finding, the risk and threat are stated. Risk defines the potential for negative outcome while threat defines the event that causes the negative outcome.
+
+### Threat Categorization
+
+Throughout this threat model, we categorised threats into different areas based on their origin and the segment of the system that they impact. Here's an overview of each category:
+
+**Container Security (CS)**: These threats are general to containerised applications. Therefore, they are not associated with Envoy Gateway or the Gateway API and could occur in most containerised workloads. They can originate from misconfigurations or vulnerabilities in the orchestrator or the container.
+
+**Gateway API (GW)**: These are threats related to the Gateway API that could affect any of its implementations. Malicious actors could benefit from misconfigurations or excessive permissions on the Gateway API resources (e.g. xRoutes or Gateways) to compromise the confidentiality, integrity, or availability of the application.
+
+**Envoy Gateway (EG)**: These threats are associated with specific configurations or features from Envoy Gateway or Envoy Proxy. If not set properly, these features could be leveraged to gain unauthorised access to protected resources.
+
+### Threat Actors
+
+In order to provide a realistic set of threats that is applicable to most organisations, we de-scoped the most advanced and hard to mitigate threat actors as described below:
+
+#### In Scope Threat Actors
+
+When considering internal threat actors, we chose to follow the [security model](https://gateway-api.sigs.k8s.io/concepts/security-model/) of the Kubernetes Gateway API.
+
+##### Internal Attacker
+
+- Cluster Operator: The cluster operator (ops) is responsible for administration of entire clusters. They manage policies, network access, application permissions.
+
+- Application Developer: The application developer (dev) is responsible for defining their application configuration (e.g. timeouts, request matching/filter) and Service composition (e.g. path routing to backends).
+
+- Application Administrator: The application admin has administrative access to some namespaces within a cluster, but not the cluster as a whole.
+
+##### External Attacker
+
+- Vandal: Script kiddie, trespasser
+
+- Motivated Individual: Political activist, thief, terrorist
+
+- Organised Crime: Syndicates, state-affiliated groups
+
+#### Out of Scope Threat Actors
+
+##### External Actors
+
+- Infrastructure Provider: The infrastructure provider (infra) is responsible for the overall environment that the cluster(s) are operating in. Examples include: the cloud provider, or the PaaS provider in a company.
+
+- Cloud Service Insider: Employee, external contractor, temporary worker
+
+- Foreign Intelligence Services (FIS): Nation states
+
+## High Priority Findings
+
+### EGTM-001 Usage of self-signed certificates
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-001|EGTM-GW-001|Gateway API|High|
+
+ **Risk**: Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.
+
+ **Threat**: Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.
+
+ **Recommendation**: The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.
+
+ PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](../security/mutual-tls) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments.
+
+### EGTM-002 Private keys are stored as Kubernetes secrets
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|--------------|------------------------|-----------------|
+|EGTM-002|EGTM-CS-001|Container Security|High|
+
+ **Risk**: There is a risk that a threat actor could compromise the Kubernetes secret containing the Envoy private key, allowing the attacker to decrypt Envoy Proxy traffic, compromising the confidentiality of proxied traffic.
+
+ **Threat**: Kubernetes secret containing the Envoy private key is compromised and used to decrypt proxied traffic.
+
+ **Recommendation**: Certificate management best practices mandate short-lived key material where practical, meaning that a mechanism for rotation of private keys and certificates is required, along with a way for certificates to be mounted into Envoy containers. If Kubernetes secrets are used, when a certificate expires, the associated secret must be updated, and Envoy containers must be redeployed. Instead of a manual configuration, it is recommended that [cert-manager](https://github.com/cert-manager/cert-manager) is used.
+
+### EGTM-004 Usage of ClusterRoles with wide permissions
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|--------------|------------------------|-----------------|
+|EGTM-004|EGTM-K8-002|Container Security|High|
+
+ **Risk**: There is a risk that a threat actor could abuse misconfigured RBAC to access the Envoy Gateway ClusterRole (envoy-gateway-role) and use it to expose all secrets across the cluster, thus compromising the confidentiality and integrity of tenant data.
+
+ **Threat**: Compromised Envoy Gateway or misconfigured ClusterRoleBinding (envoy-gateway-rolebinding) to Envoy Gateway ClusterRole (envoy-gateway-role), provides access to resources and secrets in different namespaces.
+
+ **Recommendation**: Users should be aware that Envoy Gateway uses a ClusterRole (envoy-gateway-role) when deployed via the Helm chart, to allow management of Envoy Proxies across different namespaces. This ClusterRole is powerful and includes the ability to read secrets in namespaces which may not be within the purview of Envoy Gateway.
+
+ Kubernetes best-practices involve restriction of ClusterRoleBindings, with the use of RoleBindings where possible to limit access per namespace by specifying the namespace in metadata. Namespace isolation reduces the impact of compromise from cluster-scoped roles. Ideally, fine-grained K8s roles should be created per the principle of least privilege to ensure they have the minimum access necessary for role functions.
+
+ The pull request \#[1656](https://github.com/envoyproxy/gateway/pull/1656) introduced the use of Roles and RoleBindings in [namespaced mode](https://gateway.envoyproxy.io/latest/api/extension_types/#kuberneteswatchmode). This feature can be leveraged to reduce the amount of permissions required by the Envoy Gateway.
+
+### EGTM-007 Misconfiguration of Envoy Gateway dynamic config
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-007|EGTM-EG-002|Envoy Gateway|High|
+
+ **Risk**: There is a risk that a threat actor could exploit misconfigured Kubernetes RBAC to create or modify Gateway API resources with no business need, potentially leading to the compromise of the confidentiality, integrity, and availability of resources and traffic within the cluster.
+
+ **Threat**: Unauthorised creation or misconfiguration of Gateway API resources by a threat actor with cluster-scoped access.
+
+ **Recommendation**: Configure the apiGroup and resource fields in RBAC policies to restrict access to [Gateway](https://gateway-api.sigs.k8s.io/) and [GatewayClass](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/) resources.
Enable namespace isolation by using the namespace field, preventing unauthorised access to gateways in other namespaces.
+
+### EGTM-009 Co-tenant misconfigures resource across namespaces
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-009|EGTM-GW-002|Gateway API|High|
+
+ **Risk**: There is a risk that a co-tenant misconfigures Gateway or Route resources, compromising the confidentiality, integrity, and availability of routed traffic through Envoy Gateway.
+
+ **Threat**: Malicious or accidental co-tenant misconfiguration of Gateways and Routes associated with other application teams.
+
+ **Recommendation**: Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](../operations/deployment-mode) documentation.
+
+ Application Admins should have write permissions on the Gateway resource, but only in their specific namespaces, and Application Developers should only hold write permissions on Route resources. To enact this access control schema, follow the [Write Permissions for Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model) described in the Kubernetes Gateway API security model. Examples of secured gateway-route topologies can be found [here](https://gateway-api.sigs.k8s.io/concepts/api-overview/#attaching-routes-to-gateways) within the Kubernetes Gateway API docs.
+
+ Optionally, consider a GitOps model, where only the GitOps operator has the permission to deploy or modify custom resources in production.
+
+### EGTM-014 Malicious image admission
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-014|EGTM-CS-006|Container Security|High|
+
+ **Risk**: There is a risk that a supply chain attack on Envoy Gateway results in an arbitrary compromise of the confidentiality, integrity or availability of tenant data.
+
+ **Threat**: Supply chain threat actor introduces malicious code into Envoy Gateway or Proxy.
+
+ **Recommendation**: The Envoy Gateway project should continue to work towards conformance with supply-chain security best practices throughout the project lifecycle (for example, as set out in the [CNCF Software Supply Chain Best Practices Whitepaper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)). Adherence to [Supply-chain Levels for Software Artefacts](https://slsa.dev/) (SLSA) standards is crucial for maintaining the security of the system. Employ version control systems to monitor the source and build platforms and assign responsibility to a specific stakeholder.
+
+ Integrate a supply chain security tool such as Sigstore, which provides native capabilities for signing and verifying container images and software artefacts. [Software Bill of Materials](https://www.cisa.gov/sbom) (SBOM), [Vulnerability Exploitability eXchange](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf) (VEX), and signed artefacts should also be incorporated into the security protocol.
+
+### EGTM-020 Out of date or misconfigured Envoy Proxy image
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-020|EGTM-CS-009|Container Security|High|
+
+ **Risk**: There is a risk that a threat actor exploits an Envoy Proxy vulnerability to remote code execution (RCE) due to out of date or misconfigured Envoy Proxy pod deployment, compromising the confidentiality and integrity of Envoy Proxy along with the availability of the proxy service.
+
+ **Threat**: Deployment of an Envoy Proxy or Gateway image containing exploitable CVEs.
+
+ **Recommendation**: Always use the latest version of the Envoy Proxy image. Regularly check for updates and patch the system as soon as updates become available. Implement a CI/CD pipeline that includes security checks for images and prevents deployment of insecure configurations. A suitable tool should be chosen to provide container vulnerability scanning to mitigate the risk of known vulnerabilities.
+
+ Utilise the [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller to enforce [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) and configure the [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to limit its capabilities per the principle of least privilege.
+
+### EGTM-022 Credentials are stored as Kubernetes Secrets
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-022|EGTM-CS-010|Container Security|High|
+
+ **Risk**: There is a risk that the OIDC client secret (for OIDC authentication) and user password hashes (for basic authentication) get leaked due to misconfigured RBAC permissions.
+
+ **Threat**: Unauthorised access to the application due to credential leakage.
+
+ **Recommendation**: Ensure that only authorised users and service accounts are able to access secrets. This is especially important in namespaces where SecurityPolicy objects are configured, since those namespaces are the ones to store secrets containing the client secret (in OIDC scenarios) and user password hashes (in basic authentication scenarios).
+
+ To do so, minimise the use of ClusterRoles and Roles allowing listing and getting secrets. Perform periodic audits of RBAC permissions.
+
+### EGTM-023 Weak Authentication
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-023|EGTM-EG-007|Envoy Gateway|High|
+
+ **Risk**: There is a risk of unauthorised access due to the use of basic authentication, which does not enforce any password restriction in terms of complexity and length. In addition, password hashes are stored in SHA1 format, which is a deprecated hashing function.
+
+ **Threat**: Unauthorised access to the application due to weak authentication mechanisms.
+
+ **Recommendation**: It is recommended to make use of stronger authentication mechanisms (i.e. JWT authentication and OIDC authentication) instead of basic authentication. These authentication mechanisms have many advantages, such as the use of short-lived credentials and a central management of security policies through the identity provider.
+
+## Medium Priority Findings
+
+### EGTM-008 Misconfiguration of Envoy Gateway static config
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-008|EGTM-EG-003|Envoy Gateway|Medium|
+
+ **Risk**: There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.
+
+ **Threat**: Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.
+
+ **Recommendation**: Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [Flux](https://fluxcd.io/) and [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration.
+
+### EGTM-010 Weak pod security contexts and policies
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-010|EGTM-CS-005|Container Security|Medium|
+
+ **Risk**: There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.
+
+ **Threat**: Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.
+
+ **Recommendation**: To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods.
Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.
+
+ Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification.
+
+### EGTM-012 ClusterRoles and Roles with permission to deploy ReferenceGrants
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|----------------|----------------------|-----------------|
+|EGTM-012|EGTM-GW-004|Gateway API|Medium|
+
+ **Risk**: There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.
+
+ **Threat**: A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.
+
+ **Recommendation**: Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action.
+
+### EGTM-018 Network Denial of Service (DoS)
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|----------------|----------------------|-----------------|
+|EGTM-018|EGTM-GW-006|Gateway API|Medium|
+
+ **Risk**: There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.
+
+ **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.
+
+ **Recommendation**: To ensure high availability and mitigate potential security threats, follow the guidelines in the Envoy Gateway documentation for configuring [local rate limit](../traffic/local-rate-limit) filters, [global rate limit](../traffic/global-rate-limit) filters, and load balancing.
+
+ Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs.
This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). 
+
+ [Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS) attacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types.
+
+### EGTM-019 JWT-based authentication replay attacks
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-019|EGTM-DP-004|Container Security|Medium|
+
+ **Risk**: There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.
+
+ **Threat**: Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).
+
+ **Recommendation**: Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times.
+
+### EGTM-024 Excessive privileges via extension policies
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-024|EGTM-EG-008|Envoy Gateway|Medium|
+
+ **Risk**: There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource.
Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.
+
+ **Threat**: Excessive developer permissions lead to a misconfiguration and/or unauthorised access.
+
+ **Recommendation**: Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:
+
+ a. Create a separate namespace, where developers have no permissions, to host tenant C\'s gateway. Note that, due to design decisions, the SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy object can only target resources deployed in the same namespace. Therefore, having a separate namespace for the gateway would prevent developers from attaching the policy to the gateway.
+
+ b. Forbid the creation of these policies for developers in namespace C.
+
+ On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.
+
+ In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either.
+
+## Low Priority Findings
+
+### EGTM-003 Misconfiguration leads to insecure TLS settings
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|--------------|------------------------|-----------------|
+|EGTM-003|EGTM-EG-001|Envoy Gateway|Low|
+
+ **Risk**: There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.
+
+ **Threat**: Exploit weak cipher suite configuration to downgrade security of proxied connections.
+
+ **Recommendation**: Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.
+
+ EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object.
+
+### EGTM-005 Envoy Gateway Helm chart deployment does not set AppArmor and Seccomp profiles
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-005|EGTM-CP-002|Container Security|Low|
+
+ **Risk**: Threat actor who has obtained access to Envoy Gateway pod could exploit the lack of AppArmor and Seccomp profiles in the Envoy Gateway deployment to attempt a container breakout, given the presence of an exploitable vulnerability, potentially impacting the confidentiality and integrity node resources.
+
+ **Threat**: Unauthorised syscalls and malicious code running in the Envoy Gateway pod.
+
+ **Recommendation**: Implement [AppArmor](https://kubernetes.io/docs/tutorials/security/apparmor/) policies by setting \: \ within container.apparmor.security.beta.kubernetes.io (note, this config is set *per container*). Well-defined AppArmor policies may provide greater protection from unknown threats.
+
+ Enforce [Seccomp](https://kubernetes.io/docs/tutorials/security/seccomp/) profiles by setting the seccompProfile under securityContext. Ideally, a [fine-grained](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-with-a-seccomp-profile-that-only-allows-necessary-syscalls) profile should be used to restrict access to only necessary syscalls, however the \--seccomp-default flag can be set to resort to [RuntimeDefault](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile) which provides a container runtime specific. Example seccomp profiles can be found [here](https://kubernetes.io/docs/tutorials/security/seccomp/#download-profiles).
+
+ To further enhance pod security, consider implementing [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) via seLinuxOptions for additional syscall attack surface reduction. Setting readOnlyRootFilesystem == true enforces an immutable root filesystem, preventing the addition of malicious binaries to the PATH and increasing the attack cost. Together, these configuration items improve the pods [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+
+### EGTM-006 Envoy Proxy pods deployed with a shell enabled
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-006|EGTM-CS-004|Container Security|Low|
+
+ **Risk**: There is a risk that a threat actor exploits a vulnerability in Envoy Proxy to expose a reverse shell, enabling them to compromise the confidentiality, integrity and availability of tenant data via a secondary attack.
+
+ **Threat**: If an external attacker managed to exploit a vulnerability in Envoy, the presence of a shell would be greatly helpful for the attacker in terms of potentially pivoting, escalating, or establishing some form of persistence.
+
+ **Recommendation**: By default, Envoy uses a [distroless](https://github.com/GoogleContainerTools/distroless) image since v.0.6.0, which does not ship a shell. Therefore, ensure EnvoyProxy image is up-to-date and patched with the latest stable version.
+
+ If using private EnvoyProxy images, use a lightweight EnvoyProxy image without a shell or debugging tool(s) which may be useful for an attacker.
+
+ An [AuditPolicy](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy) (audit.k8s.io/v1beta1) can be configured to record API calls made within your cluster, allowing for identification of malicious traffic and enabling incident response. Requests are recorded based on stages which delineate between the lifecycle stage of the request made (e.g., RequestReceived, ResponseStarted, & ResponseComplete).
+
+### EGTM-011 Route Bindings on custom labels
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-011|EGTM-GW-003|Gateway API|Low|
+
+ **Risk**: There is a risk that a gateway owner (or someone with the ability to set namespace labels) maliciously or accidentally binds routes across namespace boundaries, potentially compromising the confidentiality and integrity of traffic in a multitenant scenario.
+
+ **Threat**: If a Route Binding within a Gateway Listener is configured based on a custom label, it could allow a malicious internal actor with the ability to label namespaces to change the set of namespaces supported by the Gateway.
+
+ **Recommendation**: Consider the use of custom admission control to restrict what labels can be set on namespaces through tooling such as [Kubewarden](https://kyverno.io/policies/pod-security/), [Kyverno](https://github.com/kubewarden), and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Route binding should follow the Kubernetes Gateway API security model, as shown [here](https://gateway-api.sigs.k8s.io/concepts/security-model/#1-route-binding), to connect gateways in different namespaces.
+
+### EGTM-013 GatewayClass namespace validation is not configured
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-013|EGTM-GW-005|Gateway API|Low|
+
+ **Risk**: There is a risk that an unauthorised actor deploys an unauthorised GatewayClass due to GatewayClass namespace validation not being configured, leading to non-compliance with business and security requirements.
+
+ **Threat**: Unauthorised deployment of Gateway resource via GatewayClass template which crosses namespace trust boundaries.
+
+ **Recommendation**: Leverage GatewayClass namespace validation to limit the namespaces where GatewayClasses can be run through a tool such as [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Reference pull request \#[24](https://github.com/open-policy-agent/gatekeeper-library/pull/24) within gatekeeper-library which outlines how to add GatewayClass namespace validation through a GatewayClassNamespaces API resource kind within the constraints.gatekeeper.sh/v1beta1 apiGroup.
+
+### EGTM-015 ServiceAccount token authentication
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-015|EGTM-CS-007|Container Security|Low|
+
+ **Risk**: There is a risk that threat actors could exploit ServiceAccount tokens for illegitimate authentication, thereby leading to privilege escalation and the undermining of gateway API resources\' integrity, confidentiality, and availability.
+
+ **Threat**: The threat arises from threat actors impersonating the envoy-gateway ServiceAccount through the replay of ServiceAccount tokens, thereby achieving escalated privileges and gaining unauthorised access to Kubernetes resources.
+
+ **Recommendation**: Limit the creation of ServiceAccounts to only when necessary, specifically refraining from using default service account tokens, especially for high-privilege service accounts. For legacy clusters running Kubernetes version 1.21 or earlier, note that ServiceAccount tokens are long-lived by default. To disable the automatic mounting of the service account token, set automountServiceAccountToken: false in the PodSpec.
+
+### EGTM-016 Misconfiguration leads to lack of Envoy Proxy access activity visibility
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-016|EGTM-EG-004|Envoy Gateway|Low|
+
+ **Risk**: There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.
+
+ **Threat**: Threat actors establish persistence and move laterally through the cluster unnoticed.
+
+ **Recommendation**: Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.
+
+ Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR).
+
+### EGTM-017 Misconfiguration leads to lack of Envoy Gateway activity visibility
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-017|EGTM-EG-005|Envoy Gateway|Low|
+
+ **Risk**: There is a risk that an insider misconfigures an envoy gateway component and goes unnoticed due to a low-touch logging configuration (via default) which responsible stakeholders are not aptly aware of or have immediate access to.
+
+ **Threat**: The threat emerges from an insider misconfiguring an Envoy Gateway component without detection.
+
+ **Recommendation**: Configure the logging level of the Envoy Gateway using the \'level\' field in [EnvoyGatewayLogging](https://gateway.envoyproxy.io/latest/api/extension_types/#envoygatewaylogging). Ensure the appropriate logging levels are set for relevant components such as \'gateway-api\', \'xds-translator\', or \'global-ratelimit\'. If left unspecified, the logging level defaults to \"info\", which may not provide sufficient detail for security monitoring.
+
+ Employ a centralised logging mechanism, like [Fluentd](https://github.com/fluent/fluentd), to enhance visibility into application-level activity and to enable efficient incident response.
+
+### EGTM-021 Exposed Envoy Proxy admin interface
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|---------------|-----------------------|-----------------|
+|EGTM-021|EGTM-EG-006|Envoy Gateway|Low|
+
+ **Risk**: There is a risk that the admin interface is exposed without valid business reason, increasing the attack surface.
+
+ **Threat**: Exposed admin interfaces give internal attackers the option to affect production traffic in unauthorised ways, and the option to exploit any vulnerabilities which may be present in the admin interface (e.g. by orchestrating malicious GET requests to the admin interface through CSRF, compromising Envoy Proxy global configuration or shutting off the service entirely e.g.
/quitquitquit).
+
+ **Recommendation**: The Envoy Proxy admin interface is only exposed to localhost, meaning that it is secure by default. However, due to the risk of misconfiguration, this recommendation is included.
+
+ Due to the importance of the admin interface, it is recommended to ensure that Envoy Proxies have not been accidentally misconfigured to expose the admin interface to untrusted networks.
+
+### EGTM-025 Envoy Proxy pods deployed running as root user in the container
+
+|**ID**|**UID**|**Category**|**Priority**|
+|--------------|--------------|------------------------|-----------------|
+|EGTM-025|EGTM-CS-011|Container Security|Low|
+
+**Risk**: The presence of a vulnerability, be it in the kernel or another system component, when coupled with containers running as root, could enable a threat actor to escape the container, thereby compromising the confidentiality, integrity, or availability of cluster resources
+
+ **Threat**: The Envoy Proxy container's root-user configuration can be leveraged by an attacker to escalate privileges, execute a container breakout, and traverse across trust boundaries.
+
+ **Recommendation**: By default, Envoy Gateway deployments do not use root users. Nonetheless, in case a custom image or deployment manifest is to be used, make sure Envoy Proxy pods run as a non-root user with a high UID within the container.
+
+Set runAsUser and runAsGroup security context options to specific UIDs (e.g., runAsUser: 1000 & runAsGroup: 3000) to ensure the container operates with the stipulated non-root user and group ID. If using helm chart deployment, define the user and group ID in the values.yaml file or via the command line during helm install / upgrade.
+
+## Appendix
+
+### In Scope Threat Actor Details
+
+|Threat Actor | Capability | Personal Motivation | Envoy Gateway Attack Samples|
+|-|-|-|-|
+|Application Developer | Leverage internal knowledge and personal access to the Envoy Gateway infrastructure to move laterally and transit trust boundaries | Disgruntled / personal grievances.

Financial incentives | Misconfigure XRoute resources to expose internal applications.

Misconfigure SecurityPolicy objects, reducing the security posture of an application.|
+|Application Administrator | Abuse privileged status to disrupt operations and tenant cluster services through Envoy Gateway misconfig | Disgruntled / personal grievances.

Financial incentives | Create malicious routes to internal applications.

Introduce malicious Envoy Proxy images.

Expose the Envoy Proxy Admin interface.|
+|Cluster Operator | Alter application-level deployments by misconfiguring resource dependencies & SCM to introduce vulnerabilities | Disgruntled / personal grievances.

Financial incentives.

Notoriety | Deploy malicious resources to expose internal applications.

Access authentication secrets.

Fall victim to phishing attacks and inadvertently share authentication credentials to cloud infrastructure or Kubernetes clusters.|
+|Vandal: Script Kiddie, Trespasser | Uses publicly available tools and applications (Nmap,Metasploit, CVE PoCs) | Curiosity.

Personal fame through defacement / denial of service of prominent public facing web resources | Small scale DOS.

Launches prepackaged exploits, runs crypto mining tools.

Exploit public-facing application services such as the bastion host to gain an initial foothold in the environment|
+|Motivated individual: Political activist, Thief, Terrorist | Write tools and exploits required for their means if sufficiently motivated.

Tend to use these in a targeted fashion against specific organisations. May combine publicly available exploits in a targeted fashion. Tamper with open source supply chains | Personal Gain (Political or Ideological) | Phishing, DDOS, exploit known vulnerabilities.

Compromise third-party components such as Helm charts and container images to inject malicious codes to propagate access throughout the environment.|
+|Organised crime: syndicates, state-affiliated groups | Write tools and exploits required for their means.

Tend to use these in a non-targeted fashion, unless motivation is sufficiently high.

Devotes considerable resources, writes exploits, can bribe/coerce, can launch targeted attacks | Ransom.

Mass extraction of PII / credentials / PCI data.

Financial incentives | Social Engineering, phishing, ransomware, coordinated attacks.

Intercept and replay JWT tokens (via MiTM) between tenant user(s) and envoy gateway to modify app configs in-transit| + +### Identified Threats by Priority + +|ID|UID|Category|Risk|Threat|Priority| Recommendation | +|-|-|-|-|-|-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|EGTM-001|EGTM-GW-001|Gateway API| Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.

| Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.

|High| The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.

PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](../security/mutual-tls) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. | +|EGTM-002|EGTM-CS-001|Container Security| There is a risk that a threat actor could compromise the Kubernetes secret containing the Envoy private key, allowing the attacker to decrypt Envoy Proxy traffic, compromising the confidentiality of proxied traffic.

| Kubernetes secret containing the Envoy private key is compromised and used to decrypt proxied traffic.

|High| Certificate management best practices mandate short-lived key material where practical, meaning that a mechanism for rotation of private keys and certificates is required, along with a way for certificates to be mounted into Envoy containers. If Kubernetes secrets are used, when a certificate expires, the associated secret must be updated, and Envoy containers must be redeployed. Instead of a manual configuration, it is recommended that [cert-manager](https://github.com/cert-manager/cert-manager) is used. | +|EGTM-004|EGTM-K8-002|Container Security| There is a risk that a threat actor could abuse misconfigured RBAC to access the Envoy Gateway ClusterRole (envoy-gateway-role) and use it to expose all secrets across the cluster, thus compromising the confidentiality and integrity of tenant data.

| Compromised Envoy Gateway or misconfigured ClusterRoleBinding (envoy-gateway-rolebinding) to Envoy Gateway ClusterRole (envoy-gateway-role), provides access to resources and secrets in different namespaces.

|High| Users should be aware that Envoy Gateway uses a ClusterRole (envoy-gateway-role) when deployed via the Helm chart, to allow management of Envoy Proxies across different namespaces. This ClusterRole is powerful and includes the ability to read secrets in namespaces which may not be within the purview of Envoy Gateway.

Kubernetes best-practices involve restriction of ClusterRoleBindings, with the use of RoleBindings where possible to limit access per namespace by specifying the namespace in metadata. Namespace isolation reduces the impact of compromise from cluster-scoped roles. Ideally, fine-grained K8s roles should be created per the principle of least privilege to ensure they have the minimum access necessary for role functions.

The pull request \#[1656](https://github.com/envoyproxy/gateway/pull/1656) introduced the use of Roles and RoleBindings in [namespaced mode](https://gateway.envoyproxy.io/latest/api/extension_types/#kuberneteswatchmode). This feature can be leveraged to reduce the amount of permissions required by the Envoy Gateway. | +|EGTM-007|EGTM-EG-002|Envoy Gateway| There is a risk that a threat actor could exploit misconfigured Kubernetes RBAC to create or modify Gateway API resources with no business need, potentially leading to the compromise of the confidentiality, integrity, and availability of resources and traffic within the cluster.

| Unauthorised creation or misconfiguration of Gateway API resources by a threat actor with cluster-scoped access.

|High| Configure the apiGroup and resource fields in RBAC policies to restrict access to [Gateway](https://gateway-api.sigs.k8s.io/) and [GatewayClass](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/) resources. Enable namespace isolation by using the namespace field, preventing unauthorised access to gateways in other namespaces. | +|EGTM-009|EGTM-GW-002|Gateway API| There is a risk that a co-tenant misconfigures Gateway or Route resources, compromising the confidentiality, integrity, and availability of routed traffic through Envoy Gateway.

| Malicious or accidental co-tenant misconfiguration of Gateways and Routes associated with other application teams.

|High| Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](../operations/deployment-mode) documentation.

Application Admins should have write permissions on the Gateway resource, but only in their specific namespaces, and Application Developers should only hold write permissions on Route resources. To enact this access control schema, follow the [Write Permissions for Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model) described in the Kubernetes Gateway API security model. Examples of secured gateway-route topologies can be found [here](https://gateway-api.sigs.k8s.io/concepts/api-overview/#attaching-routes-to-gateways) within the Kubernetes Gateway API docs.

Optionally, consider a GitOps model, where only the GitOps operator has the permission to deploy or modify custom resources in production. | +|EGTM-014|EGTM-CS-006|Container Security| There is a risk that a supply chain attack on Envoy Gateway results in an arbitrary compromise of the confidentiality, integrity or availability of tenant data.

| Supply chain threat actor introduces malicious code into Envoy Gateway or Proxy.

|High| The Envoy Gateway project should continue to work towards conformance with supply-chain security best practices throughout the project lifecycle (for example, as set out in the [CNCF Software Supply Chain Best Practices Whitepaper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf). Adherence to [Supply-chain Levels for Software Artefacts](https://slsa.dev/) (SLSA) standards is crucial for maintaining the security of the system. Employ version control systems to monitor the source and build platforms and assign responsibility to a specific stakeholder.

Integrate a supply chain security tool such as Sigstore, which provides native capabilities for signing and verifying container images and software artefacts. [Software Bill of Materials](https://www.cisa.gov/sbom) (SBOM), [Vulnerability Exploitability eXchange](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf) (VEX), and signed artefacts should also be incorporated into the security protocol. | +|EGTM-020|EGTM-CS-009|Container Security| There is a risk that a threat actor exploits an Envoy Proxy vulnerability to remote code execution (RCE) due to out of date or misconfigured Envoy Proxy pod deployment, compromising the confidentiality and integrity of Envoy Proxy along with the availability of the proxy service.

| Deployment of an Envoy Proxy or Gateway image containing exploitable CVEs.

|High| Always use the latest version of the Envoy Proxy image. Regularly check for updates and patch the system as soon as updates become available. Implement a CI/CD pipeline that includes security checks for images and prevents deployment of insecure configurations. A tool such as Snyk can be used to provide container vulnerability scanning to mitigate the risk of known vulnerabilities.

Utilise the [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller to enforce [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) and configure the [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to limit its capabilities per the principle of least privilege. | +|EGTM-022|EGTM-CS-010|Container Security| There is a risk that the OIDC client secret (for OIDC authentication) and user password hashes (for basic authentication) get leaked due to misconfigured RBAC permissions.

| Unauthorised access to the application due to credential leakage.

|High| Ensure that only authorised users and service accounts are able to access secrets. This is especially important in namespaces where SecurityPolicy objects are configured, since those namespaces are the ones to store secrets containing the client secret (in OIDC scenarios) and user password hashes (in basic authentication scenarios).

To do so, minimise the use of ClusterRoles and Roles allowing listing and getting secrets. Perform periodic audits of RBAC permissions. | +|EGTM-023|EGTM-EG-007|Envoy Gateway| There is a risk of unauthorised access due to the use of basic authentication, which does not enforce any password restriction in terms of complexity and length. In addition, password hashes are stored in SHA1 format, which is a deprecated hashing function.

| Unauthorised access to the application due to weak authentication mechanisms.

|High| It is recommended to make use of stronger authentication mechanisms (i.e. JWT authentication and OIDC authentication) instead of basic authentication. These authentication mechanisms have many advantages, such as the use of short-lived credentials and a central management of security policies through the identity provider. | +|EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | +|EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | +|EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](../traffic/global-rate-limit) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | +|EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | +|EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](../operations/customize-envoyproxy) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | +|EGTM-005|EGTM-CP-002|Container Security| Threat actor who has obtained access to Envoy Gateway pod could exploit the lack of AppArmor and Seccomp profiles in the Envoy Gateway deployment to attempt a container breakout, given the presence of an exploitable vulnerability, potentially impacting the confidentiality and integrity of namespace resources.

| Unauthorised syscalls and malicious code running in the Envoy Gateway pod.

|Low| Implement [AppArmor](https://kubernetes.io/docs/tutorials/security/apparmor/) policies by setting \: \ within container.apparmor.security.beta.kubernetes.io (note, this config is set *per container*). Well-defined AppArmor policies may provide greater protection from unknown threats.

Enforce [Seccomp](https://kubernetes.io/docs/tutorials/security/seccomp/) profiles by setting the seccompProfile under securityContext. Ideally, a [fine-grained](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-with-a-seccomp-profile-that-only-allows-necessary-syscalls) profile should be used to restrict access to only necessary syscalls, however the \--seccomp-default flag can be set to resort to [RuntimeDefault](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile) which provides a container runtime specific. Example seccomp profiles can be found [here](https://kubernetes.io/docs/tutorials/security/seccomp/#download-profiles).

To further enhance pod security, consider implementing [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) via seLinuxOptions for additional syscall attack surface reduction. Setting readOnlyRootFilesystem == true enforces an immutable root filesystem, preventing the addition of malicious binaries to the PATH and increasing the attack cost. Together, these configuration items improve the pods [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). | +|EGTM-006|EGTM-CS-004|Container Security| There is a risk that a threat actor exploits a vulnerability in Envoy Proxy to expose a reverse shell, enabling them to compromise the confidentiality, integrity and availability of tenant data via a secondary attack.

| If an external attacker managed to exploit a vulnerability in Envoy, the presence of a shell would be greatly helpful for the attacker in terms of potentially pivoting, escalating, or establishing some form of persistence.

|Low| By default, Envoy uses a [distroless](https://github.com/GoogleContainerTools/distroless) image since v.0.6.0, which does not ship a shell. Therefore, ensure EnvoyProxy image is up-to-date and patched with the latest stable version.

If using private EnvoyProxy images, use a lightweight EnvoyProxy image without a shell or debugging tool(s) which may be useful for an attacker.

An [AuditPolicy](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy) (audit.k8s.io/v1beta1) can be configured to record API calls made within your cluster, allowing for identification of malicious traffic and enabling incident response. Requests are recorded based on stages which delineate between the lifecycle stage of the request made (e.g., RequestReceived, ResponseStarted, & ResponseComplete). | +|EGTM-011|EGTM-GW-003|Gateway API| There is a risk that a gateway owner (or someone with the ability to set namespace labels) maliciously or accidentally binds routes across namespace boundaries, potentially compromising the confidentiality and integrity of traffic in a multitenant scenario.

| If a Route Binding within a Gateway Listener is configured based on a custom label, it could allow a malicious internal actor with the ability to label namespaces to change the set of namespaces supported by the Gateway

|Low| Consider the use of custom admission control to restrict what labels can be set on namespaces through tooling such as [Kubewarden](https://kyverno.io/policies/pod-security/), [Kyverno](https://github.com/kubewarden), and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Route binding should follow the Kubernetes Gateway API security model, as shown [here](https://gateway-api.sigs.k8s.io/concepts/security-model/#1-route-binding), to connect gateways in different namespaces. | +|EGTM-013|EGTM-GW-005|Gateway API| There is a risk that an unauthorised actor deploys an unauthorised GatewayClass due to GatewayClass namespace validation not being configured, leading to non-compliance with business and security requirements.

| Unauthorised deployment of Gateway resource via GatewayClass template which crosses namespace trust boundaries.

|Low| Leverage GatewayClass namespace validation to limit the namespaces where GatewayClasses can be run through a tool such as using [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Reference pull request \#[24](https://github.com/open-policy-agent/gatekeeper-library/pull/24) within gatekeeper-library which outlines how to add GatewayClass namespace validation through a GatewayClassNamespaces API resource kind within the constraints.gatekeeper.sh/v1beta1 apiGroup. | +|EGTM-015|EGTM-CS-007|Container Security| There is a risk that threat actors could exploit ServiceAccount tokens for illegitimate authentication, thereby leading to privilege escalation and the undermining of gateway API resources\' integrity, confidentiality, and availability.

| The threat arises from threat actors impersonating the envoy-gateway ServiceAccount through the replay of ServiceAccount tokens, thereby achieving escalated privileges and gaining unauthorised access to Kubernetes resources.

|Low| Limit the creation of ServiceAccounts to only when necessary, specifically refraining from using default service account tokens, especially for high-privilege service accounts. For legacy clusters running Kubernetes version 1.21 or earlier, note that ServiceAccount tokens are long-lived by default. To disable the automatic mounting of the service account token, set automountServiceAccountToken: false in the PodSpec. | +|EGTM-016|EGTM-EG-004|Envoy Gateway| There is a risk that threat actors establish persistence and move laterally through the cluster unnoticed due to limited visibility into access and application-level activity.

| Threat actors establish persistence and move laterally through the cluster unnoticed.

|Low| Configure [access logging](../../../contributions/design/proxy-accesslog) in the EnvoyProxy. Use [ProxyAccessLogFormatType](../../api/extension_types#proxyaccesslogformattype) (Text or JSON) to specify the log format and ensure that the logs are sent to the desired sink types by setting the [ProxyAccessLogSinkType](https://gateway.envoyproxy.io/latest/api/extension_types/#proxyaccesslogsinktype). Make use of [FileEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#fileenvoyproxyaccesslog) or [OpenTelemetryEnvoyProxyAccessLog](https://gateway.envoyproxy.io/latest/api/extension_types/#opentelemetryenvoyproxyaccesslog) to configure File and OpenTelemetry sinks, respectively. If the settings aren\'t defined, the default format is sent to stdout.

Additionally, consider leveraging a central logging mechanism such as [Fluentd](https://github.com/fluent/fluentd) to enhance visibility into access activity and enable effective incident response (IR). | +|EGTM-017|EGTM-EG-005|Envoy Gateway| There is a risk that an insider misconfigures an envoy gateway component and goes unnoticed due to a low-touch logging configuration (via default) which responsible stakeholders are not aptly aware of or have immediate access to.

| The threat emerges from an insider misconfiguring an Envoy Gateway component without detection.

|Low| Configure the logging level of the Envoy Gateway using the \'level\' field in [EnvoyGatewayLogging](https://gateway.envoyproxy.io/latest/api/extension_types/#envoygatewaylogging). Ensure the appropriate logging levels are set for relevant components such as \'gateway-api\', \'xds-translator\', or \'global-ratelimit\'. If left unspecified, the logging level defaults to \"info\", which may not provide sufficient detail for security monitoring.

Employ a centralised logging mechanism, like [Fluentd](https://github.com/fluent/fluentd), to enhance visibility into application-level activity and to enable efficient incident response. | +|EGTM-021|EGTM-EG-006|Envoy Gateway| There is a risk that the admin interface is exposed without valid business reason, increasing the attack surface.

| Exposed admin interfaces give internal attackers the option to affect production traffic in unauthorised ways, and the option to exploit any vulnerabilities which may be present in the admin interface (e.g. by orchestrating malicious GET requests to the admin interface through CSRF, compromising Envoy Proxy global configuration or shutting off the service entirely (e.g., /quitquitquit).

|Low| The Envoy Proxy admin interface is only exposed to localhost, meaning that it is secure by default. However, due to the risk of misconfiguration, this recommendation is included.

Due to the importance of the admin interface, it is recommended to ensure that Envoy Proxies have not been accidentally misconfigured to expose the admin interface to untrusted networks. |
+|EGTM-025 | EGTM-CS-011 | Container Security | The presence of a vulnerability, be it in the kernel or another system component, when coupled with containers running as root, could enable a threat actor to escape the container, thereby compromising the confidentiality, integrity, or availability of cluster resources. | The Envoy Proxy container's root-user configuration can be leveraged by an attacker to escalate privileges, execute a container breakout, and traverse across trust boundaries. | Low | By default, Envoy Gateway deployments do not use root users. Nonetheless, in case a custom image or deployment manifest is to be used, make sure Envoy Proxy pods run as a non-root user with a high UID within the container. Set runAsUser and runAsGroup security context options to specific UIDs (e.g., runAsUser: 1000 & runAsGroup: 3000) to ensure the container operates with the stipulated non-root user and group ID. If using helm chart deployment, define the user and group ID in the values.yaml file or via the command line during helm install / upgrade. |
+
+
+## Attack Trees
+
+Attack trees offer a methodical way of describing the security of systems, based on varying attack patterns. It's important to approach the review of attack trees from a top-down perspective. The top node, also known as the root node, symbolises the attacker's primary objective. This goal is then broken down into subsidiary aims, each reflecting a different strategy to attain the root objective. This deconstruction persists until reaching the lowest level objectives or 'leaf nodes', which depict attacks that can be directly launched.
+
+It is essential to note that attack trees presented here are speculative paths for potential exploitation.
The Envoy Gateway project is in a continuous development cycle, and as the project evolves, new vulnerabilities may be exposed, or additional controls could be introduced. Therefore, the threats illustrated in the attack trees should be perceived as point-in-time reflections of the project’s current state at the time of writing this threat model.
+
+### Node ID Schema
+
+Each node in the attack tree is assigned a unique identifier following the AT#-## schema. This allows easy reference to specific nodes in the attack trees throughout the threat model. The first part of the ID (AT#) signifies the attack tree number, while the second part (##) represents the node number within that tree.
+
+### Logical Operators
+
+Logical AND/OR operators are used to represent the relationship between parent and child nodes. An AND operator means that all child nodes must be achieved to satisfy the parent node. An OR operator between a parent node and its child nodes means that any of the child nodes can be achieved to satisfy the parent node.
+
+### Attack Tree Node Legend
+
+![AT Legend](/img/AT-legend.png)
+
+### AT0
+
+![AT0](/img/AT0.png)
+
+### AT1
+
+![AT1](/img/AT1.png)
+
+### AT2
+
+![AT2](/img/AT2.png)
+
+### AT3
+
+![AT3](/img/AT3.png)
+
+### AT4
+
+![AT4](/img/AT4.png)
+
+### AT5
+
+![AT5](/img/AT5.png)
+
+### AT6
+
+![AT6](/img/AT6.png)
diff --git a/site/content/en/v1.2/tasks/security/tls-cert-manager.md b/site/content/en/v1.2/tasks/security/tls-cert-manager.md
new file mode 100644
index 00000000000..61ebb5c0162
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/tls-cert-manager.md
@@ -0,0 +1,435 @@
+---
+title: "Using cert-manager For TLS Termination"
+---
+
+This task shows how to set up [cert-manager](https://cert-manager.io/) to automatically create certificates and secrets for use by Envoy Gateway.
+It will first show how to enable the self-sign issuer, which is useful to test that cert-manager and Envoy Gateway can talk to each other.
+Then it shows how to use [Let's Encrypt's staging environment](https://letsencrypt.org/docs/staging-environment/).
+Changing to the Let's Encrypt production environment is straight-forward after that.
+
+## Prerequisites
+
+* A Kubernetes cluster and a configured `kubectl`.
+* The `helm` command.
+* The `curl` command or similar for testing HTTPS requests.
+* For the ACME HTTP-01 challenge to work
+ * your Gateway must be reachable on the public Internet.
+ * the domain name you use (we use `www.example.com`) must point to the Gateway's external IP(s).
+
+## Installation
+
+{{< boilerplate prerequisites >}}
+
+## Deploying cert-manager
+
+*This is a summary of [cert-manager Installation with Helm](https://cert-manager.io/docs/installation/helm/).*
+
+Installing cert-manager is straight-forward, but currently (v1.12) requires setting a feature gate to enable the Gateway API support.
+
+```console
+$ helm repo add jetstack https://charts.jetstack.io
+$ helm upgrade --install --create-namespace --namespace cert-manager --set installCRDs=true --set featureGates=ExperimentalGatewayAPISupport=true cert-manager jetstack/cert-manager
+```
+
+You should now have `cert-manager` running with nothing to do:
+
+```console
+$ kubectl wait --for=condition=Available deployment -n cert-manager --all
+deployment.apps/cert-manager condition met
+deployment.apps/cert-manager-cainjector condition met
+deployment.apps/cert-manager-webhook condition met
+
+$ kubectl get -n cert-manager deployment
+NAME READY UP-TO-DATE AVAILABLE AGE
+cert-manager 1/1 1 1 42m
+cert-manager-cainjector 1/1 1 1 42m
+cert-manager-webhook 1/1 1 1 42m
+```
+
+## A Self-Signing Issuer
+
+cert-manager can have any number of *issuer* configurations.
+The simplest issuer type is [SelfSigned](https://cert-manager.io/docs/configuration/selfsigned/).
+It simply takes the certificate request and signs it with the private key it generates for the TLS Secret.
+
+```
+Self-signed certificates don't provide any help in establishing trust between certificates.
+However, they are great for initial testing, due to their simplicity.
+```
+
+To install self-signing, run
+
+```console
+$ kubectl apply -f - <}}
+
+## TLS Certificates
+
+Generate the certificates and keys used by the Service to terminate client TLS connections.
+For the application, we'll deploy a sample echoserver app, with the certificates loaded in the application Pod.
+
+__Note:__ These certificates will not be used by the Gateway, but will remain in the application scope.
+
+Create a root certificate and private key to sign certificates:
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
+```
+
+Create a certificate and a private key for `passthrough.example.com`:
+
+```shell
+openssl req -out passthrough.example.com.csr -newkey rsa:2048 -nodes -keyout passthrough.example.com.key -subj "/CN=passthrough.example.com/O=some organization"
+openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in passthrough.example.com.csr -out passthrough.example.com.crt
+```
+
+Store the cert/keys in A Secret:
+
+```shell
+kubectl create secret tls server-certs --key=passthrough.example.com.key --cert=passthrough.example.com.crt
+```
+
+## Deployment
+
+Deploy TLS Passthrough application Deployment, Service and TLSRoute:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/tls-passthrough.yaml
+```
+
+Patch the Gateway from the Quickstart to include a TLS listener that listens on port `6443` and is configured for
+TLS mode Passthrough:
+
+```shell
+kubectl patch gateway eg --type=json --patch '
+ - op: add
+ path: /spec/listeners/-
+ value:
+ name: tls
+ protocol: TLS
+ hostname: passthrough.example.com
+ port: 6443
+ tls:
+ mode: Passthrough
+ '
+```
+
+## Testing
+
+{{< tabpane text=true >}}
+{{% tab header="With External LoadBalancer Support" %}}
+
+You can also test the same functionality by sending traffic to the External IP of the Gateway:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Curl the example app through the Gateway, e.g.
Envoy proxy:
+
+```shell
+curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:${GATEWAY_HOST}" \
+--cacert example.com.crt https://passthrough.example.com:6443/get
+```
+
+{{% /tab %}}
+{{% tab header="Without LoadBalancer Support" %}}
+
+Get the name of the Envoy service created the by the example Gateway:
+
+```shell
+export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}')
+```
+
+Port forward to the Envoy service:
+
+```shell
+kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 6043:6443 &
+```
+
+Curl the example app through Envoy proxy:
+
+```shell
+curl -v --resolve "passthrough.example.com:6043:127.0.0.1" https://passthrough.example.com:6043 \
+--cacert passthrough.example.com.crt
+```
+
+{{% /tab %}}
+{{< /tabpane >}}
+
+## Clean-Up
+
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+
+Delete the Secret:
+
+```shell
+kubectl delete secret/server-certs
+```
+
+## Next Steps
+
+Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project.
diff --git a/site/content/en/v1.2/tasks/security/tls-termination.md b/site/content/en/v1.2/tasks/security/tls-termination.md
new file mode 100644
index 00000000000..1100b04699f
--- /dev/null
+++ b/site/content/en/v1.2/tasks/security/tls-termination.md
@@ -0,0 +1,92 @@
+---
+title: "TLS Termination for TCP"
+---
+
+This task will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway.
+This task uses a self-signed CA, so it should be used for testing and demonstration purposes only.
+
+## Prerequisites
+
+- OpenSSL to generate TLS assets.
+
+## Installation
+
+{{< boilerplate prerequisites >}}
+
+## TLS Certificates
+
+Generate the certificates and keys used by the Gateway to terminate client TLS connections.
+
+Create a root certificate and private key to sign certificates:
+
+```shell
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
+```
+
+Create a certificate and a private key for `www.example.com`:
+
+```shell
+openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization"
+openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt
+```
+
+Store the cert/key in a Secret:
+
+```shell
+kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt
+```
+
+Install the TLS Termination for TCP example resources:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/tls-termination.yaml
+```
+
+Verify the Gateway status:
+
+```shell
+kubectl get gateway/eg -o yaml
+```
+
+## Testing
+
+{{< tabpane text=true >}}
+{{% tab header="With External LoadBalancer Support" %}}
+
+Get the External IP of the Gateway:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Query the example app through the Gateway:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:443:${GATEWAY_HOST}" \
+--cacert example.com.crt https://www.example.com/get
+```
+
+{{% /tab %}}
+{{% tab header="Without
LoadBalancer Support" %}}
+
+Get the name of the Envoy service created the by the example Gateway:
+
+```shell
+export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}')
+```
+
+Port forward to the Envoy service:
+
+```shell
+kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 &
+```
+
+Query the example app through Envoy proxy:
+
+```shell
+curl -v -HHost:www.example.com --resolve "www.example.com:8443:127.0.0.1" \
+--cacert example.com.crt https://www.example.com:8443/get
+```
+
+{{% /tab %}}
+{{< /tabpane >}}
diff --git a/site/content/en/v1.2/tasks/traffic/_index.md b/site/content/en/v1.2/tasks/traffic/_index.md
new file mode 100644
index 00000000000..f884ccdfcb0
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Traffic"
+weight: 1
+description: This section includes Traffic Management tasks.
+---
diff --git a/site/content/en/v1.2/tasks/traffic/backend.md b/site/content/en/v1.2/tasks/traffic/backend.md
new file mode 100644
index 00000000000..55d125a27ad
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/backend.md
@@ -0,0 +1,210 @@
+---
+title: "Backend Routing"
+---
+
+Envoy Gateway supports routing to native K8s resources such as `Service` and `ServiceImport`. The `Backend` API is a custom Envoy Gateway [extension resource][] that can used in Gateway-API [BackendObjectReference][].
+
+## Motivation
+The Backend API was added to support several use cases:
+- Allowing users to integrate Envoy with services (Ext Auth, Rate Limit, ALS, ...) using Unix Domain Sockets, which are currently not supported by K8s.
+- Simplify [routing to cluster-external backends][], which currently requires users to maintain both K8s `Service` and `EndpointSlice` resources.
+
+## Warning
+
+Similar to the K8s EndpointSlice API, the Backend API can be misused to allow traffic to be sent to otherwise restricted destinations, as described in [CVE-2021-25740][].
+A Backend resource can be used to:
+- Expose a Service or Pod that should not be accessible
+- Reference a Service or Pod by a Route without appropriate Reference Grants
+- Expose the Envoy Proxy localhost (including the Envoy admin endpoint)
+
+For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC.
+
+## Restrictions
+
+The Backend API is currently supported only in the following BackendReferences:
+- [HTTPRoute]: IP and FQDN endpoints
+- [TLSRoute]: IP and FQDN endpoints
+- [Envoy Extension Policy] (ExtProc): IP, FQDN and unix domain socket endpoints
+- [Security Policy]: IP and FQDN endpoints for the OIDC providers
+
+The Backend API supports attachment the following policies:
+- [Backend TLS Policy][]
+
+Certain restrictions apply on the value of hostnames and addresses. For example, the loopback IP address range and the localhost hostname are forbidden.
+
+Envoy Gateway does not manage the lifecycle of unix domain sockets referenced by the Backend resource.
Envoy Gateway admins are responsible for creating and mounting the sockets into the envoy proxy pod. The latter can be achieved by patching the envoy deployment using the [EnvoyProxy][] resource.
+
+## Quickstart
+
+### Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+### Enable Backend
+
+* By default [Backend][] is disabled. Lets enable it in the [EnvoyGateway][] startup configuration
+
+* The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it
+ using a `ConfigMap`. In the next step, we will update this resource to enable Backend.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+{{< boilerplate rollout-envoy-gateway >}}
+
+## Testing
+
+### Route to External Backend
+
+* In the following example, we will create a `Backend` resource that routes to httpbin.org:80 and a `HTTPRoute` that references this backend.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Get the Gateway address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Send a request and view the response:
+
+```shell
+curl -I -HHost:www.example.com http://${GATEWAY_HOST}/headers
+```
+
+[Backend]: ../../../api/extension_types#backend
+[routing to cluster-external backends]: ./../../tasks/traffic/routing-outside-kubernetes.md
+[BackendObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendObjectReference
+[extension resource]: https://gateway-api.sigs.k8s.io/guides/migrating-from-ingress/#approach-to-extensibility
+[CVE-2021-25740]: https://nvd.nist.gov/vuln/detail/CVE-2021-25740
+[upstream recommendations]: https://github.com/kubernetes/kubernetes/issues/103675
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute
+[TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute
+[Envoy Extension Policy]:
../../../api/extension_types#envoyextensionpolicy
+[Security Policy]: ../../../api/extension_types#oidcprovider
+[Backend TLS Policy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
+[EnvoyProxy]: ../../../api/extension_types#envoyproxy
+[EnvoyGateway]: ../../../api/extension_types#envoygateway
diff --git a/site/content/en/v1.2/tasks/traffic/circuit-breaker.md b/site/content/en/v1.2/tasks/traffic/circuit-breaker.md
new file mode 100644
index 00000000000..6a359c5e0dc
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/circuit-breaker.md
@@ -0,0 +1,149 @@
+---
+title: "Circuit Breakers"
+---
+
+[Envoy circuit breakers] can be used to fail quickly and apply back-pressure in response to upstream service degradation.
+
+Envoy Gateway supports the following circuit breaker thresholds:
+- **Concurrent Connections**: limit the connections that Envoy can establish to the upstream service. When this threshold is met, new connections will not be established, and some requests will be queued until an existing connection becomes available.
+- **Concurrent Requests**: limit on concurrent requests in-flight from Envoy to the upstream service. When this threshold is met, requests will be queued.
+- **Pending Requests**: limit the pending request queue size. When this threshold is met, overflowing requests will be terminated with a `503` status code.
+
+Envoy's circuit breakers are distributed: counters are not synchronized across different Envoy processes. The default Envoy and Envoy Gateway circuit breaker threshold values (1024) may be too strict for high-throughput systems.
+
+Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired circuit breaker thresholds.
+This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource.
+
+**Note**: There are distinct circuit breaker counters for each `BackendReference` in an `xRoute` rule. Even if a `BackendTrafficPolicy` targets a `Gateway`, each `BackendReference` in that gateway still has separate circuit breaker counter.
+
+## Prerequisites
+
+### Install Envoy Gateway
+
+{{< boilerplate prerequisites >}}
+
+### Install the hey load testing tool
+
+* The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs.
+
+## Test and customize circuit breaker settings
+
+This example will simulate a degraded backend that responds within 10 seconds by adding the `?delay=10s` query parameter to API calls.
The hey tool will be used to generate 100 concurrent requests. + +```shell +hey -n 100 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/?delay=10s +``` + +```console +Summary: + Total: 10.3426 secs + Slowest: 10.3420 secs + Fastest: 10.0664 secs + Average: 10.2145 secs + Requests/sec: 9.6687 + + Total data: 36600 bytes + Size/request: 366 bytes + +Response time histogram: + 10.066 [1] |■■■■ + 10.094 [4] |■■■■■■■■■■■■■■■ + 10.122 [9] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.149 [10] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.177 [10] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.204 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.232 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.259 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.287 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.314 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 10.342 [11] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ +``` + +The default circuit breaker threshold (1024) is not met. As a result, requests do not overflow: all requests are proxied upstream and both Envoy and clients wait for 10s. + +In order to fail fast, apply a `BackendTrafficPolicy` that limits concurrent requests to 10 and pending requests to 0. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Execute the load simulation again. 
+ +```shell +hey -n 100 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/?delay=10s +``` + +```console +Summary: + Total: 10.1230 secs + Slowest: 10.1224 secs + Fastest: 0.0529 secs + Average: 1.0677 secs + Requests/sec: 9.8785 + + Total data: 10940 bytes + Size/request: 109 bytes + +Response time histogram: + 0.053 [1] | + 1.060 [89] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 2.067 [0] | + 3.074 [0] | + 4.081 [0] | + 5.088 [0] | + 6.095 [0] | + 7.102 [0] | + 8.109 [0] | + 9.115 [0] | + 10.122 [10] |■■■■ +``` + +With the new circuit breaker settings, and due to the slowness of the backend, only the first 10 concurrent requests were proxied, while the other 90 overflowed. +* Overflowing Requests failed fast, reducing proxy resource consumption. +* Upstream traffic was limited, alleviating the pressure on the degraded service. + +[Envoy Circuit Breakers]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[Hey project]: https://github.com/rakyll/hey diff --git a/site/content/en/v1.2/tasks/traffic/client-traffic-policy.md b/site/content/en/v1.2/tasks/traffic/client-traffic-policy.md new file mode 100644 index 00000000000..2099ea13685 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/client-traffic-policy.md 
@@ -0,0 +1,680 @@
+---
+title: "Client Traffic Policy"
+---
+
+This task explains the usage of the [ClientTrafficPolicy][] API.
+
+## Introduction
+
+The [ClientTrafficPolicy][] API allows system administrators to configure
+the behavior for how the Envoy Proxy server behaves with downstream clients.
+
+## Motivation
+
+This API was added as a new policy attachment resource that can be applied to Gateway resources and it is meant to hold settings for configuring behavior of the connection between the downstream client and Envoy Proxy listener. It is the counterpart to the [BackendTrafficPolicy][] API resource.
+
+## Quickstart
+
+### Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+### Support TCP keepalive for downstream client
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Verify that ClientTrafficPolicy is Accepted:
+
+```shell
+kubectl get clienttrafficpolicies.gateway.envoyproxy.io -n default
+```
+
+You should see the policy marked as accepted like this:
+
+```shell
+NAME STATUS AGE
+enable-tcp-keepalive-policy Accepted 5s
+```
+
+Curl the example app through Envoy proxy once again:
+
+```shell
+curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get --next --header "Host: www.example.com" http://$GATEWAY_HOST/get
+```
+
+You should see the output like this:
+
+```shell
+* Trying 172.18.255.202:80...
+* Connected to 172.18.255.202 (172.18.255.202) port 80 (#0)
+> GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.1.2
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Fri, 01 Dec 2023 10:17:04 GMT
+< content-length: 507
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/get",
+ "host": "www.example.com",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/8.1.2"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-Internal": [
+ "true"
+ ],
+ "X-Forwarded-For": [
+ "172.18.0.2"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "4d0d33e8-d611-41f0-9da0-6458eec20fa5"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-58d58f745-2zwvn"
+* Connection #0 to host 172.18.255.202 left intact
+}* Found bundle for host: 0x7fb9f5204ea0 [serially]
+* Can not multiplex, even if we wanted to
+* Re-using existing connection #0 with host 172.18.255.202
+> GET /headers HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.1.2
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Fri, 01 Dec 2023 10:17:04 GMT
+< content-length: 511
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/headers",
+ "host": "www.example.com",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/8.1.2"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-Internal": [
+ "true"
+ ],
+ "X-Forwarded-For": [
+ "172.18.0.2"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "9a8874c0-c117-481c-9b04-933571732ca5"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-58d58f745-2zwvn"
+* Connection #0 to host 172.18.255.202 left intact
+}
+```
+
+You can see keepalive connection marked by the
output in:
+
+```shell
+* Connection #0 to host 172.18.255.202 left intact
+* Re-using existing connection #0 with host 172.18.255.202
+```
+
+### Enable Proxy Protocol for downstream client
+
+This example configures Proxy Protocol for downstream clients.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Verify that ClientTrafficPolicy is Accepted:
+
+```shell
+kubectl get clienttrafficpolicies.gateway.envoyproxy.io -n default
+```
+
+You should see the policy marked as accepted like this:
+
+```shell
+NAME STATUS AGE
+enable-proxy-protocol-policy Accepted 5s
+```
+
+Try the endpoint without using PROXY protocol with curl:
+
+```shell
+curl -v --header "Host: www.example.com" http://$GATEWAY_HOST/get
+```
+
+```shell
+* Trying 172.18.255.202:80...
+* Connected to 172.18.255.202 (172.18.255.202) port 80 (#0)
+> GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.1.2
+> Accept: */*
+>
+* Recv failure: Connection reset by peer
+* Closing connection 0
+curl: (56) Recv failure: Connection reset by peer
+```
+
+Curl the example app through Envoy proxy once again, now sending HAProxy PROXY protocol header at the beginning of the connection with --haproxy-protocol flag:
+
+```shell
+curl --verbose --haproxy-protocol --header "Host: www.example.com" http://$GATEWAY_HOST/get
+```
+
+You should now expect 200 response status and also see that source IP was preserved in the X-Forwarded-For header.
+
+```shell
+* Trying 172.18.255.202:80...
+* Connected to 172.18.255.202 (172.18.255.202) port 80 (#0)
+> GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.1.2
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Mon, 04 Dec 2023 21:11:43 GMT
+< content-length: 510
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/get",
+ "host": "www.example.com",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/8.1.2"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-Internal": [
+ "true"
+ ],
+ "X-Forwarded-For": [
+ "192.168.255.6"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "290e4b61-44b7-4e5c-a39c-0ec76784e897"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-58d58f745-2zwvn"
+* Connection #0 to host 172.18.255.202 left intact
+}
+```
+
+### Configure Client IP Detection
+
+This example configures the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address and determines whether or not `x-forwarded-proto` headers will be trusted. Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for for details.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Verify that ClientTrafficPolicy is Accepted:
+
+```shell
+kubectl get clienttrafficpolicies.gateway.envoyproxy.io -n default
+```
+
+You should see the policy marked as accepted like this:
+
+```shell
+NAME STATUS AGE
+http-client-ip-detection Accepted 5s
+```
+
+Open port-forward to the admin interface port:
+
+```shell
+kubectl port-forward deploy/${ENVOY_DEPLOYMENT} -n envoy-gateway-system 19000:19000
+```
+
+Curl the admin interface port to fetch the configured value for `xff_num_trusted_hops`:
+
+```shell
+curl -s 'http://localhost:19000/config_dump?resource=dynamic_listeners' \
+ | jq -r '.configs[0].active_state.listener.default_filter_chain.filters[0].typed_config
+ | with_entries(select(.key | match("xff|remote_address|original_ip")))'
+```
+
+You should expect to see the following:
+
+```json
+{
+ "use_remote_address": true,
+ "xff_num_trusted_hops": 2
+}
+```
+
+Curl the example app through Envoy proxy:
+
+```shell
+curl -v http://$GATEWAY_HOST/get \
+ -H "Host: www.example.com" \
+ -H "X-Forwarded-Proto: https" \
+ -H "X-Forwarded-For: 1.1.1.1,2.2.2.2"
+```
+
+You should expect 200 response status, see that `X-Forwarded-Proto` was preserved and `X-Envoy-External-Address` was set to the leftmost address in the `X-Forwarded-For` header:
+
+```shell
+* Trying [::1]:8888...
+* Connected to localhost (::1) port 8888
+> GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+> X-Forwarded-Proto: https
+> X-Forwarded-For: 1.1.1.1,2.2.2.2
+>
+Handling connection for 8888
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Tue, 30 Jan 2024 15:19:22 GMT
+< content-length: 535
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/get",
+ "host": "www.example.com",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/8.4.0"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-External-Address": [
+ "1.1.1.1"
+ ],
+ "X-Forwarded-For": [
+ "1.1.1.1,2.2.2.2,10.244.0.9"
+ ],
+ "X-Forwarded-Proto": [
+ "https"
+ ],
+ "X-Request-Id": [
+ "53ccfad7-1899-40fa-9322-ddb833aa1ac3"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-58d58f745-8psnc"
+* Connection #0 to host localhost left intact
+}
+```
+
+### Enable HTTP Request Received Timeout
+
+This feature allows you to limit the time taken by the Envoy Proxy fleet to receive the entire request from the client, which is useful in preventing certain clients from consuming too much memory in Envoy
+This example configures the HTTP request timeout for the client, please check out the details [here](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#stream-timeouts).
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Curl the example app through Envoy proxy:
+
+```shell
+curl -v http://$GATEWAY_HOST/get \
+ -H "Host: www.example.com" \
+ -H "Content-Length: 10000"
+```
+
+You should expect `428` response status after 2s:
+
+```shell
+curl -v http://$GATEWAY_HOST/get \
+ -H "Host: www.example.com" \
+ -H "Content-Length: 10000"
+* Trying 172.18.255.200:80...
+* Connected to 172.18.255.200 (172.18.255.200) port 80
+> GET /get HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/8.4.0
+> Accept: */*
+> Content-Length: 10000
+>
+< HTTP/1.1 408 Request Timeout
+< content-length: 15
+< content-type: text/plain
+< date: Tue, 27 Feb 2024 07:38:27 GMT
+< connection: close
+<
+* Closing connection
+request timeout
+```
+
+### Configure Client HTTP Idle Timeout
+
+The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed.
+For more details see [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-idle-timeout:~:text=...%7D%0A%7D-,idle_timeout,-(Duration)%20The).
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Curl the example app through Envoy proxy:
+
+```shell
+openssl s_client -crlf -connect $GATEWAY_HOST:443
+```
+
+You should expect the connection to be closed after 5s.
+
+You can also check the number of connections closed due to idle timeout by using the following query:
+
+```shell
+envoy_http_downstream_cx_idle_timeout{envoy_http_conn_manager_prefix=""}
+```
+
+The number of connections closed due to idle timeout should be increased by 1.
+
+
+### Configure Downstream Per Connection Buffer Limit
+
+This feature allows you to set a soft limit on size of the listener’s new connection read and write buffers.
+The size is configured using the `resource.Quantity` format, see examples [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory).
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy
+[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy
diff --git a/site/content/en/v1.2/tasks/traffic/connection-limit.md b/site/content/en/v1.2/tasks/traffic/connection-limit.md
new file mode 100644
index 00000000000..9c0e9bbc1fc
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/connection-limit.md
@@ -0,0 +1,135 @@ +--- +title: "Connection Limit" +--- + +The connection limit features allows users to limit the number of concurrently active TCP connections on a [Gateway][] or a [Listener][]. +When the [connection limit][] is reached, new connections are closed immediately by Envoy proxy. It's possible to configure a delay for connection rejection. + +Users may want to limit the number of connections for several reasons: +* Protect resources like CPU and Memory. +* Ensure that different listeners can receive a fair share of global resources. +* Protect from malicious activity like DoS attacks. + +Envoy Gateway introduces a new CRD called [Client Traffic Policy][] that allows the user to describe their desired connection limit settings. +This instantiated resource can be linked to a [Gateway][]. + +The Envoy [connection limit][] implementation is distributed: counters are not synchronized between different envoy proxies. + +When a [Client Traffic Policy][] is attached to a gateway, the connection limit will apply differently based on the +[Listener][] protocol in use: +- HTTP: all HTTP listeners in a [Gateway][] will share a common connection counter, and a limit defined by the policy. +- HTTPS/TLS: each HTTPS/TLS listener will have a dedicated connection counter, and a limit defined by the policy. + + +## Prerequisites + +### Install Envoy Gateway + +{{< boilerplate prerequisites >}} + +### Install the hey load testing tool + +* The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. + +## Test and customize connection limit settings + +This example we use `hey` to open 10 connections and execute 1 RPS per connection for 10 seconds. + +```shell +hey -c 10 -q 1 -z 10s -host "www.example.com" http://${GATEWAY_HOST}/get +``` + +```console +Summary: + Total: 10.0058 secs + Slowest: 0.0275 secs + Fastest: 0.0029 secs + Average: 0.0111 secs + Requests/sec: 9.9942 + +[...] 
+ +Status code distribution: + [200] 100 responses +``` + +There are no connection limits, and so all 100 requests succeed. + +Next, we apply a limit of 5 connections. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Execute the load simulation again. + +```shell +hey -c 10 -q 1 -z 10s -host "www.example.com" http://${GATEWAY_HOST}/get +``` + +```console +Summary: + Total: 11.0327 secs + Slowest: 0.0361 secs + Fastest: 0.0013 secs + Average: 0.0088 secs + Requests/sec: 9.0640 + +[...] + +Status code distribution: + [200] 50 responses + +Error distribution: + [50] Get "http://localhost:8888/get": EOF +``` + +With the new connection limit, only 5 of 10 connections are established, and so only 50 requests succeed. + + +[Client Traffic Policy]: ../../../api/extension_types#clienttrafficpolicy +[Hey project]: https://github.com/rakyll/hey +[connection limit]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/connection_limit_filter +[listener]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Listener +[gateway]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.Gateway diff --git a/site/content/en/v1.2/tasks/traffic/direct-response.md b/site/content/en/v1.2/tasks/traffic/direct-response.md new file mode 100644 index 00000000000..4b9aaa5551e --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/direct-response.md 
@@ -0,0 +1,284 @@ +--- +title: "Direct Response" +--- + +Direct responses are valuable in cases where you want the gateway itself +to handle certain requests without forwarding them to backend services. +This task shows you how to configure them. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Direct Response + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 04 Mar 2024 02:34:21 GMT +content-length: 480 +``` + +Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /inline HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 503 Service Unavailable +< content-type: text/plain +< content-length: 32 +< date: Sat, 02 Nov 2024 00:35:48 GMT +< +* Connection #0 to host 127.0.0.1 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/value-ref +``` + +```console +* Trying 127.0.0.1:80... 
+* Connected to 127.0.0.1 (127.0.0.1) port 80 +> GET /value-ref HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Sat, 02 Nov 2024 00:35:55 GMT +< +* Connection #0 to host 127.0.0.1 left intact +{"error": "Internal Server Error"} +``` diff --git a/site/content/en/v1.2/tasks/traffic/fault-injection.md b/site/content/en/v1.2/tasks/traffic/fault-injection.md new file mode 100644 index 00000000000..82068c4cf55 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/fault-injection.md 
@@ -0,0 +1,382 @@ +--- +title: "Fault Injection" +--- + +[Envoy fault injection] can be used to inject delays and abort requests to mimic failure scenarios such as service failures and overloads. + +Envoy Gateway supports the following fault scenarios: +- **delay fault**: inject a custom fixed delay into the request with a certain probability to simulate delay failures. +- **abort fault**: inject a custom response code into the response with a certain probability to simulate abort failures. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired fault scenarios. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example. + +### Install the hey load testing tool + +* The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. + +## Configuration + +Allow requests with a valid faultInjection by creating an [BackendTrafficPolicy][BackendTrafficPolicy] and attaching it to the example HTTPRoute or GRPCRoute. + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +Two HTTPRoute resources were created, one for `/foo` and another for `/bar`. `fault-injection-abort` BackendTrafficPolicy has been created and targeted HTTPRoute foo to abort requests for `/foo`. `fault-injection-delay` BackendTrafficPolicy has been created and targeted HTTPRoute foo to delay `2s` requests for `/bar`. 
+ +Verify the HTTPRoute configuration and status: + +```shell +kubectl get httproute/foo -o yaml +kubectl get httproute/bar -o yaml +``` + +Verify the BackendTrafficPolicy configuration: + +```shell +kubectl get backendtrafficpolicy/fault-injection-50-percent-abort -o yaml +kubectl get backendtrafficpolicy/fault-injection-delay -o yaml +``` + +### GRPCRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +A BackendTrafficPolicy has been created and targeted GRPCRoute yages to abort requests for `yages` service.. + +Verify the GRPCRoute configuration and status: + +```shell +kubectl get grpcroute/yages -o yaml +``` + +Verify the SecurityPolicy configuration: + +```shell +kubectl get backendtrafficpolicy/fault-injection-abort -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the +Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +### HTTPRoute + +Verify that requests to `foo` route are aborted. + +```shell +hey -n 1000 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/foo +``` + +```console +Status code distribution: + [200] 501 responses + [501] 499 responses +``` + +Verify that requests to `bar` route are delayed. + +```shell +hey -n 1000 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/bar +``` + +```console +Summary: + Total: 20.1493 secs + Slowest: 2.1020 secs + Fastest: 1.9940 secs + Average: 2.0123 secs + Requests/sec: 49.6295 + + Total data: 557000 bytes + Size/request: 557 bytes + +Response time histogram: + 1.994 [1] | + 2.005 [475] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 2.016 [419] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 2.026 [5] | + 2.037 [0] | + 2.048 [0] | + 2.059 [30] |■■■ + 2.070 [0] | + 2.080 [0] | + 2.091 [11] |■ + 2.102 [59] |■■■■■ +``` + +### GRPCRoute + +Verify that requests to `yages`service are aborted. 
+ +```shell +grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping +``` + +You should see the below response + +```shell +Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = failed to query for service descriptor "yages.Echo": fault filter abort +``` + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. + +Delete the BackendTrafficPolicy: + +```shell +kubectl delete BackendTrafficPolicy/fault-injection-abort +``` + +[Envoy fault injection]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/fault_filter.html +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[Hey project]: https://github.com/rakyll/hey diff --git a/site/content/en/v1.2/tasks/traffic/gateway-address.md b/site/content/en/v1.2/tasks/traffic/gateway-address.md new file mode 100644 index 00000000000..f49d7f99e01 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/gateway-address.md 
@@ -0,0 +1,68 @@ +--- +title: "Gateway Address" +--- + +The Gateway API provides an optional [Addresses][] field through which Envoy Gateway can set addresses for Envoy Proxy Service. +Depending on the Service Type, the addresses of gateway can be used as: + +- [External IPs](#external-ips) +- [Cluster IP](#cluster-ip) + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## External IPs + +Using the addresses in `Gateway.Spec.Addresses` as the [External IPs][] of Envoy Proxy Service, +this will __require__ the address to be of type `IPAddress` and the [ServiceType][] to be of `LoadBalancer` or `NodePort`. + +The Envoy Gateway deploys Envoy Proxy Service as `LoadBalancer` by default, +so you can set the address of the Gateway directly (the address settings here are for reference only): + +```shell +kubectl patch gateway eg --type=json --patch ' +- op: add + path: /spec/addresses + value: + - type: IPAddress + value: 1.2.3.4 +' +``` + +Verify the Gateway status: + +```shell +kubectl get gateway +``` + +```console +NAME CLASS ADDRESS PROGRAMMED AGE +eg eg 1.2.3.4 True 14m +``` + +Verify the Envoy Proxy Service status: + +```shell +kubectl get service -n envoy-gateway-system +``` + +```console +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +envoy-default-eg-64656661 LoadBalancer 10.96.236.219 1.2.3.4 80:31017/TCP 15m +envoy-gateway ClusterIP 10.96.192.76 18000/TCP 15m +envoy-gateway-metrics-service ClusterIP 10.96.124.73 8443/TCP 15m +``` + +__Note:__ If the `Gateway.Spec.Addresses` is explicitly set, it will be the only addresses that populates the Gateway status. + +## Cluster IP + +Using the addresses in `Gateway.Spec.Addresses` as the [Cluster IP][] of Envoy Proxy Service, +this will __require__ the address to be of type `IPAddress` and the [ServiceType][] to be of `ClusterIP`. 
+ + +[Addresses]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayAddress +[External IPs]: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips +[Cluster IP]: https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip +[ServiceType]: ../../../api/extension_types#servicetype diff --git a/site/content/en/v1.2/tasks/traffic/gatewayapi-support.md b/site/content/en/v1.2/tasks/traffic/gatewayapi-support.md new file mode 100644 index 00000000000..779cce6fb12 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/gatewayapi-support.md 
@@ -0,0 +1,120 @@ +--- +title: "Gateway API Support" +--- + +As mentioned in the [system design][] document, Envoy Gateway's managed data plane is configured dynamically through +Kubernetes resources, primarily [Gateway API][] objects. Envoy Gateway supports configuration using the following Gateway API resources. + +## GatewayClass + +A [GatewayClass][] represents a "class" of gateways, i.e. which Gateways should be managed by Envoy Gateway. +Envoy Gateway supports managing __a single__ GatewayClass resource that matches its configured `controllerName` and +follows Gateway API guidelines for [resolving conflicts][] when multiple GatewayClasses exist with a matching +`controllerName`. + +__Note:__ If specifying GatewayClass [parameters reference][], it must refer to an [EnvoyProxy][] resource. + +## Gateway + +When a [Gateway][] resource is created that references the managed GatewayClass, Envoy Gateway will create and manage a +new Envoy Proxy deployment. Gateway API resources that reference this Gateway will configure this managed Envoy Proxy +deployment. + +## HTTPRoute + +A [HTTPRoute][] configures routing of HTTP traffic through one or more Gateways. The following HTTPRoute filters are +supported by Envoy Gateway: + +- `requestHeaderModifier`: [RequestHeaderModifiers][http-filter] + can be used to modify or add request headers before the request is proxied to its destination. +- `responseHeaderModifier`: [ResponseHeaderModifiers][http-filter] + can be used to modify or add response headers before the response is sent back to the client. +- `requestMirror`: [RequestMirrors][http-filter] + configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. +- `requestRedirect`: [RequestRedirects][http-filter] + configure policied for how requests that match the HTTPRoute should be modified and then redirected. 
+- `urlRewrite`: [UrlRewrites][http-filter] + allow for modification of the request's hostname and path before it is proxied to its destination. +- `extensionRef`: [ExtensionRefs][] are used by Envoy Gateway to implement extended filters. Currently, Envoy Gateway + supports rate limiting and request authentication filters. For more information about these filters, refer to the + [rate limiting][] and [request authentication][] documentation. + +__Notes:__ +- The only [BackendRef][] kind supported by Envoy Gateway is a [Service][]. Routing traffic to other destinations such + as arbitrary URLs is not possible. +- Only `requestHeaderModifier` and `responseHeaderModifier` filters are currently supported within [HTTPBackendRef][]. + +## TCPRoute + +A [TCPRoute][] configures routing of raw TCP traffic through one or more Gateways. Traffic can be forwarded to the +desired BackendRefs based on a TCP port number. + +__Note:__ A TCPRoute only supports proxying in non-transparent mode, i.e. the backend will see the source IP and port of +the Envoy Proxy instance instead of the client. + +## UDPRoute + +A [UDPRoute][] configures routing of raw UDP traffic through one or more Gateways. Traffic can be forwarded to the +desired BackendRefs based on a UDP port number. + +__Note:__ Similar to TCPRoutes, UDPRoutes only support proxying in non-transparent mode i.e. the backend will see the +source IP and port of the Envoy Proxy instance instead of the client. + +## GRPCRoute + +A [GRPCRoute][] configures routing of [gRPC][] requests through one or more Gateways. They offer request matching by +hostname, gRPC service, gRPC method, or HTTP/2 Header. Envoy Gateway supports the following filters on GRPCRoutes to +provide additional traffic processing: + +- `requestHeaderModifier`: [RequestHeaderModifiers][grpc-filter] + can be used to modify or add request headers before the request is proxied to its destination. 
+- `responseHeaderModifier`: [ResponseHeaderModifiers][grpc-filter] + can be used to modify or add response headers before the response is sent back to the client. +- `requestMirror`: [RequestMirrors][grpc-filter] + configure destinations where the requests should also be mirrored to. Responses to mirrored requests will be ignored. + +__Notes:__ +- The only [BackendRef][grpc-filter] kind supported by Envoy Gateway is a [Service][]. Routing traffic to other + destinations such as arbitrary URLs is not currently possible. +- Only `requestHeaderModifier` and `responseHeaderModifier` filters are currently supported within [GRPCBackendRef][]. + +## TLSRoute + +A [TLSRoute][] configures routing of TCP traffic through one or more Gateways. However, unlike TCPRoutes, TLSRoutes +can match against TLS-specific metadata. + +## ReferenceGrant + +A [ReferenceGrant][] is used to allow a resource to reference another resource in a different namespace. Normally an +HTTPRoute created in namespace `foo` is not allowed to reference a Service in namespace `bar`. A ReferenceGrant permits +these types of cross-namespace references. Envoy Gateway supports the following ReferenceGrant use-cases: + +- Allowing an HTTPRoute, GRPCRoute, TLSRoute, UDPRoute, or TCPRoute to reference a Service in a different namespace. +- Allowing an HTTPRoute's `requestMirror` filter to include a BackendRef that references a Service in a different + namespace. +- Allowing a Gateway's [SecretObjectReference][] to reference a secret in a different namespace. 
+ +[system design]: ../../../contributions/design/system-design +[Gateway API]: https://gateway-api.sigs.k8s.io/ +[GatewayClass]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GatewayClass +[parameters reference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ParametersReference +[Gateway]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute +[Service]: https://kubernetes.io/docs/concepts/services-networking/service/ +[BackendRef]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef +[HTTPBackendRef]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPBackendRef +[TCPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute +[UDPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute +[GRPCRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute +[GRPCBackendRef]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.GRPCBackendRef +[gRPC]: https://grpc.io/ +[TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute +[ReferenceGrant]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant +[SecretObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference +[rate limiting]: ../../../contributions/design/rate-limit +[request authentication]: ../security/jwt-authentication +[EnvoyProxy]: ../../../api/extension_types#envoyproxy +[resolving conflicts]: https://gateway-api.sigs.k8s.io/concepts/guidelines/?h=conflict#conflicts +[ExtensionRefs]: 
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilterType +[grpc-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRouteFilter +[http-filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilter diff --git a/site/content/en/v1.2/tasks/traffic/global-rate-limit.md b/site/content/en/v1.2/tasks/traffic/global-rate-limit.md new file mode 100644 index 00000000000..47eac33bc3e --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/global-rate-limit.md 
@@ -0,0 +1,1339 @@ +--- +title: "Global Rate Limit" +--- + +Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + +Here are some reasons why you may want to implement Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +Envoy Gateway supports two types of rate limiting: [Global rate limiting][] and [Local rate limiting][]. + +[Global rate limiting][] applies a shared rate limit to the traffic flowing through all the instances of Envoy proxies where it is configured. +i.e. if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, this limit is shared and will be hit +if 5 requests pass through the first replica and 5 requests pass through the second replica within the same second. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their rate limit intent. This instantiated resource +can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. + +**Note:** Limit is applied per route. Even if a [BackendTrafficPolicy][] targets a gateway, each route in that gateway +still has a separate rate limit bucket. For example, if a gateway has 2 routes, and the limit is 100r/s, then each route +has its own 100r/s rate limit bucket. + +## Prerequisites + +### Install Envoy Gateway + +{{< boilerplate prerequisites >}} + +### Install Redis + +* The global rate limit feature is based on [Envoy Ratelimit][] which requires a Redis instance as its caching layer. +Lets install a Redis deployment in the `redis-system` namespce. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### Enable Global Rate limit in Envoy Gateway + +* The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it +using a `ConfigMap`. In the next step, we will update this resource to enable rate limit in Envoy Gateway +as well as configure the URL for the Redis instance used for Global rate limiting. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +## Rate Limit Specific User + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-ratelimit -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Let's query `ratelimit.example/get` 4 times. We should receive a `200` response from the example Gateway for the first 3 requests +and then receive a `429` status code for the 4th request since the limit is set at 3 requests/Hour for the request which contains the header `x-user-id` +and value `one`. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +You should be able to send requests with the `x-user-id` header and a different value and receive successful responses from the server. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: two" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:36 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:37 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:38 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:39 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + +## Rate Limit Distinct Users Except Admin + +Here is an example of a rate limit implemented by the application developer to limit distinct users who can be differentiated based on the +value in the `x-user-id` header. Here, user `one` (recognised from the traffic flow using the header `x-user-id` and value `one`) will be rate limited at 3 requests/hour +and so will user `two` (recognised from the traffic flow using the header `x-user-id` and value `two`). But if `x-user-id` is `admin`, it will not be rate limited even beyond 3 requests/hour. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Lets run the same command again with the header `x-user-id` and value `one` set in the request. We should the first 3 requests succeeding and +the 4th request being rate limited. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +You should see the same behavior when the value for header `x-user-id` is set to `two` and 4 requests are sent. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: two" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +But when the value for header `x-user-id` is set to `admin` and 4 requests are sent, all 4 of them should respond 
with 200 OK. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: admin" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + +## Rate Limit All Requests + +This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +## Rate Limit Client IP Addresses + +Here is an example of a rate limit implemented by the application developer to limit distinct users who can be differentiated based on their + IP address (also reflected in the `X-Forwarded-For` header). + +Note: EG supports two kinds of rate limit for the IP address: Exact and Distinct. +* Exact means that all IP addresses within the specified Source IP CIDR share the same rate limit bucket. +* Distinct means that each IP address within the specified Source IP CIDR has its own rate limit bucket. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Tue, 28 Mar 2023 08:28:45 GMT +content-length: 512 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Tue, 28 Mar 2023 08:28:46 GMT +content-length: 512 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Tue, 28 Mar 2023 08:28:48 GMT +content-length: 512 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Tue, 28 Mar 2023 08:28:48 GMT +server: envoy +transfer-encoding: chunked + +``` + +## Rate Limit Jwt Claims + +Here is an example of a rate limit implemented by the application developer to limit distinct users who can be differentiated based on the value of the Jwt claims carried. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Get the JWT used for testing request authentication: + +```shell +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode +``` + +```shell +TOKEN1=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN1" | cut -d '.' 
-f2 - | base64 --decode +``` + +### Rate limit by carrying `TOKEN` + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "Authorization: Bearer $TOKEN" http://${GATEWAY_HOST}/foo ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:00:25 GMT +content-length: 561 +x-envoy-upstream-service-time: 0 +server: envoy + + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:00:26 GMT +content-length: 561 +x-envoy-upstream-service-time: 0 +server: envoy + + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:00:27 GMT +content-length: 561 +x-envoy-upstream-service-time: 0 +server: envoy + + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Mon, 12 Jun 2023 12:00:28 GMT +server: envoy +transfer-encoding: chunked + +``` + +### No Rate Limit by carrying `TOKEN1` + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "Authorization: Bearer $TOKEN1" http://${GATEWAY_HOST}/foo ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:02:34 GMT +content-length: 556 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:02:35 GMT +content-length: 556 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:02:36 GMT +content-length: 556 +x-envoy-upstream-service-time: 1 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Mon, 12 Jun 2023 12:02:37 GMT +content-length: 556 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + +### (Optional) Editing Kubernetes 
Resources settings for the Rate Limit Service + +* The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and provides the initial rate +limit kubernetes resources settings. such as `replicas` is 1, requests resources cpu is `100m`, memory is `512Mi`. the others +like container `image`, `securityContext`, `env` and pod `annotations` and `securityContext` can be modified by modifying the `ConfigMap`. + +* `tls.certificateRef` set the client certificate for redis server TLS connections. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +{{< boilerplate rollout-envoy-gateway >}} + +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy +[Envoy Ratelimit]: https://github.com/envoyproxy/ratelimit +[EnvoyGateway]: ../../api/extension_types#envoygateway +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/v1.2/tasks/traffic/grpc-routing.md b/site/content/en/v1.2/tasks/traffic/grpc-routing.md new file mode 100644 index 00000000000..15f10601bc2 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/grpc-routing.md 
@@ -0,0 +1,271 @@
+---
+title: "GRPC Routing"
+---
+
+The [GRPCRoute][] resource allows users to configure gRPC routing by matching HTTP/2 traffic and forwarding it to backend gRPC servers.
+To learn more about gRPC routing, refer to the [Gateway API documentation][].
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Installation
+
+Install the gRPC routing example resources:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/grpc-routing.yaml
+```
+
+The manifest installs a [GatewayClass][], [Gateway][], a Deployment, a Service, and a GRPCRoute resource.
+The GatewayClass is a cluster-scoped resource that represents a class of Gateways that can be instantiated.
+
+__Note:__ Envoy Gateway is configured by default to manage a GatewayClass with
+`controllerName: gateway.envoyproxy.io/gatewayclass-controller`.
+
+## Verification
+
+Check the status of the GatewayClass:
+
+```shell
+kubectl get gc --selector=example=grpc-routing
+```
+
+The status should reflect "Accepted=True", indicating Envoy Gateway is managing the GatewayClass.
+
+A Gateway represents configuration of infrastructure. When a Gateway is created, [Envoy proxy][] infrastructure is
+provisioned or configured by Envoy Gateway. The `gatewayClassName` defines the name of a GatewayClass used by this
+Gateway. Check the status of the Gateway:
+
+```shell
+kubectl get gateways --selector=example=grpc-routing
+```
+
+The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also
+provides the address of the Gateway. This address is used later to test connectivity to proxied backend services.
+
+Check the status of the GRPCRoute:
+
+```shell
+kubectl get grpcroutes --selector=example=grpc-routing -o yaml
+```
+
+The status for the GRPCRoute should surface "Accepted=True" and a `parentRef` that references the example Gateway.
+The `example-route` matches any traffic for "grpc-example.com" and forwards it to the "yages" Service.
+
+## Testing the Configuration
+
+Before testing GRPC routing to the `yages` backend, get the Gateway's address.
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/example-gateway -o jsonpath='{.status.addresses[0].value}')
+```
+
+Test GRPC routing to the `yages` backend using the [grpcurl][] command.
+
+```shell
+grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping
+```
+
+You should see the below response
+
+```shell
+{
+ "text": "pong"
+}
+```
+
+Envoy Gateway also supports [gRPC-Web][] requests for this configuration. The below `curl` command can be used to send a grpc-Web request with over HTTP/2. You should receive the same response seen in the previous command.
+
+The data in the body `AAAAAAA=` is a base64 encoded representation of an empty message (data length 0) that the Ping RPC accepts.
+
+```shell
+curl --http2-prior-knowledge -s ${GATEWAY_HOST}:80/yages.Echo/Ping -H 'Host: grpc-example.com' -H 'Content-Type: application/grpc-web-text' -H 'Accept: application/grpc-web-text' -XPOST -d'AAAAAAA=' | base64 -d
+```
+
+## GRPCRoute Match
+The `matches` field can be used to restrict the route to a specific set of requests based on GRPC's service and/or method names.
+It supports two match types: `Exact` and `RegularExpression`.
+
+### Exact
+
+`Exact` match is the default match type.
+
+The following example shows how to match a request based on the service and method names for `grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo`,
+as well as a match for all services with a method name `Ping` which matches `yages.Echo/Ping` in our deployment.
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the GRPCRoute status: + +```shell +kubectl get grpcroutes --selector=example=grpc-routing -o yaml +``` + +Test GRPC routing to the `yages` backend using the [grpcurl][] command. + +```shell +grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping +``` + +### RegularExpression + +The following example shows how to match a request based on the service and method names +with match type `RegularExpression`. It matches all the services and methods with pattern +`/.*.Echo/Pin.+`, which matches `yages.Echo/Ping` in our deployment. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the GRPCRoute status: + +```shell +kubectl get grpcroutes --selector=example=grpc-routing -o yaml +``` + +Test GRPC routing to the `yages` backend using the [grpcurl][] command. + +```shell +grpcurl -plaintext -authority=grpc-example.com ${GATEWAY_HOST}:80 yages.Echo/Ping +``` + +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[Gateway API documentation]: https://gateway-api.sigs.k8s.io/ +[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/ +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[Envoy proxy]: https://www.envoyproxy.io/ +[grpcurl]: https://github.com/fullstorydev/grpcurl +[gRPC-Web]: https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-WEB.md#protocol-differences-vs-grpc-over-http2 diff --git a/site/content/en/v1.2/tasks/traffic/http-redirect.md b/site/content/en/v1.2/tasks/traffic/http-redirect.md new file mode 100644 index 00000000000..49ccd59ee77 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/http-redirect.md 
@@ -0,0 +1,398 @@ +--- +title: "HTTP Redirects" +--- + +The [HTTPRoute][] resource can issue redirects to clients or rewrite paths sent upstream using filters. Note that +HTTPRoute rules cannot use both filter types at once. Currently, Envoy Gateway only supports __core__ +[HTTPRoute filters][] which consist of `RequestRedirect` and `RequestHeaderModifier` at the time of this writing. To +learn more about HTTP routing, refer to the [Gateway API documentation][]. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Redirects + +Redirects return HTTP 3XX responses to a client, instructing it to retrieve a different resource. A +[`RequestRedirect` filter][req_filter] instructs Gateways to emit a redirect response to requests that match the rule. +For example, to issue a permanent redirect (301) from HTTP to HTTPS, configure `requestRedirect.statusCode=301` and +`requestRedirect.scheme="https"`: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +__Note:__ `301` (default) and `302` are the only supported statusCodes. + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-to-https-filter-redirect -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Querying `redirect.example/get` should result in a `301` response from the example Gateway and redirecting to the +configured redirect hostname. + +```console +$ curl -L -vvv --header "Host: redirect.example" "http://${GATEWAY_HOST}/get" +... +< HTTP/1.1 301 Moved Permanently +< location: https://www.example.com/get +... +``` + +If you followed the steps in the [Secure Gateways](../security/secure-gateways) task, you should be able to curl the redirect +location. + +## HTTP --> HTTPS + +Listeners expose the TLS setting on a per domain or subdomain basis. 
TLS settings of a listener are applied to all domains that satisfy the hostname criteria. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/CN=example.com' -keyout CA.key -out CA.crt +openssl req -out example.com.csr -newkey rsa:2048 -nodes -keyout tls.key -subj "/CN=example.com" +``` + +Generate a self-signed wildcard certificate for `example.com` with `*.example.com` extension + +```shell +cat <}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Check for any TLS certificate issues on the gateway. + +```bash +kubectl -n default describe gateway eg +``` + +Create two HTTPRoutes and attach them to the HTTP and HTTPS listeners using the [sectionName][] field. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Curl the example app through http listener: + +```bash +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get +``` + +Curl the example app through https listener: + +```bash +curl -v -H 'Host:www.example.com' --resolve "www.example.com:443:$GATEWAY_HOST" \ +--cacert CA.crt https://www.example.com:443/get +``` + + +## Path Redirects + +Path redirects use an HTTP Path Modifier to replace either entire paths or path prefixes. For example, the HTTPRoute +below will issue a 302 redirect to all `path.redirect.example` requests whose path begins with `/get` to `/status/200`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-filter-path-redirect -o yaml +``` + +Querying `path.redirect.example` should result in a `302` response from the example Gateway and a redirect location +containing the configured redirect path. 
+
+Query the `path.redirect.example` host:
+
+```shell
+curl -vvv --header "Host: path.redirect.example" "http://${GATEWAY_HOST}/get"
+```
+
+You should receive a `302` with a redirect location of `http://path.redirect.example/status/200`.
+
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
+[HTTPRoute filters]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilter
+[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
+[req_filter]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRequestRedirectFilter
+[sectionName]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.CommonRouteSpec
diff --git a/site/content/en/v1.2/tasks/traffic/http-request-headers.md b/site/content/en/v1.2/tasks/traffic/http-request-headers.md
new file mode 100644
index 00000000000..5b73bfaf8d3
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http-request-headers.md
@@ -0,0 +1,620 @@ +--- +title: "HTTP Request Headers" +--- + +The [HTTPRoute][] resource can modify the headers of a request before forwarding it to the upstream service. HTTPRoute +rules cannot use both filter types at once. Currently, Envoy Gateway only supports __core__ [HTTPRoute filters][] which +consist of `RequestRedirect` and `RequestHeaderModifier` at the time of this writing. To learn more about HTTP routing, +refer to the [Gateway API documentation][]. + +A [`RequestHeaderModifier` filter][req_filter] instructs Gateways to modify the headers in requests that match the rule +before forwarding the request upstream. Note that the `RequestHeaderModifier` filter will only modify headers before the +request is sent from Envoy to the upstream service and will not affect response headers returned to the downstream +client. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Adding Request Headers + +The `RequestHeaderModifier` filter can add new headers to a request before it is sent to the upstream. If the request +does not have the header configured by the filter, then that header will be added to the request. If the request already +has the header configured by the filter, then the value of the header in the filter will be appended to the value of the +header in the request. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. 
+ +```shell +kubectl get httproute/http-headers -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the header `add-header` with the value: +`something,foo` + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "add-header: something" +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +... + "headers": { + "Accept": [ + "*/*" + ], + "Add-Header": [ + "something", + "foo" + ], +... +``` + +## Setting Request Headers + +Setting headers is similar to adding headers. If the request does not have the header configured by the filter, then it +will be added, but unlike [adding request headers](#adding-request-headers) which will append the value of the header if +the request already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the header `add-header` with the original value +`something` replaced by `foo`. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "set-header: something" +... 
+> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + "headers": { + "Accept": [ + "*/*" + ], + "Set-Header": [ + "foo" + ], +... +``` + +## Removing Request Headers + +Headers can be removed from a request by simply supplying a list of header names. + +Setting headers is similar to adding headers. If the request does not have the header configured by the filter, then it +will be added, but unlike [adding request headers](#adding-request-headers) which will append the value of the header if +the request already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the header `add-header`, but the header +`remove-header` that was sent by curl was removed before the upstream received the request. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "add-header: something" --header "remove-header: foo" +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "Add-Header": [ + "something" + ], +... 
+``` + +## Combining Filters + +Headers can be added/set/removed in a single filter on the same HTTPRoute and they will all perform as expected + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Early Header Modification + +In some cases, it could be necessary to modify headers before the proxy performs any sort of processing, routing or tracing. Envoy Gateway supports this functionality using the [ClientTrafficPolicy][] API. + +A ClientTrafficPolicy resource can be attached to a Gateway resource to configure early header modifications for all its routes. In the following example we will demonstrate how early header modification can be configured. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the upstream example app received the following headers: +- `early-added-header` contains early (ClientTrafficPolicy) and late (RouteFilter) values +- `early-set-header` contains only early (ClientTrafficPolicy) and late (RouteFilter) values, since the early modification overwritten the client value. +- `early-removed-header` contains only the late (RouteFilter) value, since the early modification deleted the client value. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" --header "early-added-header: client" --header "early-set-header: client" --header "early-removed-header: client" +... 
+> GET /get HTTP/1.1
+> Host: headers.example
+> User-Agent: curl/7.81.0
+> Accept: */*
+> add-header: something
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< content-length: 474
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "Early-Added-Header": [
+ "client",
+ "early",
+ "late"
+ ],
+ "Early-Set-Header": [
+ "early",
+ "late"
+ ],
+ "Early-removed-Header": [
+ "late"
+ ]
+...
+```
+
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
+[HTTPRoute filters]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteFilter
+[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
+[req_filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter
+[ClientTrafficPolicy]: ../../../api/extension_types#clienttrafficpolicy
diff --git a/site/content/en/v1.2/tasks/traffic/http-request-mirroring.md b/site/content/en/v1.2/tasks/traffic/http-request-mirroring.md
new file mode 100644
index 00000000000..5c1c8065652
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http-request-mirroring.md
@@ -0,0 +1,445 @@ +--- +title: "HTTPRoute Request Mirroring" +--- + +The [HTTPRoute][] resource allows one or more [backendRefs][] to be provided. Requests will be routed to these upstreams. It is possible to divide the traffic between these backends using [Traffic Splitting][], but it is also possible to mirror requests to another Service instead. Request mirroring is accomplished using Gateway API's [HTTPRequestMirrorFilter][] on the `HTTPRoute`. + +When requests are made to a `HTTPRoute` that uses a `HTTPRequestMirrorFilter`, the response will never come from the `backendRef` defined in the filter. Responses from the mirror `backendRef` are always ignored. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Mirroring the Traffic + +Next, create a new `Deployment` and `Service` to mirror requests to. The following example will use +a second instance of the application deployed in the quickstart. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} +Then create an `HTTPRoute` that uses a `HTTPRequestMirrorFilter` to send requests to the original +service from the quickstart, and mirror request to the service that was just deployed. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-mirror -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Querying `backends.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate which pod handled the request. There is only one pod in the deployment for the example app +from the quickstart, so it will be the same on all subsequent requests. + +```console +$ curl -v --header "Host: backends.example" "http://${GATEWAY_HOST}/get" +... 
+> GET /get HTTP/1.1 +> Host: backends.example +> User-Agent: curl/7.81.0 +> Accept: */* +> add-header: something +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< +... + + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-79665566f5-s589f" +... +``` + +Check the logs of the pods and you will see that the original deployment and the new deployment each got a request: + +```shell +$ kubectl logs deploy/backend && kubectl logs deploy/backend-2 +... +Starting server, listening on port 3000 (http) +Echoing back request made to /get to client (10.42.0.10:41566) +Starting server, listening on port 3000 (http) +Echoing back request made to /get to client (10.42.0.10:45096) +``` + +## Multiple BackendRefs + +When an `HTTPRoute` has multiple `backendRefs` and an `HTTPRequestMirrorFilter`, traffic splitting will still behave the same as it normally would for the main `backendRefs` while the `backendRef` of the `HTTPRequestMirrorFilter` will continue receiving mirrored copies of the incoming requests. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Multiple HTTPRequestMirrorFilters + +Multiple `HTTPRequestMirrorFilters` are not supported on the same `HTTPRoute` `rule`. When attempting to do so, the admission webhook will reject the configuration. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```console +Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule +``` + +[Traffic Splitting]: ../http-traffic-splitting/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef +[HTTPRequestMirrorFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRequestMirrorFilter diff --git a/site/content/en/v1.2/tasks/traffic/http-response-headers.md b/site/content/en/v1.2/tasks/traffic/http-response-headers.md new file mode 100644 index 00000000000..b1588e87a89 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/http-response-headers.md 
@@ -0,0 +1,445 @@ +--- +title: "HTTP Response Headers" +--- + +The [HTTPRoute][] resource can modify the headers of a response before responding it to the downstream service. To learn +more about HTTP routing, refer to the [Gateway API documentation][]. + +A [`ResponseHeaderModifier` filter][req_filter] instructs Gateways to modify the headers in responses that match the +rule before responding to the downstream. Note that the `ResponseHeaderModifier` filter will only modify headers before +the response is returned from Envoy to the downstream client and will not affect request headers forwarding to the +upstream service. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Adding Response Headers + +The `ResponseHeaderModifier` filter can add new headers to a response before it is sent to the upstream. If the response +does not have the header configured by the filter, then that header will be added to the response. If the response +already has the header configured by the filter, then the value of the header in the filter will be appended to the +value of the header in the response. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-headers -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the downstream client received the header `add-header` with the value: `foo` + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" -H 'X-Echo-Set-Header: X-Foo: value1' +... 
+> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: X-Foo: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< x-foo: value1 +< add-header: foo +< +... + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "X-Foo: value1" + ] +... +``` + +## Setting Response Headers + +Setting headers is similar to adding headers. If the response does not have the header configured by the filter, then it +will be added, but unlike [adding response headers](#adding-response-headers) which will append the value of the header +if the response already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the downstream client received the header `set-header` with the original value `value1` +replaced by `foo`. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" -H 'X-Echo-Set-Header: set-header: value1' +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: set-header: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< set-header: foo +< + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "set-header": value1" + ] +... +``` + +## Removing Response Headers + +Headers can be removed from a response by simply supplying a list of header names. + +Setting headers is similar to adding headers. 
If the response does not have the header configured by the filter, then it +will be added, but unlike [adding response headers](#adding-response-headers) which will append the value of the header +if the response already contains it, setting a header will cause the value to be replaced by the value configured in the +filter. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Querying `headers.example/get` should result in a `200` response from the example Gateway and the output from the +example app should indicate that the header `remove-header` that was sent by curl was removed before the upstream +received the response. + +```console +$ curl -vvv --header "Host: headers.example" "http://${GATEWAY_HOST}/get" -H 'X-Echo-Set-Header: remove-header: value1' +... +> GET /get HTTP/1.1 +> Host: headers.example +> User-Agent: curl/7.81.0 +> Accept: */* +> X-Echo-Set-Header: remove-header: value1 +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< content-length: 474 +< x-envoy-upstream-service-time: 0 +< server: envoy +< + + "headers": { + "Accept": [ + "*/*" + ], + "X-Echo-Set-Header": [ + "remove-header": value1" + ] +... +``` + +## Combining Filters + +Headers can be added/set/removed in a single filter on the same HTTPRoute and they will all perform as expected + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[Gateway API documentation]: https://gateway-api.sigs.k8s.io/ +[req_filter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter diff --git a/site/content/en/v1.2/tasks/traffic/http-routing.md b/site/content/en/v1.2/tasks/traffic/http-routing.md new file mode 100644 index 00000000000..bb9eba88157 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/http-routing.md 
@@ -0,0 +1,301 @@
+---
+title: "HTTP Routing"
+---
+
+The [HTTPRoute][] resource allows users to configure HTTP routing by matching HTTP traffic and forwarding it to
+Kubernetes backends. Currently, the only supported backend supported by Envoy Gateway is a Service resource. This task
+shows how to route traffic based on host, header, and path fields and forward the traffic to different Kubernetes
+Services. To learn more about HTTP routing, refer to the [Gateway API documentation][].
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Installation
+
+Install the HTTP routing example resources:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/http-routing.yaml
+```
+
+The manifest installs a [GatewayClass][], [Gateway][], four Deployments, four Services, and three HTTPRoute resources.
+The GatewayClass is a cluster-scoped resource that represents a class of Gateways that can be instantiated.
+
+__Note:__ Envoy Gateway is configured by default to manage a GatewayClass with
+`controllerName: gateway.envoyproxy.io/gatewayclass-controller`.
+
+## Verification
+
+Check the status of the GatewayClass:
+
+```shell
+kubectl get gc --selector=example=http-routing
+```
+
+The status should reflect "Accepted=True", indicating Envoy Gateway is managing the GatewayClass.
+
+A Gateway represents configuration of infrastructure. When a Gateway is created, [Envoy proxy][] infrastructure is
+provisioned or configured by Envoy Gateway. The `gatewayClassName` defines the name of a GatewayClass used by this
+Gateway. Check the status of the Gateway:
+
+```shell
+kubectl get gateways --selector=example=http-routing
+```
+
+The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also
+provides the address of the Gateway. This address is used later to test connectivity to proxied backend
+services.
+
+The three HTTPRoute resources create routing rules on the Gateway. In order to receive traffic from a Gateway,
+an HTTPRoute must be configured with `parentRefs` which reference the parent Gateway(s) that it should be attached to.
+An HTTPRoute can match against a [single set of hostnames][spec]. These hostnames are matched before any other matching
+within the HTTPRoute takes place. Since `example.com`, `foo.example.com`, and `bar.example.com` are separate hosts with
+different routing requirements, each is deployed as its own HTTPRoute - `example-route, ``foo-route`, and `bar-route`.
+
+Check the status of the HTTPRoutes:
+
+```shell
+kubectl get httproutes --selector=example=http-routing -o yaml
+```
+
+The status for each HTTPRoute should surface "Accepted=True" and a `parentRef` that references the example Gateway.
+The `example-route` matches any traffic for "example.com" and forwards it to the "example-svc" Service.
+
+## Testing the Configuration
+
+Before testing HTTP routing to the `example-svc` backend, get the Gateway's address.
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/example-gateway -o jsonpath='{.status.addresses[0].value}')
+```
+
+Test HTTP routing to the `example-svc` backend.
+
+```shell
+curl -vvv --header "Host: example.com" "http://${GATEWAY_HOST}/"
+```
+
+A `200` status code should be returned and the body should include `"pod": "example-backend-*"` indicating the traffic
+was routed to the example backend service. If you change the hostname to a hostname not represented in any of the
+HTTPRoutes, e.g. "www.example.com", the HTTP traffic will not be routed and a `404` should be returned.
+
+The `foo-route` matches any traffic for `foo.example.com` and applies its routing rules to forward the traffic to the
+"foo-svc" Service. Since there is only one path prefix match for `/login`, only `foo.example.com/login/*` traffic will
+be forwarded. Test HTTP routing to the `foo-svc` backend.
+ +```shell +curl -vvv --header "Host: foo.example.com" "http://${GATEWAY_HOST}/login" +``` + +A `200` status code should be returned and the body should include `"pod": "foo-backend-*"` indicating the traffic +was routed to the foo backend service. Traffic to any other paths that do not begin with `/login` will not be matched by +this HTTPRoute. Test this by removing `/login` from the request. + +```shell +curl -vvv --header "Host: foo.example.com" "http://${GATEWAY_HOST}/" +``` + +The HTTP traffic will not be routed and a `404` should be returned. + +Similarly, the `bar-route` HTTPRoute matches traffic for `bar.example.com`. All traffic for this hostname will be +evaluated against the routing rules. The most specific match will take precedence which means that any traffic with the +`env:canary` header will be forwarded to `bar-svc-canary` and if the header is missing or not `canary` then it'll be +forwarded to `bar-svc`. Test HTTP routing to the `bar-svc` backend. + +```shell +curl -vvv --header "Host: bar.example.com" "http://${GATEWAY_HOST}/" +``` + +A `200` status code should be returned and the body should include `"pod": "bar-backend-*"` indicating the traffic +was routed to the foo backend service. + +Test HTTP routing to the `bar-canary-svc` backend by adding the `env: canary` header to the request. + +```shell +curl -vvv --header "Host: bar.example.com" --header "env: canary" "http://${GATEWAY_HOST}/" +``` + +A `200` status code should be returned and the body should include `"pod": "bar-canary-backend-*"` indicating the +traffic was routed to the foo backend service. + +### JWT Claims Based Routing + +Users can route to a specific backend by matching on JWT claims. +This can be achieved, by defining a SecurityPolicy with a jwt configuration that does the following +* Converts jwt claims to headers, which can be used for header based routing +* Sets the recomputeRoute field to `true`. 
This is required so that the incoming request matches on a fallback/catch all route where the JWT can be authenticated, the claims from the JWT can be converted to headers, and then the route match can be recomputed to match based on the updated headers. + +For this feature to work please make sure +* you have a fallback route rule defined, the backend for this route rule can be invalid. +* The SecurityPolicy is applied to both the fallback route as well as the route with the claim header matches, to avoid spoofing. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Get the JWT used for testing request authentication: + +```shell +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/test.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode +``` + +Test routing to the `foo-svc` backend by specifying a JWT Token with a claim `name: John Doe`. + +```shell +curl -sS -H "Host: foo.example.com" -H "Authorization: Bearer $TOKEN" "http://${GATEWAY_HOST}/login" | jq .pod +"foo-backend-6df8cc6b9f-fmwcg" +``` + +Get another JWT used for testing request authentication: + +```shell +TOKEN=$(curl https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/with-different-claim.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode +``` + +Test HTTP routing to the `bar-svc` backend by specifying a JWT Token with a claim `name: Tom`. 
+
+```shell
+curl -sS -H "Host: bar.example.com" -H "Authorization: Bearer $TOKEN" "http://${GATEWAY_HOST}/" | jq .pod
+"bar-backend-6688b8944c-s8htr"
+```
+
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
+[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
+[GatewayClass]: https://gateway-api.sigs.k8s.io/api-types/gatewayclass/
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
+[Envoy proxy]: https://www.envoyproxy.io/
+[spec]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
diff --git a/site/content/en/v1.2/tasks/traffic/http-timeouts.md b/site/content/en/v1.2/tasks/traffic/http-timeouts.md
new file mode 100644
index 00000000000..4fb264204ed
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http-timeouts.md
@@ -0,0 +1,198 @@
+---
+title: "HTTP Timeouts"
+---
+
+The default request timeout is set to 15 seconds in Envoy Proxy.
+The [HTTPRouteTimeouts][] resource allows users to configure request timeouts for an [HTTPRouteRule][].
+This task shows you how to configure timeouts.
+
+The [HTTPRouteTimeouts][] supports two kinds of timeouts:
+- **request**: Request specifies the maximum duration for a gateway to respond to an HTTP request.
+- **backendRequest**: BackendRequest specifies a timeout for an individual request from the gateway to a backend.
+
+__Note:__ The Request duration must be >= BackendRequest duration
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Verification
+
+backend has the ability to delay responses; we use it as the backend to control response time.
+
+### request timeout
+We configure the backend to delay responses by 3 seconds, then we set the request timeout to 4 seconds. Envoy Gateway will successfully respond to the request.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+```shell
+curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I
+```
+
+```console
+HTTP/1.1 200 OK
+content-type: application/json
+x-content-type-options: nosniff
+date: Mon, 04 Mar 2024 02:34:21 GMT
+content-length: 480
+```
+
+Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+```shell
+curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -v
+```
+
+```console
+* Trying 127.0.0.1:80...
+* Connected to 127.0.0.1 (127.0.0.1) port 80
+> GET /?delay=3s HTTP/1.1
+> Host: timeout.example.com
+> User-Agent: curl/8.6.0
+> Accept: */*
+>
+
+
+< HTTP/1.1 504 Gateway Timeout
+< content-length: 24
+< content-type: text/plain
+< date: Mon, 04 Mar 2024 02:35:03 GMT
+<
+* Connection #0 to host 127.0.0.1 left intact
+upstream request timeout
+```
+
+[HTTPRouteTimeouts]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteTimeouts
+[HTTPRouteRule]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule
diff --git a/site/content/en/v1.2/tasks/traffic/http-traffic-splitting.md b/site/content/en/v1.2/tasks/traffic/http-traffic-splitting.md
new file mode 100644
index 00000000000..2f3dbdf6e9c
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http-traffic-splitting.md
@@ -0,0 +1,526 @@
+---
+title: "HTTPRoute Traffic Splitting"
+---
+
+The [HTTPRoute][] resource allows one or more [backendRefs][] to be provided. Requests will be routed to these upstreams
+if they match the rules of the HTTPRoute. If an invalid backendRef is configured, then HTTP responses will be returned
+with status code `500` for all requests that would have been sent to that backend.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Single backendRef
+
+When a single backendRef is configured in a HTTPRoute, it will receive 100% of the traffic.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-headers -o yaml
+```
+
+Get the Gateway's address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Querying `backends.example/get` should result in a `200` response from the example Gateway and the output from the
+example app should indicate which pod handled the request. There is only one pod in the deployment for the example app
+from the quickstart, so it will be the same on all subsequent requests.
+
+```console
+$ curl -vvv --header "Host: backends.example" "http://${GATEWAY_HOST}/get"
+...
+> GET /get HTTP/1.1
+> Host: backends.example
+> User-Agent: curl/7.81.0
+> Accept: */*
+> add-header: something
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< content-length: 474
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+...
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-79665566f5-s589f"
+...
+```
+
+## Multiple backendRefs
+
+If multiple backendRefs are configured, then traffic will be split between the backendRefs equally unless a weight is
+configured.
+
+First, create a second instance of the example app from the quickstart:
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Then create an HTTPRoute that uses both the app from the quickstart and the second instance that was just created
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Querying `backends.example/get` should result in `200` responses from the example Gateway and the output from the
+example app that indicates which pod handled the request should switch between the first pod and the second one from the
+new deployment on subsequent requests.
+
+```console
+$ curl -vvv --header "Host: backends.example" "http://${GATEWAY_HOST}/get"
+...
+> GET /get HTTP/1.1
+> Host: backends.example
+> User-Agent: curl/7.81.0
+> Accept: */*
+> add-header: something
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< content-length: 474
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+...
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-75bcd4c969-lsxpz"
+...
+```
+
+## Weighted backendRefs
+
+If multiple backendRefs are configured and an un-even traffic split between the backends is desired, then the `weight`
+field can be used to control the weight of requests to each backend. If weight is not configured for a backendRef it is
+assumed to be `1`.
+
+The [weight field in a backendRef][backendRefs] controls the distribution of the traffic split. The proportion of
+requests to a single backendRef is calculated by dividing its `weight` by the sum of all backendRef weights in the
+HTTPRoute. The weight is not a percentage and the sum of all weights does not need to add up to 100.
+
+The HTTPRoute below will configure the gateway to send 80% of the traffic to the backend service, and 20% to the
+backend-2 service.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+## Invalid backendRefs
+
+backendRefs can be considered invalid for the following reasons:
+
+- The `group` field is configured to something other than `""`. Currently, only the core API group (specified by
+ omitting the group field or setting it to an empty string) is supported
+- The `kind` field is configured to anything other than `Service`. Envoy Gateway currently only supports Kubernetes
+ Service backendRefs
+- The backendRef configures a service with a `namespace` not permitted by any existing ReferenceGrants
+- The `port` field is not configured or is configured to a port that does not exist on the Service
+- The named Service configured by the backendRef cannot be found
+
+Modifying the above example to make the backend-2 backendRef invalid by using a port that does not exist on the Service
+will result in 80% of the traffic being sent to the backend service, and 20% of the traffic receiving an HTTP response
+with status code `500`.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Querying `backends.example/get` should result in `200` responses 80% of the time, and `500` responses 20% of the time.
+
+```console
+$ curl -vvv --header "Host: backends.example" "http://${GATEWAY_HOST}/get"
+> GET /get HTTP/1.1
+> Host: backends.example
+> User-Agent: curl/7.81.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 500 Internal Server Error
+< server: envoy
+< content-length: 0
+<
+```
+
+[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
+[backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef
diff --git a/site/content/en/v1.2/tasks/traffic/http-urlrewrite.md b/site/content/en/v1.2/tasks/traffic/http-urlrewrite.md
new file mode 100644
index 00000000000..3515bd9caa4
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http-urlrewrite.md
@@ -0,0 +1,699 @@
+---
+title: "HTTP URL Rewrite"
+---
+
+[HTTPURLRewriteFilter][] defines a filter that modifies a request during forwarding. At most one of these filters may be
+used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequestRedirect filter.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Rewrite URL Prefix Path
+
+You can configure to rewrite the prefix in the url like below. In this example, any curls to
+`http://${GATEWAY_HOST}/get/xxx` will be rewritten to `http://${GATEWAY_HOST}/replace/xxx`.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-filter-url-rewrite -o yaml
+```
+
+Get the Gateway's address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Querying `http://${GATEWAY_HOST}/get/origin/path` should rewrite to
+`http://${GATEWAY_HOST}/replace/origin/path`.
+
+```console
+$ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get/origin/path"
+...
+> GET /get/origin/path HTTP/1.1
+> Host: path.rewrite.example
+> User-Agent: curl/7.85.0
+> Accept: */*
+>
+
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Wed, 21 Dec 2022 11:03:28 GMT
+< content-length: 503
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/replace/origin/path",
+ "host": "path.rewrite.example",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/7.85.0"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-Original-Path": [
+ "/get/origin/path"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "fd84b842-9937-4fb5-83c7-61470d854b90"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-6fdd4b9bd8-8vlc5"
+...
+```
+
+You can see that the `X-Envoy-Original-Path` is `/get/origin/path`, but the actual path is `/replace/origin/path`.
+
+## Rewrite URL Full Path
+
+You can configure to rewrite the fullpath in the url like below. In this example, any request sent to
+`http://${GATEWAY_HOST}/get/origin/path/xxxx` will be rewritten to
+`http://${GATEWAY_HOST}/force/replace/fullpath`.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-filter-url-rewrite -o yaml
+```
+
+Querying `http://${GATEWAY_HOST}/get/origin/path/extra` should rewrite the request to
+`http://${GATEWAY_HOST}/force/replace/fullpath`.
+
+```console
+$ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get/origin/path/extra"
+...
+> GET /get/origin/path/extra HTTP/1.1
+> Host: path.rewrite.example
+> User-Agent: curl/7.85.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Wed, 21 Dec 2022 11:09:31 GMT
+< content-length: 512
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/force/replace/fullpath",
+ "host": "path.rewrite.example",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/7.85.0"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Envoy-Original-Path": [
+ "/get/origin/path/extra"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "8ab774d6-9ffa-4faa-abbb-f45b0db00895"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-6fdd4b9bd8-8vlc5"
+...
+```
+
+You can see that the `X-Envoy-Original-Path` is `/get/origin/path/extra`, but the actual path is
+`/force/replace/fullpath`.
+
+## Rewrite URL Path with Regex
+
+In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API.
+The `HTTPRouteFilter` API can be configured to use [RE2][]-compatible regex matchers and substitutions to rewrite a portion of the url.
+In the example below, requests sent to `http://${GATEWAY_HOST}/service/xxx/yyy` (where `xxx` is a single path portion and `yyy` is one or more path portions)
+are rewritten to `http://${GATEWAY_HOST}/yyy/instance/xxx`. The entire path is matched and rewritten using capture groups.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-filter-url-regex-rewrite -o yaml
+```
+
+Querying `http://${GATEWAY_HOST}/service/foo/v1/api` should rewrite the request to
+`http://${GATEWAY_HOST}/service/foo/v1/api`.
+
+```console
+$ curl -L -vvv --header "Host: path.regex.rewrite.example" "http://${GATEWAY_HOST}/service/foo/v1/api"
+...
+> GET /service/foo/v1/api HTTP/1.1
+> Host: path.regex.rewrite.example
+> User-Agent: curl/8.7.1
+> Accept: */*
+>
+* Request completely sent off
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Mon, 16 Sep 2024 18:49:48 GMT
+< content-length: 482
+<
+{
+ "path": "/v1/api/instance/foo",
+ "host": "path.regex.rewrite.example",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/8.7.1"
+ ],
+ "X-Envoy-Internal": [
+ "true"
+ ],
+ "X-Forwarded-For": [
+ "10.244.0.37"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "24a5958f-1bfa-4694-a9c1-807d5139a18a"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-765694d47f-lzmpm"
+...
+```
+
+You can see that the path is rewritten from `/service/foo/v1/api`, to `/v1/api/instance/foo`.
+
+## Rewrite Host Name
+
+You can configure to rewrite the hostname like below. In this example, any requests sent to
+`http://${GATEWAY_HOST}/get` with `--header "Host: path.rewrite.example"` will rewrite host into `envoygateway.io`.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-filter-url-rewrite -o yaml
+```
+
+Querying `http://${GATEWAY_HOST}/get` with `--header "Host: path.rewrite.example"` will rewrite host into
+`envoygateway.io`.
+
+```console
+$ curl -L -vvv --header "Host: path.rewrite.example" "http://${GATEWAY_HOST}/get"
+...
+> GET /get HTTP/1.1
+> Host: path.rewrite.example
+> User-Agent: curl/7.85.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< x-content-type-options: nosniff
+< date: Wed, 21 Dec 2022 11:15:15 GMT
+< content-length: 481
+< x-envoy-upstream-service-time: 0
+< server: envoy
+<
+{
+ "path": "/get",
+ "host": "envoygateway.io",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/7.85.0"
+ ],
+ "X-Envoy-Expected-Rq-Timeout-Ms": [
+ "15000"
+ ],
+ "X-Forwarded-Host": [
+ "path.rewrite.example"
+ ],
+ "X-Forwarded-Proto": [
+ "http"
+ ],
+ "X-Request-Id": [
+ "39aa447c-97b9-45a3-a675-9fb266ab1af0"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-6fdd4b9bd8-8vlc5"
+...
+```
+
+You can see that the `X-Forwarded-Host` is `path.rewrite.example`, but the actual host is `envoygateway.io`.
+
+## Rewrite URL Host Name by Header or Backend
+
+In addition to core Gateway-API rewrite options, Envoy Gateway supports extended rewrite options through the [HTTPRouteFilter][] API.
+The `HTTPRouteFilter` API can be configured to rewrite the Host header value to:
+- The value of a different request header
+- The DNS name of the backend that the request is routed to
+
+In the following example, the host header is rewritten to the value of the x-custom-host header.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway.
+
+```shell
+kubectl get httproute/http-filter-header-host-rewrite -o yaml
+```
+
+Querying `http://${GATEWAY_HOST}/header` and providing a custom host rewrite header x-custom-host should rewrite the
+request host header to the value of the x-custom-host header.
+
+```console
+$ curl -L -vvv --header "Host: host.header.rewrite.example" --header "x-custom-host: foo" "http://${GATEWAY_HOST}/header"
+...
+> GET /header HTTP/1.1
+> Host: host.header.rewrite.example
+> User-Agent: curl/8.7.1
+> Accept: */*
+> x-custom-host: foo
+>
+* Request completely sent off
+< HTTP/1.1 200 OK
+<
+{
+ "path": "/header",
+ "host": "foo",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "X-Custom-Host": [
+ "foo"
+ ],
+ "X-Forwarded-Host": [
+ "host.header.rewrite.example"
+ ],
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "",
+ "pod": "backend-765694d47f-5t6f2"
+...
+```
+
+You can see that the host is rewritten from `host.header.rewrite.example`, to the value of the provided
+`x-custom-host` header `foo`. The original host header is preserved in the `X-Forwarded-Host` header.
+
+
+[HTTPURLRewriteFilter]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPURLRewriteFilter
+[HTTPRouteFilter]: ../../../api/extension_types#httproutefilter
+[RE2]: https://github.com/google/re2/wiki/Syntax
\ No newline at end of file
diff --git a/site/content/en/v1.2/tasks/traffic/http3.md b/site/content/en/v1.2/tasks/traffic/http3.md
new file mode 100644
index 00000000000..a0fb1594295
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/http3.md
@@ -0,0 +1,133 @@ +--- +title: "HTTP3" +--- + +This task will help you get started using HTTP3 using EG. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## TLS Certificates + +Generate the certificates and keys used by the Gateway to terminate client TLS connections. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt +``` + +Create a certificate and a private key for `www.example.com`: + +```shell +openssl req -out www.example.com.csr -newkey rsa:2048 -nodes -keyout www.example.com.key -subj "/CN=www.example.com/O=example organization" +openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in www.example.com.csr -out www.example.com.crt +``` + +Store the cert/key in a Secret: + +```shell +kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt +``` + +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the +`example-cert` Secret: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: add + path: /spec/listeners/- + value: + name: https + protocol: HTTPS + port: 443 + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: example-cert + ' +``` + +Apply the following ClientTrafficPolicy to enable HTTP3 + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +## Testing + +{{< tabpane text=true >}} +{{% tab header="With External LoadBalancer Support" %}} + +Get the External IP of the Gateway: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o 
jsonpath='{.status.addresses[0].value}') +``` + +Query the example app through the Gateway: + +The below example uses a custom docker image with custom `curl` binary with built-in http3. + +```shell +docker run --net=host --rm ghcr.io/macbre/curl-http3 curl -kv --http3 -HHost:www.example.com --resolve "www.example.com:443:${GATEWAY_HOST}" https://www.example.com/get +``` + +{{% /tab %}} +{{% tab header="Without LoadBalancer Support" %}} + +It is not possible at the moment to port-forward UDP protocol in kubernetes service +check out https://github.com/kubernetes/kubernetes/issues/47862. +Hence we need external loadbalancer to test this feature out. + +{{% /tab %}} +{{< /tabpane >}} diff --git a/site/content/en/v1.2/tasks/traffic/load-balancing.md b/site/content/en/v1.2/tasks/traffic/load-balancing.md new file mode 100644 index 00000000000..3c9a78450b5 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/load-balancing.md 
@@ -0,0 +1,923 @@ +--- +title: "Load Balancing" +--- + +[Envoy load balancing][] is a way of distributing traffic between multiple hosts within a single upstream cluster +in order to effectively make use of available resources. + +Envoy Gateway supports the following load balancing policies: + +- **Round Robin**: a simple policy in which each available upstream host is selected in round robin order. +- **Random**: load balancer selects a random available host. +- **Least Request**: load balancer uses different algorithms depending on whether hosts have the same or different weights. +- **Consistent Hash**: load balancer implements consistent hashing to upstream hosts. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their desired load balancing polices. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. If `loadBalancer` is not specified in [BackendTrafficPolicy][], the default load balancing policy is `Least Request`. + +## Prerequisites + +### Install Envoy Gateway + +{{< boilerplate prerequisites >}} + +For better testing the load balancer, you can add more hosts in upstream cluster by increasing the replicas of one deployment: + +```shell +kubectl patch deployment backend -n default -p '{"spec": {"replicas": 4}}' +``` + +### Install the hey load testing tool + +Install the `Hey` CLI tool, this tool will be used to generate load and measure response times. + +Follow the installation instruction from the [Hey project] docs. + +## Round Robin + +This example will create a Load Balancer with Round Robin policy via [BackendTrafficPolicy][]. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The `hey` tool will be used to generate 100 concurrent requests. 
+ +```shell +hey -n 100 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/round +``` + +```console +Summary: + Total: 0.0487 secs + Slowest: 0.0440 secs + Fastest: 0.0181 secs + Average: 0.0307 secs + Requests/sec: 2053.1676 + + Total data: 50500 bytes + Size/request: 505 bytes + +Response time histogram: + 0.018 [1] |■■ + 0.021 [2] |■■■■ + 0.023 [10] |■■■■■■■■■■■■■■■■■■■■■■ + 0.026 [16] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.028 [7] |■■■■■■■■■■■■■■■■ + 0.031 [10] |■■■■■■■■■■■■■■■■■■■■■■ + 0.034 [17] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.036 [18] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.039 [11] |■■■■■■■■■■■■■■■■■■■■■■■■ + 0.041 [6] |■■■■■■■■■■■■■ + 0.044 [2] |■■■■ +``` + +As a result, you can see all available upstream hosts receive traffics evenly. + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-2gfp7: received 26 requests +backend-69fcff487f-69g8c: received 25 requests +backend-69fcff487f-bqwpr: received 24 requests +backend-69fcff487f-kbn8l: received 25 requests +``` + +You should note that this results may vary, the output here is for reference purpose only. + +## Random + +This example will create a Load Balancer with Random policy via [BackendTrafficPolicy][]. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The `hey` tool will be used to generate 1000 concurrent requests. 
+ +```shell +hey -n 1000 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/random +``` + +```console +Summary: + Total: 0.2624 secs + Slowest: 0.0851 secs + Fastest: 0.0007 secs + Average: 0.0179 secs + Requests/sec: 3811.3020 + + Total data: 506000 bytes + Size/request: 506 bytes + +Response time histogram: + 0.001 [1] | + 0.009 [421] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.018 [219] |■■■■■■■■■■■■■■■■■■■■■ + 0.026 [118] |■■■■■■■■■■■ + 0.034 [64] |■■■■■■ + 0.043 [73] |■■■■■■■ + 0.051 [41] |■■■■ + 0.060 [22] |■■ + 0.068 [19] |■■ + 0.077 [13] |■ + 0.085 [9] |■ +``` + +As a result, you can see all available upstream hosts receive traffics randomly. + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-bf6lm: received 246 requests +backend-69fcff487f-gwmqk: received 256 requests +backend-69fcff487f-mzngr: received 230 requests +backend-69fcff487f-xghqq: received 268 requests +``` + +You should note that this results may vary, the output here is for reference purpose only. + +## Least Request + +This example will create a Load Balancer with Least Request policy via [BackendTrafficPolicy][]. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The `hey` tool will be used to generate 100 concurrent requests. 
+ +```shell +hey -n 100 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/least +``` + +```console +Summary: + Total: 0.0489 secs + Slowest: 0.0479 secs + Fastest: 0.0054 secs + Average: 0.0297 secs + Requests/sec: 2045.9317 + + Total data: 50500 bytes + Size/request: 505 bytes + +Response time histogram: + 0.005 [1] |■■ + 0.010 [1] |■■ + 0.014 [8] |■■■■■■■■■■■■■■■ + 0.018 [6] |■■■■■■■■■■■ + 0.022 [11] |■■■■■■■■■■■■■■■■■■■■ + 0.027 [7] |■■■■■■■■■■■■■ + 0.031 [15] |■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.035 [13] |■■■■■■■■■■■■■■■■■■■■■■■■ + 0.039 [22] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.044 [12] |■■■■■■■■■■■■■■■■■■■■■■ + 0.048 [4] |■■■■■■■ +``` + +As a result, you can see all available upstream hosts receive traffics randomly, +and host `backend-69fcff487f-6l2pw` receives fewer requests than others. + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-59hvs: received 24 requests +backend-69fcff487f-6l2pw: received 19 requests +backend-69fcff487f-ktsx4: received 30 requests +backend-69fcff487f-nqxc7: received 27 requests +``` + +If you send one more requests to the `${GATEWAY_HOST}/least`, you can tell that host `backend-69fcff487f-6l2pw` is very likely +to get the attention of load balancer and receive this request. + +```console +backend-69fcff487f-59hvs: received 24 requests +backend-69fcff487f-6l2pw: received 20 requests +backend-69fcff487f-ktsx4: received 30 requests +backend-69fcff487f-nqxc7: received 27 requests +``` + +You should note that this results may vary, the output here is for reference purpose only. + +## Consistent Hash + +This example will create a Load Balancer with Consistent Hash policy via [BackendTrafficPolicy][]. 
+ +The underlying consistent hash algorithm that Envoy Gateway utilise is [Maglev][], and it can derive hash from following aspects: + +- **SourceIP** +- **Header** +- **Cookie** + +They are also the supported value as consistent hash type. + +### Source IP + +This example will create a Load Balancer with Source IP based Consistent Hash policy. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The `hey` tool will be used to generate 100 concurrent requests. + +```shell +hey -n 100 -c 100 -host "www.example.com" http://${GATEWAY_HOST}/source +``` + +```console +Summary: + Total: 0.0539 secs + Slowest: 0.0500 secs + Fastest: 0.0198 secs + Average: 0.0340 secs + Requests/sec: 1856.5666 + + Total data: 50600 bytes + Size/request: 506 bytes + +Response time histogram: + 0.020 [1] |■■ + 0.023 [5] |■■■■■■■■■■■ + 0.026 [12] |■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.029 [16] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.032 [11] |■■■■■■■■■■■■■■■■■■■■■■■■ + 0.035 [7] |■■■■■■■■■■■■■■■■ + 0.038 [8] |■■■■■■■■■■■■■■■■■■ + 0.041 [18] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.044 [15] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.047 [4] |■■■■■■■■■ + 0.050 [3] |■■■■■■■ +``` + +As a result, you can see all traffics are routed to only one upstream host, since the client that send requests +has the same source IP. + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-grzkj: received 0 requests +backend-69fcff487f-n4d8w: received 100 requests +backend-69fcff487f-tb7zx: received 0 requests +backend-69fcff487f-wbzpg: received 0 requests +``` + +You can try different client to send out these requests, the upstream host that receives traffics may vary. + +### Header + +This example will create a Load Balancer with Header based Consistent Hash policy. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The `hey` tool will be used to generate 100 concurrent requests. + +```shell +hey -n 100 -c 100 -host "www.example.com" -H "FooBar: 1.2.3.4" http://${GATEWAY_HOST}/header +``` + +```console +Summary: + Total: 0.0579 secs + Slowest: 0.0510 secs + Fastest: 0.0323 secs + Average: 0.0431 secs + Requests/sec: 1728.6064 + + Total data: 53800 bytes + Size/request: 538 bytes + +Response time histogram: + 0.032 [1] |■■ + 0.034 [3] |■■■■■■ + 0.036 [1] |■■ + 0.038 [1] |■■ + 0.040 [7] |■■■■■■■■■■■■■■ + 0.042 [20] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.044 [20] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.045 [20] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.047 [16] |■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■ + 0.049 [9] |■■■■■■■■■■■■■■■■■■ + 0.051 [2] |■■■■ +``` + +As a result, you can see all traffics are routed to only one upstream host, since the header of all requests are the same. + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-dvt9r: received 0 requests +backend-69fcff487f-f8qdl: received 100 requests +backend-69fcff487f-gnpm4: received 0 requests +backend-69fcff487f-t2pgm: received 0 requests +``` + +You can try to add different header to these requests, and the upstream host that receives traffics may vary. +The following output happens when you use `hey` to send another 100 requests with header `FooBar: 5.6.7.8`. + +```console +backend-69fcff487f-dvt9r: received 0 requests +backend-69fcff487f-f8qdl: received 100 requests +backend-69fcff487f-gnpm4: received 100 requests +backend-69fcff487f-t2pgm: received 0 requests +``` + +### Cookie + +This example will create a Load Balancer with Cookie based Consistent Hash policy. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +By sending 10 request with `curl` to the `${GATEWAY_HOST}/cookie`, you can see that all requests got routed to only +one upstream host, since they have same cookie setting. + +```shell +for i in {1..10}; do curl -I --header "Host: www.example.com" --cookie "FooBar=1.2.3.4" http://${GATEWAY_HOST}/cookie ; sleep 1; done +``` + +```shell +kubectl get pods -l app=backend --no-headers -o custom-columns=":metadata.name" | while read -r pod; do echo "$pod: received $(($(kubectl logs $pod | wc -l) - 2)) requests"; done +``` + +```console +backend-69fcff487f-5dxz9: received 0 requests +backend-69fcff487f-gpvl2: received 0 requests +backend-69fcff487f-pglgv: received 10 requests +backend-69fcff487f-qxr74: received 0 requests +``` + +You can try to set different cookie to these requests, the upstream host that receives traffics may vary. +The following output happens when you use `curl` to send another 10 requests with cookie `FooBar: 5.6.7.8`. + +```console +backend-69fcff487f-dvt9r: received 0 requests +backend-69fcff487f-f8qdl: received 0 requests +backend-69fcff487f-gnpm4: received 10 requests +backend-69fcff487f-t2pgm: received 10 requests +``` + +If the cookie has not been set in one request, Envoy Gateway will auto-generate a cookie for this request +according to the `ttl` and `attributes` field. 
+ +In this example, the following cookie will be generated (see `set-cookie` header in response) if sending a request without cookie: + +```shell +curl -v --header "Host: www.example.com" http://${GATEWAY_HOST}/cookie +``` + +```console +> GET /cookie HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/7.74.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< content-type: application/json +< x-content-type-options: nosniff +< date: Fri, 19 Jul 2024 16:49:57 GMT +< content-length: 458 +< set-cookie: FooBar="88358b9442700c56"; Max-Age=60; SameSite=Strict; HttpOnly +< +{ + "path": "/cookie", + "host": "www.example.com", + "method": "GET", + "proto": "HTTP/1.1", + "headers": { + "Accept": [ + "*/*" + ], + "User-Agent": [ + "curl/7.74.0" + ], + "X-Envoy-Internal": [ + "true" + ], + "X-Forwarded-For": [ + "10.244.0.1" + ], + "X-Forwarded-Proto": [ + "http" + ], + "X-Request-Id": [ + "1adeaaf7-d45c-48c8-9a4d-eadbccb2fd50" + ] + }, + "namespace": "default", + "ingress": "", + "service": "", + "pod": "backend-69fcff487f-5dxz9" +``` + + +[Envoy load balancing]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/overview +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ +[Hey project]: https://github.com/rakyll/hey +[Maglev]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev diff --git a/site/content/en/v1.2/tasks/traffic/local-rate-limit.md b/site/content/en/v1.2/tasks/traffic/local-rate-limit.md new file mode 100644 index 00000000000..05caf07258c --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/local-rate-limit.md 
@@ -0,0 +1,628 @@ +--- +title: "Local Rate Limit" +--- + +Rate limit is a feature that allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow. + +Here are some reasons why you may want to implement Rate limits + +* To prevent malicious activity such as DDoS attacks. +* To prevent applications and its resources (such as a database) from getting overloaded. +* To create API limits based on user entitlements. + +Envoy Gateway supports two types of rate limiting: [Global rate limiting][] and [Local rate limiting][]. + +[Local rate limiting][] applies rate limits to the traffic flowing through a single instance of Envoy proxy. This means +that if the data plane has 2 replicas of Envoy running, and the rate limit is 10 requests/second, each replica will allow +10 requests/second. This is in contrast to [Global Rate Limiting][] which applies rate limits to the traffic flowing through +all instances of Envoy proxy. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy][] that allows the user to describe their rate limit intent. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] resource. + +**Note:** Limit is applied per route. Even if a [BackendTrafficPolicy][] targets a gateway, each route in that gateway +still has a separate rate limit bucket. For example, if a gateway has 2 routes, and the limit is 100r/s, then each route +has its own 100r/s rate limit bucket. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Rate Limit Specific User + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-ratelimit -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Let's query `ratelimit.example/get` 4 times. We should receive a `200` response from the example Gateway for the first 3 requests +and then receive a `429` status code for the 4th request since the limit is set at 3 requests/Hour for the request which contains the header `x-user-id` +and value `one`. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +You should be able to send requests with the `x-user-id` header and a different value and receive successful responses from the server. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: two" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:36 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:37 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:38 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:34:39 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + +## Rate Limit Specific User Unless within Test Org + +Here is an example of a rate limit implemented by the application developer to limit a specific user by matching on a custom `x-user-id` header +with a value set to `one`. But the user must not be limited if logging in within Test org, determined by custom header `x-org-id` set to `test`. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +The HTTPRoute status should indicate that it has been accepted and is bound to the example Gateway. + +```shell +kubectl get httproute/http-ratelimit -o yaml +``` + +Get the Gateway's address: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `org1`. 
We should receive a `200` response from the example Gateway for the first 3 requests and the last request should be rate limited. + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: org1" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +Let's query `ratelimit.example/get` 4 times with `x-user-id` set to `one` and `x-org-id` set to `test`. We should receive a `200` response from the example Gateway for all the 4 requests, unlike previous example where the last request was rate limited. 
+ +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" --header "x-user-id: one" --header "x-org-id: test" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +``` + +## Rate Limit All Requests + +This example shows you how to rate limit all requests matching the HTTPRoute rule at 3 requests/Hour by leaving the `clientSelectors` field unset. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### HTTPRoute + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +for i in {1..4}; do curl -I --header "Host: ratelimit.example" http://${GATEWAY_HOST}/get ; sleep 1; done +``` + +```console +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:31 GMT +content-length: 460 +x-envoy-upstream-service-time: 4 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:32 GMT +content-length: 460 +x-envoy-upstream-service-time: 2 +server: envoy + +HTTP/1.1 200 OK +content-type: application/json +x-content-type-options: nosniff +date: Wed, 08 Feb 2023 02:33:33 GMT +content-length: 460 +x-envoy-upstream-service-time: 0 +server: envoy + +HTTP/1.1 429 Too Many Requests +x-envoy-ratelimited: true +date: Wed, 08 Feb 2023 02:33:34 GMT +server: envoy +transfer-encoding: chunked + +``` + +**Note:** Local rate limiting does not support `distinct` matching. If you want to rate limit based on distinct values, +you should use [Global Rate Limiting][]. + +[Global Rate Limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/global_rate_limiting +[Local rate limiting]: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/local_rate_limiting +[BackendTrafficPolicy]: ../../../api/extension_types#backendtrafficpolicy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ diff --git a/site/content/en/v1.2/tasks/traffic/multicluster-service.md b/site/content/en/v1.2/tasks/traffic/multicluster-service.md new file mode 100644 index 00000000000..690fa354bf3 --- /dev/null 
+++ b/site/content/en/v1.2/tasks/traffic/multicluster-service.md 
@@ -0,0 +1,86 @@
+---
+title: "Multicluster Service Routing"
+---
+
+The Multicluster Service API ServiceImport object can be used as part of the GatewayAPI backendRef for configuring routes. For more information about multicluster service API follow [sig documentation](https://multicluster.sigs.k8s.io/concepts/multicluster-services-api/).
+
+We will use [Submariner project](https://github.com/submariner-io/submariner) for setting up the multicluster environment for exporting the service to be routed from peer clusters.
+
+## Setting KIND clusters and installing Submariner.
+
+- We will be using KIND clusters to demonstrate this example.
+
+```shell
+git clone https://github.com/submariner-io/submariner-operator
+cd submariner-operator
+make clusters
+```
+
+Note: remain in submariner-operator directory for the rest of the steps in this section
+
+- Install subctl:
+
+```shell
+curl -Ls https://get.submariner.io | VERSION=v0.14.6 bash
+```
+
+- Set up multicluster service API and submariner for cross cluster traffic using ServiceImport
+
+```shell
+subctl deploy-broker --kubeconfig output/kubeconfigs/kind-config-cluster1 --globalnet
+subctl join --kubeconfig output/kubeconfigs/kind-config-cluster1 broker-info.subm --clusterid cluster1 --natt=false
+subctl join --kubeconfig output/kubeconfigs/kind-config-cluster2 broker-info.subm --clusterid cluster2 --natt=false
+```
+
+Once the above steps are done and all the pods are up in both the clusters. We are ready for installing envoy gateway.
+
+## Install EnvoyGateway
+
+Install the Gateway API CRDs and Envoy Gateway in cluster1:
+
+```shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version {{< helm-version >}} -n envoy-gateway-system --create-namespace --kubeconfig output/kubeconfigs/kind-config-cluster1
+```
+
+Wait for Envoy Gateway to become available:
+
+```shell
+kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available --kubeconfig output/kubeconfigs/kind-config-cluster1
+```
+
+## Install Application
+
+Install the backend application in cluster2 and export it through subctl command.
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/application.yaml --kubeconfig output/kubeconfigs/kind-config-cluster2
+subctl export service backend --namespace default --kubeconfig output/kubeconfigs/kind-config-cluster2
+```
+
+## Create Gateway API Objects
+
+Create the Gateway API objects GatewayClass, Gateway and HTTPRoute in cluster1 to set up the routing.
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/multicluster-service.yaml --kubeconfig output/kubeconfigs/kind-config-cluster1
+```
+
+## Testing the Configuration
+
+Get the name of the Envoy service created the by the example Gateway:
+
+```shell
+export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system --selector=gateway.envoyproxy.io/owning-gateway-namespace=default,gateway.envoyproxy.io/owning-gateway-name=eg -o jsonpath='{.items[0].metadata.name}')
+```
+
+Port forward to the Envoy service:
+
+```shell
+kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8888:80 &
+```
+
+Curl the example app through Envoy proxy:
+
+```shell
+curl --verbose --header "Host: www.example.com" http://localhost:8888/get
+```
diff --git a/site/content/en/v1.2/tasks/traffic/retry.md b/site/content/en/v1.2/tasks/traffic/retry.md
new file mode 100644
index 00000000000..75d151bdff6
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/retry.md
@@ -0,0 +1,145 @@ +--- +title: Retry +--- + +A retry setting specifies the maximum number of times an Envoy proxy attempts to connect to a service if the initial call fails. Retries can enhance service availability and application performance by making sure that calls don’t fail permanently because of transient problems such as a temporarily overloaded service or network. The interval between retries prevents the called service from being overwhelmed with requests. + +Envoy Gateway supports the following retry settings: +- **NumRetries**: is the number of retries to be attempted. Defaults to 2. +- **RetryOn**: specifies the retry trigger condition. +- **PerRetryPolicy**: is the retry policy to be applied per retry attempt. + +Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/extension_types#backendtrafficpolicy) that allows the user to describe their desired retry settings. This instantiated resource can be linked to a [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/), [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) or [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resource. + +**Note**: There are distinct circuit breaker counters for each `BackendReference` in an `xRoute` rule. Even if a `BackendTrafficPolicy` targets a `Gateway`, each `BackendReference` in that gateway still has separate circuit breaker counter. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Test and customize retry settings + +Before applying a `BackendTrafficPolicy` with retry setting to a route, let's test the default retry settings. + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/status/500" +``` + +It will return `500` response immediately. + +```console +* Trying 172.18.255.200:80... 
+* Connected to 172.18.255.200 (172.18.255.200) port 80 +> GET /status/500 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< date: Fri, 01 Mar 2024 15:12:55 GMT +< content-length: 0 +< +* Connection #0 to host 172.18.255.200 left intact +``` + +Let's create a `BackendTrafficPolicy` with a retry setting. + +The request will be retried 5 times with a 100ms base interval and a 10s maximum interval. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Execute the test again. + +```shell +curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/status/500" +``` + +It will return `500` response after a few while. + +```console +* Trying 172.18.255.200:80... +* Connected to 172.18.255.200 (172.18.255.200) port 80 +> GET /status/500 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.4.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< date: Fri, 01 Mar 2024 15:15:53 GMT +< content-length: 0 +< +* Connection #0 to host 172.18.255.200 left intact +``` + +Let's check the stats to see the retry behavior. + +```shell +egctl x stats envoy-proxy -n envoy-gateway-system -l gateway.envoyproxy.io/owning-gateway-name=eg,gateway.envoyproxy.io/owning-gateway-namespace=default | grep "envoy_cluster_upstream_rq_retry{envoy_cluster_name=\"httproute/default/backend/rule/0\"}" +``` + +You will expect to see the stats. + +```console +envoy_cluster_upstream_rq_retry{envoy_cluster_name="httproute/default/backend/rule/0"} 5 +``` diff --git a/site/content/en/v1.2/tasks/traffic/routing-outside-kubernetes.md b/site/content/en/v1.2/tasks/traffic/routing-outside-kubernetes.md new file mode 100644 index 00000000000..7382b9cb78d --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/routing-outside-kubernetes.md 
@@ -0,0 +1,168 @@
+---
+title: "Routing outside Kubernetes"
+---
+
+Routing to endpoints outside the Kubernetes cluster where Envoy Gateway and its corresponding Envoy Proxy fleet is
+running is a common use case. This can be achieved by:
+- defining FQDN addresses in a [EndpointSlice][] (covered in this document)
+- defining a [Backend][] resource, as described in the [Backend Task][].
+
+## Installation
+
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
+Before proceeding, you should be able to query the example backend using HTTP.
+
+## Configuration
+
+Define a Service and EndpointSlice that represents https://httpbin.org
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Update the [Gateway][] to include a TLS Listener on port 443
+
+```shell
+kubectl patch gateway eg --type=json --patch '
+ - op: add
+ path: /spec/listeners/-
+ value:
+ name: tls
+ protocol: TLS
+ port: 443
+ tls:
+ mode: Passthrough
+ '
+```
+
+Add a [TLSRoute][] that can route incoming traffic to the above backend that we created
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Get the Gateway address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Send a request and view the response:
+
+```shell
+curl -I -HHost:httpbin.org --resolve "httpbin.org:443:${GATEWAY_HOST}" https://httpbin.org/
+```
+
+[EndpointSlice]: https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/
+[Backend]: ../../api/extension_types#backend
+[Backend Task]: ./backend.md
+[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
+[TLSRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute
diff --git a/site/content/en/v1.2/tasks/traffic/tcp-routing.md b/site/content/en/v1.2/tasks/traffic/tcp-routing.md
new file mode 100644
index 00000000000..0befbd0140d
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/tcp-routing.md
@@ -0,0 +1,482 @@
+---
+title: "TCP Routing"
+---
+
+[TCPRoute][] provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward
+connections on the port specified by the listener to a set of backends specified by the TCPRoute. To learn more about
+HTTP routing, refer to the [Gateway API documentation][].
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Configuration
+
+In this example, we have one Gateway resource and two TCPRoute resources that distribute the traffic with the following
+rules:
+
+All TCP streams on port `8088` of the Gateway are forwarded to port 3001 of `foo` Kubernetes Service.
+All TCP streams on port `8089` of the Gateway are forwarded to port 3002 of `bar` Kubernetes Service.
+In this example two TCP listeners will be applied to the Gateway in order to route them to two separate backend
+TCPRoutes, note that the protocol set for the listeners on the Gateway is TCP:
+
+Install the GatewayClass and a `tcp-gateway` Gateway first.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Install two services `foo` and `bar`, which are bound to `backend-1` and `backend-2`.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+Install two TCPRoutes `tcp-app-1` and `tcp-app-2` with different `sectionName`:
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+In the above example we separate the traffic for the two separate backend TCP Services by using the sectionName field in
+the parentRefs:
+
+``` yaml
+spec:
+ parentRefs:
+ - name: tcp-gateway
+ sectionName: foo
+```
+
+This corresponds directly with the name in the listeners in the Gateway:
+
+``` yaml
+ listeners:
+ - name: foo
+ protocol: TCP
+ port: 8088
+ - name: bar
+ protocol: TCP
+ port: 8089
+```
+
+In this way each TCPRoute "attaches" itself to a different port on the Gateway so that the `foo` service
+is taking traffic for port `8088` from outside the cluster and `bar` service takes the port `8089` traffic.
+
+Before testing, please get the tcp-gateway Gateway's address first:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/tcp-gateway -o jsonpath='{.status.addresses[0].value}')
+```
+
+You can try to use nc to test the TCP connections of envoy gateway with different ports, and you can see them succeeded:
+
+```shell
+nc -zv ${GATEWAY_HOST} 8088
+
+nc -zv ${GATEWAY_HOST} 8089
+```
+
+You can also try to send requests to envoy gateway and get responses as shown below:
+
+```shell
+curl -i "http://${GATEWAY_HOST}:8088"
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+X-Content-Type-Options: nosniff
+Date: Tue, 03 Jan 2023 10:18:36 GMT
+Content-Length: 267
+
+{
+ "path": "/",
+ "host": "xxx.xxx.xxx.xxx:8088",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/7.85.0"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "foo",
+ "pod": "backend-1-c6c5fb958-dl8vl"
+}
+```
+
+You can see that the traffic routing to `foo` service when sending request to `8088` port.
+
+```shell
+curl -i "http://${GATEWAY_HOST}:8089"
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+X-Content-Type-Options: nosniff
+Date: Tue, 03 Jan 2023 10:19:28 GMT
+Content-Length: 267
+
+{
+ "path": "/",
+ "host": "xxx.xxx.xxx.xxx:8089",
+ "method": "GET",
+ "proto": "HTTP/1.1",
+ "headers": {
+ "Accept": [
+ "*/*"
+ ],
+ "User-Agent": [
+ "curl/7.85.0"
+ ]
+ },
+ "namespace": "default",
+ "ingress": "",
+ "service": "bar",
+ "pod": "backend-2-98fcff498-hcmgb"
+}
+```
+
+You can see that the traffic routing to `bar` service when sending request to `8089` port.
+
+[TCPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute
+[Gateway API documentation]: https://gateway-api.sigs.k8s.io/
diff --git a/site/content/en/v1.2/tasks/traffic/udp-routing.md b/site/content/en/v1.2/tasks/traffic/udp-routing.md
new file mode 100644
index 00000000000..546b77f9159
--- /dev/null
+++ b/site/content/en/v1.2/tasks/traffic/udp-routing.md
@@ -0,0 +1,169 @@ +--- +title: "UDP Routing" +--- + +The [UDPRoute][] resource allows users to configure UDP routing by matching UDP traffic and forwarding it to Kubernetes +backends. This task will use CoreDNS example to walk you through the steps required to configure UDPRoute on Envoy +Gateway. + +__Note:__ UDPRoute allows Envoy Gateway to operate as a non-transparent proxy between a UDP client and server. The lack +of transparency means that the upstream server will see the source IP and port of the Gateway instead of the client. +For additional information, refer to Envoy's [UDP proxy documentation][]. + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Installation + +Install CoreDNS in the Kubernetes cluster as the example backend. The installed CoreDNS is listening on +UDP port 53 for DNS lookups. + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/udp-routing-example-backend.yaml +``` + +Wait for the CoreDNS deployment to become available: + +```shell +kubectl wait --timeout=5m deployment/coredns --for=condition=Available +``` + +Update the Gateway from the Quickstart to include a UDP listener that listens on UDP port `5300`: + +```shell +kubectl patch gateway eg --type=json --patch ' + - op: add + path: /spec/listeners/- + value: + name: coredns + protocol: UDP + port: 5300 + allowedRoutes: + kinds: + - kind: UDPRoute + ' +``` + +Verify the Gateway status: + +```shell +kubectl get gateway/eg -o yaml +``` + +## Configuration + +Create a UDPRoute resource to route UDP traffic received on Gateway port 5300 to the CoredDNS backend. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the UDPRoute status: + +```shell +kubectl get udproute/coredns -o yaml +``` + +## Testing + +Get the External IP of the Gateway: + +```shell +export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}') +``` + +Use `dig` command to query the dns entry foo.bar.com through the Gateway. + +```shell +dig @${GATEWAY_HOST} -p 5300 foo.bar.com +``` + +You should see the result of the dns query as the below output, which means that the dns query has been successfully +routed to the backend CoreDNS. + +Note: 49.51.177.138 is the resolved address of GATEWAY_HOST. + +```bash +; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @49.51.177.138 -p 5300 foo.bar.com +; (1 server found) +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58125 +;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 3 +;; WARNING: recursion requested but not available + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 1232 +; COOKIE: 24fb86eba96ebf62 (echoed) +;; QUESTION SECTION: +;foo.bar.com. IN A + +;; ADDITIONAL SECTION: +foo.bar.com. 0 IN A 10.244.0.19 +_udp.foo.bar.com. 0 IN SRV 0 0 42376 . + +;; Query time: 1 msec +;; SERVER: 49.51.177.138#5300(49.51.177.138) (UDP) +;; WHEN: Fri Jan 13 10:20:34 UTC 2023 +;; MSG SIZE rcvd: 114 +``` + +## Clean-Up + +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway. + +Delete the CoreDNS example manifest and the UDPRoute: + +```shell +kubectl delete deploy/coredns +kubectl delete service/coredns +kubectl delete cm/coredns +kubectl delete udproute/coredns +``` + +## Next Steps + +Checkout the [Developer Guide](../../../contributions/develop) to get involved in the project. 
+ +[UDPRoute]: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.UDPRoute +[UDP proxy documentation]: https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/udp_filters/udp_proxy diff --git a/site/hugo.toml b/site/hugo.toml index 90dddd05e26..6fabd7aa245 100644 --- a/site/hugo.toml +++ b/site/hugo.toml @@ -275,9 +275,13 @@ enable = true url = "/latest" [[params.versions]] - version = "v1.1" + version = "v1.2" url = "/docs" +[[params.versions]] + version = "v1.1" + url = "/v1.1" + [[params.versions]] version = "v1.0" url = "/v1.0" @@ -301,3 +305,4 @@ enable = true [[params.versions]] version = "v0.2" url = "/v0.2" + diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 0bdf6092027..9ee7d09e6ab 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -5,6 +5,9 @@ {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} {{- "v1.1.3" -}} {{- end -}} +{{- with (strings.HasPrefix $pagePrefix "v1.2") -}} +{{- "v1.2.0" -}} +{{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.3" -}} +{{- "v1.2.0" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index fd96ac1799e..36f702f75e0 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -5,6 +5,9 @@ {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} {{- "v1.1.3" -}} {{- end -}} +{{- with (strings.HasPrefix $pagePrefix "v1.2") -}} +{{- "v1.2.0" -}} +{{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.1.3" -}} +{{- "v1.2.0" -}} {{- end -}} From 0c7ecd9d08315bc3bc94930bf11cb0d0b47e4d55 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 06:28:25 -0800 Subject: [PATCH 364/523] docs: Active Passive Failover (#4637) Fixes: https://github.com/envoyproxy/gateway/issues/4501 
Signed-off-by: Arko Dasgupta --- .../en/latest/tasks/traffic/failover.md | 566 ++++++++++++++++++ 1 file changed, 566 insertions(+) create mode 100644 site/content/en/latest/tasks/traffic/failover.md diff --git a/site/content/en/latest/tasks/traffic/failover.md b/site/content/en/latest/tasks/traffic/failover.md new file mode 100644 index 00000000000..625d5e2afcd --- /dev/null +++ b/site/content/en/latest/tasks/traffic/failover.md 
@@ -0,0 +1,566 @@
+---
+title: Failover
+---
+
+Active-passive failover in an API gateway setup is like having a backup plan in place to keep things
+running smoothly if something goes wrong. Here’s why it’s valuable:
+
+* Staying Online: When the main (or "active") backend has issues or goes offline,
+the fallback (or "passive") backend is ready to step in instantly.
+This helps keep your API accessible and your services running, so users don’t even notice any interruptions.
+
+* Automatic Switch Over: If a problem occurs, the system can automatically switch traffic over to the fallback backend.
+This avoids needing someone to jump in and fix things manually, which could take time and might even lead to mistakes.
+
+* Lower Costs: In an active-passive setup, the fallback backend doesn’t need to work all the time—it’s just on standby.
+This can save on costs (like cloud egress costs) compared to setups where both backend are running at full capacity.
+
+* Peace of Mind with Redundancy: Although the fallback backend isn’t handling traffic daily, it's there as a safety net.
+If something happens with the primary backend, the backup can take over immediately, ensuring your service doesn’t skip a beat.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Test
+
+* We'll first create two services & deployments, called `active` and `passive`, representing an `active` and `passive` backend application.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+* Follow the instructions [here](./../../tasks/traffic/backend/#enable-backend) to enable the Backend API
+
+* Create two Backend resources that are used to represent the `active` backend and `passive` backend.
+Note, we've set `fallback: true` for the `passive` backend to indicate its a passive backend
+
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets create an HTTPRoute that can route to both these backends
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets configure a `BackendTrafficPolicy` with a passive health check setting to detect an transient errors.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+
+* Lets send 10 requests. You should see that they all go to the `active` backend.
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+```
+
+* Lets simulate a failure in the `active` backend by changing the server listening port to `5000`
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets send 10 requests again. You should see them all being sent to the `passive` backend
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+parse error: Invalid numeric literal at line 1, column 9
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+```
+
+The first error can be avoided by configuring [retries](./../../tasks/traffic/retry.md).
From 44408dd37a851e0994deb40862a50f4501f7991f Mon Sep 17 00:00:00 2001
From: Huabing Zhao Date: Wed, 6 Nov 2024 23:04:14 +0800 Subject: [PATCH 365/523] docs: add failover docs to v1.2.0 (#4646) add failover docs to v1.2.0 Signed-off-by: Huabing Zhao --- .../content/en/docs/tasks/traffic/failover.md | 566 ++++++++++++++++++ site/content/en/news/releases/notes/v1.2.0.md | 4 +- .../content/en/v1.2/tasks/traffic/failover.md | 566 ++++++++++++++++++ 3 files changed, 1135 insertions(+), 1 deletion(-) create mode 100644 site/content/en/docs/tasks/traffic/failover.md create mode 100644 site/content/en/v1.2/tasks/traffic/failover.md diff --git a/site/content/en/docs/tasks/traffic/failover.md b/site/content/en/docs/tasks/traffic/failover.md new file mode 100644 index 00000000000..625d5e2afcd --- /dev/null +++ b/site/content/en/docs/tasks/traffic/failover.md 
@@ -0,0 +1,566 @@
+---
+title: Failover
+---
+
+Active-passive failover in an API gateway setup is like having a backup plan in place to keep things
+running smoothly if something goes wrong. Here’s why it’s valuable:
+
+* Staying Online: When the main (or "active") backend has issues or goes offline,
+the fallback (or "passive") backend is ready to step in instantly.
+This helps keep your API accessible and your services running, so users don’t even notice any interruptions.
+
+* Automatic Switch Over: If a problem occurs, the system can automatically switch traffic over to the fallback backend.
+This avoids needing someone to jump in and fix things manually, which could take time and might even lead to mistakes.
+
+* Lower Costs: In an active-passive setup, the fallback backend doesn’t need to work all the time—it’s just on standby.
+This can save on costs (like cloud egress costs) compared to setups where both backend are running at full capacity.
+
+* Peace of Mind with Redundancy: Although the fallback backend isn’t handling traffic daily, it's there as a safety net.
+If something happens with the primary backend, the backup can take over immediately, ensuring your service doesn’t skip a beat.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Test
+
+* We'll first create two services & deployments, called `active` and `passive`, representing an `active` and `passive` backend application.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+* Follow the instructions [here](./../../tasks/traffic/backend/#enable-backend) to enable the Backend API
+
+* Create two Backend resources that are used to represent the `active` backend and `passive` backend.
+Note, we've set `fallback: true` for the `passive` backend to indicate its a passive backend
+
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets create an HTTPRoute that can route to both these backends
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets configure a `BackendTrafficPolicy` with a passive health check setting to detect an transient errors.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+
+* Lets send 10 requests. You should see that they all go to the `active` backend.
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+```
+
+* Lets simulate a failure in the `active` backend by changing the server listening port to `5000`
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets send 10 requests again. You should see them all being sent to the `passive` backend
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+parse error: Invalid numeric literal at line 1, column 9
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+```
+
+The first error can be avoided by configuring [retries](./../../tasks/traffic/retry.md).
diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index 1926da6d04d..07c6fba95b6 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md @@ -1,8 +1,10 @@ --- -title: "Envoy Gateway v1.2.0 Release Notes" +title: "v1.2.0" publishdate: 2024-11-06 --- +## Envoy Gateway v1.2.0 Release Notes + **Release Date:** November 6, 2024 The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. diff --git a/site/content/en/v1.2/tasks/traffic/failover.md b/site/content/en/v1.2/tasks/traffic/failover.md new file mode 100644 index 00000000000..625d5e2afcd --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/failover.md 
@@ -0,0 +1,566 @@
+---
+title: Failover
+---
+
+Active-passive failover in an API gateway setup is like having a backup plan in place to keep things
+running smoothly if something goes wrong. Here’s why it’s valuable:
+
+* Staying Online: When the main (or "active") backend has issues or goes offline,
+the fallback (or "passive") backend is ready to step in instantly.
+This helps keep your API accessible and your services running, so users don’t even notice any interruptions.
+
+* Automatic Switch Over: If a problem occurs, the system can automatically switch traffic over to the fallback backend.
+This avoids needing someone to jump in and fix things manually, which could take time and might even lead to mistakes.
+
+* Lower Costs: In an active-passive setup, the fallback backend doesn’t need to work all the time—it’s just on standby.
+This can save on costs (like cloud egress costs) compared to setups where both backend are running at full capacity.
+
+* Peace of Mind with Redundancy: Although the fallback backend isn’t handling traffic daily, it's there as a safety net.
+If something happens with the primary backend, the backup can take over immediately, ensuring your service doesn’t skip a beat.
+
+## Prerequisites
+
+{{< boilerplate prerequisites >}}
+
+## Test
+
+* We'll first create two services & deployments, called `active` and `passive`, representing an `active` and `passive` backend application.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+* Follow the instructions [here](./../../tasks/traffic/backend/#enable-backend) to enable the Backend API
+
+* Create two Backend resources that are used to represent the `active` backend and `passive` backend.
+Note, we've set `fallback: true` for the `passive` backend to indicate its a passive backend
+
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets create an HTTPRoute that can route to both these backends
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets configure a `BackendTrafficPolicy` with a passive health check setting to detect an transient errors.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+
+
+* Lets send 10 requests. You should see that they all go to the `active` backend.
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+"active-5bb896774f-lz8s9"
+```
+
+* Lets simulate a failure in the `active` backend by changing the server listening port to `5000`
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <}}
+
+* Lets send 10 requests again. You should see them all being sent to the `passive` backend
+
+```shell
+for i in {1..10; do curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/test 2>/dev/null | jq .pod; done
+```
+
+```console
+parse error: Invalid numeric literal at line 1, column 9
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+"passive-7ddbf945c9-wkc4f"
+```
+
+The first error can be avoided by configuring [retries](./../../tasks/traffic/retry.md).
From 54289e3dfe3f4551b97ee1dc956a4f21f41a4cac Mon Sep 17 00:00:00 2001
From: Arko Dasgupta Date: Wed, 6 Nov 2024 17:36:20 -0800 Subject: [PATCH 366/523] Release News for v1.2.0 (#4650) * Release News for v1.2.0 * Updates Release Notes on Website with Release Note content from https://github.com/envoyproxy/gateway/blob/main/release-notes/v1.2.0.yaml * Updated Release News with the release summary * Updated the Release Schedule matrix Signed-off-by: Arko Dasgupta * fix typo Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/content/en/news/releases/_index.md | 10 +- site/content/en/news/releases/notes/v1.2.0.md | 219 +++++++++++------- site/content/en/news/releases/v1.2.md | 95 ++++++++ 3 files changed, 239 insertions(+), 85 deletions(-) create mode 100644 site/content/en/news/releases/v1.2.md diff --git a/site/content/en/news/releases/_index.md b/site/content/en/news/releases/_index.md index 4449a100c7e..3be0024984b 100644 --- a/site/content/en/news/releases/_index.md +++ b/site/content/en/news/releases/_index.md @@ -35,8 +35,8 @@ communications with the Envoy Gateway community, and the mechanics of the releas | 2023 Q3 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2023 Q4 | Arko Dasgupta ([arkodg](https://github.com/arkodg)) | | 2024 Q1 | Xunzhuo Liu ([Xunzhuo](https://github.com/Xunzhuo)) | -| 2024 Q2 | Guy Daich ([guydc](https://github.com/guydc)) | -| 2024 Q3 | Huabing Zhao ([zhaohuabing](https://github.com/zhaohuabing))| +| 2024 Q3 | Guy Daich ([guydc](https://github.com/guydc)) | +| 2024 Q4 | Huabing Zhao ([zhaohuabing](https://github.com/zhaohuabing))| ## Release Schedule 
@@ -50,9 +50,9 @@ In order to align with the Envoy Proxy [release schedule][], Envoy Gateway relea | 0.4.0 | 2023/04/22 | 2023/04/24 | +2 days | 2023/10/24 | | 0.5.0 | 2023/07/22 | 2023/08/02 | +10 days | 2024/01/02 | | 0.6.0 | 2023/10/22 | 2023/11/02 | +10 days | 2024/05/02 | -| 1.0.0 | 2024/03/06 | 2023/03/13 | +7 days | 2024/09/13 | -| 1.1.0 | 2024/07/16 | 2024/07/22 | +6 days | 2024/01/22 | -| 1.2.0 | 2024/10/22 | | | | +| 1.0.x | 2024/03/06 | 2023/03/13 | +7 days | 2024/09/13 | +| 1.1.x | 2024/07/16 | 2024/07/22 | +6 days | 2024/01/22 | +| 1.2.x | 2024/10/22 | 2024/11/06 | +14 days | 2025/05/06 | [v2.0.0 spec]: https://semver.org/spec/v2.0.0.html [release guide]: ../../contributions/releasing diff --git a/site/content/en/news/releases/notes/v1.2.0.md b/site/content/en/news/releases/notes/v1.2.0.md index 07c6fba95b6..29c00593b3e 100644 --- a/site/content/en/news/releases/notes/v1.2.0.md +++ b/site/content/en/news/releases/notes/v1.2.0.md 
@@ -3,83 +3,142 @@ title: "v1.2.0" publishdate: 2024-11-06 --- -## Envoy Gateway v1.2.0 Release Notes - -**Release Date:** November 6, 2024 - -The Envoy Gateway v1.2.0 release brings a host of new features, performance improvements, and critical bug fixes to enhance networking, traffic management, and security. Explore the latest changes below. - ---- - -## 🚨 Breaking Changes - -- **Gateway API Updates**: Removed `GRPCRoute` and `ReferenceGrant` v1alpha2. [See the Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) for details. -- **CPU Limits**: Removed default CPU limit for Envoy Gateway deployment to avoid throttling. -- **Envoy Shutdown Settings**: Drain strategy set to immediate, with default values as follows: - - `minDrainDuration`: 10s - - `drainTimeout`: 60s - - `terminationGracePeriodSeconds`: 360s -- **Endpoint Health Removal**: Enabled `ignore_health_on_host_removal` for clusters with static endpoints to improve removal speed. -- **Logging Level Adjustment**: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. Change logging level to `debug` to view them. - ---- - -## ✨ New Features - -### API & Traffic Management Enhancements -- **Gateway-API v1.2.0 Support**: Fully compatible with the latest Gateway-API standards. -- **IPv4/IPv6 Dual Stack**: Now available for EnvoyProxy fleet and `BackendRef` resources. -- **Standalone Mode**: Experimental support for Envoy Gateway standalone (host deployment) mode. -- **JWT Authorization**: Added JWT claims-based authorization in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy) CRD. -- **Response Override**: Added support for `Response Override` and `RequestTimeout` in [`BackendTrafficPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy). 
-- **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/latest/api/extension_types/#backend) API. -- **Session Persistence in HTTPRoute**: Session persistence is supported in [`HTTPRoute`](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. -- **HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [`HTTPRouteFilter`](https://gateway.envoyproxy.io/latest/api/extension_types/#httproutefilter) - -### Security Enhancements -- **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [`SecurityPolicy`](https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy). -- **CORS Wildcard Matching**: Wildcard matching for `AllowMethods` and `AllowHeaders` settings. -- **OIDC Flow Support**: Added nonce support for OIDC authorization. - -### Observability & Tracing -- **Datadog Tracing Integration**: Improved support for Datadog tracing in [`EnvoyProxy`](https://gateway.envoyproxy.io/latest/api/extension_types/#envoyproxy) CRD. -- **Access Log Matching**: Filter logs based on custom criteria using `match conditions` in EnvoyProxy. -- **Native Prometheus Metrics**: Introduced a Prometheus metrics endpoint for rate limit monitoring. - -### Helm Customization -- **SecurityContext Options**: Customizable security context for improved deployment. -- **NodeSelector and PriorityClassName**: Added for more granular deployment configuration. - ---- - -## 🐞 Bug Fixes - -- Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA. -- Resolved unsupported listener protocol types causing errors in Gateway status updates. -- Fixed `BackendTLSPolicy` causing crashes due to invalid `sectionName` in `Backend` configurations. -- Fixed propagation delays in `SecurityPolicy` updates for `HTTPRoute` when using `targetSelectors`. 
-- Improved `JSONPath` to `JSONPatch` translation accuracy. -- Fixed unwanted `/` appearing in paths when using prefix rewrites. -- Corrected nil pointer errors when configuring hash load balancing. -- Fixed active health check issues where `expectedStatuses` was not functioning properly. -- Ensured correct status updates for `Backend` resources and `HTTPRoute`. - ---- - -## 🚀 Performance Improvements - -- **Memory Optimization**: Enhanced memory usage by eliminating redundant resource storage. - ---- - -## ⚙️ Other Notable Changes - -- **Envoy Upgrade**: Now using Envoy [v1.32.1](https://www.envoyproxy.io/docs/envoy/v1.32.1/version_history/v1.32/v1.32.1) for added stability and performance. -- **Optional Alpha CRD Watching**: Allows Envoy Gateway to run with older Gateway API versions. - - -For more information and full API documentation, please visit the [Envoy Gateway Documentation](https://gateway.envoyproxy.io/docs/). - ---- - -This release strengthens Envoy Gateway with enhanced API support, security policies, and observability features to better serve high-demand environments. \ No newline at end of file +Date: November 06, 2024 + +## Breaking Changes +- Gateway API GRPCRoute and ReferenceGrant v1alpha2 have been removed +- Please refer to the [Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases) for more information +- Removed default CPU limit of the Envoy Gateway deployment, to eliminate CPU throttling +- Changed default Envoy shutdown settings: drain strategy has been changed to immediate, default minDrainDuration, drainTimeout and terminationGracePeriodSeconds have been set to 10s, 60s and 360s respectively +- Set `ignore_health_on_host_removal` to true for clusters with static endpoints This was done to speed up removal of static endpoints by the control plane when active health check is configured +- Xds and Infra IR logs are logged at Debug level instead of Info level. 
They will now not be seen by default in Envoy Gateway logs. You can change the logging level to `default: debug` to view them + +## New Features +- Added support for Gateway-API v1.2.0 +- Added support for IPv4/IPv6 Dual Stack for EnvoyProxy fleet and BackendRef resources +- Added experimental support for EG standalone(host deployment) mode +- Added support for JWT claims based Authorization in SecurityPolicy CRD +- Added support for Response Override in BackendTrafficPolicy CRD +- Added support for RequestTimeout in BackendTrafficPolicy CRD +- Added support for inverting header matches for Rate Limit in BackendTrafficPolicy CRD +- Added support for client TLS session resumption in ClientTrafficPolicy CRD +- Added support for HTTPRouteFilter and path regex rewrite +- Added support for host header rewrite in HTTPRouteFilter CRD +- Added support for Listener Access Log in EnvoyProxy CRD +- Added support for Datadog tracing support in EnvoyProxy CRD +- Added support for request response sizes stats in EnvoyProxy CRD +- Added support for modifying container SecurityContext for Envoy Gateway deployment in Helm +- Added support for wildcard matching for CORS AllowMethods and AllowHeaders settings in SecurityPolicy CRD +- Added support for match conditions for access log in EnvoyProxy CRD +- Added support for using BackendCluster to represent OIDCProvider +- Added support for RecomputeRoute for ExtAuth in SecurityPolicy CRD +- Added support for sharing token cookies between multiple domains in SecurityPolicy CRD +- Added support for JSONPatches for proxy bootstrap modifications in EnvoyProxy CRD +- Added support for Active Passive Failover Backends +- Added support for configuring the GRPC Health Checker in the BackendTrafficPolicy CRD +- Added support for early request header mutation in the ClientTrafficPolicy CRD +- Added support for JsonPath in the EnvoyPatchPolicy CRD +- Added support for cluster settings for tracing and access log backends in EnvoyProxy CRD +- Added 
support for cluster settings for non xRoute-generated backend refs +- Added support for socket buffer limit field in ClientTrafficPolicy and BackendTrafficPolicy CRD +- Added support for http2 upstream settings in BackendTrafficPolicy CRD +- Added support for DNS resolution settings in BackendTrafficPolicy CRD +- Added support for configuring service annotations in the Envoy Gateway helm chart +- Added support for configuring priorityClassName to Envoy Gateway helm chart +- Added support for ratelimit metrics monitoring in grafana in the addons helm chart +- Added support for default user group and user id for the SecurityContexts in the Envoy Gateway helm chart +- Added support for maxUnavailable in the PodDisruptionBudget in the Envoy Gateway helm chart +- Added support for configuring NodeSelector in the Envoy Gateway helm chart +- Added support for nonce in the OIDC auth flow +- Added support for choosing an HTTPRoute's non-wildcard hostname as the default Host +- Added support for returning 500 when EnvoyExtensionTrafficPolicy translation fails +- Added support for returning 500 when SecurityPolicy translation fails +- Added support for multiple backendRefs for ExtAuth and ExtProc +- Added support for session persistence in HTTPRoute rules +- Added support for the Backend resource for ExtAuth +- Added support for target selectors on Envoy Gateway Extension Server policies +- Added support for non-Kubernetes Backends for TLSRoute +- Added support for fallback to the Backend API +- Added support for reloadable EnvoyGateway configuration +- Added support for adding Labels to the Envoy Service +- Added support for custom name for ratelimit deployment +- Added default SecurityContext for EG components +- Added startupProbe to all provisioned containers +- Added support for local validations for egctl translate and file provider +- Added support for egctl x collect to collect information from the cluster for debugging +- Added support for a native prometheus metrics 
endpoint in the ratelimit server + +## Bug Fixes +- Fixed xDS translation failing when the WASM HTTP code source was configured without an SHA +- Fixed unsupported listener protocol types causing errors while updating Gateway status +- Fixed unsupported listener protocol types causing errors while updating Gateway status +- Fixed invalid sectionName in BackendTLSPolicy for Backend +- Fixed Delay in SecurityPolicy change propagation for HTTPRoute when using targetSelectors +- Fixed JSONPath not being correctly translated to JSONPatch paths +- Fixed allowing an empty slowStart value when using LeastRequest +- Fixed updating the HTTPRoute status correctly when the linked Backend resource is invalid +- Fixed timeout settings originating from the route being lost when translating the backend traffic policy +- Fixed Backend resources not receiving status updates +- Fixed active health checks requiring the expectedStatuses field to function correctly +- Fixed HTTPHeaderFilter processing not correctly supporting multiple header values +- Fixed reconciling multiple ReferenceGrants within the same namespace +- Fixed unwanted / appearing in the Path when using Prefix Rewrites +- Fixed incorrect gateway being selected as the HTTPRoute parent +- Fixed override issues for EnvoyExtensionPolicy +- Fixed nil pointer error when translating hash load balancing +- Fixed nil pointer if backedtls.minVersion is set but backedtls.maxVersion is not +- Fixed empty connection limits causing xDS rejection +- Fixed rate limiting not working with both headers and CIDR matches +- Fixed EDS not updating when deployments were created after services +- Fixed RBAC issue for deleting infrastructure resources +- Fixed gateways never reaching ready/programmed status when running Envoy as a Daemonset +- Fixed rate limit deployment ignoring pod labels and annotation merges +- Fixed the API Server receives unnecessary requests +- Fixed egctl experimental translate using an incorrect namespace +- Fixed 
reconciliation not being triggered for Secret updates referenced by a BackendTLSPolicy +- Fixed xDS translation failure when WASM HTTP code source was configured without an SHA +- Fixed HTTPRoute status displaying only one parent when targeting multiple gateways from different GatewayClasses +- Fixed Route with multiple parents having an incorrect namespace in the parentRef status +- Fixed BackendTlsPolicy specifying multiple targetRefs for the same service, to work + + +### Performance Improvements +- Optimize memory usage by only storing distinct resources +- SecurityPolicy translation failures will now cause routes referenced by the policy to return an immediate 500 response +- Gateway-API BackendTLSPolicy v1alpha3 is incompatible with previous versions of the CRD +- xPolicy targetRefs can no longer specify a namespace, since Gateway-API v1.1.0 uses LocalPolicyTargetReferenceWithSectionName in Policy resources + +### Other changes +- Upgraded Envoy Proxy to v1.32.1 +- Reduced the amount of configuration logging, and make it line-delimited friendly +- Made watching alpha CRDs optional, so that Envoy Gateway can run with older Gateway Api versions +- Removed grafana test framework from the addons helm chart +- Disabled ALPN for non-HTTP routes +- Added statPrefix for HCM and TCPProxy +- Enabled GatewayHTTPListenerIsolation conformance test +- Enabled GRPC conformance profile +- Enabled HTTPRouteBackendRequestHeaderModifier conformance test +- Added e2e test for Daemonset mode +- Fixed OVS scanner wrong license warnings +- Added e2e test for Gateway with EnvoyProxy +- Added e2e test for TLS session resumption +- Added heap profile into benchmark report +- Added e2e test for RecomputeRoute in ExtAuth +- Added benchmark memory profiles into report +- Fixed flaky gateway_with_conflicted_listener_cannot_be_merged e2e test +- Fixed flaky Zipkin Tracing e2e test +- Added e2e test for cookie based consistent hash load balancing +- Added e2e test for load balancing +- 
Fixed flaky authorization tests +- Enabled upgrade test +- Fixed flaky basic auth e2e test +- Enabled use-client-protocol e2e test +- Added performance benchmarking test for 1000 HTTPRoutes +- Added e2e test for Datadog tracing +- Added e2e tests for ratelimit invert matching headers +- Reduced readinessProbe failureThreshold and periodSeconds +- Bumped go-control-plane to v0.13.1 +- Enabled e2e tests for dual stack +- Use grafana alloy instead of fluent-bit for e2e tests +- Push tags without the v prefix for helm charts to support Flux HelmReleases +- Use a stable label selector when creating Envoy Proxy fleet pods diff --git a/site/content/en/news/releases/v1.2.md b/site/content/en/news/releases/v1.2.md new file mode 100644 index 00000000000..ea39fe44262 --- /dev/null +++ b/site/content/en/news/releases/v1.2.md 
@@ -0,0 +1,95 @@ +--- +title: Announcing Envoy Gateway v1.2 +subtitle: Minor Update +linktitle: Release v1.2 +description: Envoy Gateway v1.2 release announcement. +publishdate: 2024-11-06 +release: v1.2.0 +skip_list: true +--- + +We are thrilled to announce the arrival of Envoy Gateway v1.2.0. + +This release represents a significant achievement, and we extend our heartfelt gratitude to the entire Envoy Gateway community for their contributions, dedication, and support. Your collaborative efforts have been instrumental in reaching this pivotal release. + +Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.2.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway. + +| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Download][] | +|-------------------|--------------|--------------------------------|--------------| + +## What's New + +The release adds a ton of features and functionality. Here are some highlights: + +--- + +## 🚨 Breaking Changes + +- **Gateway API Updates**: Removed support for the v1alpha2 versions for `GRPCRoute` and `ReferenceGrant`. [See the Gateway API v1.2.0 documentation](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) for details. +- **CPU Limits**: Removed default CPU limit for Envoy Gateway deployment to avoid throttling. +- **Envoy Shutdown Settings**: Drain strategy set to immediate, with default values as follows: + - `minDrainDuration`: 10s + - `drainTimeout`: 60s + - `terminationGracePeriodSeconds`: 360s +- **Endpoint Health On Host Removal**: Enabled `ignore_health_on_host_removal` for clusters with static endpoints to allow faster removal of endpoints that have been deleted by the control plane, without waiting for the results of an active health check. 
+- **Logging Level Adjustment**: Set xDS and Infra IR logs to Debug level instead of Info, so they will no longer appear in Envoy Gateway logs by default. You can change the logging level to `debug` to view them. + +--- + +## ✨ New Features + +### API & Traffic Management Enhancements +- **Gateway-API v1.2.0 Support**: Fully compatible with the latest Gateway-API standards. +- **IPv4/IPv6 Dual Stack**: Now available for EnvoyProxy fleet and `BackendRef` resources. +- **Standalone Mode**: Experimental support for Envoy Gateway standalone (host deployment) mode. +- **Response Override**: Added support for `Response Override` and `RequestTimeout` in [BackendTrafficPolicy](https://gateway.envoyproxy.io/docs/api/extension_types/#backendtrafficpolicy). +- **Active Passive Failover**: Supported with the new `fallback` field in the [Backend](https://gateway.envoyproxy.io/docs/api/extension_types/#backend) API. +- **Session Persistence in HTTPRoute**: Session persistence is supported in [HTTPRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) rules for stateful traffic management. +- **HTTPRouteFilter**: Adds support for Direct Response and Path Regex Rewrites in [HTTPRouteFilter](https://gateway.envoyproxy.io/docs/api/extension_types/#httproutefilter) + +### Security Enhancements +- **JWT Claims-Based Authorization**: Advanced security control with claims-based policies in [SecurityPolicy](https://gateway.envoyproxy.io/docs/api/extension_types/#securitypolicy). +- **CORS Wildcard Matching**: Wildcard matching for `AllowMethods` and `AllowHeaders` settings. +- **OIDC Flow Support**: Added nonce support for OIDC authorization. + +### Observability & Tracing +- **Datadog Tracing Integration**: Improved support for Datadog tracing in [EnvoyProxy](https://gateway.envoyproxy.io/docs/api/extension_types/#envoyproxy) CRD. +- **Listener Access Logs**: Adds support for configuring Listener level Access Logs for EnvoyProxy. 
+- **Native Prometheus Metrics**: Introduced a Prometheus metrics endpoint for rate limit monitoring. + +### Helm Customization +- **SecurityContext Options**: Customizable security context for improved deployment. +- **NodeSelector and PriorityClassName**: Added for more granular deployment configuration. + +--- + +## 🐞 Bug Fixes + +- Fixed xDS translation failure when the WASM HTTP code source was configured without an SHA. +- Resolved unsupported listener protocol types causing errors in Gateway status updates. +- Fixed `BackendTLSPolicy` causing crashes due to invalid `sectionName` in `Backend` configurations. +- Fixed propagation delays in `SecurityPolicy` updates for `HTTPRoute` when using `targetSelectors`. +- Improved `JSONPath` to `JSONPatch` translation accuracy. +- Fixed unwanted `/` appearing in paths when using prefix rewrites. +- Corrected nil pointer errors when configuring hash load balancing. +- Fixed active health check issues where `expectedStatuses` was not functioning properly. +- Ensured correct status updates for `Backend` resources and `HTTPRoute`. + +--- + +## 🚀 Performance Improvements + +- **Memory Optimization**: Enhanced memory usage by eliminating redundant resource storage. + +--- + +## ⚙️ Other Notable Changes + +- **Envoy Upgrade**: Now using Envoy [v1.32.1](https://www.envoyproxy.io/docs/envoy/v1.32.1/version_history/v1.32/v1.32.1) for added stability and performance. +- **Optional Alpha CRD Watching**: Allows Envoy Gateway to run with older Gateway API versions. + + +[Release Notes]: ./notes/v1.2.0 +[matrix]: ./matrix +[docs]: /v1.2/ +[Download]: https://github.com/envoyproxy/gateway/releases/tag/v1.2.0 From ad518329bd6025fb56493ff75b39029263de2d02 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 17:42:10 -0800 Subject: [PATCH 367/523] fix panic in provider when the direct response body is nil (#4647) body is an optional field, it may be nil 
Signed-off-by: Arko Dasgupta
---
 internal/provider/kubernetes/filters.go | 1 +
 test/e2e/testdata/direct-response.yaml | 20 ++++++++++++++++++++
 test/e2e/tests/direct-response.go | 5 +++--
 test/e2e/tests/response-override.go | 13 ++++++++++---
 4 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/internal/provider/kubernetes/filters.go b/internal/provider/kubernetes/filters.go
index b322950cced..cffcf214f6b 100644
--- a/internal/provider/kubernetes/filters.go
+++ b/internal/provider/kubernetes/filters.go
@@ -66,6 +66,7 @@ func (r *gatewayAPIReconciler) processRouteFilterConfigMapRef(
 resourceMap *resourceMappings, resourceTree *resource.Resources,
 ) {
 if filter.Spec.DirectResponse != nil &&
+ filter.Spec.DirectResponse.Body != nil &&
 filter.Spec.DirectResponse.Body.ValueRef != nil &&
 string(filter.Spec.DirectResponse.Body.ValueRef.Kind) == resource.KindConfigMap {
 configMap := new(corev1.ConfigMap)
diff --git a/test/e2e/testdata/direct-response.yaml b/test/e2e/testdata/direct-response.yaml
index a1d2d81e8bb..da869f8729a 100644
--- a/test/e2e/testdata/direct-response.yaml
+++ b/test/e2e/testdata/direct-response.yaml
@@ -27,6 +27,17 @@ spec:
 group: gateway.envoyproxy.io
 kind: HTTPRouteFilter
 name: direct-response-value-ref
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /401
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: gateway.envoyproxy.io
+ kind: HTTPRouteFilter
+ name: direct-response-status
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -62,3 +73,12 @@ spec:
 group: ""
 kind: ConfigMap
 name: value-ref-response
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: HTTPRouteFilter
+metadata:
+ name: direct-response-status
+ namespace: gateway-conformance-infra
+spec:
+ directResponse:
+ statusCode: 401
diff --git a/test/e2e/tests/direct-response.go b/test/e2e/tests/direct-response.go
index 12c667fdd30..cc839f39313 100644
--- a/test/e2e/tests/direct-response.go
+++ b/test/e2e/tests/direct-response.go
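Review bot: In `internal/provider/kubernetes/filters.go`, the new `filter.Spec.DirectResponse.Body != nil` guard has no comment explaining why it is needed, and the condition now chains four checks. An HTTPRouteFilter is user-supplied, and per the commit message a direct response without a body made the provider panic, so I would record that next to the guard: `// Body is optional (a status-only direct response omits it); check it before reading ValueRef.` The commit exercises this only through the e2e fixture; a provider-level unit test with a nil `Body` would catch a regression without a cluster, and any other reader of `DirectResponse.Body` outside this hunk probably needs the same check. The body of `processRouteFilterConfigMapRef` starts and continues outside the hunk.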
@@ -31,8 +31,9 @@ var DirectResponseTest = suite.ConformanceTest{
 gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
 kubernetes.HTTPRouteMustHaveResolvedRefsConditionsTrue(t, suite.Client, suite.TimeoutConfig, routeNN, gwNN)
- verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/inline", "text/plain", "Oops! Your request is not found.")
- verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/value-ref", "application/json", `{"error": "Internal Server Error"}`)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/inline", "text/plain", "Oops! Your request is not found.", 200)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/value-ref", "application/json", `{"error": "Internal Server Error"}`, 200)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/401", "", ``, 401)
 })
 },
 }
diff --git a/test/e2e/tests/response-override.go b/test/e2e/tests/response-override.go
index c7c12bd2c10..3f7a553fee6 100644
--- a/test/e2e/tests/response-override.go
+++ b/test/e2e/tests/response-override.go
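Review bot: In `test/e2e/tests/direct-response.go`, the added `/401` call is the regression case for a direct response with no body, but nothing in the test says so, and its empty `""` content type and body arguments read like placeholders. A one-line comment above it would keep the case from being dropped later: `// status-only direct response (no body configured): regression case for the nil Body panic in the provider`. Whether the empty content type and body are actually asserted depends on `verifyCustomResponse`, most of which is outside this hunk. The status literals could also be `http.StatusOK` and `http.StatusUnauthorized` if `net/http` is already imported in this file, which the hunk does not show.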
@@ -49,13 +49,15 @@ var ResponseOverrideTest = suite.ConformanceTest{
 Name: gwapiv1.ObjectName(gwNN.Name),
 }
 BackendTrafficPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "response-override", Namespace: ns}, suite.ControllerName, ancestorRef)
- verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/404", "text/plain", "Oops! Your request is not found.")
- verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/500", "application/json", `{"error": "Internal Server Error"}`)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/404", "text/plain", "Oops! Your request is not found.", 404)
+ verifyCustomResponse(t, suite.TimeoutConfig, gwAddr, "/status/500", "application/json", `{"error": "Internal Server Error"}`, 500)
 })
 },
 }
-func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAddr, path, expectedContentType, expectedBody string) {
+func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAddr,
+ path, expectedContentType, expectedBody string, expectedStatusCode int,
+) {
 reqURL := url.URL{
 Scheme: "http",
 Host: httputils.CalculateHost(t, gwAddr, "http"),
@@ -88,6 +90,11 @@ func verifyCustomResponse(t *testing.T, timeoutConfig config.TimeoutConfig, gwAd
 return false
 }
+ if expectedStatusCode != rsp.StatusCode {
+ tlog.Logf(t, "expected status code to be %d but got %d", expectedStatusCode, rsp.StatusCode)
+ return false
+ }
+
 return true
 })
From 774497860872ecf17e09080f0c1ed14ae629c29a Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 17:42:58 -0800 Subject: [PATCH 368/523] update concepts to include reference to HTTPRouteFilter (#4648) update concepts to include reference to HttpRouteFilter
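Review bot: In the second hunk of `test/e2e/tests/response-override.go`, the status-code comparison is added after an earlier `return false` branch and just before `return true`, so it appears to run last in the callback. When the gateway answers with the wrong status, the body and content type usually differ too, so the retry log would report one of those mismatches instead of the status, which is the more telling signal. I would move the `if expectedStatusCode != rsp.StatusCode { ... }` block ahead of the other comparisons; those are outside the hunk, so the exact spot needs confirming there. `verifyCustomResponse` now serves both e2e tests and has no doc comment; something like `// verifyCustomResponse requests path on gwAddr and succeeds once the status code, content type and body all match.` would help.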
Signed-off-by: Arko Dasgupta --- .../en/docs/concepts/concepts_overview.md | 15 +++++++++------ .../en/latest/concepts/concepts_overview.md | 15 +++++++++------ .../en/v1.2/concepts/concepts_overview.md | 15 +++++++++------ .../img/envoy-gateway-resources-overview.png | Bin 563199 -> 618650 bytes 4 files changed, 27 insertions(+), 18 deletions(-) diff --git a/site/content/en/docs/concepts/concepts_overview.md b/site/content/en/docs/concepts/concepts_overview.md index 9af9a3fff10..6f37f87f283 100644 --- a/site/content/en/docs/concepts/concepts_overview.md +++ b/site/content/en/docs/concepts/concepts_overview.md 
@@ -27,12 +27,14 @@ There are several resources that play a part in enabling you to meet your Kubern | [HTTPRoute][3] [GRPCRoute][4] [TLSRoute][5] [TCPRoute][6] [UDPRoute][7] | Gateway API | Yes | Routing | Gateway | Define routing rules for different types of traffic. **Note:**_For simplicity these resources are referenced collectively as Route in the References column_ | | [Backend][8] | EG API | No | Routing | N/A | Used for routing to cluster-external backends using FQDN or IP. Can also be used when you want to extend Envoy with external processes accessed via Unix Domain Sockets. | | [ClientTrafficPolicy][9] | EG API | No | Traffic Handling | Gateway | Specifies policies for handling client traffic, including rate limiting, retries, and other client-specific configurations. | -| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ | -| [SecurityPolicy][11] | EG API | No | Security | Gateway Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ | +| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway, Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ | +| [SecurityPolicy][11] | EG API | No | Security | Gateway, Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. 
**Note:**_Most specific configuration wins_ | | [BackendTLSPolicy][12] | Gateway API | No | Security | Service | Defines TLS settings for backend connections, including certificate management, TLS version settings, and other security configurations. This policy is applied to Kubernetes Services. | -| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ | -| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ | -| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway Route, Backend | Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ | +| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass, Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ | +| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass, Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ | +| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway, Route, Backend| Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. 
**Note:**_Most specific configuration wins_ | +| [HTTPRouteFilter][16] | EG API | No | Customize & Extend | HTTPRoute | Allows for the additional request/response processing. | + @@ -50,4 +52,5 @@ There are several resources that play a part in enabling you to meet your Kubern [12]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [13]: ../api/extension_types#envoyproxy [14]: ../api/extension_types#envoypatchpolicy -[15]: ../api/extension_types#envoyextensionpolicy \ No newline at end of file +[15]: ../api/extension_types#envoyextensionpolicy +[16]: ../api/extension_types#httproutefilter diff --git a/site/content/en/latest/concepts/concepts_overview.md b/site/content/en/latest/concepts/concepts_overview.md index 9af9a3fff10..6f37f87f283 100644 --- a/site/content/en/latest/concepts/concepts_overview.md +++ b/site/content/en/latest/concepts/concepts_overview.md 
@@ -27,12 +27,14 @@ There are several resources that play a part in enabling you to meet your Kubern
 | [HTTPRoute][3] [GRPCRoute][4] [TLSRoute][5] [TCPRoute][6] [UDPRoute][7] | Gateway API | Yes | Routing | Gateway | Define routing rules for different types of traffic. **Note:**_For simplicity these resources are referenced collectively as Route in the References column_ |
 | [Backend][8] | EG API | No | Routing | N/A | Used for routing to cluster-external backends using FQDN or IP. Can also be used when you want to extend Envoy with external processes accessed via Unix Domain Sockets. |
 | [ClientTrafficPolicy][9] | EG API | No | Traffic Handling | Gateway | Specifies policies for handling client traffic, including rate limiting, retries, and other client-specific configurations. |
-| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ |
-| [SecurityPolicy][11] | EG API | No | Security | Gateway Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ |
+| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway, Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ |
+| [SecurityPolicy][11] | EG API | No | Security | Gateway, Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ |
 | [BackendTLSPolicy][12] | Gateway API | No | Security | Service | Defines TLS settings for backend connections, including certificate management, TLS version settings, and other security configurations. This policy is applied to Kubernetes Services. |
-| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ |
-| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ |
-| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway Route, Backend | Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ |
+| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass, Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ |
+| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass, Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ |
+| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway, Route, Backend| Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ |
+| [HTTPRouteFilter][16] | EG API | No | Customize & Extend | HTTPRoute | Allows for the additional request/response processing. |
+
@@ -50,4 +52,5 @@ There are several resources that play a part in enabling you to meet your Kubern
 [12]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
 [13]: ../api/extension_types#envoyproxy
 [14]: ../api/extension_types#envoypatchpolicy
-[15]: ../api/extension_types#envoyextensionpolicy
\ No newline at end of file
+[15]: ../api/extension_types#envoyextensionpolicy
+[16]: ../api/extension_types#httproutefilter
diff --git a/site/content/en/v1.2/concepts/concepts_overview.md b/site/content/en/v1.2/concepts/concepts_overview.md
index 9af9a3fff10..6f37f87f283 100644
--- a/site/content/en/v1.2/concepts/concepts_overview.md
+++ b/site/content/en/v1.2/concepts/concepts_overview.md
@@ -27,12 +27,14 @@ There are several resources that play a part in enabling you to meet your Kubern
 | [HTTPRoute][3] [GRPCRoute][4] [TLSRoute][5] [TCPRoute][6] [UDPRoute][7] | Gateway API | Yes | Routing | Gateway | Define routing rules for different types of traffic. **Note:**_For simplicity these resources are referenced collectively as Route in the References column_ |
 | [Backend][8] | EG API | No | Routing | N/A | Used for routing to cluster-external backends using FQDN or IP. Can also be used when you want to extend Envoy with external processes accessed via Unix Domain Sockets. |
 | [ClientTrafficPolicy][9] | EG API | No | Traffic Handling | Gateway | Specifies policies for handling client traffic, including rate limiting, retries, and other client-specific configurations. |
-| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ |
-| [SecurityPolicy][11] | EG API | No | Security | Gateway Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ |
+| [BackendTrafficPolicy][10] | EG API | No | Traffic Handling | Gateway, Route | Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. **Note:**_Most specific configuration wins_ |
+| [SecurityPolicy][11] | EG API | No | Security | Gateway, Route | Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. **Note:**_Most specific configuration wins_ |
 | [BackendTLSPolicy][12] | Gateway API | No | Security | Service | Defines TLS settings for backend connections, including certificate management, TLS version settings, and other security configurations. This policy is applied to Kubernetes Services. |
-| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ |
-| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ |
-| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway Route, Backend | Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ |
+| [EnvoyProxy][13] | EG API | No | Customize & Extend | GatewayClass, Gateway | The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. **Note:**_Most specific configuration wins_ |
+| [EnvoyPatchPolicy][14] | EG API | No | Customize & Extend | GatewayClass, Gateway | This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. **Note:**_Most specific configuration wins_ |
+| [EnvoyExtensionPolicy][15] | EG API | No | Customize & Extend | Gateway, Route, Backend| Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. **Note:**_Most specific configuration wins_ |
+| [HTTPRouteFilter][16] | EG API | No | Customize & Extend | HTTPRoute | Allows for the additional request/response processing. |
+
@@ -50,4 +52,5 @@ There are several resources that play a part in enabling you to meet your Kubern
 [12]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
 [13]: ../api/extension_types#envoyproxy
 [14]: ../api/extension_types#envoypatchpolicy
-[15]: ../api/extension_types#envoyextensionpolicy
\ No newline at end of file
+[15]: ../api/extension_types#envoyextensionpolicy
+[16]: ../api/extension_types#httproutefilter
diff --git a/site/static/img/envoy-gateway-resources-overview.png b/site/static/img/envoy-gateway-resources-overview.png index d42ac01e27f616a7e8407d7ce829e3fcef19da80..ae3f92767aa976f9da7922ad9c024e9f17e9b588 100644 GIT binary patch literal 618650 zcmcG$2~?74|2IBQQ!~?8+SH_(nyp&7<%)_+%aoa^nW^JmV`{j7ilB(-l;gCRTAG<6 zP`PiIJ8saXh#ow-e_nq=B#lPoIKPWyqbSy>pyYEha=lI*1Yw`b@<503S zLzA@Q+oQ}15yINNO~GmJUaCmm{Ah7*zgFUnLy4okhHpsUrKivuf0zXQDz{noczx>8TGV_`&M$3MUO*Osk6?K=1+QE9O827Yy zCH{Wvgd01)j2rt8!Ki5jsns-L}{Aji&dB z31ILsTB)Sa|GwET5I$)^GN(?8 zuKpYmtZZxT(rdD*Tpzq3H`B---IE*6n(f?eDbe)q`~(cnp>_&;SD#}GMw5oLzbE8< z;7F8jeCy(NSt4(TlgnSKZVh=cmCb&=c~t2X`CQM%HFSr>u7J8IZK-?(6n{>Q!-f9@m2K?ZZ*_4Ym&Y&CQ_s8lQ} zl1Q>o*{>^%O)rU4iJ$Hg{?=m04kvH_x}g8<82{bH>(!rj_&m=;_lQDnf9i0LU>={c zMJOzeyE<1-3s^(<1{u%SQO@=PaCRtbA=4|`I~4k;69cGQJ);_vaT2c@!QXI+ME>%1 z+}nAlQKF;*(L;d2fSK-3e)nE`hG{j1$zAl=>U}Vda4z12G>kr$U__2FU@sm1?jdF3hl-2Tx>~$r?ZDJe}&uksgiyQETe{;nSb)Y@M;mi!*p-)!iG7+TEdc5Q2T` zrLt8NT?wCbNg;)`%`n~<7{FCI_ZNL6*>R>TlEAG>|Bq#`h+pZ+wrCsH%8Bj)o zz~+aFZ#9(DzSj%4<+uFOjwLK70imh&Be#5%GGgc}Md8U4(mjD9PV0+y)znGbuwu@o zRqdnm6wmfgIePZYUk?p8KL4W*lra6%F3aTGnx%AcjYqoCv(wInF!8M{JNpmPc^4v- zOKVewYIW>Bz=(@^kf(W`8UJ`|*n`V~Mat8?xmz+=Mg|f8Xzd$<<)@e1@R0+5>SNo{ zv4wD^ejmG6MsbGxS`+J-d_?5)YBVWQZ~_Aqe#o^gIB(YYc_8f{?d?!i%m|DU!Grsx zPN?R88_PEg`)`ZZbiXd#LP>b**)s;p#ck6T>xL@(oPO4MI7fu(;kuP{9*+F=-?1ZV z%k4zru=e@*5yQhuX3b(P(olw)&bOM|KNB3e{3!?4y@q||;X2v#GV@HDsQ@-~n4A7YzE*2i$C-7HtzJOpxa>qR1 z6XFfe0d3UUbg2qIy53Awk`X<#?-+4xnOPGzVYjaEIEivlf_!yMN@OINO#2FpK(gv0 z-v_R~U;urX?m&N<8jEgt;oa4@=sD4a$PMmLxjLU@b0CnEgc^vQyS16qAWbrLUeqRL zNzPahO_dHLEfq(W=ysgD3Xu&Px4JX8p3+D?8CBz274Q2;7 zgH$z+52`|7KkuvQuQC$XCbUy4drwfqX|TxphTta)t*nepgkZHW4_~Nl-aLzXBsCLR zZ-UJvRx0d1n`%)eKb(hP^gV$aP~OZ1T8hl*I4L|r`p1~v-KVVMqKy!w3Dw+UZ}L)D z1|?#>q6&@3j^lmaKpRqTFu_1vHTqSORLLx#yERljQ`?!i_P8N7}>9PyzbeSU$0S4 z*6OVC|Be1Q^w3FZqH6$B*qFk8?hgpn?ug+@C|h+LezDc4PgNJ`Zj|YE9}i{_eRjkE z07MZ#MC{D+k7RbsKIfoYb+_A;-6IU1EkKU4FKO)^N{rNfg;@fYL-Va6OPo)3ZMPHI zee5xpRg??@pnH06=Z1CKI>*>z#HmQV7 
z9f32JguK|hWNzXcy4#ubbguwJu>CaF?4>fm-OC`WpozyCAA}i2dx-igXI!pJkG~8( z0vmiLjGdd$_tok)biT$ghPU|uW_g9ohaPQj_5vPw8SH9B3&#*>vm7{E|Db^2_7+JY zz*zMy_4LcRb>U?yEY?FDq*MjAW7ul*R3OusYrbhy5VyULM$(gA&8v%FxgIdq{%Gy8 zzjld1b_lyd=*>FNK!0D-Y%gpG)xyhTQ35-pBmxK%0cLAjJ{}OvB^OA|P_}FGaDHAS zV_z&WtEQ)Fp>nM?;I8--P?=OuA9iF$x9Obsns`uYzyFbm_Eg6e$V_}bM|zS{;l(t& z#QafcMu~RPq8F71g^uS`WqLJ69*W*l-#XvOL&F-S{&inm9FX(6^UseYov5H{-DiI_ z0fOTeC%G*s{Ic{Ulz#K^1 zSbcQmwkFXI8{*9RRmLse$p(+4^IF4?SNO2*cMnHXnA7LKt;YH8cJ@zxzByJ(fG&R- zl(z)-TK`C3AKxHgbOBIOe@6JBSOGxk- zPxKm_8?~RlPkQuuAMTb*sAgC+BgHJ~W4vIbW*f})>ZYVb%a!@gxJFb)w5b<&ZDeeS zN~#MpR#M9b7j7MzNP7+L;b6$2$Sm=jEZ;RK6dRIF!_Jncg!rSMi0ewb6Zb9pCxVDP z!vuDWWkhhlI6Fv_6uc7678Mk!bO(}|CBcKRt}cd7z4$67utU8C#d$yMXH^d`(aSV_{7PA&79{q4V_|~ekC|Bx!070* zAx5xUI-a;GUe7bu6aPs5{I27sR>B%NXRAad6;fjxwwUl!}$?4#ZwrCBeESU6+uqMSNp9$uH5>oz>c0HH9iRcI~f~^p-#Me@hY_ zUwi_%D$*zy@Y_ei0^gcLlx5ds_5K^$6uOyRbGY4P{7B?`g9xgA*!ZQ~&NDrz0%;Pz zr(s~p`zANBzZ32KJ8Y!sy%w?VPf%8(19?QhbuAXz#94iufKFd1CgDX5W@@qhT3kb*cd;q@RIc;*n?`c5Q}PPsND( z==^;wR}B&EU40@C5ie=M(X5-XYvIFKx3*8-BuU+7VHe^#a}zw~G@ZS6rcUm(VFG_X>&!_*U}e6Pfp`ul?=SU&0qz|)l_ z+nw|%X>KxP&gW>|$J|N86IAw1;O7s`zYev&kagHhi{D&*`POI?JQpGqs3Eh8dM5@K``r{)a<8p3& z_^2H;7!aZ)Mq;38qH0e9U)VoU%qI?tkB;*bpNWV#L>%P6twel&91E62JxoeXG#}23 z%a+(&;_#jTyOC3RTxURb+>7*jtA;ico|UMoHiEY7y+_#sbSXW$*oix%`8#<&;B$f) zze-KgMM!;@T@;dsODN=o7%|ujb02*(LR%*p`AaY+w1S=LHQ>2krtTdyY+8!HwwiZD z22DW_M%%>G;BIfPbtk}1mi_mTcR&lvu^r$TFp{pU;8rsc-BNHfofjEt%% zW=yFTE}>+oCJ%v>CNYV*A9O*zaA@dTjNn1Ye%7~I@8>~% zA40&nZf}8k-|t0L%JWFngnzwm<=q%-(l<*mh*YPsJaBudBN-u}{5E`_ev{f^(oa#{qYyfHR&t=K&G4PF5io2Uc(G_vSaCzIx3CI2Q}CAqwRya1-b>vB|EcM zCF+S_547tQux-cO_3QGxR(R3Ulp~@IGDW_E@N&HQ9QWyZS{ zV%PiWGi&f&xenE4Fy)${F9CWUSH z^>xiLifF4`8t{ab!PPEGV7 z)<)Ag%dypxO4Zp|Nj)Y?b&TRXsgfYkI?p)!xFNFp1fUV3eXR9$dP8+b{8H3-Uqxr0 zm_NLty9pG3fl9o2agb~a#+`h4EBiHRv1>DAZIVRCe&20>z>=GP9?x+>4H2hX|8kTD zxaLz=M}r@mlzgwBt6w3xZ*_!0ytM8vS;nEh54P(r=TB|!jJj!48D$%dP#(Cqg#PrAznGK<9^hD}~BeZ_BI z&4Zc*_sxdK{3z1}Cqen#$jUw!ISXObmpX|v>VtSSvofA()fB=Lfd$r2*J7VS%ltQW 
z#z*5myErgAG6-X3ORz!_yFk!&;^v^?ak0DuUkfgE%HMd;fsl0*D@B_5Hp`rbSg;dY zMzI0CQ=l1PIUQ|ye|7qg)i&Z(p|5ZygfN3|8GKkNe8Lza!RvzV(rGF#QCKT@M`*#q zWg>5)VF`sp)c42vaoa1Q8|uDQ21LkX*_@@_?_Q_Zn$TvMzyTNr4b0LyKeS+O_49JX z{^qX@rlCO3(LjrFmW7sT^^L)Wlq< z|Dq_htmhX4qFjBsw-f*yt%r@h8;VQ89v|sJPT#40_GD9MXYYy;!2>%filx<>fpYU2 zD!ZmnA!ujIiW9=ej-5kBgt_@LY{CFjrwWo>=_U9jr?lFhh?O!pifwCr4KKyO z54eaW6&MBH2bI4k>D40|>1^Cm<2^+6xgNV=&1q{vDK%mDe8Z?RYj&H7OWUlwf6H#> zMp32otsXSAVb|l+{P&)AaOQ$~VI%YptnM;Jjo`Wmkj%*5@31{^L@&Te&}tR}5Msd0 zvM13sM}(fO7W4N+4=<_v3&x8ZK%QD6C*D)S{=)PCb)L|9cL~0uAQLV|D559iYO2{c zrlt1Zw$OUFP|!l-?wwrZ*WQ(=L4xj)`&KSCN`%dCEAP-ffJR|~s%f#D_JFhj_}zvR z@{|FU6SAs-lFV%9o_Uj=!&NGPZr0^&8>i)9B5V~K4|Z~|C3P;-dfMex5^Wr0o00XWaf&i#l{!V8v*u`Gmk-@AI+yVBrNl}w+7 z#*xIrQWH;Nk^g?ydjrbt5UsovCt0@OhH1KRd5f_|YZ;6#B1Ag~Q)=#G?NAAY*ta8z zDpo{mX4FL4+I+a0$t3W_qNnyB_MqHsaSsLV=St9*A|(drODX<53G?dP-v$dl->V5i z4gO;E;9GM+s7}3hEFIp~%)Rj-JezNIN@Yxnx6-cK{t4Tx6j z&d#~?H&>I9;Fv(h>kZg;!%_KkiSRy|fN2VS;RPH$O9*|#x^<|3dK>koO{;!_>XoXw z?zxe?rajC0-}zg+w5g`VPF4rS?v^?_*aBG5)2xBF~0pctu=BU-ymTuU>OX3iF$MI{WmFa zHs~(YCh<|60dX#|R9m}K{i^{CB9ZXKT*zWP%w%}JEev5tAW28S!PjWd zGQEO(p2gW(HDVRW&$}Q%cbr!agW1e7b*P{@)zn?Y0CM4eEhf|V_B8r@y1qQm6H?;A zag%=5&9I`DLAN|45C205(Y1BLt207)Iv#1eWFR5Ab4~t(rFenFA4Yrwa-d7O`R@ zW7Gd~zki_7X}V>Vh>1Al2R#UQ?YhUxXJlc^))@MxhOzf&NAODW6FHHzt3~ILjsJt&Usj!W_>>=cP3-f=m3v zyap6f@!xA$U*KDz%?oL5h}IqdkwRcn4=v@Zp@SF-R%=wEO z#ytyS?K=6*uHd>&7w}a` z+}v}m+8Zl`RSSLj)nk>2#jBK@Jo#0eX>ti!GY`MI=+jo^W78k7j&ZXwP1`@y?e<&Hksz-r{dN-~J@wws?@v^QKW1KC_3)#-=u1o8mJbT0 zV15+NWX*d54ME|z1;vR&?6l5ziFReRK*0r&~*}7b_gs7G6ltdl>a`Uuko8Q(gnrRABD#&)!>!QjSvWc72SJNr=%M)>YELDwS8R zRIHwRKAm15%6Dtzcq9QSc?xIeTs-D#5>mJ~Co+@^9~di7>cbmJViN6as8-j{+rqzb zTlGuU&wjJBaRyNzD1A-)&f}~T&WZo8K^0K#}99)wNvd72Qq0S{Mj-;Dx(1rTg3~^4hb^h`^FXXkR)x|bA8WFk2 zQt5VIf4}z=mZI@69=V7NLBldG211JN6pLQ&&B>^%Q4LSJ>Uu$BMXLD#R{QT7hyThAkM^8U=1rWu2&@0M@2txDESqqA3=Xq2ssHyb;epfO_+ zM)BP(FMDOGqQJX461O6@rA_ z;G))+rqjj0KeH0u;=g|z4al^oh88&3t_}|`%v9FQ9~Hq}<<{D4A*=bM-8nzk!~Q-y zhW$HP$)Kn%@RM3gm*HM)D9B~9YctM7 
zAT>n3qdiACsj5q>d4t)BHL$+iQrloHyJ9@7iqSIRQcR0)=jiLPV0fSSV|eU6MCC75 zR7r|Ap(!%}J z@HrKWA<+5x3bWBT-RT3RRU78hPvJEFhc=4V{YtA^U?!T9hxqcv6m-Dox1SWOCZg_B zVu}g8Pzf?JYW7?l@8jixK?V)DG%fCn(6!6_GFL!whYeXB)MhPnvYSYcqYvn^r4`|$ zDs|!ufm;^-W3>MrjQIPpSBu;8y)U1d{?M*~4n?u=wRLAaIcA*1(nk{iPxOpCvtzSw z0QmwPv0GaeoA5OtjVkS-KAUd_?nx2C*{xCQ&8FZK@^$}~+#AVj%XBy}qs_9)pDI?( z=%i;@kotdVwm2D_ZoOOK`~G37$@bmr@{1F+`ADQ* z<#pWYxj2?AUuhq7?jcLY+jynL_<6HzFEOS-d@ZNnTr|K3wXGuvs&mEoZW}+`iJ$@m z-G-ZvmdzrM)^I}DPVF4nWk@H)Y_LcGY(oY7e$ql*qw0#UHsYuHW|)7inhou zsS@%vy9)@TYH#}eE5Fy5S|{XA1Q<6CRe*{z<2ANwejZ1!Ka)5j+{ z{Ih>$Y=jqPB^UhW1V9OXm~k|Pa&BNOG|hM+EM5j7$L)k5>b9q;8@MNlxr4NoFbZaKd2P?vb~2XqD&SUlYAC6a_QGj9EjSFQ?-J75AH8p zc%%$7pjKG9Dd~7Vsb|%S())&@P3@*G=Z~+#d+ctBoW>FoLKuEC`auCtX+v9#Q6raX z6?@~(Pv$fL(xGQJBT6WQ4B-acucv&`!Y;ILksFa~ijH%dY90_ay=^?b6g75J*#M)o zXgjcMJ8C#lygjt)sj3b6R(It0kD`H;R?*x;S~eW}SDfk8Oj}L(jbQ}>r-ksmP^{G^ z+$y%C3NAsDB^=1#xMtzf^m7g$FHQhDAF%;P1m;sRQrCx?-YBWpf0Xts+DS>#svWi6 z+TdBAv{*zs2_%yTtfDfgrMB?!&lj%%>U0wZ$8t1ESZRsM*|D91zZcNwz)3XcX^{@ivyJ+fVmr_% z;u@y`M-|4!zEUlZh$-UeguT#2Z#;edQ2&V^{fcT;qzgn@z3y~cuMbw_{&*f zYXz`3Yh%X^ka}}f{HGa|wv)~LbCk3YEpy1#o0ys|%1T&hW3#%n4iaiN*R(Svi3d*% zBv5gqfSD2d>3hJ3Ju8Fj`^=?`l|D6xVarCcxx%BGT6NTyD$YQ1b7I1NiDqby)-0u* zB;34DZ!VUQmxpyIHdOO>I#bvS`8#?CY6GT9NKRaD)N*j2!)RPQCM%J*Dtk$`5ko;Q zVwv6y|Dmz;0IR!(R)fYljGKj9sK?!wUr>L^^OY)?4N`JFwCjR-$U`jn$(6(3+6+b< zda(9U8OS!fIXkj;vNyI$Wy_ zIqPKOcd*e+lm*cxf2?+1q)`nNq(*1H|CFP=c+J$y?gQRUh$HpkTHfd4>Q_%~nDEo8 zpV{@SL^djzLPh0bxlFk77gEtVx%QA4)a;mf07@N#_3w%*nB#@8byz1#QS;C2 z{SycKaIq@raY1Yw$`B6?MXAJU@f`dghHKSGGY%V$U+5AfwRxkLBC)z4ML^TQ30wL{ z8r$am?zA$=c04DzG33rHj&&<|hLY5CJ;?8cApP zYHi2C-z(Uy-^P)7?Q=U__15qoY3!Bt09O#O#jO>)`*$UynUMKnFN4G~^h)+TuXP%A z;>_Wg!eyZU!rt7q+3gNafRCXJ_z-5%AqPL}0rSe25L-bgdaAXsorWZInW8@XoVu#y zXNOInBKQev5=`6-@D%xvLz|10agmS}=B#5}s3*6q#eR8skDiL)@`ReioQ@fS^Se@( zAk32_Rj!S<^ht>cn$qHCx>?okXgZG=p(d7}Kj1G+B6XG3sMH%*o%fVl56qRYK@RI@ zuXWw1+tvT`lj(|>I!Kn8o?yDw+Q;K($xoAPxm);G491fU?z%Y@-$$2frg+6f2t&p= 
zd8OgW7JQBiGVra67bQ1j?H{yP;KGo4HP+|RBx+k~XIn!oZ2-eob+i+0UG?Hn3NF>F zN@Vn#*_Lj1!OK(yL*^a$$Y{>~&4;`JY2YHHA-=)evq`N7D`e%NEbMhCuN5R6SqB!* z?Oj+&LSEj37k!b=#tXaSKrc;?%^?36=zl)LY84S2Yz3)yH9jNOkqnRED(jj?I%KyC zN%`vhfL~2(jICGlr<;RbE^tcbyVRqw%fW_ohQ9@zJ{b9|p%SAGH<$~!Xsto-KYMeF z9zPyfe(GCutm@VP@1LrFn!F(Tv8B94)jpO}Wp`=a1^k}tn4c2i3f&XO*%z?TSXRAQ zoiMZqFY!87wgx@7%7T3l*W-*IrVIkRi7NGFB{QT&#YqY`a1$}7l{KwWuPfXrb;Y@; zd~Y;vU)!RVvZx7*-Hg&lFR0Ueu0{Qt^95P!@3RZ~uRVf9ZJ>t_f3_ve`mB5 z`HODUy?4!@ZfnZszkAP}VR}V&&%WaL%Upqmk>%$taky7(j;sB~l4N_Yp>-#Ne|xvL^>{+jv;XjUxUxd%Bq z@K>-=P(!Y9>*x#;6`H)8#o14CR*)&W-e#Xd2UArkA~RkXkOwVPkb&|m%VnNpgEaexX^1Y{*j#oRipKE;bq_BrABHe{pl!s+GTG3=4B-5UA73We}H1@*FE( zdm^?iPpOjs=Bm1SHgVf7aRWxIvnp8}ql_q5KmtBT+tbO855o@44D8AK!@>pKC0_M} z9c{0uAj8(HE=A=@hu)^vT_kD48lX=I30Ilpcn{^#xJT0TCji^a?QiVM>*F4?6W{bz z{E?NMWetH9m!td_CjM5sdC|+zvv=R%E78sqR?}VwQclc%-gkMmy*6Yhd_w~TtB@)OJ)7lZ|5;g5{o7<@+*hfvmewYB^es_4sm`zrg8Q`)n8 zSB)aP6x8I}z-6sC!cUF+_uUi&=k{_eo z0N)sGXw9!1Ur=h!@AhtpX#?Lnkl&m~Tr4dB+|_?lg=S`pE{tV|cz@p<9?kE#jR^QK zxln~3;9eFSQ2Bh_;7N<=!40%FvLQ=0Li~_O zi>7RNVvn!SBd!bm=bHQ@KbD6!=g3=jKK0&D8fYwpE^jb^Nm|oJ`W0O>?L?l51B7AY zKQvlk+FXAtHrylMSyCK$m)kKrhfe9D@XLzK!ZOCj~7cco`_FP&vdQk zo2p4JZKw=nyioG4xu#8L#Pvwu?oaO7Oa4P-sS3J~K85ZknURLgYazFTd(cJgjnJT{ zC6!}7Hs;=5qz$yv;P1hH*5sq)w>*lI&*i*mYnvb3C1Vp<`Nt|Psn}Z#X5wO&vHDpv z;c>R0g^?*dez|j0<7G->C@Fh^gsB}F(E|y%R?;=Iy7)Cy|}eQ_GQz_HK6D;|-J` z7cnec?Q*o6jW3&>e-drK>;f>*1I=1$E|ITU7|6^9ihX4o)`r(|ZD4FJO>m#6t@`uc z|8zqCRSov3cyIg^!L|n7ku44AsJ}1~g0(iMrc)tD+cBL#`>qy{O77!y<{etPkw&9B zVlCa(%T_8`n`dUm97iFc$R{*O`W*dza{R*t6$sm9j9)onkre!5AnEcvz*ONClqh5y zGtY(|l9)r^A&rcia%LA9p@2yiSfF@?kilowqr{)?+lN9wE$?qzZNE?P+-rl@)AnG6 zPV<*@Ht&SK-OE_c*NLGw_^;+pg!}*mi8~rrU1)waiS+hNQ^85mg_`UPm`6;OiAC)_ z*K}utf|XOawr)DWbEqJvrbk06ogfZfepaVT`BEWVk|r%G&IcR?Gk4%5@E%+dm2TLC zJ>JUoxHW?uvAEQFXkKxmf*tEIqyf;VWN8T|^hN>G6vCT~Nu16oFi)v)sb0J=a~qc-|-d|6f==j9TvVOvwW&;PLEjgAMB&Esb7RT?dWk}qi8Oa zh8=>D2MRDlLsdj*8~+-UZWRbLUHT3G>_{fEt{`Noh4y$cofR+#;s1^cOpf#@-QA2M zw2mPk#ZnN~l=;-!OUwtp2{3>A 
zn=ZQR-D3BRO?rIyHazjx1}$B1R{41EIHR>!4W5Ef#s#JrQ&hv+)(^ zzUg8U2Ip#m!rCoap$L4-#o`&SnPkPGpMbx_z2~V)ux~u6_$u#pE$(@X_ksY|bGQX+ zt_>TM3>Z9YJh;&7{d&Sl$ycBo^;B$_W(sLUX6e>DGo#;<_r(7~tQX(iK1MD0{ku~R zs+IxIUVCH14R=p(n`b!1IVU_8U*vonMjPOHTMc}h-)sGdJT0B;KFiZT+LBX>;vA^E zqT{-wZPX*QXGHWs%|US(QsDd?dop)hK2Qh`Ju}9G7kueGaSDCJiF-Hih&0gUmyZ7z zC(?{^|J;^u#E93HG^vJ!^!K+RxQ_2V&xbtbpRofoB&`hnO_?y(d(sN@&r#4%h`k@I z7Qt;oE85UIzK$?{JlFjo7vs-Om6PTMhp< zxX^QgTwj)&sef@aS+PrlR(kw3p~kyxB}x@ki>#6iPji5v1w@6`)LaVUrs-YJXeR_! zhJKrYeD%Xmge}d zx^pbIGmqzCTO}H3=NdbBo)}eF_BU2}TLWzVr8p+vZpACcx(6`bHuVOP@;e+8=Fn_cZ@?tJPwO)nZKF zwvMC!RbKsnOw{>yCFM_HuJ3iT{pqtOZq%n9_w{aQFjsSApLyGOTM?+jP-A7cCzNAF=5YX*B z-lYAMjqW^6C3)ptOcFq}aH2UfDmogYL!TFI%0*o50>slp8wkJ@ySrUotNEdOUo)=B z=5jJT)15zO84p0UWUrSRZ)VaThF~4HsBC^xkzcP-Z<&U#nf64Z02}32aVOTG8*9rf zvaQ;BzxGByoO(=DYQ)NYZm(;n=2rq`&H0_O_tK8ACg)EZ(p#<%<7A3QuaV^Ml2=rg zJL-AtVa+Lb7Pes0?~0&Fp?KR%;RQ-Akry+5wq9tVDCh!H-Vp>UsH~L=x?UjX-=}TE zLtT=u@Q<}p^PCbF5bB#M0&799aqDHloranB0t<#!V1`gVqJ;{2{-5vUPP6#}tKL2D zY0#(6F2-Fn=>BK9(|(UaFe_}nb*V9-lr(K!dSk}A^mg@ zk^$M_|IA!={$qB17$dqDv#iTem!y1I>vXIVX*G}4_vFe44^vp@dR>#pT$AT_P~wKC z={O|WJ2oG^%g%+>L~BKz>!s}^0`tN%?@pq%Sgs~^g@;zDhlFQT)5lic*{{FbI0W-Z zt~*%SCFrBNpJST3BH7S4bARWm@TdG<(i~N{a`!Q@PKjXTBj_6>`7^E9rg)=S#T~U>wGVBSEAwkn&f>{h2;GNJMySxmsx8;&t8TV8Ecnf z(n?*u(+i_M2SMlFuY%(+;!f=m1-p9AyTQAQhh-Tqw7jN4O_q|d^`qmq#YVNsrGjV-vMl&QNuPiTfUR@_+QlFK3k$Ob>s9kuvSc z&^L75)iYvD5s-e~wVe0GF$pD{PNS*h8S#wngt>KpW{~8tmdN#!;-h1umhY@|6z&ja zJoo72Y}d*tTRltYH&Eg)4H?s5c#+~SPYBaZ3xeKima6>i2|&j1Z`~q7FOqV2Ya1_? 
z`xGxVAb%`Q&=UAv(fVN2|AR(>JDFS`bb~h&BDjOp2(={t1| zw-^ZS%+Nk-jsox%YxU6+-fw#ozf)IJMZPUHJ=hm_Ve+b~Wc>1d|6$8m} zP-gX-q59QOKJ)piRneULMIb&r>(Eq@J>YJUJ*@%6iob}$L;t>ov8kRdxFHr#PNZCl z!a%2b;vbDz>A)4D5NMX7ze-nN$@zOj`wb0Bh2FyZEr>PkX;wAr0&6miil8(O^1fbJ zxd0Ro-nVTq{HmtEsd>B-8jQ+1x470Zw5!_P5%^hZQy!govJvZi2oI&MTI-V1TC>mR z<92LpFh_TguKtf@*q6nh{37ETlitKAg00G83d;@2^}Z|aeIB^MOJ2|1I%`5GAOo9IvD`mCbScb&^H3 zsd$c+2T4&q1NM=Cih6Bi`r^oBdYycxMm{4=TBGBLE&q%{fh39TlLSES>P>pWCV6v3 zdvgLJ=R*`6RK*nisgav@f+k#q4}{N@nhNCo|4dvYpBKs7Y|bxwp@)%qw8*bfE5bU{ z^$6yx4oi(QEl#|HWy}^h^SeRCib#d{_agtX8nwvNEzRlr`h9x7(`?T_M&J!_aDkF=0>8c%1I8&jTj>i`TRyH0UI%jM znsLGZBOv=Jcn@KCE^1?MN19K8xA4PDT)JAX#~OF7n!9#h^^E*{WMG$Ufo z7@RJM`?0-|u(}UnC~Wz(4=TKhQ~LXWlDGa!=sB|3hA#Mh-yrdjQX8#a+rtZ^6oWqy z3+`QjgJ?rTxI<~Cy$8vxPhy8DU}o+=)^AMX!!&tqf`J1-JQVNO(zhwF>hgnPOzp4G z#_3;00(};8*MmS+2sHp&J!91sm#O${|3QVDtiJ>0N` zn&a8!@IF6Zc$Lp>!r(I@=}6c-dl7AP|JJDa@!)$Bj!$Y-XLRpZW%OqXG-@0I*kCgW z2b8MY5kXyxhqpICx#N)I#c|l2SjxJwaP(stxF5QJHk#4^9o@AzCmz77PG$#u(5cDi zhU3i=1GMMfh#A1bNxqn@O{cMK>x3;5B!z7=x6#^(^@!Xs*rrw5e`2gL4*|MK(Oz5l{!$)zy zUgJZqcV;1CSa>1$(!N0*)nyLfqXdxcl~uLAl{CadFjmiCF-#}R2pUXVIa)+0iy;nF!7otvrAfX7)#DJJ3^rR<$UV8g=85xGLo;A_x3gbgO zLe>2!a|FJy{vq#mnJxVo$^ek9;t(uRRi++3oF*)NRZ2wyzc~xegls}?~5l1U#)jQjQViw1HIznfnAD^%SxY*IdEcE-p+1P5I{bM8f(vCDD|IfXMmk zt(ZqFf}&9Rh6ut3pj9tBr-!_sJ<|A&3~HbvVU)m&3o(?I?_rBDbjL_T7QP>{VMl1z zfE67iDqMS@XQ65NA;@r%x--G50j4_E9Yc zkJeloqv7NWaU`n zlU%!?6GZ3yd4a;9zFo*JbH-UptbL@x>E;S?dHl)#5@mt*wqGQ;D%;QI!z2 zEM(&phHsCcrh8o&W03JUUqDgn!vH@B%kOy`&|IJA>>wMe$c2!s&C1BzIzvo(>{+`w z_ugL_?nA>Mh%!?`h@Iys6C}qH2_{bGpFIr*ezLJ|*DTU3ja=+nQcG8euBng8Eurp@ zC+=&#`m&5prQ&ya?z`u@xNr-oX{9}mpVmRH=W1=t z{U*0fNf)ZSA=yb2A-Me+wN|^t>e8v-kwxx;xu0pV>(Rb_q}(khAD#POYk2&~fjFR% zi${n;@%INp1`LFpUF`QT^ke_u+(+dk%Ajw5{9irr-zq0*gqpniEqU2BdIXT;z`x}9 zMuC6H@q>Q&{}DOj=N(l9R2CXgena5*4?q=KgAF{2fFA^WqMKg1On@VF zqq7h&^9iflMt|<)ohWQ zANd2yf2Z;9-?4Wfp}%hwT^32)=J-8r4n=DM`WyXl_~I^0^7lOwh2EDL7Ks935WXg( z#@`~*E^U^BI8C4vAaVOh<=-1TQR0#tL<4a|28*nFzsE1)gBcd1doQ~v#w^SAxRh0JYi;Y0Fpr&9fa0 
ze4l-dH%BmpapSFVvq=?EiIPff8V49{$;B#k6FQRO`hY<$<|J(DQs}gYLT5eC!$g;~njNvR7SN*QwMM z_cg`bcw4dLZQ%6iI;}wMOC_{?-s^CKK~M6DePAcEB6Y=2DH1Wm=h?40yzOB>RLm?( zvJh@!9cMOjfV5vLmr!k;JJWG{BU(c%xoM{G?MQTAV1D;{h9UiJD}47)2_=RH$y;WR zHjMuu$-i>%zx-!!tR>ynO7G5j*z<0J>s zIYFC9*++5)OI#pntE(l`JQmRoRd(Bs>QF=Yiki^tmbKuZCdF=$R}^|Jm)o1bdC5YKXJEwn6h+heI{)b z{rS@eLdN;ICKSh=kb1X{`U&hKtCN7C2TIrh#8#I zzD>N@xU*pvCd zWh@X2bzCz(&AG`*NuhM-2K5^7YqP~pGhV_)iQ2?Z8BrCMe~hY#2xREg)yk;*`0-=5 zuvM2N=k?sw5eZ^r{<(i>#nI=(4f_rpHrTpnaxdThfG=D|&M%3zk<$nB^SfW#(>)KZ zjeoKda3=S7MMTir($Z3nu9n@KQ*10m6~r&D4tk?u9Fl-1M3Xo99mwFE*gshIS@rc< z;$!_!`CV-81qFxARctN@y^H?-`O`Q831oAWr8(_FrMG31*e-VxEK)z;(`fBucrlkF zW;ea`BLPfW$g~f+?+ppuVcHL}@`3XfQ=C|Oh`R0X(P0;(OO}s}^!|#v&d`s2|IpQc z{i*yqU=y6Iy{C2IpNu6gjD+N(M+%qSKWW5-4VX{B-Q3h;KeOq7nNo}5-o24!9U;2} zM}GksQR4Ey0_LNTqo?&h7exG?;FF1u_B0wz*Zm`xGvf_lK4*K=Id=i)_Z{vI&Lwr( zNB8)g#{ZGW+3zhdpCD`Pkl#~OyKv3@0;_CpSnLw5Pgu+}rpi?Qe<{DYN#{HtsebX;e&RM9y!X?x2hM7A$$?r}1 z*iv@Yt5Ha}=x89H3O8XC@#0*y5z|#NtshhY^f1{H(uI6{$B22f<$~Ewp2KqijU?9I zh^d;Qt#68UAD?ydH>=kU6H^W|_WV{1QnxGoc7c2GDj|95D%Y0vh+j8EB73@~ zokZ9|L+r|TstW2r-$IaX%E+4kbHe4(q)W)=7mdoq<_{o+l@wTnKS_nJfAGm~R|qxk zcz*fti=FYBsF1X0!LUtJ_+*%fLsyUmyAHFLtx81Ew>Q4@EPqp$uyI{Dx$Z0Sz(-pM zLmaMw=ZI<#=o>)H;Wdqy@YDUgk;U`@lRi;DI2c*u4f&^-%zQ(2) z8K4REe39ZsrgKG_I#NIAE|VmnkBC!VJ8g1@1AmhxyrvCj_-?6kFI}G@avD^JpWq;|V zbm~bxsv7`B!S%pJ#;@&_uTm(faz|}rXjI2R_<{rr3u?a7MbRP^s17OKz<1M#tG0-(E{t`rH;390u%p1 zvwuG=Di|=0PgX+bzK#Oeuo5=-FAiW0PIIucdxc1#MTwKKLDj_3-F;nVJV&>{x|a)Z zt+?>=gU6N@C6Il8^}I+E?(VeKw>E$=`o33c##4Lom=EpRH@`X~sF1)gDr`T{acN8H zYy1%-jE*M0^h4dqm3R${m-H*~$oq{6qFdAbLn{S@R`&r6h}sqJCk!g8=lN^mG}}r7 zJ}`0W$KJ01yS#6dF2f+B)-ARj zEPf&1(8J;7GSsv?@RZMp2y=5M_Kz2YU3yX=Zbvn&-;Vor--Z6gDb>BZQia`_Q>?b^Y4)?LpRYYK3 z^f5~~b9-qcm)aE5n#Iu3u!C(U;g@ty6Bplaa=iTjr8z1Jc#}fj zPF{dx(#O=c#h9Y)MIZb;Gu}__>VwqM~1ZE!1Za3=D!_3;HM^0w7MA-!=woc+@;|bs4VIIo5VXMI!$8Bupv3H zmm{f9{720|sj1_pr2d-nZ})B>bMf6yEr9Pv@Nj$Et;iqtkM_ENt?T{|6PW+M6N4hT zSV9W=XL;qakCI$|(ZRpXscr7GZ2O3KD-2ZrQ8NHknEx-J@-IBTqreY(2nbRB3y<%J 
z^YFs^y!si#uPF5kDi1pAeF8@q9;#|~##nP3BXY7Q<`^z!A}5|zMS^%4&yr~o-@Fpj zm*4f%Ko5AZ`ajbAxo{0DL;1Y$RaLo2x1^EmWb8*i+(iUFf3ERSV;#je`}e!gf8Zfe zD-`k_jZx3Ff2_0oI6zwvhZMFWZ?$V#2=jI7B^vVfCP9aQVS<;V>r#P00l zkxRxUi4No5G6FS~+6BC%@+tmDI!NEJxVjlLaPku86yTD)hFZ!+zJOVrC|Q}c4v;Ze z3sTj+pA|Owx4zq3!0NYj0^mekAW1gur!E`g2a>p%WF~!Sup*11<3ek8i798L3d~ti zsWwmM(tVoN?r8m>%qn}@HV$vI*+3pq8T5_B>uAV$|^bM;fzT%lKTc2bX?2Jvm+ zSB#l_B4cNeRutRz1IZSWWJgUf_apk|Y$(0Jv$GNF+4>`!DGC0dz3&&B%S6Nsv}R`` zBlBphFJ&T2MUI4U5l1R_xGbrq7j_2H-$Q7lqzp~=BgWisy4Y0_@Kfv4BLK$5Wsw9* zuG~8Nc=c^7-Sgq@Ih+ksGPHfF9AEC51fXJCW-5Ra*W_ihBq{W@&GB1X1KCir_ zjDffrgQ((d!y0sD?W@g>FiBj2`4DarI38isTdaW0-_yt)Nc(qs zXMzn-Gb+}$XZVXqX!f`cCxVj?7OfaE9BNbnXP5`xq|#VZebepvVvroUxn_3}vAWEZ zTk=3!FWq#oD2Y9|F2&J&mV7-e>GDJU*%js94rPOs^+vP@eDrSK4PI)O>OhuxPI8fH z$JP9+LR$r9gTw!zB-f4QAb?gYK-q!WT+I|Jns#Digj3bfX!+9wEP(u8WAL@rqf2&oIUM7I=IE;ja(R z;EJtcyQ>eB9%N-GU$rTTi@WVECA?0_JD_FStQTgxf?z?<2aXumP3kZEgOI<}CmKZb?e>qACj z&Q?k=%5*-&F&`<2`ADEuBt5e5t%HBcnvrl%x7b@!;!rVakRZmXvNK9wxfL&kP!A!H1Bp>t!@BTu1p zU&)GOUpi=JZB>eWU!}*bZeB{Pot7b39FODG@~Zxo(BxDJvW5`7e1b@(ui=DQYC~<#8K2vj8|{OvHwEV4hdWER29c;+c&92{v1A=$Ntd5*-Av;`)e&BO zh+J+~E^p6g408GD>|;*>ZCbqVociD&{)Ag&YPd~jH=Sk${mt~rDAjx&1Kb!N?oyZM zYDRYGfT(7kP3eK4_$)}jOJS3JdaRvM#{$f@>Hx17;aom=g~r|;(%Kw-b8d5{>V1JV zA~8F~6*A*|${!m&uwls4++|bgYSapY-HcgDPM&x2BO-%468{;92_N=ix^NnL8%plA zKGIEau8MP=IV3>NA_D+)N}h^MM?>kvbJ=oD6EmUn>Fl@OH*m09jI|}s@Ttc7IHJ@@ zVH51+ns)95xAw!;xq0>_nxbSNJd+?bGakzXw({Kn~QeN#?ZAu7{&S*$@ z(j0y4Uhzh1OH&3{d0qN!wrIj zd^yy^R6b$g>LNSi30jy_g>UCf9R@Uo3P3CrW1*tB>)AaPmfSP3@fk9!&|u2QQ1f?Q zLmGZkZ`F$w?C-rzB7jrUPBfZytB_or8S3QrK}~5}A_x6%$7`%Qr_!t2E<+ zhZ{JRNpY3eUUVI!Wm8WPyEB~P`Ptk})wV^9q{H;eRV$xI`OV-5AZJI}ndMHD*_m?4 zdFNQALw^{<$OpJF;G8G!AK82iB2`;Vc$)z~HcX=P`EXg+F{i+lG)igfvgA#v`LYD^ za09<%7`@rL-Z{3wA}_0KS}UdK2t^;HcM(zp#{VK`MX(Gvh?x=JIIknKSO($d&f!g#VBL->Scb-{y zNifdJ$85DJX5KGb>cGGsRckODGd9J2Fu2J>eY`m^hBE<{-;Nj&B%D|6IGsN^^i;0g zjF<6YckBu{7;aMQx^jh&`nVecXSjx#+Q-*?3i8}T{ldC?$y6>3vnp#z#Z^Z)svIR9 
zI+Q4E4MJeI#;Q0|eWCJ?Z1Nm9LwqBWnnJ2$xvI(>n_oEO44C?lVH|^Qf zTNX?1^&!qrr}2gWWE=GmNphp2zt(?xU(K{ep9=wQ?&*bib64v$2g+vwz4_b3et-#DP`yf#BOUdAxjRK)ds+ zLPv#h7U=z*1Eag7zC2{5-W!RmF?3mTqNOcdbo-WG_4OL4jKKA5OM#VEHS~k-w@>a4I!i4a#APFS)Ref3*Zx60` zFCN5IVpYZVxT{#3k|tO`bG@e1AFvC=j^7WBh@-}R40r~2*ItaS$K4b2eN^pyp)N}Q zL1}4We|arzeyG=(L@B~$S%_U*vgL!}MI49ol?-X*dYPd_b^aZl!dEU4#;c7MN7W;m z4WuO~P6nyUna;Wpu+>}a)lh6mp+R{~9(mso=^>eW67p^)A;1wlr*9nI85T=9?CUv0 z!awTC+mfe4dF`1YZ)azjyXsP_b58w(f%e)}S;@lStvT{GB`J}rN4CYE3M^?ebwlvP?zzqT0m3hH)4S1n8{rwDKJD`kc$*l_YbxW?^F- z@g16MS$W$z#ZXUYOUr46_V#v6iqY+pGR2PLb(@oh%cel;u;@AaBF3UXy2uh`9d_-R zjQX?eSjnfp@phnaP^emuwCzQYFzPOm-BJq(AEfi z!IW`f;YE2Z4-ApGths<&fMcW6wiamp-*x+ph+%Pzv}V&=r{a0U!72-%BA%!rUA;jM z=1PX#?M5TB@X35*yf&E!y+8t3wrQ=T8VQnE4KIgA=1K{Bz%mOBr%5Em;6^+|@4Lu>RqLAO*`d?b3Y?k~q5%3cARG60AAPlh7*K7L_%to~pnV}n0XeN1gdwHiCgG^9-$pR_)mfDxpBnYMyd z5KG7sbOLuI%)0Qw^t`&rB3DeIHRp|OXW8pI`a}#vbLWMonJ;If5%@7tO#^+zS!|iD zC+pA~O@cFNMZx|>d7~gxzfqRL*d=MVu`x)(p%IQwh0?haebqT_J)HE%qMJ@sNexH? zR{jtdKcTTInmWXkAZ*%#^JS6ykPEQM=FTfm)k@nMM{UiaF2w@DgmlXxAUcu7&cR_} z3o7~(t%A}E+Vvy zSE0qw9`OLnVXZ-@3^ZT~n#miFbUMsCtW{L5-Ug=mP@L{fgz+V94x zLezSU-W=U!sFlx+vnhMV&MR&OaI1NTQ_)^&Uit=&KOM0iU#EhmNRN`S}z`dn^LFLOBn8JHWN1Cr&KKa+kwy1fWE?i~O(Np<{6kd7bI*ieEd%3iNv##e3+Y;}D0sd^M83H|6T4hA-5 z@+mQ>G;R zz|w|k_R0aD;Rd_PfjGGf|M4b*G~i<@GWLX~R+^GKAD%TIlbLCfz?8DkGZzr9+D|Yd z4y8&yBoRo7D;~X@Pm&$!G%FdVDDcuiSwJjanE$;bjMB(+B&BTpT&}eKfuggw(w8H~ zmDK{fX6ixM<9iKKZX9yp&8Ib2dU-t&Si&O22dEA=D6{o0VP}GI4dW(CP0trDxky=K zvnIMv++yI0BDA}Bbqq`iI$zsdfs`g=k5qnq%2R2Hf*+&3H_fg%HXk*EbuRG?O-n1B zU>R?iYdB8J?>N^Msk(WpA{8!PE%Dj|IXcuuan-?^H^m^L)R3v#a<20jMh;kz(wg`d zd_!g#xGLGA2d=#iUsB(1npCHO6B#;j>!edtzWF>VRWz1TTjVl(=b3kl0==aW>1>(Ca&uPNmkR0xG<<)hMOG0J`*WGXHt~blP?sOiClR$kaEx14ESH& zdn-(W(0tj_E3SK+Mq6#O%}u1u6C}zE?$Daa1OAVyHTOKwYhnzn^)Gx4EYhmHtgaRX z7^%z*CYI+FZFNbWFn=eUojc`fM}GWZ^B3Kbc+uK z7o!BeXdT&xWxX=@WxlR-y~WYxnQmkufCjgU2+9m@8KN4e;h3)Yq7IUVm0yX(>9W6C zV6mZq#=MRZ=qd-uHAY()Dh-W$?Cat^mkKEv6nCm6zF>OS^X5dMwfm$;a!(gk?`vlkK 
zY4ucp^e6)cv}uz>LR~^(pTPyQ4TrzTWb3CIXj3Pg;I+x>7v|5-fJl-dWv(vJ5 z45bjv$npAhgTQL9&brPF!WTHmxgpxUCUvbHH^BX`N(H=HPS}T?NIP$5J4czRAIC#- zbY_~yZNmAkA4pX?-$EV*C~va{wk917FG*hii=*fvMNhzT?pOsWxOW!%;h_XX2OTaaHM+H6&*93iNG-N%3bbhA?tE6i1eLNo9U3+j?;L~a6 z{V}ROtj*3TgKV#yaXQV(>=v5M-C*R}v;KS00WR#qYizuhU>%DA-L*vCM`8=}D^i(v z2eI8~$l}A5J{4_>Knh`}5^HUtK&=KdK^@NX!dr%x;8+SlEh%E>z492IBLRIxgO zqcU(^WC%GHu+^}>ZEH1oj+G(nLT^J;h}yF*EB$&pWcMbK{Ja~4PYa%U#CKnM4^M%r*TdOH6)qu)F=g5xft4?p}`?-9y4IfOh zjCwn-91+s3#aw5W(p-$qW~8hoYmqOX3NS5YTYuD_*mEO4IBv9tgPwdqdseeAvW`qV z&Fm2zo2bd^VC6+jrg!}0jLbk*e?ohxr64Pbz_8~=hRfmW4~qHZZ6AMBb-`ER%J2i+e+_lklmMF==mU|odN;Y&suBcmp5`mum2LD<{u_WksID$T9fPp z7$5W{CZSL}r;?-cNE0h@gZ2aNw%PR-92W|i?x&)J>W<5#Y}Jz2q|fhtS1! zukPC*w+{0eK3I0VmtOWNQ_BATM6qhrtrDqn*@MocLXh1|G&u6pvdZxpZ$Yr|w_kbp9gy)Y5{_rJDQhX@tN1Tw;B7YY2q$ z@-l0jraZwwPz`%{a*unpp>Yh2eJH2SYOKy!*~%cssuX9)AlyHN!K_~C-%xjR@<_LJ zX}4WG5jvB#UNfuJSD#b80YpGBR_Wkoxk|L$_@`NmQX%;3^{5+$9>e1d>fTY+UB@t$ zrf-Ygua%EoIUrfRID&Zyn2V7>h7#v;CxuWarSi)Z%T*$&5Wi(MjFmHq%Ek z!tV#D?v=7@lMh8Tq}i%pCOsk@b+Cn-q_D1H_HL5hDMbaE{{$|3{WQWvu@cVaDlYc5WgO__BI$H#(V8U(WbD02gKh=s-a zoAl5qQTA3j(dx!-D2r1Uhg@WTI@YEqJQrMI!CMW2cn9f_n&L*7%NF=#f`G%v6b9Mi zo}2i$j}4SxMkrF2c>n6IFW)3{gxY1-=x<(wfHGAj3uVXPc1TwJ_h?_~E|tgQj=t)d zVjN|AjFw!g!mnHD)f>`{8Wcj4dT(l~TtlKO<%XWT0vu;1nUvJFe2;-p$`soi=el1) zM!cc;jeJVdd2pVCc{cfdQo7`}p zpn`kTkwC_Q6oq@eG(YGJJLi9#EYDnX5}s<9Yy4omx$a-v-ff(lI9C!>>hS#VGs9B5 z42YfDQ&-hd*AiSduWW8`tpa6*R-yiV_=fEuXr8cDRtwQLO~mm;+1(gAL9l&0d$Vu= z6-Xg?L*)PwpX-tV>w2)6cXd~Jm8-qqzVr+99!iOmlzxZ~&D5DFPhNT&?kdS?b&x|{ z0~y?+Y8+n4Yesc$-CV=TZ{t#v1GJ{drKRnP-;s_rbl)ZVVWl~f6VfTtqoQ8b1zDHo zft-caKD9a?YDWAZO9X7nVK-YXVEXCUI@3Fq20kV=17}lfC=e>2#ZC)d5o~w!$I{?x8R%Ad){A!o3cpz1$!0nu)0ewFbsgPAd(*^vK$d zSe~tmnGVaMWK)s)u)P8L)o}UpA80F(?C@Z>k?;p*1U@Pt#6T7rIpx{z%~P1?`ch#5q({S(J^NO^mUD zhRB1I2D3NPXH7&Is88$-cA_;N0cUJ5WpSC!4|>Ga2nlB=4<7AZPr(pYe#8rMOo!G%6+z*Z7H4_?LLQ@yDLz!Q01DXZl;7)vFYDxT*x^N z^X=u38Ljxcl!3{#@-~F@;0FpInf{Zh$x1*;+g^*g)QzFY%cIUX-la9i$Jb`++5|oW 
zvC921W~?6V)tUACA5^k#0-n1>^79^Cw|HX9wu5tfH-QMRuIQhgICBR9UnB{Dc@1s_EfeVSkl?NNU?TX*f>`lzL;C#q04gr5l?rdYTSi`Y-=J|Z8 z$UcfusVr#;KaC~_yHX)QgP<+}$vNio8`3&?70fPP=a|A>^zP}@)_^+Hd!7RBI$;t9 z8C+sxWhx34apzRGSH@~dE!ib`uTErgCI80#Y#;Cp>h{`zD+I{-87SI{EF9{0?Kbu9 zEXL*Al4y=GJE!0-i3FtqY%_P;cF6o}$1z@m>XO?us@}s|JJ%|59Q<5BUd`~czt}x?qON9+;Yr zXz(F77reKNf9Pmu8m#pPrKZ$T>#{)^2f%N8VjOrc?0?@+cCzUl3O=9#7||gpAh}AF zIo83t-PpLBs_G`$o@f2rDNFk;GsMuF6X0w|r<2Wz;U^s&?sV~v1J>lc{_LXy&Eu)n zUFp&f)THQ99}=nD4fIJ@c#RS9SkF((?NWjFbOLM}&n|nUbH_yKzR&29681V%S>g^@ z`As$Pwj@eQInP)8nRU;ux)2mMa%lPLl(GPi%)*SW=g`9sHgZu(9Mn%y7Is^A+okwN z?9MaXH88Eb`N=oNR2a+BHT#^YWV}kX)FQ~p)6KXaiFKxpI|FmIwS1)%ZKcd!ljpM< zv!kuQ@!BMuG!kF}i%}fZ3I!i(kp_UJSR?oJ6L!Y0$q{}eXQyPT^wyv8|LOg+w~C3s6`#eYTUBQR{GpL zR%YQPHH22c3q&yEi#_|RTmDPvPV@r*+UjUv7UyFjh~}m{3MeFCv3*YnVsZO2D(@8x ziV&2Nl42eQq=^|r!&zHz_}n-Wqcr_|FLrv58z+WQH;{rItHBW6J2m#)RbJ`kfl|pNm#p}y~u#L85|K_2k+KHPe37;2a=F@MR#`DL~mCW<3Cn|C? zF0gavQ6BWWf>tz220BFG7#Pne0$82nq99aNCEspU|x;) zdYFf;Td6U)V0_VItrrMbEm3%bOAwzJK{x${XCYHhZz&~JOm z1K1Tlg2ZE31)itrDDdl*#Ff1^7p+z;yx=UB5ml}}!9c60emNBI&j>rjmu3YwhkxWp zNs7BQu^Qz9IXVp~Wob?n$eLv13q!pZ56d<|h%9gv|i zw)V#Ka0{CDZ%(3xb1(F~uHU{{(Zg;&dX$vh&s(;H;;6unq&_E+?b)3fdHWEeaH2vnEI7N+jJK5dCpwlqj&8Gs)GG1t%fsc&+ig@;!!N{`dwE zMT_qXK6oudt+)Sh#e3g9ohls6A*2rYxYbG@EGUMYj@G`IqMUaIbtA3_2zZ4OlPvr; z$ujz}-ocbL;ADZY%D#Bj4HlnDwCU*&w(1H757eG&A9CxeH0bQd|Qc+b!a)ik_*y?>pxv<7NVO1}E_hgn7O81<6 z7x?Ip;$u(?fjy^a&mw>%I<^DonfX9aSO&86(l8IZQ685!Ne&%{eIb4o{N=WjIq} zJ-9cI`+lx;l}pC=14y-bso0Mw5q9HTXr7DJ8?wL3jyhY(SPi5QhlF){6?hyeImDI; z4i5&DOt^RX3tEn*R5)0xQ7oCb!D(`egto*56PsB=V8*ysUv)yqSn=79xS;b<#aZA> znXJGrYQxy;jRTOm=#R%P)=@SVXX=43o6ULfa%!_nLyY!%pBwm^<+mjBK;SdW<;Ndh z{xJRC45iFZMrgj4B>O)3{x{bgem1Ah-P@e_Nel- zboDbGlUfNQCBhS#QZ04h*2(W?d7XR`q8cZ9?NK>56o@Wbbgh24vZ7pdIB?s-Y;do_dYNkDX<{-liK*sal6 zj7>eg&c?k5(ch@?%Y&c)Bj$_MNhw;d%Uvm~fdo?~7H;Pm-=$f**ay~G$0bofw5^&_ z!G?kgF016)hYj{-VxX7Em3JRWk@DXltPNRbD7~z06TSS+lKJZaIHM7G%(s$R%>7-j z44eP}6-cSB=cPVAdW`=0?9rm;Fbt3de7_l-+=qi=P{B4RVYETZ^Fh5`Qp~pp55;aD 
zKp2|KS|OEJXVp#(U=|upHuR|gRp`&Xj^^OkB>^&23NK9--|h?FWByo4>m$)9`NUc3 zk_+>YwWk3&J-`gbi<{)0oc$~-P_T5ZG2mV2D_g`p#bq605riGZQ3W_Lm1Z*ffMw%- zd1je}MCM>JeT6nfNkB&BJq%5K0@(X6qbkMUg&7ZouGec)<&fVxYHu~`GwU+;`W zi9<~Wpe8bZKJXUP2W_cw;-<%!mL`MB+fI#h=>ub2k~1MF@?DJO(SDz)n4LDXo$eB~ zwO(9YAAMHVWDnVyJsUMaSM$&L)(VKA?Da=Sj-+RmHQgXOyN72#=SoTR8zF!VrZA9u zF>aAz?U6ybU(uvHR-vDM@`)UBG0Ye6nDmF%kr9>sFM!DgP9ck3QqG7ct-5L=N8{-> z4p3T>5S7fthbYBpvg*vn7Z&Jdi<1;&u7BpBiVm!vi3>e@p5L$|Ws@muzgZY$6pI6= z#5gFtAJ-z1@Gnast3y=d`R1%<0X*GFAr;8yw8L#1;;+q8`cu>b?spPJ7xZhLizd*9-w+Ji;L>tz-G5k|C-4&UBCfLEfO35kIqE? zI}~E_{x4PjrOIDR^^YpxXF2~DEB|j`Wjky9u)`YNukI-#NGUI(Jjvp+XPHQ13}BVW zke-oUWPl&w(=V6}84#=fz13tADJxK&Yztk9!SlU2`ZEl_EDRROmTQNw|T2O{$q;a#Us3WIb*pWw3rf!E>z{8$(6ob zhs);^(BmW*bzaIMxoy9?-KF9TPT6D!a_}=qn)58F?4JAqQ-^6 zCeu$V<&T&VJGB6iw+n3tvpB0gi4J8Cl!CDB@d_C%&>;H8KE!E zX(%MCD#hmW!)u@J$a0*viD@69zKcZc#&_(4w$cFQv&3yuzFG|B)WCL(WmVqiX-~5h zZop8jg~8Yp3*nmB$9!`23KuIe~5I-Y;*V zByTbBV>fV{T&r~Tv-k$OiznJG5CyP(J7f7mR=@4STmld7cYaML*nb(A1Z&=7!Ec}a z@K7E{0W|&}`iSso@k`mWtM$I0&j;?9p0*cXg0lSD%AwqA=4;3zmym_J$s==XjI#7 z`Fn7c_iUHV+R)ka6*4XQKrdy>A-iOaQ5AkE&V}r$ec(9Wn#?feaB7F}j1tg9t^jEp zTtl{%Gu`*4xn!>rO2T$n`&%7YBWrVy$cVs4gfB<>-k(?d(;h4jCy#a-i!jACpsU{& zq<#nMHMZzZ~Q&ja(IJa=K2GPaCr(8RO1v!EGWAN!5K_e@7VVpFbKl-b1# z)Iv=3Z+-!W(x zg_^j$x|Cvc7Ybgayf6oIzN+4li~YAvOlvz@tHwH7U$h67wds0IuDwXqsNP>(esHIF z-JjS61LGKCa6a;Nwt$&V*x21nmql&wP~jAjv~nt3&K=y&ozb%(JxStsF9F+WAApu> z4{j{)$jP?}{rvERi(id?Zu?p#x=P%U81PCjp?YDw9>)Xd^!$ZrVlLGm$oc0Av0s09 zvNa(skU*Fnq|7tc0(01(zC*!A9sQA=@#6V2H_wwF%j;5c^7IcBk5^%7&(6rRlK0HF zG<425Zf@-m%9|#Lu!kSZF0jkF7%jVryZ78iHz2^*a}3B|LccUMGma#sd% zn*`j@K-AdKK(pb@1c3mnmfrAel19Tya9eX_X4O7G?)2hS#V}rcLoEl)b8)jNd*It% z@B6u%+@YMMYAM}Zs7E;w@Hm2(2dDQ*#~PQdM&z1EcR_tA(IxpWIDUnT$ri;Xl7J(q ztYQNpn>Cj#4xF?vhbPCnPh0hw4}GtVcElIZmID+gb%7{P$&n_dg~UHr)LaG}suL#W zZ>j(7N&jyRm}HX87tdsR<0>M=_)$ol|voMl~%k4*q3+K1D{>wu-6;RTrX-|C;5#;V@`2YSBl$^Wr zPqg2LvJh6Qy|-@?lUj@Qm>1hbY|KkczW;Ezf9bh`U)&aWUAurt zLfto$>-{a#hB)}G%-7pBK27+@--2qKx(#uPE+{arj?`k}rOTjGcO-XxaoI~U@7*Z8 
z5%Xvrho65XewrwGzYmGjuG%Pji6H$ z?;x<);EcZ`BKJjLS*4uwspSKhxDr?1m7(A5cXMl-Y@QwB^}Dv+N-~X7=-1s@9EnZP zHd!AyUHVo1IWal=T7{a6whz?-}Qm}=(eFYcIE%D_oZP?p4-|5ai9uV zZMA@a76AtY1!N}C(t^k+pool$5FkKACK(b$tk^1`GLHe7$H}UEh!Mj|)iN_nGds*1hhv9s|oyEc7Qo`LFNgzAOZV zoTB9a(LnxdbHsfA4KSdm&fX=z^`-v9z0;Eeco|J~$sZ}={r5}r&rS5=0x%%8XS?ZI zpE^^2<-1~H z*7_I;pL8_;1sr~zGM?+y%1bHSb$c~Q-Ko2Rv%Wc>xc2L`LCiL51A6_Vi{CGq;~9jr zW!t0-S0-%(d4!je21~q<42Qo4RCCDoj-3iokqfk-p=V0w%K^8;Ou1q?5sPI9weYQ< z2wnBQyqZ}rU;40Zs^454-VKm#ldS;n)PiTU1>HGh_Sc+*7ja@5dm|AT7zMi;2i|;l zQc{0DFUuOlnK4-Jdw29>)DM76-@8NZdZoPa0~C`Hv{dfsCpv!peqwi<9tF6v*^9-Br)6{CFt( z7flz>1ejfHV3_@1J0pLzp2FX_iwM2-_Jh{Le`|K(!eTy3qrrcXdLKp3k8an0eXAFD zx2F!bx`ofCm@bXfOn>+_rizsUZS?*M3(dWM@t823rc}V3uJdFJ47~a4+3qhgN9l8B zk{Ia}y;Osb&X=lROpZuqnoH;?V*+@vVEXPhN!|CRVD8)4RG^nWJ62(HDqbr5jd8Wx zNQnyjFRlN2bc~SsxCDgjkrwx~%oXy~Q%PAunec8aBi5h}LjYmy`RKgAfQd<}epQ2W zk%R|ujGlYti$UeDdG$wGl-0Y~rGx+ty+;ShC z`%r*xVNXUn{3kZWy)!}X{I(z^d5&VS-L?hgPH z4cX-t^ieqbt6T5xXO^Cyuywzi|4+@xX=7k4nqqZ-k-hxHXn=Os8h`n4ee^rh^8wQ= zeQ)&d-RyAqoSpQ4x+8wOjy*PjS>Ds(_qTi=pdzbm&tF}`-#-7JpZZ_;_{}>0KZB2@ z^D&fW&#;-i0tLRer+Dvp;KsW+nByJDk!eCO4O^L=a9(?aAnGO0lAT8;|^b|KyZPPS9{`dbn9+7ra?QP+wJB6fk4CmCX z`TV%aGbiFsUa8#J`gcqAX`H(1C!~_dUxi_TVSTOm0=N*ULi3Rqu1gq{y0nDSCHS|I z|3mwwdPPXEvbqgm0O0T0l`O5rK#Whzvx|CwE_pqhYJeOCJ)K~%jCa&|@#yfDfui>Q@56_!GKH98^7+xd%n^^oHs6^YS3dojKYq)<{$?d_n-s8cS*Cib088<2 zkHde@?F+{CU;XZM=dbg^_9R^X=z!AW+hYJv-+GHwD%P#)OZks-T#X=*=gRt1cdp?M{E>_ z1yAT#nIE*XZp(99*8KSP?1^s|Ih%13)w(**TW(=|05;^E0f5_R4PWRlVh@M7{ec0cU84Ux=P$O0ZucG@Xk-mLsaG=E z{#x+=;)Pg(;p!WzdgUSfsgI88Krz5cXp(RLtt&wHjtGfoc21k(pW^9%59Sj;>=s_Y zE!uXg_HVt+k}!S4>z#c1*Oud-DE`|+6tn#V;Ni!(>W==kz4Y-tDz+}nQ@|mNHy=GB zAAj^8mZ@FzD}a+Yr=IQiw`P|oB;>JmVK@JdQ|cZAc>2zH2d&V5Yj)wnv=(L5;Li=g zznQcb=e8@0dAkZZ3BimCSkF5q_t9UQqN{`dID*~_+k$_2ZgOk&qfZ(!7u`9do8}s^ zU?;S1b$D{g3{z+=K$|NsQTl6r#xNoT{Lzp8VP$*VVpQg5V7J{zvg@kJ$2M%t=x)_hU)3u}r&yQ_ofOG*lWmy%6J0_KNAU&F zfp4dZPMiW_1MYdaSI)l|u~wjPiqFFdcqyI}2~9tJ~eMLNX@c+mpJPc6&M&;>4w 
zhN*VKEax^^!Ug81JefcPKj&wf(+vU_H^_JH(O;DktMeJ-d{%Z2Y4boMf1RuVJ`v}s zOsK;*KQgJpd?Jhpb#wO_WgRaF#r<3U!X32x=&koWieM`i$Et#zvIgx>zcX?@j=u5A zZS&PBrXEF;;MB{6Ga@O?kJOsIS%6k$x}LwZsWzyA&)Q%;U%IYfs{e=9Y-v`w8H)YGI8KJ%1Zw~8rViQk#W4|slh9jUwmoNc+2cWpdV)kPe#iP zF4Oq2^7dYxhF-^X>&B8lTQpeYaW*sWj&EgxX^zC^iJp2Ur~FiItN(aopd$jenu4ly zou`B_XUpMJ+Z3*nBt!eCv}8Lg$GyaA5QR<^%Xf|X@X7!ZQ;kmqZ*5e0-K&=Qly}m8 zGsZ0bmn5B<`=9ibfH>$i!S}2hRot1gj={A(@9_&`eY?BAbuJT{DzW`1!_9Y66yRdf zS~;cDx4O(!a_Y}g1t)Qaj+IbJ;K0ev%B#K#CHMcZ@9JimHGHuY zba;~*y+sw6-SuiKccnf$$FBzNX#hw3u-X*qpwz+je6T#kpRBl2)m*X}K&-167dUZQ zyXisqG64HNgqi#+pL%nvg9X z-o=Db1)q1tPukxLB~|;!j_p4k_3np*uC=#_7kkBfqGO^+Z6D%cQ9Y5sL52|o$FJpbgcyN+(u_$ej@R(m->><++j&YVNHjCl;;Pw5vD`J|L*vCMhaLHo6 zKX$t8i|b#=EDhMHDf(6;h>?>)<2K5!o9_?8MilffW&;3Vn)U!YMAt)0{NQ*`I8!G0FzA?E!T_7snyZI8l`7&uN8@qTJ)r=L(%=!ZJeFl{gmpdw4d_mccAtG~$ z(e0|AchhT*2wx6@^4@NQ`P)z4ytySq)$inJ05S09@LjlEaBrR%(oZeq z?S8Lk7IK|Ixy)=b(`m6bfyU;MaeQ)v-4LD>(;d(>n;N_SFaZ0e0d7E;ydLWQ^QC*@ zKlzXvwq+09%>;5UI}KvhIwjOnq<8I~Nfjv@TU!N%`zG4O-U@}dR~On5H93wr1bHe*k+1# z30_a$s78*wlt=SR3lhdA??YH%8;Dyp~U;>yYw0|Y0_ zg1H(*FO* ziRumU!+WJl@CT%$^}Qt-%^gtK~+}8%S!XZD|Q7nISyx*xZrWp7_WegK#d% zH;I;`RSX>{sVe~`w(QWGYlK*3l`K-!DoC|1S13|)VdD*D33R@0^<#;NxaodttXG62 z%ek0&4M)?^?SS!zVLAPnm#(3so~HJw{8kd94r`H+8Lmh6T!{s8R6#!Q;hD%9d5>d6 zV^Sf|ZW^?Z7*X9j7&zZ(=Tgy3{K~;O@H-?XN(vMHbyzPSYm9`BR%_QRG`g*?t=70E;SfC;0tQ~LYLMLZ*SFPZ$#-4iP2k3sLAZ?Be%`> zi)H%v9*>0`Ic2>q5J{QEr&(VchD|fE`!Bc$N?#BAR&fUJwzZlC?aYR!X_{7xDjoBm zO~bAgU1kNjBH67}|4jdvx3Y5C`?vRxxae=n4X7Edk9c5uzugKt`L{-wg{ME=Om{$teV^!&b)60FEXCD+Gj;b(A>?*qxV_N*6pm4I1qxRr+p}%AbnKi(ZFBqt~B5 zQoA;>JW$L7!iaEYX>l|5G-AYUHRXCyz`_od!dg|yWxt6{;>0W95u)hi^a*)!okE-3Kd zD#+<12Z(Qs-d-PtxapLu`89ii*+Jm2Na;e@%V1i=gX-%>iT!ggG;pjSRwa@-=0*#3 znM`vh`$Mt=U%$Q-TO%PCt?yY1?zIW`$AsgZCTp>X+}^_vKB$Ex(JnsuFxKn_C$Q96 zEhMY2>E#C|cD7jjn0m^h?^;}B>(s^<=wLzj!= z79RorH{0zk4ApW6JD)Kwu~x!gqi2s&Ga;@uBdneZDmaTYo&{KbI~_K0 zOXxwjh^{=yJrbU(vI`X!`C2nK&?yp^7}B3!9Jp@XTCI@41dFOYTE6sVx95 zP{p%)+cfPDfOw-sL=^!79YNX+D^-PNZShNMGw4{MOVtaTfXt6xCdEfuwsbU#sKhPD 
z=C2h;AQD@Y2aJeYyzpZRsh?1u#Jp0zHFd+_9VZy;Q@<#iG`6YaT__h==Yj#ZS(~Oo zz`Rk+V9>>veOZ%h#k55TifKJnUQw<8Tw8aTq%X6!iKoBsxfG68MUjfJlJTop-H`Pj zN671YzAkR~hi~`ayUFf(T4KclGUhIqnf7ialhEq{PZ@;%^DBi5Vh}VWogPgMLr@2U z#eCBkKeCIGCJQ0n(vDGGxw@&plQ*{C*n3R#8>?Mocs-Sofbt;gmDhH;tH}g@Xqgi& ztq8CRX1S|j(d;lNFE1~YJlK|ew=!v8)PR}-8+2Y;fj@7WD1A{UD@n#=ga>Cr0dtSoZlqG*A)tEGRb5Tk>N z)yT4_**l#|-eKkF=QH#aRMhMT@zxA0?CnVuf>mLCC?z1ZB-?AQ71WlIu9SDWjww+z zP-2ip>>2>#sqp?rXwKSxE!m2F>H0@(fXl&xVAd(ijeP12m+pC+TVDNEqpCD(Ig)ES zGpGE}Y^F+18%H&x+Oit97;KtCGIYSV)nZQxjET!)W|DH6q{isnqEoAdNmgUmFxF#r z$2~F}Yl|K&yl1$6iT7{1(D0ciLUQJ-%5q(wX!b_4)Aro1A8^;Uo zVG5;A7>X?FxIn3NGr0^~@;+Vrv31n@{Vn&-^EPKUS1shzh8v;%CDcz4lRy_IIKX)g zU^1Df)Ug}y&2mh*vB_^+RC;VjP!u;%nh7?m+nbyQ`EIy>FUaSYG5)M!&Q2lQ05I~w zH@}uS)gm7_RDPL#^Cq=_!NbXA7+aj=s-LqacW%u851RbBw04^pua3kWs`VJ$69Hd# z`|y*4-toR>);PP}G0OEVM%A5o?nXz^|OE5~W zFE(akEj=yLyR9A6f`ho2aXwU*Ip>D0p=?Hz|-I-G$2Eaw^6huE2R9Jjv zPtJ8~Q#K~1gc|(LxBI_-Jy2@!SWYe|!feDhYa}t2`PE;*Z9Kv?D)F{R0ENtIXO`ms*eCT!#tPPaQvK9XU1- zV6gf|5u-v7D?(GBo^N+uxp#2sio3Pw^|*VB@3Y(M0QsYzX;)|FHPB+9NA6T}kD)`F zMB6Z5-R`3G?YUPY^SNuphevL$N7$5O6&u2rZSyZT zj6Z1%-=a~!I(cR3Sceyh8WhcdIA(M#7e_EGzY2C>P}Z-dKs9_`ca8_mW?w;fP>pAg zkt)P0C!W=2wI)-$RzZoLxDfI0kc*>fd{e%K&Xe%+h~aDp1Q{|VbV6cLKx}3fJC61* zZmJ$Ffon$tESOWSd)-#+#i_abkej^=O6uWV)sZ@y=X<}Gj-1m(HtDgyg{H>b;c4h< zy=XsPl6^a}O^VE?zUTM(<;2NH%#Sc0TvPMNj*&_`<%CuwKAlk^{s{8cz-!8Sg)2|~ zgA<`VYU&mL94sV@y4E>AT8cV3VZ^G_BB$o=6h4OFkOBOGXgs_vXuYS|uT=GMW?OKn zszpfRoGxoLWazTPtfS767uYDuOqMv*PZGCQuJh_g}A=WMALg3hjPWGoN23132 zawLvFlDqDf9W8_MEr1zq3CXA`ty>dh?Qe^&2bP=AwPuR;pSM&&`P``zNnE)9Bth0k z*L>SGeXqhx5PM^{1QKza^YcOMEjzUJOD}1cFcw(A1gpaaB8Tg8Ln0|tqjQjP-qlS4 zWs`9Kb){B0n5svV9!(#jDlVXaz&X;Vy{E}PBf#}`^{dEmBV^(J0*^$aP^h#KJHa=7 zwvN*kcw0hP`Bvm})hh1c3?{g-sQ{MlpE#g%tE8Z#G~u96VJnbNQqi(afNlgZ?PV_~ zl?Y{ZPNpe|naJA&<@n7lz+VcrJf$<;3mt5b4IB4eJr|cLUXViyve4tMm4Msy6?>^s zx7B>y8TjzXP3K3ZMvIr62Hts&hm>|Q+&VKbon;&|&LM|t-Wm^@T$`bBS}iBI*G!N1 zS_gZkjQOoTbVx&ES>Akd;H_fL&1YBINI`DNk{TFRF&t|Oucp@d3>4?guBCeY 
zDp>bP!*I%dEG~PI`83}8*v(Ok<*rNVSV`PdUyHw1UErjCcXa>^bKD~7P#s^ zn@HyQI;*tido*|kHWOJ(cBXf503)ePQ2QWs*-K}XI-$6iyy=pc;|H-TKU}7>hwTx@ z#NK@9WNJplcA*f41HxNY%pyswHk)8<}4 zbpWj`NYWE$H+C28CjjUh{zKbT9V%ShHp?EC;*QhKxzh@CSHsTfAf|P!5`6+2)lp?C z<}%X=`3n&9<4`j1Gr~B=IM?|6OQnbN#lwdea)HRvfUEUrqPaG};q*vptAxagwl7(g z*mjMX*>RP}D>jt!vQL~uT325deaQ>Pw;{eW3RrzBC6+~7c?Y1~>fGpBo-;}X^x;RR zF(^{wH2M4@SAS>*G7l*YKvM#yGMekKsBzSOuRE4l6qdUphhgBvXD6JB{|tm&ZlJ5917WUYIvBcOs$J zu}f?@mL8{R{`n*2C?a*UyQk2>zH{bOr`lXtJ=<9HC#TLfY`0E%P@bcBhMglbcBv+A zHR~;m_n=SAKKboQ#>pJr1coWx(%9UmZ%nT_jC|K+z$)(&(p7YM87J7<_CV%7G(wsX z6eg3`KSfbcFZhlmseINg+|uK+&)sV}TD8H$B}cR+`aCI4!XP>!J6ucR85JmsEZ~`p z7CuF0+xav`+lb#F+nPMU2I$8JfhU6A<9zl;^2ii~GsVU+F^g&C;bgKDAgc&H(Poa8 zYxWuiNqjgv(JZi0^fVFO!s9maA#jz)&DO4uKE!rEESHUV2?EnWXP{sgML0nJ%bOG&SwiVBN*QTNTgc9WTJ-P7Zp%V zbMQUgVx8W=?$V#()GD(smGlz@Qta8{fU5&tyZG?%4T^vlt#J0s%@p{+rIWaD@S;54 zyKQy@%4>xncP>BjsAUMLm7Icu5RN@~!Qxql1aCFt_50+qb(#2!P-kqdb+_Nb<}LFD zRqgAkzi78z;=Iv53uEP~E;Pt3jonmkQ;6^yj=wEI=6TKM_5?lGdIpY|ejT4AicGR1 z3|Js*jETdUsLTL4E?UK84#HWNn7z)MdhkNx3!StWez>7tC;2cxJ%}8?~_F`i{!7{ z!oBa^;5PSNV*OC3hYO|De_xMef}$}}LlS$o53cc+!n*du^SB{ znO$sQw-e8^yZovFEK`QJb(iK9%;0)9(6xg`^v@qyPF!C6lBd6+jSO5MLE3A@oYq<3 z5F1>mU>z>n6VXz5c{yGkL#F@8)+1uaRr1Q)s#%SwJFiY^9~~*HqCRpmF!r86!{aaS zxD8FC6WE?p&14?)M+V+?y*6udH5F3{W8P*@gfV^895y?pOHzm%0>E*TDy)#YR1CQta3*RrY!Zd88dp#uRM-l7P9G>2W#sM zvuLn^G6`w{`cQ6_m`3%*avcwu4s{IEOPJRZG_T(p(6{qf_$RH^D7 z!k9twR_@i*%{@78jC2nwVxBhR)S1s z9+4y}LDM!aiZpF|T`hJrcQEm_fiG`V6&a9w`|(Vh*s&^I zz*Q|d zSUu7{Kb`#jSF(`K3<@WQqSxU3sDk%drJv3ORBIrzk?^vQ7ra+jNSQ1d?2z!!g4*k! 
zx8TWGhEV33XGSmShgkZmT4B3G9FdWM$JFVyVgYIHUCD7S1-nTs&Ev5(r{XuQ=S|a5 zK7?7CMRizijd*=luV$ngGreBJqg`mPSOvLR4Thkl>r!OUm(E}pL17ZJ_1y#6RH>A> zKx&G{C`z3acugdtNn!uF(dFo$#Z@eJJ?Uxg7k{6;Fs`VVXh?G7bUU~TXh7!I0HWYM zkh{Rk;Id|C7ObPWbiT#z3_>l@bm3uRMS+`38Wg0}e~0lTAut5ls!W^}Y)kUG>5VC4 z@E{lU^VZ~E*V0R^zA=`A_SXcIDw-P=|IXf=c8ST?kL!7+T_2sA)*LThaj~tt5Z6JL zFdg6x>jKI3%IS z|7I7^dbwp2aEhIBMQH0+5JA~{o((B50uv+0?>DD}@`+nZ#DIkyJarcSnO6(3l$ILP zF-GUIjYDqeg?hzV%4-_XfIBX6L0)eW6r&G%vD2)D)b`pAjSL!jXQwB{Hmn}{pbyAK zAb^xM#>bm8dF_hmn;qL`e_|GLyR^>*l^&9dT&i)}e@i!~HBsjDEqz`uOS{O=QlE6l zqjU+=*=y7XRv~9RsPo^k<;U*gY3l~6bzgOYIo`|D0f0%*bx|GK7M=^9&CR?Ozwc@m z-HSOu5+s<@gt^f<#FH2V&u>5-Po2S`WUcNllv3XgnLD1~}; z*6UI1*3tBE@AkWu#1Bb{XbHs*x_=hS9&jQcur|q|&a{rSu*c1D!U{t<|H*5eTRa01 zv=6BZ)?y8(I8EG{j^}JCw9bVnpgx{Q1*)m;#E5t7n$~Futrpu?->2hRlwX+eel*PY zf`_e)hsoIhiP@7PdE$GeuaVR$I-qt%E;7X86jzzg@ZJR&%b^#fx$Dgg)9v9!UmW+T zj}PED%PbEkJMxxku~8b^oN@mB7ZjI)i*`ek-zKLu(5A17CM9H0M2R6XVHrPZBa^{t2-Pa1bsB9map_Es6N|KB8wOF$Qy1V9snBss~NC zzPBnQDuYdA7zVFr9d(m2GamDf!_g$k_&cs%ZbmmsxAod|W?stKOVj&p@ly=n^l*q0 zf7GHx?F9ugNZn$P2lXCvoxpe=uA?q`(bR;lx!B0`BdZ4G{$)!A5*Z~3%TN!4g(oNXEy z(&0SNlxR9zv}X-nCh?htqd&1itk$ZOxfJ^za_zNH2wv8D^Rwa!KdKHTqxX9)&ow#Ne;E8FMthct`(98ya(ks%-y*C<)B+-E)*Q<{81lo z{CuIK;8(J2%%r>7+GpvSL%+O%`Hj`29j~+k+E#v0A5Z>5C#eMc6y(#Zm0mOFF%A{Y z=uaOEuoJC7W8Z&;YAkC$`q`QDFnXx?>TyK_SY^((eZLG;TSqL|4D>dp^~xxv(=I9P zy-6x<))Or3SoRbM#a2mPy%q&9X_56gt#wE-S_-ieOB?ezsy@(kU^E~Maq;j(CIW{& zq8-kF81mj9#5Fc+52rG@C54xwy#~WgOJ!6J@Y*Hr)HFVMfO19)MRo| z9TCJE)3PsldzQo&Qg&zjAtlN0gp{wpQK%&EMZft*F3@%LS(;zZy0oX^Y;#-mgWe-#G;lkQO-SY7XI-n4h+}Rwa6Zi~8s5ez3Bna`b8aFjCzA>Xi2Y;aV#CyPm?8Sv ziy$8I@scz05j-}m+e>^Ou9~8PjLY5cDaIvl;iEa~vi&|ss8>YgNvtccJSQHxu01~v z+4=ZV8^rv@IKY+v+^iPvgEt1T!L!nh&k;KdJxuholOf%Okp`a6XTpBIEBY$@+a|NI zKu#Nl*Cq?4K3-x1dLa1EsstcGR;V)=?(SUjWJxm#>HJ8{2+iA*^6EA}5#P+&GEWa3)z(B0_qx+r7o@!zEq>(Gq^RDuXRCt&Bwk9!eHaue-sMETbewI5EGf)E zYQ%bNS=U0f`}3c+nR8pb!Y?4kT93xt%Il;tv1OqqgtH8YCn3zA{vvag9ClOY^Anb1 z@Xk!FABI3U7(3U={d}xxj#T} 
zBct*5tWy3~_9;ZWA>=i(%n%oOZ?iX}AHOcG5(aMGf~Nf+wGTaSx4bk>KPO}ogvg7p7bAhmSyu!YHi zWmAg9x$k5P-^yd)$h*xlU#6J6XmzXeBCLZ@{&&A`5%^82tQ1awC4S^D{iKHzySCLS z*if*B$v)p#dPNol15_kt5*D7rSn(Ju@#mar@Yb|!_l3%xauM_S1{y7{GAxJ6t7ob% zJr*XgIu7?~B#jLb^v0Q!Y%JT!Q)>j^jM9y+J0$99?StOyUgWmUjhkH+C8Yn8UsxKYs4U;Q6IF9%AY*tITTRgnC{PV=}9=OWRn)PY;)EZmCF3 zwNitJ_ckD{R&Mu8>xWuKk2g14!sTj-VV93fsi283{Gvxa)8sDUPOdH;le1Db-1h8B zB+(1$=O$W;IzG!!zJ`X}&MiusE))lwS!rh3rXH_796e7-bJyL|)DCpHyC zPb#f69}1!hzz>#_G83_OPyzfI6v+Rec)y$^4(NNBQLdj1Eqd8Q=W~=4h8h@el7mik zJjatgBtj~?_%6(M|LjBf52Z6u#=U7dDYcq}JEEy;!b@$%V4auwFj*hV&5Fpu$cq!na!6vGBOtG2Rr@Xg9Y*pAp^yh z`@J4yS4Lp6>b<6P)W6Bh~BLHSaQcsP2J(ryXA+#w0^5(ZvDb|P#uA( zn;4i-XSDq72yU<@K-O3G>lF46t9~*m0##y=en+H#mW@BAapsx1a{Yc!-k!<~QXqJ` zd&FL|R(Yc5;pp%yG%J(u9u#yr&2cdrrqH}DtsA7qAS|F$5}1Ur^*(NtLZ`2{3y{9P zN6SkzCeLsNh&Nmy>T)M`6C;M}LM3tylP7aswS(I<8fSwOoydW8aDgCCHOuUpPht-U z@hP=<%*4U3{bok^GfR3Y=VTJO?x~;`N8%}Pj~g#ZSSpb|w($_8>&e0s1X%@cmk)F&9<6K-HyOvezZ zJ$p0Gz0y9dys#$noiR`H6wQEnGplDqr=C85+*%WxUjDoqubmNCb11r3_U8vO+>7S` zkKj(gJx_i4*|1|cO&9H8djDZv`_x*$ux_}?CY^a%-^M>ccDfEL^$Vd^u!$5fPx&i` zrw+M4Z>8iQlL=_mA+3w;j4*&mMtEH2XOm`XcHrii_H{paW%(gV>k#|ckQPEITl_QG z2xW=c*_gu&abjYb$q<1hf5O^$UCAcO;jm|K-A1K1)96ckM-rQDd+$nx|3dO@>xpWt zmohg0_2xty1KKY3p#&I@E0iAv0nY2BZ(ei@As2zXE7Rexm(T4rD#bW!`@jlY=8C9}K>+7759Xpq3Nc@ziEDZ$j zGe%djtU|KZ8wS%XcirmQDl_%LWS|)4FFK9jF7F!Av9_4T3J|QBIyfxXz`L3HcAe=* zp~|FmR4DJ+Oox6Lr-In22%Gk>Hk!+RbQZm)WGvcy2lkSh8Eq$!TBzotGedU}D;exT z=;9L81+n<= zX`{y#rp2C}Fc*0L%A%KsO*;|0C|yA>es`|{2})?~1Yn+cgI%fc3hxRDPe zAw(l9+MxEipDYG_Wa)03N4&9ZgiMVDB)nGXU#N8|$jGtGtRwpA{vJ2byd?;@rC9p` zmDz|CD~P`aP7akVJX7x`{@`o9=Y9%%Gx(inpGXyf0~}>Gc`Q%mpA}8wZJlIHRkYR{ z;&Y@W8hQeBk2F=PpAWItT`Vm?ryS0%>XeUMsx(PD#mVVAb0q#nLA8^pbDXG;%FSB| zpc$Fer#JRjHq%rJ;;0xcd05wlcNy2Kbo~@`MCsKzB_EVE7g$*-hx5r?PgYRZOEh*I zQ}5^N|lv@6@{yCUPkSo6-b zS!s?zPOyfe5BZILaAk(7c}XUM*S}$KM{+cv{51nqb*W(abpZv3g=CSe`Ea9E=Ye(bJVr}Sda zTfoI55bb$vIg7>hf>aXAn8b=T~@P%bTfTotaJmCxx8-S}&xM1D~24c~a}z`>s*D 
zs%!@nipg2#<%_g(x%t{vwh78ZIw|Y-%sSlZpxrD!K!|~luhjP*XtW{vgfVmSXlOM} zmLS}U%}NBaUbxd`@DubK{Bya}0Fy<%#%w|Gxn`v2Fayg>Kuz1cm!@F{c+4TQky@MQOQ0yu75iT5@u1$jQgOcv zd8REZKv0Y;c&t6H7GWa_E+(gIsD174tu-Q)tou2Beek}fmMznM!BV&8IA~813sA0k z+M1>XcKxCwam`0}Db{KcA*&PMoJz?I6>SzalOf|P<77)@U!>FQ1}acOJwzc8YX!it z*!l0($DBp)lh)-Dp2cZd%we>@ExDu{^HM#UgNIG#JZO(_h4(q9f&r#hRysZH^_ylG zd}84I6_#!gYpi!^xFn<3nZJt*_kecWG_gskl6uhYhRhY``GKrQMDf(c0W;G|#ON|Y zUPk1OzK_y;6{T9t3)Kz7MGaDiwR2EE(a!MEO$w_{{S!la&kY&qWXG#I@z5E@K*j6wE-BaF*aJ|D7p4QM~#RBRU$bh!-jy7)wVT(OH9zwPFXQ zLU&m}GI|a;Ex+Yd%f%O?i)nFVCeL0A3r3_HbOr$-aT^z*j1mu4 z)pjC}UbGAAH&7u6i3uo=n`k6G$P(sp8)4BrvT1Tekx~PQ`fCvZeCqO|6_B~^FTPE& zI8+SKx`VWx6mw~=Fg3^}Me|82d+ha3Ohq{7@Pk)h7?6QN8YNGU#2pWcC(6}L#n<3n z=B~AYr7lz{fVD|9|IESAyk!XPgSrC{l9BY~Y)TYah4_BUzgkzH)qFOr#Vr>FcRaRWu}hh#Sugi6eLKD7A0+|<$VKJcYOz~Zt`*@KeU(1FP4$1_@d^k7gXqEA?0La+@0opjGJ>8iM_DKmAKLa> zmCL!Uo5+V@_P?EcLw1%g&{j?S+%_OFMbetn_G|j&tSg4RT*Y2E-M5pyT;-vDe>(Z? zdldpVlS;Cg1OnU|#hmW35b0f0r(ofDZm6SR$&8v6yy%Bnps?k_xvWTDkU&*>@ur?u z)^`h^-8RkT(K&;o=Y_%pam@#NLe5>>nF!_o6J2VR!N{bw<;W*&umBS>uWf*?OV&R)5T)l^{m}z6U#g} zCDGiH%NgHS^^}IMI1e5ftfxU2?=JGV+zeurm;a8;@(z3Pa`?0?Wg|U5G^^PfE_YEq z)=eqz1JJx+A~QxD(jUsacd&IT71Um{<4cu0$2)m((Hn7>jairAdjkp6&aHFKw~6&W zZG1Y+`qlvJ?A22NMF@Y}bN)Vl&(++h2|Cca?`Dhdu_=A_ zyz`8QvkaK239f5Xf9a_`$WoeGNZoTz&(~`((8nrl;@9Bg4qe9P6cOXlws=`(wiSB% z#-d>Bz53P-f4R-mb8e~2#5KLQ2!^py4hX%M!G&P8ao$R12QikvT2Xrapev7SK%V{+Ms_>&#xq< zkozH%u&VVPE29BevDd{*Up*49yRVGm2)^$%5LxVkEx!{BxPt$BhJ7Y6yr&uxVBz6} z=|Y4nE0=0ej+<5N8EKx`?Y8lAxwbdj562W3d!GI=huFWA1|aPjrr>UU(M;rXv5o*b zYTBB;ChSA~vGDO~D^M(U?|}NtNj+x&-jG4RMEiT6ldMXfMmzTn_4NeX&C+7v=so^n zv?`2M=0bpXOOtczgTed^15>#It)rH^o>{zf@zI(9N)->HHWnRl&E-Ac>3nVIG+?gs zF!)7!xhBCzCBFXxy0EwoN%4n`eDp}j9v6{BlAw`!W zJePUFTPNZt@MG{Xwoj|olgY*hTcNzsRt7|WX~0)@2*@NiT}dOdNxusJdsuLz!BKT~ zf8Q~xRB%N43Otn_fmt_D);up6@&M1z=si^7fSSyezB_P)`71eO4GjZJg)C>ryXjl3 z<$Qx%D^jmoM48_ECW*Ql5h*dB2=VeKgqcJF?q;u39MFi%!DzJIvsHZRnW+?Ng+5b<>DdDs_m$ND#D!LvHd+U9w;sKQj@ zZYs{7H^|(xs=(9lzhoA9n-3E4!G%U>Wg(8IYUMKNQyo~ 
z=uDp^-%j?Rj@l!jp~`J@*Lv3@2vb{4(Y8C*+wUb$_=1w7yy_2K%k=~b0L*kk>Dp!c z<;xFNlPxa4e&Cf^$y1vF^uAK~wuXGRm7Xf`r>7M0<6)fKsvY5$6OoK9AQ5rLSfWs& zT)`@5Rd~WIL$b8nT9M_dYnpe~c?<$k>5ZUxUyuIv)V@3Q=gW)%Y2*SDW-M^XSTs=b zDIw%z4rMxO6Sp#5*T2Zq3-(l1{0GnVyYmECTad3sn<+&gP=94b#H1zUK7sr>)L z-Ft>LnXPTZBch_Hh@$i+cB&w~Dhd`55h3&4X*(CDNsY z&|8E+LJ>j;op0UjXV0_8!P&=myzj5qUmP=#+-0q6UF9rg1q(Ihdn=l3jN)GW;9Gei zc_B+zQmB#sB6rA}U=mO;?PIY6>gsc_2UOpKZ_=Z@M8!k_))_K!?Yfq?1-x1!V-j{{1=>2wk z11a1e3&mQWZEUn4Y;~eTc)Y~|gB4CsXCAzkTG%)aXzSScZ-T-p*JD=ao@ch4Y+VnG zU+mFSXw){g&|tu3ibr4!kP3y%N^ENDf5cS&PP`=#dOHnLc20d(l%Uo1`{k$x17vWN z|4jIz;t0f3*Ih?s&33ar^h$mo-*SA?r-P(OH&dP|BOGQdPi>~2j4>@JaK;uAuUA;? zwZvAfPXX5Ke}q^Om7q@lKuF~2c%eHDRU6)M=3{`#&|*ocS>NWgF};4M!N#DRa%AC7 zj5aN<{GqZgTn6uMS5dvY+*Sgk8=R?n^@qc5opY$d2<6|&UBM41y@|KIf9yg1*drTF zSzPj3b{NgWe?_V( z+RR0u!hdRVN|vp&cZNOyKEUfUr(0$RCiFd*4O zlI?P$(sxd&8Q%mXWE^QBMX(XsITFV8MocPuMmrg!VnD8wiXY9OQX*vU%-oJiFp}wW zLF60`=n-3msAusjL977bBFhi6wXI46tvayxI#*`P*Q)~t5({9IzSRK2COUF+53dy2 zcVPCF-Pkt~Y(30@op0@+HrLQnoot$Z=@5Ub-G9E2|Cl3vP-W&RQ%&vsbxdX9Z8x8qMZO40FZ_nVQEroSg|lO^`Lj2CE0+^JokQZkXk(;mQ0QJ>^X(?L~_Nq`$Tb` z0z=CwC(8Va@gg^8kwIy_ldYZ;*jT&RO(g{FGjdx+tS6V+HlhWp&333be8}z_mnLAF z5oR%OFuI901=_i0%5=X$7lp~P$lsb0{2Q#bORHyQL^9PcdZjeno|n5LL&&pGJ$ox} z+)1T65Dd=~*}g^v*s={*U%Wu~o@PAHmJp}W7TLI=)VMzeAtOxLdphAmj=0_Ap~(4m ze%a(3ua(n8^S0<=E%TU-OrieLN!t@Y77?o|W2bG(2kFz)tmt*WAyQx_g@Q~DzdL!q zE$ua(ID-!CdmR9_r{c=A>iVP(OLU^jQ^nN-%62OY~$ly$CasqgTrFQKrKCHH3fV--1S5b?mEtV^$yuj;*< zDGk@!b8IRH_o(Ci+FvDI5PW)mr)p8+;l6^X9Xoq3%&)nsl8{M)(*<``>fbbJ_wbp zMnA+FYsBqRq>=6@<#J|uw|HH{cFNAYw9Ges=sqSeCKTkT{;-=ydeQ2j$`NC3QmR^n z!ispl+ADFLlLux%Oy(RLmD87>j>uO`rqK93n|m)H)^GE9+1I+IV#bzygSBm5-J{SNq?0Dyk9}H%a1*CH zg}RhVJ(E0*Hsd4>dKJACy6nuc+A4Mf_Zkh8IQMe#UMF$3`qX{pRDM#D9MRaGd%O2& z9^iqV8cJy}>%F=v6Z^LOdn6%%UbNc*cb(V0A{#kGcu4TYl0X zJSZ70cdWLCk{vC;BqnLu`GIlow-efjCr(YSO>3S0kz~<`L9EnQmBPIhu6dI>^rsQC z)C3@N6VQUu`7paas6Kp^ty{dt`^0gc=PCq~MBzck=W3>f6wuJIFgIRbY%BVM@M&al zDqNr&wVt<0D}reII^SjA62tyj*u4=5_xi%EFn7wT(CadCQvL9aysE|CUfF}1$Vu*} 
zusf|GvZHnLefNoBndH*Jx^oV!rkN#*3>kQMS=i#|Js$58=fbk^@RV>_7BsD>xOkfV zxgsE0o9s*6h(}T3GI!L`4r_`;Zi`0QrsHZyggv7J^(z*FVm8R7d?-LQGEFj2LnAFu ze$rx%6Q*R+<*G85S3FRr!n>UK>ZvJ821q49=UZ3GvKfu{K(CH!cPtsq7O>F9Zzr%* z(JLCxl@2Cx`V{_%Rv^l@@p!Vim3M5<2Qre`tq55r`+z8Iz?;ksugovxT5!g{HUB0< zj_|rea^6>*$jZNTHjn>e37I36K)Sg1Tb-w#TV?6~mM>1Sy+0s{7_9804%y~p-QcEA zCm!4IKlQtd$C4YK&($I1HNy7CBM+st$&YQY$z^j-1p>@>b>@^wg5Io3oBd4X$N{+A zFbn)L$Gj!BdUTL0cq}1@&^m#tTBQr~_Z#x!o~%A|`tsyLmUW`}tC056m*P)Zye``- z&D?0CFV*xn%MJzH^&I@{`OdkJQk4)$=FOwSkyReF#Vh_<#Fsleb5>Fbbqxj1%GeO` z>M~hc#Ufn8NTpZ5CC6tylK#W7CquO%ay^p{zv!!^8a|iH-q4C`bg9}rn6Xh&`g{E! ziTc=rgAsob)EfSJIthCu^zx|b$V5Hzdy^5jOPhYp#N z(zN4uV>=z&-d&j+{2HE-w;~%`5dJdM3GEV+A94PM423V?$H$M=bf0NdG4E|hyXWX2IdDXB1ZEYc^ zk{3ureCcN!@8g8W;cn6z5-1NmavzEN&HH2jgqaDGLFzeL#)I9s}` z8GFAUCFcfu`o@s0;*`%9`MER$>04Yg^S>H#_+{~+O< zuAwU_C|%gW@Uinb!EfF0_hgV%hHyAZX9CiM2v7IE=O4z49*?&ntB$D&{=uaXH;VJ~Q?6`jpY;XMtm z*!9ILlipa&Ys#6@x!n%SN_@Dg?@%-5K~JIGED~_C3I(w{R{1xHsDN?sFn_%G;MP*?xVFY}@ofsA6Z5{bw+*9R|g+t8b1Dz8K;O zFTj5@57kYGH%BN>^7UYCo8vH`F^sB8c0to|6Hb+rW=P(;vULA%zV7_tguu$zyf*Oz zr{7IO#(BfY<1-F;%#jiD%RoS`E38OQxBJ=vxmt9NF>9FZz!0pJi9RA^G6+@~ksn2Fz`#4=;Z5*j!tt(xX}%amy=V217i#*gcZr?#&tm-pR7d z$?tN)dKKeVg3*QdvQ=7g@$0mth$0u=>epsfPDKUq_tP0&Jxy5Sl7K(~L`HUc8*yYt zb`K)kBVNPlRcl_U%LM`@ir01MYMtc?bN7Lri7?Exwft-{usJc7P$Hr6Wb8{kJE)YooAR#y?E9h*J!JTDLYXVA z*Cr-~H-|C%_J5pU5R zGU$aJD2(#NGh;M{gba7*Lkum zXxA20tJCDL2Ei1ICXzFo3)+q=55op>(;xZ=c63opng~UIkX}SFr7(K5xkm77ahQu zxw{I#-5kknoABv>2qdNIG5A%z!axnP$y$`62G`{Cw*MtZ8ICg1YC*-In+F@AZp2QO}Y2Tf`YYgsnkH zgY`>|Z6)?7UyJ8R+KhI-YT#|KH8a8p}owh&B5 zYhIo>gmThBaVN5lEG{J7APGe%6%6@5*ogLZv%S1l!8WtZ%z%cS#eOUGYx=dWeNE6l zE#+_f5>zYI_H~P9MK_>t8PEy-d>`Y;8$}93f$)hao6!U&ov78U2*jaOuDXoq5YpL+ zw)jgo)eXF}qZ?`Z^awl^8v6{mAW9wEsH z!}vlhjf~A)Jkf-DFFdH(*j$ZaU1mt09Wj*L3fFG@?D6-DfRf^;9hukFHsSk-sZq^H zjNMZ@o@Md?$@s;Y7S74;FLHzm*Xj+Q!L&Itmur8mm{vpJBL`usV%>Mp z5EIGMRk^w2gP=8=V7WnVGR6La?EGAQZ+MZ}a`Bz2JdndD`yW@)>T;}jm*iunPvM+d zV=|NB+GNW7@2eHlRFRr31cQm_@O1wMdLv{6I>>{Ia_#HQL10_kGf=TOcOf@TFXiT%TLiQ&X`| 
zq`52mmVG@}fkxBauRcKCV(p8y(43g{uu}8e z_K0n+wQdHuR3REu`N=<#B8Dy< z#;`fciz7KrNiL-WB@%%hL%h-H;?ar~#zcr+lr}4Pr_mp1><87KI%M&In~nn+%EALO z``Q%?VhC+b6fvc#Tx}^(fs5Hyw|ag|e{{CZVXQrRNa$QEE%tvUEPlF%Z_n@Fw-vs= z$8a2oKMaa%aSGoqHlF6+7~!9R$r!Ysd#FMqKfiC1t-=mhh{6e7V7>TS<6>li^RgU+ z4C`XjWXp^<_Z?S^3g#gHf;dH3s4^;3|sth(;0UC~}L=+i4v zDsH!BKXgn~R;n7XhWyZ1E;Kz=cUP{$aK|)!V;s(xMId#@tSsxe=a||Rx;%Q&zQ=*@ z*^ir^JXGJdv<%qJ>O6hbNPp2s$6AT$`1}xxM$b^9^xTH*rOW4MXrJy_ zap%>4Kobflyqg;RtY5Xd$eh9}2=#YoROjaA%H!wV*JGV%y-AHFlCmB>`Mo9Wx#8jA z%FX6C&Wp`yZ;t5B7Dx6OcXf~{=aRYmY)5K1YL~{x9hb|zOZ<{KwBtwp+BTV#>bf-) z!K)?$%B<_xCr7hzxKZDxfsr+9=XYBD*p%j!D%Vi;%9hc<_Ka3tZ^H!7E~6^l+#cyd zi?u$ZR&lJDMge&iqC^I7s@$1<>%KmrBOKTkbEdB;ukHCa+D6|A^0O!_wDn7s%bh=l z5@XZn;Myq!;{c|!<48L@(u+-%O!JhLwFk^%8QeE@__KTNh*EyGrI1hvf<&HH*QX^P zh&h}rvzZLpAA_4k(g#XE82bmvcVFJ9a4l9%0-Af47Z@g)y%f0;*=N^HfdX*r1qIj5 z381|~O=ekcuXWUh$U5bWz{(u@?Y|5<{>-Ya&q|zpyvM@Tz-r~k+K{Z`O!o-;Q+Reb z%auscXCHKyt)5z}lVOOJm6fz&P)cj_M|O9Jl+BHaqkJa;D!D4v2Fbeb*&EBj7?u0y zmo#9Vvb{C8a-E9$m@+iF&pr?VLLl+SE=CwmqK$^gW=`4UOqe%DJmR9aH@#_@N}5$B zhDv#bE;QHlcNx^>S9+!3@G`(f`aP;_SvN1&R0loXu>RG$^zN7EyeSyhsuG?CBp9}$ z$|WDCKB=7a2UE3;WTjk8a$6dk8@YAW#KBtTKnh39PGn+On&_MYe}r}9tm>TcbHe&n zms(Z-?;BwyNw(In^H^=(g-v>5;bp6OeDs|doeNHSD$#izWT&OTKY%N{+Hcn`U%Vre zENjr`{A!)$i?RS+o^Ex4dMY`dWLbo|K%Y0&85}PuR^WS5D_-jPzONvMI^Nu;7>7!y zO4nu%l6l6EvN3-%CD#x?gj!vKm>QMk3`Qwj#2ay7<|&@TIRm!{Ybi|z`~KBM0R#6n zi0YXL%M*7`h5%Ij{PnAsY2^I8YBfLp)llG7@H7$(foM9d~ZI3nMTAzd9me2Z>&bL9|+!zXhDkMRR+w8^O z_wG%}1I=6iLC{EEG`-h$1!;}AQVgm$%h7$GWAN*(o6A6|aDAZzfe;S|`ga@9mWuB` zUHJ85PaPHpbi!H{fI_UaXs(3+;#3tRoazVA+AfP@JNDpAbBHi-18d=7+wx{5FuQgS zy^rlT>-^J3E9lu7w+?MtPce(?0GxQ>T*xkftc2MWvj8nTZojNmrJuBX80$0yauiDB z15-*s?BT>12-n!`H34boT8J9sjy%kGoabf%E=B$1tqp(AjND0uKR46QKLp)YQ!DKJ z@n<-g-E#}j;O56EV_-s=ziMb7+-m;ima+Zo2Ro3ACuUTd%`0NA9L zw1TbbpX({;;mIH1kW0%k9{_Tdeio0Ua{6_3a4Nt0n&GQQ?H4(dZIcfu+^$-P-}ZE~ zJ}EJs8e?95a$RsyigqsHymei$-|95C1p}}c=ynH0JnyI+Xla*3w`$Ip4PxBGUUt3} z2@<+EY_Ul}RZY@SoAf7@UE{6E*x9QS6)Hg5aoCc1Z8>>!xfj6A>_09}_oaU+9&e5> 
z^#+tSMX~aUchwJ(F0^09M#fWdHQ7dmU9;W!*1lCC)}p(isn$T3)|12W%xb z&3Y@**q8mza8QoJv7Kcc^mvR^8IrKZvO+1%8nh)wRW=&KVQK1zy9xA`sFK=$lf&V(wqzNdG@SQtKADp}h)jasNkV5dRN8mLP{CMFaoksRXHueE?2J z4j=_lJSPTOrz$_G+#yz$tj6~WN<9?EW33lwU^NGS6}F(zyXTsk8dcz9);})vpgGYW zfJW6+NzOvIKmySTH^eaSS9_iE%m^7@fPjTXAJjh|1svZ#kJmu7YI?oNPNi@h3`5Bw z<&YewSOk&X+-GDQomcIb_`x!oYt`kEWQWhaK}4%^h@Zc|-FM+^;NRqUUACFf)?`2y(+=S z$an!)d&Yj}uQy7~n;LD|fzH>LU=K&$X?cM5o{B`=n?9)c`4PxZ%Rsbo?pKnnwX+Jy}el!?s<7F;>e-26}zDzX28B(7;${|1}>e@)7F-6M`}sbOhhjB zRNaUX8=zk26_4?3PE_=kIAb_N^>Jp*8fh}DzpzV+PFq-LDw}T*PR{g>GQ3haxKUq} zmzUSdenBT~2cDfF;`ORkQGFOq1_%H#Lhmtl8k^EYT3N&mw{&6zr70;WH#^K*z zanLcww5r1`YxRxd*nqo{I(;x2ozA}r$oxh8K&63&$)V&;2GigF?%)5VCYDKw)~Sa; zA5{jbfy^3Q-$3fft%ycbKqmjYUGdD^l2VR<-`4Vf=VF)WX^?k+{3CZNY8AdYEyemh z4C4VE@A!B-n{TC6RaL4v4dvxbHeFnFKy3&ZkS3TSG&-Z|oT-qUdvozazR=fdjJAyg zuh2dSH;_x-HR?(2Dy=St9EoN^emk>2*X&PxNc(?S> z#n0La4`kbcz}1lTKgN(7!##G%iF!GTk7ek6Fi|}f6tKgv1?C5diDT7134?TU-VAp{ z>y3v+qol66?z;N+G$vgc=G%3q=W6e76>;RpQnf@7V)}hS-&yH`k#n7sDrC1H_SGe% z#<|MPRwap{kTuRMCYgV4-w%6Rj}sgdLP0|MmXxlX#t=8#FhP|gk&8nKUX_@Vj-A_I zEQeH3<|Ir0tmB=&!76`}?0;r_|9;i~yLy81*}8%3MA1Nnw+_1NwZSXXL%6I}ZspB! 
zS*(27@w>F8`qRmkDdq4=|QTt zfryec_mu+-e0b&<*4NiV;sq*m>(4*=>*@UO3mE>5aWrhIS2omua&4q}5|7*}acjOG zyUHIJM+4-Ayxu~)*0lxgtPZ=@qyhi-Yp0bJoVv0HUR99%G`HCWH6zECn&E*RZmCUj zUTs&{X$J^(hI2oF=Yfe~o~f`E4ypx!*YEHHUPZ6{yDvdyF&&~dD{|$;8O|!?i$92l z0$pE9(sW;`j!C7D`{whb!d{=xh0t1-@p*yL>3Ml@<9#VDq7mNS-kPZ0-cUj9axc*L zW(qDdsU!mq)TpFLAU%~;g4Dfcl%VrTM)5R1WHYc*s6Jz11QRB{qBQhP(1FCEjI6(A zyoR1m(djS~aK!bcU5S5}bn-^@f-LnpqCq}Jv|$}sz`!+KomLc=2MYq^`NrgRRR~e7 zIi)!SxhP}eFemVntz zweYuVBjFvLg$z&d>aJIJ?t-P2Bv}fu29Bhw5RoUM{{J~%~&YPhUrYj5>5KO8bTBR^G=+|n{ zdVfGNj=qDSPQ}e$6&C1Xh&X$zwD%x^cz?Kk0-ErYv~>m-wUw1R@>GM` zX+5t6jNO=<#}j%sm-siWeV2_} z2-gKCT9%qyZ_wuxJhDA{Dz!DHp_BO;9uwO;m!)(JKi7;nNoaEhYNsP-AteET zelDNdLxF>?P}e_HRF=p0X(c`l>#~K`g`6D2%E&X9lM2@yI{sT%wrX3N>UxK&*=q*(#;l;S z457exN%kH3Ff-5I*~QMyAtnXDxZzhq_mqvvTw%&Hz9B!utoRva%s?iR}sVK+t+8mRLeU9%+)KA-chrY1ff@dr7o?0&k2 zGVAehj744|9&-pW0f9JQht-LYLkLEX9yYFkGpLa`Cs+63o_MRnLhmzQeye^B#QC~W z2vgne5zvUa?V?^q0^~|(QI4d#w3+_r=h4-bW1AOhlIUQTdagSZZH?v}jkSb!q< z5XTV$N1+lQsDUG9j_N&>YM{y_o|)6)?B4c2vZWYp20o3>sI0Oeb-oXzh7~&5$CJC z6m{fA9`zc=AX2mQ+K7*t*}Hn9`XjPnGvL|Ux+IMe!C8tPz|L253E_y$Nzgc%jT|+ouEF1HU zUMbDq|HnAhdE2nFb@siwXo;2eJf)t#5CkpdI`cP!4RO|}qte?MlenE=zEgYU?47O{ z<>M1agcS^SS}yxAE_#%Se!9dub6t2Y@nr;oS^tZ?jT{xQ?wsflwTj1~=PB^;tn_z;qy8m2gC`kVj4#%99bxOwwaAU^U9WkER!w169e%mj?2t zi4PtYN3GpfM#h+WT$_b-c9Ub&@34LqK{g&eMJ%86F{!Ff4ZN2cwb0Ted<;O=o@VD{ z3%BS5m5tfNLwemgInlnLR;`lHxm13f5cMD_|GKT{BX-(n$ADCC#?z|6)J<78+#~@p z;7Jf|+%Ys^y^mNNbMdoBbs`ut7yo9?SU)OzDbTlaw0zdL)xR7)9kxD41=UHXfns*9 zDF-e^2Q$mcsD;kR72WC7mdiAh>Xi(JUknd?%`fxjtld$^BriAFbw#@5dMBdRa41v5 z^2>_gDO4t9QPa(pp>AyZy_}EV++CfTGS}qbTW7RQeEUZ3y!5fL;~a@H4~cxlINk=r zJw_|)hFtnuW-zPXA+M|UG6pD-+Si%N@p^{-X7W$o%_uz?rNvRiN!JGn&L+E0QhCla z;*bKLFd)t62^u3;L%Oxa6274~At_&6MCb=>@8p4F5g#0lV2l;z<>ihexHD|%xdX>;ZXQ90rb&!g>o>~rS@n7J zH`JI2cOj8T_3Eh-uK7lnr!EI0>xhys*jrO($L1X6q#8c!EL54Y7MRD*dY`0h!Z~k; zAD;A8CmNoVAsj|`jN|gd1Y82m#S>mf==X68*10v~tW6Tt&;F1*AraSTU}4S5*Mw`B zZb?*hTBYo=Li9+6avw^Ce$zD4)FWO%6FTMj&;1ZOc-ha@pxP>@qE~zSSygvDx2xk*o$e< 
zc7Kw+0n06m+24g{4jnI_?W8IOmu zx)Ku;SHob1FD!g>n6jf<(TJQW|E5;k@%#r9qhCUvFs?L|b1R2`v)~*Ik(dUSDDuDK zzs~nV+JTcQW087}e9MN}0dWtD^2I;3^r*y~EzQ4v7t>%LCnfdDKW9+#1TPZal?FOc zR(8JA^9sxE@~6=kyTQELhU0uO>S--R0xt15m>OmJfG(Fpz zsdAI*`jyrZpmdJhJT|}fl+cP=V%dC4*+S*HXLE&$kOC|DI`-9?Ab9h6U8|$5-MftJ zXkE-#Nh|L*l9G}HKTZT>b1@E7BUfLnT8OdtF;&I1{%sWWAFog&C>S2CRo6lWj+on2 zK3l(8v&3f4CU#E!_xyGX#6ul1Pk zM2+OiMU(jsXWV%EUg~)Fv7j2;pdz`_wM;Iaug?+r4CV(72cY~m4+ssw%={)(b^?-a|~#u=?7r(10%#gI&)FUK>qVD+Knbf>xc9mVN{?Z@htK=)7;>I0D^g7$q5q zUVY+kp8JWzhC638j^c1H5wK!WhLMezufognuM4Xj+*=ZDeU$cn`A|g1^(b|Q$N70{ z*AQtkEi?mMDB<4L+bqbH3^mL_C#bXD;c-1EYFg&@)u%IFc&r#5(bwDSNDr4QfslsF zabs(8t5b#kjS?hktE%en=26qR-mP5FYnub4_P6Q1E%UyG`5EE9#+jbJ<;kvrgo?pp zhZFRQc|TCuZdb}eNBXIP`}fB$^C`RhJZ1ck*LpYzc+=uPUA5tuu~)$_&YVuZglW?!!3Qr-HmTx`}n;g9-Y4wY_n{y^Qgyz>3m6Mb7P9u zR7BJcy*|IYUn+Q-&b78iaC3eq3iVVId1t%bK#2PW3MBgOE1^M$tK!y(HZmIH z?2H!HGJsKp8^>{=Z<3p{^qP+lI#Wd-3^zU1uO~OfGEX%q@jcnbM2r?Jv_}b(2*P^C z;-J0vb>9=r8Waj=Qw`JuF3 z8Pi+m2{EN%EY1q_b7I?C%ZAL{KJHQmJaiMkhK04<6e z4<&~UMF|a5NNZsr#v;%cR(7W`eWP>$AVU&i7D!qHRLYS&Jw2N<^wMPbSj!zx+D944 z@$!UZpiMnLOu=XhIZCa>SC_2SdyUMF7DttPye`lN?Zo~-4c*)+9qISclxHqRFb}T7 zmqcI}o$n(F}jS-m3QuLF9y4PCA!Bf-KxzbU3~- zI$l47a6BbDm7*CK~I7<6Wg=~cs6^qxC zuVdRYxD>Lz*O}tSjxrE^IA?@ci~pzGIWj;wWu6tD`ovN<HyfPcGs!0htfRg{uq1T@gs?gS4}#?h%}Z<}wLH1cskgs=u=0`2IY(f} zVm6qZ>&V`i_54l1HM1f?2)JA(`7w`L&hH*V0~&4@0t~xdq%E+Nz2<2gCvoik66b=EVwZn zJkFt{v2zv6J|F<<*FN>7HJEypxl{&HDJL2XX0>Y*lOtlR4^!pLpDZUGS{JoAViSu1 zz5Wg?Xky$O_v6Y*lJ5@?#l15slg{mE5-$~k69*3mE%U@hyqSQcWy9~aQkoE|_)>w# zP9(moZxk$Ae?8)q;Mx_p&@D4e9#?P$Fv0LI)OZx=3N_9kq>X6N!dn)k zJr;ka@f#HUf>UoJHOI=iT^gfij{oqiKN-{6+cA+)srmqx-`+nKV`0v$T9*$wl44x( zmK$r!s~)`8m}aYH6JW#ovS85TOH;Q+?wVn+StFtWH|Che+9?bp?k_Z5RJ#;C<`}1I zAsri=_p+4rSjc^|wYuw%d{OxF!Rs$`f;&gKFoWF&B;y{sq@`ifD}GIshre|^ouxD< zm=i)Ye>{Xpp?-Qd=-CT010ovJRUPu?!a?LZZllKb|vi#@+(#W*nk+*!8Y zt#*FukZ=PuMdm&no4r*4O7Pj{fa2WXi46-hzzMh1tL7IBL!jSOh|v+wq!=yCTn)}ezQef{>x+Ht zGGvQRDx?QKWjebxYM$>dx|?XQX7ZvHq>}R+-L7EvZo6E`B__5S*s4qyfxNkc83_#t 
zERbjxxj~ebBeW<`vIh%hZ7_Zj9iEE|3k&;$hi})oUbQbWR>>JGm(1J8nU@@p2nG&; zIz}ZuhF^G=0bI|}pSR28i%f)Xr_q7jXu>mG?Jg#wr(sLIElnCNJir{>^cFIy)tx~V zYoE`f`h2%eL7Jrz{6*K|rtH3}A(Tt!ilW?qF04t!1kyMS4zyn3} z&FW(+Qxr=4F{?JndGE#+opA^h`cJY;Vp>B!41?T3*JMuWk~{wX@18dGOf_Rv%>r=V zVJp6m$HUFNKv&s2O#?>V`CK|Rn5 zE&k2L_~nN}(`HG+kv_MTZk&pjt)T}0JMpnOkdkBbOkYZBQSecedXh$bgZ!(@)k&s z#6~`WbF7h|Q>46$zZ8VaF#V=Xwm{{=Y!bN9p%+K*K4HE_a{BJVDWEmdY0N!8=aVyr z%g@AIFBZ}k_# zZ@G%WW))cNn?Kf^0YC6B)$A$H1tL`+@#<7Vn<0*L96u_+RX!P^4DFsLkCLD@ga+!YqVq~^uX(09yEDrHd`01&Xk5NFLt2Ig4-y(?! zR#$F%kBqrLo_HRoH{pYoa4ff*mOY)~j4#X1>j}sSzf$N%aSNQRmhlmP>ZEy<3Y>NQ z^s9%iJpC7UHqj133326enJj+%HCUnM^3g*@uQP*{1~PCY6^fZ*z?LNQ_AZm*4##$+DYI22b43bqDR_G0Z}S$5;XIFp0+ zb>ufTYUjufop~9G53&Ftr1`~f`ks&LBLcn)QEuDAZ94UL_j&YLb8Fy#b5h~^*dWOk zv)c7F^R+i4A8P(pvPh`HyN$M@%mnypaL$MKw^W9`Fh2OauG&u!Yq|)4mmK@4U#Nay zrZJRaS}1?`Z9U{Yt8S1I3fNE2KDh0J7;#R3H+e=DGd{`+emqX3fg)C> zUuOKGrX~*bfs%TqkH0saP5R@(+lLq13R?VxUB-!9M?~CXla%U_HI?q8NY#KELwAP z1y7t)`lRV_6j#i8F56pawgMu|q9`E5q-)SVZ)ni&d3xe6nPI9m`V3Z%lF|-!57TnN z5PbbpGXB2P!D)PjEytIA309r_rsJ^;n6)n znZv?ly}0dqd>dWEIzI0R@nzjzn*FEOm~eyKBOhx=a*wz?wKOZt=gLj;IQZo`8WTn< zvAHktDdBt_-eZ#agp>7cai;jj7|$~93}5x+UpnnuQ*nv+p=X{TwEy7+}T1#n7BQ5 zU*q_pAPgkzf|!?Q-Q5&{?gNOYJkeRFV$(+yuE#|lW`@A2LI z6Ky#39KF2c*7vd~2ftA#{Uknb%rm~{ikVH1hBfQh=;>Y#gor^u?=(nEq?awgknQ@L zii(O!|EkHM-m})8qO|R|Pz{!e$$lf`u_hD>M|TA?+qWdh7m6bd$I>;G*nZo#|EhI6 zh=~^z&8h6)XTD^`v>U!<*5Uc*R{zTn!{7EsqF>kP zgH=Z7DMwcv4tgkj2(7X;PytC+9{bw#(8jc?bh$B@MMGoxW*m^!aTXj4wfc49As}(t zlKjFhY3o@9SuuJ|b)QGY9zVFsFk3b&1bCBm|3EIJ@S9cKo4hStAARN@8oo@O08Hz|#s@tqHDLxt z?-^%!YJ%kU?RtqhMo{Wx_U?;=_~e_PDM81MWQf104)B)LgB_Y>rdgsoa9UZM|H%_0qyxqeA>rg|$ z;II-Pd^%hxc%bvp)0^kCRr~@20-bm9EzI~Ny(_d zRseJ=k-wBU=KeE3=r3>K&aO0Q{x1&mj&9wGfB`dG+z2i6pau9RMdQfh)hsLE+sZoBBzreb_+-rCd z@w@qTXyK|Io}f@nMBX@@`{lPCF%!s%#n`>0UtIn56rb^6a!qHgw*w5S)`Fg$``|># zT?8i2MLL~}PO^V_2*3QIpVvpwPC!FYx^$h1eN=7KtD04_T&fnQ1v9Jxclp$ zP*!sPA&UHJN&;QRu-iUR!`?&^z*DSYWcLAzm^uZ|#~JxAH~)He@=wo`BMOXOGP)DC 
zR=nULw7m)tLAYW6Pk-`LX7r!8F4xX@{0*j9H$7eJwdA*n*!8XdDZqIA{j~?%gq#0- z1qabJgQsBdrJgsZNOHf}f1*s6)u_=LW42AP`I&9!|FzoGn403Gow)aId)WN%eaHnc zOd|X2xXqN27gt%hcni01QGb862emB8z@M8o)Xsl5In&_P;w*IHAHlD0foFdU5|Kcz zESLcRSGELdcmA*B!vFP9YOD?!0+{@fIiqB9DpBg9Ui!`T*?)i1f8PAoWz=*tX+3j< z>dRdKP}*K$9=JRv9Imo5(a`}PN{~k+B>@OtO}D9rDD>$Ptc-ktOC#Pzy)6r~ms{IY zZ@{2B2rIj6oTD!PUmgYrchEvl@+646rbYhrnUi3p)6-jb*AML!f z{ZiKt`gq?Kg8;J%@5p}*VuOS^h_Kl&+a&OR+L~4eICjD|Czx9YL zN0~&-E0+?Fq!$}+%i;=pCM@AHDr43NMV8@P%uF_Xj_!o*RlWZ9M1NXx9C-|SIH%g8 zUz0rkY3u#_X-Jp@5e*#Wt3CUF`@VnJC;}3$(5Fm)v)?|8{rkGy_P_jJyOy-DzG#R4 zaw(^t)qsBskeBjzkYp``u1frdKbG!K>Fev0)lODHTK;iQS9aSA{htTRe|mCiF-x9(`vdhTDG@5=!w>@q)gcSSAc3wm*0L+xhyuV7g%0G-%$>v! z&2d{X`_*O3#%NIh?uWxwS0+-tON)zX?@=f(oj-CXcmLx%XFQmxwldYa03O*Z@bVQm zK^?eJA9+^K^%@9DAEBVc*B)H9{TdAy2y!@^;Cpvv=d{jkIqK&LdQFYmTFERx&=Mf_ ziJoAykiE>rIdBCBU)IbFRM_R1l+N@+r9wbGfRb09dwhWaP3m*r*c$w|p#FmaTKWGU zdv6^T<@N>&D}v&nfJ#YYfgquDj|D17cZw+8E$N`xgd!r1(%l_{pdixSCDJX;5Z@j> z45%}x=eNFf*ShzdKhAm2F!S!cpZ#>sgXB6jugo;f(*+DpB*WK7*w2St4LNx2=ykfP zK4PCuT-Xvo;FF?{IFY3^H!XS61O(S_}}tv-4BXpVYI_z~=0?9jx?oqN1XbjPl`hh>vX(uRQyUV5xRk znBVLLu>FEPZXx&c;rfcpWxj=(Q)N`g&{5Pbm^4IOY=~LU$^>F6fl5qfBZq;qx6D;j zvG~*+ko(dS(W7`-$#P-5tpFG>m617?LnZ-2PAf%viBpunY-#&8aK$gcmJUdTg**s3 zXkg{~T_O1e^=tj1X~NZ+3io8bOC@Y9Fx-nmKKWd+{|o{c_Q90E)1w2?pOj!S6fv{x z015&pn|A55u0x$f-IVX{GN6@RKkVZNMEHlk*cgF^D4oLl82SGqOl*L`8G{18kv5R{ zU8XnoXx8F}CBU_(_~F5Q)$YBzDk+u?FHVXzN3so1_I={!3vTCiSzDP;>Oz+B0Lhz? 
z|3oirrSzr?By|#5pZ6d_%r{ZcYX#^HR*sNrYB*Bo-V>vHrpA4jDR8SbfSh|37utCn zYis77TF z(M|Rca0YwZ_Q`9zN7ZLmXvFZW51~c;O@8tV-~mp+N>0;;-r<>7N2=|j(NG9>;ySVg z@VXtOfRp?QZqnsP%*78uvfI*#p2E;Gvq5i3p*!!C_V$ry*q%U?Y#=Mbnce0GLqOUL zoUA-22YA|r9NLk=5CLHt)(+fh5c2A?25L@FaB+sDd!)L)MWe$Gn80(v$@%Dc_zYR~83f7hMh=_f8Y$_Zfm@y30o_+lPl=T)h7yD%-Zc&EJ095f zX};f@@J-cgZV>Ly>jjxIYc9udDY_E^lMehADSshTGD$3jT1v^VH%Pscrx=@rRU==> zncJk(&e7C#>T1eppWUe|Oj<1B6RP|#xI}o&@)wy_ys`YBisbtDfvl&pdArN-V}#j& z-7SEeCL37+(|KLsi#U!SpQ*B_sn7$4-&|KXoFN+NdUf^!J4$$T#053qb4IK3IlSauWI)DZ<2Bx(+wimnMg%CCh zykxJ)K+pEk!{^&ML*-#H2_$kJ-{_R`8Vq?&4KY!{D;4r_3TrMvq&xJ2nh8~k^JU1A z-(IQA`)lK3-sQe~-4Bh<*2)Ga)PU@5kHH zY~APl4-o|egX7V45&NLJSDr2JkbR-;IfkN$4MRMZ1^g`u=6Qh~l6E{g2jt=ie`7lr zot*xSu3v>+I{!qmiu`+f7fN2NflvN*V?Za%m;fCh6jp*jdzICilpr|LB%eWm@plJJ z%C6D7njN|!&a@;b=pU+?emp^`71>gU#@5<8fl`u5U*rmFTcYH7xHOJrm?;Qbt;!;0 z#PGy~puRxDCo-*W96S=ED_Za8>#FNkkvV*DJJ3Q?vI7)=&Kx45yiTR>Qtcs50+2xAzVghUQO2Z-{_1nO^?E`mC6izZVHt` zGPJu2iNXV^;fF%I^K7T)(nkkYLF0>zh_W<%j-r53{T`5ky9%7;#uQ^VaTq#$?1XsF zM1T{Q!=M`Fb83~O1^m3{W=7lf94Tz>h9^O@4NtUS5h0rmIzI=lEOG&#P_%R{6aNCBn6&j~moKeIjz{IVbIj?u&GA3Wlz z1a{fOJG<0^HzCn$iC~vPN;bss*4KDC;*>b|WF_d+6_1ATtFk^c!DFfB4S| zX7}+fNwGV7n(giSYpxD6XJNAr%#xhl@le0jMEa3ko;nXc-uw4T%QgV?tAn@XdwMPW zZ*Tc;FPo_M18@7k@s4h^+nI)LLl+(?7_gXYdXQ`vL|+b80_M>HYaVjk*|I^WgwTfS zB24{*3 z;MQd={5qI({C+^3?Hkv-40?<@a9K*O{bw!(&FHCP}* ztroKGkg0!V_5-P=fV05j`3}@^etBSqa5zYYgAM{J@v0a$qDM=(yGoObXCd||yN;2; z4<*6<$~OR_>_Luz&DAmP%rI0$faHhv03Y*bn^&`WYLvCW){Rq-ICk*j>k&L=7q;$> zBqy|od>xG?>j}E05rhlB7m}TTw!;m9aFmo=MD_vw2SPXAesc=vS9aEK~#hqjQFbI%9Gg)3+)VwV4TnFLSRRJ?7E4b zHS3qy*w@zO9ZxX`QE&uzBpRdL+v|^54R2?XR_PYjX6%s8_4mzNgDhd?v|d>L-wgqZ z`P)DhYp?~uWnrH&W4TiFwcJQ9P-I8?$Ve_$%5DSP}{!k4nFnB7c2$(xu++%Vo z=Pjkv`aS+$Y{FtegID?YsOG}3tMticeZ})td>KfEUNzH5-&CO#1Kw{t^v|e7D+LU= zSL9o9Yw>Hak%lOONUX%Lyy%iiYajb=4P4@1$?#Wn}0{ zDJ2(_50+Qv-!12VP4c=bzFk@P>8Yp6++75<`FD4>`>ox}4%i!Q%s?=GOABXRR`u~M zvD8a#$4<+>9PH+R-1^{qj9Dgk@vAoULdgiLCsuHzE*x`S#z;_c8);iuR!P~?TSUltaK0en0Jrh$?g4@;;&EM<}w7884 
z<`blZwMOumqbTG!%m9+IliQ->?F*=1Rt($>JG=4=Z~N^EMTI~&FT5{`+Nd}l_IatX zi3w&-l`qZBuVgtWc8~luOkp$tq%PspsHR7>V_2Xqm7(2}K@jdoq?+77&+ssv9eIpe zYM|UN@c6rJaz0udEKrntaF73h#T_1;3aMi#HuR?tC!kO$`|f~HY}Dz!58=A@T8A+; zjm?Kj!-Y0K|I-%|(k8P?wYpeB(4dwSscJwscz6O;t|$%mUI zM>uS4Y*tc}B@8hhJy$kVjm1+wuBjY&<<_)-7byt@cUHx0uPJe&-Is(&FX9NtRCfVl z2xJ1X7Hd|nC(6XAwY9cpXQZZDjNQ6sM!a<}`r}?TL$>7V<@^2Jt>!TDm#ZX7s;YS) z-mtD^H6>|9Af+@G66WCgLM^QwEz)_}z|@x9@4yL2XJ-1`@}1Z0&#gvGjQ80jq3{AUL|7ixzTzu%pjWp5JWW8#ELLPzp)% zft@3In`DH3BiOi?fGiT)hyM7#6=dJ{10w-!Koy()$2k)}>=o1M+ki(KI>P>k3!?Og*Q`{ zw3XPOj%A$M62>Uv+WA2b4s?3N^(s^^Z?D6<-&MXedU@_|cj*O%sbLw)9R7RoZG$Xr z9S{|dyQx25)E;&|&i7Yc1y?NoIWhWMeD`l<#HM_>k`5sAHcQm}PgcbA9q3^ow!E{M z4A4j6{}5J(L8gk|@PstwAATS0k-aVfQGR0b2?k~72a>~doL#U>z|Vim-hl{Ro60|? z#S=h?vOmsy`}gSj{{yN#!t&4Rhv2#1VE$v;k76b4?oVqEebRAo#R@&97M;bm0G$~_ zN()?W-TD&uqw;u0Dz3>DL|qHAa&!5VW8_xq^GPzc+)mpLiM*9AW;PCvbV7QdT)P~> z$nresrI3-{2@vXAjZ$M-jADzwbK0L}MWJArGz+Z7Ok-+4wN4M|$ zKAk#sibO|8XOhNf7PErowHF5XSVl@p3f$PpNG+*l>;sKKA(fLkqO-HJpCkUfJ6g24 z5(cGX2!X&Obb-@eOR zLlr*yL+vgW4`g#DBqV%T_)s8xQ=ve8 z2)h!hl7L@!wb3Bsrdo*2Uo&S~GbzyFJM;ktui7T3`Uzit1_107(qjrehq9pmjMP!5 z`2O(UR(@3_z$l9U`z{EA&>jSIYGZ3F+}+;pKMwpi1GCGYoI_BKou4q{Cp3J)OxTS$ z0u+;wE|9_0KiwUYG&nd&O`mtO2`#In?ZWEW$1&BFw}`MWSihS7(%s#CN>T0%38{#v zDCkL7ynznzKP?J)iI);gCdO)_DNZp>m}qHeS|gObPw;$5XSR8N!+VkhHnh|iu0~6` zer%xy$*L(eM3;>1TZ)qheM%-YFtXzx$jgfo=F6%nL4&KiuB2ooSqln+ofoz5(f{xz z)Lv^9fG6W=YfovFQi1|&*}VQ%FbDM=G!MOVIK`|tJqyaBqN3;*x%0eEB~PkW)Q5&#MR;1 z8Tb8(fzdl@XcND)`4lb&R#ZnssO+>Nw#*5sq?UU`K5;v43|j?6N{n__NbUG8-1K8o zEWQs_j+&m?@dP6ve^IXFJLTS}MRcMq26RQI6;ItDztxmEI)QQAqRYSOXe<0ul{XK%!xsJiT5fL|0&k zlfzyDE**I*>?JDnTT2ZC&Xz;m4WJ6e0=*iW0LizXH;8UpBm*^fm|qUH2byR@nj$00 zove4SsIsyWzVE!0kbr!n4Ty2Lp_jdOim>_l`EpyQq(!t^#OAVIj<5?~#pLKvn}99s zzfZ6CDoLYYWdQW2cQ6K`K3XGb-@SYHD!jeDJ>M2CsF#cXDhaw+0GgELb``Dc~sLR^XQ>rX_#F1qcL6LPe^wYe{M4(`Dk zAuq2*%rufDneB{!Kxi60DW~1>OSl}Y$+@}qIm>k-D9l3P=C%hf5#UJRnDqDG2{43L z;)^PLSs%tWjhfxWlS5xVvdO880j(L~gCBGb`UrxMItz=f 
zkR3P2LkGJSQLo786Dc`t!E$jEdC=%ycZ*H~eiwYKP;5tq(2E)N;ll?oBVZC~T9uD7kd5#wNgkaaxQ2|F3#&3U+&@3A9i-PY%KhEMG zQZ;*lB@Lam>BPZvyKwsVYU8Rbc&E^Q@1jtdG23JRty?hR5XKwrQMi^u(90#b^6L6N>>iDs!#x27D6 zZ`{Fy2iMAadwUz!xIA})B{<2n>^FZ%T$90vkOjT(xw7=f37z*NEbKyRT9zFP9ebZp z0E1#ghp=`gJ5W9ka{!-YC4+fXJ=Rkycfh zy~~o@_(ViRLcQPdD#i2|&RZ}EB)3YDiAfFtpVxoJYn*m?AV`FT-&ef`|muU}a` z>pu?7X2dBbIp1mI!BCF%5C01XLrmEV9HK1HUh5`DmXM-_=sF`NvRVRizJOT;lcY~S zSg>omqw>sAD*3ht+90Iv(#b847HKzmpqVRH!hQA{;3=F2Z5KQxk_CKsq?%qLY)F*Z zb>GdT@Xam$$cmu`*uesKEGEEwy|gN#&W;Y%T#JEEEmhArAMA)yR>0*Q>98TUvug7Y z8|dNFOEdkNudYRm=&&5ZKF@nVx7%1J{w(Ug&^?4}0${H>=%KghH$j)K94Zqt#|$_l z*#nNJRpL}`>`0B~c8by&ZuV}n9WSb$6(H%lVEVTf3!5+e1w`!($=TULyuzesIlDg+zk@Lq96+h<01bhaS25^?0{M)q2N|uO0ZAUg3g+nul*+7#ET0y9bTC-t(z*xcs+}}@>#Pz;93tAK?NP3 z@t6WD@?vf&(&m>9sdSDOH*mPnEOdE{wO~+irdXtKdsa%bhNuD=S4&${?j;HCXzJXB zlHI2R)5z(p0z!llgO+cPp13WTvuU$GkkfXMNs$R184FM-V=Y+p@&43 zZ zn-PG|;=UCFDJDuuoQHW%!+yms1G)635)>H?%*@P0_4VrzVrR%QfBdi$>Jnbb0E$R# zmgEdZjBCbjZfPk)N?Ua{c0+zc!6-UHoO8hP76Zc*4T0%xDDg?aUES>ZPGD;TV5^+$ zRym56`2!O7I)=337KiJ?ax8KLUcF8Axz;O(^LCdGQ2j4^f@s}g!G-yGV^IB=NcrF# z_tOtIm*w!R%y(K7`y4XVJ~ENPgXvqe2eCGm%7k?k6%-OP;+luw7qNwA9>r;LrM06H zDm+kPm@&P)C_IttaR)sULUE(JP;Q`D*vw9<{;DAULuzKRSamUe1k?iA@(BtLJ!P-h z$@Cg5rE&4_WOK2x5xSi-Ec2^z*iYzDU#z>?3jhtpZpRi_7)VI)`9{P;ab`@6xQ|1jmS2D47XF88%0Uu0G}r0$?-%kC)>=riM}p>>*#+jltH| z){>Z*7*UA|f&2X@G3*}&LY|X=)ycZrDq}*1(7bQfT5)mlL#-=mt)D(2byhP_J9C~b zjhOSB8nJcXsLi7uphMs?_)W(l7zxQ2FJFu&4auA>EG)FFtgI3$md~J9JGQ;!gbd)E z&pX~SVA?k=6IQ|l_St2}2~fSf2x=#n7?}1ppWkV($W5n$xQX8fbxWTr|K%Y+4;t53+1J+><;$YJ!goNwxqB_P8|9(g zj^IDsY2ZtMiC3@Y;s5X{N_2uuaCxk6;cl}cC?a^ zKsbT48*?1O&TXO{3?ElqTwLH$fQ^}%8SgKiB|VWFT3UT2pyq&*(+0psxHu$A)V*Ox zJL?0?bewM>ev+4bb?Y@2~M@l~d1IML-^LTwDex4rW zQNN`q!Yi3jy0(Fs@0I#U1cEx?xY9<0LA&skF{F(REbG#@ZD3}ZZ&_JcP;i@uK^h9s z;QOI*D8G)U${a93X{teXps+#U&JG5o453{{UR=*{Vw6|b3Q8+*bylCpc&`7asyv>| zqW&_^BpS}EOA+S>Mn*>5!b(SWRaKx9eYDV!`0}~M5N_O zRv%BrDItsr`B5b4g%5bB)wnk!CY1tqA0hzmtzA0ey14imBA{SP_s{L<9{Bd|-^ORI 
zyoOrY>m(>JaWOIpaHb($EbuzAZ8?+}y8KlV4W!y@ZLLKJ&!{KAKl_P#Y?OZ!Y zH^6ug#m+H3=!F4&iQ?>ajJ|v;PbhnoE4l;sn9cqJ2M-D!fInL6 zQyoO~gC;scE@F8YbOjKTq4VztGvMF>At4(^y1GOC)1;XjYoL2Z1Tx=^tI`yL@j8IJ zmW!J^ik$h=h~M^_7pn_5K-%Bf@QJGF@Wt|JxZ;MboqJL-s|md8v7sLZ7v}nD;Ll*U z=i}yHIK-Qd17ZZDB-hJ~FhX zs-lwn_3J=IIk25TCS>OznAB(s2dyXSSI_(y)q-+E?nmi*OiWC0t|C57Pfx3Gw=1## z?kvMxum{|PRum7ms(x;10zW7V@XRRzC8Extq>LT-nX^Hi73ktIVS2&8ZR3E_RyYzY z-~qx4Z8b_^i;KXi04ld~{)j7aVOz8*J&@m`0X+$z0+`zf2i}>clI{o-^&G^{{JHTi zKAw@WG3Noj2YupEy3``G{y&fp8Z@{i2Sj)ng`qM^n=~awUX8s&jUPK`H+b<^J>dk1 zlZujG1qtsg+@meO&kMdK3YOq^&_9V<;yNx!G9&){094A+{-Pwk!SZ}17vaE_>l#gd-!(Euv-vN?UtJ)efz`B zl*VXH6hFoMN@f^0mOltQ9dAfwA zTg(rlhY62mBq7}@m^uXyt{7Mcc^Seh3mv94*yoeEz&{~1Lrh+n&I542I&lAnNBy+O z;)OR-{af8;d((mUyuB8vv-|q`TS4=L#bQ2_hl}g0IwmHQGx|+ma#6^#{o!LSltqAZ zR)(y4^_beQDB`KRvor$mZ5Q6rfY8M<2h94+E%n~$yMv&eo#V{yW?}5+O|-od4PEMq zbpq+cG$Mm8)X4zea=%I&H z9JwJN+7)P=K1quk7}|z=1$C{^GHl?{O`MvXESz}1_DtPCdzv08oR4R__j(T`GD{Yha`Ihx%dj^^CP_p?=MmV=%i0P*P)uhuW)vawJCm|EITn z3 zJBU$j{q14EO6QOP&2r-mjGlvExEPvi3iSrOGN_UBUv%r+JPhED$U7D{iMxzZY4{V6 z2Z6+^@$kePOvcBb02d|>?pVh{l^N9^lgg&X$vD}BgB4Vt~LL2}D$e}8-X zofH*}`<>>36?c$lY%%7KsYPHw37kzxs4yEu{L=ICRBOdn|BbbLbbi|It)@!l{}nfWD@_nE)`0vg_U!^DeO1>inlX2G(d%Z22Aq^{4xZy zPWhWRAi)U|r*Js9KR@|2G&}G^Ngx{HL%r_Ag&XvVPriA3Fg1thwZqB*x~FjIb#oBi z`}0=^79v~A-^*q!cDT20iV=Bvf}x3042~ocGfjQ^uCz*2J-dX8}=%ogX3zrDg3UL+R83b7!i(}I>njq-DAqKiXS-7~s8`wK` z8DaLtY{%CiqK^X>AgQe!Ug)@NVGkmYKWW>wX%JQpHUcQg?pb~U&!4#GBVQH+vABm+VBL-3hzt3df|?_0jQhD z_&^U*dhUE3Ohi>}|3X5Wd;sGsuyMoHfHE;a5&bXP-EA$``vuU2WOpa=|D<8PM5b6d z?(sqSAg3p>1}t*O*76Yt{vgcr^C3Y7&TzAvDoX!^E<)myl02DNSe%h|FVShxm#ENg z=5tGbe}6?++|7ZX@A9{5VeONtgL&Y|WK)6Qc_^US`xw~uD>A$u53lR?I3;D|T9 z>=dIJiu3dSe!E=JV-U&@#!Y*Q`sInszyZIkqQ)#HCYJV#6J{s8+&oJW(hGNw{QEc+ zKR@(asQj}2 zHa-pG#)j0zEiW&Nf%$3hgCWkVzzb#`fT`jTF)&7|1b71N zK?JP?lwcoKj=KHp+0lIRF&t{;DQT4?86lH%Scvt((|qdgeRE^ecpdOZlLtS2d5ggg z*-!Y<4S2krh$;ot#O5m6Gcq!A(AQF+xh_!02+A(oXk7hFiHN(75M^$RxQno&mr9|= zSUJMd5fBH47fizknPWE7Ic6X>Gh8ZrD7imcgZBKySRCer-&=#_6 
zyYkITfF8q!9E^Qbz#aY00Yf!D^vEA%exbRGA0P$N@<9utqH`D$zkfRJ=I(w*TEhLf zdMlK_TMN^#zhkNjvYhBpCC0=kG(h@!8_>IV??%>q|8!|%yoU+$? zh40ugr7xPtZZx=_ymBI@-2cj3Df6`;#V>0!juMkYk{1rYn64DhU$mUc845;Z4|OvP zexTTmO$gofum9!G06ZR#Z*YkI`&Vo&kE?fX-`4;A`zP2b2)LYMWL1a$hm)a}$MUcI z*Wf|D1OPeoF&5|nfGcA8KLPxoH{QK_%5n?jy{``s*GE*m(H?cpQTlhUhbbHaegMXJ zt0%j#aB1%%|5dAjW4|!2?5$_y=jTWKcp-)A-@-u?AbQd}zRefkg+`GwfPXw<-`?po zFLSaPjfpaun%kvDi~0s?6W@07n}0!{;v$Jrgzr2GB*P3?iLQh67a!s~b;aIheC_xA zxwO2JQnmXWPfwT|AFjpp!E&0{{z|oaga$t(@xd3$gWT`YgG!x>}U1rC@0ZhWn=ow3icvv0)q%i(=`fKIf}5-sT`?~PM?oP^Q?772b5(h{^6Y$)OFf)-OGWqC5mjRltvn*t# zbf3e53_s`wUESlXV6FA9crPNx25jL7^=^j?bN*mp{!G{geCw@Sq0$G=8W z$>9z1@~DwzDvs;RL!ja}1YQst+8a8d{TO+vwT`eCFJ3(BFohRfnQBWWHCD~DNhq`= zer-cHs*e5W;z`WZw-Xv0LadCdsz<(?UN8>^WEX$eht&4bY(Zv`E>2VM4d=ml^KRnfW`a!R^KSCRvDWp*73`8(Y!mtbzuR*`fO~#~m9caA?F=9R65RmE` za+>I;g+1rFmcZ03B2TijZ@Yy$EQ;>#-lxWyRgWBkSNoK;kW4XS0?beQNU$d;wt9py z|91O~ipnF|J}Jc<_C;2gWwDZVjRJcrasfNDuJ@0R#H~q1yBMX;BV$0)#Iod~Y z6#Oex?Vts8tt=laXA`J)~=V0yqlqM~|d zQr9Z`wfPpy_?rCu{5?I0?nOoj1cKi_vo6ywb)~sS0aT%L-}(B*z!(qFuyjiNwUke^ zFg(Oea8xbVrToH8mP@blz`LlOHOmu4C*Dp!5yPjfnyuHt1hd^H|=y^iS^f|ak)go`C6kbiq zYjG>6hed6%jHtUJ*;v*2)fyOj<`~$O_9~d5D(97%_(*lwU|?KKS?g-E`ABs_WbnO( zKNsXE0deBUBOLk{oHuE{%cwHfA~4FD!i_viB1q*GBdul0LGG8vt;uvOoiScgN|!CG z{5g5GGOpur5HsYBCFVVe#|ku^D7EU%9ZT%+Ig>n?l{IhMeTTln?Ywp$ukqqVqvq;Y z@b&p5JhkjIECR6$nZivnyMw_|1bWK5NsugAHSON#HbI;zZiR2W(R+`;{(cJ)F?Lsqwx~#}g#3-J zj3hinOW@+gas%BreaQ(PGXRj@EJYDTimwe!#BpWGyT9QPfNliK1OzXTILA(pj zgxc-)Z$c;SZsJ74xzTQeykcb}Cw$VGUsJEUAx3?@APbV)ZPjr7cmfUgV1n4IGb2Nu z9V-WhSrM~B70s-_7Bl;7)(gOnStywOQ*%Rb1v>V=8=Smp*@`ciFJf-YO z$;7&Dn(e#F0~=jlMrygiaf!JG&*uA`6~^bL60lk){U}4%gb{5unTS)6_Z>`5jY(u0r3i3loML%Cd>b)61$yVcA0>+$M-#9LRDD zA;z-YUGm(Sw#+o_Y!}G=y-Xeg7i?MqF2@e3)AgoNkeBPasx4&2W|0?IVv0Fz@-JLy z(R5kEbz?Z9{xCznc1TosrS7#=61_A}!-_0})KD{-k!oth%IqE+E!ByU-1}hmdPUT(K%VMx%UakAetIcPf#vONQ&aIBRX1Q+DwP;qIca|fT zXpAN-)>*nw+%RliZP?7q)hM${b2N}eii@vJP|9JxAM3drL};aqUe$JY+Ii{o=lDg2 
ztlp%!q}Pm`>Eg-lSOhoP!qDnqSNQBel4!r#o3Y|cL$%f;IiBQ6lRkqP!QPiVoZ(zT z%t$5fwfWm2={Fi1cB(CD&-KK)fkrim$2(Y;aKy#5XrkIB7r@@`Bkr%ofXtQFf*16GailwERb_EwHzwRI$@YEe$p zaTgz2o~fzXa^U^B##?nr4_D8mEj7Xu5z!R@CZ{fSKBRHBD+OuaM#_X-_c?#;EusS{mcjJgljMml3Z zl9><)=MhSa@U7)|$s)Txy)@vsQM22*t(* zJ4vKlS!PRHw?}8PWcx(jHEJxB>*$2D4(SEuZE;r-H z*wC0B7Dnjslw?NYS+{pL-OJo+nM6IQ)f1q(JrB>k9ekW-m|bJTtfO7lE|9#IDKHZ5 zOr5!>O6B9f77;l>IKIx{a*2`-7<>PaG_pAN9^Nq4&t56>-Ch2}@pNwffb>bWm z;`1e3EAhSFc+Kx!1==H%8LX(Bk`9H@hQxVfar$ZxL)wbu~u?$P@I;tCZh_n!b zFq@5`d-mF(&|oretTLH5)R`y|GNrn)zBXo(-S(RzkFfG=%TuENFO1WkVbb#U3 zpFBMr{mHAje`S6w?UZCNWt>jjnsY|gv~ry}WFKhLkxxf^M$|2h#$i0=@EChreQ7vX zb*3}WYpru~at`+8fp*fY4QuB_Jfm$N1)qj%4#|!b_vclr(bci_4reX4l$Z^MU-kaf zCCHLiI45N0bM#@G(!9ruryDHM@$t_b3cK>out0}HScB$8sqdUHnQSYV^PKO>P$#Ad zx)_)@8Q~(#sVRTEex=Ux4e!kmS!U}lXC8I~A%@WS*z{)KU;^&Mg9~@2d*4}e)dU%j z4=F9N;P!~F*TjO#;no`Bt`IYiTwe8YxN3=Q?&O;@t3%foRjIjrIlIAZ(PP5TJspMy z+c@=)K4`WUd?U}pLN(MQDkuzJX-e9g4ZjpBhgiDsqoV_56!7KUE%uw-zzMV*uBAh` zNcXIPsp^Ge7yNB=d)CZ1o*K!iYzW7u@tZqgq8>3kD{B|11AHufKuGCrts)OKX|lfD z44YBEiw#}42wg?;leg^;-%+`rW_&-eXgoG)+AAor`wUJ$QMeq#xGqpR@P(uMFWlUh zm^YcLZu5*86!RR#JJObE7Q+@Xds>0v8u5wSCurQy8X@v})>v42k4&}dU#TXU_DODK3RHJ-i^c&V>_j=Cw}8?V*PuMh=Z%fygqQ6Rsw< z%E*LZx7%l1ZOjTbOCX3^XFI|zd%_0Cz}$B(CcTlxi1}oh;nAkJeu1Wz5&~hh&o#se z4`($!AU1Am4?~D^Enx{0{>N8>xlJ`<26b9l0;l@cFNLV{WWLjQ$Icx!mJpO@J8!d5 zErb})z8mKt^tqc!i%@1a`^HLBR5#9gHuI{^kXS~e8gf>%4e5Hvi9PdCrfqtvcB`@S zaj9$2_{papY0!xFG37cZ{19(Br;$6B@2Zt*Whdr^YMnsuWH7wCe^8`xvHY{rW-kB) zkAR}AP~H&B!erx}fkV_u#w^if4uxM5rEat)o)nH^rcYhBDhBn|vTimug3qpkM7hY&lY*+&OT6j^| z&PnS?ueI-cVw|9#s>CCHs;2CQi=(=BCOSI)a6hLhE48#aBrRp>yhK451E?S4o{#}Ex@{NP~J_3G>M08M!b1mIyo z_xmpK+khd!dB$C@9_N=l@opBX`wB=b@oU_Nn4k+!oR>xtvbqg8MB2W+x(^5TZ^h;c)q+uDF>+dI9Sy5%9h14_7A1GI`*th+E#RB-}E_d z{mjLMvu2erbRmy1Atm<7ijih6jaEdh+@b<3F}gO0k-Ko|^HcLTY>Fp^2J+KV(!ZSJ zkg_|Qo<8f=udq}VBHGMiFcLha?(9<*&9$D%Y1sT;zSbQg8&@!y7I#aTrkVoIs!K)s z!o$8ho^^vNiY;82drc^;nV4<0gl3(P+XNmIe7PXNC;%_gBy;{&g}0>8awvsZ{9~+P 
zXDQCiFdPM|gX`?ijf5D6qs_t!;?@>F0Y{*AOUxQX%b=3v^_mN&=v5+I8c(bFyq+qt;hzVb_8U1h8zY;nYSSgM4ZT8dW9N>TeiCc+ z>9BP~`QJm?_g`{58+IX}Jh2T2PL6ZI9`t=;NFQ13Qxu-fS_C6wrQNQ$xbTfZ%I=@% zCMBy%-{rZIOz7Fu15CA?mW|FvYn%ikab{N5sW(zFuKZf_rB*9)$qdpbYfPQSRGYM* zX|b`f($J5>o{Wybs=DmPq%NP84e@r?lpcfJkHHEl*2(O_!P6dVUjUkTsoN(jcdZB> zelCL;hgbt2XJUyBN-cSD`J3rxFIOyyxez?}uDOL5ue0V)7sr~ZF7ZkSfTmpGvz!LO z#z6O#d|Nxyv%Zj}bQ0=*ewK^!>Be%nw*=p?OQ!Xm0bmANSsrf=aqEn~uF8Dzo)~LE z`mws467z?PoItd8aNZV*q0yyU?BqDvdDNpMNg+DrgnhS_+R|i4p_7A7>cV=Cnon6J z+kuIx7DNMq-U`B~t6O$Kxx%b_8KGkDRPx}U`P73;HLt4Umc5=opUJ7}LOKOfhUfyB z>=$#5trs+;qE!|zm*v{ZMixJ(ahyIs9-Jp-P_L^v)KYU`v3f*9Rh0sddu%PyDW*{E zbz!l~zMMrH7{$fME`gd?<+KcO>ekj&TGkqc@G=tB^SBn9RZZ9YgO9t(4csWx>)J5t zP{!mp4^r=)tr4E``$FEouEuwj-v(nafJ2&gK`isSfXCo>DQU$B0}d(?I-lq#H_BP~ z7-@$Yt2sxxm1&p@YUE?$%(U{=#uVwO;@(CYlYCBDi@6}*%%a9Podw#>3E-S%zC@I% zKdMXG{3Nb+kS2-o>AG%$su_K!Nr<{zgVNoy%(i+rY6_gyPHPTGrwZayg{kvwK!!84 zK|Z!(dQXb;-Rn-zj*3_%GVNU$YsW&sL)sQ zx)pEVzU5PuOdkh6g9{~>%Jdw7iz98Y2A8NNkCQSF}@hS5j(RZK$wsNoLhr{36KO#5bcWJ>U{w zH8FL?1J9+f6KQf!@+YteuTGaJ^(yVlCe(2+80z9bb@82zde}nFyg#V%>z~tLWMOG$ z?RiO)m>bu15J92f>N4!i7q|M&v%!1VwlGw`-c!p=y??sraW4HjrCcb7boSR^hsib} zFd6l^&D0!z%Hktuo173l>o5`bSo5YZ!}^1WQ&a-{|03paH^UO7hwu!% zlqJXUR%^DKE2#$mAu#4`a?7I3eq*q zZ`d3!gHVWQl^e=OOy=zy5sa|aSfY&N%j8_(&bVNidiDUd01ru`!czUlo$zZB5RWlC zMb7j-s=k^J$uDBsN0yLIp1HIdAyu;zed6;GNpVSqx#JZXtQ+5a)Ez^l8g_Iw%^88f zL1nU$22V^LdVBdP7n9?pX-h8FyOpEqVCrizn9v$B5Nk*hd(EKL<1a#qC=XtDTq}L}bg}&YGo3aZLY_3jh4o2qv$ab0;_S68 zm~U21F?hF`8hP&|LP_#&7*AruZV*UGyUB8&6dpFH)N zf}509(=F|*wjr*;EYosfIof4PP1o>B+im2T#-Gr>)8AIHiB4W{F8P6Vx?A#QB{N{6M%jh0_PR=!uVf%OXXFO80**TTNur@ckxQAI z6Vs(h*ZLHx(BOj8vXL((U$ecrW}IM3+IwcMhGL>}VjD+` zpQJ4M6==U=)l5vjT{3Ih#AzMhO|R1K+wF$za{XMh$pTEi@PT;89ZPrcbxB+dY*#n` zK&;ztUjB;w-iC(No61$Bl@&wKqdJu0@H|?$Yw^QVQc|W%xi>#N5g-+x>Su(MxiwhF z7yH}SPrpwbTeMb{YtW=75p!56r^x4u3ex!Ck~eK>9LvwkE}-i!Uhbsk?L^51x)YC2wje zmVf)k7jMah*^;1k5_uol4%Ja6R#sLPsYqvQ2?}kopeVt`BM;7+0)sbbqHm>3ZMias zQ;uAm!v3;kSn%!s#7_az_W=F4)uw*)!tS{{EIi1NGGyrS~%Y>j}Kj0&7qny`B 
z;WAD+aIs=z!E_@tFQ;V~dCf0Qv#Q^d_n*7?8e}3*Y1hEJ{odSjML6>`$iq9WL4+tW zUdsQ|ct_8=O+-POm2*K!MMZ`7c^RsnmrsggBS#8t+wL@lT$o9%fBck>in zPy>SND$cFhfQ|);9+0DMO;l^z zhZC6I_s4c~-lr(xO2kst$esWoHzC5B>ri6&*rPKBI9_>*wJKMZK_BqVQQP)dYsixy zOz=M}l6tmHhE7VgrC$Dhg;iga(ym4V7w0k6o+pN551ZmWoADtJVEjS0AcSDPTZ`i9 ztJtqGMLw}#^t*amq+8^P>uDTP#}+#>7IN_vN?ohUgP&WKzF~aaTrF>2S-X~2b6r`* zM~Pp=QejF35oj=?*waL|x;X2n8>~$A;IQnx@8mj=XX$0b-9BfT=4ljKuP+7~M2&&E z6Mfv5Ot%nVh!tnP?*vukTH*!Wl2r#_qiIi7N819muJGt0i_v4V$Wk8j&+iR3hH5|g zFwL&sg%^jHcVEo)w5M;)TA71e#mBAYjJ?}ObEd9FvqSfd6r%E91Oj2NNI+n<{_WgD z8^))!BNsH)wF=IvhvcFr*Z)k4QR@Q+ldxmZ-v^`yvZ9acu7EV~LG z$-hrysgF^z2ayP3;QJI3nQ!TgeF3@XHv5s_n0`Kl@Fd>xHqMhOxn9bh1v1Iiremtn zsc+n}8c!J+$}g<;tJ7d?pqQ@H2BL?i zp775YJawk34b;YocrcC2h6EhJZ86u}>ZoPHLU?>Z?5Kgd0!j12#ZZ>Hb~978*Zf=}@+}$t#z!BB zAE^>1oqKkmMpd})Tz*up#)htLES$C%>5JSq929D*NSww{mpxZVfi!^x4wMz^Vz6s4 z_;$XDO%)kXDko-8Pm1(pLLZW5gE-jw_(Pp>SE5tWZ13d-1zOyCSfupC-&L`VM=p4u zy3T0I+Qe?Ws$J&cj`#U~zrsL;tE+2v@^h*HqoXRoU^v;~#yHC?5LQ&j*`mf?k9Dzp zZAUFfEg>o4a>~&o_3- zZOG`;(4pfZjSm;rXS7-up0QUy!t28^J~BDmK{b+V>50cY*3Eb~29XO=I*go{;)fU) z-0}ZE_P#T$$*fyjQPcqyM?q8+ETbq=MCsjzN|h3N73oa~MM^+aKt;d?NDW0==q*4f zp(rRV^b(qg5PAy`NC^4%<1}YpnWOWbAK#Dj!|Oswp0f7ZYp-(OYgJc=>AUm{oRFlo zNJ;HX87J$%!yboe?y5~9)RbM8Eir=oTsUNmQv=BhDgTQXVTX5Ke#xL}b$AHz6HXeG z)EuQBrIq*PiF5B{nQ)&nm|SJVC3|&*N!RKN_InmE^4wmkH(Wn&yhmWC3hI!#2s^#+ zlHCnw#LyDg&aq&Xt~8Qiw-SM|He>bUj6>grxR1v1tFiNzQm0D~2N@FT8yf>*f%!yM z7M6D?v<|%{t)BzdC+`M}cxkHXs@UOXIiS-*2|K&==7Il@8Vqb=|`Y*z9% z#7y!!=}uQ!238@cU&-r&b%{gS1tGd3N1%?FJ^v#m3m-UZ$D=?O>V7EzIVdth!}$yg?ex*oXm#R6xEV<0 zhYuB1nd{B!VH+X0e3HEEzb>c=%agKuK#8rZTras)*$rAxnf0!z(<{*id}}!==^p%E zYb$bC?*e54HG?7ltVa6#uBFKXq^9?g=S}61ahLr&M@L2kAF4rBJR5xenO+Vv&aPgb>!Jvhc7-`w1!N_PawXo+)G~_;rLuFS&2ut^sYnBrPGR{ znHhMDk;2vXVrC1~*mG8fC|l!qrB|j|@N)TlEiS$noTCimcu^UBZ9mPK-oAa<@mTh& z%6bqqxOYAG8xq*ACv(utwg zlX;2)dImKRf~vB~6UZ}u{HuKQ18LbbU=`ik= zk3;7>tWqtI13hAeHAc1t>ZYG>538{0BkxD)6lMYNfUxN~!HFXlE|@T(8YZcg*kf82 
zh~5QO?8>{Kx$x^k9D4MPt>?y4%l&q-?RRbDjXFpYO-^g#UX|SbBRHm-ltcBd`3pf?c9`oIO$IRY<1CRb$4R+UT=}tCGZ!v{L`gN^HTQA4cy7Ud1KR zlvL)H0YGeGl(esaJxER3yA@I6oSqh6e5^&HW7S4VV9ES)yH=0ipKk8={v;ztr!NF5 z%2#v!0P7H|j7I)iLW#asK~-1@yRCV_WvbhRY<}s+jT^GIwzh>}2m|{JVR*CVv3VIx z<%`>yw#BpJgR4#2po*TufDkLZuc*S(6CuXy3kOCpG{>8^?)OYdMMXtl%@Y7*N*UMS zT-}N1f^08%Ba}>MQN>F|pPrm;$~P%c-yt7&ymyo&?71>WzI}{eJn4+QTT%As;vs$p zqR_jO66F^V%Y+7iz3EfL!L0iNmTkd+`OMt=>Xw^F?<)jzPGlIMw+3ce2XK z6BwtOAyV@4HOJsVfcoSXH-`XEnu0_lHKaZ^_{710!0J#JzNHKCuCoLFdIf!36ptX6 zj1d!u5-ug9u?1o4W!8^#ijLY;LRki*VW}6SxB;S_luIE}v~eEoko^@`CH4&6+N!o% zzD2+$y7Eo4Ook7>!%)U7or#I@ju$6RdWNvxAAb9Erw`Ra(B+Vxj=Mm4!I zB+bjk)F}GaeA^hd=`{0C^oShxv)*AY*VZ^pc7i34dL@sbA{6@v%1su*C0lCFS1x|}RRl1AO1xqYkzv%4j%w#>uwUa0% zuydml`akT6BO1W}^e=PXdHC0dZKn&^&vR&TJQ*pwUMfBGaNq7mkVbNyFtB(YbPrX{ zqgRxDPDK}XHX4HM##3#seYE(g0V(bM>^__vBWSIWbiWr$=(XIHTKV|E59RNb9aQX@ zKcikNJ`2^smRPr@gDkHHNco7m&_f}lU4~qe%kF>iHIa&qTE8H>SuK}ulPzmQz?#d{19(L=nByMEnrS9a*R_B)%h>fN~r z0|4737t%z>$5MX&A)&pWe7jtk>0m{vZv$e5%EyuPap1ee~GLAmQHC-rC%ZDDIq+HMYig| z?vbvgEwqY4R_xxs(|ml&OEmYAO&c;pniuHwb<5@5|AqPZPctJ{2=V9;-o;}7LI{6% zJS_l=J|g3uT-d*GW&WOLYAyyif0r3beaD8Sm%o4IZ$kd+zcObbA||~$=6^wEK21D; zS_~gF%-sD?VcCYR_h0{@a}n6cv$3rwH#oz-dWnCqw7<&R$qtA=nzHWb{J$Z8&`d=@ zcXJ5uzbKmg^%Vib7|sYdk$t4Fw9Eggfqz$`zkm7f-|*3Zm;ekZPG6W1KO&!R=u5ON z5I>@RqP$~m*z_*0S(O@(2;tnw&}kSPGstLObwKk)B>kN)(fN}$@P27(ZDeS z!wrAsJCvI?$?)xP;@%wdILH}$U|N$70_{ic%{By1)(jYjz=)lQo5w#pcG(K_?APnN z%cQ&U>O9&%1~^Fb5U4b+w|9=lQKlgXFeN2Dlm@Pilud?_!HG@Ks(pq>7yZ=nSYxd| zc9^BXDXvk6TA7g+yLy8$CLr^-TYk*0P*au+u^&>fZN;E0G51D!pY0LZPmd>Fh?`5P zDKxJ3ivlE~85eH=jMJ1hsfV#^u?W}x?q#n03O z+T?}BGM8z5Up*hTv;p>xClA3bp1g?|2OrSPWcbD|feZ~GyfawFcrJXHbe058NOY@q zX26ErcYL0V-b$P#)2p0cCD0tc74j_B@zz-*mvvpVKu||kZV+0rxIrAWcn6;v{d-W7Xn5UpDakLsj5#dA$QPO_H5mE@U z_K?uO8IVkw>7sYfUcfx3Od#YMJGk0fS z$GWB=LXZOJnjE(^qb;OT%E~j2{BA{l$kL4!K?ZZC%;fVIyAmyP@2Dnc(PO4D2{o7!3DPYgT;$c>$h=Ie7%*LKN=-$jr8-D+#RkHR z0>rnHB8IRsmJp1AvN1gXBG}M}_4cmDTBjge60UU>d08cJ)uxjBz$ObzBZA>e9Oi_= 
zkuSxN$uB&r7lBs^-oPDR=qLxuS#rd@9$=Ys4MF|-@)G9u=tM27qJF6{a@d&A;n)&? zb@e;|x4Gu7P3stzxY#ZOF6f~tMn=X-fW6hrn07JDw=>izP^K{NXqRjgYy{g`-F8Z% z(?DKYZ_FOr!7d;U=qr^oO(#wq7?g$2H(bD_-w^Pp!euj(-A}DitZIXghzn_Cv~sVB zx(@lWY6x<2r>>4=^0@?)NwbE?_sVglruCsLp1_3ff+N5TzG6_;rtq?vfJET9q{p&A z-|SGef7dlh*2h7%jnj@^U{+d5S7)b-HQ(?;t&;%PZhvBBSv`shNR85qeHau<&~AOP z#lM?oaQ(gGJt#^-C20%z?(W-FRg}JcwD(2Y!>cQjt4m%qH^O;xS~7S znT(6Oa_@x?Vl(*kisr1t487cXzzKGXWveZchvkx^$p=>->{?1Wq(y5G^A#HMv6G^5 zlzTDTt6-6I=2h5~7|SmUy%eg2{&2Rf$|zMO68*f}c87&*G^a|%9ffD?%Gd>JL9|)jPggT z0Y^soZBqfL!zh;L&D4Wouf2qa`;Lbo?CFXw;Vp;Nd$pEn6+4;^Bq>JbCX9xT zrd;TWw6I%ExUtL|Hu9R^1eFC+cx6Mlvsflw=~hvD>eqR(@72QCGN|EDmaCt`uNh(@ z9Rs>(!ZV>dTao!GodU0(Kr8+BfVQ7LYH={gTz$A^ttZ0WOJ6KhJAH?Pd8~My zJbA4s)|9&sBrXULDY+8|L7ZQ3onz^^W^MO!RZ+NK;L@;yGrPY3eHTSR3LwG9 zgwG)4ld(>C3F=~7F_YxtO=A?=gEZ6l8akDP2kx4TGkMKDs8gQ~cEU2AV|v11u7kys zULx1tP)vd)HE#8)@^oeBvNB#oWpKSeC2lrQ>c&tb^w4BqfyZLYHKP7Khnw-#2)JFk zq+Tq4Jw1QnHQzz-e3)XFKvb0u(p~dP8DBaorGOab?h>u6qP|0QdMZ3HViJ`-9?ZG( zxVv%XjIl+BG?J@^Y|;uJyHrs9qD znpN_;+nRGU9Q29IG0ME3y8i_)FR$GWT^$O*(iP3)U3Ayy{H3`yM~o?b$;wEaO_^Y5 z>cB9@KNICp&gfyz8KDb+N$t*57TLxV1uZU;YGfrAd{-20+TNQjjn|rxomi77ic~Um z+4*k{L42f4*Rs&jng_pma)u12Paj};F+Pa(rb13D>_bDLYWF)>v;4u>JQL>YPZ(BH z4VSWrTDrPi=bV9+^oOxwlkRD%zveoeFc{1zBs5XG%n@j+RuwKJ6<)&Sb9K2mBQ!JK z42u>EYf@8HeewKsRQMP>7!r2(S&((3!wkOQ?B&Wlb;6yCO6o3(#hA-u$ zj#l5>yk&PvZZaa-YBo3_buvPC$U_g#)zaq}q8_m3F@{toO##dX&%$hEquM0SK8q;Z zlNNYCCW7c?D8##zxXGqFENH$k=L;+T$HG#XYkMpf0|t*6H$VOP%lYEd#2b4qoK9uk znXCDernUO(QGzsWwE{#1Z&6h3J&p86R#cOOPRK~g#wFc&c`Br2lXChYeRYd@h?@;& zqPm1HrQW-FV6IimzIY^5mCc_{n_=5(*Bhe_$haj6kqtoS5{`~!M)PO`7>tGWQ7!^M zSmHX1D^OTWyz{C+^KL7X`}hIP>FkwuHD%i!+gA~1Vn>3NZKuW5&)h`9d~y2rdRIl3 zvYx5tPI!uG7=lXKM-3iekw19xm9N~2qIGB*mRVOl{0WAi4VFh%^AR;Zj_0>2rPaTG zFR};(c{0P`&~nQw9LCkyqcMcdt|(67m?VAqZQ{ysa4pvruGdQyTbOoQ$&J*_9Zr?% z?F)O5XT9UIZ9fKP+|W0tC5)yM## zMp>@+6q%9$yZ)`Dxs~fm&r?YxgM3N09k

8*+V7*$XRnsweDH>w1){aVdtj5==W? zFcCde)ZQ70Xa@K*la5RMdFtl4Nx)DS+|Gtdn(59tvA?tZz#0PdP|TriQ(18Y9IYIy zm+lasThL0q1Lw7zCr#;a>8J^m+%Ma8VH_o@LAL$;kqh2A7M(&&b{EFX*U;ac)^5+4 z@j9H9SYBl`6s8+IAl+ZW>p~NJl2SaPc_JhurXz&}JD}?9)2HgIKuv4Iog%SretRiO zW!Z{0X-E?j;_V*>UIN@hM0janaqu8-vuFh>luWq&FPfqGEOYOnjEpTyT(9}H+EtNr z>ZXAKJL99Cf|7G4iH46AFJ7S!(>pzR*Y`bht6DF}(&p2ds`!*cv3*vwvV61&fCQOl zl`hD|L|=xjF~83{r+#1$!-F>y*L?U`%X`wT5MC=*BXuEe`|=H)UV2X&Zok#S<*WG2XD_DP2v-bU3`#V;#EbD>-X8JJ^kQwI z=JCUA{h272b;&jds8~(BjEP_r+CL~8R|It%Q7q1Msx_Ui$~k>=^nSqhwU6=mnVvk( z=}l>dOSq=CzQoZ`j=dTz*CUCY$uSpLPYsOVDhmhPZuMIo;U|X#-i<3&|j|ki1UrkHX0Cg-!?h%Mkb4Z;4#$m#8p`!~d$3Dsw`AI*c zu<$3YCHCEp6VLpzzA!`9_$?D=a`4*kwMq5;gY235++(ROGY8MWhu(I(QAvTzymlAnbF-jXVl(_ele&0g zKg3>2$|VujfRn^_X~l(IcOp8jE=j0xd8R+I1wYFuF8ps!5*;}RI&`Cz>DNp}2KO8k z)OyW&45rOh+cEI+fO%m>qRCRLpIh_J>_5l~5j>R0onSXv)5Ojvjy*wc!J z5UUiEb|HjiIzu?QQq;E$;J}?|#a>jh$o4>4%sJK}z$?&I} zy}Fa~o6j>|L3fI#4?>I-u6#WD-~}@Q23JcY>Ht^z#P-AbMZ(DiHK;mIubb^P$+oD) ziQsC(LYGE;uKWrAoz-5SP2w)`Km}q!8)`dN><$IgevD8RQUc)U6QT*yw|(???*!vl%vU96=Z^1NON__C2C_} z=XNIc!>&<`tY!~!$f}17F*=X ztc~<73ux8+3RkblIercT5Nek3&p5K2cRYs5gHl1Wbi!YN@sMj1jZ&)-R3JW}Q}TKz zbtLJDJMXiwNt8k-(_xWprJ=K~0Y~nxRx<_B+i72Fa{)PBsR062J96XK57&$aX|DDKTDse8?` zKQ=6ci~Veo2h;&%1=Nao)x-g)W zwG)vAYMh$AEU(!Bj$?^MQ!htYSns zlV1)?=hJNApTP)7$B&xEORY5<#0yQ^mKfS*pR6541&pF}5@Iq!rwT<8#gx5iIw`|^ zAO`_&o372eH?C>k-goo0YNc968rGYf?2STOCCy-kbJa&$rCq(ey!2MuYGOZrhH{u# zs5(Abzbt5aP{SDkT1EhdRGt)w^ospRDF~MiW!GN!YdQc#dfG6q_e8iZY7HgVxP0Lv zDAm(5Pw+7|13cb30DS2R8dp8!q7h_XwHfjAZH=QtCi+q*Qm<-5YW5K^D`i0hDErpVgFIirX^=QDGfH zt0zs_X;R^t+X?W72tn)H03V`v^(wYMCpRWMyvJYV9vpvsErR=ZMSGy%+RN`~5zm zFCiFiSi?;dDNsKMGE1j=7PVX_T$Gu@qDT43g`p#u1YE!Tm=^A#+n?ZU<>^>)NqQ~d! 
z8!mx5s6%kP9asgu-WqnWVGOH|jIB2>KcigjZ@t5T{Owk;wp*E7OQ&+{x%4{<(=`p; zPU3vE&cC1!jX^B;+*eZ)9l6Ii^=7C31Osz?IKNP*X<=S%h%pX>z< z$PisjAji9KTiR6sxfDiMbjS2dT>l;^yi9!Od%fNOvD5+0S0G%Wda7s$0}eLrE`ZRk8``cqHd2+E8#5!!GSc3xB8Q|l&S@VmzIT87 zg}u&jkRA21uHm_(L{Y7|I*)o0skn)RSLzjcugflUzgf53`L~AGw zJLHVnq&oWf!^^aUnk5k2yyM!0Uq8**+r=LG_>!qNrFZbw=7JOl%)LHyI}h$y5U$`Z zGwi-rFwNcT2!{_}N(6oO>aWAJ`CAGmwHFAX9#UKY|LEOLql%SgfzS_ENIBMirE6b- zJ}%fcD(D)=7Dz$D>&y~H)@x3k|h%BH!^e|i_mT`^&A zUx&%Gp6br&aN%G+)j^DPO<78q2!A}Fs~F7$AUSoKi8m%aAkxgfGWm2xc<79K?%F*| z`KF9HLJ(D<*^qfIS(7F;d6Bk;qv=K4%%t#9OPdQb)exW&R9rAce)FNxhv;#_ z6Gp%N#kOpV;d~qJ*CfUwX=_{NrhEgvlZ|P8WN*Cr#y}Gu&gKrPqT80e&LmLUBPrwu z|4uV%cBjj%({iO~?6@}QBIK*jysR=(4@E>JwuOml6=4E*%%{_7)thsR>RcFXxYFOi zq0+=Lb(304%Z`&!i9{Ag>de$&>kqjGOJUGx5X5gOM5~Y;PQ6Ng0$}@q# z0l`ZxDD4dHG154vMxl}(dPu)*dKnhhWf21cnB-%9sl)2K7Oq!^Ph2z1oUo3ffPQQB zbi%r|y>a`NxJ0E%SHa%dMWR@U8_d5A!qTpfuZt7@qkE5P*7RQE!W64@cwUfhPIK4m%rv_>}#`5VAm}d_d*Xtn$`JR?30&3gE>JPHC?JLZx%!_t*$c{D%(CA4(wZ%V&*fczruQs8=b zemT_R5V-4aVF6Ad+qU}=Y#tx&0X2z-42J4 zX-$#TS>R9v()BU~PHJmt;h6YziA;p8O5G6uW4cCebv7Ni*Ele6KS9UbpFZ6kSL z{au}H+I}P_P#?*;lN5vm?>KXX`fzsp5f4yfnhDHh*wP2V^nzgZ!ow^o3fE&xVj(pSa%nQkHt|hX7D`0&}b$ zs34)6;_T^}^+(>xc5LYvy#>SRZQ|ptNRi@jAB(F3fV_g6h;a|7Qe`ZnHeK`dVB44& zRLc>YCSskUq11DAA?W<&t}de%)EQ=YvWZ@UP2WFL-&W8IVF+&&JV8D8Jen3HKC|*N zBROy917|TaP-~^10G(kDoQw9_TTuM*KI1J?Eq-hrnEJA-gXGS_rs(sgb=rmfF1^>K zpIJ>;CDQkuG!OV)aDFPS33P$tE|R5hfw|swFi5uxnSw{*{f@nb z(pJ*x>}gWJ_NWx$mr!me0IGh`y-{FDnp5nLu*N9&R#8yJ=K$gDx%*7PAT4)(d>um| zb5IdzcBw*!Q{>GCnsK?Zwp8o(15gyfXxfvQZAaKZbi%B(i{wvW96SNRI~c2kR7{>Q zlq*Gv@XzS4y+0AWlYx?(LmL&wJ}%)LlGu4Rh^sj|g^&ILb<%}++D?f=(fa*66cO&jxl8c^YLnoh%k<>K@m-+Jz-B$R(sibSbvXJ;tyJ+e9dj%jv_ zl1_+gR%8|4IS|^IlVcLRthydCsqxcIGxv2pqdU(SpBLW>Tk4Ox=$e;5Z)MPn3C(P^ zC^L+P;qp;kn2%T@HIr!)(b3|NBmR>NFPW-DDQp!&W1*nL|+TsKQDK}^;V^@%)!52GChV998j&G_MU zFI^7MXwp}jL$DSiWJ>4pQlZV9?BMz$w3{vW+EWHBwFfBF#4Rd zGU??xeH&Sw$f)~{E*np1karF=F1dnqZp18Kq3p9QJf|K{efRF2rJ+f@)E9D6>S!<{ z-7G`e+|?yv0M6M066i)ZQ0r?Zk=DZ`hx{(VuIklTnehAh49%-U=L0)@dr*2I9~#$7 
zJIgxDb|5b-#o041edt7zCVI2xBHmxRIGJr9*hoh6W3mk{SMxJu&c_d@rxHZkHpWDcS*-i^Unb4nLaI zjk`$mTD7fSGF!mcTz@1qUadp3xPsE90S>bSBinNYYir;i$5D`y@cQCblewtQ@C-%3yV z(2!*%0Xf5{eOtXKXS;1bb^mg3YAa!1luT|3`qRS^6MwCDS`G`pz!sfbC9X!u0bplG2d2DPsLPeZ53XO7C`AtUO39ae{6e)KW* zt_~h*ePd;PN0Gv72dXXsKdZN~ALxv+OU2Exu~iRdnIz#H7@MHpWFN0I?PIPo0AW=Sxki&-C%}ZgP^-aNfY_S6kBJX7 zX1BHDNp=<`p57M~9N7VrbLq+!q_Ylap$-)n#y3s{Na5llMnz163NM1l$= z@v}|JUJEaSlw%v0pNB->9|`q5ZraHSXsJc7Ml2CHazUHc(|na0$J*D*hzYd-I)Ex$ z8M-=%>{fpDa=JwF-UVHb+5Ympo)vILmM`g8yUpLO?L05WBfaqcL;&42DDTNW`wERf zEZQzQ2&bhO+5`)63+~6)Pc6X@S9>oea8OZg-F0N10*{t%IiDGTa+;kIDOY#XCU@^2 zf%t+3%ul0iaRXtLnJbuvNy;E?Jdyy<(g%>1n_^B9_p078kt@E@@8y;-nPqPg#x8g}a zQh#=?t5I3J(KCEmLzd6BVPSb#lFeL2rgT|OwO{UWzYz(Y)w40ABcsHI=t}vV<41F7F`o^iR-kqPYcVP zwFCX-U5;Ql+)nwU(OCvFIDIoZxjUaVLZ8gG zqW4;@Hyl_5Tx;Us?Ol&J_4m6yu?fX}y<7=AAJ=*;NZ8JOV^=HY6IdnPpb3IUgYRu> zl#pxv=6tMJ8r?9JPxbNFPm>ZPBT+dIIv^|~v;#klha*=T%*}Ff13x;B@TRO$uEHs| zuQleTsn3qOwN;$A7rcG`W95TFq=cKJqQ+pfxNA8AprZ^Lq&zrf?)@Ri@A*OIAds19 z`{!eSelNC_4%F1@FteTn@y28`vyi}Kb18tQ@P7X;F;{CI&FbxzJPX%i4p4eg(M&9(R^?QF}E|Cv0etYfnjkCLcXv2dK*X?*3 z_Td+%AN|_bdLU!;ihip_kmIcN*ZTXl68>dO+(x&$DJOH!?2J(OUoQP);@RY*vVTvk zXkA&>^bg#Q_S#6nnqo+yb=>KYVcjDHq7NNIZKK`D) zv(aY`m_l}_kAheFL23TwOMI5R;g$M7MfrwW{-2`!r&Jdu@~au{F@Jd)NdZ0neQob7?yXyDQlGZdH`TgAKR;pY3lK^YzoE=^Clr z1GA)_;Qw5pZ{GatFMUIy{Z1T}fr~UPU;59T`Tf6XzYfmxKruD7f8HMdp^<-iV4tBK zJDLv%<&}NY;r-r+5rodJgr;`p-?!kmg!c_O{N>4wMCj-Q{D*D${-+QA(^JU=f&;xX z<$|E^|F8sqx%J<#cpwNw0Yf6ajQ{36e!tkw6TmJBPADjT^L$HjY(<)rGF)51%)Ua+U@&-h*&(`_y95$G^9Z+0)lgJvWIt&-C#LY ztH3(l<(q4!)la9nMWF3Q4~(GL&ttaWo0ZHbSco(bS1XOe9t<`Q0bv0 zxJN68+2Emz5vc{ZWDlQ100y;i0f4@n^Oo$(_J7j~7@2OZX?xsVX4!>HMDEIfUH4YB zp9H53I{$l51et=ZpV*O$#EMII%<@1P6^;Yeu3gXE=iARs<~$dp^mb-aU5}x)w4_aF z@{e=x9~Dl^&BuZc1dYKslO(0y^gmZE`w)F+hOTS8T3K>( zvhrV!s;^ZEdV*LKU47qh+x$Q*3Vp5Yo6nT3v-P-48yJ21+h(qKzXLP^8ZS@^><8J* zw0}J9{$g8xzW{V49T35wt+Y=4uJ|cs6`(Ax47IT4Q&d!pu0K>_))>(S_)oLaHE5e? 
z*B`ee&5B03y|TT3zEiu(N6?H{l3f~P93z94f!YZ_5S;8bu>Ik)?!F4}xDDgk#u%T&(F$1&x z&On9p$A$g-Is%Pq1!ntfzvPdG+JETRmmkzsz+uMXaW(oo9{Zcy1CoP}99X7wCsNAc zze?-JWOVZ?u-mXH7Uv&Uldtc}#RGD;t^Em(8$RvVpWfiDWmv$r(a6zk|F7cH|G$*w zWk_c9S899USp}#=Cn-gXEwwy;{I~}+Ta7j-ahYD-JS~^=!?L@189H;P)D{0&yD{Fm zTIqF%NeHxIXpI7e+ob~VGqI!7IrNX+yn*=ts-n;~lHv53&o@qLtI?u?o|p=*plkIX z%jnbb%bm5Ad7kOYa1|P8@#Q)Rnryn^tgHes-#nYX7yw>?arQdsn@QTn^RmnA+xu|r z_@2!XwHO=wC~5EYgx{0KUu0t>_)`?<-#MeSB(L2KhsMC*pnVr`ebjv1{s zw8svNqyCn7Uok)0)M)5hAGuyPFlyIp`)4XIJ7O!ZUQzS>DPQ?8UN`qOs|f|?lYiQQ zzuL1yV2a~Mot{6};_G*ly=Ej)wmWIG$;o;FM4ad(PRq>M&>Ep{zW#sMO1~4& z*2l=?k(ii+g4#vG79t_Jtl#|R)7KR%0Q-1Cgy`RomlPHjc3$}W0q6e0O!(wiXVQOM z|4-H1X>c?q%I(wJ$2bGP*+caX)YR1MhMWzaaNBRK)Sja^RgKOsC@LsOxB}<^qQCCZ z(Z)qh5_=Koj@>`mnc*?*$7Ux&jblQLmD#!3{JD}FEgJMJv93N)geBHrn0Lmjwe5m^ zliDqJ_t8AJ)*F}qy2QUf`N-DHZ5Bz`SFTgQE2OCXtp7m3g!RlbxEPhC+;+sp6_M$5 zd_|RES)v>;DmB$&$5toRxUr+4{3#4LM9bx+oX9Y~9M30S`JD7sc5>1r^*G5?<)%cL zK4EBLmX&tMN?KrQ@JvvS8v3c%NMux$gruY-l^iHMup%3Newa@=2C)5NcBmW7WZeus zgSCiBO-+4y#)yn;!_CLLoj^>yEExY#L`n=0iA1%=fK9o2y~pGtxhb6nRiBKky2v4R z%F;pfFfp|0@L9bC+aAL4S(w=Vw>doP-7?^#`Qm{E6tGiQ_-oO}6OJ0cCj z-4{qMwf8*-uBt8#cWWfNDLqHK%IPMWM7lM7GI(O*TNH4evNzwCAjRb*Q##@%eL5y;;bG63oE;LQdT9sw=kle5S5!10=#Az`;kQ@5# zjY>Xt?m5c>7@JJ>P9Dhuu5=H^xHOp)uGG-fG~l$pwyJ2|l_?ox_b8Glcd%&BD_$W_ zq3G9!^B=J(uGSu^M?XdaL!kL2pR=DEE!aOs%R1X0le&XhQ94z$&G*43Wnle{Fc%%H zC434VRmZlT>Jl8k)Rg4(^KI_H!k1S`M9_cEQ)&b&NiMb+xcDa6;l=%{_R7Oko-LgC z8sAuG7-L?ly?v^xN9*057k1CQIrWQ5wBFjpNz!=Byo(s7AB)|tMW3&|Uz8)Pe|N30 zT5A6rBU0wnINj$O=58&K3eh0j)G6gtVRDBVczvTSLQ&r>k@PYCVegnB5!x`&$Qhw<~*`pDT!ZmELa%aZ)F`8 zC#m8;rDYV;W}$8xlh>Cs18B(}Jh*4VxDN^HQi_Ke8{nhV26$a?f`sTWjp&p<@OpIH zsOV1(5}de{Gf1#z5z$1^F79nP%(X%Uc;*K&B)sv~9(e~FxRklUGDw{1w$4g2`F}W? z9uTTs>!u`zruN7oaoRJkb&K089i3r^I5lywWKtCYerr2~cTyt29aUJBK6^IZ%0)%t zK3Ek*5Jc;bNH4^^tmFRFFOdvOpw*9xb}491U^)s8aT}b+X-}!N5kVF;#_K$v zm{eMo*@euU5J3adhW^h%j$KxXN=(-(by{9S==H=!)e?htPSU^Ru$52u|>|&?2|o>-wK$7usV=0zMzq zz_*8H4C&wYc6b2W+QaRWjy7Ea(%BxzH-1! 
zf&v+=d$)496ptD<-tE)2!4+QS53IHKomz6|=F8qo)g>v`rrfQvk2BGg!=@_LqKi`F zpVZzTYdb%jgsMfK6T+p=NF+D#{}N>D4A}%AqK50ILu)0>2kIq~yNk|5;w6$>&f(68 zyFVGZfU^|%FS)LC+FUG4q&LEl&9FMJxck#BO;#!6lW z`TEwHqq8nzYjcivWZm>=eYbvT7~X7a!2?Y0IIZTAFk8~H<}!_)7-fZn>(m;=m=dET zpMG&U`Hm1VirffCd1m4zY9*5AE~0L4BOdO`klP)t+S7XXtWz}S5k^K_ zwLC2S%Bil5LxCX}I~LN~8(KB#t)$FJjMDyZ9`k!npFY@bpv;Y^oxK;^>dK~p7!Rok_!AZ9^CUJcRu2tLT%h247;G}&ce7j3x+(=>f?;2d6 zcH^=qx5p%_daPd?03r`tf3lRPTWBZw+7;^$AivLA*ON=f{iA21!C+gia;zIE5)c0+ zG2`<-i-cWQ%f+8d6`1o5q^-!+qPw2t6Ewj*HuPebLV`EfD)<#vdD`u`{fL3r>PXp{ zX{LoF4j0U#CKBrnDA>|ru2{?Tt9S(Tfc>dz$?Nr?ZJ@{LSuZt@7-dTiT%=d`xT;6_ zUgg!Ml0kt11CHgjllJ`$aFis@a=KQc)`l3RkyFXX8clc$R&^q&vMarhec@?N=Zi+T zj^MTu8?bg4x_?F&IS~&N;QNCgRU#avk_`y(2KY9Tz9nDJD)=?N_U%z=aiGpkM{6~$ zdop#4?K;HRx0OwK22E-_U^mfTZ6b&uUk3UbmuC49MSqSusNCc^7Uv(dtNN|f@7~8> zO;2o#*5cO2oxiLk2<5ImNFSJ*RT76<{x4UD$cS)(XcIFlF!PxL_fN z6yK3}y$2!Zkzyp;5>r=x>eMNQ4!$Kq97^aEZ!YssO;26kY)ZmrSb395FHP0WRCD>O4ZHnKU}w; zp)~A+TI|ZgjYc50y5N{wqR!! zHrO0>*XFDTcgjSmQJkdjC_Rhxer}4sr7}34dCwQ&MnwZf*dqu#?H(0`+QeL-iAT99 zO{N@Z&UFhSif%ciBhOOeZ9D*Gm!9nEaEgIDeW=M?t1}PKh^xX@iy~i&wXH_QpTIbg zsm@}^ygQi~a9+2znUk2OwF&SiPeSAktBIloz{Zs6EOvwWrvnnneVXytd5KYPOk>n; zzh8WX)`0BOp}=E}@LRma($kYOMYWt%Z&ffsw(U_!__wWmCWF(i=BLaK{O6+I_D3p> z+9|La9KU(ouJdUCf-08EHgZ_5GF&{s;I6{zA%`}tD2t%;pWyTcnp>XlU*|G5PH2zW z5y40}XE3j+mmSP@<;-J9_AFy)Z!i*Ny@-LE9k zJbhX}4`*;q7h8osHECe>dgsdPras-h?8H=yE_1L+Z_PRCTo-e`7R|uUc*|2CEc5c= zCrnoj_`^~@VdXI7s!fbib+0!&kFz`m z{#72RxV0>1HsfXtDjN5AxUEINZuc7`=O;1Mr_ry~Sgby1xWQ{Njh+mMsShN(g%XU-`*I16Tk+t8N-4^>Ut#C20qmHT_mL#TqMFZ zd-VHK7aItP%DN}E$6M{>#>t}Zcp5=)5pCk`PKmE|5H#z}|J?hGTb&*kU z5$l10RF|*d?KI> zwcB=U_6_v$yLLgdH^_2Qg<;44n~U6pL#fhPqsH&c3vD1RG9R!9v?RG-Hc;yCG86x2 zRKB6b|7le8IM2cRBdpJ2Y)eAx_WtnNKP?4T>NyA9rr-7U1m~T6wSZcXW&FpI;RY+e zV~+(3Fjy$#KOB?TWxBk)Jmohs4JOmO0-g8m+lNDEk^cDehS&KIo##FY;1Oq7CVzj> ztyX8V&2cd%U|0)2{Lo7EBHZbi7TlYmsjnEMolFXBi~N4r^2!*}pQ7kQRQ+*}9qDvF zJ6aVw`brp3s3+g0w|{;YtWG)TZqJ;f48X@o(ybP1!NcCiq`%N-i$2DdUeM 
z==|_oe6@>ZoT1uNp?&+)A2+yvzEMgFP`W2BPpy7o;>H!>I)VyZq@?AFN(e~zhyscTD%~j3Eesuw3aF%V z=~R>sX(Y!0l$IJgg`q=WhURz1dl|5~_rAZi-nHJZe?5zNJkL2hK6{_D<3!@|W9sVb zr@KJ~eeErS_V4b3fByMO(rwY9It~Ys&2rf(H@gS?R+r$B3LIIztp8k;t)qc1OkuBY{RG)<9t&cBE`^8(1= zKgGViblg<`!NaEmkj7fnALLuJ`btQ4H&Pt7bn4>uA7tt5l0tzBfIi|Ul6U#~4^ZGT zfb`3RL_Y+B-K-Pt3b1Ql=;D8ZE)rvaI_B5Zc1OVH505b&LNq1DbMjiHNLfnST6m{HXIu3m3x&iz@%z{=z5lSu!>C!L3ezn<@BF zB5+Ns5euKys)EN#bLr5~kna72${-%lnb7S;WnCNZ)|28XVkgh{_#9^@(yty90k(O?TuUhFXkC)1GrpK z_i^XQyI#iDdZfYm=*WHIJ$2hD<=+*lpOg6^SP#1;%l@Cg^&K7Dng;lZYY=!~GOl}! z#sAAFSFq>3HatQ<|JKi!2qy(6=|Y41p!5GcOLUt7aO`?~BHy3=rAX}{!q*e?Ed zarGJ-eQac8BsC3D!v48q>Nb+{|-EJl0;3WhZulI3_?dAc&Bx;a)S8f7B z@nH99+2GEQUW`te>vBcx`lQiZ$G^YBf$;v-sc8g|7UjQzV{Jcr>7?K(=Yvtg9E)5u*LD$ z2r%Q^Eiblty)CJYSWu2RK>oG3fA8HNzT+DK2Dv(6GxftvWE^jP^56`r+BLeFFfEheSN8rF$|91$xe{$2JyPf2lLVwk8v%POM#j3$ zv425gDn2kseA`gxrT;R_0y{Y3GLj_tG4X#XvwQL4Spb5yIBU85Co2~N%mP|2Y0rP5 z?EgUJJCgK2Q2CxnNnh5x)p9iLJ3u>+7f>cxFd!SBWo4c*H>wpscM?=4MVPsG z;R`*z{QPZ8uVObdUm}M@By#DxNOyz5a8goWJ&w_(hkrdUxC;D8)bb6&-l9}kv;iK7 zg<7jRKOXU!Yw7OHzw%}mtH6h(-3C^Y99nSc>s2FU2}M^hwk`xl88?aB1>oeQg%j1m zm5OZHMk2eis8!!ZR%6ZX**QHW~hgP_am?dZmvSpy#(E0YQ@7XD+8^EZx0;|0L6wagy1ccoCiuDI& z61!R)Nm3>lWCfib^3ONRJ49(8sJRznRIB(;hIJ7eSnVroJ+mbk@ZbOdMz)0XaTtzVR<{m9RV2caBW-c{|?EfdAeHaiTO62EL& zG78<}h|a2_7kTm4Idyl$-}w~;4ERZz%vs<{-M`i!H;o4xt-Bk73hU{Xda<$OaD`{X zepwmQQ*Gi~6xzXpuT}NSpGIR5H#Z+%+fLMgw=#cDV@S@Q8~Qtt)1uWcVXjdIuj1rA z+M$rx5?lWK!;%FC)zC+oAD*c=i;pJDYG)wWe zA-{9$(Z~%;W&G+_OhLT>PD?E5~vGwrlbsCwet&Os!U zQ~1Ybx!n0PqlwvRmG&_=+HRs<_r}iQH$q;o)z47uKXEw4a-ChElloOmY@tor#yWek zvHAd&gvb1dYhPs$-}fu#zr~wI(0qh5eE2&MdPN3a>QJ{|>hMzwsXIJ5>s8JC%#GZ5 ze5yliF~1iT44;Z+>+njtgkR;AO!>|Hx8(Fox6zr@n&uj(^QUi-AWazV`1`O#RH4cg zB+T~&+jOU^g*Lm`@`H*o3ae<3V>iu&rn*Gj{Gm1NMiUcDp3*~^ea5{0^|hIPQ^nV! 
z#XZc-QkEI(%9j$Q<7E{*e4VQlPvxkdXvj=Jyeq$GBGS4ZI>UdoZ{1Br_9Z5Ey@v12 zNv1no5*q^(tNd+ZkMN}R*&TNYa&c(@6ti!A`u6oSSvZ8m_x8I<@)}Yq>WT8AH1y0wC)!DK>5KB6xkDD}ETwnd zWzTid2WRfkrEWZgzDL{VNeJ1gSwK*3G8vf)t7Nj?$_%T!>md?H4*+fALjbt&{cBNa zjEA~#T@R?x4i&q@+7%nKjI?5Rk3hk~n;tUcigEB%k2&;@UR#~2DmoiUk*wcxyhKyC zxQXoYZYBPT3fL{G3oU=UcGKf8lp6I#ow9T@pI2LX2#;J_eaJfn_n(5tTpHFKgU#jE zqE8s+7wEUc%rX9YNVM?bVtMrLvPKc(Z8^CNR^_`adhVaT z`+REZbT16tc&Cqbl8#CDxInW@DPN zs>)<|bE80@4gIh>h*Zy)f~ocf3D3ym{lC+&De)6|(KFcSZ&-cc8R-*5dV7Qz7?@c_ z_2it2a>6JaEwD$s4RzmGP#J0KP^bDqNj^?+{(694Cnag54Pi5(!*Pz|KorD?p4DD{ zpf-8I-J??=NHW6PXSIa>GCX;`CMZ(A#y+uCH@_rGD$s#djHUS;HkT33L~!h&ce(d45?C2f%RIFpo1d?%KD9G74pM$A*d`i@+fg`ff$W2 zwYR!>VS1$YHx)$I7uXdT66x!AxH`M9v@>K^QJ{S*_;*DB#1$f6;>B@xT;%9BLIW<+ zW-0vgxn)L}88u zsI3>V&vpn_jx%d`P?{Mp_`=@CBRNJI3(=J?(a!$+TsI0|H_!E)Dm(Xl=Gx{g{B8~L zrpbyWAHwVmY*#vSnE;E1H*L_ugk1Wu^@AVtN1r@uSbr|I!XgWOL#lqTY_a5ULnXpU|DB!KPzEL}X@nX@i~=jSztvNbRa&17 zG238rD|k4gCi;~$e%~QFmi)Q&tY3RuHj>ansX*Mh#4eQb*Op#ee|yD`>cCl zd|EYYMi{C#7&e>dxMSD7ht?(5IC~G=p^$N0XdNuBFY)J-zQAkcv{+sF616(CJeZR+ zxsp5>@(D@0C*4$4H_!k`wvmgPz?A>JqZr7fF%u+<9EFcn`HXKatleJ8xUnO@oS^VG~CZ@M;Q)S2{ahw`k0BJe(8+70gMr!@9sCm@ zGzn!m@KO1skD@7sB|F*zvj_mZip?b7R;!kq-hd-t#xW;j&}hi!L&53Wo$cj4n5$2+ z+n+ujRz8K_RYSpqRI?S3OfJ*DU9AUq`iAsL~VPJ-S)g7W@v;Zgjznn>~-%T?X^U`wf%|Yc-X;eOdoh z<{)N}UdlP06uzH_IZ2ItDNR^Lq-#jjZ@zG4tyNjJi`q)eP2X+clf!$#Hkw{PTaAW7 zfAs={?D0B)u6%hnkYf4!zF_`0uHN5tH7`WG^@{y)VCTz?`f#7a?0umLT&+VUf}dk* z=79(U()U(Rq{2AyT$R%;bz8aX04-;yV`)9k@0m{{+ceXrXZJ-ltX&Mzc6<8iqw=Z# zrA|$Cit9}&XovC(@V5*1vu@OukXO|f1dE}nLZ^Hzrj&ZpCNv8&$GiQyift|*Z5VK? 
zB1otdFmiZy6=UyubKkdHm2I~Kw?l8&gOf=tclPH9)9qAz=Rdd>-+ofEXD`kRZuXef zR!0wb#2ADoRJq8T4MW_3+;dUkIg|=g&C}+oQ=}SDAUBYkQ%l7;3TvEBl!=YQtMa;< zQ#p=uCH~L^(?@=+y&gkN^)w}qCEv`2tr~=^uMl(ic}&ELXSr@F*!yziwrK9IL6#dU zV_ZifWo7OTO&;|}EH%kiBy_%N=>F3nXQnQjZKE(hGWsvIeS`lgaKtOR@c|^4$@&$w zIz>Q0sYp%C%1qVW2rK$jhJIoh)s0uaAsZijR~}97RE{4iRig-et~a_fd?(jmWZ@~U zhMve7o?I!)krtds6GM#Js5`b??4;lCd-NYGyHw$j(#ap<<~&@iZgE0n=Kwo2^~(=0 z6x_aT=%LGyv!h-i?k*nI2N0k+&1xh~a1v)`_1y60v{}m(`AmY+T?Nd}c=ha1r|+=; zZ#i(rQdQ9%3jkZ+)?+3J$(hV9nvb@Ps1ApTqqqEj4f6Z45e%ZKCNrHghL;1{c9s4M z4FE>a#dUAgj#h;5Lr2u=6DI2I4d!JPVBTF@q++~6vNX#;-uq{XmgT3Ow2vga%er0& z24vFJJ{*Me1VJRJ22T+-q-!nRqqB+=m`>8L4b){91-_{#`*zAa?uD-&;Nlb{jgvz@ z`ldT*X{V)^ZFzogoiH63n2H5{3chf?D5^~|&H#>C&j~5Ee>NnP$VZoeE>>@jhvC%i zXAh0~d-vAS>+VV1!G*urVV;X9|Glx>_!f$}krHoHgEpHpDvvYd^2Lph&KC5+! zZ3j{Q8Z-Bg7mK<#J3fwt6pf$1jR=IiHF94G@Vdzz^6kEMTPkqk5vKq)8>=5B!+!gk zgnIG#@(PwxjV5p8sqhz*wjY-bT*?XhMN&!1yz6e}|@j5%(rugeBgVV+mqYYH6CY z;5y0^6XbPc^>o^U3qD@=u6R{?69(i?726fDqG8Pnf}Q3p#`c`UT}lgo%NB z2ncv-YD>PrJ~%nNvz#(=z4ZOBoeL_Ed0aP8oUqNYE6guSO0;MiwKOzR)?ZoFHQH~% z$7jAENQmUXzgCXSj=o4(RVPmMe@K;s2|$qbbOds6#8peg7G_8WolA_IEQs8Kt4bH`iF?R~9uv-|bRfFa1J;;Eza+(ZnmF0%v}w05@ZN ztpi{EB@F^GE+WNAq_nJ_xw(1S`#YQ#*?pEv&cf&B<^bWF`yz>$-`#kRx{KCOxL{n3fQcqLFda1fYn%fVC z-Ch7fj}T&fcm&2{wlxeKMo25>oU2YyH@3ctQOK}$^!|#ugi%W(S!jlZi{$*2Ue;qF z-zxIgd~N|0YU^*um0obU;<=zF)i0!Kq-l1%eS3Z?z;ePr@5?H5FNHYIaxzMX>24tj zSGIyRGf1N=IP?aL#22A8IPAcrMXAlOL(Os9f-ug>tk2g-vyfySN@(&4V{gs1;jaN3( zJ|eQ%j#sAQAI@|xK-Zx^Q@+Ri%jU_x5zv)YYu0q9qW49_0v%SnnEE|1^>dC_IdFwY zaXNY+GGjfSrG_+{AE`qkrwYC#yYxA|=7h^#k!f~wZ~MY87j=BO!tV*x!APLIFSM^t z;B?4XxxW}j7aAHWp`v5o+XvUjxH($l-TpzWYH^tMtM3+>8Kml;G$-AjB?irbCy0?5swn%{Rg1mL; z1a~`6(bLdG%AQz=wm;Xhiuq&AJxq3Q-Nb}p*fjY-tuW)ZTZDtBFCP$rL_q(S3G#8> z4&WN_B_<1PC=Z@@L4vqLoBs_X3JI-V(6{)>!q9MX)DQx`k7%r_+QlAdW~|lxc3b#3 zU4p~(qJq(74bxU@@{xFvJRip^ZTIqG?O8NfUO%MUzcjh_?VAdRqF&$P$K4vDk z`PC6L5nDzoi-gM!yqSm$;4Kmx85yw`*a$3*<39CFy>a&OmdS{l!T)4!7@;;MQTuxz z>;wzTT0FCx!*G$vlcboA$%A9Ph2`oDtG}MZx90saeg?R4$PL(dB3MsTfaN8RByES< 
z`%`9UeHc?6X)zP~R^}SlNxZt(;hr#a&Jy&kcLW;AG1MM1m3=|y~l?SgRr*Wui!Jjl$upN}nvUt6p_ zSI6?E{puNSdfr1>H1sqnxjnF{ZR;H-$XDIQFjH=eb6a&l5X(cWu7d<9&-6~LD& z=`0DoU|VQKkh-;bI_L`(8IbcJJ6LNl_3k`sWMulnCZtZOM=!;wZLIy5j)?RnDAYDL zqhK4nl^`YS=q{e)OmE&q@>@hC3%(s8`)s`A>|L6=Dk!epbT5oe>UD4!>1Ak=TczE5t$#1;>ohA%RlXzyvI3ZzVrz}n?O!2S1v%ZeZ z(5Cbc2=EYuMLs|&3E3Kg)=@-!-W@PWJ_IyT(_A=F#6&_^SvPM)+dk1PCl@plmJxnV&JJvE_mKW_mqt%^j(kw@` zzO7KWm4E#pEeAgG_H^O!wy)8C5`4t(u{}Lb5YB*)oFVVJ1&0`&=H#5I=|hSoj)(t6 zuZ)0QxQNDta=s(k={qj2f%}o%4>Vl4zE+EcUc0jQET|}7_YV^OW=%*-ymO~!M`qk3 zOJ~=Ja|+xsl_`tSw$n}>%M9(0qn9&sR4p)G2u8xUZX1!hWg(@XJ`trRcvKeGSNG2M zVvJC_xdyHFR)AM8=)uGnll+a_O|zr<;H~Y5bLh=IbeBqGF??OYv7O_(dW-uRZKC>f0(G-fFE;lU`U2x&D7## zj^N8Bb6TfcmcyiHKSq{22BbttF=iehNg^kyPaCEli(bXd#C8MY?gj!}Zfqo2djfE- zvsqRbdknaxa^HUdF#@2iJ!V$J+jQnv0*HL>Wpr8tfsW&bcSpf=ajHp0ZIQwG=ZK`D zmze4OD=85pZn4G5cAc81myPpzJZ1Afklv3QzUu*Vp}?#k)vlG!`Qs>j7hMs-Cc<(lKnW@k9UNalp$ zi$~=5tHUvF(j6BJt5O4x+F`RtwfSiD2IF!)PQX$}+NguLFKRZof zh(DNzMylkOmIy!MfE@3H9yVOHB?=Ri_ZbKh;|mf^If$^fqy)6D^;`_#7nPB|z_T9c z&cb>#L78tg%TDK_EsH-5JpmgvA3W*g(zcxC2Mp&fl(~|(h8TT0{HaCy?8f3OA z*v=L`j3jMx?Y~rD6uY@n5b2+}4{k}cR(BWE)|lyHv%QVe6Bi!iyX;MQZq{fBAWL*3b3L*ooX4w%@_dhxVCA+)X^ zY4V=rK~l5}F#gs3pP^+xgHzHiUsYXard4;sOgC3d;%~3t{Nb(GA8r>*?_`=`Z(|cM zU4pJ;fBnvnLo#AcJ(*^xzkoqDHfTQ$@nXy#IO!3RdfHb$IyoO9h6&}bEH7#w3lmar z&ND|26!a0i4NBVT1>o+|0BU?FYV13|Iq1U4Kkgyvcap}m$63)hF+-e!JY)DxBI>a2 z0V4|Ui^05^3TNvkn3KXKBQXKaQWu!&273k;xrojyBZ?58QGBX&^;Hu>V>)~4p>{{e zCGp2%VXOvak6(uwOhE~)^JyAgd6fHnS);AW=DL*6RYq0g*`*3w^hahp#W=NfbSzU^ zbRg8t*OF7(=*U%8$5uX`u_0E;3!AyDTatL@9&J@Rez1f~l`KIAs_Ao#-gGkBfDZY@>g!Ir3V|fTXOMG zz&3%)m_8@D4&6!oWi6o8seTUsbiz3DP+F!;$Mec>A+=L-0e+^WA**d}4z0g!+&G=(kMgJ0 zak^L6Tg-6s5Sw%($7`6ugg@g=<>3#ikBvIGZKfe4WgDrns$OzK8h_@687U7p*k^*P zXU9@IJmk+dW>1irl`(n>*05%HS*5Ybjcedjq;|Hk8LCdD5FN8xeQQpktk-3dm5_3K zWR3VRD5o1cPvpHh-&>r$Y{$T7_CcV$Z_xHCtenrkxgMsyY*iUFR!(!Ok=9Zqb9uhW zrO44=MS|0&)){$4G!}{Pe2Ouuv2RQiw#|&z9ga4Wl$M2OdaNAUyc86Mi-1{c)1|~0 
zd(67vKG7>ulhAIbS+)TjDFp-L!ZAi+l6ENYQV+eIewBRep3}-$qC%yFqbQUbd-%`q$^TPM$lGM3Ys(Cu6W?Vu)ee!J6>E*+OwCv)`sF$kZCtI z<#VnL9$K2uZ`B+h-dk7nLRSfyW|p~;Rw8TI11q;PJF=Xo6QwmO|cV^!1ZJXB!j@Qec$rAdG7^psYXP3b`Gpml)w zQY-uG6oV&YNvs;fy0r1rFfH#SmSW&4BJDIg3hKdZ)O_a7(NChdAi-Y7w4UVnq)4W3I$VC=-k^D;Q$9Jcm`1k76f93?)c;@O;3FEhv?DCDxXU23{So`kgrf{Se#L6^Ze6I z^+t9H{yX=q5=d?eXw>GMuBDhS>EEZRGIBJSe8^4R2VsC;e-!03mY?_P-P%&pJ@qyn zx0j-~!!hZEH`?eN+~2^g40_UaVrQODXlXfU)ucR(o|h1e;*4K-nXzJq&+9WKz=v^a zUG}L`E%k4>K&y*R5>9BHvf=c0Q}(fS2kwXpJ>eL7CX%0G;`m3#j8-8=~c&OG> z_l0}(G(=BN=VZHZ+=*1?V34TvugYgLymaoFjcd-Pv{LjNdpw%sfvjxu6%w_N>IGh2 zMcKs+kP6N@bjYPd2r)+qi6UENchC~&ee8UImP3-_IyhBdZ|5j^$zsn#iA>H?Cd3Ub zg0=+?&&D|w@8%*Fm`7HdhzBswVeAsVQ>?Wfp#LE1JSQHu211%m2e)@LDUtGt_ zEK{PJH9I&CGrQKeIX&K}Gbc(~ZJu^NT=hwm#I3^i#g7w4F`_SiXZJZoss)-Otm?{7 zuj+10Z90B}%}L=O%~} zs@YQSQ7bdmtWcoHSDEj1snunrd@{s8OtbHWja!OFG4e!)_T0+b!cfZ|oukt}Wuz;q zgbXU$n>@!FBUx=JG^gC$2P*L&`OKRP!;}ix&1~E(H(rZ%ET1~4Wu8@u^$Etrj{1}O za`eV#rH^ks;2J64oTN)#sS=}KFaH#7cBz3Bb8${%7?~+pwFXPOKGQ>-_7ZtxZGX9) zi-|!C1VbUgxvUm*VBs#pBr)1vm(ZBd2>qslDo*G;7f+9X!*jinvb_=c$=l}!I~jv> z4Z*`cmbg13x3#&Nap6NMb~syR$*n%%a-NpkTSwDWi`s939`l|pRxl{TTAIXLu8~!i zA76GxMNG$^zLI9BmTP=)j2ttZIn*A!NAKRAF2|2ms0Oh0&Qm`7!qw#-OAVenDWdqa zXH|-ZdRSJ9Rce>Mn@mgu+Y~)hMG{E0DwnF_@^vFMXEP)1H8)pQ=B-H~+bF-BVl<*( zzO)wbDfC2aDyy+h6kfVtdKc2D>x7E;DIZj3gwcW%H^IT0&V{P{%nmJBtW1?{uS;*l zMrkj}KvxRItIA4i!v#MJ9&(Jvz2hE1;zkwdNZoXI-EJfme?6u`3~X6^T_ozSnwMJ& z>e}>GNh~Mx4b-+X3~jEKI#3j6l=#mzh)zrfznF`N<|i552S1W6@_gpG+Y5Zfb~X5$ zIgIKW9fe1L#bk0cE{EgCCvALt$$4d_9%|xB!l4TI@@rgLpA04>WHR4geD2Ml+d4DC z*=zgB4WFscdB`uA(9M7;w?zLQuYTHSUwd^vAKC=trcC}m1)*WH1~HLteODQ%SIdKU zze4sorPji$!6zqlW%>lmsPH(5EMi3CW{;&9SaK-+>6?|}`!vEpUvp;h!At%Op-M|p z07FS7YWXp!7$L2r)_!FM`c+GsoVqkizAh;#70avXQpcMIQ6HE1MCfn&yJV!4CK~od zTBRMnqT)x|HRM{cn%ypdm**6?R+6$vn~dtY8jz}-B^MT>U=?CAtm zf?h`yH!F&+oJk93)vK=(MRxhqiJ;Yv4h<~Q_to2+I=IqfzcO(NT>h-`+Gxh&w6*99 z6}nHR;*u_6DXc;xXY-0a9NXgv%-?fzL1tsMgRfitD9M@iqe`S^v$KLdkI~!>fRRfx 
zpHxS7z7$v9Tb(_}Ow}paFdDj_o95hY(r$J$?s7x3lOh>?1rHPuegoN-XQ{gbr1Fe*M-RMdPnKmPJL$MtR^%Iz^=oBR7Rh zDb?gQ8Ef^&tl(DkAY0lU8*3_!eN4UW$o)v|K~XcP#8>Th#(9S;(u|&b43~l)$lT*A zNKACp3ZZYtiesty=cB{{B^DBiKymASMDN1gu~m74C<=dV?7>p{=VN9#Ashl6jLBdn zi%*zj!hTmmROw0+5qW8G&P&!Mih1ErE%1aBz~d-qH}kvx9#W>P9OMf%q;E_kOq!N! z6=rZ7O-+^0YZ6dq7e#ds1yiQBW%ugopU6;9GBA&FD7#;&XKL<|^+(jvuGF?Gl+tNM z{MNb_C%#6Y;8>xi>FY+zMjC1fdHdsE$4N*mkff^ zPKSL==H|!d?3`&;PTBrxMPT;Jla+OF#@``ub5^ zw}+HE?M$5I5->qyZfjhnniBG{3aF(K0K8=(^)}TUl}>AORq@$%940Tu6zQ#}_V@sc z$&+}LMO!3|17G;W6%`w9>44iRoErBkHa6bx>tK^`x&GYwM&`&>EtekJ&s$FY(y6*5 z*=FXX_t=O!$x|Kqe-qL7O*+3c*ArWPIH6Hfe{{M6|q2PzNr@@hE@aZR6ct%;x6XmYyOZl9-RqG^34)$YF-HvWZo-wXiA)E3R zItG-#j8dsDMF?q1w|#{I5i>T9j<9ux#MOGxEN+hh0)H8WIb0DT_W@p60BN-+VYE zic#{`b+WxLQSKxaFI5UkoIh5a>PB}zdXs8j_L!C3vd;dwsZa9w4XHwI3HMg`iC*)! ziw_XGX<1of4j;!R$7!rYUM^QKY>s}M81#W8siZTZmGcT4R`WcoURg;fjW<0I(v883 zXh?jRtBg6{AvCCS-)R`hTDeq^e9KH7!p~YJt&D^mDro*R7yo($>wRMPik*zcBKi}T z;xzH*qBH9P6J{Rv6j4>;4E&EU0c-~aPjR__3f_6FPBQxBwzVPgTy#+?9!huVRrOqr zu7a4zSP*vR4g5rAGRYIc-xL_8Oq?f_5nh$39Y}v)-rNTRG3!+2q(>z3Nva9%@;fX4hl0apV52GA7pu zg(B7{>eWqyiq0E-KF6Olw)alhe@x!j0S=ePZjxlv%s*g_@K|27%Di_HDYAjNmLx1* zZWCSInX%CKU_#slRkSbUs``9cLr)Yr+q;nHDt^3mMiQpFq?nkI--F2`^WG;FQulF3 z!g7BdvjijqI|!vlt<0#MTZqvxK%1(Qhg!Vxl%JG@joT(?_f{#wN)~f(#AP_HQ5!{T zyB2?1(Zuv9Q%_fm$mnsWxW#yU*q<}c+5K1wG6(1E>0KyXTe1|Bc`+A-i7A*KNL_2# zM1(Zy>D+5MePOlwPRLau9u0iD&-gfUWZ)%0yrrQ$a@Kf#?LwRQ4263H@q>ep5=T_( z#Cp%G36@i);srBo-drqoK1*m^DW*iR$NhM?bVa4`T|P45tO0m=QRx}MLX3oXV6?3z zY`8v!Ti-=16MOWm9UAPmyiSR^>dId)I*~RB-&{v0RPov0CmGIXvwvQls*veAJwG1i zx1Q3QSu5b?kLg|4GYO>l%z_#bRNxBO(K40-Xos98sj0^x+fe)%2T4 zBlM6iH!5?8o4Re-jcQOc+$e@PFIhLPlKHpErgGybXbjbi1A!{VR( zs>5YwU$j4!HB$DON1q7`Z!kM<9{Sphl*G(jIarcrHE*>njnL4S6q%fM!$|++Y5&a) z{XTVAr>f4znCwZ*)=Dy~e63H9vg_Ddk6dzi=GRjwew8jat;yitKISlWSb2+bLoG^| ze8YDg8>`6IDN9WcH0*H`U(cFaHbE|Gk*`I`lS^Bz42n%0&FQ&2SWYzePP2P+{?x}+ zfkUn8^Xqf87^9(5wQgNky1mVg=dJmzWMYH^=|CW^sX=4GY0-%DqqZ2?s0%jMT7I4d z7q;H9+21D5=g=YxGHl-| 
zEoGIx+$+-U*;GppEv^b>rb!v6ste|@bE)&IoXD5z&q|}aNWQLN!i|JvR@kZ&ysPBC zF=a5}!RC1+{-K_}*}*b?VVO;cc}VmsI3)NphRt6c_|Q%nsFm|n_GT&Lo$WVDk_wk@ zND(xqOeoTxkgJxP7bjk8oeG|)Tm9Go!#FKGc!6@(jP8<4Y1creWT^IV+mtzeRAx`D zXRr@VB#acvOy8K1(n_oh31DcLqfUy{S3;Ip&d~Xti*nWFD+r=1VQe(oihea~m|r*j zEBYm3OymZ`C35`45HL1AzD*dx!9BJk`44&mob`$%o1~p3x!M+lB8POF+p;2g4EaHHgfkeH7tx`VD=VBqifGg*x;m|50*`K z0w=LbSJO=^=2BPM<>UJBm3FU?zh61~Wr_*O=u2QG8aUwx7A`Q}F(ah{5rs2rBc%?8 zx`hMP?5u~xBP1WpErEk*1KkZDGnIU#Cl7P3ii*=rlx?4`bM-ODUb z|CG2=u~~&bGrQ5S73$Y2;Ip2BXH%D<5G-RenS#uU$)4c#_-H-Gq?sAU(W8^kT^S?a zsy?BiROP!WisxnHQKj)|RaDXsHc(6D0La#I$U}BD286giEiH-i_Z9?4H~Y`C-3gpq zPAPJ?X%JuW8*k`cPCjbZdpZMhK!yZu#U{>aW9}N0q9O8XD23bnL?hAOU|yFe(^0=h zxV?Bxad#3{cWkTShsa3kySYqHjGu!;t^heQQoUmgYxdcrCc^Z>H7&B-T4Cc>t1Wk< zayKbcMv^c!IZJ#4^^7o^56SSnOiV_4lR9nuB(54YqN(_ETgQ=z?N7z%F!Z3b>5$U;9iD^>M4Ab5F+I25%X|vu5YxqUh-9mZ&r3G1E*16=YaZp9If60k z;j3G16|0&fy~0s!b*yA*WTy8W086%LREg57MZd|4BS~woFe56{c||rf7&lR6%k(0N zL3j6oDv8+M5AK_l zRyiOvrCNV#C3hwKe%VoATdrKp>C3pk{Odg;zVta@hIun`l(&&{Ta@7lth<@HIi6R2 zrPVpnvBzj8Ev>D9gJA9$m3rGT$WdjHR1M|(=_wxOR(!cjvVzx8d1p8f&-X$M-MUL8TkJhPEP=w{Gh? 
zc~>erI9eoSmO``kc?atFow)RT`FpyWVxjK%MaMzn5r_KF_Ue8Nh)M^1Ri|ET2UUTI ziT<6We)7*}HeP2LC9ep0%*EuNvobIX*fV_DBn`5xoCm3qx}VxZ@hUr|`VmZDJEp!> zHjb0^JT`=sNj(l+e@&#T&pyvfN=GaV=t)nen{i9G3SK{gN--mCN;Ts~I|Jv=4QcE4 z>1FQGl5Xb;bN36H4OtlwlS(Jy4})c+N`gEi&EsyJf*5-g$&>1o)kK@gBFtQ$-iwW8JfOxW1Q zUpcd&4c}#6|8$SN`bPE?YKWr$K`zc>E^XC2zQ(3 zlX>?F)X;Aen`tO7*sDgc5vVG9lR8K3vzlqSHt1Z!0`es#BktaMUb`a`V@C?a7l_2Q zghzI_93S+s#NiLfg1yJHx>y~iDgik^JMQ>mydh`C10&MmBe8KEU44nOMV`a|0YVF$ zTO40frDc~?L+LKOnrw6^*LI45nAJTa3?n@+5**^)gmuRzJ##aV9xwB+8AeUi3Ak%I zMI>1ZMz?7QNYC}pwmV&R3VwB?yb?+Ij1g6>bxo=v+kUKV<@ODH(O8jNg_DiJR|c0U z^C*tgWj4H$p=VuuNM<*_@-fKoB|~lBpQ18>g7r=*9Fl%>g5daNGCXl4n=)qe`c$Az z{UwQfu`cK3jQpATPB@Ky{;k+bris#mPtC)zi;%bCK?eujopJ`{)o3PyKn%THeg}EVealCiQP^F0XWcnYH}| zQMYN?{|wRoUR4JRMTmDq;9?C9BonwUdu5Xb2K`*IhG2!eA2iaj(|d{DM7j+%DPNlP zLU<9KH=bxc(&W0Xnwc()0a+((o@@na#e@SXubLtua%C&Ggc~?@YkFl-t`3A|+SUUh zA*u5G{>VwUv{P*q6A$yEY^PUq9Li@(^6y-)(sp;hReyEwoNrFOynb}SnVIW^;T9hk zm#cNP6sg-wmwhnLptEShPzUW*=4aHH-pF#7p^tMQ3tHiD_n=RhVt0J`#n^zgjZOgg z!swT5^6_)-{%&(Z2k$0TJEvf5#od=GogWT4d@4WAwr^Deq#dj++b+`S^zyZ}Zl*tB zC=Y7$Y5$zR@`knF!-JuX&1^>o`8SS#{OQJ4hH_uwj75;@q}PbQ2EEys5w;9KEY5>q zWzl;UFJj%LAq-^G({PfUZRG5>HW+)r9OpO_f7MPNTWp_vU_m&JI%ftslaRR?s2QI7p1z169Wcmf9s*?CDal`7(eGlzbbusC z_*pXSk;@t=^pT6e+#s@z1qDUINBT@OM^nEnefYjH!uEd#y>t)h?dbo!g*+h3F3uM3 zD#v_3GqJ(E%;8K?dT@luHj`TaV)2u9oK z-oB?-L}M%ko4)$nHR$m=c!@d7E;MXZ6C8w>mGZJ|=MCvu*WFiR0(FCW3d%mS#p=P(eeUM*+fEHwL{O@m6@vL!t{<`xDoU$N9{9B(i+fV(JBHb+-%V zZU;DTXhr8>@%hcMMtSU~W9&OkioFe{+O~3QcOdc?G{t_dQ3(E^{*b{RJEkdp6)af{lc?KChxH3XOY4LsoMra^!)#ZMx7<&>% zMGmYdy{MzLp^3@Z6%AVp&)OCvQzfmmUDyw391L)vEq!4}4Sn2sMo%8pC4Nc)kdMVz z0tz4yzY&=)H_GJvRj&9#CC)Fy?}^f?eAMiGMP)J=jW~*$STBwJq7^&`vr+;{-q&WT}mV%72-Q z-fd8_wSQ?aT=>V+#ZmN!4~;ZHHF^t0*#65PTnMn9eXetIU%2K!So}9YvBj}bKTt<( z)g2xD!^v*F`4iZo(!)j_%N!H_MMubO9xX_NDo26o`d^o&ZfW55|Hb{~;0sXfwntY~ z@t2XRpHa%08AP#Y9E^VE6a11czo~&eK->xuQx#as*;Fb(;_7|j z_V^?2>U}Qe?2(x>*Kt`bKh>TMAo!Cr6Z-Z$B-HMTo-4bEmO!^c-@ELYbxaXGu3HHt z_trJ9wifDIif+A+tmo`DS}9 
z!tkZji%Xp2&a{0FgT?Ce{?1?M+K(1B3Yt6DiI;LE;A-E&Rsux;x~Fj%)^rF=NW0Ig zh4jonmW_Z(<5rb||MZrjYv{unC76XddshKyladki>q0H;99FdSo;IM2oOh6qWHbrU zbRL~Ir{BQ=yDJ^nzq#TRA{LJKn`)Ur&1u1*rTA$oT%B+{>+FQY%?{hmFoT8-#gO#{ zzqTX%0Y(maZHl{Vdb^HIqc2BR*6x&#JBZi*S)M*4Au|n?1}Ti7}CmlVoZlyD<3(Ylts#)tNM0=V7e%PA6igtDBZ9rPPp+RM?Vd_~8TW zQA?-Wo(vp3_d^rEL&@WSBN$Pd<6yWo0GN&QA1_`QncJ8s@(0P6H^!e5mHWfQ?>eB$Mx`1Z(_@M3?nDVp?ENJg2u$-l8H9)ef1l&t~)z z`F-PeGd^Siw1qL;)FR^95y{cJOQ6#&#GmA_#j9IDi$(TC)<=R&%YjKUo}L^-_-k?Hwa@0d!>ZCjmC;4Ird|1#_V0JyCD*2fPbTf!n|~+ zqJS<=rV%E6i=fk!RgaxUzKe-amv{*1i)EpR&2++{1?XQ0(L3$yXD~muJf`pQj-ISq z%jf2`>ny&HDc(qHtx|2XTDM<8_u79-AA<;Cf~6=8}YF{WBnwat1REs;QYuciCnMD=hFs z6dhAtTMXLD@yKeNteQU$q9_-efA5G^mvAKo+yWkMbDZtl9 zo%K6R>0h5PR%FBr!&YxLU3cQj5qy1flB|jSvEwcd!2T99~uP8 z4`KohPY>XZNWPZ0Z*;{x4s5S}yCL$;{mXI6aEdqK%hr-#RvLcGlrR4B;w(@t8vH5V zFaC<9xe7t&L8Fm3geD`u|GJE4OV$y;fgOtFo@~W$92gC9H6uYD2AvB$p|jg`lG4vcrS;3*?0v8!ZKGU0q!h zI!qL>qyA>Fv-0@okmrZJ?^dnl?)^Of7ylRcJ3pA5oO4~@b6wwSoO7lQ77tl;BmVhhodNLl#q9q} z^ZxlG&#C}uYy5Z6ez_MIE+strL(k;-0^KCP#{ z>%La}xm{NlD3qT*wp2k4zmzVQcjPwu=61IZ1sn<5>_4KfFCZoR6&vJQJ7W6uXmPEm zmHbH1mxJRUoQ$`6*p62Ak52n8-B0DWcS;6-v4rotg&n3Rf1v-SoBN>$)%|5%MPdGs z(SC4l!H)+&(BI#)yQ{IEZplpxyYwNpU#;INn>|6C-3fj%qbU1Nc>Y_n)IPrD+_P9i z6X=INO2zFJz)kYbJZxP5NUZ7K*OtG&Td7li`j%KZz%R`{YiRs-XGp{cAbx-4@7leG zX6vL+I8F!r{1-7etaEjBbvyzKZ}{$+YDWH0M=MIPcVRZ@4En2^|a&I<%@}~j>q)slVB#`T$ANDkIJy55AptS7xGp`x9(2M{pG(6 zQ`>!h=~c}GCXY)~>}Ai&oBm_LoILqM3G^>=yX=|3!HYsg3)B4un#xW~6U1Y)XTZ5b z<3gdZAhhkD!{xw%Q~d^iL6h#oc5;OyCtk#E0tqrsM8?sH$n1>8tFO9IZ&KXT>CZg+ z3XMebyLNO%tnFRi5ryaEhQ6xUAJ@H8uls#jl@CuU1BEZ_4||Bo+lxPiN1rMsaJ;K9_FY~Rb*_WyGLfBpHnXNKQd*nVhbR2)6y;>1>L zW8TYb{{T?e%Eg!eVW<9y*UHLvWM+zm=RaQjUlh2?LBIOy*4>u-QfHn1UxsOC0_$_5 z`5*k_6|H}4D&AGjnGK4Us;92)-2H#^?SHTCVe9H977YFT|Mbk6lMP_ORE3^D{)Ljf zGvR;#b}_|G&Z|wWS@nC6@Yw+6d%X&HERc zf8bF6A&L!mt&7}s!Ww0)c8ZImxivL=rY`y0HjJ%=xPhEe)()m zF8BL|wFraL#Z`v0eEG*en+HF_XWDD`$Oc%(f?l!>f{+28Cmr!;dt0q-qt(=u8_Bu zdJg~P`gw3@ zXzG#qty}M-j!sejl574q|6V1y?Vkhdb^Gnc!FRg*J~G$T()OWx|E{gy5D0j@vGeh> 
zYpwdzb*e`JHvN-A>a!0v|NB_gEnHV>jY7aZCdl#r9)v&I5#ImQzh>(I0cbwc@4Ni}Rr6-M`N%wtX95Kr}s1thtR(dJ@*<<>eKbJ!{kE;QLFh&HM5<6~BLH z{l6#ryH?uOcLH|ALjKP2HSy^bm%u25&(iN7Qcd8FpYdK;a~cnYtJXxaFY%rJ@4pHy z!TZ2NVvYZxb|ZyCQR(tD_;yW^c_sj0-EgvX&3PVpnB1ODC|p|6h}^ek`$9W&Yrd=a zi!*B{?Gnhlo#+%zz-{1c3575?2KtTu-%Ns7aNcPPWr12)N*9^baM6!rpnNyD>J=4Br-D1WZAGIiCogc)CbsgAdHJqqFweYhI<0K>kvkqHGYvgYKw}dbQ)|n#rN| zi>r<{*oM2Nn}1`mB{(F6=El#~3>qJ1u~-z;;ZO3`gq`R4S0kPkXV={JoAWQP?h(wY zjij0NwKZ;gOOSw!DLe{U+xZa@|LHR?F9R$|UgCdg(_bb0&R=BfPAd7Q9?|1+&H7~3 zGyHX#RYW@`=zvat}Q|~P4FJdVK13r#4 z;f*=G=8CeudO0%UW&r00OKaAE;MSeszLB)7+BHWuS{->*6Z6iq7a#e2))(iz=)fVX z(dv6(qMPgMtmr2b!(jwm46q|bAw`jEPRlA4a8McCO7@)(WC3iaCHq2vJtSZM)q3na zR{Nb{{I&vOPhpKcfK`KU%z_%2ZN1Rj-wZ&N=POOHo~>mCPVkv z1A$RlS4jOkW3DQ(J^afjkd`*X==k-W8_s3Thz#{Z8UxZjE42%R!`A~zdZMa69ht7=`vZFixzv)Gld<6 zBHo^!riu{YN{~HDf1op=Xy-X;y2;A8Ni~_EQWGZ;3-(x7`itn$)=_Mk|Z`g;D z3GrdFgFf^%?ZK;|FK*pk3N|#wez>EozHhHV@G96;KlC4}yS#awga?sm31_jKV*`>; zJIhMUFO0d!nMUEXjYycf*XwxOpa&}%(dfeAi>3zUklxrwHGcBi6(4!n{7(@X$^h~} zr7$kNce&69^Vzx{a95pL6A#dO9%Ya5wDm;91&E}z^N5PY-E<=;)9C7>nnBdVO<~v% zg!&$Q`G*1Ojq<$yA1kMH%De(5(FywdQ{8>MY++ny{#JC zi$^okl>7>3vfF3>#N1yD%;p(Kz#$_#lGixO;RH?~8H;9I5Nh>5$e2HM>o#o&JVmSd z-ncrZR9aJ|Vt4-459ag-$lm_LDGo3-6_Vud)}WThO%Eg@{rmD;oWaNDe{@gA$ zdyUJ0^eh87X{_L%RFM!jpKNiP4mj#q)y2@BZ9lTbB3>)9 z-mCRZPPip=1%$T3i)OJQ;GDGb>FBk`&-VntptAVe@ZTTqdZoL0pvDjH9v*7vZs6IL zAOrz&Mlq-+qi~dkj1PrAAni4kQ5BB9;Y%~z{HVTIW5*&kNzH)Z-4XE zNx)1>J*F%F{S*?4zR>lIpci|!VDR|DqCf2R$2ijJQVM?toV?1f!8_L&^31wT=la^> zg$vWJ0DDD*Jse>`Frem-fs6t#qmQ^S{`0<6RIY1Q{IM< z8r~`Y5z?k=fQ2dhsrQ|;J|F(h@k2ly&5Mq5Q<$02GV7a3XkIfj0o3(Nk6oshn;!UN z4OHw>dDzmThqeqmS|8qx>^Zb{egc@1wF@AIjNMK0AJf?Hd#b&BHR9lUIk|op4!~^; zc&JLXX-`W38f*Jq#Dxv3FjfmS`r8S&Z`t#bN^Nx}+|+aV;kUubp6oGKul%pq+RLko zf0ej3AO2d^<%7&mWn(+{tI;5PkV9PfekM*I;mmu49Ebra3v>=z8Ck9d8aN{y4Uj3=b@k>t@RK&TC^ud#xp9J<(Q2=SIygD8 zB{`@EW`gk08iTllfAAYk0h2*!<)v7MZh$Vb1cJ}_>aF(QIIRP=(hw%sv+Yv)YJMPgHQGt)oL++@{q9<Y}>CO9g6F8z5gT2I-Ad#EQ*3nrcJm#Nr#czt2X$#eyiGJVyh&_j)ifh%}syd7=- 
z{>wjyBy#FUW1%czl}BDr(atAOCnn-)kk(ZS{qHnLwxu1Z=^wh9)p@S}d#2&i zt+lf{036>mZ0Iv&e^U9uegML}7dD7F_Mx7ogl=w6gv5n6i8d`bp#QK4G$&=0Fu=abm-~95Uus`j2BUf_&^PJ=*W7#f=;0S;)+Mz5O%!+J(k(G5&FJ zao(eQ|Kr&+Py6-DKhV*JTf*OUhp#5K#M-*9goF))6=fW8BS9qJ^t9CZ?8UlhSLrc@ zlI?nqn++`!oC*0$Q5!J!ydE^nI^$AoEwee05N!9TrXmI<(&!TDlVTkr=rpE?gcg*z z%2L!Z64grNK|;ylowzUFvLRjl1Yd*^cV?)5$;8y=Piy_|Wd4ji+iQVv2X<6G$> zejLn7M%jhLpQ&b%77^cEqGYcxk_@{K%sG%Ble1tfg!^Y42k}E@<&SrXl+L{H8oOS+ z4mvsx$*4kyfMbUu^QBE)>llhIym5Bt#3-pXX<9wJ#E-30+ND2}x%eP{(4#e>089sm z^ymP0@{_I6h@ohrF2_p`A{HBUDyoO{HaCT&_BRKb6ec^<^?XO}Yk&r4w8H&3Nz2y< zVUc&$;qm@=aY0YHY0i?-udmG(E>t_K8KWIbs`&4Me%I?n665L1*D{e zI^Jl{3ne3#+V)eOG*>29?zZA>v^b|+N6V9RF-noXeT_b}ChGO+r5L#zURKaT7~N_l zWMAFW=EoX##~j8t;Zkc@`az||lAmbxHzbQ8?#i?G<}J1Sa4R^H<8U+6fqd=G<1f>= z_L`2a`e|75)f)Cx0RunF&4mdc@mmQk$N+sakUho}a_7LL*hjZ#>;f&dJdr zH8TvWE($6ttYAnq&VT{pf4 zu4HFt3%B?3n)NtV_0f)l*bI7()~q(=bm^F#w}G{e-zACrSf#gQAAR3~Ipel}0ry@y z|M7w!8Rq>uH{2OoHnCF4bs^t#dZAsN3%fpA9_a9v2RvL&mUn6~eu8lw)&bA#{f9c# z>JD?b&k9ckC%Jj?z=nfCfg4wmY1oqqHZhZ`99sMH3hXFL&rdoGW2Bd{CVl` zucyaf4`ro)pMJclOtIyX2Uv1nohBZNOg|#2V&ba9JJq|bz?X6z>&BqymDWIs^A)g5 zPwtfHMsjF5l0jmhV{)BB=%@bV)ow=1QqRzZR!K*Q1nuqMcX1t zx5k&Y&1T*U&+xOLKh<>8rYH9-LL5_uaOlJqcaJt5C&2;WvWGL!&P{4dE7OKpzF{81uoh3*zIV#nQ6@}t z;dcK_2g|gna)!8n3Btr!U_R|>X3t4Wc z721!$sNhqc%F^_s(5qgl-DWdTCCY>Woeck}um^nHGjp}~V!nT;%)5}V0w~y(P`i*_ z;rfY+%qtI2J{f#PW<$4rfcd;7on=P1bnT=S4C>D)Pc>}$7EB*HXIhiYYE>A1)`}Wv zmO@8I(sQE5%3I46?;R4vJ8KD|SQt?moi^_vhCyRS<-9VenMqOUR0RqT+NEgcn^KuK z??s-u=V}si7+C>q;O7b%Ez-j{KTnhDD-YDhFVuO^1ACqsDhz%a zX8qWN2oPl9yRV!~UujLp89^|4r9le%e!W0tCAWBF`DOrp=IPR`PonpjR?`)df8y|- z9n+kzbtYg9L63RY(6!TM{ERrC5g!*w<#=nyqB?C^0T(#t`kUZiSJ6MtVe#`VVI zHhV24??^}xHJ%?b(o(9{!U^qvrjXY%tPu)g8j=9;?=p3qCz`O1m2}PU9!tTlHa78*j2<$J$n_<+*@krE0vzAk%FU~p+VuPu?J%a;S3IG#4VL((yB_jj)V=;%9G3rxwPrKQ0CtHcr>+Rak8Pt z$Y;5u@m^oNN7SX@u$QkU&*u}WZpVrChS-Vk20Hdpz+Th*Ti(>x^tcARxEUL+R{|1Q z@7u34#9k69u%dEXhW%H1$FNY6G?&twb3(bK+9%d4lw!WTufLBhNv)X088KqZd}u1p 
z*A43=jYsF7yc|@aRGqHIrb89^G-Ll1Rwn~DoBfhtuO*;sqF$sebveYZmPp#~t+sDe z@V4f1>C_c+4FY2n_Wj!ZCTl3|q;$lwV=cXkss92k;&Ip;sfrPi%T`E zajx}^4{>YJiu6fYk?+?IDqQd_(5^;Nq8wjPKr-YvV6tKM0P(hw6dRkHeS|y93GM@F z_4ms(T$1cjZQz~WQ4QL@vn<@-M^%-caQLvqz9-Nvb zsdJ+vo7j5s_&~2|Y2E&;bbg}+^S--**qPv7!>*~O;hk9}CJzX+X;r2o#y4p*K{js4 zBDq~@QfR~lE#;-Q5~6F+l%`2FTpJD8z0?uZ3w_DU*Ke<+(A7vV>m!0L^&KU1D4PDv zsedIkSNF}ILCPQe{F4OxJwS&P)B0TOdz|i8aqe=UOSaRl+uWrh$I!tjW}VWOlVe8> zuIg7?9$<#X)mvT2R!bC*=KoSJ^pI^<*<#U?bx$-5XE;wd(qC)Y)u9kek%W6KR$c>@ z6J>~GXRbtBa7;f0MJnD%7{q=p*2!&bbDgtV7v`1g3vrJ$f1UiOIdJfaafF3vJnJ4K zVlQ_`M^x?p`ZUE>z=qbP6&*qn)STfaq}DjcdD-!S)+=29(Z-RgB*jaqr70~c-kPTI z!O|-)jO`-EngeHzo@h!)t(>#u#$?tva}N}=DxYVK)T5PZmFWZ5VkSlb*C}IpI(XhN zBHxak4JY5iuNY=msA)~+q1m$ag`8Q>__t1E{B6B4C<_DAGy)2N88GphEh2Bfb7Zxp zYqIp<`?=_I-@fSlL@&^~ga#i!6&$++AZ#ECJkXsJNp|T=Il`aHv4&M)pL#A3Bo5z8D*S1U)#5`d7bPs1d#MDl_+}5)Q!~!^TSXag;Sw3~wvP`5# zbmcFZ_dAgJnwi`Nzy>p)He1n^fOi@f>#!Hkq-A)xF)*Nj{*#1V2j5t-8!R7pFU63x!OW#rt94fC zAykb!S2G?LRz*MCnJliX{uw2XFb{W%<`L6-Ej!$GaQxbS(XX$LO6hc}@jB2$j)8;S zwNdCET13%`#eJ5JiO1{;k}FlJB@nj-8aTQe+i8TQ8;!-3kvFW;I@zrDpEm5GIsbD7-`t|ojl5r#j!+p*i8xa(z^oXYJ|HSi~9FV5$E&t*inFT^4zPzl3)@&d1YN>SP< z@rCv7p4>eZqj2dYlC$>{MbbB5YqlntRlP@kmpR?K zS9B+R$)t=L4+Vlm?$c*Ar{vD0UoH&u0$YS6j=S2|*Esv)^o0V9$P5zC0Y?v)#SAEM zB4u1fBT{wI^rQ}MZ*LgCTE!C52g&nb6efq5)05&{saLW5_==2`=IXHL>T}AU>LjMS z?{hgg-q`vn&Rb-NttQ^aMR8!1QF-ocP17pemo{E!Yj5w!CAIquZWmoj3t$$v_`5N{ z#YAqP`Rkm9?Etg)4s?tN3m%=>U(&_J1!cd*_~v!-%i{_l;4r9E5VvHtdf&+SyLRV< zrFBKmFS$w7_`LmE)%xh%2nldVa~LRlyflua6RQde3PdK_l<%KUu>%2S>_QXFIYQ#1 zu&hX+tkB;7MGhhj=Mn@d*U#;|#i=Sl(*#a^{#jzgo|T1C6P)u{#-6}my+!Ve8K~t6 zm$epT!`+iF1v9Axa z#p(EP@`5;w47VR%Vn&pwi$rruHk=MLvL4b&zJ(c%%J@X*L}M-^3(Qm2D_5h{7&V5_ zmhz$^Y6F}2C|0b;uMW^LMA~U(*fD2G!KhF8e#f|b0g_fd)BvoFs&T@aBEjl+yC92_ zyfs3wHeGk((Yfj{f8pGO-h|N<)}jB`bUo2zDB)gpJ%jrhTNGfHtgsOJBp+oLR}sj6 z4gwy`9CM<;B=pRCtK<)+(>pB_@$^k)e;+b@9G!s{OFx?37e$J>5F&Qkqh!!H9yy8+ zVz64(*e|QaOS8p#JBCz7_vET`t(wsFmd}U+@aRyZ52W7gwMB@UCjTt?aUQf3q7hvb 
zXwv!83VqDAj)Xui$T0QCg>#rkFPe-)ri^PcT2~%5R2dY9xM6tc9$dO!Yg8*v+(-pD z^V~ShVls^V|EsbXqWSsGUUZDpzo%l?%^x z%kprI&RXNb2jXKRqQV~N#qDh#V;R`-(y^a{cP zfs~3lrHCv+z08>?(C$|5KGy=;q9;H{Ph#|2p1WJ5K?c=Xvc-z2$F>|2Kv{Tu2D^1% zhGcKnN_DKe$|iRm@L4Ee#Tl_hf%KWdzL@ZCJj$+HDE80d?TQqPNV8JVAiEHA{y=7a zSD9RYZ-1+A8ZyWYqXw}8)yX@eQWV;s zqb0$$$m?4Miy2wEgtC~Lmft$`6>b^{N+;x|Ns&d=(Q<01(8XO~u477|y=|g2yna%g zHnh}pO4Gj#Paw_=eC%*byXL`Lgeeb+(HlSMEi8h}>}-W(Y)2_&n&2^RC7$s&!P+u7 zj`uq!kO{hvQ|<&vryJKCHszM6J;M1=rj00@I>YQBl^m&s0R576JcL^XLlPr{z|hbv zc4My|P<1;lwsN7vEAfTbCC1lkQ>I#(Ak{koi8Q{%EGBH>~uY{Q03fqsWmp7Ugni^sK zg(y&3y~&o`&%$oMU(>&eUI(59vsGRzcB^z}1BE&YKr6yk!A4*wR(i+_K`a^3joYN= z8s(k-J$13pswq@DLAvXi{qV0<|Go>LRlz|terLIB9`TKX7udal(d7>J7=d||SAjbT zdR2M~M{1c}JS&X2T1S_wSbhYa926^3+H%#^(z`HxHmE11)u|>XjGA**6XL2tDh|mB zM?mk2{V+H?Op+$)fr+F Rw!TU5sxKy({lU}Vm)sz$$Wh_l6{sH-#L`c_^P@^<&S zpN=-CGfCO0&BZ=_$F3*$)Dvtls?H#9u5;RNN%p(U35w2I;?=TCXcb}%1>f#$GUqmf zfo21FMB+|VW9<1o8EE%5*ve2>ol>}uNlkC_*Q85_vZ5DptxurdUenoo&|gQ5aHibj zohYuj#xvQ86$((V96MTC*R%ScFXC!VU6LqiKBQ7 zjXa2f%y0X>j^vXd+-hG0vmKN?YnqpgziC_iC>uNuxtsnSUHt3#NFIv-@&H#sHe*+B z7jVrCuG17;-!V-+J*ll0Q3xRY1=r&b84?e#nk}Ep1bwKda zXD}ysoXgA;&>G=Ey>ru*dbxaJMhqdqmD~@57gCzgqMdsZ{J(ug)U4f__g;jU;BR@L z`&+R_^>sz+6(z7yn7!q^72yh4H{`yR4*fvlIU0_po|s-gXqkMPrTpooio93fcPW13 zOB#X`h{KVudvT`D=?AikE5H7jfV@{F4n5L{0}B$~QW)Ag>u?iP;+uuV#dkwr|6 z$N~_Ay-&Unl%@@ZIg;u@rXG+e-5JpHh zRr37A#8MN*-Ep)ioJ{PG-&7F*<+$p-Ed{=MwgFM=*~#7@{^&sqpp`W6q;0Xf0=j+ z&>oc~dD-5aB8j_hKxYVP>DWj>XVpvqzJW`lNnNJWMQu{!x$V28fk?x8GgaeVI&|P6 zC_z!?fwCSza)q#pfMy+BA80lukAJUUk)ya}TIzIxD3~>9X$Te~9d|_1Dl^tM#8(J` zNMSt?R;YqKsb%|nijEEW7g}0)xB`#8HP7d3C`YPMz4=)a)rJ{}r6{eDverX|BRXM) z3sRYtqElpN^-e`_T<$$-7Neq1^J&gva>cPD&H(Q^&Gju< zz>osHV+!V`QI6>cmVl?C;N7@HZmd;|5?ib>kfoln(moxu9hR|=H!6xR z(+l^RWo*)K+DP@&vP6#q#bBM?aUk+7_X?@fE;ohZHhZ03?h}00+!KS_Em3pdhlVRCsp(}Cj>8V+i;|N%1_BYRMu;%NHM@cqmNvJ z7c%?4?t>pKJ(4tc{#9lUw}-Gi2{Jex7f=yfD9YT$izof+IW*`e8!LV4FCzdY~BK9NB|b5WZn~OcV1w*ig*44fo5mMjzxteFqUQR;$7~J?ON-)|YK3BPHEfepjG_eGs7L36&fx6dKs_2je~}7V 
z8R`Ft9dIhaROS5GsiKvcCC2GEg%H88zdL0SvLJz$wH6Z1`)26qs89;@x8lTul3+cD zv7c-!;>+WbgCKYk_6Fs@-=zGc_qWt0f#I4+2^P7fU&V(e$XQIwV| zR_q&r-x5hhSj%{)Ctnb_rr&8$7#4Rf=_-qH!S<(_<98ls2%EXYn-^`8H^o`i53;CI zk)vlKJHkvj7M+Ct4Xuyo9v0f*HvuU~(U7eH$bh;&z07BSB4ai^}xM2>%AUOM&b%C(IZgan4ad+K#3XnEv z&-kK@v;2V2<=0^wNfen(Af_6H$41Jp4|ux=%4B%sKK*6a)$8l~3{S&rfA1`MKSSGP z`Ksgdt5cL8G8W3-W^WV5j~>@K#RZ}#;6xC&|ErH&WSmfVQptL>vc#rl$xg{{v|QNZ zn{iH~x|86hwIxp+aS!o;>q3|-hB#hGmyE`|fUFa#0Ox69)8yWsr?Fa1dh8M}h7|sp zApTc5?A77Tm6Tj?`*JapvuTh7%0=ist6qJcpjpR_~TWl4e(k6Wq-LT?;U}) zANhO$q`O1e(&2~6p3I<@nh9cPJorWBW0FqbED75oePk%a{dHPyWEDNONoT=2Ud)1wv8W~9qt#lSn9ee)t!<-i z1-t*PMGx&sHbDscQJv8PR~Yd@v1N8MHI!yks%n-FHDQVO{O07n@Sexd`qVM8IBKW8 zH!_AmryTf2$0+K+QfctG_Y$xjD66FcT|!1$F#t6v>N653mk*@9J$_vWlhf^ z^p;B~(Se;WZxlk>yj;)jVXn+*PWI<=o~D&PiXR+-=|orM!6PNrwwMq~8!GD;pR3nZ z`dz{sQAsvctuo$nP_%Mqnu1OzY`3!ticlwP7|k=l42lEuoL81m5?DUtxyQoL>dSPedptiu!rv2on$s!sVu?88|aMKroJVSw@KM(CqNQFvReu{m=BL<<3V zU{Nzbt!dO@`{SnJa~FEUFYcFI(x-$jlkp4w^(ns{C#iO-@{qmqUG{=l)ka!8Vokt05;OaTnO*r7F0rEUDY$QF2DW{l{1>#0l>wWpt~t=FXAI^>>Fwi%G)7 zX%{l?0$4ty^(tt4N4n3$6n*y!trr7XTcg77bwVn%pn<*F{z~2hIf~HK;XDx|QmA0| zjOZ4{VX?(zes(Lqzj1p31>v>ud|S^YpFeCbG7RJVfWYf1Cq%Y9BNTU3iYM3uF; zi`eWm!;HYy+{q7q7$c2FuL3&}97Ac_qu^_8Uop*j(7B8vK#XD?nv{N<@FTOPr^j3^ zu~t#Z{X9d_{(ApRc;R>8d`xKJWM%^Ib;Q>gAr~>r(5%&=4Sa)2aM~8PF`81YJFj<6 zdT^FelfE&GZTZ4L4>~&%og!+Z#G(gXjv&hisb%o`S&wdNR5-lmVkfxjwtsZUUHBAj z|6cyN{!zEDC&@6svrFj;}YFiTI2m8ZQV+B2j&Y`26!u86s*wx|{q zw>2IL!dMxf)={lKEy<^hIFGx?1YsuUqlX7gNLaTy#g%X&v(3b(YX5xfFo`bW4aL@& zyeX?z?X>9-z{t5K3-M zjH5%t>T8y{U$fZCDpKr=4z5+VIkc3U2T8S%vw)EjcEUhGD-}E>ZB|PEDQmA?Y~ox@ zmFAb;)MLdC`Af?)cEnA>y@l1INN##goD`kzfEqC4r9h9tD3= zMhKSJqzqS{Dnfpyz;1Skw~@p%M_FmnYGW4!Doc~N)`MF zL}9G5agFG#d8X@jJcR(~YvWQn{ztxQ0V_p7o`{0{sgZ=m^xSx3`lkQSqvZ}?@8 zi%>rI^5W}n33|1PB?uAPE!%grf+b2+**&>r5=Fv@N3u!gvlSx97%8qRB$!dB0~0$3r%`1Ls=_{Z39#%$Hmd%5npQQ3!=Mi(z36ZUCpJ%PTuIs`8n zZ{_@Iir<=rEFJ7Mapj9>c~HL)|5G@K7RFwZ*Kp3%LGL|-kk@@YxQ7o?07xM 
zpYFaT6d(8AvI+@ik7J__P_0$N1N`sCjal+~oG2BAp)APCe0H|KQT{|VyaKqndxjpO4DnWTV}sF+FE??`LmczJ6^|05ojY- zXsJ2YK^-RIL(^RZw>d3=q6QWOGrjx^UKNA_J`c~yl5C!tysmo|@yh2)o>>IhZMvLGj#*p{^8N{Bf$xDRIn9vzM9D?{X zA`*!y5fK`RFa0c5Xx@;-v|gM@KV@iPD3u>Ie&w>>48nwbVylUXmY<;Bq3M|HaFP;d zk>@dtKSp8)HT?2-eCQ8#{N*37OcUlldF*qSop{22-AQRx&^9#(!c}Og(8LHJ_2Pi| zbOnzpefhlvn=R(?LS{wH?6!s8z^5Q1wo>%qk~mj1zQ3)>1IU|&6eVm)KNOCm>QM24 zqUPBlbF&KWWB5He+Yl(4Z5=XvF`s0vU8MyTIIu$ft2EpzxY=kAWOadf!qGzN;2jk$ z)55WzsEr0Gn=Y}8jVciML9M52xHItsDFLZ_=8Xp!zeV@+pG^;ZlUQp~f3fT<*>gno>(~ndc3fv*uo-`$b9N}%B#`Flf29B&SIWUT zivwyzUE-CSlU9Tf1xizH?OY7DrEgk{<_M?}Et=2x=WN;2Ul+CZ#ll9HzItI(;NOeW zh>PaTYMoHg!o$;4$oa5{u)^n=`gjlCy$fsw`$vR^lv*^upcEMDkx)RA1Mi^ zj2S353jD>W({^Lc^sy;gJscT@=8VTg50ftwn1?Wft{>NO;Av*$F4MC zhP4|0P*UHDT}rQs$}aEt*wLP}z|;yctd%wGvQ%k&p=38Su*!rCbQ|e0MDcFC2Yyv~ zt3XH_Ay`~n-|KrP`6CSd9R~gvU<1W$qXc2n8}N6|!$CQP7LxmMgrz4nrCWYVQ#?EX zX&fsT&L=-k5dcL#CTN`C%DaafFjBA|E1n$|CoLywKU>})*(SCWzhJ;m3+%obJ&PHW zoq}Tr;Wh3xs4pA^sZ9J8_<>_dSB5^O7g^I2z{Qb=0S##+TnJ7*{V_XcvKd`}uQX>#%cwX`8w*HEh zS?O3i$-T9xjN@7NCbI3~s&{eND@L@aUXz@52Qi0&jljuJWT9$IeH4!NG8cbr3sc8( zxcspjK|A-yB1}nK)oXbvcBzc*coz*Oaf$=TJEm2FAb==Htg*LLRLAkjd!2D^cHhjN z)oG)XJjQ0LOS?qu9FH-L?4oUG-KGkE+^?dy zX*2P&*oWJ>F1)xAVMBpwxW_R{&?qK)w(XI9jf3oPh-e`e>qX=W%lMZcuxnU`9Pn`T z&kTx&V~19GE~l)(t?9w*rzYOUHTr?WkshKphZ`yAv^z{u*_cz%1Xh1zhR0anf-o9a z!6CyWTv*kwPZ&%D2k)Fsd0`XO5j%wy;HL4{@msBXHA!)prWB&ddA~RWmZ#qp^qD~3 z#kNC-CGs64s8|NhE$2?2l~WKR4kxK%Cg<8UEAC-A?XO%W3pu}5@ZuWl4c>6#NBRQl z2VJVvt%grMMP3`3kY9_HeAG7UK3`X~4?9-)98uiM%jPHula`$;sp((LMTmV@3Y?Q1 zDeUDAal(q?T@Qszkb#9fvlC_)x;&A}U*k-kwK#-~C-7B9Pgq9FZ9f`Y@tWY_C)gyk zvKLiDVWCnyg^Wf;jADSlzek(8S=~8<5`MvtsJ1XDmCrZiX8nc%%yb9|)+=~oFrvWK zrF`WofaPrK?eB0Hm!GzNVV0h7eKyatFpmj9ckYY-CkuZF=EV zCeRkV&6om*H$2Rm7LX1~s_o>jN%HeC4&H?RzOh1*ONCrLvE~2LCOLQ>I{eB`+#wOM z@2Z3sD(1TQ4?rqbyjF2dm-*5~{G( zdev7Lddk&ksTM(3!#HdC!D!TLIkQ7-DR>~I-{=@`Yy481!?z=#AZrPP92?55xCPA; z%MQG>-lVO+|B^wLrSE+6*iT{Gf|u_>BkoGh=P@-k_vc*pzstT?G7VjliIT`nJ`|-6 
zz~?|x+w~tO&Enio_~IWODG_YyR5A^#8uNJ6#FCR_Q%^Hz4LrQ(-F2ta*bqw2vKL3< z%?b6M(B*vgiw;C7J!T&``e;Yiz>AIxu|q#y|9Jx2>qj{_@$hGpCnewS-8%98uAf9# z+9$vJ^u}jDeD+O5!WsUfb@#QCM7JJ&JMifZ&)c7r6s_madfc^1kNU*iI2Dvp8Upq#;Tw03k944^Opsiu%UJup#~=}JP^ zXt3(Mk&BIWYPtLELa_N))2HK7&%j|vD|1m_*{5cG*)@pveA=L^Ws#yjHXj**$w&d2#64cQ@lcM{PT2=xo6fv}$hB-bY4;iJ8C~_A4C`=zI^1{F25wB?XzR z&EE%vo%=cSND^@u+sLhNI0)x$^VMa{Vck$5)l}NUdyJog-Dr7&{kmOa3_ADnm3$no z)Xl%T>*em(0ksVwYC^1=SKO zC9A+ET&Hf2K5g}G(e3gsRN!RRd=rQHhAq6=-~nD5)h7pes~gQv#tu!$a_T$0@Ue2X zmky&|*IwL`hxVSnZb-|tg7?sPV3RJV)H_VKq?Ljr4|wh=`r0Wfbk2n{_dt%t1vk~J z9f}>5&$!AM%N)_(RkWUxcGE8 z*XQJga3e@ptn1NIOD`iTP)m$K&x7u;%Ibbr_pu;G=!Fq@IUp6)M$mU(yx5o)i#jWw zY^{gL%=^0AG`d@n#=jjh8qEGCXt4HTVy#-px#ouX;4>~o>0ZgInlsOooAxytkxP`d znz%b2?EK=Y>D=wGTjkOC^RPAun*PYU;Qz4q-eFB<&Hu0hqOPdeC{o2$EOew-8@M8% zB0UsAKnW13p+}ZSSp^bZrB_7(DFMU)Av6mFDFHzUEd+riKnM{62@pcwo84vCXLalI z{`I@Qe|TM(+&T9-bEbS|&YT&R@c~M2U0jIHyz)zbaht*kUyO|R(9=Qe^XwQ{$FZ^C zmjnK;S5I5scd6K?Zpp@6^c!nEqWY5E^dkrF5-Hzk(}IohFivLY9k;VPmKz8s#x}kT zm+&v}X&^oSWOE#^I$gb?{pz#v&okrxmUKiJZGC%tDR$q<4gFYBwM6kZSAKYDD$HT! 
zYeb90)Rn^eq~j#LP36&^H4iFOPDSTD5`CO_F0zIUAJ*;GW8_Nkr5M^#Hxl)S93 zh02lp5AK@`e5f9$#~eE~UB5l>Z77a%DN&bbEB-8dL;Ix_c~`8(n;}uI{_A=g2d zaXlfn0k68XD<_}^l9`+oLQEM$ycJ3EgJT(PaGE+cr+!vf%!pXICpK2w`_o>mPGtUkXpiB^c;d{Up!gmSj+R zS@XAwZCSo}v3^hj<(x!us?#^R5q4T&S}W=lnIRmVlcxYjtWI3 zdmSmQN4k8V-A|CuW~ej%d}7|7l#-UN=_2e!matP zn+;!y|0@3f6VuSQmFGC=q><7a;g%crrFCOGyocSyqmC<@mMXBXUQX7@$$U&Pne|C_ zNY!M@1vw@0Ho6Yp!8jS!4ESk%I`(}fJfPK>6Jp%H-Q=k}4YCMY7 zg~C|}&56=++fy`oR+UsdcHV`H+K5Xs)*kEuoZ++K>^PSs*`uRvTd{mUymJ$3_3jInX`4 ztPXW)d2YA2TlnA{=|5T_4>m$G8c+qhiqDMVU#nzk@Kpt=8qd}++@XQPnfMmo{eeD7 z)c%%*^yc@g@25}CaD(mQBC7VfVq}N+n3N5J-;FIjESp_*6irQ*JgvKXOvkaOQpBI% zlj18)3GOONWHg2}U)Cz#N_|i7>642BA6U!WKzMPWqN+ zSxuq+?tSX7m57_)xD)T21I_t%9RH`BCan}_$TuU0z0E-+%#j;cu`;yaqY;mKVn$Cb zHC}#2f7EMjLPhUa-b}mw1InhbuUGXbU4Nf21=5#!Qc!F+Is8y`nG1Jcbg$jji^H3F z_q~QGPuYqj`--{$poKpA>02@m1P|<-*&3U4Y;MTnfx6PsDNpNb1>rj>VeB zw#rf+1Y6N_Ih5ZkQ(+vls4~zxQZx$Up7QzOn0h;*Ev&3FoztylW!+9NJ}9_4p1!@Z z_vT@(O0b&lo3;#Ai|2`uCC)B}L9`FT$ZocFS7EVLvK)zdq%vIjs@Te&h{&fy?JFPz z_RZi8agy?dn~@5M)XdIhPjsddB&qvwnI!j;ac1SC!h6r{xVlQmo@+}cQjs8{L&~v# z&|GL;n&)>lkKCymiA2k^9t^n}es;O@J5j#fDH@x0T)TL^?8k}I{B}kAy0uG^j&&^` zKC36p`|@5&DBsDwvN!^v*p$ONpt}U)M;*Z-JWGv}f1^z`*`?e=tMHyGv zxyFuhPxXXPUSj2r6Vfh!`zNvfKlm!@0N?2M?7U+yvS*iMTT^n1e|T=A z=U|3dNbs`*U8|p*aU$t9F4QO)Oc`9h(2C#1cd5rwYf!hiXf~)?WI}U3Sw;l%0auA4K2d~Dr3_h85L7=bL8doA|%i^xyNo+?(vc`Pa%OSIF zd{`UJN08o0Ku>rUXx!l;4tbv98G4O>xg&t$`9qfoy}#!m`WFf=WHaG)I-jMp_+uUP8;93QDQB* zF}3#E(?6-g^>xY`Iz{Q96gP%oXccxRLkV}D3_YB!COFXbjZ2&N5b%wZg83>X1Nu|E z0-4Ivj^6vE?bO*!(!G~x)2V$Eg1nJ(n!+)n!5;OMG4BT3_b?R$orE)`?x`0tzdK-3 z7)ULyl#HJ<5!;y40u0z*5dST*6z|9)!T}JUeh%S$?p&;@%C5 z$XX@R@@7ked7Hd_Lu&ca<$aRu@M&}geKOhH*w1XAWUMVqu1Szq$9E9-uEuJp5jz<=92Y?oQ}J^b9+NcHz4x0;mz!d{969v1+d(C?v8Tq|0(i$# z7F4{@0>Ui&q!n@^=-p*qp<`2h0ZC(}`GJxmnWqOWUlMm`+dh-|v$T+}8@xNae~2A0 zpKlIUKJu+XE`-%rcK|34dwcOgaKM{8Hh0xka!J>;YRer(^97?eIK>|;R2U~-G_4TZ ziq-hm(M~HN-s)*b;N=odKafkTv6$VaV^|H62km`47SCxoc) zb}g1275VlXH$iZi^T+1}NINK1G9uG9TD6{l 
zL#*$URN0uWdCBZ}iLp*cVwaFiv958FNr*y;kr>IF^rASw#M8+M>H3YLkYD75$HP|( z#S3T?E_L{r79FoQrmc7nAC{g%Aoc;aZ4I7JzNX%&Z@Wd3&3Q0Qe;+K@6gpFRHA(Tx zweaUM#m~P3?~`b)#Gg95ocpv77N0rh>oqW+Wp!rYB6j%94``(iy2E^`*G_$aJ&^%N znkiU5g`98UJc?*jZfsgf4_9HnQ=Qdx#EE0)EJ!aw9W3Ww3siA(FV#Ok*`pJ@F*W)> zUSE_(I&o%XGB3+5k{D+P_6RJ4Jscp8s^OmPM~zg#h?3xx@w`|TSv&po+JI_R_$oj&t`Zj)CVxb583+oNV34lN*A@^F z6#Xf+J2?Gt-3qCaX8&VT4#nq)_xG}|hMYciIlh!8k}^o^R}%Gmx4R;BoJ#lJeC->7%2KK${EVen8^G<5pLE3my-TX60*tpl3`oQnME`mQ_NRG-lAc$|u zio12^wurZ7=XsqjL=#a9VU#Iw*rq-E`$e`#uE$0DL~3RF56jleZq3Yt(&W~C8#9Fg zR2r1zI*12K`#q#p;<5~g@YogA=IhT3hMU7ipCvik6%SPG>3U5L7J2G{aj6kzxhd;0 zJ%(?5^1EDQkP5@Y|8tVfbV=!h6_#=Rq~slt<1Mi>L$;H+w0um28>7)$c9d9vwr){R z>6w_Z;|tOi=S1WJ6<(GXuf-jr^jatrtz5(O{c!S4Kp1EFy$xY}cc321fdZPLi*&0h z-#W^UFPc?1EtbsjRe zrp~kxNqo(IqRo5RK1W-0cMm41c+1LN&7w0@_qoz=w7l2Xv?`(Gpbl2>HLZQ=!VLG- z8;bo_h^2%my0Hrgjj)y>o}VF3m`6%V-Bq@ZNUV_I%*(M24rJv$$(-{z4Tn7kY8Huf z+g0r2r-{RA+E{O0a@9iaMwS>QnZMO6;PFxH=;*8K62+cs>rsR@1uGwAPWsi@#OZF! z(A^W!!ZN>-%v~}nTU`+dR$-o;Nt*F^Z_dB_qESGfOjHfneFgCNhQe2l1jv1V z!s(uL`$Lj<@8|WmzC5N>0!K-$jBFMayx*P}ec+zMyKNs;MY5B7=?giR=oevo;_Dyl zi|ligHpE=Hij<0{iB3R$EoyugCg0q>Iw*%y)hOJ>y}$7XQ9?G;dz)*w@Hxsevd5SE;V-cmA&$6OfH@bE~z6n2sS1qg|H z?zohO`I%>`5k&9(Zy)V>eT2e%qrB?q&o1i=dM_OjDqrTUCON6reP|$DbANcQPSQ8= zkUlILhB3ia&UH<4b4c^KC0ON=YjKpv_huEFlIv2(6mYZmW>18|u`AOHSr+3L2WA1| zl2W3m&=@h;pQlxsbvHi5M}77X!gh95bgKM-m?9H3l+stRJ8BBsI!RbCvlqR{>G83f zT)O_jcUHI5SSLgdCu8!=?{x8uiSo@ZisS$pGiiH@058 zZ@VJF_*k_V5ty$2BK(7Ym09*RP&!Px>UfI+;(ZXmhon@_%Fy0+=a^Dmao*5^rtHiu z^{#4jPPl;^B~}|Q&O;7K?sP(4Yf^mDA?uo{zdyo8EN4;xr>kwWWVCmCti{#Yk$j;` z3KaX|kv8#Qz7KM&jT4nLm$Is~fk{V_t8O4Uvcz*aH)hc9n&x{A3$Hee^^O+R7N!zR zlV*G*OeWkc{-V#|zR5OP!2ZdI%(~fpy-L}Q`y%T5f|yr7ELXhX<}lIr3U{(7n{p(R zR7!7NtMrk|s$L7q^P*P0JO72omF$V8nvY|B}qBSL^si7TGFyIjD-C8@4aV?Zm)va+( zwW(b5ojNA4QN%iDMgTC8X}xrVmf+>mTG5Ii&K<1ap577zQ%C>q{Z@rKrmI@*z)MqZEJJpnSKXh>Z9+3#^jR$A|30(YbX( z9eGbKltd&DCNbCgZ^BLt3EvaVnIVma*5j3j_gsoBOP1}jiluf(W^6<#!!6$9F1N8_ zMnfJe(YrmLJ=sYLNw@X17h?85zp1(3JL15APtt&W{6e0~;JYn}Qxy+7NcsVl3HO}r 
zw&O|HUEfq(7`(6Ke5l34AXDC5jAEnd)erBEF3TEtAJf7LnLm!L-yPY}M15jehHCs^mM!i2u-Jpd2hCYov80Z%A{m2+{&mmj&tKQ!y!Y5X;hO)4cazW<2HL0|S<8AY3CvoATQQF(lBHC~w%tkBUqv-pA| znJA2PnsFK@1W5ikra&pQD^cB?6Fw8WQUsE8+abh+X2K-z&Jy=5$O|o_QoYY`%+C&! zd_pUPmoPxcEk=Tf-2SX+4Iwwcg@TtS^YHAAx}O?&^);3^_Wzc@>3p6C*OSLrX!mnu z*V&T?=ag$y=<>BdZ`0l%s#0$k$tX0J2+IovcnT zQB6MHlniwpn)O$Ze|*Y8XWfMUXq`%;QD)BM z*?gMIP4~RsoVBXe)(00~5Nu1rTWFV7Q~IioI`LiCx3oPc^UDyU?b(Tf-#15Vm>_H{T7mV1~FTQWv>pG=9}b!&+f>^SwU zckn&$WAu)Z7T;sBbFH@K zy&7hEE$ePl>M?1<^5dVlTLnqoq7dBaIC)h@%3dsaO8nr;a)smxH{s8 zmnfT#>^AzDf%A`SXM7mzw-u5-Hf~I1)Ij6c1>mb=f0Zk?TrkYu6M)u@D!8(K;XYX` zir}xhn|FQBzv}dVA)3E`W!pK!TjaQGwLfiO_Gez`+H~6x4Z};K_a3ZIfow7Yv_{w_ ztN_y7owNKJXd3ULTRB!Hi11B9Ibeb^hHJxEci+V9EP-F{_wUfF+#9GXoQQ!M7&b!>co^Si@oFh|3;rY0M=CB`fZQmd9ab zC!D7knc|e+Q>|r2rnR6?H9|GDR$Fo4`)*tXBx>--(~nG7`LIKuH;+; z`iu{oX*QTT>?3H}WCn{m!$oCZ{X4YvYdldWE@Uk_UihOp=ldVS_ah zcT&OKVPj|7Tf39N-I_4bQ&%rzf#OIemg}_uR(wh|&xCd3Mysp@S9>e#P$Kmndc*x1 z_8bR~X|xdKlU4^jsA-S6eRVQ;(`raM*cTokhwC4>ebuMO#J^aY*okIdPlqA*Rcp<+ z>LOFXr~P}{HG7xr9+K@=CHF-;!8-!{<)u>>)3BPv?fW(H)v%p`Aj~|Jf*lPXxqhLx zSU(A_5XaJc83ij;$NQBub!j2hZXh$@V|J0`BFAaxc32xwuzTT!`6%Y3E7>l6EIqXx zeA5g|pGNc!KC|}g=!ZrJfiMZMoqGEZ4o!7*mcbC7Bfj26)Y>-GaXMyey$b$(_IAuL zc&MXO7fJG%*o8%P!6p4sj5Mqb78Q~P_LTsyntB|S)IW_)cWN93()nD%W%mcP&)dy= zsHIzvF7<1680bwy$e4RNE#Nin)7Q^qZomm3##T!Ok8I2m(+RsL!inRXlNqpGsY;Ta z^c@WbuGks{DBNq`&|oC5oVnu1zDY1^43Y@Y516E?<4A6a^`t5Sk`#yAh-?X@no^9dAs>@XK^sSL`+Z@f<>*o z*B6JI-whu3Y)8ckA0feVeGdx?8{J7i^-39sCwn7Fb++j|vo@CSP>?FV$wjK*W(^dM z^_aN(SVdT+(PIJ*u#zt9=uNA-^fzMzpmx+Ef%=JJz+Fmc$-o~}?!b%VLq{$sh2Y>| zurhu|1HYe5aDF;w7mg26#>EfpNoPLH_e7HIZWXYV)cmD0V9f z5mh+d)*90cu&-C>iAaRDt%oka=G;rvln^as;P8|K8VS6MZXS73+X{;!ORiC;5gp)K zl43@^x_Ua15V-T!+^;7I7mTI3f?@{u3?zlqYDJtp;b)I;>%K90x%j=2V_zcegM(zD zy|d7gtFAEv@onHh%Zdb5yV3ne4QBhh>g|nE2P9iLc9laf86H_Kx>)1u9zK8sEsE?g zHdabL`#_ee-ZhS9&SItT`p8D%i2=8%)c79_C>IE0c9fWzgE=oXXeu99f(h#68%Po* zJeo34R_!m3vxPUUf(kI^9uEv61qa__QR(21;Q>OufrCH%w08h6eN1HMUoy!o>EQ^p 
zqlHLt4NvI|T%0mqC`~i-5+HCe3T39I4HX0oIa{Oj5?3=Bey8`CMc%6KTob5}BOyn& zi=0UXk2UPPq)z1Z9rE7!V8Ji(a0g1$sgOfx0AXstdCN~!@t(DLV!C*tHk4}ossJq< zDjI4=0mW(!NLDvY19$B~+bS9teQv(o;S_14wiMnD(#aBLFq$#Ztptsz>#|Hj)-hg#j(p2NXKbBpmKV&v0~M8%Bo~YR-nP@u|D6T zyI9n8_Yo`#SV%Rj5V!JCNyESR9scY!;#3`{4OQ)uLy{s@^#U`(4pr}7W7qJ4h}xtv zJ3_62-73x_AKly8(W$v3y$Ivs5eRB!1g@6}(DD%WvBTGTPlmOA9M#W56myh?mlQ+p5z5sznX*D1qtX=EH?vyzD0+Q+^5;;+9C5fLJCw^apS{BB_pUF>*m74Zuf-m{H8l297 zpqQp@C}!zJ`v;1+t%*}F2S1@J_F_@Dwa4z(pqiY@XMD@?so+^-l-&}R1|rPOV%}fQ zP*KKvW|Z_k590}GM{SihE4-HsHlF(6jqG{9Uk6e=_CZ|}+1>*ZyGmDxzvymt)^ovo z2gR}POlK9Bx8OMZ1t1wsc3<>pVAJ!%T?m#UfyE6?j-32ar9Vol8 ztX{K;OArD&k=y?r#@N9=6U2&;s3)l}SE;`yssVGy1;+prjHUDM?3uSONP#8x3j-a1 z@W^gw@y(vJ4(&ihn#OX)l{~nn6L{ITc*eJ&cadsiDoqCz&1jSvv+7vR3Ew@U^SU)Ob!AyYumBqJxc1@YTNAnk8~t z{U@MN)UcMGw(S68_xsb>#?tXsR(6LQu)*?sM4gD< zkj|jv4*Wn}1bcWfC2J`KvLgx8qYYevGKJL4HYsjTgY_;U(d1Na0A~STujz#$50qXW zqZI1k^%qB?(}w7LOS&ELC%F8Px!7^PP$Vu?`eI~lv^H4Iz^9cY!MD6qCv z7i5HLomh>s7iN~=?4y6$V0j`Z+Fi`xWEN+HoCaBacy$w*ruqROV+SG&GK`cD01c*s zbH_klYRI0*PmCmT`%Jm^jko&9T}*B?d|!7ZKz7>iGB2P z-Fon}$MqG>6}ybt6P$2Bu!`UL%PTIHltYjJ54Ra;0M@M*9A6LbsS06KSpgFn1kZsA z*|m)zF)06bCw&8dz!Wxmm=!Y;7Tex+P{EnbJ=_y0AR#Rn3$Dna*M(U=V=W3W7)Z6QCH#z?IfRNP%JC3IHDUc zGWF&73~*q*SiDw*=RPSnH3Q2t0k@o#ILF`A=-fyGr~&wkVZ}$s?PugmnauEC(u9mihIqgX(~fK zZPUOHQ@le?=LSQzr7|F)J^2A?$>`aGq^tkUOhum9XwPrwIGk2jSD^bX!2J+l*h2U`$0% zmr0TB3f++VJl@VbBDC?N#;r!HCt;5OyhyGYsZy`i>MiaE@Yv{%A>xfGP^+sC)M-0o zXuhKpCw2agXiFmi4p~#W5_mskW5a${%#(DkuPnii(rB6qR)#nN^d0q|BIV+M8v|mi z_{OWlhQJqr(JK^RWMdez_qOSqX~uWscXh-m$_2du#1f)tqE@A~AOLqgt2Z$Bmv3TZ zx%#QksRjUi!iHwqL2$cN5p$vgAJB>P$wjI0tP+#=!2VE<2R1$ApG6Ng6Y)kVYk=eJ zn4LDlug)FWlhU3;k#GavSNx#9ykij5nw^vp2}$lVuZ`H zE@j|OEL90b6h_3U;HRcJ?-@?8u&2Mg}Y;bCdp$ZqCx)Rcu&Bvn$^11lgKEpD6inj)NO>5)01_devUpwa_}%t zu)%F2yOyZ)9)j`a+wx)0BG9{#6P%vS@vH@m0ZuAv)R9Q7g*O@#;Qvne}wC}-A-KFeKE5obT%SD9uY(!n-*?)szKTntvE_53_lHjuhK z*1yc$DVFm>QBo^YUXR#;7UC@VhJVyo9R-Df@kj@$raCQWWKYKSXa=wuv98_3Mi3j0 z?)7X`o{fQnqlvsZTw!qI{iCybX=lS%)n|Yw zVun~qt-djC# 
zjI9E2WgVU4aGEk;AIOS;A~STLGu11Sc5(*sj3gJ1Wl1|K{+MYh7!3hbOrvixGehUe zv^hidr6p?mdXyPx_B3$ zj!E^9#?g+0sZ91jJ_W1{-v(f$EG=bx#Y$zznxCJPJ5sae`sG~$Sb7Z9O2m^tRtd4m zv?{^ru$=In?PCLg6Dy@o3-`v62Z(QjJvZB^1tJN-WAViOBq%eO7$K6SL$)K9H@w#% z6L*ePF~3I#P40N&ua1xGdP?Uf47mdP8a8w!fmAarq_-V&L7()bb?M6Yd zv!KeJ`dv@$a3}$xSgc9lzO-dg?WqOF?U`V1$Xhyph(ix{N#p)uV4C8bkAT&ktqUsw zV7(@HrL~%Un1Q8VipNwaA;9E;M%R@vAb27R=e1V*sCuF#b^?UezI@+r55>+AyWh27 zUtc;sErcx)U#|wLaj%Z@_eLU9B;AlCVnO913nhT7S%$(`P%fbnoyE2JDQ0N+jV@=t zo67lCGI%7)fm1PPbgSVLPl!E3(^hKA=iHL()s;_NJ6%T!65`4m)_Jp^gPPgTc{&WZ zE4-ZLAbKrJpYW5c{1n-WvfZW$OF>mJ{~{vkd?gBKZRVK8-Pped3#>sDgAcIm-BC}V z;`-sif%N?NW4|87D^(k=0O<(Zk7aO=JFJ)+6XUs;!t)JrCl~tvMeulw*WMq}j@D)% zs)D#A=x_)H2L!oTGtKWcm?}J4h_jil7!518U&D{i13bR0w%b6QK8G{#Zlq1jr|P33 zp9j<8#jlV2WdLzK=C|d7*$99H*{h}+g!%UT*|Ci%{YPaRc}{FT(*J7!^rhjD9-}#1 zn}JJNGPo(w;_;O-OkaF9N|R0PIlAnxb1@3T88h|FM~Af<*Vx~!2wtQ z!$)u_od0dAj#B>)egrt0<15>aUq;U1?Ml?-H)n2< z3wiCXZ|fA7zP5gD*7xmx$ z_?KTrZR7#Oe#5U~|F_NzzgYBP>$9nUb-}!R!1de>FH*kx<=@@;i$a3g zwnAn9#z_6PgCf#^O4;!LuS#i{-;@}pRt6!~X@q(|{5SJ!Gm}Qn!fMUIt$>D}=v%M+ znS7@KILW%}xFD$=Fu|^^`0n4Zrn~G-LLk1jGY=)pcb)mZY`qMi()K8z&o_{e6LAy3 z$AyGtD1A7>=jzpu=q;V$s5J7w*{nY8s6wFHUi_L_N3R*hixZ7@HIbhHEUi~td4J;2 zx*lo(&P~q9rD}7EArau&wb)kuP(2Jbd(GRZwo_pJseiyOo#rEJK_BuM(D)NyQe3PT zu=wd?k544DbNYPny4LoJYFIn7*!L>MenZK3|J)#4JS{zwyA-6XsT%uDXVJzZ$N$Ad ze-jmHz#61({=3}&+wVS;{iswxI>Fz+`!_uIn@k91-`Mfn|Nf2c^!#Q^XVKQf{{~zA zwl2e4xmv&d@3U3@Z7Sy<1+3cPq^7&hN$%eYaxIK7))thGEQ3C9TEIWoVTR5@ zJiN$R$hOXOLS5(Xzb#u|Q4314fcBwWGv3etKaHXTNL+b&@BdBZzp(ZHQRQnK_kUFR zKdO8#CSS3>>%c+j|2Mz3>#vnhoR@DHoD0g zW`E?-pc`~QQ&N8gmedL$@*Iq^fCeT@}OVk zqQ`ok0uPz)3tq_4!*huSbw0C*;TkfMSPkI&NOvxJXWD=@=fAo#|9;H%T`QFU@@BDS z)b(J}`sYCMbTH5Ns#u0aYD3WOX2WS*SR^rMs_>!<(RR6c&R_a=e=3SUE@r$Kd2>wKA^T&3UyQMpCM)j1l`L3&n zOHE4t5m`T*egkv2U^cpznKb;jNcTr1*bc-w`fp`qZ~I$o`CVftA z=_7&$4z56djj`7nBT;X)<7!tOXYX}PD+JZ04%4+;%n2z0xL$TbG})Gc3zRWFbj8sD%& z6qDr1)VdivvVVzNa%e$I@1%*{_(814-^_eAbcm|zrqKs-6f?Tndg0qv+zut0T;?T`cBd<^_BFx}5 zuZAKXQ@_TXqJh5(hT*kHF3|T)T0$wvG5@7NL$eX 
z`i4}XKHi?|bfHRj6S!)$p6Y$S!le1I(NE9nKGg1+vSK-~{~nK?umGa0s;pSYFZ8^^ zwzm=|3>Jqd`YbP&PYQ7FW1{mhel6R_pxrx3HB?zSN+7*W$HL6@U3R0u-XebuoWPMb zL+p)(8~exPdQ+fV_3WxzJ$wg?oIISmobHp0NT^>A;6BsEUr@w(m2b35VLk8SH{)m6 zy-7uoL4mDOvcRDRm8ZFp6o`GX0gQ9rT=k*~9l6+Ok9QtBd zb=w`d@CC2J1-4@48sDEMF%^w~Ue6E3!0%pg=N0XWS?UDyK-W53q+30AB*xlqnzWR# zC2l3Ud9aWUV?MN^0u4;h>*dreFCVuSC=chqx;mtm#`4Z3Ib8Oavik$I{`+Mq6#(Y< z66w(w)>p7Ekw;WIdE*1ZA)xfwwOkmf*JtXPbPK@K!(rB4_exq8_Es*0W<+JjZWF6? zcOI=@OpA|-?RV#oA!q2S-Y>;mYxr1lR?57#&$NG;^5QgJ)l@b6CFUBDu_K!pj7obk ziw1Qx6~8HVOS4?avhzl*E)nbZ7WEe&r9Vw!60-Yzs@HFp{C?8E-zI_MrD1(>b6@bv z7QtkXs8I)L%vjro_U{x(m;iSr*I_l4=sksr0&;Sj1<4slRQt*%P593zVlC_ZCyJWx z;}GfnLs@eY=RJC)Xn!yCrX;oIY`Yrl|EV|bfBmK*nTO>3TDfrWif;6=R%pixCrM+t z-QVKzx!@N8m2E{HT~RrfG&33Rf!x65cgRJ1r;jhTAgL$6SkHg3fWqlX+ z_e9gnDXNO^-MR|=%z`<4Y`b=U7*KrWC+jz~w>eqn+O!&QVvj?c+ngKb=4x3jM|-IK z2$x$P-O=Cp7uC=9x4TYi3@Z+Id6II7bImDMh2q!x6=5Ovmh2n-5Q8LY>E8^VMj;Iw z-L4W$Gk?|Czj1$CmLdN}NyjP`WELjK^^+^K74MYdHR5P_%e}JrWQTnO4RsF&<(e!nsSfXnM@K5of-8Ygk|!jZuvSJkiP>C_jGBduAkXF zXBi$y=3p&d3?jMwp+zT5f40k*jSL$bnu(UmB%&ZP359D_%(e?Iw!PvHc=F1j8Kb+( zblO=L=1vY4v)r5+z8P@ih8k|onnN(PCP{#sS8JDw) zkaEB;$KbOfmSD^CY+~(LgBH=33`r8(_1A8Iv+>rqC@#CVw|54J-y(b>SC=Rq(*r25 z8*7FjyF*I9=9rxyR~wcv;4xDyY>!XCUzAxQVd+ZV+jzaN#lv?!|) zxyZrJ1hY$;ip@j5keaX2%KpI3)s-b)-(s#}Bjc4BJ9gK$QW52iCcDILa%YMs9;vU3 zs*bHRJ-vTBPELD#>tGrX(q`Se;kZXyDFP^SK|T%R+=a<$`Y-p|tuf!8O)6EhET`eV z@|Z#E@4waX5rxS|i^iJpI|b3FlB2$F#6Z{JDxk8gj`NDgnlRD9cx=Ijb^zIyy=}r< zZpcpe zv&-z!9jOHFd-u8c{GV#R?N_`Hg|+F}3elI7qaKLLX-$%LM)r9|9GdC01p$T^f{J99 zC=$L?J!+a-)H@)cN5?6+vVXTCBwaPDOOqAQ`M<0uYj?4Lo zkpl7M!AZE{nppShry>0+(U)blW-b*4olnulFFUO=?>H@cK0d7N zr%$9e^(syeLqF0^Lo0B!`WyJ$dO&wHjM1yMbqjOln`uV_`~YKC2ZLOlEX3^K%qKX6 z;Ua8O%w?iPw*lR()sYHRwA|Lt=^L(qQ~%Sjz*TKMy42oRY3$tIf_qy9`=swfeRrp$ zquv6&A^C!e3|UA-qmCt6;)rT;nbQWM!SeWsj<-8O^ijWq$`K`Axma&E>9IXAC4AT2 zhvlpVs-_b=ZnZ*c1{^T+pdPLq8#05rLP@DqAnAmkUdWJx)pyp%t0C$VUE8GJ&vey> zxuNL<+R_Tpw7EEk=5l_4DzJfux+d+;KNyr0aE^Gab$aaSjQD_ehd(4rplhX=PP|F1 
zU!Jxn){NaU$evGp@dr?VeAbz>QpYPiTs3o(I#k!ny~LdRTGYh`Ic1q`QFmf=*hsCQ*g6wJt0bG2ZpGMGu#)m1Ur+LvlzeJ`#b42^Ds!upID6$?lfwbZm{W;5T&D0p}wlN4> zD5jP;1Tv7(^!n1UkF|8fmAj|-+@(vy_`R?HS0SbN-I}XTNN(8os$wXUfIGkd_6nV~ z+uX_yMt={SVo~c>Y4vphvhCWW7l@^NI~BcX4K`u69HhViv|ze6dZFgDo9{av+f}=v zkABCK1pL~S%?}<4JdQ^sG58VE z%<1CZk5v2Ou+iDOoM=WX5R;6e$=n=;RGOH340hCPa~obz=G}^Eg@jl1EK6lkk)}*7 zI$sJjRd=8+fYmxm(80))Bor{v+ijGZZ6x}9AB-^arbg9cX(oZNJg3F0sv7*lOv$5c zrL?4cHGD7q$x=ecTZywyGZNRey$El}RDKk)rpGfvuP9HCe3gw#SX%7}J4{?|m8!5? z3SLH8Q5O*WcrKl&dy~Sw$=FP+A8SA#ar+F+{N`K%D`gzKIg3l7O9<*J8DKt~`S~@{ghWw}bZu1h>9w5_mbGXku?~C|``)hfe z;Y8Lzo&jevFQ(``kgsPXxJaz4EM1f$)>YFvm>n}WP?C#R3KxhGe*fX$3(TiMeJzsK zmhos~GC{gsKn^g5;j39NWY6;Xj}MOn5|A9w`D0*Uw2msI40qDaJIg5wD>D(C+R9}- zG>J-;N~aTB4A8UFEGdjDtpsp_5`evs6Rd~nc9w8~yUQhjzWKb)#QM5RX?(pMbe)?Y zu^N%DGE^%G$nLAZ=rhcgYq!XG!{I@AN$!F9pnf+-SBDg5!Z?DvDv@-<_Hza+RplGj ztqdb7y-MLyVLhINP-l;1k)QHBP8dtm6Kzo|RJz0Y+6soru*bpss`R;(jp>|3f#v{g zbL6QC)6>%2=va&^e6^L^<+-q}Yo)xhqIV*~F0#?evVZ4Kwd7eXYjSPyGi z+$2jM8eFsJ&b>Uq7T8u6>ha`k8Ao5qwBQWZQyrGyFfhyr&O#w%l@3`QAq}Iw{)mqT zPfOD?(UHt4`$}WT!jHeau{3@Yj)u9xc|8+>31aVjTsiBQjzQ8hF}p+sKNr~0E#Z_} zj>bY?fbvol!ejByGDye?<9p}C9FWR6% zcN-{}-I>AA)ps3?T#Hu|^}Ag^Qx!&ggD0o!sLT5}mxm@ld#PyDn~07YyW*tCYN#Rn z-TZ0!&$P&C>;`$S7kCy83DWnh9mgnQ!D4Jp^ z^|hpRm=BkrX?+k#!n4M7JAd}03E58{Zxh1U-on}a=Gb-O8R|u)FX&B@e+v-m)ct}lxXVj8iWx=gvfzAc==>v(hLhU6fe&Z@V37ZQ^{ox2{=a|Fdi7P) zdMyCy(l>lQ!rACI%&L#OtG@k2l)L};CJfAj=Y;I@=L)~yB0!%lLLk>sLQL;y_!Ll~ zWY3;v*2-w$o_r21Q`#7D2ihLg{W0 zkdPFRZmAhUKdfTC-TJS;J=be(vXv>$>jy z5mpKB@Yf9xCwhbT-o*QP_pRF#i^Ae!-kh&Frr9wy$vHghqZb~{`O0%LXKsQx3CTH`aW@E3j~%(UkZfKlwkekof@R0f(}2 zwizw*k4EpHz{6cyY>42c-!bAny)`8My}==^@JCck4A*H}cvRHtrIS>1H527OJ&*tS zzRz3ajlMwKx1vDas1}Vvj$D!|3eE9DI#afP{`SHFxF8=BTp_eaBph^S|G#gvZp?;= zes5L1|9@Sf+}vEV4avoYo85)S=TQ|Q|Hah*ZubB4cP0Nj_u}(jC|7<#{*k%2_tkp_ zx{oF$z)XFvA{1qAwEyK+AK-Ai9-CbQb7w9k2K#z?4ABsHiQ4fp|GXgo%{hQxd7~nv zX!?FX;SlQQhV8JTr7KUNJ11LXMtHJ9!vDNrJ`ZUWw6vxt2d?WKwx3yz<_?K8^ZxV4 
z|IPZUP$;mfKFmt`WTDv1u`n#Qy#?soTp366lcIKCNZhcEm@$``F?k9gUkN)jIW>c6_KzptSo4Pc{v z-IKpRF`V3DcOiVJ3$1+eAbR6QN1hd_?$ zzl|@zn+G_sUw8EyNXtln+pO?3hz?J_^U|69JwW)%N`?@XE#y27{`=$mZ@<3?0j$4a zaj`A1t(}Jk75+=vaP1%-xi4P$v;aqOFIZik?$&YYM|F3qMZb1g?hM_|n{n$THht<0 zz>Dey4LtU1m1^tUq6)|3+BU1yVwGGYrwt7aZIHn$;TkT|eu`i5Y(^5>T=UKuRkHh8 z?tZtFlAoAf2h=HY9!R0aNwnbUZQU4o`E%ng+36<2dF|Kxtz><&(XOx8PCL`x@P2I_m9j9tlq zM&6p5s>kBa0-LeTM2|sFjEY)xCc1w2?)`_8PQdr2L0mqwOyssTI*OV=bZWGkVd`cH5UXJ1h$!9>IiNVoOwjb`@xA!aC*n=l3A3&+vSytgy1@@9hJyd_i~(Oj?&EQJ zn)Gws(c1c_b+cXc@10(c^Q%|?28V!W_}G4PILjrDe6V3X*^N^O7z{BNxgq7J*RcsX zovyPt9S3@FV@d|B0Iz^e8w?Z?g_`Hc8BDR^5;bEEj|~oVo#w`r+v5ugv@_3v*%zE& z25=rd)TSHc@E#pqy*SwhT!hEzl<6`>GrD4(ST6%H0N|In^6!; z{YJV64x%X;gS&V5y0N{}+vVSz0}!4RX3*#c3wMcs{6c;t+z*X`fkADoKpk6N*lNpY z{yjb8F}*4HA1xwWH~=)+=;q`mq`o~~VJA-UF3@FHpUSpp;ypWEL7x`?!dSi3Z~Su%RFZpBx!4(XzH?xeePuhZzG; z_MP+(U@W@15ih#I>~F8O&Z=9_!76oi-zV{EmwAWJ6DlVr1Z&|j>I@n0=;+X_wI0n? z?C?gpdwLG1K->&UOx;PF2Zo45mt0s(m9H+^_w$%G>w6JRur>n9c^4dJ4)qeF2WTfR z5`z^=F{dqOYs<=YfjfLXz_-_MU54>_Z~*Wv3G|-(>p_gglg#NklxwkNI?^iNuK+QV zvDJJ759DwK2w4d-NxUyP28y(*c-;{%C-7!2I%g^JbFIm?I+k;$gmx-0{q}%1-4jkX z;KNSNhb!N=X=US84uDZ5)#I1irEf%}s|1hT9UcqK12bV7WD_`78T#pb$$ZhV=S_`5 z9cUJ~0@_n?zEu=&Nt5CW>0BaWtdh`*G+#QIGd;E1R;*DR+a1o527IWVRyr_aXgsH0 zQkB%9aw^2F6liI>{OYi+W`6i_@-oS3{$2L;@0kJN-XN)QS#0G!_H(`rGB&LCE|SW5*UwcK9BHJO{u=b zZgM{!k{m~;+nf7Z<0F`2{%q(Li?spdSaPw;Rr=(#Sf{Q$uU>vY@N(z6M^f8sO{d^x zI=jNnmWw%4v&Vv?7X=C3sndyIrEzcc;Efm1Jz-UjxLZ4QDnHR=G)=T!#gk)J!XA<> zG#1FeLL-gv)p}yi(&uUE=DqE~GtCo}C2t&76w1KJ%36|BqCAtFzeTe(uX+uH%743k z$7Js`9|$?_XjEH0HM`r|)KI1h>=k4^A>4@*OPPF$$&v6n65*EF?-xQ1?RrHnhYF~3 zc7qQ^EE|ekeD6PUoIH$^MEx#zN2qhI)IiMZT*PhFOVAM*#6J(r0m5FDUiJNMEwuYz zi->c@w?^lS>ve0U)4&iVRx2P7QQ!a`@jdQjnUN%+($M-S?UFIauy0IjXpanzC?nTBB=u-I4jASfaVNcf_cfm(8Ic%18^C2`6Bh`pbC*;_VzHJ+~$-XT9)lLaI^ewZ~1=%@w> z%&wPwKWj5`OG}^Y>nk66rWk2wfJg*@WbxjMW`h$|uZ8oWZ=Cu#aTPxFYHGXhM|;Vk zFV;y!(}3i+Jj3Gg;InNlKizFvTQY9y^lt(FScGevj^x;9QL?G@>A8=2*+Z-z 
zOnkIdP9_r~bCaZe;F_)hgWPp;soR&I}A`bF!r10aoXYOhyuxfrtfdE%rJ#H;A?*gQ?ZM@|f z9+){ga-_IWwctIq=XHC@l5O_n2y*%~Kmf@11x-#(`>U)%W4Cpttc)`DE~^FZpep}* zX}i>JeZe~oq~4D`u-~8imW^rQF203JPv%*MtimoID8h9gvVPquPZAMz+=+phgiR(y zkrtnrBs_7C4sWyyH4mm7uWXQ%Xb7BXPei7Sd8bdu(6{pJXA}h|R^lz7V{Pu6#uqvT zys=ypmwa2P0;l9hRc3m~uz#t(1+v1HGqipnH^a0$Nm*D=Y z$>jpP)Te*Fr7m!F5dm|#_a?WdAnyq1>1qyMn5F0Yc%^dEM|nkfplrONsQUO@2(J?< zg(z;?oH;z3`1GT&l#MT2F|vLEJ*gW{%`ds~Zh5t;x(cK7h7>>2p{+$POD2Ch+9l?v zc}=noV=!AQ(re^}0Osw2-NO3iTbyY!v15v)1-s=PW$^H++VUGYs4xjlVykoU$>le6 zGU%k$w9$oDl*OdWh%DDhyMVFX^GnrBsRj!adpM5+oPEsM{3lpeVRcio%F{p10efiM zP_T47V@{fl6+*tdWQa0T>Y1@CUqhX2UnuaLec_9We$O)u8dW_jQg9Z&s1hOHWY)NM zFPZUIjG&`^LGYfI^7Rio)FCG1v-4pFNqns883{9QJcqNZdd#?r`5C!v$ZCw5meCuA zNkUD=!aO4dxYLV+AX>PHDpkU<%N?4UBhOL2zxBj z-8HmXqul1MVn&_U5l@&N>%!Te^Dy%ro2nd&me6L5t+ZP0_VFU92eP zzZZc`TK3K0872nGxk1ATeH!o6^Mo$Ki`XqX8I32maXm%@;ke-Ih`!gpQMk z949)C@WUgpv;rvxDHV?9n?}GFyTY~zWW4}J%4QP+h(UQDq9Z!AS>D~~wC*@}MNg1$mV!z>Jw6tA1QlO~;NOHGX? zSx{cEutCLsc~IWBp2~ZI!f!5Hu~=1tuz*<@WCtx+P~FP&uOBvt6*8q8Wgx@5qb0a5 zpXeez4bAMC3KN{sf^BpFeMGXxC|@_pgI&#(hu1&c`WNWVHO%~ z20HwE1cY1>EuPcrg5L8eY~e=i?j2@tGgNEg+p$xXUMTT^=O1@v9@b(UqkGzVb$-;< z`$Up22H#<8w9a(C!Nu#AWhuLWo4 z3b3K9P?DFtu`fOiDg4cPeJW`|RQ)PynA@=Qw68-sn)q>rH znx)@B=iA39;BJ4+k3U?RJ+DQ<`zlmSF26L5D_?+LbNJuEZml(=7hxI(0>JQg@z>&9 z?HcPW*giGnGwN~HnU4jG@(N-kvf)FBMuOB%e*&_Arvwz9QYt1vO6i;OWJ1&S3EUf> zrCFw2x=5YyM4n=ZV4_)+G#tLp62{^bTR9fGJrc4Q<%YeX;gr}9>*N}fUb=Gy$+I|LNm!1gcKT*#zsv4SpOm~I3;p6vZLKhaN7pu zqvHdH07;+ls`3Pqm1nm?vk%)M+rH4qUZ@lqjIxQp*N}$oXZxi<9^BCGgu6B#U!u6= zKU{Y`mV?=RyL-;CxsB!mvW1t@%7EY})XSdUc7-`3a(qR27Q_=$Fp0pI*?zgP==O=Y zFXf>#4adXMjQ74&OC{Jfs|O`n8mf($U_|seP>Jr11Em3dYptC=LBcAhL5-}lf88d4 zTK>4YUBvd%@CVNLSr@8tIYMwTcBFNG1&RW$;BI~@(8&7TLPVAKg}SbT>JZQ^TZ+qH zcI(~T6f^l#x6+=vkTwDK)Gc)foM0@7ZG?Tbt$#bM1)&XqkCw9b%&Pwc<0P?)>O8bv z_;s)>=NY(UazQi-s$mYTgdU+9b$ox=a}VhO2W?ybV^_D+Mj49 zoiiM=t{MGk@##1;stGDDFLx~+sk(n$6~GIOMC#{SpuGW7#IH#h@QE&quYIbxlN@im z!;=ng6WWS-I_lNj5=o@T_1kA9E9P4aw?^~snPYFveLeF$YPtfxK*GjZH8TUv&hreb 
zX^2%%GCs{6)zj^+VAiHu=$8Mfm3@*SqPMY1Ypm-sj<=?JP0q2H_>;zdf_)2SP!Aj<=TYd-fck9HzEU{Nnb=|YbU$?)%EhVLck4$ zX#Hk(g6l>r`?2wZNXzRCA-I$#eX%z)DDL_&rgF|ue{PE`dBqNn_1%~!&=wqU)KIb-s$~gU{QMT zTWht6A1o12bv*zrTi-+#`30}SXFZE%)_$gDv>{1tHhg5cen_={ZElI7O!1tFg{5Eg zSQR4|dUXu{$?n$;`9Y8KO-=(%9qOTSy>WtIvoZ$Biqd6GygX0aiMJ@G2LQU0Mcd`h z6BP%x0bU_!=I9=-vW9VRP~OFh46E086QvsowF_mOD%X0AuKw*)KhX5LC)S@%fUYTe zlHTD$+CSdA*dEU6^=y2){`yCtV0hm~a<{Jns4F!y*62Fkp{!rEPVW>rn^khwX00*! zoPced zF-a*{*y`(=H=HLU8aNe1Su7PKn{?V2^l_6VWG~hzgRo9lnH)W`e{hf{hz*jR0Zyk9 zc&8;YTv}|x$L{iBrb*Ll zhz2J%n=iETdS2^EPUB;+ zML$?uVTQigl?m=K>sIl>yA;@j$TzO>Y1mxQT!67Ou(v5nMehO#ydj`dBgs4nVC`Z@Wo^FLqb2X+2^6XMXwZLHK zEAfYZ-l~Lf!-p8=4z}4Ogo;XtmzjRn`JZ;pW)gI7W~ONwus@pETN!$)WXgFYPM6A) z=_iTRn&O(K&+6RGEeK{;CF6!1mV1V}RKR0ScsOY%d z8#*v)L+Hb2)$-n1I5zpbaNhX6y^RUSF!Ebd zp-WA)0S%!iX=F72;40sthNNnawDbIiD>BJ_mb=0h=uB7-*>$0b%d41?_ABqAwXe6z z{xEyw*BIT{)?qzivVxy;j!$FG9xmJ((M6baeIkwFG#`a2!iH^l1}XpZe@VHbmciHo zK=R2&VZyQ8kT6cJ0qP;;VgNAD7&F+o!3tW;tp0lKd%5$GMSPEukDT_+8fxRc+QCQ_xkNBmM>;mOu$DS}va!`wlvw0xbcc@VU=&QBA zqgYi`R4``CC6R!wluj%za?sd7A)B5Vf?M@~k%19;)&(aRWs&c+6F9AUWQM|CETspt zOy@{G5WfLXG)D2y`N_MnDJf)NW_w_GPgFXEc0&G|fd?GKZL!{;q)CKj|1sA=bywZS z=7?-)?3nkW?h0{H>sf@QPSMRiG31oq7cMLn7KC|#gQn#Q6~wqHEne}&4o-$2+rp^7&Hn31cSjD=k)8w*NYi-x3NQR2*Coo zB50T^nQ5|1wgZ_6^1O|`31Y}V$Q>BJ_U9`6Z^WptwRJHJ56Yu9Av&romlgI+RQW#y zM@+yStH0n=ej@G3@UoS!5lSyjWS^Eb_1V5{w*ARdea<$ce)jSw`vg(-%O7Wg2B*Gt zPDR8O#V(IHO`a8l^CqH84h?l}c4ul>zi=8{^7}=ZH#+RiUwi9)Iy1y4Rv{cRa)(03 zCW@PyS1r}TlSFCKfa9$+XslJ z`27i7B??R=8%CtIW>A-M=H?tN2 z)OjBtm2=J%e6SM(Q;&)uQ@rovFD;W><6qiGz#}&X_GvQ!dyCZKtA4zLPz5i?e#9Jo zgyUX+QL&m(E&9PQ2-j*?CE0x(>-uJ~#pf=#*>@i|xz=6zn&!}~LiU;2kCk~K!7kkh zD-}mecE~7u^(L*b!%Jy0lAx_)U{E;e)2@G&7Mj7Nn0T>ubZ+$vb zaqPHO$1<#Hj1x6TpI8ZJ@NMr05MzP-i(&+2d-K{alMm{Rvz$V%F0zU1D=W|)T_VD> zu)6z(9w`cA~E@fnV!SAGC}zY$`WUn4tO2MgL#&tiQ?Mzg;IusyL-BK#hjD7%TA{qXb8o0z=nReh%J?FV%!BuR>bq z(aGFFGz9*-#ZnIS2spnJ=1%^L`@dAP1ZF(tQ+e0cFXs#P`e@#lG!5m~nA)?38gsx} z5#7xULB-GTaU<*xo}~v5j_LVel&;0TY?O~(M%O($lKxBP^FOi?fDC%TVc~Y4`!`RS 
ziGczSs#8rjlf$zIl6EEt;z{Pb8oVA}FY{;T5=(eP5DydH*Z*0!----+QSYTbyg0h} zxMQ>x$+9GBJH)0)05Tu(g~|5($3BhnhPD)jSQ3VXffUFY3>5GXOaJ-PHVancrJ=YG8$GeinywCe&pB;rAVrWD zmOy275Ay9hNuKjcgk*i3M~55p4dn}iRd>U=hr}=5npR%NwdNvAn3cSoQjUnVf=`$+=U6 za2r}}zTCTa@7g_bdz20|NRO0ppITawN9^IgT=XT$$lpeUq+=ZjoI1LDDj0POf~Nyz zz`UnHduU1d`GIr`V|DVem#V8RY>6tXN74`5N*VqJlKySw+htP^vDt0US_1xBR54*_ z3@+5&rH*@+v1JqUXnkM-n5j2Ncz3JpuRQb-rb1?1z?auCf3_p?C%HeSLSkI&7s-(? zLEad=(|c1DInv>ZC)*ROF=S`O*!f*{$Q%NYhJcDTQQ^+lNU(-o`MK$KFHN zv!&JUEZNsY^;t8vR-W}1P>Vn;efJehmU+24{PL5b9Zca>RT8>iKOwPft7w15v>odBOXwzF{%oiDTzif+4xJES0^Z&BnA3x)Fu9*^ym;hW-kq&OYzL3bVQ!9t+%MZvo$dnft1^aXN+MDZRN$mG( zOqunY_$_xuLa-b`Z9R#8h=d?vvnT55UjoqTT;o#6bxPD{)~nACX6)ZyLmOyOa)sLnJo(ng_KhNF#gaq*zx19x23N~b+nGqEz6%;G zOGdb!+-x7&V(lSnn279{SO^x4gwTo zL=@5YZ+!G1@0!RVh;8LIMy*$WJh>U_>r736Ds3UdBIR=|Y;s?mB@;@NuO!_G`%l*` zMP7k4o~a}GJzU8*K$2!fJuLTTr2whM+8xasDQ^$$Oa5(SCm0RLqGM?L2MWZUA}DF0 z_qY-uiDdZSMi*?02NQ^g1eVv#yD~z8XrU$|kZM9b=QO4Ltj?AL;4lkiXcLUO=a^Sj zAjVAJAe|Fq`l|g4$ms{QX#IT<`sT7&dxrk<>}mqWqnTKTf^Cv3*%|T|zGT&GR)zxb zmD&NdiD;+gP%eVFa}c3i+zV<^oxBOLI(oWM@t_}8(Ew_C-jU4>91LxGSXwvK1z(>f zNE)VjtLkC&sBRpdZ&cifPt`B7H4ArmT}zYB~!06W_J@RX#IR{fMAd+Z1RZkE-U zpVILw9}zt#wNcCr)R|$17(;M83&SOW82f| zy<4jXiPCr-rB$c~>29wW^ulNBY1W5mgN^EcG_Cy~rVMG0b8Hi$MeVgPw_D?><6 zf;z_un6(NA`ukbJvRSr~9}@Rt)^^!- z>80IDH`zl{-bx`TX^#Y)g$Vo-)D)M_R*HMeFq3x*=eC}2m?DAqo6P*7=&T@Dy%ke5 zvu%DZp4FnMluM}?iZg%|Piwy-<+>2NQ^B20u-FEGijwKLE~EA^oMK&ubmS8_i^Moi zEFENMa(#i?OZSP;=r^sKRaUPlNqt&inuQk>`rdwb@n)oJu=krvvp%980twNU!V6AC zm;|~k0A&&%9-Gn`_4JWMD2YFuWvHKE3VVqadc<*=1n8vDOlNB#^AB-TL~}} zDaJ3SXDeD1+w~0~4!WiH9f{Oyh>y&0S;RKp^|Q4ba@rQn>z5}QA?fozc`lEEc0q5q z1w6f(tLNgMbA8*Pcx58tOH#!1*6^%ck&~e(j0|+pzhqxs!y5`O!_>#-&F6Y+vnT3OGjLwYz_y z1E>Az@gUZEHzVUE4FjX1&En_tsNJD~Lwx`F==4Y6-7?Rd+f~fHPPQ2T@sn1kb;(f! 
ziCvHex&61sY{yA^6@XM9g@8^aS4UqYjsF2_MhQ^PKVNA&yWVW zKi*=XXdm+mY^9Rj$4H!aKSDeQuOOu-B9n^~kByOXub6vS1eKQa4d;u%F^(p2sB~jD z0MxdS->)l)!9{Mycezs`ZD(i4pmQxUOBL~y($A~dGvj+;2?&ScA~`>dPJcq*%fse8 z`5kR~_;<0p<$&69Y?MZ4bhi!}8bzAKg>qt4qUr!5P0q4NI{!w5%+{ zjF1Cl1kc&Xw?qcV0hOS<+wq3tecMEs;gR@rLW&S^UG*1dkG`B>d;Mz5?Pypds;jF5 zqsl&CC^wca<`2&hMQh?4y*UOB26Cs>*xp7tE9>iWF_-PVFbi;NeTu#stIWROXf;Fm zJbStVNSYKF6c;K$D5^F0JWe)8XqlE$ckYS9iu1zm8k9pnT2426-GXYeq+>WMc5{%2 z0njw+mZwmDF2=xTJX4*-65QASIraEOO4r+6zn=olm%`_8y6UxyuIV=ZRFA^zJkJas z!$-n9xsu+IRbxuyB;(qvmwr}_iyqPoUFpQEiVnqJf7V0nn>&25q2aMl_FVY@IO1&c zGS#}kWzR_8Zp{A<$F!RQ+1>Ru*KhT$Zq+!je2fvr7m z`B|gv&mvri(bFM<>kwjr`LTOP7Tzs=6LK*7F@;$RJWQm>Op5%o_a1g8WdVEOUzvm) zQkXg^02$t)SHJ5UE7gw3Q>uXjh3}z>f)^95&j$#(zC;b5-HOyQKno~@M9bky>$hSk zWD*DX5>kZ^p>Y;!E*9zOZ7}OUUtq*`PKQ9_ukSxPx_C?yKh(Fu|0mzsL8I#rNg~z` z_YQ3VKmcAK(WTvy+^%-*22={XgMhe4UU#+cw?0RPVjtLhH5?wh0LG&Nkw|bx74=67 zTe{`B)6hae;3+?7PjW$VeLkJkBzoFCNQQ`pF|JZx(|bPy)!tHTH61|FuwufHibByXxAl+)D zANNTCxVs?bRP=}-SRtpR#h3g*DGQue)+fH$f|IiA`8~d$Kw?v!FFSlT&>LjeO8Me# zy?`T*BRA3+j{_a^i(o`t1#T#39Y7Ttp3|eEYj3%-{auGP|KW9hRmtJ#5RG0r=BUaw zz!`|c9K`vb2G!>U-#6exv&v86jbCDqvf-OPeWZ%LtyshpMc4~gWEO8Aq-hm*s~V`Z zoH{JUF*6LE`pNZcqb7TC8!4|eEbFD_?)0#lpUKxR6j6@F;^Zu=@f^rMy#QNaoPAA> z*;$XJowQ28DtzUk`#N$ssoJ$Z3}n!IH=YtAkp5|&tX3=+{h)fjDSsUsI5^yOO3ZD` z(WvO&+%0HT&0)uRM&ETaiyF`}(Q}fqC`6smVDp7eT10wW+{FrCrxlH7oz+JDTG?x0y<%_oorU9Hn{`=)`CPPi+= zxHdkf={fO8BxLjRDMB9gSEzX{50Lq<2BwpkFUhC^$$+$d@=52cs7QjL;WKcOA{;ny z0jd{9DnLu81FDByXY#AthxG4aDF+H7s5=p660?yMf8sDcLDv zR=PIFocDb0i)XcP?p(PhBiOofiN`MqyUr_ZBGpOII-#QmAJ$)4kkJ$F>A z*=~WXz`BW0Zvk+seAQ;Ou^*taRC_kRjAH&PYXdR*1O)|wAx*O+#$PcH#Sx$l$2LUC}_y_FJ{uVkKUEarkuoet{tSCT`=8XFoz?TzU!n6=+z@hfN2Nqc0?n0k?I%MuGnL!m`L4h|ie0@z6#}Tj)KExGNM{MIH zQ0U4)HeCKfqqJ*{%o3U@-dODN$@b^hy{1_4FcYELfQ{kkum+$_xdE)7km+`|k3QHA@(8?@7$x#*q%)j&2e+37F!!YtVkJV9QbtM3Jfu?yZ} zxEbow?srtn;bFrK2?-1oS7+L#fy}ym+(Eq0zp?z;-3j6~Q(y*rlZD!pe}>h9!m3HT zR211Rm{aV-W={Ay|F`5<6g7B(*7MSzGHL~a$JhPcS*a#uowcgiZl1(XwwtjGJoy^jU`8-=j9d_ 
z3Lep4gaOI@Pv1$)IU#VS@g6W;Pp3{kx+m;Sp?>b>iHjU+o|G`0V>Phpdex)t>=yDm zlV1Lg-gK@ar9`Z32WAd}YM&GZpo{z*4xXRlc}u< zmHAJICk@R4mwpc15;v8G2EUU#6+WQQDIjG-@4f>ND$@Z^I4w6=A&4EbS%2;dZU)6R?VTi~#Gnm{aUCMH1c zw3n8<0ASHkv3%$AYo1`)k?f}oZCxByyyN+Q*701@1RC4hFjm_NP7s9sOB zmxDuxXLh>?K9a$xtSqpvefH*@78>cN&3r|!N%@_hhfrKaoE)HBl_5$FF&)v0a7P{B zkw}3c>=N6E%VK;7M(i-gYRK}lZM;aEthxyMdDk_dSOaFK8z&L2hPiwIA`_5}SyxyW zPG~p*DIGp%(~{fdwObn@jScMW|{ee!N8t4J&>wl;m^QV^q~5o>$f z{q!=jvzLD5)pg@8ul%}a%`SqgKH(%8T>-UqA>888kEV+bR?jj@#Y^`>$M_T6y7|&# zRXi(?r%>jxk})3W#tSk7?2%57rJ8|)>f(%gLaXgNR)PRhq?6>qap_ojR@_VTuZA08 z2&V7`Mwu2zy39nanOg>oPg0j{`pHYf$^xyv^K+b}fvDpRr()jC&)96K(!U(fJ0@JO zIZ)oz|I$hF1mcP3==L1`kX_F)TrnY6@`vS+jwd?g=$*9Z_MDo~)FJtF^7-@!csSoe z!c_|gD_K*v)ZvW$F-9)^(qjZt^XbEY>&=bZd@{jzAt%OuiR_ap{iN4o{}*Wp3-oqB zA7jyq$R58%b20yLeEVdC~f&oDEwP|hi2znDSe z_krfwdP!XR;j6`<=(a0v!I_bgNTlSy3@4VgRR+e68%5s#l-)&33C00l#8nirdbg1~ zG!JrN`;)Lb&odWX(>E-bp7Gz33`Hp=5|h%7Lr{cJ`5br5SmiHvLeSTKjVT-BnKIz~ z=H`WgAtnGk?DghBEA(vzRP&BOD8^l}p?oSOH7FXhsyr#;hMdm-hip{Wbc%V*#xj6I z+C6^Ctzd&>5)VPO58z798h*i&S5S4%Cn`d8eA|T;J%&J8JQ8&V2s_jzghEYN2C;X( zoGmk9fEP`H`+MzR5NuJHzrslK2J7HWWp%s}gV(CPixe~tVd#s# z-(He6RLSm<2e+6T&!0Z;d}6bLES%;(d_}lvvId{&AlRlQzsf;5=Fu!rEl9Qt>VNW8 zsf|7Z?_DShG9(o6avhWxBOKqH11&}6Vb*Qu>nZwIlSW}YlxU3BL-Pf$3vgbpi97SO z>G*-PJpme*inGJUjr3kE6w_7VK}Q7J{1pH%AiM_Vt{%BP!-$ilau5jMwx7+Y@lQ9P z=?Nx}Si=MRvgjDz_N;^odEps!?j>JU)mVxfXn4xWQSNQNViyonRMqgsYxYikpAV(0 z%qq*Eb@pW;B2n}+3jp=0I@yKl&n>HEdCkNRUn+0s9}jZPzX!L(ryD_48jik2xPB?M zFC3T+2o-gSz3ZX7e9@0C>0)fW;8*pHJHyMK^M zXbl!MNpA8BtCAs)b(ceM?hG$mGnbU$fSKY8oXHAPc_EiUTlPRJe*<}<4=RS7zcc+i zn7?qsY16DjsXwndCCP^8a7Ao={?{x3!3FZxClVvaS-q_s)XxW3W8B~O+DEaapbh)q zp?sI!D>ICZvrijtW=kU>#(~INwmy31?3x|J?A7oe9ZsNdGIq}S%6H1QW>912J5s+n zPImfDz;qMI$%QfzGgTJqgz!|{lLace{*|rYjjbzG-rXwB)IIgkGr|(x`0ni2DT|e! zOE0On96?^4BvB7f$1+3TOFSugZMl5Fg^_KdtuUrgSFKmDBCX=9TBZcC(gnIC+p$0D zfRFPH9r^8_ZVP})Jf^kshG)B$jT$&7K7372PrnZ{$%PEnLtPzT{#3-ohMl)443q(60@ND`Wk=&3#s=6-bw4oP#l3d8R@|TdSeYw}S#?uV!r<5QFxt(RTToIAHYO;TQij8_*_k_&K~Phlp! 
zYU8v&QK%{e{DMJ*1Ma(;*b#~mD^E?2$+F*X% z=*syQa`Pe*ARmc&4?gfwpsiqKUd&WmZ9`BIBSxFyOMMz3AB_c>WHZvW=JV)!3pxsd>&<>Gd_dsvMJj4qW%6KUqS zW|eoI8`xNO0F^02l;{{t<1r_3zIBv@d3xM;HV%A!oe#sC%msE3hF0E6ZJqU%o`o@rQq41-LLn@rr2o8KWET zh^i7wkLpvRsx+i)O1j=wxqOn!cK*vL|H4fb9!bHLMrLK+XoloK#Q?NuCom&i#b;Ff z;<;c7NB1AR%%JXc{f!hqL!%p(33JILqUtNqjX`LDls@{}dD0mXmFBWp$ObI8Q2fZL)#pKO~Gk)8wT;=Fa5|lFLma zF%SW_E7Q-*;uyp}@I&wD&_%52Y)-|=XQ~|Y$B^a43u!@a?@{+Hm*e}7n}fze>!@Es z{nXHxy8G}&>{OM1I$`e?n+ts(el{c^JCtwz1hUqjD4;v=fY0kyk89$&jK(w8KY6)Q z3bG+zDDe3Aqy8Lp2O4iUICZp!a8vr^)Mc2+GFqsd)9>{dU^-Qqb~XR7>EtH>BogOp zFA@BT9M)n7R)_RtFR{_U^J!q|K9us%3l(rVU% zN_`+0XCl7ELBZP@i;MI||CDFiH z-eyk%71`Y zd}eb^4!X*b6t-jqi!RzbP|w7AeyrIlr_{Xgr~9yL$|!(A4Ay-?LckfYpHsiiq8WQW zg_7)c`tw17(ia`j9Km-RvX-k3yRflpd4uQ64W&hzg=eRjK@3lGG%bHmlfa||+Ui>s z%Kws3B_TUren!AzwZ%WcyYBf5L@1Y-@&zj3vVvWTKQDXr;GSc#)~$Rls;)=&wj(K1 z55O^H-#i_@i!+GXm$G>?oWJnHz-LKjOkM9LZ{ESEGg#_KEehXpw$wzNuGPe`B}No< z&HNdb0PESLeJZXp;OQIS;vxQY>vc)6jpt3CW3JKo0eP>Te}N%J!nVA#H@E1 zIn32Ngdugd9snQP49gLi`9t;m`APMu#Wcl(0K5unOtI}GMt=tMW;ui;$8nEuj*cKf zq8|gufdLeK4-Z4P>0zMWKb{0I`QeB=>87H0R$pT;T-TOxE8C#kj!!!<^26Ay-qk@( zp;VpDxH}EDea7Q!L{Ah2eR2Gh?B|nLnRS*}HPa3V!!IPpZE2{Pd?lz z&=OWGIG2?Dv<)-pw|p161HQg^Sc$K?_AQ6UuK7)|)fpCpT8_M@8{&r-8G$N?X4M2! 
zjLTGml~|U|1tv6p(juVO)dBux@%E7sYsDe-k}$jP5ne-jSbGe?ob-9NfFblyR`le3GFM8LVaR$rn6%~RQA0Pi&d%T?<-Sw4j zvHGjb{_9hkzCW{Lq{NYyyi_=3f&-(v6J4)!LmsI06k!+4Pp1q^!WVC+%RGc`6Q4bP1uGd4AiDd7JN zJp+=ZFmL{+_JQutUQaq*nRo#`9r?Ked)zMo7sr8ygpf`?+l}dYU!DSD)tLog;6=IF zbcNg+KvF6<8L{d$xx0J;c)jK+02r=#Ov|u**S1A}>(884% z@_wy-7QG{W-M5<)oh6oO7z8Qjy|_)whK113byMjVks|JAGXT!mD^_D42YZntlR~8G zfw8#%v6dBVpEDC-xemIP!(S{;d80a2SS$Qc3s>iUFbw}Jo*91+D{Mb+0^UU%!hS_N zAwfMj-j&~PUno@ic-lhY(@7{HBuVhYz%m$B3-(->f9RS06Ds#JZAyXu(%VnjyyvAh zK*e}Wsc;@xeQY24>`$debr)dSObaG$>oJ&UyUQ3TOkLsJ6*0%Q@{O)1q90{>78pv# z4z;LDu0J=Q03zB;`guH(-zuc=kH`e!+pCQ4RBu50xV0h*X1KT{x=Ge&P!XDh^VJC}K+vrOBcoip`3+YY}r(HyL@@C4;m$OiV0 z3l3$!9f;A>3sz2=YZHpO{qgQ-W{MaKxqU)`{BSHFnly(91@`=a7icUN0KegkKJxlP zrp6@*P!dMxGqEqzmH1g8=Gj+L{~up(0Tp%E_5Ca2C7{xI(WL?cA|TQ=gi46Clz^0g zNJ%rIC>@H_(4f-YFoXyUQbTtLIMmQE)G+X#!Rxx8`+5KC{jcR>$r8mM=lu5B=ezg* zd?!!kZ>N%ue>ksfq<0d6agfCn-3tM8YuY~_917y|SX)bz^>=K52J9-;@%SQEGfR^Y^F=6Qq(;vE`kckrwcy5^| zSHKsp68m`Uipm{>&LHlub0VRHp8%AFzV;Nf=pK8ljXCE^ai2WbfukJK7sy=5Eb{t%wC)^VX;V_FkppsRa) z{qMy!56nQ@Ow@<^Ciw2I^h{;`+B|5EWD_E^ps=xk`07o8ETQS9wcEY|LE?jF0Ip!N z)v30*A`0TmH;NoEU+*>eP2Gc?0(vm9%2K?!~X;9ph@*-VkXarGh*%=iH@zX{6!h%CZOimSC^IM>ekhC{G^a_*W+ zpv2zAkJbftpCF;(qVf*+4o@;Fc}2p87j4nShSdYSGnJKQY#&t?Xl(LM?|2Myd)qlG zztpYbS|$2u4}MTqmoh6CpD*3GPDi8xr9(7io_wbuK+c932&ZCoHnVw`w7D{Q)`G?4 z9YSmUya&2VRAFOLr5*|wUVO9VpyGT{$d3|}6~kvLZ~)&#mKyzPyS1Y?PqJ3O0AD~ zdX6)0#SFxoxrET090g0+DXYJq4S}V}s;AIfzeM_9;t0&kdu!&VKNRq0Ft$$+aNy+D z!3?srRKle++>24l$baKFS9B5KmL(1d)vsr2oH<#p{rqpVQuGZ%P*5E40__~rw|doL zh`%y&J-!MMGy(jhg+^j;njYj_J`}yr)oNcfbXqaSa--njUDdSG2U*7Aj4* zGRUPdXwF&9uCDN>*^@ys7Bp9TkD3g%!YDAMYy+^}Dr`Np;bmTm;%x@?w?y0AiIVy) z@av}s<}*2b%0Y{y3c~uZ-MH>|d-0^i1PveuqNNw7(sFp$+V^YT!%63TeA?k;cu`0# zG3DJKbW>^m2e;NDmShS;)4Yw=MCIqz4g+epAJv>?hxQGsy<`3;K#@2`TWU~=Fs|wJ zNuE1Zk9>hVAJv8^zM&Aw%4n6qU-9G!h`C>lTg5l9F*n`;^lU~AiIp$g9AgggeHX|6 zGy=&fQ#6xdnhxi~%IjaR*NJ2?WtVeBKPP0{a{XE*q}=R=p;A9Z3ywD>zxlOIX9-k> zySmg5lW-mHerbm=2L_aC z9vuHMdXRDos!THJw8ES(rw 
zDGyfs6*>qnCad>d`HtFRHDkO5TGQoi-v^eGQ&6e7mNR;N{S=ksag{qXgU`G`i&Mi_ zB}$@%Mvw~*UX^Ni^+NI{CHfJ|dKWpigL4NQ@7@y%fb;UeeCiTmF?nd+9Hd9fx&e zFZR-0q+ggQ$PCJqty0*{r8UpGsIy;fahEnA5=&J+xR2BQt-Vn%ie76fmGioycp~k( zU#@YHeIvz4Wty?-+dJP-j0|R%d*W_W!;RnN!H-nJSdYCCeo}smR3kYFE0U&mMxRx@e_ELAz4dpI^i}GB)Ambr>q%FN-XKXAr;KxNFmJL z2g0J=(hiV`B=5#KIbA)o8RD8`>nPm*!usgmW>EyS({jfA=e4iCcc6Lc5p+2zm zp3pZl!Uv*p{Kwy5g1RcQ`)iCWUIR}4MRgd{r4wU6v_ZpUiL0wW=r8zNuSh_l%Bkw= zgX*y6AyHPpE7!G6@SRVO!w4TfdSo;*zr}P84+D>=%Jzdu)$KF#RC!E|SQy_CPqnq}lP-;gU zd4jtCuf*tdaxDq=z82@TWF6tTW=L^4 zs6!hl1<})0t#Bw2G2#L{4LH9A-|5Kq+|W*WAhqQ0bA3eeqz?y>3&gT+2MfJ(amBZ; z@%><$*dW%qi(b8MVpY;r@xTdjURDSOGOKO7LfAj!+MX%<9U^IsTT z`SKOqJaQ_A-bD}6_GsyLcX^yC0{{%doPKe5HY6({)ZOp;6^7zKx<`{sgU zbugvldBBj#)HM3Q;5T?{M_gcJ-MHzR%aMuK@WWK>Lo6stTJ;0W(QQ$0zJg zJC_Cta3o4saRS~b;?mWk=;h)D2!|VYH{;^)jr$PR+|;;-pCL(3TUT3jA-!&2g*b>B zoz;GC@;`>IFYz^;T%9_2m#-H(c|St>ctaO|%b^o%^CY+5%_MUfC? z?B;}hpX^Az0Bjf$xJ)U?C=6+1!tMHCRx^kit8$u?xQ`3?&8H`im8bn1ey~ctv`0$e zU)HJi>s>#R__@*IChmO z<%S*z%8p@%yJ)ZIKYVsQNse;*z!d@=3i_bwnMlFPu5&`tuQ&-6{IEXmk$w;*KKD_y zU;oxBDpjxnPJ6S_Sk5RZdhmvu$mK)nW zh_}RuE2SWSF3GxpbOdJyXF3h=py@T-k8lqlaFiN{_h}<{gg@;DIdpv3&`pF zeX&0!?fytXlzs5zMA|-X^P+=$bdYU$k+?_YgRj1_6zL3B1AAAy*$Hpc_7^8w7}_9D zP{e|x!49D^{VF0HV;}XWDDT1f>Nt6o&@t<$0sQ3rbsGzJIP*LMmJ5p9uPn-=aV`|$ zlZ)J9l431ok6XLODaP6Nf4$k>dv2N4DR=ZtWfh>IH$0B|yb2Evty>o-DG0?=yK>cyY>v zq4n@j()Dm=qmeHAcT1EEdO;17R#N&CCA3<19+|Yo9*x)5&MTsF(ekb0)OFDedzeicYl`1I*AduaAU`oTCiNe5Jw6r@3|_2iIP zyXRIGd3N1m(`NcFK`uxCJD?MtZJUsUghUUta4%h=R}$WK82=AZM(%!qwuZP>*Uy`2 z#+0dDe18Ox^N#^KfK=v=uUj_RAX5c$ZDk#S;;YI+aH6iT(|wsgB&B)Laevdbe~^wN zr-g5(!e>^X_#OL`a?E9Oz3Avc8bdN%Z0r?i&`U zV-*&CR#e{qT=R}~#9B;x+px0FrIznOzW=_GN}NMs3~yU%BzX}LT>8zxIjTF0f37jO z{ibYy@CZbmNW=tWW0$dSpUCFE(-$EoP=hO7Qk+?X$*eQ^H_!N|@Ho ze9P{1nWj%2u|?0rUa#cYcZuQNb(BQ}i#QUru5)Otqpx3gx8zgV>j2^ogh+(l_V$s$ z@wc=Z3XY%YIwreWnI4%?Vg7i`R@U68p7msFZXWq5zDJSk%0=H1G?*9|0EndhY*k_L z#X!A(q(!;9^Ltb6$s1_B6yfbtGwyGU)W?edfm-|h&m>&8pt0CJNq 
zSI)aP7WXHe(Idi7E5%+52N3EnTmezQXuc+GuF$AD^_lai6z)c`^f*v^n6%;(){` zDj+E6#Ibap>d10-u_wtXn)PhBH%8;GyUU8$|J-@;D-7}<+u^+7*YJS>aS5gKRgESm z;OA<|;&bHrB-?NDYW{n5k;KnrvH&~xuR3(adUWxSgRAC?$<;PquBT3M5UL1YRp(5^ zqy5w7A93>(4HL(?ky4OoW>Mb?v6Gv#vT70^7Y>g$=3_gy?X!yI&t!&@#C^P5`+{#= zP17ARHLi!`O(WNs`%@Y45&tm_0ky5(dzQ)nNzu;r7%u#nBC+DnNI<_N8f*2vqpb9F zk80gS>@_?no?qH?!HR-IeyBV|f&J8HuU9LT-#fE#(+!FKP5$s@d~oJ79hD1XgvlxO zX@`m;nW``a1hZK(x%EU~%C8kMq$FfW+-1a*T-s-zl;NTMsQInHVU;BF6MpPbADHC zf)&R<^Sj&s9B=2JhH&@I+^kD7)2V5F`h5m8>B?=-2sS*>Je`Fyz;t~PqJN9W~~Ft!l}=r#oGv?ei&Gl9P>QI zWI~A`_Yu&ahf*Y;{^u%v{@v^pL6xB*@u9@0IYI{unfK2zI|^oVsd+Y%FbXE!6gX|+ zklk{yHxO)SZ!Nz2C0K05SFDZ|Fijei^dT3L@m}gEX?(Ge=@`_@lBwCAq)`eHa-3{* zy+!#&{TET`7yjIi#9Q`!;oTK4>@qy26Si3vhvJOqmAjD@51NWT9tEfl-Jl<7Ya!2_ z7@=KEpG_a~BPnv!0D8p=1WZP{!PJix2v$@swDbV%O)a6I=S|Sg1vt3BV?TdRW{EP; zCQKX0Ptw1!g*i@CjDPZPUH*ULK!;=kNH3?PC>I?0DjA5}vr&5Vy#^R(gdR+A8puf7 zSz85)JsJ$OLWx~H(=gejC-|E8g;vH-|EpOQF15LP9QjwMFgt+*k86KpdYDIDaD-%s zJ?Qx9%?X%2NQK#KjndK#xEJdN#e*8co(pr+dWT&Cy3*GFg)K{+{x%Drx?HOc&4V(D z`;bW+j+2szVg1F6J{5^0MMhdYea4NMeYZ(X$m*UYh^8g}|LuRBM6myLl{-jP+3bjF zGHF|yt*$QmC@M#ghFrE38sjE_usT9~bFw4s^`Bn$$hlNH6D80zf|m5O4ZMEuW9p0( z2hxb~9@@{$y{o}F%mCxx?Miebo?px?wKI7R7azv3dbaDfo^Y|1=mpwbosBq2W&LK3yLPr+ zIg<`$g*j_oaAlmh3>)SqsNjD;M`woC)%DFi2vd!0!!{0;D=hVgYT!5uj@K_zT+(CD zdaoJSH}Cg4!<**ARZ-^KT6e*;OGxm`IDehxh*~SS{tW{CQJE=R_YB2)f;>J(>T-kP zq%Lup^#2u1r|@N3MrOuOa!)AVEMM>EaqRz_eHAOqwNT9qMBpTHeUhR}n(q zPe0!cbo2L-y}d7T(hVE2#9z(Ub5ms>TADgI+`CT*lg9cBc0xoRRLnjLW;heFiE~f= zK9NlKe#H7xXWwE#wv958jc&bXRPb9nD%+M#_JQ0-CzA&p%E<6|@yU;J>XhlKgb^QV2ktBk5=wvm&c;e9{9NhAK$IhkAk`TXtj{H9Y`2YTx%=Rm^ z^}~R;Q_s$0mPf4*ATn-WS!{IpUB2d<8TtE!d|Q5)6n4+kzhBX0J;6+va72|_4k$3R zAMXkaxo=J&_)IBztaU8l=~%bba!L~&!Xaw~NSi#zVSdDrY3AVsA*}zHP^g%1ct~QK z@ru@M_7|8(TNf=nja)*0n#_B*T~{$uAk+!AIGj$HhZbAQR7V`Y2m&q>YY%TKH zAcznk65s!rhU%C!6!h^XxO$13WwO>~8YzennWv>b3|%Ksf%J-?SJykc9%8y)NbA2< znPd~Vm}TgJh`Y}Iooj5YwZz)bh+1tZV0nPrl%px8WLP_UV{Y^on1+tKBUto1v?k;z 
zpky@Gcy~3gct>dIp3g7gv2kCIN-e(~AV5SLgUP0HjT8wQ`8alhX}om4AZ+{CP4&w%JWC05G`*mIBsuc`bdI%3u6^cVQ4Ux)b|eD}s1#h?c@tK~C=mnYDEu13^*FJ94(; zkhy0jD;aw!H)Z>`B{zEyQkaN@>24>|h2{l!gdX$VlpL*gbf-O5S};a)4!u|3vP&dl zb0j8EZfbONobP$pF;qGFrd*vmKdMr0Q6r7aorRi#X5Pz)pxTO$b~03oNaTE((j|yM z^?_Mu{MT?}Fs&%;w_OrV_ypFh#L>4$H7W0QgfEuQ-$&gKbOp!GD&JyY4pJ@X z;R5!P`A0E3#Bvu9TiT`6UhAFNX0=zTzx|&PSuJ;+h~@7zY(Pv|Wt9WByAT zx2Jq}K}i$DR?x#CqAjloLXibm`c+XpM~=mD7gQpxwZAa%^Z#?R{_j4Ee|{gZOeEJK z@}kw&#wwV~iOI+CR!h<&+rX1q=_7j^>icdo2AO-q&wt-LL{aYc;Kk*TZyV4(y-m=H z=Pedl+g*QLb+rLs#`eGz(%q;u5LO*RB`ta_^xkR~5q=lToUZ$nrirsR2wq;g!VzCbx!?Q#u1D3-T!lc@TBp>gx524a zhE3S*P;9o@=Ec}`FkJ)!SqK*hWE^&7f11($r|m`#4AlL_VR4yK)sBGtk}1ftipeIq z3BFL$Yhb5~8=BOi9DB!uLm}+_?48CIif&U*TX%|WngS>+YalWC@pQ^Vx(wvu%8a#7 zD!&U!B5-@H;JDJCAk)fZxICoUO2Q%_&yk?U?2+_R871yptrVt1W2~U0TNEjcCDqA} zRY|ffFYCK+H#md)`kpV;&b>S8?$rXvpENz?n@SskG7h-&+ow2wwU~D0_`qt-b6&`> z1_hs4yZ+3!V_TneRpF;k3eGDaE02Cfh|P4=gAwR@IG$o)2F1BI>|s8qp4Z5ZsXXyu z?|f-#T*KF(fATWG()eKJTNtz)2!tyhB2h$$t@E*2Dp80KyHp)ojN{p7UwtmgVH3wo%H?a9-`k+hjmnFC;UjftG;T7SuSD_c!dkY@Sxg|KeTul2b#B(zCMu_I( z4CQaC|^dj zS;~*UhO;(xTPr1M9Jg_qCbDw}b-I4gtIo$@kxwP`nesbIJg~HFQ)gx9)k}Au~co(9Jd*t6C1I z29Lm)fak3o8GIMar?3lz?s(FDwf0W41jvwSY<-o0EBTcXOpFd%wKmsEX5NpK#iqy0+8q9d}j(ee*Vn84|??XRU{Ge z{$TF?>n|`S!2hOrv*Ez>G+EsBp;At5S(V??;djDUn@yMzBd^8dWk4CX1AI!-=Q}Lq zYEh!9Y|_LhU=Dbl4Xa@986=IvlNEMA>v76s$}ibnd!hd*oS#yg6Z#kYl)^eM21jg# za!0VZI~4{uvq`jdSr><13*Fhzb|)o{XFGXoOG0o{e}^ijc7jV{R&bvEL}5rXwmmYH z{MOzR_ZU?0Q3*G90keDC^5)|0QLI8>VuG1=f~|cTsaIA}O`B0wSsw$B2v;htkb9SP zA$(wGAX;@4xj9D%ZPGhg)wM}X(=AAI-j|N4c@ zx*wAd+(5#bA5%=Sk3)jDKfPgd>Hck}LGcTp@*05ye?mGi390J#P~Rnl-vslKHNutx z!&W3hb?9JR-@?Nb*w9bJ+wY`Wam?)G%H%$+M;IqB!z+~aB8!!M>l&r_YfAPnW~*YJ zIj;WXx}yENSq>rXuZP~V#R2JttrE}hnAlZ8gMGvGupTl99F5VR03FKX6rWOE5z^vN zugEoPI_*zC#^c6;tVM2%M{t|Ch279hg&*U6UDB7V295wZe`F_C-;_9nGpcDv#`E= zWQYeHRewB)m;wNurH7EkC(>z4KNT-zPJ)Ka3fDq1E4w}bI`RaqyQ*XavmsTA^J=J% z!6HTvPiaZ2Xej>a(!sa($UPGQlc-uDB9^737Iky7&MNU?UyD6g@hvJDx7@AwB!=l) 
z)%!`3{|ck$y_J`;S}hTkzz5lZ40WVeyq*sIQX<}=(Ev{)`f1&p`jUoSp+wB;n6SZn zOgzxBsFpN8A(Jiv+n?3$t(~pu=6zv%e$nye#jFH_q+Dbm#zpCqL{q_W#P6a=1W3$W4+8 zByI}TFRD}=5LxFN%^b((75$W$kT)rezOA3UO>if5LJJKln@m;_nYp8rjpL{9`|$aC zXvGTeDE3tfpFojIEZMeIbo!8>H&<&IXmbc$?ez{M9}vud-&j%^Cos1K0cz5z@6K=_ zKye08-;n!gO`^%74mJQ0#hbn|K$K4#$=Bap26hiEtw#4C(Ue?pZ9O)LiBKB89eiU-=6N4;XB6tz+tW}WvKhd*bf+K0+;ER>qSHUs zyG)^cPGR4s53$VzHVx(<^_70ri5mv0lbeOm*UKp(uI^BvFBSg_l~msRFGSw**!k<|h@76B}JwAXXVD1$K=&?BW5}BSJ#<7Y_;c^ri zp(~z0-Z^ps%k8TKmPTU;f&X?JTrPj}$~tX@N%a|o2y(bRsBb*V+>L(p&SC^1_VupJ z>v3Ioo8H@Tj2Vao{<2|}z@5yKMkx*^uYE7N*GRST<-?v8qhpCQuRMeR1?*%jzIfyC zNA>=C(vv8em7zG3`QPf7KIg){qipR@hI~X|e&wEOflqw~Wz7diPk$~setn5$_EbeQ zt{~oB2>8eztq22@-tmzFrO9fiv@PJop31aon6z#$34B36Jb8A8JAgjln5reKbm=WB zDjEmlakB7OzjZ~tJ>sRCJ%BNvSBvhjEy=g^r`CX6_vge z*7g@dE$j-bm$8SZkOHhw#$|cC$}N@E)ZI&^VYk)c6ZBAJ^I`doduJ*W%1bgUdtx3z zno!T-QOTEBXH50B5>8TIc3KE)H4Lr6#_Y-@ukQ5f%odAPhLq8!`MyB#nR)0HD;8h5 zIj9_^7%5fNzZjXIw0mZXUGMaJdflYmAo%g>V~l2z1EI6!$*>Q6U@Z}2TX6G^!(|s$ z;T~R(9UvPpo=SR>+OfFx$yaNn$@u*!ajXahKJ@d1U|7EiB@_b!9@BJzGZHLQfX`Yf zVi6=t9$w{sjyLgU#sL(;udHD|%dGd?jdwu$W2!1^G>-u@Z&Jd=f&!d@9xcQ-3w$v7 zW(|!sjpMsnkrFQk#TvIG>h+6^#hn+s6DQ~0%Pk#Py#qvyW?F_+V$BgmW9{@I3-J-pFQ2X&MYgfs;@2^a*Q+&_83cyevNkt9Y zlg!opwYlaru0E&B*EgruGm5=wBIG9Rps(~`b~|D2lT_~W-|D%LV|c3KWa*KD-sOU8Y@^RhwZKL6BN^hTe(q-k31 zjPqG=n%*R}uwr{dUdjaZ!krCKC-s9!`!mhD(J4ReAJJ}mkGfC(#vWK*L);HOEu?FW z{AD9~^t-VN__sbM4regz>HquR{fE8!#p&J5cupK(k`-%sh)8tYBXGRc7dh9h&!0HD zWq+ZmvF19vZb&l`ji<{vC$q`4@FN+M!4{mUzbc}@3oDWmTeg_~m*BjVkdM_8Y&O+q zr(%WKIg-ehw4GDojgY1F=(mX6>w|SRRt_S&&vltY-6P95+$6>@MR|zF1$K%{&OHdUqHu&N7NY`0rG^QHS2>DE2AGfAjhpsdpF$Ke{m#7l2QbYxk%BJCfp|!k&1efRKr5Yk4Wa%>pTa@sfL3GbM1Z~OeFJ; zc}5Biu{sBbM&;nkZP8QXP4U)Gr&P8IF3>6?zih+TLPYFe+znN^&s@V+g!DV6KINls zGD?lZN}FZj%}5G1tzMlr@5|GWknUmfl_v@J4wnjW-o0|L`xmFCTG%mX z^r`9O)-K|DlQ>-V=Ih)421^h%v-H!Me|z4BbBv z8gk!o^255GJg#)NB3T{rfus@Jj0~2hHgD10iCNs*R0L+w=~Hx)O30IAwI86CwBX&c2u&LDjO#1BCJF*$isXbe6e##;d!Q|Rq7o#CzXTpc! 
zWlggdn2l>>va}R>V<@#LCl%#70|uYUS^f6RS$dX4|6Jf{`tb+%V@{I2Xye^ z%HT4lDw1T9Yb6nQ9+v&-9GllB15TH8O*i)As8Wu=`vZIH4YiCu-3SF==SX})sPQ_u z>?wnO0|V7~Ri5ULHM3Kc*CQtynXCm>@z*#EgT+)c)rH!cz=J)($cut={E!Ro;PHy3@+Uh-msky z+*okBs1M_OW=EYEyBiIbVeB)WETbk_h9dbz2iEHymbV(55}p<Fu_{3W_w1&ZSwbY z-afDoPn2rxTJKq?>EA3YGaAP9N16)u*OVD#rdA5BDag89F<}` zP5ebxkyM&e&L#~$rk}M7ECs3!;$4!GFg605aazSQre*kALklAq9xouW8s+Z&{b1DYr8Z8FEQkSeR3JC_lMm2a5v=?m5grIi)rchfaL?Ymd!zK#T+8JAyWO7s%9Qgj+SC0N zq;F<=(5Ig|venhI%3=dTu0l0P*mgn-a78NI+8@@qqB6EWPrnPZX_UPx2uWn?;o*^FT7Zp}8|9o%~FJ4x6e7;KVDd3y$GGkNdOVTXLC zfZ3ODm!p@Rb*mL7G6X{b^IBk>ty%rR_%essL%F$7>|zfqZdqlwvs_uZ`CA@yL_35< zpT}S#(c0a&f|uIRNe%K!xQC-IXN`P49L)7+%iN8B=iBh(` z??3O}J@b^N&jEETf%>dH;`{3ot0#OaUiM^;Y>5t`ZlFIcYrz!Doc}gb_H;YSCcejF ze|jnv9&YHwX<#DdF+RhW%|HK7Y;6h$sC5Z@-uw55$w^c}V|0 zb=1@N%y3Zc*83i{9goy6E>J$GyQsY@M$rerV$K{-tKaWD^snR@a zI`i`)Yi08{!o0#oyw51Uce@F~W;-#MB98`prD5r>QyRs@|K&8_XA}TE8*g$)-Z65Y znreU+Tbje>#@>OA{Eq+5>k`d$-+$5&{MJ^Edh=>=dBvU|nApqJlSn06cb%+M&Te@A zKILXUn0c*@_)3Qx-B`k``gD9mj7&b4zDU5S$`&L7P{V`LF&bIl+UO!$=^|TwCY7<{ z%HR#lpdEvr;aC&JU9ArsU=h8zwQ?lOruFfFzr> zD_>C;lGFEd%iS>a<%c`|rP7^8%PO)H1KFQAZt2i~i`hXU(syx-C=BJ^W;KNF%Gqc#40~TF@tm5Lq21_lzQGLStCwH8kw~s^LyzrJSFZJ9g5nx1& zg<#rn^Im`FPk-;9KaM9TXwzjb_H5(3N23o(`H?Y`(1UFk|553g7GZzS3E7okB_b;* zsGVMls7lbPfSWap_V3Sx_bVUl=wb7!58l++V3rPaYuAPHt+Rw^aFmw0QW`Ge&eE-G ztvy9Sw{Bi0gv#pMH(dIc1+b4q#Kk+$hGUI}5BWAG9~!pduFQMo;}}StHJyffUHo7X zwceYunVO$)T7{-&JZ$wjo_?|DInn=06$qcw)SRR>_BmreB}uRx4u6WwKSk|CdYWuH z_p+wxJH=o?o<#rn;>DheC>{F${KbHNKDK0WZ>(t-*vWkw1ZM|kP1D;cT}^$=-6v^h zn^1fDUMY0)u7oub*YG;8v5uVWPB4K2>|JoaEx0tRvGo*T`T~im>R>5b0Hi1RZCs{` zimlI-z-~X6rMyjd_|9cR(py0~9B#C8!8@lyKBj~hEe&VlTC{gLsI^Va{8OxlLi;=h z-#i^^@^uKjm%pkzBl!No{>h3abfQ84wUB3;eJr46p2c#pcC5OSUEyBC^#-|_4j-WY0f)1VA69~GGAwnj2ARB6~6Rx4LV|IQ~2_=u|w1a z%kYo$nqJ@9Z4tn`X@qlVYS}x=er@29;JR}})syUb84A;|Usld0{-&ZuEp<|+8Zt+} zdwtbRXI@V_ie|JYR0=uq2|&SpZg`Du^2vpYMep$OD|CXUa6ZDP#l7SC2LAr0aHO(X ztDlGyxYFyH@acXZNO)fn`|9OqMn9kJHafBESK1qoC=Pb=8Y6tn8yY(iwDCtQkFO2U 
zR@0?rGq5gIyD-x*hau?FJlx$QqQ;+uq4QD^M~yqN#d~ALGZ=C!ors?XtfQK`Z=~8E zHejup^f8BvVokLrH061gKIKI-_lxwE_iTm=^HNZj$GfMTmj%djjx9oJtS#0M7z5`< zb|JpBQTzW6Uy;o_G*NEGJ`2^7GMKMtBisE=xMF5~+%Ae4B;dsk&$?5+e)IX-d2mO@ z5)xgjdGluRO$=}JpQ9h-0L{x(6*Q!(0sb2g9dox7Wxb>bzzNQ>0bbhOm!ESYng+4tt$SI(qG{(gEDbxg#H;vRYec{4c$i!0(X$G%-qD9+*#^aVOU|bW zH03q?tA8&Y9U-CqkM0}059@k>>{m!scwTq7!9aQ2E3hn+EEJtN8yZkDUp2igMes;B zAp6x>H56NIRIccy2C2^@c#OIyb@V$%JFBNKJcP+OG}2;V)=cI*KD}~BX zx4(f5^tkM;30B{PvwyZ04va4?_35|l&9G0S$lX|2=O|^Jr(=irY z)x7#Lo7L@_wDb4XS<5Cd<^g%@BNSk_?-l;K=`h>qr%-+j8ckoKTi#!F3L|S5n;d<8 z{*r-IBDRZlW!ZRFXYdC{ve$QRGjzgTcke;Jb@1wRP<62Pm;ngi&CRLW^0}su2%jm> zVxKYdplQmCoR8TVO5lxC3E5WX{?V9spj+eJ(+LTuWP{#=GDSbu6DIF0KUdpq~TQsM!}k2Z((xQ zaE-Y*FZ&1~t&(kJZHKV>^>*FUH=NY59a&FO{jZ z8<(8fjuhRNVktcX#_v^M7~tN4YS4NW^ck+#qj8XPORLBy5IeAD*L1tS{hCFtz=4?L zBrp~CfkV{}P%QG9)~IWXczvxQ$d541LJGC}K`}f8^rJ>J;kmN!KXF{Z&_TE9_$+Q9 z;7(p3J^r#26;blU`Hb3PQaB=I<5VCrV_s$(-e0xT*oKS2?eFa4zy$T9S~$`DuR?}Y zLtzV@3!IFx2+P34u!Sn$-g$JHyhHvH!}qrAH2*qm9e!vaX|qk9tvc?W zIs>ZP5wE|znwXmJe(fx+3_`*uDClt+$x2%=eX<|6t9x0o%O70&GR>wIIDGZp9-bj} zg|Aw}FCzz}rdaE&J5r*B#)F00qB zTd;mPGmI92J^}2*W4!IIJqKZ8b=zHqulVbD&+OjI2FwUc`9Ufm*iGYfrK(oF8iZg9 zFCUTMwiQm9wTd(e*>?{MSM!N}(jc_xzm&}3Q0RO9f~~lETOHlm#?!_;UcL<;o@buW zMvY9UnGXJ-hSJr{o zT$wXjpOoyJo@ary(59~v>RqFH8O1y1^>GnZ>l3;24|JiafYD(eI_ei52C6VS8?r|+ zvf`y|Ok&`OT12qmY*yH|OIu?2RU> zD3?2aJPO~FW!8obYuztTj9x$gVzU6V+1ZmMN;2`)n#i-Ix0-Gc)j?2k=;!N8infN2 zsr^{%jERTsdL{7Uv@PkQa zIKYsKj(JDc z0Zl!^=aI*9wbZWlng?*c*d+09YsjOw;EU7tm2q9{W|1EjVLU3r8h$Rf?ay>?^HByb zuN4B9H5DHb9=a5@)WDFn>4o&si@gME`{mz%FKx-u$;T)vQ7X&C$$K!#`?EXnWJK}= zt+|Mot|2$`EyRzG&b3ICGeZ+u*J3F&e9m_Y4|9h3m=qMhuqh~ZHQ79V5&-HsB?$L~ z#^CfDhfFAlbXU{aylH=$JzuBe-Yqkq(#(W z#bG-~3+~+|Oy75RqQI}&?= z;J3hFs$R6gxnAtDh|fuYTeC(18^JrS=u;y2*!lg=^FC?wE6LcLP1+3BKjfg#^lg|)wooS{1oPa0ps6RAc ze;~wYEc9w*`Eb69Iy$#Nf4JMHZDBsSZFF0zhpXD&x_+l>Z*$SUYp!ueCc-rPm3ma- z-hhJ%6@Xd|zzjEC7=)7a{Zr%H632Jy=4#Z|m(8`18F_v})_EgK?wEFnBr|9Febwd}SwXoNz3)z8%A)is8G 
zpG~-2!Nd`6e_tU0Whi8++-gC;9VxjH%=X&jRnh$}s|rEu&3wAQd)A}U9lHaQdWHF| zN5Y>i0KcFYEz@4J^8m9KWo&lM_JfL01>-v31}oAGlczu2uoQdH0OFX(<)^z<-j*V7 zJ@LM^PCv0U@%{SvCnxa47!Mej>F-70@{a{amJo8MjiGl33qB{gjJH`yAirgLIU7l7 zn$N(h+Pe$RPLO9)oE3&L0!;!Ro`#k8wC~@t-=1%aZ93yvGZfrQ?PAHX8m=6*O>Ww7 zFE%pTKwe?-Oh=6IjtE*$3pDm3(U?awEM0lzjxa-yejwHR$-#O&wT;o+lAN8qL9fD4 z|CSujcWZ#&3m zlHtD-Z{G`5VZZyXiuqO(Q6Tm!az~$D7!wEX>8SJi9H!Tfw#WPK2o=2-0mZ;W;itW4 z0IMl<)4F70nm_!Pb}cF9tzW4b^oL*Dxa6)E=h)z_sTiPw&38L^nRpqB4w`0-pLQb1 z_R;iLP;4ec#Y|&%I#GGA9J6piKdM}!1y_?#P3jQ^A+`J~oA-=%cHsqo4|*9ni`(=j z({+}Ar+w$!=7&9&0{O%cy(L`bPDwFpL{fkt0_Ese)A%|TG{4xmeIwUb|CkHk7{BI( z*CN}lLl1+XV~GUT!n>7B3*r;3=EW|P+QD~at_?3xuvdfJ^`&XIw_&4<_nNVd(r`iS z+3Dt)%*`v9PE6z*GcVfj5=tJ$8c@p>itv{r%IH|#VSPKbeR|~4VV>Yc)dhD|XwcBr zjjw{0g+39=IBheHj&;u!%;C%wddFc%$lks**)x@(FgBxq$NwF!E>G5Mzbqb;CmSv`3p999T!jw4mK$sIAZggY60GJA#sruWNl&;Lguk*g;bxoX$$GmU@Q-0O#p{6M@VCscEwuf6pis5TC+svL5$kp=7X~`i*5J zQb}h0!Y$9i5q+xlHv{teynqZ1@vF~M#Q?L&vEkyGu!}QIJ*Q?Z>64% z2NXGxX`m77^(p?giw&wPx-|aMisIiN_rHhJfCCI2HrGwg@JaSb`hP9rv)?3N$O@d! zujp7zG1Tvg&=&^Q=TJZj_1E|P<@dYFwCg`7obp>aQac%t{E7R1I1dB z*0Y#w@}n{l^gyOJ|Jv#*EJY!?d@v{-%S@f)L5e0OAM+!i7|A2CX< zW4Yfc@?-JsPPnV0;com}#n>~wgvO2%{ftb#)f5?~(${k>@A;8$M_$mc(g0Dfj=Ce+ zsNe@^%&4^CyVyhIV(Qkf6t-L1uSxOyc+Ez(UZfa}EaP>cVXwv)0qmdhSNE%B7smC! z#I}XIqDp6Py-Iv*CN1*_XbIQ~>Nvh2;ve%Wvd8^Xd4>y-6012Z3&NLEUi3DAs@lk! 
zwqSB1K~xg$ZG#f$oT39FK4l}Lb@UHXNe4^kSkNb2-( zVU)&3*>|sBB|FweB*H$|_qwuY18*_|_8Z#Mulw`grdrj1QggIE<^&j4ZKy5Wdi!NM z3cL;$|A)Qzj%qUN+J_ZU5euR;rK!w_bdlZyHn4z52dRP->40#@4w$#Gi%+3+K9ktT zgF6$%l#iWrG&ZUA`k z5d@M(g5Pbh>UWyaH7?$sb|H(r*u#HA&fp2THFAv*F=B9&@>&|?+%8Fzlu)BIJEW8@ zE`DlR6{h8l_)=0AKQKR1Z=@Z^Ix?$4Lo?U_;>`w^slBo`JWnkXQtoAgH6m#rJB% z+3f?`V)6`D!8i4}a?@&HBa>nu-gV(Xj$E8>AB%vJdZVn!GqjtyT=262ue~gtnUh>5 zrBETUQEWkV_}cmsQvayCM|-MXzHouujx^B>R_6gPDRi1vZvF3s&$pYLV_6|*0R302 ziwmL4H1mu;74>}-hLNX#oluy0HKWvII6zz)IL}m6HadEcr)ZcRtX0)rwA-Zw>e4lC zcn|s+e_RfLr;<27WLCrdQ2_t@nZ=4PsCcMinowq5(0#AJKp9J8*{95;Zzu14f^AB3 zUFtZ-u zfSrwe{e=Kx9xH}--}{EQ?#I)GV(O4rcIoijrmNo<9e6uvuJnIGio;u1*~Y8L6)8=F z8ekoq;BMcPpeyvBaCcjMxg^Syn8(Wj8bJ23Oi$_;smZ6Z=~@6l>~Z(;z`j62cHj=L zL5^AFvFyb8yQhn4Qy-oJ4h-g;WA70rx644`?NQki35hx5m%VjoKs3B-1YhpLEI4BNw) z>KxLFB(Rx6pFiY3n%c7f8$2wnv?RMSvgSK{?!$u-*M8T@^bjN78Y9XYJcGpDn%c++ z?)s4tG(XJH@$;%UUu#3S|M9?JQ5(SXjH+i+4nU8bFi2a$ZLA@sl^x1!3%p#v?$FLI zqqs_^PahYSnTfEYjUBNN_Blj#Ce$7<*iYZ%4w|IljJ{Q2`WEiCXxCt?#f@veNTsV! 
zJAeU6PDMi=_*h^2VjCO43nq4#yOD!MCC$PPo`5Z9PS9VU52L5`e8ZyTp{9RXls97z zvCx07o=3pO-d)zGr3Serb39kiXIf1GV#oO^n0{*k2*(kr>r z+94*{<)!ZFa>Z&UY{aFTY}Ya0Z;d}50FLiOyx2LC64wuZ_#V;#53(sTq{H{CY*C=L z3A-h5rPQ1mX|W_@yLCbrBSjXhCSYA{X)$svZO_ruyDyZOmT|?hU4Smb&tBCI)T2ef z(Q=3@V{&pqMNul>#IcFS1S4?ax!TBDWB+R7$?-COm2iBKQ~9JWGLG!3XY(0J4PG|p zRwI+9*}!KensSHF1U)5OHXA9&!Er-^5(dE~P|D47<=vm zJJS$5QDeMi-1W((|iGgz1qpvc@MQrK)$Sg z)VyKkZG@4=2sS(5*`4yqNr3E_`Y?p29Y*xj4r4#Y3$+o^oi!7~(?DBU0<3^((qO2Nx z0@BY*>yvskl-4ys2*StCQW6!s8I^0*Oo@0ZP(b@A+oj)8N8RUEYWFb*h*B3@yH??x zSqiEuI`zJ+UproV$)HHmTA$LTBfQ$-7E`L7WqX2-dOJ*Q@(ZqjWjKX%mU(Fgu@2Qe zbn^~NZED3h@DE${v<|Uvuw1>}uA5j~R@9LsAECUkn=(6nS?_nU2^*Js?Hdh9--%xB zdl8}E4drhSUXC=$#M(l~w0QBKRG#f}2Ji;(* z83hvn1v1uq1yHcY0t_gZq55YE@3)7m%V>JSrC;#`$;f(pS1gs|+P#I=ho#qz^eAsn zMVN+b=iK=`MREAhrQY>L#f|%F-tYWIE}yyA7%BAf)F%NrY0-+~iV%-UDc4?vE90wx zW`I%xw{I7W%#lCp7T5ICo2X51gLYS;$VxP@hGOnMF661s(sxuOq#8Q5g8Ie^*Ct0n zEi5Ua+YQMoO#M*{c*lOhm)#xr{?L>MEd_(e5^n;B)J$FLLv zKK&MySP;_>;zk9=zGV$7vbt|J7ADoh@G}wovaIg2@1?5P%2AA-psHd6uO3FpgIEH* zry*P#H{6y=`{7d{{?aYPAB33ES5l{R&O}V4c6L|?OKMx$9T;&Ob?XISVQE-nK?(Mt zNKf;ylYt#!hylxy>?YG9OcEx0G`Dgaz`C_hmFZNNKE4{AYN^8FmR+8?RE$^;aFul_ zmNpWeMhFuKPTIxHz}qotra+7Yb^#-{Ry6S0y^&ApW>|#hs`s zzm<dV1DV1^|@>{cqzz$_w%YRvp?jHMY}{?2%M~6V}75x{CVZ$xe12)A^efdRF=WR z0-mAujVp=5c(DN{qfwyWQLIEZn=f8o{c8UzY!f>~i*BDxWuOYIF$#!4F8d=H7TsjB zGuGg-H63i5=3;d=3o5F25|J^9STSkKREigG80u5DmTT|ycO7vhjKb*GB4)7HrGXoj zNl#MoRePGW%51iYB~366w~(ySj+-%A@)pHGg;vl#N9&MB4dW=>lP+ggHQA-@{l4no z9t@l)0(zO*9d7)+e1LE6xnTg1@?4A|1t6hg-+0x4kia{k?tWo_3GkI6|Lv67m$U-v zH=@9pSz%%_SNCWqBx{rFovKvMm&)`f)yl^c9Xvy+U)`-{i({LhbC|lmgReWx#B9~r zrimUK*hRiqAo>{gNf!;!s`&cQ4KPBW9C;grdp8yfSik5k_c4^4OZEng)>) zkDa$Lxy8-mhK+IR@a_h|UcS|HJ}hXOrMrug^7oo^T0HOt)!9n2353w#Kv0bN#r2s~ zahrf*ij!f%9LOMkI)TX$beO)J3v~&1CMt6?T)*t&l*evkQxM=-E1Kp6uNG|_{B%zX zz^5-QaVJ;f@5+|vSEGq84T}+R^kKI<&D_7js{|YSN~Dn11@e0wRt6evJnU7LWJhWl z6sA)wO^HSBz3PpwQ7ed8o8mNgeLsGszK*6$wxX3K&yA&}rP1U5ZjSBvcFc+irKnAS 
zn@fmd?n;kUVXwNqm0F0B4m~{jLLgOscU-acquw}refPN>XHTUxiv+CFhTwwfQUJ1g z4MDP5UnL&wm!Jt=ivDqrHy^>;nj06sQJ=A(bUNVJ~Kb{DDdS>aJR_iTTwe)J0bPuah86ptS6lX-F2sOo!4DRaiwXmwO ze+G2?nH~-@@*jk{86D(br<54+OdMTt2ZwZEwzgJbvdt^>ldheWFtwSMt)VVd^FNxCPSl87CTm7;Ot3F;18W(X5B+{Qs}X-TM0onoOEaG-CJMl z_C4mjwWwx$z4)hZ?sM3(vI0!JKqQk?($eE$#eVh`S>~;CxW>SyC46;YK{r5<{c!+* z*n@Ot^z|X9cdM&K?b6G=TqsBbibs+u0(`(pl;lFg8`lwekjA-?RduK|zt0i)Wf<1U zKrD5m4OHt64t}Ox(kGIbRkL61d{S@A7eRmAvZTaNLxeyfUWB2`oDm=l;~L!o7_Bzx z8EF~h<5^0q&Q^&WGO_)A>3p=nMEC`5?e5pC_sR_|y)U*|B$MKm^haE)!^bjJZ0hTb z&iP*O9g6&nWqLCA93ycP?Utdvh=xi+y$hMVlbo3;Yn0Mepo8wrL=H>u{&ENj*2}`= zbg+SrO;v2;MD)s?6E$Ym8#jCRN99{(70_q;i^_RsOrDtp{9Ms(`nftuUPUP5LNA0i zug!^2mombL(+o&9h1~_<(WAceYwu<9w2pzR^UQur{r2SrijlSQ(_1q>7FStBgxNGp zpO;&bGXN@&%k??uosDlEW4H9o-V-O{iy50^?zK@;m<4rbpl$y+W(`F4QJBq~c24?T z#-I(j(k`R)3M{)m<9E~qG8W>)je>~M_yTRk?~9~);^7^TQ`_`(q&%a7G@+k&#GHo} z`_0{X_8vL8pxh08^L>9T=~+qeZ(lj-z_weVyCQr0J4KZlQ+2nx+ zt5_4cfk&>RcOo(K7*k&s*D=?@h8#ci_b>hVAR8+~(w>|G$C;gD-OknEwvwnDqJ!R1 zZ$ii-Uk?E2@a7m8481_nMV)Mrue|i}E~I;}$Aj(~J#SFih|GhnNwhY&DqP#36S^pq8yf^+;h$}sZSJqF_T$yOo*relHlt~l?;jH{ZqJ#L+Zy&XSulu-zLgzp z*n}=A$uZ~O&6Bt*{l~&?$=&8yo^xk`3Wpc(iRN}Tz1p{YGg85Rt#jxaYAcXJ{`k^> z6uxO5z@4YGZKAg3V0%lE`{ZLKT`nfT!NN{7t+$PdemB1plm-C$BGVoBs?XjEssbCP z3)sWCWE1>_|AcgJoiv9T6v*zLN}P!hNbQa`X>~6=CYX9B?T@@g5TAJ?LrM(TjrRip zn3Y$qn6zzv}BmtXUEuBKG7{g=ymnwNd^?EyC8TILqhq__n(7*Ma0^S88sI_STdqnE&y!$}2}1kXBV! 
zEM5=}*Z^enV6Uh7_bU>>>iNhIg|{tx*5T%mQ{~NhT;H0F&#t8E5bW!lD%ToLu=+cR zon||0GStyTNC}MmcC3@j7F2dV<%3D(XeT>VDS$J-2p>-R9+3ol%G4_%$wn75Ht>#7 zLfm8CGC|7n`?+Oyd4PRf7u`+Ih;wPnqj%SQ$NxP2+wgxF?^zx4MCpxA+Z2TBR_l*T zE1Nz?MY$U<+Sd!fr zC7aWmC}|HQEKe5*U@h<7&Kw=tOi%b#FQ%-$_>G(_nFVfZSMde*^*Y@5__kP;R}M1> zjQfNbEp>JX9qE2^kWCIu#n;7mp+^`#c7*^f_m7<=B{JNw$#B(ps!^c;0DazAcIU z>yk0>lJyFRDd29EED-PdQiX}9vTwB}x-THEBR{WdDxxZ-URFVOx1gMYhQ*m}zdva^ z@XAUzGcMnl7#wTC^d$f;q0%|v7c$oX1;qd8Q#|=lxn>zVWAgl~&2;o{W8c;adG}?5 zser(Grx_*@kJ_5g{@w3xK$%yYUtypoQxTSWVS;kEyp(sDO*Xo+lNx>M;Hhn=s?1R@ zs+rQk=UT%~6uSlOaw5LH`)o7W91C}!|H1pkb>D^ghXZ>0)LD~Jl3a~^|8jFv5Hsd4 zug)NosGaE%x2{RtTRV+k{W93S2hTzTmM9xCIR8&T_ztfZm1+AV3f6nyqk2!j)p|Jh zVyg#F$maS|SEMvu`GlV&DG6>L^tMZ+bDE6*< z?(B*w3>UKxcN{o_AS^4jsVi*X{gu34yOJy?Nnh*ZN+*v7H;S(pTNx!ybq{<~qd~m# z!Tw943orTfoixh!GR}UW{gnm)y|nwL!4%7Q|3}k}(LQFrAkVi(^>1CqO=p6phfRXI z_)RV_s%wO7^}STrprMFam)XeaeqcmVey-8PLU7tLpM_`4w7;+DWa zKVv%;U^Qt(mxLtY(_VTD${A8w9R1_(z{YnOl^<+y96R{k@Y}u_HWP)$4w=tn+quX! zAjI0(onTuHgBJGaR<5j`XLlsq_F1>qiHBqwECqy6G^#tNEM_vrdaEacXAa}Chsr~3 zM{TF19KPE@KZwV6VKqB#u&2@F0!R}1E_-K(cAF@4X5)|Y=`S^V#!9SbXG#gJJ&VhX zE9!q@1FD*T`|6&n2J=NR(3#>Bvf(mQQ%f$ecb``F_SXMw^n2@@4^|*()J4}De`MR2 z^B&2NQ>-H&dD!FZwQFJb;n=q>OE%G>Zq=c40^)^%F*zCRVqO>OW|)#;dY!o3gE?-S)a~i?E9ags+<4Y~M--o%=7v4=7?C z(x=9rY@(L_x?tZI{?`wSGz=K~5TT!6^{+k&1STTmc;|mmjQ={Lzid4D@Zsh(nQXs5 zW%bux{*U8pz9J)&`#k8sDX{;!J6@FFhNPrP{riRZ$yV+JThHf<30%?D1VPwWq%cUFC^=J*t^Kz>LhuC~S27N22)G888?l|6;m| z?vT)qj34iw!wcW~-nX-&WT04OsR00x%7Kgn`}1=L?!wUkddJFoaSd)t=w*DcGULKT}b}RsJvy|9gf%@uq zd~Tht&FA;_Mw+zs-0U0u4qB@mqbUMdzP_I1ky=*IRjT7wg@OM?N)Wq2{4K7KrZD_` zZt|emkJ~RkkUY{yAOS($6R;yGLJ*TYtm^Y$TKv9)WPN~jmON$>_@l}AI7)_Vu%YMl z$wuzm+khMYrQOFjfYvyc7PIYQ`=htbFJx>!L=?;X%jRT3b7s*oKMe;orw^Jl_;=0i z(Fe`V2F7^(I1135=Z6R)`GrWW4_gY#e?E$!Q60ztb2mWZ{3EMN1+@ri;nn5RIp|BlZ__VwyQ}0S;D;f_D_M6@dJqOJ1tMN zr|LUFv4)rTc4)knuY7psstm{q3fj8b7O$V^d-6`iY-y^ec;Vu>>3dKz%)}Z1_K~1w zD&fw_MvoTp@Xg`ml|wrR_}Mi3({5)6KQj^d9rKS@O$J9kB(M%e3s^1t%7~SV?$^Xg 
zW3P5OE7p;(3g+x2i!5Kr6Ztl?@%?1uft~E9!nJtM^rgMCX%~G{*7prVXmE$(fV!x_ zB*niI>9b^j7hQW%`D|`t^RqU=;UzA49HvZL$Id-#C9*ZV`J zCddBWVL{@{0={VY@mKc{4@`D3M{UXHqu;Vj%kQZ;+g~WR>iDMcR;d^ye~8eM`*$+y zu|L4(=7(6a$b$E6mkX#i}obfM@q*&-k>f+q8^R`5cp_;6eD>~w{&%Zm7 zn4lBMPL1=2y>ixXx1*D&KA&n8+le#8(;-`2 z0P$jHgRY(2T8wX-7V4<4fIa%(b+p+NtjRhf=Z|+7SmCPQqa#YM{5u(32N5a)3f1!0 zC3#SJh8_X}?SnY=ngeb_$0t3njwU#=WI|b-!@+|1j3A zWt{#Em~1!7U;l+r5X?tq))7rWFIz^V6a6La%QQ_>gTu7K6@l)~t}Zb?R*QeGfKc4O zPhoZ( zPzJX+&gTE#{M&({4(M7c02Fw7d^$z51r#ts@$5<1Szp1_?ju%ALldIRKWzNJSyj+^ zGdHg}EB%YKKkZ-O-+jfQQbNb4xB3#?MUH)-V9TFy@Ka@7HSHN`x4Z@Yts?$FfO{V* zEl?G1zV^dL{AuRD_vP#ZXzM;nIrGCW3>GP;0O%}LWpdcGQ(9J8`!U?q>_^S-dn-Ra zG+;Nx zD*y!!lV_yr|BvV3uX|{7q-Ofy_#sR)3jKKO{?O|k*eK_{B43M~NLG}Yo5Wwo#p=!0DzH&Au@kUIE zM`k%;V#=mC=%3#mY``)Nx))-eFFd$7$vDNcF+c#{4&);~9m43$^5REOr4 z`uN|+`SbX|C(Sp(7C#vr_|M<_3mE{I1+qvfg|r`agkQe#CyChVxgZTVCq5ameH$_` z*&s-RbGdSDAR}7s*XV%%_J+#leS)L_&pW#S*d&85ddskH=E(xA^jwolAhT!g^RL7G zf7{P3NqT(4VE*f8uE`i4$aKKp|Be|r@S<`bd-SZda*L-1ug90SSGktDEi&JY;Ptk7 znEz|@TSL3ZcNQco$U$OPHq@XYD{SCiz2{FS;vTI5z|ObP90Rc3R^p8*poF%Y9Hpsa z4eCUk`rQAptRO^50I+P|FW5B=8(@PG0Nf|@s&C(`4-q1lskZ}QIuDZZm7gpf2d*TT zqeyfg$3M2j{*)mvI`a9q@({7rx}4oob~SzM|1wA0hA9Y;36|D(phVlPh5GjoGJ)Xq zI_OLPe`#Zf*C^N(je%4Dw;h^H4gA-Gvk(8AvcEqP{`Nb~I$)Ow%s=PNsFWQLls{F@Q{r{MymgC0=uIh=azYFny}YUuU<%y0*w8mJn9 zc56fiRIe)*WQo3yiQHEaMUyX7wY}@o=(BM zC`@Zi*Vv*XES`Ue*#Bk0vlzkv(l$46Zu$AVULRdfbxrC9K&3bT^PzoWx1hcr&JsBC ziQW%Pq?iFz^bZMm#BOU|{-)5n*L+W-t0?3giB}*8sdfC>3Wzty6J#o#8F$B|{p3OX zyY1LqKsGM0Zhu^Lrfu$^aQCGjR=n)DSum%HB#;2=x(q7mi8&Cay0rUnCq%CB* znr%E5qUHbt`w|v1n%p3Qxz-Q2o1(?E3E%@B2x<9Jj@h9tvBg~A@N@-4$O=h~ual$W z4Zk@8Na?ZZf>2>%hmE-&RoWhT;@0^1AY)BqIKR;f1WL0KZP(S^8vB2iQiflJ#>L6d zpj6KkNGNk#QMX!e_Ju7bKhRQ)pt-5D2xuN})M*3ETF!J%J+IptB+KV|f8LU@EDBRu zMmE8)?((sNHqIBZSAe&aVxo$5eRi-K24!c|Ks;deev?Bk-fDo@el_94>mr`=*rNO6 zUm{FF2Jys@E6QT`DR<&KKKOY2P&Zq!SSBL27V*uZfQ^2da zP|V${@z+jxNGHX)P)V=OHZ(?w;7CjLP~-;#h$%(N*YTP9F&VxNdzox2_p8-vZ-E^D z%bDQy`bZ~!XVPo&*9+eT7(B%5lAnq`b~^__T7{@_Td&Copr+Kg6I!_S%X^WU))Ige 
zBSH$Dp)0|U{@sL7kCG#u%P&10z%UJm$apJA?U{OU7+Ca*6DTDzT#v2-Yjv;HJXCG4 zVd&81mqVoa1` zeF33(m2J%TZ1z&x>aU5B7N-vA#gIFWsy-Ihp1%hpH}Vp579T2vdLGq1Nwr$`6-% zo$E`72Id`^UbEUeW!iMr>oU8&ckH_t_L2O^l`CW~xt{Kug(06y&4BJ=dd|HhM(01y z%>=x(*e0HHYU0W$^rBSI14-y|baB2M ztAtc9aXrTyefz%dRu1V50vEaaVS0V!_J!G62W3<|EA*Rq%s!pNB6X{4J>avJr9(~s4ic>9mGN_n4}O@U<4rP z5Z8IvjHhA=NS`+W88X$nYDf2$zjQcMWZsUL>zV+Zc#>hehjWb6%dnV{W-!z4DfM{ikOPUq>f_3(mcegHU)f8wRffo?@*6iW~Qg7OLJgU1h>94KD|Ja zRCsJ4N!bG4cdFpnm0&~Gc^JIdbYXfFl~iaoiW%bz7Dd;xxTQ^lDpkE5`l$Z(3GHQL zqn0=;li?Rj0mkLbVQJ;gNJ6)T#QXw3bKGZ$sEd_%{kb=k35^MdRiWL-F0zV~=4x4S z)O3pHQ9&TUQz*f$XDJZH`o#WIxAkJIG(jdnF=2SgWX*QU-lnM)wrzTTb*TJd3Au7L zuld)OTUB~&|2l&;8KBK{3$`^`+*oW?)L#OHN?pxW2kV;HKSV;bL`ihJPGzq{2`;QQ zomsCX&O}Tf#cj;`31OkiznDs%ynb1MmOL#vCl>Ul15k)CsAH`52$2~Y21$eaA84t!*sL|mFPL=uiqd~J5bV5tqI>)=|{3@)8is~0Urxm zFBO&P+Me10_&+jxo6X$W+*iSoQE8X6<`{*PFJa*t9UkSz z#;9;;yA;waedfMZ?s4l_D@c$LZ{eDXq zb+j9MN+Yh?WCp*16LfB%3h!=GUDqQ-OzQoOlx-^dghF}~phRAAi{8n65*>EchtK_W zf+(FJ<#=DZ%P^coz+%6!1S|u$WD@hAIuNt;CM2~dF z>91DnN5ArHs=i-BbvgvkCgFQ)>1z38ekLl_B(~nzh=uliD|X_xOBm3@ZC$djnMGrO z7f^z)uq{XGt7oEG2vA~Wwlklsw4c!t zt3(`cA>GPz=F};BA-6+!FwXzT>2tOXI4pfh6yvPh4z@L3Tj=)V6o$m^-Z03#EMnXJ zuw++cc4MPRzhpW0lv0o939K|AeRp`<$6C9DYHOq3LZgm!I!kGbJx8gjc6r}KJ|pT0MM{!YXnTnh+YTb2 z_BPQ=cjII%G-LOn)1a-g&SyFmP5i9rF&}&{fT96uKPe^ib@Wj6$?UfoJ-XEGpH~{R>=KXf)FUpDIGPD{?%TN}fwE zm--qH3sPOvq1umD3K3M}!NJsB#YJL51sFzkx#ux28Loas+J6k^)+w?zD%tDi9-4$T z>#I%rhkI=I7#f@)Kb5R>fc#Q*ImiI> zu+Tbl0`dIdCFw}3Ts_T{v_Oh`vhC?P4mgjc(%@A3rUu;6lZiBWVlXlq;)ro;${QWI z^s}l3@I@}pcg73Er7;b1srh#1U}xD4|1@yQk8{U-5A38+AT zE`i;F^TxVa9z|azH#hf5_M2XX_%NTk&G#&<-8C)=SqN|(F7b!o5|g!LTxr{HN{8_u zzVslo$o&L%>8lVc%&w_1TA#puchuDl6mY~G&u2tC_lOuTohOe?;4}sKqKgvUPiM8s z4@ZdwX9B(sg&3Rkg5y2{3oDm5TJ2{(Qbdi0p(ED;8xlshJ-0)6u-np2i_uPDV-mSO zS!NQ;m95w#!11jAg^Kq`?yxZ~>dz6McAzI~(FX|?lV}_REl071++Jq@hO{`3DcDf@- z`)EL7WRdI8<+gg;$5MPF_Cvm!5$j-&yXQP6>YqSOPn=cVeSH1R^v&s_zbtFK2$}TS zxMJ!BRVc+%BR`R1cSDp&roe87k}7g)`KLFpXZwx5x$G}&3G(4ADLv&~SLbToyidFd 
z1Z8XDxm5W**H@dyupnQs>?99n4zL#nq6%3j55blP(m9^AsC|ZtG)Wk0m7UU5rc)PR zXb?a%c`Of(&uZ7o3Z)ymaZq$ArDf3$#v4ixGf+1HyQ3xuJ>)lP$x+6_22QC8sI69A8~x&$3RyX)tdnu_}Th7Yef zK`R45Wt;8+geXqZq_KpT3#bR3!ib9%fHDyS3Lu0co&2Un1XxXsz53H^fGfs=tCapl z7k@wSC(M`?*aXJD=XloreCAPNoYVL*HMPt9BzK6#&u2E2SGQYlF<=2AE)fy5M^=Z^ z)`~QpTsOENkkM$VLWmAT^{B?&)0GTnqtS6JAC(4V>@MwN#Z2f~i1AAz$KD@z94eks zx-oXa8R*uQ_xh64I8CPX(+VPL5Gw*FETm@wEyZitIE73Xy4<`^({pP!=j(Qb*E$8M zUd`pwJT}Z?6wZoHR*%XL@eD?NU3Hg_bDc6?L6vC3WGI|391cwug}KBic6(9pg9EB7it}_y)^cQo9TX^3pTxuRixnh zbj&j<^-I-tswvhkqVopjL8~jnt5+PEKjPhqBVnweRD#v8bn;f90)7aq z2i&7Y8HXM6&<${U%)zgz+^^aj@JH3WhKcPM{&HYcxCLD7*$C5f9bY5z``e98rLjX|a}Wnjks*VSPumb|G9zy}Zi5)7HrO*Hz+1znc1DM}og+8{yUz8}-_giZ~ z$>AH`xMZW|8mH4hrEM<$Bh(DH{Or7XgNXlLdi~`zYoCQ zBogM$J+#(=Wr$TnG!ShEOV78%kBrVqoy72x`B!7RK-@)4XroKroy8QZwCe6}_qoFu zXE)Pzzl&A8X!gVYFw=g0!_qO09K=`MVR40i{zPMVkaX5FoPC-iMg!h)>5Q0!V_7ZM zlOS~p+4GN#eXrNN06f$tcV)Z0kBN9uq<_8W(PB$ZHh%{xfWmqwz)}pnohqwCJeIwj<}NBgP*9U} z+Pv=kZbxCPORdbyn=ersr`2UrC7G?Dk?Z(2L*xu{WBs$%Ea!(4L|E9w?4Mo{&3Z}$47+Xus{)J=^Eu{)9C_$aQg7A; zW64&P-F@1_F2|NGsLCoV=!QI4;H93e*RCn)UmX=uJ72j9E06Jj=qRrxz!!ElFvKke zlnTw%i{d&(+z40u2n$BBbNui83v3rZn5MXT|T4oy%B z(1n>U0Q$a~$3VT(W2@{~!@UMH|9ozXsSI?V3u(O)0ALB%lXd%|Q+0_PD_rn`jBdMP zYjy$MBR>v#hX%->csdZ`rD zazz=I^7R+YiSYUldVuf3)yeqlY5_kp%6m1(xkiL?wgM}K(~9U%>KX^!@}(2e{ZNf7 zUX1h%amYR+q9R1<(J<@`sg_@RAGI9goJt2;lg@;CJ|o}b3^%Ij^;C)9di7c~CyJ0v zi9vgWNo7t*h538lIjK)PN77%t@xs$uZkE5lKUpTqllP-k6g>3nl0V$9-_uZQl(yA4 zbGeCn=a(FZt{hQ4_t@I}C?5aA=EBUlabj0Oe|B1|Qrgl__|9MXae!)D;;Cek?06IT zmwQ;B%-9Q&BU1?}r~ItV0mHcQYmcb?p2S~PZMxQ8d|Gbyq*~m>A+8PqPW2Q&tK3Ri zJ0yiE4Ob~`Ax9IMvO+#mFvTQ`y;~FM0S{iU6%$f9$s@5|0@za2r~DS0G%hNfZ?)o> zDslkT!D3R5=$NK^m`;P89|d++q-^ffwWatnf?jTxdm|1*KzrGq{SygelkS z@2ihSS_$adNP*Sy;E2{d9&6o(OZ#A3QJy@ZnKl)!uOA&m>5q@yhwq@p)S)spv)^#G ziMtV|zAOZ+DVt>=#BW#3+g40lmK4J42{wx?=Nl+QYq5&1)`jm3T(lFiE!#}e;=~=y z+wnyJ3cQnO6GHuQ6&S(icrpf^=`K;6Lo|za;r#SmM zNP0&wZriQQEr0({AO(gxvR(7n6)zIK@!QfqyqgDuU4Zb^C;^`B z#F47qkKQqydmwxHg=|4urj 
zB&~uF4ie<9B&tE=N@}djm3!3zQb;DlA|C~LlpHS^e{zr8%h@3K4BM-31u>5bU9>jd zSp<~N`}%x=q-NG7-2|gW2Y4zPm5tK7 z65Cbkht9lTQ#DN5MOD;LhpI2=Ky!P0{ zY=btSx_+Nx=bymjnr8uHtn`_{+fL1iY0}hR0%5f!?pJaxwd-B^W~XgDCCJJa%<~T~ zsUS4NtxHKuy6I~x_AZWVZzmq-9@kx1vs)8H_+jF(!pa!Vm0dgCKAidx0r8Ior7qR( zRIYA~;kZ*g0@AG_`l4X6JNUalZBTnHrv*N^Pkzwf%438}UrSx5BY9%J6x3!NJ`RT^ zo*k^Y-;h|bpC(wEVWGO&m`Q-sD-nkKp zjvK|ow1ZHE5&i6mtKbW_jA9R9pmpvWS%V;R(Pi zZel@~Q8eVoB|fqHrgHK`vEhJWJ3?(Z7dXcm(ug$oF(E-hFbO?!*@}%dT>taNrO`DI z#=y{>j7@HK=!Y*U+{(Fgbp@2CKb^D?qe>@uZD+3*$Jd+;?gMR6z$YI^k@itB7asHs zN{A~u{XxOFouJG>)NpgPbQ`{D69-()PEK}k@>k$Os2<^u`*2YW6c@-fQByn3jS(R_ z_!ulqLR>gd!PU`j^_kMu^<84UQIqUa7dr@}$2s!WW93ar7$=EL33S8L%E=9tWX0p=C)!2MuU7XTW$99kZNg%f43J@Xv6^AvS&>L&h=jbW=Xf5v zD8X|(QK~U%Qa;FQkNm5xeCt;MQ4r#T1cx(*&Gwaam@0n;qC{JZkq9>|nbK;(tYmZ& zWKif5k1uPIna+(%gyUi$i?Q%@!pwk1w2CWlK|3Ymp+zy%>7-drwfyRQ3$*%f=G^JM z3vj^Frw!Hj%`mv-*yB9f=9&m>k4I{+tBiuB9JLE@2IWb%Zox3QC%n5CW@d21a>-c? z%>lFhP`#%v<2WVaaBY4}T<|#eTZYz6-4LqZM>*Rs)Qq<1%1z9S6R38x!B4cm+$=w2 z^a>tS4h2oZ5j$$f9m^pFZmZi30;V3}GEjapMO&8# z;e7e#Zy1peyS2{pY75`Q0kk}Vw3Oe5ZOR$G{Cj%NNLP+w7F%f2wUAsD+H!~Lth<`; z&T2TR)pr)89oOW>O{Qv&aCMh%dDBw;tmK@(vVpKb*)*mwI0o|Hjj15aJCB`A(hNhq zbWmgL1s8K?=O_S9+%?UPNzOQS{+YYMZ$S`c73bv8+=?6Q!yCvhq4IOgg+YAVjDB8k zDSF;=-kJ2<2~PLw6F0b#fb7#$)>!~^dSks91B6>>48#6Gx*&I!ZilO=}}!i}3&6|Wn60Q|8YN=G zvf@SM9zU^gB4Z<&pm~5r?up=rFfRt$9 z4#GgbkIY8W$hL6)wkXmMk_gHTj?MXBtC}NU{7d3gAh}F6USW2?86hEel7 zpL8ZNcyR6K(}QYkw_4PKYHCgpudD>4kA-!~cwz+g(9`K*cCz2*^rl*Y_SLF)K;&{3 z8$MgEJ$1-~`lEaZN_^fcisDMyN-qvJ!@4oY${I9a=*^^3ogQT9P-ZyruG3L}luaib z@fJ_fd-)lM{KEOrG3`a6{SkMtjPF~gmNz4;tHf$yrD|^dcf8&ECN1Npq^5GmD=NYQ zwHJ9Fdiyfn`xHd+-rGqBVld}(UHo0`R5Z96*d1y}X{^+jNpN3Mx1Vm>D;A=ptQa;Z$s(qdzK3vx7Ag z3KLJh;nUKdlU#;)hKF12t+YI*hL2wz7UA0{dxF*BKOC0dieAd%dfYbDIVXRe_Bjqk zq8n_u)5o@YycPy-BEl8tbcVA5b+P;zL{x5;{B1N$S_MXG35LChC9;35{jF&YsN0iI z;;mdAtwEjgssh=8b7V;3Bu7EL9#B~@uHIt)Xb1P1^jrDn?j|fN)dIqtT&7lSZZ-rL zTG?u>n!5*WT)kbIbLdBx(cl%s&YarfkL4mzXoOMNa%^rdP0pI~z`cvWDonXIS+KhH 
zOdoAICgRhaTA}R@0evDi%03rr3&*U_R@S&n``w;fOzRJ24bBnf{zsV>zYLbbk389N zHT#xI?&~W1Cb1+$w;}n#`I8|OJLx1C&IeGz$1c{^&eI%r6=l5w(l`@R3xd~;G5UbC zx1KGU;eDQ=%xN+>!S-8x+H(Eupv@KgB()X zA4(t$e z;}LX=H6Es`ZKx4>_>kiP(RQ(zA8FQUkE)q?g zv~=DZUpJE^+93nOzF7m1Ju??agg&&pj6kHs%v5RarHsokcA$B6_tIt#Z6p{%k@E5EKB^ z>mAGT_j+P7OrAfal!>=l0R0^ntJ7vnqwZp2m(SeW1v>h>Kso6Ra&}`%skkV!ABQMB z;ShalPFX9O38Z_{Z>>Iy>2|2~bSsn!ekpwWXxP##kEA-sqK?jAEXfIQoaMn>B+7hk zVpDjlSa2QQO5MHK zBL`HjIBX9UMM0mEZ_cINBZNgzDaKgeB3Ffutbk%i+UDlqAT`5Kt3NKCPz!!%#o75m z3rl~K$~aSXf(=WBHC-W{6*k~)n|Mi`tG?tWRWmNLzhnQ1omye5n)+RmT#(h__*p`* ziq1RiWtFfBGjg>6GzvZ&&uO`fwv*D$3~^FV%-%YQD6_*LuNY?dA%+0qE0KT8L-MR49tyRdn9YEe;L%wK8-$unp zeg}-&3pN4`@rXsLqJi1@W;~A~Z#=EdJ7MfrX?*)AA{c;oqG+tX$;B=^!|q69%mIW; zzJ}Rc@^N9(nR9u@*5#oGdbf?$meuPZbi?Zu@Wm$`3?JRQZg#wW`~Le`G2j^J+$j{qOLVS~qN&(2`!n`lgwP9Tz|3e=sg4WBHiM@g+bRNIq;Zr5xWgL$FAWJT2qk zMYjZ8qd(6J%5yWywW{ahD$r5&+0uZKi6pAM66`@htei}kSDG&fw5jI`)W|FDkAT{Y zz`}c-j{uSwwShb`R@J1S_8mnuSTgEz79y*iGq0IoTLe1jYleW$#9jQuI%}hg7p-d6 z&h1{SUEO2#_ge=X3_+53bblEDp{`yC6qF2}-&@>g-TF(plL}Gk{60aq&!jS43M@v~ znoGrzK%thI2`ndYHPmXKk(e9Mvb}D=l5_%JZuQ#%{E=WZ3kL;&QPop3+8xREpb#2< zG@}|oDK7$a!~RC}R8|1q#G@YKTC{J7)gi!{Rk@{k0FB^b`Q~s0fLse#qfVxJWC-C| z^>YcfUB~je_nhkCyz(fWP+&#P-$K3N+&#d8Vf9pcjH=1I%EUtRJ^fhRGsFW!57J#3 zs*#Qkzy+ObF`Hxwsq))?-QA{;||r> zc=cJ}@PHK6xd>GY#jpUk@R4dQ&xPrN;tWC1wPIFdUM=?4vgH7ezWr#A+No8!J@}W^ zP@u&KzY7NqsL2)ErID>Ggn0wT!(v^J%cuYid|lpn(iR)0f(25Jzly`~npku{fR3_cIuL|t2Ak1< zw1ssrSono%f@Yfec(nys*nw1e6-w%9309%8I@C>J;k-15&g!$BuZ&lAVP2c~MUTq{ z$2246He&v))sIs|1nkWCGX6w(5WKwH?hbg*^h}GzrlNP1+hKg3^brE;ilpQ6ACILo zYsAzB_F7ug=W6acYNzR$p8ZtT?|6O$=Cxj=Wd?p?i)xOR0F9H8Os0`W zPqyaYIS0OLz(tl*zx$v3>br}#HQ3cy&6c2sDxZKPD6PPOjr5ZKXGL9u!n&Abj{Of@ zF;w=w05RYI9vdDVBeli_@K56d%0MjCj;g4P7QaZEXCuH4JmQ4=>KOdBbNyywHb*x` z3*JqCBl6Ygzxn`Q7#oWO=D+uK!*Ne z$n_pq>NL=Db7{CqE6fx{T|1k3TX2w2vE)?y~=mGm@IAUucd`S zu$r-xSpCoaPM4sN-(NiWsmlZMl58oV@5;Z4fxfIlL_N??wMI0|>8D@*O3;5U2H!EZ zEUlJ1N_syX@Gm_ANSbMcv&bEio`Khf(Y{F>2A=}%{>b-Var}Ws>ia=_m3CYElXL*v 
zl>e$iuOja1x^^Wcdjx7Cu-4uxytRQ$G-*z{B}S#om>@g zIA{m}P|XSeWH^f!Qc67wiko&z)`YpaKRLf9cgU&jx23L5T^bnm!U$4;Tg=N?0B0q_ zvFl4mfZK!?Yg0npHqEIxFZ@MCN=-9;@Gc$^(TYh2i#b(-0(ll^~ z*zff4o9P3p!`N2>_~d1P<^AL*9vuT|pWeJqXu!KWy8*Lca{M##7&~NVM@qqU6B9%%1O56e*Rd6ClKmveRAfsjO2vKVWnQx^(s^tECsF>g zmcVoofA2*lzF*$te6~O^aL}zjUGkT|^1Vs``rPFYM5T57E?*s*|NF=N-%x&L8U9Zy z|0k7SjjR4oSN=~|{{N{fc3OkWN|rwvyCoa3a#m;w%d}Enf*Ij+htUogS#fsG8A~>w zoVd}2aQf>obSPPjCm@8ZB;)uiF_*L<5En0V>b`%@-I~)|LKJGJB!QN#sa?9`aMsi%gl8mPd^LX_dg~h zfbfhcP;~j5T*12SrWOUmbK{ueB6x@Qf1cbA>t*wi{SEn(N1k7WVdhlOy7ntdpOZ|# zpR;L8KE69w>Z;hi_S^|Pt4pcY-PZPBj;g;}mzz@3_AQTSs^WGQz-@F5&D1#IA$8!w1RO(?Jf*Wx>m$q#ePG-0ti+5X{#dKO9oFawHS@8T zt={-{9(Y#$slib+$#Tibequ#1n>M`gATql()hvK2p=T($`X`itVMPGwtv8TO zFc#g$R}=R7vL9^^t>f|WCk8VfY2#1G%s{gq)kI4##x|qSlk^=r$fhUl6`>8s%Egj0 zf=%PV#CBO9t5I70oF&1iIQksXhTT%LF$Y2 zHD2e>60oV_jNU6Z&0|l$rISnbdByd|2Whs4ORH!R6G^3VyGyj)eF7fHYqk^l{(|Pb z(c)m>4&+&N;5YgM!CrLF^v(`qrAfvcgA$*T4*xJro#ptB*_)xEoBI`&xW5+Q7xnno z=0O+$eZ-81KIsSJxMF7W?!}#ScuJZ|;5_aMQC#HGk*%j1#5$k@2GsU4aEj$3&2#eU zt%kO%!P}0;XgG=)iQWTk?puz_Zb>~&t!Y$+#T77ClApBXTK|%k--@mu+~2c9@JIf> zqrAXp^LjiN^^>*)0=#bLENCuxd)67Xvs5OR#Bett=+ncWLsEs|6z$qhX z4$taO_Xx8r-r6$Tbe7}XeYtpb&@Cjz}XZmL3DRG z=?TNl*!-7fxF`yl9^H&9xY+sn+f@Ko>K0lfKeL*imlccrvsHuxaDB4;Kr*(!A93tP zYN`7t=o6U_QjmLS#yR`Bo2u&*Nb$|al0lYQMlYK=w^(_$%(M`~Yw{<@4lekwOz614 zJSq<4|B)Ceb8sOL>n9epAh#0O0IhrGJrx*b!m&5&;pDre(Kpf;aCz$MYZ)o#8F?Wy z$O)sU>bH-Q3}NRWgI6!fXx`r~$ElIw^Rf)K)zv7g*3@$>X|}*3eI+@(ojh2%UESW! 
zubasId?>BiWt9SN3|n4Og^K;d;d%6;y)^gc*SVBgROz=UAh#xM|5-^ko~0 zJW$37j(w(@rRfmy`#}}ckaTcw*vm6?d3DFL<|fqEt2a#;OLmq|IUAm)O zkbnJb$#Kn`CMxffS7JIhN<37&nuXM}^WN^En|}-+HNNAL{&Ikq&?zQ);&bKoYkTy= z=Bd92>#w(*H?lBr|1jq!JFzFnrB zZQpmMpzC+%Q-sA~%LZ&fC;DmJ`aSR4g82rkgjOk#AcKtxK%Ceool^V2Xr3pHns)f^sOxy?c;o|7b z&^J{rM&Y3s!t|$n*+r!oD^0`1r#So7_tvGlVvw#f5TPykzK6G|E}GeGqE`NCwlf=lkuQl5`d)#<=j=y8J_IL@;532Bad|!TmIB*0p5)I3P zv7hslKs5{K2C7E`+TDjcyS�HZeM~ZKY4_2 zW;>$`6swpRKcF?k9B{qCz5n51o!LEdF1>HMv$U)cHVrp`X0*XQ=ahH zrY&%gasYBK+l#&dOS8jsGJXJ)SP#%R!mHr^WC`Ed^tHPPo6ke?5Q8&f`3jO@C0-mD z2Yk6@ws*rZsi_s`<^ybb1EW+!nN-}ZFLM57bl)l@MD@@|fHG9~9GV#J9R&S!b@ybh zc>U@lu9Fh>>n{q|My*Vg{B5Qo+r+je$dr3J2<@*cQ3dXtV9L-paO(d#3a5 zz4hIg+UoX?>h$@;&kZJKYnNry`Tu1EpZ^50mAWtL*wGp(gX$DHvCes!SJVj{pS-rQ zHpgnL99Yb`qJ;yXXB8~hDxLh-X);|I`Z$m_59$f0^mZK617YR7XdML176)O0zjN## z!XX_bl-R(~{2vo`1FAT~lhO$ECs!VYnRA3iOI5_wP`{6wF+$IURPZ8g&yJvqJu(Fb zC0-c)Cj_X?378W0<#IXocYp4CC9T0mg5z|@ z+WW&?YmHAQ?)Z>h-{k6lv1;B?ubuunG?jbTtC_=3|7x#XFSOGX>Fsk^I7gZEfnE^Q z<91R89GyAQS6TSnC9C_!htup^DW}kjckIM+1>x3!SM2m9t2qXBZk=q|63!`+k%Ew@ zON8MJEM%Wej;B!?S^-OF_^yUh+zK-vu}fV=mQ68{uAw^kBzSjASx;SL!EkN-@W9Ed_BI^PdhEtA88|EN^CxJ%tTN{8DSN(}aTq4dA<N8-AG=(?jRtt@{q^L%6D>q!V(nQJser!Vbx<~>D>{H5TbX; zzuF*6GsrIIOKHQAi8OLSyd>Fu(vBdMSi?iih`W<)9kTpTsP)#HHsy<<=Z*XmRS|HP z#~f6S19^MY329ZMcbR0;hEeNqSJ$67oo}}vp!~NA>OYL(yy#zcl164Y`%{<60yWC3 zV~vmLg*q>gpn_~qJ=Nn!l-n|QhqJj9_2y~WDCVb{z9mCUpZhbiCBP-A8 znU*uoshkgXS(jSYDcKuNwV7;+A(e}!zYL{NyjJtv%t9nW3z-FfgfTD$`73<;`|=Jc z?XpaIGt61tq=i~ zjJVOF2t|n$;kyrekD-UH?`T7@V3RcUVnfmV%e$() ze1g$;TU&(9qtnA*rAsM?cr!&Hsk3*s{B#9N9NEEcdsSzj5JlQUgI=ojfYoFi8avvv z=&_9%dp2r)ZUf2J$YzH@m$<$w98PrY#4Bo!98#zTh4$#@2`JO9kD7?FIEoCmFr3p@^tsJ_-~G?y6;Khp?Pl*5B3pz?i@C*#f)h~n9mxF+d0TP#t+q2JVyjp@BayV5@lp+;Cy<(N z!X3ujUdG@}dI{eSbfjZU^`Y731XtfMgXV8DKt`@#hWJ%1!*_+PwN9RTTPy73GT&I+ z6FJGCGGRdz6$PfoJVT&mV#G_a|7>0mBK)G0Qt6rA(rVMul%E0j+o)!$zTw;40I zNEfrq6}}(lV0ad;>*TQeFSIUXKhWA}F6MMy9DTUqijhDu5JVo%x8Pn7(@YTqd~qK? 
zkL&U!{ZOB&0ipbA>s@85rYBT)8}+8U~nrXTF-~`;#2j z$YSpmkwn?eX~3mg#J!fsFY^;sxraJsOmZo)b_8qvGn6+zJe^W|7pA0dhn=}D>w`6K zdb~bTIcUBv!K>WL;PHY;?lW?imhn53Z`MG9da#Ro7U(no{WqJw-gC!bSgf z_E^6M{j*)$2SnY*tG;ixrS|yGj&%(@=*Q?EBt@jJf#_`XHi?^+y^jnEWzly22}IDa zX7BeHR-LViQ~QVv0=##v^hJ6 ziF*K|Amv)bSxTS$!K%O&ky*Fr`Qxjxp<<*R7^8P5)A9a(k;lsyqn<{oZHcYdFzgav zR1tM?w+?cgh#W@UD?k!NSmD_skMMH&9-uw>w3QQ!k)3|@K7-c7KP^}3Ii|^^KNq_1 z_eGok)Ci4Yc6apCPzGxsFS$4>e_3Fl^@5Ey1{PCX<2GKjMWNypdSjtkdCn{|9JHES zLxU^t{VLwG(c8F+5!CB+@m-zs;oi~V7I97Wub3BT;RDlf*l3?v`xNJ3m=ppWLXalm z45oltU=Lw-YNIDus!*oel4HI>iQnvu&2Q}Qc+#VxJ^}WaES^5MP*#ll(x0+aH-8=D z>VA#mb0Gco54Rp@7qfJmG3Wz~)&Z-Fa~rsG8PjWB)PYV(W1=6ssPU5>;h0@$Lz#%* zJr}l4--CUnk<#^SacXcM?b_2b@uKvAwXpz;)#VTI>T&D`y;s;$mpU+v{do_c&Bq~r zX!io9@R=ynaKA4A*LqLh0Kkj;-Ggr)pzQ6S@9Glh$jT*u78m=KodGTs@{vBgecSuj zRO7FyrZwW(>~cEuP!pHU!McSgNWzzIePveo&a#;g#JUTg9quz)GbHQSnv87-GImEc z<2%UNg1fthbT;%mf0@+L9fJ(i?&d^^&cv7ui^_Tj#5aJ$y`0g&RG6m`w#;opE+XCDPACTxcX}61iXnhGZHhV$RQ?+O}yH2}B1J$#^>mPp1EB(^>@h@GI zUSKh1GWe$Uf316e?IQJ!(axjA!sb0Yff=8%S$O}tDZ60hS9s>7FR&_muQjHQ{PV}V|=8|`p`41!r9;* zeDZADI?|G71OK55{C5whO8{q9{$8OUrwEWrNh3j;_HUqR23YvwofcSMoKXfI8JOp9 z2JlQd>D#!`7zxKoG^3|3?(F5YUn%By@Ayh03zgSLwWofT_u52*G+#Em7 zf}u9OocJ}qn{Vd_Y1o|%G(9=^Cve~Uz3TyfX~eb2GoQEVdhrsVoNjdy_gCV z)XXoR^s!sr{LxnK^Wo`xv3&cEZ)|17zOIpxu<(^oCLF-KCL;iXCXZap-MOBV@0>I> zWOml9i6~g(?Mta^_gF**u$AY)~DQ$3nt(<(sgJrByQE!bzB`LBN11Vk6RJp(=;bpH!g`l4lgEI!Af zb6ftuIFsx3Y(Uh&Au#ggvHw9Gek!zEfM4TQF!%vY{9nzhL<6W>t&39luO#{XhaqEt zwl>A|{x7rmvZmr&w{}_7k8SyTvNmOG*2^s>{ptWIx|SZoq;}2Zefh?Jmftw1%JTd8 zC??gKN!_$kteD4)8TdT<_-%v0UCEb5df}_AzBYp!gaR@JfUClBK&u}8aQ_$Ew1yNO zZ~O4`bkOIg{PYLDBOgCx#bqoE1MJ=$>Hz&i1{}BySUeO)BcU5zklKveU|* z53H{DPniEm7wb>B#dYCACbKT=6FytTlkfuB-z~cJmH(u^$Rcp}9IIxzqoWqhs4>V0 zd4?p1=IRZ+DQM;(JZ zYh`E*4;c1izCoCq-7(kBnaC&u;vFrW!1r}l%FL>)N9oX6!Pe@SVu^_~g&C3*1`(RK z^vX4|UVP*Ga^D6IshVQ)rwhj_t;&~1pf3aWP#C+<9i_;HS1r-x4z~C&U`9rQM@A2- zkR`I+kO5;yLvp1SKE~Fo0LHL`GM(~W<@{!y!}Mlwd&<*gR+Ao;z>%q@dW*rSDtcCH#^vOm4_*h_#7PjEg8JY?Qe$)55j3R+jdkru;A0r8E2NJD 
z;7)~5SUJA~o}LbG?}(%yww*vcyzZ@;(jz3`#?O2f>;E`T=2nF44)IRz*dD$-;U$?2 zPcM9J>bSE<>8QeZ6{1gYFuD&}Gtrp5`$HwTl~wGx@w!xbTfvK@{>T--;*Rf|rw>pO<@o*$M&)m=svTV#}5(rFj1h3ty9 zCW8Tg?`*w){HrwKpD%9S9x$t)ea)m}(?F6pw%r6E2r9WUh-6Q0TLKZijtR@%%ld3k-W+XUERj2D>gO>*!C4{@#=E9q?ov%U1L}Oy4<3W&%CZ~nh|{M7{(B#>29GA;4r$Baz1cFc> zem~{S7LZ)fsg4L)(o?Ma`+xVr<;OnOTV`$0EGstw3%QD-+(VVb2YtPH1$F8jp4%(p zOsDxQ^sd*havl0mE7CiB0v;ht5e#2M&vM9{=aaD2{(HgcZv4=3K%tY*K;+6#I@$f8 zG=IG1=V9&Kv9VUzZz7*>bALOH@AhrE`2F7;ZzP3-11TM7>QLGEnJiGO+p-U+wHg|C!UC;b}k94BJ%ymR;iycnzmn*K=QBbUYq7c4FnR2x2 z!({k97wFMrrX`k1l4_Oy^>C$;ssVO(-SlZ_?y`9Na-y>IW?DvJLi+8JO3#0PUjwBZm)tZI&>_hh-8K^IfkZ9=V zscI`alks+`k|V*s!+V0QdFooKXN+;y-t?k@8P$i?Md}`88p8x7mgEJlY*l*yAZ$EA zvAGs;cS(IVuh3n>9!{Fw6LoSxt#nUK(p7JNKjDe6y)Q*T@70_|ZxYiO3N`tUgbNr9 zfb-7BvcGCpVQJv1PVHhfG*-o#jLfCCiGbox*t?GRrbWnY-SG}0(Tt8?9`JNsC#Ps{wHTS-EM#qUIiX!^SLh^xO7 zdr3o=m!r3L6%wF?90T+0;x;iz89U~x9Qjmgn`*;bmFfEK%Pu6piRG+oX2d z`C!~&wtF}6Th@%+^9SVEFdLp(NPpUhQEOEuuwQc`23CT^KX z4JCN(e9FFlH2l;tv=11L8pmKZ3CF%+$o9YH&QLI9>Q{{%^XWbAu+*ut-KpKq^mWj% zZ}%tHhhU=L`Ev_*c~`f@G)=z!H+mOHpXhy0%v;Hamb(Ak-e%4$M7ozsz zr#qYGA}Bbp&`gRon?~TFwnrG1#Gwu9%;5HhSGJTG-Nx&sX4-kjNzp+}0;9ba8tnf_ z4fEI<*HQcMgf_l5rH6{st5k%tR zfKM&Wwt3ia`ymgp@gX}p=vnd5l3B6W%`!Tv@C7kqn+!re4xvU=oLC7t8x^U6$4x2K z4MM}IgY)HYs^l4}N`f_uW%q`deL>%jvS=?A4d*<2?By(hmQp#E~Jg+h?142vO) z9eZmgsP{Ip^{XD)3Xr~NMp7)U`t?lCH9e*u;VPf(HcH&yG2^i`A7gZV(Qzd%;0rqD zC+@la5W5v6Dr@PXr}nfzX;MzxmFs!*-n;zSwa!KHijqgtuMa$+ z-#865x#7xn{BU$d^20jfrS~TX2r0HuNJVY($El;BIGO(QeeFT9dpl-?FN5z1f_a{i zLK5fcG8gw`le}=|uaVg5(xM6u*`#rqowN|{0i))gOY>${(@UDe%~eaSCCiv;Dw&^w zCA&EG%C#=l8-#;r%~|u^t`}Tw`CJMx0Osg*{AbxO_jyE zeD=9rJ;oNheJtIgIHHrbpJ=VZX$JNnVNEKy=JY_YrTM5BXuw~v7@xt>3Onu))!tAh z5@Nz3wmX=)Seb;ds(qF2M#Gy;6P0eGdcodwZ-h~t<1y$IGDd|5m77Fyw3{u6Hs7yd z^Q8XNrqQ6U;EjJpoXNV7b|MN>ONWGZIu5kjabuSPm=DZnk4^CFF{7p;G!$S&b<{^c z%}B1@R`XMl7!msH6OsJm>NS-EuoAmz?pr24g=hiu$cr8Ue#{4<)`S!y^N9;_%2lCA zVxo~s>o15q^enJvI6EZtt@;WyT>F?*fe`302~GCU!Iq+yUJXe;2QR8H-!EQrTtPBo zLkZaaC|2b2&+-Yla1`$` 
z^&fXd-E3HLlR6w1B;hUmqJk9mYHw~kNO*53!Y?(;y0pXr)|q0Tb~D?xknZQh?DMhk zZyu3pnvJZL%N_4Cz@!rK;!(q5@Op9cNvmm~6X`{&&t(mnCny9NzJhG%yfmO>zj--! zc@R%55TT`2AF5C-d{22uZtv|(rZ|ZaJ6+MmIGD3?2Gqzhbb^6eat#h=WV_ekVdt;Q zg5*OTCo;&QW&vMFF6PdAe=+}fi_VVP)nWO3?BfvW|xdBw<|i6UD()-b?_5cP*G>BGc+^(%ac zwvck7gJzNLVZx5GDV_@XKJ&KHid4)qZM;BFIGc{{lk7I-Cl!c&=8a9d12HFZ*)zOB zv!fAX+cWmQJmi-G=|dsZMpq(L5KKBs!9xAEv$fh;v@*z$pw;738zXbAQtbsq z0`&&$tlB6gUj0v&kfh!?U32FX=Z7tN;G3@XXF3bwR?Iran{HHrd|K!a$nA)Sv`i*J z+q@Pw?nPX&m{i^eB}99byhkEjWfoVX+d4;(y^z)w`ddoTz~c`I$5r6H5=x)uXp zs~*f$%$uUS>@qD+5%HM)c5$!QyKOqexy;z4eO{xyAY^PLv=eN3dBeI5O^==JTVXDk z=Kbh(vv+rs@T20w=ab<@6_GNR)nldTlt@Sm11zapun}o|s-5v>=VW0gMhzsNAb_5s z&@x`frYa^4>-~iaUOR$+zcG)9+`s=y7!BKPpmX~mBwj_NVo`&aaqj%NZ1r<*lyS6C zSjjb<6H3ygl4EuS56vEEYP{@4?^RxsJ6|P&L21fjx4HN0)Q;#b{UP|sEyeCeJeLSO zfjt$e=?WT{V6@Rw>&k!MV-_=iv0xfrcJ0 z2_o%j_(k11Isqjv6AN4!TUtU36cf{TqHrzrL2Dda`15#LIvx3EOw zV8p@~J|^ejpmdqoLa%;g(R-o2h#n_AoH{2Nuk;>zTs|S>2yV71#BoapYRac;)ZN_t zc{~}DL+* zwXyoRxQV0LuI=9R#SQuCn#_>mVDNz9zZuJ|$u$~{kF9IK0cb9I?_t}xgL*jr6{k(P zz0@67oi~{ues)67UfQ!qz4GLiO>ZYc%=w!dmFc0nMB>cvgXkvb#^~w|-g;Y5aktWi z{X3fa54t{}AxI;jjaRuhb?3Ch0yh(Vh7>R6hY5agCl=Qgr?z?P-na``$K1YN5FTFQ zE&_p9boV=2dW5SG!a89O0(}#P#DIu+=$<9z^-|yfJ%RkL*Ljm*Kgl27EjRKq&0PIj z%&kxdZ}Nn4Imsub^P0)W(7|LpuHBEThFgqUJG%2>+aOXi=_bgLgzBFhXA(#5J7|&s zN7f);EAo%==QcDHtSL1#v-;R}lcT?$d zL_1I?SGF(5T^ua6Z`{&0BPgjER(&`meyiPOzVea7Wn!51=ze#&DWw>&Su;Vn4gbt`hHoxvHwkFZi zIt{`-y+-%e9$XF!o=U}cz=r0A3P7&OKDvPZ8 z`Zo6`S&!rkD0)`Fo#3TJ@8#x5%*yED%*W|Qm!)jmRLFU3nLNg07yh*Z2BAycm)0`x zvOAWglX#B(IYnlh&FmeUZS5Z^`SDX>`BYj1L0`gu7#Yr%vM1c!#?w<0M3%uc zkfUMbWc~Fwt8*z%n}oo_O&~kVmN^*XtR-P)V+zJQ>0klW9(1^&Re#{*s6A*RZ<=t8 zzKN$ylFJp*7uT09eDp9hdvL~#;$bqn=U@l}x8k2x@3Iqc*D(d|9p74X8(z*D53OS+ zhUj+KbCspMoUB?q<>o=i+$N)wo|KhI1nx#^J3M#EDXEVpWx7(eA$@xYy}2pdmzwHY zR_-X|_gc;jWf9&QY7|iZpYrS%tZarp0{E>R`_7vlii@~4pXVPiQ(T#1WVe#X;SdfC#6G|o7jR{$I2hk&_zsyjnQ-*lED?`$MFHTG6KaU;pac>Ksw5} zcuI{=Z>;fKDr0sy3@KRGdN8?aD--m|#TLToax3hRfw^aS_2Qd2Fjb)=Em7@ZsJW?0 
z=x%sIh~q?Q??Wg*eO)WNE(&~7H=Noz5>rf~W(2Dk2VMhdVY|W4$HA&VzHn<-+C-lW z`1{>WVk1P)Z!$My|hO4kk4K>^_-;8x<{$< zaRZn8W#g189+x<1A_vF<#e(qf68hif3s?qKHdS(##BVC>C+U1} zG%N5>#p7U+rEUa|+^AL-qCf}|2ykws4J62Yhm|YQ<|r$$2kTq71%9~m(rOC%l2gFv zW1WdTU2@s?m`OUmHh!|sWLCAz3v>)SMtQg;+oBHssMsW2@##;)wYAfsbSN8F*r7`b zd`BPGJ(z`V(>>5uzFkJgwBXogd2MShbd0$-Gi@nxQE;^x^Uxfqtd za1t{m1#QAJD;}{g7$d88n_LN)BRPW9s2v7Y48+T*0ZRE%)wOh?M4tx-NH93B*^!@G1{%y+_qX3VIJ?1s!=>VQf!AKkR>@7?Tly47Bvn#Ii zUiEZnboCE$NVCc*o-O=6AXl&KQDA9XXsADx3@W=x+JaVk?CH>7?i%$b`aBlRwrn`{g6|ZAJ!!NBl35X?TM$!c1r! z;auZmF6TPh;v_|JB__WeNJxjMDNDs(xu{%LJ9$$N0Zq-8F}rEU?JP8BZ!Xq)W_9w- zWdEXSil4Tyi6I>t?hTx|8WU4v$*N>?6#ZO((4cB}82tN`+?NsrODcsC8k#~}j^Kod zAn+(QIAjSQY)$y&%J2+hGqU`>spIev64#_hg}GZAAIJH*N)4uFzFF^2oz1m~C+5O8 zo8!G2+b!22ozt1#v96|rfoaz#Px>Xfa$`B>;>j)^5)_?u+ocP^n`jw(95b|_C1fh~ z!Fe)l&rL+{1Vw;v*s!A+H5My6gxxN5;X^r4K?8?0{FV{c!#jDQ z%CowaF}P>piKr89SJx0D-2kjoGE_cPSsU?3<;=9|ba`t3V!!m0c8Xp;*v!%d>KwMK z%MI-H=v#q(vsvmH+h5H-wzS7b<)h(Yhc&sg=#MozQWAn?yYJKW*d#)@d*)^lLL#ZK{3XbFWScUz9W^{ZE;>6T- zhZXZ_#~hHPj;fmY(VFe9L$Z@ANy6_5ZrU{~r&GDy!3iO`pO$+LzaMhh0XP?sn0wuK z&V`$O``(bH(MR5W)$Q@;@6X-!2|`K9_YIb!Hd2im>T({ASF45kCa|;PZ``Y%O$Jgc%pbJJ%g9kKzmD+733fKWZliFP%28m#oyDX!Tqn<|?th{~al$a$07#AlsWT=9GSdpj@mSA&uWt85UJU6+xX zOIg3ecK47=T&I8YtTi_4p^O-45BOv9)WdI4Nh*-Qt)?ekR|H#>U%vf@~Smo_+HMihIzLLy|)Z`h#Ik3(8Y1+>slq@Mc?d>M|P za5ge6d;UH^=y^Ocb-;wEUu2(w(!P;GuB$D$<@2vnyb!NpeooX5Xn@e9h4Z6-EO5*{ zt7-3NljGbA)L}=D!C<4j8QQd_MiW2fo=+;`JLTOfk+!H8x=m@Qe)V;Ih<#U>gDCJG zQn3QLILd62(rYwtw)Z8fAjVmFfS0e$REz5wHwryl2P!KULUd#m+L}nuK~THYq0vPo zWrb14tT2(oZI6%Vgb7tEq=L7!m!`F5!BUqA-G=B4vpQvUYR6(}juj3#rF`HTJk^uF zc8*N0sqfEk-IRh1?Jv)Oqo%5WA}VVWX_RZQ1(MO3%NDU#b59NGJUiE$}rQ?mwjR`fH5m$AMfQnG`-k{I{rIN{B44g(#qhu0@{Q9&q8?tYz1bNPv*#wShv zhnAW&p#x;`!$P{KNCyipy_}0C=c_6}t6auFMr))m6{vtW6{MKA#O7F6JqdQ~@u(;? 
z8NS+Y@gvj8SHZr`BFA=dGu?*!5ve#$Wv&nQN#&`PLF2Pr zE?ZpfvOCF0_{w37U_-;qd{UQ*IiK8Eb>BkZ)RnjhG^)RbQ7B7#%ilDxYHLC)4}{hE z<7OWW1$()o(B76w&UJP;nB}q35XX!qr{Leb1|5$)=|zx-q61Cy{03{@VHY2F5ag7Z z;Dlu6Dj6OQD-IvGqReCrArSa{@GTO13fvXn;Qxk*vwtT5N!XRgh+(d0A)^N13*~*> zDH12R*C1KO+HardX5@$EUhq+Tcl%)C$6&t{yzgIzuB}|-21IvVTTlnr*2!+ek)=vq ztzb;qy-D5OM#_rD;Sc0Y-&l3{CHOPj>m19o0C0qK=*T?M>a8zjWu$6H*y@YPeDrkb zqxrY-B$M1?mFW{z<@Prom@9z=bTtsJOPy`|*L5NuUUIRVe(OfBV=AgmiFN8u3{HQt z?{rn_QBJIPoBR(E37yT-7Rs)Bi_|Yqml5!Y;G$HJsuC05QRgd3{Ee??or>$qDqF9Z z$2kWl>X>krj~Kx~VbyWSSvZ1tB(%mAQyYDF|1kT84TOhOy|i_IvtE5y1kmvYlh$nz_&6e32-s%e64)fIPk5;A3WqG&{Eiy@uUjsY zW^eOFH)D4-w$`mp4TQT#~~wd z{({lniRouiH78(hxwk)xtbXsJ8Hv)cvpH5$> zocgZF{?%?`c?O!+zWqrJ8fL2hkG=Pfr?USa$M4*fQAs6a6`>Hy-da>b#<5q)9>+X3 z9g@ntD|=VgF%FKsM^V-h*?VsX2M5P-ewT{7Tiw0u{r>&+eSH4A9_PBwYdl}i*K?2O zgl~?=-!e%VNZ?3#`AI?lTos~S<+wmGPQmqFNxpL(Yfxd*TN6u}MOKIVy_Ai&V@$aR zaS-m(9(#pPXVd47g-NMg&CHX%>Zc<*Cf8f)o8c+JNHRTvK;K-2ALGR&N%iM8nS1)P zl{6hCqhu}YJUP(II2v<3Zo_{J`+7e1!;-9ImUVIm9qk%TPu$?8Zlb)|$s4tCXCBn5 zb2KVXZj*0}y6uinl)oChK@*I$uYNAv$zNNgZ`OIV)D*pn&kzj# zYOzMaqC-+>hsfmm2^=?O3 z04)aXtWLH>C$|gimhLbjTt1X-mL<6TIigfvZ0W6}2+$FcF)E^p_WWl#HvBSlt~gvq z>n3mA2`9S4Q!Iy_x+i^6^4*j?bZ>4B@!YG;x2y+?$y$4k`=Ckjh`4!h4=K{zd&Nxnh|ui(Tr+1^EvWuN}L}dYZ!BU#FE=m&j3bMZII+=Rg+?~h6Spa9FhUP_sztfh#2sxTW$ED`j!@w2;H+VZOy4%T?`RAv)+KmVv zk(_3Y7B*YIG;f%$bKqSuQlwGH!pZ@cIVqAZR4)_-0cx8!7sg?RC;GW(MJ$m8DkV;} zW-oQFBTl7?E=0aTZ9CAg@bwDl?gc#m5Jl8Apd!&ZvmGBdQ)jvPOzbqpeW$MvnewA&fd+{r(B$BlTpKXpJE5L2{bT^Kns|kz$>32_eMB9k?;k zl=4G$IEmZ1El%q3fjj-woD;?}wVIws-QqrROh!~*g?gVVU)?Low0o#L8qm!65uxE? 
zLUP3HeMo}^M>1$KA7v$>r5Cq!F5YSSv96Z)eBuCLIee}oTHxlsR3erX_lSJ9JW#lh zG?<~4R%;?=4UYHqnV)ou>O8MX<60d8X#e#-v$EaxTUX(Pv=!ER{1q@%W-B;vBUed4 z&GKF92bd+7&V1+OCiZDttVbZH;b?KOG)j2XW9q}WMwrh<*YBLC-!L$J55k4=Ja@HR zn;O1`Zq=*Iac*iCk}cTB)73(A)*6*M01t)ufe3%pLhtSFjp?!jsgF{7yqHLy1F>#W zp8y&5xCdS08(e<53`rN~>ZbptE3d^yAe%*r(OX+efg;&2uLX9AdiP|mncH={zH@@N zdTK?D4k+Wq9WyLDPtU^^{t~lg%#ef|x1s*Z``~n_PJF%GlhYe_u}=J@O>Vy=&b^?l zd6h&XF+dI=O1v9=4>DIHjblY6iZSTt`Nb1OC7WVLLUTU~Gy~m^`y8}j*J?$r;=Jt| zu`YD0+Gt^zY@67u9mi6ip@b86=5@S7RD`2@(6}gTTyo)xr(m+xjNy^X3)`s4;+XtN zn@-Cj3CGpw%W-btj<~388zcD$1%{3B1JkbR)0-BFF^abrD#Vs?l<2BBA5&(759{V z(yzl|e=c#$IqOk)%%_b(=EzK&FZD4SVU>xDQ$(ktYU3(5Qc4H}bx=FCfTSr3*A*7f z828sw8FyoV_F^0SI63&V=jhKxogZG-9c+TOp9zkU=>&-euc4y5`B9%{VWJ;mxJqiL zKUciHBR>@X!6EV23d4Or$qTBRSrJ(xxy4&N&V8*B4u$0jtPqu&HD->n}Hu}kE3)!=W4$d^}h<%pM2a9v$rQ3>VS zUU2~W1J*csAUZR%*+J0!3m?=cB`n_>=hnM>WYp^rqnmY2)gi`G>|zc1pg2*@Wx}5_ z%YQDbvXAuK-Ho@*iKQzS6CczyCcd1Dz7Sn>@=7Nl-swXK8Ftcu0K6XSVL!AOX!c19 z&_<}hO;bdCuj6-3UaXwfKzb&ANf~IzVLrVE^t$XvI{{74Q6k&xqj;<8Yaf3ea`(^k z)CZBw6=%HccMP%Z;BXDH@rqOs)2we+2+P6MDlwFMg0dravhP(hDi``o^zPzZ@sor@ z5C1$`nB!8MQ%|@BRLPaVW)MWCt>yCoQTjXE)%PS(@jOBg@O6T_Af-hZm7W@#5XObBcvK-Va zTU6k3?oH|rj4Ef2IZY+_3IHbQ*MitL?Q^KGhh_^Jg1Qh_OKDAvK z$YeV6bH=_8X&N}K6)1}vuYIvtcoVcs-*JUB(}~4m+N~nN+HLmLmv&JC8ge4VL%DV{ zzXMP=7#Rj2&0k^kAMtYcv_AvXmf#v-MgWROf5`BO{Uxw{`}c3=f(ipEBhfE>`2MHF zMtxf#Q2hm>=p#1XRQTup`flIQyEPRFM+14zW9h4VMb&8vA?Ne!IZr6+H;KvDNAE2W zc;E@FjE&*-;jKHX9QKt2@jRFEI3T^9p7={7CtPMHC|nz4_YH5>e*iskG!4?+$7Ab2 zxfl0Qd-CQ@Ue5`oZ>RrPNHj(PbgwicW#gMg@PtYc{3%1n*TKTRCtUiU1)y+y!!fG1 zQ0klFTtDF)ygO`$nanW!%QuzUBw}3xQ9If0Sj$N|pv}n!QO=7tWNh))yxCv7R2c~M zMt5u`Qj^^%-JkXOqwR!KKpE}*(N_*M9i`vPa_2agm6y?f?WpirdA?oXi8EPS1d{F} z%LS=7c5w-61oe{#ODudbJ^$c#ehV(BDdlIclchnLfJw2U6hdw%fA;fgDoIIpDj$F| zw$J37XKl=^8^{1f5Spt-2Y^{^fmvJY^D+$gX7wRJih2yYqJFfK?-p^Vq!Q3YaE==V z+uoyhSoNDC`B5iZ=w2?xeuY(5H34ATB|{&|4pZxQi+6G3_f!|1%c@z>EU@a=qjy`Z z!fsVr`uGA}NYXTiR$i;EuE_2Fmq!smoH!FlkzWDwnXCuUEn56&kmPp$HFEKls6+Jj 
zE!Pyl9V>dUJ5rQKoQ5;KL;JiB?rp2~)O*IaFh7rrRDhwQjIjZ6^4Vg)R5H$`+weX?1w5 zdIP)|n3pf^U&6NbAK&gcdkbIllky7ZcGBSvFVZ_0ue^Jm{7J^Bw8p|T$CkJ~6JCP1 zN(0hxNbNqjGy={q#Yd1UeU9G;Az;>%G*TOI$s=(oR>U{+47n znd!jlyLWlR>;x}%!f+ntNc?oP?=I=Fa98LNNwszQe^IfvnQ(`1|IF>WDPccTFK*4lewq6od^Kmv@q&ZO6nFkaqvh zPe|~OUN!nx4%dY|A9}c#(hPXJHV~@Yjfuy?1pppnszounx0mmC{G(s=lL(JfJ9Q-R z@;~t2bt5#sl-f>T_3CW;6nq2{LQI!?d%`sG>w=)E$JguC%5CR@JXT(Fq+QW*1Nt2? zI<{OnTz3h-qJYm`>qdI4Wn7JHNJ#%R_5THh&@>xsTafPFrfv(POO+PZ z=|~7(oLC=xuvE-h`om46s52;il9+JT~$I*PXM5uj_~ML(Ply;eieU8Ww^<>3H`Py;D;n@A8J>Yl8DW=I7j`p zC&whI4K0o)Ia){y6c8M8Xq;33hm5fA@BcEz)ue}PyR`uJ(=a)}-Xg~ilzaHm&Hb10 z_K!g*0_eY@)_VaH-@V_%l%GBD0hSVhRH6O3l)pFF6hQyxDs7(q>dJq(pq6t$k)Jms zJI;k4zW*gq#a{!Ofd5%{;eQ$9q0|c?bNj`!uTfe5<))xV0dn|1mrwdXMEU;M{|`}q zfZhMkA&OASXteTvN&p3MEOxyn4@32Nf;T2~M5(CL#fQgi*Z-0UQAT!U4Hf=IQN4f7 z7v+R+IYlpo+SAtLLgR0AO_3JyeeoR*8D4a z%U2pKyA#SB8JD&voP42v~2wwRL4 zom?$g=+P+G5HE(Tr(a6|m(BFJXFC3p67hxisqgqOLJ;kj{{g3C;m*(_v`8-J!yMgD zb1uej$bz>s*oU0zvshU@w(UGWGBj(uj$9beP}5Of7E?c-)aN!GRWFn2u23|OU}O|4 zo5aZpYO4|P$&lYEk2gcJz`OdoRFASQZd92WH|NJ2HA|}c$dF6k-}K7LcwxIMO74O2 zUmqHGN|*X`#}Ds6LBA947hYP9SF=CtKG~c;%cx3p_JmlIRis?P2XOuztEQghf*oY^ zj{XX{$7rkgmBu8Xg=L8g#7FE9{8l_#6f>yB;5s&JEN__Hrc4W2c1x;eclv9!Pp4=l zOc~jCW~+yMr#<^U6=J@a?>N=cvRQD=~~Rh?C+Lm5zy?MdT8g7>&9Xx#==fYRuQ zxpsou{R4+!7_z^s6g?@3Dt=x1CKpv5af$V%vz>#xS7NsVBJ}}PGb5ZJp$4)#SFx6( zCzOnz=Y=EP$8U_Q4Z4i;qM~%&7R6B({ZChLab0VTEIVW^!@wg+X?4WWbDkduZa8mn z^E|I8%ww8YOY_ex64UKIZe1l0w^2Wlni4V*%w9aoe?p=OO~9L%8P++rPojgqBR=;& zJbonW`I*Vb0mg!=TCUX>0_wtSc|=X~iTFwglBan)S?)v@IfO*xdn~muV)-ho2sP60ixSp41Y!)e9o6|#560<{Ps-A){Gl&% z12@P;q8q3@5ZkGN=EdEn5TSyUDD z5W~9qp3Vdvr!?u^xLmennAbaYXb{^he&F5syn|_mJ1Tqam=OeG!OmE;Fk{e!#__kOiu$t+UYrh6BA>OMx$( zx$-da)|8Corc^Hvx$syp`0sM2>blUd())JC-XueYK&{E`QE(W*RU1?u@mD}*C$;KI z*WSLs2#48tW|BrhLgxM`zSq`$&5;22K2J@-=Sruxv^d7Nvpm_3>(UNA455m4y^<`u z@E0}5ev#mxH0f`JiYJc1mmbn3*lQGOQF+CZjefVl_AzxDC{@M!JJe1k+HBBlMfYG$ zf-l2n)0dbCgWZ@24z}RC_ZdVB1_!!7bXxUlF5kRmjrznZFh{b0Td$>Zc#K)o&H^&B 
zGDICA3y*{gnWq-8s0&(|6`2l%$+1NVrQ?oxlPbFMwZx2Z=8MDcP@ocdBejnOx(=4+ zQ5?>%Dh8uq&UsDq82p&Qj)ahVG_m2*EH({XW{Y(HI4HI7S3W(6H}KxQ!R`ECHV^`? z521;01Bk@xCuO9|%10R_HTCMD=SKj~%iX2Wuc{0W2^1)WJ2~jN(V$nJJu~aY93-|J zmS#P%AjbN!;Hwo2T1G%JS_ZIJ`-P;!0!X(qcU7H8Rz&b95;wxaak|Adom6^2d)`af zf~}EI2HPMxw;t8u%a&%aRuHEyN^R_J4`Q+I0gsm#Dwq`3z|JL0lEywx36H4@A zf*dGG3{{ipv$Z>!8pqT#CSRUGX~Bz=KC)o0X)DS6M+;H|i#1LL&LO(Jy|!$!ioqC1 zLsW~#@+x%Y-5^+QPTfq8Jj60V2V^{86}WfM@l!%;T?Y8fP0Th%9Ei*@X9Rk=;&t;X z@<@%Xg%NP8*OY$k9bS_ZHf~|=)Yp!-3iYYZf zS_MXNySKgaj*Kf=dh8CVyCb#i8YI?wI%kd%Sp+XNiPImR+#Y$n%}%DvW+6n~oX+uf zY@7;z`vX^q9Lw;hDjpN%GE=co9Vsw&u8!6haxc##!c}Y9cB56#ilW8B`{$*Bp-+kX z@Rj1@3vd)?kl5yXuWfm^wGZR|lUC z!~4fA`;C3_7 zkBro+F;d)boGmH)dUM!bhSO8jT`Xd~(gf~zka5OE4G1iZk4LpghI0mfKXK|uVr$qu*U+2fZ#zjsuK(D zNs8S2n8&^wpLG+8#ZSjBcWdRpL~geO)p3o~gb}2sjW~9yi5Nrn# zAiCYu7^RiO4ckte52`RmrcPqE20>FR@U_SCGW1&%zKkGwO*Nu`G@a{6ajbE@Y;(E( zCs{TnxVdiJdYdI#Z7{tewkBfrL;Ad)+f2>49GDtE82!o8X~%*O#Q_l(MfkbZeX-%h zcm9&9c62^xfk|XfkKh?Byw_Awx>PfsJyY=4_KX%h`h8;#nGvLh?yz>g4=-;DsUs4)*EV9ip_K74S0^w1r@ z%E#=L;WD=g+y_ftjk`U1JH$)01&B@^s&nr(me7?KcfYpLZAMie!bxM`6%Q2IUD=2M z7vK-!CZlaSZq|t8^_U_|%e!Oj0O99?xq^`48%R=W>jE}P=W;T+s%Sh{;+rD}ni7eN zcPZNsnJiS1a3P(*r2-%4={gk{p<~JNW+Ty3s{sUb&$PY1N@f`{eY|U(yT@~B`DwfS zb2*l?wRrV@D!FmWNj(*#OO0K8VRQ{vFHl7b^sW#ZoTLXj$Y_SaN~@xgqe}U+USXsR zh&ckCO)0y)`zw=zk`PC`Ogw%r1L?SPOP^QN++%@TqK{fP-8Xl9b5@maM`m`>GRDeP z)w@{u(%U@1<)EDzY95n>W~y|%50>%LXzE-bpWpS0|L`6F4oVEZO?>>Bq?6q(YH%t` z2}M!{epa$S>r;|;MI%9!$H<)RgemRq>O$Q3TjMw-kEO{dPmLAkcJXW+3XFnpH_irt zT+!;62m5LeC;6ItCN34KYV^u(x5JU6mm_up%T#>;i5jME^kTo(7J4oIsD+VZ<0Bq0 zj6sg2tky5o$fL z(=|b=TQPK_8ZH$ad{pqnt@{t9S_p4=9keHA_9DG}Uy3W1_n18)_tFBJ5SPZ$XMrMQ zVbl|}(ag0=@o1XG=%wQaY>v@+ofjmzxp=kZj{{ea-#iDkCqDQX&qCirQGd zhA3jIPz!n2y7~b%>`nIebWvC~01;TJcN4G66T^*$R*wsI3&$XY2{r?<-Wga1w- zwHzRAMjbc(4ne2bc_#gxyW=|2>#fQc>N7>#LVZys1>+AV<_zTDAH~atG?yZXfkvte z*yVzl4oNM0=e5m(*a4PL5rXW#;^_Ho4|ey_q!2@8(uku4hFiMa^2)I7fCP%?^G%l_ zeVJv#ecAs8?=Rwj$$9Jf05wDN4hf~+Bp{}KuB)^8!z;~^!fdSyPZ|&X 
zQFi4}%#m7*jU`gZP`9pApDymwj?r5R1AwChJVCtAlBNHI?E2y*g5Yr$uK>Nmm1oNn zJs4j)8x>0_UYN<6(bGzOH&6iYCJy5#5f_0r6<#pc?{daF-hs=ef0ol#P*i5WI`~hp#DfVl3ny}V0*#XH8mWx?4XHUt#CVw- zM=uX>!oZo%>E@LPaUUT#?j1;jaEy~MKde#~3pAR11bTp2Oi*f9D8lpA}so53nRS{$`iZ*6o`z^2*{fmV8mX2$af4t_Fq_k<~R^|M^H3zEo( zwcTr5iy4><5jr#@7Q=d33cMiO$yZ*R7tpYFyVIoSQ%41(q|`OKlgUr9f^b$%s#bsY zC`B8DXo$XVO&O(~E&>8tGjU-+KZKFJ9So2W;^MBP{nfQCD7#9oykDI0 zAzpYI5(gK%+ti@%M2Rp* zxh}g##Tsu5N`&cP&>U&yi>Z~(5$>|7XMyFK;>Oy(ey7~>+cwe$-WH9d6^@}ZX~DSxOS!h- z7>Bi|7tVF9PM#=kld-XIfbZNvnY>P7me8<5Mz!Slkpprbs>~Kt+tycPhKeLn!^`W- znBkMUAlXKg|BFe`{7mk}iHfP@uw>Uwm?nnUl;JPfWG&9wTF&reI3DjbI4imuQ}J{Z zKRVkv2{!Mf;Mrbuw&TFmp*^R!GBEarf6@XBk;fnKQ~7>;$G5+jT0B2g`ao0M#bPlZ z6r^duRvIViB164Ycj3J=+M#{0@~NTd4l6v(trAbBhBFDu+tqpNHjH>V> zEr$hY&#B>7r=zpgi5o)qJ;i939OnLFQ#lwRDrSDQ*TyZp-Fag2sd1K7g!pVqu}=Pu zz~2RU0*{u+nqB>JBP#D6FGM$sVq7<;lO21VCu8EMZ;uM7euhVuIFW~Y!-z%y>$GC= zM+J@UsQg8pM=LX4E+1_OmjFHn3l!ibmt^-N{VV(W&1G^&?hmhe?t}DmUMp@Y5FViQ zkwQZ<(qF?nlj{RPRh2^9gWQ|iYd*3i+qG4KNd}n;_u61K(o##$k$Cqt$%z<5)49!O z^B?s<<4s+RMj*7ybd_(1YPFlwMp^fb$#O{$LClM?MQ%zq#&WQRa*dE)e`|_}DdE*Y z=QU%|S{n3uwIVSwqC05>ksk$Wo!5xM?1fotm-Ig5ES%mUq5XF)_lyI78xVF$zz(~D z6ZQ1ewy#kfC?e*Qrq1lXd=XSIw{Se+gB^Yvmv^?bc$+D=U`SN&1A|9vHrHJR(8XWcvq zB8wjF+A8(`AhN2!t-WZS=5k-_HpZxzKrHhCV~ACcL#K{sZ%0SI%OAeODxc9p|0e16 zA@1_x61weL;TSJRaD*r~(dvL&uN>i;Rk=X<4E|El!jN>k;B262Zkb}&q24R-(uc=yqzs7 zroc^GWiDOo6`b3{X(7KKzu4X&;&Yq%yo)T%4PZE8sPq#BM2gJewD*QetTeT0?3)yh z59^WbQxCs6#vR(eDSHN{D7}~k+cb&S4_A#&Dq=tP{2P`Upz)A~= zE>8j-@WX}b$yi%@z{)oO2~T~1-(*0~rpeITh;u_~WZ;=K7<7~SD#8ZIPg*AZ1Ysq- zZitwH9O+t1$?tw)ZDjM%hP(jW6CNWD-!x`@W{I73P^gL6aALAJePtHzaqnL8tn=Jo zT7MRU;x1k!vR7V2m_>xLN7R-X0tOJEgR2P`9JliJghJ_Z1s+@B*mKX9enC6u!G}MQ z;+Vef9qZOB`p0e8n|6I0JSPdak2i1KJ3Y&=;iP=mZf>XPW(##kZHu7z`)>SXx1{yP&0acJ+>1CQ zjY|xcP;z$7ziNL2V<}xhpCtEUdnvlKkS-=KAEvftm zbb$1FFwDwyaOHtaUOl2&;!=r8)npE_Du^g^CJ^3RzUVt>qWy+xdaj}FP|h>ZtI zLUt7^o4ysB?eIX=E4*siyQ=u%=t{h@BP@Vcu$dZYhbQNN-K8^|s%NSlvbPG8iVYl* 
z0@&~qIrvMc(SGst#I*pJiA0Ep!T9QhyXure?)YTxMlKPId-pZ*6p=`B&S=~Yid(OS(eyUyE zwfOC-)kJGsIsI<@&JT&*AJA8oT0x@XB?3O=v_#y@4;|(MmK+T05-3U|1stSF?=pnU z$LR`^DxN}8!kOJ1`t>$1p!__VolzUzRTsKcwVBQo=?`yldf5O{{Od4X`y0-7bPvbXN-Q_-#= z1PK&8nPl6l{WbU2eN+PSxo*;4`Cy}y}L?3j?LO$r&BB6f<~_Z`L#G-yeA=(8}+@i;+f!#XnxowX&yAHS-2u( zLfq_y@A28A+Zv=MsvsBtQ3;17L;4W$*}#lm2J~i$okXt^@ue+^)pnnYqL0;cmH zc_G#hKtxU9sDVRw6gqLwL+iBoPCuE|5sTYRru!Gt_hiP2;@MpDaS(oPef%1WAjl){07^)jOLWsBtD$$F)yz(|3}ZPp-2EJ47YwllZz zZS*K2(JYm0xYqc3Kf?8nNWl)nVV2WhxfzwUvEMl5&V4K)PZdU!?=nH$=RQBvt7SQ0 zJb(1oaO3*3@!@d{MCFY(W(qc^V4m-BZOZ3D3sr*zRspFiWNOzo@(|U^He3=@Jrpnk_i!EJKuGHH`2p%*4j6Ru-$RJDFPV+FKpk0o+PdL~$u$55? z=?_kKt5sz2XsyJB8B<&}Kbe~@sz#Xh>Xp$WI%aDP-P1<B-ij_uw$nXj#wBqSFSi z7c~&UY7FcgzD@VJXa&VJVq4>#2Kz}<{uG`v2#RjAX@XUUcP3%ewX^y9W(iz;8GD2| zyX(ccG#87wnmWYtVWXPTs0=!<1=Z}{&)6waHLeveksM|r&oS60~ z%q3sgEQP!D9|*1ok#XpNR5|LV%cOMmnHhhp$ZGt z?be+bPv)KCC2zIOPVC00?)n~!nU4*Z50|dw&OC6ubFh^M-rOCt6w_5oH zdH^fTX4Z}%2<;qj0zn#{zw2&wovG1wnABVMCZcbrYZxvmQPu;=Mq`TO95cN%+B4bz zI5p2S1v*>+^5H;l*HcoU=ifP~yr#R|P<3HNP(7?LpJF?Mltub(mRrzUoNC^6^_%14Qm$#!MI@Fr@4N#U*v6Y37J(!Dbi$LeyAdj+&uy5;3u zKf`}D83b)fd8JXlEm@Ln9?si*f@_?|m}9bY$BBJS2LMQl-j&gx?{P^8G8#t2ZUot?=M=)Z^<*A84$v?nU%41LcZb(%75K~6<>mO( zie~0(sCdyoF*NW#Go{NN**AGj$gSgJh&z|wN8vg8D~rX6A@v0gb)U(30w>^TehH7w z26nZNcJ3nWz7yHo5R?>3Y!SYoX!qXg9h^C;d2JS*K$!Z_Pl zkb0}p$1xfM@-1|jlgC9!p}Fthma(^GkgUj&EuaUTP#7rQm|zjK?`EVm zV(3Db2UZIL&mSojI2OZEuxqDgT!?v%5c$^7(E5- z`ylg^@ulE*=#Vq$HPEa~o49(xooJpSE44T)@JZ=1Nl>nsz8R_-2J)UydAM1V>B{ty zHjbZSF>n%5dVTd%@l4uy{^xrmL<$%`>i(OWA3U6dOeyL|8{fTMkUg8Rz-g{Tj0j2O zqVDLd`atY`5l+&0QNhk!HN&pTv0Ta2+6h)mJ>0Gun)1>~O70AQV33V}?symTq{=~O zaQW!tK+;fvb8izLUi&0btKny|hFO=Lf*a%Y5hbfdU~tP&l`wHQwEL zjJqVA8$0a9)%%S0zJ#CBI_Kefy?2l$m%c8Wak<`sLEE|!OL&^@R!Y){38;5CXMRyb zMooTv!G3-=6R)Lp_^m3WkDOMN{YuA5$yBn=HNSUBHsE*SpuFpe@1-e4(gLTa^Q8}r zo448NQTA}fa#Tl*8#50SfL(IB(i>)rXBk0!;9Chu*myYWy^k;h3m{PqP^W*_iPl=V8kFF^{LU% zHe4)V2u18@wxZkgz7B5gV~i80O6miJR#G@&-l`WV&Y7Q-z$tnM>j<|LcRr$0i+N?x 
zTg}LslAcRFT(ChVp=PeyJA9^Z$pm)1Cx*of3hEqB>ZLN4ELp0r&ooLl7Y+|C4!-Aa zqe$9c%d1$Ry%KIrQ2rJh-k6TlDxgNOrNZWW^;<(JPiS!MM14$)g;`0PXA_jUU_x0_Aq??*-{-HJdK1I zLNj%yizoB$fjqHjV%34IuzKHNwH3~Sra?w6MT$!cdE=?1s|fB^$NOFK`bvoYS>P5J@IW(a%n-s z0`Zg%U{?x(mI`%hOh$K6jMQ^X-Uz8BCXjvtw@MXJc%(p;Xci8tf=?wgFGgIAQ>3&T zO$w0X(2P~2FqtJjmc;Hken!hCngZenUp@{+O4o(-g5emOptpJHw*KbJ8!A`$_2fks zRxAd3C1Wcxv}K6ui;r1sJTwRtODHwHTN-3N+B#SPx8>ZiA%hn3Mfz(376y6cBLs)8 zd=fL!q&nS%>Mb?1KnT-CWr8^F_0*7y7vH;^_r&FXaU3T=N~os^*i8agM1kgx|A|5G z=NtNW0TFWUVQL%J&EGg$g;7KlWkA)Ty5JAJZo)}^R~L)sa6M_|r$3yGk0Xm}=73>t zq-1_PE>WkV;^A*_8pLGr$rv<*P{hs`!C^Co?M^$Yr@u9FLv&8O) z1y6NWd0opx{Ppwv!+J%`5yAbL{Vr@N`99` zgnQS=rbwVIWA1AYi(~D^$XHA_L%$Zq;vDgXTILb@DPN5|Tx`C_l z&T9!W4#~2XJI*BwB5Cs8h=~6pYlzy2fI>)g!oe;lv7&+*+Z~{mwE8@W*FS5FLXl!Q z&o0MXE5%=Jj;H!wSaSu_j)PBAL@zgJ#*gBUfV-w?vV`xK(b~YJ?Os-y&bE5GaUGk| z*gfNRpOd24f6W0W!^3+uIzuHWowj$aFZPfb)%Fl=catM$X8KDSNKmFuyM1`ubFdR% zaRorNPXpR|ya?J5kpp;pf^k!k4G6$Tq$G-86c!L?qu8=s9e~ZJlRLh(qr`w44HYA6 znq*H2&XpBlY@>~L1Pj+d)6^Uj{|}$@GBpH933l&TWhE&Pk};3u7a4tdK{?YRcTj?$ zj3V5vx%I?p`ij|)V6$A;u6Zr{t*of$B)cT-U|!`dHS(F^)s3N8?X9-Q?wOI2ZFoHY z$($E|Kx0YYczT+xb7xd?M)Eug3&@}x=tR(K)NNjGU;uuMy$*Df|7wuabvZEfR8k^5L_QQnnl zJ0(zS!s!PCv7JptSoxuPb~$M+T3+|Bb)m?J|zT1B>oHTXfrD|UZyKUUra*00|t zX!$AX_qRPMww|Hsw{ps3Z%l48ank7F9AZoH&BpY)C?@~z7%3y?HHyFtEv9&3m9T;0 z!;hWG-`W*kB66J#^;W*2^x3@u_{$Fv?w;@ul+&NQf@+^(2M?4!u-VRU6RC#6*dRavd4QFr789N{!W1fJWh}zTxOLEkG`>P3kU#4 zWS&{^kWiV!!!r?iFHR4Oo^qSy&>-YCFoocPgqI&tWEyS)Tx1GR`?|YpM8DIwf3l_B zSCvmFOaPa{sRL!IVLM#4J*nr&0ceS5#W}x+R&M-StmRYhV95g4a^n7gQm|#!Jc-IC z`F-tjXEu9cPPv^~0QMLr7ri*58f7j>NSIj$6keBcZgxe2i!ye4a#LRb0^^v+Z%481 zF7bEHD*l```Z?`wE!ZG~-55zX4I46Tz;rg4@(F2V1}8An+jU%|+LMN^N=X?fO6PnG6q_onh33ea2`u=D`95}kMJzuE2I zI+n{>0JF)&e1BgH`v!TKl>tHIfvzKB*TwX^qSj{&`G0*W`S8k-;x<%noBZs|TKCU7 zF#g+xIUFsuNrTTj(wwg@g@6X?d_6|!_A#f0qDcw0POz3%ue$@*;KASo@AH{S9xPk;w?d4Pem&MBSU81D_kZ^?i{1g4D=~$M=PJn}O?w zX?FQ0VpabMu^0?8f2>I9@t39n#D@<-v2k=q5#O~h{4ri2$%suPz{8Z^UdTH`f}W@E zoeR8la_BFz6Z9i53y9oTHFSzIlkei(&19rP)=-9F@=C>+pZ(P 
z;t&+?BGka(ZYCPtb>WxLY~?jTaV1A)z9}97t>RwfmPMrFBB~_inRh{d7zABUq#nf8 z+@&wG`4%ew3W*e8)#(M@bi6luA?Ip}|dHnf9K zx}f9Ew-6>i42BYu=SsdXOfKVV=-G;ET`cc1`s#FFDFMKrQSrw$A;e&6%)f%*n}gIB zC0)-RoqvM*^vxm;b3s$yIM2>xoNW@E6ECba;`{m%n!vOeC281Q(HCMEB*CvDZLvQB z^>3(tyFV9J;KJ|<%Ip#&0I7KH5HZ~Z4zxhkZ8Pnu#+urT91FaTGN>u$@$@6P-Hv1} zve0#`vK!7wC-fb6=@Z!4e{g+%JsajL04qDEZD{uuO%5hj0<;uC7|>vo&;BgkXztRa~fPe`VBh&1o`(~9n{rtOOhMKZ%s-DDF{DACLy?i zsr1T(q_eMW)$P@?;mIP94dpDd|CFNGnG8qw_VyZ!0og(_Thj`jA}0DW!xrBhz>iSu zpPK)dkENKQ4znF)mpvvVJ=P>I|M3^m&4`D7Bh-|9v>&>612Lu!L071<(QyEg=55fC z1d_MfTJ?HjyX}zTVIdf2gXvBAU$Kd_> z<4wJx#$shL+)A5k=R9J^w)MOFqZWdyJV})W%mA*iHyiQ?nzU^oSGxd zIL;kn(J!$VC-EDTK%pm0mU*|aBqm4u@~l~ZbA68^DwFDbyC2=zB_upgi1IBM-g@)q zQd|H;SSIe0-xcaws0b7?P=2~Ad$}$x&ni!(X__V;0oDrGQH9Kn_b00Fq2Z4o^utNg z%fR7s@9lTrd#mfWqYf?&9k#p70B7UvVMjx{A_>;z`!WnH})#U{pddY0Ly@Qu&qt3 z#;GfEd%=5Bcw&IKFW}(Y(^_ys7iNGq(TdmortHi!LiFl+TbU&7(&0aLVT)tU;>795 zt~Pp%w%c$6k;$&m$-BRaSHzDh-31Lb2oLSpJ-dGoZ&_CoIQFkb z(C`{rh%LWo7UUClySbp7eg9oExy1TV_{b2Z-*K?%s>hAL<}ohQt%;Vj0v1y%yh86> zFI7jNoRO|Z;sE2Kw>-tID`vC3wc*$lEsSu-2Dr>dq}6UeQ!9Pt4g{{c8My{oo{z&X z)iE-*blXhp(qUL#E{C=LaHFyAj6VA<>uc%pbY_r#M@t8GS`j%lmDPe?xk2 zzgajUraAlR#4!1y&6%|1v9kp*#Q;VieXp;`PAwYJV`>gtBX75qT(2T$bw{}lMrqRF zWh9pWGQ1EkoIaruJ$Tmz2h_?(a^FfA?)Nj;9_RMlK>vS)U3omz>-R6Eq*aI#+GQu% zv$aqmg(2%$vhUfAv6VJkx3VvzWE;!acg7ORE-@HP$j%G~V+`Z>O!wC9F2C=+e|XJ( zO`rLEKF@QWv%JsyoU;kn?hqI$UGf>N4~C@&OcqqNuj%WCZ56Z%RYC&ttaQ)OeVZw? 
zMK5pN#V-`2;0tkw{T3e`X3&easQQ;+QDlWy95Es;X7*n?NW^USnZ*_G4Bkx@?sGDb zm)UgBB-o(7OQ9?x@o{~g`xGF&0}@?y_oVZEJ2Eovk4UiKRJ=BV_6tcRORYuMtfX>i zHFiZdIy7v#;}^kbH8V4Q*D#MI_u0(!Tq!VhOQ-0en$zHiscDF=k$7f*^F0;L;x*7> z4XQgd`GYF{mxDPBy!82+*t7pr*l7C_xbsNa=5i|!&F4z&9@e^XmpDxDBfTX~b)xwp zy!HhA(jfD+YM@x>71xPX3{*k%@Ntz?jAzw2=V8)>bcrq$NE*A*q4T*$l^$(38LgG2 zh`YGgYumseF>6ClR09dUy%pY4w#E6`u>9df%(8nNkY>xB?RaC+g&+F!7q#F9<^|8& zn*B63|F5>mOQh!lEm}o!o0F2VkV*bSHuaD9X{4jt7Zw&$v_z0OWx~cZXDy{umQeMm zW@`aVz?({f9SX4xo{;uYxV(FeS~>QD-!X*miH*0iwU@PFsg4RcRTw@KP~ki&R5`z_ z=BsmqwU?D&r>JpCvmD1@L%SbG@cCc7v|pB&{REv6wcE-10QTa)yw+cp0^p}Cc1QTR zSwdoF+MWD}Er;RL*Z5z&ZDnvZe)#FUmevkOv+i?z$Nc6DaB&X-?;my1krY?Ec0`JH z_U$8xGFIFBd`XqK#QW5t=YHh{HQYRtCPZ0q&Ei{Nn|pM8xy=2CVAXOOj|D@fUSOCyHU}{^B}IJp$2%uR zpK{lnhKINF?dckKzw#(73CovNmgM4}HsyA$mpoSJ){BIgM+rkmQd<^*uCIpqC0@`- zsw&41$&r0CHhi;T9YoP%oW!a8vK(2sPMGwD&x|UxLbU0g`}Q^#y@h?VNfcIa>XllC zlf_=5Bizq6o5`a7DXLGR6{G#naT@oC(ctU9%I)7Rze&cv&6RY8L~Smj9h5RC4jFAT zt7HheajNj7?~7CF(l41!5&oOa{t3SY`B$=0F4oknkA)OU5%vPTzPF{Wg{C8>9 zX8@ZCp%?>Lv3=Etwt)p`6+Ybs>x##gai8=39X79ohuZ#-INzB7JhS-#xg#+{0&KnF_Z&KiGesA@EiACB(s zTwfZO>`avPykV3qv=I`Ze}eFZWg}j5UctE87tCuZi$svytfHbx#T)W~@ghCZ+_ZWT zpT%h1By79tjOV#a34 zM`(&H2P})}vQCC3yOeiE_}HWVej%5=&K?uBd=0F$BbD2P%wtr zPjfJsqr9>ARd$r%I}=yR%SoJ`L!vePHMUn8w~T*;qJIj(0S(~DjCvcj|7SPJ1A2i- z#e0v>8N}Y*jQ~!^5bsx@{aZw5`VW$q!h*uQ<9#^;lW6l^D@#vws4AsKrze9$7vT-f zztby|?l@HD;^tKE(ygK0s5;t~3E7$7&yA(M0N0zVp{;imwpLnf<7nGv^(`<}D$Vh^ z1i^Po)tL@5+E1btVR<6I}lS-Z)1a zQPegiPbz=ZqLg1{6iWDR_-y1oA@ux2k7_-Y)b@&6n|vI*Y6Z6y&FeBp(&cooeYbAP zBvXiUp;tK7cQ_IDZr}<>m>7NPVQY(|950waD-VHFVjT_jkaQ@!OY1xA~e29FV4Y40=h02J+&y6-bm z##Rz)DqGi9r2A(2Gd}8Vx}L^Ukj|F)$cVRP;hoK!-r;ulB-HB`T*%Zh7Z=2vN2x$A z^>t5b|QU}BzsRJECJ)IxDc}9&+I8_48#6G7^kmzr8KXct=9&RwGjiuqgknIXTUkbk(nmPdFT7 zjszwrb?`SGGkurAzR@IEPotLCle;Gm+Vh-ijLL|FW-Mb7#|F-d(M+owhWp}8*#9TXI&Yu%30B!uZ+Y* z8$P@hU29YEw67yx(&+}*(0`8jU!QkeQ2S3Sg_%wr9(wThnUT?uk$AwQ**R&Y~6|fdKBr--c>0xm@yB67a z*a^KQF=-xg#DX7TGr`!rM2-oMkAXE#*|@ajD_l(_!(StWCx1hCU}%S>TEgGqpDbaK 
zg54FqTILVbarVDj|1P~#^)cM)3b&VEuz8H&f6AU>vErs#$aGi$Tn9bU)N9ZAcdqT()7H zMSB0j#dBh`+M4O~JC^=I!vpM%Yv)y?LL+u)$u}dvVj4lTr7P-tVo#)9S^ zV!6Vs%0K!kN3hU-u*il3J2;r+J)hq!lRHDD5YYK2--MDv*o2d`v%lTH0v*xqm4ToQ zG*7y=p<85-VNsn1cwsv08;_<-bJ24sw4YfawPj1vhx_e^ho?YHJqo=dgikH=4+;GE zuy#Jmz%esh5j#8dV#;ns2A{g_16&hjNHM>0w6Fhewbs*>&Kj7d+$!}UPc}p6x&k-c zf??HRv!t9o<_$zzf~^7+B8GPms#z+GI5CA@Ni>ItzXeai`EQq1sTaD3W)5BOZ)(As z=mw-F6=#N`D}}MrI2Mb7`$^vV;-mE(7x^1aTQ3$ga4e(qe6U2x*&^g?^q|z&CUIZ-RePiQCF;b(fyaNGYK| zb2gbPuxB%_d5Ut2CvnA@9GC7qw>(B390c#De6 zYtTG%H1D4Fh5VU3*1!*D7x|3YvTBC`;cA??mLFb&4ARdRhEy4n8-@K`3>3w#x;Exn z6=fQ{FfFW*$d?PwtZ-n0+|Ft`*-NkW)z!?KnyHB^1H(ri7&KNddl|14L_1{6p?nw4 z?7$$E$X6hQtgDg!lv4l70;I!GC5S!lLk|ca+hvIcBM~dL*I-+7P^cXw$)H!7Vr$Ub zKiQFJpf_-tK2i7mso@feP}9oaK85V-HXx2>9cgNGM6X6AgO)XdOeLb z>}%OFX^sYuPiW=YOaZ6LOHKQB*jyanY#4t;I(~g@&1|)5Y>nX-qKZXRa$uI@V3|&#@LN#f|4m?GN{csCskMMu}#(9W1bzQ zQ*)A4qX#1+w`M1!xG|WyF)3or9P*Iz-CRSs=&)oWQg{+xQ~(Zl#s~J%Ifi0oivgW* zhhp{ohZb4QZs|tyPnU^3(NpRO4lF*^*WN|LeTsNGSfu$qEbHt6PJ~utfaR4r@B0;o ztYX1+x-41S$FdHj-+hp7=l?Zuuj4a{B)565j65c#z|s@tjZCVlkP2T6t6ARR2}!QN z6EkcLOMcmBU}?tt0mIw- zK|HvUQ=4%wCFxf18(Z|@GKaDIY3~`IF>8Lz zRdp^NSZZI3-u1q_Mt0n;&wsuXfnZ_4-?OfYbY;P6Lqza(Qw<&7>>DxW;d;?Y+q+&& z(LDHK*u1cAW9TWDjRbZCl(=5?jNF`0E~!H3R*kVn?p$3rM2|kdZfjOnG zF>erPnzg@b++Ae2Pl7LfGE&}P2Kvt!J8+bzYl3_DDURjWz1c~(N(Wnb#byRm zBMw(2>^=h$&2a*-mCTXVacf$@Zf#_;GTrTe=XBd3VHcxyiDM?($LB1ucnZR z>ZEWXIt7|kAD+Dx+?JH&nhZ*Hj5k&DoE4w2^vZn4%Qgz?q4JB$ZyT!AT@v?dhhSfz zJb|}s6+(F0GpBs|u}mEE1lI$Jd2Tn7C?>wet%e>s-x` zfX_!vIIp0ob7-!+hq#VKJP()wT}iuRx0W_pI<{0M zg;teF4!iZNUrCO=T9(+fQV?Bjf6WL=D-Hh(I0{&K2Lg?^QwBepTvGi7lEv*56l3=! 
zW!e34E3!V;MNTsyXX}QrPxoYW)wlB;DMzifFXdER@Pw8?I2kRw8aC8edFTxbnlN#87bkjUnG#GQHY4L@Ck+eHI!k(ooq&{D3rIa2mI?UZmG-M zs>2)4&W7LDtty!zS{gp4oE6bO>3LGYsw1J-eXIYU{4$YCyJfbn;XcL`=>3SDN-7mM zl`(QiWl`HN85@X%ESXxsu=P2Aq*n}==ZUIt7WsMJ_S2!*(W}vBMV@5Q&SQuAz9)1l z1Yh!5D-Vx3us(0$eE;$jp7-O@b?-`A;LWZ^_ubbuOXg{cy6UT?bOk9>ai$@SwOZ@(4|#|tr?%3%z;q2P&wdqxwk zT?ehjX#tx?b4A(pu6bam9Ho!kzfyu<6)YVpfJuLR6N>R&evL3RK6EwB&H$snuomM_ zj++RhY0hv)IGJ)^a=-TPE_bb!%Ck~0!zv-&wh#xno{JdWqi!n~>4`U5IvD!9Aqy=i zty6+En4%ng(|J_ZEIZ{zIX2YU)?=d4X{wWby!SG9qarLq~d+9Hkfa zR5}Ffx6y;R!&ei5u}XCBTdtb5s1c@yeuPTuBS4gA_iApZcRai6V=)jkt=&Q7EKR8l zPu=y){uhTP@5nQRS7xheF3$A6TKBmhh}Sh$6PICU02x}LO^XjTd(ds2TGYk*J@r#? z%l)Z10`JiA%;RQqBxyDi5Si{N72YH9SxbD*j{uzy&b)l;{$l+3*B%AxxPs&UHWtzZ zO1NsV-e#gpYqvERW%n}ttJZG&_M}qjnAi5vAU?;zHJPA?Oi~6FZZ-ywXG#{Vm&YRfH_fA8K0q3h z6r~N14X>O#=hdSw>CWgi(U2LxT|>cR&+m@qW}ahNM6QIEM-wuw5jd@-ic(c=R{@gC zLNVsfMWFVz^bUY6gbDUK1U`>NC61DSf}uvE^}d%l&TWzlwgVouYZc}o5C zXCZ_|V`nwPDYl5`7y`)facBGZ`RLme4f$6QB08UHXBM@}#p0{)oF061NG4_q)qDacrt<%EIDhE> z1HyqTVpJolIv>K6udC>$q8KLc2V3{ROT~?y<%K=a4_p@!LJqh$d~8DoBY3%;bXz=& zx{(TN-TqTOVt;4?lXLs4#)8j!uT9e0TLiM+d>j9ySG4EwlIOmK1M>`tw8Erz`ZMb+ zy<;tcDH|4y+BFw~EWCH{^(|2W^)=poD$&zpUvYb)Y$-PK^jSp+TYx}>4XipsQByka zglP-l7Lg_GT0T0!zd@LVA(x^d4c0NVsnQOmqqg+%#sGM}U-Y~^aFJJlCj99b0>T2@|%7&Tovm?u1 zn{W{@uJSS~m|h`GuWY(+2nZ&%+WlhZe?Q)Vqi0`I9Vn$sh17}TH!hffJkR=2iT^yG zKMii)5`%;&>zuDtY9{I;5@S!dOA{Ln3by?AO6Ta}6XMhLb#MI{2i9M(%c9&Eht z2t(kO=lD-oL*y!1ozy7=d~AsW9Zr%og+X9fps~C)?vo%_iGo7ntPLrV`v%dv$enJlmQ_ ztU1lYyR-|*2;b#Thb3ouaBN$tbLeJ3w|W7(BMrN^Nxr z{8YBBxw!l?21^UB6o4C?LMWd~a)B5(z6fG+49|m-sSfUr?M?b4+~yI^HcQ4YFf#** ztmaO3cCbk?kWyKe5<*EG4@6fXtT|5icyBnssw}R$&$F z`UgT7l#_to&l(>IgAqU|xi$jeTTWb}gJ^nb^@0Qc3ye^B#M1T{8#;y^nzIru--+id z39-ssmp4wYol-(lJeHquu6l~O%^{hR>O|11gMgz3%c1AvG+Ro z?NXEg^ii4r3&i1>6Ckj$=Xs;RJtm_Amp=(+t#Q1-R7-^yp|rj()4-jL%cW+o9Z=)) z8M6uw{>b~!B|9KhllNTKwl@*mVyS!|&^g4=+sne+1(*5GL^W9EtN?F>Vy_0-BO7GuO{sciAbOGI zZ9ICnye#Clz|)Rp`8};NaFnUTWeKUzY(40Hx= 
zj(!vjS`$=!Sv5FxTBTCMcZ|99UA-kaW_f6ABu2!vesYX>S3WJ01n@3G(?f1D{P@&O zxIOGp&z7rGuh{VPNC+k6q>26IT$g)~!JP zq~XJ|uBJ3(G0|muMS+P+_zB(k$g|nZ3F1?i!p@Hj>ALOWXr41i;`Ux9VV%$n4QtcH z(MQ~yUw2I`HBuT5$=buEKg5;t>*|EXQ$uUji`7V ztxny@S4U1}`&cr4_=n1>6=4H=xj{;WHecq^Nb)svsgPy)kFlV&UB_59t626$60}}K_I%&>5oJ@JVr4a%5AN#jpLkMR- z5NWx7gN*Dlr@SgEEsq@8ZfM5kURQD%9SPhnomSV-8qFIOl`TpIG7)(ZEkW)S;(|+# zrk9-&wWim-&A%!1cp@JmG9paWA0(tV9K2z@lyCWG>JuQ8We3PxoG%ob{XPHSAdx=i zJ+={j?PIJPM*2Nw4(~HP4Bq2sf;a~(t=>D zh~sfNG{miUkP9}SZx_$$r0^p=_z9)degs4JP9Db$2>gV|f4G#tpGw-lRDP+*Xd`hT z`^wS>W+P;D*eNcp^NJ?V_FYfr4~~ht@zMq$S#!v%@}jBzT&8H2hXzMYGb?PA{kPYg zwmnpg0_MOh&7mW2n|QU-wD)w(ZVYo_8&dhMvmVReqA5SlFuF*ldi^rzQ3uoRkKzP= zKCHV{(mg#9SMB zmV6~(er8GD6wA3PG!n*7Z&Mmp&qk;pRwJFAvYnsy8w^`Nq=UV?*{j=9hzI=>H`x*M}LDeE5S-I?0 zDPjeq7evSjsXUkCdU93JncaBPQm5{v2FKeMuKxiZuz#WBF_O!8ikW%@d$^>*u~u$N zZR6*V$a@X8v--$QrDrn{fOimDA*31LI@}7SF2~QVVQDJ0PAJc9=5xtG4vA1>8VQO) zGmXzH9(FX!dvmE-Wg8?DZ9@EL*+i=|n_6sM9BmiKSIk0zt3?sx4P9~5m~^3$0;x1E z;2kAu_oxdPsOm8P+%6Kb6ql;-NW#M^H1qbi(90#y8~x7OM?S^25S@-qXU!65%r|j_ zohOAqJWCilHU5kuwy}_FARkqQ@WS<2ohM`sRCwj;5E{p-yD=oAP)Rgue3draxqM)Y zX<@_cli*nF3+mX=a5*8w{Njn#75R&6(Gh|r#XcI}!nc;lcTXBXt2&xbz*pB?=V^)Q zHUJ5_BSlWs4Io?6;i4XJV1rC9?iY}8)oehhu(!C1dHm^!JyQSr-YI8|xCguRPA%yQ z`NPwSxXW-K zqN8Q!KFwsdsrnJ6yH(^2&z$G2t)x4nf+pF|N?0S&e6G^!-t>0b&CL8_z}_mXo!!18~UCzx38 zpD)2WW=Yuh=V=TJe6IOK7w0bXCtMbKJ&?gdex>W$`0OM#w$pbqsRI7zw?D(HP&I%h z|K>g1{-eC$rwjb&2a}lnYB3_CZ$VRO^>~Ree<1hGD#h)lcT9c$T$MORka^u@ej->5 zw^mY`b62jAH)Rj)>$|7(dSV3P*D!h#e%k_AiwFUZN~;@Z<9{w}fna>${Bww2$p&d= z&Qq^s#^vJfCr+u44LE^gSY zH|EFco5U~=#@PGM_C zqi0rMCAeMCpk#={VQ%mbc&ntecFveoQOwM9M-8p8O|}5ZorM)DS*{%lSuMpnR?1;F zZwdl1s)G(>Le`(G=q+NwF%4^-k~VJ&4Ff3N$V;m6mRijp8(4Ja2&-5+`t;v3bMl1+ z_MclzpIjzTEIK!wSpoxTR*u19>PL9}>%#tcjXX{eLA^pbvUK?Zx6RWB6(pYq9ubG_6W_CCUfsj zLyNXrzIRUh*(NZV1acI@@8T@8qqnk2TQh-*{tWY7+=;U^wfv`W{gjp8KLjoazod(s z8yp<$lQ?k;oH+#28vi9D4F1n6+UegtOmnt$`>PJKKAZiv^m{!)a?qqn6<^aI zM&bZ05YSCsBeto8ZFvRtmG@u(^}Mvt$}|sP21Zx_qS&}rgWvLnf70khlIdn}iCm7L 
zukc+@(B+ccb?vY^Lc(Ft>E}lOxIOI=yY8FJC+Qul+xcg*?R!~<&bCmigxrY2)?6g0 zZdxhamd$~p{Wbv7Hg&5M=SN8ds%B&LknH?o`S*IyjO2lv9rAyylcEB{d*?~N8DVQr zd2krGRiP9)K$fihUZ@0u`}t=p4bGJ-4ZQCEJX0b;^nj1J*>y*Dp(v9{3HeTXfyMyE z{p*sh(lN33+o)~%!G6Az56=;QjL$@7^;`q!!guC~!ua-dN<f*d`=&U6gwNEhd)Cti1IsvXPsF1Sw{8q=RpZ)POUL)!QH7) zUMELiJVlR#@=xcig7Nxl8{E=;*zwP0#W9BB6k3%jsqF9&WN8{*=EKQQ^lmZP;xIME zLBHPuEP0MO{kYAR@Js3$56xjcV3FS4R^kj__@_9@9kWh-F$p*kO$wWf4Lv@-NB90f zqJR7hFblQsqr|Zl9ILGhsvlxMkw1johyn*Yfqf(3g`|vWgJAeW>rz789c~md|P^sVWnsgdLye3 zkt}3%ySixbMl>TeA}K}Lpz+wESLzFWdV{Ky`8s!VkFlJidv)`j;ZY&_i0vt{wOfb* z@3o{@L#tOLW4j?S%Cey`jPM&h`CG^iItD2^x$)T^VX@C0C;L&Nswav`5@n)=I?(36WBhswqkqJH4x&N7Yg8%wVjcX zk=HaioBe*gz~3+V`Gd(~`vJkeO&3xAZ;$rp%elz}(xTP{^kyr1{-*d+jzQ_6kphd> z0PW^{?w`N*|J`Of8?2e^T%^^=|G!?ednM|abR{eK%Y6;lwU$oTU*%0)dVE=n_rLET zlLc0)!)GE^@_+2esQ|@v)}Jdiv*XBTHI?V)e=hvLe@Yf(1S=G(n<)JsE94WnbJw11 zg>Nsf^`-B6`;vB~Z}&(?{pSsK1a_POlh6wdZ6=@pFM$G&e>1tL$PMD>=cjI6NHT{& zdPQj)T_rp4?0;VfzID60lP)fC@tv5(f5=33ZL-p%5&7xlM;-&6E_1YvrWN^$Qq~q^ zFXE-vPXCJt|0yTmcTp)>)hgzk>-GOn9DYAkJ9eT2_F3U+Sy49hHkC4Q!7Fx3VHRNk z*t|WT0k?XM^NQCZ$8e=5ZmUzS>e}zW7TCeJIADcv_g?RkEsDP`DC+*rAH4vi{#`tNzN0lyU{zI>QS9T(tltbloz(QT!*Xsp`&6@S(oK5= z{}9Uu&uc-+jyo--KqXwV zxIK{)A+PTSzBrsup%q56wS((tbU_#UEe`{OY}PZwHE@`|0@NMQ+4@RX*9YqZXLZpP{+sJdks4Q)u0KE5 zCT!QQ;4=21C9h?+H;c$>;#NA>e=kKDGBq{DQy*=sN*lf5L3F#o<~M-)$ycBiSuYLaP`Ump;a8A0fK z_6QEgUfi7W>w__`77*S9kjEgl3;Xw@I!Db1=L$2~^__O5p11~w z!`Z|LzBn)1#EHJkk$!1RfpSlfim&MBMztf1Hn^=ZZEqGf0q(v?hVl zq)Xobd*kCY?wG^fLW5FAER2NTdb>~eOAMc0CHBErx1c{H!9mD*ee@}zoBwrqNJz-p z2;B@(jw}shkWk}(++1wh@Wc`1gWP`0Ib(ZJ`xX(fSOr#s?=FaD|FI-LmCf&ue5#cG z(uT^Hp(MT(mA`%U_x}x4qgRW}SPc#ih7i!(e&iZBW%-hve`k_hHHazPs=VnL?ItHC zdgE$uK$Mi~4lz@QqHSO&X%g(VClG+HInl_2afFd4FCL}wEhYVSR>g7u-iCTEz;6+7 zDLr`n(tCWHSZDSYpdeJxc;z>2wOF_B0H#x1SyxQcBB+Sso-eV$ISp47XJI?(*$nff zkylMzC(S6T#eGBCHcOGZ#xvEfQyotb!M8915XvA*o~4NL_0eI*OEcG|>keYoOkQ5zfw?4RQqB3WhVgso8L0}=qYhElB2xTpO#JEy-XP!X1{h@= z4d_9nVv-&(V{84eW%3k4_<-)vNl8aTNP?=WOqsdbRCQ1$@{GQb(Qtcc%11enjvbNi 
z?`R!%#Mup9%0MD#ElX3)lV(Q>90rQ353Lo#!ni4b@c|Cta$2ed(TW}+n5SgWno4kCbm zzL`Lszo@*xA-46~c#Xj0|KYU+C>rd`h?@ky1snJeoh71Uu&Sy6)_98!_^+*EqrcSw z8Ua;#EkdGFIpem^%ww_Pd;Ie&VDT?Npl&2AX)?}jzwSyQMc>>3In7$qXE?M(D;~U2 z6Ogj+@Vq2i%>)I@h6{`7VLLPX7`w^!v9{1&E=Zur&=VvSSzzH+Ng3FD_h{3N?zamo z9*b?UVjT25>duAnSD)87r%e*pEO2vPxFOawbt{1q&YWHyq;y4dX&z_sn zfH}$#K&o{pL*G(KN$In=&5QD;94r1r(V_`aG<6lVS2DpoID`C*uTF?W~M zlS?+nO%`6H-s17>6lU;Yg9}bWWu$Cmxqmg9$*a482`{~e0`TL3b&!kL!ynV@Qw>Hz zF?@Sf3s{?scDA+~aYqawLSdD1%{~CUlSJ;2GN}!y09gq8VcztF0;9kykh%kV1=Vln zf6(sB3eQruYS3a-4Ld1aP?C{h9g!I{lbt_gL?8It^mGhRXY?MM+{-cQl>v5i4iX;&n0)FGO5|O+@PYV9nhO zhYGB_-@RL;&h(@UyLRdZEQ5lfn&8BK6VHQ%+`f| z!({2q&na?u=0MSS?tM&sb(5~4%Z*rA=!ickydJj4N8jd5M?SgGrTd=JaL^@g(favu z*tHvXj?-v5_da5bg|!6jBKAFT@9|~~seq3FUwBsv5?0YXQyq(eey=daYzMO$-<&0Y zVygS@ZKBOzZ2Z$yhg?(g!4g!5%vAcXmy5pbP--&0m9~{CV~iiAXilAU`M`9L7;;H+ zJX4}qUvgScbG`Sml8nNsxE`1M-_@ZJs4L7{&K2m+5C^K$gKA%d&YhaESR zI1_Vei&|8nSLu6eak7>8$ihj0(W93TDyOm#6(KJxWwX-XKR%Rb>p$tvRvG`<59j~& z>nUNhiu2~Jl%RrTtw&dxS=5U!rz;dg?|%_y_Z@on;bhN@aIaVYFAlh(>+YfCw0)5$ z^Fgw(i2t>CI<(`)j==e2B1-4!;%to11SizLy%L;2S!gc7SpTc4R55&aAq})_Y}+VK2+A2@}+bE=b4Sl$tVY{2he(!*gRMAQiT6d??H!D zS+?SoQ$rYVYzHeUDuj?nkPa6Vbtd-IeCaI47*`6NJVkR+G`sFjDGQFyeMb9l`;;C| zo7?RcX3?NhEehU!BnE@zy6$=18}i3efmfIOU=Pf<@Uq`rTBXOQ|DvH75k1Nj9O zEZDx*E~8UdvRKv>!3~`m*;U~vV;srR?(W3k5&X!-sfKKsQlchOHd1X|(Luv*XSuhg zRT_r^#ET%0Fw48jR`Lz#fbz`we24b|J zfsP1pMBZRNNgfj;(Ro&83iM5kM=0PegUTCof0LX1qNSn!m}7OoDmOVd$q814r)NH6 z1P8KmxYX2mVLxvF+IrM|tlig2<%)=Tzfu%n*JPq710=bW@*yC#S?cRWZHcN<0`nye zlm|PRGp0KGKArQux+BozXz~ju*}9*x^mkM64Nz{|6Ux*M9Q~WE4(#AfJ~i&@%14*e zW8{`?%orP* z;f(L8&MoRWeb9>WF{xi1v_n!~1HOXV#M>!f=`S&y>XN3X)d#{8T_JQFWuWGIuwT#tk|i(unm~4hTonL>!+q&(?->x95ePIaUldltw_`|sO42;3kigm@PSVtLcAoBfi-jxQF?!vdqN2-D`h?Oy zBzurx0Lv~PsmavGOv3~)QypC+2YUKOaz6v|*<6^jewKLx%ndE(R z5%GEBh{<+``dDbvyCdV-$0hgL=?d&?(nyNScsTH_>5`PoQjpanPuzW$P3Kwlx}}Mf zOHze4Px;to7V2G(ntmx%J5^jLNQj@~fGn*-d7!K-!kj|`H)DiDk!KE{WLB`cE(ujeUR*!Qy-&!N& 
zk~TyZYTbhIb1fxb)wN1+QO-dbwKuW_gvN)UI4jksVj1B^x+r6#H%W$&_X)skJs;4er9+)KE-74xZK- zw$H6*u+Ln)_vT!^(vVu4J2bd?eq{eB+=1*p(Gp1>rK+Vi?*c@5y`v+!opXITsxroJ zM_a%Q3y0O=ZycZ>xh#M-k?K;u+n~6zu9G~`a>G1m=mg#hW=El|JmP~ddtwL&@Y@r;7v6ij-j(;U z4{19KIV(5_oKO&+ObCvmnbdrgs*b!;gz(ag55eR4x z3W^Tnbn_9E&v7PJ4X9+*>UWDz7Y%BjW41t33r;3Sjkou!)x>+A?8w+>>$tsEiZ)`+ z%{?x!iy$s9pW(j~e-~$rllF+;C?*u^bP1lEb|XE-#oN7+f_jX?Cu{6j7!Gj17DP0V z!kSn~Lq!v1?zpU@voyD6pn4lVIq4lXuY10C09~b*9HEj2wKi`2n_{{V)jAxdLg?AA&r=k|om_8q51btiR)Y zFJo(UFUcmP{N=!XSDAr*tam5cq8P0Pe?!Kl(Yb>lSXKdbl4S+rK) z$$Vhi5&0V4pnY{?&uClUn>2^r4>c4O%5si;qQS-;)!kN|&sgy-ZkHKlEPU=5oaAP^ zuDxx!J*Cds40<_*sNHBD1$_6bE_RQ_#B%{Sy8+NN&*xY3Gn;Jq9M&}5+g&@Pr{<6c z*gbs{LO7;F>>j~C(W!eozB0JE{d!+_Ult=0PVPAHR1Ds19iOQjwM69VJ%*Ld4Je=L zqq+Q809YHU=S1MH>xBDK|a-3n=&C(GJ$jg`<2Tdw$XJ z-(R`lW^$REGtE4_Ijg_c^v)zYlV!%>votzS1Ff9SXR@B|?aJYB*oj@l*|`htb~9Px z@)PwrOxl49d}SFW8nRAT%gXyZAGIp)eiUJ+eerbnlyZ-g;SR0H%iOWvsv;H}Tlw%Z z*_4f}tp_19uIhO%!}_E}Wdb5zi|K%nDjKbPFmLCdHZ72SC$rS?0??kaPW0)6B2|S4 zBgJ+Y&I{W44cdD*D)k8SpHo}qA&j5-Q<|jM!FAK8=+rY`TJfDoJ#eIiKH};_{JQ7D zAS=a{*K#{h{dhDV(+FUdU#p)&Zoj?u)KQp^Z_qrb-hEqr6R;*^EBLZo;T=Qv)h z*WoOImAJj$Z<2|<14AFi+2P@sLG#M_f>wDc0FRysdZ<8MifC0+B$;4QP0Nc7huJh@ zFQtBV4AD=&ghHX5K8qdgh1xmNfJfUshfc_%D0; zUAq(|D9%G4ml{eI{dJ>hUzVS7_9bU1qO@Dpw2ogw>W?2zA9^#pqD*0R^X=GudHh%~ z+qU~MH`p1Z`3q^`VT-T%wM6FhGcv}ahov5lEDKhTpU?SNc<;@!J8-JQ~>9jbZp z^$|-~MQOI3yJa3L5=N>?eP6zuqaO!p>0)EY9c_sjeBu>|)tdM3A2@j#z1ti^Tex+3P?ailVfy~paILqpxO}{*k3Y!gMm{cue-B53TqAQJfy*>Zu2*%-cAj51 zw@niBuJ*Acq)sd|D6`&2=7OyN&BmwLSx=cGwIvz-xqPPI9>icC56;$;RArPDu{B13 zA2JH7KdsV!)^><7yoNj(e`{QRJXFj!Wzw2rlT+;Nxb~QU$e3!9^a%FsDaU+1PK#mg zdk?!~#CKnI?*JmEdj*uA^OZ)V#Z-2_9$dho{q1*X?lj|MGj=m-z{U~DAg!OfAMxGh zNkSZY4()&1IVJYX8vd#6%lQ@~4LPO8mH&ZmhM!*?n%`^2bGh&FImq+RY#m>o2j771 zcWXQ7+4=myHRQVqL{CQ7aoLw$9n0P3?Pd6od9A1DaudJl>@@!`SDebMJj`nDc$6|`9`r);*;qk+g$A2`#>j3GfgsL~q|zem;>=OC;7hvndKK7(EUc|tDy^U)dIQ!@5&#+!j0Pt*u^L>#X+czcf99CV<7>O+EY_HcQ#z=-RT3m`uc;5#+32F 
z&s18944eP-nhzsvmfiE-gbJw;j=DP!l1_3T;EnCwNf>=FPgJg?8_vBtbn*UdxBFa-IvhWx;Ed0+nIfKAcx<0~9SVw`qt%moW4YB~l< zpdFp0ZEI4`o7I4wyVjl%C;;|L=@xUq_Qkky&-xX0{x;lv;!g$l=O+NLS$E^YqvqKE z5jcY6xXRbo+2~GXkKC^ohODZj57b?I_gck`BQnZ*hKCl7S%rHXvPR#tII+ZS_IWd( z$?|mE$g^k&A6BRD>gh;4a)nE@d2m*cSNY^Qqz|=mw+c?&^iJ@llw*)F0dBa5^Q(RD z(hAio7f(95YaAcm=n~6U&j>;y6E=iB>&k;TH#6F1UB>{b5i}snDzSwwbpd{=)s+%p$Gi5nk=HI%rKN0AVz@ z^pS6-VKa%hzJkCh$9puG?bTHmWR2&>OgiRGWTg1+W2_Q1w=kvUHyYw?YbVT{*P{EC z@8mOkRQb1w330}oEg#sNRWY}BYSNR3#?>1?eg{}(JmU|1@h|)QcHh{7OT>OOtvB1# z81txd)?-#}|3}zc$2GmT|Kp0FG6Yc=D2T{W5kW#aBt!v`mJN_pQM$WENr;q+)JTaj zhJmT*{&RRx));i|Mbg<3DPL!)=hv%A9QQs1NGC5S#zNb>?j3*N7uCtx}`e+BNj~CkN^>l{& z_0hYou+lV?e-xw*#SA9Q)@Y&+f4y?xT?8>)BKU5qTYXFY6b0^hoI2Uq(nJMSgq)S&Bk?T?lbHO}-v-;eO)c0O1bjQ`F_=nY-JA)FM$l|z4DGf+x%sIZn2tSBnav@~vrD*?mgqweZHLlUDF_?5m6 z25lw@+jz7NZK^7Hvi(iPO{YGF9Jc6>>z=m(OizNuHGJ~0!!d6U+swTHXxp2;gLf!?Fv7l$qMD~ZY!OOjwF8;!Z~ zuzL=7Y<#D`Om`n!G`*gSAR;3)FZGc#Tb`h~pp#|!&C^D(3^vd*U^*f^?)>HZX~}i< zkfE}XTla2NB?=tt2F< zfUFqeiTnV)p+!+~P%ikbrgYwea)I z9CovM!nu0*siPeYY2Mhpvv`-jGQFFA^2QIk9W(+)Q+EFfcX2EJf=u`j$D{3UfRlGM)0a{-k7NRD8%a&vM3bc$N?i+Nx2@Uehhq`kH64s(JvtqO zmF5>vwLzFSDoLT)S`{}&?NgllAHpZ^gJWU)X^7#ZaKmKx>H!)DS&ctpoJl!I?GzbO z#lBe%QX1Je%bep6jrs?Ad!68Ro#fn6WHzPLRhuOnKqv2zOZk+coESP5++u+*u+*&i z(5(e8#yg!R2}N~8KQcOx&)*7^=PjS`?$_6a_%7y1_B9HFx)*$!(-vm6n~#lf4}l8W!So}=X%fQSDPYZ$_OB$ zW5RdO$3c!&rEPv-`T39iB5tJCJ?-V+DxcJ-dQz6+vJ&v9ZGE>U|8l$h$K(VmiD}ss z_igH0Uuknr6>8JU@Z!77Hl9PP2d)A(<_|=BA`FNGM46$rbm8yr$3Zvs`lPbvMou#< z+anz)gP@b26R~?BUYLAXV*+&4<7=#k-&xzC`u9!GL0FJ4U$@i0x<9)$b20sre(xat zl4jF=yaLKmqY9}cDr$yb%Z1Vk}F@)2Oj*P_rhMrtJXcvH=}6>29G2V z&RJ_VDbsa@QrjPnwrvFiqohS1an;AeF?llco3B@P zQ6rX+3=@a^ObG^-tnZ|tQfqpBI8>!935DEk&fUG-CyB9~p>nM>E+km<4SCb#g9Rih z1e^Bt^B;(jwmddf)&I(GUrHdK@@_U7IzomVaw<9ZtMPV%_yJM;VG>m63!ouvUJkdo z{8?4SF?G!wmdD_H>)glgpAf0weEj&!fPX#vi+Rs)--xTu1MjU9q{3+8o8bdi7Fh}5 zdcEB>sUVi(4`sMm50d(vs3>Osqf4OR0FTjGPvyL&Ui~qHY7U3;O6>?<)@Zk;ii~OI 
zAxeo~6SLoqGp&M&<_ByJKytgUMZ+TQ^kMt)!SIdv1?1QP19r1-1HWQVgz=a-T}R#?}a+Hj1>CcbfCD#cGpftL~dcLaNTS zgQZh9zS@F8>()Zgm}jNo5Pe<|O|E+8eBCV=*`|a$u1oEo>4?uDi=H9+zd{ruy|e#Kgi2QZ#%O z&MK}2z2B$=lU|ta4^F0JO@Q@qZ1joSC9H#U=Ss2U%2Q+7ld{EqV&PkI$mSukX2#n z;SxzBr>k(O#}1YKwqmjMa-@D@Y;0MMvpmQ=BaN)>vAno(pzewVB45|Vp`zIXpl%|V z-+%QX^Qtsy1O$VfGVIGDN$LjVhf6AOl@BGeKY-e4W4OZ6l(C~kC~0Y=Zy1 zA#B6ES;G=pLwo=xgjnju)j_>AZ?jL^K`o;&N6$#qt`!RT+*++A9;_&wT5-n5ATIVG zqB$8ml53bd z!rk%bo%Jf3EXBL;U=_E~Zf*s) zcFWjU9c+Ul%`>h5X?Ai9$JGnL0m4Gum_YuerO}*Ox2`vxD|E=}nU{+MfHMQN?U+ zWW_0)XYe88%O;qh!pZ!?Y51AxT@$K+h&GDlHoPm-Bm3d6gUm1Sj82)&Xb1^&S2C>wA;5FGnquZE z;w=uR{uKuJ`z8SViw3!s1_~fpV@sVOzNnn~-wpKNCFs(X2`XjIxQePgp4_^p?32pQ z273GUy30X9@mq1k$caa8DYDP8a<>~{(-PRd-U&*_#F-0*V+do7KhWpKlBrTe@&IMy zHC#dWK=rY2RwYXHK~-UQ$)n#@&f#`lfIy^B?Y9zbabs>C9`7(&A?@;Njo_IO_jtB6zX+V1*+uDULN z`QwB!nC-skR%58+^Cl%j%9k|DjA2sWtk&)yGTL1eY7S-xGv{=i6TERCh-9Jr)icYzjIC16_c*KP3oTFqS`>!4H~hP<`DDs(WF!vt>}u|6mq zX3Xo2gINporP0p5o)I-_)wCY){$Z~^c#U{)c284a1ue&>RP%rv@_5HeTBuKT?LMU$ z>W8uPubZj1j--Vqm8;9$=P4&YJG~V>{&xrUpRX=y9t~WbsSy;3Beqmf*8{Rly7osz zs@F%3@w`V(o=W~hYTD%O9pV-m>T4_bnJX?_iSFCQiq!kp2eTbZlGkfKX{Z#`P?K|- zjK`NVT4_U;7KW8;52R#~41q#qC!d1VIUVn-uADmgpFb9eu&>(POYwe9m$&~^=_}T1 z{GHv*+j(NiC%(P`026+t*0<4TWD&e^<7KJqiHolK)_pOFr_5|#+Pgn(?pRqD@UHz7 zAh8?EemK(+#ym;>>&m7^Q@9YuMiGEdG2ed|XlKG@bPD-z&CI=%iQ9zB30K}hJQ1Em zs-3t63y3X?YwxNmbV`G7dDzHcsU$(rhX1iZzVezd=Sk7sY>4gU(;Z&y9Q=Ju%iX=Z z!^tTt9t&R+91C~S{of4iFTA zs;w{pyFLYmtB&{Or%sXm&xPcoWjw$a+o-5ETriU2+#+U+P+$rMhn2SDik^Ru$`a1b zcWPmDO~jZL{#~=aCf5NWbnSOAsItDb_`1Kdp=WN$togTvVU=oqq0jOVS`!iV07nhC%Jz}hw(Qn^5MG^{Z)CYT#4DU9*-2K z$HmGgO18}d1%%F*?V$X9HQIODN|w)dg)ymNmRDRS{0EX%0+gYhT3vzzF&N~W(O2x4 zS4$D;?GACu$O!1=pPH8a{m}eb^HZZvqIc5Ce5-EVt_??>eOKB-L0%MMZa4G-(92OZ z(KmWnOb`8@KR=pz=M7DM?t!RI)yQGwvEf)QDaEL%W4|k%OckZq`WJ=g#ASSJti_Q( z%c102<3EfRX%yI?U`JOJwwtVU24Q39McGzY6K zV)eybgw||A-5;9NVix9+7?g(bV+rt1X&El1o@bc+UzE1E!dEs#;Z%x1#XjG1b68~2hCx&`$mttt&0JNlIk-*F>#Ns(<&tO>-THnkWQrF(DEPZ(QW38 
ziPO{{+EjQ0?+6%py&F`<&y5|2%L=e)I!4;Q%*4;K%_RR_dkf)@fDUn#6ejX@{N&X6 zCAQ!Tg#a?YBBC_xIn&7g>p}d-x8>J)E%jBmb8Y37^4b2O+ukSkTst~l<>KuX=-h^2 zo?&|Qtz50VCt>jKqG~dlaK4R11#XX(U1Xh+0m4At)E{p{(HZJ(7rpIWE{ZJ`7(`U@$qLze@w7)z1I+4w6+FL)T*PmTD>N3_$p^!SkZ(F&QuX`p~GI_vLXtIEu#{8<^pr1T8*&4(7GxYP2^=*QU!glxi#&{W*Suhty2Xk7Pqi z!5orQ%L4$FO*^EG!yNrrQ_`hZSIHo@9iHYkeDj{4YQfbEYT=`u>m{@A6JSMdD^F-C z!=8<-7Vg<9H6$=e#YUck?v21AiZh-XqHx3w?({c=3NRUJnCTp42J zH+Fa@ryKH)DOXKi%}=d^@le}R`@;~|UsPFrPiwwb+RYFy$yvU0@Y0P=;>u9AzZr4Q zKeg&%j^ytK^il!^CMSpa@F||xr&kW&hMUeGbxwX6=Yq~Om&$Rj zT3EUs-p{h^E=`o6V+zz-&Tu}w;pObjw>uB1%KqXJF{CXlDAIrqKaL~u!Iw^u+yHfQ zPhR}vEB;w)fhN9)-QexXxou8Kiv!4|elTc=T29INVPu0Cld>RDJ}=Sy+0)Krd~{Df z_g&3!u6|0FXS=Mx{y~_=$rr~1!Moqy*``#i0yZgB`YhnS&VDORDmVtsk+p7YG zxS;25&wp{E#m{{)rYra|Ufw)QO(92Z;6_B28xI0S_YKw@mXc3G5ShW$Hn65Vv5Q!5*gWs3udd^c%_m1F?e5b>=|e;*_spZ5 z6T|Msu$0LPG=C7z-4cd?1KkFCP9C_^H)t| z1dta$Nsy{^f`(%+|Gp{u~vd&&{)FYO$CET4T3)Bc^>l)7quQH+P#lFGubcTFjz0Ed9ax zr{=!gus?_cE~h!!i++@KgM?81A(}15IfrZ;(9YJJ zjfp(ZeCr}zVP82TZ&%KDX(x{L`GnZvaNQl&Gpr|TmVbm$XC0U=bcD3Uxin4`o~i$i zdO1@S$~dG#Z5cj|H8M=%)2P#YHxLk7A)StSz3|mGiHJL3Vw$G@RUo=L$>w3WpPo9B zwQ>0ttn%MR7n#&gWRTByx#duhCnITH<6$rL{&*g=QUMX0&%EzEe>`YuTU?>O2rUET z)4M|KHS{+Uy!R2@7gvzxWEL8e$`rw{=-x68y9~$1qtfFa#N~NA++UjW!bLw11XZaF zm`z%SALb5SOyB;DE*JY^RB4j!kFnToch^t+zEL{e7E`j4Wi;mOJlv>A^oBp*tmrD~ zT(7w2Df7_b5j)OT-$`vjObXO{|25@;suBjo2~Hgr=&k*aFp3CWdVa*C%_MWl0c)`= z^mln{HDYp~>k`?TL0ar*b~WVioP<^~WN-(&=!7lJ+ELXzD9hBiL){kf@^rg=aw`pZ z0!93Gc6P85E=!^ZK8Hk~(>rb2*dLv5t||$~)sOH$`S>EZw%aB>&G>gi5e3=1oVZ;a ze^4J&M=rDmfG(FQl3IRQ_%A!Ela`-Pjhh8u9jw*rliclUpCm81lJHQT^}gN9L)HdC z4)~Y#zzfhN5?{Sk4!zaO1ww;)mN1+t!{cwS+8AmqU+;}y*)RM8TRg=po#>(Y;9J+K zxBK3wI1E!(zy0LrA2&^1U(nhO`r>|-(_OL|#sHSr77R^IP4WB3-@>R1|68;DbIS7* zW{mJAL3pc$*_Uyb zVjAKhB0FUH5PS0**t!QJI)cHA%FfDgb*qK6n=OF?qb{{egtNBasxqdP2VrYpzR%yN z9E13Nn@UrE+(a7tgWnl58L^1*0Pe=nm9pzSgm$;;Ntc}j_3vAsG#eAPNn`fUZlk!W4lL%? 
zDhDXLq5ZLU9wv!2yT3?=e@@>Hw`C@a(5qu{nw>O1I%=tQV(yldm;@Z}Lp4Zd%WB65 zP$8yaZm`MA9YqyNe>~k%@M%?74QY!)4I8;>xG5T&-G9|rnu&!TZ+H44w)O{Dbr92F z1}#cI7E%b~;Of~nqk%mCHvA(vcE*JMuC;2MmM}(na74JULkB0L**N0Dv(u@#fp{Eg zJzv7>luO`+Z+%`Dvui<#mAGEg9#@G!t~@F>w>zap*L&Khh33Zj3)_d0P?Wz3=9&B5 z7n---N;-hlrsDD=?`G*A??@p4Hh-kXOANeu{Z}_A({knAzm zGHi9Msx=j#>cuF?p`VqZ?4RKSMeOp2F<5Z=Z)kbI&S^j|HK5AL*ai3FXe)iber5}5DhGL0r2o;+AVcLQ)onP13&x($(PvArb6J4Kx zCgs1T5r96H{*6XgXBh{%fc=OZ)*$3kC+ibg9|%{(_RLUyhJDoYA7|3ZN}weisq{1; z{H25!UapRSy34*UrOt(>BDZDMFlRZ#pp3`_k1r}?_8hO!s}J;FC_TRH9!<@1#?rYK z^TOj`v_Hvm3&B~t`hBxV)?Wkh?5s}lvN`uLgC2c7hH9iCpBB-6MDooS$H&R}9EbXA zQK89xu+U`V^G)29K1e$DFiQy@!E}T=ndal|47`vreNpK%;_DPkOP8RpG_T$XWK8E&9yWGFSm&7KZNLJ7e-(_h zr}m=nKwrFFbSz>$*`KF#wpYvN!Y8&K+j!0l2%E`S8Q9!+5);Fau(&z01hHiedGw6R zfJ-7v!DMWTI?KZUMBKniWzv|tSv4d-`Ki8BKDXhPRYr(Q>l8`82ZouhueA17Cw>wx zKi{(My+=R|{NY(!cJh#Hm*DTV`5#zHmjxL{myxDpurns#(1QZ`?N=7S*@sYdzc#eR zD{-Ig@fi8!9QBzDg3v)z830Z~-uG6lZfu8lY8>I@A;)y}d{xw@Xo)}a)_@_-;x(px zo@$eWHY1iyGoFVjw3)SJ@Dj$h)?XXKyUh^(tnF)ay=u~Q4n5izKuJ+PcG3A_1Yzb= z(F60SKNjj5k6(+>FLl3OZ4M;WCd}=V=WBobjS}wPgwL$dGhq;t#AeUG=^?g9C)CX95Z+4 zL9Y~`rs%b~VSL)_z||ICR)304$8ZaCIKDYL&7^A9oB$9++U-;5haK%>ygTo=ukXz{ ze(@evdUj`Dy64@#%0nmHW(w)u0NDw9$8G_;>BFka^HPdJ*C?*GB;FE!CR1|VF;rZ^ zF@lPI(Qu%|p5TfQnNM`8HC9LvlN&V+jm4e~lX~{v)h#rZ=ZDQevtx%V72tK9ZU97p zWzmD5`PVu63(px=mg&2Ww>YmQ#o49Q4kq~L!)j8((X@+aQU$`kMnqez#yVZG- zu0%_Hb!_%rKEQ=W+7i}pziotp=*}9mYm8f!nN5jC|?!h`pM(0BGp5acbE&| ztit*^cIgCNbLEZ-8gV1`1%-Wco=P>y?z+HQ7uSx+@UW%j^L&UU=brBFr;UB0@2s#@~#moPm5)nS%Q0m(pXMrFb-?Jl_6I^40~79h9q`FLyF*ZXSgJwnm(^tBw}=yp{-0gMP%G;)sjGG`jryrFr;_5IkQc;KPYJC}{a*MO^n327o~voLWN zE()Xom&q>0lf&D>yTQ1V|1&(L7J>E~Wq5=8S{DP#+P#DR2)wJXLP@Fk%g9YTso(wY z1wYa{2iuYD(Mo6h7_ddL*tZm%{=3rs{mM`OtooeXWD!4ImvRXQnqlr414Sqpp0ALJ zLU3SoPtQJWB&2AxWgn5v!B~Q>%o<+f#?XollglCA@xiG(oGSXrUwavANkF8UDKIcG z{)LfG>;+6^97{Wel*U0hJD)i7e(0C01h%K`bZ^8x$xHXQ!!|J{BE;COvI;P{UFU6h z;YO3wMe{{uCic*0%Q~ZVxp|)Zd6g!Tj2iV1@kTuFr^#w6ThhrqkodcFcMT7c56ARv 
z8W0`_$SRJLXp0gI2Xje4EuCh^^@a25yY`N{TNcyz8#Ih9LY6hy?v>=WVKqWWpw*{* zMCRQLVpr3AOY;|2m~DCQdmRQu4j}RuaM*9v0(+C5;~%W<9Pt}DbBT0#zx;K0|7vFb zQD1+;JFiOX06D$W#G5B?d;dZ%T-lN2Af_=$<@~&@jGdN+W)Fg)ZPn zU~0d19wnJTixWd&`&9K5=g9VOBvoNk;Bv1P3bDOo8)-d$PKvX?O9UnANZcy-9F^qJ z9?wa8((4eB-F&WW&iji}v|?juLq2$F?iX7Wbp|9MChf`$0v)eKRJD#i_3!xtz1@=( zMX2Z}rW?+WNhm&VTYZjANW(^M)TCIP%1W@yB~;S8`LA7zpKW36dRueBDSY%Q&k@hW z?2qlB3t~|N!o-#;)aU=^ss6s@NUu_(sNxpl1Ho!(xusf)O_1?X8YOTO@h|nokLE_| zL?^Gxw|nrrVL7zt6yCaaI=&ZBk zP4P0VK@Vcu4F6tC?X&fo@`3yfOiZlBcX&asn7!1baO8_@3ya8Qe3el_o_E&%xr&1y zl{=A9?ilr0rU(p*ambuu=^pf!itCHXS=q@Z^nJhi()i^T#1kx)SE&E!v7T~~EF+&< z!g^TgcEhWAVZQn5PvI+z=vNMvj^dpGsPyLIshZ5&U#@>Yy6)5hn77^wPO9SLA3P#9 z?wfvbeeR#PkxYn#qNYqlQ_n*eREQGnNjL2QbNn<`W=XouWI+A=?}7He@WkJL%(z?t zq9+>4r@^}JQb}H3TkVmXOTPk#N})PfFL$iR4KA)6wZ5Y5XQvEE8%*0_pI5p;SmJ)m z1xIBA0InH&8nRmtIqHb0$;<%HFpoMHn5H~c!3K@xQaOYCXfExUp9%}3{RM3zewhWq zO}D0Wd$WpYqL3o6_UothpHWY}$~lp-`i{(($}oZTMi}~J)=MOWF7TM(iW#)>;p)!b z-II>n3v(E&6|w9w?EyhhD{8uz`Ku&QRLNZ4zrO`lU|#EFle7zhlSqkXsHmAoMjiRZM*ptWG2*%?2m%T zs6&#HDsweuNP3kNqtbsM&?#!X7A`VY-YFSF(9qZe8H~|OV>MNiyRwpDtkPHq zlD)UmgyiggXl-p>*3i%(SvKaeh(USB7B98xCB=G=C8_GxmLGOLMfqEiM9$CqA-#e2NZ8&HYZv`sghXA*)Pv+ zKaS9t6@2EYe^QFKqt1nWpB>{MHM(_*qHp7Kt9~e1g2s3PAaTdakCp;xH<#2h96a$2KMS7Z})DSWUX^CbOQSf&Dn zKo7NEC4zD9^3yq+_9i05HnmUYz>~&-LuuIKUTqCHRG?iU?EZR*+x#E4DZ?qMeNPCV ztN_>Yo)H{(8?i5r{ws6wyV6{Gg{|vMlJNBY-o*IfkVZ#cz2NdbgBZ!ZJeNoY7#}j= z5z+ADd~Cwx+P!{SpfE-w^!Zpy(~md}BqMNh6zE$2(2CEV0m4;C#492~Ye ze8V`%4#~meS!y#nyxgtCJDR$D?D(lcOQL0NDSwUW=$bn#cd99#+7$D0zV-EGOO>l@ zJeir9&L9gd#8LwWd+Q{5f|}_q9nNR{v%t79rtI42bbMLe`M*FSUzr`UYw<_IcvG_( z`V%gpn7b19*N2{ZV&Z>cBz<}w^t~HXI35d{90=`9qT4!gq!RpaDrBI`)ClxlNGao%22?XEE)PwY$4}2M|mc zS>qPbmZJ$Iq5NmpnR=4DU--OJZv{W^U!Sp6%CDTSFIY8GnZk?#yZPRgtdwkY&NjkY ztL~c34eRqZ-Ck`fXbuZ(Q3{4{SB*Lih`+XGs4_U;ihN5;s16#czA23=9II>-GN(o$ zp0&KM#LWJ|IWh78C#PHY&_%shK;2r_*SbXcpuX1x!CEoh>l&43ia<>JnpZkLn2@x% zE_C}#sm@Lu0fo*ikzL(6Y*@y8Kv`c>L z*>0!mdynDz2N{`f_S 
z1ClYh>-e({$=9}#z%wk(x8PAeTMnA=M$7RLO@l}~AluZEo?J}Mw%0@mNfF2TXHg?} z77izaS$X=m`}+D6;Vy^3+z(yIMC4U@Mr>w!xO`nF#kD-bV^>l@tU^h%6fxe=Xe0aT zt;2Hra$@>UB&MHfU9KCyIoRSp#z|FSylvnCc)kW7C z3VQ$huxx?o@wAxoSJ9FRx0}o5CaaxfLrTNfu##+X`%Zy?)%31|wZQuB8`a%gd$=`R zq}YN#o$c?iDVjT43YCIC65xCxwwwJj)oUx;k4$TYzZv!}6!Z1rO;35gXFpU{Cd0>! zq^#eFbfG_h8VnDQunnb#WXVx{rVnF5{1}v{VT#RbzcAf96yr}1mD|vF`g(Qcyw0QK zo}LbYvw&j6-Rn(jOI$8_8+ie`JxWhJWmawP$QerMUAnHnfyh08Q3_OZJQZt%9gn~S zWOtPlZk5n!$7}AUuLQ@c(3W9bLTMCr*OP_~qaQ>aZvfUuGdM`MTe9ghG`sMBl<&Wl z(sw7;aMIEodFea`l}n*`+|Mjfze|Ia&X(GXj~c>Clwx^Q$n!}$O1Yz)%rS*60R!UA z)n{)jEDPK&MuL5O*T9mV9B=eQH?Q~iP&W3r16(60DQU1sAPWG1C4SZPg@kp)**gNDa}RO<-mAfpfkOv$X9@6uUZEQL#KktW-sfHzLNEqRcP9 zV2ZN7V@c7dEYZY%OM5B7=xv$xG+6GwVA--dO7M0q8Zyj9m~`$hyLi6uH^J9?3|X&i z*x|m^ST-ha>Qt!;5z7}JNMw*J+r&P39 zUYNnMJ}DzPI71+2oB=kqvrdWBx(oWF(xu^ScY>}^bR!1R#BfC`rv+xt(nY8Sm|EAa z4C~|m9Eb`F`8ks+`Tmk%UJ51$Sl8X-AyPMY>5-uj{E#{4rRn3rBNJ(o@|Gp(n+d@SiJQ;-b)6u6dHL)ay0;WF&V~fi=)kGWrZW+-}O9QK+(+DN;X;tU6b6 ztkgn!<$TvUZ}a4YP?bTqVoHl)IbtoDzXqEOg}4Bv9^OUIB9}I;dBQVqS%9xEAb<2x z)r_F0q1@L*uxDkO$0C~z)fa*FObaV97%=&fk*!F~BWtoJT44x-=-u1n^Vp_+pGaG2 z5ImY{d{S^ni4bv<+vNXmBAcbZ2klxKE?HdZyxvGMQ~0e@00-rudPR3YDu4-#P$>2@ z!-DnY{;;De6x~*~q{v`>5Gi#hPPLC?S;|!s>|;$MnSqWWj!F|n>DF)T4dJ|Fq)D!E z>`Ob0u(@nRJBa;UrVaewfNxBJ#sKq)Y5Gfq zja-iuVrMCYsy|yrqOAOt2}XEn(8?Fbc%knmq}af|3Hl6sBn{m7%ZIgKnNS4ZfSaP| zh{Z~N&_W#Mtp(1p3~!As@sxB~9(GQZL=_hcUO#7AX39?_vW z7Fjo)ZzqC;B#B`JJIR)U1%_n&O?;W{&xk_#`bI!v1^J>^-ocDDJd+Lc!)c-E(0SW zY^q_`c6_;46&5JSto%S!t>x=1BRMPb5lU8BBl_BObLNr$41!7owYj0_#sxZur8Dcx zqr7N-Kh1D93yqWA)P8a-j3oy9$`x~{yL`Q_VPx`{t?Zjs?RVGQw>?4X8Piz1oZq#; z8Y?*&3RCDpC{oFB_Dh#L-FPco9uh4Z2Z$%t;yg%pqeWYl>`&-;Svs2+$^Y3bT zbhJ?l8>?gJb1Vw5kjhFCr`i!)%oL3v{ANxWa>7kn$cWl_{ko}$u^_jj#Ym#yfu)MC z*P|)V0);1I+1QlznxX!8nh3&2$#%d2WV)Lv3Y{pK4SJBCp~iHxjoD^{Wjv8!W#mZ$ zeV6E051#3{&_rwekLK{dT1Od9zx`d}q0-1rFj~<<1*d&U%CscIOBZ-Jd3eSooaVZ$ zg~QgHnQiIi;cw~2NDZU*p zOeFbG6BHsYR4jvRCA_ih!%>i0S%GyqWpOwQ7NR_I?6fFj35*7&1eY){4j+QZ8Pm16 
zo5mLOklur=6z|Gbt!_;T_AU6+S!0mqywR&^Nq^TdXU>2$s#!s+4Qo8E2Ih_&AP7*b zLu33;)Ais7 zl5NS-O2UPOCICPu8u)MxxV!tdFx~3n6V4C@(81X0i^eTd1)F>G3r0&3(YZf;)}?)# z&IS$dq(^NxJ5#;4`ZF87#rFouq~77Nai3IO=UJEv=cwi-pE-qWs^2k=DX?H*Ed_ z{JKz!ONrlbl&ZLS)wa~V!EvxvRAH#A^h35V&N905OPc3yyX)W{7LExU|rKUNcI&Gu}~?X3h6X&IMt z7T*accyNRL5n8k~<&~3WyGeYcq!9ywaJ_NcQe@VWH!zxRh>X8hfn3l#{VVJJRRS4A zIq+DpvGOC$+jory+o)%^P2StRlTDxJ!Srvmxm|yY+2K`CDWB9Tgav@*L;N2Ik(JE4L1eaj5<0l*CdCc zEfc}CaAcTx>l^ZRubcItc$>oPyx1x{<5ZbgbAUh*TXAe>Vj7T)&VJoZre^KYP3duu z>4^_sc^s(K^KdE|O7z-4{3EF@%aexiGc^sUQD>Zudw(G^|Mf`y`lA~K7NoKd`W(BG zI{(c0GMG=hF4593UZ-6LtGqxgiwej4cae6T<~5{gV^D3AWgw_T%)3W%SFjx7RgcUy5QIOc&PniQ~3$Y7ZYi z{6oitEM4)C_oiR@f}KozgosV<_xMt#1|Va@9E>_1oY~Ve#$2H(!jGyamR5LsNRwhf zNy$&{X3BUFaXZ;LDg3eY>8Cdh1+Niit%#>gt1|wkcE;Ppl;>H&09N z+1YPNIdZ9CRL0{v!D3C_9@U8;dPZJDuY&n&8m~2Rk-2xxBa~phedXBg4qN%-I-`7P zoURLQRdZ76sl(ozl0_!tE`hA0o~;)NV_YtJBg5q9Hk8EAPSa>__PXyJtR~fhxcFmt zaJr9VKU2316U038Dq5JanohMrI2EF9+^l&mGgfH4aoa{l6IbZz6Sw-EpSZ1ATWKVy z&1`o7&M)R>la}^h0z`4FuYaI4F@OnvTZ65tydYXlf$a)hwLK#(Yv)11k4hthHyQ;3 zBZoleD+2SQBDAkNVq|(gztr>hv`I>WfgHdE`Z~>m60y*k*VKNQK8CTO0uY9_yvS_K z(3x0(G^WqIpM4)mna1t4F@(M&{&6$L?f5zi|Mm&ZqUQ9>nclOL-%)9E*d!qD>)45a zi)z+?cjEHJsErb{$ts?)FLeTDE9uSzSCTRE^M406{vTt)J#KL8&Yue0Sc-@EX1__; zU&Nd?jNRZ+>!Oz)F}}Ho8s^Cso|B;C2Uu+ zaWXx*bPJ|#;_w%=qk9#JZcIZBVR$GQ>0ioMo&TZcGEiVM+S?C$OscTFM7wyEP=89F_FM+3|N-di;l zSORv^W2{X2;n|O0fY6u#mct{s|fb?dGmE=RXXgN!1-e>fB4F5p1iWp zfL%JzaQU~5^B>sa@8R_CzZ*8Jqh=g>=?YoAPW$YRA;_jN@(gUWg`g_>D4~NrbE9?% z!*;kHF`JVesSU_2)uJ%sUn-jp`$N)3`p zs@SByEwNnoShz-eg0~ZPR5nn}`8|W{9{UoWb}tM7wa%7zN}BCj3GEEEd-=>dn%`ty zLE5)0CnFp=hGF$K?7dH>c`Jl#ru+ZDWQW=GUF(Jr4{*qNJnjnGjQP`*l zI?kWp)|?I*WS0IbBRMdkKZ6Wq=)KdZzXCt-oM{rPuWTzZqz{zD?QRB4R1=h6obvQg zJ7o>ycraP!s3K96;&Dj_fU8#DomE5d0oTTH#dG&e-n`y%E=sc}eU8Q1!VWuVBXB+S2dR-t z-1Hmz7X=}Vd6 z9K#JvXWJ$C!$bGyZNBg!F}Yn*Sho~gJ+n>u1_z zeXi7P<(1Zw(n$ymEt=jgNpTrA$G6Qyl|*`G_U~SmxR$J)r~lA#j&Jz?BkjB6sb2rU zZ&Dpe$ThM<$d*yI1~M{k_Ac2wdv{7yX33r@BYW@Th@vY?-rU)FtT>CA 
zM8PT)hksSIseDq1)eD}ys%d?`bCT1V6zyxrPA4AQWNfuW#6h!GbwXaD*b+4LZR$KP z8#Y5$zfIxM^KA$lbeq+t&MTvbljyPjKf;M-pEr14ml~pyU+1IV-?iF&X`1w5efz2k zVLOF9@q4!GFBsI$qjXz`Y>munV5UY+g$1MBC>W=QOW z(1r8e6Dx@P=+UdmMz( zw7fhaDHa+J-ExxZU%ZtfCtH0%6j|tb+(#&7Yr|)utdmd0llnNhITwoj$tGQ;>?gw8 zjcb8ab56H4TnkTe#9CjULT7-V^~^r|17`2GJv-gagT>aq@w z)rc#_UK|>ra_Vo1JND>~SEZT0C~p@S*2HvuWt3*Oc5ew<6|U2P<4) z&~)eBEGHQ1P5jPM%B+SnSDe?CAyhb7(-T!uuO_=Ojrzi7IrDUjt#r`yCgJ$&h7*QJ)5)yj zdSg*-%DP2!1y<1&oJPY5{8a&#>Tz@|q#iE`S+8$EUPRI94yF+Z3q;q6uPPee&jC2R z6PIzS+GzBho#B1KA+<3PW%ksFVi6mmtvi~k;f^-QGM6! zU=3N;c9~{()!O_e8}pJqZZ|%I4XzJTZ*}x;^@(POzb59l#D@6OK%a~nzfqO>&+8{( zCQUtsVO^NWp!E&52jZs0jc+s*OqUS``CTALF;BGq#Xyu-?W{kAOj11v7q6(UrJoX$ zpj`lszqiU#gCiQ5b}K-3LlHzanHWbe|IYiTgHPkv`9qJd2b)#uWM*TgFiF+ChQVN$ zm?L8;0tsJyZN~SW6u7J-F{7N&y?OjDuL@3@p!q%os)?qU&)|)|&&^0Q8Y^Q#QcQYO z-WdVL{bhP{F~wm{bG0Q(yOR%R)So$wxh|Z8&r~=E=IDr0Mxt5MsK@)pgT_|zR~-aB z<5A(eTc?uI^kewT#gcu{ED3Mf(M=A#ViMJk0CYLTeCNI1*88dWwRcRe@K>*_fmk^>BakDHFcSY228zrK7EqW*zEzHePw@f)u^t;-!%^X*wOo!*g36smf zuu6PPe|6*6*(u2*rJ|u^aA5RNJ50Xxoy*G5)-Y8(n^TWW>Fm0FCMd$o8{K;H2~R7R zQM}C^GSAQSGy(#dk5}8=;p@$}4Qcs?INY{tXm)anSxmKqX2?~uP*LVtF0?`^VH55p z>@;Om%wN}Kig6foXmC@Y z2|073PfhbeUe|e;kH^(Vh92*?Ur;spni}X;%1l*1!gYJ-tFgId$9|-GOC-|grR=qu zj*a^4+`K$1PthLGKuB#Br-x*KRiiI&V$JFUjjRqM8YEI(Ro%Xn)??JghRZLtIpfAc z^O-Fz?yMy%x(lLIyJOLy=U2~?tr0y_8l~6C*!jXUj7A1N8n@Pw?b$){vU|<*%~s{+ zoDtljB}=Mdf6mB|pQj{&zaDi=Wom!x(W(tk99f`h3jzU@DDcrC?x#vza$7#z{6P^TKqwbkN2qM(b=; zgKyj?XOb2Fu0jh;xn4zvjyHZ=y{%B*YABLW`>7O3m4B%xN^2-;Gr-#Yl~X0g;b3f7 zm%q4pobX2GDRskHp9RXr?d=%17`mKwFbLbomc%AtB2_Nx(L0uOT@WHFROn7OIc<6) z{n7`LE>`mpRot0vsz`M;zVexvyosfuT1u zlcAr&^H?efQyYgKVun|ZBiL!i{hz*^-+s1h5esS&VV3!Jp9H+%s-C)18=9Z%8Y|I* zAS$q`j31cWO0dxnbf=fa_r_O2kgF6c%7ricr(w7Ws?ZZ&F#ab`Bj?FXqJ=h_KlgXV zi7E2b;SiWygdW+2W`FE77dS|_zrCQppjV;pB_<$R=8@L;9>;Xj(v759yWG)o6V%Lw zhUe?6V>7bW1g$An2#tlvpWgrsvJj7Tir_`X2dSBi=N^=AV_ayy-CzioOUG!t+A9>oM6z z&P5cY&d@UL z(N^L;{m!hsR->`rSNHA+>Y5tX+w>Qh-csO0VDbt#6+v)DG0Sl-ymBe2CJ%YTGsZoK 
zbK8A6OH4~|%#OTTNU%@stTr_>Lu@Q5vJe}>ivE}<6V{@(BH&jE97_Eu_lzs=SXFKq z7i9Lch;16K%8a>4plg_LO(Y5UGu7SH3s^UH>MP?vxzVM~8x1)qndZ-wjibBjWs*a? z==8=4?`0Kg`_AX7CjHEMxYv4kkTDuvG8(u7-|mC!Y%zH)Fs0Pd_vtOg z;9p2OlHqx-z2ZvCe4;4pszk~3t@w@hT$-IPzIvF(xRs3KYCVi@dK&E9G|mlbt9~mT z{&ercvW+y)whMta;jT5wwzG-Tcldo1CluU25!LPV#BcX}%nhtxPr2PSSlL>ot3{r} zibt5d%@&xJG=Jl$8SGp=84pc;=Ba!`yEKx8hTeB}qUu^_IhwLXdIuf*EMcMQqaL2P z;Shw8T@ww(q=TS5dYjU+D?_8r7`DDhk4@fzmv7sOyo!c7_uJMjukbV%YUbW~uQcV+ z>c-BR-aU?fnHX&EDG%;^aa)3*DC6p+xJP5GP_Yv%w-%BNUt?tuacxxy4&BBVRVJq z+C#DKsAa-)sgP(xbp8ayL_(2EthnHx38MA+I55HDBc=oGxTHE4wc$t&gvtn-F)5~Z z`yvHrtd#7EAWbJ?rDK8eWg+C&AV&RFI>L=NLhOUQ6Q^+uK6#095n5cKM~VMR{aQtn zb&G;`_kwx)DTL&)mZhkb)Jp@7hb1wpx|(NcV9bKUNQe{=u9^~mXj^zWZK7qL{ccCI$eoLKv*K?R zq<`hY?WVPv_mz1?wiXGSd|vD<=@qr>>zTcUk6Ds|QjK6OWZm+_fp1M@Yv%BZ6?Og0 ztZ6xO#(Gjhq~a$(pr=>MGA%Xlt>*`I&k+nk7KQQZCcnELcdf59I~;5bZ&sfBum0W zxBq^GZvCq>3!`!?d;2>`J}R>xlEnmhS6G2c-Lh5Ep*s&wJTlvD09AyD7xQvb zZma-9yo|87g+fO?i)C zENe%Lgo(8+l_H$3dXITgnsG!RsY)**5YHYyo-HA|6&V}vmF38e>Ap<#0x2qXo5Umj zUj2o>d~|vJW(IRbG!60>;ljm-rx&-`i~GDT&YiiZ!r@kH&-xvOw$l95H%TZ9nFZ$8 z+Cmm}-8@@61v4{nH*pBaPGDh0jSkak(fudyQPcs-yt2kThma6n)a-``F1ef!?ye8( zbY_J$YZq*T(a3NPy>0Glll5lRPCen2bLCR3HIcbu)w+Z-2rSE7P8P&_dR;Xu!c$t6 z?(0OMo1@!cmNbkVUJ1F9#DC({->GRctauF$%2}*paQ96}m&E%9nL77LE<8Pn;5?oU z$SZqGk7~abJ#WKTWhT#*D6{RK7D|L7o!`yZXCj1pi8DFJRX~=w80ZHuxhNzgG19Ok zDAzdt_c^$`LyLu%@a`v4_~b3qd}a(6xy(7cJM8=pwdDw0oike?4{f`l9`y_(0It@7 zEY_$Pc&Fj$brX)Op%SR4n|2Lh>>+JwaU!cWJ$ykfcenp;yrh>@0CWmHsjo`C3&>zv z#?>+2?r2pbapu^pr~?hlRn)cti*kztNgHu9%lh#cUs)X2y`74BeS61@i-@!FZ6%dG z^Ys(Zxvs6k4-ejkdfY{)ufN~^=PY*Cia?;vDiau&Je?$;2NgM_x}StXbag9d(w@Qw z0aHlG7LWIunRWXh^gk#OYXrce4$a)~=V|JWdxWIRQ6{m^IMo>XC@m07TO1&4-Kr+7 zv{5FJYzU${m&xngx!wil4g@Ky-a{1oxm-_R(R;?@C5)N?zQUnV!p;Vo26$6-044+E zHsRBTz@!fG6U#!3M>APBFlp1WAc1TkrfKR;eXy=_1fn)@B9)wMF>v~c1hmNP9L!xT zvJGS};w#iR0i0dp4Rgw|LS#Vks!6qAX)LNY^#5U?=fqx*Qd)rR5Jcm zInVQ?V~ADJ@ZUL}CM=+MKW8D%|72E+bxT-woEE!3*||pGFVa!)SWedy0d9C|6wc=+ 
zFr{x5gwcx^snE`KVI`bE&*WTI?eTX@n%N*}e05K6Y*kUYm%SX>R^-vCmg#Ebe{0s0 zYRa6jOBjz1y;BTE8NO<(FWbIa%N<`Lc6_7K&yoK(_f$h1!PS2{Mqy85;JOS2@SDkW zl-!^pvd(nu=fSIPY&R*+q6*OiNFZs`~A{) z%FW`VRbxKy?xwSRragjnjrhjy_M7S5-T32v?z^XmyIg=EA~S?SxFvEH-=xG%<48&t zmh&Q3{!wzy?p3A+V?jQeu6;=uSs{WJq%JuF#y`h_YpW71<;bR`hK-{KQZkOxtu2GD z8~2P0MZap6V924DyJ2S?W_*Fdc(C4(VnE`MyBL_`nMU#;fFGogR*txmE{kYxe(II% z=+?}xQ=H)bXHsGg4_r z%qV5%LEoWZyy=wnqK(%N}0*unhEH90OCx#P}%aG7EYlVJmX_ z8Mv=IxbS!0;(KzLgUF&Cm}tFZiSd5YuxPbCC1wo-&3&~LBnC_tF@6C94J{x8eg#Lj z7#7hgGDq_K_gDFwLsbmZtxZjPR2>nXzd_w^kgswkbYAH(#;@;8Gt*}rDLsn~f&xCT zDi>qXltnFTg73BFjhTZhWoYi%7CpG6Os?vA!3`bx zo8v<_Ag|%0FK|-x_j&=q3+r#BD>r8(juL#oK7C&7mAL`8Wp5m!Fp}kg&d#Dr6S&7d zW*q(iooC1alfMT~MlFsv_KC!GT4gq}e`yKwTxx0Hgl~O@nAFP9d!G$jSy_quVyLFp z^?F8~asI2H84S%{H(43v`3Y~n19O=uLe#^x4)m8X3iV&}QfX#;mK**3L|mF!*`CYk zYDpe&c05zjxBzZ2BYy5IkI@zzo{3e{ipzIz>mErT*s{MA6bzv%9P5HP&wq+tU)3cd zYrtZPwg1OhlW!5q8{EU>9JBMF>&pBGU!D}X$b|)r9``OBzBP8Db|I<}v|l}ZcU9^n z5yCDDMIfns$D;MMv`(pmg@PV@7RUzmHxG>D-^+gg3vn3srxUsM8KGj^Qwj=^AkW+w zGfia+-+VdB$M!dS{SFB{rr;gE1rb7-2F8^%HCP&t+iavb59Iod#V{?a^{KAPmBP}m zJ{}R!p*AF6-^lx75RgK#b->TxbiO$6ajklogoRa@D1|4`?GltRNIZ4Ys{(%-ySDgM0XPD&0eN(hbp@?fA zO8@quSsN_Z=pd5mb6~kE5PL_akDNt#pRjN4Ga4TTo7Gwd7o)CVd51Fx;QgEX{RR}M z4>9Pa*ez>t=fETF*M=8S&tET&x%%Hd^&Ls8*8YAh_H@3`w{D_0^M7HW38lw?>Akt3 zNp)Z!MmUVChFj}d|(2tde z+>LzQ&f0U|{-8Eo+?&VR!`(fz$7~-q|AGazK~+Z%$4sF2pb&if$`}T(GA`-fEiaid z#lXFtnGsCR46dHw^5!wGY6X*850m~c-{>Pwt`&}QyG_Z({P+#}jO4LQlvqy%=j-*2 z8mTg;?LC~X^{wKJlYNd93uZvhkkgZ~ z^i8)2_=Y*+*G_KD7>j8|$y-dV%=VE|IS)hoG_|za^o)xLX`7j`2rrf_&wB((MuxcT z!SP?N5u{Ue`U+C|9#5auejSru6DBmszBOOtgZq|JU`a{(_Hs72G%4&U*Ch&xbw0dj5bJ zP)0()rk>-Pp8fA<4Ac2zdceKh-U@a37G-t#Y{@=n21S~R9 z(H2+2_T-p}KJ+HsZ1`hjZ^_>T&6MHc1Bw3&FFdeyG8|~#+}S6(OIP+_sOVP}rq}iV zx68Q!>AcxoMy(e=z^SNTgA93%T0b5WaUsAQaClpfb@sSD(CoeZ2Zba=VwaVdYo%ox z1HEdXBT(p9js@JgoA5{m!uEoFHs>EGzLn8oyE?g)sRqnF0F%HtyMF@-Z*Z0Pk;W%P zOeanFo0l&VA3~c17wp96x9V1-j73zhe&3`CFVwd+zEBxyQILK|^c-!%l<2=Pn`QIR=d-9|qG%;fl(bJ&YzpV+~9pRpv3$ 
zu5L57xf?~=Y%zl}a6G)%gA`*%GC4gRrJFhb`D2Kavd|pa!5_b3Sk;$fiOVTiR_VA?W?Myy62yFtQn=d7DsKDJB7ml;nuZwTvR)B1wWyN3U=%L@wY0c znLy=*qFUi-;Qr0;Ee!GZ7stk-QzRhfn}`h-4ODnOwW!iTc~%GZ{fS0q0x_}K-Z%!W zE_8at*$y5{?Aix_#MMh=#&7)evY$_%a2y)0=jkF-Xmo|)v09WMX)tKxc)>mu0REI zyHK&e$ZtMyIUaMI>lc9a&M@7KY8SEWEg(%RwDtdKnO`?%MhbY;fXto+^V_HKSifv7 zB9ZC*rJyhSjm!Du!M~vQ&$}mk4IoYXmY3-Vq5lH%=Eqn%Iy$o*<9rU&?U}!&{Gb2& zA>gKzG2xv*-`CIUlFRFNW$D}kg_s^Tg-^gJR7{HxR&>1I$%}v_@0V zDkeIe%IUvu>^LV-4xM?7e>%gVdov+}f~+6g4S;0$S^O`7-3&2NJ$mmymcB*+AdD4t z>z6$q06Fi|s`18XQsw9dFu$%04XEmT3i`B#P{~Px&kF+k4yBJ0$=F z;|rPK{lhDp*|0c44ayRz;)e_3nHCwDgB+EVG7@%8dn70yaWvcnX&}wcSQMA6w1t~9 zTC0|QpuLynf5x_7;Pem>6J;QNni|yZXOE09YFhueg4jE9g^_|(1Ru4%g z-36qn-OfpSKJPRFJ^C12BwtuJ`)qD{LySciKF}MZd-7Axi-kkX9qsL7JgRY+wsJsI z6d^AJ2yBpFO9-2e3}I3juh$`NhXXO;?^-S(KL8k?3k0_ja6th) zBkGHYz?i*Lk}+Y;`?7yBPH}c0_GTz`GkESkd;3ab?!EPf>d2lg`q!l(?`o=AC-Si| zR={~h*<}Q90M(J3cN*;}F2COkbeu4vTUa*t%z-UHPALpOcop)wx9g`rSVn)p+lG=DxZH%&prvTT|5xPkaOR;HAHYWy!voW?E~f+*ZIBC!Ps>73%;k zbWJLVBM6URQBhGDa^IvjEBkvw3YVx0U1Fa_p`<>Id=&?q%hQYXH?e>9z0nM9NmJw!xzY&QCPpf|y z@HDAfCC&q+>#qbAxYcSip2#ie(za){`yYWqOly(aMYRNEa+mEeS{P^-hKQ<-DAgdK z4aNbbz2^0p`Fxk%^j0!ljUxTG4=j1`mEUQDOaN$o&+^-e4scTgMOv(*mM8q*K8e2g z{cC-HNI@aPN4;2HNyfg>Tt2Yy@3wMEL0sI<*|TZygr_9*-Fl?K+}%kIAtSLPSoE9(p)tB%YadqA zrS^~oT8WiywkpNF@w9z6*2ZYNG2jO9k;b_%e0*$JYhEaUoUTG_;N2) zwGRk~$;;RGAaWi!hPSEho3BJS1okN0ulj&nVKnz)_05mh-+|%=UKq4SPvSz111ob0 zA??>_@r*fKch)CPZ1Km6xH(E`Udd0Vw!3)H_x799N9oXRQ|)FNn#?sHSc~u~+LN4|g#z8ec)K<4WU(*X{trHo=hw=qVm_D4QU(!XejEO7j zSYV`RR=D;2_kBXkP9jV*Q8veAk9qS99LJ8jrr(x)Q_5nnVmHHq*Ro%dO zhkwUZ5ACHWokMlQxj=!W}1%ohdu7S z)xQELp&z2BpB*~m-tX-y0JpRHkJEFpd{r=7TUu-#$y+Tl4evvYIkZb`96-W{8vE>j zp9drLU2ci|A@2lQh66F~4Cocdmb|GyS{r~H=dscw@zszs1n8joqTt^FRt1=X$ycWE zdnBn!g#e~;GF=|0{pK)ewq-p8@_{~K+-#aBh?_E0Wd0-E?OzGtG)X}L{R5o*G1&At zWI9-U;G35Al`D!bM!Y@65+gvyZn>w*{GPP9Hh|0fm9+)-A5f1g5vw|qzWxmlmIJ8$ z7zdqvV8ftLUdRX;C&K>lY)NLOB?=Q)X2dgf#2**_kGF~IFJS~9QuPNf`*~aX?*Olm 
zic$8(meirme9;ppIzEd*t+&T{4DR_--utj|43}insX&-2#~@7cM(*Q_4?*bONTHzAR~DuUeXv$xAw#`Iv1#xRImouVt z*XZ`$?+;XU6FwHRAoOadqt14>dv3Aj^4z|kJypOlYj`d8&HeE;*ox{O*tfwA@ym9n zbl7fDg<}zZ=m)Ca5^u0TdVYSsN9s$&DQmzcg<8`h&4FLIJkKNUR~)GI5m!cNFKsY9 z35NbqtW2<^V!{{}<-18+wRcBfE|0KbEd#3~!#9t6PiZE`0?luR{4t4}YDwjsGOQO6 z!l2W>E@*#Hd(BkETZi~2>`;K=iA{3!eQ^WGbqEhNAS?k|JbifuJ(?2Wzn#K(WtK4B zSK)v1{nH|)s9o;X-B?cfRZoO&;IO$~d(I|b116w-M;hn|?mL=_$7WIUTg|IJL-Ev* zQ!2FE1G`}$jK;Y!Ywaau4eD4{Z$@y9>;UhQt_Lt8L^%=!lvO77xSJ1iun$j=yqEaq z4(Qew6v&|qs@9z;w`TH@MF7P&sn0c@s}|gc5QcT$WZ{aiF(P>VHa9FVFi_0wpVJL= z&FxsA-=|g($Rj?X+-Nb~U}5_+V&4}h!o5BwH-ccStP1;Xm(E;*rpgb(grt>Q`>n(E zwee$isB2#=Ic+253{!pHH2pNu&upsu*DLwQIisv}`FQjD|%UYRGOU<|r@oNt;w z7|hgF>bU_F;aS7FnLQoio8Xvd`tpuQp+e@e-Ik6ME43IFAtHvySiWv+eesfiyo%O^ z!xAGw;20fO^TkquE+dt_8dfva7BpDGP;LijF*n`Z@8%)BAQn9Dp^U(P} zukz3HZ2OY@l-cm|%E8EhKIO?7Krn-swTsRZnYcoWii$Ep3#4x5h@PeJUaUi;0=11n~qge=|{>sQ^4qVK#U*>}J1ADD|78usy_Sr+#m zZdP$&YZ{*(y_<4|>=>}5l*Bvswa!BVn(P8}sx1XgCU=7e%K(!KAY!^)Nh)b}dgI>} zif_wIa&qPFa=87thdr=<`vxj`=EGGmk3-JcCBbDDxFE)!Nl^=If?SChQAI6KR`Cl& zfBD9T130Seg^d42FEahA7yW4udm#A>8U=*9`JL7SLHPaOFdt^Tj+|@U_QFH_g4g?S z-v1B`93Vz#ej~8H?xKo}fS{G~DCx()|MP@UTM!fw;NZxY`27LJd2k@6{B0ctBzw~2 zr#&A8mwpCt6b5#%8V~*f<+6@>^VTho6+8duQVB-@s3?Z%BC!7OHnOMpgU1!yWB%Po z^YxF(&SFe?+jiVPEY;14bv0`9(LloQcfAjC@Bs?uY2Q5f#la02iT@miq1=b`JulSEC#r@Si%k)gLc9cz?8j zW7tz1{N}(xpp0h-S}hX&OfUT5ML(VuzXnu&{-rT)fj`_cmoq^0x6uLzyjOqP9Tz6Q z;_Xw@{Y=S2AgH~M0eZ=evDVQ!J(xfFK{8IVSShX#HbGdjVuco z8#c#c|FkP|b@3bdP|msl98 zz1`us^FA8MEL<`9x-Dd^OS@}Ay{@eAW1*UR4zf~numCB-YZ@;kCgA=y@$Sfz6s8s@ z^S%O2`PsH{R@N+e)gcG-c#p!0C%LC1FNq1-;8Zd5ye+u(s#V$gGvh21CMP zcwR4e@=6C_4x4ZRJ1=;=24Bp51?YU~JH=2;>>ZT#(;L$`_1mt>Mf1--O8zSc@`r0a z0N*NRi1PM%e%#p|9rowc?F01v?Zq-kj;$gfl4d=s?-Zoy7a<8aAT`s66 zS4Qo@-LqyQmABEP;@HmRu!UD z=%NCaDbndPGL{7myUQrCa0~6B7HiF0t<%XgGTGmZg%zAr{I5$rw>Q+{ZK`p^EP&Z> z^xudIbW1h;J43~TzhF<4EbRlo-L+@3t}GUvZiY%Ni@mI(5!dw#sI{>9vSFXDZ5n1S ztLqhV)5V+}3=K+bHY)VQgcz!v3HHU{vZIqzu~lD@<)HX14bMi0 
z?Tu8!Iuxg?@fo`h)`V*amP_NSYLz>K_0b_AO`1_`f>TTN*OJf;wQd|b*2+&ZNcaOr zR|g%m?sb+8f^!F0aodeRK=cQ@IR{OSr4~=Hk^S>FBb;oSQTL!=DCB)h|{DJskKHvm)S25=SzE z?3n5~B}`>C#Y%TIk-BaA zrzO$zO$^G{b^F;ok;&}o6y(bsFH7*^>zXMs29WaSgR;F|2mbQd7GMZPHHuY70(De7 z7Pcz)LzwIX`S6EkHE^12U#DMAL;5)9^MZM0@K&2I=gq`CqcM_m^={}2%Nr`Ztea`> zH0K&8%PsmRT7&ga4@^T-@Yc7VFLK$P=o&2?g<7 zvp8_wdm3l5PxR7Jy3P{Quvx4OHi(Jp8zNbUyl#(Z-#OioU7D3L6ya1rVdCfLH9yX? z!JBS)I@hPqx=geuLe+@9EUx7?!uVq;>8X-9(T8q8Z-E{sejGdw0wP;5Fm=#z5DceG zRsgZyKG4HK@5Z&L0X#v&wmm!TUnpkA3HoHy{n;K!3>x1kWi%87+^88?sNL6xLB zA3J>+&5w4s$$MG*__NT=LcE{1{p8tbIMZ&2SrQ6vZ7j#5a0DbfkdTXEmbMnlvBfI| z0Z(H)dc&5vRafeI>9om%GESQI^pCE=v)7!1WGg@>op{1oY~baBt$&~onu!2SbNELP zMkR@zzax~N@6bOPNKupN>Ah^}y}#(T#!?bkcx*sQ97uD!%o6$H#2H+LG+X1%{&l`0 z%1EPYXF0DvR=UmmAoAe=U8)PX53~AUBjtuu;ctD|^A#s%FX@V@%g_G8K@MTc-e&Yq zVLX!~e#X<^9;oX68J_x>^oaqL#TCE7h4SsrmB3dsE+lM zGE(YR-DB7=;T>hWdp1eaw z9j>zH;g&RGw|Y|ZBdEejc)_+PKipB)NXf|MAb2Vv|W#}k*uXb1faPw`6r)%RN8 z<$<^ecGKli|Da^C*DwwbZBVMPqUh$fDKa&>qpc4AAwe~1wH&A~TLW$MFk28%fC7z5Z9#W<(@L!ood5eG$tEx8oZLBL_g3o^2{gvjvi-p!wL@9R&BMLpM!XucJLb> zer|_E+ild~?^GZ+x1vMBV?w;N);2!phpph!8R1<@KG&E_-ppnfxU8IB6_p7?B#pi; z#ELrm93%OD3+F>JkM|AW1tGfX4TnX5q-p}&2ek%frP#c%96fdqy!P=g2BhaDLTN5# zc%?42L(ZNqka)a^>hj9U>8Y)&X9bEyv$)VDQPsIT!OSdyW|EQiM9a}vW7{N!#lIFM z9ooj;R%_z`v+gc8GCC}q+nIAL8`_fC0rz1Q;eURjNuee(w1Z75Z`WNf8$KB;?R`ZH zx09qpw4n&%aJoPRHzIJ1>r+wVdk(@6RPxNl>2?$1uLBQy9)G_BzLOR%D^s77L-pi3 zx6LdsI<0Jh?ijkkqD|TJ7L8HT`eRPk@^d=nEK@V?+!{9RpFTe?)(IOV^5t(kllkZ` zC^sYUbJTJ~Oda-f6yhr5o-abi>bXf>GdX+iBScoxs?xH8fjq?a-Dl*zB7k=H44T8e8!5_Kmm94qd0U`{`63@ zmsPG@!Zzr%*4rep>eNPTB5!<-5<0r;kk|X`8)d$&OSDqZ&EqwV?JcgKIJ%l4^AzjR zW?!kv&dM*A#ZM?nOZ1qaV>4VY0!EcPAv;tlciH?MuT=4?OYlv9LYk^&8rxQ%*)P4E zx&stV2!(~(-3rmtNiP_WsjQdUtDa)wH*a;sDjb>{EX-rW5Yc?_l-AEr>f#4&RHV`~ zQGvVapr->WesYqi330l1xAwY2$5^;d=Hkb43G>G^Q{-=^Gms#8 zs-X{YsH_I^-juu&ob}LO#+Q*21Qu_rfy9ZYSRoqa7c6gu0A-r7#ki0qOk-0sZg=fr z`07%mwOe1z`bVG}#1D0BZmdLSDb!VFt$K|4rRHfAb-3#Ir5Q`cXHIR@O_QwJDNXXN 
z(0I-a&poTSqD)cv@8H5*cMWOxg2g&IK0|?(S@KJ>DjR`{6phD4YO0U1yLRShUUot* z#c%d5`YD(U!*YG{W?Pu3S%mIltW-%Ikm%9=1n-b)P#act&a~O4=GFV%gi`JSv53Du z-9q_o;yi0PoipIpWog>HG<9{0zLj=NzmD^y9El?s#5feJI<~b_AB}tT5f!SFF?T$_ ziGAn9lG)o{%`B7;OV>Rai6rF6nVH`8Pd4SL>st|SO5%&3^TQd@8grbiou}TM`*)dF z`>g6ATsOLZEfa;Sw$*v5l1Jm-Mr*Z!>SL@)EsWDR~6 zJ1Wn~t1xFak;r^k_60?!SbLvwi(iSOp*gdeSigrMhvCTJNZ^F~f3RY*O|0l*E1Axu zbB&2o#$8Rh@T%ilZ_it6sa}5N*UB~1uVKKXuU_(ayMQN6Nq1g>Mn+HwwJKHMTizbh zD)R=@UCDExAPKHu_py%?RXlVWysuprm@T@kdzC?ZbZ2mV7>JIrCf+pOLEZEAkz(^0 z{$23Euz*7De3Lu;C@fGw*X_NpOkH4oq^wMu-05~FddeV{D8mjhdSx zf>ImPlZUv=9^2pB9|&+rV=r2jtc1l)KCx5P%-Nmkm3RKlY7JE@3liwZYlcNaX!k z0{Y^5UQ~=dZ#enz0pUNJz?HD--C2J*NIfUjOrkDtv3{ja`;utyv+IwLkOq~$!F#6j zdMX)?^7K@GEK#{W*%@ojBL$V=$9Z4X8)?^Uk-ThzyeCT^l zSzbqV{Ex@WcweM{Y>WbVT-RScz3b^$AEA}lin8uh&3s5BFF%YK2#V;O?a2S~C(!9B0uHkf z=j+4hFT56!#{@3{s}FBsY}0i>BK-4E=aL}SgD&0qx1yHx5vAr}GUt8mcptb|{^ttZ zTKi>$#Z9FnOPfQL7kYwy{$VZFc_Xdd!gf+C&SCCYQWw*M;#`$D(h)@7Uj|B>-J~xY zonNTD@Fy_UMxLK?XH@Mrl+nTaTxk zTP~k*M(uhUn;!d^`rM@p-&)pctFv+l_d-Lhhkv{D{6Udw8h8W z11(VoKwQ_7OC ztZ&plr*@oe1KUxqeilpo|Ih^r1L`6vZ5j^*&wm;eYi)4o<3i+ zGd3+!CSdW(yUQeVzz1bM#pegi*IbKuA$Ur9s*I+pG#~l(UBj-6wL$uKdy3BCEm|?- z98tq{3R~_HWx5(}j*DMcmiLz#_C+=K?M;tfnDM%bv~o3@rn!1nelVh^X)&Rpldkyu-F^^Vk;R#0(R^~* zMKq7Cwd=9Gdf(+rPAOErqJ4Z(p}Z{UG_uPwOw#yhmS{=9P`V1Jbq(VY|zTF@$XN65Y8cY%h z0|^L&#b9bl9hfjtzJ)1HzK|f`I_J9Q-}w9FmT1g+=GI%@)Sfah>03E@4!hmt&_T8GY~}Q?7I0EGrsA$C(m^x!_`MVP z614UX|I!)~McQVC9#@Y>W#tZZ)B-x3u#X;7=d^W9zwet4Jgwi+y~@L?VZGXs4U^?ndXXhxENqtn#ed z*9!1n<*@Y13+^m^j)GH^MCl^NtbKc=TGp-&s5#EQf>WsW|6@j2XT60)$+DgTJx4}A zmS&5HY0SS*Zt ztySZ0jX&FE`>L<^O^JxSKwcel?%7mth!rbiFLjztOItO?9=RhjkyK|n@zDQ7u{ zE&Gtu`lCm2wmV(fsLi?>zj5Mt_-cyB-U~C>@S~O7>aJS4i7AtXQi9pxOmmu zt768$fyRlU!fa}kJ^aOP&BC;hAFJV9c~%!5s%#F|SQSmrq9QqI%cX^w4f0hVR+V}ueUfh1-&xSm4?I|Wx0i>-O@rPUZN`> z>e;LB8um>WiZKhd8+&=j)EAvkiNEE{JWd5Ihg@G#E^koT&JaHLK$Vc70-)xL{!kx9 zzaq#ZDy@Isa-}D$+3R`^O~+@~!)F&a`guQVqG$71M!KUbm*2NeUB8irF#U+WrkTVP zR0S;|9gXu3Hqp>$^Lb*>13P@k6&u`AdiQe 
z>^|9@uy&oBEjj%v7jHTLma64FE<1$(Xm6OukoPV3EWb+Y<2;?>mh`-2t9Csrh|Zga zzOE07uC4E!#i?nP#v2jOj4v!vo!9U~Eqq+sVJo}jhE5CDt+XwF1Fp# zFTTvA{VE7r^wyhtbZ4VEG@eS;hL=UH^Ip7_`mW+gJ5u3j5@Ak8Qc(TrPcaZ$PH9$` z-XAL0PeSjTyV67s3hBB2A(f3;MF0g+Q917KdR5?j=p3E68oNFzn2}9api;no<7kM| z`P_ScUxuZ!Dqbg7DeUw|$YS#~uz1Ef^tQS$ie{_rx)0}=7A8yq!>ls}?ppDr{-t4u z6upHCNkkbpo^_Z`u_3z5T{)%l(?+^mmO|$0UH-@tPI_&PzbPAfmEEYHAg>zk&bvI} z>eKH!v;D5{iTJ!?*DZnY84q{IdX^_fmQUkGJs%?*3#XRPPLr6gD|>IYR+{xxTNhl5 zvNLYvjFssTUQM|@b@zk|Z8gG{W(hkw-Mi1PEP%kaKU!j_&pK0ecJ0#96F`%*=ppG4 z!jwq_if;(*epWzoT_(JQTFs!;bKX${6WqJbmj7D5lVE#HblK|!4Yi-Rf}zPw z28+t%@w7yZ%sagj))lX5biE(a-4%#ouXdNXl5e-0D*V^d@LwZ|To+EVy%&BZqo>qt zf7v{BxgQwdY^JiiLiR0=x2{OEtJmq6I_H}Rab{u(Mxh?t81-~ZEWYU{g_c47I-T^~ z2)pSx#cQ?=w!3yubLMPn9_7Zxxg^~#d)A$YY|`(Fq!D@mlZcOXkIw7rcmPkDczv!h zkJh$F;8m%Y7e!!uuV|#_Dt;Z`W`@d+^%doF9GjJINc54Ng;}579Oq`Pg%HW^5QsZw z0WTK0?C|~CsKB1XSQ@}WFj9OTbbYkYnG*A{b}yjs2^F>O%X>4i9=xP(Aw`+bEO2*l zi{XJ2(36H&vYj%{&Y047?udlzg&tqbBG279K5fEKOOd6ajojiJSV1IzE@j``aW&9x z>nwWnv3jZO)R?OgD#(qg({=s?C%V)+Z@a}<>3q{j*>%NB)V4vjFmm&!4h2Yof@C*4 z8NqCXp_Uop>Y7Q(-P3#N>A^tN)q9}NN?gON6uJ}WUuyRN;;R2IQ)+@ zJ3M0x9K3}Lj>NKTAa)$uDKO_q;TE$lVzkM8oEp9TuT=5F>)_n~*Y)EQgZ(VI6}YyEcv z9#;Z^U_-KPeWO6eO1IQ~@uQf0k1y}J`LM8e#8&1+)U&|g#2p#PRjd2hL=Q$D zzdTig@Ybr5PPIKnMk$MRU3QTCag9mrof@sN81A=e;a5G5^2yAf2w(MAg%Rw0xpztq z_J7!W>!_%yocMj7A4e`^1YS^qwm@YC2(mhJv+b($>UxCSXB zOgp*MBjAk?(?fo1ZR5l1>D|2zBgCQAiocg%2?EONMJp?udQ+?McX8u-5T!|Mrx!F*7zA^;|{r!F6|7U{Xa3Nb^?Cs-=x}Uj|=E3CdCbM^EH3 zMp385GmA3X3KvI|Cjdco>3zGN&4oL1s3z}2r8uH&)S--XY5G}|k z7%p7?CZfKwN^Q5Z$+G61se37+Q6!&g5D&E{k#Fx=aPb_ltbQ&cwR&d|d0Uy>K`C=A zzGy_oBM$I&{5MOu_?=HH?F8H8yAXUpF^-W(?y4P@5?bHqq3Qf(Jjg zT38XrF~7(lhEpR_nrQoaS7_RW7vDxa%CuW^$&e`@^%~QC5NE{kQR`JX=CLIqI&E@! 
z6?G9oT-4?(Fwmi++9LF5W-zeVjzvp0XBIB-v2YP}NveI4j`p4l8wEq_4TsaIfec7( zyCwc1blqaB&3kG&wu=&{Cc0-vkhMqhbE{X()RFFtwAdN#vYQHPr-M1FoG}*JqazB8 zjD7Q+vD33+Q|Nf>u%MB4{ss8ULl>COcxo+MsC5Ma7idaP@Z}UF+2sG$;r!7A{Pl92 z3v`Hu<Iyw28=fx1{v{?1l6ZITPawf2Rxd*(h*D_Ogsow45 zL2_0m>VZ$43RKOIKm^XkSz%fQ)SV~ZEb6FR8>-0(v^^%NFv{^ZXHR-OF%SbOg*zH+ z=y8!)Xp!?2=QH@|7(9V{+OK(`;1sy4t}Uu-@GHG;lUNN3p}>dyWf4S4<*xN^@M3!} zR$S;tj#%+{8xcn@+f19i*F-2eyQ58(OwcZMsMiH(mjoyJ? zYtu3iE1(&H`ug?Pahdnc3a@>V4Mv@1DqBd@tcsV`LuqYbG8eme2Td0>IC0BrhgE{& zywq^B!vS)UoWW*(x7(Z?!8+yHdl&#PPGG``5L|0)rFD!wm}Ceqez475h+t) zB;3M9GG;1Hc7ACKadW0!a^NQK_KEn$U^|;Kc+u6fn38e>@zEGq3`H=B zM0eRn!VBbe7k^TWqqDBx@?EDE3`O;98bnKdP3VkK-lse79y@Aq*dF7VISRn)#L+2%4u(T(Q}uxQY|t@E$qSAS>zqQbcYXfv1`bM?oGn6nc+wNe4_LN(O~T3Sv12v)qx|E8j4cmjq@zj>f_VCIoCQGR@G|`YZj$5qZ^zL$gomp-G@e}~!xn%~2|9D3B1F62aOWW!L;<5;jb+}w( z(3}V5Q?Qa|uk51akhCzZ)Hfd0pB`CJGW%OUkjqH%)NgT`UgKq_ zw#&3dms+&Pf%$!P6xC`uE5i_`O}TMa36G$6_JPM03$h@0kyAMA!X;#<81>#(Yph#8 zCXn{N)*x&#lH{EhR>U)?Y(zx-RBvyC)W-&X#Ch(G4%st<`cgboSu0*#Q$T3TQx^+O zspxzd;^}G~TLXaodR#=LTtwOWd3mK56pjpZwie`E(~-&2DoZ}s(V`%+(O@O$y1J_G zj2%1bt4T1)!cZbc&20Eod-5YO#i%l1jCxA!LBG1V_(NQ><&Z#QXdlEi9Bl7ugO5KT zv9Z~3vAkEE@|dQT0miM#KRF>8rNuJHK?)UOxE3jFuIDm(bXrccNBTL@ov|usr~V{v znc98Q9<8sXub%x7rY)fPnap**&DY*|gBUGD#q7V_Zj`m+;X3A}YniTY<}WW}TELw} zU)-lKu18-+-|6o-=CLg0{<(&SMe7QDv?o&~h09%6>SRwn$LGcR1;1Fa`p|>d>!s%w zktu0s%jrVyy-0q3*AYgRQKs#)-YqqsURc96qqio;0&UdT<+}dP;=p7DP!#TY&g7bE z!~5eqEw}k*o-636blj`^D~|vcp*1>kt^%Z{UufdE&=7CdiE6Xn`v#8j(AaYUF(9V{ z6V47MiHMnFC$&}`e}ycLzxH`OCUP+>Vx|tN8O&!3Kia?Yt~bzCH9>hC z`Y5DZ$IUJ_*aT$6j~N$%6!1mqdfB#E+?V4Z0^F?*cWQ((`NpSD!x{?>q6G}WG2~#g)HM1ou(kH^@Ms~JgH6Ey^}=D_n0Ubi<9Fjt=2T+&-8ar zckAw_Ynx_BolbSsh7TYmL9TFL*U3V_vet&Iw!SZ+AFo1TF%{-&nr*qS*$yxsZOrPP z>&~ruimSW*u5q7CJx2%d)gh+YiKNPB>g=lZpkW!Ccs)A-O?%v1N3D05Y<5Ubam(eu=BsO?Bi_YIs23Q#LrH!lO3 zS?Veczg?y>0I*m)?ThNm*|QlHpoyU7IVO)3G0oO9=Uz_|3MNeR@sPZJ3#ZDGujY46 z3*Kw1J~H3G=)=cF`k@+GW3Bn=;{xh=FA;VX9ev(aVFu$DTk2H1*g=8oFUu(3h(G7B 
z${29#hMEL#Rt##?!n4H#CFdy-fN|03NW>PBsa-$5yM$tuoZ8+qtu)bU%t=ZC48ens z2;5Q~t*uv|bTU)Z``ymrU$2v-1CY11)%4dgA~~tg`z;E=?X>Ug(pDoDUI`GRJ<=X{ zq-NE)-S`Q3m^2g=Yvg3=IvYH4on;Lz0QbuhWq;Mvi7B2H8>V!AfOUV{buCbPBr8{# zo18GY^W(b@SBvTGjc*S35Ap}ZL<6E3BU#WQ5Gk2MX$E9M9^w;y!TJ#?^xq@AV#+q1^OTcYUYHj&X6>YSA%`TyM`FE<@RjoMPgpDU_q!{-=62cLU5?iS%?sJh&7aj2 zU?XHWS^$K43yK@akz7E>aFt{wtn_TgoDjVsT;6I#B1ZyHne{rruW8lfhSaRmOUCx$ z7rh#hxR_^~1PHHt{;xbLbxGp$A_d z3@>sDGbvfqjnH-;g|JhOI!tWTx6`MlhrKu)>CH0V-N|L}DU|lxg-JhBqnVUrHsZh; zOsGD-AJf;PO=+Q|5l9?%oAo+O-2PnQFjgt}d&1lOrQ1@VBxCJjs6L4ell|(`P*=)|dy{ zBSuM2Uwb~noI5R7j^b1gfJ;P4Y$yDN7FrC_yBjPIvo-^I&qz5}1wG;%mRo38S(djH zI`?>io2#CqSZmL#g%N5nWHt0WEKaL3SEyBW9O*ZH(Zv43W1K=kMm;^e_X7Yb z$UE^0t{kD4VLz7FspR+As|6Xn;!J+`3GGLR#pqp7W&p}@;B?jI{UzI?)C&p#;H zoKT_-rtxJU^K%^Dbd4K6a?}Vilo&iEVy@9E29j^2$%oITbdH6$-U0HHG4lZwrn--3 z-Ul7jC_W8_%(bf?K(P$;I5uXyBZ)q*a?$pI4el+nC#*x_MkE_yyOL&yyuc%$5b)qr zd0!z!xihjULph*5h-l%CX>tsLGsL*{rlV+ey4Da^F|W!pRbRsy798>XQ$Tt18ge`T za6$jiYlQNjrg#xWEE0lvj}b_h^@eTCw?p3u>x6>+ocn!8oWAj`oSx7U3Rco4P}6mCta~ z4%XGH1x5GNoA!A;YJv4K0)F6SJLa-9Sx&KW^u z32U^-((C$HG8SvpCv8bt-bxx(yv{0lqWe1>_PV$+)kw1fnp}!?7X96I~s_(kWeAqZ;uE^~|1wb`<-&#XOO*zyP6Y?_a!xwq z8k3i>WG!zcpn?y}Xc`Wf} znTP`B$98HzCim5bxe<=3J!%jLEpm>F9a?v{2yeGa`wSOt^3>?Sb}Y4kWA z6P-JYGc_)!tA^(fxS`=p66AzEFf2$SIM6S1ys^MI)NaXicH;zND~PQ*9l@JDg_(>+ zlUwlMR-E68Xv=WfAIR(zDPLCpTt1x=C$^6_;`E=(EPs?h=yTb->v{**6IVDonO_uX zhzgu@QHxe*;G*D(PATemD7_D9J6|TJQ>YH@Q^|-&BUO@z#X@kOX{+4ZhGV;=KG$rR zDdu8Q1YrOqG|&kFXK{K9I`wyA@MFE=0d142pf>hmQGHPXE3-|rdd_6BygOVwQ0huJ z+~}n`wfH!00nnE%Q~-+F{6xTS>znYd;P=j#|(4FG9Kv zN=Q5(2drZNwbRa1Uc=@iU=yo+$JhP&IJeC{P%FA7ddy|%>j%JqcSf{lx;6F% zrEO4b0?_$++G3v#8{ZTV{@1K=@A}2swifyK9{_6ZX%F{PMt`AjpOO`Oxmhku-G4zZoro z-EpbUce>$xL=XTeb=1omG<$V@*$imUJluInhylFi^U@uKF3EARSWl_~MU@|b;z^eQ z382$-r*WISCC&Yv;CTE<)H=c>)!22V5+m?JE1R+B=frY}wfPURnao+YL7J5kUpd|6 zFk#QeI#%Xblo-j({o^ws6&NqIEvE8+UNHq`6MFiamL=OH=%x{CR?@O>rz6OpH4f!r zu^kAlnT-GmGeom#*9m^%2&fN*`&h7#&OM>6(SG;CU0+rfV@DdhO-Sf02xK5mQQRFj 
z@I01qYUbI9yp!Yk9c|UBqFg*RavD&s$U~6S*0WDJe0Jh!i0D+T?RET-8F$)eOxP?8I zMe+u6cpw(i3WJL{?8tCzqB`USY`@g(zXzH!c$|-qj3@8J*Mp3NlN9APsWD>Kt3SCX z`y=lGDgO9P;ySr(%kck2+{+i?BAL&1zkamzByh3EMHSnb-Wa+gDmW87i;!qg+s1Sh zqYgk_cDeDN;}j~gc_#xgCDn-E*LMtAPo{%?Pu@|PzGr#>MA z6)1a~x4jJ9PfU5a{A`5mt{^g6Ab%JnjAsuc%B5vL-9^yk*w0iPJc-vM?2}2YIu{ljakFBYpX$9ckKCc z3H0-Ampg&RQ_Qu-uuYuq_tTIK92{s-|5kyh+nBm`l~3&(h|-YztNiPE#FXIFx>1LZojUG9-sCek%&#{9l`6x ze`2hG#Xy#-ScXei#$Yw=K@k=N(vjL9R_~BRESxFBtD+*_nbeOIkktW}k(Z08f8mZ0 z`$x$dJ+J~`*Tp@JE@7q#1!43(c+JOl{P9NU8I_9%7pfT?lrBxef6~3`7tHaEpmbu; zeUJgjZ2&FPkd*D8hZ5VIC-5=A0f`jJ1UD+DRQXaTx7a>;1 zPbjYfxSfOP0eE2Ktyg~kLpFB*gqKjgt8}Y{-!_6Cb|3EJLSu0JqWtRg?EoUpz{;Gy zuAgJi*5ZY*yc>*p95!H{wH`HZi92 zeIQ)|yYOqfsr>2TsvCe-UR(_uFalUZ&(jHZ6DK~b%~ zJgr9$%{j$q#iddgh2PDsm;Ugh*@i%W8kyT}+?eaZQkQ$4d>Vm@_eC!^5||+JTxzW?CdHXY#y|V z+}u#7Mw3}7RzQ*L2!`$Z4IgEK5+Aw{$I4;Nj7we~ALNp_mY)_;>b$q{`IqgXvw|+I zSxqbIE>`C6p%zH+Op=eI1(Nz+eH`IHa_=84N(um7y<@jAUI809=}@`tUj+|`b<7YG z{X)O(bd&>!05$lg?^oz+c*gquC~-M}LuSUN@cXy^WcKy}pm}8dGxxr+_)ZtGZQN#n zao{;m*#0Sde$PpFfXyOuTG|2D*l!4A$px@iM=j;HJ=-?X?+5(lJJ7R$(zzq*{cobQ zZ!{330q!Q+4(^H=(V1-_~Q?~p)QK+G*%jMjLGd)~5%n@B-=Q$|tR@VpU3xZ-} zWNxxiQ*NweXu0ckz>oE1Hro-eL47ulE^1)b%G*ej#|`w5*l@LGZjdaRuvRfuk4g(uVYht1?<4ypmc0r9OW-Mw-9fKS2$_UtfXeQ}uBW}(S zwEli;qwe$aEi~_G6&#RCv$Ec{@L%)Iikita8J@a`txo_ynjgs~-biu;ab6F^r`-fk zP;Bh>Uo!lCNi|+Vn}YzRTXWaU*k-ezHJ%Yvp{SLr3Yp%UO9x|rFm=RrCwy>48 z=F|Cv3}RmG-rhE9JA-^bwwWR8dbP}YTe(lnll@_$PW>(bGVZqEg3EE`b8-#uwUNOp zZ#Ib3q4IQP0Q(jVbWp}rZT5vd@8dK+ck`yIi2-Q|_JLEWw;#SX%Ri-};WV3g)azdl zzKzKb=mYcE7)=Q3d9MB58w7L-fw;qTK0uHHyFCOy%_p-T^de;1l7u`iit-0T>|hR+ zt}-yrZNQLC)?{#R(uzp@69tjY+$k_7P`m(AVJ=WCaQw3t01iuO0KhN*BLd71Pc#6S z*_EA%K-)%GAHK)o?>6q&n;W+uaPCe%X8c}jZd>)%f`0cS1<+9GtusGh{Qd4feqxuJ z?*dku>LS_yW=cM8LV#E=ZSmUoytKoGS)K!|^#0?%|8NCAjAad^t!#w6|4q{W8$${L z0J|u{r{}*t`8Sh70GbU!FO3h#|J}zT0FZiHf_F!ENW`CPF+d=w9>8#V2V=L{vY)^B zTjxrdSjoDd?%V#{)cIr~gF~q~lr0aZm7vWfTqoQ|faY9A(qkzJF`|Qy&o8>VpX&ZM 
zalIYMAOr^)Rpc!doJO=8Nw@;1wK9=!0ILX@U<9BQL>>(CB3$d|1-Z+-eCG;N9a-e^m-Kl_Om5CQ$&wEP{aYEb` zzlfsajv8sbk|iFN*0GcSg6k?CkSK8+nLM?-@eorne!~CaJAnF>0|ZEpV-v9O-|5-E z{_8T}1t>aB{0PbQ&t`TQ2t#O6JGRn^|7t>~05A})*IRzVzxoF2mE){&x-YLW{8m!` zMDDl?fT|^|;n{%&{Pj4pPXN>LO0lT?tyQKDIgo=dv)_1AgoPbQ2m@ww07#^DN(5`I#QhTm*&C_`+%rIUGS z>cCh*(0!*hMsIwi@eA(RrqKp;fsCT0G1%t2e}Ou&J8pDJz`fejc@7?Ei@)&6=>vFH zFO*w+`gX{j2n1LNCsv)V5!J9Ka2)eWUUoj08WurjEi9q3P)MvQ-@$LxN42{pv7She zL{SU(2s=8`BcUa7pj-?2aF(SzFK6!20-42xb!T(o zcjSO;aFn&UVeWPzCVH+h>2nc5tL|ot5CbPobl=-}9|k+W3Nwuw0K0m58HVOgFLS~m zP;hiitu()*reak$VkPNvEj;m=HCbk0>B21cat9|oB~$E>-OB)lYswk^v#>6S${e}L z{#E8M0XL%-9`uehKCm2NOuDWoP7+VenWq0&{AGQIpRBSA#srxl14IaMv{U-JW<(`$D@n=OXym zFEX@edI-u)cjZWVOfF7%nhPd_YTGYcW3%gOM2!9jjr?op<)*sq z-bVYsfhqgv$_fMvBr8S7G>SPH37fS!q5Q+)aEk)FMpx+#^hCHMt4`Zg(PWZs&#C~& zNHCLjxkJxs(m4#xM+bY)F0W~w=tha5{G%hu!b(l;*caxZ2T)9!yk;2z1hJGl2JSuY zub-&z*r-hkIKPtB>*#GSX)$$)dH_@t_)1Q8zU%gKJJuKnei>j>v$*rv(w`Qv-Lp3m zGoF2?v8tnG332haL1}V)m?+65+P?B7gWmowhn}aI2VRMgi}rZcOrp#=wOV8KR-`J! 
zM|fE-GJi-Jv$#t$Kz;NLsPnni2ZliGWUC1K`H-9@q8s(`Vl@WSje8=@C-da|I7gbo zB^+u^oqRNoagQgc$=YkEsD8-r%7|Ic>UuJfOi!WA+*}=KPuH%sH{-r#!nx1x z4stxvKA`I2oP`~Rj3#-68qJK{9s^scx4%>fl!s(>Y}Qv1W|3Lg*Yg?g8JH8s`5Ml_n;T;irp4>7r_gH63EKnL>p5!z@`f4gWtvS+b_?Hf;sM6}W( zl9H%eRcN_ivFaCIw;FqV7F|B`nUr+8ca;5H6;Lq$M835pelal%A`;1uk)6RtiWrA# z^C}yck1ZD%NG-)!g2?&~X=*2kTX(U`ai7a=XY0b@d<@$0uJUkXx6NtuU?$GBl;fENzMt$t|sd8ZRMMz2Xe2SYNZ%(WC&>Lac7g8pI<-a9F$T z+J=aInXuodA+}|YwXS2VD{oZ|b@o3@stnIrzg!`bCChNqDR9TJL@9gRZP2u#fWQwq zjYI;<)yta2{%H>zwfNJS2A4_z0Cdi*jP9E=7{Hd3`AiM^o<6ZQg(`(TJI^#>Q=N`_ z_sCZQxWkvdaxH4c(n#n`tKLBiEu1c(5+>G5=B}yXG?{Nmy0rAi8`?S8w2N|RI=^sQ%YV0ko5HouNXOt?rGecnWR8G$|e zpXZ2*IDd=8npFv&k@c2m#kPGQx1nsF@P%0({Nnq{s_x(HDE4^`hmE}=_<1wSsoLWD z#qP**5+J1!LLN(27Q8$ehr-4AZ%6xua4Ant)h$L#+NV!35ygnyM~DUO-pNCzLb z4LMuQmif)>u!Ubf`U?~2QJx|tD|1-CtyM(dY8KlaLKY!kn8m<-?nbKcKu5v(7s%%g zc7TfS%)BiMm;<}Lmg>&-d8L{Ig$4AQO_JI7QK+7h`0Hs;Z5qZiTSd&BhnwmvVeR^a zD)lkNDUWmwN18@HP}{@GCbdi^T@*0ic{|(OAwo~>Poq@W$};o>-yRQZ&Dlg;TIm~1G+ z{P@);m#6^meW4%od4m|`&(D0@u3hw;e`=h$!3MQRm-wJ`*t6odi{mozk{M6=x3%uU zds&HI2fgOSX1$-2}q@se@{A0Fdv& zNL-*da-26M9=H_{`0ZA}d_YA`^7?Ez+ek@SvIEV>^Q2-xZgAag9lMU)tX>kBvyRw^ zQU#kaH+9h|QZygfi>Eyw34z1fxqK(w;-rOtB~U54nZ|VDpa^EI*VB+J85-lPBRk!N z1TiTUb^HT3EaXf~eNOH^>b|)bS^76r%^Bmwcyt z-R9nA*-i$a7Du>Xa^Wh{%Y#6}-%;aR)_+S}gLx=gmy-mEtz08nZ$CCSt<9Y^n;J3p z^gtawzc`6nxNJ(CiITOvJ3+&(EB>-Kr{o1gb$K19Aq@iLO%q)pSS+GOz3_y^A)S!g zZ-sdr9lv5RW@LZzqrP!CqNrz7q_QeuEnRD50Dq+PlQsEQP2Dv58rlP`y;6=QGWEFp6OZ+g5*oY`b!?$665Ba2_^ zg}sG!FJ3cJbFJ(8JQ*`3`75>raH@${QS7dEUSQJ<}_G%GI&Fd$DwFLTaJCt<`rlH0T6R2!8CfZ2)geFdE9$pM1-FaK*L$ zeEAPMyu}Z)4*M^hXdIv|Tj_#y34wc@gP2{t9U6OVzd2(5Wff1RJ=X3CY)Zls{-Afk$uzN&d3(_DYVD?Tj)vbn7X$3*puocPUl%3q>U$%N22%$L@NpS%lE;V@?>eD7o6oMdYF}bD}aKIl8pa z1PN6Z05vrQHth+;+$bP65=I{*Jc3Dc@WMC_n??Fu+3(plZ8N{tBLsshdr;)31Z&Qx z%anbnHrLcOD{ah+=d%$Q2^ca1HAF;585Lt~5LF2n+|}Q3=N(x>p^f=|Lv(*D`FPI0 z?K1fDqreqe)^qn~A2pkS{rI}~*i17XdYmqkIf_g07|l*ODDr>?T%+Q9QZuWNswYd06*H_-kDOY0%oQ=XZ zDY}+pmM7nV5fU-oS_Vgj0>hnbolW1A7DtfYX$wR*BF%%%w7Z&n);b%P|JJ_f2a);4 
z+~S;kIq>e!KWcnBQUcOYE@hPgoQJFcHGxv}yvZd;$EL2E?!2wWEsL8MI5bW)rD!Yz zLAG3SKxclKL)u$!b<+E~I?2efBGTn5+*ExG)Hu&Xow3tvd7+z-bIg5plz5*<5K{T- z>sHVRr7PvI|Epww5`NpQ`zOC7`4{yIRom=szo2Ncowqilbqs*`j5$ zijHki^C!T8dvYL9u8=27#3OX^JZyT9ml^O9WSa|?f}*8?gAw6Ut% zll~)I)CP7*SM3P32bNdnEO;8rfVdV82>A(B%x0s8se1P&~XFgYKISamhOW_=Bmk|sBocyc8AnB?+9 zDC{XFAV;LTAam{!YwxVHY8|K{DjIQ(u~k6g$nA{#ZtAA(&u8N?AzB2va@aRe$3bdT zuyLVNvw;~d!+6DDj@jRZTQB!!?TH8x$l2UO!_b_}^e*^xeURVcL_T{i(X^uWXT~$K zqzpjgF{FISwTX8hlE{m`WEEIF-#%uB1zT%(IgYbF8-uEu3TTGA0%7T$>Xew@cpyLc zB=V}CfFt3^xeu}H^Lg0vjkO>Ri=%P6!87<8ce=CC#z+y~dS6^8gF^|>MV7bZG1KN{ zsLlIH<;g11D_z7YRaZ8pym^Fx@{ONk$AU*ZIXtn!N@-NFy7=Nzs5rh4>yHFYNQeve`beNlNuUa4fZ3nYd!{xUO@Bs`- zc(kowh{0pSDD9C6Et~5Ghi~}vSvSDaHLJ=3fXo?rVr4SrK084bYcg8nmLk-whb$b$ zk%$~@6(83(*vQ3H4X&@21z1PT8iC-WC8SSz76w*!yyk9d09ki619DdY#Ny?Gg{W&Jy5X4yemYXEUS8`|L2L z>SgoYEuvHXoLc$b$m&v$`36+0sh(%KyNS7ajZCqfCH2R`b+wFqu9qmK5ho-h{+);5 zhgh@kea>I2cN2F44_QoUD)ULDu^cD#wh7w@fXy^6BJpjldTDZG_$1m-!S%%!(`g$!RwCfe# zOm#Xp_zh5oZgDl`d)pD|2VT>+)COj(U@vO=_W7zB<`t$2Nnr+?Z-K&?3tbEHnT!Ii z*o&lfw;4I?xWpt*2)gR98gyFBZ1&~T=&kAlJR!g*DURl+L=`T~`of7s1j)qY=v?Q~+L@~zCw*S+S_VpD0V)rJHs zpXT&Dv903I>`~kda?4}$uS>YC3X3i142XH`;y?Fb_7zI&AWd)iV$;MrAm@y1ZOx~P zb<_!kfPGCG1dAMv^-dQW*6O{ce^;A!xP1faT^2OhUY>sMZ6ziIG-7n~k}1S|q*LL? z^SEEhXaX+uPvTNkCTm$wMcniorHA zooQYtPEzm||!$l&HFYt^mf!;O1aiFE9X)3~S4bE>iJmJkW zOHbdxrLRcn?Ua=UdIy((XJm>l? 
zr25s83FWmv{RJD)YYdAMD{8M9{pMk9Zn%lY-eZHp?==||TwW&#x@*+>Ys(Zo(HXc% z?>dH>@m|0fI^eTQ+p|@8UfK3Bf1t7E08_=vH*fsc_V*|M{`KVypqwqAWBAWK&wsP$ zCS99HUpW0;zZT}-{5Sqj&1pc51?*bjFEe((Uc@)5RF?woU}5>*UH^s_Tc7!lC_lKO zn|t&hQU2d1%F+g^n2Jwg?2Pd$`_U)IqaT|P5gb2s;No?~j-vu+E)d-(CD>C5<{_jl z;Sdj8V)?XED{zOEt?8`{$pXYHkb2%RAwE3G9&w6 zmD!anK$(^PkIL-+rZUU^UzOQ^MEQx_{zsJmkBHJtPEZiKAm%wgnxFgcKt&p}T_6h7g!l`&%iViy(K% zc}p`ckf0Ns&ccGar4}BbwdKY|9M9fZ#~Fv-bm<0Ty9=<-Ppg+L17+QuxKPB&fO8^$ zS9^baA}a*lPjym~R)#^?HmuOPHBEH_j+9pXFreA2bfN_B)UKTURI!KLTSpYm^2z1W zCnjj9k-`>uO*0qNg(0%_na@tVFk(R?*3_g|;tWmx%!Gmr)9G^CxNYCV3PtO7vZtKp zVP7U*afQMi)OaQAp4iWb_CrR5m|`gb(26YF>04n15dAd}GJBbaDRl&dT;u{>p=b5 zvI42iwwDhG05s$buIapwdZ~;*RR;v5T+b-AWZqNeX1d}wI{li^;LXxF-@=G(MG_{T zNWHz(5_9c8RInsd;&*f(Om_9EzYRo0N5P?M+eCg%i#p&+Nxj{~wkt9wbi@}I{&- zcYQBiWjI(RW6usq4P3&UK?dR|jlXn){}QPj;MxQ%iKOi%v+}X*te}r$!a*Twt6h?0T~I;+fsFHDVl= zTF>D4)O9lv!8_wOP3RI2OzLuyF=TDw$UEasVY||WHq{}l$Cs4!KU=h*w#mX+Yq5Pt zcAwO;(KDrr-s7!;+OW9r(Ak);5ppw@AUVWkb`wv86K#RdYyEo5{=UFwN$5)o^-xDp zr`Od>7%GB@)cg2q3)yFcPkW!|sOxHP-c~C7*JgKgxOZt9I4CZ$dBMH|VcDiTzh@4U z2b(|)Pe`rkzkmKumJ5LRU;wU-w8;2xD%*9*e^mLqX#B@3c!Tu4-ujPM{^OOObH-Pz zw2eIf7xIcf{V@#R!R>}jP$TZdGDNYaq~IzFj<||)oj}VRoRl^DYNnt^k7e7dC(bq4 z1lKtjDfwt=aPXE&UpNW+l^u)QO%T~jFSe4=$}Pab(Az5BpTS*i@8djJxK9wa|Le#V z%~W)+Jj~4fl(PcpFx7r+dOhx@Z)h0SNbkOI3-%rK2YjI^T>!Iua{&yNqD5euHJkdd$_$mQ93 z7XU3;B497&-EVPH2I&0r!_ zlK40h%#rQ!X0&m)#DmLt z0>UAiX&q=a>4g)?CskIH%L;*-yA&Q4W^viVek*+{1SzgEH z=hX$NTUiX~HK)0!tg}#A%Elo6lKh8Qp11-=hXrSXV6KZ;K^zkag zMzFcSB@#hH_Bh?7Z%5lfg!vuU`~;qsKj3Z@iM2JB0We&WG3ZhNTV%K#`gVxcfmw$& z%(F*I6+nUuN!#2|?~adoM$Mq$MHKt`vBlRfBUz5ikk=TuRR=N^U!NO%=Ty0O^n5ZSLQo6k;(9`ZA@8Z0e4-cDAa;&d8s)a=Bkr@u2SF z27zgc@pa5s6}!*BVpv3Bg}P#ww?x4jVEy#n|10E0I&j#aRVDu8{{KMpzYV@Mi_IT#`+zJ2{r?KoQVX2G{6~~+ zyU(peJ&VTz*whyP*AWP+Cd4>EfmejkeWa4}&F7!>c#daao`Qn(bFRH@1H{+U4uCUK zwF9!=St5m;ja#Dod!GD`fu#;#T%X(+ZG~wg-3J0hlB8yUY;^z~e}CT-HiejSq%@9; zx_RPg+Llq4qP|!eE^z{Kw%87URFRNlh!nPa6#J03eD%h-Fxu8R=rKsuJbK5)EZ>wY 
zJ^SYUra{^k%ixRL-JMT9rS>e-Wzgp7@(5i?ZV1S9Rc&AM$c$i;4dA=Rx#JfN-meqGt41wc*G~Cv@rJgRy z5Sc6E2qgNxvFFq#B+OV&4YQ5abE`ZwtzGrfm{kEKR`rQT_=gy;saN*n83jEW`Ms_L zcXU~$&-1(*d}ip4N&Wk7uWK+}h z8UW}##+g~z|70S+uVg(q%iA0o%&Bc3F0{0e1p!+C%>g}o@(~D^^M_uR@CF7sf_xyl z65V#H=t)1}gy~58qEsPq-=GL91vWNXBRR z5_@!Be5cbQC7lw1NRPYOczgN!f>d2~$#fYm^AT92*Bj%CG6V9g)vLJj4czlhh<&6* zf&NeVPZk1X0vCOYq<^~QTSVa7MHs?kD4xU>b)<^wmes18^I}vh|hmgsC#z)ahC0%KhwI5|{>o&;|2YHA6mvmz%lc`N4%JF?Y}5Zg_Vin5ZdO zJV#$#LJfG*+c)O7pchDa3Qb0YY}#(FqQgT%LX<~<9q;eSA7AYxqM$*x`Y~A=VSIJBYo7^;mGuAN>%GI8+P3at529i_ ziVBESMMSA8N)bX(1f(dU^cEE9y$c~h6hWmaNH0Nua8VXwW`nq|x}#{`t|;?~KGeodjBhr#F>291bFD;DI7H#=_kM^7z= z`uOGdWKXbt!^_S}Z(Oe>XGpj2%5apngaQKSQH*Hb{vuQTzFm`RK0Eqap%k>l_qWad zudw0Qz=@8P-{qzxaPvI1g!L<-* ze|_(RqIjWEKN&&NbC&|oG#8B3cYbF(mc>r#%h!Kg@d%+~w3J7z{FOt6l5 z>2ekTc2A!49kJ}tZ25eCG_Jf21Q!@2pRwCpE zt2dA|LJeeG9<>&gw?58NY`>5QP?UQqnTzqpR*Ing4kU#urdP-w)J6Gb#kqIkf+=YN znxT0@0rPLxD(ul#sgrK$E!Ny8!Ek!6(;V^ku6nbEf3yt!w*B%fQIdY|-vbc-+o*FK zG7Cv~!zV#=ugkg|@QvD89%XJQI9fWHnH~}HGk6Wj;IIJZSPZV?(jU*h?1HbyA#~Ah z&A^Q?YdGj|?m<<7^YDk|&7BQi`?NC2v6lzZIM?ZuMEHo6lxu6~{?tDKx%>E`r*ah1 zY?{v@P7~U)Uhp;BFR!?4vUUj7<8GgTlZu_|d=7|&dFD|xQu8tbzi*hkH~BuedtSVj z<;LS?YkihWm>i!N>xs?y6Qw$67-b=`raSsw11kHwg%hvqrXOQjp>bIHwE@Mv%#Sdp zuO;k_!Py~>-Bp?bz6RzlIz+;J z9pT=79|oN=o`b$;O6%8P$eykKV&4jwo(6G(SoKi-XZx?LZiWkut>2TStv3XHqWt*J{R;`S(7 zNT;0n2ja=4F8Amni_-OJ?MAboAxDeHQQ&lm)rZ=g`El%Ba(-{(sn67M+pg*l+-&tT zVSKs87Ij`-n`w`uo-EoXTFPy;gBfd^K{+3p+cC_fYp!FJzRZ>29c25fv7VZdv9bEo zHzfL}j=+CByYsGgN#aJ1(00o{qacJgFQf9j(RYasP}-J#Y#uVaqxYDy)Cwo?kQf^Fm{! 
z6-XS))DT*e%>CFwM~xz+FD3YZtTqUm=Lt$!O7G^`v{A>YWyKlK<($M}7#0k;dGmxQ ziIN9?5ascJ?A46+jA)5;W9q35y^^7CXLS{>GI>)30Fc`l%AY$ z*nV+bj~L>#@zQ&?{tIkC7e_Y%AftbH0)Qwp0q{G*X#&=ae+^YmYOpyfcu#zddR`Iz zdT~?V^74h}?PI@WrU8gn2EG;{9n$sb2$=pQX>hGw2rF88((v3$y1Rk%%4!-%LRv6` zGAURC-=XRQ5twhy$4?G2`cUtK+CbVOayWlPqeJOyLsRW*Ync0lq|wA6!8@zc3WDvTii#TgT`uE(<} zCk$V&c9kuRmn@(w%b}TgUJhKyF_j+l2=rfK2Q|yg5-k6LtDE@)9)1p1vO6@_LCbDHq{S;uChl~!xzlu8_A3;Wg8`|)MK=6d9nwW9!U zQx6(V0ZBItp6>fhmM?=%H3sanC2KAW0EUI!;bUHnPJ+~fU{P~=psjB?Gh88M^GVAu zv2T5X8_&gKauFV_`z0Q_VF+6vG)3D2qlMhs+d$?90)8Ys#+lERbA%GIPjG3S=bNP; zCMO&DSS3Q7AOJ)^XeOXyzExh!^RSyUtye|%QaFcJFyOMyzb$!cLbXckcTh|qW~$S< zms~x_&sZfgR@b&&Ud&aGITb}az2~g#ioQf@uRwI$cv2PhuOylgX$~R+#>bwHE744O z5T;t9W13lLlkz$3R(IKr5#?y+Kq6|>fU3;E+k;bq;D`SHzVPLeu6^L`kMYZ+ShqTQ zaCZ4aIKy-ErC3HSUPOp;i-zlYy650I(U5OgN8rD z;zAYj#JCK_>^0w7JWKAdABGL7sAV1SN~-{Jr|O+$1Y^0=BnJJJj?;J1Yb&$7#{9+r zRu0MA0gSq4-Wm*e7K=1``4dw0Y@=CX(h8vlJGJb6u{UbP8(-G0BIMeJxW3l4|6!0i zs){u9Vs2JNo0zk$%QF1qO#1C{>H2+60efeybP5Zk(G11d>g9jUNm0Ng7`&3X)W0K{ zExS1LuL6k}%+ChF1~RKHv7%;kZ52q5Gv^i?+)M>(k%2;WuIQs z+G^i7_(ZP~!S2JoLuN9t_O_p1dkUPX<)sx`#sOBLSUE}XxQ!Ou%_8P^B*SSKcxHK( zNkOFlglGHwl|yeQt*SFZpC+UO&Mv(*v1Y=nYyMYiiSF2EZlhbZd3$`?(kXyz18+sj_L?LBk_676_>(KH&{83x2c=mD z%GUU|?A+E|?9dS4Qss*wg1mz6^>{d)TI^iaQyVIi+TV1$Yc*mENY98NwZ?I;N3!No zQ}W|hDx-<+dGf?TXhTj;j*f|f_>){(1#JGApC^_@bK1zl%Nkrs3|ysU!3Qs$AVfIF zDfrf_Tq@!4&TVhsI60+dJETvUejt~bM7mE(vFN(<2Uy z>Q9yVF=qw?k;eKBpJ3+q)T#~O#V0#1+B|NaOdGPK*o57Kj#&WyT++E-Ap~^ZU=PO zyyU+)DAqUnPKE@wCa+*mS=KEL?eGnj8U5VQmR;OmjYA^e*-5N@pl&joJ`7lzce-OW?7v@$&Qdw;&lyG)klPGEHSTqSc#X zQ%)3F;ys<{GE~D6g#y%XvIh!b>VH(*L@Varzj$uk&V7W{u=^*ivN%xplduw_@-VXM z;7!}%Am8EgiWuefuej_$YYaofO)uje7slE`IgvuzF!ZdTi9AV1zHWHb5gTm{A&uH0 zc|i88d28=^tR6qm?KiOkX0F{qYe_vIX8F~R8_mnIayfO}7kiC+1wO8%se%Pr=`rm> zAHTXkhn`M@nG|&J{VQSqW8ZxspK)#&oPR&g!9QW#rQ&v;hr_k#q+oW+|*pV8uiD8lGAY@>8GlWrI#8&mU^v9eC0DaK2VIafs@3z@rk{!Y#I&* zEsiSzFuk$e?i9}Rfq*kH8=#zvr(82Ud8h_cVb8O-a^00Y51Yyp%Vj|q+(RX5Ri5c^ z>awMH0=EDY(6_R;>nF`rO0mVM8}8vZF 
zbtVzATB1GDA;a_Dm0iAi?dF?`W5x-Nh^Qc`dKDmKv00Wa1;7Q=8}`$DilO!6;EV-ipiTcPk$rYoRl)nH)fF`sxjH15V6F^v{W^(9?Q9(l2yE$5H)wF*4 zvQfeK^KlpT@|=9ah2W1L_*QE~Ul=#i)2+abG*~%b{W`0X!7a{(tu5D z<}5em3FMf9x%r9SAO;235V|(tw|9JHtjZa>Lo`X@y0hZA9Z+g{eD2?Jb>OMLvo$e} zj1Q&O{4Wsiim|FfMcq^&tIQelQS`MziwmLWg-GM$5ljEux<%RvRfYyVl2AYlXQk#V zDrU=RsCT`65v!Rb)$CeST>bqRTaQp&FxY=}f(s*_LZ0-8JeIO5wZ5L`VV9Q3zG1Y8 zcAuvOnN*79M)9LPTqFvv)R8iu{pr-z3u6IBZ81X4j=gD$MfF8tNg!mx)=waNvzB8I zbA(BS9O>R07WewcduL>mpSH@;YrsI-0qqb+C}t%8Lkdi2g>^X{eZSDlU=$UX4FU@> zL)TPR`d~7^(lBhCJs4DzG2(Q+FH1Xft1=x_E%t5*fF%9av{!SaM?m9xzzz3f-ZgWd z-*OD=+Nbg(gbQ#>mObczii{AuZcCwmv8j8X0jwA6TJ5&qBX|DJ!33&(SNC(+4}YE) zX4%`5xon*H&akGy&eulq_*Htjusu6^J^qjEVkaPL6>AGn=UQRG+vmVY4tZ{Y@yR5X z{ffstvD@T3{UKqw>x3YrNKv$t4r&K*y55#>a|R1% z!it8H8?ZZWL5$kX9YFeTG=<$wi9yf{^%YSSB5Ue@ZOB0PI}YahDoy$D@9dcQz+$a; z-p^A%oIhpWzjfi7bVIQzTD2c^G+1tnEc?2u^xxzT08Yc3bZp@Ns>8);BTirYr?VDeyf9&J$%ejGL z1)qdhRPoDE&SpLzT%T!9f4i>-Q_1MZzYw{S7R>E8=9qVwLX(S*cTYD8SGRY6mbz3~ z2DnC_2nbR%iDQjIhc?DpxE;NMHhayF%*)d*6!hbxWybjPgFMw5rI*L8>f!zBJUw)v z1U0x8H^HZrLpxKMRFa1Ta0aH;HU$QtHvSZgJF7*~xIDt4$`M{!J0D)>%XzJJZ88#H zAqaZVtBeqTadF%c*KOImK1Y-RR3xt6hu#}z2ik4BGyboelyfF?S^6J$;IC^Fa$QC^ zO>s%)-A})#Ds=E>t=Rs@KKrN7e$3DW3RbTQ!IWuZ17FF5aNE2$p?mYJynC*uvt8!Q zdUfClX6|8Ag7DpA?5U@4_UI_jn_!G<*;MK-TLY=?>cr51T-+yRz@aZ68}7`wj}A2O zk~jcS|56#Gq`p`Gdga$j`Mnf)6HzFHV-rwCaW_SgYmcmxbs4BAZw8u40W0BR0N>J; zdk%d&4|h4bXKJv4h=L|Q@je!t_BQm7ygb5}6)bZHOSJfARB7B*4vdPHe)ow(ON{Hf z(sRPARhk2Mb%%v60aZ8zh=yc*N0M|t{7H3Z5}FCdI#}EG&lOfDHkD^WkJlSKYy^B> z-aL4&bwP-^CIlcfSfIwmkD}6#s_83E-fTNP~QGK zCqTPB-9rP$tVA+GvOG^r?$*aBGI5YJ^UXv2P<+`w?y7%CmmX3M0V+fWB~*-U{2Z9Dz6G$~h)=?^|3v)%{Q<}hkM{Bl^R!-M{oGph;0Z&M z$ijH7oDTVVzU_%RZ{wQ^XQ37b(GkLie&+pD(L{^OvIVMjlRyE!Vg`6{!8mri0}|Aq z)kiZQxSu)un=_$REJU@cveHG|Sw?)w_LCh(&dD?;6Rii-CZbF4sqEs4zu@dCu_D2S z#K_s~97k+_Ml}G@!1tt)I$TDBLhoTLhm-o(^R5zC0Z>?_^o*y;77fdU2N_)Hspe@9 z`v_Duzlq*WsGjrv!SUHQa+jOjS^g2FLWc~`HeP|5p8RUw>uva^9~0i_s2J!9tEBr1 zNWS5p0O(7(;QU>{<7lcNn({=16PoqZBnwaqAb2coC2DJB#GMnyC1Cts2~OXZHdJI~ 
zD8x7Hi(}6sAk=|GI3jwcb}kyKQg|bma1*?SZ-*iFCL)5?JJvet(ii#Kg@Wm8U4t7= z0k_+lFDaJXU+Ce0of{GxS1atWAD!#J6KebE0@L&)!gGd-A~(4c02e7Ip3#o4dgVPA zpj)EWGe?~l1J_CJPxn(M_iG&6J1Mh?9D#4-+M3Ic(vmO3I&>tcgQX23Un%_>o@ zu#q;{QP1j>&Hc)@ED+sMx zIkJ?qB={A)n`K1XSarAi8)S23Vw7ME>A#Lg<{F!X6+`V~vg#xodFop8`m+d>+2g7Hyfh<<$NGJuSFc!1 zab@xLTrmF~w0nBF+QL%_q#o8N!>Y2>YYl@SJjNzU@B}fb+AGycSE|s#sI`#j3(qxc zHy`b<8NM)XOj3F5W;>jw7Plo(@0!cGb33)n*|zsVyTR-bFr+HvqcmW?Mv<9otZW#V z9O4G_&=A&PEU?*9JbEGKC7JU@XL#(H(9MzHosq6Hl?Fa{Ty#D?=R6~R;8+e$)Nm>x z=i>(-bH>%yD_Yi0uAy9UEw>Z3Gcj{6;6vZLRjVuqe5#%T9i&TOXxfhw>m^iNC>^-aNSh z08w8fmMe~|oHvB^5J8~Xrt|G%C$|uoYaOkl^mVOKI#@t4ybjR=2mtoJ42shve|L7$}J`ue6_GVVbt4OF>IfCzBbi0Pi)2W z$cd`)$tG^^uDvzTfg11soTWgS9}dS#sb2T?BOMeMMDh&pD54m|0v*6vZep(z}iH#d}XYdq5m00hRguN8@o6v7~AFU zRpH9PkJl*A{}|P{kh8P%z1~?I!fb6M9VM)b>d6-d5P*A;xy;s@d|PbfG|LVjx)+k8 zlgMpUqP&=7<8-BXv>?1385?Bzrc%W4->&DZA( zYhko;td)UZ(3l9HVBI#HrE!e-)EyCmBy#S=h zbn2vWrQndYNO$VqqZRF+y-%R+{mkK@g7Vtx1e|w7E1Z6k zzX<>>9zgNPmVH{9)?XuzP~I5r{F0asdFd1et9rj<=|6ZiUM5Wz=|#o%6iHewLaC^A zK}kZ%W6JY^cPi9Jp27{A>`JU738?5B^x?@m*8k7U`;eMF+!J1E3o}qR2%$|p|R38j43vQWJePgoS&Y7G)Q3A8W!*y zeIPS@JU5ag-ArHK*G#HH_5i*`OsVHWtEpI;N9%e9`@4ZPJ4g(evCT#K?pwy(4OC5E zWnDBUO{@+V0ry`^^y3=F!+;;K=_A<0ZkW^hwX2XOnckPeCI*)yOHJL|c?hO^GgOZ? 
zS|k|s<4-({bPDXK*m_7(jIUuQciT-Dy@MPYcb)XY)-5QZOq)Q&bEOriy#@VSPaZ< zARU*=m%PQJVL&?EepW^R;k~?(RIA(3@ZL3CFUStgqLXF75(amwP#V+gXeJ$P%oqgk z3`!3zB9zHG6=YS^j%kHmafG#F_ZooWCneRy%vFr|TnrBTyrosr^Q^=B(i%_+Nuqbl zq9bD{t`$9Ud?a883@0ZyJYD<>7I>F*kdOCfQSq$&A-!;NHxP!JnxYYT7)7(c71}cI z)h(3pjRoJKEt$s8MK95a%RFG3&%)-}e9Yjh!e=`vQd)~bGox7xGRK*UTDF5Tr8l`o z%0&x{B{V$xHV#5~=Uo%R0G@B0vb{5%>S%6-(fdk&)s8y7@hQZ~XTD zc*Ssm$+sch&ELyOaFsN6weZ1mm9ps9PW_j0r8ckR0R8oU1Z#a9H-&Si?rOumIFG$V z&`GOPnkMJiq_w!vwm^Z$0&4peAnSRm>8a`TPjMMrtlcu$Q=HcXVNyr@{p5%7j3u$c zH=?l0aOePx^R3nhbR(s{5kUGP1`oi1$#oNNHz^vXqhhV{YZVUtSqT7dGv?LwC?K~` z!Fb&as;tMfq`yg8jLD=SGifmj+neLT40aJ6XPP|z+iPI zr$NMzxu4L?R*cUf%j zB>`_K^35~|+P7qZafkSvZW1xoju7b}Z5KGc#O0VdROM<+DV}c{E-=^22qD6V(3o$7 z_M}n&#eoIE7xtMBk{IvezrpEu5vr$7xoF&y)$kkA!!j}$Z|A~C$eSy%fD?P_*zYxZ z`V$UH<;a#cd90bZYoS-`ak>8KA$2{;4>$K1|Ll_91hio6uzV{af8!Rj&<5eVH7(6B zvU$8Ed8}sOnr(PJn$WSIb07$7MKknEuY%~^@&6MzM=9ro(=b<@ezEOC!VUmg8T{0c zL-u%A%u0HnA%NT%2)G(N@2za+NF3rj(;0e6sgRmO2oQbElTT)JA`mF_g#U7`Rnzde zm0m`C#-Y+FPg|7;>Sln;JYCisKX{4!xmg}}^TpMtG_Cl)HRq8Mfp~+LmZseFDD5l? zDt6aKD#aB;=B>dm<`&DZ3p$Kt`u^XHdh4SHZr<`nl8MGIUt7o~a5!pIeb(5so^r_! 
zc16Rwb6!B4he62Ex=V(L$Dodzfbg%gCE9lqQOMb`BwmM~9WUho3(EBHKM`?NHFmQ+ z7f7=AV{$X5)b)#yw#3Qa4B48?(gkNQlb5R(2sTcHjXF_1LzZPO#hB3~mFukMD%1Uo z@vt8g($EB%fckZd_2U~d=2@|eM`To*z1p5*rIg-xk;)lkR)O!DkmXKq9M$@vn z`2jFA#*OswfdgTjC-|AY{y&BmFT(NT*gG=CA{N zNk*@vD8;52#yC@O!j!x3Lk)VhDnwXjm)jTL0G)wTe2w9H2S7n^mN-JRvI ztyMX0=8OVm^^(Bv1$pOkc54?pMkD0ir>+Bab3Jn%ovz$bl*df#a2A@vBE1F#X8i7@ z2bS>6G*fiHL&jS2YI9!mLJ1}3kDj?`g}U+)H_K;_Y^Cp4W8USeAb}h@=i}Evnk1i2 zJ*@4HtVA9^gaLvXNHi`%dfkuc<>DSeMDFr}E1Z0mN}9Q}&Tr0k^~zk0+1c7m6e!wS zJa~l)cV!&f{0T6^PG2mSIW_dxFz3G!2vo^zoT18dtvV8Oh4j4xSWtZ_EzC*z%#9BS zTBp1OQA-?}AQdwKgHgB_;(cyg#>gZQ^#=#*X!B6VK6J zeA7E_)(Zko;CD8CSn>JFxD4L`EitJs;|DtA02aI)!r)N=FhGQxtLx-zp$@eppl^Wy z;H&o%0lci^ddi-r>%7fpf-}f}i+2xMhHzwBZPz3knH2`t8tl*R1WRKpKaXR&{;dov1# zNvsC4!@lDotyl&oE-dYD-G_e}#JkO^q36JlCpzNu@uro^iJ|mUb&9aaGrFm%4%Vhs8V*Z3$!ZoG{0NJYRdZ^N{*p^cDe`UMN{aR^& z=N56jd)+c7pIJIrw#z8-1Q01_3i{+SpF_%Av_2&9acxHH9J<1c73 zV>B->CYO{a@r$qdn%BJ$xq`=hHoelItDV&kSYsKY0Hqk0_qo--4&~qM2lR4+zlp)%!J3Px^k7Zn+6 zZD;YRywvGhOuk(Gbi#JsyLFt_MRNY<9J4(`o61P`up%Jv_GnsP{0S*P)1OYVi8e(6 z;b<6)nda`!Dp*hl7P5tQmNo!Dk5~xMSDk`3kMH!PDS8u5hx3=$%g~18SkHRpj_{2X zV++qOBKlm4PswQIjqYuLlpn1HeR0>$t9z`8JOv$M6;P|UhRw;#2r0+rzc)XeOkxY) z!Sn<6g-fQn@5gmb)lwJJksk6U=c9(D@(l^jmKC>`!shgw!s~Bi(uQ4^N*YLe*BL8r z^|`PN+Xo+g@H2j0mTTT>3qQ^_298~@H!99d$-r&7hLpd4^hS@wP|8c~EK|qX*Qhr` z6mV~~{YT`X(JUJHW}@mRl<*32|I+_cF#=i{+oBMC-!5!cdfBi`bv=DQbnfW8&-og> zNTEAyFV$QNs>JQ#Q_Z?J(vQg0W&^%4u`oBeeJw-vjBwhr+%JsynNDUu*Vj{%R{klR z-(L#FUv7viXPxTZ5aHG>Hqvh9HQt|T?k`is;C}Hv$hK=N_WN7g_K|W>p+kby(9=ZD zO39*4(_t%@7`g0Iwv8FF21I@*9d;x4+iZzj(wqa4M`xY~LzkZvDtJzo$KAzF|XeWs2MDeM-i7YVwsG%6YxmY)LBad}_YJ91!z;+4nt%haPkG zJ;gHq%KZ~a_G7FX`yX;{^KG5XiN)R!dwC@Fwcz9F5Sv1w2Qoj;cD{i|j9?QAXevww z>LyY%zty&uoI@76644IM&QKyC#M8dz3mN;BWbC%I1`edmDu5!!h{o4KgqCcss<5$t z=gF7%FbY1Bj?N#3n3_~J-IzyDF*2IGovWH7p4dx*4tESq-QS3A#2316oli@SzS#PV zlhH8$w8&sUSO0(&j|{Yay^6U5K0x}0y0F^JtF&sCT!Eb!)6^ zxjYx%k<0JO$!T>2@Pqr+l6ob~C}OB_S9Do=i^s9ibCjm55J$^C!Fv8X8*;yV_uX?x 
zXI`)<=P{x>33z?K$e%jVEE}r9A!*h47`+V*_plSWQuXttt6jGSx|GI2l=--DR%eM# zcxzC1$gYrHHl5fXrkKmNsU_IdL;>>^5|n#NKhQxxm<4PulncR%Hq%BqKlYk75R3ue z1{hP3vpn%f!&|*{j!iVIGUJ2wu(3gULJwND_otSN-beuz=$Z{r-5nPsWA{vk%Fdyb z=;&xi|3Aq<5}00MUX$zMKSOdFsr|vu$MSgXY#lPL0VN+IzV6NcN24$xqx1xM&hXwj z(H>?nM!GGMcVlAM+Pu)O_GuDdL@{F;Nz? zr*h*ZBgWF@vR8QI!HwJWEVc0(V0Pi0ecFg%ukMjoD$*)6@Az_>=vc#a=gQ!xR4R2% z7G3mNPm=RQ(>5N>O=7;3Z8lTfF3mnj{?e8-j)Ys$bM)9{v$dDPqm}9gDW1LlaZbtV zArp{u*U?893mx%4DvzFAWfMx>t_5sv^ZxFizU{ysR%0A*M=&_(62(zMxdnhjetG~^ z8TQy+okmE2KmvvKhyH31Z+U&^q$a<*yQK+x=@mt!~E6_dCj$Mza{wjKp=~a-K_t+Cn!v%@`wbTvfN|h6Y5v z3y5*^FR$#-wsgLH&7Vp(`VnbA-Nn312kj*1!K#2HZ2>!I>>c@J`a*lUk>YBz4r50c;C6OBBkA?bvZ%}X0{eNnyC7+CWK<}=r<(&srQhE}L9 z1-O~UGW2nxAHQ+s`bH}9g0g&c)CO9C&`5gXL7L!T<9TkC9f>+0h)qH9cl`zFcBB)VP{UilI;%rWpIza$TTs19DUb&&l$;v>0v%?rSx8^wRE!n5_ocNyyffi$WY2vR_!14CL z2S_tq;*Xwtf~WR4DRKR_EryWZQ!(SZB)i�yRl zR$}c}j_4xw*j_zzd`Zju@YGhB4?;gZn3RCW`~dH zjJDM=I4xON%iFGL_)#{tGev#wi-vqo@`hh16ix=)WulJY%GZSGI8A>g{N+T_3VA?Cym*{D+^WHK^bhv1 z7cB!($0ZuvF>*KUY<@|`WR|h9cm;gpS;N00T=#>Om6adt{_^}M4n_)rr-SB=97h6ikVDYl;Xl4YwkZCgK9 z-!yDL8QdR>R5kO_P1a%GH+O2-yC-5yNPGN@wQ1$et!}flGahM295kRh38Lh!)0529 zR|;|^#wxY^<5Ga_J(&-HDZ95iPxAbXQ+`EpESr3BX;0wsq{z;~R>ONV*=i`>4&(G~D16lX69gDPV!1FEfC4lb(&LL81@f&I2ASk1C z{fpi~2a*Z;rJDM5Ly?^^11INSn5AeSogctDW~!gqr&#(A$rm5AIv;kvtM*rn5fZ7o z9w9t7OXNcWeD}z1yP}`JupT|=0yLNNu_#yV;UM;1Y|n0G$^%EyE}&EMj`NrcTA5H} z$>z>^Qu5##4Ts`{Cl>6>ZcP;{|ke4 zf+Ou2p)oPG#R=oJlD^U9=j$TVz%5Z|@hLhEYpSSF7yk2w=>jk8*|HPwf24GNC2bC` zRYRF90LtH)QxH{O^X9h}fJ9-KiND&NeDR|rVuhv}TOB9>p^QOzT8XkHQfwDqt;<{l zNZ$!gWK(vNeKx8UgfCu+!3}uxs?xWD8`S!$92#Euq6NDZ+}mQo*){kcMSBHwBjwXV zR;n0l%M7?qf&w?G9dTkZ$pC>$*6>K>?`g$-Iw1fDM416d%C2lxS67n(2AijaOse-U z{fLv_*f_iS0o9G~%Y%8~%fK(Uo&{ds3$|uILzlPp+QANLZhy!>HTxua^eFEw3q-yh z=5h(KIWGp)OYaVN&c)W%>iUr%H&os|T1Mv)1;TH%YI*%$f!d=@_CePfynp(*oaY$>oHnVWYnv&B{I6^6>DDTWK(S6r)<)p?eQ zL|Wb-3tFkJf_a*_3O>6Ud2$F0Y}{sX3(yZa#5G{S9A4_&BY`tWa2qRh-)CgM;_TL3 z_nlY9;!4p9Qo1BCEd8$&_}7idbl<~jsW=O#R`dJ^>J7_lc@WNTskpFBZO#MJgjCE; 
zH^-lUI$o?*5#9OLKF!bSe&KmR_}5GEgDQb`j$dU8Er5Rc;gdfETtZsPDRwo+MclZ7(;%^rw$nT7K| z_!=bIoqvzAnKdi3@(?0h=reo`-VQ*K!V-7&Zn4^X;=RwwoP2${2cP!;Cq;0GKZL_h z!@&K*K@V6o&-fo=cf z3>|U^$!dAz*P{P?eNrpmiR?*Znh4&d8F5>Nx-NS8L{C z*w$Qb7nHqP5kgbv%+lO}icQO1E`ZulXgu8bd#iq1F*pxk+vT8lIl1Z6o?^yu&mr6A zmdyF`2<_b|ad~fp*X~O_PA25Ls#ADwHtoL*yr``$=LUFLJUCaM*lxJL1WuB`eyDU? z(Rr?6>Kv{LEWZB8KmN(zO}7&l@c)Jb-Lj)2F3xxcdwMMtBDjL}f`{~Ein=lK`(JR= zy`}*Y3gD6#KiHa<9>OJxT1VuNJ&|4Ge2=_g*0%pP!tzl4%l(GV8@ zv%UH(o5+RVvBCd6#39!ZupV2=+yT_+OH<9ha>+*CKRU}dGR)~dwy=-xv~C@houyWK zZZvr?)+w$^@>1I>)eQBXelXXJnvY8=knL;-#$N^qS7oU1>pTI7fmhzwF^X4%anrRx zKQm6(>Mq9dn{ztf+F$y<|L3KEEbsT?0Ws8Qnv9rnr}$otZ9+W|Yx8Tdb9S|cMZ`_p z>Kpb3sl}W#yw;V#tCSFoO$Uj!jaov6s2$ZqFSdY`&U{R_O4Vsu%kS-h?pxxq+)_Fj zu2aoj=f7j+09$nE5g?fp6672C&zX6`eY-+9%mjTq9do31*6W?McfYQ{bxSD|x6Y>3 zIeZj&P8*2QlQA0=+;tmk56P}~P@$U^XDv3>bfYt-96@YpF_N`SgVm^@jf}II$wJUE ztO$8nE}G+Qo1WCnV5KVnS~Wa*4J1&zehNtXV= zaOas)DZKYm*#7&V<@Obj{drW$?bU3jE~^gMy~=N=j@}_g)gI|u{gOp;1^C23%Q|r6 zyN%JK|IOwBHstDon_NA^7nDv23Owi|@Acz>CXcHdR*qTNrM){zf9)rd7r6Q{ zTwu@^vhtSD;6h_foe*yLeho5RqqN_&zT);%twXPq9G)I+Db><=ocScOrS_fP&45?W zUaW9L?^#gu{CGj~;`Zml2PZj`?}er8>zr;?yL+anoa5#6(MMWOR39GGy5%o+I(6a8c;9f;A3S3&QG&R?ZM^|@(Un|UR zKTL#(Mh_WnL|$AT0sESbjO?**Y}%|Nqv|%-jvpb6mFx^|G!Y8d*~8ufTl6|`V(USGF5}gzAD!#qJn(9M1~?B$7+(vPy0KX2HQb66s{LkVLv?@3;;TMC-{p zt_QB%oQi3x``#4)T_AGAs2Kk4VGR$zm(R>rQU#d47XN&tTnx>`Rro7}`zo{>OOfqX z%6^um&H^4MDI)>(m&Z9Q_M=bjNY4ZymRuXgm-MT=1;BXsri0VHA7J3|=IXLW^^!dJ z$RQyaB_>|*bdLfP38Cc);s)EYQO~$H>HBt??0arUY>sNY*aTLgYP_^DH4Zm>g=9h( zi<};G9g1p|9Whi~*+H6vJmBpLL9eFM0E32}?rDhpPM#$*W za9NHPGSIi*wU<-)HRsWRZtKy%Sn;QBSYygtg@kEm}%%Q52G5dQ(l*E6%&{N?5iT_emtK?_a~&VM zTzv)Fmga^#wUAkrQ{{2qvG4MtZqNem-UlNyH^$`SuHdr?SiGm+l@q?|s|5HTBRAD=!{G&xFE}>+q-ghMw=(%_cB%;HY{P3fi zz$gWy;kiJCsY0()-5-~K9@VmtxuX_ZNYQy?P=i~Js6qc42{l0wq*&djX(6IE9>$6Ff_ zajO@i99KU)9!y%4$~kxrYhLfr^K_v6POwnknS_X6Tc_&S5i2SMs4x&o-kX5hiPKK+ zfI*Q=YqEVtz~Vf5_Do;TQj(>*Et8%-E+Kqzw^#26D;lH6X^cHu8ZvA 
z`PhM>bzi7D3(kwNwy0{ESDK(XY%ecY8_cgpi{Kl8@^*4;ci_1qXCus)to&&Jx4$Qb-XJU4qte!_9q2iBP4nF zbMMM;9m&jocB}pN3gQgV9QgAbhnzI=v6q)3K#Z z@M$>h{bQ=4SL#b=d{clrbb+mi5|{z4#}O|BVl1<}F>7Zny_aEJk zc=9?o`LCd1GrWZd(8>wu5E|l3E@oAHP$JNY)E%d-o#}nxq>M1x!9buF0C8s$^JEdA zFexY>w$I%XJ>65#LCFidH;vZ>G=9DTrD(W@)6sFu!zjCza;yRyOMWNUPP2lgT_Qi> z@#*bZg{CvmDV5)G%CECB$`zswkOWl(Q`tw>CAix>L-z%5&jCIF$=#_-Yn*;gmS zj2AMcT75)&l0QLCi7U7LHL>FmTS&qEJhx7NZ~SN($S9z3DJ#Mb;Xf7NT>+uc2Il&+ zHOaNX=by{o-)9b_m;es5`M9~Vx|*b5tYaBvagND*LSjp9{c+TPg?BKiqamMzcFB&n zRoUK1;?$TJ;u6fB^gd{`)Lkt!)59S_TI7;26)eSmY^t->#Bh8VUN>70-v>Pr@dWn; zQk!)`;__;z#H#ydpLJD0;+FZkiQdZNwuWoWtSE0Z)oa8Fi6ODxq;={3v(0l568LQg z+iji$4u4jQ6*m86-$Xe0@4Fo}uXaf`SWVgZ%U^|{j^&@wjud{VfAZ2;w8sK87I`VT zImN^oF*_9lE2BbgM)u9MOV?H|_SuAL*!ZH;Vd^GT3AB-tK-9N4^e5US zd}kOe^+1Mw9dR9SN>32>$^WITyp*GwbNAtgbEaU-XgO-qBls51&CT|3L2(GGT@*4rzlGvQT%b6{QTPN$&jpsH+!yZdyhPscR-&dnK^=W{9 z)r~RC-M3iA99|2Aftfa9#A%aBjk1rkZ9DD3lOmnn4Mx5lQ%X02NtW=@N1S_0|o(H5t;42^8AtJbqL$ajWtgBvU$4M(=v|Vb1`Ug^fGw`5eFI-P-F3I2G zHXpAp<1Ks?R5cY6q`IH2BXbk0j|!Foew)YJJ2AzActc=CXSN+E#)2UbQq%(ZFb#f@d{Et@HZCWX z)-7LF4v^<458I-%GGaIUj*9xtJVHcKJX16vJPa+uFg*$S$P#`Cg<2b5B4yUT_o*p? z9yc){gH})#)J7HpgGehN#+u%Jq$`g_FUSvI>{oi-*`IwJB=TK8-N! 
zBOtlh*s4FwN%P&*D}6|D6PNO3MJ6gz6y~ykE>$k9;sMtcIUy(Ma?mqrB{aWX{f^=3 zqJ@tYluwm_b*S%jSa@}0I05PIB1)`;QtS@he9Nd>O4BEpm%C~?_Hrd$^>y)A%Se_KN1Fe%0`$6m#i!+$fjT5H7~eGY(5{WZ8z5JWIt-Js5A;$d}@h zELKjr@S3V*qLVkib>Lhbi8oxywv?S!xN&zbmGXuUMqg{p4l-$}IzUSkpBc)_sI{ST0BO~_J|nOJ>Uu7|*goo|BE{IL z+0!SpgU0FUS=vr^2Z9r=XjJ5o0a4`(Us}2Roes=06nFM##aTY7ZErG^%`vIJRM-6m z3cp34s)jRPJ|g7FZCMeS0#lzUaBe&EW~ zghGh!G3!z?|AJFj+f}M^tj*15HL2{YN6brH@+Ny9T$z$79_BG_PA!`9zGvcLT0+!% zUB7cF2;Q%I+|2quahiHo{Lt!#Y9qJOE+hT>#otl$Y*_$|>?3Q(b6kd4j}4*NhJi{w zDv7a&{p*tTFVuBMzWjEYA1j?z4b?8ZZ$3@Gy;j+tyA5yDN|)=6pj(N$N72M)vE`5cKBgh*b%wk(nqYI(ZpLI}*?GNm`d`|sFjO%|}LztxAiryV;( zH?WOcePg=84XSbT@CjMgk<+uGUOvsHG}bzJShpCE^p@caYu7Mklby|;r4WzGC?dVw`qiSo8 ziP_#94;;$5FdYmNBNIW(*bA>mm56CUo8WNKx)?Ecohb@lYym$&>ypRAyrsk!vPAVz zjn9nV!Eq(MdS&=vB`2{t)H_<9t%0uxE|`}F6E0eFlg>1rZMGlHlfdv*S42MF&R7~N zQOqFuVL9M6Tw@FYY1vHbS(5^|B!71PzA8Hh6(M>A3Z)*D!#N1E03$4ftpGFOf~)K8v?@oy1e*J`y>(Ducg!oNs4C=>+?~|=^YpM zr7TDomSD#siXPp^r_Ouf3qWgX4y-WvU_b$28_`<--=Jl2pL#@_Iq8Gkk$g~=`rxakvftbokb(V^Sn7f+b zaJjP&OgJ+Dtb&OOG+N8WJz*9UZ9g3+!9yshkT%Lya0?Niay$Y}H1rZ!OJIjhR=M>_ zNGh3Zt}R4K4;-)VX2RT+ddE|(Z2t`I`2pZ4<`rw2u|M(*0YD0A@vGvwZPYC?n2S?| z;65pPcjdW)n}G)4lq(B#GSzjTTq}@EL4NZpIqcm8LxhD74>hgJSlgvLW*x&X^1UFd)x41}cm*MZ_pTZsEXk zTeO3wn$-t^Yo*emwl0nt#x<|&vChhKm`iiMh1sy0@B|07jm=v26x-v^453vK#|(nG7(aJ2t{+v%H?ai^y`gJkNI)jUU8eL zEO@7SIh5Qufb4*&8>pF{B`@~INMxciGLw8=B7ye-Gls8v&8c~k*DUI>Ew=eVjAjvE zB-(e)YH~S#)>IS|wjUyrFVo+2>m({=y_d0*eEIxv=$+Q5DA9b7sp@sNEc7ub|B^bE zhU_C6SIPE2p^<(}`ZrsfrA+M}(t01$+mj+ERudD0DwL*+pTE^U87^vuT^wb^YPv1lND6xa`g*wh)IsUSI|K_W)k_vHJ1E-3``$dSA{eUKPKYL*OU-bp!QJ5Z!o~to_g$ z;Lk@$`P21<(Mu9q;4vFli8SED)B~Zk9gCxwO1x*s2cXv7#bU6-s0?;JcM(6vS_%YG zv&ZXRhl-jGkI=Q8wz&e(e(O!gRMhd-3VV<+jpE`PkQAP`YY?HTY}NdL#JX6D+`8t; zM%tdDDoQ*f{|=O;qy!fMHhrUf#Y^QJ;|Bx#r6t4pl2sdjmqmvg5qj8a zHJ92g8#2^Bd!Yotv368+O z()AI;a>lSp_&I>j(UUDg!cnJv8L>Vww@)AT6D@ap?i@%j>xTLW!(xDCyN7@L1=++x z$MqbFJ)wW_xl-?0UU+h&`6r{BL&xZ-{A@nRs5KXV^|;jA_GJisf8-SVJy2{fUw!CZ 
z|4Lqd`Wn6l)otkGbDizG{v6$)?x&9}b~z_z%WD0p*ybRac^J{*3vn@YgW*IE@c>T> zcqMC%PnS%39Zf|llgir+j>>JQiNq%Pe2E9j>tUwPwqt zysp&A;r8|V0UQZg0*^vTU(|^{CengUYYl{N0k~kObb@2ExO(gASIy>30yz2QlA8;( zHDt-K8gKV9h)}#Qxi8i?7UPQdapBf&Mr{fw6DPY|nq4<6B357k`O~t06}6fUpjh2Z zvkUK9E*^CuB*ECfO*)=zN%+A}U@TMxKmtZd^FLTynrtb0^c(<@O8cLvlc5FM4 zlYNNFQw44#^=a+pom(0~_1k7b)d{l+u;-3=806lXx&*(rc z?Rm&FwMY>t1)H)?f+03CT-MIb7g*h(u`CDr$_^^q@xYu*)F+7CT z3yib+U&$&of@?3hp+NPQNVK2W`YDJ`Vgvh}_o_3YNXr%5jQq@86r;beol5gq;k#{M zZA8Ctr?bW3ah*qI-jy*7%rmRi^m^HqIOBo(`XYz>@r7Epd14YVugqf<_y;|ZN61;3 zH;;NXG#ZuHm7BX~$6S@z*SfjE-|dSHC$X&}~{9{j5FAIrodkw`A$sWh)fO)06$FP#?=@0oHQKNIf< zDx2#Pb()W&JmKZQFDhCux85IzH!|i19`t5-Mrmw79T)5GHo|zwWZKITtESfxk}2jM zxx(o#>Icz*u*5_|4qugQWSz!WyyY=L_;GW9-{uFqVsEc~WO3?xsHO>Zj3C?yHremI zkS4mEtT4L@yyp%_ZnEhX^IyvX#sTSskBe%iZXa@J(oz=_o@a#~()36sXVc{7p;l)* zTrAOra(kkb?K0JzThAdl^o+5c$xw*j^7IDwv$>0cBQ-`yLuawdP4O*rDTV!t9&S`G z__Z+rlP$PJ+|4F0_taSa)vVPsP6989xc5d59}aP0OznLxtOp-AH>p(OhT1K^Y=&Q$ zPx!rS^)~Nka#*#CM3J;!H^!bN8k3@uDp{`G31HcZ9;E_k&)IN#TZP;1mR32Lz{t$f z;^$dE71#dJXe^Y|P>_*`dNlCi=%>~zuI|v42L53mrkuFXq4N|v_mxaVnb$z=Jxc3~ zkm|$Q{5#XV)dOm?{3HR1qbuE(nRNA>o=njX;(4YcQO7?d1>7+?mLUIf2y<>5?sLxs z2cwxq0q<=8S5;McI2A~^ky*pJ8!>^UX8HQ|tsx}C7Y%2~?fh?G-Tg_btz$oFSr?ddoA56^e9zY-{W6u$~oNDg1SC^W6p#+h2xwS?!{Q$$vOOmx9YN?a&rn2ltWZ6r&S=qJ$9>_A0EkJEFukn5)Aw6O0oZYRP z&!M8JP&hli-t016P?xDoY3)9ADn>nc{yJgKEy2mxWY|XC!a`k?o6A=~b#@oWtVJVU zIm%H+w}^g<9;?r6uA*qPi1TQ}@~Z9cN`$|8`{33pL2S;c3n%e8n>muo*h>}bEueM! 
zCFDv8UOByv%Nf`l;~UPIt$=&%^B!|g6Q)jeH~A3QWjiun_x=!lab8li8KXwfJ&BXW zJqx;CvAv6xRS>KOkCB(b?BHXbe#qgXc99H*r($pL~U$C zx2k||R-$Xo?bE<12xhFI+*Wwr2w80dlN;;ua8u`Vg}R|eHt0KsxtJc6a&}~o1_tRf zk-_K^j009oBLNt{PHJ}Icswqiw|RO`bMC~aBlkD%O5x&v)seQ5h@gbToVP60_ge`a zcYruy1j7UD#4G>2i#>x`Ls}je0y%E^|EB5KTV)Z>)-~Lz_g4RX;bsB9pQ55@<4g9A zj^)wm`T1dxPn>JCU#m$sEhU5`*LdR|z|YF4I>e2E5SY|d!qZ&B#3(9368W@dLe_+4 zfqf=nx8%k5*-BL@j;{cirvOW|EBpz{ZgsT{OY~&9f?4B2wt+ZTa%u_lJ*q7>&CyIg zdtR$%6<}ip@bLqzxsDM)uBCB+2v_uGLbIt@S`|s_*kv42$ILs`E~xaO%F26j(wm)-s2gd&Q?{oPMDQ0)CJ7~55{Yq1Hms8|N*K7HG+%2HI-c%hpS`i%09?nPV;hmW) zhqNY4ZMib4n(BMc-0cD+{gzCPWanZ!6gFMG$?_~S&8J`rxZ@%Ng5~o$q1pCK{i{zw z4~uT~=r7k8v}!noRO|K@T(YI|{2O%M-Kx?z+pIC2%+klxR)mV%zpY>g73w;sRV z-!+Zh!b7MPiMhi-iLJ3%Cc}#e_81bk3YM&_GAku|jQvGbX?%{m8o1FCTdo__k8F&F ze)DPm!8$}#oHVmZ8>A%pu^)f@z|0QJLZQ6bwXH8UPt=_JF7=_4E9W0LL59EY<%B!J z=s+1jX`lYAKFda(+uattaYdaBmaM902b<1VDL~I>a(ilC4}!H-KA8JH)=S1s0%WZVc9hu+wY!XLS_$ zt_g3fSlDL>G@v2?HE&<5TYwsWOm`b5wdIr)FkGW%a~VHyI6~DbTuTB zr^l*gjAMgZ7DojI1z9qVg|QEOl{(YI3&WMG>cm&5?7If2KOGv17pt=H*diC)sx=k0 z*Z&<4&`|`(J0V_*uAYAbBo~ z46mJRja>NZO0Wt8Z8Sbt;X&9TprAER8XTedk@IpL0n0VPzFS1wbO4cHn&EsnI#0+C zQkM=S=gZ|JWF~1d9<6Y01As4zPU6e%BWpX_W$HNxP>VsCwOhd2&VSv`%M#>`bpzFi zDkM#b4$7M6xY+L4^t89P8`_Mk`N-oovMvb+Y}@#3<2`8D$u}`JFd&F4LQ=Ve8D3MZ zzJv@5@7k81E&!L!;qxcIdw&1S`i&C=q|KX^VkHUpCz65^s2FuwwpPca6Go$kWoCO0 zE*V_+#i{#zLw3GTe1mxs-?!oA=rgj0fP3vjAg$7>KHC4G$qGMO3_v&6;rk}!ozW(= z_bSsMm1I5q#AJGAdOh2r!%&R)og>DZcN_FfDYD|91fIZ2(i4`TYXRxvj5kW^AuGLP zq?kJ{9A6daKd!bY2T~iGjOrYeudIKd$2ERnCJtP=mx0VO^0TgP_)zXmkxzHO@oFD| zpE(Tsn@Oa?0Fy++6m~p@otoL#^b5dePY^0&35xFF5MrI7;MwY@n-312otgCF>KdwUq#YEFL4i}MHm+EG2$kPGR{Qi z=g$)b8aKSzASIVsZJ7o5PND*R4K`5V_Oyv>oI&14XHLsbr+4rYsF7X)uu-Wbl55Pa zm;2ZcmtF?WS9zBb_I%RnnvT^bfA~^Z{0nucnqXZ=PtPzocLcQ^tKl8RiIv4QA(xzl zq5Z{l5Fy-@8k!|CB5U0U6|HW~E#kD)B(?fL6;M>+u1?m;3H%LgEAZ@6?-JyZj}pkZ zz+lF};e(_xRZG2NA5-?|4JE|Nc}&Yk!*8^(Lx7F4I# zGYjg~6flgpUY@3bT$lV!RL@k2Uq~-;f}eQKF=8XAU&z*deKQ_9Da@S0Cz1~k9WF_X 
z8sIK&&rU1|kVDwstd5P#O_6pO*56QEOG(Yp1Tb}nGUex`^C7Bf%+yx5YC8X%wu(QJ z9QO}6ZZfVlUf{6%#gW`G$|*k)Q1e<%Eac1*jcm?2p&`^Ky%)}>9?Pf+k$x1~qPJSu zfh+;Opn;m8lq2)LiU#l}Rc>K8{>xW1-`yMZ`I!7vNr@x7 zU9`LeG(NJ=FV#KyG7642|DK=F&{U}1ju(g!jtK((4I#<19M|k73)E>j*I~dQnN#1o zLIC~hRLzwulz(I~-MqC~{9NS#X8E--8dyiQ^+o4lTh_H5)Hd(#%48E*}uT2DsRjn>U4BB5MZ5_p~nJAa9512cKR>{Qe_lV6Vdt(hbB( znGY-L*p`#!;4dP`LR}AAhLNDO&33krs;%31ZV4Exc*JDyLo%=8F=^*O!!AJwycW!L zS)NjoHcPLpwp>mEUe|bg=|(d{QJ>(nqYo5MrdauND4kTD%97Dn60w~F67`Fh5n0ov zE{;1hQZOhS6QL#_!E4Ki@!!i!r0ASSQlf~TRFt&o0#K1z(${z=?#gx<1?nyL zqvs2~f%*eW_}GX_j4LwFamMR+#{J0CPV?roGg6M-=)jrUn#)YT3Ug*q_;2RPYi$0o~~1H!jY{P}#Z*&l6QtScGQ^}=v2rH+oibfZ>V>h zIo`ICp;xZ;Nk6!6xyV|mN?iBUGPNzLB-(?suedp0Dt4F#NHpxE z^Z73!EZcjv^clE_o8qw&q6VCeUZY@`&Ijm*e5-PE? z5)?X1W;pFD+iC!d-Mi^h&&270#vTskd_L70%*sy z7pgX_q!nHd*7h#d(rZ^sFL_6I^%W(wARB+PlZQM^T&-mB zHI1~D^gp5MB7*i+)LQ$PQ>8bZI?S!8nvQxspPCIBR)GvqbQqS`YK|F&dd_C#QJq79 zD?^VgiwMSwn$sP0XBsLeh1W(atfH}XP~5rR=3$E-N~vP#;^>ezbWDE9a*>s*!=w{-rHE9om?p z^V+-{0IWasrH(Oswea>P##k*tcKQ>Pu{elOyF(X9buOnUB9cbPab`&Na)FTz3d;F3;J2P^ z6p?8n4AhLv^Yz^y03G1?5byQY><&GMx0gM%MY=Sfo&Flg$3v^X+_aab9m3K8Y)*(1&zI2l z4vLEb)eBz2I`&==mo-XxWhI$r*=wnBZK+7=n;5#k=`X)pgUN43TW#{z61D@8@ zl+c$A>&&}!q{zg$Dk&6GtgnmoQD7u#f8J?!ofA1kBBG0}WG88fI|J0qUG9PS+N>{4 ziY4Fg;~^+w;F#^b;I21`%c?9!HjjE1ISxN3;XA*7=Qp5S#|h^q?v&Xelz+F0ouwUH zR<sg5?yrND5Hj()nFm41_K^|eA4pMr$Kg?RN z;=!D>dVYFlg+@C2g0R>Z#BrKvHi~oEsTqY9wl0@vwP@z2+~lUy^5lDt`ackL1r}_g z%++d{<&w1_?+=FMAJncnBo6pxS2f8lUC1#^lDj(Wjh#G{tnY? 
zo6fm7KvDUP`lX*KItvXf$_FYbHyODJzN?ke(vy_Du!NZW<7raOjV01JlB}<3D^?Sg z(0hAr+fVa{vX>z1q?X%-SDjgcJsCdCcLp+)bB6m-8BnQmGDk<=P_?+~+pS&n%c>SR z%}6=D^^pQK;MnT80-K&q7t#@J8N2LyBX%{2?2J=E#)MiTREP&9=k7R#TS}A@b9B}= zkJ`%8LAin0F+D7orz{Dy%KK20u1I~Z+ifGO+61SaUI`nenKe$cv=GGzbiHXXQBylp z=krQoL*sHW=|k@-IMv#|vmF$lV!H2dpocK*Ztt`y(F^a_1rG3YU8 z!m62TR*miJ0LDhq)~$xu(t*5DAX_H&Oys98KabR|_i#)Q7H%2N z#ZH$T`+H&f-3>-bNbog?xmr9fQiBgJQgzK`=oC3BgLbW;l@f?yJA+1t?Df$(J5ASj zCjR}U`>)43>)*f5zUORqu0}h*;m#|?U+OnoVsJ~%>ZCcrzvHu)r!xzuQVyAd@MuBs zV)d@Y?E1Ml4Cn|AJ!tw)D%h{zw_jNwe~Pop?&i6+B+92=x*1YZDTDQUGZIuM=_~>SJuV`_Huhjg#F8z0A3^x&{m305v=j&`duj8Slh<|R<>hOdFNQ}% z4q^M|AI)6FqX_X0 zR;dFMZSWz&eh%a6m$Iv!hW;~rmJU--O#XNXe!UU9*by97knRZMMS(8Q+;C8eK_3n- zs@b{4WZZX%wZ3mjsm%#~&~ccayuO#@OZfROUZpX-@jo~yDMWlD*ai8T_7@wdsE0_r z+p}rAvL0ahJ$;_Cnn1p1>tLB899QH#143-mIfJzmehDWFToLD(zASm3<1^Zi@5%DlgMo-+Xk?8QP^LrLez$-3i|aoam)##rQ7Eqe6x1Xi zJ1n$o*N^fbq;SHml2*mv|B2{h`qC3rlxfZO3!x6$cAK3kFt&DY&$QWDFvw-+_IJZR zLDO|HzTLndxNWY+{X5@+Svm%mDg@6adh+bB2IV6Hv2FN~EnAN{TmCJrGuXZ@K{O)sKnCnfYh6Cb62pwrB_GZFlxTLBu{{@JL6=HyIB zkmjaX!n)XRY~SBPa-k6gvV(rR&Yu%Um-_yPy!yijaS{Ug;SRC>)?B20k0+;ngiIZL zf80SXiJi?FCCuZ44xEIT9ySd=Wd}b?w3g_8R`>wyC*R?*GC#_Mqjj($FUGW1&YaL` zCjLIh(%4fEMj8^D^C?1P+`IWF3Nt?JqVMjB#43Ots%uV?hsaV_)OVrGNBUv6lVx^h zaa}GJ&uNLo)8rv56Eli?LNoQ7V3|y+ zh_n=ec=sL^q3`>w|Mu|5RfUD+Pu;gK;XX^G$;?UYB_zOT&q8r~LgI@hYhUt0o{H&q zb6Z#}@)-BD-yM#~QMkWN4DDaUCQr47^t^@h^Y$3E9oO-eikpx^QD zW;QkzzwBJ!S~Wi7(>w~3lP6b3rprJkWC7l5F@OW%wtjSdUn9+T(*1%?JNxv9-BrA* zKiiFjJ{!RL4{Z4#6*t-!AXjQ^>rKWDDJ|GJGZV)VBh*<(@}UE`LAO4Tvm6=Z*3vFu zJM=LDYq@s@;%+(g*J&ZvzhXkw1Eh_W`uuPs0?~-H#Df0A;m%aw?_YR;(zSa97kNR9 zMXkWH{udJbuaDmKpXF0G$qlAR>*cf*RGT+nJTytUyCbuc0>u|Yu9yT{T1>a68&>Ps zNAID4c0KA3G}~EQQjB=ez(UNWSPisk+=bmoe)p;QH@gvg71(6dBUjISg$Dmmf4%bt zMKOR|u&!bG6|`f|-QJn`F2S(#*lgm;0)q5#ix^ zBMo>MfdAMCa`YBAeWKbyY^K_1yJL1VDiC;Aw+Y#edtB_%GRFH^;={2!I>Yl^fn6HehE&031JP zhS;zW+nv1C2~z|XGhWGO0KFAna1ramkJ6w9;CpuhnG{fl{vsLICm2_c~Q2aoWTx9^?%{`V81R0lb5k=*9ZADU7@sINq%M+jnO!t)c|;UDI_H*Z*gCU0r` 
zq)B(?x?}6?J^B|mn7Aq^14+I6|8lXOReTIw3M4nZelEl8G=kHW+d=hA&5ArVM8|Q* zj{*1`appiC(mF}quJ+Ry8`+U}zv%z^2a0lh2Hv1Un~cp@e=Zir^d-gCHCHVq-M%h{ zvoNSA82X;;9m$v%B zTyTSb2p1Oo*<}`>Ij&gIqDJSBg?^Ds(9Cyo3>Kt=m&$|(z0m#%d!Tss1jN))*vP^OyARKMmP_a4|RQ>MftoAs>-&fD^1hYUb4__y*E&Va<*NZ1P z&ryu1Fks%b}k&gVAK&Wjoi-4S#7Qm)bF1(k(&xwRPjD?`ScxBfTUA>N;T z;lX8kaUix21>0B&>%v_etn~wNY7D?KOY_>ooqjO$#MclvPNu+qqIpKa*x{$cVa;3I zgKHZz)6r|WEXVb|1IV8!^9SkyguVdru?f%_Yuh?|Hjm@h$!6_f5AK0p;Rl}aZ@v#j zRGfGg#Dy8GrPOfyumaj;IqMqwG&3K3EWT;5Mn>PefmoARc;Bc8`+0gmh0>7g+*-dD zzx`X$t6Tr9uRT-5v+c%u-T1j!8BV>3MAse;zwTf{$@fi2zwIH!w=JLutYA9ra25+W zqounwrM8WZx2z|fVBZHZUkOQb`N@MXWmN0AkL<~c9JvPs^ZESMOVW+oE1Ky71!X@- zGFA4e_EB{UO74Vf)>6go%{PKY!Ugp#%)5*23|hu0R?NDy7c$jmNjqT#AfNPsR`dFo zDs z6<}v>*Ofl&Je6~sg3O1mtl@d;X!!y)*PfcmGrP2=N6H6o)AJ4+k>?-E{gT$_8#XrZ zvF8vNM(~OVB^1DtW5?20R=aP)m^&&k69e+}TJtP=PatlvP&3#M2V74Psh6 zjJ?nvplFQM`qQL?nHRKS{j%;C&`Ts6?gb=&~Yf zyHqXC?EBga3%^4B@dE}bbHU?fyX7NdU?BjlqmJPZaDg3i;9Jo05iL;ShVf zjb)#E&q^X`i>I}^Aiqm`2*76$|AEi&ZD$k#=U>Az4J@XZieZDBb9hdxdHnMD|1ecK zMh+N^$_>_@6C?TUJNdTGei>Q`7O3mVgJuPoh<#463po((RB(`NH+g?8&wo5xT%YJj zaWU-U1cfY{y(b4EZbu}nt9&lEX0so1&463q7$tPP2G+vV*bBPM?#W|2Y`L3Wc=3Ty z)^E!TF6fbwXKXh7;SENh$ezt3qkDL5-~;U`yaYv;L0ZJLr^Vk1oS#$vF$Mi+hd;{P zqR#X0c71ki;O!2NIh^Xug?)ToKU;@mmhAh;qwEcgCN`O0q!0XhJ+b1S%hMU(kVQIr z?F@>g2R&OX!`hCwr394T!bgX>qwuXR_L$s{S^oJ0&(BX9;76dKop0}2M0#63HfLQ2E$#NE*Izd6j0Et+Dn-Ax{qr{@khcJV)7hMZ zOXw3nMXH5K!!Oc%_I%M4%X{>$K{+kkc<`d)vT&mZ6P z4_iUVUH31h`!^2}X9s4gD{&(K|LZa0;w?0PS>a!{@9$RjKXUwG1O7*j|B>U@2kOt< z;iwXuoNTU9Ac#lyRr-k$`3D;Q!*K+m1(q#8ccc9v7PZQn`yca+A_3YTFbrGg?{(gN3KK|P-yTV&=dozb0j-3!!^P(Jsw4WR)c}mV zwS{4NsJXdwO6;g5NUSRU{AibIXT1mVv*9Z^5WeR$9}5MgrFR1Fjdib0jhm?K+(v#) z^S_dB=^DN{oBu`hJlYPVMh13wcW21j=)CmcqL3gX2#@=`lbO&-LXhcpJ#XR(g)aXC zKJLu#eN6wgn#Ie_*n^1sN{RTILA`o%Xgyu$jv@5ddHt*ZBmw(TqwnTUw#VOSh`;$t zoDT$rZD@}DonZgx*|Y%-luCW+>gVkoC-z3i*5$r0PS;-a5=V*$Ts#+g^AQnoi2kY8 zkh8Ht-sKn4Skf4h4it;aIt>AlxD0ptjjef(7tEf%_O}pS_BibJ<64{T0Lx!+SW@`-AeB*$su(!Bavyj%A|Fs*viJZtI#fZI{h{OT0vzqP2=e=o(F 
z!gEg|GFEJquG%zY4YSC*ZflHw?y_gupuKOFU|t)8%#ZN2*)AA1A+L8|$zoEy72|q! zP~eczK)mOR*|s{Tw&E>q ztZ}GZ!A@yV~sZ|GISV71SKCUgALAnNb9(4?e9Q7@FkBRMT^ zU8tCq*Xk-9a+--xgs@6 zzEp4UeiK1>vWL@mmKNtb4B%(?GhO(gvjwVh{WXgmt&Kx;9J_=KK0e!~1<@N!A3w?U ze|r?gg$Nl4^PJ05>*5lOy(xI~sNR1ZR@jPwQ?yzgiby0BR5?rVs6*HBZc$kh>6nii zAt|GNI0>lL92w$cpq&oM?`<3%b{Ol$z(jHupKrzmH>Ae66s4HdT*c>(PJAE$1)*m) zsv(&)n-$d18Nqv>OP|t#BIh@Oqq+}(&eGv}dpxtJc}HTD-2R+?Z_NEdAa&3!4q}UA zI%xRTAh@R3$oM<|TS<-RXMej!k$-{gSVMA}?xnY_8}q?byoKU~ueNdCZ;+74Fdcgj zA$Q?zt)Pg^LT=Z0H7iA~#r4`Zl@DL;SrJNdQaQ*L@n#r5{i7gnv0`9dil1v13My$g zE@q~JoHd*P*buKD8v+t_a-NK8VW7=&FoXRHx!kd2vf*qOqRx8a)R^W)$DaKIbA59FPX%bGjtwrp_t4rAja0Vy0c znSzb#hAN|V?8YD6n$6KPc=|b{m-=YfABND4N%_X=H??b1*{I+R(RfchEsBZN1OC zph0lVqxz$f&4P%Zb>EQ&6*}n@8_~$(>bwITI&E$`UD)_xrbtKCh!09__RH0yL2D#Q zc|86h%84}V?KG*#S(5RxmZE(hTG*RGXR1QBOb&%uytrRoWX-3-0ulb(b zo?xCkH@7uLda@ej}~2- ziq7JN*%z9Gx0#m2c|Ohv_7n}!s$vC3X9a80Q`hSn&`n~MPU+0rRMTFE{f!4}@Aoa} z2yRe^a6jd4G3;7h6U}Fe4J+YA$EZg7oHfxHtuF_XQB9m{Bl06$d0-~ZltXMgV>1%& z^eWrDrGGg5>D0_XK}IAR1^8VNB*1E19R9aDVn@t?^)jCb1(F(cjea!t~~14FdRTsY^-rZZV`y#<_> z`dg>?u9fOIvul#~oE6gIMbom>D+tV8717G|);DazoI<>>@4qE#sXK|GyILM9Rr|(j znq;8wg7k}}N(@?szg(eiLsh52Y`sq>Z!P+~hc1n7=6KQRts7*m@oaO}Zct0>s3xg& zPEdvs>keX`D-9bqZNJ>(U+MS8s|b;S6rAdPXJn&FuK$ZhWQdOX8P)0)Dnw#A`dNo{ z5Rglq8L=j=70>e)H1GAP1htIoHl9?htv5DZc{Px2@u&?z3 z%7MN$+~#61wS{gJJfwM`fGB^=U5e3zDzS+d{p4zTsipQQL`$}{>Pf|Xpetiv5$qRo ziJRWVApcTSiMyXxFUjV=Pe#5$tE}4uwLN*li{+lgxmTKgq`HMO#r9K$yk(lSR7_)J z9V$mIwuhVI+|px*1;+Jmt1ny`TU^x>PS3b!;#m9cGJ&5^j;E%5y+7Z!C31c;B5z!o z#MES?1VWtG=hl|cb$!dx{nMAh1WWg|ehCK{Q~YBhELjP|S_fIr3k$LP1(hj9HUg=Ri|^k@b%k%-WZ_Wl={|Ltb((3NIrV{t zqkPjsl9d`8v$M?Yb9UEm8*`w`1*b_~jb+MK9`-%mf`!N@sPs05hhhr0!<`Rk!q$@V&GhN@2(HoR>$Gl zIcxl$v;_@dWx6J-iQh!E6}QJ9M3(uS3RET$b*xEd<-!k5f! 
zMR9f63#Bj)g4>l$SF2ZSvf7DW2R|8Mc&6D7MRFJxdTw@8Fzx$9lut&*UW`lmI8|L3 za$?$#&Bsq>j4JLe5m90gk9WmQAw9c}M`atgAx2#^wOcg`dBS3CbFzY}?yh3E)|`OP zqg^T?w5wwwRb14WokId)FM82i0f!^AVnkO}geG4HwxKYbH)u}bXOjhOke+(u zt^kQA`^xV}Ce4K%Pc9$lk0udMF#PE1@kTIPLNS+>pZ8ocj$&VH_H4+u4h_qZ)O(k& zfO`#b-M+4PhZ~`(%#A9%a2o$Clzm-#or)-9F_~cnC4~;mauIGYnIJLzG3$!=1T*Up znPH-q&+4*KI+Eo=;_Su;*U*Kb_W`a&dCrNLYq%Vfp;0%JjS zs1y^TF59}RWK@N_hV_`J!7U9ZKm1+F23#)-lezz6t7jhp^ze;Qq()_QBMm>x;e#eo z3?8QkQSJp>i0TBszP@6-N{@J~*5!!ZqI_irIlQTIgh}FUI_oF0%2zTvP2|HbRo=5& z&{x_NPBn)IN!Db*E)qwJ-Z|mnyP~v}6K+o^HVi*)O{#0%pvso(B9qZ=o;Lv4)OZGH zRQ2amVG>%s8##d~X?gh|CE@;hF*HcD2Aa>>@BL-jcsxp{fPvVGyf1YqbxQ2aKoI`g zrskjCzMZE1iH}7g*cyo{YP*)IWS(D?rw#>VgBzyQaS>D-56mWMNA?Z5{(k&j;&=^e z+!*6EZ9=QF8S(qdBt9y?OmsBm&F{Sbv7rC}hk6K<`q)x1<&bnjK1g!5x~2Eo+r`xc zfs@OmD=aB5!=f9|QXFY!-nQ}UhDf&hkS8B?H8I-86C*>hW~c_d2|n|?7+s7Z9jRMd z-W*e)*HZ~Cq@rpbj4*!)K9aw}e=AZLIYnc5ne-sr5m>tGpnp(e$v}puhV_i*;M=!e zJVCxedZzAcG!0X&kB_CZ7SBDEe$vq+m^-qT;W0TWz1;mc@NhD)UPr?&jKp4hf;HKaBtVjOzMGnP{cP<(knkJD0#pZ^2 z8Wn!ErN!! zJB(I`*V&{`m|HL6>`pGZj3ti-8LwVuIjUovDGR>JmI*l(Pa!>Umi|bGQZ9bzeRSn8fd6h3J7kVXq;$EsD^dN`#b%*pb z7wJ_)lnH$uje~y6fxUdvlx@A<0~eMe%@D@rqLWz_9wB4{fO+@f8R=WpmE_k{K~~cR z$2Epm{DMk&QHQ$N#+1lsB0~ug(_JgF*NP?f&5oh$5rZ!4(>EjB5^AjImp2bekkvhC z%c;9n7O9lXhc0&+-Uvp=7^5LrM=Z__q}Yg;fa=I)8S|exW&hTl3)75MRpfl6q2!yM zW~Zn8!Y9RvUO2hfK-=E9_WX@pE9u+i?8%X<&6tKDPsnt+-xSPPOW9+_FP-)58N&wA zm5*a7fygn^eW}21u>zedI{j>nw;XfPE81#fx94HWOug;V*rkNL1y~eqW}74c!vnykEIil;;l1?KcGk~o$`_69j^1k8Z3v+D$cZDK(lvwW$0vOOyp=L zbSCllglTCi#IKUb$A{Ukq5T9FIA1*~6|BY_y>xDvMw)S~kOyG`m1N*3x!7ELX+gO@rS z?p$~u??6UN9iV(5-PH07S4Ol+_j!WJRm@sGH$(0_s|Aq+#FQENU`bKnys;F^0E$Ph zE`Q7`#-2S100IiJtdmsbKW`vaXYJ8-i4!i?ag;Zu&vc@lrOHpsw(6a?x=_y)csLcv zvOrC=lthOBxGEzU5D1Awv_EqL|D@Oc#^CTe5YI3IybY|vROdciK&v;7^&&CsX}$N` z5@rvZwo_YmXBWI%G>VX3`ivmTZ9kl7)Bi5(kZGsT)BfV;(o*xaKEM(9rlBa-uBk0w zmEnb2oHs25loGm%)DRHqB?N4! 
z2&f21M^Qj}3%w~#={14S1f&xX0tq1mzLObo#;G{J^{w^3YrTKWOorUtd+s^=?DFh= z_QUqBCAqaH^jf9uyRoBH_uXpRJxg19jvrkfdlaF1P`1B5g`?#K;s&;w8cVwxDsF3v z;qBbANkjeH3oT0e9a3R8FpLnPG2@b(3=!hd*3A_>(b;~Y=i$B{DkwV=f&t1aRj|nE ztOx=caS8)oD<418myY4JaxOC zu=!Kf#lMFSXK406`$?~daG6P2y?~BaSpD`x3!}SbmK=z4*Y1@8tUOmd@Q^;%4#WbX zvD1(C@8Hwj&1G7eoHboyU-a?}0v-JxRlCh=mSPoZr6=g%1W$9AtQ>-gD<|fu46o?7c34rzpuRL&Eo85t7*6S45o!Z4_ znPwH#-=AnRQ&>O73{SPNS54Wa>}xl*Se2rAG9{ZZo^Duq%Is}EV@wLdt%2q~$whDX zJeu6!MC=)8>8dpdqs>o^3C=!NZMvAI@**c~YPS0IZOgVf)4QeI2RP0)y}~7jXbQ>9 z90am2BX}ySO27EY4|}e3i&y+?yM+92q@dGnYAbBq|PibFP z+A9m}+DDae3IA=}`@)bogEul(o`}+x3;b5fQlj~Eca?9ZSO>stVwpC20i2q^9cNau zYK*+%ta_YYlqI&2{qZHeMg7!-ZzxLR$4=RJ!7yd%66za z%?PTuTMlg`FWPHmh0`a`>P0y{=BhYv(c+o@#lfmcVWlVYVyn9&N2qUt###X%WG?y4 zM|X)~H@=FRIi=NEhyjy*tY_;>k{Z>VRch`8m01Vk0yePNO)K zAEx-$l`*3m3j$i)`fr`TW-UfzVKLIbSfv(~I?TKj&RIgLCpC4+R*-A12vB!MJ%Fcr zR*Q#a%~YeD$zBE%V!TXS@@$7t0>V>89&WNap<4pZx!d3i3sC1CGoniXl+mt+Ep@Yc zlHK&_qo3_rT(T5fg|w0py9jw!nQU9JQ;C9W%wA4^@F+~lXtlO4det%vUZL*8P=79Q zKd+WRNg8Pxzt;WrkZol8<@x z(O4LPHB=~fL@7&%=BmX|vhBOVFh4cdAjo7$s7jb1KYa@|fUoa_VYi=$u~JYv13>o2SB>uW-$`@-J%YxI;M@I8TZYVdi(7ofeV#?YhrR=LX0{jh$HTk@a##_J5 z=f9b?30glPasKu$(drph}I;7u`&g;8L6;{W)0Wh}e4zCD_hs zfsmz^vgLZc@OyR7WLXb13(*8<9}+!haAkjP_p!SLGXqNZ%*7-xtU0Z|MTX20K6vTu zPuDwpipF;SVyZuj$I^#t*=wyJCPI~jyAyJ@G>wsC`tY`)XGV-sc#DvUheyoYj5VcU zrf<^PVcuFD3Sj9pohR=H9r`TB8~xpD6V_-JSIPY)lZm0b(4MS?NHA{tMtM27s%3u z7Ei27X`P$Ix>2NjTz~Mc*GqQS`Z_AMEj3#1FgGsEt==zY{ct=7TbC-)oyN9 z6>jtW!9Je0UU;`J^^r%LZ1JfCBSUACRnyL0_i9}jTl1)xumH%5mz>j$`{6Zh6`?(L z@W9c^3i3ObH(N^Swxjq?bPxDm=3D_8q&!&Z;tEvlZV6Ttvxv2wW6T%aeMyPA4JJ~O z)ilbeSvoOgq^8kp{6xA{clyJgw%LBdKnGn+OrPIXhY~)tBJ15DOvqeMGbHXB+aP8D z8k3hWSg{xpJm;h3!04Gy@Pfj9935nss^wFZM?W2Os-59ZrN>d5R{)!x{2y($s2|-q z@jwp!h*KVh78Q5)!uC?0-($!X({6GkoaPhrXADs} zIiE9n`CHPU1NqlxFBI0g!D`c_bp?vYgr}bdPp)9`{egpF?&Y2hVF>gzX;%3Ze)&qv z)R(e|$W<1Rw47x+Z?_r;qtK%`VE?+Ju;-q_#5JE?uVL_02U zroLmGXT2Z(di;2q%A|v7nh0ffHvF!r?1O1e zUVidooF{n})}rLoj~J4kobt*O-Z=^|^Z?t~_Yq2Gf*3&+ImpYTa#Q{qY~I8O;$^q7 
zm=denhl*wQn8`5mfuw#e4Zk&^#|U=qhxhfbFSZh-s8eqY65{pCA06~)eQwOlht{|a z=oMEQsKj0JY^K(NIo}5vSF00KcQ!G^zY-ZgVP^M*wl|>w8Pmla1UZej$?*oPp~|#$ zGj}U1V+zr4{^Q`m`?CQ5`%LcsgEDqMk3P>GvtXdslq-gV)>y7PQ#CgnSKVzap)r73 z(*zS5`)_}g%4$6T3|;@Y=>DyTGUT|nk)yU zZ+%|iH(4{=(!?*Lx#40KpZoNsioxvpA~}1@*6ngJ1O-r91U?1E%!^@hlgZJbm3 zlQjQzsOu-W?fxE)HulnJDGOVHXLJ_INANQa#+QqLIv3b~YurejKxI(E9XKfG{-s!+ z&^@vSigqlVJSU9|e1n^!rSV~BC(q7(Th@NQee3(wluJedmw~K1Xp9tII>Iq$O{y~_ zHod>_?XpdMIDGyp2m<-%bEsCWWZV6{94p?X`S$(AWWeR4;PT<9zg$f7*=E{* z#qXdUAP*2Bg3&!&zuf;106K2pg%lh65BEh!E^lda{mFLoharALOn%$+bX&G)wEQ^a z^4kr-d&dCe0!Q2NW1{@W?RzAC^3Y$e|GzoT8^8MRAo1^?01Ebg;F!f9-vWrVpDU;f z$ltHNi4LKE@#~GD`1&SV{gwLK`2HV$`t_?;O@N-b-nP;FpKi0Sb#c${7yHL=hCO*I zIR+>Gt;TGEhuWSDsoCBY4LByX5OuNx+4d8yFQ;YR!utQqqhffnKyUm+Dp8UKXhLSB z8XmA$VfBkr8){eN%c~oXgL7`>9R`T|lJAzSvzn%?c7Trx+aOZmT@Bds7Gv#W?+^Xe z_SlfEzZsVwKMiQZB`dWyrm#j(IP=rfZ5PgL39mWMZ>{I&^g9LoQK4G6JKMbO5UISt zuIG$2Nu`%SRa6gGrQE6v7W(1ol#TBoBg{Y*ulHSvx@jrnd07>I1r+Ap|5lhM3H-D0GXx>FsU?gV zm*Ec-=lyO%0Ky*ij15Fxc-f6yF#FT#pk;Mm~|w`BX7@BjYqy5sk+ z6KO>MJQh%sy_g z(Y7=mvujVMZRnHLoP-Pr=?Y`^{42 zfYT~rV;VQE`4^Sbx?|gYJyRphj&KXrub29no;>CKDK2(8bie3ZAAuwBJq`|K_kIwU z0O!*ac9gDkHWP+CH#Uji3a#s4wuJ^l2z9KLnhNP3u{*Hwy;#?s79z)u!8v@2LJTa4?e(E`Kq@CC1*>hWd58wSH`y< zuqRj#LVM=116xf^Ob6Z{qLJqY6C*mS{Oy9x34MGp-OtC9M=KgM{ z@FuO~*q&+ofSt#|+;INBt?#B5bLMsBi?eL{v(h&Mo{VYA6mR%yPguLnD-%amml~56 z>JYrGY_!{#?yLS%hr6l!Zb;N&ldCh8^bI>o=T`{f{O6N!$$J(Huz^13n>O0bYWw+x za%3t|kGyl1(QnT@`iYAo?i>B@y&%3H2gqt`t2%YE8O0&5)jfEdIol1tUWWNC$^9k2 z@{?aLCMYw_EWg(m7c~g64OX0^YA^(``tkSo`d2+@ebujjyZxYC_QFC{@4&%4ZwlL; zI{U*??u~H+-4;Yi{;jU?PZkjytx4h=Xt&e5n>&?Kca5ZHWvbS3a;8hqRTZ(bB|yEEyQt$fUiLeT$H!%OEVpl}Mb*&h7s zZ2W@|PY8hbLyT$~?%3p3{mX@Dg;V#vGW^Jo&eDbyQtt|;1!Vj~Wo`bFjpX-N{*!`L zECAUiS2mR2Uk>#5=J6k1*suH;&;$CjuU$6#*uPwZe%@2by~=0y{lk;~{wu}copwDr z79Xx?$-8_2-k@^%+RAiE(81HgBl{3gQudC50tCNh3IYAspbPvGjtDd_DuzT4DkT<%G4$YMy@#OY=v$3&Wlcd zI9+swsbcPOdMy*PXmFh#iEQ*Mmb_$Iw2|jqU5} z#;ac)u6`(B2Do>Qf|#!Tvt86@QBrS@!`AFW93N5kVn0#7(gY&OR6YEAwXEhMgUw0E@jTeiJL!~vr-B+MO;M<%OBgh 
zEizM=$^L=9nL+U8wFqDZKG^*sL~Ng4WyAOJl*iH0W zEqq(R|M21e4dt&)&i`4nvS;ey*+A8=Ms;HDm-D8{R2IbB)kCiV3;4`w>(+RE00S>o z3zy8~ys7BjIGp-d@Ah|+Iw3^!ad2&}7*H&}MXq$j)k46LO$K^!Qg6s_>kd z-(xiU%;T%kr6?cSX*CE0l^at>BpV8{-sSM~(_W0CdE z(*FhgbB?P7J?ZLn55a?cEtxrzHlA(5b1Efmkf*c=_JhXm>&*JuGauBk$kV2Y)OC*j zpZcrQ9RS`L%Ue)y@poeK55DTRuabdxX0YwIZl&LJ){lHpdwhgRe^pQThY9F?H{u@7LQRe=L1x%J7>^Z9`I$c{|q zQY7TYQD$-}`nB~xV*jZ1#^vy9zcR9abNihm6z_6UePP7(p{oGv?oCpU$eEu=2sV{P ztSo9Q8Fv`K$6DePCX)b){n{8=QZo)xXF9ZEPG=~~BTB3$Viu$Ip;fYXJ~^xt9P~lX z%G}&)@y)-pcWi8sRugJybsWzA-8@WSXaF_h%qPBB_v=JYMo!O(mx)mhyRXVr0k|jGPw%v$&Av{bv>#n1VoWqn zTJWu1QCe!M4OQ!s>Lb!EMV-dfK|hIOkbM(|eqgn%G(bm9Qr^r7D$#ICk<)la{kH(& z+gkkXhrdB>Ty|3fs8-PL%(Bn9Lxbp|J6f9D3EFoSzw1#I7Z-$BLu0nK5RR+>Ip6o|@JWTW z5d~gBlj6LSy=!V_EA9J7>Vie~kf?1mqjKQ5O#^s-%KJ{Nau+MVD3t!b>71W3E470T zTI{EYjN=d_*gOcrs{rB1TXh_6kF|p9$nWp%p5A4hVTiIVSS;qbQ6$vwFh_2EdA^`v zJaVS+7lE-#MJVgGSjBoIdI*6oJAHcT6*Jwkxnnb)vI#BFDuK+>9JR#~QQjV(SD8T> z*|{qZrPbpgWnwxJa;fGCppaAEi?BjymX#fhnO7TUq;%oc-w?}1Yt`#C$&XubE*Hqw zb6)67**f@~9O`#S%0DfUVgktKNle9vI()x#I%v$6-?QqCZjIDd5TpLFQsjAoVhF&sypW`UJ;sFBs zvLVonX0^kkK`L(0zI49!w8A>6rH(gL*R3U%?aYl2gsQ!=b|&(apD&0wKJx0cgtS=+ zrOp)gXLI>jwCD&`#CRmu*V4yP8Hn8+D;|}LOgde;afR@>mJ+b57`dd6M9FZq2l+ri z3a{nEAU<#1-M+(0a%CBVq+l#2i`*UZ$T2Y`o83`jk&3Ab-FA5&qeOnEUcgS9NTp$< zQRla_Hv+9aQhf(Oj^3?l2e}+@e`}F?T71wcSWEQr+otmuZ{G+Ju2@~LAWi4OdvoI$ zw8t_7ea+7dV?4Z*3zOkTmoq6c<%!4852%O2-gt_Z-M|SQUBa8YNLh&-r(VgI4 z%;nb!MV3O==7TdMK^MW4MPmYm(CgrE5iKUfb+sv9H67~}mxFLd`z#+Xzf!-VMzKwo zMIw3-8of$S7T)g`@z#2JW!d`|g*lm^yYEa{{)GIj*+N+~3x*{o*zuWF?nzTXFz+8n z8I!CidX;SA72JQbir)NL<=FFAF0Tc@J0J_TiBBJyEYxZZe~Lz!4MF5h&K-G24~`&svjQ%cf7ZfO`+` z6i4n`q?>p{(f0~=ZG)VP>B80&y`CEFHZ-p@YzAGAw?1024OT5Yt}B%EbG-1N{$27~ z%Q{J+qv3r7iEw)SAZR|aLYj4}FghsHSPp$O~-%*}~&jH?tZrd&dt($_|W)-m{exs!6O z&u&m2QIYGEy~$Qwpny7=q+$_Rdulsi!H%Lne@Jp#KFW~udG9WMRuBZ20R_^qfG zc-j&$qpo%7n{hY;LlXS(h@Pj$4Bxdp8({g@2^ZL9mp|RX)RA|Klx7(*onT`oPolv# zUh>_#xBH0?C#cAo&gMFs_3Fq7wT;*{!b}g$ybpBJwCkMnA(n(q`DKUA6xzg*h{=~C 
z6v8O%N6Wo$I(~R^w0FEQBG+=JI~ySDYovGJ(Pmd%o7&bQVHt-M+-CdU^M}~1?`9RY z+eubhYNz|a(tqdXqelT;%auC}?dsL9+lyK?8?(ME=ZTjQl+8RSnZmJFW42mTY^T(m zT>8Qx++<`9xlSG$dLCoc7hJ`l;EizAq*5(MU3~5s90Xj2@w#BHilrW_I1YAQ(OmNy zpLWcPoch?ex>gn8q_TC&oS72{?!*)l7!+1-78dNv;~n%XDfeYCs(eMp!VQvuA+9ZDN9i1B-304^BGxLNq@o+}n)sTEMtHSPBjV%LI z?65ZCEr1-cfp;F%aKr)U%Fu`5@T5=DG+~qR6R>^&(A3lolezo0+pGrT_zxq@lBEiji+Vp6HQY4#ZI_U zjf2d{W6{{aC1s`e^lTD)_;<}KJy=|55HXXmX@3p3QBfu9YLA{_lM4J|fi=SluXCCs zKXY?=5OxEjmeMKBFQ)va!MpeM+)&S{8&6f41dYitbKX`SSpCJP2elgR?=f$*JF@VL zQd+U!nO`feM7gV^W7D{OONfW&#j#HI(!gmSa_?aN6klvG&%R>8<}ws~`HR0o>Fo0> znjQ{Q;H(~)_(ZW2FC=EBh{x5!@*-i6-NquUGCnkO$7WV%J|n7~tJf&9%ItFPKrzc- zVZ7VyRaes{!8ReZU@!i`i0hS!tB<2pY};$>O#6(}KHM`D`xAOLm2NQ;hZWAFGc!)? z6bdPBom4#2Hw?84bgmeT&R+lCW%=GVd?_0laV|0I##9I1CvBXcr{=3Kv)4VMK|p@B5B_T#Uls# zy%LZ89L>f3_EOPFE?>cgW;50}fp;QCY%(kexZVcBT;vp84pUEIv%6fCz))OIdH_{AAy9`-+tHl90 zy^}IzKKX8yNW3<%D341>8mQtmwHQ%xpAR##x7qL8Xvkt>gp0UHQ=OhtTf4*;<9u0d zpG>cr9L%F*hSZIm$*wchr3p+aP-;1w7q~WjsCm0U$lS%$`n0x;0U?Eg0iTL#lW^DX zw9(&3AQMeALdZScQG7P`-~S?BVK>j&3~_Cb)37YdrpR|aE!lCjb8B+Qv>AMgZYuWf zt_G}Sa0THgZk+`H-igMZDQkurs1l7Me zJamhCpiF4M)2i_gWHvlBAg~IL{h-&Zt__HcJGs{#R_uN{6{F@>#y3=B;%1q~^B8m7 zQt4gGP?f(vy$egadDVS-S@{Y(@sHG4^-+<9K+;&9#_cDJ_xmV8va<(~HO%^Ufm4x6 zEki}aCMzR9J~oYQV}&XRq?7Nk6<$pv1pLYAw*%npu49_VB0?CF8zGh zn@=+uYRG&hM$OO!ucENhw!8>+D+6(G$DQ$}D9HpvDN*#LMUKe~X^HnzlN5VfTdX0h zT;8Js*0gE1ZLvp{n);U3&+kS4nlAgMt0&+z2`a$@D}D^#SI^62^7!Vj=5=U#Ijl$z zZ~<4UO?6v!e=cr#dBAI~Oq|P-s%gsr8>&i)fTS{V$=Se0Y*JY;nK8?t{^yEQSQ}=5(+vXRc z?Sq6F8D8}lS(Ah7ltC`_7PmSt&x(X&lT%%(JBYR9evZAh-)85ZKPb9UD~9}YPX8Vl z1Lf)*G~g8-XeBT_evPMl#;6hH>(9&FJ?3+sm=cMxUf`;kS1p`vo)M49RpWVZhXl^wak`e@e{}#Af4jonsxv1Ylk_Ted%J`ObY(|KWb`EjpiB=rY4ZY=qK4iGyZsGi?yiZkB4qXV>#j>$T zSZzy;tebAR$KAE^`9KGCH4L>yB@V=%6DxL5A*6%HtgHPZW`^OFUuprNWxf@L+o>t76nR&f`;mC zBef25#^HKRQYB0gm0>aWJaZhV5b_ z%fyOxiVYPeeq>iDM&scqm+~MHQ|m=5*3mLA_nJJ<87ghn5?cl-Q*jhLcf03NjH6&a zT}*iqMsytkKy0^`VDBn=$;Ybbep?Na1dd|7sIJ5XLhA9o0sOIyHwFqFN8)AYN}bfp 
z>#f?LR8%n+M0D(N2;~s|HzD@{mzz9W5Iqs!EIa25Af-crWV22OLN^GD$U$ zP>~hB8iAb-_EZ2No~N?FNJ5YWPNn*@yyM+7J>4UcvJgS5s1gU9s02Rs7p?3w0*576 z)>Z)(k+Zz{0o21IpMm9%T?Q}!Id+DWnpy67@$RQ*m4-Q=HSWBcxb9BZpH>(PO@DEa%tiX365DiN48V>~OtXD5o{JN3)%aUCm&eGD z6|Wse3+(!$tng8O1@A8L>bkiOTK$e+Px-4ju}@L*1G;3!i^3_2kviGl4ms%oj`|tK z(xuiJva(4~tGm_#v)Z(r_?LCwCu9_S7Q^MNQimhdTi&#sWfG2MYO(I2sPUI(G(dJc zQnu`1Z{^itC!XHv*8BjkdeBShZV1>Rb*1p{eYC%sb%1sW&}=2wpG*5gO*AMepz}~t zs$KOw_K7+4V8=*DlGfnj8xh3h!$l{8{Chh_oko9AZaTL%C02^V;X67!Q5(GgJ~x>F;00d8!Nve_mV2TJ2qvu2Q;zAV!PT*agWO(%goI!^ z&RVZEj&LgV&dXgMYTDote*} zOpMnltj)K3D_G!U@$PbLC^Xx6f+x%>D2l+`(n)R3zAjYkHZT8pTnPIb2P;$gATegt zBI*f{l{9){j#ZwZ`yr=goCC6#DMw?@t?lrmvEC43i8TbA7~IgW|M($Za+eO7ZT-Xc zJrjW;5`15ExuO|M;rbf6B6Riq%F=_>RqPBV2znG7F@q46862?UU%3!{ zzh>o`SH3t~w0cT_rrIn#b?)OYse>K~gK%4-NNihFObVJgVMkHQ$`$K;_A7eJ5v%8t9X{}-g z56L<*$>v*C)HObFv`Q?|baByYnryj{5HTy`q8ZadBD|fNT57B%T_wJE-tTT8)-Swj`4x4&Fn*-iS&koWc}M?3%Az(HT?qhy-Swqwz2VX zVs#Uvs~dd1YJPOPo2HxmzAvlz7BhCYlQG5M#moxFW4+d}fzM~}_ryd;%w8Y164&5*6WZN03`i|l2V6W2CvM_uY3*wYtiNnNu zXlz*JTGOkb5jWrX*cfC1H~_07>^m0JK)-C^qNyM2ReAw&8r1H^)DQ@JUJ< zBo+VQv{2QSpXD~q7#Y;$N4~hel2Y{KD8uTv+}EkYen}u-O|YJP2XNL#5VWMmynXw& zK&0sNGb@qeiC3&Dx!Vl?P|C5X*VK;?B3&#O7 zgTkl1k(5Qj4HYgXnDru>WUV7xqT|A2YabaGS22Vu7#t{GjIP+!1HYe{O6<;PDaY%* z^CNX2bJX}I{lVwPnECYtEdc9iFo}ihtZp3Zd93*3gbeZRDi zHIFcfxuv7A)z#H*z^EmTczpGkD!UYI$fSisOuuS=^Q3y;?9IWKipC>IkKnPs zv$;Ehl>Wn1{5DuW=52jvos?L#Hmt?>bN1VX|183KtWV;LiUW`TuVVpI^lN5@%m#8Bb+6wh|A#(6O|E(_DTV!6W9F%T0{CIKC&*5! zwZzKHmRU4}u~K)~2pkLP-8^q+t*YYfF{!}(@;@%$wB9Ew_QZGWtP|$)4pSe}XezZ} zq+({EjNJ2P{F|u%d1!z7i!$FS>Egt1v|PVUz$KMWAD(iTg!5Smcg=(CJEz$Y#z|KD zZ7KdudLC#E!t=zmEWu6c>?&Qt|2Rkgup|ET)j?yhdY^un2ljjMs8t6yc|l(|`$qx( zp|`uU`$8*w-zEC5Kk_s7Bbf?B%edHH$s7&aWPtnKxT=_?JQhBWL4+FBz(MO9r@v0% zRXQ4fuPzesqP<^ZZf(}5`~A%M4ehFK3Kzz8yuY?H5^+~>BR#X{>?gOfsmBgI-2<>9 ziywOVUoWn_xlI$8H;YUbUS8h4s;x7C1m(9;JMNRfq++S!KfSuTI%{enxOs2xx53=! 
zzPY+Q-w%2>^>ii?1~2@6YT|ADK7RbTReRh!(-VN(IDrw($SAMS?8pB>#H{s>*ca!K znj{DNIx^AE*^Zpeje9n_vAFlQ5pccX&qTRqb#d?Czi)&A2;Ro6edf)#7yfQ3e;fW^ z?H6m!BmL5N;I&hnD-QGV@^W4*+R{PUW%wtuC9dOrzci4VETaZ^Us+^FL4z?J#N#zxrFC*<&DM7Cycn}47qu?sQp zhVRL>vYP5_>y){UyYmeE!>b|J@pGEexz+sTev|gnFs4qXI(eozWW!e~&JOz5dQApqGnDZQcMj&G$*oN0 z>942DA|Id@d&tQ_m=zOb77UY7QI!9Ma_FrF#!H+LHijbB<$qjn_qxNI5n$cml6De3 z?3t-Re~V*!I-h?J_Y3V8?OiJBr@B_%tnU#h4)}{Wi~&A~|eP-}Imk z^D+qb*M5FZIk(!ZXOi^rmZMekTlWqp8{?nL;3KtxBDFh9JEWHqcV~^5 zxlOb`Do}UYgcEjJLgkf~Rcc05eJBg;sZ@#Nb+}vab)kVQu3!fIK>eYp_Ul3>ax4{I zY7rPy#8MaAbxso0lYZ>+bXL7^GfcMHFiG@6S`91rBKxZg%2P$&Z|>PZ9#O{q%_~mt zucOUO(@DfQWw#WaMksdXLjyvpGiyGUq=~#d0XGdWM+tBbKzee3yw&XHuc0=FSuI-j za%3}=wP6bzVC$4NRm*0nvx~D9oZ9arC-1TP<%>#Yge6 z^?sLe@oY3qM56mlHlf_?E#9zkD{J{+1B#s42@Sw=h}8DEo>7sgF=R*jNUX8sG6YJm zMP9y+0}xBGv`KPzJ|Y=9?c6?(y`F{|?Xz;MgFWr6;BHPYGp;XX8GjBrFh{>;He1x! zemy-9Z+JFaB4ofn5gHJ%x)$jq_oO~w96el!b2h$9Qnp84e1wu}DU>c_(3rF6y{W#h z_sMm501(<+mXDi|fg>n}f@^l|(>xp)Obq5S(-rSALeBwMQD)J#=d7@~)Y=z~dEjo# zWB2-|j~!DkP+E8&2oFF>A&ZU+n>MfAE`COM3I1QKAaNv0Eb}2slh5SNeir>i(mdtR zb=+EjyEG9Zwr0tdDHI#L;>ZAMI>BM} z1~Ktd_E_ZP{rkt86S#t4$JR;yAb(!+w*KS&DP8(+`Z2Mx96=r%Iqw_QvBhvKCGbG- z{)bV+Jgc*P_3aNk`&^W@Ap?76FK~Sr&10Un3zS5a+(IAH?UC}!;wwmB#Oc`>J7L&d zNqHLC@E*r2m(!H&?A1=o*iFkU)yZW^x|K=P8OC@B)h31F6~TXN3@@sGZ@~H|?(d(xF?ixSUqRsWn=vJts#NuHutRUw>0$t?7;ktuq3C=-k^j;#ipl`u26gmKg~ z`C#lKq4AM8gr=}V!xY%BF`C7S<*z-`n?0U+wuKa+haqCqrFJ%W!)X2PHZ(MV_?*0; zyx14M(+X)C*Q*?}Fqs>%2obb0$qq}!#y5$kn!MB1udc>0ft$Q4UQH$6^oj0M=NzjI})`E0ZgO4XnB@I}ggi2(hq|xnb+>+>53cdc!v3u*X(B6Ecc zq&$Wu0|k!WH^lwY(~ooP7WrVkSa#T?TnSWw4}G2UgJ*i+g3A?f56;0nglT{WzkuuY z0c)Jqk(20K3Qms}4C105FQBgQp|PtGLDb*0TkU}dq55F9=y#=IOGV1FeW&X^gotJD zWFDZ>Ucc@`be^c=#ho|zmKe+H8G{DE8)V9Dywa3rZp4rez@(qbL3xC${}kcqilj z}-mZTjX;4r#MgaN2}AO!~jnIxi0 zkAt3&!qhElRZIU#NJ>5#AX0Ly7P-RK$%e%E(Q3mIbE^JcaSep_N?RN6F-K&hXQ2TO z3#%824(6=3!-Blx@YN=P|Sodv;jRJATRo)J65c1CJO2 z*0nU#YP$P4=@qaSM$RX{woIcm?2~x&l;7O6gq!dZuPXqnaZ}Hl8g-6QBXI?Srh@uJI`e 
z&{TeLcj;_`vkXDKE%TJ708#VoV)WG}LQl{#1oc=d3O^z#}~w=$Gy5+@`W_`jcM# zxqHV@$cAXlUgd(E^2)@Nu3r|2_!9UV^<|QMH>-@h9D@+nk5Fa04Z%6a#&?`jUL&l% z4>g!a;IU}embfSc0D~B3L}em%-=h_ z4hO&tQ4f(`J0Izh&X49Fy?o2E*l7&3WpFDjc_3@;8sNUss{yE%=V?qk?8vVscPRIG zv!CFsw{bY_2ZLC}Fowr8*obICIX|3KsLz=^0^z$R3^!T?XK`+^IbrJqQ4tXlRoWHM zhO-$4dT9?)kuO8afW?UZ+}Nqu2&?#LZ~e2t3k(bAVMZ5MQJ3pNhd;{j)(<4V(_1!a zo&wJDTaomB|5^gahe@sHO+s-72+HuA8pGLWS#W}l)$@9~51p>5(`odrbOv4ftJT|_ z1`D3Ez)r_Har0*O8QV~$vGCS-!qw<-RdRG6#!z$r*3dv)RKwdNrm*yw9k00jZ!!6? zl4H8o*;CIp07ZU!&ax&5$|iO@CDTk4og#T^_?h_ibksQAZTpPvW-%_dVj&gv!;tKS zM@6Fo`hAz)IR>F>C^+Nu&ja;C*kp@F*#) zxZPZ~6~DoeS)ILTjIzZf>O?olM|a#>OhVxe+0~MWtD#61g_e3x2c4n?%UzZ=hGIR~ z^6GAO(^cby9QA5L`*i_~y!AWaO|Ja%upP%UOMRN4Fub_b4t_VtE^q+t(C0MKdhoC= zj2AOAj1l7$ksV_M$z55g>43@bF-oBhNbd6}^a-dk5q0B)%9%!S&FazXkd4Q%MWdpr znP#P6GtL_V?P^db@Ww=xZOQd3_tz|?${ZhUts&nk;h63ZDQSLCukggH{aW^FYx?w}!oX`wS(TZ-xLOqO z28^lR0OtI`8+GHS$k}PL#o1vl?Y9iP&QtW$m=D36&eKOmhGHJ07Sm1qVG`1LU5&7q z=3$7lz4eE!I>w^t@=i2VjZ9<@%AY&0FRNN)$ThMog;N;UGb#^j!33hZ$4IEY*-)(J zJQwRbxxDtAu2`58Ro&=cPOI^MV`d0v*Ykpm1?2@njp&nKj!#z`dWV1lyw#WYC0@4K z0;i^L_p(|PX4oCK_UyXQuxJdQ&1h-0FNAR>ZZl|locu#uvc zgR6$wVPgbsTFpR-9CIO)iC*+tXPuykRxA>P@v_sp%Map@TOn+?qV#doShdr73yA zV=#{%qG-lZTLa?c_4i_G5EE6Q`Um0fW=4kF2`}IEqdjnbz$1_{Gi+QkowVSnsaGh2jlkh*ue53GNP01~TRL!EqNc%S4&P=kXDyr+qfy2O*{hcM7T;_qkcIH^Luo zB`@-x;n0X>HKL$`+gg_j>1~cla}pLnM+#O`&)r;XQE!bd{`_hSdx) zLx?q(=Le49FuBM^SkDb<0l^x>bRv9Ptzq%LF|{r3Cw4eOEjqjpj0?^_#8j3Q!K>#r zE)GjcX4VwTJlI&nehht|I2<7$gl_lx=$s)K zo|Xqyi`#~pafb`n-atwX#>q-dmYroAM{R*9$hiexkm3oESQP|u_i0Ch7FHi6gl>c( zxoX8SYsjyi)lY@XXH^+oi-)S=4SO>J=n};;`=c7V-g^kSydV$6EEuh&zOvR54k^n20~W0qe-q&K_ZYHfzu^;`0OU9J z(*MWadxtfBwST}BLlJjz4}?~R2!e_%nbs<@6=X^PMTvlbjIaX+pGs8(WeOyKvScI3 z2qQqPATubC$VyN)Aw&rwh7fp9P<+bJ(&u+w?;r1L|L7G%^36H-xzFd`_x;7W*9bho z*NErueR<=5c%k+dxW(5ASats|zR@o$iUF~L_Oi6y^U>P>VIe;t|Kt|Bx?QER)#Ii2{%R(9lblMj8W19bwWxup|jawxFVc)O9EB~MP-is5bicSCb zlT81%#seS*WAk=(rq43;`rF681lE>)0ldq6$71CS_y1oAd$t%5_D>!Y#)^M-nZN*Y 
z0Py{HKv@{S_zoybx%NAtEaVZ+rAzn@C`<78JD@Bh7`_9_cR*PRA4}i)4k$|%qVIt6 z9Z*(eD}2{bz5~iq_*nYRcR=|LC@TaMs}knHrH+f8Qb=_Hgqyp!x3|;8RLVzXw@!y5 zev=%oG${iEgCad`?NM_o!ZgR)s&u6;DJ#U9GtK4#y_dxoeFGV}_P1X_R&I23&5rHc z-6b8~fdZnt&mZ&@&*CpQDL=)xBztf7MP8O~Qnuc6DMe@!5>@PE1UcXvjikf1H^w z82IM{JjqG^J!ZCTaYIIH!DcDjr*w@NcBpjJy|+5`GmJ&O?G~@>Z~m2?KEQ=!Ex`4| z-`?YV99hEU46A*<4e#I(YIEAfW@O;eT7==s6XJvJ0bkD3U3UD7_ZPEW-gTe>dHeS5 z=i5dcprJOp;NiUvMcwWRzp8Fqc}s7l~*{ zi-IF}cp9>;_K}&U z)){t87?y48d3AoQ%VJOD62@D*6*x(I5=It}y2_R1a?p7lj>5=(NHARKP7hoF-o^Ib z439C8%Xsq^(r@P;4zo(P9$#Fj7o?eRNFydxT3zN{$4XfU z=?wO%5S*BeTfDSpZv1f#1DAp3K$8`Z`#U_q$%j|^!R_-*n=j|HGp^E1*jBS?FY#ge zO50jN)<}SwI`h!?OOopkLy+f0IZyjjFg^4i={3KIOhIs0xVP#p36I2V-D${SHW76l z=prh7{ox5k;A#_9A{WL4b{@+9b-ot>IJMnB?R4in`SdM~l~?p6a4ID0&aYkgWbm{f zx9l|HJgutwMaRn584R9w+z!8lAzHUS2}^3vNdpabRQ6r5VMW~Sr-g-u$)!3xIcxOO zN;w;N%L2g;a zfOowD=f=D|t$%XyAHVjz!;YLAVcPu(S ztM0YOP#m1;J{_=OrR6$E`Y+(Zlm~@V7Dt=z?6`UWY}Dq%gU2^ly3ytz0cttyz6%N#Qs@y1CaX|6THXzbQn@1M+dOv$dP4hLU=@WJchkT*ZSVO`L4-X@3 zO~u%)D{r8l8wW`tv{ZK(EhbfE@!C;R#q9M7#BA}TWyMPOenYJj0_rjy_FwXuKlZOs zX`b{;IE!;_k$6r(o4vVRZSlIkj_peynBV}eX{YQjg@OO(TZ^A_wH$C7e$#^ui!ao_ z+F*wWxa8l-@^?(;97>1C;qJl>dCGH4Vuh&$tpwyi?jD@g*Vi|=ef##w>OAxZ#nQ5% z+2uLVY7{b%SQ7|Jmo}n-RU`+BvlKYxBNHfrZ*xu%r}FOQ6PdZ8hw(iOXQ z5W04e8-dZ#G*Y)jl+PWwT07V9-Ra2`sY$KD2dSy40!pCI-AQK)CYI7!Bp_Kz_Wowp zg4zX$NN3*9g`c_?2_fBT8aRzleVmUpx;me0?EY}RZ zF^s0ym2cmqvm9{dmmzajtd__%+!TH8ZDOeOo-2m)C4Tc8{)8pfW>z0iw8XI_1^mSX z+P9W}>mZPoPs$E*ge%gI>j6rE+!W0Y|5Ad#kVeSkTv{HlwFe)QGoARq&0P~f)U|8X z9OZm!X9=f-&ZA4gb*N$YV*dY3^tDN@&BNvsZ@7lOJ;naymWTVy8V`Odn?yj~?WyHU-3#+u+9!y@NB8WZ3Z? 
zh>4+BJcUjqzhX<%`fu~qS;I>HV;P!abBum(9jK$5U{{ZW`p2fx(QAVz1*Xmpg0{|) zsP>Nsp4?v+ddYe{0qZ1(z_jW#(1^a!b?|-*rq56HL9^-by49>UYlW|AUY|}l5;Enl zk2(L^a_$tG6V$qtUEMEUeA{GUn6l1})8XFrc6522>8D0JOSr37{64lz3ayoWKZz+d z+%@r0bNJgosKb#)X6F$cUOKB`WoI`s>BkM4*mr4=0>-{3TqgL=42HHS^sA`mOG`^5 za5{{%=a;_CHq$4;ZBjijJ$G!0TmNu6I%}RYnUb2?t&qRt{*~of`FfmMN!S2rgW^ea z6;~Saa`gUvJnq|CS!Fs9jK;}N=kCodv0U(9kuiH4cDRf%@|6_0%AISkbrnB_<*?AP zW0<_(mtV`L;{iR|IQ-B3Zmy9~khT>pC(_2o#`{p=*UDji)vQ2YNCD4m@@+IUMETp2 zR?Pt@r3J&8b1t>jYa1rbECXz$zE*!~C5!}mQAC`@j5*G=rGDMiVk>vim1F~d#N?K| z6}udka2JO%&B8$1ulwudw~u=vyewgPHC3=r_J6*DMoT`v>_vmDaRcV~DA$MO@8P#k z@xPR5)&mf%`tv{F!u;v~_j?Q9fdZ~8Ra5%*>3(G!UuZP}T#4;^FJ1m`q>TcSQF8O9 zZ{ys;)i0&hcUD>Eq`$MuayRokt9)mbe?qp;5ci!`zO%}AR#_@-SNhKX_XJR-8^L<9 zs)CH+0$nW6G|DKV#j}ea=Yz@QO$7vt3#A*yvsIB`?wnhk=eyev96j$GahBD0xwphI zzpUO04D3fhNn6Kn(!IcfK)zb%OTIv|OL_(7B|dcp!|&Wwz^Jr%t&VF+`Vr6c1%#~*CZ((4ohGg*zBX+->{lUvePgK^BPRc(7=GRipc-h*RF2ucP|Z|}RMTvp2D5NFn8SMh zF$EU4e-GhT#B1En5NGdI_47?mRaUox@@8%)rER(73*C@>Z*d@c`LnZH4_bjHgp@2w zHNclwZqZYE#UwJYMPsZ-D-H{SO@iPoaOQ?TSmaQ?T2RSp--da2M_eWM-ms(BaJDCB zIG;*xChKq{V@TMTMF&XwVDi{K3?( z2T6Kn^F3yt`b99%J)2aIYR2q-ea%0U|IKMZg|$r$r)3PSLbaU=s@4bxcN~J8FzVR8 zHEj0BORc*MGv4GH?lE+~n8eQB%W~{UV6STvqlRt4B2pRjGn+`RakOb)-02^b4O zy5YATQ1qV7X#-2d@_Bj;qCJd2cWi$rG{l7nW@ok?D(ZTDq2^|z@co23&M1mZjX_9T z*?y>Ps9#Bk_`fK+64@c|GcIEG#UlFrB7ghK;TWEcdw1^gWr9A=4c=GTE4}n{JJJ5R z2hu3kd~DHv$->vcATDFj1pP9o)YpS=d=Mt<8am)Lh$b-0OdooOs7wuM`jgmW9>yKX z2z{SJ_xa-=J;YOfmXNm#^93hgkZMbEg-e5B>HG!?bmEY*94 zj-W}~JE&HGVXMY?LM8#upMkQ7`EV(o)t7|QjfTGvW500NXE3_YtM5Ssoj}!cI80%M zDr>|;(=c+oL|G`tW8(9N0!p5_98g#RtJhjZ_v$`7`T9Z?5lzlW!CT zg;f?q5W@1$HU?cII1ww}|GBPwRm?C9^+V$$L0pg_Zoj?851sO2Cw{MO3}>$AuDxe% z$k>(9=~Pi(0veO*@y^%>W7@OxvmrD0ya&gdw5PB_H=a7pj+Eb~!c=I{5sVVssB$l` zo7hw01Tma1&9BHHu8n%4x=|6W)|li>!nnsbvLMH8MyJqMRqEl@A+LmV69?M%CfbMO zVY7c|Y!D_<9>uRNFs?pB0zIk*e^Xr-u2u^R*Hcp2d1FrsRigkXQmYNwpHsP5@Cf~;>ciz^{Q8D{s zFx=cYfF@#EpGl0GXxWBpmy2q}vAV&FHW42mko^T$j(H+MRUe4%+5z5sn~5r!+IKK^ 
za!_q5b5Lm$m2v+8Y~g|yx{v<`t`C2|@k68OfssX{1{%)xfF{@R=|x}?p}(-_p;bmL zDbI8&iDpv|-A7y6C5=o6g^9eug5QLGZ)mfG~;#DXG z4VRAaf_`Z2aCA$G?Vw7dXZ~(`qpGZy%o8ge*>r6?;JVl=sSRNZ_;UN{o}pKXH|>?d zP##^cxP(l=FzoPg+qEM<-mXXij zCr7O(miv%9pQ>7VzWx0mGOss9BS4`Ok)2FQO0_Ah$)@TN7<;B8=qYLu1*cV2W-e+z2KU7;q+CC!3*eO$t@{8(VnwUl>qmojvU- zJJN@PmbzzU0>Kk7aVtQqcS~xvNB&qMTcOpm)R9ZGCe5;9HS-#l)XuQw+R%F}9f~!s z)d16tuiA%$2m> z8nr^c5e>)RT)(jlg4d98S%u+ z)F?p-(KH~?on49{k0-esI5SS2czqSypE!d=#793AB3P4#!>Q=kBGw)S_bjJ$Ivelb zB1V;2@@(3tbOpy5!*WpJM}!#iHpL?|$FWq2>c+*>qT>1ojfPXTgn}a%H&o{a(?SFG zN!LuV9w2IY?vT<{N(Y+IlN)4684X3z9Q7{;rQ0FrIN%0`LB*k9#MpsST1LfG zM&lUKrMp0`aqUUuU(th{nV2qJB~UC0OzU-pw;3A4XCz)S9A5WymN><)kYEozkokiM zBz{q7P4=c*Kmuo&RYYa>Bc?mI)+Bd8ay;Zp|3qnaB?k3aZsb1=kFbFQm~-(PxVz}w zFnlntqdiY=8(F&ofy{=Z?~Qwbum=$?bT)^~U*BaA7xpVlpY~TB_Bgbkw?TWeBiEiS zR?*Jm(KqVNMbG9*9Vi-;qIz=KlY1J%2al7ZCnstkitgNfDby*SHipXOE}P~n9j$2_ zhq91ps4E#bOP)|EazDNCx-(APah(c+!jOGm$a$a{UvWmiE8)|sGhL3OqiP-v50RcvaE zW{u3n(^g^tAmt#CtKM7whPc4=ue9C#aMG=6pq1|r{Ki7OaHh)B3MHu9&$it^n2}h`v#TL;Q2*u=WAAM(-gAD!4`=UL#j+E*Xe}4o9Xx*C& z+%4mVSgiOL4 z(0iaANM*)>DKpq?qQ1&R_T@5X{wb`%E{VeYjekrx2dcFC{ApWV1}2LbbDfrU90jx8 zo*oS>YgwEOxp)&_v>0tkK{Zzw=|hXpW82Hy9$-%PpkmG5F?>0>(;uZQp-NFF0bZ^e2^KnVYy#IxYu^k%ul!-7?`F8bK7_ z-k0g|L%%me)qbRbF;+^oP&ntjABQlaeiR}F-WxqKvG4LdX0$U+wXZzs)j#{uHuDsR}sBF*~2DFp=G zy(q6L?j7f&%w1~J__JMWGXqxVk2$wwR`2yFGbL!%nqt07lchZyoar$=h3XTM5SvC&yJFh|o(}mu8ErqBs#{i)t8VfrGEyBC_2PM(MqQr}qQfq5jFa*~WvZ!H zjf+49XEt$6UwJy~Lj53fFrK7Hdc-JH9uR^D5}79J5u%;FlifKUx%Pg+}aqCc&6^6d?VXWP2X~%G@(npM6 zsMcIlx45>#l#(BG3m0RgHk21pWW!o@dR#5*7(btgi50$r<;*+O%pTl(x36pyXP{M& z;saR)4cDwxXS_9Qg-W-rc9$7xHj!JA`kIoZD_o-Qx{uzawl9JULutoT#g* zUBTPBJKY0VAB+wDnqC33x2Dqf^a)k8pj9RwZK7|C7A!b*<|J8rGYO11V{X`nidNpW z_EzT2_3D)FV$$y=@#jbxB}5x`!&Dwg;Uev}XxtN*fYGyO9jApBE?`+&&oQ37q1ugs zG!e~(piybN4a|?(XH^kpR);oM<_Y%%hO(dSC;02E3pYSn8#B z^dkG2&0@i#;!PhfUFGLkyl)cQSPzsnZuCT()V~RHFx(qMZZ19VK?4xo8kI_M1tVu} zT5sS!OxVB}>%L$aOpo?Rma;l>3qh)JAM{ckcTDzk=?LCZ*)<01Vok)G^JD`P48cFL 
zzbb~QAhc42y7DsDpso?rVG%j3lp!v62F`9a4QK{{b(R|%G5WI7(q8PHxDF!7=>a5prWsAa-2#jg=qm-w>*2ZqYR}& zLyWF_7j&w6rU9nXqBseZ!7e8ME*Fl__0ikP?=2^dLxn3GBRzthbRGX%cEA?__4&nJ z3E-(XMMT&yNQy;n*ni(D7jkkk8S+TjBl%Gnl~2eWfR_7@x05TB_Gm&+IGs#gmy#3Y z1$59X2nwIdGqANHNXD-05vH%5bNep{TMHA?_;aIwc=pKP7fv^6yP*jjL{y|QUrPA? zb?H>36vAeMCLO`oI-S6)?~=XVj8NF5}_tXz+RH;S|Hsh$m&WtY~N7 z_ct>n(IP__@f#SA$~GQT7_GcX9=_YV$iQhR>6H?7-D#cKld7>J9}o+Tfv@7`SM3G=>!HQG>|4)q_U?x$`Cy!O(5XigCnLeKg zszw=~(lk(sb5NSGKfHQ`8BiY8;^ZtvgdHu_$3Hwm4u1+Plwy}y=71uRQQma?XigCN zh<=4%k+tHpibSrAH5T)f%4*XC;W80tD-E?>nN`p!q$YU+W~zlAfp@!i zI>29v#oJ1|g${^q(5yOJ2{mR*8%84bti99_w~<0lIuV?22CMEaaw65GWwuO2BXAz} zR~?}20mb_X)sK2!Xt1;o!&r)4ds!ZSgC5m0j?XGu5(CQegHc-*HSTmb`-%>0K^H9k z>)L2TY-KyGP>{UHaTjZ9b>P5JvgTQ9Lai^aN`~I+3*@OS>pegN$8zD^r`@n>t^57Q z#Oxb*{aTWOVwD`d$7@CP(qgj|#gFiSAxz#{&@2$<;%N>3rGf=>e%5Ubb@!sWv+8I z8y>R2Y|KtfP{YM6xmWf{8Ed0jXVyYHl z+UAw|RHKJtRdC`!=%80lwGPGL80>>1Y_x2DZ-YmdSNbB8bD<>pulkAf+PXPGA*9q! zXMsYPo5p<_{U6R4Q0Af30ht}8AU8E4AzfqjFyFO@Ka@dW!D|KWgFSjGkx#k!$yU{^ zmiFnZ2da6GUgOD;snHee1eX30!{&e-=DVm9Q56h;9-#+kl zc3Ob8m8f+nnL%>C5{DPxByjad{b4B(6JrV4_xi(UxPJ45%cIL#o!XiWx{%)1J>=Vi zM=;$~u5GhH0C9U24pgq9OeyOt&|Ql5dm@g`Hi#nVru3{U z=SlhAaRor12}5^ZkrLfdr=xCa&*j$}rCduCej!D^cQN2BxxAhR#Gp^IE=vIFY7(MQ zRMUvSpG$2hh;xEQ;>vv(MobHMGUT`5wLy-B^*;I)9uxyJX?KYcsv)teAgMutYJ)eS z>P^+pm;?8S;XoW28}4o!U;dK*gqe~fS%IC2nAhiIAFI)Dfl!*bfAF|R67+E0a{Thp z2l+g3)25l3v9az_HlqdOzfNK~#IY=1jiV`9be|y5i2bE`U*aVzq zP&(xjAGm$V?!2DD4Y?XO%zt><*|mE(O3>-uT)k^iijJq~e_QH2f1w0cbP0Or#$%E%UqZSYFNoChE5rI9w z_T1XzXu|t?G)7yub^3jvsyP&N@oxh|9Q5ZLYE>xEU)hB|lo(>f+q_qkVD8%3Y>iv_ zFXw6CZe&zD-=tc1rOf?>$YuuwgAvS>E&5maJ7DkfMZf%end2n zZ=BKkn=4j&Z*AV3fcd$wN@(edPxA`N&lw6E_bJJ@*~Y-F1~T<}_sTfoR%jusS*dV0 zp>bDCw=E%AW!YMDaH@vmVE%IV2xzOF83)*D1PrEirn9O3vxl^>eW6~Ag z-%f5``fCf{u{sWd3@sSjQ(yNheBA(>hXILPzzW<%U#$fy`w|*2LzTaOCS?ndvFKQ% zg$w+5>#F1ezIXGU#v->B^YJp<`%aYaM49L9Z(s25obsJhzH`dA@5nb0{QvFi!$&F@ znePR#RKNK0&UZ<)j12xxlauPIgo{;W;u(B&p?*PX2E034c z98qU=k$WZ$Vm&j2k>iryvAycgdCPOlnlg)-kVE7Cb`Pe#zH9nZ(- 
zpT5l9ShLyW05C(>6?AW(8)z1LszY!aL3O&q_D;KW{h~A=v0K zGwz0v(9Cf1XLYt&hbS8fzf}9;7kQ}LGn^Wq4e~drsdpt2Fb zlGQ1Iip;I!uHf}|FXRHGcU;WE&*xp6I3Wpjvu|I7)Y--`yYk@W>YXUI=wWHoFF$Qk zS_x)E>LYshke-Z3tLZEm*1Sk%9=Omm%Cv}Un>##Yqwv{y6b57CFz+Zp-jllDQtNM~ zD;7mO2>!;z>;JcBmHoDtv#Y9mLsYSN$7laweIqw;GC*!R-5=)sQsuif(=DpU6t~P2jpo!3X?8h|C#tm_|`M`ZDtyT|B1t<*RE+sk;)6^a%|pQ z<`UJctR$;;UJjF;4|r6H@OfrUo08RW4v%?rXy+^FSx$zW#I@rgkA3DD{M}mMZWeFj zr0u`p&i#iVgTxJv`{B)HElvQ5L#{B?%uI#jv{%eri86=P^Vdy-E2x<;@HiFKH!;zo zCw2TLecr8$hxW9?;ZNIDYl!vwCqtHoU% zQ4iUNKBrgm#W}W9`2EM;kdX9u|KzT@rq9XxbnDfQ<*@32R!>{hpuMuuyf^sGORm|E zVfU0uTcqVy#iZ7>ADI8~HA=JwX~8c#?D8+Hbb&9qX}H>KJIC{KO%mxp&1#gf%%878 zxMqX&p9*YLVzoE0LHB_C;WJX7pTCN0KQ{-69>CB4gTaGr6a#$bIu>inA#f#%w`?X~ z;llm?c`HFSw-PtwyjpMUm<|ODCkEchUAN}1rP_@Yk8juuoIlaT!PEU1_+_2%|FE<# z?j|Ih4SrmfH*y)%1DrsFpS`#(G#$=n8N$CxOH(M-jYLI4xx|=d^^`S zE0Htv0Rz9Xxv-YQz$g`PCsJ`8|JBa^#Q`E)B(INQ2C*Jjo52uo=#7ER_dgYFB&e(1 zu-O#!4~*Eqk@dwmgb!9t_at^#_0?2Ena^mTKQGfMcMghUiO~E_g&+hur zW&P>qC!7S!8ILXAa(q^ZAUAZXjea>V9r<>(J$Qx#+|m zu0s+md?@87*Lkt&g!nz)W1r!r`4C7*?K~y+zkrQZ%Q~fxJvXTb?|$rQ{k3g!-THz_l^s(KpoDg_WAIbb$Jr{e6oPY?l9>*QN-guva#z3dia>#7|h#mkJofzceA;r#3niGTrC1ajyieT(<88qKsNQk z^)^pu=Maivk4cBFG-rDF)Ou|S9p5+zZNiN;epHFF)k8&U-d%mq2vd>Pcgob?dRS5~ zQ4QnN-sovC<>DRNO#;UFrrUn5U@~Uk#b5C%2 zjyyYWndw)(zlyIug8>`2ZtcSLb;(Y>aVR}U%Ua#JG2%|FaIw8!w0*#xSTXA4FF&@r zAqcK@T{9w0d(C0!cEpT^7#U2Bt`<|Pdutnj1?^{Kk#7zC_(VuIp ztgZocvNlMYH`=}>g%0mWQj+6sZk)*Pgv>}pD3L8^oPwX8%hq$#PRhtk?6@V>VQN!c zDpTL@5-(A1C`kGpQYBPOE)0#*id=I|2Ye3t^kSEfcLbgnVn)76cbd6fz!tSC4tuRk=|5eb>zdq9B{V%=>R&L>ad(z@~ TLqZz#%b=w1kh1@p6z ziZGv@20ZEYk%4c@3+}V2+ZT6rd$9$tk>jkQB=yfS?yELblCcXrZqTi#KXfj202oCu zG#p>CFUG}dhW=Acs0-&m6c)FnumrW5KL^R4*} z1(=S6J-p@JRC}K0&SyyQ-qIH)(O9HrT-jfk*N2NJYc=!cx+ui8=Y-&@KPd48smMIG zaM4Xkn#v&L%_OU|^<2@`MjboFhQ>c7{!^K*#wA@oXu$&{&9zHNK3@e-ZyVE&5O*q( z0%_DKt4W#5Nrzd0I~`40E&XktIKjQo_kEQI+Ouno8x1yQ2jvpEj^&8M3yMimZZ?NThyx^Q@wRMJ2%xK zs=M;dh|e61?>Tn>&hm+>Ps2yMBg7C=5vZpl&br~`USYiv(->{k(IyAsn&f?|=)U8u 
z*gxqbgAsT%Rtz%VHVNR5|`=}Lfm$$K}fsZ*;w`MhJ&)ZqD`yd4*e z%y)v^C1l>Tb6L^yDFc}|O@yh!?e0_4}5g!75qvWPzqaCycaRr1;7JYhC1bMna z!&Dl5K#n21&Wuo6kDwT;rYq-XPj-yJ;N6q35twdRc0souzUaKmR2^I&AIe~#scpZj zp+EJ+;a!KWSL94sq*jwWRE#}AxiVnLc-7_}nirIRe%y>;iIcN$f}`I>F-3|DCJ$pw zE3(7l0G#{q`iAo{-1$&Yrke@D_j z31&IHZ=d(jqe0Ee0VfMk9f)hYq5=f`;Xp2CKimDd$y$Bl`v24-{KWi+qNq7e1+`K$ zqHjd1gnTr0SvHzXms$i;!?s0Ry{_?Xr~%P0(pyX`;m=1v;49f`R-VAOYY*qxH>MR8 z^-&t@G6=(>xT7S<^oGVO7rX!zPY|?+_mgioz8$#9n^THE@A2RW+1b8x%9Pz+n`%uB|RFbb=Y#O!v8eXHcLDvQ|dgPOQ z>Ji2Q$saG<;d9pMweH}LAEx3%V<}T3sk(TBilYAULur0IqV2TSMr@aXi|a<-VqLGP zYmrf%+i=+mDHcSu`<)A~n?g%7OSOw4N}$w>QyRMq@N#zLA87MnK>QAV8HE)E77>1 z<#^m?W8>CAlSzst8!B%!(&y8ImZPP8XWFlIJiA3 zr~;9EdRBFuMz*RIoysWd*O*d1>oVG5t0#8GvYx^-#!>uwbdW{m6bDwFzmIQzLT|d# zY<}>i&qhlngbSv3*7z$8{^d7t@ow)bfs-|RtoYR);y?q6%<%YIViJFCHa2%YMNiX1 zq?ZgmzMBpjQf7IQd})nsQqzA*N&Gc+Xs%s-Q>I#gw51QFpyEKq4|L*yw##fjXiFmH zl4q0OB?GjLfir>?S1Sq%;(!`p*{a%g5a*zHAR)0%>{O{%EitszFIqJsN^?fPmbZDQ zsBrPmCw@SPxoZ0(dg%qRNlLx2Aj+{&j`H#vo zYRnGqI7!YV!x7az8Nx72_2hGLi5(#{C0ct&x@Trr{MCpnPI(?)J5HC|Ck{X>c(jsp z9)){dDGO56(dlC9@n2kS)|8OME z23NX1KN4bB*rH!*MfZcLdj-^&Xdh3HljwkE=UGD8=*;tyr?X`2@0bz^+4P8aVPbH7 zkMreW8}Qd3ls7P}Y=czrM{_cTdxP?4$eQI?y53RJXsw*)z5ru|SEioqJII<$=`JK@U>Wi(*MvUPQ9Yk)3;<=o`f=99 zNvvaMbeDQa;a&tB3YgQFP$yQ2UX459d-97`pBZ1dX=com?o;IJlD>+_biI&1JGrCC zXa{?QmF_kJk$Ew!N{xp;}?CLXVEWjFiQX#5b zfDXNg^x3C$zMCen5pFa^qJBJ07q2L`@HfUQB>noyHtbo?D|CQH@MjZ@0}gLFEFbRj zXRkC)$v~Ms(b5L`&?ug7%io8DToh5uM-x8;dz=R;KfgKY$sGV^xj&dfD6@;nYj+Q5QS`p`7Pw*lVkLfT1N!>O4m@4xde^NTps(RH|r= zPlz9z6`ZkoG0oFKCY4djHT`*m-;gd?Pw^ZfUud~KE@AJO(j|KKU5l`QlZwe9oVj}P zBejro4ylN^Bce>LKOVt1HvSw5{gHRCww-FdJdYL;9Vo3kTx#!BN@RY#M&0S(T1J~0 zP);)-4wnf~;CNiAibv$1K>~r!E%4+^J`U09Sl608==F`Fbn8~#VL4n0Dh4hc=!}n^ z;qxS*jH?^HORJ?`h#JIERlVfcr+f)ycF6N5@QFrWjM5pF&7I*WO_lTG4?<%d``s^_ z;gm_x)41uW*KfxYC}sKK$z|xs4(@(GOyadC2kaXw>_s%Z1oXnY{3;lcc@$;-WIvw} z13BwKp=!G3NuPE(n*n%2-?YR-p%+(RdN;G_gUUm@McHoU`)f44rfR1sYS1DIENbI^$- zlIx2K$BH20tA~v_eS@!gBai6erafZ)9&P^==#k}wCpP5rrhNJ*kifZ5A%0T~(RA31 
z2-AfArf5?Rqy{l+iFiCU;S@q+?A~L4$Y$Q*FPN(U0kNx)^PJi&z9a=*&FdEtc{TyZ z1bjxH9y}5I`XkrL)XN){_xM9(=4@xshXGV}pUy~jDeo%w03Az^UO!!(4fVqpl$8|k z@0YH4Nm?IthTWA4)?HG|`%M1)_=h$YyFZ_Q`aU)+B)ltXL^jRUsdhML)4~ZnK8pJT*AEeT{sjp7^UeL z97YcEPwKNZFpm}M{p*1J69arSeP8xEBUOVUdm>BAOF0$mB^7bJapq{qKt~b<48>-StcTpWV_MDPIF_6+V z?Q9AKznA*ars4RZh`WUbamhKJ)o&5PMT3TSM0BGKd^>H8sQ#4AIQh$CV)cVh!l!JF z8RrNgI)2qc{fZOip|qK#nGd0Xuj9sZ9b(;iw6Yn#Y39^J7*i?AX^IzA)joslC`O>8 zj_SrGXX-NdxhJEu{>*g67|MrWA}xZt8@O_~oS}QG}_M zYzYBz+q7wE@)L6AR`==sD)d>_2c!!c8#A2Z680hVopEYIzHCnYh*z6Wv==o?AluJI z*RXgjoKn4vjRn07r3w7s_>u~0i2bYDmQzGLU$L_z~3B< zcu8QR==qI@iC0CoOh&3T-j%`@Pt_S?^~*nA^3yxDTfGOwlPFmtZwjKSS95^aB(V}w z6}@XX2QQBr0RMjT2e5PXDVFItsTMhZ1=SOq2oYV{7@X9Hkl1n6V8?@)cIueRY+Gni zRF}4x0DT?XD{f}QEz>+nf?Yt!e>Ror+aPqsk8)&VWS-BSa?zcMlkF`B^m6}<47Cq* zzkVj&hM!V!C@L?zAmZIq{c5cl4RuO53`=oClqPh+bm%4H#c^ci{^R8ImL``6sKG@2 zju(eW)Ba&AmIr);(n)7r)tezd7K z0%zyN+^G$>jMh@TLZs8C+6!G?#Tmz4+1OaZNXbnqck)F|!#ehe6+%z>pvG;pc2 z?(ns6R5WPF&wiF;z*Uu>J)jr|i&keNYRf;d`GHi}%nNc(h04(T4*MK9TVUP#!uh_; zL)+y`OHKani*-Ok>}KAgnTq`X%?_x%2JvHf_)OPhPGM8R8Ef9S$@u4>gAPyYY#s%YIh;4 z6e%j!-MYiq(@eiR%cHoPjz-}#V`e(U*d7sj#|iEg6qfsYt$=NOADbge>Y{dU+fvr7 z3l%Z#H16C+U}DRg))V~X^dklDWy6EXaXt4k75v}28q^Y^P%1dL4t9!bbRjKPJAbV9=OQfvvRmcrd@Y5Eik4PFe9W`x=LtTS%UxU2UfsVtV2mp?&E4&9VB@W?TimNlqqM}+FuE8py6e{76{Azo0ZCr1uNq3CYO z*-VLuJI+IzIvGk-JJL0eOs|$=6=LyN$>@k2i$KT*dh8VCAbGbqE!f|<&V*2~?=LdZ z$dopDon})ldZpLtSY<~%CaW*#NPX)*QAACll<<>0 z{vd(DbF`7&u&ZoSd&L*;f2-Xk9^Y7wqswVFF(h&Mx6C(XB`aCD)+tHn_}VB_#l2c_ z@AZ?V4|zmlp9W8QOA{pwqFVHK31Vz_br$P}zD^PEXC2^pTGc`-Z*EfgNF2ZFkLwM4 zp^H<}c>77jHv9%WJK8(pzs`sFa-$)VGt@%kC}>HmLO*P_!n)0W%0J}1D%*A@?y(|* zjiYW$XxB;n66&$iMxs2ULG!wa(R^Gs>OJTQIrIK<0Y?aTU|eBzP@c=WY)bouE%N65 zhZ+H=?WOxR|FJD+m0$>mFRdE6!hVEtlEx~SA42@6bMQ*J8#%i02S{XHc;T}Y!`a7v ziY5u-f9yZOA81A?btL!P&4!7wG-@eceORj0k0S~x4vNV-0g#v~X$rQ}L8RP?5%qLZ zyIG?ft58$Id{WRx$FuU|tX)x$IA86Iy;oCAG#xQFc2Oy<7D&8%JEN<$Fk_&jEXbeK}Sd`D(8osR`_IF>H=PHb2R(xo1gPB z-zBoJRX@}VOm}}6*+eZX@J@l)yC=ubux}rP`}OajF}DA=(-5+j8?-Nr;=3Om#=j+@ 
zT~`d4A~i+kKCml5P68OMh6&{JPawbcwWd42E?yOr zIHjqk#$}lFii>yj&C!yM7<<%M#r5_JHs(BcGrh*8hXj$AoQW+X;tV;NIu}xQi)YzI zDeH1`7lvh-LxXL6FavAhMKEEGIYhc8X&+M%BlWKqcEaiG@8_3qEheprqN8G6Yb#*m z2yHb}MSjN}LC&ff<@}<5I0p@1dwCFgnymb4)Hz@~jpo)G&oeG5G>BF)88-u3TU?Es zy=f~kl*YeX^MfwBuTwK_z{fB~gM+WlqSrx`W|V``6d#MIc%Ly$g|X#)j}@E!AeBcp z*!xS`*Telth=t$VP1y77u|bt~A23z410|#;E$TAUL$%1{>oQICnCXgqU4tJ%Q&HU{ zMfyG0S2+XJAXz=lA4dI|ojde&<&DVYw26uFK1Jnax6fBqd^>fTauqH$rp$O z=e#;jqGI{Scd`B=icG81J1!JCW)W#|jPtuhG2(*o(%w;A#bSs(Z})UW?vy*&%ReY=xN6%} z(Rn7YLul288YA_gDFM&K%+t#8p5w|Jf*IkAZ64g>@T{B+M1XZR+4KISSJC(mg(LNY z$WYKol-Ge$i5{>V8y)kE!(54r_83rYDl0|ded1eYXE??N`sl3t@m9&5#Z)`hvxrgk zu*pukZm^;W!Q`aRYZ)VBf!<)%^HQ{{*ub<{k0DRV^vQ=gf9*+D>SGxqRgw1P%uoan zg&rF#;QjEnxLI2#YNd0@VAV-+(J0x~rm-7lPDQh7R7!lV@HdWUlP4HXGeara>TR=h zYP^c+%$p*C^ckv?z*tuzv8?+s(cVJVi2D$ z3E~X~>B$s<*$)Ca;nX)z6Q}w_RWW>2D*T&4 z?vke3nC_Dr6fj82ltIWEi~;q|y=ZNP@mTL`Ly#L#WH{?avdQVR9U9c=lyRtOXUIQm zk-*0@1uPneRej>wwMzLrCEPOm&Z)?6x(ny{b>Zl zB2!ogxhz8`(bHz5maypceDpitT@B2N!f0$wBdG6=BujO+s_jMginz_B30v++&E+wzsmrL^*c0ReZsYmy_ zT1^$mc5!QM#_BA4jQ@Lus@2}n@z&55xE_p{qazk z!S(6g+WksHn&!4yG}7zQ!Hr2vx$CU@+PzEOgvY%q&xlJjW2nW z|CnrEg$So(LE?;Q5k6BqJ;2#=nV`Kmq6-j9V2`0_a6Tdt?|U^jw`}71<#OR3J{$K0 zhO>pJ2pOBgOnbRep!D0sG-nHL)Bw82%P%3lvu=&tu(qJCvAL_4RaIi3%K@6hlK6IQ%m|s7ZrsOq=D-!3;~~!LhO4>O z$iQwmR3k#rEA(3>?4JCOVh#9r3H3ciK2*|F;IYrTVc8PONlr5-o>9nMxvyNKa@{-;v0L8hd znQo=o_Z+yucSxkMcU##mUWD4cl=!1T7b~~b#vf9#cliyjrF)D>Zj_x7P7iAGfwS*S4^Yzq+(dpUEyy+5W;f`gwQVBI@KYJ}8?r<`I@=^MY z^_OPtZ^m0IjG;$~s;5nToX1jL6Sy|(XrLyg!dSWbf)Neqv4o~P`4RYh?>4!1P_7n{ zMA2bWHHl%l!NPp`@P2i(r% zt>>)WGuC#N71QY*gf> z$O(I)JB#6?6CK5T`D&&rv$-`UVE%&-6@xj5=z=vgW-oC)kxSUOq_1yZ=;302oVyE3B-s@xkWiMza_CG%d`&>WeFJca4-TCX21wp2N=0 ztVHNM*QoT(#Nq7ciUfC>RDyOP1=agy7cCvyJizM}`@Ve=xj6-E18T<5wwaWi%7t6S zA6Mt^jE?@%Z{1yDCjrC}1F}ScsNS;L;JwWu0ozoTY&BeHGg{JRww0hvc zucQ-P1i?h)7LYYOnAqFeNn7r+xReLis*Um8`{eCSzC==k;(?A;WDQlt#oxGy+upUy zeJQ-(@LJv$$mNy!m`Vg)tLoB}fkx(n))}`zOWk-Y{lJ5hS3QB58~3g&CAUeguS?a( 
zX2ic%(k`7xeF8mdN)zr$w{w?^*wQq!(~Zw509o%JEQ}zt2={%LcG?sL`LzSmql1;+ z|1PF;BDYV}2CT_MXBNW1boIViN2*TCI9K%vc5}{noufmt>yiv+E4!Z=dftJV?X>x6 z%qdwS8g=5uOtg_vA)10>a9`Uf_jgRC#ZG%dNxZo%{pY|kf~ zG-@3a%M@zXbC<>9{Zh%01B{)CL_wLH!n?&bPhRAT zIQUwzvMDO|p*iD}lplUZo0lzc{QN$1qIcSFlW!cL9%-*Rw#=9N-5hQfL(#<&R$-f# znNJ#{SNhpBpoU#^@P|35+&0mX#oPzk!ikMHVjIBC@@z~`>A|l{uvG$r$)KbrJj8XCsK+tiL>GaT|z%IYFu5U5oPyazUn za>G#tAw&=p#Rn1E=uECjGlP^nI4pP`Xy<4gC~ZHH2+#1L$p{u0+k#b3(`U5XgRfm` z61SDXTo&`_mBbp)nhRNu@=W8&nl>KXBRn(r3~74(^MzB@Osm9)w5yFw`=+EsamAu`u69RMF2?m2j4G zOhbJKh58@56oBK21ufHR z@zT=NUztNk+pNo0(qZTrf3iQ-w;yUL6ahgC(R!*2N6T0HHY=N=LMWL z)4|coZC&>byoyp{Q4fmN({3<3za=Mh&CTT!zu1N{_vdVI2OQ%{3i2q%$0mrwChMNp zy)SW{o;BPt0hx*=Vb{DtHyQf}3bI=8Dfo8RpS=K5QhVLXXEyK<>!uog8g}*XO9Jw= zgYF?W0x9a4e8!Jdn;xv2l9D_IoSh@N?MtXt3V8S+YCyZtlsyjV_(7iAt3ZQA>#oT; z-#ORgwh!6Wm7ai#ONhGzB@NT3YnGnO^*=2S8B0cp>?;K%gEWCI_E9|m65pH%&1^4= z^?5(;}7e@fgiC9wLKw ziFL|6gC;bUH@(SVx>6!!g@@UkAGy+(vB9W??1&SOF35I;WnFzlq?JF%_ds{YXyuHV z{g!O^g2QdHh52H!TU}T?ZBmpmxR6uylSj76741Y})U{3t(!{X&v@Bn*%X!nslSVSu zvJa;Xc$-}Fss>!t2jrq=8t`1rPwqgnjy&CMXImPMb5WCMZpfe@M$vIK-Nf6-Cq3qo zOz{a0=G{(rW{1x*?m5gW=x@=_ON8y_{qe*YjOT%x7`Xy89D6I~qho#Vs!fhk5jf9k6PA3fBVr!>vHsP`Ao z?VLNpf@p$<6yK=hrVJMLw%PKa5k~E=7FC*SU*KPz6WH_)KFtz<0D*hmU8V*aOv`FL zwhXr_lTUXgb89x0t+(TY^>PHE6AMXJa1TgbEUj73ZsKk-DwQpvwk{AL@I=TK*y*ZKQ4chVlDUQ~h95SG z+2JUkwq8mXG%T6w+J8CTz#HFJyT882-D&w7tFQ^VqOZq+Op@E*oP5zI4DN8e zvJDKfS?@G`CML!|hrJ@Acjc@Vi$M=GhaAY0{g;B{hgv`^s=h=m(mwqMks_ zfL~CvRH8oBA49ckRm*y@Lt-3|j&`muO$sqH7)f&aFpBok#g0IV0Bn)495>UQwOT&Q z!O%(m`A@w*2>9=PyENTBV5T_jg>ccn{fWSxR-U8b@4YZA&wkIFGQv$>TzC}B{ldVU z!{SfUCdva)vkCJH8hpj$J-b!z4`p*z%84Up!yx6)z8AHKBM${j(}yJ;nkobc5a~0K zFHV(ebK1W z5?5D#Ig7Rm14)S|zuENB2M5%y>=%Z^UdC{Rv`>qKNE0e7s~?Qj_rwX4xb6E!HOFQY%NgQ>R?p$-!Aw=0Q~!*kUYkC7HA&m%%Xh zq#<<|za*ZSy?1wn<^?qxrfs!gzt`-(Asih+{w_A$PVI7J%o2;jGD|6Tyw$^?uI9eUL(A>X{U>jZT&26byH^Ca)V{zSW%l0St%J4*k4_)oYlFAyR2(p+Hw$(u z6c2}>@s{yf;C;~({a*Nz(lrlF`(v1_Y*j-iA&c##T4ZxU!VP`zUc&KQUu{yU-^`rt 
zk{vsG=DX1miKjZ8vgJ+kC3$=ECAey()19&>IcNi&PtiMuUw3LZOq+r!;FU#Q`}t?#2b(r z6lP0o^k$Q!hVGBkD10FT#dG@O7v0YAwTon38Vpm)$vQ!{4Jpo{Hkc+;2=u0^73pT` zMz0!t)lOF_gT$5Lh0y?{W&z|hD)`Ow z+kBelHDzP&DjZZ7x2_XhpkWrKIQvPJh-N4Ps%NKB&I$_9aWw+r3@ zVO)(i~M%W^^()vsg^_pBQv z-9eBis%2}5vlTY7r!1>>SR;&b-OY`3(^_}_?8kXTubay{JIuOF-SFPp%dJkj8dm>~ zq_D26-ul`vzdzc==B2|ri&g6bdCR6j6n`ni5+|ZNn3Yx>L;8KLtXE+*;f74i+0Sx= ziDG^d5Lu^&*cEkf&h;*c3;+E@jaYJsyRu3j_D)!oD0*^4>*{STZ!P&qmo5XXr!!$m z5*!kD6>5XkSJQ>3N3S9i$0EhxLoZi)Q7{`#NcV&6I6tJK?}F5;LL2+xm@tb5sYkW5 zWU$_q)GC9J;J=7v6eLtWbKNHKCg**@4>#pXjfSmf2Ch9l@|OQl1w(m zr?-Ub8LbQSU8&SH>5!yMBgpo@d^I8*Yk_uM5h%%`#ka0Q_h$vG=X1;RMU&n7-O9ID z5?TVq;R@`tp$WGfM@k{18%Ez3E(w%HKI7W@pu7#aB1ugszRTQ74)>@^;qv@|e_qVp zVpN;4cbM_cUVn!KIvkVbfi%?=HaZ-1{bU}S2i(X@Puk{~dDbZ+jrGY?{c|3Snu7EB z^w!$Uw%Ur;1Gk3U?5~vj2ug`7@KCT=yYFAoKBGBUbe+#VDDVoR1_&?zrj#9nalwJF zlgbRjdthI|TNKq%>zu30;ecY&JQ1To{xF$3k|BoZzmZ2p$!4g9M}9!^C%}=Y8*+h6 zPi-P(963AA*t@G2DO1oOV7Pc~E7@S}=`*X7RjN4H>!COJ0F=d^k_D-g$&!^-d@@Zz zYsf$ZJ#y-fjUld^M_jV$!>Y5E15(5G@p6Y`hMhNND?*$6*b#=jao-Da z(JRSh8;{G^IZ=A0^hbX)@R7%RZlp^-b>_k@)O1Tq*9y0Sx1HqFyfZv4aPw7=sQzd% z*mW$^^oM+4K0)wQ&uxTVQCmy_&5SH;$0)tI2i0r{i)ep1#QmP-%>- zJZ@X^h&K;QP5C4aT&hxJ#1diJ_*E;`teZAb&DDHz4Z$m^E^SAvyM|2Pl}z->G7blC z`L-wTyQgn_2+~UABCPB_MbNmXdrb*}bB)mj(RTqnW%aw6pWlA9&4o&Br)fH4-iJUJvF+Id#rax?0?8l~|p7B-9+W1CG+gLv$FXsmt6%+6we*OuHPSc~-!{qIW!vhmyQN?Ihn z1sW2cb{|z2$D=5!T7)XIYFjSZ_fYW;xD`YL1sjgt4#Jhqj4!6dHeYg_EBE-)0o2P0 z!pxQ@fYNn4H@o73VV-vdtfy3JTlp4cRkpCwD`CdBnpN!UlZ@SGc304~!w_KV9}Q!G zpKXX)k5Y&S0Ft5&Ili`s{C&doqw&dE(=~}t2c^ZTL)q2j#2PM=SQTCd(;QW@En{8H?H+wl4v_A5H}c&EG3Dx3eeJCFk#aRgh+B{`Ii}>QyN} z{OrFx?!#BFPn69hdPAiEPnNE=${~jJIG+7hOTjnlsp-^Fw0-m%jQbnDqBUAm9rEro zZAf~Mtp?&MfJ`Qk7hnvDRhDCmqwO`euz6_Q!t<@A(~G3N>w~_lq?-I%=jM-5JdbKt zZ`fvn6JnbRSu?;=uWLL^_G+LIGf5)bc4JW?FQU7fwNA!1-gvG!7W2v37%%|Z6|RALGw7wB$We3T2T<0S|IhdM@q!4p-fJ*-BaKreLRsB?r=)}n!KXrCfp z4|%Y^R}Hl46&{^SN&=jZmgx^tae?P57fx2Z4Vq}8Xs;xE<58dF_` z8xofLEg}RR5!r|25_t>I?jH`?S1;|y4+Co2R@vzoi_!RFCt?P6(c0@etoxG+`;*Us z{zq%G+ZLqD-?U4e?J>6G^08 
zYoAyxka)t!lXTr_y zAziKpLvcXK~z&Yv#m!8Nx1(lCNfFShLNs$Blu4S`XOg^ zE&*FxTjfPN1f(~x6=Si94Ci80EVu@0d?88+yx(_G>UXO6aLrox%)hv?uHtn67Oc{X zul6mcRI^b0R7?$7gT}jd9imHK+${9XJc$`7(Y9c3eksGZxe{Kq`p(8PV7;cKq5Z?z z?>EmoOLYj4w}Adso&$?7EloizCqGEjhm72ar{bOrf2Ce&?YB2?YIqTOhTk=c8=BE_;-!pkIBG4QKn2OYCI#;uWt{mc zQX(&?7L%o4WKPEbNb5Ty=~WxY*gMXWp6bspg&<`+yc=Mpf^rq>8}VL2?#~`7Hy&(v zrLWrsY* zUgWrM|9QHmBeU%__r1iIaqb-#72(C&LyK{*=XPimHkC*~zbsDRh*zSQ?No)%y~F4D zvd(~C6Fht*V9aoW&Eqztzx?h}%K^)SQiU%ZHC(V?*uV}L_$wA6JsoomJ6m&!AnkGt zrxyIOOIOQV_pmx;jI*3t;D3We2_A0G~2< zHAnal!THX0h5U-lR@;@CEQvr_5zGFn!oli`cu9M6<<<*t zhp_UHi^GJ?{HHgcmVDDPhZhoQpgLHJh;WM=IbB=Tp|=PeZ{o0^wwiw0t_E?COcN%W zelgzfxLzOvWW_UywJ!R>=W$+A0N zlofDql>Hs-6J-Tv@N%yYAGB_cp5YAUqyJ{J?m_$R?(Q5Dp7Rg`NH9ws1_cuKPt4lS za{2l_JYG>q|6R`<(mp&!aocf=j2$~LLHix-%<)LlLUe$jH1j4zH-DB#w^$CDEt!YNnfEzx_x44vpO%uIt$&-x*f8&yd^AyQ?rf-d*I@U_`aj6>_dGrj^wH}g z5we^SKh)hem3_V6VJ38jvfKT0Ym|j1Zvaxg{<*#VREbo9;idW%(6Is-!603k%eQFo zuw;%3q0LqpqR=5~L;KW(8m05j-SH1d;aJc)7iJ+#1jr>Lb}@Tppnp zH`o4LExlIa-JC?6Pgup4u0j18qb-S;y}?t-i1q@*J^H{i1E1kDxkQ64k>M@U!K7Rd z;8g+{g(J7Gf0BS$LfQIG&bxg^pmUs(uaE{3K7KrW;6pJxrcDKL zKNPS6geY@Mwu88K%_b%XYmrD`iZ4EM!viSl7a~5^XRXV%$;O$D9Qvv~^8JD+@`b(Y zZwj{3VB3gx@6kf@QuW^1&%s=awc4sr@jB`+SI3FfFz}Omq)kyY;CiGsQRRP z*0(LSy8+9(z+d9&!TR3yy<};3xScA9W8=v2)AaeF=7M|c zDfHEuLbcelm}a3!kSOD8zt8IM7nE^fTVyTGS$yVLX;!W9qUo2B0ur{#K}bz0DFq8d z5`C+4_kDfIP%0sqQi|j4`mm`uQOe8(HLtBkh|U5lZZWPjmAe}|!dnSy4VP(GS|9AC zrU|@5$KBT3N;tHyrfBRI!(7+TC|WfYLb=7D?qcBu+Q@|Sbbnlo5ho4bjy#+V=>@t} zLJZfVhwdI4L`SqFZfzc@KdWAg$o4Mg;5)-pA6&ea!nOBkLMgJ?udF#d8T3*zHfnv4 z3ffX&oJ$vHf2`x75lH!P@OujtY-smODMPR2u=;AM<0y5YV9O0B-uVytYE=Sb+r6c@ zA(O9IjDh*~!P4vsqfpJ~`4T8R}FnQn58}xfL_~^{t zX-i>94VlR%y|H%mV5=#CuSIe~BH#tO)=fFrW=6e9QC@ug<~CBh4s7x0j%Biqb~$zj zgf&67y#P}z589px6geYc5kC9J6xm}etMB}y^+F^9NdmOohWL8oZL6Z5t7zw$6U~x1 zgkcAmc;YdlrDkN$XGO!&hCz%Y&2j!aI;e9!md7&T)+ceGQNEfJstyq@Y1=+LT>ZQm zv~eO;f9T1p zcl-#~7n(;CzJO6V&X6j2_Q$|kyP4zR4Lo57(CvyM6yRndS*5wHq-$eXtj;-_H+0^Ws_sDT^Q@%g^spbv* 
z6(V*Y;>g&#)+cUqS~Th3^??9@UW}9`j{gu0;0}Y-_yNh%A{KKY#AjjS!7>4BMtqB9 z3lHR0L5g|bduW*H?#j###8jjv#?Ra*|^Bz6xRg5aHf zPmN-()(^$WeFjfdT2p!#MaVg02#c?w;sDskDs%Had4&|X6C`h(EMy2#S3s= z=GXoou#YY5`C1Bgf#KjShI=sg4m)~K8?mruF8MJvDOTkW)S6uk$W1kX^Yj$G0w^XD zLZ=vqxNlzK-=VL7nu?qXk5w$MBkrY|q)T8FL z-_#4gNMap!`42%!Oh+moZi+-1(MR@pj?=Pj-v$<^0N zqch~HfY4!e5~2}Yto)4|fLj6dqIG(jTI~3rl=qvx zT60jX&YBk@;l(E{>X?I^PtLy&$Eb%S-x-Z?K54Pnoi5)q*e*ph)CHCw;})>S^wy83 z?Gut&VxFG3drC7ovrc(*qoj0;sjt#jANun_&1^xe9vM3yx*7TdE+^L&(J#%spa+kk zR;XtoU)~>jj@LGY#H7SSV!lx(#vIVZ>7L8%6+d`2xo(h-+2=MlcYQ4AcJE2Z?~E*| z2q4kjCG?7vDIu}MS?>?BIVmDzXD)O=b|e|+(|^e$zF&zkLbl=RdW@cO$dSsdO>2x~ zPWB_@0^ag~;u$+Du-0tqc9U;CSTP+HHFwncDn9_l^nudKRi^!Mrlwwc^~SL3mqzZCF6hgQig3U!Ay4s>saI5nK|_GEhwk= zUq<+(I;VG*SkW##OsD|8EWkeOwd=pZEinHcn*G%~1QOnz3eUFP2L%@c?+tOceWJ}y z^QRK$j&xt%bjS6jBl*2X7}T1u4W7t~7mJ(M&ti26p5KXQwEk{CAnh?1atFUM^9qBm+A1q)@V|C z#n?{z2J!~fmr7e$ZN1mR+y~S?x@=uauGuEuk$UH%}j5h@eo~ zKEIUT!WeC7`nrlYZ@HjF2xj-n|9vqnXX8{?(!Q%g$8Qb5f!$1JHCZ#Y%?I-Q&m<+^ z3&r(&==06x%QMNXb(}Cwm!fGu)T1`6W~F7oK;ZE}AcC|Ax8dY-jcMruxmC0n(SSq$ zwoPB%le}35+ULk06&ByTmbwlq<>ST;$G+(WHN|mY{*q5kcC2pAN|b$s_2Pi` zj>~ZTD-Y|Qu$MGby=R0yW z((n9-m-433RO;=wE8R|ZNFUE|wPz%MnpaC#4zyhSoyl_zRaQa@$sFR)Z40pTIyiFb%$=jQcx`1pCH zXAAG8)RM=NM`uazSu_^N%C$x6%olvi=_k3XO_07K538Ln=9>(NDW(OlQZE64U6V8kvc#Qt3^kGfKv@#mUvX}@EbaVNjfT(zu_jD6MH_+BTYp+=ag89Ktw zW+LThDb#P-MNZG<#>@S>YyZ3zKM?GQ$2xa}>;Ked-*oqXzSR@>+Repupvb0+I-@on zvWB37IGpSrc$0PWhsOWUZ+#O*v**CdFcXdNFaPrB{CSd8M{ROm6juM+y49(UK7w}H zO6wew=zrb!@E=m1N7^7{)aEn#`k@YKEX^?!B8_?VqvDVX~O! 
zupY*&?!VGU)}YgueW4AKzfw{2w1{Hi;)L2;0bLR@S?t^OtiYu}oZ56myp9or=?yPdW za%I!u0@EFcc7Q6)Z*!Zn8~TPxFl`7(Gd!*&{drii5xJmxr|Wo=m>|hT+V8N&?H^mE z#|t2IF-GBk;W0pWE&^QUURsd)O%_>B_Qwqlymmoz5cscao}z?;IJ0kxF#Fo8Nb@#T zo(SrETmMpK#<%>BFFxmuU#EkYg;+G3je6&d6M4Csy&h6arY~;gB+N^NvA_Qa@lCei z2>q3uc@ET)*+Va-MgEnZX2(FZox_JxYx7RSgKd%SD?n~K+G^;+wmRfG2+vNQ9FDp1a+_kHMqvRCSTltAq)aT2}0qgBSsnN@OkDK9bPIVEyV>ke!f8I0kE@mO}=MqfIaFO zI4=>zm|AaSc!rs@GKy;PKnjhl%0X$*aTjNck2w>_?1Y)Vjwhr+F~QVx*V5Q)(O_}3 z7-cNTYPv`;VJVU2neBh9{_>$_#aY6?g<^h?{+FFNe4EEf&CqESkvZ`Vg<1i}&=SjW zva~n;pcX#yv&bn%TIqD1ys49B9z!NTtPP4y)yNY%|*%z>k))$yn zSk*YHl(UQPiBA{cMJ8|e?AUm3ucI1QeIA|F@RLVFV~$J;bd|VT%uKZL1{nnxz`^2+ z7|+u&hBlZajg@C(izqVd3rYZ|U2>HMX=ecYrM8LRs7s>J8MG6u6<=1C`6O*TAFf(4NGSV2~Kb_AftO^ks z$Wm!9gzz^dgn#8zJubk??vBVpG*(T_^_LteJV>K&FHnh&jnigRLRkppT6={Lexj z;~V2YW4603CbHZK#{w8=!&bMDZwQtD%MrhOe}UTDkw3GE#!-n;kbl-=rgs zWpBql7TiOHtk~NK$+g0CqAgkx!(o}2bA&TIjP@id5=A9wx;(AxzRH?5)*5#%v@az` zHM=}}b~*=DcwZk&tiIABX*^kZjiCLUDobTn=8^1GXMO@qzzxwP>+W*$B%vMBRq9z?<(3)(BsJz<@#*IvR%<*L+w8?ZqG9|!kcIQN?3iTTV4*Jt>!;TOZ~f$ z9i#rCt-b)-YX84#E6KMMkgL%)HC3OSsv#qMikGJiM3@P**b91@f+ud@QXJSQ`Te>q zPjdLi^wI7&rh#=hio$l?xf9QHu!C~b2BR~hy>D0cU45m7TP%d;pI%T+2W5yV%uU^+ z&%v}Xg<51sJh?Y*cGuw*x>C#H;g!LY7L~#TqWu%zr7R<+I9Z@(d)O^RU5u|cdz!07 zq8gpAHY82DYXAQI@W%UdvpzA)428UFZL%$*Q;XNqSw^Y1bJI9xr`y2VIngdV&3&Bs z57iA(i1AL;<^ujSLPDWkeRAn1iu+;sSq{s0%u$j*qL%-g1*`bYBBw)H6TjIAk*5^( zHkL~)mAOO`(0q$-z z?9sQ5=#3b|wrtfAB}>odjZ;rVMs)}YI>d`;E@NkkkoSXuvZ*OW%ki=md3>5|t2gR- z{I3Q$M*h%;c5GwM{{en~knLA8sfG9}#c3C4G9J2SOl>rXG{v1Y~PjWS!B0?jclgNaa_zoh&7Rvq?y2*yRNs72~_k*+*a_247U6t}GD z=x3S#o5w~fBxX_)uK=iOl=o0?7Qzdh2-}JkrFou7GN5?pi_f0(Q0f3@F+%+F z<-jZtPjy8*DV;f4uV-mqwT1AzHR93-ZE~|0%Jal%C^!9{Yyu5?SrPWSDAGmRF)+m? 
z$*>EdeL3l_Fz+;rU|G}rCh820jmJUXY2+JOOIr&Ay(>EM>4MwgzM_)77qRWlq0#Ur z6`^_UCp!aA=P~Znubm!Zy#I7FNr7}#_e)yvH7^I-9?`JL>_z5$h|zZxo3WfQDHj5< zHx;y&yQU}frM6bx9?}Y5ofv(C%2kiumL{6WhLD`>kHfb-QzHhAJkoaZndZ8i3WZ1b zW?ZEb#(#hN0`pFlvxrwWT`b=;Yy(>*L5P`H+P3D&UXH)4uF6xfU*+ir{Dc*z5WAbJqJCd>r|tR%k}%HYT|;38|A}3 zdd~RGISE+jR_wTE7^%t0L#am}dKyG~;+_QmiF^03Vv*TCqwdwkD|t5TVK2G)12HZW zvNVAwD0Fxe+l5EN)^RQ|qS3>*q=mL$*qk?xq`5RGs9jYW$$2vCH6u|1u#B7u=cr?x#E5)}+hizBYd*`#X;+ryh@PC- z|J_eddc_VyPU)PgsC+W8(TH$)|85%PAe?3#YOOwBd#{7#S9{%C=nqU!LAbHU|C=^w zMb$AY#hJ!tgh0Mm{My)|G4ti|iAu=C-S89QI595V@%S&fYGL+T z8IruypHP5WRxr5Q(?W(N74C*jiZ7c#TOE{TEa_J0Ua{-t%uht9>nn^lmZK2YVDt4} z1v^$-Lg|J-YF~Z|81}kZmn%cp-GAdBpmgoLV&pVdJznT`A)-PuB_&*DZfK~~v9@%h z)%%;}vQrE&aAKoWD5d~Y`OvzAZarnR0@04diYbK_yF;!zzYm@Ae<#IE_4WhMWg8OX z!tnGhL&oqWRI(VZ>4u@VHm_oy9VB|*1*)kNJI(4iCE7T%x@>+N-*;V;V}D0WC|i$a zv=6gVktaEsqv`<94zJW!4nq!hi3_qw4X@Zmb1m-+rB*=*L~!9M%%*;j<+0s=I32ds z!%A>lG(O;GVbZTw_j~xJuISiQ!qp_?{+73vpIahLeJqf`zFHsugMyw){uEqPUgi|1 zXAHGRlU&qL0wnuTYSwle@pR(sL+cva=3!PPFHnel^h(0#t+MoDvz$t;lr_j5^U>}R z_RHdADP2y%CDl7g8qzd3?^?rf3+|^`?4xaTE0iiN|9qx~?2cEJKFW-3`3;PIL3EZ+ zTG@DebzbwF#$CIqmWHUf^m~g0!}!&YXE{!5DIls{&{_IWNSBIhE4lDoZx$1LFpA4v zcEv;!38V}zjFX=-a^yjMpcTB+wK_I()xt0d>(Li3qgB?$?JO2?rdQf`&H`SHXlq4N z#eZO6r}u!XCOe@zPVqzW{3F!xlbHaJ!gCC8G^h6pS65fj>67QQO*SJAHY0Km+jVO= z-eCHkFH{VrsH9osPb5M6bkl}U(V{}p0e-^~0e+Sp=i14FR(SXYW}88xZyh(MYI}=6B!@|7?i0z#Icb~b zx%cub=jE*n+~U}BS0&(dBJZ|f^YuNR1Y4MKO`&s`eY<(N4P-3#sF5F^QT$@DuL-Q( z6Rq|u2dQP(VKX?&k9^OF{V!Sp@fs^dvz-kh84ED&6M>wvKgV0o=xL{abIY6qw(f+2 z?1_I2N0hp!hKhMUtNVkE`$oqDHQ7vRe-18s^>Lp!owuZW^&Y}1xIct0M_b?twBe!P zzK`UIs?#fNjTYG?y+m`%WOnkRTKSdcJ*?=;6>R0iO&I_X8sRKW*Tge!a2?t;)M_&O zba7F&%c>$!Tj9{N-J%qj1&@vEO>-5T@0r$|kN1LuSstBPO?I0Rha|a_FV5=JCKT-Z zaXv1RPPmp$*O)ghP1JNR*4olf;o25zPTEOo;S+byl3rjFX^w0BOzHMD+x+*)Xk7&> zV7iQjBZ9uCb^Z@Bedju}2730}RK@;6fyd}JF8E)e$skbVjLeSapjvKhm2{u#cDrww zM%iwwq;E9TI72Gw zJt-`IrMdofg0TEz(urr!`ck$0ba5MRmHkQ}2`Jd_dj^UyB1aoB%;llF({PkacCB6D 
zgIL`9l=N!93G0;{7(Cf=v@PaQrV(G_jA&!Q@@{NnsPF8Dil+B5EeR6jW~$H`&+h5w z;YBrRBvc-a2UngAK}0Wx%}%3Q@`+F~R0YARZC^dpdBY>U>JlNw>46;1BSehgahm*} z%=My9R9jq&2FMEk%6ES!@8AD>?!Lc&PC2SYkuRquImb0Kj+Qnh0e~%`fRE(?N*qZN zYcEMt8`l+76dEykiAxqgwgBDAN6~3koVTQ^{1EoUKMmvQr;Gy$w57L7Ob+CGCNipq zEJuYbcOo$wR|*wOQdf_F9R(H%Ed^J|FnHzVk#r8+%<>|1M&06egih)cSHAEd>1J2! zDz=qfr!-k#qI&F>$l?}C#Urgsjv(cZ2dkdJ&8*)}Z_)BIjUHj22o#l*xq)~tW^!`! za#y%(&<;?I5bqTFo3`PmD@xau*eK@6>iWH2O7~NIY3L%zu7H^rh@$i(kCx9z} z50NN?i_R=hd6lclPrI+IUyLZKE_@^sLCkkOh((RPa+$q%PhS^J@Va_@v0!c7441`p z<{-vX;X{@;Deik$yag zn|ltO!D@7)*ymL}ft04G@tK2{Zd!)Y=nI&g9!rx_Cq znG6HB2S_BC`qagEq#NObD+oK04uY2k$4Xs`CHdBxy&~DJ%}33=ms_AS5(+|tA&-n7 zc?%Ib!@Q>q-j2lEG8rt2TFD=QJQvd|oJRN+?ZlxbJ*CE?TnwMzvM1c~ZR#&gXK%h~ zXoM!Sc2<|8tVQ$Xy|smAT8$8W6W$-I#fU1`Rt(VXRlnvh%r1i@)f@RazK5LufB4wW zl`_yXN4>nn`(ga?0JH8)YRVJu-IB9cCJG^4FFBTvUfRBJEiJn-=v?Qz$m$#WxvOc| z8W=hDT7Vni^JL2c-ic9WLm`GS?X}^`&0q^dWLQdx14o?kM1FSKn0+BZU-jGNKU$No}(x3|HESXoAZ@F%L2N zRdNXF#+P#B(y*S92`VhBr_{ zR0;?r8@ganRQ%$7+2`z}k=J`Va($INOH{(~s^gueG-I)BQ{;DC>;h+qY>x z3MC;AcCIZgB>XH*$lIVoZU!UEHWD1hIcs-DNG16FqAutv>9*k$pKlTWx_ig$)Kf;Q zV(6Yc< zj8n}GY`rZr4~H($l0JIv4GS?k_b~Z5c%EMM{s1Zbq#j(}a)p9IkwWE$(mfrH5yoHO zR(M#Qs4~{j`~E*uJ%4GZ|MH6Wg2+e3{5_U4pF&?SKuXxZY?{;0lf(Q4RxY->m>FUO ziJkiwyZCFeKIhF#eH3LH(n*}W*n5dA_pumn9}YKiocsunO+`4s4I;M0Q$7~uBv1Y# z&R?#W`CD0ErvG;r;%|bkcH2zZHkex|P+VHLYY#Yr`d>o;dX9%t?9$(yW&ifopOW-H z{#Iv4Z>Qch)Fak-eRja71_zh{Z}6X$dmvzSsIz2^}c>pGOO;B@Iaon$Hb4j*TvD>$#}I@8hLOe0*BJ)9n=_s zih^(ViMbyz84hvKNuRFz+l|?j&2ruVQQxHT)}Z6<)&DiqT32yW%F6gfQ~fvc_g%lgvjvoTg)~Hx5bQrU0e+nSyH#teZDI*w&AE3jf>H%{r+-7O(zUuJHros1*Zv zo3r}6LN&Vu3Rghf;+?qqgMtBIW~s&ZV795tOv^x(t095Y&g2KdHM##^dv6|>boTv^ zm)T-jHrb-NHZ5k0rslq7OxEyyLr!hmS*~V|NA|rKYA#>c-?!?J?GqWp7$&p(t&)Oh3?O(QD5M$ z`WOiSuL5ltzxnaaIY8ZzH~1kN|IGFh!yBL3$URlumG1__XSr!w?RL#5QG^TxEyu-x zLUvYN{QS_dh`kX&!>=~Hw9V|&=2G#Idw*+99038M(B6B;Kw&;Q#2#<>PAB|K^FcUK5k7Hr)1bz$9ALYvo?Wq=u9PQJ5c!`_`CqB= zCyGVJ3fR;)1BE~U6u>6+FIV@zetkRQURnQ>&vP!`^TBqhXHYBYNT-CMzDwBjtLeng 
z@vnd{BfWK)cX=vP-|Sr4@7?h~4o7~vjM4<2mtT(Uds5%HO;6+r!?)%74lEdgKaj@rB``E|R^Er(;Y z+TXhXRbBvYGn)P}wju6Mb?tA24VWj{e)xICWc$#k3EndMbP@wKTrpuDRQg8lgy|BV zBB0suV5FQy_LAXb{sMiYcDTx~$y7JD>oHW^)-{H`o>reo#*V#jzj#ch{v_5V(=^{w{-Ra#d1Q~QZOqrq2x2BZ-t zYqMU*{f6Gj59*WZX0wNuOXkik*TCVrE;Kt>Kfjpf$QDDx1?%5(xELgUsZS4R*}NE5 z4qmYP%0Yp_B1!=0Q9i9>&8LB7T!!Un^QYJiYn9|{B7j2ggLo7_54E!b*ik_BrbSq=1@h(v(!+>Vga9)&Z^o z!}3sb!v|Qh3FNap7y!;_J>Vppyn-taj|3&C;w5+{R?#T_=6HUXbv1N46X& zJw`KAqoyqX|FBuRfyhXG&5UiIRI!X3P|;W3OUKg3<&NhM-lWp?mXB6M!1TXqI(c2i zs>^pn*aS$)DHSLOeQxB{4!7Ey7?y+~rjhL;Hk7OXHV{bKvCr+`dY)W#eCg?Z4llFE zikN_U=lQ_p7-wgQtWC(w&_6ine=h^>8vzU1Oeyp;UvCtnEi!cFGLOqIYTq#5Q9~@l2VbEnWX-DANwlTL8o}Vz)S7INx@I8|2fUJN31=J6@=w?W+&-Bi( zvgf7PZkp2wL_20EjFfi4+`1T!@+m44WC+lyl-nzzvBpO+J%3SX{iuB2c56Uo)OOQi5>DrEtFSO1&jlvO*CZ+9Se*?@;N)_hl)GH|oY3J)|K zpj%8%JEq?Z+!sq+f|^lpC9WAcleN4+IYVB=*K$(vNMq%3iNX2_m{g8VS9+#UAOpauE#NT$NGJ^CN@_GLC5IjYnNWR+aeG#{0un?W(>Kt z-a2DqF|F&yYR^s+v+wo4iSgU%qKuw=&L+OcJADj6_-p&+kAj^X4gh7I$k>dh9}PK! zZ9kexO9pMh?JvzzPFb->Oruev@kxeJ;}tP;^TCBfaSG8vV!1N9lNGY=-zipM&J#2I z90g}qE5{maZ+sx_H~h;(Z5b{;-Odo|Oqb_`HKue`vn^)5;OgcXp1#QR5V`E7c{N)C z%TqTF+PSYhgQ{*katjw`-dNcvtn-?Q4VMHpz*B4;c+MtDVA?{>T#9<67H^`j3q)b| zoVD^vpd^5>Xcwa9J)QSHy`jO-@wifZtO*efj*ojWXLuGl`;G15&^tUD?^IIz8|(I; znFIAl*UM|iMuxV2e7sBjK`0Sc=eOPE&h`Frn-^tkmBNavz|3~hIf={j;|>IanPS3h zwmR1z&m}7olLPlu|CG_5YKf_xY0icL^_Cz6`3Aj`B6b+lu%vGrGa);p@+DAs$8w@+ zZn>U#3%|u<-HIDK;j=A%pbtQXX|0mp2|1<3;k9r!f`u%56oKW!9;Y#DE&I|}$cQ-x-_Y_512QU{)Giw*g3#L!_{ZHyPP?*L-C->` zKcZh*xXQ4WyoG(l$L#7vKsd`u@WXOg{)K5$7(*+Z4)hmz1bVnT6&E$b#?41q&=A$(k$==|-nGecX)WJEMIjo=HHCcjw_c z^%hN|XY%yJrb#gokWEQwj{jw3fBlUPzWT<>(Pv|2X*4M^Cf##!%I8L^feSL{2x(rZ z;OB_(L1VA?U9MQ|8Cns`-iq2w-j^F(w6O4kcVPj1Z>De+y`kXnC=Wg7_-=5xOtTdt zPopmmG^-MrL4Gr}^J?z|6=AfoN08^vw1Mj;mH6Eh7l=#9KvtLzaZH^u+B=JV>qz1L zT=>7xmyE-cMJ;qG9tgN^BkVqW{tuAp??o@-p*V1nxku;Vea~|Ls^6d>ZuxGwW$};_U2omhUF+_HtX&%CfD_qxM}Se{q~uP+jT)hMoMhmRrg3SW zqniS{;|*;uWFE`vH*FtLB)wOugaZn)qqX#|)h2P5Irr(G+l;2vE*G=_`H3%56^p8A 
zJrB4lx1Voc*UdN{)xEcCN5gj>XB)^CRbHrizqL-7B!zmME)k^&*g* z5%G4=jBAn)$>3#)wqxgYSFLuCvU4q|?DGA|O*_G%*)Btr$iPz~q(>>Ac+-x0}qqCw6HLwi)v&_bc_>6DcX4 z;umyQ&s;z}@KZeD|A-Y_IE{<&gicI?DP}V@A`Dfqf_gnl&o%-p7cE1eh{Pe`f!Ra5BiI&RdNbZe>Q<3{D zkDQd_;_CK&Q+{l zM~&RziCN;5hrat=U3JO|e&; z3Fp6_d>1TS|29dc_@!UESM(W{ttYXptj416@Yg0u}3!gtuIRB7^Tov`&MQP`V0qc!HnB+VuWA%HD=`D%#XuTi_vmpk}MVB3vus)P(b#n z(1gCI?>RWa^hhS{3y-5J`6Zyt7zqTNL~vVZ!l*h$K1zbH(XfNqco`;RlfD zjciu(g^qy>!U5~`osMs;(J$bcEz=_M7J9RXULqS5#%>{5IacZ91`lN;!`P|h>cxQs zRKYwV={mGMNO4pqIHmug_B}SZtG{g1o0703T;Xb=Ev87J`6Xn}>f^yaClAnG1smD@ zh>Gq!yn5_#Y}V{}&D5J%{hpx)y*168xFpr~??c}sleZEZpbMf7dn}?tbK1Bt+&oml zc0o-ORh?tC$wQD;XPX`5>=Ty8kM}u=?fen?9jl+Wl6@uJXTe%hps<5_)v^$j(p+(v zK-{lHY)f7f?z-R2BFM-JWz`=iobHpWB+O_vc|NoBkVXG5)CpAW`9M?f!_t*NPL_YA z7=BeCGW(0Y-6enw{EypSpTF*9Mx_a$a=F$(lM!-joUMKd$bM*7JiLmA5OktLu#)DX z*JBL9CDG27s`GnX=OCwB3|$YyJEp&FSDiXwZ@&c8XY5tdGDMUdbSgT8(`LL>^YFMI zu0cu*sDr-pztw%E>P77dd7=A7Rsbo}xTVIOs2OZMn*=GyGNH#+Vx7G+@BA>6l?{@I z`yH}a?PNW(3BL6;uI%wE*$w2Fih-gSmjh)74Sg=CwI@|p#~G?OLgJWXO4y)FXA?Yj z5K1$gmC@cun@IYVlbNqMmoNj+_>7t0k-_{n33e?`-h+dCNCGdlKJ|`uq=`m|F@jD!nql+x-4ja-A8at(TZz#E& ztdp1*`#oa>A|RJxEerT`LNReGadr9dF~&|62>DA4%|A>HQ>hHf5pne0R?9;$d8FVv_k^>YkoBe(^RoKB$Wh!S1o?fmXu-M51ec)`s}kSx4-oDD zRSQQB0}!)y%UONv7Md~%OB1ntm{u&dk{2E`#&r)c3P;Wx~A~4BGv@_?Xd^SD6gjE;Ce;H3gw>%PDyS#xa!_jLMwKA!XxTinMv;g zU-h`?8IK39jw%Mk`YJQWf&=%3)3*~_@W}`f6NwnpL{q1=&?L}8%KZiy79kI= zb1-bwzL7>b!nRBMhHVi>r1KamlO?r$9>I}b!A-7@jL&uOMlcAna_ z<*I8sxV1sMTYZ(qRZ}CM8IXB}{Ql#Cub&K>fu2}SJkpt&dYGU;S>Bb1_TjXIlQT!L z49^l2V0J!)K`rH%?Ha^~%{aSFH?-D#yXAHYHIM65r&VGp*%TXbp~TXN6bcmv-Ul5f zZi_tOty0G;-$pq&wg2*(XN?+x?Scz%&yh`G%cY+REaWYGQK7O9p}4m{$nhsXEL=rb zAV9)OaOjOz_V!6h7>dfj?=v*#*e29KSKC9=p@-8lnZdUhrQ&zrnip>mr}VdR^)BeZ zgB4ncw|mSY+_KHnbvdp37L3~{vyM4AT=kY$KK;>|t%Sp`re7^E4T2;`2ZB?~h`px{ zS-_!%3A+Nzymfn>)d5p76U7AiC$WMDN;YOnY5r_!{bs+&MsiI!ag<*HT13f6^5ddS zZN|#doqSE(wJuK^Cx&}Pa>5i?OpYEiOkIh?jAhNIye8?-STl5LW_K`UsBf9pB2kWU zXvL_ZlomgZ)>D%C^q@*2<0TN|tqF4AU~^}m_#*e-q?D|7Dr 
znlmqh5=g;HFXTb+$i|cI>&%ipIxZ9uG^?Nan3iWqx4(F%C+fA{WHQ!oKem(DUN!@z zgi0jdZ!i*{4tsw>Y1|>#s&$=z{_5#hE^pTbMw|Kj36nsvE01Y3JuliAn%T;gF?V%p zREiAtF(keUV#2VPdF=Bx{UjfQ(nkGr_cX=rL#?J=o^CSh3L^G+Svn4#Y}A`Dl%>5; z3!#UN^uK~Um`+R_Xi-f(%si7~Mgkj7w3>I=D@uc3bFTQdM!BQ=`$rARPxk30&09;Z ze-b^}VV@3B+`v;MUc%*|*$DZAoFZtW35U67D4O}EjwN$7yq%srqeUKOqyMuTCz@r zRhN!C@zZ@t{UP9pUJD95m4qF=E!(_h_Q?KMGbQSGbZgdhOO8h}HDvCxG(Y?R-_v-a zLn5U=|*Y&m_c=-995O_+#UrliM?dXt~-?yEX11M=j^A-@?7Fr zGsgo4k%uYsE^L?sdyX1_L71ehVjHuOk|PtHPP6wp0r_$*MD9Jaz%Z4U?C(p9dQa)w zG=~ZgX$~!W|FP_Y5m#$5%f5IidoTY-poFSnTzrNf^}->icEhNyha z)y2`{*OX*9SGH(Wnl1FUKM9HRpdxgL!R4}o7*v}YJ=WtaMh(?=UH}^KKrR}6tB0>8 z$t*x$E*-ng#>;HoNo0S$UM*U#uUB-CS^W`h%ekz)=4AQm;O>30k)dl=$DA`|d%c1V zTtQ2Eu{yW=9nIFul?l9%sB&!g+MW)Tm1YUV2$oUYGAfdHL-wV#-~j6I#j`3waoE9m zqfF_e(k(>&@4#Z`)+tY&)Yk$jJBb~7I2<)rJJq*^FueRRu@S!*m&AUhM+=G^ zS~A)mSK_N^5td1!7LN2v+&UBU_xIhL&gsnC2NIK!~ph54L-}q>b z8&W-{KGxX%AL#e*1d@CKxVEY2u2lczes5oW_1t$(%H|t=IgGXnY7cx?T42CT2PZba zQhsYcMAaVZJj>(@Okl9}k-p5EQPL)tiO{zGRN2yUVKLZZQ3zhbq~a?K#n z>b9Ff&Gh%MYqk2x_YK4wiVZ82G8yDbcGF!rxT}2Ojm2hTOXrTeHS1(XYyd<$8f%J_)|xUKwGkUdE%mmWWXZ2`qK3}GdSdgMx;@|uhb7UP|AT7WtMRXnAEqlr_}4PanH_#2-X&j+u(CA@jY5BNVeHnwd?K;$+!`;*RJ%j8t+$e>%BR&; zLRZI_?X<#mj?TPL1a&yb-h4#8kK0oRV3?P6GM#?_9lcr?)IKfik;XrOssL^_rHS^H zvXNIoD>jBF+^g(wemNa4eeJYqNs-VoRL*3@JO4OJTA7+9vVCnGV zXXJkl?`nUXe2P+i%45mT$Lc``mYGQ<>AU~f@RD?DB3CD>QaeYDl;%6;* zM*Fw;>2Qg{Qc~}BL!ZW@Ot&`5_>s1i?=N}>@yGrStqx(>3mw4 z`y-}vfG3JLOrRJ#nnu_Hi zzD%G5ooh{u*|BQkll01k;aC3gxhMn-8TBH2P1l*E+XI(OGM5%fON*VOPmYy4A6c_> zBx+t%Y%4{sMAm%tOIqT3oV@fto5lP3?c9=%LSy~EUPhAj-az5ICAe^Jh6%0h5@$GD1zK5wpKLBA0+?aSR z&vxJOdjVn^c%?D8*rB`vekOE0qNcm+@QgnDSsnJ+rDpDKv*-D_t@&*UE%>`huxd}B z_}+5E*qmnZ=?j(Pt&y{1Bd?;R3ZGt@%UXLIR$Y?R7dpr+mj{__`>w!%?;k1@!ZH;c zSwDIQtBWu%r`8R~2DvcM=z!Wa%m?&YW6cS3Lk20JJD0cYF5OW|kn9^I>u zeHkT`G|?=rdXXGY2%4s{bU9n z@!W}-!B)XqZ}sgxL+^(o%koS?Z8E`xxW&0Rc8`|lm-ys&EL0z~RWC^1u!yw$dEnye zxjQm$q}UN}5poF0%z)TeWH}rUb3i+%WF?0suCPCDg_D;s+*{unf7f3W}zxTcVxm 
zI37`VbFA}*B=ow&OM{%+@xE^CaeHB(ovDCRSGVQB*}x(tSz9R**OMN?&LH&1!FH{F0>eei9dztX$R!NlY*|B%otwuxppH?D{~@K zS5dZ$%c4-KY_H#N9nndB_k9UTV&S5U-;JRQ=3?3U0fr+e7)w_R#R->--&;9mfuLTX z`~*59N3D~V^?|s}P~Qmp3AVPC_=)%FLA06>A1zU2VV;P#(fgoT-TGWI(sQ;rh;8FS zl0Cc-+rmC0budRHL#auWj5oiX#~jy|v%nUe+s{ z)H)y%PCMK4?GN_$y|}_HY~Q9V_aX)A`t*^r!-H=rQTki9ri|OrzCW}wSwsBMl4ssx zw#_!hGpKPHNE8b}FN5Wxqz_p>crIqjJ>>U{B=OT|O`2t!#rI;ljnzf%H8hgMeXE`~ zRQ6~t+Lk!hm8*2iE-pmNZ_f&C?IqcOOs;|~3y(lA$h=6|)?ZL+>&o>VH%hc|BkDBr zU}?4pS=-}wwxoP?DkmY$Ky#>i;(|H3?UEXbXmZWfC)^>;TZJ9Ji5oVR9+Dhl2(c4V zEjeLM3L4G)=9)2vZTMkQiF)|qfV3plN4>G(qS-DR-JSr}3$Hrp752}JcPz}(5<%KM zKeM*%onfYqR%JF(&F>j94>^uYo8#9$lUh4QyhPG@w9~EsG>z3HuVUn6PVSaTMSDVZ zNsZdt2qa>m#f^NBwWQW$2ueBdKtM&%F6{GDTZmCEm4qh()Mdc1$Nztv@N=+rzMO7_-;%r{Sx|H>=mpj~K)x*HkG;SYK1Y$U{9P z)&1cCNrEw(*T&G3_YQhDNISTQQSw+Uod^x*mI*t zR7?3c#BMCDHrCHh!40u6I!>jD<`{4pj0q7MAZa~U(+DdK%|Y1SaNW{xE%f#zm@qTC zQM)}jRg+EWqk?nh&HL`AhiWD*w0u+G=VM6fa_u*6UChnIW>r0;waj`a(Wbf`*$e|v zT4{TkFiw=wPpTXrClGA?aswQb9BuV41PIlps&e?w6iDq*9yIoR=BWB4JNTL+P!isc z65=pvF9fqpJ!&kt_@PN=-KN|{SYK(YA=b6@RDNcDRvn#Mm!|6GA=N)r$rJ2+j?n+L z?I|F5aKkk(ygw zEn5A`&l9zbKjWR@TkF?(DUzUFK3_T-i06l~^j`1qegEOU36%#59cWj4jRAaa0x(_t zMmbA`JrGmF_x?Aj;}Fz8X3_s@DWJ$`Cek3v!|oFU*O#dUPLI6miIvkOOQL`P;qlIF zivo?Xh1V*mLN({=;(TP5==CEN2ha9&D0wXA|1xB+*|B5bwR=u}GMysmDuGi2SgT`N zIPXkTB;xUk>!RR2yHu=1&xU%|t^Z{tN3h>vyafdg82{8(87;B_0J4-VpH<`ZcMIKlwk${;56>=I z_4?8Gac|pP8cnnd-vs7clF1o{5PR?4K6}l{ua`^y_5cCWqI!8tyc=)11945dkq^J(uM&%9KyK}s_h)yeYwdHybHHC#N>Wy->Z_iS?~mF`Gy!)%htyQG2joL z%yb1Fl7+`YnvamKavq@;ulbc7PInA>mmc^52+P1CFf=wLJbX?-MN3y&W>l21DucJR zw{i;U!e$5KK_7~XF3aU>-06?Azq!)TD|92}(|*WqZkh@TS?7`Xa@vIVq+iB)AmEyC zaAM#5GezUm2HWykyXuvI9K(XHTpQCP32@$2(Uw-$t~&9}oCV+jmr5}9SJJFB$Z2#X z@u4>|_N1qD+;EdtO)`*PEK)cuooIEWjIoEwVUjRt7aTdQ*O|xHgwWeFQg8wu8v}_b zGU!T*-l2}R&M>G*y_|$^zp?)*wN=pFn{U}3Ueuk;2Y;I9R|r@yfHZ*}R7XD=RQ0yX z56;=%u?dmqxnGW@JDS9sRpfmbNw+~R^*Fd?9OUbUlLh+PjUpqK!P8&z=*yi@-HF5r z@~r{FT3lRsa~4eifR&2tJR3g%wx85$Md@VACe4-2>udK-q!RLuc+g5TBbtDFl>%KH 
z*4o{O^H9Nv1sVV4`wayw3dXcMO0l$X{g$a(7tPK=~5$U5W70fRooe5DwvoEXNc zWXZvRk~Pb$n{e#T8Hvq%C+v1*!^k9DB8xqHuFI~eC`kb$jW~;fReK*QYhk*KzwQlH zt+Ifx4I1Yvo^;zpjhar_0(Y*KFtanWTkcS_x_ZRKn6i%Vl5d4Np%RG6{XF?QdPJF{lT)nR~E|tYXJIXhG z+ELnRW!%fXmI=FYd=K-Q3HPKU7gooVf}N!{k0L^Uv`D@o8JIl)XcEQ#jYrsFO9C3w zD?#D_9za>s1OTW5_u}EiHKl7(*GKI2dc4^|%Il(s>Jo6rj5ggj%Zqkf9C?~C-AMs@ zbrD=0QSqht*n+o6zk8n7Gt}Zmqd1RA=rS*d-)}@Ip? z*4jg?p#dx*EqKgS=5*5*{&P-iz!fw`Kuq)^_>@2b|q?h7YMYBgP&N%oSVFo32)gAO~wx@a{ z{dct0*>{pkFjW3Kldsf);yL1gADBI&`0;zUB*l!&6CRusiv{%-L={~y@c^8>#dCUE zgKZo@qD?lJ=L>L>xmAxJ*!~jhNy>DIde*r4l9-DGbrgywW<@=@5b%qe1cM8M%}+e1 zMuQ3u4EG2egj3;TKp5EK0>_D%$-GGH?zMH8qBvV|mr0G7HE0Z-(Pt@}l`Gn@z`d;g z&~RpZMq5^`laFscNfz9gpedYhkU|tM=*@vS!%1o6|Rz0R@ zQl2K5rx~{#H9u)u5jWyM${ioG9t$XX?CP+DuB}7xObdzwH z?NK2HHhvwIHbB+hoHBev!Io7*y3)LF|7CNj8ZzF1Cz>d=A2DQ?JcX@o^bLFfxsL$>(41LBE%7~H#nryibPZzmQZag1>qC0*NU{iE=s(3$(qy7u%A;c&S}%npt@Z7VBpF$L}^B84AS_(#X|59Va3h9b64X2#Y?`_ zUa)Bd&V_kEC+U$7vfg6vZHKqHweYdd>?pD8 z66t%BQ?l+r@My(5%^V{OV|*)r6u)$9>*U@eJOFMsc2CjRtLJFW*Isi}`Z+aVVl3c} zyZ!}pMhW8(_%ZZ3He=kJ@$Jga_1JyB`fHAYoSrtdHatG)pjd37&=Y^-pfC^d4wjVF zm|BXpcB=9pgekw@LA-HrRFkoI@qO`Hzb@v~!W)yuHEbYRkM{>aXK3VS$w z+jt>7FW~i?k9I=s+EYXwO{Rnm`C%QUy*MObYT!hU>J!#qRR?y za>siPR1O7|Ck-0);+o)nZ!{ZTD`v_wZ>Zf(HdwaZ@+zYSV5W@FR7(Y8=VW~aV!5~b z$hUrTKyP5%05>gqKMZJNrh9m{!bKN;&fnkiBEpErJ=$)8v}b1{h3X!iQGhz8N3c&a z0w}v1`gTJ24+eKuDGY)Z)#8L11)fgA5YrGYpq9bRHyDxwijFnlmucp~K?*`h?$UL; z1wW=}s2YvC5}-a>j}+p|skA||6z^*l!4Z`YivuS}AB~L_5$3x)PMk2lrdvsV z0h6$gU71x9wq&&9#?BL$q3Yo^LG;F&`?YB+uFzhWP%>D4;j-+24Iak%a||OkjX;n+ zCFPl|j;Bd{)2?6(8n>Ue%2=R=4&Wf{r{*A2#_>!jmPFU1NnJDBi^baa$)Q<8N$fCqLZ`Ryn<`vBr^NylwVXcrd7>$9gF85RBG z5lw|zHKvtSEliDctc6RK8w%qxq$JR;GmXQWDp3_#<0t_y59wfg-QS^o;^!3i>wSBY z(;nQ4`(zKWj*B9HC!c={7i|C_-yQC%XFqaW+}S5liHzgt@y=ovz;Qo_-2j?@9+lcy zZ+l>}q2zAbrha=VGph>QRksEvvj>N&6t@?+-)NRUdX%y%Y;8t?MuJY2PA5fiMMjx* z-}HMCE(ROrM6BpJ3`ccdrx|NSbO{@e&Xpn8&iKkRdxz#l^ZFnw_W*BG{=o9-To^hB z=8X##h?-8XU%oJj%46}lEa~h}LXQB;a?%YL8rT}^XWEFRR)}Om*cwIy1R^NSd-q%F 
zvg?ieDZ_@8u3si{<%#6Ub@5$a>m8ENfR9^d$U9}dObX2Y7^6njdOQHN-(<34bPG|5wpm>I&*eHr6Ex?}bi=elf6i&`q^-IqE;r#v&}>ik^? zm_Ns>p3Lokf3fv3n{rnSPec{@B+WHyI-USkW0S^w_VIY&0*FuBJ1`?`U|W^k z94!-O$~x3Ae3_1|1H#f)83s)CC*^mgd@VoN0!OIrfvHcxhWY*ngQ^?{V&#)_>W@l+ zV=CWa)6FS>4o4gU*g!&|E1;kJnW3<7!DP4NQ&*M$1a4}DvV#B9MIlp{w!5<=;RF?S|hZ_yn43TygKrQMp2DP({X^dvAw^;L3s3waYc3Tt7lhfcAoZo2 zia$FEYMjZv+qV%u8x82KQyVZ?_4+4(naunwn)TY64g&~H+Q2~ zmM6Kw#vWEt1lqcyH^#0O@mM}{d^`e&4TjEfP)myu-&#=RDKA$&-lzoIe3TWKUo=n< zylu9C1Z4tltip}KNf4W9hZ8QKS$R~r*_qWr4mo9_ghlTRi{cyPgv3lXr>FVZ4}qZ znyUJE+^IkOm4t|USPv#X$JBh%8ky@O3?Wm#jU|Vj6U0DI^48*Xwv|UKl5bQ|l8n2{ zi`o>o4q}SLpI1H}6Uq>e%oUgf6cl7CorHshWSu(%)J`|@F>7DfxDjZy zB9@=uEMmgJTx#WYYq+4Ny%JoDgMQze)10e>FPcCbgv^G702hH5X)ZwrYIOl81MlAx zenE%C*K1_jauwdWR>hhJfD6?d`b;2$1@U`B=3qqFoFL2&#Kt|n?(BeZ4Szm%&;jj> zh)2wop^93Zs{^mts!h?SQlQl>?Dm|W@X>{3-EQW;q|nntU(_+iGZ0g6+eNO;6Fh$m z@oTkwwNvm?c;>rs`2Cn9gb_Ccbf{wFOK#ETvD+YIw+pbgPAF zoUTSY%^C39?{NJywBo6Ze2NAIFn#$3mv_#}F;)Gz{CteQXDjy*y{-MOt+|_N9!7Ge z-R@REe%!RHSfsIJAN6#f=nx9$W}?*d5QdwsWM6frUj*n79y_tK9nE95n`_T40u4h` zq)g_ApVCregaE3NHucQ1=$;V{&^-)C!h4o)I?h#%wU?l3+?}SawQXXOMmJHx*VQNz z?RlIb1l!*6|Is*#I3{(N`+;m{n`?s_8nC{l+EBdy)TkL+dYxRPRa%k=_U42Y^|-IZ z&_yrRaLbM|o_0iWIZF8=cUK5Ekn)oPXH%!^kiHij9{{>^=t}WUc+-~Kmi5KQ1Gg!& zZ~_m92E^>V;x*l@HvrgK?>U{Ts%&@RL_-51Zb((#IL`i6@nB(78IWb}cfT7_ zLN;gUa1>tDB(dkIxyB4nUKBKa`yMy zCv)hZAO;cHVkGr&Gw3J1FdQgmTzz!SYGSJNdJ8Y~(3$6XYZn`5BzDI>B_xbJ&GGZw z=lhuFv$kHmH0QWu&-LThpwlJ%6iwTwMKE1vWO`rd!4pBFp^P8}^b90Bf ztMgKiK$t!#PBa*Tv5L6P7dsB^s#8p#WHSxOAZ0CKQ@X?En@*-PQY1Fy2em?^-6$>hy!KK63X@oE_N+<+>j6v5^N?U7w^WoqT zX}iJ)qXUqjaoj`yS?y|z>OeHhTz_s>msTVWv}T39XFZ$ZfywQa#h|6O*M`RBRMvY+ z3azkA@rOwgcyMEtFp&!xNhg>j`h`!iv7hg*|A|4r{7k(XfP4*{JR|#&nt|VmNnp4u zsA^_UC(c#5H6330EP-0-bVW+LZFS$4m{jUs4asdkpM`_m(d=%0igl2hHyf~n$|l->!8APn?DNnl^VWQbS>%*27$>8TNSf?Qvjh15M2UE4JXk=Wtyqr!`a zO*nP|$9<}TTYsC34}S0Ifyj8MtGSZTAT>1ZA~~cVg3L z7UI^2R0|J%WJkRN5%|HLy37KWH_+ZSy$_N-uzfbI^vtEhIB!NeY>V~T{fEsk*p6Pa zeoHwC*S(t`XME@+N2}LW`>Pw?^xtr5G-G{FwhgYGp5>2`d&aiK#Uw(xdkyV?po^wn 
zPJ22Sj{*iP)l#tMo+g=)mjCUKzT+RtM{{^c*Cd_B$LC5LV*lb~&;c^G&aX`GV z&Q5zfZY5{&wCIXLj!W|Z<5KC+rmo!DG(`4f|K8HNXbGmj!2ccI#4~D=oh1(^yONPo z-!+;VR^-qmu9K~CSkrBpQ{bc$8-)d7vjBWuh!+{R3-=OG@tp;{H@`nZK3rS(4i(a- z0ADI>TRLU1_T86bH4Hb*D=9&8E<9Ma@Zv5EJ8tw+%zj$4&ghKT0ulzN$Li|1^aoVE zwldp6yf6%aacRX+v0wU($^Sv0|I59%E&x6NDj}ugi}sKWp`K&2v^nR`3t;AwW+vne|Dz3u zZ;K_VySauhP7|f@LO_3GtTT-kI>L4Txz7BoSL?g>eHiG{QKo;g5&=8%R=HT8F<8=b zUjlTpUmJJ8b&{*{z} zCFQqL@Gmv~rN&?BgnxPCU*7naHvo*}Uwq>?Z1Dd}YJ8~LGS78>0Ti-UVk*KvMGXBB ztW?|rbb1hd=)k{ioG?vOZ2lWqFv4-=$~H$uspWW^;cwQ5X*lqfD;0ksA1g{cbUtY* ze7eKJ|I5l3Kv>06*WTsqTn5$Tt%sKr76@SN#knd%27KbLuqDI49V|8i9FbCZX|pLvTMP?EnM5-rPg2Q;$l9qCB^*#yw)Q^ zF3L*!iz#fk>mLGer=mpG*^h8|Uj0E#?N5OWQxd+47oh1T6cCnh8Aq89{yY(`UQ6vk zhSn0@R0MjA%rSzb>jjMT z8`Nuy`3zkGRzw|D@c1L+Eq^jRwsjsz^{D0#vJqAM$p9pdFJvPLUCKO>KIb59p&e4! zn^%1N%Mj{sb1R46NC24`ycyTYCC;0QC)fXyz+-u~xkIC026rQ}w%(fBf6#WvN0j%{ zfnr{O{!%W$Wnm?=#-o1`aR%JwEqHb;c)r0UT>P6Xn*T|rRr}C<5VOcH05Xr(?rPhe zdvVvFV#}G(h{ZByKp0(a=>c-Puobl8GrIbx!ZqBqTKs5yy50B7BrLXbXD?|mqVW*X z`P1OM^qD`WYq8ZZW~p^SiNMKVhm{n?2>$%B&$I&qJny}zopAX`>c9lC;juP**oN?;p4F9-_i^_)HnMTl=$9OT* z!OKmn{^FZQ)IW4Br*RS1d$#X}ehNhS^LgB^f4h3(3G~(p?PVI)@7~MKf;xpJ%T|PxfeN&Goq&`=wp4e{@Ls$-*8|T-|c~RQ(P0 z=L-_TnHODETA+|LJz#t_QN!Soo*N5*{gb$xl6b0rOF@0DUD~ nUmLIeQ;zv{&5CLDORF9zE@BNiPgGX`|IVDW{tkWI{m%af86zy! 
literal 563199 zcmeFacUV)|_CJgmL~J-J0#YrANCyRJ0mrcbVibnnjetlA5JQIu&d7{XRGQRafk+9x zLnxw&QWB*k0--1+Lg*n0Aq0MhnLGF1nZfU)*Y}V2kHLp0$CGn*S$nO|DtoQXua_^K z-?{C;HXa_HorV{FFy-Odg#vybZ`}gi=|80B3VeXvPMe(O;VFsRzT(UW{9hV+!PJC@ zC-^82&#j+$c$R@%w?6UkAXIpGCY^YAv>);C2>YbhUeN`<_{qh}(AC6*=Qwb^m4|QB z9-hs>)h6H{&!z)B>#YG-JVu+u{(Wt_>Da%X;pO3pa_0g4>lqv1bN%N&@Voxb@1L8q zHvOl?EZ#q!-i6BA{O{|>>#zMdqRkI{2>4vEhV$_3ms$VaWN3P14rtBV{YR^tRwfs< zp)fBc=WDR5E=qx3KI?Ds=mu&7mtHP6ouvc4JiX!CfqI92dqNwyUcaq;Ncy)&ZhGh) zvNE|WeFo;|BCVmMqNH*NyiHnKTG#KItG4M6=l=CN@ISpn*KgkR(N)7$RF+e-~xyGx%=F7hj~k{x9fZrhPbJB z=+Jsc|Ni-XoHyNF|I?E<{9n@oCaAprjk2neit@kP242-&zpD-Lb9VuHUT+_)s{7lM zf4cXtesq=BJO8i2{65p)?gCQ)c=lsDip{NePEft#iVAkjx&W#~^` z)!mMp;&G^VC}F;^FGU)p5nd!&B-96l^`- zkVI_jZ0;c)Jgqz(zy;mNX3-y}!^w>i#n7Fu{J9kd^JJFPj)GB%5)Qk?%2l0FxyTpP(C`oIpL*GQ*DeSG`F02$U&$ltmd4Rfc3JTwS6Lpym26GdG zf}420MGko)4g=IZzdz~QCKRG9y>xRniihW$WU=W1K;6UJjlXR|SmE8FwX8FM^7)p* z3||1K``~ApZ)xLJ)8O{4-~rA-o^KKWX`ds~OaH*j-^KqQc-fe*{(+Ybf%PAF*%(;= zftQUng}8v7u1$HlGOs>&0^(NGxVo%>YUEDC1XIIU0|7+Iz~PAAM0rbB2$(&pFk~D& zmT0+aA$;jWRM~l{u$#==QY%@W3xbwyU+`H8Xygps&Uyn2r>EKGc3Fcj@S32) zmnUu;be^5A4(Bcx1cF%*HqPV3_*qdc zPtipVA=4+R%e!BxZA{m{1Nk3!m=~R7Z$tKiSe?eoiaQ^QGkeYm>YWH#na2x8UWuY9 z4(+)xJOPc<^Iyv8QcVVl+12?^JHeSjbItr|)b4ao2)PlfE*&fH$*O*iGvYb)K? 
zd{p@Hq0^Ix3*%)a{k(;0&8Y4K3j`cTt9d zs2NZgxV?YsA$lghfGB4AyXAAau+Fl`0pX=0zBT<}lYCLVS_q@ZGERc~I7%{Ak26(< zCsj0zW)?EeJ4ynqZ{bh-QY!r+7Y0rckpH2j#q4BCLQRvzD9 zHpym435x1mU3D^^NsHphUhk1QAiB3K^J|5UbI@n9869+(`lP9AHk?(*4;yKxs$5os zO|(M>AN2*>n$^xupi!9uKcz@)KYFZX`Q3Rby>V+286}|mi*v!=m-oXj@Z|k)t7&HI zX#K^xw}ubt%SVE#(4m!*hz|(=_j&DW>>A$@Tyt8vEqTC`h|nCnKs9rECt{ubYCOd} zp%Nua2PwTSe>{2bV_M`m1d=C5}x$PxEfGmLKZJ6Kvvgl>vb9KQE13a-Q0W zR>m%N&iweJ$yYPrZ=85kAl+upeK4B2Oe-RqYr}e4#ULTK50?$~`r+!IZwz==Ca z?Yjm^%S$71QiaBumJUHxGcv zSrr+_9e3OlwRg~y4Msw9!q|pVXuY72!Nyfuqa?h5hAPbrp3H>?8L^4_Yb#T?1;NK0 z1;O|Q$+ktL8sAoED$#i=PsHS~~l7 zqBT*TpF602M_2+jS=n8bE-VVoj@6RA`T+j%8N%+`6++`9S8=5@c{Tqo*_IQe#ui-{ zE$Csc>cugNRH2wHpuf;m4VU_tlLgO6S{muHldH$!kcs^C5mDiLrfskKYEnv0ZlMLaJwo=kO`zA6-+Skgq=x5sc4>_s z=UKt~MBjwSBKtZGOH#?^@OhV0nu#N_5YedY*@ZCc8w^M08-#Ojx>>6?qkpU|*==3v zpH3oGAgZwmWvy;)h-BRBCmQ7ht|XNtu1{iG3}&pF@^p%x5!I-q-`V>lxcYIUaJZtCo?9jLPzke?68KMAepL&k$L~Y$z?=8 z=(QdvTCW~8+^;LGFT)+zY}Bf>jod#uj9t9aSFe!0s~4H#()U2k_?AunsynP;auGWl z2J@$ncR=(1#X_cdZ7VHC4Pcho0W|AGxY{GNofv2Gs0nfgB1&Ib~1C`@7Pi-%F|K!BMU4uhP}%Khr0liD)1|C7PGLIl&`7^ zZ;NGNU|}9g#za*=B%=$J((s z$2o7#d<`@K7#(3RRPA#>NG#+R9l`jb!xgR8`yV~bx&>0voqxI4__j+ zmaJh=wce)7h+^aXcF@nd3$G8$^Y@pxzF({@myI}=ODj##)n9%WcgeGQ>Qq`^CfI|| zTv5jXcWt?3SCVbHV~J7mt4hK|Ely-5ZnQBqe7NL^?FyAFjGU#+-ojN zCYl!^TQ<8$wu{*Lhe^$tEr)t49EB0yk)*6%+v#bLcf?)cKjUgUV|-^M)KkgI#ruF{ z{z>8N)fVVZx~=#2MZ0?e69>rN9ZXUZ2Q^67yrZf=frS$)%x52~K?;I9?mA5-tzh7u z7f;d8C{zZ;X;=u;zFMvCiZBxZd+~MaF1|fu4?Aqry;T3<1PpOtb+p4Bnyageiu!=g z(e-RN_Q>T*jg~j}Xv=G1$WB_n7)X_(*(OkV z;qpt3&IIPG!x5DHXYn?pR`+;~Y?`C;qsuJjuDcVTc*zjo>snT##)x~Iy87>=k6;Wk z+t)BzluU#AMR%I6c*tgZfy@l;C?&Cgp|w>OH88kH6$*V$?FfS>zAq69f+NNs4JNQ% zda}wadPVQuE9?ylan=jCR-n))i#L?2!Uf7ds$fK^*@O+|A+5>V(h2M%7^VAQ`>|9N z1y$-=Ws$ELHP0DKt`WZtx?hRo9LF1m_{~6e8kjUP2)QnU4zAX`A1&R_%R|PGZhEdL z`n4wMDGxv`KYf9zYV0{J*b*0?nBNDzmHcb0O_rdcgl7 zs##$y#wA(FURyd4a17n%jT*GaKCpGA9r-IpW8BUVyQ_8;T#%3g{KeYWdy$U&F4*>2 z#B!SXrNmDqIi;1O8Mx}bmN#zmJ#)O#U#_h04hf&E;&nxVFxPA|I$;xO^(R#w-t0w@ 
zL|%(r^f?oW(M;^D?9|sfH<_&JfCB&#eG*&-j<|Afuqm0l=Tu**NNh5wU$OMq*t&l- zXQy~H$oLwe!}&m^dv$nq{V_;o4ByElH5>R3;}7Zg)n<%P*(fzvV}sFkw^hZVYYmeC zUs-0*@EVC~lLk*h9Z!Vc`MErD&J?XSw1e(iAI+!hiV{~xv8^>`{FK}%J#sGHBTD#= zY7qjF5#BP3@o*tBT&ze(li~ISW_q(d{cSAmTPL887j5fXPsy|CDf62C;UxHV-dFKe z2yhP4uf7DXMJ8##Zj63Y0v2~58fTbY>iZGh&X3@j5zDn0Hc734d2~!Lp_?;3!fH2b zDM?@-B1gkQN5uHK#h)ZSdps!b8Q`$=h698v6Kf>kGNXn**^?hNkig9hU3k+n+gl|` zeN&dJb(mp@olNi_d*rJyati(fE?6Ep{*huConeMxvmN5NSFLAE_A_jmUIRMGBiA_Z z83*C7=7N*qCr6~IVFQ)rn$$o@osmT7o()4xpZ6}DEJ2l$p{e{8w#`R^=2lLa@)}MK z$8{f$I22@iL*D6#Aj+-Lna3hGM4;ffASIarMYTlr?ET?U6$UWXui2bd%ng}T*LC1( zRER&_1!`-dr)|CL-lIBgD6#j5YJrRTpx>P+}G6SC6FOLV@HY7vQL!AwBECN&sqgj%p zhhfVw4AbB-uMyecWc>Ku&RwXlb%ov|BDMp@8tvdpxAPJYSA&+o-$F}>YRB_Jj0Ztm zM^7(m%UC^U3AH09I>%eAO zv5^>_SLx0e{yC^Ff#Lfm(0J~J)!lc1QS)|(pL@)Q62F`RWv&^o!=#$gfKC5i>COXt zx|QpvQ|tPMh$z4w$AIth~DHpx;G zd^TtnUW$YnNxyqS5B7|0_r--yY8_(S7{ky~!7#@8!Fo&dS$enCeW%uABZWP2q5+C6 zq-tA@N~193LOd$rRSS_+BB+_!`MoYJA$%&=!*g$-#(t2tLgUFHm$mlC_X-b+#$j%~ zTeQt@_iJxIFNb{88O6}eRDEB1T>@@p;St^KB1jiZrsQfgsO2-0wgwMI~i zY~m2qwk5GL+nY0JdyL1W$z(4K_&B*bxIx~_=0v7&Oi$^W2H2Kyj8RBTb`JBCO4Gk~ z1ub%^CV+r7pbb_h=#LH7AQTO??u{q=Nm;Tc-oHP_p#M9@_j%9uPiPTgFZ@1u&RyO> z_5x#bfB!Ax%VxCZInX_Y;J}7%#fWW~s6jmMgVu0{TjW)nv2OOB;|IlET+*N5#h+2+$ zIu?jAi1qZaF3@%;MYdfnpjhnw_=KlOdsvl`N5pDFV(m@k-{uJ^*e;+J)p0?zzHU?r z_&`26kDH)XD)hEz;Z2DR-AO*HsL(QB*^ff1_UbUxqx$foCrj?ri_E?AiCs(*!Yxsw zqBWn@Kh8=&gP~UoU9NfVknaG;Pgw+w+>Av9Ri3nTi;n4dJV7H-lBzU!vD~pA)JF17 zZi(8D(M-?DXeo_ixA|385uQ?HJ=Mly(#@zTCM4Psmnz<9+p!AV>4lgM6sE?brv~mx ziIK=RA2Puh*V(|W2qVGXo;?StXFZhKuyBZx7KUbQe{L2_2SQx7!m4$l>;+0~@Y%jh z+L`b@?JIy=KrD1@ba10*d>*eiHkRFtoM_GHx@TR%WpooQ(>yLHudtk5n5klsdrSPbh&MHf=PDcL;o8m_O_gVvQ)?w;7Kt&gMFo_=v}Iaj<vL47ZqSI(0n?tDbIRr?;lb~h<<)%e|{GsKhLo);OE zy)NyE^uyd#RCIE5Ro6v^6~zAPdv&JGF4g=Z?7hC4$$E)064p=;ucS@NLyl%s0@-F{*d?@_VjfGQu&4@jWUUKy{2@%qmGe&h5VF(>t9HsTkQ6Zq*-7cswTU(DM^rW zE3iV*`V{;^y#ax1&XEfNmcYDdv)RnA3mWh0_25fgW<%`#s8AD+)ybNp&$hUqp;2HR z?=T1Or9Hx!dTVlPe`*naVcbrtP2d0GS34g*k|3tW(us(pm|GDRm*17fdh^99Y`-Sw 
zGQMefr65(wv7!D32{Z0dQN<`;D>X9db+b-MqYUl^b#8nANNuptu11ag%!Kc(XP&;z zezVv_I2v)OJkr*d>Ms8_dr%X9;r_+^A{!3MVtAO6_5OhnhK)JNN}8D%IUD5pyAhuMt9b=*b_Mz5Wvddj~p6}qlxihYxh3jFx%?WRt= zWJm!!Wm>s$W#Lo5fVvbIh+W&`9TB@a9=WGfjJLQ5UC(I4Xt`TmnzZH*$hlOK$Ld(3 z3E+$eNg|>;kkW>eGq%$QDw_d{PlHj=zEqN(ic4XN|6<3qc^t#8ZXsD+y= zs~QSksG1QnE#j97og4NdssiRr6r%j%#+dS1%OHX-?c>`YBND=+E9e*J)&GNptzay5 zDSyk09klLk;l16P7h6VVI{oson5IY<#3iXCkLJcZ(%MQhYo;+y3H7QliIE0#rqX6C zXQmF`lcwfi`nqwYt+72OnH1Qbrb4g8Ip3)1X?`m6{3thJ%z4hlV-28q&g~ah10D{) z91JSbTzebZ>(}>y2k(5B{{G|>p-0;Lmso(~vg4kfRi^e#CmO-yBXVIbB8BCj~#JyH0>Z;dKGeeAe!eY0stWfn){hbE_;3@v0ue7Oe zNmw{7v`@ouoL2uKC@?cwdvryaoWAH*xLJ!;T2F)Dbie)8d0~rNJ@uAuPJNit9mRI= z(`^Oc#`SoKUiWCU@S&CZ5f+$n;N|Ou%VxKaE8Eweup|Z9KkzMuL1n^f2=tIRJ%7X>jA!vnWhZo_Todg<-fvXlhBcd*;O)fWbURBw$yR(iS|V(^qEj-Ek^ZWiEegS zi~n@Xf_9N_-Dm|N1WP(~Ani<**Ib`RkwkhNgAr;KXBVOGNU&h0@floAjq%`@}rWbVsqZ1&Y82w zV}~Q$%uHL;wa=A0($Z5*1v$H|j=T-7qd!@}_FHK2hqR?X)QA7TdpU%VPuYHCHv?ev z^z}WH5O&nr9IO7Qud@{*2KKMpc&BV4#4uSHudeCVGqe5PEbUm${q5@6o?Ml)UP#u2 zsB)0Jb;cbSL0n1JkxS~d*!@9;r<8H-h5Zikf}Q@;A-w)HgZlTRuz>|{tjWzQoJlp| zF}*jH7MHI|Tu!46t31-e-vi`aQP|$qvEpONg;C@j3>x^TW!+7YkU)GG2@ z9^}*0oFh|wT|zLE+HnSP*);O?`X)llc%|f_qRra7)RnET^OY7nl`!5_2kc@i<^LEw z8J?dImKtQ!YzAyd>TOlh=?KoimDuh#BQ^#Mg#{D}VCXt2t^Isa_*T0s<9C7wU)!0Z zLBTRSm}l)SGQ%a|9xjvbjz68El_}n5m-$~p$$Tmbbj^HTba>vI>wDWT!8lnd5%4{7 zVcnh`X7|RqATXdS+M@6s-{WjWb=Y8WOLk^?N7IYo3~1~lCp9inK{ znv+sDr$TM~ACV|^Q{r|O<3}se%6orGO#rtej*&CPG`-vHZ{NW~2G_Scr7t6^2funl zo$#h%F7%rgb^pV`9J-F~!>qXS}T@h(2y-4c(+*?HJdS-Z&;+c>BC9%m_m* z+QZX(pibtpUty$$g3xuo?wv#XY$#ED6@yCJ6bDvVrHMpCQp4IVkBWheRG`pLoafvci}xFgxal)+&!G)mZ`P%IJW~9 z4xiJ~fF!R8idOdjPZR{9j$VEur0_s9eCKB09E0)Gv!u<_h$bsZX&4`WId5uG&(jKG zp}s+5feE(12rzD{j3rK}CqFKE(i0Hlx!tmY_a4swby|L9qRnYB+V$DW$wtCRInJ1- zYvbPz!j|u_9ZN2?fjzuvU>WO3)Cb^yP@i*cNZUsR@4;7;6ue}ou$vPcOGx|PSZe3y zE5?Rx^|sXEZeQ}YY8#DNGE|nKG<`vDQq6Xxs2ni_#uxTt=-w$NwCTrf%SvHpjfp4l zHU86ml>Vz-$!2ShaID5PF0_XjsJscyRv2l#*2hv^prh96FHd#5(GHw&DeTQX7j`9u 
z6l7W$fkk))m5+ZK^sCCyr#cNrFMqtJtRaZ);IzB)6&(3OhxZR8Xc7Qjl36;z@WRR* z6D)>=L9J8+fsMVkk00D5lVE(@a!Ehs2!kjcWowZwcXpIj#%fZ+2a}-I{CBfsu$xW+ zJG`dC9fm_$DNdDM+1fnX_zv4(mTCoW&K^q7wsY2_U9BiO);wGeeUf$LR>iKXV)BPa z>IajCACj!{=!x1(b|zWj@$TdOi{>5$FKdNFPU@PRx2^gLu%RSda!*pfTJo|TWYwa##ZNM1s^kOt_81T@UCbido_1R|D(zI} z?KZ^-VZh2>o_rnaIW;k+1VSDu>`XoqXVV=YP!MfW0E_c5Y8&uq4I{mf%{R?vK~HqoR_Oej;_{aZ^Cf7<+!PGT zSrph9j1RekM%kA6Cde_8$9S;)3N#md&O<>4B42!?;3AF6XG6cfYG6RCx9@h$9$hr_ zAbir|S3h4dc*{EOSHJcTZXQ$FiYfe)(zPY-m4}i58X?%ji|_VqtzeK37^?X>ps9iWSStA$0yL~jd8#p)`$LF zOD(25tK&E#;VX6jCSJYuB}g?&YKp0S5p*m};eI(GZ8peCw>c1V>u24q4vl(62@jke zSopl(3(+kxox2*_AAAdZ`Z8yUXW0sggInLa78zoblwE`a)0_yS#`g)OJaOG_)|n;H z%xhut*AGuSoVD@=nVsd>Q<@Yft8f3l^{wEpG#)?sunI+D?UixzvBpkLBZkmkLGqz`=WsJ#lMDXr z5ItdZp|3~ANQ?hys25{Qh3KwaHU5)%pT*?BHits|xi>mY>$sGXP(7M@R1Z`ST5djM zQB&hkIo?mAyzfKC(@cxX4@2e2KX+F!*7idY7uHC*C*692LS?@eYYMle-RZ-57C#PE+jT# zgth19U5Z?BZ%emcK>=zBYyJxy0azDyjxlrmgW zTZo}q(mE(DeoRCSf~caQxhtj>p~tmClfn$%#0TXJ%EHe`97{$3;8J*ov6?+qLadz{ z_26sDh|+SMIv~liX!6n$gg49tw^GcBj=Au@%BcgEGs%-0O54ELP_|zNcR16dNB@&b z75(+yc1KJ}W>A691$_nAsX;9&WPHBs5(a)8L9nt*>O?atw3SSqN?}$JV5DAWkz+;Qy4(hz~DTv`3S>_S8Cyr^bSpGq@{6|5ikG3 zaG=2c){?!U-P`sX)o8g+))dK26Vn821&5Ox?5@$<)rsw^+@ZBF_n{=Us~O-M05u(O z2BMk>>;kjaVmDL{Ie^MNKX~7gUkU9XkYkv!_tpdHhib8E`@0&V>qw6vS*CC5W|qBc z>p>4+J@K|&KC)j+AJFW6mt#hM%hp=1m5M*O-d89H|36@zRxopG^cU)+6p z^1V@RTWJltVyGJ-DmAoBs>+!OFLuP)EL4 z)4d=0WxCieBdo}Fb!8YtQ4*J?DInNJ8TXsaK-Ff7M&%+WQ#{V>=yGJs(T%Z?$qd@0 z#w=f@`MECCo@pm^1 zvNQRa^fIH?mZf}2c;W)#Y9^@Thzgo37OYxLx?pU{Dg@$7~`#vJiKpxDc*_Cxj+zGoPhbL4ie^dLhOW(pNTJpF)Sn zxOYtZ+F#Qt@F>)R(%ojXY*D*7-%kz-G0dnBNeJ+p+MG^v~ z@-z1ubng{0<&18kmq;gR&jzhIEN96+l0JPTh&GXsFd|d^R95Db>d17tX=H*Kbug>K zIc$XUV!QGV%ZxW;per)Jxa6H()~CY2A*PY%@tw!v%};LOGfVU>_-S#V{XvDDmgi+8 z6f+jZ)3s+zZ+8d13v@i85oc4}XgrpR{UmOe6Ys%%;&F)=ve#4N;so8L`PxK3>5(V5 zB*M9uvG7FoAyZjfcCyr;8`4+XUg3SFukrcX>TC1g__4kORtX{Z(As_M(y_9j{muJx#=F3VEg%f4sYbVSiflbK) zu^$pNj#|-mL7Ds4Ko3kxE;zb2l9rCU#D&H36)J99K9H0+-=*y>N^Yr7f*ifya6rc~ 
zgotuBY1OK31+pQ-bI%u^6b;C4*K}!IR)<^2XJcgLs?5iO?2^M@>sA{T4-|99Qp*6q z$m*)clway~OKdRAn4C|&)o4EGV;!5q6^?oEaJD`a=ik%N&JG|IB4x2SjM|Lael>4D zWSOUf0_?Qj#F8P_4@C|c%A~8nua6JgU#zJt`e;SgTcuTlyT_Kl8v48TR8P~DJKZHh zdwqXPa13AWLJ_QTXe0xr_-tyOc;_4hDx!R|0JKK z?Ew`}s&)mqP!g&_#;mdjTl|8Tk06j-205-LziKTO08rD&3>&CkZ%%AY^T8yg!ly;# zE4V}V0^KO%6k{Kg2Go(UPzC6-1T&l=yWvw=&){NDX%p(Ki&B45372FGQ*0w)!#pM3 zMO_FsJq?K1Y(Igw6NZX3xv^*oc-n{(;(|Vy`5p@IF}yr*6c5>TiX^MY)wY}$vbg45 zNM)KAoo&18NIh9+P84r+Yp=w4%rdTeMlae4CfCGx=>s9X5nLe!ITm6%&TYRUU?EP> z!_XGqi&JWm2ikPTJ15DR9_L!^T?!3T5VrWq6P4f*bhjq{;$3?Mn$tVP`%w`s*JUMC z_H3&!G{c`Us8h8Z*jn?Wqb9yEi2w5Kwb3PaGlh{8o|dIR_F)HhOnb(7OH}2Buhs8n z!tW=ByUfUR@oFE>uZ&L;Vw+x- zne}vGa(SAj*<={5?E&i@((E*>pZ10!@$0K)g~amOrlWX!-tDv#q4IES2MZiQ_vv_@ zwx4z_y894ygmaXd+O=9e?!e4AbGMt#+q$%+0&X4&B%MUgrAvudKP4HKyA2o-9E0C^&oH*PYKt86NDA-Jnw z{8u3$1>89z*)cq*kQsC)tHwLl1!g(gXN_L@?hbwV=$l$h!`?sbZvWxz|KIUawDNEV z8a>2M&DkQLYjU|~&I`RRHDkB%JoYDPBxI|{WK0-d);z-a zG^6D%)hmfyt&xi5G3p8lTS1sF-iKHtc$SBJ_Xcz zojD=ZV7vviU&%-S2f2j}@_z6l_=l=L&I0IU4(W+HY)u2-c8TLU&o@qNx6oM zkFyz{e1JY5N$3cDU^d)xcp`k)LCjGfZ_r>Uz2j#u!{J;W&d)zk!$)jk*oxwqnj8mg zu({8|_cCH%o6QJ}FT!LiP%Hb>WM*=TQwoh-M05z9e>HO}gC0(^n-dKvWUCD`f_|38~zuIc-s7yA)N;P zWr1ZY-Fz~r&K3-8`?lOh9eT)<1|p48fgJX-`uQJ$67r^??*geA0j|H5gHf?+LmA0T zcl;Z^=m+s)$0NSJ@7-37Kk9f zI$qvo*|3nF#aFRVuR3Wd)M=(g_U&^(D$>sc#b&fg&9OP`@)I zk={=`g+g~bS3~;fYpX+RX}ZGKyla8T_SAY=3uDz9Z&z##w;hjEvqXEDbt-l6xkCzd z%&3v&`s56t>_c$8Qtr0%8?bD~cC{+*GPzMhSiv{5Gzd`ZoOHQ`{OJ)ewK|@YJ|an5 zsf?{@3L|KTj0RfIz+*$EKCZQ7jIISysN%Cjh;UmxWgP65q32hxz|z9&0e4we)G9BInvFMf)kGn+mZaDy%3O)}hgDT{}AtHM^#YVV9(d8i!WFHqcj&BrGE@d9ye zg*b59jV(h~MzY(wvaAE!%c+23`m}m}6{HRXO39|YJ)7rHdDr*CRiA?NQowlCBe%QcE{m{pB>ZJUMlJEnmCc-l{1Dw!P`2*2<7u#b;+Fc-sUwi;0p;YE_;AVQG=tp z^!;GA<0v(G%#KHdI}mU0a>aw69FkY`lCi3kFHO`qpgK zaKW{J5j!C=+L2oKXrYogxbODjyTWWW)*?wBej0{iNn(egY_{L0p7+<7iU+%72#NpNlJfbrhWSMPNwc?Uz$I{J1tmpoj#ko7V3y8 z67AD7@SGS_CYC~_bo!yX)NkZa5h(Sv8e$4KJeYYC1()Y}-AG-GPMrusujt1ii77J! 
zWoS;it<4NP_*}lD;pryv_Sq}yMXzXmDIko4QPp-DGY)nsuSLcfPy$)3S7zEy&5Bj*xf1iqrH!Y)IClCIyz^nj01^;-r(8^#I z@iL5Xx7eeV6rwb>V3npOyckP7SyJ@l#exCq)S%Rv;~CT;_)5qn(d}ug>1tIB!gQK< zOYw>v`GFi~M_kRDu|e7|oOBZ=F0>a*eW4UrAqPJ_yOb_WS&!C+!zyatopdZk5+^uM zOX!hlw(7qPLerANeu%a^pEIS79PKDz58oE7-R6(#dWHDd{zoejob>pek5?WifgaB+ z%%(y}--m2$$TdA`dR4NM=74gPPl_}mrfq8lnqgBEld%nr~RJKdSdTm)09rz=ra z%oR2fIWvi}U*j{GJ)>6_zPgyM(+?I7jtl7bszSt63`V^Tp}{*>w1k6~-I9?L68GA% zdegm()n5aMZ0IkW| z%n?B7V>1T1g#JckdKI&JolQe7K{`;knld?+_G{Q*hHM$!?})i0u9M+Fb4XM?{G)K= z(yJ-d>IBNwk=<&UASnp4z5RgS{Kr?lfEFAp4696G z!`7Ivx?KTyiGcP!C(813$;&`K;!sbHcz1qPICgr-bp)=oScwh@^)Ay37z}b_eekbA z26M*iJNU5hkN_&mCu-2KmN~BP%&7Gz+TEY;iVw!SL3(97(wK`5!T~`_pY((&)byJm z#`KVmzdxH|*cL(~_pgEn;>Y|^>irXI)CmcX8TciC@Z!us$WUimV-;BT%`DihiptB< z0)XxaHDI;@OO|A5VPAC7IjnU0N#RApbk})8xn9VuZ7>~@-%}1iL^Ux*!!KvLhZ7P( zXRi5RS>JUfpl5q*^;ue7m=M-Y)Cd?I(4Kw-IU8mSTaE9=1URy^&;h7;H)J>?-!Y?A zDq~hccHuKz7Yx#neDJ8zC$%yB5%MQ+OoF2>1+WzcqE;s@8~d$_ z0(n9+6W);U@6x#bs;}6v)p1yDp8rH=c1GCTS_5Z>cEeZ=4O6=mpg5+x)JJY0*<(Z& zx8x$EuD#f0My-?!(|#O0P&fJ^IeojHJDFNJSR)O$Ejk@XHe3LVT55A4fzNk|)40a* zj%}Z})_svP+TmXyS=Vg-G zeT!p9$S((xsD+SxAt!QzOY6yZVT9DV2=|p;mPV&-_Oo=4Bu3|y%F>aEc^{40Lco77ojIxbY(6Q9oLr0 zhAstgbh&Kf#q>R&(t}4&-&rpm&4T$q)(g6PsBtuPLD&mcH(hy~`AkA9ptG>+qKne& znl26*Yc?BQw$j72Pu*^cT7=9h|Js$ga+ZB6Vf9Td@Q}B0h?;+}8E&$$!z*Qb4%qIp zYNSgcN*6Y_Qj&;+2_?10({k&EnXTRgz>Ghz#sYwv zP{34reRZ#K3ZU`D-_#PdO5eXU4F&9jhX_>JuiyFq=o-omAv}me{{9UcDft_0Xs9;a zaY?G_Xrxk1=V!HA-j%G5sa1`YY1R-YglKJ!PNv*OQ@^Znw_@TCo+G#nl;N6Q1ewgauySzH!gRbY8KYU@oHw zsmE!NS}opv5UF><`9-9?TKM$&#c#@!*<=7A!bY=f%@_UD) zx7)q{k-N5#+*q(LFnEp2+O9kBqwKNdFYz&&?((un=7W-Ckr%_Sv`RfCmYrVrjW@vN zbjOHSYo?)*{*7y^9Ag$i3^H3i5}VDw_8;fz|MHQY=)6EL#6<-o0o{&2&PMp#3#S@+ z#kPaFpPt6;&$F)&d?yAG-u8tww{S_Vw|WKaIE@IJqw4a7pBsaN%d4DQ;XpMXzeMBK@6Uv#3{7)$bY7nFPtYw9+(l5 zd|;c>_U&cQ%T_8rN^iift^5!|hwwJD>pu z*|8S`0YiGV9b3Lk^e;IM1Lm|S=H(N&+vfsGKNHR*L^t6gA+tbWbHP*53Rz`;;uKxvMTKiNK@W6!PQUzRE7qXAm4{`f5lSqB`P<;EHenVm9rT<+|B 
zUTw3n;%K@S5yOv4N(IcQ5SMpfc>0Fh#jNn{lcMpn;3=#B@+L+P)^W^^tlv!sC=G^&{3jT{lzwpif8hr#^3D~o!XB9KQY$-NeWndcG zz+tWb5N3m=`2QDSoaCF)D4@K43c1EY>g37De;EhX9lGy^T-fnB9~C%q>o*}k$pC-_ zHBcV}X9B@{N%4<>0ayn3d9ZbH_nN%lD)Tw^`4b{KneeXB_1Dzb-5C`??uomM>bcB* zw`66<%mE;v;GrFP^-nMSo1dM8f3vlL6TLdZ0h3juKNN6Jh%>+jPK-mb&DSS<@8w`5ux1YJb3)rKSG`0H6 zqJPy~fQNU7-q`Vta}fs|E4^pMU(5{~4^eulTjU$(a%vxN^7{qn&)91ltipy9H<-&+ z{l>ZY90QDi`!9IEjp=U& zICq|{a)Hi6crc^;w*5@3_pJ+>ACD%FUb^)1!mla$@lkJeM~!6fL_Od&eEaUmsRMhS zoDwXNGS~(Zh`M%21bW~3Vt+F#fLm2I)l-*Gau~p}X0UZgnUf)`<>z^f{GR=Jc}SuE z3-X%Lga6mpUjR}Obl%O|!S-dY9qjLG8w+eI@;LX0zRVC6IT!&HySRD4-<=h9A!>c* zz|s+AmEz&9Hswa${4(HB+9@sBzsc=}>dPuLVyBqKHTijAuF)@<3tjolK232s-xkSGn|TQ> zzh}#n@qgvtze@OTWQkDS`%A{<&-`HtD@oqHZ6m6BGG8{v4HpA2BMig4byBi~> zxgR(Q7*XQdk$RBy{gsW^NyRfFf)90Wcw+rT{Y!7%xsQ(?J$iTjlzraIv}0eE{Vbvy zu~nA~?CiZ4(8gGL0i_MEqQHv>H$6w}+Ze!$UxJQqVdw(+U~6Fcxf88-g?2+v{_tgg z)hXhgP#|zRw<}-fIWGtbY+nzYWAN10_vFTDz!7}wsJsYNSF~Fw`JYYvGQ=0LkC>R4 z@EijcB}tD8`YW}6x7VW^o0=jaY1gl^%)W5s^ZR}ofP4-cYkBYO39Y@Ur6;;^cN=S+ zzpWXV25@rqzNwk4A^;sZt#az$1ddICz@G?`m}Q!Ud{Z+9j=-FliDs@Fv+#zB z=?=`ff%w0KKB=nd?yqI9UYUPUsSE6i{Ejtm$GD8`nkgc(gY-49IhFO1~>85*iar=Jz{qg&~ zUf=(ina}fip7WgZKFf2?d0dz@*UDiy4IXvKFMjoCIiCF!1)TVn{l|U%CUxRZsPgl= zYd%`hc>A+N=?a)M$fRvFI)2s2GGTgf`5lIGHGvZ3pL{~!Szap}x>(B7&Ts*?24Iy1 zo>Tf9R`pJ7+-))r>IZ$cfpCXCyG@VKa(G17j&3(*XXTH~7O~u-`aQ`lHmPbn*&#$p zBTrP{+`Gcit6py5LyhSgkP{xcOr-zUDn@?d8zhH`yv)|#;9R?_T;!ajvFe?p|VFYy0e zDgBKCs)nxs=)AW}be?3VsnLn?eAJ_i`9_3RHfcX=C%2^(ij!G)&eZtdK~vmVnL==6 zQCKxs6w!kv?kp{;;{haI33g`;~5JN9gd&`+= z7uWAzaa9Fv6VYCeIm+VL8b$`(XFMuKRW9J$@tOsO4qyuKp~cMVnhW4tKv@G=;jq_7y@5u#7WwCP`!+$c$R6ptD1SvK?Q%E_pu#woyZAg_k_o-8O9$0|FL~bW)C;5C6qXmU8Jg$u=%=e)8$r8HW%c1{3(%ZO5pnD?Zj# z6P-J{_uE3Nh_qL^&CkFO^{K2;+gAL~DWIum>i7Pf6-0vV6GgE*oV_|-0+}v{h<}c& zKr8g!Cv8xut#-)*(RFgqyk9@yIt&8Nfbi8sc_R~`1`kmieke3J7=ozSJFj(7baqJ0 z{Cd1Xq2=&I>bccjO+Ars+40nJIskP&By#lWDo1_&`nj4iC4l{b`6{)x0c@tI+^c8{ zS{!Q`>;&!~0UEW-c?4O0SpjZSTPmP6TAu-{UhUi+NJtxVj7Z{DjR@;5j0Ayb6C*$@ 
z{@-pLwFskaN_>60f#Xa}=HG?h;w-Qe>@{fHRSL!fJJlTQ&>|Xv7#%{t{vc{xBzq$E zFHZlvVe-3>#deZwW%MuFNcMm|!P_S<_}>&Ju7VOh6Gtu}=wJMW!q=bc8nUlpj&J+) zjWb&Tj8`r5(~bDGVN8HEy~FAs{5!dRatf<@fk)XQh3brXF1+IWwP8wuHQk@gIlTrB zHp1gINLhhJ$!T@^3wSBL~8JVt|%2tS+z>TeqdDF3XNgJp|Ck_2fV z@ksLpdMSrk)kU!0XXF z`tFH>mqSoFYA~j03@DJKaOxJ!|6C5rb4D7~2u>Mp-|NkyqqK)*Jzs&}`>fAnhL+SA zKM3e{RH$2kf3ZOw#}6z~HMUD#Q`1feS9{3C`d^~^ZRwhJUQO{bQ5))`A1M$j_UUw8 zy1nzKL8Qr^_1Vbc#n+RGn~2`E*5?oN{CDmU52T`sl)=$og9B?SsyMd2;`p^;mZ_-X zl6ztOt@;~(tdW%;7G3q8DuG>TS`xoD%p4U}P$t1Y48IOd%M6-qS9<|$LIB7kAT%QT zS|i!=--q06m@ib+ghBVMYWV+dG+t^_xOLn`#QGez8HN8&f_K36-?D)o$Nz2t{Oq%T zP5h!h5bk*|86L8}E%Nsl{`Js5C;mJ2Ui9VBE34kukCL_7vww{imJO)=M@|P>e=TaX z+Zod<-X&LVxPGJgD_JIgix0tkS0IJ8}GLU{}pmUj!=Q&Wa%LN z;=W}A-T!T{z0=R@OGs&ZSyncJ6ZBDsZ*4!9tvqYxt8r1t!*mla!g z3a3hfbBU2cf6BydWHjX7Q@Wz+i^!l*fl z5{{?!fIdXZVvx?W?znb?(7SMolf(*?;BTrpw@@HtD~Q;e;|*1>UsRO5<;}zkkYF63vR$*V{yu~ zFTmr6DAzb;iC0kbkC`{wldUw##{sx4>OSuT$n+;4NP6Om7C-%)*#jS3t!ag~>Fr$zrL$ zZ$^h&9Uy|IZ=ADJSP4S^xeUWA)jU~U0&*n)%@Nwh=r0gvi9K?*dN=*?H{IqK#k{>) z6TDt~TQuX+LyRe-I#daFPz4=612HYpY|7N`kpvH#a|?Nc2O|pXhv=m%edZxX&6DfG z+dKBo0@A4EUGmVEcafKZOP(;$IhW069(WTB8$X{1?>=z%W_RCdHq~Cj$EXp@yGhU7 z;O2knneQ9<*B=}~0NM|seowS`O7D2$F5@gz?fK`E_A^G22d3eZ#a)o#j(Y`V%k4OC zcEXa9>EUM>8PL>COpPX&!$+&yJz%5#5HqI=G$HbFlrQ*kcAVtZ*V60hA7uteLQ+L? 
zr+30VVdHBe^=e05i!w-7kPixxnl?!a_#C<VBp0K^Rjg8E|J-r!N5lqpm{H*PAs;)Rv!GlPP(^9Zk*MyBTPh3m zH?z~VJP&yj(j1@hjkJ^4<}14ePIn(;x30jUHJb#gq!UM`hg9u|PIaQ?#wefZbD6S> z0ryFJcayfVuCp$SoeUS0Myi!6e91fOG9piQn9F~i#n6Y`9)3Bib2=!3{(M6x=``Lx znL9vnd|=jGc+l=0eviuXn`sZElsvZ+?yt@G=kjj?_C--;w9rmr0Z3nDU`{7tp-b)r zxYVSJSWV!bk#|sk_Mq=%(lW9xWQM1vlqa`xBsuA7uI*u#Jx7^NMo-wJG#S(-`j6HR zzR1Yahc_)(yb;DF))TMhGv9>b*frVUL~L7qnW`=F@zx><$d|&AkeRqVbLE_~9MpGsySz?ESrPZ6fHYs-OxK)kk{Qp5b>mj@S!ApecEBQMik7H6GdK za0x%yt=arg2M>W>MRI{AyId|@V3N&`nDlfh4^7Zr*;}ir0K&cCUW$LduR2C)8DoV| z8?k=eUVdQZOl1;wz8f6r9p7D8ZWSeXs=r>&rCi9NwK(1k*=G#H1^M9G>OWY%)QH=u zh$+FgxgW>hz;_7sE`odIRyu~^0$9ROK#^+2Ho_7md*NdrdI%Rgwtx1lPWj>xDl-jj zPnb2$BuA`+0UWB3H1cbIii-(*xqTWwIoV~lFepHkifyeZ(mTqNsgg(s%7`50$@Gpq zG}fFvsS0#?U+#ab+7ZJQy7gj^qab3rI=shaX3lbs+>s&X}D}{9>qtg1(wm z@;JcVxl}!Qh%m()yA=F7NhaEVMJoJ;#!OjWrx6UUAy-@Ldv%7Ci?qY($|M>rq0_Z{ z$cycj>#guRcirR#m@51a2YTW25c(;6s}%W0?d>3`^XlRclBjxx`R*`wKg-dh?5jKVvlH4YZyS8)qhHpdFbMYsi%4JzM7V8eF!Z!1v%n zzKtN9UO8;2k}pV}@D^gUqQ66tSl!Q}n(5FJSlg5$A;By4%wqd)6oE7vPRcJ4NztdGvLA`%45}u#8>a>cGRI< zh$-aSA;ZTp__&Oi%Gs(mthrra%SSUcs>8%w}KJ1HZ{aC;N?>nUHmZvCQgE zuP~2wIS^kQOuy8}9csQLG*{FRJkxQ9NIii%ybkxb0Qk$$Fu+KwMI~1T>vGlOe z`h$G}cQA^S5!0?<#y%u6DDv`NN=~oD=`+;>O&6}+@|yJ!N#x~wFx+~M=BS6CGi*My zH{&P`OSz7GK#{qQg$+)jW7ci!i-BPd2~jtnUcsbDj#%q<+yjw$JF-0 z7%lLW_(4*(6Cosvn5>A|ok2&JCvaEB1CmQv!p+2eq`Pymi)2PTIUh&~SOB%xgmLE?h%NHcusdJ4d*0i2pNk)2HAUE66=m9n!y+iNXaD9`DW%sn1@b)ck^=Pcnmm<@$?9D`Qut&4MD_AdY=IPH;?kf z+FWSg47A{NewbTE+T%m!ApzQs*7U*!p&5*zZ+UFO`uw#xbC` z*h!=vHMCYWxa$H_NB_xKSH+9~CYb%aYFp-@))H)+rd`%21y^o%Z+%6v9TOe``g4XhersnY)S+qCZ7R}yDm5{xFJ9|X&l zfT!9JfO*hN*J8tGUZYUJVlyK%>DPn~NKdqR=$N-3+nB>--gjv0<45K_iyzFD`aIk< zMf13KyW-l;2OoCyz>ak^xtVvK$*D3MISgiaYN0oBDydoWET)AF-D#)yRKjR7IO${W z(_(+}#525I#Ws!cF800FnsLOaRJVV2Jg|7WOWtJ0Up8rf`F(FOnwWz^4=Q+HA~`+&c{?D~HH@zfaGO~Re|x2{FHVml1j#bC>p7@!^A#}m|m z^}Qzafn(q!pRNo{yKA4z&Q?Hrs#!*lq{&ZY>DO71M1mH^-4W<4*^&!YH+3v-?S5OA z0`Z?S*bPpn;moS%hFW}rs>hDe?zh#aL|ooc?tPW5z}+kQWkdjsa%suPlICrlT1l+1 
zc4{nnE*LR5;XN!_@Is~F;10z%pjoeYTI(e?r3H*umwt<)!%~hX1Nh789 zr}>2e6Ap!Z*K1T-5;aMK^_FP&E+*y8;x#c7 zmpjq5c%b?4R(M>lwA5Z!r2g!sK$nBu4}4B^zz=VQ^+6gQ8KiIwEmORc78HGkdxMhq z4DxrV%3~}0&^`y8{JAYnQWdxBjF^jnV;kgZ54aD}>!CcOHA$yfkC`gX$^i(27sre(sWi(KhLbPXurZ9$PxO}drnHRnllPIl;sk7hjR(Gw2rka?}cdic^z$5 zH?y)0F&b&cVKMQT;v4@oAu-^{;ZLl0anRtc+~k3KJW#3~ zhCD)k;ttq;PV=F5A<_N!p;>lK(ut?|%)B(4g6$pzD?ZZ3UF`AP5stdPy+JdYWlCEB z=b~p47x&6`Uh_)pKV$I_EmmpiNOIrG66hkza`6mun`E-N6n@N-cm$c=RXJ%(D>q8B zJq}P;3=Jwt_IB#YpD!^JW7S$>z?v(ZeFBNR_y`Y%kTkZs&;V@)i{Dkk>e|^`vl>2N zHELJR3WK5O;EdXP%sN9-dZs!_%$JBGCw*mbTxY@=e^bpwDb9zu-R%w74|<2acX|?A zR%kLX*M+tdqvJw7+e0+<#XVWt9r%BwdQ0@CX|a7E58LsN*dCmJq`PyA8PwDk_n0B5w)C8H!N)Z6lJAq=W$pM- z<#FAH!;IxKn8bDx)vtSwqG7)64>a~>n+5vahQi5{@R^TW_xX0a*sQGM*aF&gk#>9W z!uXg%=0RqjPx{XVEKbee>~1`*cM-7qHAWv;Ww4feY@+gxH;EVZ*z>Sj`*13muW z8_3~DaVc8Oyf9TBi@5o+*|^zR=yUk{ym7z5!0cy<0l8MGc5(Y>FXg$r3q4UKx7GDK z>wH{saChRI=AJdux$*{cjyMR4s6Ur6&;X^KmF$2vLet>Mhmokq@hSSvQg=pl%6Z|Y z+ns#UO^ip$ISm@}r&iL9Kd*N<+_duo+$t9(nft1#Wcq%@z0){(#pvO1%-tD_x9x^1 zULHQ?u5E)J%#K})oR93B`5UF#0Y&n`!GDJ1RPX{;H(aefQV)eLTpoD`#BmB(xrfUqbA}a zhp_vb4?4yAQwC+qQEjDCIAR9RxWCb+l?7wzK-d?2t0A;%A9JVYh+eqnYiQldOxz*< zAkO8ku$^pfvxTN|`}9{-o*Vi2=iEqd&KVKSsnn*eO}nEx1iL$OYY@BhFh+qrjGaYg z0$EFf@^qKxB2ylh!V{nI{n4KH0TeVxo*lkw6Io{+GCp1+SMCFJ%Dsv9`~83?2kVDu zr0vL3>_=v~GSOoyTO9J*9qy>-5hl?(ESeMOI2bAbx$V@|I=QH4hAiw}@T^nL*`(I} z@rV7Iu?o31efY^)@?6i<8z+6A$og{{<;kBQ$&dHb!Hps>c70053(M#AJ?iIqIJp=I(G1FvY?*0sDkk9*UH4MD}>W6bfSDR49W zMGd;viwS@^gbF+Q4F3nZY}v+|bLhx|Mhit22^(zp)%00m0Bq6<@4(@-;X5zgW|Yi= z-jt>ZbxKCm5%x12OzS>UqC9Lsj&!NbQP61{yx%8PCkltcA^xA-aUk$!CorF=3DP9C zXl}^XT}691vJ7tMKwmFdrUM>9UsiysxPjoDP$Cdo+cnxJpx=KrHFk^%^0Kn^%$}{8 zdC}#8-s!z5cds&aJDtjFqHF2b&V8Wx(Q|g#AmA#Ie!;Mj;4?xCG}J6qlFPUei*3@# zejxkN>*xpZ$x03zAP(g6**ZNo{tq=Ln!=&}MuXvPExeQ)MdxQ+K zAQo+wl0laWuE2xkThM$;fct#0=gdE2+{wq7Ab+$dNyhBo8khXg{Vb>@h#iE&7ToE* zUoBGNhN0itPwJ$6^>(uFMJ1t{} zH-v#Q2?R{nqFFI00@^+_G-CZicWzv#SzgA<2V!R~{qW=G;iO}scmGLoUeSlw2b^oN 
z0%86dXF&x4_N?v5qB!eC2JiHeLwIGW=<>qi%TQAj9a5rJ^YUe^=EZz_5IfR@X^r34^U*^I5K* zCp$&6BNI;3we0oBd>D(1;OV5gE)c+`X)ST;zYhpEF4gXX+MwND0oGy85+tf|#;wqQ zDM?^@gX*I{dFtK%{DpDxH_<8<2N-k#l_%t_gnLVF3Ta~Az0x{st}ZxzV%uA70Y2H9 znS{RaPhZ$rwl&0=Ig~n+x)%W_e}xyzxg&_u^K#kap%dunrAlY!K)|sEOM!tVxoJYV zf|BO2)Xt?Blg2wr6c^tkZE4$5Cs<)YMx&Kj5ci3GO232L^kO6S(64{kvO->0Hte=mH6)Yh3*O0rBnS+O|Fm{Q*uGmSOe|*a&?k1vj}nR zHjfM9H{o}o$ra0TeS`(>M*j-@3=Otk8Os2W+F^N}EKv(-8s_$xiIPag%KGL$WX1&r zrZ;9;z0NNVeNL^TAM7tlM~M>nCZQ>CG#mIMHlTmLK$A6qE9qIZ5vj`^6jk6m8c0w} z*7Q6t!}ah=i&W)!g9ze`4cwD&3QA@gP1 zJhkSeNCad0zM<>P*EmT_5_~!?lM7N$%q3M1JtnUcWm+|Dw?J-CQ*Y9WU(*YFKn^w3 zGi01yxcYq5so?bjB;{J$Z^86ofdZ_7*SDwYZNt{9Qv&Cv-QAT%5j;VHBS3f>`!Oov zvT*p>B4qmAn>r)ykxnPJ4bDI(A@~<`AjSn<;|pn+UO6QDC?{;f!`{x$(23AoltSZcJVMQ#%PiH3E#X20!ya0iQMTUR zKpTHI_}FZi#G{!q{qh^NQ0Vp+Tke06Qj1_@BxaYUnhcz#Nz)lG^j6R)klrN0L)-#TY1_6x0V?R&X`MxOG+H5MW}fG8 z#70^zJQc@~-Bp`bWbo6Fu%OYfUo7$i=5=w+%!1O;aw@HM%QX z3#HJk;}!Q4tuh$YAM$C7%z%;!HZ`|#QrKu5@6 zb@F9*+4TbT3QmNs`6?C^G8@tA|{2|2*#UW|(r*>or6?K-o z1xEmvjXXoI*w`V*eylI^8vDAI__sWz*z~Fz`B{%c02_}AU(+C8>MPANX<6xVw@`>K z27>q#uISEU_1ib&iS|$yd!3NWw9vD}QZcC&o+iX_q;5$4RzTApDsFZ`w&}_+C_G^h z?A1~=S-?28DT4(FJHQVIO0(Z;_Mw+smYy@={LiB0E8Z;0i_x`S`6E z@^j^#vbgz#Nod;6Gn&LntNMX%{{u=V@-A0yD{#1_6JoJ4v)`GyJ(1v(oRQn-x3Z4M zv;{)mRrB(0#(vNe5aD(aU=RP8O27C~WB@phB0s#ooR?@|5~T)(^^_`hNFAsH$ja_3 zdnMHTqAB4K+et+xD<0@QHLDwMP0DBdh>xs0q|BkIzH{XJQRtW43hepM%8ua7sE#GO z)~qf(Q0Jj%=I*+6MCZHXyQl_Kyupu+oWHFs1nC`)ybs6a3||O0+cqKfWNQNSGL5Ff zLh{swuvb%z4FiaF9&mhUFgG-CDA0MnPBX~t$y555;lVpKqAnk8*1B}4A>m}4_SDg? 
z=KWi%G{%3QbZJVAsCw5+k{Gx1fp+@}dfj>cq5k-XBZyrS&>}RU(C0{QE)cG8c*bX~ z=eIa{>dp&~>RjgC-KR77`;lpIOq%Rye;^qz8WkRT@2aRmuR-ohXq&lj67dBADMD@++X1>;n4P)fWDsDg^uCK8P;m6 zYYNf+dtTM?kbqF-qdm%@JGc7;&A?6?&YWX1dt3=bN1BFz(|zhDECqR9rq~cpwT{E; zavx+Ye);|IbsZ!lzBBD4NAU^%Ue9zxBSKSx4=b~9Pl9Dh9lc?^W{7hCjAUfsTQM41 z7m~+A>k2gX^*iYiPF$_rLaGb#e8J>W{ekI#e8;=@xyZL9$L4B3IzNAe)>ga0o|wVY zN8dmMtdZ!fH$is4`*(9^+Q*NhsqS!Cvzip z&w`lgI}^06m=efs?wInl{S3Dh3BFJZAZi>VZ)J=Ku~YWBiq$j8nn z2n9Nzml@>xvBJam0h2pX%1gAHAFRE%V_DgU;=QD8Yqk z7qgx9KZJb>9GsWh%|qIgKgzNJ_aEac00CbI%4B_Ln@7rwt>sb4Ct9_p>M!N846vJI||5z;5iAOr5xsSs43UkW&qwb~Jt530W@tGWC)^rTLB7=t$CyQxA5A(Tb!O{{CNKV|pfVNWKg}cYt27DZ zo|-%NoDz?){hqbMyclYC4LN)VuRZd{=$a@#n>YUy>*4{wS{mP$`y8aUNB&qXRUWH2 z#fh=Fu-gOerK;)AyMrz|VLn{%U?aXkE-M3vBXHL@4=wUwUpTTZWA~^6;Ya;h5khBH zdlApAMXjKUk4pVd%>;5YfQxXtbrS;m(DH!B*nUJ@LBW($&O4i$UN7qrBnsS4es({v z=08qDzgkH^Uzp&t9V3h5Z3v)6iebfKs~X~vONADvf`5^8;Ib>GPKjI~?J@fCc}O&H zNM^;u6s6Ri68ove_U)D3OUNA*9Y5f7Bvzh9NduDZ#1Fo3Kw>3XgLJf6vN}7%pK+p7 zgu6VS#nI=0o-!H@546MJaDi!s=Lr4otrw!Zwf7u-Py=5USBi4>zkucc3ojRkgjhE1=1+LM)rjnzbu|@mQ(;B~+%kne(h3R%&FO z<||bvb^`L{G|_I0`S2dy{~C~}6_1RGBo#m9~3Mxqa{)tBUB;_GXxdut=uI# zo>F82y}g0Ta*?i$*S6Y2&1k6+EzWp+J-g^s(?dUQu9byzaTyh5kq8c*xOTovWg3dP zKq=Z!jDsu@^VRHwIKIJW}lmEOwX zdQ5=x@gz^Vr=Hv6sW@}g_M_5HM+EpHsR8lp8pH?g-B-yR2)#PqYqmJKK4hwO3% zywjbY#p{f)M|o;*O_6xYdqyCoEU(c{{gdHME~kbA2nRkO>QT{MP8R;cz9Ot2;v?ye za9ZFRnUF@pF~w(7`6$CRhu4W;hzCL>0S~{q&!M0^a}+2iJ0SO-mQx>z#mD!0q2lpK zC1cU;okA)}=vN}(uB;{x1ym#kGBz2`GpO6Wu*};3Tc@_YlKFOsXekU);#Ly;o9epde4PYJ08EROixbz`jG9TkOMBv|^j(olAN0+ugvqTZ54m zv)xm}VP@F455w{3M5TuxMfqYcB%oOWIimdCS=9cxCsGXB*WZ7W{O-WZHRt5a671UAs|dfr954`NQ0Qt z3M8wtwzUW!}VDdQaKTv*oiG8(eW!@1_3Z4JLCa~Zgjkd8iH)=Mw|H{Ol;QQ;G}HJy(T}`E?iw=llGo_-OmoaQ+1MEdJ!*#aJX+SvKP^OD9`is zS0~>e`(`Ah)j;G#?CY0(r1!{>N+pUGb~3Cvww-C~!=Z<7C#cDQdn?Jen4@?F({pT; zXL(wIOu|khl3cef5U5J1KkDHW^?vBn7lS6G4BwEWVR=Ct>~1EGN0?2hIdy=2_7=Kw z8hrdi3_Fq_3aOpF75)0E_IgAp`JjX$s>KWsD3?zn@9XKB=|*i z3J)-S;j<8aFwqb?ISQOTm2M81~QR&nf{0*%%?I%$yWTcy{lV5_2`v%CRp 
z;F*{w0dw|EHYO38n%p8>B(iRCS+|th&<0&}sNPEz6Wvsx>;*>^W*%`e4K-~P^Tj;| zaY>By1!1ZAuI4t7J?lZ_?qp#yyhtPQ)L~XEQ8-t?r#*aeih&TyPsSEx->z3OI=F5> zx7g$=oso0CZFLdecz(cQdP5ZkZ_Edd^!()!P6+$TJcy7a+OyEHFip72t@O+Z)o9=> zU}<2w0a|}0VwEM3{BJtNc1;nm8hDw6!s@Q3W7>oeHCrI|m5<~3#jn#e!(5+BJg+e8 ziS4zS*EFqJH=4_Kl&Rc;3n(1WH<|*Rl$>0TmN9zbb53Lb;v4)u{u{|If&>hg%>mOv`%E`M|g$FsXJhv3^Il$;82R`E+r= z^fH0nct>JCzD1KAICh2FC5mz!hIFX)PYyp58mxrt$0`?0mraKwsi^qXZ2X=qO8o-@ zr6=B^v?++8R_f(K42kYQF^58)SM|-EQ$3WzL{_|O*DNvm>Z!Q}`$*UH zq}iMlj@;Im1;;ECVAT<|ABZBD<#mX+o%b46flHQn%WVv6AbYRoPE3#=LJv{Q=sde< zT5I^*=|md2Vw7%$ez8L?$mcPrnN5MSxmeF(U5@xFnA+dq|NZ*#ze=v>E;N(HT;s-O zC%<>K_)5AKR-hWb%qjU>1p$(D0G6;`&Ex_7!r5N4yfS_CyztK;=c!zjanH7yzIg4bt;pCk~_6#}S^ ztPM|}__blcz?!B@UJ+Lj_P-m=N*E~D2|J|Ou?b@R#2ZM!nz~)I)=zHuX_2Tk1gaxB zq!KgN^m+N29bWSrJkYeP2=#LQ*Ge_R3aCY0&hmQe_+>x2)l}AB1e%uF!&OFpvFn5t z5bU?=_09Ze)Z;&x3)BCAW+MRjzXmka?z%v0Nvn@9e@?!E7E(Yec^aFDi{TGlqrM3= zM1qOKkP%bnHTgOc?mgZ8pELwM`$!WKkovmd-c5Y|BD7Ou^Z851Iu%Mm1_ z`BQ8K)K-}QAr|VBdRh9cKp#)+KCpY_2B%g)PlfOVO{K*bjI3C_y;gN?S-EAIhL!$j z{#hlkuF|+@IPfx5RM2uOK6XJTHI~71`VEpzqx_{la)Vo&Ab?*5_=WFYk%4g9Ba@wO z95!MdCnG3?YzaMZ==XUm_8 z=+L+O#*$TryVOlQ{e>rUTGv3ixDU{I%0tRy$G5S8#A`eXEmR_n+bM6#>65z7i9C=` zCP91QH__kylNwB*OV&y5f9zSE8Bm`Jv?^OHt658Q!=u!$O_$F5@BVW-7Q)n4N-C!^ zj;%hp24aD_q_2Q9mL=+E7v_++%Igr!K0|2JTkfF_%Uf!H!+ppK!&p!fJV9<%&3I64 zE&~bV21pP2LaptMSWv!VB;i&ZTe{q?JpbfdS0}&|qk}{rLJ8<+D|&pn?Xrei`6<+H zQ{$sp*FQh5q6b=#alfd&#=3#ze*)@Nix{kX!Id}LJpbOz3Q|p9LvhG~E^6MbH_2V| z5}@QA=qvSC$@`DQ``g05QqPcDB41ZwZ;&mklU+8o9IJG1Vs+sc4J^D?DA&Ce4)-l- zt?6UB`wGw-?78*GDjlVP?oxem8_DHGYIDq+C7M~?Ik4e`quXu1cjW@k|FU6InuyGK z%A4;W{yDEi>ZaS32i*F$>2tvUJ6y79H=tGiHHaQVV-+d+2-CJxh?=g!_D63JU8jUD zCTrhXb+$QlAgm)41H>Q~jb>fZR=qXdXh78VW~%C|-K9R50V{kRM7QPp;ozD-0B;^( zg5=r>y$(YNr~@B`sOM#8PmeHbpLGALf7m`6A!MT9XA=q2Y(o&A+vg)|CT|!)U7}T1 zz_-p*0M6r4n;4YhhF|-ZcOGpT0S~`_bYp*Vm=Z(0!WpgjL^IQP#o{#Sg{CXzFZ@rf z8bt>n^d}Px^~ffHuM6Akv&%%+o+?A)fe=o7*lN2upk57+vhx>?Mv0bBy-uA!k$88l 
zT&)toAK?G#t;46+m%i0stxiJa$a1^!x|{(S;myDGDbkuJ40ZAT9Q1leR=oDe566I4l*=(1C>%(PZb1TKNs?G+j zETYKMD9OBv`34Oy%D@h#QYdiGtV{Rk29x}ehB2B0Z;)m^#JT%Q6&V)Xq%l<~_>u$M zyG_z%mCS2EKzX2)w%_m7g!KSaOkTt6K-kQ-*875YJy#KK?T>$i1nGn-KqpC5HlsTX z%=?Cq{5YF$=!MzE>4+J}!6_t_GohO7_EVdAZr>TeRe;tkh=fJBe}p{-OT0e3{#0B? zX!jN`FXoi=U$5~6?l)$~b*&2V=5MK*W;ZOavzzXJ-ec~5eEr`-3ct?Wh+))sjXbXZ z>rJ>E63U*xyg1l6vQE~>k3`*M@X{h0wj{IeG%fL8nobph!7$JtGwS|p-DFIzZw=KH zb80*BYrT;M2I+(qD}6m=*0lkCnmVF6Rd3XcPtsBSB}nqV<$6u<>y`8%e0n2LZztsf z+;cffCd{G&i9_6|UJ$NNRZlZ|{Zbhq6-mH?NILpvWNl-_wG24W#60&Q-RG)t7FDA= z$0<7pu6!F)jDwU_MqY{tMPcLYZOy+pP^PVE{-YSL}QvIBv1 zVeq89^!D`u>dz_n+5?>5Z!eMy+jK!2lH=P`5LSR?4P2+zgw8fy$a=5)-(-H^qwi$@ zA7%bWnT_Q9f0X$jWdLRHe+z+k7zg^#R^mjj_XEm2l<;#lrSiZM1JJ#A)=0R90BBMK z$oo5Vt@)#>gI&6Fux$r-psN-dXy{ors3^CYdiv|(QW6agxFp;1h$6lvQglN#nhUF{ zW=k54(F_`r0$ZITH;l`nR+<`ti&x=B1ikhw&CJzC*PCl6V4MIHp}$d8asE-`8waGb zE?*u6MIi+7 zl-~^D+=t3wIxJ{50L3a;@N#`4vC4>+xO?1ak#jZ7u!#}9$yd@R0rMa-`>fvmf0@(f zyx__P4AcA)ZTO!G{F=2_J=zIa>DGHPW!JMo*8Fs{*+L5GfnnGb>ei>+W{>`T8za=K z2HSWYu61l=GymKq<5hrR3ddxg{Oo(zrL?OxU=4B^-Ob$l_bIOX(;toQzte3%7#Jo| zrMcke=Kl9b|0W9%UaGD8{-Cbce>{P|jRKg=%+kw)ZAqjlyEv(SU#kTmN7flkUPwwx z&5roF=D-7Y=-it%XGrx5%24)8>+?Beh`rSNy&w!fkrg)^L?K9RPslSZFNOlw(MwT* z>qud=H~ zu_V}1w?kYI2^mybFn4+j)kUkfSOmN^v8?; z?@(Gk>ol*vhPK}~SoMT!J|dkOUO8$2W7b-qMnAr7V18G2-_XKDR-Re^9ia`ba)~z@ zun5&e1uirq-jbH3m%Y)nr$hj+vEO>{&k=8`0nT^)GzBK#@g{~D;baUy++5x+2Q7KHs1OnPVm9OJWA+FWyszNo5GTq-gyi z)WfTlF;%6qdPT@a;_&A((pklae6P#YZT_Nxee~7^_FNm-NUMO=q&AR%j(+I*RpzSx zsOm1sLID8+wfkNFZPHPd6B9KSP(D-UP$0{8P^7gJIADS#@Am~vT=vP4xXyn)(5iA` z^~IH=Dq|@>6?EY8wOA8$7+9tSwlC62ak-kYU%McXi-^yo;6-|zHqt2Hcns1bmhT-I zDRvM>nog!&m+_=is^q|!53a9v!ziR#7iy(Z+#m2+7(vpHp89|*dS?aIQ=lFs#(i~7 z7=xDI#Sv!Vl&167tTtyKlOqtMc@QY7j)N<3u37{3o8kHs1{A6E*kD_JCHAv%9QB^s zej*a^3PuwHX1XdC5_S*@I)C%0!Shj#Un3*H?YJ)*%lompJ-Yk4 z*7t#{RCaO(V(j%&g0@*Y;WqFbexP5~2zx0&C()oI(GS<>?k1J0=7)(4$rt_x|LYTA zQ}L}k0w{L3qU7tV9RA-82h3)$&Ev*n`b}TSF6d7o}0K{l< z*Nm>jtj=ds5 
zNm-6;lT}(CxXbqZs*U4MosYZ9{0TX5;s>}o!$J?7)U)x!Rc`bZ3)ec9(LrQ1BE_7V z->^{(`o}f966k+i~stN-Wo-##%p zzu{NF$QFEa$=sxy3nf8>k~nG`JN|MMg^Y9I@*RLQ&Jvqu9l?_&;7RKqa|+hnW&S-( ziTF;bHxS>Jlz7~x=Kvj`I$d1I^I{bDD9M#R6sfO~MN{6bc7G&pjsrAw2qisU;+HV@ z={#e?V%MT6)y|30vWRK!{b1;9v*980zq?0GMm!8#;Mg3O1mRnRCLfr`AO38nqmNXa zlJM>6SJ|Km9>pccp~5Ffg-V1%`+g(qXNYu#rWiPJBnpvX#3>M;R0XFH;4X@km1fi> zanLMPml9jJNiE?{X2eKkHnnur=a+3Q$4T=~?Gg`2nXVwm8H{eq{Vu$P(qT^OaBE8q zNN}jj4)+$gIbr*VAgWznSML`!`BC%;k}Nz5n*uq;l$oSS%kWPyZ1;yMuGDKfCxY?g zjZ=ZmF#O2};CS3xLH`@807*3f`0JmoTTLGP2Q;XPU4zR$y_c?bgz(z+7(*{?86jpi zeorPtl}qhNs3QyhWr<^GG$Q?xG@Pl8>$Ty>!L~TPR_?+r{sNpsd5NP2!35~Dh1u6) zyFZ>QH)WSwT2dzoD^3gA1td+@ccXiRu~y63aUGN1j#(-TYJNz&31He#XUzB?@zWbk zyUK_f2g!Oqv{7ahB$=(Vn5ob}k-?V>wAd1L4`SfvW&sY*7qgx8`k2>$+*-oiJl~pG z9r+C2{I*;y@C$>~bQn4YwwM}MJkq$0QQq}Kv6aasKegky-uxWYXPR7vsLHu9O~sYr z`aGe?188<*F~XhJf(kQkc$FR{yIftQXu8{LH|GzmB%X`#f~2=d#E~r z_byV1h7`jc!^UpgVojVx9$g>{iaMITkY31L{4g7cmMckNDG`3qM819+q?V#q`~{Dl zOegDoQqyNeK)2D(8^w5Jftd+=U(G}HC6GB}qle9HCgt-_A37i<0yEA74I-a9ZD{bj zLaA%&olf?&+yA~%^y%Ek8a+PwB;Uc{LsB*I6887kXRxYA48sOxCu`*yjOhO`Kl*{@ zQP^3#>QTop#^4blOm6GjM=DvK@=TJ@(w*rwV5m8StOE?+XjMdtAnWRN8kJJhaPorSuPOHeiSlaMvs+=FX zPiaIE8%H5KxaKqlq%KtOxSpYPe|HVm7_|GTYxACfw;jx}riFR)>@>p*{8CBaNn?~O z6nZ*I2AaVqr7&_)8?-pFsB!#S>ht#kD-+4Kb^ z>4<=#MI}6$_a9RJjS(U5sJ0*nvM2EtAMSOhI~y1iYR-v}dT3Xz={$VkJl|=DleuE* z8Wp9nrCf*#KGzjG_jl*ui8fy{5a}`S>Dqlwxm_!7Z)bTg7$_RgBeoaDoozK(nB?? 
zU!I*Lqr&2+QI8}-Z}_XrSrkj#?$W9ML)w>zC7pKtKTk8wOpk4olV)x?m1b_K-V3R%9rnb-{+kBoXPf*{pG?f9FGex zj0`Izx$j3&;g4)^sLDEPhNTFEZKBQ<#No_r2*;0ZCgS-aiq{G5J?Hr`5lLNZp!);w z5~<5L8A?TvZj-XPl9IyoiwyxeK*I&o^1B;9ib{|7RF1*p#!p8HBaekXWPT}D8*yXd z8gUSCwWxjMa3|>fnxSVySbJ#3yJmDmoL;4cx$+)j&Q6w>ZxAVcWr2w{9l(N(HiP|{ zwzQl`f%-OL6RX9EmF?s`ISSZZm$c#}u-0?zx8E+RmPMA`yo2XE7)pf(7>M(Tc!8d!N*tR=qp+@z^6~V4X z*&$zK#v`#37#FMvs#1Q109Tm zuyQACsG&k}NJ%q`@j5NF2N zW0~(0DFq1qdYD<%U*L;=6AT0&tp{zu2pKyJH~+yCj@bYhV+rFx*&w^+N=6CGda>sq zZ0276=`=UVP2rYHmF4{MQkApsvV1?_?Ts-atJu_S9KJHS53IV@lQJQlATKNi_-Bzoe8 z@gr;>gLV43?a2F&_SRu4xAK97us&PpJ3WfC?a3 zq0XQiz<7}vo8&i=tfBku&=xM5>B(jRB;JH&a*G`V1EV_8endX!k)}&F0Jqro4j38( z^9nUG>xv|yM~Z0cyOa**AN{M#U@Zw_%TUYauIWS^-J7aCc(0|qjr)fi<6qbJ+qsXW z8Pc%`cv`DRxnXKiXd(>mK;Lb^^;E1&7zlAM0()#;y_x>w+1QVmMCyxwOe0&kPrdDD zXYt9DY0aM{9m^iG?Us;^wCb$?fj9+wrmmm!-?jE?FhrAc<&7(5+qLB7n@6+|#hHAl zjw56{v7_n0d^^8Pc$z$eW=@2?3!2IZb16gh(U`<~8KWo8&EVD!c)C4(-J8musy3)r zL$%vvsT0`&=f_ObJFF}$C0d-w=J~z*SNfTPCHjhSkj94rjjt*;%`-zPBFM`{picU_ zFm_66)tBXgYWmTUca=xj(NN)|pz+rorbn}BXty$zF3%^rtRJo&f_1l6S(o{vxnqhU zNc9Aq>m5SB4vp1bVF^tggi3U^{wqV#aUsv%kV;AdogBN$ve~Ekb^vquy5Qb%4#0dl z!&T#ND~}QSCCVOw>Ecj(YnZ$z;_EPrLD=Ntlif+~Nt_4F3i$cC#^v^6xSN-4c(mS& zgdLuoWk~ME=!W$Q``f{3OL%spMaIlNFn)IIgdTO-L0S@mNGkKXpy6X>VihJrrhxgoXZ1kAzZXLCFtkl#LZ!yjE1?Hq(kEe__cho~l0IuA5Y(wWJ1tq| zhm&EKJPV>Z$Q~<2Sifm7YOcB}YUrTatMD04;f8^%st;7IUX*Wbz}Yi3yd#NxI7(mt z&Sr5Gb3k!cAH95NLTo`OT!9&xNeX`4o_&27pTl0C(8;6Y4zHFT-fml-t$jEPOm%C}@Lsqgh6G{Wj7< z=JF(@v7_nF&Tt)^qI_u)CDMn>tfBUZJp{0k_oNf8c@F~rL7@s|9Zzq{Syak?3n}B^ z%*H$vn6$@sqn(z420D7rzVw(7yR4m6=oFnTJyo!@&xjK~VC2%@?H| z3Y2BgKKsI|o@=2D;?}f}{?=9TOfYMtc$k!*A_Lu(#Mi+W_818cPunYF*Vo;( zX9Eioh!P-J!}3=78^!Zce_C6oMLD5wEK=pQ3CHqdq&ItF2c(cV6fo$kGWhq*y4~3u zpxyMB#`Kp05f0rRmo0Vcz|^~M5-j%GU2v{7FZ;{z@x{leIDo6><*crnprrD9X;y4o z&z)i4A~-kDvh2JVS8H`2?4!Py5r&y!T=Sk>FT;7-wx@Zzn+h+nes4~Hd*dPXdgFM* z=A)hN!C{KPM93JCtbQpi&GLp*r+4EB+ymTa4= z33VDL`Mt+aP*Ga5SXZGn$VLGxiE+s?U;W<}1E}+E4ybvKrgwu=xB)+))Rqlaw$LZy 
zN`HHk@auO#j0^x9X=xcqx10=UctXooKnZ!Xt6DjB9Don)dg1yYzD5_SOmv3`qzR$^ zxaHaw?ao|8)P-)8^{onRpQ8iwI^C2OK)%hR^#_zB>JByl?&GrW_C@n+F2 z>xUfa83z0xqAqKln#}zd1gWo`f&5yTUGHHi&21PiAIM+p8hGNA~M$)6>;~^f0HI z)*#v#{kVxplBkygYhcbpOuB(QZS**VGwRFiZR7=0xm}S;(LIRdwZ8T zlNPo5{#r~;TFw%QEj1Jss3^(s&8#uB`^swq(nG6P_t#}^#-$Z_^4xhy7fMf<9}}(< zgTwd463N3$X?V0Uxz2{&q8bgdo8d&WlG@iFg_O~c6{5y5g{;QjDO%`eIVgPxi|M6Z z?j?P#2$Rt-uItoBc5*A+wZQtq64nVLUsRa8BmaBgX5QISlfAYKBITH@;3ZaiGu?^h zbIY>a2?Fk>3?Z7kNkj2*fQ+naID(J!>BP9!f=!UYJ<*_sFRO|Fy7vDK#QJz^;5=0T z=3sls*h4FWp;LzWR`((OJqiC-uq`(Ktx_4r4EIaZ4=ok&{*QJp?io-u>(rO zrEqlt#F@r&o2`Z-R;KaE;sBvfT9M71t>XpCFrtZSh@)f55*Zma4X)Hs|9etgGvv4< zfbOe(n99!lyudRh^s1u9EhL?mn4t3%xFtenf zeyU#7+h`n5U0^jru;N}#MJR+N)?2BtK&Tl*^_(wIyQKE~1@8cf7f9?v9oVtc6&9wv7L`t2d1?07nhb67nfpn zQ_2{|@Lkn#eN7i!1bBb#dzg+GO*4k_wsu=XKI727ynJsf)>((?fUc>+%gTlia+m~p z0&?u?2%<*M4Sk%x+_>Cmx-yRRIvmZjNBP^+tjfYCr_Vfaq!gE?fZR_MKFqyyNe`m* zZq3jRQ+NjmPr1=?d|C5i9ROB~an@2?ji4vhID16xHX*D#bn< z1rw>@+c8lYJBf)|YyGlC4t**RZAw?gON(v5Se+FiJiSXa2Er zu&6cC)3*umrtpWWRz$DWE0>+rzhhJ2U7ugaUlGy`Crpp`{z8s4$V*1QI|npW1MeBp z(3e7FD0~``eR&MD|Aeu9(9ic0BWin#!>4E%*mFci5MeMB`;935($$odfp1wl$Rp$) zMC6+bud4YcUfdxHkx`!Azx0KioY77XF+>jnh>~jYIqm5$GI8o~(bt=}T@2vndMH0| z#)nZ2r+)oNHY^Fmk5zH=he5r#m{*1<`lTQjN=r@x2le&JP`uehdC}HZBK*8eijaYi zf>C`MUoQ@RnTP4YJ-&YMMfU)56^fS)oUjq)%S95@wVkh=1cPBs`Jp{U7C#naXLQD8 z*b9Q$JX~jHcP>yX5JG~B120E*Ry%@<1&{hOqZH?sJu{TG@%(pIekA~{8i|p1; zKhKBPkGn~^P(@!2EjwIL9*m}3Om4BD-6CXU%5vD6g{_?Z+@{FG!SQv$0w;8dQK9XE^rw%MOgXT_*&BRhM*>o9;=b_O; zU=miKXipT)%CK|aEb*Y!LyLycWo#^OCL8)u%_U`?6$ShoZ!84nQf_(cw5=?!yvQm; z2^(1n=XjTm=ljHVDGo2rySXR}dvGP0-m~Rw-Ixi+1NMz%8|m?wzIp2=JlP(jVZr&d zpT-W5%6{I+<~CGSqc(1dF0GS07kd@+i}V@9+x?owx=0X78dDYQmj1j6QF3}}d||gD zBk#(1xF3~so&vHTk<O2w(~ZK7ts%HrK4ZoPd12!iR%+4Jc>Ud}Cp{5QGJ+Fp}-+P|??Ko#M$X(ez5 zv*<1@mQ#$N<h_U$wJKJQG_?opddMG0u{7~@VA z@FJi+f2TIml(~6eT47x@v^zR#3~eTKy!w#lhQ&E}e9Tie$k--gJ1>x7CR6F-xyBy>h!Q zGbgk2{P4|Q)6F5f1a3TnEzMNz3wrmPV*Y3kx$69)x&;YFcfVW}9IdNx>-1DIp?fSu 
z*u-VYCDT(gjSQrCzofg7Nb>B6&{tfW%)XC*!7fUaX{Rtr1)jm`^7fp_nS2)HH&DFG zB&4LW1GLXZCIacwu1g%E69b7h=f)!l$d<{Km{`tBA;mtt*`q{uy=K?!>WwyYwjrY> zM~OO={V~R`eB_KD1BKPCNOdIn4^I+;NGn@2_qGC!79F5I4N*TTubytWmIwQ^boX|zWlJm0{8=*GBDvh0f- z26TL~HrV#$@2_@jWQzi%?<33Leo=?^OX`p({7~f)5G)ZmvtVnQ8J!Ex^4Qe;L{i=k z?C#>GI-4qYuz54+4I5E9%&Os-TYTKQWn?dRg8mJY>L3AEILKn@nXW!I$ z60DWiZRbam%G=x+j!{~-dz?;EF3dmZ9qZ*OUv0zjSB0Q+rO{89$xCuyNE0!-?;{>+ z$`)OZpk>jKMg(}Ub(r?4Oxb);z&Y%i1+CT|~2j1{v-?%QO9@`boc` z8Fa?op{277%KaTU8$y7loB2!v(y%M-+m5QW9epWs5*?jzV$1=^_6H&Z^Bz|x$){ka z=9nCFScOHVzz`oHL|fBmHTCFiou(5ui+Kp}H$@`Q`UL}i@Z`$P5ak)-9jXv%*ho)~ z2_AFU=yZoE8ug(DK~pn#9m*NLo3-o0GdJc5$0!Yv3a4!J<1B5>GS!`YAo5L$!2#QI z8L^LeLVLOt{>EEdx;1LTL}S8ct#6>>O`HvEG9=G4qIQS(f>WIHB61yYN#O8xiKVHu z^a(0FBdLqEv|lrD7Cq*SCamCtSv7iWU}&}vZQiXj(S>7JzZ4i-m{_R{Hwc?kYlAMu zJXDQQESIWsF=apWE*V2)D>;eMn?(?G;(FvF1iMb#y&|p`8FS~?br`=cZED2^546jZ z>x3AQHeRuVi~`;YUZEk6?p%A7KGZn}G(m1B`!_r*@RMaLja0DVQDo0Cla;!Z%o*vY z$(Ss+11Xw(#H%Gl*U+&PWJ6|9!ATlSzAv2ixp-wJBKiKtNIg#>iAYh_b9kYo6=SG= zdY7U?j1M=BokbqGo$+_+Ij;Ch zS}c#r6a3u9a)9}TwL_B){9s+=7=QYNw(wkH>x;Q&shu!d<*vj1<rg7Hb|YVU5s zfFK%Y$?IwClI-*5R#2>Ij&PM1RGG3CG4ODD0$3|=69iUveQ3mKR*b0FooH_uYyR%?s13W#Qr; z5@?LKCI6++K>Y!6*;~fWbjJQr`f5?IAjXg$A4(4_Jc;kn&Bl97hc#K{;nzsK==*G# zQ8LsPZ0d2V(wV!I6+eEVfPJ#Pyjc8yt*3q z*_j@!whawg(?iK$WVRecQ@O8Cj6nPvT7=++Q@j(%=2EHB^g+MvN);kAw!i(_*O%f- z18TrMqxCVNzyeHfY@D=;J{XB{fV zykHcEhgJcXOPXU;x!g-q10~_BBq7jRt6o*1`8`UPQz? 
z$BLc}*|t_bK_l5Ivc^kdUi8fh(L94{hmMp>(SC!XxLXre61Mn-cSPB;0b#i zRdhq4-N?8d`Vxn1mLQ%t8qLgzZ4eRR!g(A{I)URWC2f3SFJBJHc8<$SDyUbm+E!7; zIGaqYKR`bmz!7&@@-}_;NFAcTq>nPs{upRhnGIaXWuHuEA3~9&+oU>V;gwNl z{{iDiar7>@lzh$JVBc&RBfgC%-UeT)52`(vv51*SF7h?T)&eoJ;ra zdYQ85<_d|+GOf5PBHENh2D$N?6@}w9`q%TCpY;h8TQos{aQSASz_AJaBOnbdbS|0e`>a|evd7k5!Dc=0G{m0-=yaI_FTw5 zN@pT_RO2AZPndTs;I-0H-b>=EJ4l~Y>pT^yceSBtnKWvq#DSWO1tW0E`eLdVk$QWh zH4HqIzsg;owe{Kv7tse)#SNs_kM-k0lT{1og#!&*yXJ36E3)8WR8@*6id{+-LAZk) z==fsc4@TPIU~#c!20LLS!Zap#x;?TdAgISu#>$B93vQ~%nX* zS`lQDmDEy(9!yf(eLEv}~FoXx5)ig;X5l3B~Mx|c*AbSZo%@pNwN zd|y&fyLaLESGn|tnVNM^g%f!xI>?^hk!X+ntY>vIXP&T3gZoTLOAuG@UmYmW3%B(@ z+&TW$@pNuBIEjm3oL*iE6!)!pJ)kt1r z`?@ohdfPfG$KtRs#j$FHSEM(ijEHujWl7YKyl)8^!ePzQnYMorU)i-RHaS-{H0p$i z9e7u(&(3ZU19)oaXMJ_%M9boH76Yypk@-vSiCG4H;zdrb|1PZ;#VtYEwn=zM-fUeN zaka&a*64}XI)$UZVm9_@-j&Aa$2zOq0E-jOLnYywBC<^EXj4VMKhLwtdZkX8lI{jD1d>`sUIib>`!f9{JMumQv&GH60 z-?IP-+eAfr1!be-=dHUBqQh+P*hnHkgV1LZA%wWyGWHsK&^LIN-pI}u)MSOpz?vQ* zm+{e40e&t@D2oLs!zC#1dE@P+GkXfcw-1safEEje0MTi&ys14sdX=>_nvMyX*(cOX zAG)-@dAesWH#B?5nmSvm3hm>zgV%ceqvY<@=rk73u#~-ao<41l{M;BmzY`UyEm{85 z5&O5OVbn_n&MQ02!{+6*_n~beMn55gr)1lz$|g@!32B4r11rsIVd8n!SREiXfb$BV z{t(;MXNmp5u?;rFyN`r>AIrPLyE0qn$;N{_dy&-hmo!pXkwx7QmKEN=BieG>w4Z$g zkzLgNe*8#`kz-t5$Yd3lPpjXzh@4a%lPEXauJ!Ei+`3%vArzCq5vW;ER;N6+dWF1Inq3Pg6TnEGMCynYXgA|3K zDEhpQjK4S>(aU9MovK$M)(}a2Bu%a1To+ep`939`6%b80JB3gvfEe`G0n8+Ew-Mr; zxu+}Ktg~e2sJOBf@&Fof3@j^%bJb#k=iH989*SpXbyAGs8n#AP#%Bao_{qY)Ol9-} z@{F+$GaV$p!|6MyHnnrFclIO;lD|^^5D0TW|#DNpx8$T80#03QY-rl=J zreUQMOQS9F0eL{*0FxfmP@a+{>&ywSWZxHaaBKDPPINc4SXsKds$t~xqrY7E4!7?WcWb@X?!@8gs#OEgA{0kL4>|d3uw*{zrODskd2iiqVZ(%{S zmbaIKI@mWtb*(u?X%AX*AcY#&`gsjCtwYq)|{LUH>Ah>>T1|0 zb|QaoAgIb}KYtO|RWjq~Sv;}WkTE{(*&^@xt&B^r7uc`5Pis!wTMk`pyTbS(x5#b z^RR5FCgbj4I4)V~fo%^=p$r&Lu6v=m||?XC(zv6ZdH%i1hb9?HPy zbyvV6ERcI{V=jB@d1GHoLe(Z3KgSO$2pJLZRWkvGy4Q_C?+CjhDR|&)+zA3#DKiy%m zQZ^E(Z7Nj|WsUnRq;KZkP=u>p{78)w8RKb%yt1qsxrsx61ZfTSX^QEOz)9AXIL2B8 
z{-gZTs8D+7GN}($I(yGiVcJDvZ~8I~;i6pd-30^IvfV&dt>khywQ5E+Y4y)tf@{&L z8st!%^!u2eAKWP(%XJ2MPS`Gv%_U0Q!xs@;(sI*l2<+R$!cfDC0h7KS4F>xG4lQvX zLuKR*v^N@ZN5?f^zWm+m&Vbl0k#_~|@jNWI;r6Js#4hGVcP^OO1F9B;`wfadh1ydM|fC zORa0Fb)z*gyJW@HBtcenK^u=z{lK#HeUk-Js+p4$EXTG>H~rOE0*8*Bbj+j7P7 zVEVqzN2nZjF*~3#F+_QPQh&-G_3~no#G%rDQ{Fag&{J^Sx>B2Xn2-@x9|9f-Y*>Cc zI?X!JDt$PuO6*rawpVlNbeU&31O3gHbdb7Zvu$vFH?mPbpmM(gP5DV;Me^M)ZZ8)4 z>sOT)#E&e-IE#>wcA9kUezONvR#~cUOCjc7AMz?k!THFJE&C=dz50@VLxpOb-pq-g1AlsB>78 z1v~pSRRJjOo5Oifhzr}A9XAFh^j?X<4=Ko01vzN!TU4bJ+B*(+#Dh(DU2y-AUks=& zPJ79ojvY2p)VQ+O?<-fw9Zj@)P6I%iHS_1LDq7P7NYU zR4l%dvrDWhccnZ*Q5h*euE{z7K zi}x`UPZ|%hI_`Z%kO0y<=+|?>Q7-59LzFZY1Vg5TIsn3itbvbJiHW6MGQ9!GevV2_ zR;r=YvhrR14LiDR6*OVIobNpzI)Jn2OrZg}6hP3CdpshL%49RDF`u2|>TfP%^=LQQ zXfAA$F}7Bsinp5ahm=D=bO%Oi%VJ=%X3@O3=^*uIW7zEC!a1aI=|-!3esR;mCMBLhJ8(6n%!EscOa>F6(M5A*(QQuNj0}is zgb|A?D3~>8Sh{suXO%AfTwc`dP0bJtCHz1@vmhzoLk8;z`Dmwawt55OSm-ZmOTzw=rGBn^Lc;cw)F%#`PWtv1v{I?Mzu? zT97n#tcb6ZN6CrCU!_KGl32tTQ!U@X*r*DpC4G8L&(W}R9ToCL&h4X%k&LBtlWStq za(YI4#rEj^XkvZqa2u6B$Q$UvLzp|4OiJcT3MN4u6Bwa@D8@Rk@WNvQt`c-OI}#Hi zWrB2PjEpfGNaM}LPF3g%i3hXxdeiJwzV}`r!@iQK-CDJijTw8K{mvXUFARpwwqhahcE~N&W)JUKE7d6y_U>a1E_V!+uZ8-CZ&)T!2$3;0HRq9?ZYc1v_^SH zTFI*!K`##)HC(~G!x(F^TB=1W_}`KE!Cjkbxn+NqkN+xI@1v9B6@;rfg#DWeu>+Fb zV`lvA=sDfIkdu_ixOJLLhc$T4;e=~*VYp#V)6dX#())^KtMkRj875bzj^vq297Y)t;2OG6~Ua7J?GUYPq2&mtMty3(u!!yfVsSl z;TNPdhTf)C2c!Qh`<13POVaR26?WP)a00*$rMNw^*~hEQWX`f}7YMHJEu%E1Gr8q> zn;uf*uEUtpAYLP1`lQGNl}#$}DqZ2V?@=5Liu$Q{&F0n+F!J~<%qdS-y(w(_rrco#(vjxp4HKOdhGCQrNu8dMWP`KxPi-GL2?#n`K573Y4W1zCMTSV|kwlh#YocRiCy(mp zV(-1ML~LiB5E%XOXwRgsM+QTF;K_&`1KdYEE(@J;(M*(4a3%OUE62ihTtimP14Nr} zL%CyR{Ny+98Vq6?>(2v6{kVW|V&O;|BB;}PqtT0ui%&F$dm-_d;cQ*uBzVz>)eN%b zRs}mRE-3*s`?B4zVwX~N@3I>q^qYxj&z*p(6z{4?v>hY>jf*f=45>cJj?7&^wXjHu zX2X|AXuQp66~c(1Dnywf3rTk2^DQ*+iU{J2FK4}2)ncxQ#2Eb-AxsXdy^5X9ZQ({L z-1kY?t&z|LR|HFf=u1lOWY~9jjZfdT%8pDbq!cxu;f8Ro)Cud{(f>;$$jlxUR1(ud z53T6_C7-=TRsPYo$0%?1#IyVi;#Y^VDZiI%9$iz_k>?qeB<+Wc-}_FtwLjFT^JB+! 
zYkn2I|8k{dr!hpMG-D?yA@`L7_O+L?sqJvK-kjl$2!@cddR%bD;5@UtHIgrlxZmG) zpo(uv@gl$c-NMElfV%SBLb^}rO^+w%$NLqQPYi?nE{t0M`3 z=Pfu`_g`i#r_Nbh;z9j$PC?)J&750zcVM;OrQB_%lf1}R8WT0d6?!~MkHw6G&|^=* z$UMrgVMtZ&*pZvkbHed#O_ZyxU^-cg(Y`!fUa*0eP&B@k#Y~TeoWdoR7%_mVre%QZ zx2#)FKu4CCR65e?t{4#Jp=6Fgu(dkIK64Z=m&DE;gQQ`KD(+*+T%!nWpy?9$(|z8I z<@S6N4cLoN%1iFb{@o?bGZEio#KqEr#^3@dFr|jzJKpRzm%r}4(SsZbjqO{-Ehm94 zdn*k@cdx7KCCxX&#s}qxCzfB8r4$hGgY6p@uS(J8GG1QPT*2uUw&ug+GK&h(%zH+o zo+e(VBsMMEO@4wx{w?*?S3}$nw_Owu2J5IC32rINY4e%>`m^qRV|Av)#vVX}mE!Ki>}hMVIk6z*Rfjsln8J`$j(FyuOpdO& z%O8TfL&t5CN}ZTzh$V=^9>?B;C>pwOpcqjQX@d=1s_|N0r*BQ$8=tI44QnMCQB4g4 z=hWIQjg>Z+szptRZYL!m{oqQ-#iHYg_}`FYrkA>n6wI?UdB6LhU&}r-`k|MGw%7U_ zOg7bdDI4{0cf{hIJbt1wS6c1=|$o^K*`^1wE|bymA0baD?Q-O`{x(a_v*J-Qrg_dE7~@yo7~zew0>8ai&=Y45dO4Qz4pN;~q4O zwI9xs3Aj}vB1R8G;@f|d&!~m)N|vPT)fFgE!A?JN%jw_1tUvHtw0gWPZ8d{x;XxNk z2d?4MUa>C^fbK!QC+2mx>qnjksjSFp5HSv-*n_!{XqMDXpz_#8?J=;(Wci_xl~V0b))*0 zjn|rN(O_J+Ejk{LRE2Du7PCluVZ3kIoDZ)*knJxbj*O%cg%8GGh6o)&2b^x1&X4ie z1Lw3M_xMYR_?W}gRr;gb4)l>^I%E$OQ*nKqB8nZu2sHP>@A8Y!Xq;=17Fk9W7)O#3 zkG5vG(IbQUIaq}l0q2IxR<4Sk6z>$mDDzyEVd{!&6|=^Y%9lxQWZ#fIKn0|+aIr3n7*{5(24Q0&fVRka&?&jUSes*l zs)&N4t-k0eW?mTRPI4I^}_-n#%Qa_DoOmldA1*_c;t^ zowzdC*e6QQB}F)M4oxa`YxG(h+^mhH0Rqf9Oi+ziB;(uOa_}u)OY2kyBi6YFX{-uD z)T=pTC*s`UqFAx3(gc6hf9$9E6>=H08y?rtFZY|O+=+S_K8ugJ;Ak$rSx$tzIL=zi zN}fzs)aRWQyW=XXvQfT{!_bRk#;`;64nPSY)|8_|&5!dUWC=v)!yd(`>cG(JOqz0C z)pVvXohF*DWnHQcO;f*Z8crZJ0Ca1eyjOJaviCDxjc)hl2rhTG&fY*j}%H+TZU7io4)WhF~i_gST4>9CU;Bh!|*#_e)%TBw@o zH;q2rRIv{fmOO59u~KLMv%MZi_)en{u(8UsJ$z3X*+Bkd&;2#Z7HoW%)Awi;$9rxq zx7MgEVQSiqQaClLYII6<{Qja12Ajxtz}ji{W0*lC$fsiw@ve! 
zw~d>pE~;3ZYe6Yf>iB>OgwY=~@IO^0I3)E~rC1OWKhc6xF}hY-u^MzuIWUaPzqp%< zw{viX!hBo+B}SJC;|B@rS;F|D>5ikd0V763jx{mcmbbVW52Bqr~b z^FLP?;i>U1MFa;su1VjE6W-sy9c-k=`6re>*UOToxr~vX%*+rmqA+-Hmbu zIL>E>rHKEgMt*u|tN8T&b(%c+{1F0IMUJ(1BJz6C%HAFJ|8AT<9>(^)T^1N|Fa8$O zPBo_{b?=sK(+X_+FJW#w552G5ec<(uEsL5Kp*rWH>ALaTofi)L`2o&vPffe&=9_J0 zlZnE5NB_aT|30_Mz_2 zrJyJ79z6Tx*DrT1ocRax6F~aEcIRosp5mWYkLRwb@tw>=JKAb5di*#0^+oyTVz={S zxfbqM=z~swv66pwkQQu_NF*V8>}|e(&Y6`uVQ_5_PdyrB>HBW5{zpB8zJEio*7|JE zli~GK&m&tW{PY7Q!syo4*(~2f#~@o?08HrF`uIlBK6BNJR{H_Ww2Q z>_w|B&#UsHhmZc(+CE8pRG$BC_4jZwRTa^nzQF(dI@Qg+dYz`xckTc0IeFjg29%aJkpBOkVr_UJ*#V*!-u7<-^{0#f zB+>lGe@=D%$5(hyZ-34o|L}j@lKv^2RFLa>L80x;FCv z?WD>tL{>c!-LhA96rv1rB^7mfW%sK}_?W`o7iJP9j_j%LK zO&MZyq*FC=?pJy1L|jn3>N49ka_GyRH64b0;gHmaCxzh_jmWn0;-CWGH@ zzO8ISMU7SZx2u^`C;s>{|J;kX;-@d4S8b}sOAVTtnr@#Nqo$-3aesdFi7b6$OTOAY z`j6Bbe^Xzm?LDYs0-=UTgsKbJ>(`5c=x2djZpESr@ua8e7L?JMySYD4sabS9);UxU zElU!xp(?sFHz5zDtOYBt?oO!V^em~$fEtqCrhX~*#{T@YmOya`An*CyJmjU53`C^s zrzC&CA!ib*TYc~;Du#v~&xf$!=R+Sk);vpVP+uQ-{Z(+=wfl>|vZyrL9wHzHBwS-uLn zuTD}*S%^oQDr&Kb50fPmW;r3&Zmz#sIu?=0c#;9l8_1|GDYfw#dwqRu4?y>IhBDjc zeNg<5ad!Ptk3eMarh_6+3oK&Gdc`zaPvjgjkYxDXMd&tDb90&J`?=xTPCo9>bzJ3m z76+^@t16j09l)5iutj^LKbOz{kn)V61F4OqLoZt=Kft#5M}9c&7&NOQ!}-W6cH@Bc zz~|bk4#IAjzPK;T;(o`tiE(UBbJ>q4`zk!MjK+(9ggvi`pNM6}4Bses`(UvG+V;J< z|A)(_TR`a!zn8_jJ#v}_6#_g@rx!uUQ<(sMcsOh^iZ^0vx0YP~s-3zex$$A?iMiuPe3N-p{?YWx8 z^=dqed^mZ3wiSQR%L(WB+t`2kuYcV5xGL3ExDXsq{8RtopL#KWH1*Q=gCFVnLcZ7* z+NsJ%nlx0$R|iMO+}Szw1^bc@7WduBw1-;~*|DwWwOjX{ZSig8NoiZ>PJqm&Oa6B4 z&Ai$552o#( z3aoMzW8XIcP^y8^QKMOpVoT*xm1YJ|Lom*2j^{~VY&(0DW0aFbFef%8MLExw%ASO( z3mXUhSjqp3VA*_okw2LEsQuQ*<&T(MTNrO&c(DsOzvnx%nPtJ?M72*X9fZo# z3|lgxa?|OYBfC0!bfMVGSvnLmvH$)~=48sIQhV%`r4kydYF0Y!!Hkr zRLCk=&vUys@b9X?Yu5JHwF1)ReAJE-PRwV+=^4hn?t`Kh(Uk_Fbl^!vX-fk12&igo zMO7%H*Vdu3uoEBof1dp`7;0=;>pUlYL~vEA!m0=H>tW8!6z7$ey0confn^GLcVO5& zsJ3Mv{lJPBt%QY|e&RIJG&?gnP~7W$A>|A+G~(>UDNy#ls-eG&#(}Wf{IO0-WoWH; zE5_6D|FQSo0Wtso<0O=k@TO>pB&0#K7v4gpP}<{?%2ih?*S>P{meJsy28}~1X=`a8 
zQ8Z~?>l#w&uBonZt>5z%E$*&(|33eH{dKO_y`InKtJ~8Uzut zzU)|6(u$3*jHJ8#VKqqV1y9WH$?i*xkvM0&JHiSJ+&z?Uw&frVNjr2{SW{Ttz z?ry1X@4312Fky8c(xnbzZln;-YSI}Pha#p(ftz%7tWLA?FE84(pAXl8dZbZu8(JybYa zC;8-!q2cR8?Yh2wMx6Ud{jbqeQ$B}sYz`d#e7?^7(4?VpWkZqE7yY7%`(yTDJVfSJ z&vXG}rfpW%a9nn!!CkAm58I_c{jPhNd3vf;q!+odRQdtgu`--fqgnuyl5r^}s=`0e z?_W|ho@h>%k?iC{7iWYd2efK=cuLzAWf;fpBV`{FODNm{kJgoxm2J|I#6(x}^B9gh z$+S6Cr;5b7`G3*vjLwm@?bgQaLRQFgGU822Zu%t$V1h`R3faYB#ggU|fFB)j%TeH< zOfTQrQS0U!;hc!%?=!=1t_>EqH5s`b?;R@boH`u5nWCn{>LFKKD}>;Xb#+Nlguz8y z;;Rawxw`C)3RmKpf`(S+Z;}|REpts}ui1~_PToQmL&RI zn?pF$$d6Klf6wZ0jCaTy=tr_EN|GFGVjS8XH9z#n=&(s~q*`kE-uO~?J`NAlJxWF?jv==^dm6_z{-k$WuOhxK z9-p0RXI4-AFEEM3K`kW=iaC?TJXFN$k@kdGyyuww%(D0*X=_d%IC$n*t{Dd${8L* z8QT{W52WQzbU&V;&ro0$FmmilELc^58$0>N0(pub5uSS}J~`mv10i^RsF3y>i|_~5 z4~F6K#r&@ulec6JUZ^{bXO$lB%M%^+Ywe8ZR6S<4O*Okz+<@?``-Xhdz$HDKtfA8M zWM6Ur(G*F~J-Y+sj5z28h<-%kW1HfEQ?jz4LA|ZhS=Z4b1G{d^f7^69x}x)Lwz)_S zH~4gh6-yhzaR<=Zc0J+QIURL^NbS}^-^4HX{}pdXI%BGa%?NEdBhc(u3fW8q}B4(dY;(D+UWJXd#SEf@on@yN<_zu!nOd`Nl1DY&~Vi>w=0mR%lqVr)QwbSU-ZR!7YF z)e}Y4>0UCEL#0l=&yWkujMH2f?o2vWIdW3BXE(~Mh z<8i3cAcXK2SzbdfLukTcm_qk(`E%(UQ$u3X1(svUn%Aw7@D+wY5kpqEG8!1`*FHpQ zzKRjKyutv9iO!D8vw-uqym4Ymmodx?E~+^cI^@zFKo;L|mwt~TUMc`)PIz#B7-Pg( z>~|L4SdgCVHyr-OfiwJV81jYvQ>7{3aWirO9V--s-8<}LQji?X2RNSe?Vafbz>-3$ zUuF~qtd&@i!GLsJOG5)@n=P;t$b%S1oVkA5Ly2g=YO#sr{7&BCV|W#3SZ9E<4a+bA}_o@CYKLQt?B-6FY(-)smM)yr zJU&~!G0q{bAjp@8IrZu1?M#&jP{A=&E;6WrvFh;4K*=*=s$Rd!m`Z*avPrQ|Ak)MD z$cr()_@w;sSY6+fiSGmJnswMfkI=W0K6aeqP2N_TY{psP*@j4)IM2j*{dRqY@j5;E zqI9VO>lz251S+1m%#M5-mK^`qK~q*-eYJ0u-<*)1Li#pZqWmiSl60L!n{K*CA-io>yk&X>%F>N9S$+x(B*<_%U7dTwftVg~ zEH1j>zMQFE9l2W!m$X&OCnx23{pl%$tg+H)u|J1-(Lq{r$af=fOn64CQ`G9et9TJ| zkMVl(^p7^F9Y9Bm3~JrfyMD*f;Mg<9i&cg(<@)In^jY6zmM0lLsXi}S#(2fwy7F~u zhO%Qw>dBQu3fV*HM=l>XM@*#Ts00cPL?1^3(aeO2wL@Juf#=p#+I~os5R%yM^3Xb^ zRY|8!lkJOzy{<(^6-!)fL4f&9tpHN#=+NYc#PfAR`i#mQ5JzI+Ii(X9kFm||NNoH! 
z_onlqVe(ZJ7%L&xb9fw83O5481j|K zaFvip#y|sGN_T>DcwAFXT!)`6sVtm4`QC-l2Y2?V9(Hv#Nf{!sdem0hr5Ds$SGC5K zrI>%p@iFx*GEKHDpxUVpAaE=ID1N(X_Kd8cpmbZf%W-(Va92fs}Z-e&Qk2Kk4JpXPYf zEi=N~;nlqhavlH!Cn<}4FtOGdk)GIo0`UlW+5PqzQezrYGTok7rrmo&nzwG5Lr>

q^Lv`;O*sYFFTjX0ocvJY3xpB_gCgyya;M{YSGx2`+z-teQjQ&=gLU zQuxSkq%1}R*_-;DZg>-YT&vmGWn$dWn`<_tiZa zul$9y7{iP$kR!27un6T&w-oUQ13a&SQsT!hAGZ#l)DAT#=Gax&X;h~_NR4&s=}xyP z5ep@b{uS?)tV36nZl}2{8IdGnR#s(Hn0~HRK@zEx7eg3;TWN-{@2FCD6{zfv+4|-{ zcbj;4d|7MTqQjuuzI*y=a_m#L2cZLOlNp~>GRY>IY7rw zb_S0B071ox@fbeY-t)YvVXlq*23<5p5nv-$4q0TZT>sskJhSEiKR@E-$^eRyFW4(N zMw2!Rj$nmbQLY9a3I}h1dzy;=vTT~+rpfb^6E|-pa$Tp^_$p`UqwiSgBysE2=lOBoJ93GXzfPr>g@IV zaJDh^(KzcGR!(@;0~+AF(AmjwV8Z<&vWL0Tf$Y@Y_V#gJkX0$7ug+cbt`--xVL`gVFXX#!{!U*vLm&L z2{|GtSyH8{d$W4I1|q>yZ#ZYbT-TvIG9)Gdx{=TiimZH)SN6_S2yn0xZcs@?BEVd$nOnMZ9lrDG0t4l`&>y+## z5zBhbNEPh~=RM#>tO}10BdTRp4>g|WC2nv1CW9h`@oA~*9|Rmiv!q97(3W9)OB6Ei4B3FWe!^?V@o5025hGtqMk>=e~jcRDJt)L z^mPfUY{4&%-)B6>Q}bY%={`tHzr(DBZ-0)}*Q}sBb%ymsFf(kl1!u5 z*9N$n2eC(w6^%LZ*J0wt4FV3uv76UN5v$^bJ;vF=n1IMkoW65xQR(yW2c!POKlK+{ z;0MkZ1Thm=Res2MhLu=ZCny**U{gg=HxN?eS{|K|jE)?d0IigBvcfJM(_xgZ;&BVm znnIa4qb71C}~sIFW>qixk@0y*khe1wo5iE?|=ENaQMW(XP)8WqD+HL1Sqwg73+Dr`S5! zC28-vCkWnNVh*9tI4Wo?-qI@8yu38ZPNAMu8XF$}EjYajGr`{Uwc}-vs4d5qy|J-{ z%1=8b3+k^~c}K?B<;GPBAgatik=tApWR8>S+)#spZmF^>2%}Ts{u(sQiq=icG8_TV z?50^m9>f}&`ceca4n2{>V9j1Xrw(f)N7)Xv<(d0z)=0oT?Qyp z)f08=LX@855T1{3mE;$>>`-{pjTD_UU2Vz9qTKN!8}n|as3P7Rr*mV;B0*YrtK(fn z1_mtEu80n+>k&qA1=Ks4F)*|G0CmEFJ>?kWSPf#<)YWZxTP5&QQ~vK)h`oY7_d3ev z1joO81)Ith9HRM=_kaa>pe0qJ*^gO|?O9>qCYk6J4vZPqt*7ddV%?y&F}DSk@7Jtx z>>nNrf1_@u`{LF9H$K12gk>t4>cpck2mL-8(81u5{ETl>(Vyz9H8BTY@RyswBSl!Z zu9^hd5-+80c^iUZf0ed!(1_61UAH+dtK2N9FL@YC-kUu6$mf8=GPT>&j1O5fYWNx-T+~nQQ0^(o z8O5QT7uN7DAdLiTbh?)TL1EfE4vg}aiheP(e-<#K@0v53ZKe9!zHmD_Bjn?K1q8iQ z133>;l83*B`Pe~j#mzHy0(!sywnt~y;$$YbC%TXzJbZEMk(Zmev&YZ zF)hN2ozF0~T$$sq;=~6cSNySNocn;o#cFk#`6#!fWVJG!yH}Bmzcs4EUtDTputM}O z{-*urQwPv_$pPkvBAxW%Trzp>TYaPoEpNg3eApFFOCmAi{xU?aOWxs9!1q$r{RLIG zZ-6b;GB01P%uRFeOAeJpMK?s0J1XxOs=J}WzUO|qNh8iXeFGQ|lb#xMp{YQc>78}h z#9OK5#TV7aOh7dhqPOXg_d2OzMNU+>h*HSt=;)RUMcKZa-&vjrk7r6otk>~{l7Vhs zv1}g%RWmV{dw{gedVR4b`{n1Sp)30LVS>){49jzv2o`vFi4*I$2au!j@j$XZDj6|m 
zPv<>fDDCff$zt2d>ZokYn5*)J?fp~+4?(&iR+GNVMPjSG*Ytl(=r_seX=~RhZH}W% zF>BBg>{TqDX2-P|kMdjwZl2}IIatkOVTi!PhA(bJe$!Q;Gh$TXxg`>_`+fDzH|6qn zZ5HmDj6HtqXnr=b%Gs-dJYwM@*paW z_RGhbO2>(%OuXgwahg!n>1J2Z$!iZtd=}zl86IM21WfgT{oNhup>B;E)~;xGP{6B8 z=Ej>}#V4e9WJsA66!Q}gS||ZmbQ$BuG+bO7=2eQ(-W=jKtL&{P0b>Dp+Jiya7}xAQ z=6XKK;xVzT#@_v$>Nb-ax#TLYQ+htJDI9j)&y61H=zV**L;WU6xJyO=S1kfsg;`wX zFIOi9SSLT}a~b+JARuc*7!#Mp7&x^2bN_Yg;FD=>d!c#r-QPsdV4)AGFQS#xsZyRt zxt3Svd2H}`!gGe=Z<>kt0Rpq8f#%`YvGnqaui$E|d`QKhHpf6@-CoJj?155A(HktA zmldVc$JTw+#H*KPgGpcR9GjAiE?w6|o|a@ZtXf`5cA1bsze>J;@|YDcPnctKOlpXO zelkhN4JG3*`lgfqu_q>IS99YoS-^Wi&W^6Wd&+iW&!`|S?S}@$2S^31!;#+PBWAAA zUi)mLdvBAGb;_fl-@ME55Rq%c$k=#$i`cUD=6uMLCDN&I?%|7U2?7%_B=Ly{&WVjH zkKh83K6tZ<2mL0o9x1+MhCP_7x_z9{RYfBT_?$8~I=^sb@{S9TM?Ls_{sJ%rNhc0rl%oJNa&+!Y8!?`aK^NY4_kRo^P+lS$PL!pip~Q zIq!b6eIZhKUF9{@zrgsDo74d zyfW4yJ2m<(LEpJMC9z?+XnoH;mWq)9OOKC_R-ut=!N|we-0`D5_PLTjHaioao53+= zE}=|doP^+0gl)jCyY`|%FaAp>OA0Q1XS6?I=GnEL+(M6p+QjJmNUuc3oMHzGneHLC zrPjB;Y8Q#KJJgs`8XsD3m&4i7aI(ZmSD@9*v{EyTp!?=uM*pGiah?48A<~K;I$+V& zF@xfKW!8qme9^|i3uM5&9b%QY0JljLpSeDGBJd!(C_vC&QBe`!5Il9bq^6uos*3uS z_sS2EP<{m=O@DKs7Mea91B}WZkom@03@Uf^zux>O+V&er*X_~=v)|g%Q!}RoFn!l4 zh?$wwWB+0}HKO!-7wa@By6|6_93SoZ^1)Y(B9P=@9*mWen7U6_JotMAFv@mP{I4s{ zN`cHyy<_3P@6r6NG(;T3p+a` z=+QS+R9|MoQSoWEMRBya%KQ zpldgY+4txMFu#~qX{nJHg&Uti25j|O28?BPIwxf1!M333Rmw23xeEM|6s^8rj`!=y z18+dtN6y1N-5kB4(wm8?X)4nxEwEHbnb08`C)3dv*<0Xxbb2jo#JNT2TaIsDqSTq%G%JJQ5-ZmvN$byl z>r_$gqVW9&W3+(EZys^}{tP@QUu*^Uv<3pwb2OPkO)lZ$^w`)zhFD-IdOIUc@C)+_ zeF{+lBgPurc1XqRXG@HnEUmZ9jD@7+P}hCOkaWp+*8mWNj?)DQ8uWat0ZF0|qj_!R zh8H<53cZZ>gv77H=);+hBZ|w)>^+z`2;Q915)RU$qKQ+7ht?NZ(>||K zIQDt(h$q?dqndL5O1QT|Ax{2?+^N zcIug8N2?`!UWG}b$XC;>nsTaM42PCEOhJgk{8+E7Cq8?faqY<&>p6q>0c1=p z4HmBegz|)~Vt?t5+*A>O~!8>zv`r|qr=x%`?%q?8ZAa{K@uA{sygV8j? z3(j}YZ5VH#2}Y;bgADkZk9{_%YS%i2V>v)wP!AZh<~A&i8G9z*{%UZviH}KKH z9THbBGapmAr%st1X>uxh5rG8L)_{zEr%6yLK+f*yIAq7xWFO4jS$ga=thcK+iETS! 
z2e6>n=p5P1E?s9a9b!2!vSOp8{&o`__%iEX|0;V?)V>o?`adp!uW(CCvi zzwgZdq>UanHPJMMV%`)w$du1!ZL^;Cekegda3#naDt)tm8#naZ7{%tAL?b;;#?cUQ z+X$#UDkH9mP`JZw+!`>ZP9!oY0iRsPw^?DtDm(M6e!7jZ-q!ka={GohIHfbuIbudLDex#I^R!RcYf#)%>kx9kM>ft=^J7tm8_Wz1goqN29;bJ)^Xp`4Vse=d$}3 zOFq9+65ifE%{L_VAKy5;IYN zubl4G`fB0Wqxh}|P9VJ)X^`f}^2JrRH!gCULAywIX1{=dfL(9SnB_1C%rn`sDa+~o z2{Ng#>C$q1zj2yF08YB;UglU&W~SSShuhbl%-$S`X7Nvsdx-p%%H~m?gBn}4^OaXJ zNz`pXlr7z&DDHHEU?Y*AQN~0sBK?w!Rwl`x-dyzJ%SKlbZP}qw7mH_?PJWsg8@BpV z&Y#;}mtyYDOwh5)u4?-pQuvuD7s0cJy&&tFO*#vT45RgS-{XR13!B=V7zaZQR~sfv zb)f8;vRo&~%?C?E#5R8$%NNc0gc=BHYB+oAV9^7P{kg;0y-2r_yd4>kC&x@(;7KvP ziV8+1yX7Fyd)6>v(^91>%SVj+cYushp($j{-6X9Mg%D`r~oI5;aMt}Kw(>f>cCe6*W1>*YcX4s z;^oha%?azlnd+~_DbA3`A8iVo3{`m&3t3tI=;t#hfUyAuGi|wE0L{y! zc}EZ}!htV5q}uP`pQ^dvSI3Gl6eEsfGUhNiftw!U7?2?hJX*jIY}#mhi1GIU$K^uc zoV$tyWwbdi4hczah?3j*hP&%=s1C`d&Tlb`9rageqqVly2p74F+RbgNerI21(?rkB zW_bQRIReOUaI-A9GDxvD>eu(p|0aJwa5<|hd(9f7U02cn{PPdQdv-{a(4Pg4Puam> z_us!fm^!$3Q{!+?-&su94}tomcPl8OVs~sjJ$IU=zFnvrBG#N^`LhLeLKo<4ZEd*= zjD{=jODQknnwZ(h44r^r?m7lwY-iZ_Ha2$l)(R(DI*(nQ6L(lKdT$QN>e#Jv(r%OE zVj1PD=0k3Qgo5d;lt&eqR@%F#B0oy}+;ijmqv%Ai*h;5nEV^+ya19QJ+Rj_*@Y>xD zPM_c2zJEN+Wz;6XgSzWF&=?Jw>GmT_aMw1GtJ5-2V?(jbg#o0Awt+QUSI=(SJ6OiU7L^tC8E8$=Y(f7{%ZQ^M*rF0G?FhWUpfFq8i3REy#$RrjL_nm+Vk%{ zc+P-t@8s^Qk9z6aB#(yKod{_c-$unJ8gm9_iKr4$=X3iI%yCu~^ga-C7@7<2qeHmv z391K6+Q-@NXAFgOZJ?s`#I{mQlAA_SSlvp{gsfPwJqtJ-B2lmAFma*SFxnJY1M=;* zW9C&>D}@8?A$p}EL{ff6qI;>r`&T^u@r{rIC~$k=Z97LV@(c~26$W>y9UfE>OHqw- zF5KMQ&mm+0MczQ@SYPnGJ+m%s4}|w3Ho;J|5k$RCR$KppkW~r-@;N#7R{t!z6nkPD z8gwCt+WpooG8`XTcT=UOITD@O)c0?co`9GBC2(iwEWaxD#sVczo@oe72j2E)Tm=Df zmDFANvwmbDRl4YImyB1h#8d|kYX1H`{Ui(+(Le>guOZ0KkA!@cS_OZ?`p!U`Ox~V9 z%NT@gA=ZaSuUIYbJyz()$6Y4*2mC+cG(f3G>Uo-TeBpd^YP}_!xFx6w`tk=C9|1MI zDBSw?%G?`OV6LvNUmmjn?jLIZC#d8LZvAlV&BQrWdInIb;k~s%t}E(`Bk!z+KD*{( zAFziRJtzIgS>-`0D8?>8K#u_Gi>teVYfT5C@%-S`sChbo&i;hDsaDs?(GDF6&X8Hm zo88RJhx~ngp!OfB5wG7Jr<-2R0fK6hHecS01>v?*Ms%eo*uV24dvm8Ixg5ZZDM;tX 
zqF3NU>>IV19OptKLIcz2n4Elg!1gfZH-Rm{?AJhD0*VANf^ES4=H3T2FuE}RJ@dH$ zngbX&=WQi`PjUV0igFd#wV&VJWht6p&upR(>ut>D?zjTtZ}&Sw=5(g{?}4_X6egF` zs=8XGh*eN8qcQ}PYi5zCl$%MOgQm%G!Vok8cOVgdiE6!1b*#p@-3EL9(ziC97cow1g7BNX2ns0~cjD820~W;L-TqRGNVEwaIx zs)LA&#Of$+VQxX86d=}AGY_x&-tplV_%HJF8QQFI0%wX9#Z5b+XV~#?zYJyuX+n1J zb)E~4`kOCIAb~UKSjCby!z%dMRj-1QHX(TGm-1{6Neg7un44{xY^|ubQcW-i@OA-S$c*9Rl zj0F_90qYBjHxcE#?_}uKuKoQh65^q=RXxO%H@7qp&%kxs{q2=qcO6V%Y^XbERGjKG zmbst(e1>d-f-oK8-b>&aavU#czLrML;IJS^B!! zW^sSSc!adT!9I}9LjDs~0iFC!q;QJvsy_$-%{zHu3}9QAP${5kd8Bp6R1IpR z#Y1$^4Mb9*aGfaoz;s(8ikBp`mTojo#dZ0_KWkYs#_38Q0JlwnWqO;xR^au6l#v9x z3d*l2arhQc0>az|P|DrwQk7$oY`Q!Fvr3Cnww#?L!aZ`^Rqv9LlJz+^4w8I@-mV^j2a&}`+Z(BDK>4qlq%FR6nfCE`d5XnKug%vpVl{bCkC^FI9QbNP9lc@I^rgK2F2m|a*sM`K2`BiK@72hIGa=sMC^s3L+cb69LeIeJ zfMAV8obdFR&-0daHS?E9@S?Nz?HL1o@}L&C8Pkbkpr2z#kX4RjxtdQ)J%&9P#2sPN#mI~XBQlx2FXtp6Ct;yAymcM#F5V2R+ z>Sj447IC)$hp&5wFRzLn$fjYUAoaSG(9*t-s^7eMbEg?jE;Nug$Z>Hzk2ecg z;?WpffP1Itbwx({_#raj;y4c~eJjx%dxR4EIzfd>r6P|@ogxhv@H}J#6#|eu;#|}E zM|WPc%{ej_oWVi?a(O_PV-EukRjOSN7yJl9lChOwUgO=yqn;ADMWk1$=QT8Cwz?!Z zK`S2ssk8#B4u7C?&&SAxj?X`$FwLzXjV6L-J<1XeB{xzj{YT5sVQa#HzNtj}DXcZe zFb7r?dz;H~7uTkZm$_Euzuay5^Vpukt|$ zgP6X~jsNieHWyfU%r}ueKO@pSgk8#?(A7V*nKI1^t0p zOiV1$6TO{wHp1q8K;ge%Wb%>L(HV+gVq02T4yZIW(A4Nz6M>Yzg+|h-Z~)h(x4fYMFu>({R@t*hKib8CU807Bo^6>+DjTLD$y z&febCk=#yIy@$4ny#;(kC)dR+lJK)m2WU_=PsucWY>z=tZ~h}vbJ{4S>%@Yx#P04h z*uCp%dfL#ZAy;svpRnZ&%+QIOzFw8^YK2FeOP!|B_y)ZS?e6Y=b!u|rrnU!70CHWi z0TA?MBcNwFuN=WH(`yarN)3-ur64n!U(sb|W)?`FSOiS$ir}6#b+^yioX=StfHqPw zI?#c6uB)keij9p;h25S4kz*^?GysDFu7c#G&DB2RyDpLa;$3(U zmX;BqFaKc;_!N zA`(|nszigS(T$Cbbpp3k7(qXmCJi!wWh}OylT4J?{=l3-?7S4?OS3>D@G98hX@jG! zG?5NwLJ#UR-5)-TzD-lDxMBx5w5e%tA?@9>YQpU8Me(4RqIqaL%@@iw!vT3=)Jq*{ zzftT2I!M$i^mCQ&omrHm@Bt*w0HSEC61AUq`@f2SJ;z{fZn6j~E0wpJ>uH83(H}r? 
zB4qr?;T1Gr7@-RTq1i&y%T6?p;R%H`#pZ`KDKf*yyI{DAHMeLdPJdhyw$914`R3>~?dRcmArl-zl7Yinv=rbyxoemKPo!>QU&r=tdkV*&B9 z3A%y8xO|B%lmQ?#O2@qx6BiS6m;l;=i&RG~hTKz|Us<=VS~CsxD<*V6kM_b@j#-{< zJ-z?e`-HxMU8I-aDuV*;u*(Sqv;FqsAwfZkMMXtX2#w0y_l3{WygvrdvoLdWzV7aB zuf8=uO!96zyk*+39!5FRwo(YR=^DWFa>z=2rBZOD6oNHy6PCIj6&o8H4pMg`#)f;L z`cKmJ=No_2%TU1AANTZFYZ@OdEk#7nerGt!r@8E8y<`vXm_pnsxXU6K0TK#SGct-O z;>$Ix7Nh53m+iiH3`7b9LpLxnm700S&ACmRE9t@1kPwh>UXiKqvdzfYxUDj-``E8H zRk4$KD%Ghq->WmwQ)^oIsWH6W5tMtS2&&By%-DJgzKLqpp2x>r+2n@ zWxITBdd?i@Exse?vNK^_XuD%?PtOqD^U)Ma@fZYMzjMThyU9c$ne3FihcNehN}%nl z1pH3rOvm4I*yFb46)=Sj4AesL8OUgxx0G@&Ro1-iy)Pmviivs7uJv7}`GqY~Ckt}` zOXVe1Zl0lC>^ewwI#N2>-26CEnUXwbu4!ykhKf4yEMXO$&p@flFd}mK%E1(Jc15qN=JY zIW@JqJZS$MROj$!j=I;Kd@LMnIY?XgT~1f9v8Jw0At)$lMM!zKT?I?-$UAhM+4r8( zb1z$XyJ%k!YYSETI7(^VxktqyeejBpx8B@dDZ(3r1^vg$+uKd< zgs80EcRkX5FPx@AgWXFn&nY7N?ppsJ=oQOS@7g=9l-`QRgw2$uj zIf)SE442WD2FEb{Pcx-xf+LLO7KbwT)$LOzPQkkzoY?sh5Lv@2={AaGqsHv+EHirm zXf`}0B_%m4ONyXKq~a+nJqx?kQZW*4JAT|u>+=o`S@PE~eTFK5=i#0mG;dt#uH1O$ zR{(3LClwB^!7pFE3WTzY#zd=HgCqH;_s;qcwx`FkH&e#AX~PZ~C6EK;DtN<;rSg2f zEk!a=3c$X96A3EQ48tn%nfAVYaBiRP;*gre-*XmbY8sg)tUG?RvGu01QATuhbmv{r zaGbuh;odYrv{!zXlsUsQ`SE%m+}FF6;*kPf(D(mQ0eAoLc~V*$PBU^YXO$vH@!iF| zvjPats~x2wf3;LZ?h8@ojg60w1i+3I$BR#|0lP$(SOiy1x9`DS>PO~~c_A}Il-KyMl>4!|y>#v8uh z7B8A1kP}!5?1xKyHcEJ54E<`luNoN{Y2rH<@!=i^Q;s;chkH|he+6GcZZ1X!^w;{! 
zXJgJ?SR?p%PEPQRBVe-b(72QcK~$%rog{~+;%vbSMf@+717}(HQIEO`E7U_LDJj_r zQYBCKvl^>DQ+1aKi3hJEBo`T3_0Tx-qwIFSBGY$aly*7P-O+F8}xp z*PC!KK(DLYVtZy#T}$#AMcQ>mzTgxRx1&vpXV3NX2lVolL&L)rU?!dKE|(Xec0N$< zhGIuYhqEkHfz^F!yW}H*0|%a&Vo<5WVwx)2v>iXNL%{yywZ(fU`mUb$^t05dli81rqdS@V_^)+po=lp>wqHK5GrqNq1ZB!QDgbBs zlo;s!d{JNtvSU>NlTf#fv}Kx0g+?*ux9d1gc*L$H9L zV5FblmduADJH@FJ*N@#sKn7nSOU)p)6QgT4IsjFryd+4}N4iBh(iiG2tpD|}oy7Ng z{hujnz8pc1l z$qOk$Ng1Es8EnnU&^-x8ul4*>MGaW*(UfikY*SQNH8i`9|}sFmBrxF+h+Y;JCH%&G`g2{zx z85pPl_uYz=s#~;h?fa?k0enchLCHk>ekN?-+APr43T|(2|M*-EXx+EZPI_@X2Ijz) zK*=7)IvR#ZaL%+=49H}4MnZF^oYMBiQDHq0f$N2s=H4piEf-kc5EJ`aKM36>xK&g= zd_Fx>!K}+bH$haKo2{mjgUO+RqE^{$hq;^$Se}T8NT^uPPnXB4_QN+qLgeJ+gno9z z?4LzDsvm%bbyc|zJupw&o{9oSs)oKJ4{*Fi0;d4y=`M$itgN47;!-Kt$w}9`hK4TZ zNdn=8tZSvlY1-a5h&*6t0slQ3o;>G&7rKTmEL6C&lY<1bSpzKM`U6u)w3?Ai{wto&JMA&vm@(wf#^JNa16_j9b3YUtUCb2t&rbMs_#Zu zYzF2n!8wscBK;+~B*+^A+m=aH)qwgtcQU+5O9V!ec`06fd*3jGoiTTHZoMDy369%w=*ZiZgy=jXS?qn~5&Jm3N~R><$S zlL(>ejRfZeo?_te-auA%1LwD5n}-F#YR#ZAKfLSBj^prW=P1NFz>h&10PvTBk%nG! zpgiA_mcKOc0vg~t6m_ZYtS2S=ot%x)VVPHg@<=vk9X&k+)i?MG3cc)uyY%mLePIlT z@6*e;8s$`DPSIk7L?O0#E%3ArA4wp>4R*~P>gI0drh(fSv)jG&{DOiS8>lrUR^9z^ zTbph*4yW36jSLzu4o@l!r`vXvgS;|%$I~>tJA2fdOG6}MjnasqE$}Qdp*J%8{r)iB za}XNp1l1qXOi3{HFL*rOadXW?;oeNr!F#Wt;7h)14Zrz5WL@xIyfO zLp*WqEO3giV?!kEw?}T1eEgFLdwk|`)0CaAzP_cT9&H0@nybQ|17IC*tDGHMjg48u z&dz>VIXgD4fA_)|2*@|xDAhfj%aMuiDRv0lI|JVZxIh0Yt_*>fo93>P{~2m?=SaXd zHtG|*xE<;`uP*8;pI&I4D&Vz&kI2+pFtDqFAVe<76J$-LRY%kIzJGt^q9Jeg~E>a%ggiiQQJUWeC_+|mD`jnF(w0VX`VgHY=9Kr+4uER zSj8((^I1qO_<#*$xGFF14a$?Bfhf&YQ0vxc3>=*ICcyw=5$S#q5zXd1W z%neohrFf@QZ0nTmNY>YxqpE4k1#*Bjt#AV4iz`5OUO7un-#=G-8pOpYA4KRK9e4fc zAZWhT2|D%4tO>noIKGJtTHKxLSA_qhv&`QKSGcR>DKH|Hb2d=03@yA7v&0in z9lRU3CK)C`=Qy`;5Q6GBPK8i_K?K5OUb$Bt92`dIwOr7jL6=X;f%hMXDs-2w|DVa! 
zLtrALdhDDPhkZ{k1Kgx_vi_Tz7|EEaQOtckjRMMN2ABRan z+&*Ady`J;pH!IO|0-vOVo+L)3{5eH45UU1B|GJ3HnM+ZVATm^nkn3^_hlTa<7X5VaAdFo<;;`%?mko5%=QV>V}x3Z}~3&=~MFB?YP zPNWQtg}YgI0Wg#2!4h-I_HTjY$HPjg;7FI^F`wqFs--~U=Vxw04K37^X_V>CXRg#X zx(8xrFL7mG=NT+Nue5~s90y4`9Qz|nm+&ZM5}DqgFF!a^Ezxw4#xslm3H<~z1pHJ@ z7k`w7OhSKvJVRY1VJFI3)DnS&Jqzr8kHRS7|Mr$kAZt~5h`ddj#*P>N(=XzCA$l)` z1i&+}myqkydBXGe%eCgChmabe$tO01|6?;h)8_xN8EVA!zhW~+yP!t9`S-78;%OPr zR4EMB0NjuT^XnX7yH=`eXs{Jz0~75RN7+&c%@gV>@@jrp5v6Bx^h!7!4#VoquA`;p z`1#czCwS4y->2+eCrCIqJg&dW|<)OS{>$e!`=@aP0hHlSP;8+*X(jW5nO474tU)KSXliSlvHz{3w@8v$wiC%L!=eB4W@Z)v-BZAUgr$pr87jUk5UM=#at8@usn!GGO-!-Xb^HmW5M8BM@l;w^L#P0+;(-dm6KYHaIT9n1kfm zG5U*<6(i}OH~0Kt<{KJYTiX+OFQ-NNN{Fg#e~uh26d8>K^Nl z`Lm_raxnIlz`tA$3fluf+PZTd=zo4nFstvFw!S`RLCf|zYmh2){&~IUTM`D~{CC~w zfalH2{JMfo)RKLrN^4im#9(Y%qr$n!Mb1ruBcV@25PjfxNO_j^C2j?7Y%_KP8pQeY z{^lbQb{mM9g>K9$nk5;~BDuaN0)eauhb@wgHUB+7HY)_hb1D++~4B;OecKpE<<-B-hr z$P3GkggGpUa|qo8920xt~4W}LxTmZ`av&}vD%#*JxY#jPS9uGIUalP+QM^^xEu{6q7 zV@W7am2Y@LoquZnbLSsr1CZG@SfWR>1ZdHF1UXZ0B8~oYvz`AH0%3PEUX=(ry*(~* zma8vqM=-YomrAeyz zo=EF15M~d2FTRa>H#TbMRvZBk!XhqHYu3xPP77vexHJ1(As=L5WQTHJh4NA)w;~tG zv0lI(ek>RG7rOM>x=OJ*YVypKyP*`XmnqVdcUWfTD2rmsEF?behjmn_bNc;E9!q}% zcoi7P1>}D$Nkr%OH!!;sFx4g+OtqO8PW-Js%sh;>0GdN-wNuddG~8ds@6x_`3|yY` zgST^-IJ3|az5&y}Kz|+c?2`Z1U*{w6c-9q$&BZ&Hu=FqJDWn53NWZuWrrw>iv9!DtfXIqiqC&TdN5`#*2AP?n zrRnwEi&v`sxb)_(mB1lTDR!$P)H#k~xeoN8QVyhuf(A5aKzAV(2BbvDmw+;r1hFL$ z8nDk}=s`;Ac^6!y_GihXK&!9H)1MV83+^1W#*rGWZ`pYUWWv~XDjJZ_X8`ToX{67v zw*%y1>~q}*h8MjoCf<{eXIm17PT~iKA;Uv3AWxKoo&8zvXi#n^YM6I&?*y3SYS9`< z*&Pq6B0)LDmAlIbP%M-a#5Wg7aGs$}m<|1|Yh*A0WOx;DMznp{_Ub-mLc-prw>avw zONN&+9A@6P7-Nfo=q#hU!eSmzn&Afv089IYyqmrTf3=v|iwb`q=rkK4JJG4qiMMY$ z1C?^z!9jPA8Efb$R}{>CpzqTEF0yBAH}7Q21~-SULE!CTD>GW1&3Z>JXLVs|1b(c{ zZPK>aRj`A7m<-BjbU45LNryMFaQl@IlXe4U zqZo~dgZ^}-oo-{+SZ$eWb$wfM6YQeL`yEpw1=;rq#Q5CC`i&_~;?q@pk8|a^#3u4~ zObWg0ut<5EXfQ>_Wn(l9P)DHAE?d3hb~*lLdn0V++Tt@4>(1Pp-oEE;xvn8r!}3(T 
zGV$j2ol(80UgwmZQ5i$tQ2MA`63BvIJ)z{qY<5FUCF!kl%v9fosVjr3_eBhm0V>(YR*chA+Ibqo=J3D#j&bU3+XX#O^GXozEE*{CM?!q8qsaQ)qH>c@;yB{H-In0!P7|k&Ab*7itTPc+;|;*Jr0lgnk>$NIdbJ&u+Vv z@@>Z(M#W(bi9+q0Q16UXqrAmkxOKO-ZEzbo9^cf^Q5CJ>jQkW4_je}Y(c6^VNmBgq zBaN}5>N68ndfYprGu30Xbe0KJXE?>b)2)v)NRvl){GD4RcU62?s>i|Qk@Z{0gB_Y3 zSBiOh0!H9L$1T}>KAm(dD@eR@SLSn$)qZ4STeh}dz3Z?-1@e)10jYJ;+qDR!J8qC2 z7eZ#@3%o^1zCIlTpAY8t+Tw*cjg+ia{%$(h?$D)Cc<^1e@OyCtDxdXf*~qr!T*BC} zWYef}H_yfOpHcVf3ywh3{OZcOUb@>TeL7j=dHi-isHEkL)p7_yMtQ?Oj(t6xAJW_V zs`~M8HQcl4$nP=BV8{-Fn`KUS#x8y)cVwKEAs?5EdkK+s*@C{b~gd%Df7)M3Cmpq^bTLQ=f>u z`R7dkE%QlD|GVA+lmF_)Fe>@BBd0wgug$q>Oh4!EJIqd=>FoABNlq#$_>S~E2OscI ztJjfRDdYgR(SZCh-rz4}noO)d!(;IR z)Bi~%pL1A6=fhC{i`1}YAM6qWJI)S1mxc1*QklM;_ zCe<>*87DETh(tH#s#LsA-u9j^--3{v8{kvE>bn7H}>*!#}7rn2qr5wS2Tj^GGN zvmq9Wfb?b=MMXeCdLKlj1cVqufPmQ0kzxTtkBWe_gqn~90yd%qh|&TH0TDtZA)$sA z%6p=7?>P6$-0?qO-w*zTB;=g4_TH;LYduiLg5>n^t*Un;JzZ!ofTJB?#BS`zw@Xm( zLR8V4(EWMJkm#B+W7-nEc7ZO*VrrjL7`fiLwN!O@8$Sqr9-U61B%D*|t6aP3#7x+| z@d@P8{GD*3p<0Kw>`qagOZ!M$CkkkTf}AsWOjr*lZV-jS6; zulLle50y6o)tiqz#7sNNTXrij`3*sd6hYh$9^Jn8;O(;)U~VT&+68#zk?N(7dBwjV zA&-Y5EJ6}+C$8#57AV#x6p$u3&k~UR$=ZTo=OB|`e$qu$C&SEtjrW>4#G^V(Aq|)U z16LM)Jfj<0WGS9E=*jeSeJLFds5Gruza$n(LHC(p#Inn~dn4>jP<4Pgz35|xu1Uwi zp6iwqF)~j!{sn058x9!I1=AQ8TnCg{eZs>D)2o&`Z8(5`nO&Xn1%g-CDfTLAsX*~X zq+YjmaUl`4?(O-N=i9*_AvYec-nXg9z~T;Y&RjP%GZ)!M%OFQc-NZR*&%$)S8}|#M zpX%zoIIlhuxubaPrsMCPx!v(IEy;Jwr*Ep@Wvo@%5X>0w#*f-+-AkdHJ}Yr#^N_yj zYr!_uiU2OVW9M7}Dk}868N;wayU+R7%Le>7OjM22f!(*+A=8d`;6k zbUAjxdyCx&__?YRvE}+5_AFi78ft%N<`I|CL$!7d#QyHf{*Dy9dVQMqR@M{%BsMV$ zQ-;1V)Sp2psiO>Yr7c^HT(TsmO&QYTvSf@pHpR2@{79+cEnmVBH`A#04?eL<*D^Nw z$FaQbOh+-CC-hmk^CX*M3b$av4sEkg{dVEJU}GV>s)52TaGJ%3DI`JK$6gybt~T|Q z-6XpK?R)jmT)xvwcGUH>o{e2k*1xPT#UGB;O|oTH6>w5WHqDxD?TmO2geg7&0Z(z% zY`?HCQ08WcyY(M*}Gdh6Otm~@s-c4&#Y9f?dNsSL-$7;79bdE z9WfsIWT`4-Yi=>o?umJ$PUMqUl{>o`71w>y=fMcC1lIwJSPFRyDokjf4y#Uhp*sDu=k4v6*egk$xDLEue0jglHYg zq?Q@hUP7mN>*Bti3p*MKbboRnFG>3;^^9!=x+ZB0j 
z4UJ>93rsqIQ~0`*bGka_W6xd4ZRFaF_L?=cSoT~KsSMtIAZTPj0!-l`=mU5*>-5&F zyV~uuq|y{qJ)Z3FUHp;Lv1+_AdxX%rsaY&Dmn}@T&(pXq4HhGe8*Q411Cu@5BR@ha z(e^PKueO24@d&uhNL+za2K0dyk@XSZcTOd!$hr2i!jx_SRdyiqcKBo2z#^MjoK??V zroL@&?>Pj^I_y<1T@(GnUlEbbZFz}5)8-i3)DjnzvetT@5gz9Sp6SkTjc)s`69 z>RDwYSUaNe&Q_;>El=E$-La=W^}3_i-eQ_}D9I>sgyc)txN2*pQyZ^6J0GFUE45GP zEUi#x&ec~JP6ul3PNu{ydS-cTFKt%ACXjUV0st+bHEJ7QIPBR*DO_E8(S~ezi(S>< zJ#O5Vf!NVk_DC2AITUJ9>5XR+GlZ2MjBl*T`KCEGCl3w`0I5p-3;M2%A9E} z1B|~7mS4QU==?3u)=4w#njcA`{oFP*o);9XjtYib?^U609G3;xCwB z+6!}>`K+{OoL^#Y`&k>UgHqte=kLqVxvZ|;9qNejZSCr;caB}!>l?tqz#iz#)iy`r zMp~X4c2r#S(p9A)CYo4?1as;}^s@tK>uF;Z!M65^g6D;3A}utZT_tETfo`7u5X8&V zMOWORj=6@?teVy9TPjrFNAYXqrURS=K=6c_i&WucBYl^=;D!{WHFJy&x9iv-fboqw zCwqS5)Gz#GGTWol%W4l-?9d#{5+u}x8YY1It7l^OQ>(XC6{mY=$Y{^bz0V!a=4C__ ztw+|Ex-E_)EN@tnD`P7Q32P=664B|<({YQt*2;+EE}-XW-!|eGkADEB2L%-XUe>ZO zE%))yXs(EDnqN|0N>b0(88PpXAJtGR(H!Wz#ar)Hujw%ZZfuhOZM#zsOm$7-cx7;% zQmy=?`rIAPFK;T=@7)j<=|aGa+GqM@Ms?Qe7A>DyzxE!qSK&kCr9GKa%zNeE*o zqXqT3S%_A4innrZJB~_sy1qs})O~PIW0({PR-YGO*9$x7w@dQ`U)L*s;lmn}6v#A4 z&@6E~1NX7O9c3-1-@!Ul3A1$T;OUL-N-)%z7^B0%=6g932b(I(Gx~Aj7ZwL-_e@2G zyqv`CBeztnq1X@7?oU*-F_Kf6aM}aUL_g~+YiMfW)`$4T$sB(_PSkKI3BN`m;<6uV z_f^NE&-5(hyG#-ojm)X4p6^R`+C!pO7WN$GegW%ql;266&mU3MDGr2t(OTSC3snKm0 zdw2D{h*5|P<-CXXR8}%A-r_8hMm-5|bgx>=0alAbfd9X zlJuj+5Tj-CU7FY>q#4tifpz+LwcIR-NsXpYPebky~uO<~L* zHmL1%PwG#Kq(1JcZk8TEmGB?HwAu^=QWU(2SW^3l8P3pKwxP6@V#uD#X*A@%i7Z!z z_w|Ub7IaV?S@F7c`-n$Nut&TAKy;`C$q$`cFsX3tI=feLzA^Qf0OdRQT2*11;lEb`Gs2O2I( zBLV2+!F;%gauaJ{>EfLtF>NqKmDES)KFodMiHi@-}L{^BS`5 z^eWeKBWh3CfWrP1W^-B2d=*R7%#08`UyV9e))n|B^O2@$3#RNT1J}$9bD|+x-76qH zFnjjYcgnPVm3UFu%F2Y#`@D!y2Ly7^D?6Z;9Dpc$U&>GB;fN}Kv$}mA={EKfhkdVG zh9=4nxnc_C(@(M9D1-KUkP@3R{8{tLkferue4h-t#Nd9~h>IMKMM zr$FQM74a<&*eO6AyJ-8p1gIme?7j3>q{O1R%;^+jEC_>`wR1BNpi)5wTQ(V*8#ql@ zWG|A|eN-RPPc&v`>`Q2w9?yVFo&b$padeY1bD(@Xgk5fzY6~fbT2Gvh66QPInW7Sr zJ}Zy-TzHX(3wJ!Krs$k_*tw$@fMwRKDC~Y6kd&-_I1xjQE~!}_Hhc{WgE6g+nElF;s$3Y2!sfZk-%H#1i 
z*L=Eql0kGww*3G&{v37(g!EJ`BV`OW`g{!muuqQ!LzYpr1t7&eB-E0}wOQ3|NoRxQ z!epsS_@LBuZfHAQY7C!sAYTm{&U0#spX&A@S5AxrRjGix{^7{E7E;I^Yj{&bDXFrM zp)Ni=3hG{5)eUxwDPsTvOB5N~;7k zmiAM}j)d?4(jn>?UIlciwpa;H(b|z>*brW;65Gd4z!UO%@z!1@mrP-Hg#&=;a z0zhzhAC|E?g@$R{QFw@0BQq2)Ztn2DXKR^CPyF=Lesfw!2O)hLwB5in{j5*D))9=M z#uf+aEm_X?j{&sH#?zpe(4nY72wbV5g_xleblY?=LJ!$6b=(-c<4r~(SMUDVNdsDt z5B+{n0eV+{;YjnlAoV;`;d9jjo zk^zxv?bW`N1s_lNxq{mq$<Eydje0KgBav`Imy!fE_T^war_)<2UR;WN{f%Z;?5xE48PBd=-eHBJ-ux!{7Zyi zxc}axhPMxu!dF_CSLi_>_^mu%K8zjKU^YJleJYT})(AWtOt^X;PqcND&sxcx`HfTM znP70@g#+wD?F~mImGTs&OG$VM=QP`1fE(Iy=(06d@m(qg8(m)3U-8IhpU#jT>C-yZ zTqNkj{{CL6-^>;u&-_}(LI^5wi@ilPWd9y4hwYhTa(A?VW9Wv~w3IAU@fc_%-N*-v zC#jS1h7AwO#7tHFGBhj`6ikRJZJARSh_8&nRTbC@pKdTa4DhZnt1g03%yYc5)VT&g z$G$ZTp!BsthC55o>EaU22;(PR;QXh~Q-v$rVaRdCACL24#muP-9kp`8=Ny0$>nxZ1&LIz+TehJv`yGaf@q-RxVaN&s>uqfcgy>4)#m@L%{co% zH0N>jgK3}3oPJ98-klYB29qz_J@8;bqQv2~m-AKh2EPqH;V-Ne6A$^+iniQR^|6~u zAKW?}1TRcT4GZ?B`s;zo#f}=$nU*Yx z#xqVA^{AT2781sP$W6wzQQ8D(x~?&==AZ~Co_B_L`q;^7oJkEH4zcj=G558cGGC&B z_wS(inDuIvbb2Y9$#8;-IgRrHlsl&;c08ZacXnd?QUp`*IizuN4&1GS^eA&3B>Z&L zU}=LojhJiRkFv}$hgsl4TytE+9w(m-c128iAswQ$pB8;*vRWT#G(b&!@-YyiIEpe4 zU(*x&Me&p75bBZGtKA>Qfqo3`+TkL{JbImzkK45~kiGduNG4A7T7A3AH7}5~e=^>B zkHAZo_Q4*L!xNpLJvxtxbJ9o#UCmEa;aB!OD}#TU0IYO4bgOr}Q|OBZ;t!6$DV0!F zx8`XpCu@}7Aky$50^`1(3_Cb?AH>_KAy%f)DnJgYxn+pH`+DL&YEsR%Y*{tXHYh62 zV56Y^(T&5_-fr-&Jo)}fX!nB&bt*N8Wu8jMm0zNDLW@tyXdvp_?_(~6hc^$ZrnM%^ zMp-esO!x=_7{m8k@?rhbkT`n~wQm6Z2mNvlSp=!*0HqS!!;w^TJ(QI-15CU_wsWoH&ybbd34kQ=T3Xil~!{}Ed4X> zW%{nsh6Cs`!;MuX^jDeMmppmb5QG9|fS=g&0d>{06$K0;FeVDia8L&ftKTM1ne<;1 z!z4vyK28An((MG0isGg7wrvp0a*A{gn*ZRim58-hKF92*Lh*nk4FW8l1Yk32vVXgg z*Ai)_qmOLReRV*UEPdAoqslV(>94@KG^kAAVow3~m$fJu=?zh86NciNTG=QygW-#@ zQ4{IC{&Jcuf0X($3IiX{sPHP>u{8Z8)(d6gV_hoKLbNi?HxT5;vHbE$0h>Vkp!-x7 zx|;Y0n*ruS8lFC6*pnld^+%#*{ie}{uAfxA#D03V%Gtzs16uf&`&JR41~>Q0w|2T_ z#JoG;+rj?YB6QtzJ_w)uS+hqs{j_(*qZ+(q-;?%WZ~P4iThSx)xTvMI_q9{xihYX^ z0dyklJ--q(B=9T~b@vR=Qz{wOD;IAr{Po^DPuhc=k?uE@yQufdCK(M!|(f9t3J 
z@k7ZV08{fbzMA%>QNB6m@HJyGO-1`;gXT(dz)>rZOAj>L-R8wvu^~Q8$=_>7iLVIG zcmS0vmMCu!;&1v$jgE|*8v-?HBd|fCn%C<9zzl(_aJUN4E*Cq^Hhtfg6wMV5X_GAb zox`wm$7q|iW!$wq1MLXh&c|)QfJJoRLkM{704h>QXhiTnnlBRW3G>%Y5D`nhxR^{x z9~7@qOmXGern1UX$j4ty9E$EOl8Zu@4T-;A++{xlf`Fg zx-b1GENg6)F^oHXEl=#e!TaE|icfDBwNQwfALE&t z%$*wvIlz*XW@Qpi?g`!h$pBecldN`c`Pq)G z_kuk5PJG*e??V+dssJ_*+}ia8CqHZ%4Rm3IK)ZuX?L-cXE$ns%Sm?0DyHAQ-=0BKf zCS2&n5WQkD;}uMLYUbF5PSA80$OsI?#iokjw0GOj5qcK_4kb)DCj*39IKo7;0bx!& z-z(i)q+c|6!x{Hkz*iX_*Eb0tPmmv|{BEI%Igh?ZkUtg(3UYhhApF!phYx(J8`Ay*fFtO6 z#noO0CpY(_tbK2;-!lC%e;4Cc_XG&mrBn+354iHLqN}=XLSs7i!AJjh?Bus2fp5s* zPkY1tJ)ke{Zn07LXWtSh%s+&V9{Oiwr6rdD$infv1z$q$zbnuG%tMvb3sszjTiOzXv}4)$Z#MjuMVrW7+zL+5Rg*{^w2nYwhj=gEd?#p3VL1 z_rJR2@}KcjE~yw5&h)IRSN?nZ#yx7CtZqq#i3+W^BbW%YyaI|%mI{xZ3>7qq|0&CE; zaJU?%ub>dcb_x7rj?$lwvj45RmKS-wi&I#F5cxE0EEp~aSGA6hnPnFCu;OI^aS#$U^HKp%FTedme~509uy>p}v^3slvNT}=71A{r;aB<|%|kc`pPG&fjL0T@dU99W>|EgI zHLm+@?fgfn+Rh)da!-ksE8g23f#13E>DF-7k_Of<*Gh#Qzth0rZYazpIRg!oH41CX zyt}T!IJ8;z4PSrbgoncVD%Ee=0C#gy35|sgEU~?2VT#TGhG-x9G1E1q%gbf)+}u3q z-ZJJ)+s@smuk{|&Y|tsN2J#eewMRgxCt05lQ1s86E>mBPtsI+dwG3Q0m^*N6qtT(r z7%`{Fsd6L)cfg}Y)*xiKy0>y1FlQNvQrO?-LC`+6eMKAK*9ElY0F}A0hxlBzZ=arnN8I!K zTE$3}zYp)WzgCwJIhhTDHjx>U<;^YJD#C>`gBy^GfEP973g@?jig0GkS#ka3x?dS3 zqL$O(nJYh2?%c4LNb%aolsL*L%mMWRbLenr*1Ix>)5s}O`XL2gRewB>WwJCI&xjg- zh#a=}UiGJq{5O=tpS;bY`-fj7P>iOX5tlEx3gM1^ZDHn$C85za21-4^uX4{@MK1`) z?m|uDWru*8Xm8xL7R3wF_p2?g&P>q*-3;$-qZA(QjX3#E7rYa!LkH{h=VgWY7H0Mj z9&2EEe0!rVf6H|{fwm>7$Irw+yQ(F>iU?*c5C^n3rG??JE9LyQgQM_)1kbnMGwA{+>oWLKS&JQE2t`eHjwfCD}FGWpj3 zm<|75`cwHBpnta(u)lO_vQ7ydNEwDA+IU_L+WlVWU-AozsX%khE`6d(jqDFU*H+bDKt=I9orMfky3Zcki>ej{{AN1A>7;GHtCy`N}NN`qrzsul2 zr`*(~V{`X0Og&HBkK6)!;#8vnX;9Ihb!^Z^&ajx%1WVU*7_=OO&}tF!cQc&4RG)6d z@%A_yjFi2>4}z{QEN@l5b(;L205*6}e1Wm>@YfN4K6wc(etz}N=ULhjY45CgRd(0T zz}<12Utd^=$y@yBHN{Pbh>>&RZ`|FZ!p&5mmvxyuCJ{e)HW&-jol}Yx?W<=cPWu|M z=QyAt&eO?9Hx($tg{4`j*?~f{9BcZEiyZIh$)ecx;$F4)p5#8$@Dq&Rj!u z*{W>>7}Yv(_wa&2??LEPAU!ecR~woQHJuuSTUr!gZCNuwkk;LSDUNHuJJTM`ZcNXJ 
zsf7LJZDH;x5w8MLop@Y>v7|+1fr1)lnA=*K@5VX}9v%!bxCJLQEaHd*?>l}brvQm3 zBZEj+etRWduh%XQ@~w6I3-#j<^gJ_oeP1SCc7{gZ2$6W?`_cq1XZdcQ2THW)qL@^Y zz68&AWvrKzAR}1JqjE=CqL~bMzMC1?^1wJL?4sCp^8&xE^cJH2W}PAFA=4MG$C{Md z^*9*fqroCUvy&>k`1-AW_FLI1z;u{;eDc{*69ifBfINJWrX6tVwr+n~P#VPN<*im; z)*NsYp|CTK5(8#VBo!Y|S{hidk3lT?wYfY|274jAm;WTtC4U!P9zOZLxa5L^TNb!F z2yC>2j5mV0U=8A#on5wW>8EuyN%_-n1&QYAdt5BbqU80YBqWLvqPsOO@~hu)PVM+8 zTP{CcQ7L|v%C{s;_yX0;eO!mZ2V-wNyB`p}7IUKd2W`7_yn?e3K?gWwaEEu+;QhMG zZkMVOo77uTL697m@(vsJG?DJ|!V=zB*)3Mqt*-I7;zk3t)y|ii!xWj$KNVpuUSG|#E|V=@(L@vxpTZL_Sak?kM_e8PRZHI zP^)AO%-q~nc}$DD5W*aLf6rD{g-Tzw{tOjM3FuHP=};XC96S;)m!R#Q3Q0vCHf1XZk3*LqAB(pkYV>1*syzx+z=m1W#jeWfW-bBIBwmAK8_QcH z95PyB%(9B4J%DqFdoI~irv1%QKc-G^ZHQlS{Pr5Q+J|;2$ZfOukXj)z`=1AC%ogL$$Bi-VJ2 zs(2h2(7vR5*uS3&t?^x1mAcN$&}`}B`8D=}VQWl)T|E=mavBZ5y~JE7S6%VeI}3L43gR_BFduv4IgOxjv9|0C&9n;BLEx$ z1|(izqn$N9(?3P7YJ1!n+|vQpdxh~=F~__Ip-6p<=X!}JaSP`%w5eQq9jtu# za48RP)fwy)^|={nrvtSS=Mo%HJQGDtMH^Z{V=hz@jFJS6aR5GmQlA!NJqF{(xwbW5R%l(c=u_I+^G6*fdK}8c3#PLR$6q~Ub{C|i3z z5hAvke>29)o1K3wT1>w9h1Ht=)8P^WY>w$1;)9LcTmwfmk2dO*@AsY(G`ucBWllFA z9T;0LM~DrS>uFrDh+quu&My9I7+^240&1!}M^LK*tPQ$ep405?#K{S?Xs6pTA#>W~?$bC8ai4HFt1AfpmR}TW=d{Pz zWN|D3Yimico_N}?DD4zDBEVHZwyP~CwPn2QPe2dR?t4<$8hargs7AN(lk`?f*s0sa-0+$jID^+4(Ay+9)dT4a&>?-I z>pX9o>dq%C-bn9HaMBn7>%2FlnhA(Km`_yDOvOl=b$nMAa%-y5)}YhQ3!L{E%8c~e)C-Ow*gidXLNk~~oj^lh)c zsUUgi^iPEwAc|KKOU}xRWnVlsy4T}L_li>S9Z6Tap1oUI@V45ER>hu1x3WS~H~SZD zXo!SE5s4XEIw7x^h^2?{E-qoBpuO>-O9u+nlL)YLQ}fvJupxS0#6 zq!RUV8NPrN%MaNJ#@iOSmRV{*RpPxTF>Uw{29iHz6*)Ug+D3o+3J{f@I8PMFkL~_zS_=9|H+DNSu#{g zl9$;W4C2skOqbHt%*41&^j^RkQ3xCu9eraTNo#v_{ak#e@Q(J*=%6B+kxE&izuG;o z3xZGxk=TAm1)U==B*GfyPMI+jOYAX-k}#NsTvvyxm{l?%2}8d{w3KOJ*p&yyXJV4a z3ej+}<9pWY`Rs$IpTDSv^$IWord4N0a;K_F!v<5mPnbw*tmZ$6B&j6Cn$H7Dy2Bu{ zOD(xSlK8XFRo4632X|k&Dj68iC)ETRJrpVA0fc_2i{`Nl(LIMPT)xa_=j^z*-RD{W&eQ#< zm6(P3k0y%G(tfa+q{gaFBc?oR zat$s{6<^QuA~Nw0s4*KAyXz#U91U^s?_+tu9lv5^9jUHf9|5OO!6KF*6Uhgs-R6=dP=(myuuHzq?!2~qYlu!r 
zbpT0sgmiNf$cyD3I4xaq$OQaYZLb5yGOU@1^SkU29I$5;PDF$_gH8KG7)78WRwT-D z2%Ic&G{NNsl1Z~+tI){;L+bO^YD%UqRL0$+Hdqw_Hl$W&Y=pR15$gx5_!?J?E1&`J z`7sj7)r{T09-evml3bR{K(}ucFA*uG9_!|i1%%h{GtHEm00w!a6zsw&m;CI;J4NKs z0ddr9%m(Fe$B_q-hZpO;yT_XiMu1shFH65Y_*iE9Wp@Yo%)mp-dRzF^a91ha|95qr ztaR_NJ8ZXmqN#(#z^QxtS71czX*uG%D(UR$oJG-SKo!R3oH^>D_~yLGF+Nf3N3WrE z-W}1XFl2Req@HcOp2}n=kI*;`-%%xT-Y-F>S2T*AgO0~Ey4Fx+eGtUOr)rRUMGU2p zKmr#7D$E1oa_f3*<3rHTMbFbiTv-;W6RLb%x_&)FF}P=rvv4aE+pj-VU7YZK8jm_K zk?m}D+8x{Ds*o3$l?(@G4ENgQqBpd5R7TIo`pEr=qIY(*H^<;Ng1V{$Nf7`5Y^s~l z)ZI{(!(hH|&KcL-0aYrF+Vj+z^S+~fTMnx2{v#jWC8y*tULs^URS*(=Dym;|DDe74 zlWPyYE%cHC5i@`~+c&22?&rNZ>>VwsWO2o0_O0cK1R)HNoV{V&>%5TwaQTf&3F-ZO zVJoy;`;yQE+*&1wKi2^OQ5qXU6;m8y@C|da6GEdacYxG52IN|KWw4K6xs&PkC0+J3 z2ed_9zRTRvfPK^D$b}*m8q*?*+k%a9x=0fcL(J*k-BVK*ar+R&wjHH68Z`!6leI$; zuh-#pfZm370Bwq{y|X%&we@k}j_Fhj{S)D+je3@}pr(0gDyCuw zy*|#1cCNWHEI#S5HzoXXxiXkbj0helLoU z5H}B1CcW7eT|xZeB7+E&pLx2!(9%rV4ZA#^wlP*eVuzhpghy9QmK&bNIb;FTU#qk2 zfm2-Y(h=TQK569Dx@aiTQFPraXB-I9o>gZI;nZT2J#!Xi1Fh`+l2=aNeAz-3;wd-J z0Lb=m)4q}r!#Q@qvG9El?|Ig1?h(uPQmyCb=Vj5(9q*MM*;{e#01cKIbjpODGg<56 z)`NxC#5!=Y^y_cdni;_k_&aRAaWwLniK_T~|5Qv=jKqyaT~0RU7L(;s-|IMXQ^*c`bo^oC8j z&2!F;0-_?z!$_e&b3wzdHGVFw6T9>jQrZwi*PlZj0~s+Lt>&b!cj$B2ih_ans$v6{ zgyg(9T=?ahSM$JA(jAi~s;e$|O`Y0X-8l$13h^QlA^EJCv3@7kl_9rl!-|J92@eM6 z>_?DX&~4pjAX7^1sH~_sz%g?XV+`UQsXrHnxF%_bf7_@oyRh!nR}GNy*xwy-|EG1H z2}as`Z$Et34ETsp(Z>3|-H#GIcV9WgdGP30k<;7J9Jia$M(e8Ibo`i)ZF3P zA1Uw&eGgo$rCW)bN1ZSmknU5DA2BqOgC*Ae8q0wp``eyZ2g!@w$FeTdY}u+1AYadq zm7$hJvG)qRYlE2O#R1_xtnNaD_GQK`YqPG#bfBvur$UM1<-;k&CTRdCOZpJ^OzlMn zjd-rhO*6Vk?zf39UKE$y()(Fz}H znF2Ex_~ZOJX)fo+qu@sU2%CnAV;@tV3>yq( zs7xH-7IV^H@8@H=+k(XhLd70gl${oo)qvcF=ueQ~nkLE}V@g;z4X360%B>!UCbmrZ zA7IwItg{NC;T~$d_IqQJac^N6PvX`o1bB7KWdZhpn2=cZdZ3trA426m_6oKa_4 zGbh&8LVW!3cvIT>!E;%x8skL$kXBOJ$j&UXp_$7>C>9h76xmFnAC&ouReB>{V2cF$SW-anyfh=I{p)ZQ{q7MSoX4!KUpW<~+oO8n~`( zm21=j|4z(I&oogdi0~Pn|KCC?Ap!svjzNec0APu(+%!s3^V2-P?X)nIT)8S3OA&U} z`JuZrue`~$#D+|MMJ*l;SNR|)ha1i7Te{ncpcDun%RiflMj_Gt$_G2Y=^J&Pjb153 
zQ)7HhYE@^oDwx#-cu4+oyP#v$Tnru4^JV_fH^1WBiG*m#&$?Bp4b*@?WFoqDxbm<_ z9y5Mt?aXU6yfDZr6vOrVh&=n=#OB%}0#Hc9Cp?<^3d~aCEmA9Bj9?ht3R&I9twMZZ zHUB$n41mbD=$3R8Q$zoB+mGvj$z7QKOW5vUGwArhTRBegx1V}h&3&~F|6|p}5I#O5 z64|5LK$>+5z3fnjm-u9^P~ z|Fm8>oOUqh`^V3IeUt9l0M<<>EEMtwd)NQriMAg+1C-xW5G`Ln=6{Ipf4>zS2cVxA zpZePMzTT@}-|ey@{rXyU2LbVVxSsxMTmH9J`k$|83o&ZhF?Ouw_tgJ>B7iUY|8JOY z3h@7Lm}Pe0OHpz01E{YLb-!qHhF&W`-nU=}otqru4R@6bv#hOfmO<~3DsJFG5W)UC zgIeJcx3vJOq;>%(5B-~o+Ffpygdu=;vLgudZJQ0v6?$N-%=dWz^6x%_KSVW*`tgu4Cf$wpWB1c&&T3;&$jagR#1cKSuDI zMkVHegz8|>U}Gw8VY+uj760jpqU`a%IpbUT*av``!bKiHI zj?M`&`AgF570X}gZ^+o)1MvUXWuN~xYV%L0;V;a)`+^XYAGMzU7oYhXZOrSAF7_CvW(D8_;!0Wh_)1wb*GGJyJHx676H z$30Iw{yjglu0SkeahAmxYRx08Q>}VraOKmxPk~o$i{og^u+ZH7+1__XNae#8PKAYt zJxXQ*%8EB$vb;X~dZ9{aBElM#5cmuHEfK&DXV(iuK_DsQf~9Ss>VJFRbtctCyKs#> zSkN9=o?u}ls#Ya5?c=P5kl{9^B+vZs?evVm==nH6FYJBZ8ur%Y1d_i@tkvlpopaOD zGE-m6mMd%_>;!55y{EgpxGI?18bp3tyI~tPf&cBhDlryj;Dwk~&z}MFtobL~02m^m zKT(zrOs}i@by#~D-7nmFh5JX}Dj{P*G~vYv55F>If0DQM=X8JE)mwikSo^DW8+5u4 zVv=P7tAqaX8sB~ZAbu|ZR2GVM`_jLQn01an4m9U2%_J;!x&Y04PF#~KpUzG*Mk2B4 zSM1t~U%37~0e*c306e&E)lTla^?z&$KefwETGT7B3_bA0HiVff?gCfv^!w@hN|pd6 zH{F}UQU8~Es(Y~Nh6Q4M(f6~G+85MC=X9Wg|G3HJg!WeoFS-)w!*eO@Yq9@F-%}S1 zs5%6vFyxs}1371g)u&_5%& zC~*d~H*>DwANFP00*~aU<-F~mv0T^-$8iV4+y7x-)&by=Dz~Y|{WF>iWji2R#Swk~ zSzlIBQr+`P-{ShOv`kQRxi=*Qs0s!^`)*2wxCv-fyzt1rb}E8>{~2)?X1PK(j{KqA z8dXLGy-P&k-$E})&>Pwx#{kq?$-faK-?M4mlU9i<7Y5;4Tc0uky3WjsF6}>#ke}jc zhf^STZC36|v25a4y^LSG)L#f)sGN4bsHokLR#m=SVsl)mm4);AB@LFawF{t+Azw8K z6+NsIj-)Sb%B%nlTl|ITY0j<#^6eU9pM>83^4*$Y>y%X@!aluwd`APQV`fz`PWFNnS8B3+?hheOAWiA5Wh~X`tr`hi#LCP zMyH*;uuLQS*MAEnl8q$a^p2k)aD28stld!d=QsbQ%<2Yz1Z0->VF-wpHP7)TC?+F4 zq5T`6hclo3&8sli4aDcoI%Un9Q=TeDNgm=VBpb-pjo|dN~=8N2-ErJ@WZpzq z9V-J|{)&}xJX6Jh^Z66|UDj<00y*VS^oW!$W9s-)8SsBV*&8UK1~Y5yeLuUj24y~< z0R|%35LhE&_%$m75Hvh@5cF~B<*YHQ@bR=B>%iUPwX_O~9)S;hC-&OI>1p8NlrJ}9 ztPR6TA;BT?l~GMQjag4k6e32S!Z_h&u15FY!!NM2)?cVhGj4oZZ%qa{6sT_>w`x8OQr>!8L#m%QjI(o)17{ 
z+80he8@jemRr<=Oc?l*!5His)sZ?75pdAxT`wCzp@i?b|xx_GAkGJ#9wIXSXwY#_B z=K;W&>?$qI=E9NzDVy2;j`?d^wXbB#F7yiNNwUXWau#}OvihaErsupbB-Ut%{Y@thnp0=Rulwa z5a~a|x=+#5RBv+G%PObnv1S@7n^+mRyw+E86XgdVBj%$LD0(g|aPzC7GEST^E8_Sk zK?Yhmd2BybyO$NA$ocBGjE7AMB&0sXmr_gFs)I_O(Ni)pX+clS!ka6W@-q0E%m5Y*(A9CwddZT&8VZg;cMn2qXc2Ws?Ub<`mabb34j*av9y0Q6d-fuJ#p5L2;T8CsE z_OIXLkt=-t^<%U38Yc=d1BNMiCb%sZdTpErjW!Odcittk5)d)2dB5J9#r$T5YCVPq z&91!rm^xj<2GC-dN$;Q0tJKrIdy3eVD)q*!A|5LP*8CoZ9+{B!`(!-fye^`7Yk{E~ z3<)gFY=&m<{8l`IqQ}@<#{)ONOVzBd27dXpbli@=v?&7F8n>v>F|GHK!hIY*lL5By z&ss{5^EI-B^|CSq&Lss@Hf%|uS$Kt89s=M4!tWTl9=xB5UzL7{tjhY(n)_mSNzhSwK)Tx-dmX~=R)xh*ZLV5sxsCw1enAKOu z$wZrlm3KqM7hYnzLEcFMYo2r(v8inLyNU+#yD4Tug)QVQ?jR+?seQ50(`a(86aiP5 zBk2`Jsz~b_4^j539iwDEUg#wgS&j$W!fCabS_C&R;b#ue>GVcpl4ksr$4Hh7%Nz&v z!ACM9Dv9M7W?TU;j0DMq70ZXIIP?6wTm^<5$IuG&gsN_+F>5BHynE}E4cC~pz7`Xe zgPpfKhPD=NN4R7AYvH4I72<}#&Aw4sgDVlXvzm~>$#+Yp(zK--{lH*ZBpBFj> z?zfe7BgInzHzJVb_@x9R3g!OeC1eFuliO|bPGcbS%L4!x*}A|;;_I>I;mxOjY1`?6 z@(UZ@@lL$&S;l~=imaI~cpM`xw{3wFBQ!f}*4T&8>jCbQCqR!%p*QN{C$+cUsL&&; zHp=QAd}bnSbOugp+$uTvSo?s~=JZ3xcFsY^g+``nePzLtM&wW(;79Z@=QAM=OkA?@ z`c%L2so97mvy!NjQR8dGgbk|{J8+&n^iq`VY(hzE7g?3y|8Axz*j{ttZRPd^2LynP zhK@4ayo6UIrQB=wT zB!)o|>Fy2%lp4BW2w|w91{i8)-i_yx@TiCLJm31(df#>a-3)i^eeJ8W*lT^VOt+Q` zDoejLLg>hTf)AICkOD$ zn8PiqkyO{Ou5!)0cFU|jo)QcI6<`O=+Y5)$RaRGnUL)R{ma)RKd}|tZHLzj~BTUO0 zmih0UpUyU0;hNV}9R`2r4cXLN7&hF;Fs#@(Y4L0T+t1tBqt?z7F-{TvA zIgs5AHg`txOelSw`-w6u;b2)nj`!B(uKB@5vCX1+Lt|6NQ9t#EL9&i@G|w25c@d@V<i`OQ(yNL0?V;+vp+1OH~ zn4`5xloxt#cmT9i9ftEiWbO(U1lSbN{FbAt8;t9XSu!2(>^kF(QC_x@-D@}M(7KH01A3JJ-CopJn|l89Fq^$H zVRYgu%#jl!lE1ma4%y093SFtyh&-Gs>p{0-T(>40j zhcT@$<|=I6ox(&7a=~aSNgYKU(Dbqww0UTB1FlLPig2`2F)?T%F*ADP=wsY19`9PJ z1)wbQ<%4|6*j11xJYrTcXfNe)H*ls$NN2q2l-o@m5$t?(1&>*MXj9PIySovhEAW$G zC|R|F$3+n^V!AUtNwvpfOb++PFhX=nitYaSdwnor7yHvIuS8#e*7QL)43|RoMB(mf zUTmkd7CB;mRjXK&1PF@{jaeW1cxxtn&gaM0aB!-OsXzA!xikbYkllmxrQ}GLwstpA zOg}#DK>!V*pceX8YGgcKtNT9P8@?GGTr3N+o>jAZFihtRz88V*ZFo!VXSkBV+Wx>c zQnPzb$d(1Bp&Ttb+!Z8R7>-nbj;=(8zs=BfUN&yeU+ 
zO;5AY2f7;k$I}N#0V3d$`@?}MBm*mZw5|l5Kp+oB2<>rD{eSKD& zfTs}F2ep8>RWwswzR&*Iq1D~eZfZ3g4Q~IB;zQkUBb$`g(a!I1Uk2@x06HXMltqx| z>>~oZs`2QhA|)h7S^t)_WBme)M}bWRg^DkZcNmmCoWS;ZM8MGGhxL9ji9Ru;lt|~X zaEWRLuj%=91Oh*-&ybTdn+0QYO8(Q;tnG4XmIa-}jctZxYA68?cAuw8Jb^gzq31-E zfbYv+^f~$yMOEb>134iYaCZ})pX2UUp8dO^Kp_y`9)Of=aO}+NA%n0J2=2w zR`uU6yxLAdJ6*+pp5lB6{3!>oKl_J|{ji)xAMh4;YGdrqO#EL#=eKEDTN5;Xw`B)u1(djV{I?59Do^}l$mpdS9&G&J4qXp4s{J$&Qw1?Vu|kk~S8y(~H!S^=MnW4i}rD=?fWQ0|@+b=prg!Do?oeV}60?%-v*Oo*O(-W&^7isHUM7@tV%pS=9X~N6a zllbd)d#Q5cSA(sH{wEH<3*rvaolwDn7dO(Kc6x%_M0Y7K5I7cl(xtZj`uh$1bxVXR z;$Senj&k*-|4oK=ulHR)^!fZRDl32T;hz!3C>4lsxvQ}Z{cqZZ*}AI3%UD48Ujg8n5a{`~GiwSLz|4zIA&}9^D}fwrT_4mjZ$q|8F7*Pr2~i^#s(W0Nnwol4tgi2$7CEg; z7dw#Hm9%<*dZRO`m=1Bcs7JAFI0(|P_Zsfo_~4E&V#7SaC@tkrjvG|Ba!c3RI?c96 zN=hnvb@Jy(_uJRoft2#3?q|n0GD0?y^|#M$Cxb|DKpn#WnJxZbtm4nNiS+_foya~_ z`HLK;?cdy#;6E&R^euqWky)+KAAbL5>yqaKOe{a?$?X5en4Qlux^`W44gN3W)RyhG zfaxQd7HoHgw*2ETP%VqxW6{XiaKoMIohyOqg<`>OWRW7=gCfyQPLh;4J5b3oi!WZhA&`x@w3!MQ*&# zK8v2;Y-cC`f&!HvRTxMAkGHZ-mvv(UDr1h6VgF7(`OAAC^`Mr+zEANN!9 z#p^BUx}&+Qej&hq|M+*FFNOpO&VrWlKOYdiQ%zP3v97*fA4>#;YXr@u>$35 z-C<7NFCZLg3AVIqKXx$uzgooi6K`+=W=4J3_@ARob_$6fKiQB2w&Ye|yZ3)fO&%=- zmJ?ED;oHciU+nw)!he16qZ*JG#dLX)&1&4(kkY}yy8!$A$R-YfV7unfmJKi(=n*3~?uY z6BfosXP_w7x?{Gzar|QI;i|=&o7BwTDMBoXC@45sswyWlQ!yWY`1@zR|9j)fUtavH zUi?aG{Aibnt7{hLR^rN%zV zsW4!LX``6MBGvkdRAOvbuiea5$`6EwxE3oE?cgpL?bt?4 zdR!X9pe;Q%#qi!1A8>o6#g7H$G@@JIoVc;3-(4KcC{_9>L(yh@%&wgV=;RT7v zdIGf$p?Ese9~bg-L4Gg@gvxZ2VmkiwvIV*Yx+H|d6+GsyjCZCDmybHOGITK>^fKi&*U2I`po zBc+%h|MBxv+l0$DW&pt*16zXIahdE00KfW{m4YZ3Dg>F@7y`b&cPAWTi_7W*x2YE_IP%) z?s3}@{QA5~p98b{@bV$um5q->DF9fdW*hz_0Z19uQj%~I@)8F9I$g4}vBX{Lri$eZ zzDY|{c8mdbZo=BmW!`D2lcjg5#t-LVY}Z}kAvZP;za=o++-j|~F!Lbc_A|-0t~>*@ z=3ILxy0&%p9<~ClGLl?qDuStwU`x4J<9OZ_HGkW7N}}>8;I5NoYRJhy*yZdpqUujm&Os@%^ZI< zi7b1qr*n?f#Oo5G5MLb|pBzHhDikcbj0@zKB+c$T$FSskq3QxE^SG3+u!p;SpTx?S 
z`lm=&ojUYqhW0gqdY>$cYvw_-Kkpm-;}#(9phXl4*~<0T;%G=Q=@WTOJkZd}H$CzP7w%>%T@FcI!ME$53$p^=lAy;%h{W9wV;J2OoHE%Mz=jZb*BD#(@r-(9pw3zH#aEQ4bf4jB* zxPu~joq7n8&aVL(Oj8x)hxNcq-GnXQX{#BDC|UbN@p1Gd!3U09XKYtxHXmPksx^nv z)^%=0ogZw;QN#804{c$+zsk2*KQS)`rpb^jN4mH04)>~Jvk4P1?kmqk3mx?}a7s3! z%WnE9OkbUsI!!SWqjOUXiHGznd6+tAC{&sL2+1P8-Pd<~2y2+ZUgTk6|5@lG_k(OT zpESwgwv<|ZjW!WJOoqLs%k*HVIGC?D^jgIJqX{X`1Pg2AV>imBy6l}s@qwdKvsLaP zkMhqB{LJ%|z7RiQ;6XC0YgJ;3rEV2ra#U+M#oc+r-}k^fvag9QKBPwI!cewii}n-c z%TR>2Xv9c$dN&V!`(LEq&n19Z4B*^?r{frY@_izLy31c4T+Pm8A&9C|l4H1(lYPLn zkw~OnahQ8$%=T>dXg;)~&Ai#q_d?~-zGZvUsG~^|fA6zdKhED#S{KPNB7vy81~KXi z_&OySpJa+EZtqKBR};mN3(gvf{N~BFT|xmUdc6z>LZ`5*++Mx=!arI4&oIbLJaU%j ztltkv^ld>F#MgGs254s%Bjaa`Pw3dn76&7s#kV@SANbdyys5%+j+F#hfBl$XcSO2U z6Jc$I)r=o;ndo~xsLNQ-3d?XX9dnD(R?;rUU zD|)_5Pa{K2@m`&ZzIh+RG}An_k`&Jl4}cVCoipFG&J8?aWIumC`K+&>U*mT`X;MBJ z5BHeEwkgRC<>pBR%dxq>NXZQGfYP04z3h{1xSD|+VSPu17w*1|M_PfVWo;2`feQF6 zXAzXD(gG=k+D=z<@Fh@X8IwNbZP3QNqOQBUh}*OaLW+chgl*`_%-H&{W6)E+x!F4J zKfd5pVFI%IzLJ^5Oe1@ql3BPS9J)!o+?SueF20!4B`1hq8>m>26t8F?Hk9!3G#0r> zqxYpes4h@ka%pRU^YhLqKP0(_GK!oo!ojI5FC6G@CsOj!K_0#Z7Wbyf$?or|9Ty!^VD zAJ&ASr5^5-P%7y70D>60@`Ps|7mhl3oy=%3B9y~dwFCzG&3r|z-pVhrmX6Wz;%1T# zJ@Te6A9HhwI~fy4o8onc>GevzWz4*WOIyGnB#D&~=dOp*1x|~0x2=UA>EWI39$h6K z=)(`SW(;->gfM&z!=%*fMPcoSmJp8hUD`~Jp+v6jQ`9{UaF1NHO*emN(I@ zI;O7S?yXa=?}qJ+nTTPClE-nUH8=aLmG+a=*4Dn3O*hdQyJ3Iub?M~Yn+(E%O*Ql~ zW1=wWF-wEn0K4v7E5)ZgvCb_~I11}l&>0OTW9K%kJ7k+-7nB~s8>+(L}x$qDGSIvq~^wrR;y zq0IuO%HUNu9WeAP-T~L>lkBCQQ9Q^`k~xx7(Sr_DM6dFq1%$#rCf4ols+%w9w0U>H zR8uq@&0g8@#R<8(=*;tk#-o7=m+HOKgCV5Rd9i)Bk)@>Sl z>bcTH?Y=*v?i&&EB$PibnGIhkYZ&2|L@bvY6VfvYg_g8M7=DRO0qS0|D4` z7q2qXX2DM55x$DRHJiW?xc1f|%e7&)lkKiYj?|7I>_+TrFA$`v)x`Vr1_*aE!1txx z7?Xk5ShBd&4YZ}(R~5gu09uXZB`?bt`o3xWf4B@wrwE)Ttqf|^fV|+L9cG0-^ zPh`bk)hUQ{WPgG|=Xv-xp_57txlO`?9T<8L6P9Lk7(BLDhLPYMnP#o`F(yVpJi%~o zg81236EcfhZ@HlkV!5f_7fqHZH5UUy?jeP?cPSXR97jt{rt(yv9HDT^ZW3=6a1xhN zo7t~?AS0-QGYjEozbq&jWSCZUgjK;%HKHny*bai$XFYM^-bUTQWY3z5Qx2jcQ%tY@7KO~W0{K}0d&Nf8?o6+Xq;7F+ziSI$o 
zeBCw!1WLa2IZmRLy{x$&@{M!zP&sx+p$>6Act$3B&Qxi&y52ZT_`wSYyzTV7G5_u;ikwBbamiAZP`{>2WrXHVO(oOHGm(s-X|8VN`EaOCCP%jU zdv%l6H1MkA-oheU(Y8^?Ec=Lpm#7 zPlu|U#-{hORIVL}3-OJS_Sfv1HV00hk2yDt*;V|MjT1gh2fv-KHg3v(^wGrwP~xkD333(X z*jeoY#01Df69$)U3k@oTWs&95tVX}K=!Q12!J3tW5C3VaYf*hBh}9~2PD0w@Ra#8P zQZe+w^!CblN#bL9Dtu9X)T&3~igDKSqHQ$2-66F3uP*Z3_@a*|whyz?Cm@kx!Pc2| z_O+tOgxuh0BDsV>Fznz@-RBs|Cx+=K@LRJX@$nUg>5nArw11|V{)F2kf#zElb@0y3 z&l8hg4+yvPBc+gwx*xnj;i>$PrE?UpxOnw7h3AqZ@&2g+zd_Z_e?jblQP8b$e_b?g z$SPLCVt$>pj5O0VYSsv4lFsk_t&HS=qES3EKCTy#vt*|1mc2885qo*g#I0^^L6X|D?o?I@x1$KhrTq43?hXdMZfjhDHO>op!WJs0OT|`ds zCUvG-R)yyDZD@UFm-}au$6pz8C{5=CZ-Qa#?l-{j=LMt7aAU7e8qN{sv zEM<08X#-v_+3!@o_%P#*!4=&-1TMIbdk;^Qz8!+cPQ7n6%-FiW?|SdXdbVEtn0fMj zA#`L*N(0UQm&U!sO7^dHWvrTis{DQ=zkQ*n*m_ei>zdlx@!-RG~tQmPN$TyyLvjr`2S`$PQj&GV~xgps-Lg53#*4=(sE-Iy$=gX@I}K@>I?aicuO4 zfwx=4j&IzmJ4zTa>uac3zf4uKBtGmexRs2=bT5H?6mOf}y1z|(Z_xtDx%e5W5 zHT+2fTdd}k4&8X@mlqHjkP&5Zw0?^Rc#Z(2D59mUT@M@F4%dTurAy7C(FYH!RAQ0$mIX-fL~B^t$~-_NXo;{;K8W<-Y=de{EfzlC0{?&X(`9zWh(E z8(=84+V2|>pdzcf^yBjfp<)RLat&+*zpd_>zn`~Z2I_FevK0zQzcYl=NRrHzTUM@d zj!sTa4b-*UMS2&hs-~ti@LdE-X0Hfm%-!2gxj!c-jrF;@1QEA4$cgwX(V$crNFiO8 znb3v_I#~4n&}LS5i7>)>Jg)i%U@>O~ns1)^`_Dkm1N^ZkQ)%D8u#e2CpggJi1{?tT zM>h5NYJY7AS0H(Bk&DBR?C0m3=v|LweMm0e*u-O5T|}{4piKk}Cier&)^#L0ubKOt zl9G~j_u^Eq#*Ym2r#K|W2MDYnF2V9U3xK>O@5r+;1UY7L;h1GKk`2>+W82yuvReVq zQT2X*0Hi=Uwx^TZNbviCe&;ja9?d@oIE21#?BVc2Gb%w_@*>M*yWZIMcC5datN1U)7P(GJ?je5%}+V>8ARQMDs0*+ zD=V8`FiGB04B3)d)}o~gqF}EVdVHsW`(a&j?CM@u%;UojBb zo(eGc-$ER3OTU2YfqWc>1*xvU>+ZuSS8sYRr6WVN(-| zyb-As7#i#DJk^u;A)~O41Tc)G)tBzsqHBcmT!%J&0d~heKZu#_%!(B!o-KbwB3@ud zs|&G@kC;M~cz6;?|Gm=x*CN+ZHptVbPr29G`$#&+Ta^gzYl0d|ycA+|@50IyzmtI5 znFdzJP#Htu(sUVfA|~vLbEYYgtek#D^Hbd0JaM3aMz#ZvR;0bVeZvKCTov-=%a`iB zb+FyXr%szu^c`Z@-EyZys`mRi%8NqmAI4m`UqaquiOuJKH&hjnGg;g^{eoT4Y8#qw z`_#taM_vWrqz}U^nXq@do}cnm%uANZwJSc(x$EZVEitvs zcDcRZdjb4nNxFhW>K;BWf|5h(n|JJ$W@K&exnIN1Qv8H|_m`!Y%RpDyXBN~OCac}G&9oS{$)6I`G-Uw_T*M<-)R0cmKlH+qfa&NaH@b*|BH#%=arbvh* 
z>=C)JlyxI?&N#sybdy!~?%2WXkPc;_ahVU>U)ZuJUM5D*d}r^zFhd28dC6lLE@`m;-(dqa+pU<%W`fCl|teMn=aj zqL$s`b3pd600U2b{XpY4kYi&pf4TTewgULfO(H^hDdWvT*$#=_WzFWFranqR1s%>q z1?=L7KT87a0{EsukNo=+@f70#X1UATsn9J)W~MH-%dXj0c0;m^dV;i`eWd$xeTX9> zgq+fos3j_zV|TWRvz)i8E>mx7rxZ_^zH2;9uc~Qo?tbfAV`F0$8Ng-Z;^K}WjR_ws z=*}YCgA9t%a$`*;TAEzgS>%)qIo#5VKEkdp6xByMDhbJj!vyfx1RM+u>Si2-CdO@h zr*v+R?>p0OhIzbx2xO!}y}n&D;TbRb#~^$5HQ}(U-utSgHx6YRR&KBg;D9V%PZ%mV z&852qZLWyzYIPHfRA+qP7=T0RM31G2ydHt$ZHCLp#M~-Obzq14W?pjl5sw*zHU^AS z=xJ$>B5RoF8v_sSSA%Y9KF=54hFQo;>dc06FAoL>(Pdk#e$>h35N>fimKD&4cQ9Vd zb2oTqX2!(%gy2EU!`ygiSaWTy^fO68cK6^s+{#2Zf6Ij}$MY9N`Exgr2;jk4^zD1J zWtScCp1a1CiJ+oS2*`?kQhVBI%9`ypycThD5l50v;6nKdPZzD(ImAEiIv+9Qe8#Gf zEYZEcPfl^KEc&4j%x_GRUeoE?=M{5?rCgI(C&rZhq_M|Hg_6Efk3&Jl_81rj%@QAx z-TWU(-L=DYu2(_4MpXQ4ouI2AVmW4hS;z%FDyxkqD8J4ll16g zMBza6SgT)YBCiku*{LE7)ASAN63c9Hp8kL$>;g-9+Z3#hRUn{rhL||wFkIcz_5)B? z#=u-qmWXa+G9h8-d822Be=i>y z0ZpyTRp)kCpGH{qbN$O7V|C*W1&H;8!Ca@ivyY|Ln~HZhD|lpWvZvf^cXP9!fWp^o>1 zEFpTV{ShOYg&VBkmuzvbT;xJd`aa8ggKHZE z6*)~bNCKaIGR_ai$)l=m5OVQ*$bo|tn4eNLH8p|42D@ASL-s35jI5VMtPsNN-lB_% zrcGacbV8GRiyVeKV(LX-)I&q!4hBo?TF78?0k`E)AY4ikWk-OJ=}0 zDSo2!nCc6R|1isSOPQZf5XpdBOlk57=qsG#dTEZ9_5^NofDxD#syY#O56~gu#(E!v zF0Fi-isoB1e_wnC2?d!`ZLW}mo5qotHt1e(;hQqbYA-7-{r=0B8z)=#2JJGz`Oi8Z zC#1)f>nQG>JLQF`ED%wpi4Vh#UmY9Z=uzpanhY>#0@PTjq3wX=vVunZa4{DGX1NGWDj`2ELqkIqda^6RR{f<7 zDs#ug%%|P&E8%u+7>F)Zx4-{FtNn7yT=9}{J8>vwmN(5n zi{E28Dq5x6QTgM86|khSi%Sm1FL3!ZjhuwiJj!F#L~s$Nmo=>`(bk)#oaCOf)&M=$)1=z z*Jm%c2kwK;JnKmf1b%kD%F^TNvl(@pf|iap*|Qw=*b$~9(d1PO8vMn1ut_(82$ckJBZ_y%UKq4HWI!Lv09Y zj__W2B1t>Y^YJ!cilAt>JWst~-`rGn!&Jevqtif^19!3;d{2NuuqtM))D5N@CsAM_ zsrPYJ1YOb8Z&r(Ll%VJinNEIu&Zj=WJWYhJXfS(zFfN!PS*|slDVG|fm5}{HWUzx+ zC@8BNu`-ptCo08QQNnMPKYp1qYY0Ch-|a>LfZ{vTqvK%6ns9*M#o)umRLVQW zmvYW&2J1ug1d_d&QMZ_ngTPyjLUBNngWjxcW*$G_!CKQ#};_g`AFLO-YO6fwKaSZ4~~HTv&{K z*%|MQ9FyS8Nt6K^8c)G9vy46OoTnr-6oU>WoT^eTL)fQKU}^!`We1%^zQYanU`m!9 zXfWO0tPis^)Y<{_T}!x<-0W9f4J$!j6~Ahh#~z0776H6T%(h1Mgcz`A2<39f3ibs* 
z^E4J33|Ri8UNu2Nbw07s9|JW}KylOWz$gZ3GQ1en!sU=6r%lanlnJ6$V4tMO>Gw=X z!+4fx!Vx$E%%j5&L1}k4?AdqtJ+RadK~?N#)?Fu)latk&@&4VT#Y-1gfbb6u4OQPi zYBBFxMc#29@~&Ug9yL<^qH|FhP9_9p-46?b76k6nY%?SrIMvftcOW+GP=tY=ulyjA zR_R>IYV$&?IJ4#1!!Ttc>L^wdr7&R)&E8Ct-XnBwo%!brvP8%f&y$>}>WMFpA(K8A zA4>C3l-mv+y31DSQAhmElnKUA-X2_#LyQ!aM_Z=d0&2;|XHUnYeZgiuW;5J~-aQ!i zQ{tpKXG!T>b!*npZi+?zc28JK9eUlS^FJytnqPDbwW9>71wgICFL3D?sqN}0t9?!k9HKE-y${FP3;Z!*zSW4?gyj~M1q3*fX+C@j zW!qGz+^I&}Ie4mqSLDJkS?8^cE4SYM}puOVV6!V!--c(h)Z zgRV=wg?R2{qXbW5I&WJnC;vixcav$~OiD zt5kx7*C96rA5LShvCt|fBNMk#E- zJBMVU_z_Y}_a02|?G72usKg2^Emm^4MUduX_eYrz%jiK7w*2-}uhrYqaZ%Hb(nWLG z<(_8Yh;am&etRmk)PDab!y=FhoMWn)+{{3rr>Do}k$MJaBvS~=Mz%n5L&w{8@$gLK z+*o8%?DEE~2Q$T73-!br zltjuIoLcS{WS@K`75Yr;JuyrdRqyhlc0_hVV-$%d>?NJGJz}DLOXuQ4LHutK#d66*_zZQRL7& zThvEdHkeNNwr-@~_yldYw)XuLankv?O1N6F@WQLCY4mF7!~y2AIeJ_3n>L|cT>&-S4XKJpn*gn zqGS-mSqAz6^6a1=VD_oh<@;AP^5Si_Shu53#9YVt>CtHPSWlh}OR<;^W?Tkn>KdV| zb8~Y+^@z`3>~eZOYo3r|)t5t5(LO%*zB!su5#T^_Oy-PF32LG@&h~bHOJ(~v(55YZ)VcLEb5(JwZXclHzNuI#VvaDb3r_ zcTP$~@C<9mGxE&e#Qhpsuz=qeRc8)TNb?d@4@8=bk@ZmH1P`GY4A(`1O+|MrU2kQ| zr6a(b$A=s_w|Q$8#go!|l%c-QVmtNj+frQI7WA+aLywFd47R!AD9D;|BZeU9(Qgu<~34j%Sl-nS{oeXM0X7T%70Y%eNl ziB(r`34ItzHqMqnKy#=0oU1xzv722~_4po)+ugcoWq)(U&=Ve0CKa{md1kzsolh5@ znuOL3)t_lRk?)6!A$gFKR%CWq>2gha)>GVg*QpMdxY-O+QF7}e^%2XWY)ZB@ZP`Zj zulNdWPw!GccGRB-TjL^5JOO0R~pg*E$u8F6BIOn(-JCD|v6H@bEmwfrOIZWl zDH{?npXs?9L|{UgAa>oi)D$hn23KRW1F_T7Z}KxUUxOC8$fb)8iif*Eahc>w-Ic_3 zN6!Us*_MA#s?7*V?lyUd!VNb#GfonOLv)&E*R=fAka6v5B0ScPI|5)XAd}VJESW zSZGvE(wMkSp;+r}q34=LkGxr4weEZ@XW>?ntz+Q!z&%~-RxkEnJ=w;7?v!J1VR0C> z?VFOdvDN7DwOo6lck0HOslKJ7Eo_#igtv5VspfG{Ob501sX1~Ot`6~!kO!>66$rJN zeAShyc|3~S3C9^pJ&p~32(!2e{5s@fNgp5B8XuhP6rl&PUN+eD5Py8%x*>4dHosNW zzd8EO#742)FJ%>DgAH)LMQ}iNZzvL^9U>57NTnWW*QZa{)_tP{@y*T6=1T5$z-Kzx z;vb;5a$DCG-j}%)wXpm1n>yEIb%Pv3syq3>R?a5QwL7KSj+(WP$G?jYBg=Qm?I$4H zbuf$=4+XY^o#Z_w(IdPMT$p1RG&1m-Q5Q!V=R+j|YbCO3B^pv<^^sJlZvTa+oO-os zdC+j2bN&$fbaCPGyhDlIvK>y`%d%#KbhTQ&2We+MFgrsv&1O6H>5Wb!G0Z(i;YRLc 
z#Myj_9+C^mW=Zb?5EhC(><5-4qWfYiX(6M2nThyVUx9T6GC>EwFYsi$-#ki{p!et# zxGU}c$d$y7q`(G_4Q=(;7oZbTa(uU^??xiRI&7i9S&MrAp?Lfc&NTd^=#MN1E{z=V zm+yq(v3SF2+?78HrUW6dCl*h-ZXJ1F#>IpYGkDN-&r7(R{(6qCO1hb-)B8t$XkBXQ zHQgIW`iRt=IXek&gqh8pPd^w|Iu5^@zFVB6@6ji&E~=XBwTrzZQP=dCAkH(=x&}%1 zZF=$=V`@zq_a;=Dpe>3B4<)Tuw}dIA*qAcHW-1TqTA%cR6brREkD<6+UU(7nw%b13 zA9@bIl%OL`#%+3g#&+MQeaxrCLa4s_jCY(&cPX5=$8@a1$ZIh69=A@bLVB2nnp@fe}hOs`~^f*6t-WU?xyg zPBHGY-*e=pO7a32t`D}R&&McWhDS^gRt}+QCtj<_+PTZQj+x3GqNDetQz%(jki0!z zU*d$Z_7@`up$n7ACu&OBIXMOR*c+}@iW^MfcNfwbVhcLW(&)*$EuLpc9PqY6$A`_a zU!M_p@3twd|iwGMf+6x}K7o3JcGE%q@KOydVNQ3t27gC*1Zzen(H%Tb9h!g;gFa zDcScmu7nyL==ucbDb0w38oa$EF3aXfLV*QO>jiG#V6j#Iq!lS@m-YM&hvKf$a-?PdrDf4Q1`@Yq57QHZYV)7b1BSIprt_8>%Xvb+vdkDi~2S>XDRD zO!lr`!>7kbkU0vUiYpRzW8sU`w1uJx7q2psM1oWSUab=MB3oi$kLl~5uCP1sYf{+o z+wFoFgZvF>r4kSGraUBk*&pYv+eM@-;$k8xe<93t$0~o_ zsQ`hpl3bCLo{$U;lg#dk1+}R}JBy|Hhm5wq%p94=ZKgc3SCDGQ%>3+45rSM+OWYA? zG*LmS#B=+Oeq&!`H-`|dch6B%Y@Rp0ESdZi;$+UKO>nmY;tQv*A-_vRR0^@6gANpG zk0yW@Y28Elw4JP^fekx~Kiy^G)iM;~>!Ro1;5#Zz5Kc=c`*To4T{v!S+>Fg3kf%f72?tV6oBGpSZ#7c`n z9a>qjpWHB9wxNCrw0}$zqED^0={&P{L|O8U!kr3&B^c6VodlB>_u&Rtrtz&ce7%cv z6*&cvk}z5KnU76XA}<{B3rGws#F1YwwK3b<)pft+eh@$=!0xPFZ7*C`sRN+3(mEX> zTLTl}k>8ay$zQS>v6|j}*zVkctiIk(>ctnLjs~$J`-;xGb9`cBn_Vku+|P-}6l>XK ztX!%@cjC`2wqc3`X3Ppt9SaX^Re`@((RMzG$)Ge()>Maw3LG^m^xS1K6#RMDmW^*! 
zs5Ws4;M?N${vhG}fbLD11d5#G2nppdUY#;Dr$`IVQU(%-yG=|4e4XMAai|NCwK`{s ztTv*(+|)18LGVhQW><>5~HSsCPd(4%^Oy4oku_EVG7Od}C| zcvI*ugGpS6&dSvyY<;6hd8`vgmxO9FHeDp4p@ zW`2I?pkVBd#>wc062{}54MGh}&u>9J=`4U+iX16lhKaA8<XB}zUucanhgcP6_n?9IA>5fXOC9i!&HBFuB=`49=q)B?Gpkx0W z`iQ8uqg#h70Q?lOUgcrfos~G*NRE`RC~X?l%AWU~Q&~lB=iDY?4vCY(Fbu9fqL&># zj;>cqlIxYX&_;;2i7rh9-=6gB(uuzkU4&xlIDTim@TloBL-9(3A5w@TmS!=H%djuw z`2ux&#hXfn_?{BPg?J5mJX8+l7&O>*d{qzOSezQ>n61qc>t}d@Z6F*Yc)Dw?5#|w7 z@X@?28*{t>K^fSG^Xa-I7imnOwrgRsGh=LJVIult4M8j$8yidV?QI14E6qrHy{9~P z;yeB=IM~o@&T0>RCW=d81vy$bE=AtFfqlOYSb`7OvP!cxvdFa*xJcmLs;Y`9*%0pn zrFPsvk?rzecdr&pMz&KG@z-J0o7|ZJL4i7l$J&TXtLiH~S9QMh#$6;ZN4Vp{oO0rX zs37n{e(kBrQW{9PS$m!7G8 zTRc5A8L!czqDc;SEPQ7!ltaQG5}u613T8#1b8%^wLR8*qud`HuJcO3??!R1xR?azR zeZSfMSDW*!4iKKYhgtS63Bmy(9bA8=-25S7 zPkKE)7HgQE!$;@x(WHoiOx~yWik@MEk z+E^Opv{??|7jpdaCVuu*K<95%Rk@m~H~>q0eh z3ETg5A`rX4`vjR~CgajgSrjmVF3)Kcc@UxjEyc{m$k|QVnx;_rvs5Z!xX8>Y2xQ1f#mu{Q*0H@*8{{-h1!k^pL3d6{kn)n2 zI&ND|s4TK7=HOlRuCybydAX@Q;wITjEgM+U9m=K2lz``^liBKu&j_5wQA4i1Vk5({ zMwunoQqL2(h`;@O?oAj~+vGIc1LuTVbf40q&`+g+2}v zOLD>6eZ3*3Y79kG-c?BYY6M++juw8E2^wkca1IJpMOQx^o}1D4Qh}!w2RRt?S>-vJ zvE(G@>&UAc$xPb+zeeQx9X+_uLi=QKgsth(ERw7ScJtvbGOB3i3b zSgyxLM;$jG2Z5oR{8w2ggkr3}q{5Z$3nnw@?;x`LFAH&K5WzL5}ewLp3r$+bY z4~WikjBLpJ-L&6gLDCVWAd+@-pWAp#T$6L)H(e!CCGu%mGvch2n%!Rf;L|>8M>*YT zqEpZ9qshU1bj);*EjsT=Z`*$V^M{IDzRE!D+@Elc2Kqo(*CwI1Nj7ku3BpGI6I$^_ z8b%%-N}^TacP%cYys0Vop1xjUKRP4!HV32S?hJeiHp59dy?tX7Rt`PQ$0ECH7M6!R z(DHYVFE`dt<&cTdNdgsL$VCG`)8{uOi48}L=8l9NzbzD1GU_Uljx+^a{&*)c+2J@A zZqrhM1JSP z_-faU&X!t^8Qq=X zeth0l-DWorlUO7L=xBh&a)`bWY$w(cSw%5?ZQ}>I?2yZZi-N8+dLXa(UPb15i3P-Z z{}O(B=w<8g9UVE0+eqOLVs0Ksf&KQCpxY~?=$I-%vH{doF|xQ^fC6mb4L1aoVA#Ti zG4De{LaN_d{>gYObhFaa_WpK*-?vP|D34XSaOn8^liz;<+_}L5NFV!@l1_5Q22DuE zux%1KFZOd<^b{k<+S0;2w!}HlsuY+jN~$sInKiG@0?iqumWCzklxPb)I_H_6p8j%B z;3s`KwpkkA#DLfcqIK+0GX2q$N#Mjo>pYf>GiGIIc1{_76J2O;r z!%*89^HU-bmIvx0j zDeEMNUjTlZ=3si4bY%@cut?6QK$o>M_^^U-skImLo6g^vS^fcJ0P@=DZ|SYQ3t~If z!!H=&e0Uwkx)2gk=c2Yz5&Y*NF8r-&nzj~cHd 
ze%gUV*Aa;Aa8vi#oLrk_4~TF|`m;wP#tCJowezMcoh;YEK?$U%^Lo(-RAypLkImeg zYbVnkAqGHq;x!faUC)U9&tXH35Q6%Yo9u*gQcjAXBu;mdU;|lp69^KG@0AC0vQyD_ z4R^LdvHqaFzGb9aZ%)0+h|~43u&}6FzI4(tv}W*+?_U>txSsc0D~&7JO^vWSLNC-2 zNk+Rfgz*49w6KOGTZhvdJr^UC4h{}>07nuqzs~yCF8q0j-}V~$1z=_tou@PQ8Qf+>u2f(+s8M!nIKj!N_@m08H4sIeTjpq|))8)0waG?^phG zl=OGt{&~hmF{SLN@NBh>N}tU|Zsnbu2(kU~@ArHKm@^W0X$KW7-=Fx&cZ}kI-6TcT zm$?(y%I0=|e3KJ^krQkEmL%L?OZ8u_MjdF8T}_Yp%)b-D&-eY~x3{3d`oF|L4X<&; zGn*fN{yS)He=8&iFu!cu0hzFW_S_FEeh&IogvJbRPW}4f|2qOwWHbOSyOv|~|2Ey} zUv&8?;{A&*KgY>`(dGYNbb&PPuZ0I;7SJB&QdBmwJmq!z=d$Lql@N8+Dasqa{+4Zs zft2xY3fjh9sZx*%9ro$|wSwUVlMOyUPNMioj><9#5gfELR{0fV){hii+PVrz7eR?r zWZ@XXBB(uKqYgWk!)nEF*xbXWxKMkes{8kRv=y+pRtfd3OgK`pKZo-Fu=m|zO`cz% zia|jX6|IOYTLnaABglqoMK*%$StBDtK!~ic47QFkm9PW?iV)ed!VE(NWJcK}5Ku-W zA*`_H{bE}cRItyz&;9H7m!BbdzxO@oyk`&f^j5-n@-%i$pLp@pQpyFDbAG56+*(eV zMY~7dRC@c?eFNx6+z-42wc|_SGOE{~w@d#~g3$P&Ts(J)u+?ejq)&10MB`)S8oqW( zMT+SQqmM`9e?V8DJA_{Xl7sa$N%qV4_#E3`)#|_Uz%?XuEviLADQCy^;)kaHd_%ch zdDQc0U-El71Cs@6b+giLas7^8xxalazl0F|ZEm1t4sC8e=$E2d_veWrupp3Z7a{%E z^H=^$5cNLl9|An1qml5zjybC#qtt&JrH;!9oV z*o%E@Lr=G*3H;ls?m0U{xi|ICT<`A#_w&m6mx0ul;B=?vFJ2pD&_7?sty{Z01NJW& zsU9OtN|t*Ie(|kMRu7^(2=Y<&oZJ zIqFkL2I&m&F6w@Uz$WL|eOA_7e@ z{&MC(sav(i54K_b1Vm+hMkfgQ%TZRJ{`6lS0OuDFBqsK7e`54M2F8DH(m$XM1|~8= zM_Y~@`SNW4d8Pkt=6i(n{|qwGkkQwBg1({Nz-DK0B3%l$mMyGcq)s-->MsI|Uc{ZT>!PFwCv zvGBb}=|9va#8#C28|DOsp(S_rhg7(pQ9Y#52^W))nroSRQ~M+@EMQ@clyc> z*rrcv$ETGmk5#n>sckzOeq$XU-Ef{yTHeP8Dln%2iZhKB-0-b8R}sGhaE#h^o&VjB z&)vfR3>f4gZc-W>@RC@~P|A$5b!2!J^T&^f+rN(+?FVEFj#z;uHXg_HjObqg5C#4l zN=5*0Q~cP>S-Gz_m$V0E8}uJHXG!0jg_*>c@{qo7U~?hB<^=!a=IAL+&2DEmDpCOC z27t|F{Kw5H(l=+OFY&1(!#~7sdgeJhKqN;0jYwMg01d^00+IS8;{Se74rJWPjB0Lf zHdJqFY`lUwpqzQ4Ws95p#S)rvfFOP)6tn#+zn1&%JxAp&Oia4F)%s$*$BG4*6K5aK z|M)Pvd}TlZVhnWr>x;M1SwZDZmOTgM;}a6HFWi@6cov~~^oJP)A{F2d@g;m`f8Izw zK#!T-DBC;#4MX;!fYZsl1HZ9(0YdQL5swMU0bsoQ39cWO$jWl`E{r+Nw(FY;ftWO7 zDlHjxB&4>tX}LU^!cB60_3CfAIS%3WhUE8arj3?{=~~Fk<6n; 
z6O!OV|LLsXRK@9d7PVnm;+AhZ$EYj8{NocHMdJY@ueCVKc6~oiI_Q-30S=h{-#B0j zP)vDqv7;?$gSZ6nYHteQ^{4-K)|&vc*Y1Qr`rPK`Z$1s2RSPKZYy59S7tKRw3nm&8 z8&%B|&BPG^uV()duK>4~<)+vl-gwK9%$n)|UfKWKS?TTq?bV}?K1LnCxR;`TG63Zg z8Uz9%LLxRkUW=Yr^&(-(V&~q(8ZIDcRNnW}-G9TS+=K}w(#u`1~LW!$A4O zB|r&^cxkT(^iUW*w!JMH+-R^7SQ{|=rQm!7FiL#JjOfvg+fl~%^kiJ22U0nw6SudG z%KkWkDkpLP6xw9GD`|tm0%GdfZ)|K_G^seQ6@DAt?Me9<<_WWS|KkFiN%8^!jh|V5 zKk^kgG>-+u!eFrOP-$)fAmX#P=+v#FFnP}j>yDlu=Op{>?*V-7{NWd(UqLPAQ=sQ~ zMlldR{iRJtkdGyC_AX?A6rJ=#p`E|6EU9Ci;&op9myIyrhG4QI`me1(z~JLhCnxvY z&vG>ELHYuj7q%662m^iZdbd$eG~2X{2LD(iS308i90y1~=#j%$r|~{<188D&C>wIJ zRWb@s0!1}Nv};NAasi!9LvW8tvv*4+~~JM&3E zI}>_(`3K4|H^GrT;CFy5b@T-Nuvq^jDZhO96W|7aN}l=-)V}=YCdm4pv9q2sH(B80 zpAvNe<`H(0@xP$;s|_al0tcd+!6g3gqE&|goAYqXvrXXt1Aoe=%LZQur<$!!zKMJR z;{U$_ck$Pw^mLUUc;|P%^IZ$_zb&Z?I2TPXC4F+HZo2XB;qiaW<(oiP{vUJs>NeBq z>wnDUn=@c$=sNsM6t%!uS2fEgi_X|&N;UeAdU;s6&H=XTqii`ypxLVX8& zb=Wu0_K!H#1jb2@91==NUH^s+?Dh>S!l5%OLc6UQoh(n!O#8kteg-s2%G{>6dFl{Q zDt3kHBP$`%n*THB=ZW+i-um$+2TuTMtxBNHv&|37glKAN(z^#VszG+7Z*tfTCa{OJ4t?jX!y#{1J*F*PWcQ z@-07gf8F@CzhPSsXoo zYYRXgLZlmIN3z-g?FF_3WE!x;^gr4*H$D=7riU0l0#fqD)-(=y7fg4k9sDLQ{e&n< zm45ozfe}%9%JT$7@PYcK-@i_8kEh)7xe44i=|XFNk>}*q5m8nidE+gq(hWE|X z#|*V&vlO9G}{#ODO!MI4sY1zvnka_pF+r%qJReE zH`9h4#lH!jfA>C`4KVf9#ZtL%G1Sk$+|3B=QdU|z>M%Py%aZQqCL}@yu)lZx)Vgj2 z)aSMS-MaUQ=NOEk7n(k~Luv~bw)K7hm@4@nGxEQ`(@Gv@06*w1U}jv`OunY-=E)@A z%2@dtSwU*YfJT;znWx+pGTHPt^>0*)0<8Vzv*Isun!mMIFk2UqsO{k35P=mrbLMGv zb#=Y_R>#++AHO>Pb1v?;?nmVj#;dih!0FR~ZedT-?!z}FC8j;}c*vpHz<=@aHHPS) zh{6#}D9e(Ysks9Hq9moIjk>khB@=xOvhTW=*1bXWDk6|wB!wx#FoG%m;{26Og~u(R z9_X(s`^dghx`AJ!=g3W(YnFZWf53OfgAhwO2PPxw58N*y~$p`eJ}u6SCbP>Z_Nj?LP-J#)i|H zq+xfDu6tcOLrxy#53S=jkG^aDU47J*-r&e*AMZun*^P^=J6zCtfNr?b7Qa$3HE$^| z|L#5N0|)vh#a`qr6P9 zw+M)gmI8!TzOHl7KZ1Bxr$4K7OdV*GJTlgDs8pz$w;T`-qkXq}Vm`4W zIMbt)Bl^Uc!FDmJ?~6A?4fBN}$zM~VM69%xmb!6&XmJ+) z+Qg~*hc+-srse(ntF)bVUo?vSmIQnaq?9zNxNOFdl`E7-ol1amtt|86UvA(-2S`BC z-MeW(Is6q}EUUfA(Sf?DYXE@wvqN$=VHu;P0Ih+eTA30~fzm*La$Nd*D?Ocw{{L@n 
z`CpxGfAj@laW(U^;7w3;1Xx_Vv$M0cqobp1d}wF55YX4{_O5;I9x^~?fzD*!=CLb; z8a)qXuwBA^6D&NS^D+`HfnAoncy#*ak#{XjF*VI8-41YDJO0g&a7k^xP5<+?ThGqu zhfh4dUoP$I7b&wJ0aGr(u@z>FR9#wVYUHMw|S^o*bh0f8=8zgLU)`LIq zFO5e5^D%(n-q`grAfWg0M*Nzx#Vr7eNUzYbY$3DRMeK^GtPW&v{gZ{gWp;K}cLm7& zeDnA`#Kq-u*UghE?3)lD{UktcCQ#&AB3`pGtKf@cib^4*`+OuUN^U~>SHY?PSNw>S zt#^MB*geGD0Jbr?=L^by{nI@QZCt!u6kX1mS=|)>6|EY|LoI)g-JCc9UY}wDaQH_? zojqSH_vwE8^WenvN#Rhbr;q%I_aMgnp}p&J>&C3Kjlbllul~>o*R_d%>pC-#qytpl zT>^$tY^lfqojk$;cSh`&JtM!`xzM2_lAcHDR6qUUZIV!%xXt(P-rwRb?BPTz`s=&% z=@aYgj63(Dnwy&FgSHN-ZXrWJO!)?Y>79AnnfP6T25MS?O~MCXKcFj~hvc?mRlr52 zUqYy*FYNoqjb=_|F^r@K(xo5)8|2VdvJTkXR_sI6jlsEm!IqxSa5np(fcDd_nJo+u zIy)e;7cqj?DH2~?1iGdPVWYcTN&sg@rXVw_<7&&jjqGFtOEcvMWLYkww8eKZSt^5&4-w+0mo{%$W!)!<^w6r1`Az-rGk?wWN<7{aPb6l=5iLA=BSN@j^tQC> z0GUOs|v+(mTuHvm3e8XX&};X(AWvys~}qgk22=r@!gn@nXI{^-3J z`01XKw(#l6TFSpX+S(WqE}+Be0|6!d@*$tS@BA-`Gu0w~E=&YOQ^q5M}DMpacA zmVVifsI*J)m5NvNE$LVpDE6JI6VNz+r$9EX`u&a)tt*FFAf>Z_4)h%wJmK+ z&d!8n0bCqCs_V^l&Bw}rB+w@`I)z>DDWziP-v|C#)tVUG%kUG!lHmS?yQ;jt`R>m} zYmWZ@ipiih3p>E-Li+QkKQVJ-_r2cz$*xznQ;<$+i|_XNN27pbO$C;d`@|KYbego5 zWxQ%Pmd4hH1;$w;w{Q;wTwspTY5N8b8UECML>klE;JmVxS%O?iXeAL~Xf6BvCT@?h zX2=~qr(zunx&!1EpAYQSJN`;x45#a^REuRl!tePgSR9opfbx7I>61|4_P4=O3dlvB zLJUT|^!}Sv|M_I(r7a=^O#6$}Dx1;LF7y9Z;{44)_$~Tp3C=n=d0L}Z>%B1Z(H9gysE7Pqb$x)VM4B_&~t5>^UJz}Q1EjIYh z^+qX9-q(4`R6i5R)K<-#ZbS_@w7mmpN$9hUaIOhOUHBP5Azcg0YwoY*4Qak*yzxXaQ_N~K1BB!NAMM7D&~ zbG#}qoc(CASc6_g^3FY~3U_07>P?;>$9m*-{8Y#RnehveaTlVBO!oX%RI%paxXiV^ z6}Uz2s;`w$!Jh8#@x76kJ*U@JkId$^_2Hh%>z7*W=ma=y;(Z1;cLfVzxM>b8b?aNv z2K181bWUDR2%1I8qiyVnQl_}s$R`t!KLUR_7s1{V`20G^R3~1x;P~jaO1DUPNVXv2=2M2MbC+i(?*Geg z(Ze^m#Iac{gvbW-`|$X#dyurl!Oj}2w+5)?{ZGR=fmbVhGt|1xbIZlUi^?lPnL?{g zFH~lpy1=z!1HSJzo&b)16}{Mbf>U)|EDq=Zw>o(tR+iF6FnYU`n^R*B&X^-Et#y|s zM31B`DfWYxYow$m@ccOrwUSz=yV)dT^YxUC|H^%q%GVGZU_WZ0l5g^B<530&rZHh= zakJ|F7@o{oBR-;U448lM;Wh#Y`NoFo)RY&;p!@!%zIu?IHne&FBb(f zugN!Ozf=D_p00zqi%j^h;?_*e>^tE1w@^v|2bjQ(?xIoG^>Q9T6MDm{il 
zGLy+voo)KFE5z{?qWBSr(J8?>TEg10H5Q@~Fw%mN`T#ZHRDW)gEizPuG^&U0NPj2* z)p+hWm2nDnhPV~ zsXa4d1aMd`oT_F~7cQk0&kHfbKTpeaQRCFBJyns9)~f5HSTP_vlR;V!{4vRWk2ekNnIXIDAvz-! zJE^{s95<+e#a|9$k=C22$oblGRy5%;Bp{ zWgl%Hwqoy!TA@rK#al@ri0?v!m8Dl<)u2Bh=Q?)QrBsM%dQpv$+w!%v)RmpaLqb!* zt;dQ6PY>WRf(WPc+pkwYlNYcWlZs6wNp(FR98s|2*~3_0un_o`f8cTmRpvy0E_<9s zh#+p#emvT2wjBo^z7nFbip19WWKkeiwcy4hHqB*=CF1N z+4aEuTZ6xG;@JH3y%#L&H1DEAAUNW8-i6nyAtk8(B(^rM{K-sq=FwAC$%08(m^H&5 zjbq034HgXH53^b0G<6NRZyJ)dQ6RYvFPKlNbZs(G>X@*~W#*$4#^|B>r_+L=kCCqW z+Oc{b_(xKF#+j_f4VY;!i~U!7i7hpBYT0hKHmS5)3vRl!&D4P{5Om;a8JAJv>0Ri! z{L&yJOtL?;92u@$j0~4$yJ=o1Bn*wk%L~fY3RsIn)n$qYuJw*PHpH3QMdUuzQzd8V z;~&YYo3&<@WTt|{Cr{d7hU~nl22)zT+626eL75UD5YNQBI^}~Og4KZ*$}pZ}=Q=a= zxjhAQ@9y#{+J+CP_sR(S>R=13YEBPDY-^C+pVvlsR4}elo-aMrNp+y5D9o%*mpbXx zpQ4@e(zlfxuCv178W%bwU^$+VvqMD~g(06)Uig)6%fiAziUK=@SguuA;M?Rf`3%=7 zr6ZQM11G_ri`BNV9FnP;%=D!^0>iX1f-ni%iIrfZ`c#Vg(nEonOLX({2Asiv#>l@Q z_lAdpMICtki2H9K)L8J?{7t^l&jVpUE^?BAdH3Q=rRA3gw_A=_adWk?7^*8@<2)2o z`9$_o0jsfkm?3kUx~MUC7*aWTku|VdTIH%>k~S88@RDI)orn!u$gR@A;^K-dLRUs{ zrOAc4Og(Ms@|1vX?(}0vjT;6$e96wxFpF*@B?0?U#4et5uG&i89%mhQknS)jtbGVw zwdc5JNVX?LP`eES6!fh)dJ7#j_FL<5-!dIm z5wwf>y+0w_XXte8>@@ySVquRj24#l5RRv}=aK;x$TFiLq+Qd(bJ3;F`+uV@F=Aqt; z;eIEqxM)D){~QQ9*PJw%+1q*t8ByY}H0VIG?$MZlObr*|C85tK8HC>1v$gFco!CP6 z*Euq46r`9))u@ek&2nDCilbMlPji{DgFc>!YJkAvDAP^OetCYSJ}bpI-!XeLXQ!tM zOPbVW4%uCBo*C1w(%TNroh3>x8f%oCEDH(uOtp>{xbU?Mi4>Dq3KC4n$(r;2==CQs zpO}~qmL?jTyjEHxt@-@Oh;zj6+pEworDoS5yHe)Rr3q8cZC4oZ@Lsk3m$~n??JTzO zXC6xn)loKL2qZ572d&8pMa{#3@CbM~_Rbc$ip?k-1BCi)^;E+K30W=XcAhZ)F*y4rT9%l;8!=lGC$!3Ub*0h$_~{p^>pUlp$(+x0A+%XDpjz7rypc z{Owd}s31)SHzR-Dm*CzxV`~*7f%Rcd%WUl|pDj2DCOW|I7Puk!a(Kmz=2AFXINdT& zozssd?VndRsu(3F>EVHTQG-&I%cl87s6L8VFhb)W6Hzh`X_?colU6b*?jnS%RsnIa zW`P2zu$KZ|+E+S(I(lcO-&Y3)re~F0myQtJ(kEmdz!0D#Ql-+l&Kt#*s~ivjud>7{ z3W%Om3E&$ll6v+G^dv%l2FCE3teoY#TvC}_5>%!wYQn7>2_0e$^6E{I5*2}3vfnhG z%M;GV4qTnhOfQ|ywCWs+?3|=9THAQXnU1@fV>%K3-6+>PctZwo!=#rsM`{vJk|PfD 
z*flqMFFAv7IiOWfTMe+w`^4Xf4m?z?zhvgUB3zr{ZRzHdlS%-jWnNcB)>@1l^JuTl z_3@iBl52W)<2@meZWOH)yTgtlMx%mUoB-vBl7C3{#k!nwJ0r0+phT&WheA5<>sbj3 zK(i>qu;i?4V!}Xf_H-(;RWVBWgZmPs+=_Idvm*(r)7&YmBkx*E0PRHg*$7z}7>&o_ z9zCQfdL(IaRA;+85#B4%WzeXlwZ+6p_S$0hc)1?mrr`p*b4lZp^27+AWLJs$C;uJ& z!I|ZR^+}J?(<!TPgt-hx`Y@kv#$al~!RfPy=G!r1ZmSgkm2ApOqw=iKamEw2 zYjg|#%0=dj8pNKDP!U0YpizQg6s8>} z=Jr%;sOORy-laJ{g!HJTBVQ&|kY~h<(uc~qar$DI`5M^jA4E>WmzN3&O9iD}}^+NW; z^D?K~=CECj(MT~J!b545dr)HIW6OF^yPm=kReaA*^++jnbBS;AUgoeYeGy|>aJ2i( zu$J$ru+{i`u1lg$_;RvOunteEh%c@fPvns44D1nevlp&SL57!z@03ZgE7mw}1Ni*= z^$uT}7)iT1`M$c^yKjkTU^2R~{&$^A@gu!;Fqva)D|+ct^|Sl2-<}}R4mlYMW8DcFtUj+x(s z(W`|!q2*lRlg&lhM``)VQdyKVt3nTPA*ePgKUG^WPdXGn(86ODrC*`#-x@V_NtcvT z8|nH!CmnW-cv>25*llrX0q4K^s;h9JjP4#p zj4)6Fbh67A$s>QtZIRXqz{PlX5iRxpXW-Dmwu?_U0I!Z_yD>dK5X#HKpnl6JAP`^K zW~qCb;Q<`sp1f=!KgWP=!C-t#pQQ^8{B=6ZURr3!Y45`V;;8p`EW>*9aEfxNHJH#5 zvjEjXHNgQu$uQo@!e1m33W^&l-Ycc409*tAk~mcgL%({zB>~g7(%WaT6K9i!%rW_? zr<iPWii{*OED5&ZQJ8UGy-hU zDX8B##`SEckR=jQHp>k@Cl~5rR3w!78uT`|z9k1O)MxOxDtNUU=QnG-rXDi`tHHR< z=P51a{Wf+3Z(3MYkR0deOiKwqztG^~)eMhy$$ciHYUXGLk?)~byNMxstg|N*vt$GS^A!B`^Ccw(8KoH zu|>Cl2K@937Loi|?V%L`z>Rcp2ypQ9$?tZT%Yo@|-qB=xV-RWr(GI9)vo=DrSwHHp zlnoOG%U;p;UFOejjYKA>4(sdHuVMR^um@oR+ppIZo+|LYL~Lccr5$z+-?Fo*TCB=d zVW4FU#Ez+LU#TyjEvxH22jfAx*UOj}X7bDlx}nRA+qVD3oRQJjxjlw?`3xewu65_{ zDP?T(=6L_YSN;H&x|~j#enf{M@$jYo z5l+A_JA0=&9mvvh$KXE?&R!>dVt4xtaP}Gd%%odc3@$A7t*uTyr)v%_zzkwxAfutA z8VITtzg~J+KAkKgL@QsOY6y&VF86Y25Gq7kpaAsU;Ab$YK>1A7RUg!mcX8xi>Z(=5 zm^X}-P_llr%vJ|?zPQT+x1Xds`+K{fI$zZCcsoMeQA^LSYf_IZTbBWRd(t-K3zh^> z35-9i5-m?oOkq27rOzUt-QF-D6JF)n9aWh;+Hib(xSLn3_)r(dS8xsp7<|~7Xk$gr zqG;`JLs}Pr8VXW-lJj~|bIe(Pfm7vd`99=E`I9jyHRj=^7wqLXGP*!zeD-;)o*6=H z%7?RMlX;;sHfw;kf!%XKgQM8tdJVtL(^XehTv_w+73YRJmzZ75N4aD5Y-3$(>!p&j z2|F>#!Nss^@p{7~rL~1>-j%n!ZX|s!!nRVbg#H!-!8_P13E|k4^8~nd9Ra0U7e(V6 z=uA1n|3Nf0$Ze_s+JrGc#JR1OWsywfF1it0P)1h11!eN^ERu6~^lS&L%yC@7PT?7W z>vl(monF1V9L>H~psG#~UD(X$EKiV15lJVXa*HHc_WO>{x3yxjkq=0trxDK~Fdjj) 
zMRu+bMU`q0rN7H8s(dJ`)+9;2o)SIX9Q?3W;-k)@-CwJ;I$8gM%@h7Ez{)@KLT>oi zx2|$KAQt$me$!D}nHKL7P*GB24r)A(c-U#>zasv|-XiSn_8iSIbp|b(+yuzHK(M15 zRSPZbbwA|usPCZS)a&D_-FZqwC!TA_oHPizA5w{O3|Y^;9E zG9Z|I>p3X8z$$}pe-1mcfZ0A^j;x&47F%kEQMtued3s4hy)>nRz%q5lt*t6MRYcg$ z+JbBaD75% zZ#DIFR5np)2rvMxOd>C@g)fNl6?i<+TG*$wJaOOpMUG7^KodKAt49EnZB%?-6slcu zaDUeMaPF`JoRjN9*IeaBXr@E-gs$x7MDzO>F$S*2g6ijJot20dRU%h%tduVbSw-P!xKMf>2nmm45D~s15zuth!HM1!lqxgGnHD(*F_UwG*fESr zIPuvCPvcPo;kgw;0&ajeb8R(eTbnzyF()~wERwELSbH$g0|@mmge#V(B9^FMrDg%& z=@$h}sV*}=tfQqNSBg*D=`rxIfsoc$MxH7MWIADII+El-sK&`aA!f-l+s$NBSmlLk zPk0J;%=BJvP{fgpj(NO<-oDS~BQQU`95V8_z^B#ij6>I(f@3y5i>(QY2VQlV4$bG* z44F#gALf5uFzC<_-MR#Vb|BEnP#IDlD&a0|8ECd^B|p~#OCD(;p@D#t`8=<~G@=aR z{2|O~Z*c8nE30PjHBbW2YqeC)b-L1X(_;v8uY8q@%)h8xL)4fpHLML7Le$kO^#Uf< zk6mV%#NWyoTdZcGa-A&u5)&>h-;Wl8F!LE&rpU( zkLH0YhQyFp+cBpRSD_P@^_MD*7mXP{;Kd1*^-||#77i{SO=o)(Ddt!!xFp3apRt2g z!_0M8JBT&X-PR8?6jcUJ7?=W_ZSLbw9{IJ=a*W&;Bespm4zX5p+%5^8tn<-c`)j5o zS0hF+T}Wi9KHf%un0IZGS0qoss`;+0sQe6{Gp1UUE&KL${9MWqd?f(5=_=>tg}{J;p|_e^6wq;c%Bci~$-cmNWPQ14dad!2?fLmdQ} zGN9@)^62LL9M<8}O9y)-rHazI%uxDv0dp;LQki5J!y=ptZRi^I4d{bcd8OBn%J4^L zNUw?oLl?VK#M#MI!6aaYLqai9RZd$F&3YrN!NE#kB8&Y{v@76buh)qwWpdPz;aIYa zhZ68}981&b@jC=1wtGYWf{mP)A&CpeJ|%WV4B&G#dKF^DJFu0l(~tKW3lE`{uwuAX z%cZ+#?qW#G(7pQZ95j$@3bjt+%EhU|)K1JpyH?kS+0r%1aRxY!Jc9wLn~r$w=}@9+ z7+hjaeH+BPJY@`I6NQ}2?u(-G%}WjC!$iGW=AfO!dQozCdF*IJ>D$aw!bk}#N!W>57>|i_n~6iOy;ZsDw1U1res`R(AiZl8+mpV7zKGfPpD66 z^3}oK{&u3N=gYm)ToDguoa}|=%=Tn4%>@Xh1WAM1XEfws-HtDP z^Z;Fxf%DYMNs6@AJiaxjXWv|$qml@z)m^KND}{LA3+qadvnj;5yvc+|9bQkZVm*UQ z^jkZo3#8dw=CsHf91ucQ7PFuZJvR%`xw9))7wI}Tkc4t&yzHBtSr^0u|M0k)t_QvC z{U9|03qZ2nYiB9y8Js`gK$~vW@hF|1$@cf4NwamCMRC*<7GLe^}IbPR1tp0 zT9EJ%cwN6EV{UUnXdd+KNQdGy@9t~Ca3J&;g_t&}omyIZTpBrBe`#Wf-{JRF!(>)s zBc;t3rPnc5vd;w9nr&%K^&&@M*p5AqztvaiOd{E@GyBhh5mJ?qlU-?&5?1#VR_6zX zsBd8mU1YGvbE7ePqcO)QdAgIG^ zaMMy-tkke@kpHZmKc;NycQa>(RW^C4D~4uv*(f5WZKWXF7wTnH+2bbWE8-^bMr?-v zoWsc?VJf5+eDa*wOd*wvtb-AVKD}^P^SxMGR!MeUl?#vPS^ 
zdPbm+f9BQ6$PrbS=HhUdQ#IYh*`M8}^~Bah)`lv$3WTUf>JwaBJKTd>?o9JhyYfYt z6&;u2<^<7Nf`wH5scV@>)Tz<6d=6TRhJ_L~LCmt+Ywr!vEpu=}NvBLohDL#%2_d&4 z|18xa;(f=wh4sszi0s`iGC;*OIpHb2m7?sE9mBBk>q zv)1aTdw{+AhoY>?T`Sgm>i^-OaY_i#J-YVBgJwrI6RxoWVD zT(MHP=KgLBO>(a*RBL4^4bRZ(;?2+#k|ZR#B8>;~u$$g0UJ-XZeoYj2PxK@@+`D zYlUl zcKT5}wWp!>@~kV1uEZse?)wk&*C&ho?f5~!gu+VE!&yzxdJA*Dk2mZFiqVh}m14!9 zgQI=8zAjzrpWlQtFrOeZ2KkZo6HJLvSa@YC@{v!d;-dW=tLM_RCZN7- zv_`fPQe2%3P3UskEDDH_**!Q0vsxh==}2bwOx|?Vy&U2_|L$(7hqA+Xq{kCI&c8QL ze>LFaW~XCE{2TkYeQ=(4ZNUGGYi;Y}n?Ssim74o8;{N&9UpmZgRgQk-luog(yIOMq z#WInth+eJ~sntO0u{c|m6-!h*yNhovTt~6kb8!UC4kRT_z2!F5SLG3;M4CB`>@4L; zFN24>(uwbS!&R@s4uW&VioMyC&xnSVX-9&4l-x^8Z)!n9nRM^X)?YmCSVUYk3()|~ zZ!Lh7j6IgY^ zP#@5HC@{(ro?2$1xNk@ya)h^Uu(@aw2sL&rtvHA{FY1O`m9brkFB`Gbt2vE$o2~~0 znvO((9nio6PA1LKGG%GysY@;8u9nwABBX}n?)}z$A4({ye-h^})+BFUXn1YRR+B6# zS?-3Kl7$@~xQuok>m=N<^nb@mrjzFJ^tT(+8WUjTK^a5Q?cWh_n~;>}Yn(E-LafrGo=#kSPKSCf5X z{B3%TrRNOK3iyV+dvhdZw5`>$(=fsWZ%%@c49Obh^XR=X8p&40iaqWGXs^RHi{Z3R z!E9tgNqtwOOH+X?RJP$tb3!B5-KVuVXtE0@aDIhjN_Ym)ZXf41znt|bTQHQ}x3~S` zM-8chp?Ik|Z8`?$W83buw2qLhgDX#Gm*vjK_btRbWdV<_3oIv;yxqJU>0%l1eDs&r zz@)4neWR|&`iXMDQKz!WnuDsO(1r0bTJu3dtrLa6WhruuH3KnDrcP&xv0g zp_L$|2It)X=~I6OA%vYpSL9r86;N8Js|L82ha*jw2##5u)WUb|JdIY+QJ87FKZ-50 zS#GJFE+AP>#hskU+{-}$y;cD1e{8P+rod1@+%f0(c4KsWcLEJ;aTKQAW|JHewX3pcw-8Z?eiq7J7{Zs4-x#X2J2QP2)-c{&gXQcPxaS^#d_4aQSrd5uC z*nAczL;aVH5xgrORM{(*N-Ij|ffU-Z{hsik8qRgv&?ip^{Q(ifvWL<6gf5sp)kvE` z)i9Z@-=&t@!|_lV;6JjqWq=$!lB1?!c+gnftg-slq9Sg;R^R#E0YaKaFUy@x>Uc)hq)G0T-IN!wd1r>Du z?*{!Nx)C|Aj|2fLndpadUavJTj4DS(5!Tk#C#T+qVkgJRJFB{ytrxiDC679WN? zv>-2C^UHvoZCq=LZ_}g}Hf8vrkE}tn%Qs9G+h4+zTj}BYK&3UBk`mm9>R@H&$AR)? 
z`&wRn`UF8c@rLE9N&ic3fIn(#RsKpdy_!|Cla4vUy^iJiL)T*6aB90 zfFI!Mk#P0cT99Fopnq%`wzLSUXSrvVqb*l0R;n&MhnMqMq+iJ1HyMP7${4PSP|0Nf z$xHn>eu!CMTS0v;yH81-JcThday0{QG_@xaX0z6V%3}>?4%1v}t?hEoW97T#=&0M* zGkOP~N9_@=bsmsw!)RdyK8Tan+K>zRq5WloFj1OsI3{B4$kj9z6P8-b<9dCNZ0yKd z7fvB25PVyWrV}drJbK+abI7hf)R=8S7=OqBke2N|T4YgX^3x@= zMMJVLkh&VFV#jw$WQ7AJU1E{%K@b-g&ZO2V&gL8^OpgG8@!GUHvGY}O9ECwmXFJXF z;$Sk0iddO2ndttyormB~mR|@)VP~-DEQhL}&KIlOR@j!|Xpl=5tC_FI4T~&4~3SXX}r@@&7BV zn72?|k)tneJm!3+^Dt!C*E!Dp?R`wMyY}?37Lb*oVWqBAKRXo%zPm?HhvTJd$kTDC zx1M3QqU|1i5AGw67ISA;$=R#qDIe3B?!;-Y2rosse1}UT9?pKlJzB-dO6N&_f?xtE zdM{mVG%<5sMZy%Q4cwW8g($C>nIRw^%L>}g!X?TAL7 zyZx;(`@)9TY2#nJpuhU0U+=)BFm=vX$Z~;a@6YH3$icTCVZK<`tLLpE$ZS~W!dz~@ zq!;i^UHMgsVmpG3`Ik|~(BvSHbbi(E-If7%6LP>C=N9I*h|e;EXvCw9YSN&B5`rpM z#LR8NePTj~qRT`Cq0e^MG|VDnCj(VVwV%eh%RiJ3edwx5c_fuZhLs*3p2sw$g4?-- zWOxF4Z?db9DvFwUo8C2aPh zhdfR35BqNuZ$~$rL+Q|Dt_SVbmfkHH*XKZVMPjlv2!*)c^vKRbQxmCy2zOOxM zWpXT74WB^Ek7ASTCPd+W<`{T<1s_go)r=9rE}+V16?e5mITkY{Z^m<_IfR$9wi^_Z z%E}J=z%4JTZ<*h^@nYWSXTaXNd$XARnG609GiZddI)g=Ch^nr9No4;o+i#p-IaAw# zW4=a>&?nVV9^Z3Q+Hm@^lkj}Ns=jjTjyfYwTK--+)JktRPZwHs` zG1~J?EX4+2HqsLU4H(7eUoXdac}xPLCqe0QBOoVWSItTv=PUW1gbk*mQP=aRqrNeP zl--);L^ml~R-vD*mUb!ab%7vE-eE@fn7xJn9yrX$UMM3p)5rpf8Q0GAh5gV>iGaL;m}gPOZcJC{5)-waPL(t<+l*d-G*5WfPbuDWTsTX zU3;7{p&25XzhyGlI#ZR7DcheX`c?`4a&JRGLHQ~y0^$ao@a>P87ma_4Hsmh%DTe6c zb(I@*Z>gE#Amuuoa0GYk&ZK0hOJCc2$t7{js1|`MN$RAS?-=8Sy#+tR64`G_*p}~& z=p`uHYO>vGWqIKRusiKTy?K{X#8k9$K6KA8tleR#f~(j;0ME8ex!ZWt99OJ3!52c| zS8QEyayr*GNnWBIO5%h ze8~+1`Fh?88h!W~4~t%`!+DVp81}aK5~+B7NNpD;(_zVEl-&n@m`whbFZ4Ug%-;$R z!h|J%J1fLdSg%OV|bH9OPMo{37J1P-{o=yV66{g>u4+Qe)oz)MJ z-bY(BQS-(e$CVgfAE9TD1&a8*V`(VeF_-mt$!V@Du>#10K$#xQW3^kBsI6FR&vr7v zb&Lg$Zbz-l|#mn?mg%V-lm@8l)* zIKPZ0eCg3zFQ2|J(E2AB?=YNTdnKMfE_ns6BB8&73B$az$1XwVWe&2N#jl4ydIHcH zPXET+2orh3r(#|jy#t#|+S6Hjx*xglP;s@xd8Ok?Jixo7<=*uI{+wE4xD#~3p7}!k zxgj@h^Den^54)cPD^u&%Wh4Uu^J8l+gPYvcXD z+eqlow(lujWY-})28 zrMZ%{mNp-3H5^cuRrp0d*b_%}kJUbby-j6f9Lyv}%R 
zYMIiMXSq$kxwVI{fc1*jev@U2IKKbwVo0i&#jXU!g~9NT)eH9U*?>2!3dcnJiW|UZ zuE!ofB+?939tO%!%Zg??%%Z9y&cBS_)+qlmy(Mo@UL$dip2*;|1SDC*2goY64yD5uU*VqZeE7@h6KA!naMvC zlgM=Rd&aN&0kLpP;$=+d-1!d!$vt;LZ3>GYk^<=# z75GlvLFP8Vg~Z8ToCo8aD0ESgs54%CSn3=SGXU;L_H}m~14`Q#Os*zmk+8y5Xp%3e zAmK;R`7f8)b>dCw%aQ2Bkk%*X##O}8L%C|jrDc>Tm#z!us9!{F%LhY(fSf0Y+6=|f zVce8n9Gt*}%D!y`o5M-9SEWnRZ#dQ_=CA?|Rlw}|KdfDKK$F}1R|FNjf{h3WUIPRH35PIBQLzZ6q|r%^ zQKM^4uX2@C=^7|0B`uA51r^xn!AOaX8bfO2_B-=?G44fg{r3*v->8#q0NY_1RnSk2wlfAdOXO>1;-Hmr;aa_07c)A&K<;Fo?W@Cj z^t+dG@v=WgwpmNE^LCwIr^{^<6`#rMHr{W0y;xI^n>nm1m~mz1?Nd&rJkhGb;XdM7 zvFGNTE0)h>Tr;MAoMML6h z!FF-e!vSYYX|7vjQ@CAaib!XI9WHOPzFMt_CUDhs6?nC}9kH9Z6$MR=O9?69cZHIZ zVw&|fISLHEm?65A?wNTnEt_e&v}E(jX7u7Z zt?1;s@Q}uhSIs&bWMasX>CVp$vAuGR*uwR&a%htIiuE0JO$)n;{Wtoo7NZJET;q=X zN|o#WDDK_iOc?6waqe`{HpYg^?YO0P6`K~rS$xnoI#(=c+DYMNV9`-;A8?3?(^mBG zwk%TB^GxAsZtL{q8-UCzzzW=x%P8Kq7mPF&HpNll3uc<@cz+DSxE3=pt10uZ7cA!w zQQ7aF$lV~7yp`2{gyrlZ(+o9M`(c*Uq4}IN*UMtJZrBu)j-n>k;ggMz8%L*j_i~p) za3$1o)87(cj`#}iB;)v6(Z$m2IZAF^kJm`7%Gl`Tcn#chU7w@r>=DA9KzH0Xvp3|{ z=rBkj3?MHPdNyVyj~h=~r%lT#QtPJqHW`khQ@EOYy5N*l&$t?&RI-e&qwjlWi@B@V zoaqpcu`9RJJ>jq1M|CN(En{OP3bAbkNL{i4o;J?67}I9Zs}ri5wLX2S&KuL$TpScU z_m6k^J9fSp3NuifIf<%5^?Fld+ZD`TGj5^p?AU4Au+jgprr6sASA5}479H*;qOpc* zcE#xPJDyy%#>ed_6AtOJ^af>)OoI1~-a=QdE(?uo-0NboEv^l6jl~;!8n*OZ!I@MlJ91%aoL~ben&?@7*hMd{_J<)3TiPza~vF$Iab7 z$AD3IG}Ml?^Sr&;!;A;|+~YC-U1N+0gn3{;jXwi4@T{@o>}!TA?x{TS^+(G2eOtmybXm?PRSa4+ zYeXU{l)W$?$5{$~6NiQ5_#5 zQxQ~mH`I5w8fq$ikrr`!8{@*7cHUYXtE7$j^>Ds99P}wQ>#IG-ANW^11NRS8>7I8=3%8|5~w${e@I}k!jPt9SQ1BB%* zxR7x*PgTuqNpfQABi~pK^QiZz5^oydTc~O2(v>^3B4_1cG1C&$#}K%K_{QWcasc1&g zyS^QBPKcy#djf8~3mGvyzj0AMOA+;bkbF`!>C4`aaCYt@uOtto!g{NoM95%e! 
zUM5q51rryR;rOSWrX=UvZnbGk&BAhOImKvWLgCVr3{pjvRGWQ4QAMZV02Y97cyf4FMtr~;(UVp<6EgM;YwlN$;@dtedd@@JK9^e^z5@XA(&t>33AAuxW0mG zgQ5k9_X|ZMMiRAU!szn|y>e>$Z57{%RDcr4ustIBRt_^?2AgervO0;}F0ql- zzf0jCdYbVe*T+Wb7_Re)I-s*U3Dx=`cs#8s=N-1#jmC z`ebmhtHonCDG{n|x0$oqlf;pzRDb8r=IRXSSW~mQV!3E-;)*7IEZ?0^;jwJNz#WOA zfqY7Fxu5N2`RvgW*DL3YdK647>XNfA>2)Hhqs1vRcCE6I78;MVOF6F)ymihI(Vm=@ z@i@9`MTT8Qw^LDEBkh_?63^x zM>7iqY=xYUKOg8hnwApgTD-5bZpWd=@ejqF!>jHoZ&ug~FBC#mA4EUo3Sy2r+@7cU zPIEaKC_IVUu8y1IJB~ea4_m}Z9A0+<-2~h4v8jfc&U3oY>Z5ueZkM0GS>RZG_SLzD zX^jSL;@}bFL3fYYFn4(^ifEBVw;ty$Stn92qVq~yohr!=0Gk+F!_C@~>l#%jk`1a4 z>2TqBirz)(1a{6&w~LF;;*wU9;4j=~*_jze}Xr*I|3BHb&Fhu^c@^hZ+sK|B8`Y76e79S&Ap zRJXsnUmb)p`nh}OtNR&x|In>bkRqobE44870^G0(bDg+Y)h>GV_PHsy@tm4H0K)3G ze#Rx9+=-I$mT09X%xC@6q+f1B^l29cTwqgKsMuT`7dc<`x}=?euda@w_b#H%&w=BW-TS)$$yLz=*E53v(4(kFK;^yzjcu zphaBP1)(=H)J4pV)-Ai>BnJZYO|HM*D9$~+G^35=_Fgs4U%RdKs!CiZB*a@LIUL*s z>}-P;+FXK;PAhg6>1~mghiqg70&?@YWO2=Of9*vrgU~`se=(^bi^I%c(zy5tv82m5 zsJU?P($YXFxmczJPoLzYy}mzvVm9ystoHoEP{|`2NluugnG!LuDFS`d zwIdxuYemn{Waf*{--VdoBU@L@1kwft6pP(JxINHW&Q&aZgM1)au0fi$zt&5Vw5K+{ zJm-}8CRq{l-pq{9Sr02(*8bcW63N*XKTuW@?psh4H$ZY8XE!@zDBvpjXu_+6TP0}? 
zzWcrl@kzHG7UI8UjoQ$=F)o>SsnJBExf2=qrgIMx6^fj_Drb@sSnD3w89sV4dO*`+ zX(9-UBjF}aB!|0o%qa7&mGttLp`~_1e%HI60H}SCLQG^olB1$gs#1~mUHpP&4xkmrz3srTQd57C#i>A8Bey_=wji*vUvI)5#gdVrK$v)0$`RRXd zLf>;1Q63lSOyGCM_aiBbh_0%a?k#%@?qC894?=s!3Lsy!)=%zY$>_86J*+3|2S6gH z!C+v@=TxLBA7*CEM2()vAC2+%*8Z#LyVAknTUSpdZGBL*>ep~>HiX=PSTg;Mmwzxl zKqzJm_9nm7ogX~(*FPQKgx-R*`~~uvV&m$476AXbpMkm9AF6Atw>)2?XuJ#*q2A5T z!VwUJB=xUQQ1t$%AY-oIh~j}y>~BhDWZ`!dUSJuYjGy@sj#>!kWB>vk36H8^>}4+v zyt_L-%*euY{FuPuZ7Fk3^TG0nI;v#8l1`%xyB1ZyJTXZy((NHW6DsDkju zu-0Qq8Z|AwsUT}*)`UJAnZ1FFlmXX!IxTmYmr&xOk0dj8Lo!j)_y)%1=Grmr@SR>+ ze#|Auo(Q<+j1C|2*D-wsPh;=d)^w=CbG#wV31M;9{@Wfu@j*| zb$J;GBH^P$&zn*NzCbw!9%;AWvyk!FnLNL_&LPVPS%1RMP(3BFP7;ZD(6tC-w=$}w zUKt50p7V3S47l#^T(&u$;w*y9Tvli)ne(GKq5%5BF-6owKec{LH>*{q&pp$}Td<6{u5d@~LMg5ESHn%cD-*6_j0=ZD)Cenl3neUh#-bC} zv#`l739-dN?h{jAJ3QG<@o{aPc*D5(`pFoZN;3^@T4vrxoAgyQ+!$9uTO9KPAjn98 z-H9>FQ_?2GP zkAE+gT~~k+tym%3iP1jr(XQ_qn<>QLB|yhdiw%{hkMKL;6I&rzLm$WspwQ|HiWIWVvSMfXs39*qU5q@5krrVXDsjeLq}QFN z$*`8n%(vXPNd*-ijoDgPAkpkf_c{+~@^m>6bgt_&qK`pn_Lfv?X z>6}82AIN}n;b#P2SPXs;j;tXqJBB!Xv$QZaDyuQH13nGD6vwQQ_ zBcE&--Q2rp;)YSJyR?m&Gup zj$40qrp-BwyY4OJTbVr^xFk%T9eVdU+Id_Oy{r^0cD-^o(@x}$rrMHUyVqVU9V-nP zy3{X|?DY^M_Mkd(5Od>rGB^;OR#}E=Rv#IVEee6CMoMc2cBu5G0KIdc?uw$iE?M>r z%kJ1L4XJm}Qk6+b;gM{!xkyVxicBK{M;h7+a;A^qXLD-C;XFIrrRMg@n)ytmD~2zY zgcU>ZaBM<-LE0F>3WdcuW~nZ8@UKLSkqW@em2wfVC_t9Fgt~$>MfGvmF(kWxIqZ5? 
z0ur#w!QXO@;*F4q48r_!BpgP$c9I0hTUmVseAS-M_zE{tj4haXZ5TZl+m+uTIgy%% zLS*pc+`>NDxqT84x?qNgWHgZP zFip#W*E{80&W{mFpt}l>BaJsTwdIhbr%BO(T(AvdHE|YXLwPb4M#8o)r*zXwmh%xd zrmtd_BwexsjHIngz03B)|EA_2Y>A@O+ZEnQUp2p~azVXdd-7yXd9IL^GBc^IRY*57Iyq6)x5K`}mKkui}E>+eS9|u>h0NdIy*2P_( zS`2aVs`k0J7iv=YPO(r7iGjmV?9tP*!SLbsUbsIm4nf4W!)o+#-e5NP>N!*f1q>6B z6~G&v(dg^6^#m9McQr3OtA2@ct;Tp~4UtdUK#hn+{SwFDB9pDisRrrXvl=QwD{p(t z@oE8+g6n@h4DIVzUK?^LSU3hdQeW{YK6(d8>J)sPB0jy_qsk6GSpg2gC;Cg;VCb2jS_Xt*f zWUM--xxLtBk77{3$4l#~A}}V7TUP*JjzaQ-@}c?@jfS1v)ZqtHd8dfDwW9_)|JHTjDbqq|;VlKAYr!oxJgH&U*QX_ylT;mlM2O6-bJAtYx$u4+p*hx36B?U7~ z^+z$X*RV6h5i3V}U!3P!-8wL1_4)ZuFL2kTNc#juMr#Sm7H{!=h~ znoLkV5R*ds&PV}Xh*_5EGfVYN0kKfnG$oC@*1E2MN`CC=WCU7|!K1y5xuS_(m>djn z#A1>Ap!jNHuSIVS@VR)dXOZoGsm8|UEKu=}-}HkCz?Ld;ITsjjwl6P@fBYY8JAY!0~(PK@%S!WrMP(~uO!{34zuo&?g3ounV`MJ_@adHQQ z(q55BhoMj<2<{plMVATxdc|asPGT(J8K24*pS}coZ;1L6jF5-u$!Q}J3i~ThDxj9= zoT!hS7LLtn&hp#5O4Q!2#(k?~cD|+ShtXFCGicI<%Np}EY9%V4(5h=9zZl`oV-Ipi z8ck9MFZnSx5q$OBMm4)gdv6+&!hn0=B{PHO@G`YE(krYnG&ojQuyVN`n65079jbcx zTz25yqADWces6pgW)eEE1q`g6mO~LsC!B1ydHA^d0B?s#;6bs56}XIxag*fmjw^ei z_$lN|LlPl-`F*y({-#In4E=^P^*sq>;wo~6Il`?kf zH?r^zN0Es4IF+aB4Xm3k7vIA=XPH&p4A>V$1p%8~Ge3<uu;S4v63((0Gf`F zA~_@88$xTHGrQJ1+qxb{k@(6&t1q*;e-hxTYiNeR3Ue%gP2>OWEBo)9f63wV+-+ef zyoNXbPS?V1VU*SifQ)yW;k%i#xV+<-i9{vHj`EZ7vc&R*k~aN%wDR~x)O(J_5gg-s zs*P-O2;aoiT}nIspEJy~%?WpNtl>o_Zurns4dsA1{3AbRs;UGs7k#@#%N>>~*5 z$zjtYq`>0BlZ#J9#t0L*=nOb3a~)skglASc0NE9WO3ek$UcI&$EH;ts9-uJ|7pv$MnH&YpNC_<6~SK1sMtw?SF)8 zTKFjz7l&NzFdY~3Zwi;d=bi%>|HnFkL#RxBfxjy8S{pjYHS&D6W9&tg2a@cTO`R59c{giry>9M67JO*Yy$#g$WAI;Q!zVt!wvyxSs5 z2M6%EOS_b>;irm^U|5rvd7@~1U`*7z$fYuu^T2D|QcpQklMGxx)Ra2yT_UAp+UO}z z4SQ_j6!9}&#*%oSkI)bXYnQLYC}c;%?J(hb_$l}7<&5dMxIB05is=ZCts=m!X2mW- zZ*MjS#J@R?nu~$~UW#1=&Uq}H3v*PF`zDYAqANc#3O?jI9H|_g%wTyn+pIA{GVCg; z7KgZiTrB-HMw&>tv9MxCG-$gu=c+ZkcVf)Bt-~uYZeQxj8emm7BpJbYI1om{C`tLE zVi!yBj~QdT5GV}Gqx5oz^aiLdaCy|poH#;(_MAT1S;@oKtpABS`wZC_*Pn$uR~WZM zKcT6DP^U?*&zM0kVfdEU_9(Hsska=dzlVJQY6T{iiqO?#OXD#r~B 
zz5gN@bX>cSaglRMQFjS&`wIutCA;NnyUU9lS5gWcS{*ob$oWC5@tHm^*1@clv8yzd zurzx5a7ixtFH3E#(fc01t`SI3*Y!nEOF;k7X6J6BHUN}K_izBWuIg@6a`p00AN(AV zE8H^=z~~CyKEC194Fk8!831*DAYV7D&SG_@e|==~C3O9q8@;?0MGI3zHCGB9KEj`~ z9(g|9K-PDU^_TGNIVKQO3Th+P@~TfOrhGyy{wh$mN{b)$T18`?Dq3EMrfDBVrxYuX z@;vHmmhr#+IeO*7KlxrbJLA~UtGin!+)A##{c9M@KXnH{l#4fvdiG4mh3;k`atl)_ z@RYu0?+fXxB@^x6{||R*U)u`DQDKh4HPF2Nax(4u087lX_q~MA@&I3US7mnWZFTD5 z%>BRnwpB;BEQ6dKBfZz9AmH-tamJrU{5>M7=`z4l)j`pfW<=G!q%8{F+b*tFfUD|a z0Vn{NOq>4Fp4qH_-9aB9w6O3sPVVPZeY_L9yh@ZWpZ%x#XWz~TTMFRmrWI}zepom5 zuj!irn&G`6^rK>Qf7uAXeGdyWCXTwjWz|jj>sQuVj4F1}%)~a$D{BbtXMz0759nz| zSiLMLe(u{M1OGIR>>>yb6?`Ke{Gf{17r9<*I-iIT;|h?b|5dK?H$-@@44Q%drnT#z z&f*(#^_4MDFDM67SH5ZdyMzB6?f&)ynis$qbstE6@=fF4^5@_9iDU#&hu!&3{VOH@ zrTuXY&opYO) zM~{le(&zo&m-&9X7C&qsx(jR`zEU;Vt9^`v3DendBO+4Q#!30rEOES zKl;VCyU*1T&Z~+{?Mk0A-(rL52vFEd8>tOL(~^s~BW^O}FnXI!?_O;Nb=8q^-#gIt(&f8y}jvi*HBp)XzLf0?piK!+SY(gzM{ zEK3(I_h4+gBc+s+K9i-Bt!z4$Vz^w3S`gzDtC;Vf`UonKczw)rEr&nkNCIS}^K`V~ zKYo7UZ+|f5WLn^+qZUDBmQTk=3=>+*eZ>fb&;7bWgcyDSNFzPYMpz|YdqNf1<(0o3 z@Ks#?zl-)Ms8m(YxT;lr9u3X^D~J*AIxyO`ht{%rr|-1G~jdF}xl@_MgI`RXG6 z0}lO)UgKwg9INf!{nrJFe$@WSpMawD6%X|IH{AE7;r9DrPO-;@e))Hn?Dx0q_X2Ie z0pppy{hyk7zLTN+uWN1op|F2N$}jWyYDoaZB><1CJ~_(rpPDfhU}(5ksoVaWhP%EQ zSR#LimT!xsd^OxJ+VBUot5RbY9Z%eK_w$77&h>pdj2%`{)GuQko>9w4@_w~qm0l1; z^S>E#A14zyn+xJ(Ac+2qW8C_h66fT8nS$hEC9jTlT&WLeyqR??a_tMBeOJgp20L+LzVr7%B`WcF~KMI~DQ+iJOgo#f1+-J=2KAtUu zcg(rnq9z8FhZ(24$Sz6Mf3Yp{Js4d1Q4Cb0%BB(RXyza9@GZypIGJaId{3_O2dj3d zbT=c}aGwX?MF4yHZ)Qhh)>#Rl`-xS&sJxevdSP;eji+=~m5?s zL!cw;Hl3edCE34N0tS&7e!*9k``@)@4*YB<;)X=`e>aHV-$HvcoXM2Jl7Bad)wd*p z$0R$wzDe%CsU-!*4n)(y=)X-V61ds13+t@*|2IvG0h;zJ@8<`4@CQFt)qyEty>3Z; zj-q_an5zW*GGm&eCw0S3UG2UlpTi@G7hGxU9!lM3eZ>6aDC_-KnbC$VA04j$s;hJ+ z)!^2KYekmF8Xb2WGc99c3f!>A$-IYO{d6}I*9J;hy#LKz_kQA32`Te<@*#-RlK+Zq z;8>>1%ztYg)1Ut+onYCF z(b0@X9$53|wO;wbcg~`qSwS{Q7_Rs%}mP)Z(Ksm_iEoZ3znPi{=v^5)OEg3>O{U6Ey zX)vRPpwe}$34e+2Kc>+dM9|U%t(_>4;rxGD0}|6O>SN1Hjq?AU)wU_cM=>E<<+#?Q znxzjqcGJ0t8fiW=wpoe-NvL<0=i2(`v1mx5 
zQ+jz{KS(*zO!{qe%Q>a>Er5pF(T|Zjf4_s&h;<*DA2c={|8x5d`b^9X`ePn|@EKLL zP{R17xb1&i>BL`P-i(2~yL)r*8WhQ7X`9%mJtk`J!@MmO4F<3;9(nO^k6Gv#P+YI7 zfPMJ$nAebswKenVyHbxp_vcFVXLkR;sKMu;HMR}Sa{mt_<8L?*B#?W=x>0wPH2h~x zTT-tymLF7^LYVCG<^3~hSEu#kNo!r69R!qHm+FUX_A5b zc-Y_nwc!R6sMrfxG(uGh?mX^1s)a(T_HdAmR7+l7_`zQf2TlHR+i}FLLqA| zwb)|TS1FNcslTq$xux<}#k&@^RH4NqA-7k*{Qd;L!`HI{@#{vxMe6XecJUe>062HZ zOW!s87xp#Wjn?fAiiYIg%1T)Q_^Z5QvK5o@ka0-0!i@sOkLzL8yBD&ZppR6j*p5?>~k8gK&xSi>)&09LI2WK()RlAuq!Mw}u zr+*xPjdpl3yNs7r!-w%d6MOBsDu{n=`z>#x9|m-}F9xo$wi+c>?*uS5`HN{L`H1SD z1e}L;`@9>OAZ{b~Wc+LoyPMT3!$TpEJRxRTA zfg;ri_a#>-D9`b;{#wuSk0S=5bEIrx%RFc%hQ?hi~EH0IF3T`ZSzT(5Dh z>nQc$Sl|pl(cNLkqSv7`?y;q82se_-twK0D)GD?Zw0G2v<+A!d=^27`v`$g$iNt>* zl>rRf^e}tBx5^sxN#$ODmv8r6{@Lu^i!F10DV>?V8=kNot;iX83!#Sg29}D==^wx^ zsE{by!&7s*)5?*uDYvur(b@+t80<OU7*e)rhGQxf+A1a?lZdwGpJ9tr7DV|-r%hRPGL>xD-E=H;aZ(^ z#h6Y1K(z{n115F6(8Ru`9bLa(QIIQDB14tUe=$9d_CgG`yRCtBf~q5<4IN^Ca}R3} zhzNy zwQ4vV77w&FI280GYpbntu?%m;&?epS8s|Uwr>kJd9`|!1<>ZQn|)x!^U zDrlat<#ks2-YApd<=o4qSRd}PwfOUU&fVw*{>gN!S%7`?#ZqZxRG~L)s#~H|+PRPk zX4U>&FknKBY<9MMX<6`;()yYpUhl!G$JL}wP;#8fOt^H&UN#H?x!WUa_CbQx%F>`i z_2mmpF@PTDr3O1%#Gvpe*0^Uz-jcG8gXbk3`hRnbxd+*%WV)BBlNxj!R|X|4+Zsf> zBP^mvdL^4IxmkcXS?)nw@zzT`dhf5Cj-+)9-_@1ZF5g<(wA7cCKT=VsV&&Y>;8NPF zu$2Dm#7R?X3q3D}_Hp)ATyf|X4*HUflZIZ#lT8B9{GZ|J;ms&bnxdOz1vxmf$)~~V z#lWqF`QN;W%{3E}gmZs;*71!jg}|xWE9YGEX~;rwkV¥vVt z)qVhlI%>c_!?{u|m-E3Msz+O@4ooP>zmfVXQiv_0s2sB>RI0i-Ow$OgH7F7sykxSBiSKQHY=ga zqZ=dF&!;5SPEPq$Cg?exc-5#+llUwM`o>D>vBq<+m~W?uDDGSb!X`SqHSDKr zyceF*o9?SH#V>f?qpO`#EfTzDtvjH#xyi`cnbuhCMZO8!)#K#1IG)wU#fI_e-!QR# zAzS&nPG!LI!Q9H`y^voHBdd-3|z94=h8;)DZjdS^fd>B-->(}4RPo!Ib| z;D2JvpGVi?xS{=;gum9?p+q4JBXM;VHeu1WNa7nte&`cV?WpVAnG5_L|dU~xQ zC@4On(sO8%EtM_Q+Ds?bWax>NFQ%JrU1=~r8f#0Zn`1w;p6d>N7MO$9p}Mi0>kifG z2H=Nx3!7|NxS;o^o{IxkJr9efAae)@|KlH z_T;PaUXKu&7p3()U5ZUSgc?4Zo7SI+Z~(piAV=gw@}|1f!18x6443$#Y3jbtZA$$7 zO7l{;ULE;{t>d-UXI7k@%-50+WCRzZE>&f&O6hhv{Z?G3tk@VD)_#5I&uQFOkLBy9 zFg^1~+?@w=$$P-X&;7%&xaP+`7Ey 
zqGw8Q+UfWSx50&RsPCPE1f5pbN_v8a)raO|HR<(B^pjG*am#Xcz85ytRWeeri{|Qe zNi7R#-nVKQz8xH6ah(r6N5M-ws6E%7u47>sf&U3zycBvvXH7&mR3*BxW?TZXlN!>t zS>-^(&rAmmZpQqy^YeqBl+BAOBRF((oQ`4SPDYynhfQ@koIQ;MUyQVg%+2kXyq3A+-nzO%e>NZc&R1o*5tNLQ(?6R<<;}w! zUjBRCgLi9i_ggo<)8FiWG9*MlCIb00gB9`vs~+qYzPgEVPc?bMLV#)W&7BNTe@$U* zjEtnSB6PcwsT)&KS)OXdJs*gI6c2I_#-+Yy-3$vI?zww7yDf+`^n_k7AH794d z^ZX+fTuxf_U;7_{A8C=_l;$nW$Dv(Wom1cGJx~9(J<()T74l~cx zKow%@8lk;XM?`Lw07s))-aDMDx4PFb<2UE{&raeWmkK?)W!%&5*vsb8Jmk6G*VFO< zT6vR7ggj6=S3nWshEy&grVbGEG)F#R*o`lOyKOf>(rj$>cJbAbJM3nC!tK*mH3_@pGO_< zz`{OZTf6d-Bl9-!Q_%;R4hEGC{vn91bd;&GGi<*?Y{)Xt`E=*6Vl(#yfDTdxIot*d z(SBA6eu3Gz zQ%1;HgCrpA^i{X-4^HN=j*!bBz$zL23i#>^<-Yk8@Uy+?Ep2t~A^k@6)g|ykZz!Gj zzEfTKz(2kV^jRx%(evvD8XTEcJe%lv>&5o4gV(E8e^PqGOjN&YSJFT=A5qEU{6;l? zc3~JQWpVq-7Xm9m*YWD=Bdn{7+Az=LJC{NiwHycv-p;R4w$AnJM{^$ZH#?OMtrvs(cdZHRr2g1el9K;*#-B{EB(UA8yh z@cLCktTyodE<<#|IgGo!)z&|g*isM8v0VYt0moGt81yOb?YtDToi4 zmp$`m{d3Ey=&IW=VC0>)s?{Cct`u+1R6-)Dr*@3Ui2wbOYcWoc?wVTd`E&c0C(utH zp{z>!?=Wi^kV_a=q^M(|{|(F<-XhYj*NA57Y~QRbI$CdXTZoqiXS) znf2qnm5Ky0vL^300SBp|s%6&d;ZvWteD4nj&)NCQZlYIT6SX3I{`za#{)4^*ewC_pKZ9Mb=K*_bCazO1<**>i3`d@-*X9E|7)QeLZ>y3tQ$% z4a+yTcc|B1Uz>><&M=j_Qq*`=6HvaFEY0Ad!a5i)_I+U zh)dl#weOhq_y)cl*pMc1^BN2L^?H12a)=?v3YYXhN#3uU{rAhu-ZpJBUBv>(B~22& zm*$ebXInS(KSz?VTEAei*p`*?Z+BqdSswH_P?LEES3WI7{24Us&LfHYi=D^Xe$W8h zUG*T@QNiHvH2JNB#9wCUVde{xpC;&l4h#&O$KJ%vkvo5|{O#qQu0p3hJv~Q#T)wXq zzgiq67jP`vk(qj*K~jw;N@1buR7$VOjWM2keQAi1rij$ zvwmN(GWrQH=X>6qHDf%AzRH|GWo2MsFq&XcWUKmJ2Cy_j$3k6`*^TM6_KuE7ec!*y zX-53=tRdyR*8iJ+u+VXb{xf-IwPBXLAKliUK!i2lgQVCI7h8Itn(-gB?(hFqs$~UssQ4207BK#3!e+s1QFB{vSS?vM!?0@{ zxHI0G{rNeA$FhcldKso4t+PYpq@Y$wNlDbtf{CVSr;}_y))d}+w__Sq?;Lyvkk@va zzrMGX2)H?^Dzk4;#UF2`-q@}6@MXf(RTW%KVm7Ij%^ z{m;@ogY0&+<%Q&wl$!3A;OyNu%LW3WQ;S)qX?^x<{79$0v(I9L zoYh!beL&*)#@99zGMpm%Hvuqhct5SO3wxpzz2ElM$y$e`wnm{lKD`Vk z%`Z8a1Yu%3+Nte;-~d%RWS1V1*tT>5RIN0Nh!b!fThuU8YQ{a9uot==1eQ&vmnnAG zlLJ3JWo#J#sG2Oz(GL%*MBUlM(Kfq{71K65lz?Q+7RfriNfU$|{n)JmfBhbKe6FOT 
z;@eT-?fJYPh|ZnPj?ag*U)H&$vb_n^PLUvqjGNOrY*hVtk{;` zw5xM>@YUceXvpqzMv0E78#eoX8*NSZ{lz}t(Nb`)j^8P`w!Y$_kR(3Ht!pC<2@@Mo zEH%o$?AsOU9Uls5sl1e^hZkvi?0-SB9>VA1aUWKmWba(Od_{0R@v+)_avQ`uAZNDV zw7>^NlR#?dwuYE##iG)Zk_c32Rr2Rez-RrHDvTC~RY!D}x^7yM@>!nmo3pk9r^5(` zPbU)j&#Puenl)di7!=xwdsv2Q0WsPob{s*FYVPcW-kjB3IUB+OpnKj(zuo>xfqwHx zDS*XgqRVRI#*Lt2*t}FIL&-JVWXjq05PF%#H%i{?*+;OQ3_Z3xrseWTCPO^sBQa#+k=eR&u8IqxCnp^QU>*db`|XS}H;Df%@59?`unf z$PZE{a>~{^8w5&Zid7KW+}o>obGEs#5Q6N#FAzpK^V;(MKle-v95r2|l;P!fN z@2W(hW|UTL1Fun#1G??}?uPd%c@{Vb3e2&TqS6Ktj961h5k&#-#?)} zc3rFV@wP6Sp#&^@-VoXjo{4|Qd?P{8HA3G=Ls+r!^j^(VN96@uw`s5o3e!Ue}5K}H)DYMXOuojdv7-^bwN1&=I!lWJQ?F- zZ~-} zW?GD!1C`590B4ElN!U|H`>EJz{fa%JIaxJr>+?}7Ar8jmSy^@+oAuKPp4otATS>}1 zmUcXz?`A8TD`x&T0mpjbo2k3CcHhu$tdPW>Jh*S>r-GEpM_W%WkgYKLU$X`ZRSoYc zNK%4jSRUKg3~ZFlNzu|=6LIexvgPH%;rV=Ir-v2J8gHyJ+bBk`cpW8+DVQBg<25oU z3bIZ&SzU4uBTX_w zOO2@W7X)GlZTEQ@T}F+cnh>W&XxA8Xl&e9DvQm0YjCKZG;wTqYc?gqHIM@>2u&i3T z-b|W_LdP>0CFC+tbL&|6;1V zYegyYkgL)ZpKF;*wD%lh+4B`fKo;wRwKSZgHIqmHufjH(*GnyW!#>SoBB77tuQdoxm!z@qr5Pw zfhtn zCE;xu?^ra1yEzFe@sTVus^CDyyy8`+BxL2uM{s2!X6dju)Otld>~tI3ldE6p=S&0}SebF6!|Ru9(Jofjnr57?v6+7y4U#n z-X5|Gi=IuyTU#V%H!&B@UTTEqXK@6$9F(Ek#xAAaGyo@o+48ZSKd3v4q~ZB2g}+l( zx;tbGfAK5^6lmx&Xk{%RwFQ*VEoE20e@gh7uhmr<;Gg@6mI!j5o4O-yD}VRqU|-SG zkEz~wk6#k8ZsvR38Ri*aM)Xy8UIsNaVHug88B6*#d)PJ<&ywNw^E+p0qEib5{RU5wr$tLDAA;{{1*M&G+}z6(Cgx3grCT%=DDq&HGZU1P(&&p7`4IK%kEn^xA8nYrI7oXx% zKrx0BoEv9qo_bqr9+pxWcSG(jqyIv1B$*CNDj}6?ifi7#;lNm<5@g~F??Lfh2NqUx zmu?C^J&nnp^9YsbJ&jo}n=+P0d)rdb3~9|nWt^rUK2|C`Gd>{ZZC+%TSxo z4sT;?J-Ym1qq~jCuC`xU#BE|5@|bua!Mi%Mk6&xs!4_9iQ+-?7Hugh>4&SoUA+Umiy;lDk7%uq{tqT z>S_2ty52k<%Kh&jFQphsN465`v{@3eWgT%!Su$D1zLe|+Wh;z9mQ%8v3fX2%vKvdx zVC*`mEMptXj3tR-#+GduX6AdTbME`|d)%Mje;$vr%yqq&*Xy~xR3>OX_YhSZ*37W3E+dBM<%!QQNICh z|K1@tcF3s80|LI+6AT?vg%4Yl6oNfm@jmTgn8Jt6o7lnZT~^(T^h2Kd>v?^4KM22t z`0Bkz!%6vd*(&968dJI@v$5JJU3wE^PITT1VLN}O@<-|id-}apg3g2l-Ut07<*`HJ ze}MyRi~;DR#QssoK6yVB`LoUlMH5Yc3DVdh^|J?-9;6AAjQ~(-^<}f3b;Xs1K 
zt_Nm?*$=j47Eglo^0B{(x{(yn2Ta{(>mi~apj@Bf-5JU<<;BWd9}SD&M|jPLNZmF+ z?%UI9bzL^VVUx%gv(pOMB=h;l9f%nIHVyrS5$NFE?wF`;OB*|iU$*RqXWr3*#F8X!*q(0>U z+B_C|w8zxsNPGD5F6GObwhDdEd2@_5btpXBvqA1*n#xgKdh?v&Jnat!=YCD;AvvsY ziDlwW{_d27<9wB55Mp~|nB8s4W)ehTGM4>JXm^<0td~n2!$9M|Tm!iP7{xd+|FaCx znc+6dRO#8++R6Z08FvbnQ55b}lwvCN^ZPJTka^)BumhWK%+N_ z!hI(2DHfu#M+jWkIjo^tFhEiUXfuNnzg+}gZ{IivC|WZ5n~>^tej9tE*5n7!OVtNY za#{mT&KsUQ_e>5`Rvp%ObMNa5GC1@lBPaPCK-O^H+JmIGfxA*={rM!eywZ23#hHr> z3|cuM=4>Fx<~>T#p<d?LP^ECX#Q=o#cE5-t<5E1gl_Lr9WdK2E*e+; zxR7_ZjxBy#y+Evh_X#QI6|Ic*|pZT~v@a`%6O@9m6f=DASa6IQVu8xAc;a4LTYBC19 z#wTbmOti=`ySc)|v$Vvi>%cU$RMi?~UqPYZ_zovRuJ$g48}1X$;el?c4;62OqL#9n zfc`BmT60O87)YsRED<;nce^H4`>cRWBKEbFNego2?>tlbfyyga@$>J-@2~w>QLvX0 zqn+MfH$6&I{KMbuI9lz!x@Uc#TT$aJPXf}6Jib$iGanCMP}IAL@(pJzHCM%U`X^jx z|CqoU(w~nH<s~0HJx=hzE`;}v`frbzkpmrRcp=59fS1{ho_fwhJAqnDq2!VABNTA4 z7bRCEPWy5x+J7`T4Y=^Vmihc+=88h)@JC~tn!K8KmGuGxCdOG_-k{_3jg8u#AE*Cs zL#LAy0o3jsI*Y%^lb0=vV^!~lDQQQYOdM=y*ovK6gaasuo zJ<^i_y^##Ke<Rd-D4u z@`rN0gHoJ#?f4p@t2axm@CVPtOf8NoLBUz?{UyKW=ETc>7|?^I*gVXA@C@vuL2{#$ zm#DVxKJG>;PKEdk8OEep$sPR7TgxKjaF$oF<QcZzA6<=1<*{uXTYNHWZw*1w!yU z@#)6(fO$yosMf7b!QRK^DOA$aGTa8&rXd*)#)^T2>d)OJ-U|iE(n8@0JwmDi`CH0I zdR%Px|@SN)o=NKX(mjBj=)qmY(@xjEVtB`0gg1qK3V)qwaLx$rND~7 z?<+^f7tahx=d<<#DSv5AB93nwuD3UbFYi?~o!cE{enpKS%AZn`ECM$=4=LTURT2(N zOs>S3^|*09n%Mn_B(I!uOBkH9nL zs<5Upuk664BEID?^WEiwmH-(u=Kv{doC*@xtmCEuWyLBxiolV;)K_ijEm!Z29F-58swCh6BZ{MHLxb7AsJsj z0^qT`=|R<1*SPtk9^NOuERXn0zMWqVc9hxs%~Nmsuf8qF*&dil=UBvBpx{k{%%7M2 z{!JV;i;cPzo^#9jPtN;$KNhS+q1>B>OWOyvHf23LNEVp$OzBLUWC` zEr9-^;pw4U%)J=_^D5_|D#XIKDos@#0*vkf=68*{bALlndP{{8pu@Wt zyC?zk>z94hW z8D{tYBY2dLO)*L5{CTk{pX}p1g9Lc>p>;0+{ZQ`Gy+IthHTn}^?n~wXJPLE?C3gPo zf1zqKt%RxI@XR>A`ya>4If&7!`4p`;U9sTw#J4kCN^e?_TA|%QNo`R8=m7wC|5k-5b`K_vk(?e_Su&H11Y3=&+0Q@^-gOFB-6Skh9eiWvR!h4 zv^DOOG?D+~^M#>uh*PI{0h~3u*z_2jHlWH@{~|2_?HRB<6%%D+ohWOr@9!|uek5zi zB%vk?ryd7R!pf?c?CnCF{g@BvIk;Va(@4pfBOZpR0_^8ocRqb0Ka1rI+dlyU6e)zuc5lI;zw( 
z%3K*4Q69p|%ql`g6oc&C^Gq~^w9@>6tsGJd!_#wipO$FTCWD(}M?-tGI<}POeCTP6 zMaQGqlMLi1oCL$+eFpvI($W9cJe=RBNWYipPwhj~M}+&R;vw!agH~fTz9?&~XUfh{ zfws#=eEPpo`TXLdQbE>Z(7~Z${Nl_1A^Y5~M?QE~z!0~bq5*B}*FPhexw`teXh-9> z@~uWlO|^#C7+}%pyasLGP~tVa!2>?5>xW%~L^Fta3xp za37H_-;z-}8drLA7`LH?G$_PC*syw!UGMD2TJ@3V$gVcG6^3dcqBvQ)nm{2T^y*B6+#-WToTauSG1Ww|VR2M^q7e9{cm`J@o1u z5`>8Y0^RG9J%(w8Gvn{%)7yf4P_w=t3&JbRIy)FMI9sY$jRY>CTHe9kv5=RX3O`P~ zQy;we2n}=#3l7{9a$BQ)%233E&cAUbjn(k2u-UNVb$OfTHqy;{Sr0vAl=K7a=8^qj zd_6m(Pj$sB@ylCEiZu@NfpwHjZPd6<5zJA$?62j}W}n4%V`kY9<&RIAK?%g9zB5-g znDL3Z{|l)8?^kDjJKOI6ca-I?ZFr)OPYfB(SQt{|J9g~5uKreBR#D2>uWcB>aTt=h z{Oa1-fAQX&qQhKB72@ned1Zll8ch)Zt*(wf8>?~?F4g1QZyVDO3w!`zfXlJR7JyL$ z@*xkUZ2r2^MX-9o`!Sm1tTp3giStKfC9~aIE*Ln33as;%*2zU%yVD!S2Oo+Wd|(cb zgE+UUiz)AJ#(QJO*Y{g|o)o<31WWRJ^~2Av8Y*7f);KuU`y0>v703Ign4t2NT7Jy^ znVpY)j5c-xW(JFfo-n^n-yb8Bj4yUHxf=M!a1Tv z=x}ei_9#J(Tz+NBe-z)YP4*WK&9ZGi1FK#7Z*`RWK5^C)9&<`!pE#p%h>3~aYL*`+ zlQT(!07G-iRu%jEF9bBhG~$4#nFI95|5(G68Vb}mCMzAf7QyY6i#ytf9k;YMiG6%ex)g-JB}JnT1(<- zw6tBW^g!{cPhvzp%aJuP;{uv5;aY{1%2^ce(st5qezD9geEMe zq+6uqT;J4`?_>xK6IEb3zY%@%uB25GaQ8&$RB^vKA6ATNl@xh!$XDS!*!|lu&ytLQ z5U-dsdE=Qh$)Q*Nw&cTNn6+*#aQdqa$<>oGF*Dk69dpZa6t9?wy|ejkI+YPlg;SpA z4ew?8KukN`O9|S$-hM83Ym7CHPQaF*66L@Z1x%pGrzJoA&4zmvR`YfQeZs70{cohI z5?vg=aj#y3?)}UPFNwD!YF!q(s7fD4=6dv2%v>en%*ubE2W+^2Zlu$D zs%he-1h`44APMRJFaV$#es&*)?^=LaBt9e(h;4kB8DSuE4gzR!uT%is?l|8b5YHm$ zjCg7`6>SQr`2k5-&ziC`o5h?1DsmMNC-7hY?O;ww769AtvF89(hR2&!{khb-D*tRG zOTuq?ypEH0?;xjM%m)Rrz?v9#!0Zt3- z+4HYmdNUI^@87Z#r)A=Pw**mEj-i3$w9gM{R|zx>dsb~tmwl&^7wjr`<&{!(QF-B0 zUOUM$~N(GU1L`0?6XnpCqzS~SKifzr2^*i+ND)fcu- z-YCzmpJE$@0Ask;Vljl=WSB$V{f2wHEDD4~mqU9M3;O(mJ^tNizff~6?)hLQ8%V;< zsF?~UySL)f96~-zo`lH7ta>!saWnR{VAZwztl|zZ6(j3TdEr44FwcD`{ zIA@;aT5kKS&-K(KqLC|xA9)pS*>oBJ3CP>dXUq^5y9Lv zVy0`u@%>)_8V9)Ah=+CW--)>u5)xu60n8(sI8h8a;Bq_f;j^gda3|w)C6I_uyt&b& z0UR*rQ)(26I8N*tKvG>~eQNJ@N?Oew=@<`ES_UZcOdvM-i{0bT7w5Va31^OhV{|=1 z=cFJDN8bw=@g($USr(P+EqQ8h-*?`WQtE~1TnPxXVJp?_^(FO=OiW~FYGhP}l*j45 
zqsDFRz%5aFkpOBQcU}HY6el*vqk2?nG2DHPrngSh?s&?fUng^6>2$**xDf`!MAG$;zX-_5I^q?1}@dX=_SO z*)VP5fr^jA)S{kin1#@jg%nD{+}IlGYM0iA4LNAJ8}})eirJ$JKI<&Wwjh9=hxdwt zKiyVBq%r5OuIIH=D07=%95EuMalF{yo=DdTg$)mNAgcfg9voPBkd1oQQ9kiAi=%*~ z%0E3K#5$sQmEZrFJ%#hv!U0T73eK^oL`3AhM#^NL{LXAKK&y-C0fNwv9JG;6HX5)f zPbvbJOAIJ7|F?>R<{0nd@}nN@Wf37?qzc~lIriVxNQDF4$`cM-l`>VhS4dA;wtje# zuQ%oTV87aAxAtarhv*5dUr3D1!Ki}3K(%?JLp(s&n|;mYMY?*R=b@z3vi+5u#}ggp zjP84mI3jxN(IN8?3?xCK`bUz*liTNh7p)x%1xMsN58ailovkTYO(7#mj}IB(nmCNn zCtgiBeyM7cx)vZN;9&apW+I4Ch(IT2OH`QJhOYuzke3fJ0)CGO76zy#1+-I=?xQV6 z-MK!QvfAHkPUmVt3DlDCR9A|j`^(}2;y&r?s;(fqN)GDqk-~;0h5RDw)JHBO*#=r8fbLckv94u=ON+u=jF3=B*n&ggm2E zutfO;Oe4!6mxiEsjb{dHy(^5H$|7NA{xV)WUo4wm)yGXRwwj=$cflro@b8Yn#9+dC z4XyEzwL!{9p#FS30x6NEvAF6;b@N-f4vsWNVKZy|6&av8GU}U^ZfV>Nz8ll=p4pU5 zU065g>(Qubgou6|3j*@FDfX(^JOWbKG3=3F6OA?SgjsI?u}&g(kYdoSicJr~>=Di- zXlncOMf}OL`hQSgZq#}N5YR&Cwbw<1C1qH|JW*qawFOTM5h)c_>nYq zpBD>@BEGKS?m-s#M(-W_xysAp;+i9wzMC1suOVNTruHHi)DsZ}V$st#`#CaZl9;rQ zbvs!9v*Op5Sl_U7QT|uCape)kQTZ9KD+e|si{@B);I1X;>PGBJxLRG!akfJqGO(0n zJr4IT<;GdwaN03Bel%&RXuGtMU-LXr`hezx_nh;Zo2P)=R~uLFN#;gD6EaTzq}3n( zwhbh!dE#K?RFCvkAc&C9b*c&Oy0u8%`)H8LGCLY+16m|uWkMK$P(q(xc_{LhAaD{F zS|)~{hlEE?3ZqozN<%tILp)8YE4OPK41M)DAG5?ao8l2v39Li z8nm&wnZD0y4xZX%!xi0nyUo)Ke$`%*-qT0Y7q`7v+nSQJ;-b!h&PqG+%Yf1(&*u5> zo)cxi?V}cli*Z5(#HELjx@UcoyL=0V=s0_@WRbjqWby-ob5hmHW@%1*luDDKyLZs| z@{jhW;m!4r_8_OvX0w2J>r6u`h!m}>k^x4mJ>31>U-Www`GaPcF8uT9!<*!xr_74% zIiy6`D-871Mts`~bRXK*WCX&;4zcEAVxN$YW?Q!EbDB+5YSEJIw$%fK>+ zH}WTC^RM7Fivwi#ONgVuWP;$tA=cB4^g^}ogt}^isD0+>nHSmh;y4;(p7tCJ-RzmT zbl#qBb-O?DqQC*{?)a7xSXpiyhI1$);3bsB*^_tbebm!B@@G6Pq!p$Dz@voQ!FDQd zslM^{Bc@=P09GF*W$86*sxKT@jBJ}>Q9Cn4S=fMGjQ`LYz7GB`xdhd@-%xFMp3 zzYSMiVpTzj)d%$vj%rhK3#=fY<8P{ZJgf6g%m=erqPGry)O8u=o}M~7Of9r&t%lrl zBB#!R8|9wZBN@b*Iq+rrtK}lkwCd1n7&#DHf*mP!=LGX(9pM06Xvpl2Xj)qf<5<9rxbFbKoo49ilw@6PoTiS?EOd%r711OD zdJX1%LQPLiQ$Uk7_VG=B9eL2t?|#8^LKAac;j;U|gG}%kAZbCWJt0j_`pk8w4{}^P z_8U-ja`8wy%?QU_+G~03*x6Lmst$0Kl{tT6USBlIZHa^Cb`S7zit@y04k4ou)}$)t 
zl{xEkmAY_0vKd&Hc@HeeFEeD4ZIU!C6a%k*@Ss%k!lDr8UoX_kjb1!@M93RaSD|TE zbdu^$s+Vs86kOrF_$T$=>WFFt;P`3f*-KEC(pQc_O}L|&%am|1Z{rrCsq zQ~`U#t-G#xJwKXEQzmyH?o%WH#@oi-+ z)LK2CV512IRud1JOn&U5we#(dvK4hvchI5zz9UT|nqGfb)GUF2;Z;3SIcFzQ40{PN z3m{IDi#d=~4*wAZo%--%XGubv?d(<2S1FdxdHj_4?D(ag%N0u8H{7_9p5M`a*ruyRu9y$S(&%Na;DYTn`=|fokNf7q46nb?V};7aI)m;8Ia%bha_u4J7Vpwpc6{ou#^Tcj`H&6wDyLSCDo>)cqP#q0^)1$GBqKpobuRJq zX&c#5$zLSO>02#FAdW!RYZT%o@Rf<$tU&Gza2@mkF49a^*P2T@M*;etbZzkos=thc zYMNZrm=RTd%~D8jvjhv9$ZVYJq{pyrF3aGcG-*F^U~QdsjQHx&badr}i`-E$ZY}6W7E#%PqRMfI$r=QE-fMTK+%M%E*x4Ab*LMJJ*`+-tRs!AFDtl2p$kW8Q249*xK&lU-pZ&Y7KCGe zUk^*d{6VT(OzpN0u)LccX15l4_Vebklp?YnRVoI%K+k77PPcqVM0s zk+m`-Dxdu3FYPY{evb3UFXmmm_2ul(4*c|8oz}t9gXS8w0Nf`EnE0#TwX753*yz7) zy0g>_8a$W+771Ry<#{GAhe0WkQPbXfohR@g2d_4kP46l-jT zS7BDDbfB(P@{`T zqGdu?qH&~7Liy;sAoCB~0%V+Hvz10dk9h7#&`XbzKCoNm%92`OmV?Y&bN9)=d(k?t zS*xYUuKwT}Uz}s5KY3}`1fHC^6gS~$LI}EBVsaYQhR93Z@A8B%1tihIqT}$qCR~&C zibNpi^_2HE8UOC(y(`a|Y84i%%0yH{qLC*~mmTq62TPR5Lt^Gbx< znTQJ@3bL;He2Xg zb`Z&!K>yJqI995@AikCxrr`g{k3P@`==Su5AmOU@97AG3O@hUcYU)wEb zcs$2{^n~_|tLbwnYaGS#-MFLSP||nx&RoIrK|%JDm}`Pr4y@O^FQL^I_nugxmt3Vm zW1cr>$tMZ7r0_n9U?uXNEx!&HrEGaI(n<7|&znbm`@X*%3&50t`;y|CwO?011HIwb zA-*Uw0W+)9RbVzgg67y?&Lwx=gB*pJN7<)bXdriszAG|F&x?a&1xVM9pv12GjrEmN z^P>k>%B}IQKshW;Yvav#%U%;bzof?Q_kgBWHe~u#koDo}wj$jE+K4dSa*`XF8iTs^ zFCquHL!jjj*}ES#)aL=oZx2R=rjm2Q?~2v@@Jyf=m!x+H;LD}(LjB(ZN>yQz;9&Q5 zvmUt`d6XTm!#^O8P6_uF+etG&7b6Tql@>jA=c|8l`d*}z>!1eHwFl*(=zB>9oS)(X z#&>lyKY6%9`M*o+f5zmK9!@tru6>WKT&-@F*9cy^UGnPiB9716Vpu%KE4=t*TQ!;K z))RkAhE<%4V}la$t!A*AbEdZXgz%i9iQolF{dyv|Sh;*|RAK_8m-YRr>tp`yp!hwN zODImzbjKA7cKZdp68+St-*JvzBQ}vxzMsoihq)i5$@cn#Z=YOC6$a|cDb`kvD}Yz0 zYgKa;i$_BgU*Fp=3Ee@!!#93(>eOM58<9uTCi%yGRHgkGV}|wqt!DK-@Nl15(E6vw z;G24d?5)v{b3>e{MDZ0|yVuW}b50O2hc}F*{$&BxK@YN6EW3I0@_4C}myG27=eiYO zu)Wb@5mn&i{s$@hDEMTx^=RDT!xJjywckK=*>YPuosxUKC@|Q!*L$?0)eeZIu3G}7 z6}wvu^-1Hq3xrTQ$ABYjzdRNadP237d56~PdTh=AuHLEt;?o=I^(G~!J!d;oK7%4F zA5X2-pY|kv9KC)zFf{nX184L*+V=Q5;c$tReC>8|2iNT*Ml&(_^;X=@ 
zyL$|^?)%5p8Z0`s4oC5FolU+2RAc~9c`o@f;MRcx?jxb9r|Yg}-t*?X#_8AE=cg9` zBUgba*e9LJ`trtyuW2<#?yY~XTIa;yUWdB_N9^5FuUKDum@-~ncR{7+;@ruTTtA;R zAXT^cioPH(BxAF*vE@6NY5PM7+F3R}no=5aiU&!YDUJ(jzZE?DCH?c4veW)~2J=}S z_nQnha~(()UpMpEOpV;+d?;tngWs+VJ&}elQQNOzB-Vi60xmaDwy&11G$2tT${ZEw zR+!E=an|25`?82(DC>M;j^UzE+)p#lMZg4EboKJHec57$J3Lp31~(NGa6$Ct`4eKP({yai=3yMLRT$y1mIl zq1eOA$F<4fTTL4c{iC`!FU46VG=7;6EY-|@N$>1h1}!^;?KbxJ`AlUvtWT6XoYwSl zc)ZjUHj~{7Cl%5JsPxhAjE%i*#Lc9t8S&-KJEH!nEmi7ohdbJ;2wgp$^E#sd5N!c$ zCL0T%yTf0BcpV>rH)sHaaJQxhO_bU0s>Q)R$U%eC*c^wSTIrL;@O+b5{3C zY&~NPVoapCwmEDjssZ=X9sp-6nP~64Zw~zwIyZQN|KGqyop^3{qFGG+gW3G@sr1vD zfk|eoi+PqPRZvFkm*R&O#+V#y&wJqJ>g~O+)9N))H(7H5j?hI%2^AT(mbOof2a#Y1 zMx-pLm#sGQO|4FpJaZ1(t$wr~vQ9A3_Wr&UYY#&ZfP<=tLaSRzeNRXtQ~N1MmnoHy z(RY>O%^Pl8Fbkw|N8VkD@z;Q+`8b=^l8K-y+whK{WT+*KMPd6Ipy|J_6u0L*j<0&P zTES5Y)TpoKv4%7hdD!fEjku5X027u=1hcywvzL7mo3w z=49s7-d6h8aZ`BRmFvvGxl)rX(ZC;M+0Dke#$^TjD#%lXotIWmNCkTJM`}Ebk}lHY z%L3=a@3k8wN-b5*Et+Jfc?de~T31QeUG;4uYFt;L$8Z!fO6$(1msftpb|7Y7tv^Gm zvm%iw!DH*i3GwBu=5aH=reU{n<{i^2QJt|f3)##JZ^z#t7l}N%1Ib$OZzCE(Y+9;{nQuUn7m`*?l?` z{iwtTO{-d6^v{iz)1-G9p((;ptz0wCu5?uWh1%={fd7O8*Dg_&@-pFKPDRo3NoIXU zTYlb=yGw zy40o5fc@*mfGiP*IWuk979;`pml=Z!4^4)@?c0RNG)Dq$18yyKX$EayOjmQ%er znc|_pbGKi-QCj`(>zG;dz|5nWBew?=?~rS*aXU}$=GL1MO8ir3VIJ_JI5U1v{US=AT=zmHkm+W3 z5|mR6(;~}L0au(q+B~W#Pul+sa7sXIf!iIsNm=B2qjy%ep`hX+$uqlh-7$=a&G&^} zAH81WWw0o}UgKD=Bz!jk`sX5~Wj#)7syD_RoEZ&~u@?xk;HnyZcc7RfJ>Hkydcso8 z>*gq=&`hQzT;=hH>Ijdki-`z29PphX%d$yZ57cMu}z|V_FZ_yYl&LjFV zrFS!xHAeFj$3A#8rYk)yo*MrenjohV{xr5j>xsM^P$_x>xNOO-p666Mor8mijvf~g zRl*YR`Wup#{hkGvv;1`HGIIBuw*!EGT;R;w$AXJ0DH^5YOS}bg`@wT#hXbal=n5%L z!1}9%D65;xFg-pi^3U4P$+>t~z|Mf@qJ7A;#Z3*#!+At8y^pjFLH&T6^37!-nsSs54pU=V%nQ+G?#H_>}jCf2JzO!PlCSVP}HSHaNg zS91F%3il)Xau7ekQ-}7ix;Bn|PaNR%QUpeLM2!Ky*@}zaB7uNY@}p1ukrRcgku27> zBeuAvX+Ywzr&Nw(1po-8^+*+Dz1n+b?Iv5_R`;9ER|1EPg(B3zUd=R8SL=n8%?~9U zzuRz-0Ep?tU!5hvW#S6Ug*2KzE5O;uNT*G%x~%uqr%~GSgX)ojj4+?szUE%Cur=De zQ}S&F6lhdpf1)c%Nk0N`aYO_p|zA%V}`X5={{kkAVw{&K<{q&|-%Lv;J@~Zpl(X 
z8I?aylTkQkM|<#`Za!L_cpO>Gmj_sS+1L*`B*+2m=vwx}7{Y`2r~o&_xABbF`4>z6 z!wdp*Ijz;{@%(ndD?w*NULFEc6)N#V=b8$ThG-Y`COy-|7HPf-6&ZM z3VK;0DjehCD>Lm-In!U&R#J2E#*pcMxCn-v(v z2YM~<9@F{{2T+Dy3(NKuYhIC!96B@d=HC7^0omdlu=l5xv*u=vTNG1yIjAcVGA>~d zMDDNje_dfdKRsO1;l-&o2o1K#@tXGdOelCA*G$SGgR%F#PpkoqR_~eW07BjYk~8}> zd#u^Err&`Eh{-@!+HXuPN0xw_-R)|91<;BKyo*oiL>iUp4LB$Y#PIoUFQ@SUPk|W6 z!`V3dD#-U(r;P0Aa`}s5FEh#an96yUQN2EK%5-^f`sJV&)W06GYChA4y(5EXr(HS+ zZO#${HiC>n95e&hNwfKT3&r?rd*%D+%+r1H_4Lh%6d(`B;8z|_WE6+ZL5m~+mq-T| z=uaqD+A_Y+nTViAQ%S~R_-SgMtpQS;SYF zafj~$-ZeDKE3>Us<VkZ%kH3$t8yB&UD zHUrOm!RfAi1gt|7?*v-E!o-#gWv}gLV^F@Sb7_@t)%* zr2j>ZVH#Y6PGS>&LR7z>Q*QQ=owPlfZCj#-UpG2e_sE%#UDg5=YgbRdt^b;37$p<5 zb*28ICw^^A@EH>HqwYo%d(CnhA!=3|_yg4gFWJY$j;eYjw(DZ)a!l*iifJdkQx4yw zs-@_dxo*z*S85sEih?~97cljC?C%l=jBsk!H_HuUTJdtWup=)!F(xr{mXn;u-e{V~ z4mbL5x{S>AEa*B*Z)qEg8V0vv;hfQNFluFv-)`=yyvc1^Y~ZSeA*P4C!k2sRIK5rMsuG${rFhGPhUok z_F=&LZ7m^&7Ulw6f<}=4q;_J(MFkh%iH<%5K4vnMFDp-{!Y=0KGtV>gf!OLkp2xV1M zK$r~A@-#q%MzBq8e&9~ptedBL<&IFkm88}7%r$P66QZhmd&s_1-x(~|>lesr(QeKo z&Hy<(b_qz?iaZV4Z+4V5H46T5kVisK^u16i^&A9QW+?oF9{|$1Rk*#3olD1`IRt0|QApfK| z#1f&vTHmZrxz6+-qJ{Q6Pr2iy02S~VGN@1i{xyT}I8g89@(NB~(O9X$} z{Bt=?T!dT@z5{=pG_&tg=yM0s^+@iPFIhjIz(b)58MM#XhxUE$8sL30fW#RWZRCre z4FlJ_ToRyw&I#vK@8D(L|8t70ziiC<^8L%UqtYgg)(FkB3)}sxS-YrZHh7sm=48PM z3SJt$FJQ`xY4eb|OU-!Tc>F2Uy>k4b%3TbpNYG^PMbw8W#=wpqfW??1TnMizNLL0& zWLF<3pElg2^1i3<2!c2SNhXR1KYk1!H>GZ-t2pDxMw4D_#=N>rE$!&*z&@T5BzNz# zk@GTm>f14YaM@)5o*J?OB8?JKOuWK)uWS8#Q2dJ!0UuhDW3TB>uALO)xelCXRfB62 z4xhJw#36UF6%XkLMS?2YUvNCO`LPCwc(mRdl=Tq!#?DOSSco!H#9=O+oPrMR`C4b=JRvp$Hceb*JOZ(M^0Oa$2L-8aDY&(ErUrlz6+ zhbCy&vwhIYIx9N6x%$cciftjwuzasK0DdhT{5NT%hBnzJT~WDH%3w=zJJjEl8Si+} zAy6M2U_^Smm-5V+A~~`(>Xtwn2@5{dx~wKBNj(2BpJ-Iy`~+jGRkQZkU74c#+Txks z&2{Y|9QEqn6PAPppBO;}I6-s%0>Dz00ph#zpKtRbw^4@D=Xvyp`yXS+pPlu*^X4ad zU7Z!dWb{8i$)fe^(zF@ITTOqh8Yg>1_NN=NUM zLE+g?FU)KBwifgZCe4=rS&VyJlHz0Id&yXP@7YN)QBYB=ZdUlHl8TThN8s*qbJ@_Q zwcl1<>m!=Fmy30?Komg+##sz%1e2%^2y2d+dPfu|Q9Es=LWcl-Z%9y*})J+6EUNQ>rJ!2c$ 
z=UW45@w&m^5g+q0Na=>t03DJeFS|_}842a2yCVI*(+}zfRvVYNca%L{e0z(86!P1! zJi6I=(Ld&l>ZM56W&uUQGPB>_HLK=#49Q&7nxiSr;fclMf^*5^V$)%Tm}QC0n~~k4 z@T`&N_kn~3eC5;2>$>Yq|2rbu0rnk%FGUBc#trhoVjtApt?+U7T+Hqgm;6c>IR&f9+;IdzAt`G;SgQq1szygU+lL_j3-e&C=D zpJB=UWm2UUx8qi(Y$l@zuUvjH$>Agq1p2NS{(0v?9x!>@0e>DB>KEEs`{=XCk*VWN zeOCEBnrp&$3kVrv_M97=!U(rZ*@4#q(>dd2$(!)44?gQNF2S=)Hq1=7mrzISP0BIB z8VNKL4V%Sld!TI*fmWQp&LfCc>lno7>C;DnMA@7@j?1X957vz#$|a~&RI1QF8d;zf z*dz0s?MqX2zOpNVn{T99#AFxN80)D{RAZ_G$QXH!7mtd$-&iRpD=2n2RbO)dGlQ?i zE<3EE$HJG$Y4++1Z-%>%v<x+TN zooXOz`_o>4feF_Mt9u6#&nn)H-^F!v(7~gu-SMm~+h-M44m`3`JIf!5I|&CIZ0)(T z6F@~lJ%7Gs92XO3YHZ-v@2=ww<*YNtgida00A$v)!))Y}wI5X5XFpiv=6YC0ebYP+ zPHPR-pozrtYt(30P16zU&gZv88h0X*yPiY+=?gWd{tkO6p9s51Z@&(w^7v9Rte&rW zSgtBD4R&v(bRF6Ku6*}Stx`D-;t|!*v+Ch$0+UIU#F+WTzlvH>yIwn@5O=OG7%%@{zO5KSk;@LB{HsQtoiV5$Lm}Doa zd@dbOFTOIe{l?nT3{e&4;-}TX_)?Ns?!z;gny}EU8_^QL^-$=;UUx8kBA6%VZfCOl zufd;hMI+t7yJJKk#mWpefe-Xyyg&c%EI#a2NH}8q>oY!RlGfH+HnMtHj*EF&K2irM zk*NYJzFPa01My5glB~H%QmJxS7-8LLS!-LneW(nywboX* zW4bY~Q@fQiPfXa;C+|({&?gj0cWqWmmr#BFws(^KNQO}bBYSJe*BR+!cgSCA(fwis z@>tNepS`1G^?DAc_dL&cB%*g9sV4?Z6xVKCM{3;lgpYXFSvGA^UvFWffU$Q~SI>s2 z)Bc%gUGb1($2qw{fTK#t3(Q0vRV@Hw!quJx7 z?*dF?Se@f=s{UEOnBY;KBrC3vODKeP6e*TJT+tV%0Z-~6B1rob0Y#@ye#x*gVDrIi+G)2{5VyeoE2yH2jXWos?q<4x{6Zm1p8 zsWN!}Q+QidmxZg=+j_gJhW5U?1*n~P+Y&+;Yq<4F#bw07byJiti59PKYkfPX27{cn zN=rwS*F81~oTY`Y-5fJ~ifn2Mekwb=W0_ml#qJR#_8{=|_hxQFUpMNyaajcWgX27o zTWhZqYyQt$(24jtj&K9Sh1^;jz3p`AFe&PV$CLDPRdUJOskBMUSt2x?W;x|&df?hF zmeb*+_g-VLy&1MAWDH7gC=b1(&lND`bZJyX%j-a&(A~zbZEmddp{{K2*z3(qjGJx& z3{8Bpm9SoOG?JJZKC^T(!9+Lbb)uVYO;1n(tfwicCoE&N2-pA{+(!I5#%Hf6=3T0w zb{XXRUcvs^a)sx@IMR}ptmXm`ZJqUIZG}gVpD8>pu31|s@98=}21FYLPR9s~gGYXx ze5&{Bqx|P9h-i7moi(B;<2dCVZa92E@VEIBqwIM-;tH$Nv3wb^nm*MZyy&|526W-T zPKKq!J?6mK0DSJ{@7j4iD5`7wdVwP_^>AUykx8SjNgzCQ$VP<=R*A}&%(VVKtsl|C z!5M8L%tevkKYjk0FPrbEvl_tYyv@V?@_e6=`ISyMQ>JD!mcJ_;)-~6i>4JihgHvlh zx@^@isD{HHLKN;jjIi5Pyic_l0Mio6*@w^JcKh0 zWgqY%V^b7r7uUv^Ti_l;_~xUKCRN-^td>fs!aI8a_jx 
zbXY=E!{_?JjET%7Lifny`BxaykA`J-+1pj(gD+c1ys%lhGvar@brkEzr>`Cyi3Ew4 z?N8a?@`!cM&Tj5J8%YR76!_yhQA669D+5!wG0pmA?CkukOIky*dhU#`h6*bD7M59R z|M5|+-(U36lZNtxu=IlgYG*ny{!)zopfbawGs$iNRpWsKvCfYLj&(D*xw&ad7h-D@ zL&IFqiD)V1;X?H?{=XySF&t3^m@82Jw|64T#x4z}lbg5esKVuAipO;C4%C%JI8&cY zpS7}==}1{gIFHp|}C-ssaK0_MB{xK3AU zcRr)#5TChz;+djez>AQoRr=pX*g7e2WU9gzvTn$2PVN&u6_ zYS~h`WLmq1wX}%mO&zB79Lw5m-i5%4tIXO+Qd9b)UF5;b*?zyt;OO0pcy|5LxxJfN zK2PSoj#OnXGhc%>i!z#-_2go&sjVhz-`NK8=9#8d7di04b->+qR-TWetzcdL1>>L7 zYJan}a04&vvfs9j(;O%Nd{^l^Se5ssitXp3hyn&yl;!j;oRyX|Fsm#I9<{*rIs} zwSqDgNFoFX79o-lh7d*|oYF*6q3M0-*RFAQ85OQ}f6*dgFn!grzz2UW=S8bs z4>W?CyG3*8ye$dA>X2-`+yfowHz94%WpzPP9=zuDecDN+2L*ey(j-n$&sI&sovqmX z3AuIZW-t7@(V<<^8{Mx;MLtQDRXyWuuwIpLOdF}Z=SdvZ+aL=GB)BBp1_ zr}gyB(Kd#owylk}aC}i&g`tgQ_sC&8-S4Zh;3_3WiHS}Ze`ENV&6gLQbE-C_n&(O2 zBNJ*&sSktLaEeDOtvAk~iBL2FYr3nW2-%c$5G!T`S~F*YHQh%VY9{JxnmaN;HHNT_ zwalZJktg9(Kii6W{Ft7l7;>#2r0U5pGmYi6TkHN1-hYU;s7=pAL(yfo2g)n;ODHz% zHv9lh+tqEho*Rwy*7dQc$U60si;KfK#0TxkCtrPYCBy6Sh3jkKIz@$1MpU2M5Zl=` zyv}MlTpIlXQ{*(COb;gn`-$oBe#7v`{4`oy|7(vy3$g&q_5F3y@C-{yi7+SA+@sw)s$j#NgrhUHkL&Y==CDSO@@{9dwljj$zkFoX3j<@@=C!}H}z$CHdkCrB(NWe|SYbl+qS{bCsM zq&oJgd&s*RS9wCi^?}0sQ#n*aAX|g&{7=i2E4C(AcTEtD&hcs?7R&T+>gSgz#dY^W z=Zcq{IQ9G*ThT;V)85I@*@YoA%kyzc+f+@4Y`6o`nukVHy1Cq1>EX`4`tapu_$>eO z{V^(WtaSP9#BwNYyyy&>A_e5IiUI5__@~+HbE(vLBr)x#uz$pN&QOCW?TP8(oBK;{rTh$ zx{i&^7?&Ov#v#zFtGQ%v`bl1MG0%xJv0Q0;y8hiPK9woMyx-u!FtU7k&Dg=6VLq*r zgO=S@7xEosZq3vBc}+Z9^lW1x^4M>Ya<&ComN3~fv#nNrP%d{yRene57|Yl_jeQ^_ zXnELWthafAQCp7SOa;QIPi&XRiTQ|QulfuVNlWydh69qoQfN)RG&x!ueSdkyWB__J z6UZ{}fWg49w)K173d}AljgG#OtZR1hU8eLrhgm6|tJqoSmY*ZfG^JlC-w`*Q0}2g8Ll(Ch2G{Z+P8uFaw#eJYOnD!P zIADcQnQdCj254mJaM{?4&5spmE$@CYgF^>)!ij6FVv#u-&wpo6pMs+9yMB9$dqvCx(R;<1D53(k00OD-REY z#@ov-nqGE++*@vxxm7i1x$L)1&Eh_jKVQH0b?YN8L1MjGy1X`PbP5#|>9tWRBK$=x zoF$r(qcrO3IGTE@0>K})3qICi9?uWlRM_TIw7*Qpl{H%yR8h)l`%m(%v(%&t8;vXS zc*w@O{IX%lCCrFOC9XvOOdm;;f5xNX(4($+(X03u4IbiZE-iY^%bm5x?QU!fMZk09ZYy2v#b 
zIIBO{8QzShxPM|TuI~ms%Gy34o&?7VAH__i=#x|vbLJp!8ds7tPm8%MJuRS9svR%K zA~>?;$@WL+wTxrbDHNFQHjok^zgn*~@aE`nStC28t+0SoyrGmZ!{$BCJ-N>BYQvYO@o608!;RFkrj(1=h%=o-2FAl$SE^sJX^E-Z<9WgFH z>36}i&2g|-e}c8)T*A*{SVo;oits}|lSIk$ANwf%mb`ucSD@YH)P z#39C+esyHHW8k7Kl9l#4aGR*K@KZd$Hk~Yf9lveutwk<+*c;5j9xpa%?G8B4%oYj<>0t^}+?4mq#pWfUbMqc{uOX`ma?ZV8*f>?z0GPPO9{W_- zQgR9@q1Ul}(qWn%)&_X}^|3KbSBO`FE3+li)_9E;TxEU8YLsyu=OmyHoF`v$vz z(>$olazeAc;kpBNg!dtf~Adiz!kl z=ht20&vKYg_E3!*U)r4@PkM@C-8MfPBO^LymYj+|Nb>@vTa(=r{1M}(Z!=DG_6n~l z4u{PZUW)6kxP?Z}8}ePWYFtp1M^?6%9fz(}I;*Y^jZTR!>8?p@iGsSjwE5sOn_+W( zhc+X2lH0knR8jZv+6Buw;#vjqW3?A1kknwq*XSc*Fjw^B7**~r*Lp?@D?fF1`Gm(t zvDRAtqj5iXZNC%(;}p92Awxa?+|qQbee|8_fn{?2IBA)Cna$B)*z28GNIskqFfllB zLo97V{z8?H@-%S4S7Af8*lBj8cWHhip++2mnOE0jJFz|hvd1M^;$-44dt4S$F##x# zNj1i^!g!J7DiyZ*t$@yV3Ep%~(SR5oUpkLnKPE83Gfejd9Fjc>zk zHBxWUlsK23$$E7)#xhUo9`!=ATVj1gTL0M5OAU8L?yh2L?J89H#w)@GP=buIqEJW# z7y=wZ?(x9u+r)_(kr=qJ#$M_Pf!S6PAOs{CnnQ*PWuhN-r5#$GDSW;Rqw1sPd-EO2 zx9r?(tNs3D((F-b?h8n9WbqcO-}(#X5BGTJRqX_JUexh%Y1oMMh+6#0RvIe|SI{ zP|zeF|I}2-`^X^-iZ;3{N(Ci(Jli%(sPCl^`FI=1Xm(*>~b%M6Z9xWE~jwc7|mmfdzL6GIm1j zVRYM(rrfmPG-5h>U=3Mhozm4+*o94-jM8H-bc+ai!v@n(?eG1~2irhs#tv{7eLLVs zLBOElw>4rZtx-jB*EnK&r15IjmLH7JQ#aw^k9~?E`$-J_3HxvloBP-7&_K!?zJ}u0 zT)g96PL5ZeEWaykxmBgT%0SGnZK?&P66cH3+e^YF)j*P$bti`GN zj#|4Pa6XTJ*D9e|UgbnJX~zdCys?jq!1yWW#I3!rgc*LTB#SR^AAWaAKsgE4Eb9Ek``?WjYDd{m*trpc=V=f?Y?v?wcd zQ|~b#K0rxIg|}^d^2rI{eBI6sd3*1AKCtI)bc4rtR254JyepU2LXfrYTe=8$R-JN& z?5eoB-fR^o!O?d#{}&X`ks8F0<;eMnXY+!Q$86EPvDF6t{cq-h zVX>VKmHbI=Z^;sn4GaUzO?nf-W3OK0;1NL{zlY&Owj4KNs~d*>#HkEk3gp;grhAy} z$N+x(A-U(~xy2HZ87d<5t5;m!l*dOtCeWtq&fwqs+_Z^@MU^+Q4eMvB3vBdXP{=PL zIS2Wgwx`4RZyMW|v!pHc7UuoJtC`6Z&M1BMuuSm;*NiU+hg>_%Ag4_ES1gGcojAF4 z6Ej`K?5OiI3*^h3?}Pppu&ljR^czywMNC2vW8pUSA-XvV7h+>!jrW%tu}2LL_Dm&r zY{aRwlIpTnJGsV&@nKoo?ntVHx!##c(aF3e8VF+ASUJM`#koPhzfOW(?dU{8&p>2V!}^NxJyDd*&V?m>HIe4q~Ea@*DddJ z#!yQ4+ryXJZzo+eiov-1_dHROb$t64m1Pk8kX+0{+00ip9R#IG2n9ZIt( zLpHu3YIM`ms>SZZ#)B#=TxBWb#gu79Tf?D?{lF*mNL10C$QtUlPu?KBK22tlSd5>X 
z%G!vTQ>E*A_FEB>8u2EHr5NUaj9d`w_1-<(?Yicq_-T^Bj@uxqQMh3nX^-+1q2vt@ z3`86*pBI7bYImXPriOFKws>P@Tir5SR(Qv&qEFN%cF<9Sq;McB+w^ z4-Mhp+lW4|m3e;p4UB3`h#q;!cs0U#S%`dqPwn`nJJI75&IA~^BI0(|(~;q}f4xp3=@k z)1DKXdX9gHo+n8O#uJ~8HC%4RygE)q(BCCPV`EriMz=O&~hPSh-O>X)hHpSDKNDf%Ls>ZhWSPLx}YyB|LGmsp=A#&DlyNzw?R)s6WDbWUgrFE93J*}&Nzj-JC~HrU_QAk6 zQ06{_mn8kQiO#ZIlO|tL3Tj)mMJ}X$SmN$Bh% z2Z;QT8B%R&hOZ9Omvl^6v_~z{d4Y1jO0HFXA_!2~6*e?ROBU=ljw!b(^X$r@aO6o= z^8wjU(^uqJiMbF^6l0=zgT=bWr!#Bklgx!mBe_4q3F`qsWmBwXpIWy6Il8x8EzL0b-K5zuu5uv};2C+#6^-HwTz zbmLfcYnu0PB@E^Rtr-EG)jT7JdQX z!j>K(Gv(>vJJY)+*^d-*`E1on8+z?@4458Cx9OjeL`v69F#FeRt*iBp@j+%g)~s()y1#CiKNv#UD*vCAmKSO$BGFlhXp*+np) zT0b3I1;P)$+cueKWfy1R3X1EhRkbL38u#KN{i;nL?}corNY`X_j?@`7-{;n}(<%&j zH-DmQqkLw~RvlvCv$8A^fx&AknSqIuPLB;Zwlswh&d`>32J9V-lxGo#o@ov9wA{Lr z+}ue{;$3!~v);ud;ajW|)g{q)M+*UV! zXKY>A!!g}<70$4OXKGJHL^zd4-tvpZi&FbuQ4~7imOq+5QU_s^zsdJ((dvloPL6P+ z@31y?^eb0%N#k`Tj-c<(zKM{oH206rDT28k8n?@aX*2e8Tza}3MlOH*EiQp4cK*b} z2L(}KhUL*nQoDcAubJ909NxQ#)37$)*2R!rL-zGCi|z2o?J)Ggg9y$r&Z(70rXHjT zH5$@z3>`fug_!_dx?S?O8jLTW%QT&BiNb-{9PNm`>>vmi zYndKUA=904s z_In|Tr0MjDLSGOA5qCylYe%&A^3qsY?3CmBh%G&pN`26F!{_QRH@}b%ESgbaOE5wS zmGX;n=DNN&T&GiF=YHA>Q?uEeyjo?E0&g2U+uQA)I;}RRDA#r*54d8*ZP|0mHfB6~v7Yv|?7ovqM8s$XR(=97wdQ0l*V`qpR)_DnJM@Eq60aE5>1%dmFMS_DM~w|Wx&n2s z8}r$I%tCT~fXJSQw{0JvM22>yUc)AbpV+5zI6Cw>8jp}Y9mj5)JjbkB=CWef4U}4{ zo{rNI<33-gHidBa7~NTA)1DlNcvM+f(6OA1BDOtCB+6b&Uga=r;&(qSw?Jx$!2eaw z;KCi-UY_*w6U=>68AW!hHfr4Jo%ZSnXB{Y&inPln+2cf>tt*WCO7xL>@r}rNF|GVL zxgm~7{iF!g(dGV3W)yUG|Gnxu?_b8^4s~dqqr1P@?>a*WCKaTeeWOD4aTjab2E4jZ zlNx`vrdbswg~g&8oBJ!OvBe&ml7^h57bb?K#eE9mBI00MO+FH;fm%Yr#^x}*!n54@(IlBKkR#RV!NE39)O&z7-u4)_b4t5kc8Mi6vA1B$v$7w^GDFeUmD(==C zt+%c4imA82TdDXy%`YFCKVcXVM|_%j_qS699`;;&!t*h4JQodP7SE{$R>CZ+>RMW# zY7?}F{3yfmL5jmD!a(jwy*(!)VM<}nnWtk><4>ndB!`kh>XW8gInIs6-KmRO)U&*0 zujQrNLFy9={uiP?jy=c1)LIek#RNQpefsTK*kCFd%i9=Txc5<)H-?`{ z&S`TzHtxMn2;2?q(z%MMSvM8^TKevYhy8m^CQ|~6W|?DU9fUeg5t5@JSB9_qZFBM4 z{-$FfxeAxTCIg>*=SH8bpCG@f9X(}_Z!m_8zCm42n@WM#RT*@z+axj2k4*hM|UflW%l;Q 
zA@VA{3Ey?Qm9Denfqu#?w;!(jp%vT5oU4^qcMZ ziRDFoaP7U>qlxGgUi=lAyio{aG2}6c2_FfjD%>^MwXSsGA)Lp%&L$qhN)v`PFexmJ_)6cUp*W`70qbe z#U7XUq#oguyb3h=2E$O(3*Ip%s9M@`y63Da0#Q>uU05(zW>A+c71F*rx3Fbd;>uDg zRB5eC>YSRt=$vPxhkK_f?y3If`ZM;1#p=;kbx2xMtcr&E}=|ue&)p2dh zGHFhAD!ZAngE~85PEqHxy?4U#ZECb?ZZcxjn-}_gv0RaQb`%8^E!!)M;?_FkG>24G z;wS_qv+_NYB62pg-C_8lD6}1^L?Rm=GqJtnlp*Hs5UVB1emrqL{?1%mM(7u0arN6V z%*;IyUYp^=o{c<8yah)Mk@=3U;FQG&;Cvb1Qi4#YHZGK zBT%%O*w%>9$-zehzWSiZ=5a3Rh=!OQ8cR@mcwXdov=@7sw|M>aJ>ma~>6s|!NOVd- zjfspt&MFgL(kXUxRjMpDnRrLplIgwHr+1d^V7pN$9^J_ZeRaREqZC{$GH8e9+lSD% zTyEyP*zE5!E}d96XivCK@cz&1oP!hOS??NyUZJa=9*)Ng*z@FZYi&%U=1_u$d)13Y zQa6?8BS|e}`Fjq)IgG>OoRJEvdVb34x5BGfyMCQf>WJ#3hlVvl!Ws*9qy`Q5A$SGU z)ahX;y?9_`jOG)}?cuZ*P+Q4}AM#=!sXb9@4gAs4$(J4eIhhtclpwmP%B3I@*00=$T}3P@7$~tIOq&#k`No zV9M#X!j_8xK7vdJHv5N%=fNN;GeM2fL!qIyCyjZny5kFDg4*uv_YIB};L1EExW#C^ zkTRB=uBNdGR76L5h{>1^mP#x+oR5R()Z!6? z$~D>5k57r@VIDM^uMU_>p{af`$bw3CuL8s2 zt;$?8eCa9tG@if2uw>GXu*P%=K)B0Q)u&M1j(Br!og*^H;ot2kr-`&92YK{bG z?`20jI>NbJXQFJD9TGK=OYpbot{hGxx;W<*RQYhvh0!Xy^$2W~BcFTuI)dTpZOL=W z?%)K9py`~aBAHC@)FKVn7dx)kg?4sCd8gW^n!#Z$U@ohIjhCKrG>WJ>(ec}h9XH2P z{VuvE;I_~@Z9Y9DcWaq@ovhhfq=sZM8JwNnYLGA5Y!vkEAGjCZyY-p$Z^*uf4+NF} zChJ6SxF65{UStkVy5TM)>e~$8S0(p)firx!!T|*cU^1#fPhx3T`(+R&hiR8KNZ+xf- za-T$V5H34&r!EV3ih6;@xjkt|dyvP<)YAi;s@>)L5cT)0OA0G zG0Ac~^Dt1?(C%Hyxw#6fz3CZWu47DagCuLL?a`HW1+^;H`Jmi+Y5h537x9I$&_2Ov z+IVFrA^YU-{XkHlfHEbvgXLwU??p)ru2#ADZgFBQEM8yTSMNH(0}(;e6r0@ zGTLl?;KL__n3M#2{_WWCEcJ^i(~Nj;ecviMGhTMxh|16{G)vWc1pPRd6Q$zC3wg$uV_N z=FC`a@Az=2<2zNeUi_5RA5v&V93>bV%?E@ykxf@30DyMI*6%qV`dl{gw4gZr-3D4R zgac+e6uvVq5mf*Ez6REQ(=%xn1(RcOT%NULt}Bw68!b#BzHf&S#EODvyO#KYue&PH z>2G;UkUinO3duJV9+iaJj~bb(UP>eetWgtx=ehPd6Cuq&JG!WxNecBtriC73$DOnR zQel-t%mVPU4yhcEJ9Pe9cd74w+N&+w&HR+Mcvt+or#Li8VSJ%)1WF{6_JV-g$B23!D~mW!RHU9JA>wdKCpbFdwf&&z1wy{-=W@i0 z<98nNkQ{vQFuC;LP^$eFmh8|)kmtbv(C0nS!Et3ybd7N9JdI6N)%rGz7E+-YkVPsF zX)jmgl*0-_>fFN|O){$Ndzt6Q%X;xN+(MP}-i1zV=XK)pEH4$r_zW$78yI$MfAGSM 
zMoJ_G>UYr^QHSP6AF^Z4M2zn<40|JSm-vQW%SAggTX+iL4r&UJm6KUHD>J1M-_e58 zyFa2{px$jF}4dsfCQENf>L z4T0%m>wLw-v2`M*`8I_kEJ?o3)ZPUcn7AL408kcdZkD|qkb z>le+LCz(lC-5j6g?Q}1kyT{f+po*leG4vq5?0@6!wOH5+?x7I;1uqdZ%27nyqCU?{ zgvLqF4H>v#khtkQnqIdk&yxzos5k9F7hEqZBSi+LE+bs2KCX`Im0Y_D<UaAMo)KRL#CmF|Y zLzOv6XG0OL&P2DuYFr>EtZxKs zfG^J&ypePYE6iAI26`c%XgE8r+o&NVoa2}wk;1HQs(E~%g@pG~GmhOAmVx`KEI~m}oF_Z{vn1K5eck zXPQQ43Cj`SHf-PVUJ#w=IG3AaLK#l+8mEoe#&q!RvhpXEy+oFV=dGBuRBB)u9fDU< z`!#)ec8#Z5Sg8+jH!J1Qlk!aVLLz$6lx9~cp?S1APnDstdWrae`E8TjrhWxPN9Tw^ z*So5Pr7@;QZ)#ZKa$y*!0FGXAKuS`bToDEcJ|Rkc-03aq;80I3Pz*%IX+q)%>1EK8 zRWw}a;qXo+eh%>}JhdZ+IGxM3g`+tobqX}xQACrV5AIV|16=juU`ZXiqT%IcA)Eu(suGL1*yOS12v?1YpUL~9~ri}%)^t=?#6N~X& zdq!*(_h$Y4%`-`R*}fwA3R$pGZ?4nEH*fkNk7UE+W`Wo5h*+IY9JB@XSkt&UQ5FH* zP1cQhvO#l3Dm2`&*Ky-3DSF8>&E({Y(d~1f-D`S&p>teIjaI*dofquU6eGoneKP0i z-Iy0S+bDIDXk@)4?$n&baB{PG5#C-fZdGp}w#8gVZS~6$_0%8>=AG%iFJ8^GF@%YY z`?Zmtn4bEO`rP`e5!VF7=+VXsMIR^TeI+m-$%(HOj`z+MmO!O%Wt3;{{2|u*aXDn< z;G1PrlC~xHg-y!p_HaThoR>6G*Fy;^dYTjE(JNgXWsFK=25Qn74)-fFdzMX#@kZ{e#6vkn~RjXcHYE`Vi6Je@PeqpZM-ZI8gmzmA(ZMiV4ZHv($$Ff54Q$7Zo zogL-5PRN2oIK9DZ}WJE@p zxJ*fw5X4XIiqt}%6IHZG(Q~)M0kgMRimT#bsjt(^6&E#+Iw_K83C#;)4SCeKO=dzr zqR-TBqg+uY$t_GZmM`!oFc?8nE%=u~hdf<|BjJ|q5$J>S&fjG2=*-4Q z1f1;&Q$PSts%=J|Oa)imq&3M9VzpPne&cvNx`q&29=L1u{c^=7Ss%)nH;E3LsA*5l zuzzr%iP%4(jWHz^yYaayls5a@T?3sXt=lAr?h22ktgh@fWL7s%!CX@&9e5Fn2s6HF z1jp(~94BxXO=~UB%M3wh!4a<~FGiOhV3@+s4pd-N|7#Z`>5=SVI=#K^0*vZG%*MB& zMoLDaOY$!z6Ci_H|LPzYo+GmGC=%URU zte-7;$+zm%&EWMZ@5_ikn6{E%X81QkM&UHEw}AM+usn}yRFHk2hP78GQj|L z96bQrRZGn9WO}izDHUuys%}VX;=F#&04}NvB%IQUS;?s!5t4Ifj(=N}qj67to9x^% zLgIy%td6J)EZ8^?RE0DaCsjyTdcCN`5J&`-QPe?>`Ow9YYF4OCAcwS6V^1H@u=b(N zcgIfQzLd5lDMAY{){~8f;d&QSh;MFg<}Xk1>vY2BC%rV-^HoVSAqgjz-Sg;nXt+YD;$l`24BZ|vg`f>UgK6BlL(N12E3+JRH+a@Nfv{?P&zTPQ^kGzQ zn#S;sA*W2(Vpd(GN|QvvlH_e~7aOw>Vhp&BysEgx06}$_dQLp$-XqsRCxAgAIaa}R z|LskxR5&-8RXE`gb#(SQ?^T}?jY);$An1D>gWaEH3*S?={I1EjnSf;+`R*or2Wj-> zAQUG*Jc1It)(zS|mi3Wa%mi)8!2y&?aH%u%C#6tu)3PM+tkW9gmuIU;o0q13BBdfe 
z=A@HO4kF+ahJzCkBVjz81%tZ0OCAj5a_x%lnrM4STu;-SdwhiOoXgu;FDRlLAl;xR5~FE3 zXK`-M*&9SgTYimBpS;vb=}Yv4yPLtz>smLFfjwa*BKG*^BdY|Jz1jUDBqWPxxoD~{ zqHfo0a4--yTz4GbRo_W9>9B4sZ7t|l&9l#wW5CBygqeHYRj-Kg+yt*=mKwi3G05Vb z`M#zRZH>Gss|vV2K&GAPhgvBsoEhvRa-kKYdKl!Oj-B@VQl#l~;3i5_#@0K5JIh5S zBP|nGL*qX@izRP*3wrJJ8K4N*ORYs4QV0RD4fR8 zAPL{!Lv4-W7K5s1W}ojjD&mVNC9oj$p-a9FE`T`^!!YD8fcUgrEGW?X1Mn5$Q&`ea zz1aZY^%3MhKLW&(s}Ptec?@||^?lL!@5p_jG&!t}sui?R1o>8CzY4RwqRU8E z{FY#Y6~BDtY(9Njb#FG?u-#_ePx`t9b!LRrY*gopnid4aH48dj_X4VTVx5B#Fiejjx-qf!p zr;^z-Pn9Ar1it)ftA*w6ia**VK3&~#%UizUp}l{%D`84)!~JB-*d5xXBhjl?FnbJ= zhFM;KI{y)=_!MUM!!G>_YF0q*uN=`=e%R?_PpRSsb1pdB8Lgk;;!B+lSmX`Bj@gO) zBYy|#w5%Vv4r?apZC);p+3)+AEB_U;X-xne=o6htd7ohX6#h>hw!5%e6;IHr692o0 zfN+F@o_gDO`t!ft^50c53uI{uPxr~!f1WI#kA7Vb*O=({kxT`0F}IPkNJpV@B=itE75zU{T|NU z$mbRqTWb9Za`eB$gI%+Ji5y(Otl1qwRb_gVtx2Qo`UBLDFbjUTK!qtt{ptgZK&uth zI{cvJ7N@jqcXNo)!2>(x84y2iNAN~gLji8_iI?Cw$LBn*NL0`2_tf0{Llo-^E!cws z_pY)hv6>{NdA;cNqH`NpKwCNZ-_JK`4c4P*@l=JcD}U?Rjw6QUD_yY{Ff95|gj9IOE|=TKBPd8Z`3Kd558Bo(mN8 z;}G)0@Y^CldlP{Z9NeRd`vb(4#YFs@>G)QgA07e-uk=_*vS*Ihw?s;nP#&_l5d z*WP{0bL`u1*W(E?#6Rj7fv&3;($&<1!78SoJzM1^{GI6KANV2kC5N}~=Nt(RQeBwP z8&clfaqjC1=6wp)x^ibxel8x$n+&^xtg`tCXM*`)H)CfWh2fzHlJqv%z#?zZvi%Wq zkfXb?W;P9-)hj!x{2=wCZFF<~GrWUa3Ml%O_6%wNHW9$6LWu=YpY-*JVl+9LRL*szE4Uwyhzzy+9U z9d_Xp@+f1+j&@4?WMt1t>f>ju4}!AfB-SIH8xW6AR%sa>RpLfeoM8+>Df@-jM{Th) z4BZ;`k!A%y8ukcn^@;G(TBOh>2CVc0x`UU^&w9XD`1_%dTch=(t_x2Esnkz4@DVH1 zdv0y=a%ZWyQuU(q>;70e>ELS28vQRcXX_24BbzkgGaY28ZfvVbY`~QdYbxst*|PO? 
zmh8|MA+18 zX7yHm`~KNid1PCD2s&`$9*6wImbIj-gg4OMdsQ63>X3(9scBatj_^7)nky zEG#{-lKcAud!Neg6|}o70I`-xe&mehgnn2QI5m76C zK*A{(5SUG`0F%f%#{bV>Kx2mLK}0Fu`*=rkq-B_&&q}>o>m8$rhQ2Bk!^9$D9EEp8 z^pp-~acuq`tzX}ayb`#+gK_}FqANTX_Ms7rszRX##qjtto&6utRk|MBdRY((!qc|; zVCEqC-qGLN)BpyUrDSEG%)}}4AfQ?3cB(B_cnfihH|T+TD{vA zwo+)mf~xhK<{ub2PL>azTiYFJRTc|+u>UEB3iW~gU7#jSi0b+U7F;%nM2YJu>IvQd>G7SWQZSh)J__k{nFq%LvZ)Q+`xertC*eo4*FoGCAmFacg;zWpMNhBwsRFS`(97++`l^?1t%Fy zY~qdFQu75c7gJ00o`FCPf=LOTdFwL>ju+>4d}KS&aJTTNY^RJL(-VSO&S=hbs-{V@0XIn zJiftH*wXC!nv*vpKP&G3T;hCO^!Fc0N`Q+Nwp)_Ev=AsI4SODSaah#YyW2gaS9jlz z3R+>XzhTM`|56p$L#U%UkG|XyHg3({4Y=_E(&8J_?cSxatGvE>YW#&b`0Mj6SqsLA zP#a`e|M^TB0ZWH2Bm%+tf+?PROlQA0l6rpbqYL}RlV4&Dyc-N$Q;3+|hUpJaF?ntXGgKHsR>$Q<&TYgzb$^8cEl z8yrA2FwA>5q5cc8)6gxlL(4BiP?P#B=!ErTxmwVjRZK9MuVCh@BND%a^n>8b5gb}| z<5BM~@UmJ+VBQ})VD1W54((j!rQQC|&6rI|-vJ3cx^3N`v$H$4g4Wjcr|D4zU1|0#w-a0|OD7dNf^S3fgWl%$n(M4iqoAeYnNN+ak2U(;FVBeP3 z{BzAAqbv&qr?twalt1M__6fM8CRzAt#P16+@=tWDT^K;PH?o!UVRG0%dFLz7yx0%IT_zuMcYlqGFEra{g!h-m z{J&eyC>I3W<)XiuDE#NxtpMgm^=zY4>^~M2U&VepK(CLrAYlVcKn0}vGL;jF!hPaCv%GmQ;BOmH-0HPKY8{a{HuW}@Y-=C)fLa_ufF^D zYvr5(x|4bB$1DH0*H_*u5O8|vZ2Ol1iLapjZ@4%~2dLaUNwEzp!NGs``pU|M0#;}C z=&Jtx)>mNvDkFmI2@_bBxxUBMzO*b?KJ(9jD+vYCtH5L8f92*^B+A!U$L0wds;YOr zl=R z7O@{&;x%((h2ZTRupqph4(zrHhT};wqpz2z{EtH>Z`A??fsjXCoxeP}zR?!UI#QCh z4cs4IoxgPA#E0Xw)4?`LV`|G(UU!|?F1d`E9alWwRa&x@*P{H*H&5O+_-*=e+c%GH zolkE_Z`BHHkppF?qhl}zrtu5VnaaZWQmW#W+HZLA?x=~?! 
zw)Vg0&rMVitFM@4zPxmKU8|qp+UsYuS_j85skvzG=$vlg9F-S1H<9O6Hxah6n{C{J@0+ShgFd%YNVE+%jd6kHg)8mMiqrxnB#$f?WyfS=scz zIJxzO_ZmP{cr7t#X?_a3Nb$e^|JeKXc&7XJ|2yd*m2Mr~NPS8wp;C?^xjUecaz1to zIgA*V!?>k#R}Pg^j!Tk+&2h3ZI+5ebX>4XnjLkNh8Jlgt_wM_yRO)trKL7mw`2P2P z@ZS6NdR?#UbzRr%Iy|rOQCm;1oAX*0-#Pl>Th-A$!;z9&q9hIiUzX=%P>npcb7{Gv-PZ!dlaT$`-uHHiq204pTiMk4EBy z*epZ@w14~Ym-2ePp#%czrV8eX;8(i_$yb5NR3)6lNd%gXqTf)2Z=%{S`?=?&NN~4| zrvC#1Aj2Sdk37)BY^g7T;6LCL%cFokx7cJcH<}RXw4yIUz#{^_WN!1SF0^RP74q&| z5l}9lT^pgh(rRk^@&GQaG9^BpQz2@q`bt#9<@VkIH!%bGfuw!iL-%hgQ{c6HPDsZr zH%0)IZQ2GXoj;DutDb4~&5B^b!Xt&=b1neITYZ7-n&Qx1Lv>)-_E=ud>otQ{^0;i@ zG%D!az5X>LKfhvwpV1@^jUP^NKeH>ie;BQaz1ycM=BD`LJ@~ZSJrsav?RYEphR@kx zONT8_J4Ed`Mwe9vub4L9@D7xHZt0#rIgRSKxg>{>+i5v)^RF_ACP*`X;?FoUZM1Jr7%Q-S|kKMD+hgVMVHX~2p_7+& z2d6ye?4+A-c?v(Lk1l+oW^zw{QMYN>yR|oCgs?u5ih4Ub)0|H^w6|%1y2zJmr$odw zyA+3ZOeZGkQ}67h#H#mO`=-@y@IU39d?z$#)v<1uW=h6jav?vJL-EHsKw@Pbi?9T5 z#-O!cj(^Q5#j#9xbE4%QMin_LzoN2txapGR@hzlW8hf-jjVaSKAy(+Ngzh0)MxD|@ zEO=3O<$*=nq^*L^Q4G${#kUvkFHF2h*{+W|$Lg(|SYmWoV^PPI3;=-}l^>nycAEBd znVfxlQDrTU##}^svQqq^vgVs>ks|7(FlJb>a>1P)?`2%B*14^}d*G6-_I3>@0aO_X zB%Lp#wDvF11a@u)vO0WH^VQ7ea8LJeIAe5q zk84G9DQJUZndEP~&_OiY<-8v>7dT zxT?wO)So`8U@7---?hh_Y+oueZ=arlw9{}~Y!BIWb(hD2j=5SPV7_0=)RLX!mT~SD zExqqyCu!X{RhVUIB(ia)uaYx*5NBU@eyGB~A4m`H9a4~Ixv`$5`=C5d6Nh@LckDg$ zOx=SD6eb+53FSjM$z5+TvqLH>D_*&|AJNie2#dmJx$+9?(&kop1L#g~)2&pFF9cH)xy0{D4=FX7_=y)xpD|uRT${ zj#I91e-nor4xzjxmv+*0QkS4<3WF1Ur^`&m2Ee#|&Ofkz#O(nITKi6kEJPREUx z4{+G+;Ix@BbTo72%q&@t6j~D-lKh~SW$*5sn>p63`nV<WA zIHbVXlH_9rY3=FfbXRsqw?^M*I&@siIpahrYL>{DTgdJD6aF4e^ye*k&CE){FV&xYLOOUH1xnJ~d;Kw;eb8i0a;s zJg$?{q@z8`QY-9l@e-L1R+B&5YxN;!CpH7abL}@b%`ybtLNGGCn;}n&D*LrAu&oKl z9nK7GKJ~=Er>0*`ZA@!t;P732>;MwO0cSOjvhR_NkPZ9wgmt2`%qrc8PVN(={G!+T zKo@Fnky}!xq2V^H3Yiq#Io+WrLym}{S$#xKmX&KbXZTQU$_tFLly7LOu(1?tE0dwB zl8@%`av42p2QqXkY2B+H&@t}b!`q=gwap!5jF~UxdZ?Xw^jvFWjxPJ^xC7x*!Vc}e zFG~$yE8JRRBpq~OWSjm&Or3%B{gDE28sXZK5)Qs~LM(1FN%YsXYktW~EH-(zHOI)3 z&^+$Th$7X<6dBS~!6f9Yo)I)*vs0U0D{k`K+3|88#AKChXxw#1@$c4l 
zSTu=8zYVs8sVXuQq}(|fgG^PAM$IUC4hH2v`-E*tnrZH}ghyA$o!OxiZk?I%#H8Kl za#YT+A})fSjsbuP(1j1R;tbocItlJg8m?z+k9FNf*4I327xd-OAYJ#=bU)mVkC6d$ z^n9SXnOByseNQV>Zs{wnDLw9+^yLmdBMuCxlukKt+^o>*6!98fJQUB2~dfF;}IW zkiGvL?;{q#R29n*Rz~Ac5h`6Rm8l?*VR{wa-z1DeJ>OoEN3wDV>$TO?A z1Q53(xR}l)-3q29&Vqh312)L1w}GcryM+@t{wAEW!}n;$+$uz7`>`rUyGbZ<*w%=I zd;EU$g$AuQRsz$XcmAa7=3}iM6eW2VMtXFNPFs~4KKO)QLlusW;nLe%W_jr-yqD6l z2bl8HdgM~2>`vtQ{tiTpIyjk0x#MmRZSCSVaXJ0F2s?sLrTh6BkJIA0sLQ#)w6}pZy?XN+@y{c~r|q*J@j8kGgBujz&O9l{5fM zkD-~)F@CiV`f8JBSv8{8r3qU43$|c-Rj6``rpjPT39Di)!oH#6w9~5tWHP!8bDZ-m zi^W96pvxT`T`b_~7)>nm-lgFuE$4I)&{{|mKS`~LYO8BtobI?F1J-*fAc0%=-mIT< z$E!n$m+PknJQDTzpsOFR)sg@bGf5mcs+(sIAqFxLVh-h7%R8-bsf&$&+D@xv<+W;^ z&~%#Ui=fmQ_67kqYU{H6CUR$bS35Sll{UM12ES7uS?wF&h`FNQyw5`w>TPw!m?srFYDKE<59iWuifH+@HQlJN z(1t|SYj}pHGS%LvG9~Gw;^S_!AdiMD-AZOUwPZDHM<*_MN~@7?jqCS&Wf}_DmqXx; z=1uJk{9Z0NwiBETdTx}jSg;$pIu)n2#)4w_N1@V0V}%tw%3cwwc+x}?MfFl(nn%~v zS26Gy_!Jpa*Qeq3#=}%nVWVmil4y}2q$@ZzrYOm~DObfi@ zwU=pTRNu8ZA^d%wvZeyI%DjpBSO-3aa01hTB0b`eoY<@2;H;Q4wq+R|Q$@ZRgHuXi zGrg!YR`9_O5{nac>-PjEb922Jp{-!IME9)F)V!duDz%1S_~c9%+s3JOM{jZoa_OiQ zJpuJTIKit>nFTSZGPUGXH_24gN|&<@Tfj;wgCAnNA~wEapQLr_#y4wF_MNxmY7!{H z6!F7ko6{usTqhR9Cj;oa01YnUX7EN`h?aOCZl>3+!3BD}?%D$vRDV_Xx!zOf+lPfS+hfx?utIP9M)t?#|| zsvRbIzmS{k=Vm{Y)ri@Y8@HdqnxJtn<;8I@ifnV}7yzAG{(=vL5LjE!K%L@!tqq>T zVduy!8dW^+rRQr_@=vxzY+qRpyi)5@n(q0w{nylFdan6W_u6Z!K)sBI_YeYxp&z4j4~K+ zY?fKtCk|z1%oHkteYiU5pn}u=lMmGad`I4{x9u&a^|!dCE&4U6OZkP2G;ajLe@p}6 zQ2=!u;xwAt?T64HuJ9p$Z<0Mws!Gbqjcu{Zg1Uy$N+$Bj2S9H9Oj(=ZY7E?{CLd8l zy5Sqws2MnYfY2T^dR*6iB})_N11k?(zc4LS4>)IJNlmxsS_LEPFFaqP`Dm5)_L$qh z|0+9TynLJfbuEoIgt~QVJ9c(#Ox|@${`H${hnp}T@Edh&D31%8=tmK(74EJL#Z%yu zP8#wA?z7;MJ-IY1=_|V$h7O*4JllCLsl`xiWU?Xs??7pKL_gblhCO)h!rPki}MDV1!$k;coS7BM(JSSAWE%OlH)*PZ5qxm0DkJm}#)QJ%!}E<$$Y30GE7*Wcc#WnW`MXWm!&L!%JhVnI#Rx|XTx z?R4;pYi;Z)%hRXy+ABYljja%{USN{)sCDm*s0gfS&5Z25nC!54lbjk1_dH;oaS~zv zL~`1r2!-nry`*azW$!>WMi<41DHGj0tnB@c^8DU#IlWfH+K9nq(LyR$g{J~Fk)<(Q 
zs;;S;e6J{EE{%aCh9MxFr;Kg2nR`0!Zagu5Uq$1#nFsoYm53zB(Cq$dlX7kzOLNgJ z06nFwk}-(vRj2!5Gl%`4Z3*R8%i1JYnp{AxMwbT;{qoAxCSRq&^p|oF)xMEz$j!KD zVhJwfR+~RhnvAHy%5Hcj zh)KL`=deGrfdznf2<{II`ctF=Oi0$zt*#`!pH4^b=i(a=rZBFCVNIzVsuv`e(2mmz z!*{2U3_n0`G0M#)QSqnS6kU|K+#|1{=ddzD5V7+w!TnZ{Q81^w&5ktTYQHdZW6dU@ zAV>@U>gTyM+O%^#6&v;t;w1K;DSDyWjy<;z+ma{=UFQloYWlHuzBPdtGR4v!_{uxC zLoUkxI!dUuLCPnl&Pb_iBpfz>79jL5p?-dV6?2x~)OF1dZz7*)@vI{7rwW}ma+272 zWy$HyXZ`i$-yfu4qyzY#K2B6>-j%nO;FT2HJ-4Wy8;r8lZS=v`n+{;%ed0Fj12yGw zXDE*ducn!M#>CUY2Nug&x3@g%DpkF9niOxdD4>tDBssu&m0EdZ`+?MbFX0$Rqu*6Y zQA2WFJF)q*eDjoybQmg86G1IxlcB@fOf?F3H`Ir$M&7=cFa>xxaskZLxpw?_PBOqy zfMZ^n)Ry`Mv7{0=MUV7{G8{U_M}Vq^g$<) z0gF-6e>QZ@w1X%r&m`KWlxM0POTw%f6sqHkwjy_FWm}+aOjUM(l!1wL>$nFgg9J2w zbr6eI4!C$(J@DRvJl8Q=;O%|6FW^@I{M82JYACdEcO{LnBEO&|m@bG>3XER?dq~W% z(lcdBcs@wP%}9U+jT-)-1txp#aRN-8nV`82K^RBDrNq+;dh!p&rzu^^Vq#s9cPITS!c>n-L1c>! z2NV?>ksEq-ObFF8Vi=E5i)j#xsidFW`YX3KcsFl)2(6iF zwHmHwXq|%9@1oVDaPXv~Mm$neE{i7rd7Wi&dniZ4v=KDXn`-dK5x1i97Q> zM*fo7ty2N#VAE{Isn7bXZo`HP&&{(>XbcK*OdsD_kEY!E_3~QzN%hGW7Cpi5U)`3k zSh?cF)Djvcf$-XBO1>wd?zpt$bqi^{XFOmPG;)Iik?jZw5VkOW91FEcQhJ&_IjSDP zR3}Fr>tzeY6+fdIYkEW#q$4I;aqezL;vf#SUBkwbs|am7*n6#Lf81o13}LElm6U75 z@I|w`3b+7x%Jh)J4p2Hs+KX4^s|(-()v_>s=`$XToA$M!i^?t|;#VqM3aBbv{4L8~ zT?$6A;nd(kmln#cT{&=={kAALU|l4m@at2fi_BA9z(py=PE}b7AV}v#l^W1D221T* zR)sVMT0REHH9Y8BX0u4OVVLQe5>ut*fkxDL`y!tD(<%c`a>0anjNb!^iWxwQO;mtW zLi}kDBxvA6Tz?*!dyfZivd8hf8*Tx8a12ClH!Fdp^A$){H0ERbcqpwLJ7gbEd%~sH z;B~L%ma`2=)1G-5IQ2MGn>oa>0Xp>(l}Qlxz%d>My=GewAF}5PoB6!lf9={zp(RLn z`K!6!->)rQ(YYwr-|TW8X!`z`BBGa+MOez^JTnqoBOh=ZDt3EP_6+`&7v<#PZ4ESh zg%`iC8Yv$culC^0((?rH2Tk((CtCJ*Ubg|LI0tI)cpeGvO>xm>S7DVN|7UR1Q2EFe zG2QJa6ZYYFMslS^tABNi;NX{DpzJ;O>{_5sYNhD!?ZmF8OQfu6Jh*i{YRlm8Q#a9O&!$T5$ge^o-SMOQWZzkBM2YMj# zLP)mNrUHUF9p;T-!0gvb88}EDF0dMo1(Q7gkaC|*Ib-e)mCcQt%z>)y$)gWtt*x9& zgT3c?C~=10s={VkW-F4s@(wNbca+|7)8H9NXd`WiS?1sifOlY14n0rydYzS`2`6ud zz5;JkRPP>C!kw5(xx)kXAja%Qy{c`?+AD>=$!y;$I>Ff&?}!LJfcq7+t}+acNb>fA 
z?P{Jt%?zibA+=oMO}w#A750O7v+6!<^=!_{sy1pcoZv++rh5S>RtNN0tXtS%$G9_i zz(qo00v(I61(Rr~GI=(p1PW(C6>_mNh7nvNZp;nbmb^}qdNQ)V#n*1X91UU>dXfhq zi*qMNO(RhKI(n6?us!(Ek2M&d&+fdc%mvU~ai@k3&%IX6ns0e~U9Ir;Jp-{bybrH( z8Il|igRNqxI~Qe0iWFi^UcIlE_RSy#G%Ho^Ss}rah4GUH*FG@5AP+sM@nE%J`}l2_ z4)*D-87RGch3pKqp2Tqe8#&%-=*S&5;O=f*q}X#STt1+4X+%5riNeLii98tSx~Z6J zZkF0e!l1B4!OUx`xKlc=bPB4zW&;I$t%i|aS?(~b4oHC8x@4#ZMAtIU0LbGkzB%atxw3rUSj8klcL(z`u=u=hoKtreY z%5ylML(O2gE<~xH-0!WVdaY12;}#TSN98Gwo}s_lB!99$x#e6qo?51(jE(Mo%s?r- zoG9i2xbDVB`am@-@@Z^=Xr`+BE-1FZ57u1O0EAyNSUOH}9lGcpnrf^`D8w}!9Glz) z1Gk!Jky8_)(&+ZCz zi*VYKD+4P&=HTz`lsR}nAJ62f_WvI1uSh0v<8@|d@9`zy}da*N`cqQE2-Ql;s?lTOhHg2b8%UE{wX4^+<`hzjK zO1aoz5I19x;A}pzb1M>snI6h3QfOG|S*sg?XRN(NQQb+~5nySQiogu2VlexLGeQCz z&2jf|GPP-J;=LeCmr#1T?oEH*qyrOZszbmYBtUqHgOv4a&K$pd87dEwK=n(a=u}@P zon~TkXbvKFGM^D{r0q44(Oi~aJCUht6>5 zDe?+&C2xVmgS1+!Xou*i$A)qr4tW_PD_JkKNn%n4j!eyNC`k?k1swe>rVeemw*v{& ziq=V4M#O2V(AY^BzWX64h&-!b8#M{tn4*b@Aa9zI#Z9R|H+4G3$+FocNJrR$e1dDN z_W-GYJXKD~9<)@w|>Si5WrN>HnvTJ@qNs%}3J{C%hk%_w%$#Heh#ZLx#8e@~xf zG_pxEO2oX^Ne;H<)gx!DMnhr{cuZqa@s*>J??=U%i6~2EU|)D{>lJIsO`yeYqhMtG zhuu6A9XW1KLvrVtDa8AOgHr3-@}q)tu~Bg#?%oSyn#%e)ehq8UfQ1KgdZJxcb6#<)n^EM)X{sn^>_4EAH8WJEo(Pp_&iI>|3iDkvPS zLTZ&_YcNy5%@qen(2x7JMP;ev=h&-i2A!3%aN<_)#tv!3?jAjE8M4_;cf_Wf9cskE zL&A`3Kzt3Mq`Ub~8p>T{0~igiJ$>b@>5sW)-&d@_ozl5R^cpW#Q0!f2JH@^N!zNXD zn|;oz>G*jXDEjLWwpFM}V)WObwW)<=A#7ozwD%%5B?XST<(+$X+nN!B* zQcl>3!GJ1_EzvE}yOmKR_apU@o#}(ko*rW7CS_rVJuUaO_(`1+i{JhzVT~b4W9`(4 zcvcINqyWg_V@zun%_`-ahU}tjHXHYVeaXQJ0E~~x=3~5IUO8|? 
z*Cj{SJu}x`TiS;owW|xFFjibllyT^DywpMRgs~n)vRNPdhl~J#Ft5-J<3suTVqzSG znHG_wV(%ew=UiVidY`wI{6lJ(-RXfw1=yId5VAj;K}1&)0Ax@GrlN0W7%CZ$|CoMz z^7O#;#2`_alOc>!*mX8d(FkY&=e&{tq}bi3eNkxPylutymXOwixILqsCj|;Bns5FT z-e z$J;<1MLgruyX(Z<6i2))02S6;d-;yjF{U_KSjg%F;7u2h?)@@XU=^Jj#Kh=|<- z$}>axVgT^GVK_S5@RrHep!5ElLN)LcgRD^{g; zyRNwFk!nk`N^RKM*lx2Qk5L>X0>E{0@CVi0j0yFJKBXVeJCz@Q>d)cr4g-fm{AB6Y zAD@aJvL`ThJ%CUqYt`iUX~qA|L!{CcKw&T0(YxkbDlK3spN16XFU2ViX)J8NzVqd} z4FDnoQ6$0pk5AwIZyqB3mLTIp?+tz$MeSPM+vm~f*+W3%Mi}lYP0x@~V<$X~h=#mT zllwHCg+D~H)?S*OXdrLQ+O0F)Xd2$037zUCDmqTwDD`k~sx0!N{_-hJ%KBjB?ET)Q zre|gVV8briLzgag;ZOhBv2XzgXzrAX!y;#61pvWP&W`uE#0SRfaz^gZs3rQ-0Xm%( zA8W4fUOo(DfgR{z8+-JUlfINd3mVW`JMvt_px}LiDcs@swesy@TA~fgAI-*Nl9%{1 zPHJh@p% z=J3y#rh46*3GxW64!iHpCwPp72w^*6dAe6i+39a)IWOaVeOf@A8YTE_;W}cBY384}8>{#{@%x&IX_RiKCBwR1gI!w<2Z$hlBFy6rHFo zFdhL4PEml}4iRF@Rk}39b@`fozFW@y`j3xh-3t-1tR3gmYG<&(l>uD(Q={lgyY+$Z zu327u)_!4Z#cuHKkEf)Lv*LY9OX2Tn{=mI;#!B$1g2vhouzmm+?xgrK6jv~Fkv&u; z2cWXH%8#cpO=^=qb|CSU`7d9NX;>fNHty-gy0XGc=$98+j5nu(C3>2kBI0ymE71cO(1KKc%C ze!+Rj@;aoFPDs?Ji_2#M7T*xLoLBHi{%#RfWwU3)rm{M^gF0Pbmh*jn`%A%<0ECT9 ze1=!fLjYq@K32fFvfec15zxL6EWZ7B&YN0pN~_L^oUiKo<{`lHH9dEPn!z8xD(#DP z2-oUdu|zk76xjtghXSPeDH7P7@uefV$_uiA?h5U?{VK=jsb3mdKV2^Y8~qc1J>71g z`B`3i=;c^pN7Z>}_?affM}bPp%8?h+YXA7^m*o5MyZ1~FPnVm%1p0a{WJkaAPTdB; zK|#E~*0<+>`N~g`x_~a!T~GMVDE~~8KNo6uR%k?L?c@pz#t^6 z{#3UA>^B|;mw26SVRKFgkw>{10F<4>Tu<5H@-b~M_ew^~nFh`B(CLXB;&W3O+2FCH zl&pOp?&>d-(c&Co*FBG3MsqBOl2Y>mtoR%$hx&_eQ?=0s$KxTUvccJChTSqW7sKl~ z+OV4Y8b|VLBSpM5M(N}!^I`UK(@(J|gX3{Z2h<1f+emf|?;YI%p@$$I8V8F! 
zVneykYQh%B>Ra<9|zx08}zQ`8pj7kOuzA6tuu+Q;y=WSWlbfqF*Q`lYqQM= zUA1zUCWK^@7XXS-t+&FE8QjN?RsOiDau~y=7anN?^VC3=D5IIiz@!?fV9ps|$$Uhq({}W>aRgW3~Xk^OD!*->c zx~?l^^$5K{H26V5HK^6DbIZq*UUyb>wT#Bz;(i#CLluNVp43oXfRIO@!*@s z`A}92nzr$22QGGHCXyw;C%u@mz2GJ?u!TZqw-(*iDj2*G3XhK$O!&6!hJ`Q4^0iit zB*P-Yo$a2NE?R7w_H1>t-O0~gXg;kBhzN`q)N%@lizN=dmIZoloQ9PBhoa~-({z*& z)`J(3I5b;Ef312Gk)RmCi*Zbpz%X&BS`OZYn7!?0ysrd?VW$UDXNB`Q_5`TBq6g5u z&T4b`?1dDV=x=OBs3B>q!{s!mi1!!SDNazp!@dW!XE2|e=;s;+YJ39Z9-fqFi3M4Y z0vX1G9aEmkUZn94^w)0&iLtQRyskpa&mDF?9gz7R3QOzSYfWs2mY)3<&0uf32w-pd zS4If#t%2yD?PQz6n8xPob+jOyLX{m?EZLwp>p(bNfU-cq98R|~U zaH=RT8aIG(pN8G5Sk?FtCf9<|#+06Cbzf0idyn`?J`yXzx)K&4sBE)kZ*?8&nq-h> z8w7dHy9+>7R9S?l`pkkNyua721iTV$ug{On6UK^+-SN6IWXKh)=x9=4A3Q2${J72N zagHVDAQK-hJa9TR4_?X?E*_#PGj>G$vb0X3Q=+Qt#-Rs6Mc-9Mbv3?mv9^ zfwd*dx7eb16Yd&}qhjsa`(Uj_by_BdW@W4N-B=wwuH*i;QPtp++F3SZ=Q%waXL(V$ zOx2sju8$c5-w2Q|H*gqm88|GRkFodIIg@O(fdty56L}V#%l82}KVaP|FFFI1LV7or za8)!wjmX&2bAqeVISfd|=o|S5zE376T-(OM$|QM`B@|wr7|^^E4Rh{awRnaA*Tvo0^DfTE*h) z`1V#lsAWT`dB(^JX?jRQ0ia$TFQ}``01cxi;*F6??go9TR;*djdG^pIjlWx9{CM7V z$0V(1Q*5R4$(;FOe|2fg$4Hf-hT1lMOda1UAYQm8{M}7stExi96F*Jh)vK%fJGr`% zFORB6QH`54erKSbf-tjcdT0Mz9>; zncnBus~UfG4KK1)kG`+;Sqx;Wm;jjIFL zvy}>0PgPD=I8O^#UA%9}=1bG=4zla2Kj5&|`)~P0S0LRm=7O9 z{_~PLe*KH;mM>+?oZSV0h+alym#1FybW6nE2(ptN9vYy0>0>7uX)B>hgedpT zbX;8&_SV#i(6y*jbSnw41Id=Eyu7O}4_U)E!CO1D!qS4;Q?$ZDp4%yp^fQyiH=-`G zH%1()-93US3sR;)H1Dm3!OsVFsjac4IE_+OER&!YveN+j^}Z(K<_2BzDP0nq?Bq}m zO4hBWt|BXqw&5biCjmeG%8e(MAJh|cNMlF&xB`_;;l(v`SnnH;-lv6HZYc&WA!~gR zzFWMc6hA7>kM|YJTD`9HFB8(+KC-a1H(45va#mi4DkD}?V1f??@k;rs`W+~mv@RP@^B~@qHVI3df;?4Jlm~1TYorp{IBUITR^Z$fsn<&88nu zp4_*nuka`BoAPQnOt{DNfkCrmg>l$0-!Fw%$zv08($Di6j{a&|W z<8*y|)@c7k$ui!)*$uU;SHgrMMh$V;QtH%&GDqHl9Nx5CEh=;{(Ta3(`oOt2A*_xo z1_I_O!9y-vZaTUOifwx?cBFj>S>Jhq~u_c3Mci#vV+mSp>8# z%c1r{ZGSS`<}~Z|Z5P_``Un$^DFg7+)*x0#JeD<)#F*i($JM5-7wThTgW$b-@>!c< zzsA+l^+4;G$s#$92|FL+)F(WZ4Z7IKc{i?SkBEwlW;T~j4ho8gdWAyXPk@+u>8{@O zpCy=cg=o+iCm6!H+JI&{a>F2eFQ<{9Ox8P3i=r&0EdYs>_BLKS@rmaF)TIx{$1mr3 
z?SlV>0#&RlA_hUa7Fm+2{d`MRmuW{s;W(;Wp0?w>ZTN3@k}j_0^PUye zuKWqd`{kfItE69I!#JAlEFJoZ8RtCoREvnEg};p>65aU?Iz)9nUi0|qux!cg&-T1E z<}m+F@@$lnMA(N;x_|?7!t-k7fI3+p8(ng;c1Kg5oln!M&zP)rlcHH^c2^Y(REFXQ z{;pXR`huRMUK|QdD|WFQtoD6D$rDrL&t{RN#dj(eA`9}}x>`)bCK`z7{_zh-10VDk z@-yzvL*~2`*|-EF zc$t8bgSsAPQwrjPQmS8)xF*U^D%y%ajCQB_=6uFC-)j-6E#RDf+L6Da;IF=MEy;CU zI`on8@=|3R-T_4?6STc{1_F_-WGNH=TE zj0S{teX>J}14SJ#4PTid6$$+4azUq;uUrevf3GZe4i9Xy+Y&L(f1@I^i8@USZ5u(t zf~WehHbgOPo*bOtero?mEC846zv57CjsxRR7;Hut9<*#(5k`1n>~alk_ec>n6Ix_d z7V0W#Px1@XICTmFkAYzM!yHT%ip1hDmu|+t1^6Qz85=bu;{(EVYE{i=OQGGPM(RD8*>bs>b;%E&#NN6 z6ifpyS)ot#eaY&1&5*idYwtQuOm^@w&N;2={7>$}7G#~eUQHRnk8;!Ua3;;e7T0ex z6W}m&@G}&iGjn-$gilw;>7gq?HeTk&+Q-_i0xz^I*=frqtrabQL1Ps!5-q*qisp=B z%1lNj@%A_Gbm=+GWYscsCvuOc6pGm5O$9>rJTy2$m31D+aO0oGJZ_ka)%AIITkh1|Zm0|-mH($>&#CL5n^1ZGC(^f# zw@qax({Af)g^SOyWFyk*&#phU z*9=1m0v-5&IR0e^rk{3JgokO}WZoU1VpL5>r^Yx(%~ZC&iiT-u)vmZ8Qo`DuFP4j$ zh(nw#|AovKhd=;+f0LVOfUVvucR-1Sy&tVx6kB(|QWq4Om1G7B9#AA=<7K@dN@3xn zyA*;X`uuECtb`}DW6cu*pBrr%Iy00aLG)Gl+JbV{6cNyJ(5UFzOYQz9fve~I-(`6Q zj|z@308`)Yiwk(=xgv}aN|LrE`trJcR}pJBXdf4x8TEQ24w|FLi?f#i{k4}JpAx)> zZWPOkJL~_K1-+%%JaVRZ)PA5GaXzWDa0Lgj&_mC$myu??h;m^Aa>LK_#igUGZLDjU z1cTM3H|y4keu#gPQO$Tq?_DPFaHh>1KlcGW6EU5sx@@z{vN^N-te4d89JX|pJVZR9 z`VjHyuhORnN_;^KM-BfYl`bg9~MIi;4X`nDrhqlz=%CHXL- zE*^u*ncFZ{ba^4X4#IbH2gD>-@RZ#JG6YE*Iunjj3NfFK8xXEd7a>hgs2XSowfC(! zHP;YU+}PtctZAS)GaS#;yL?TgcfL?;-8IQelLZQ(M|{ej&x?%RJw9Dok{6>fK8b5*}6+23R%J3uNOy*zaJ;HMrV0{!$p6} zSGSV`1KSkZtm6YdUj*xh*J*rsa`)|UMsHGVlSRpXJ@+}D?!5}*oo@yWWRaOucZ8?r zv!C1fP$Wp(R4QcP(T@kbx=o?w>j44peg+fOep(C$Kl^&-6DRyP50R&~0~s6FcXZ5? 
zirH;C@IogK;WTKw#uF)8sh3@<;pFX}d&tJTSFvX|TbC-UbZ&18hM7yoFn1BS6Lk<+35)th-+`^uX zOUbM>De_AG`+$C?{TIse??W&N_&4(03*5e0U8K_Xi_fNL#9dq`h2K$Ehx^Pbk%uqm z<+Tx+bJ_O0w1{loSqxQO-E?=JB^5^3Av5y=(BWhjQC#rh0{dBf_-ok+jyv_uDv;zB zAQUT9z$Sg*kd&^twOUs5eBxVzc^_L8Ayp>j-u3s0kxILYfyM)Lps23KMQg?V4r3z)S^#;2#j__Wq6XL?EBO`n8eep;J2pfp&S~ zgz5#lA-)*D+w|USkpM`t->7wZ|00FVfc9rdRv5E6tH@oY{8Pzm@oteBS7sL?JP-n4 z+|q%O*J(Mdw@CVS2ma|VkzMOg{KUE}t~}xxHt~{P-eF=_zNU+UEU(5FhM^9ryMMH{ z-E0S5tTkPCD05V*UGp2x{3Q6k_wYIp$jDEx8t@oCI^EedN8o+2`UNo+;8+mmD<6LQ zP4|p>4$}`l|ND5p*T4J4Hy?A>2O^4*&;CVr;JgFAJ%jt^)APRgUAos@2J&-6uBw0c z=znitzLZ4I^56@5@w?+hE&(Ltk`-Tf&-u4s1suGKzdOdlJ|+%C?8Vphe>?zc@pV9e z2{&~7zd4m|Rs%qTl##69;nY;>z*H*r_Ue!4V)-7s0RV8E_*_D-PgXBH3==2p(EtcJ z8UQa;F{YLINxpqa>L0ESuv>%yU?I$R=)}v7WJO&dO9o|C{cb%mODEK_GTXJ=ZK%Wb zndZk!*Iq9X0D7G+L@U2K0QhEs_%j`-)Fc9(bli*3oCQVczT`OMgTwrKy$Gt)!#n zc&2A-nAVcB79Z`iZUg6@TAvSNWmx#}l=A;ZZX6H+u1{uC$*VR6v>iZ-!%Pe;GJiwJ5&#oB3F_L)d!q+GDN%?JLs4q=qPy44*ls-oN0qkBfZ> zWXo!;vIzW0_kXjH&(u_V1c;%fnHt0el{9^KnkR*M#J@bI%&}3wWX=W6&f5$SMXR*@ zP@mN1cL)4Ph55dFSD5;E;OzgXvwH3U;z&B+T|oNxCH;WFoxzV%QWDpGsz*3*;C1;u z;-b+<2h2LQ+n`TfxBK~)nAUWT$jWTvJ+c3m=eoCvx5E3-40`ZXH;4;LBsvR(mvCfCej{)^HAR`VzS zI$ss`SATuI1N2=b`~98!%$;@SKytP6)&KQWD+*8b)&KcaCm(U=7=^uWY!efkX$QayS=zagok5AHW&xL1cGH6frn1bH?bI!7j1O!xgnF z+ITp-5Jrs-Sdb1z*5)M2^`CAUJ`?)%kqoQvsd-j-xfK>NmF!Pa4QUl8N-5i2>cs%$RX}qML z`ylkvaI{fx@Y^xROAoPAg}$L0>UTH#+l2xvp|{=PHX$2O~QR zuT`=YYjpBzY7)zoi{iB=v-Wygwh+L)Y*5Fnhu!)EeP&C7(v9G^XW&NGX!R~>*fNGE z-i5F?5co4`*7dYnX#zAS#g+`qm4UfyO5HiZ~3H#bx%)%z_ zfs~oP!KkMlF)FO{T)M=`pz`1#iKV6;Io{ZsgCzI2=a1(GiildK0fNyeeIM_$zxgi# zdrWeAR&$%I+T=a$&2T>UJ=dtp!)X_(KqUVkZmE{&!?geuC1p~`G)DwJk3ydFfffCfSMEG+_@dS&xf)AY`3 zzS;%0sU@^DUlgM3h6jO_S=D+YfhVs&hP*Q#DDtRd^9^sRz#qieFPA4Fc5lZ4Sdx0) zMEsJN(0Bz6Vi3(Ol#80ti>vEW?%wb|%C zh*y?bSH66^J>J3}Bn}G_Q|iYQ-b=GOa$D@Osn_zr&Yyil0@=46u$^?(jqbiy+=i8- z+;@|Ql>m9R6S!qre539*=??^^8#Q`9CW91*o>wM)NVG6(u3+qRB@eq*V`)l5;0R(h z_S;mLFRYhBwa6Y#26gFwm`gT+LS)g|f)oFMNl}biBKd-{+a`72R#f$e 
zDxj0jP~zJ~-TaVt$B3Ui7*==#XNY50mo|6#NgyoP<1MZ}oMyE{;Z_|_Ls8chp4X~G z*36(5$c4PX84D~VrtKJrS< zu~mvYE+tx>$&cE9io3M3qR3n0Qs04aq8cBCAXSG1odA$0402e0b|yu7tx#XvQFwlw zOp3F4qw&^aBT;*tvHI=ce)X%D;va=a@6ac~ouR~n)~+%y^3{%?dkVP++PKce5gFhV zPLDlzCPzdld3Fe^Pj&^2--Gp zbn=ryWSuHvdT4J*kGx{3>&qt(OBro)qFd90;MpKC38nHq$7IE6QB1Kl)=&|#60B&q z-L>SOJhLY91O<+pDu#+v*Qey2t9Xs%|JCS-xz<{}wj<-{R|H#QT_Zx$GHZ(VmEOFE zwjvMiD7$STS?ku~B4T+v&T_aZ2N6B?(&uwKPg@!m#k2p6BqL zu;oE$^Yz?}nu@B4!doF@Kj$6-d{BITQG-Q8W@V8TF0QqP=^t+N3?59Ii8lAaTQ$)n zu-=yk0^TerH)Aqt zqKn|$XJzF0+^A3)&M5~QWA*AAd`2=WAQ3|jv5Kr0lLZfZ)?KH6lw z$5v*0|6`rc*N(4*u~1x8lt?WuA#i(#zLhd2I z2s>I0%2YQeu{AIG4wC|23lHJEaV*{q8Y>8I!&{izYEawFC6Pw?q)?|;o^RYKX`cLG zBQkU2W;`H93}DOjT%9aaX)2n6wu055#vWv5@CcP}%2iD9vy^W+^gbzQFlk?X4e|yX zGG%EANiOZSbd5F0@PhTMbTr-TaBs8v~71r?AXvPTeGQMMoigb)w`0mF)b5J*Hp+NyxckQuGA2|HnL1=%Wu zKmr6rh$KJ|2!Vto??YQ`)z<#ozVEm9i&rjup7We@pZomIz3;-piBzD%7paS(O1A6? zE68$j47)U9g=)E9Ww@s|lq992$nmg;1iz4>v^?R}Q44+M^lXJXG~Bk{NMNX7$R)hW zS7dr#tVlk zAUKb{m>7L2s58k(kbRRpE)rrghZPDFk|gs2x{WPLbDpH1ZOZZ}$3*jNtR0vKHoU-% ze@QZLP%GrlTj0@ROomSqCwNC*Rrlh`Pt>U3DbmiMm~RXuGSU_=?_W5ExLEhuR6M60 z;RUgF5|@m=n&}jl*j(DjkXa3SD$J+Az_D~GS0b;9+#a-ubhUgHC7z<+ISi!=)P*42 zcME8&PAgppQ zuWVZ4iyRF6iqFsN|M|A=BT5Zb3IFirL-VDW*Y_8QlLe@B6-B}Q>JUWI{SZh0Z4~0} zL#YW`a3AT1YPPTH%hJHCr0uT{6MCI=7gn@5d!J<%RCko{^qy<Hz>(_XJ@+##OoRM(t19^y}oXHbCu{uTb)gDwonq!M)+zCu9&R$e$QwY0Nm}NX7WDl-`yOMyqC~|pXur7H zm+a43P4cb7`N3a;dDA7Q55G;5q6;;br9sQ%V@*&Er8CR;BHhMj+|C2lEs4HXj)I;O z*uBODH-b3l;cwvsS6%Kubh*4sWWYrCu_Lb%37?@5B{I7FS`w?^m?yU_gXqtvSUv{+ zkp1o45x1J^I@@*(7#H=D9n+(uD)5FKlLI0w9QPb%1m6!S1Y=CeDlpQy;pr`X^uZyXj`8q7heY8?c!4f|&&l7tB0L-cq;J_R@f`z!|yA zr67N7E{gA{Zt;{_(?5#5J@UZXA4p_?^}@+@iwJjXkIKNljsUK7jF)#AM=!K`AG>j15Ys=}R+$6IhjN4l7!9wzjh}O;_Zq^tR3`Wfy z(07^wTxW^hHeDax4Gpr}2hL&~iPp(YIf9ywXF2#+&khHC!5BEO>oIOB??7I&TRh>} zVL`OaZlcXAGo5c9PitYSG0!fYl=x_*4@G)$k<-__ZRcn&US_0n3yscPbyGItGuX0? 
zAb$#!kQ*HlH7WL!__UQlSaVbK4T{MEp>k5B(;?s2*5Kwsj$FZlrXsGnsdtOuiwr0% zyxAj-;4BH_bZb<1V+!MO3)MJ6Kp}refu5UdU*j=R`Fw-N3qS#KnlXf)O4%Pao2QdwqrYY^=8#nDW zU+XPC9w_$fNeUn1qxjJD+hPm?+D$(%n+4?*xtFcmBJ<)#zSJ{fU z7tybsYP6KxyByvE$i>0N3{SZn9vlT}AK}!3TLS&C-_iyT;WpXy_Rk_H(WRJeq|Y7k z?GNf3G{&CuyHz#)+#?}BQAec|n(MrvnHwk`Lcf$qHhJ#d!-!&mDp*kBWw{%zlNF2m zPhhxVQ-=2Xd3tsAcerqNdCWp^-<(DMD@T^PyhHM}5jwPAY+NHOsl_Fzrd)e*buQg< zK9}+>;e-jPAga@k3gibpj=>ec7ggM(k``3lrzlQSR4-m}C6}t~tvT@`-I>tz=s?zZ zuK_z{fg~RVk;66^;X1K>ARglZm6hdSR)!5v|)q@)>wHAxdjTByyae`mm;UGsY};I)}B&q6uNSt(0>1!RJ6n4j~EB;#9MC6-J>xZ*#n4+Nqf za{Gq4Ty~<&WxU!*6Bd zCX_t+2$S|~NKgLakXojLRIoQL-eD7m3?@d?h?0c`>|;IGhI*#Po!WpUX3|$AljyYp zIn7TPgd6lAN7Xsqhn_0rR{x%7k7kfcR@_bV``aGeEb-o}^+@`+DFc@Ow==xp`s9XQFp&0eGrCI@Tm6_;u)_EQ<@^h~dB zU3|90%IruUwYEQVDevexLZBHgtJb03LmM88oPal7goWkMj4gbMF4}`ZuTBjE7ye-S z(oO6js=F-Aj7+nbsYqZ1yaZ*+khvU4!c?mzKbB2`-tJ*+egFyBrYA~lx}9@?;M2>9 z4|~TV9-`ck5;72-r$CisO`$ZdTP4h-tx%3i_AuMKDiT4<1Keo>S^^z4lA)brKd2s%gYT{ zU*mUON{Dg!dfJQQ>(py_{nZ=A)Pt8pCS0dJ} zS{i&St!~^6tfnoB@@A2qzj~(gESy>sB8790oDLZ|GsBRP*EHHaPn1;}+;JP@C3)za z9a`lModWZsTW>veL@*K;FOlL-Z!^k(NoU#>2P&C3NTDl9rS;tQPlUt|tP1zHpVn|q z9W@?q^@>{{MxQx++4jsOjF;J_9-riL)`QytaoZhOj9GGi&-p!c;Stpuw5A&+ zvN97rJU@u^rW@jm@=s2y+L|wqv9yRrxNI;%05*~y%Y!GfYVn7 zN;#1F{w*~)iA1^tz>`t@B?EnD4JE9jfeL0P#j@VqpPPy^iSYi|<0oh6#H{T)@hoj) zcq{j7SL@!hM$yI=B`^lQ(PH9ofZ4dRHWWXSm+z2l?Pz!eX5)_5U{7mH9+@bSC@p88 z;^#bUo&xoslPAM`c6xIhcj|n;8PbCq{p+%@{Rxqa3eIT}fhAhhm{gMFh}~(i-mBi= zIVFyS^zMXlB(G!@eCDuRIH^MB36>*q%j;M>7SyiHsikh-6fKfq0+CbJPuQs%6@NB5 zhn5X)#?(uOO5y#D^Ty(`ury^MJr!idc+l}v+fGg%NV%pqC59y~2BUYx>yJt(p5M7iays5-~Q7eX_CZIQIVf`rt>=D&P2*G#284 zugP_#U}^CO;M!yEJU_1~IN0Kd(0ByB|DJt81`JP)s=O)kLx-xWd}zgPy)Bho647VN zor&eM6wo7Ffv=N2>HbjNKtiEL9pd=onaTcBnFSn41_z?}4^H%>v!%%S7`dsoJ>ahhFnkNV>H&x-1gghALZXz74An#o|koXS9diD6F0B<)gPh=k#_hF5C@ zNy8+6B=m<{AB@GHE@e%Gc3AavF-<64hNA-qCe!0rssTOJ!S57vb2hw3r_8l=(z4_j z?HS3qavEnTnTwoz{P7Y0fYeHWJr;XVUSoGcQeC=PreVj|=g$9hSNezk9aqFMF#PP6 
zqm{_+RSS0et?~YH%V=~A-e?cWp9!xc(13qam;9wh77&1ZRMGbgThZ6FPzZuAFwEoT z`(wI6576}Q?FQAH`?L#7M5wFo%}M+TW=_MetTCU2bT(Ys?0^I_2nz)%oRAKwxK}&3 z1G@PU)9{ul@kfqWK|tJ!Lsu1-`+E>V%hRAfAcPn8C#pcfkHqHB!F#xe$mzGo*)#x8msE+)4yDNMM61&F5=$D_J+@0c`D+2J(rfl7(wO4yj5w zvF}lHlu#$^?V5h4n5Gwmz#Y5_q!(n-Jx0(NaxOJ=ICGL?rws4&f2BNQh@`J9g~@rC zPmT_3>(b@U!Qv-$xUVn6VeoRd^j9qt)@*mQZM%K$zNv07V}v3(Tqh0Jold?4B1wMM z(~w}WZ$mff0hX!T z`$dHp3$jx0FJxi2rjY!ulOSUa9um9@OJ26Ih}5|$jaG&J-6bIt1ie8=`<6tPn-G;5 z)y`p+ZVjm4>d*r1Xh*HA=T_qE9o$R+G?7*7g%r67y{#Ww=Yxx{y3>`lWTV_=lxc6a zhsXA?IUBaT@fM;M%NPXE^pq%2^{%V!><4VRh6vl2hel*gmRU;{7q8zWjMxi+?XTYz zEW<^blW^+AfdbZ|sSeY}e%uK`=Ngm&x27)7qJ8AhE<_xhX8grcOIR(qHi$AgA}$jf zvXqyH_bcy1B$ELzDdh6!phD?LxCDL1du3M98Wgkolan#{hr`zex4TLYU>&LqItAYh zhfK7q<~B#b!Yey@hoylA?4AAoQ=2)@r1kKH$y<-!_c!4szINkeJ+ZQc6{jAV5&~z-l^vFA^@DrIhqV>GVJ5HAIb3MKeMZn#< zI(h!%K%mTX`@)}_^IVUBQ(q1>MjTf}S^3~QGY>4y7V_P)zEqrZ5z%cf29X|X#aXy@ zSC8K+;(;Jh>FXA#7SbI@m$j4FF!Nb-U zd39TFz*8WMp=73WQg34Ap2h2;QEwB#7yVf0aWX=w9^+96`+gh{hdLMR64lDlpy*ga zs1ZSG$8J>G?zd~`$Avz$|FF5>qdthFEE z`2DeX^Xlsnfa`0MiBCxO@V@=eAX!*?Av5%>MNZD{) zuuP!gRV#o=BfSL+QRrI#=+jOGLK{^XA(Y4&xmA2?kU+B~ugJ*`(sR5{cuUPTdsp89 zDzaB;vS7u08F%y|fy^wxJF{c#XV6i0lSry;W#XxKv$-zBrGUu&y@az(xaNYwP4x34 zXN6NJXD5r~uB<%WxFBWD>R;;YTDaWjZh1X-$|br-j^NhoSvZ&w7L0FoTMbr~fX2x8 zbQhw2t}WD52mq>InZ#U+2g36e7T3l2^>sWD36IzYLYX1l6;Lim%0W6oD4Z_Cf!&@_ zeIe5G@!9Y>a8!K>6M6Z*21#k@O0o`_Nc8UD#nFl|QJ7lY!e_O;r z%%;_nP7ZQsY)aKOxNDcD9FD_1gk2B!nnF$`$MBP?fv%9?WE;omv1(Ll-co#JVO=1x z;I0G0&#Su5-!ai6T^UAEh__8oa+ka;3>K<(7pZ_DCNq1Q`Kp^+cJ|;9T1+pS%d@h| zC_*8YOsEF=KG(@}Ebp2bw$^R7@$DMIVrpuJ7KpAF0K<2N?aJ=~4YuF&t;PIT((Bmm zK#@`_$*ZH`^Un{&#GzPOsPo?+IR0xgeUT2Ipsre^F|A)Tx-%~)bha=B5Jg=Xy(tRW zHlz8-)9SXC(4~NQbKb;It(_oNZuNm0{VG(^1i{5Q){9QBjxXdb0A<#<9)eBO=7@t~yg6FR(jrcJYijY~ zkB{2A*8YnUXi~2ajyBRf^R%!ho1%97no>5{{^aJ zTZWv|`NA&;)ao1zA%yd!;Evi_uZ*XQ(i`4He7mXj-irAHf6TBVWWj3F(dy_Q?XHIf ze4$(*C>I#HTt&4PWLKqcWH9hMoH}*Ynk!h9LKMwP$&;S;s?uy_ubM3cis_VvZnuf`LG0sHAmMHhHBxs2wO_WUF?0 
zU~WF}x0=|1{TY1jL=WzoN4K{IYzB~K5E~1muP}uPeT?B3-_kdB`=28l}uZHCjUGw_3?6va( zAeFjW^TqDr;tZDD9sK5Eh~pHPmz$%Km!fw}dn<{2KjLCgU1413@CfQHMj<7bcouvA zi_0X3%xG>Pi?*2bq3!=80B!r~V1vr;ggnH(IdIbn!SC>LdD6c3$3<_R$@V@P&!029 zQtKF71RE-DlPfr)OdR@Jwq3b+W;4*R#zT>}d{yxQ>56IJhSL1$#3C?X4c3@12_h$E zMydb|jI%NPv2eN$=MtUkv3U#dH<_2{d=VXar6h|BR!V*%97wbpJm$^H%fPOS>;lDZ zM`v}?&Eb>xLt8E~hz0a-rcegyQ!bn^nV!x}_cJ_k`4$zGo~b_3g-lB*N>gS-PpI(o z1^E*%rfJl1r?)t-i8p;KD)qxO<7jOQU2`in39?rf26)g7vY#mac)P7BpJL5ilgZp7 z(0U;x*mjeU_+g+`8p;Ye-HOZ?_xp}vd{tDTDN8i{i>`I|(k^2sa$Q*I^{jx}mDaah z4!fftb5i6eLvZ9b@57$({DdU1{THev(Mj>GQZjFs$3S9rxtG9K{e3r!WSUr%VjK`q zL{ZsHDtE>XgZ0|^lIy|-kga&(Kp2~QxL7iX{EPzfWWjXGbQ zTd7m5`!+eSKm(p?6XLQbmG{om_r3A#PdD|}(YevInZ}f|c;AOR#e{PXoep>{Rs~k> zdfD9M6y+%|9bOvmDAGnG>(W#Xwl5NYPqZ07e( z4{v>~XNsx|4xm@!@qta~tbhQd6VygiVj5b&ybP)w4??;TJp`MCj=!5v%o}63cHDRu z-tZM4(B?kK7&TX>Cw=Rzv{+FXg0bZ%Q3aaJP~GHv#cJ1?eW-~in2XlyeI$270c%xY zJii)X`I8sKAeV8Cm<6_0-aW^~JA;q98k1i++RUVy1ND1A+qKLjJk$%%8aJVDNOQb5 z-x88krxJ4Vj%-g>mbq4C>lznqmyhfFY`#ImTRwI!dW+ll&3DsKtHycWO^hjDS+|z?I z1IYff+w~x3FxYw$hs?nji{G4;>D$@$s}E$Sw357oW~nSCdUC(?7s2mhUtC&9io(e# z1@}uOlmzh}!C+{S{Gl)((#YhDCh}2ZPyW1?=hcAL$w}lB;Vm)b9$_KbeeUP=O>7~@7R|Y2^3kn^z+2^(Q z%A{CwhiaTfztNE?dT5hp5-nb&2-02od?*Gk^>mJ@Xx}ZVfU*z9g|1L`ErntVdxsKx zEsnLWq~Fz_4mF-c>M=)(mOS%n6rc1F-0XE3%;;y!;{xx*DRp+wD^iV}GQPUV==C@Z zBvEzAM!zW@0@%B{^3ap1K+J`~Po{Eyf%qifiw1E(_VM0nldvf-@N$WF zsgS3Tn0;6%0U`0U#wB8>MT(6chGtd|ML`yFGZ@M+x`(#S<9u#%<@4h4?lZ($bmCdQ zMi>YC*;07n89TFYsIzCqF=?#j$eW6WUNEf~qaO}Gs$9vxm<^J1Sg!>D-jr?Q;(Muw zkr4{Jtpta?+|{4lJ*X%hUKcTXs&bPE&iJjjYB%#jm-%JDGvwa4qw|(?80Kl%{tYe9 zs0)?^m2TC3a^k>Kl?}rlg6aL7j)nc4y%TjgJ#C0E;iKQrm3bfPdC1x;&J2zlU#NA8 z^HOPTand7ezap^o=5%u0yS2loL~TJ~kXHvj)=nFm1gZ=kjPq|2E$H-2vYRNwq@J4r zjJ3f&Ko95pa}xzXJkpmmpwftrrIC$&?Yl=Sh22SkBKi3wt)(Ai#j76?%5Q5k=-lc- zhC3pKaM%X$VNYW+Qp+)MX@$u%@h>K4Vr<6qh_it6mx4amzG4mW^DOZcGX`@Qb=<($ z$9ub#Go}YDrCuV;>(L=dze(4?uFnR?6ov3h)|7^+R{PyBxMc_CQ--oH9-J$67K`8c=mm?{cE(TiNctb5J#Ctq85U4$p 
zX+K)e_OVWyRiH|&i-Zk_`GAgo<`ie3!w{2~8Yt;;DEys(BLmL!p`1zS4mPA9wco?| zSKD_(MjK#wpN1=OsO1^nBbP!503?84T)lp!tNVVB7A?P<6ZmmZ4$v}Yxn3b;q9RKp z{TDFGw+#n;rIE@hU&bnNvhy_6(|p!KaZi1{ELDi`k82h$Jq?sKd@%>!%cAN5wSw7o z$(^kM_dRU#J}cRNC?2h^aP5mWXnmX8!czyk~d0yqFo6f0eX zgl!{S`olukA?UBi{9VV9kJdMM4A^MDksS6nI?`HG6&GP{B{^c%zDb=wu=FM3xj;wTb|5Pvy3KEsBn@*f`Gse< zhjw8B5Yo#yME_+=oPvP@z=;HVuYb2ed8bEHz=`vv^}~7(`Ay9c2s$3wH>8WGf3*eE zJ?ygOSHgva2N;thcKy$^`tah*Hw))56a8uNx3qBx9|h@0Hotm>O^kq`)cf}c3jdBu zx!X_ME>>n4Ytl|;T+HZ=jLW|&d$nr&3Ch|jXt=PJnsf7Kt$#P?{<4O;YNJ7({ttwW+y?^oBEB_`J@|QragBl^s#E?Rawz1~Q zZA&%u`S!0{<4T;zr;7nkxHTGC7Dt~xGI5t0|3$9BFD|{z?}22Y^KJ&9f44B3I}Od& z505MUx&uJ;et=wY@1NG#_;3$DdpL@Y1Nm;oPpN8Y|1G;w{thtAtBTwYDz5$G^%Z>!9CGlRvZ>E& zGJiL&lgC=bT#Gg4?;iZXdHnIi;X982hT3nlOtbzaYX8Ou#y})#)$sz)&l#pamP+!KLxc)xQo28hoE9U>`0K9)V;S?~8hr{p1y#9VuKHaA6ws!%Hkn<;A`LwA1|3s7D z2>Aa9YQih|48{GP4&4C_lsGrv><B|tr{*)FQxW_vv=Dtd zZ}0olYAX_su`f?JYLAPfhtUxeN$%-K02+R$NzHzo@Z@Oxzk%Nc(d=)MwXV)NX#%D0 z-H}XG@~(6dy)<%-*7_oquzZ54Zae$d%2s=_vt2%as{d@qoG@GRq4jlTnCn^|DFOFq zul-58$Umk1U$K3rA#grICJoI0(OaK9Ecy*lAz*pO+kb=1TBQ`p>=CAso|NCy zuO}+TqvfKckjp<~AAS2Tt|ljEKE>Ka%V26wR=Y}%j+JEC;!A%Z(kdQ6fbKV6?6O&S zoq9C1N+bHWur|PP<}kWKK`XBL0@@G|pe$46T3L?-0G-Z$fj#x^_wt5+&4VAEH<`n8 zKVc*DNT$+!0nIG}_h@y`^ zvVJP>f3wzU!d<|eCMhkt))W&DHCu!%U-^0Ueg94QbbWBc;%MWITZGu;_4j^f{lEQ7 zc<`1hoM@n}E}H_OUq}a9F+WJAu7~cMSd0P=l*=# zdj5BZ+N2T?W#i0aXV(p>f4jtWdFBI@O0WXpQWJ~)B=7MrkIJ8Y=Yc-}P)E@FhCj|c z`?H7tdSv;m2G+!7lixe00~=^d;}gr{?F?*e%cw!ZkF-kR5tsnc@%1VI#|6bhAH{9r z702-?FR2XMBQYS-l{na6?7S0fvpDi1&_&w1eUciqJzA?E?lH7dP2%>t7^Gw}imrpU zgY+!hAEWGRxtVe9>EeMm0r!0$ATVJgfRwA>mn8p4|9U2GX`A)iMQh`MA9B~_!@Se` zP-O>rf$cODtJspeNH<;q@yxyo*lAk)=+8I1L5E-D80Q^e*v(qd7(VjbH^Nm9#e#@; zK?8RQD4tbDC|l9El5QSpK^Tg3YFJn+t@lmJ{okhplvAu~5Fiw7UZwi}MHA@lwrzZNQ&-p|qmN$qBHOm-<$wwPK8Qze_Le3 zze-&=pX4$AhxibuZ~1uhXzRvaYR3Cz$~!oXkJVaRETmgo{8sk&6N~`{!|`ren&n;3 zdLPORm}}=-bxJmSj?g*xBMDhw0)f3w!=4fk{Qk)APOtb>p3hzCrk^ zU(Bk#@%#0E#BW|F_N~2A5Sg@|WbITbP?8(U#Q?K@A-^w_IDO#*o7Ap@zN=^PKV^}= 
zITv|MQ@MLv~TJKs3_zh~W3XJE4sa#GRp!}IMhd4f#v}Ecuyy2H z|G(en`0Q)owZgFR*L@l96V1Z|!@CY8mW)WPUfNXR-nFK34d$r({^6h`7>yn>v&~J$ z8?SG@(qZ2djE(#LDjgyJR5+OT)>AxQd401ptw#G)vPz*L-#e|f1H0cx_+y8yJj>BT zj^|$XaO8mGTO~fP(*P!JGsQjn zgU}2FG#skG5KMgeoW{sOOnkqr!#m~M4Fw>~3}9U9aMkLh^5uOH+C z$bFH6{ll%>AiHCr0=ZMDJ$C&#Tgd`UXGK&V{_~yKz_(?G#_Dqco6#%lgbu$8aNNZ6 zD6QCrS{Y!uO3=kI3l+}Dk{Pz;)>)ZG7YCq(X55H!s0*vD2 zmb)$PpMCwqQT8c00DDq#_rTxI`lI(goT}HF^4w*D4gbT=e)z;+Qsa-~-UOQ6390+@ z|M74Ccw$anYo#8Na?~u=cko{g*We3Wye0_qtQi2=C^5|sI!OHEi50m48XTeXoY>*d ze(UeXb*cc)yzc?S&z+RN-?;wUz$nQ{o*Un*{eS@&$|}<$<0+UKQrw)q+hh z9|Z(|7%bllN;_j*baMHMpoR5%QNjli4T6VKE!GlEG)<)f`p&v8Om@L>q<_Q2^7ZoMs35}gcPt53P6Q*}q2 z#e`HX_j~?9F8W_#b77}#xi@66D!@zAcT_(ZsQlQ$VgN4bRtfcmWS_KKVd-;I7jEUo z{05{-&f)p~$%OmndYWVDmwxpq{xkl%B>LPa>quefgd9mIX<#Wp)XT2<{hs~1A67t> zCanOgpHKd~*MEB}ybVZ6Fza^g_-~`+0CC-ERYzX#|8EHU27rJ=?uD-ZZIr&XB@M^D z{f`~Q{nx~wQo^zS21nF2yOg)lmH*a3TuBqSHQENfJ{z9*w-Z$g0G4E>F0J)xMel!d zejlVZu-a5H?{_IYWBWio3ibXdttDlv!H8u$y0U+7RP(>fB(~S|kxU+&%tNl(UEBa` zC;%~AvSEJaJM|zA=Gb*fRYqp+^)1B&1iiLghdo`Y$lTA{-UTu!_Z~jqk12i2=}^-9 zXNPnRLBjyxl4Yd8?2 zbBrdH&TuN>16qu{ms0tPq? 
zI|1JMiD}_~zdY}MJ-~_gY9Fbu%@WtS`Y_f1mB++uCbB4X?xg*p-aQzF+-sGPb7t{t z^w$SUT~Uwy?_>YIw#lz_mYz0GG)B$JnM;L+^w)_Z-#+zkr{NOsh^coGXKzjITJBUu zA1)u_;uE!ldF8Wmh}?Zt-n*RP$$8iK_?5BbVQ>PiK5)1rt&pYco`ut#rV%Q2TV|6Zv=YMiAbhW=E6^7)-(2>EX-~G@LYBZ#V_Pwz3P91F(nEviQ zo-&4dbVZqn=sH5`*h6u&m@oJn=5J`Q>=zPiggAy&aa zVWaOL7;Z?*6v%EQl%@GNy-L0{;0`SYMSnq0e4=94h64d3DZ$x>(E0+0d2UR9O3g3a z3}l%^n76+6SNa&koLB-P2fO4N2YKvdxsE+P^$$~n-fc46{HWXg3TK8h#URAbXqzj7 z5N(E$7L*%P;-9}dOiquEHg0rfG6=_S4iKy2@H-cXoG3yZ1Qgcx(>5jC9UoN~>S1yg zZeAZ-HFI8W6I#;(QXM=D_Aaowq3hhypX9YXRN4de+YzJp?z9)Wda{;rQ2Q6*t3eo8 z0%Y^=O!lit7H+NJOXz|g<&o3MV!vZPSl*GWs0r6RNUf_#4zTV}KA za!_uXoS1zu385hCqcNV^5~lWf^~uSSj|m=YHs?^F;#IFaz&sIs&aG-6Iq>Q{-gUgi z6cR;L-w-YV@(=OKJ9JL&np!;nao))Q$nki1Pu;`(rw`qFZA*^kMIa}Wp=djaB`}Xd zK7W?rOImex5X1v{AOH_J)d82rLOfjZldTaD)UoG85*5LD4S^~^5ZI$*8~svpwH=>lI&7<0^j#mC{i$Z>~DZL;@rXeeF` zL7_~RqFB<<4P?@$hP+z3_s|ceITnRWVAkZV2-|@m5K$nHVTD50&SlxSv|WX7D}1s& zU{bBHv9f*0akW><;ZE;GleKRZnefpPawNJwJryS54T*(yCDW+sF<06dzHHcuPFGsQ z%|D;$dkOQQ_2@i#`Nhxt=Cm(G^oKd|BT{k&<-us7aDG|EP|Eiz`}^{LSXn|LPwXtI zX{SEe*jp-6I0ofFk$KZ0bZNyNSX1_7pwor0UnFanEkJ$6%f}9VJiGfM1EEbnPTVdR zhH4%gYsWQ=i*;*ci35jBGhZBA9MqW&L$bpW9b__yU3jA(cAMxHwpzp_q*m3gE~oS) z!3W47U+798gSt75=p$}11d1A9f6TiyM{b0<6mQ|-Y@c# zA4<}E>SUx#@br&MAg7vQ*5C?>?2l}dO>7k(W^0DnG}qA5L2_%b*?-o7ho!Yg(krsx zgt~_CtJ%P>wy{B4x)SGKrysneeRZ2;KGNrPxa>aN3Zu79-~t{iV4^Dvty22)+tE6Y zRV{cmElV*e*wlr$_~Y7LYLf}5WbLWywI2nhcv(6v2-Jxx(ihprW=4;mjJ^&;8aA(JJm^*@J1Z9`-AbJ)yH3e+x^p2CfdQ)sbg~k_xWO$+u=xEUL-3|e}6K)UCLs)G@;=W|upt_i1^H9JmPrJChOJL9xX@Zfe<{}x4A zySvz&Pf_G3>nZoryW4Zqa`Niy&a$>g z*%#Iqg9cJ22r6l2ont-TTSfdo09_(i(htd zgom{&a^BHu@s&ZtaQn)YB{BENVV1C&Ha(c|%(XS9rWlZan%Q`iH%D`3$P&{MLK!X( zz`@(kWX0bivl}1HgiZ$Oo%LQ>DD21ggz(16)rfw=4d@d^-mJQU#E{McgBQ|Pmg!qtsX&~=`FA$9plpK{U8CR7t|ztZfm7pP+9(0 zDerjG89r&&L7eZqdGq-4ekiW)kPc^|-rsMWJH&%7n=t7i$I~wzSi6lnjR7O0<7Kl? 
zEVm~04STFLN{@!Jn773B?zDhN?^|D2B|@>K9?xT^R+l(Vz>ns)b|d%`x`M;7tG8sYtXjq2!drMrd>$fi%gtRO{}k2S z-9^1?+F0wH_x)t*Fac^+z#|4UCm&{l^Rkhdo4=DOTTTyxoKpZUijzG#!oLV&JvJv^ zX3n{VnQ+nr=c`th3KPzrL@+AvhoS|q+l;k(9MMKT(Tq*y4hQt0x24rb2$Qa7J^u2s zA@=k>e|J2PfSY1uGpCDnWenttuWDBpimwoJ3&$MnZ)_OP#3g#!UoWi$UMUR#m4KM1 z9DP9S>n*WMx805R=~7zryGp$eF`eu+$M1j!aUDRWHsBBB1EOCovSi;|V&30~nfgwZ z;D%Hmgy3D|(!8;}LxB6FULFx%e5FbodK2FCKD004VHtdf&Tb zMTq7Cl{~Vfd7``nHGc9yOh$b=zZPnY3?15?KLhf9g)X)9Xu8pRuA4(C1$)oXNzk$g z9d^v%0+dql#GVc+->j<;2#6A9;??c;vP@{U4Mm)xmm~IEHFdjZ!T6a({s#CR%6X|> zIug@feA$)d{))m0>fpS`xcFKLxIKE|ko7Q3dJO&xawnJrjJT4I{Y0;}wF!66lM<14 zUs=+zu`->z@@VYkvuqd5v{N2(k9w=UJ$TOTMOq@AwN$HmjX>W3+uEhiYIi`ULdj2; z2-GLMF%a)UC70F=mX-h?bjBvVIKQ(g#pg`@%}8d*j03Ui`s86)PkzODOfrjC8pLZ% zu#QZ7t3L46m6O};tHRw~_zxEbuiMm>4L*Lm*gB_*rvFWrCMnki#@t^d*sZ;{cLSLBXGcloXu1S2^d@-|EvrFr-x~N9n!p~nH;?@IpJ=UFGp3x<~ zdylVY4Vp6I2 z?JhUiJn|-mztQol_(eo$vV(%k8+yv2oCN373Xh82p6Anub>ro$ZBmP08i*=rGtp4n zG}QrJzj5W^6QvQ%Dg)0c)b5|eIv*9@-aI-<F>x@V6Xe`|MjlcPb%RLvk*xje zXmvt_r+g8@rM*62yYfJ)P@|x#kJ#6HO|!MfNcX>VZmYXDeDa%bM~4aSnu)_^?Aeo4 zSINgs>CI^lVjE@xykhdrr~@lk&n++0Zm14hD`?SQ6<9^DF$#u#yGb}_Nr`?-rNB45ouG;_Qs zBMn2piVE;_Y3+;vm6J;_MsEx4O5ks#MwB>|r%6^V0IBwNvP+<3OX-7&_o~W6S;AVa zOG(;3nC>Y-Y9OQZL96JF)n_N1f|@%Vm&adJX0g*r+T;5V#yS|Z`JGv=z&xdwKuNCx zJ+I2cuFROF?1K}!vmuSW$CKx#LKE}z>h#o)Hx&q)AKFKoJNw_X#^l$KS`_r^8)&fzz2*9^iPt=h7rtnB=Hc!EN+0;|>2PqBmQ` zTbT}wKQq9*pD|P4w4xo9hs3A zMW>B@i}qZs4%q&dCJTGi_NY052{zmsSb3TBqd&!|4#v5{C?05aDGN~Iiey5jxg=JH ztv{4_Jxv&y#}-Z@BgoJ)RrOR-=%#C;FHDun@-9O9H^vLX0wc3}Pm%U^6Isvc$O}cH zbZz^M+09NAG`U~w&CFi%<(NbIBKJtGN1*KyZ5-x@Lt+s5|~l z)?4tqasd*%sTHD)b~}297>R{BM6c<_4MY4w>7&(XPept*Y7N95V9CYfmw2h4+K_Aq4f>L7NaahNmOZCYau7FNHE0I1z;*9A{&*#4%Ffp`!upzz3ZQx564rQmfx~CB|iD>Y&EttWYw^ zbLS0mVA30Kb;DYsMKoE#hh`Vf=pS=#JhM4{SC+~quRP4O`1HNOT}CFu1#`}U0ckz= zkT=6$q_ac%X(LJ*9o1r9804|)sX)xwP)d+PKUalQ_EMD+!d_TmjhwJ3%e%bNg@I&! 
zsr}kfLpkFTPUC@T^tXn<>h97AV*BVm!jdquf zoHoennHeUD@f~F-z7-5g&|*+3XD_8dOj0I_qj;IYZySI!kj!dM*?0&!|Luu>?2RJV z$su`|HcE|VLS<_N-QjgY>zv*cRXf~d`t*$BS=(m9NA7OR`>cJv;iqpjrXs9z$-KFv zc=y>Fj8Q{@;&;TzyDtVv<#nzVCokAHlq%L}c1I@&mSAU6S);t7~7>Q^T&s4_Zs%GfxuWP*mewI#$3G1hRD(yxea*RNWNip8k?o&CdYBrNnT& zsQLMZg<1OS-jR-J4I)^C8b({OY9)Ll0_%t2(njGFv!WaOF5fP(dTWr_3Dn$tLXI%5 z<|}h`sMpCBZFcim&~aZ7zz?H>4NIwWk`z64cF3GPG{vS|T!Voh=iO!a-*I1~@`GyN zejeI}{e%L5{#+SxqV(}wMaXeR)PXIU%N^xNC!#`T&o-pftDPnC8`{shXwBrS+b~CT zIh%HPu#3}#trbD<;?A0y46Oh*Qx;gCwy`rceMp59rOwa_E0iL=i=Fe3iiLj&avxn3 zTZ6hgyV1d++zxbJT?jcbcT+uH;vDVU>WN-b6ioF-Bvh&lZzHl?!&c0ibtKvp9vw;u z5iG{vK)@PbzH)>g>hQ1Orb50;w9*XN?wQ(m50T;o4{U`cMC?oPI!MD{4t_<%-g2|& z_~&ED{@#6Xl6Q@^R^S=kcRRC8wpik@=n#lY`;fazD-Owu4(QrXxGg$o`cNar&!`C} z*oTXRl(Ib*xTvv?UX<`b&eM!N=OnUF0c*02(=1?&gRA%PePoQA6AkAVBlzfew@3=M zU}r99j^A{6As5TO4>?`x1#IAA0B|1{ipanc=rglIXD6%tjL2HX8bO*j&C#JhlO|%y zQJ2LNy0v;{NTlFy!H-YJhc9F-hp$mbAe4@LE4-kVIsAQ zP|RPHQvJ>?EfB-;qc_W$FDG^HpG5@vAq(o=xA)J=8gA7)umG8d+>?k;k!Duy(SzBG zR(dNNRCc`!{>9d=2v`Ts3x2fo4K;$P0o?-lLPwly%S zX)0b}o-?K0wMA7xZ=3E|8XSR63OO+|%-S{{naG|jcDRu+h_(JaC^kG1yy)JgV`L%k z+&6tYB&by(au4cy2)dSr^X%}cV>eu>3RKXwa1Mvce^=xk9#!*gGVhtnhy~1NkaLW- z-?@1@I>~aR+_Y*BKP*p0s#V0SZu;k=`0pvuW0=a?8}9<+545Zv7&Xk-{WG& zLzH(fZ3~RobLElNuvJMI&f9HhW4%?2uwEiFV-aQ`5H2fbgDM`_? 
z6^m#KTZG8@ShiZ{$~ni9k;4!&&ZLyx4s>v4jJBK^=W!S_bfR(?Im}=%gqav)Fvc)r z_&w9cYP0+KzCPbSf8T%hHA|j(?)$#(>%Ok*e!t&W<*5j^{pydplzzGrk_2iye${Zx z+@EUBO1q(;dOj;_*DabOpB7bv9-8*5YaLCV@k1;0f2h3;4KUWPqSSw(J(QLLdw`Ez z82C>sZLH_3ymN{Sy~^lF=I45z3#H!;;f+pmv>-=ZO>SqbkQc8FnSYH zipNPJ@>hm{XXZc!Ss#Tyz*_@Je2oiS&F+AENsla!=tS`bb{XbcMv%@uT+Mc!{za=m zob-JrYT&BbuS*#Zy4p|o^dWtz!!*s+Vwv8s7MM2- zJ7dH1l0Mf*?O&R2ec4|7SM~%2ymMzC`MZl{McHVC;^(5D(q5n8J-yO-CfPCy(lRf> z|Dw+vOu&lhM)Wm}YKBeoC1Mpq{eu_+SBZk1MU2Nd%(OU_=hrqeh!zPp|AhgivaVG{ zzUI?=1U1FO|9czhTMXN*^kCEk_7I$J3`x0CZJDp&Nxpfy0VHrSn6fktkJ<%;ET0;R znbw^{!mgnrRe9otmtTGwB&0{W-74kHmT!{3cfSWSZ)Zk)%)J{AX=wGyeOn+KzL@kf zGy~i>mu@dm)X;~x04MXsPA?;4jjD!7u@Xz^?KDwmEF1YF^g!FEU!6M^MqZk|kU?GX zIW>Sdv?mD8emdbUsNO#Pj<yzuFt8TsWSKe<1Y^;eX`gf2~TP#Gnk2NVdi7)Tr9JIpF~fqb;<;C2Tb_nSPDA~Q5dPC-g=>3`5?ECY z!qeLQ`*a6qjW~pZMyc&==AX83t_>=+pKzz99aJ^n z%Z_NEf5aNoQoSnf+aDB&BzsYCZI^L)><)1bNGDo^PfUAM)?qUrBKc_VL`h|gF<<)u z&0F~zQT=wlay>cPdTKjw>jqPuO*F9Kw2s>hD@UytAe&xLN~Nz%cS+<*KpRn@-dsXp zfR(+CdVu*h=hR}Q#zH4)o3psD7;g*l!mXw24!LZ4et|I*I59IjRNasr%J5yjNRL|mfDwSf255`B z&*mTd_9gytS6_H)xI0tvv&;@;lypp=jbILICW=XEm%PRmNOzPq7n}OYF3QRq9OW_aUrLyGRg530urkW1m{b>1x(I)>SlvOJbC2cT)I%9v-K6o7D&bW zqpUL{eV67Ju;NNWQ+Nbh??zhH!;p*d6p^WE&8JT~T=5Z05>f2zNj_)v^Q!!c9Sr{` zMm9H~Sgv-1lC|3*79Yh6fqy`kfkI)4RYq zCDr`8_wU=uv#X9n2O}a&bt`<*VQ<3)#sUadXWI@j%G=}#hrnLB6xQ=X-)7Fi?lQuS zm2>F2^nDg?yN8SS3Gwlks})BEmhvh10>n+vxWO4Ms<)F;ILrkEp@uI3p@J7r)MHhx z$8o!EuS~kx-wjOPBmL-7|Fz5()`Qt04BNFV1_P1{U=3uhza5s@KY^xzY7~fjqlxP$B(}pYJ;D5 zpOpEr|A4v|!fwbtw#7J#Ej~_(CdCM>&cp5PU*DY|Q|t*!yYmvo1uBrB({a4NKoSv= zf<^3Bmjhjh^Y;BBckOthu~VQr2C&UfEpmV&~1F}A?!PC212vCFWYz;`c{zq zZhPDv_f^a6@T&1;J1vmy_v>7>2ZW@fd&_-Vd>Wn;uTKvxu4_9V!q9*@JQ&O?Gd!0aTLn}CAuJ?79qr7m;86@P6X?odj>hyqW zZwXz-c5~%8`DDMQT>k&`W3u*=FRPzAePr`M+_hLO@{|1CC`Pqzf9Sd$9lwTM9@d=qWBI%oCe zBnWlcC8%^8QGLAIrokt}^S+ZzfbhQZwz?0R2d5|dgfiOuFBMeHpkI;{4}C^InT<~~ z02*}Ntgh0UzGRfnH;d|4m2T$POqR3$VkM#3?rX^0SpGxs$NNs*8ra(c3mCMSn9N^> z6&>=!Z|}+!t^?&hJ#4@Ett2{B&tCSSdN9+@x2XK~HRq*q;DGf7cCD8(A{nNRlqg@g 
z<42CD+I~*R3B^1tLEV#u#eWWkI=bQ^8I%I*m-OSi)mpRSLW|+U4Xi&#e4f)(SjUr5 z$Pew$9i_C6OoFg3YR#z$-PBzb?JuBj z3s~4_nmWUiM9}H3Gw=+^7;TM^KGXwZ-Jgx@?iY36&1*vpD7BQ@N{L^dZa%l;JgX@= z@G+)Y9hsQ}olgzZD!AIlp@9MWJECEfki5s%MD%FP+ivWEuS@Q-bvw4inb5}sI*4du zG}bs8DGJf(Mz_;R;8QL0(BaQ-Z#VbbExVk+p=l9=dY@$jjI(G^D*JP9bUXKzbCeI4 z`hCL8_6B8;VFT=7`V`tdN98fpTu5IBu+3bkC`rF53aF=^SO{FKrMAjQ})D(fPkLgv^q;m(qXD5{7T;?a5qGU4Qe*0&o!o|Dj7^qoX| z0yJHVoUqT&Vy)lrFgdO9S%Sw+aL1M1>j8DZfyEJlC|k-93K=?GODd>$LPEd*E8v_J zkA(MYRxR1{nfY+G4I6{*>Ur!N9zb16gv=>7ly`!z>T)(+cyu#F+ft{NGQw&cr1N5!tf!`Qg~@ib?#`^~h=tTsidTHASnr!- zpJ5L3>y=-sp8nkvZE%IPgFPk2Z4eX{gext11a^p8u4h!S!s2bhI?p|aJp^t6GP+D| z6@#m*DxKTG!j;I*S2whHv@)cxr3OB(dgQ1mbWFV3yJ6h*OZB%Z^i?XARUD7VOrO8~ z){P+gQq^lo4UkdCG7j`kIwl14fh^c#l|=5?aD zf|glJUS1lAc?F*^PYwPsyLgS4UEcbM1h(GitlM`RSPg!oO_OI7LO=f6+R~mYU6Vz@Sg(BZuSs`+kdfDtd(6^n4%&ZBMS2=ATr5Ev5g1U}y zH@N&$Me5r{v1##`Bmk6p8+w%kttpa@R`J4Gl5r&xW*S=0%r2E}$G#Z+Vf4SN3g0-- zwUY;Un11wBN+>nL*%NAaD;|RK&bB+jqZfb!TS0hyWc%y_vnhfDs^*;2vowQy3gD4X zCzbs-8uOni*IH}>@J8=8qo-<)z3dc^*R~v-o1j1sufBDwCwq`ySTFrSiJC7v_N+7E z0w9NnbFTSNWdZ|U`YDIs5yE)$&o12m>6X?vX3HfPLIuW>S0c_{o=p#WU~h$TlboUZ z4%tYBXEf)P&!&u0LbZ0i4*}*?F1qohaYwHFe=gwq2Kna)>(a*Cw`WFb#yNMR;PAfL zQEMAtk)53Cx@cH}Jz;jGj9l;=XKwCu`ici*L%)OT{A+-)J{(}Zb^*80tovoekan^{ zkvyyFxNDD<$I{NLq%J?BTg|y><^#Wif-jn^_vK1Kk6B&oii7`R0h@no^%$+i()_@y8Lz^O8Vsc!;SD@G^m-0RD#GoNzau=EB{kTiBL`EuRy z&*}Nw;{N6P?g{lWrj&1=9}z8p0@gth)?T25fz+G1`OP&)5+=K0ISZD_xhG{0WCdW&57v#dX}GK;&WKzLx%r)*I0gRSkr*WvIpRn{A@;lf zr!MmUJ&S-il2=lWJ!*Y>$|W>%JdLcYkR)IDX>jnZ+9yr(^uq7L|Bv7@&+4La0L#S=qUnp#_?N98dwBjFV6& zZvQ{qvKx#Yu&GKebKRw@^!YAx3E?+zM`XbsQB})yRj}rD@1xFQ^$AdN`kGw>1^9)j zK4q!kOPAX9&XQLpk2mXlS8mvRWZ$@~`wAWOu$A}Q$4>A9qZ6FIb>i>QWuZqsDl|sA za(-ug^Pb-)p_}{!&|hOlHa94UmZm%hI6Nlch&43${`14JddrvH$t(tys!jUe@O(>y z*8=zYAFLAr-kv9UO*CnfSNUeZn~y}1!^RehyuEvk{`bFoOlb=6nEUy~3jYg(`}-{$ zV*m!U+2S50?f<*STmj%8@;M0f|A857J}X})L5RaT9#MNY^MCi4`y3&?lz!&_>L6IN z$(<$~rf&>E^7a49zpXz;j)N=ze@64S$*s8+Kuh%h8O{1+eEZ@5FGiCDYs@4i5mFwe 
zd>wzO!}bOCwc5CWntzEF^&1*1%;~V8q_qhHPN&HE<>jhuDK1%#hHLhKA#FpDpvgV2q$oJLp&#`r_u8$^-D#=O_Jb=Dg*QIstZ_X6xb+~x;g(sT zq01{kPeEpRhsZ|CRg1X`A--Tz)Lg#7PxQpsh{C0oH+;6Npr1D2FIqLb9{#NRwl5!| zXMqI>x6)af2@dR8ceyF3#^=t31@5pkHXVMX^dd)SbrPzw@w7^^90t%sR;&euiM==0 z7$UYGxt4BAtkUtaq4%W!t=~}r%eSN;=5HCI=sQ0EIyncKpI%iKTXD5G0*h2jIJGV< z1-z!q&)dtlB`d!9b?B$tU*FOCcm0)OH(b{~e`V8u(HYhR{s?E_{8^i_9yv6MZC?S+ z_#Q`Qw*T;PT-F-+s<%Uzgf^TJF8SN1gKf72=2N3r{xag|#G^pxR`DpL5(#9z`FiPR z9WA9rSz4X`VIBP2xV&pDK3rRSu{!DWO?_lz+QRF&ZNP+^B|j zwpv|^=Gf2NPt_m4dHJ>N3tV9>3BKdcGY=2gs~=%u1r8kyuPRt8Q3CQt!TvK^PzJ%t z3Zq+9M+76dL4c@;rl<;TqZPW`<>ED5Ch<7;=93SoTK6c3*;|!p`#Qh;^V=wewkSs<0n8W@vXx2)RdG$h#{%= zt@fdBqA|IwM)TEqa~m)cMpXFI1dwPuaGja9<~uj8>R;bd^iwo7oTSxbsy28sTzmG7 zP$6hYdeg)(I`QXHKxMW7%;@42a)4|m?RO7&>hBkX|K7eC+vk$aBd1A`@K8X=q%ap2 zS;vfxT8y3SFc2tqS}0GpiWT#Jmx0G^K5alv@ee@Be?~u1k}y4pEJTGdtVPv)isIBi z{XRMN)EsW6MX5|wA3t{aZELlY64fEG5`m=GuJyI2Kt_@^+vBkas+o7eImr zS>q94QFtFy#dx+3JS79Y(K(}B_2a1B(Fh_fbd}AJSeznic@EYE_Dtl$oMs)52K8xw zZ#dTJ`loXgqLx|;IhkR9wJ$;O_fSAF*QPI_z}Kex?G2#lwJ|BOm0W$-s;6o(7k~aQ zV&M0azBfhw(W41UH9r&71FaQwiWIE!7xb*$E@7)`ub>K-!OcF zt1R18OmNKfe0au_L0?+UWI^Hnx5o(2+sdF33w>4x*S+&b^N{5z)s7DsE3ci-o6P6e zmki|=OfpKjkt21e8&LSQ1cVo6X^cHZAMAT zQV*$zuDQd$+NT%|-1*$Fn$XT{^n_#L+W73s7t$CWfD{h^So;IM7O!l4HDgI272^I} zw|T6y(IM=&$(p*--{Zv<9&)6nXFu~;bSd|Fn-B6&9rwqXBlNKZUHGT97IA>vmi&eSatd&7%jc zmCz103huB7NMeVb5u~;rxFO)5x>3U^lGoGP$=)SH?IuoY&CX4k=%(Wyhg~0@>Ps!F z>~dH1VP!j+l(Sq1HRVs-ceF9ADTy?lbQ8b&08GQAu=>61odY~dyavXDiDHD%{E|fG z>|7{gdhqpm*NCAqBmFXwYjU_s9TJm8ZCJhO+&Z*ORFkmH1>+tB$bpHGN%V^i(y)h2 zlH%oAcxRO~ND~8J2+($YV8EuOj8@FH2GTFW+%+=k^#E9s$|TpMMN@J_vQpu%>( z7_VA5fI-upu%Qv+iGDdKrIm0@V1)Y{-yDJfm=N!XL?)d`@*A%WKS*u{b%O9IUDi#H zSX~PuAEIQ_$hBZGHb*>KKoWdxT5IuUn`5r1RY>1ZW!O&r67Z?2zdX)0E!s9}}ahBp} zhKJ!y3Ai{R%O8chKvtq$-R(EIi!TS&dMGd;DqV_J3rL*AGAcuS1{n0=E3~xMXSxJL z*d@5{P;4i*h9*ZxW}Yji*3Lf->|3519}1tjEiuI|dSQlcnLH~Jbs7tFuC*Nu9)0+F z7=qVsVYY@|yHs6F?>swoKME~@$9DbFP?=bjKz+w#7&xhslIcSW5ec;_dI9{52<1+0=qdf_^!44vI!B*xg9ewdl7F67(i*@|^%;})4h)vdU 
z!?xx)#>R`hM-(l&F3?Y$G_axv&~d!Gq--stj{I^-fmcN8YA@CtfVdGtNKoij3}~=k zqQ~df1XDe$aX#{RJ?>bLRaRD_EtOR$0`65-wxeuqhdw2J%kgHIb@Den0@-Z%l z(rtP@DB~g#r;;NUZ_X7lnsBi}wls-$;+=dBpH(M>DO@G5oHT$84oqxCiM%MpnYxrw znW2MAk&f6m;jI6;QV-Vr)uXm2;wrR3<$|%W$-AOHDRaO5USW5yCoeEr zp>K&=<+r8}0--fZlmp#Y^gO9}ECuj<+z`hlZCryy z`emF$7bM=;9_;EJm)re4z7t4TIEp0)j4$c^WA?uHmyLh&T}^%mdOv+*l)KK~@pM7; zP$)U!T)?>ocn64?M;)?hdYsj%{tO<2yBK6?Xj^!^=Hz4@bE)!#nKN%4qR04`lG^lZ z9#Qf;vL9;a61ZQcNl}9AWOid!;GtSTvoYLz@<8>4QnF9f#3esFi?ZyP-vA;Tt=IeF2Tw{75bBa)imAO>m=3)oDwHlH; z-a;vkdmlOeshOt7hwKXWa%EeX(QDWG)OczvLK4(fbo_kUNR_y6q`T@W@=;)C(NhF- zI)ohnEA^&TB+VishLq97*%+HK_qTwVk`-xl@39W2%V~ zSmu{R@gLOy4gV=%MpHw1pK}f!o-~Yh+SaO8a+()hQ|dGj+BKm%+$ms1d?x zm4T^>c;pZrUQo1J^X8cAFH(nIcFSgJ;O0#RTZ?UbNY=iEl^X2<8G@Cq^u9iXlfPbh zQoj+t_oAMwv2EFdhNaZ^fp$S|nP4z3UWN5OP=eVJn^QzhAsxgSGus$1)w9Eg$bsow zJDIhq==Q}lsp+y~{Hg8%@FgEZRDwX{%L)aVhsyx&y9>|op`>2vSqe1N;k^o zu9X_{feJw~lm9d4Zu0w;+V~S&#psxbG^s;>E*&Fdi$(7eJIyD^I@AzMw4x2uFsg0u z#WO@kL#c6$Frd zs_&p=G;n6#bFX;VhmJQ_<`x+R-BfN?f)6~s_$jIMa;*%QT;Sy+m0;VS_C6qkw%8oC z+>C88azR8Y`M4cV7S8khm-%`bmZsuWV8E|&H9E9Y?q8NMB|JLx zeEtK(adoTqwt0={Y|yp*;)gLQpi6@9Ja?FPosCo3W(uZd7)J4G_T0`L@8^bh+Mw9= zaOx0l|BcpOyb&`$wr@_8@-V=B@>CrHfsE^E9{wIWxI2N8h@qrCIuAM0hL7L&3ZDqa*LYNc)rB5u3Vm`kCsM^`Iu6hG!R zAP2Mtg3a0%=5zzVcTeIc+s18qs{qs)%jD`b(0;V!cnSHSqgPh9V;+f^_L*6fy$Z~; zT_Js8@)V}tCqRyN&xRL<7-Yrx8H+G7C2n+_8h?T%Jx~MpG$&##BXq_cA`W`wJ*cR< z!1H~OY@N}lxBOa9Y;kbaKtQK5boRcp_KAQWb)hNtmnFY$g6LYlslJNbFZnC?d1Fpb zk3#K#m9PG3dq0;0U2^1f%GKnzF@JQL-#Wvq3E&^S;<69kEr5CP0WfC_G4S+7N2ybJ zpbmuq6OX$&{&J)=WHvF_sCN2Jkis%Sn7&Kh=yxA;Okp7FTf(_1}6?i=MC&Ai6oUT_mu}BH>;>bWPe)okt1+ zc{;2%R>V014mKN&D=9+FX<$P0Vt;N1=XQIsOse~mnY394;-kp9cO)5FDh7c1=ReS3 zw=S>_d6i6OXk2YwGEoUqHf^LeiTcV7nrRRmwA>=Z@&@MqTycCF*^DCbc4JBQ^({KS z%9G5MYa&UT$XK>G3z>#+^`<@4MprgVA2mG2%-?Rc1(od@EbpwDG_vO0u z^YeH!uU}S$+xYW1!lIP{n>F$fwvk*F?E)GQXcdwiCONX z$S_s^g6e=f)K^T>{ZK6U8p(_gTehyQZG!l&9e@X zYl~`Q?vtZCE0d{18NPQ5g)G}<{V`p>BIX)NWQ)4fEgo7FP!P$V!e{efH7b3i%OO>@ z#jLW;&s_(yy}p@hW%`{9j~0AJ2_d8@A=k7&x4S4fB(eJFn 
zIcYsF9rtFXy&>=aIR>YK;cmKu+8eR3eVN%F_^@a8y--R^gvqeR)}g)~dz(LA<7*}& z3yuo|@xG09+i=k7RQh?h0QAy;H&AssrK{&iOBW~!6+Q9c`HJ{?qC=)~Qn%sE$wTeT z*?L_7>y)#nI>w$X2#``{YlWQ>A(cC?pX*hds*tJ|UnVhf?4Y}thfIl(u-A^dG>Qs=(bhn9sDRGt z;!eJf8h21WnKBBF%U&^o;hCsU_hg%VawtsZ+u8$;qZF2FK3#SHCwd<1P-ciE zPIsi`q9o1dndt<9+24(i@_q(Q)0dK|Fwo$XQooqRP%<;S4LMy`s1lr3M-R&^1NW6@ zJ7AYG7RUs{aRJG(+FE&FE|=RO8Q)ci_S)KU=`D{4XvrkBhB`=tD|6gY|y3@I0D zz2q&|Z#A|l+M(KOO1dIbEof=tT9A_hrhE%3vSVqW#gguP>Kog*Hd2%Ue%i38uF0aQ zV_^W4UNz8TjUVXmhsL{#7_b8pF|N2?e>m9Nk(L*)K-kyzgbszu;=|JdnYEMO_}_cJ=-X(3XUK$cdM zGo}n(+Lw;N_$vpek<(UD@5;h)34=y7-E0r$tB(__YPg=D3vI#v&grA=q28jH`TgRX zR8~sWx!6&e!G29y2fp(c8x3FD!KE#2rNN6eDzO^;%H1UxfNO!G%Z)t-C11j(E&+Rq z|HBff=9iHy!HeE}N>W$5_aF4+LkH4PKQ`lES&N(_N)&>QZfy=e`PvICKhCTH*u55l~H9G1{U`#lxw)e3G+39`5oOzFBq$LOPwM5IDy^zp6ckELw`N4muV9jwFns zPu|YW$1m3>kkc_D=V(J9Q(}OP0@$lAa%i*s`~GpDSkn86x#1$}yCQw*?(JtO?-0HO zw41uDfwaC$)y^aHUHcW8-MP9}j-eCTuR9!ge;C);iU11K)|_5vIX|?4n$g@1{jYqx zesX@bO~h6CLHgc)j*|sj(zp1SslG<>2C2Mu$$rc|0S8j=NpWiMxxn{Q$(FvMUFnx@ z`(;Ol`0%}{+HM{|?Y{-dhQdjR6S>f$+W^I*xR@G>f-m^g&o+ftjgXi4GqO>{MZvq^ zfcIqs_XnO1#A^>R&26HJi<>Kcrqg$V~Ad4f} zwoClQ5-sGM0KEHi2jzB#f&HTj-G*=i4i`1}Y~CVD{!|aM%+DD!mZ{eKcvbpjak}+r zoPo|J=E^74u}b>mK!FYAU+%g7vgpzxZhoElj-lCIu!T8w!<&uVJL^e0RFNGKX@`pI z8>Z{XO+Q_RpbKMff0%~R?+XE*;V9imUyh>2Dt1;rS|ZeBI*gd=NXF66+laU;-xN)b zDV+=yx@RnWJi0LW$koJBt6T1LplA9m|K~*=46a8a0Zd`Q z$i?^Kn_vs&6_-<;lSx2NqyflMQT$siSCiH3t8A&?M5)017Y;lH{eF_paiacx9Y2ry z!U^1m0`$(cQS=R5(Z7X>L`57Q4?O*;R$-|%k)F&5>Bd=3N|8L zyY*Tk0G?bSMz6#*o!n)Hb<))WCq+;Y(3Wt2Y8u#WSp%y*ggqMvq~72U`Tnp;9wE5~ zVw%@o7%UY53+tBii!)_@_(}G1OKrH`kE0;x+G;w>Nslm)Sfk*O7KR5sb)~yp<81}W zr-td`Y7YPct6929Omb`XLEVy){BC2INc?6A=M$j7A~WG5{8umD?~e%1PojDEUE>q! 
zjs-MyfOxJ@#cO$I`Sd3h06ly75w(oFT(HsWZe){)+v&?v^VX9xa^1TdvMDj9>CxDE z!tTaIi1diYsj?Ve<&~IsbwhaWo`g{m=L$Awk2zPA z$us=Amn}*(R*!CDzfb?vx9^cG?nN>Bxg<)T# z#_RfuQ2yW$G;qOjSD|@NS`zs~09UqOK{9CO1j!#(P6h)sv0z4GQ6Hik?Xs;LLFss4_5b*8Rzn(1;ZD5qdXHLVWJ5L- z5ti?i&%svRp2-E0N zA-LmJnv|qBqZB8d29oci-SqD$1sf*KMP%321BK{00M^NXLgIkfQs~g5o7RvWCcnwP ze2&;+u_JAiS8_0vT#R~FT$wy$Z*%>ZL;0z92a|Rkd)9!^x03^EdG8bgKPBF@f_Zs( zWn8xz{CWS`q`5UM09+Mi(stUWJzl7^u-YyPT53NXQjxHP8Pg@Eb^G$A_u$F?o^h8| zsV%}+upMyV4^?fVzu1|x+5$a#J)hKrA}7hf$Pu&=@0ITuB~Lm#ny_uEV+Jo zTiIOSH7`AIvpgH)ew1kU6wFRSe{!BgY*#QwRVq)?x~g{=X^q!b;)r$vJCm6ru1k@> zG^b&dYt6x4WnL@bz^))0_FUh4F&-a8Dzt=%FTa;Ies$W+s?&ztOma2}31IEH$Yy{-SxTrQ);OGnYDH4C|GZ zhpR=5dJbM2_~*do`9&QdEr*(l0c4dPFDF`BJIxFzQMz2*E(kKVJ%&6cy(OW!>7l5* z_CV!hM5h_oSzgtu?GHf%Ge0|@CqDL3Ug6Y7tq;GOj`fg@uYB5w^>)B(mJljBr)#jB z`-ec_Kc*h4r^*F?O`llih|&*6t+Flpjo-mz-cM56AYfCE@Fd?4>gBo?ph@ex zX-w{r&9pBTlgDy!7Nw!4l}P3AmSuO=(mT5H(YHTij=qgdIA<>r_`DB(I}{1jru=#^ z)hPM6TF9Yk3wv0Fj&)NS`997Y-(T)#Oovj#-9L=;vJu;RaxLfX0`pgBJKW&tKYuI} zmH+oGo2^51lpo&WK7QmF6-;V}qPW~M{LWIB-m2GvPH2Ao?{=*%&XOaYXy8^&cMxa+ zPz8D@VIaSX1n=OsPS)p*Pn;R?c86`T>QC{~ssLata9LW4R~X-fqBEli97j`G?OX`2 zw&{mX1c)>{P>ns@bJ&=i6>sLHcU6xyT6=s|`D;O{`yC_Nsy})+AuQt@r6Zb2UPZi- zYPWMIg3$fc^xK#zn+zmA?$JmM!as4{v>?>%U`0BJ~I>WMbx#kNhnVv;T30RHg3IsJXv=!$y2`9AV19D7qB}PnkLhre4o~2R77$n(|Cb;z`T`ek zYNqZY2GIRlKLQ)CMK6DhTgD%aU!~a;Onxk}>M?Ns@wE8y+#S&cg1S|^HcY!@X(QKx zl^X!U%c9`e)?Mpp4HpQPZ)k`W`&H8cuDqaS%2faLeVln|jn}`G+bkAf0x%MW&3_F_ zphhx~JwQht#ohT3OTWKRmU5|$eeN(FaP`ZFqCBet&2lZkWt$BY(mz}xfHivM2E1vZ zy(EF}%QeANWGK+FQ=ma1{9Ms=)#ZgR4o)AUsWWbBmAK{3dSIof6>VBlSm4SN#jUlq z8_H;f@3Hy8_BdB0J)~;DgSJ-R;aGzq_sV$Tj+b384c2qQ6l7zafm82x6-?juFJeg1 z*+RArkrBR&Cy{^Zt}Kqe-ZI(w@Zw*`VwR%|(6PhnAPpdMaWwuqepFxRb&Wm6;2!!5 z(4{EBmAmY3#cq`h{<}+QtD|I8>tSRTamg30$XKZ4NEV9KUz7oTqgZI`89fr0dn?yC zLUewu525~sK7_z~sdJbY+Ds$JS<{`H2sfpq>qE5nX+zVW6|U`5Fjt?I?ke`;&b`-w zhE3ogzi&FI1qk+DUvz2ivLJTH++X_>ZU88<-j&c+Ga6uL%tJDVC!WXa_S-ibewTkl zM@Cnjv-t)-_-f}E;nI>?^68t6Hvn+Mgmm2BcVxgSv~%$q6xl12KquGv2OWn>rymtC 
zgGwms6JI(d$lcR_l?yZ`vGsM1*INnZutgYHKMu`t-J^W@kYz7<`F8{6s!YoCedzk4 z3LkwG`Y*HIJWe0{eO>jVFJCXK!_9Gl3AzO(oD zR(f>3JJid*apdv$tq-iDry8p!0*iCS*3B#BTr?eUQ7S9L&D!@oJ+nEA-U(VB2RFR0 z$%94(?~IgZ!aLVI$y+`L^~J4^zSy#{jAHwAZr{=k9Nf`Z?YHlVE=l=~WhG8I+tj?j zj-*lPNA-yV$s<{NQX9DdHif)mDRF%?0A4JDtKs_8WO{|jn#%yXD5@wp7G(Z)jdErf zfQ`v3Xu%{x#vV`d=q;Z5tE{xXDt~>*;S*y8bj53|Z@5xLF0#2p3Z%-&MT7ILB&7S) z#!fnr`J%*eT{O%)9o?=(mElVe?n$FC@5HI4G;70olX< zg$Dr`U!2ltl}A_3V^@5IyEz>w*~b;-{!`HIAG5ntt{6aFcQVP)^|62dfzw`XBt{6J z$YCF5v~XfPssFJHa^o1laWI=kolsgE(LeVNCmLum8ty5H46FjRr9F0CS*UI}epB0?_X%1X@NC@SpLb%Ze>swp?Z;rBH4q?f?SmwWmRd{;%jgWa!96)a? zBi03w+9v_7xcL9U!__$tA1(UNLLw0TxJNCx7XpP`?;;Joxp#+q05f!;5E`P2n8!9i z`Zvtrx*0US+ErxNOWfG(bNzSg9~wP>v;}kr=xMn69A=Xm`hpGsay-m?Flu>r62PSu znd#8GIY?7+JLj*f>oUG;Y7kjnM}{K{fC{fA2hbJ>RB9e(cuz)>vLeF*KMfX7+3%y9ZS)R7tcX=8TH zW+M33=^W7oM@oNHVPHQ;YXOj{j6u4rDJ?{Y?0x5~_FlnV8!$Gj$P)@~ZD}e!0QS}b zI0+BlRN25q`D*KmGSNUYAfj4>9R&cfP9Xq>sKxl97){mGdw}VrT#Jq|7s@G2o|^h4 z{L%rt!4jb#Irl^b=8Ti{?IuD{*#?7!@Vt zWk#(mi3mgy&=Eb=4Q$FtAn%_m-RA7>QdGTDMN|AK_uZ3RfM`gi{wvQu!xKo|q;dc@ zJL1#b)?u&VoC&1O=1Iw~NmIhL0Pgr0QdwFoS(T=FxdtIF)AE)ugO8!pc{;`_-$ zBB*_QX#S2;?#YFxsvx9Oe}6%|4C!3kiNHznA*zsA1Rg(>l+4rKgQLy78D1R#GAS$U zB_pB(cFYFABOfK}k-D4+{D0mr!z#rgo|KUS9-T;7N(fCgc3!Nk-Qho|PJE8Fo@mf! 
z3_dUVSeaaQ(im&N%a6nPR5;UUhwlO?lA|WQKF$qZ;}D)*SoGGBj%Q zjg>Gm{hCC20GFvWussmbCi8n*Gr;=3YkK5n8q^Aib?p-sJ%<`TpHUDrfgUdh(stV< zF5XBfN$l>D#P?$kytRpsoHT4Q)3;W1YXLcMA&0`S^HH`B+85dXZb>Pr-X{rAZX9RU zwr2PF;#o07B@#EG|ARURj7xNt8n$^AG9JvXEs1v^K+FYqqJg6$ce_QGPn>i3?Asoo z5N<~W^^>{HIIi$9*$vqGhi^yKI&(n$2`U$)1jOAF+=AyZJ`n&l80-WhKkBG^QZ`^(K?{VWFfaO=jH}mpj_+xyx)`JvQUuoX}5veZoJ8& z(#zK%!@OeIEh&*{$cw5aB@N~*@XM}Bn4>11Ie~v)UWsyTjw^ehgjH<`?Wn4>%S4`z z05A~|WCx{YgsxE-7}Ezy2v$%I@bIAQ?C?IXh&~yY)cmK--Bp7TT9I zh^P{V6`gSdamDL0uT=q(=4W%hk2jeO7gE=FK*@t|QvARC?B7x1 zy#u|amkkn|Gj+lWmahO|gkqT~kvQ#sNj5FlOZQQGLs4A4*xvP5Npuy~hS; zzUOu_&LN;J!FAje?;zOS+Ws&AYCLfmlNyG)8p)~f+>ICuZi0$Cr@zFUM z_K8$EDV%!AG%J`W)L7_NV90tM3G_E_NeR%U$mrYp$~GfEfU5^pwdt&eRn}{$0-5fQ zDaX27lyAFUk$^F6%Jc*A^bsRk>lRo0!tgGI1+s*&suL&t&v#wX4^F6j^vHJKn)Z2tzIfmgc z;i7VHElm_%e%$xcrC&Bn`bY>iYGmMnGA6^Tm>s&HOHwO9cu|&=h{6pTxSvO6^qxcQ9t3dgg*xslC1&Ht!kH`Gnk{yS* zfv(fA`neCX?~@yr$NB$AQ9QI|>rVYGTzhYB;g$n{Pf|)8ev@VFCqS zY1RV83n|RIlWXra@vXd_Kfsbkk8e#@P*1pN{7P3w{l+bMs}q4&E`|hMQTv0R*1FVH zRpbGVSXn0N@#H=bQ3mOUIm!E6N7cTI4>qi+4WbV1()xpuF>LBu+5YF5`#XLgJ#tsp zYX$vV?={>bi87oz<>9FPS(E(W;+r;HXO^a?r`s2L-sb7-xB0`^tzcoIIa_#2qyt?$ zYrVUu!u3qloa`$0$j-_?FH$Pdvhqmyo0v3mdmep+fUFSwsZbS1#k8<8gRlddbFxh< z0f%>dcuTPv(tM^X`@*t8J@5FBPnpo`7K}qg&6X8ATZFe=(*Qg>MTI~qURL=qa8MnB z_4SVb@xIDzw_TY-Al!hI3vh8nG3RR;u#eB490&pC7HXis8pd~fZGyi}V|4qWn~RkJ z3-^BeZVA4bXwJeY%JGH+6gaV@kf$fPC9gkfl+m62FY+2;oc>o#)F>T|Npfl z7T2>{CxHww{EpDco52~m)Vtoo3BppB9#9C>xLI&WzpT&CTO6h(y|2kg*XQmL!WvD& zM04Fvkj!Pb(PS$Z6-;$=Ryl-Ho&Y+jENIUXHropkdZbZhAFsD#_lZPtN>TL+Ocmx7 zxOs<}uC7o3f3RO>(m7Dp~rWaQ;ijbR5k~3J-RY3!@_d`zWPJ z-dZ|hy8Sd0D8;VkhXUh8qnqRjk@wvcY4+UK9KS&5T zPaf&9OMIgLuAC%94{;xEZNLA41MzTMJT^rObuZm?<=q{@7=)ado;aB-^L_v^i$Ya( z^))%H#*vy08t*g8_90r-EYaS#nC#r3uvj+1+$MCtCd?J6bu6G`ECp>3PiH(j!Y(iy@N1nh) zKDvtpWNQhXU#6ngfD5b$A@15EcDWz4^8e|aaK+wUn(C!045GpLvr%avr)8>oeB*o?BT#4;C&ve5taynX1?qV7_C%*t_>3yn?;H-i6!ywn>KX(zdu&7H*18^@F}HvxO2)&f zwUZ1a36qOsf6B8`@J*)u)%AZn;om-D@}=Dp?}7b6qQr~$|MnxVt`j-~ 
zUAy5EK%ZU9y4U$JlkDl0vn-{wPc;+H0=_n(r2qN5ey_oYyMq`Hx2>b)d@d%9(=<3f z`_8`J5#I}^(*}CMFc0fNQSP_EM|9)hi4tA094xz$VQJlboT?UZq|bxs0U9%TlQq4f zvTzq;SoMp*$f_hEuQP8OEc^Fn6bubQXw$wJ1y~&K*5dvoy=p*O^P&f3S-$V$a!e$! zTGL%?8`WKyGmD51=+qhF&|pb0xda_=R1PYx}5E8w66tVQs9MK9s5$_m%_0==?3Hx#6(}w`g{hhpUUG4sCw64P5+L)#)10dBlumy%j8dA`+=eALWUpROB z=Qs!)51cr>kElG7qEK#Dh$6{WPY$OLG5&mnCWGMaVWpHJ3F&gP8*uO3p?vHm6+NLt zllO_h1?mXF7maJ;S)hkU$Mj*SrUpHi%|_xhs-<~xj5?j5eh~8$TY^IZd~SUk#+O2C zy$XEHacOlrX>|ebygc=~ki`$ zwq{yd4mPLRHnYKrdKVx3o()G+q{qg2F4lO|vJQ>1KFVlKSk(hPIeOr)t}n{-0Dn2b zT6g8CQW8q(NDtzb5U)E2zL(^id?aO`9YVNg`iQ<{d3l+vAn&BQFr~CFQ%FVZ!IYk# z=b1~(Htjj61?)IG*?fPBxyRr;%>k@b{W$xBwMmfKu>0*eGQCX4S?lS352+b+VQCCf zF1O`QKrLC+DkiVUYP}__1gX6 z*FzpAXWk+X><4cZDsR9Hpl(v`q$mOn>t~pc%H|((9)C@o>r4_7I%d+YV(+1+p}U`S zH%&1<$mVcs_A)rb%!|Tpg_Vz~I*C?Gv0WsbX-hc~*$42|n z^2Ve8#Y9)dg(D&QQJJ?sc9=@?)$Nr(gl_(|-2Xzo|MXu8C@BjUFGd~A)b5Xy0W!#+ z;+Y@iw;2E#$#vnMmvB@$di?un`j^($6lmDP2Nkinv`bqO(V!&128$qr<%UQ{OX4KG z^`)g&RIpix+OwMvm`qHbwT}4PC4Nz4>dS2PN2}&{Hbj>eg|Z+XT8?jJuUkC=@P)Zd zger|7R?8-=0II(`hQuK*-zt3Ddsn}(+l2?<_}N5~^`Mc`jmz;(+;%)>md0_*d*?aeuZ z#gs|B=4X{XF5QopR!oF;pPI)_$0IK%(z5~?-!}MA>dkUKv(hfmoXkd5)x`J!VY0dn zKJOU3EM$fGUm(dVZji7$FS%1&NfcW*I zvRFv~oVbREIUZZTodsv019kfOdM$+mTCj4}a{2PmFY<4B8tDp$Khes9Sxcyi@dr+B zM1#IBPRDb@o?z^@Io9iMvXCpXzOaUjYPEeU9YQ<%Crxc_7fjpNSq#0Xdy3B*RhPOH z)!Ix<+*;=wBA7N5)op)iIeo48ht*SI3%zj-u}5k+W*;lvkb0v;`%{ep zxyvhpG?yIS&Gg11A0mo83bU4-RACXf1lX*Q;UuW=(R(|*5Fz(9LzVF6(q|HnHlNbDP7aDmwxtI;1YCLW26HO2Y0rp?=Iln+V&7cbO3iFY>DmF?hs+xO0&06`fF0;CEm z&#u8fexdAU!hOkdC{&pj5_4EOdX~~(Ik)~nLvrTwpC2EN|58Iy>f|02ymopEGE?Qg zAABA)0-*=C#|I9|f;+nozW!jCs-n&MYeP(!a1b>>g(VzD6!}qZDi=XW&*>OOTJw~S zURXs-zbWt`W!d)FQKi&MmP=3(v93F-KCM^B%#7^-jAB+dA^=tYOsybU7X|W_ab9TO z>~UHxJb{~Qyrh1m>et^03t%A*agS^%99E0x84szAolgmKIk2fdMLXVdk}S10M0QZ0 zcP2F<3}ff}1wssy!cs{Veqjio&L1SH`}4?80RGbiTRr=N%~(rGAEafyrN_ zUpv`9_Toz4HZPwkvmA*c`_Y%JVt1_B<6^@2;PtKlha>mO`5v$)yskS7IaAr-q+cL} zvfCL~!GzbaHKK_x|67{4CAO(=MGF;_*}r4nQroT(42dl)WCdMa>b?E|$dM2H8%J{X 
z6oP7%Y`BgB`={~=yX1>IpLqT+4zb$|_hhCF+n|2uKaKvMkkdEsFF^S)!5x^m^ZCU^ znJ9d7x;dJ(jq?BD%>XxKB8bzF*|`WyHBm#1f;AMLpv1bxwqyfWH-Sv_0eGJK)S_urx)uWKKY5y>lnWEg9Qn3 zT=PV~fN#H~V0#w3Q7IkCIkw_HpF5M%ybj^CI+A`dSF9hdo|%;BIk!jlE&3}}0o_>i zJg23Um*=Kum9?(i1NYNZ`;ewv3eR(H01uTccAZjiH8hA??!Oj7nEu{i^cn4HHJ=mB zNV(-A@m^Msez=nU&LoS~u}}79+ghSEt)`AEW@6=AwIp40x_d}`_xT61)2sgp`sHZ~ z0Iqi?xBT|m<%F8gcad{FDgUP(Goz*SnT(@fgY@$|dP&%mZaM5aS;=NV5+5$f=(xJ5 z6m5O*Xqnp~WkV>Q&t|~X%Y8E^FlMg}1rTr!)d4@<_2A0n+ADZR@Ns0~mGX#&@5Aw$ zc{Mk2Q19xAfOQ8dT~oc6?#KOu=g2~O<7J*#T3K$@+mU@@j-U2geAWd@0z|%Mw*7Ad zP@vS-b$`ZZd4d%o0}&ezKW4I9O4RLS^WCuJozgU0IsKC9bq}{I5aBQGEku~I6}zK% z?~$@x?GmWublDubg@|dETlS(dbl=*ERmT+CcpkrczNi25Z~k6*9`q|G2bl0$DDHKL z>}$Qd{}>H~6Yc_`P&qixIDB6+bPkZN+~RO44=K;S#Ni zQ-Gb(Ajnk(2Z_md@);j1G^N8h6S1y&V<$xe$hBqOBC|~KWYtl3X}Tk(Rv1=RETgs? zc|UgiUMKu)1L?ofSGow+MR}U-ckgj+WA>5D;k!Z}=}WYue2PS(^hw;MtDPb`IzmVL zNxN;T>uiWnk8lPxm|1n5OZG&g)30-N5OZltB^dV~-o=6NU^DJG{H5yNtUuK%HOS6N zE3@lK%g&IoDzj)QrghxBBS+Z;Jgybr1m0Xu{X7u$ASFt>IVk)&R8+yE;pN+r%A3__ z&|6;Js@ASF^wAB!TC3oGFPrK2D{1b_>LZ6tRb_EDO8h&2gIy)aFI`?|+XjHF%I{{< zn|l0~g`TvV&8)xihR+$EWH5QGmh+_FDQSqn-k|5iAwaJDEx@wB|1$2ePOqsuU@Ti? z)B9drG{?nm?n#vefliHZayFjT$$Xm(K4e!5ax$8ZQ<&psX8Ck7n{F7D4dQ9C7%|tp zD&bBVkeM}xxjZ1SD@B(axuHcptWaF;RsDo?t8C{{h{(mm2qyq%m7C1TR0J0}N z81q<|KN3`iU)uFE=At=YZ;b9|Y9}~kHVcnYfyvXh@-v>Yk2EZek1v1XDmw*NCRbNY z#2mcCjIiOD=dxCnme-U#)vl&jg7v}G&=1S0GtK&)X=j-yt-oW!kUrCN1SdFf6DG?) 
zUN2eYy2S(r7$f=Z&dqPX+^Eg;?K8TAdVGT4S!%KRNz3pFt^y2B+BfWjqP&yT7 zndaeuHJYozL@dE-31Z1#@o2~+O=| zkwSTxsM~R#>|<98m@U@HYB|g4XH1E|L;KY!xs^vB!#w@iOF8d&gDd0)~s9$Hzk7NJGRB3qVp=IrmB219UtL)%tAah zO>>P#TSvG0himO#?zv0(E_>~*nyx;cX_Th;^ARR^K0x7#!39tY+|&+w#K-wi$kTn2 z`|95g%iq6D*2b6ec4+K~rg76eu^Vul716qD!i5XTfbnk2>4|w%{m>m1;GqxD=EsALuM&S!_Z=PqV17SlJZOPK5x zXD=ayL-<}R+cwo4R{X$Dw(F18`2*QiUr;i->JO{xT+?J(>dZfxL?> znvuZjg5gQ|ur=Kxs`$s&emksxy^9IH4{Oq+XsP=TiY)UjrOQ5JPaQFY=YH+xkHy?c z^0`b z4YhK73=2c4$4%w0m5KW6W88>`wDv1_DiUzmc?q4T>$!9TnSS;ruV#ENxG=>(wO^NS zOcsy7&-cq}L$n$IlvAX=lh$r`c+fKb_krxaE>#jk&mS4HwXUp`;TuHt`t#g)IkisD z_PZUHLJDmMNRi26DQuQI91#g)zSG3>8m=B%~qI0s&a9XNRRmZV?<#aO%l2E@8O@qkt_9g@Dy zW{RY&t^W<9`8ZNNrz677!k)nl>oDv4l8tVlEK7L_6lnAHT@wzU&%{LM@i!7DV-D;! zzzywu=eeDkO3SPG&=(FE`UrRU{>sR720_K`()rU-p6#?qAqUU?b9+kw#cX=j6@gdz z78^S64&NS>`&TZLd>=rXpP#b=Wx?Mb_0KNf3(eYWzB5MQmjcd|wXS3=H(T^!b)pwq zs1`tD9@>`Kj6G?&GA1ChX=dUc%b9x&nb3?K-C6Zh+FW5|i6l;Xkej{x40BWl-Eg%j zxv>;wUt5eD{8-xslDzw>cNA(s2Fk6vr=h8@faGMWT=Zgk({Y;TGBx0N8GZ1Bpb0g1 zwAT5k1tYMoN*%VrMN^eaKysCf>KTfi9OQoIGI{#-f1A`7N{}M97bq`1=fXu?&=N^} z?*Y^M^BRBuvV;r=#=+2xy0AMRFoiyJiiI}O^FPwQ&*nOW3#)t3|KeKO)Q4WB%ePBKbPA-_nYSw_pA1Q z2{X&=;^m9wG`Gs$$UExi`MS+0Bx~JrE}wuBN1GK=Rc}r_R*(!5+z|VE?3xcjcQ);J zbwo1^X~dE=NMLPYSol1R0q9cOfcnj6twcT_=6?KT9%fXE8B2>ZE#c-i9pr!CvA^vj z0WS^$kpVfCDVi%R*g(m7gN$CDJN9GfIy+5!)5d(602FvRzN7Yrr2O@4WZYIZN|8SAS46!j+U{Xkmw*tBlzjU<+4go0Cims5w}PYyH}lmU&#Y zLVkKGbW-|=w06IF(SqTnaqYfV68z?^^LU)*)}SEmM{PC6!s`Kc^Gs3~P@5q-=G<(A zRv61C=k}l|H~YG-F;CZ3KKj}aOzBR-tB z3H+AuC4@qQh?Y_*-PamBc!gLy4tDicN7(bNK$mSXZHH11Dx$f@m9dY>ESwm*YG3au z5aCS}ZZ=U8rec#`seCJ3b(5Wa6aDlX#phIMd}5EA2;EcGQuq81n*n58=~F+)8Cb|d zrUqW7D#BU?T#n>M1k%@NJx^`G{I^!qqa4 z^-ZX^xMd;uGs;oD>}WtW0lPadjpb~WLi9LR4=hVrlTv}7_UOgG@KJzD4q^dhnw@pJ59V9 z3car>V}Tl_Da!3{P{HcMu-F?3=-qFBm96eR*#LwoO;zC4>E@99QM>7M}ekb zJF%j`OcYG%AKPGy`mPpWx>g1)iBzTPJ7fkaRN0)t-nLrnmOdv+9#51z(c-`3r2~wK zAP-G!Z>RxfX@|k-nL%Ag=8V@m&@UshVzvR?-EnzY`;+^6Q>3)&(K?MD-My5- 
zsE(J%kETG|6AG)XrR&GFpT$u7m4lIjAt3TQ9B9cbE4zW%mE*J3mOOikDj?%rHCymN zcI&YET6kzs?X0nv6?OS+_n;C+U0qaRZncwMIuGvq&vmFI?LpT!(LZFm&iLR&AzXFj zdEZZdumm(_qS7A~+r=@62j@xynfdb)d;l*FAIm!aIpV+Ln9uur&eK?CC0+U?-r^-x zrY&91(vG@anrD1Zp_}o^wRa%I?Xp<}L8jcfjQnJx&Dx1UYf0?a%I43wKP5Gp1I>w$ z!-KP8#;AuxcB{O(HTf{-B|UfjI90TxvZ> z$QXq^Rf-Xul|A>zf@W^L%JNHdH114JFZy`@8mPHZuk38qgDy~Wh>S>hsa?xvn-+F+ zE#lh>c)Hx?R{yCOWRxP;ez_SMve9>_EYZ@F^eCQ5uF*}bafbk^!owL+KF(8AvoB$y z^JG}Ge(|#2@bZ#ve!||`2%$&+lC6$y(Rc{zy9RpE!$x0&XfQv9i4`>-04hJ)Q`R_S zKdhPFXZT3hpHzEI(hN7t6NO8P-_}}o|`^yGxD82tl{Y>_w%X2}Nn|1f2 z-V{Eh!+F&%`N&Oiqe_6jOqyOkx6*Ysi**{*amOQ0>0Yr$6R)NO5k&hoDk|O>08+IX z;1n0ZYiNkxaLv4eo0F|ZDLje)nc=~0c<`T`0Z63=OU+eZZ$Jf@#TzdDV|4W4q@%YcuH8{zY-K70kw3#?u*3*bFk?o%*p|cX zBLZR$S9$?Nw73SGFF>qK7ARKFh+n(~ej+19t3#j2%@GZQzh;OspPEj3;uOWw>APsx8Jh>sweV~7l)OpmdNK5!%)b8okRak79u&aTOeYA%Muy$ zYJppF^Tx%#0rCZMcOPypt4hEWB(QHH1CXoKDe1`4uddH%qMm_}Q7+9g-b;1*w1e1V zA%o#>HQTwhA9o=_pUZU3DE!}XUaUdzrAWvl{Jj4%6rAfbpzpaxJV(jiF9upDoz}(= z;ak%m>g!BlDe`7-KkilTnumLYQM{2};WgX&O0nZnVEogX-TpfbW(5!Jx9Pz+CG;IS z9uTDyk8iAf2HGBXm^MW8-xvbuo*$dVS5Iqe2MqVmyr2lE-p`n)|jE z@dfEK-^v>={{SbUB1l2Z(ktm9ct~uVp3(`cN+)Yrq_`o-$WN}2Y4tIK29_M=yDL8> zk03*5pDc*ygT8ohH;X>B5)9&b*^VX$q;d~;%n2cmDrIeLH#FpgeYSo7`Tj5=0!an@@Opf&9_c^>dxE8=xVb`+)g1B+3w|BjtQ3eyPmUm))9i2x3X(S zU3#2m>0cXv3^;O#Qs6BtJl7F5W`p$c4ii?)&!!vyj5}X1^PEp-$jkw61XlV@Y0geC zsC2sMnI<}{1_`WVG5W@zc^W&1n&!PgxidAJhqrpzyW}UBFN8%tl7zzU!zQT*|E)wK zP{O4U$BU2|fUgsLX4y1E7QA4m-yWg-`nmtS%fXxw_9+lwq;x!DG3fM`H|Vli2QZW! 
zJTX@Kgp-{pJ2+^sRP1GLAZ>RbLW-7O+qF#_!BQjeEY}mY7hhNVydnv;lMO*u6hDfY zZQNLBbxR#n^|YS7L`TY`a2~NY7Gb*?yL5OO0`+$7uV2g3<^7Wf2&>~(JFP2R=tKG3 zM=LrHW}j9{cmH#l{CPUQ0dCpHFH8~6bUDY$U~ZYl2$#JdEL?`vPjzQ__=vc8eG-Ju zr>ytH8#6&0hf(xzA~$y2xboT?f*i+Jdgti~mBVJw4>GTmRob2#fHR=M*cdzw)NS)C zA00iBgAlv^%(sJ~(mAdGV}8@Y@NHM#y(i&BIA75Xx_V4Ln(8-mX+?&1vUOW*0}!Gx zk8a{5Gu^F~D8}`?>slNNxX{%$X?ol>;}8_ zs%dfOGg~bDwByxDebcQTa@vR;zf7xwVeC1;n`*1nE!#ozR!ufd7nm5o=4W7K_2v5V zjg=zx#Jb|$k)K6=>EnKdgsgC3C2VhAUfvFcoISSkM(;m7@J0OY7Q~}j2&3Fghq`MR zpt$1}!sEnM_y8uDkXV}JJ{$gOiDcFd6RE+(q^>f+gTj;G@B&?#muU1t_zduN-?%cE#Br|)x#m6UyQzqYpOVr$8$ZvQc_ zzmSe1tnuCz+&&|fPv6-f3$f)GJt6b25-ws_cUDKXJr#ed!dJjJlRN5@6UyAL3OP+p zu1>4|xbc~a@tg6{N@Yu0m{}PMe>D~1>-X;EZtHaul$(4wI?PA+#&c#5Pe6cKNPKOzu$13seWv8?iwh{4 z{1ESM66ZUx;6JR!0tqf?>Qt<&v=U1r)*|(WkySUhY$vMPEOFRoTQ9KOdgK#=N(}!I z7uA`j*O)Wxkl$)5{imRbm*cuC+J07RzW7m|b-I=wozYRB*?LB#_e(j3vq{I?v)Bv4 z(8Ydy>88Js=w3*+y5x7V(t=x8GYS8JAiMbKL^#@j01a0RWv+DSxI31X#)Pj2d*Ls(+%bgB#-rAg* zE!mX(4|-);gpvYzJhX;3%pMcBiQI0h(T8`SF5t- ztC9zIH^QEzySPr}}x{ldqSc_%Ko6N>qbuvWg{Zi>0w&?6+B_usbUW zsmFKGM$e(Xl>vhwDl_{eh}c1h3!@zT8QI^-IkE@FMY-ow)KqCkCFxeX=eRqM4q2Mr}HQa3GyT`ZY!F~H|oK2SgTZ)wwe5+DB8 z=?z|nU|1R9Cm=8>JX=_khDH{{=&0s^vL{`*LL8~qRt4dd(Dl(;wi7azcfrHyg&#Ms z@d%M9!g^msm3t+EOGXpn^p;VzBPrB#Mw?$)e&>l;!h^c={qs2mUO)=8pDR4C3t?=RhR1eC%#b57FwPppw#v!lJe;j?+Lh;5*!C9a$j`NzQs%LwaA5w(|eY6GUJ1!!SZ^Y z{F8dm2T93jc@qI9_gCS~+$=$Fm^jP5QlLX@HP@df!Yu8faip}^&7Qw#0m|+&JU}`f zPc{N**KPmWQi25(iT}5YZpNLxy?$TudNxF10(QFX@F%bR^{ltqgh((W;-T1-if*?t zzEpdTe;jYIf-~w2i&mu%c)&~w$8s`98%@aCqafcey4i9LfiAY3>nf!mhL<(`R#F^> z3*~u+osgI(f|kvR)O5c+G;Q(?FP6{PIZ-S(ZJ9DKx3g+HvHTO+`C*a4^73R7?2fkb zwHM*SEAP);)Jsq+id{)3^>{m47p#IbQka$B&ZMkNMrw$`6(o!j%@ofx^h&t(b#Lu#T#t?5GVIe_J8rqWme0576|o!g~Ls z9pG0Kk>2ua*_`;aUtdgSmPZZtF=sE|-2+9c|3Z%z4mX*-a@Zbi*FdAyoFl z8t?r2w$F1MMtkvU#- zC+nx)8-FSD*%4n#preGKB(qA(?C*X45LH0;Av&4utA*O&nzYlEQy>v~8XM#3+6zV* z`ntH(v%ps3M`^BND~Qk>ArndMe0H83y+wukf_%@=oSM50A@n9^uhhmdE2pm@*`d7h zp=#jlkZZXWnFsF2U4BS38C(m#RGCE=4DTt5G^uSpJ>b2B-htL|YXgFEq 
z!3%?syd~MjOs5Z3H%24_`KiO+6!+};wWz$CQpqj0Ieo%`fY1UIc)a@@{v)ie!R~Xx zHD76^{c5Mxk9$MGTxFJpy2oQ7yk!a9K-A4W{wiO0>51+Z`0QEj=dx{5b$_Ej&!$M^ zb5SI7s_}jH;c;sSg&kE7kT()&;!>q#;~BElY>3hwFy53*6=qbh+fHEU@UU)112@AD z>PL2W@^81d3UCDhMEVraLxF@fL`Ye0PBmVBa3T0Vf_>5|GLW_f?ozr#l6lw`#Vq^S zedDX#C6X!NcIEbWcW>R*ZY}iv>gu&JTFIuw(Korlv}mz(nu)@+^4P=8 z-*(dc^{`ib_)`Ya8THu>BFjmxGz&wp+X=hncFQ1^*~T9-lTll-$Qv1Yhk5P=EUV`- zAi{SjWnC!?#;=n<0!Yt`4}NB_7ZfsPQcv{{c*4v+Tjn=0o2``#3Gd%wbs>t1zR@!jot~PAB|kUqu^Z=Dj#4-3$@GnX~CPR zf^WCYU(+!COAIL%`vs74rHOXZt88W;(MmFzcg=pJ1_W&}b?j$mV8O`eoKPwiB1zrB z3Mw9#qxK>yE{}w%AcP@N{?W;ed>4^Z?hb)x`~s8=o$thu~ucw+9s4a)@xn12^k;*Y=1bD%{1neASnlUY5Mz@4>{t#LQW_>+!!Xh(I4(k4z-KEz+a4-0-HZQF= z!XNI;L!*UFxclwiqEP!y^&Sn-IwrHvr$)&!=Z@=V} zxP_ker?{4OeXuovykAlXC;oln6J>-`zkYZea2{B;yzx%xLm(_KB1gW;uriGa0a2hJz6;wQ6hRW!aZM1BCsfVfof8MI2qpVk!3s<3|>P=9b75B<% zlFFJBxAZ)J<=!ilX3f046e8FFDOFj^#2>Rd+N(EMt6wu1Ua1tpN%Vb# z5(ncL%H5}*e8oWo4G`@@w`a$obLlinbZSpg2QGlj6H#?2GO^l1mTx89sqscBG+du4 z#jL%->Br20bwf}`KB8oI6f#_0Iu_;{_l%eoaK+n`P}1I6|L9Yef@HUPM$ zLswlWv6Ckh^}mPoM}+`QZIEn`fh&M>>j$ zY)g>=6G)uZpkm2(gdp9 zb6{weiR+Z=Rk+n!pvIbG@Enl<-&8udytA$|1bNHm6Rf&!D1Ao==s>e+=uF$5&2tfK zY!SHZe+mrebL_p^pxmYdO^A&jJj|L+d^KwO+n)+w1BHHJL_dpxuLP(gz1us&q}aM> z_?ezm*bB}9=~{{FqQFF*0Gg8&1bLbS6p*Jzcd8#CF0H;=)~we+DCtx8M&8+@?S&l5 zP;bVR4w>$L!Lav-?&hw@M>*<}Eul(0j!}Lhg&BH_XLFw;ZE|bEHlEQTHN$Vj7r1Il_mC!Q0eYWU^1LpcnVL4Mfmfbw`;O#n`Wy)%a2vxmQtUZ=#J&4JgMQXoI#BoHKO*at!kKDuSO04Mb&E- zJ?SkfX+&~&avY=`jp{;!!)psyRa@+qr-1w1m=q=6`4+o!?(__Q2;oniIOH=IaRLk0 zI(xrVea%f1fqey&41(Q%3>41mIIePM;{0JR?%zH5MsXI(Cn|Kk@fTL4l>2hyl;*@X z^#vlHMj1-m%^&W)0!&^)6BG(=&6$nOwnZCH6}KALJ;7N3Z0b{E0P(y(b-+oEPAzZz z#K_1}dI94)4~J7;q2RDFT{rmXU=2D*30K|2y;tyJ;CQ4FV|p&Tr~4D1+7YoJyDr3@ ztVQA&Flc0rv-=<%!hLHv~3f>RBMzMfll;gT*e*I}}HRcRcF+|~dv4o{^3;y~!bp_&o)avWci>&X24hgx5o?av>z+?-*jEnh+D--7cRH0_%-9AzSO6XE?O zHYXMPdC`8I8sd5L#=pay$yFQ#0j+yAPwpF15Wz49tdbR4+Y`LG4&x{dOO=`zLbo4w zpNf1<#q&Tlfklj}W2VMVM&FBig0`1bf)c}yZX?*xoA*f3wE_6y`hfwyUt8s2uV@XT 
z7Tbwt$wpq{Yt#A%$BHMD4J@*4aGlD;XxWc@)SUyb8x-4LwK#GUJVv~y6)ng1R(%!? zSvc&`YHmPO6OBYgbIukWR=ZpqKr^-9`i(&DX1)CaTxgX!+H>*eU(^#fRWeC?EE_%A zV6njtv^t9~#nJ3vPV@Z-xiPAq_yvqC;y^|e#ji3e);KUQK%A3|!XS}IQK8nC(>WAC z(nuh2cx=}wc1RS9r-#~MP)g)b4TD;uE}?CX8ro;0=!KcLCf%zY5(+v?tI?WmiFXFp zbg>g-V~Lx45?)c&tHrArp?&R|70*GyK!OHJ<3?eIu+&ZsCdjDi=`3sB`}K=fP<#S0 zTxhirub4!kX^rnsUa?Ll&4CA1!{DT|gl;5Iyla#q63-QKgNxb>awZa*7w!k@7V>Z^ zxF>8tJy*A1C#mit%1b3z{I=u}SrPRK z9~C|IB3Ba@Wa`C&7MDn4YvTMBXuJJk1RVjgQ$;{?OD9pXCwe{s`o%@u_M-8lT!l4P z?_(?;68`f68L{~QuPjRyCt>aTCMo_>fQM9XFFQ|#s?n!dWG$g9q}pkz;?XkpU5vINeaLD>7+i;x4eh5-Kzdp!2V^$$Bba-rd+P zccV9#@pFO?*f070n_v2?4g^%pw(zCMs{jZU4$QgKDy3xUDsBj1oqRQ3Q{=Jbp}X$z zbrRM7bW@kjH~;GuS#}-UUCW2lt1y4rZ7oQWgX30E3CgTE=c7$leU5LLwbjTc3oRkV zoy92v#B=SW+9iTU-%?N&_`Jp;hsEtYD1b$NEhym;U*|YQl0U=&N%MfYXw@_lYufU4 z0*=}oK95%pbF%Q{m|6o!+hE(L{z0C9GLE0u@1GVGJ09Jtd1mxW7cuPPP2}|SF@7e^ zk?j;6EMccHjMECgWmFB3z}^p^xrv_y#qYiWPrRf;%^4IegkPKBtug_l-K?HC&C}*3 zqsKuK23GFUHmN+0qo+_2j&myQ zato^l+zWePl{`9eWLuegp)Ju{Z#LD0tZI&OlA)`lnIT=h{?J)ff`miNDYyC9&B85@ zq4}=D-eZY%zQz=`jADk~{XxF3jhz?y)y2W`Nr4FKJ;xW$?NDgU0;#|EHGn&t%vZSK z)6;%rHb)g5j&73`wPqLcfbuOp1fKCaY(r^Fbr?bB(hGctvMOw>*_yKT%&dX1o6r-5 znc2A+Z8v3{l~AroS`j0GoM_DMRP-uqqR7ly+5z0`XXyb1)-0FT9MOhv=E5PW8IjdoKVpM8ZanaeS z$mk~_E&=BeJzW%Ckg;XWbxTLp^AhkA1n=v8pDW@cHt;Pbh0L0lT)gDp3Z z7DOt13i}ESbHmyk!i-Htm{D^2;2%!-mC!_p9j&wd)Bw5&e#=Wa4*l4FRKm)O zGYm{s0SC^Av4VBUssUkzm)W-d5B?5f`dQ*F+A@s#Wc&!%EPYt&2}7P?Th#6}vq;() z*LjUPCN4kZ(fZ!^-Jwl*U#8j^rn=&E)Pb`>NtHO?R<*rfv~tArTxVHLBx`RhQKCFp z{OcLU9La%CKIQ_ip8FnhP&F@V$*EJgb!w6)Ahu1Gqu)yZNSfLElT6-c@V}|pL?50V`PWvziNAp_kc9>JC%^`-pYtHO+aC?5(Avp1= zj(J&^*MzCoP;GZ*iIF;L470wYZ7f#E-Px)tXyJ~z)A8*$*+~NE2}){aTdS|p_2e3%|pIWBr>-qQuicR9Jn1u>lxrA3OchuK0!@&;Li>SB6!!b&V>55(W)|gaJr{ z(zOvm5J~AqknV1_TS25zB&0){y^-z^2?6QuX4Bny*Y*f{IO2KV@4LV5{ll{!_F8j} zIcknM#+YNQq)!*Sz6g-&L@|0cRh!Dw_rPazvs%7tL;H#gL2)bRynq!~LZh4;lueyi zuf1I~;Nc+A%H?Siz~yFn#21UlLmVV?+ifLxD$U9XxPH^Q;n(TJAGe(qq>`K1!`OJc`#Szfi?yvjs_ z-z85wovwh(tF!yP(0Uj0AnjC4GzK#z|w7ZqUA!`A9$ 
zhN&r_Ek-0i5x9p|>zoO0Htq9nQBT8@VeIVZVd$T0QGJ@ zjKHGX*S#AhFQ@A_l7(*#HV<0ntldeM32NS3DhGMj)tG3v-q?6-Oz8F4MgCJ_spZ~i z*P45heCSk7flWGQYqJoN@SF;B;hNUL^ia*mCHZf9YcdkCCG&j}id3L7C5_p&@ytRa zMgh5Jtde`r;C=R;(Rx~1-B@1;wLRGu)K#Le1^Q?rR!6O@Ex!8W$@atfwQ1)XJt0>u-C^Ef58|awaVIV94V1Rcd871Zx}}m`r&t&7 zNdKO_%4#DanCmxFADCBj=~5Npu@g~q8!I3n*=aQ4!?NtH*Z?`&qIde~@{k~8@!?_% zojBGsR!?~|ag>}+FZH!9tiS}$PGPypr$NtL0+%ffXh@+#BK^wDuFRnPRcB@Jy~I#p9i zp|S>2hmwI@uc3Hz`DTLh`3;39={6Eqmi7(D^>`3AsPGF7(7cE_;u6PC{rLScMi&Wt zI%RA!I3!9kN=1Wim!8eS{mxWI4fAT3dp~hZDv`(dg2! z6u4T~`+{6%9Mp(aA9AvIMOwZ?wXqpqXtmlRFbJ-f%iKw1L$gXs*gGP-HW*zJun3Ow ztj_7R3cTMGNwyxs9>RB8&Fk|(0?b7#DLqRgG@n#*&^A5A#ct{~^p}`;?rvD7DQ4vi ziR|+F(3NAMm>C5Uc1Q+IH2d?ibmtnBDmVH|(rFphy6KiJiwopRNiaN;^Uk5XY6_fW z2yjXZcTA(o_6j*-qjv9@W@~rqiWfdsocrd5x8UHtV-A;C)7I|L(_XLb9bjdnVV2W4 zhGeemki$lIW4}VQhwre4un~;}*ssRDufy*+>43=^O~jrh%jo$%PUt1-!Erq4Mo<&-i!?2RoWTht*e2vUruH)ydWik9nn<` z+b~#?%aznBVD%^4KcdgmSZIG5>}pfqYam7yX)l@ucyg=?IW@ukVTkJ+|%>Isa+A-A^I19fxnLdf>nY2!F+n>TX_F4D!l(s8_>` zl_b-?1~RG{Xj`IS&kyR34G0|i0O)7kr7#=GgyuCF|A|}aTZ7iK9T|6AW)2s9_ru9c z+3z&fAb2>(3%FDu|5lgeG;_SDz@#FF3|PB7g+vIxMO@!>4p84(7?i1V7TkSUI8G^+ zs)R}PVB~1GwVCG7uvD7jYgS@CY~i_tTWV;P{T3{Lmsx&qg-T4+kI&Xv?xk2`;FXKx z7ih`$GjLQ=t0xPb;C}NwDV8&%xBW#Z#rYDZtS02&-IXPSj=Gfq8U8(;4U^mJ19JmA z%{73tr=4g0`duy?i=s5G7GcVj^+h%AcXl9rINLjK6@S{(lF9P=1s+TZ5>lmssNtFS zM$pt1?~xpnjjsE1W-t+LY*cPQK*Q$T5PD0x*~Si132-hHl)FjcDjUr>)D{t-RGz1- zrEjbrj+bsQusYcgs2A57UPKX_nz!N;S-tB$_YDv_crHWFs@vh~_#KV9v&P%Aic4g=^UliHdTLU!PE0Mdq0 z7svRa(BRS= zu@8^chZ?RLRu#4s3zDHpZ}>sC25}oC_fj=%KOH7LdplPs%j+8(57emA#|DDC;z-^q z|73P^AlE(`r|yd0)y5{ZAn}ds^<7>!RO&uSH(zY-mg3u(_!%KUh|OhIB>5XU)ymlS zIag8`mETJ>$T0=Q)O$^)leZA~0GuZ%BlMC#Iv1pVO9V)sP!y}I0kR|X$QtGNl;J?l zt_HP+doA0_;w#jYDp>NDNrW>kwU{-krn++WR|Q|0mNX2y6GIJv6V&W*?sRtqeY?t(~PR zU`6+E!=t8uyMEDQsbNw0EoytU0g#xRUSN@##`~o!#L{+Un)AIGch_oma~82tH!W92 zmxA+QYf<{^8glIqmH0UOulyB`&!o`wp7TEhK0dX93Y|NlDsxEyU4D z8E60|&rqX$;!Z{+>-}@5{pG)!1(?g#67q_=DCXFvoSy@GfKKitc!Jm}%F;m_2K}s` 
zcbDB$@H~cmBehYqh$xR-TwFfHw1)?~$kAcP0|j!(Gx2B^6p1tX4p`@V?rl8@rmL$e za9s?e^~1It0z8;XVr=a2{ycZL7p4)#yPeo-lcFF-_OkiTMSr{=_f?v?c7N*k(RgU} zX8JyTtWAEoTjAXvc@;D&!C_Wg4E%P&2No3ni@<5FHLC~ zQisvC2JLs=l0PY9RmZzRv7Pmj&o^jWR{Ov!p6>#!fR&M~6CRF>Do+s&Y3!R0#bhQL2Pm@7HS}r^IdfDD$TEP`LUOBy12l@tyveoSrjYNCK z^8MBMgSZvt;ZlvOJ{-#$o{QDJWzizq*ILN=2YGR;T@r*Ca!~d zeKHaR|Aq;jTQSJ~I!5qs+oZYp^%lNpV(#;741DBAKbesK&h0< zM4IzlH$$qVU0wCMvId?0UCc?^OUK!EtMH(vo6$-n=B1 z9RGlGTZ@S}Fs)!Z_!Ey>c&VuB)aJtl!0b%1?pIAG%)A%lMLgHw-)a|ce`ni9_afM*oS=-OvxXkzP&VJwQo8z{zpE_!;kf?s@#>hh&ZEjc)Er+U7QMEl z-Xr5kcL9M(mUqBaE8@pE8YkLTGXQP>aI0L>buE1O4p3SA38GFom71DbogUxXhl#-G z{Rwj6n$?r{e-3}Fd(J^dg)7hpok!p6D~^V_Ny}d@GVaYfU*WZHaE1NR%W{e*!Izgu ziC~3OM0VkF+u3pAXzhr4^IkoA`>Uf7(*I|w6;x6+_RW!^X1uUYWPc@!dm97@_oXioXinM-OZWy*YsTD{DU2tuP{mA6t@=+zF5&ujT$tquLuJj_14g(Jy>)u?vspn!wor?WN_uEg* z_}QCn@(HTBhH};Akuo_7eO9yqxy|l3lwGm!D6i<~eD*h^d&oKiw=L__eOBzMfr{~k2S4eu3!G_oy*2g`c}rV?pu-ja zIz%jG{;-jKSnP1w1JqG|j`Ua-f4}`Ed%eIDc6XCD#PE!eWoEi#oQ0GVp!p5`9>qY` z*kgi%Dmh+WUcAqteH4dTb1A!tZlAm~$fyjh_^fS^?oqMH^rH}{#ykPFbLa`l@eUTW z*lf&pD&;d!-dP(2%Ovtb}-;gPOrY zmK3N0W;58^nSn|D?30?xs|n$_2gL-#2a9%lJDKpt#U$bh_!0);Acq>1@o0Xxa4ubO zvB{qUQA};oNFJ?S9t&zM2ozR&2=7JD8D#N%3Jq-qyRNJDSYh_l?<7Y<3S57c=q^ z5cn4>zg7mZ3@twHJqQ2~19I8PNLnv+xG^x3x->XA*sIh=s27_(w(AA6g=xpLMThVA z*abT=>Zg+xtF&iHhd0+kllY=N`qFz#rHV;1YzFouEZm#2rrt!m913t6-uSyYiJ;Wo zhnjG1pd6Y;|2yuSw7EAQfocNJN4txyY7seo)(k)e;9>i5-wB{t_}9aQa+Y(zrLiWK z^KBP%UPGQ`NVX(g-w#GT%-sx{DQ-8pbsmGNn&nz8Zt) zY2f1)3TVf=Ds8V`&s=BFAx~p&9B9%3s6_i*K*1ApjV9X=c7G=Tv&Ev#=JQJwrLwUY zjywF;2Vn$b(*?;IFWDO{d?qyJ-ehjXXL{YQastfFpv*9;XVLo{S5x2Jl~%!`YRufJ z3kiKfPNk9QlFi(k9UBTQkQmlsyXtby*J2#de;nb(QzG;Fw1K-f9`40D2qmr=xF@9U zr;4U=fyMwg0!X1xA<|+Y_uC4d6>mta%hQsw0tG85`90Y>S?!44HGHjP3!#XH-KPxo zt>{!i84bNVt#S^Y@!5*TFwl}=a||&7PGFxMgqYZ=J7qYl)ea<4Oc1-3HpS7Tuj@5>V3)s_W?iWG$s;u*zEA`9wpYS8K9e=1GS%B6&lKc+-Xir z{Ga!@8*j!Otz6Hx-D#xC+}1y%_VZtg1vtE5Gb*jQ%fKX&sAz59$57vye#cbr8PCE# zC5gvn(kbBylQp^j9D8P`QpPv%lV}_htty6Ggf-vfZOU6Re1O?4b9HwSISf`hP4hV- 
zI>fiRi2!7=%-P5BKAy1NgV237a9Pa3ozQ?cI?yt(Kp{Gy+TO_cE~pxB6>oJsIv-QR zsYweioT(@sUFPBD;<`vgb!2-bw=SnEOQ+%Dd@W>X|H!Mfps&;q8XsE4OlgUGJHI)T zSAnI;AMDxzkG`2({mt?+n%rRa$W+K+V2kTl51c{e^QmjlwAI4>)dmw8TQV-%3m1im z1bnoby+QKBYse9sbnZPprKlVI0SoHe`_}6CjOqiD0dq~B8>5R9@>eXZ4^;nYV(6fX z$o93nn0$x@+Q1>dW;%bMRT2ucLSyXeY_kOtVX7Oy8`$4fr=~foo9pfR5y8sTKW~x` zV$zvJ1t_WT0|{v<$8yG~u`YY|b}*1(tBa;5r6!d<)~B$Dq*0hc%ft0>=CsiL>OW-^ zkt$X54XyQkJTkb+IrF2Dznb@I8;|eXP;sMOB*9`bqO=~oeB>8?<$aNpXqbb9Y9v%U z%iU7tW9H1%WubVJR3I;VRaE$uF%OsmCwf=CPk@EdVnC#z}Ut>PsV$-Da8ygUDAp;i#z#q zfz}i`B=d}i5z5@i0+)Zm;szF??kemR8V=>eW;+_h5%ost#LV3Q6GxD~8Pb|-$IuEZSJ4(b&)d1xLGD8pQ_%N|*@hI$-|jb0NCerV|CKMld3$-x zn^9gc8e8o#9X>YYln_H}a#frJk8&EBXWbp5z^@Gi&`IdhR-MOMg45)<)@p6h(yrA! z&^5tUBM@j|SWx+S3cfGfAmRrla|y{%P8BWMpPhsfD(m!Jt5&fE8TzJ4&uzQjxtp%j zY}BaD1gA$>C+Fo~ih6ctzCspgwxC~Xd_`LL7dVb+`%61ur3`PsDDb8@2?^illS*h1 zzuU`SK{l#iuUy$KA3iF6z57Lp4+7L8pS&8%Wn*XxrsV<>8qw?1e>Q3O^R^D`2NxkP z1Z_6tX9E>wqa6=AZdF~r87T6pPth1pv@u`cOOiO3_i-(NN0Z%mK@8=FR+lpk<-#}f zr1!!Jtm3;2-ba@xsti(%W_*iUkh+Y>J5MOYbCOp|e`rdyal=le$nE#nna@E~kvt|g z+s^p)L~;IY4Unr;F`^+&vTt!;RY={8nXN(OBxPxSemMa!T7&o;aLo@Y%hXi?^jiYi z@tkoLAGi^?OvyjlK3aP8{5Xx`r`dJJE(vG=9td!UsrcRPPEy*t1wiM`J9lk5#S}8s z5$!oB^r9Se<)J+ZRFGN3btXiUCm1zORBAodKezkiDaaoICqzZINvQVfCSe?5gPt)jP`r>`|H2c zB1nh}h@ce%Vaf+Bn0FtH04han{qxxau)M6e>1+P-pBGF1i&>AE<^&nB56-R3wDbsP zo&M!du>ae;R}k%yZW3Dj%pp5_RVQbRf0^+0MZop?P@Aj{=|A;|{L6p{kXYP+;Kggr zDzyKcZvVD+OhO{yHtbbjmpd5$1ylYTtSy+ptuo@5SX9T1|DU4m4~W;)#{{bVvuwVl z`@>7ejPh>)9t#COqL{M@>Z6GN3jiL^4f%hbNw<%Bi;pxp=eRVMhsCcVzvFik(RzyJ z7yG7$LLV!i(!v9a)hGD1#*ooMfc>D6iN$i)Y-yloX9A%vTmm+8z3P_^B2jWye!5DL0yMPOWUm7;c}Do6uafMpJ47WFH_z|^f96y=t+&?3 z_ngZ!;0{+W?Uw94d~wo#@NW-&x5%CQ@E=9~u4DJ<#;s?+v-^;LI|tMhuXOe+f9eQ( z{MG*_z_bV8#L5dbQ(!=tlHMB6&U%QF^#F&^8B%V>cHzl0o$M2ezD6U6+ zZe(re(X2~fEE{x3-@0(;C%Iy}k*|_0@nD^fV<%AlEB^65=PiB_y%S4?&ej{caX^-^r z%=8lykk19oY0mSb?NQu17sY;p$Ipnm->6M}<;qs2i0|8Dx`!jJxRV|2beD44##8@>e1pCp0{wI`w{XT66Nv_C+QyuUigwCT8&?OXeRo$l^2E{X&rw6ax*!MUkAqZ=br|VmbaDvWZ?5;>;6x0879M 
zy$reE%#*$R2?)R2juv^U#v*qK8gkcxb0mO3pai8u3}b->5}zMy20>znqqi-ueQrPG&es(@jg!B4ZW76fRLo#I_kFM{ zPlAjD?Qoa!34E52VZCyN>JTT?s9mjVuonT>7@Ng&15kPA2>aGT#z!zOR>;+N$=NPdhFYY{jnf18V+akF)ifVfzb5*YzTpH?Q`WBrO|+Kd=%0F@2~p z!i39cMu z`+%CX_*xRK#uQfP1nV&de^BpubxfVWXjsoYlihY4* zQvL|gOnxKFuYZpG=lA~sAOfvSxj=X7q|F_6r!#PQYSP~h!vCTI70_E)H-^qc#t8}k z^pKeMVtJ;6?@0G|eYF4cWfI;bcjkKeh4_EBq7HmazQ{iK@cjRdOt+EUB!$iG&oZLU zz~`yOhV~&OlXfbq~<~%}B@D zlo`aiGbzGSRI<5Y;b zK^+xO0&?Xc;k3L%!spCUdUUWP*`6dBogN#>14FKSjLvvWgHn3Ta{I1}l4;qV8jmy_ zXA)*rn*YSE$KRcLr{WHJ)$q2$tEAj7Z^ZbYUnq)2i?;ou#B}k;D)@Ps@O+BQ~hE${0|@jCXQ(UlyC7q^7S)}_x}(!&0D}QR8RXe&tS;^5YcK3 zfGs^q^>z7wHw+Fnpnc!=`3e2caPs4;X-i;3VE{dNeQY!Q3wxYF|4Xj@AUzWgk1CfN1On9QlE?lt!2D)tz`3Gp=iZ4G_`4P0Ff7*) zo4qHs+FhSXn1lXuPWv5lAw$@Jq(Rqoa{eS~l&T}S-RiWwiS?_KoEG0- zXZjsO^cJ1f)S4rXp5O4=lFZUT`1d+M|o%Vi9LH&#h>Rvkt{SKK-Sopz} z%9$k*gDItj1r4)f^txhgyKFLdFJ1k(zK_#89xcPQ`?UPqHy%`Lb-;D9R^#^zr=Ej| zwyY0>$uT0MuDm*y`lR;hEW2fED&3*fzqClvlYA z`g;oYQDWX~zjm006Wg9=lY0Aj8zaN03bCysu&o*|Kav#%4zUK!uLP1^oa@D*zJR%6 zQq_U?D*{)M8TR7eA37U|V#TzasF)hcw3N~p<){aah}`K{Va2G#@5_NTG1huMq!PL-mTl-Yrg<-#S87qz`4)(%j~FPdHe}u zDI+t_qc7I}IDhX-k(UkJcI|FM46Uj4y?0UDg~ku}ldMaFPF8sGFpl%aE9qs@`28IA zA8?UNlBd?!E-4e8N7?}>u)`4is}|B!MOu?+rio%8Q6R8AIq}`adUMWjzbOH+Tz)+i zKQd4hf)^YyN86v0{uArt*r5*cqF7!(Dadsjv)rh9Nfnqh9@vM3!xg_X{xSDjUD8@l#p$;xmQQ2;*m42`J)lav=@z)%AIenS_{9b?Hi8ygW3YQ)mR1mnbc<7{21KNix zK_b8I7gRH0A%S_oxBSKkPl$EXTxs)sz$1i8h{OVTTNE&i=@(SDbKcjA{sQ!OKr0H6 zhjNWoi~B#EOo;+n;~S`~VWVIY0yJ{cS5G$aU%sN081WxwwWzhc^W&ctvIGVEpG#9* z(GVwI65O70FxX(}!i5V4iv#JGbH9Ue0vh6>1q)(VT7G+Q_Wkjc3%9<_lD)pUixBJk_y&XEKG{C-5o8AUUynSg6f+xx)rpbdeJS0D}vc zt2a^f`0ek~`E6B08Rx>n-D7SO(;S*1EK<_c*T2iVGZ7dxVqg;ibbu9U2w{|5Nyj2@ zDMf1L+cW<1xiOqQW0Z~UpPMvcaRqgfuZxD$2|aTtnby*~^72_BDdbEhG-7Qx{;7-p zVlZGQd^0k$I9M!I6a%= z6V1MyF?~H}%Kj@*d$&O*F71<7^p#`guN~?(hILwl*iKnD+IaeG_CyDJW}TTd{r-Sz zvRxV)Ts{Ynax(p5Vtg7OCoJ>hp&ALu9-~%O%7d9FT}=nfqI0PX$7Bn<$pk*!X8~T2 z_Tby-kZD)ai)1w{MERRU@W(_VL6IfLiMilSk^N0y=Dg2A*ih$zG@Vi)H!^`Y#ZkFl 
z`=1-a-%uZh{pN+iJ{0W2J??YAt=AQbQo$pf^irW_k3>%-6TK z|8nF-+A4c#@SXB-wLFH%zf1z;IOxcAVZwf0{009U62e*eovBIWcuho}U-&a?vEYWX znJ6O;*OO*P<4<1RenSM_8y44?qId3FX6ZYYt`-%fl?GiNb>I{{L{!jv0xkl*{F3N7 zL_DPTg5Qt+ybOs>65eoUQBb2oS`O74rqO+O(3!sWl65yw18ECqA#%IS1X(0o)+XD;I z#+QGi|Id|(g}xY>ag*l8g!rM~;4mlW-J8$8;*S;EZq>}2KWh6MJ#-=?hzH0a0{&<# z1IjZ10ip;mlSrs+&mrO5G6z&_4siGJbuAGgAwu(+{Rf072ey^HIp;8hMfel!pXi(h z7GO}TZzHBDfO5-zcTVG|C`FqAa6b!8{a;U|og0#mg6LI) z$PLdYcwYi+O!CS=af&*8`G4``@`HfG-{x8`EBhIfFiD*M+-`x?7s*e6dimP5Bp_pl zQmC_Cw-31R&;}$QhV^!^{T8RkivYIYB!GWh9JR#H2ppmMDDW>^m%QAhV%qsG?}+9O zi2YUOmFLI|aQ{Vy$LL?CV6s6tdKU}XtWr<6UVp@HH(uB#jk{i*rK9F z#{(aw?)_CFew2ZPa-KK~SQ-GE(YpU%H zT%O@Lzi=EXoTh~EI&FTuE$rt*_;mm6D4>Jea}3%a(QTb_n@^yjMopzCK8j&S9&7k| z%en}BbQpY*&b|*j#P@jL_&rE1_>c>iu6_j4$mMoZr_Ldqslg0tVTqE_L&4fUNjRhJ zE7QFpKlB0+zikGtIwc{Tv`hpRZnZC@Ks7n-&A- zyVqme?FU7<*S_6v2Ux1D;)VYe6^m^8KZ{2Va0BKEW8~$iu1y>{scWP>iq!ma#m@KC z_i!EVb&woev@Pc$+mqSJLK`xp?YBr8{s? zi-F|0oac4#hQbT5&Iqgi04}B$B{fK5EfMfn5-_NS<{JuxphZjE&3|<)cwAJNcoN=y z;bvt@IrXQ)%;fg7MC2_Gk)(TB`1GBDQtdKslC^Dd^)o<4@8Yp9^_f1ye7~p5F{@46 zK(^=elS@}>h=tN9tqYfD+$^~X&p_NX!+AW(;yGu+D-cJ>b_MfdJK`ol(5D&23rU@> zdW~U0!SpJ@y5B;j)h14?^E1>Qst@3fAraC#Irp5}8$yWyoh>uY6Rxv`Ay~muR+vY` z0_CgaCGxk;O}2GhEQIH!aUc9t!9Uf-@zQ|*@RK35(@GudDNEtx6{$NdqRTA1Z=pH90&fl)%97G-P?=Dnl>wY@}6wMn*PFst3 zJR}~`YG~HQ{B9BmNn$Y@DlsKXT{-5Z-|bxpG=-o89=sV(=Cd4uEz}U8aAc;8+FZyv z$YWd%grM#3thq~2t=!;X`7?fYg#i3$G<|e93qO=77cX7}bZJ|?E^?6?`6Aq^iIWNu zw?&-o`#p@D&sg#?W3}7{wg+CzxXZ^9dqUkG4>?aXyV8{q0T%-WyWN}onlDjqnIkl~ z0!>8C!HuP}nB!!e7K!uGg84Es8fQQfa|yW#bhN*org0#;(N4;t@LGf%`IagdU_*=Q zv?rUUR;J9IW&0dsg^M2W(-}NFI73@N7;r+FwI3BB%u2wHM3E|vmisCI^7NL9+UMHG>)nO z8`Vn2jGl#{6;#w1KjG%GGidb7u#iJs{e8Kq15UH-Gs7iA*vS{A05dT%uF^m$O`acN z&p(|{`ja3{%Ryc-&P#5Y7E zF1Tc`)L=ob`+0X&rNz3w0)VjfG9dV}6#el2X*xNIjOcHIk~Mhj$rt*I^{SHLO)3Gp zO?5$a z=U_zhuWu54K}Itkuy*QO{nAL~zqy|6MAKbq!ahLp!trS}kl~XU2Ux1IJabdOq~9P| zj8bW2bfLd(c-Ugi&1VdBFcL!LpAFAcn`xTM;N239B!$wxt! 
za@yO!{`(+rVi-SiRoSP*)jUb3LA{G8&3&-G4_84OW_%r+evwCcfwm?dc0*PTbt47~ zpzUbhFok=* zL$`1A)n0qkrLjy_XwiCB;=|;|b+z(FE6JtDEB4lKzx5;IlG5?oG*H=hzj;d}5>oP@ zgSyWj92PO9NS8D?q~ zhLT59DRFYafCOoZ0_hPFp6$l(PKir}AckNMOKSR~0;_a-q-1Gon*$R&aS^#Tj-d?K z%-b%TeRFN8ouymPDikBr_Jr_yBm39N8`su|O;cq(p{8?)ZU2CQ{6*iA9>R%unw9_h z55yGLe&18gpxuSo%EPvr3MP>zullaIsWKDo8%Xbg*KDwZiF%%dkvjQ}r5<~$q9c#3 zMB<|{VuM3YjPPNHcli;~a_01g@W{QPljVqoV`sBGK1F~R70Bp<%j;c?P-2DU9IgQ% zqF?RG0=q;9w_m-e44|HPVN|8VluUlB+&l>a3yMFKM%5miFy7CG79n zVF%_grM^)I&kQ63+KX?s)FN@Y2>7qKJ=7ZU1xoRPhd<~LJe)G{0c91GMMCgV>FgWyofJg z+S)n=Xsu}e@eJCfa?Wt9Q+5DT9g<$NMu5B;*DmpeIgebkB^me5hoDch?^vuhuWuBK z?d~N*d!L`uTC*YOBL5Tz&iP^mvIZsv1x%iaX6Z8nkH zZXsEA*%wnUBgZECy4cEhPydJsaKOu_FFC!NP>N{Itm09V`YOv}x-8D{7KQ`zb4AJC z>e*sZo$B_;LG|bM!Zm`#jr_r&vBEMTDeK0f&+C!JOCsF)W>5_^;O?*!dtw3s+YzMp zQZ}CgOg*q)fzF42E}D zTu2TrpGqu?jP?w|;5eG(>%!K5G~y+xuBNziKQ-L+XeTdcrp(t}Z7>{KY_7BhhCl6j zi-%x9CIi6E3VgIwaf%!HLFj^Vt#O+(bgE$lJWx}xBmSz7l!@$vMhv$_TGTQ5Ewc^I z)Z|Bmn}8gqxrwc9g6Yy~l<_s8!&H^2jHEmPer1jm6RF8k#dnjC=IX8_R(Nwnd)yD{ z%bPAqcv+fDu8u?AvH@sAHL%y^fZrQ6K+@@w+2+UCcr&mmQK#%2Evjv+x$tEQ0UZx@ z!krymMqhB%^Ab*KDX1c6Yqw6)qI=1lb=SB1ZSU+P)hEYFn8m9~WxxZT9J;bTzBI8G zye2!+hXlEx%_`5?Wa$2UTJ#gu3LNI>Kz31L^@%~FKo^s|XUau@ka_{OvqUS7S>I{2 z=poNuc%3V(B=^)kr$`N1>h}C~IgPpgOu8P2?Uutld1qgydEtx_t}T0ueHW)_QCb;` zjgB5lq$JQ_Rv~tnuVIPVXm2EnYzu4&dl0eLwW4Birv6d z#Rr?;x7@v=HJ~vwo~9(jU3-i1@>1ujFx?tVNPDu|-tvWh^e?4Y{0G~3M(sNdj5Jp$ z{W%KQ0f0jV&!6vjTxF+!T5S?XG5;5W35$7n}EbS@&P@O(U;SJRIlP`^tT& z7=jnMH@y^Y=bX`UtIKS6v8J*i-d;9>zhIQ`{BS5HaKVCKpcuD_x8@-X|- zzWRpAqLpf(ifc*X)7X0gE)Mj&o>nr}CS6N16VgtMH=Lh=i$KMRwU&$>WEs1BQ>zsq z(_qVS>mIj*uhUFO!8)nMZbuhX(Pn9}AAk0yf@uj}3!X zteyaoSpIB41{+0t{Z2~(lLQ3S;1O!Jw0FR4+vLvC8hEj!l}vzbHlua7TIpO?a*(@$ zcJ!s}76W7*ZBrfkE>Mw`@MI=^KOYS&SPnuzm)751t@`DTF;Ol&%PUE+ZqdJW2C~YbK4A_A0cUNONDru-?<6M=uU+ zWG7Z8VU5rjrpY_sv6J)Ji=xX3BS?o1-xPR`<(e+f<8w~V#k->4L20sXI=_rn1;qk> zn|s!dcgNKReimVc7Xk`dvX> zktxj;)LK4m1MN~f*!Dzc!h>bq8tmG`J`HdJ(*&VQ)xl;DPWRMdiNO?MqbUyLYeAGZ 
zQiq4DQ_QEdIu^Pc9fa~MP8rp?N(Wo~p;uu2OtXFIZb`%Wah3;N*C;mq*ND1pl$_@4 zgwYi=LN}nmAtDA3VgNNZR`~}qA(SkE=s$p_yjZPCLpdpF`EmgP2Z`dsf)z^}mH zjV^m3`N9R?@^MRhdk(-6!M$fY6bp;=hn#Vofvlhke*Gl9oRfEiiu_11B~K1X7zGlC zdI?{yEo~D^`wh8*y2?BE2e+A&hi?(?OcHmq;qgER*=w+GcEo*}ulHt18Fa3ii}c?& zuG%YM*SXm@*}zcWpAg>=H)bT=*@OBH55O@04s%R!S(Q1u+*H z!aYUbv4`07nyVq>tqEAC9a&oobr|aTv!hA`x$DP2)l`3z*Jno+-R+WCKr~&tWpcx2 zI<$6^E;Ov0p)obz){+#9hn~xJ$bL3NNRg@17c1Q;S11(L8K6H@D#dGx{FZ%kTfUop z?Z#S)kJ06|y18=4r5vv2zOq|65q3)*rZVeAbRDV%lK3O^=#L2&+Uq6*O?qI3F06aK zAkyyHQu(8$m&v4RvMvR55gL)*+9)7Bcyu-sJ>&MfSF>e^Lz5J6H$|Co>>sB&z>!6( z09G$pu*CIoQ`z2Z>Vu$M)YeV~3tvs0 z`S9+_v~&RLx1G6^=xN$v#fD5<%UFDA*J6bDnKFd7jTZD^bt;{~I?|I_boNAW)*Iu} z)_z*#lAvNLlbw~Xvn9S43E_Fk^*Zq`b4%{Cn>wG{L!ZcgB-tOZ396l?>rm;?QiV2A zWn>iCvAOQ~mB>+r_`-)cdmn%HPJX9k>xyBUM%RS#IK*VQzNi#ME+pQ6H)i8Gao)X* zER%8dwDP67e1D@@*Taqes$2&+?`<$?ZFBhc)&q5K?O>EIwgL++0qW>I z`sMeq+<#;r@W)U<5(r=-D?MvHu(kuz!NS|sx0R8x2&w1U1NRShGElA; zZWatTPsy?5XB=n@Ke2-2T{396F~0BWdLSM&7iVi};fpI*>1)A)ey@9Tk`>`|kO9p7 z!BQtXA|SbrL^R!hfuUgJ<-EV1Zjh!KFtMhDR2&u(#l@dGbr!^zVA&$rX9Oc;>QA z{qk+@IBbEo@+~o}&_K|pM3jRDBMlz~ddtmbCfet6(<8j@l7;bt%#yp?inwuC!aGr( zrT48UXxNSI3%4)}yxWjN9}mTv2do{>=2C5!RtNucMh82nOZI}^Mq^FB>#Z|pSFa1wWy zlT|dHRDXkMVB)&cPxm)UnlAF*c&4;@|4!cZCm3^aJ3`>KVb0Yj z&BWJhN~QMhbHG|{iTrf@HukC_8eXF^d4hWv4X?ATA zLz?Vmza(Rg>;on(HxVCCn9JRrcKUE)c_v>eW0Sp&aev$zBdX zFCS%^ASVYuzxfd`k9qC73CGvUc>|i#c6?YXGaMkrJ#4AcQ|@dHG=rVZR01+O=X3i_ z3yfqr?p3}6Zx9S8yE&{0croWC(pM)^A3ddT5(DiQsP1XlIj`5W+D*Q1gx@ZN@#FbVCV zJL*k*luep$JNy?=XpYm}VsF|)i52eWmRF272o<)oR!Z;p6>JVs7iH9H zMGy%3eKM2fEX)3wYB8XZ`?<-nJhNoDAf*7?*v(B_wX;k7btkj$WZ^Waf7uw(VSmOT zcWOWCbH=*G&n3}hnHI=PM&PpAxdPL*%2aX;V~Xdzv(qW7OK}CH2!DJI4HLAJ z#Q4{=s=wR|QVdd8Zuqfs5X!L}9r}g0`)U;M@Rsl%sXT5FHrHBsrLx#4@TuF+-ua-x zi1t8ztJhyX)p^SOL7Gbj;B=FYt-G{Db^!XC)-N28#b>XqMnFkcYB|B4EZ<#i#cHoo zoUWiQywMdmn;EUn&Qbr#R$YhT+R<~MYr`fXa17!dG(az z<9KVCPOd0wzU+sp*hxx$6$e{Xq9dsXrAG->1{rEhP5Gr3yP zyYeyCdNF0%ghI#c1<6d8))Mb2Y0@|~8S7~@HBu{@Fa=qVFDI_MQ-)f8Y`k`9d5ox* 
z?ALD?QSz5$Y)$izN^+Z_itSMrn@207p$#YeW&fL6sdEaqGq0e7%<`~izT&w0@Q9y>Uh}l*s zVH=D`lYMQeNd#p}3nK>BoTOhiUQwl9fM0>ieJSBnR+2wjgV_!fXUDio)9&rOB`ER7 z1gq~=Gulni!({gxG2YhJY-k7u^h4YMk@||Y95lvx7ysAn>@UyHM)#`4w=#ECJ|+=H*&Ox1XVx=~mvnE>Wh+`p+VO}3Y17^iK* zd?=Yws#~>)l{FB8qP^BPmM&m8FVn>rp#Zv%;?RkQb>UzBZ#Fnc~LVIAAZ$ zP%fqHrl5&7LPRY9MYz?*`yz!3W2hr)OMDTAjjfh!fB- zDKOJv^ViMyJ@gjH+33X4?yob(dbwA*+aP@9=G5-GS=l{92f8;>n)cSILPB+M{JQaT z_iJ$BY#H@h>q=nthN+fmMWJp%_2{)GrGWf`EaP@Nc6pj;^<65XN2*qxByp9`i~A)> ziCiS*{Vg2u2N;Z)qnMhC$tpQWg+4Fsx)NW{P+oakdCpok)Ffe2PTCheD?|5yrM@W=9bC5-xH{~nfwMKTUOZdGnO!X_12F>w-dLMs@O3OuvUCB6!yPWozKln%Z zP16$jmLj1)D)uA1c2t^2$vHurf%M_+t+5L2@NNRIw>IqoYad%`2=MbRlYul4wdFpl ze0%hedx_Y$cLcexrvV6ITu@r6`G$V>5 zH5*MGQ$m`;w!xpxpUYC3JcG}T-LTezp-07BJ-(j7U#A>3=(M_7;!(1-3Ygd0``P_*#y-jn0Rx+U-NnG|LPgouoIc47PS^s| zH;iJwsDl#dwP<{oLjK(U!`@p*MY+8Jql%y?A|jlKFC-~n#W!T63CUBk0W^p=W01E4tbr`a}EdEL?y0JLI+UkDcl4CfA{?O zqYg|W6N`HC&8YOPJ%5o>CCN`Apg-mju|8NtSYcW&N1md0#1P%tRlo|DJpsD_Xn2WI z;>9`-q6;yFga~Sj{A4W{jSJzyikqGDP0g~x)2B3C@;_pHIIp8XB1MnY%$l&oJ``?T zJh8OqrPh0BJ1@B@)AF9pxuUM+8Ec36+_f-8;eNq`16p1r4vfZs4Qr)DXywH7v=$^D zCh_D;NnO{cODV*(OR1TK#sznK%9zi!_IYVmKi`Om6TH~0rKr^1+cy;GWhUESP?_ea zlw8DkEI^oCW6er5N~5~5R0NoJ+42{YAZ_m|1D2PHMHk@d%*%KWu1EGByp6L>j4 zM^C#hrU8d6HJJo1i-MCx)cMILaN`DSEg7#uLs*sPQ!zd+Yh~SSn~3Jg529f#h3gqh z`Q%T0a06$gxHdPTp~pX3*4!us5d%MdmPhMg{$ossirvh|f#Dl}kJJXO;W>L3T7Pz8 z|AZnH2whG#fly@cC&%858&Xx>AVeAU6wh}ia#AZB+}DN)VNoJZye~#iAoh5DsQhN9 ziHb#umv%(#x|*81!&pjKba^8fMkFM|vi#CJRbTaOUSRwsxk9m`S#W0*>etHOorcV; zC6H?u_W5HBby>K-AE%mL(Q0$d<;%*Bej|G*9=E8Nx$tm@ibZ{%K%7m7r3JrcM9U=W zf|AU^eANck%{qCj5w(I(-p1SR3B*fo>heu?TDQycCYvVBM#lObqTsIj+!aM_VT-sz z^vB=~s+P^;C+N=chtr}*zLRpghpebvTAxadoq)y4B33{O?wW5$FVn3-m=QZx6-uSh z@#aSt-yZiu#I-1Hp88yc0a$ABIdSYLA!!(9fFqyX$LzSr`5^jAMH@G2C|O9C5YR5m z83mvLn=~hRhz`TdB6fpghJ-kc0LQa;fr(oFM0b%ktlim16Qm>qh&0( zz-F&N&ffLPSz@uPhJZ3Lbky*gpJuX5%BBgcr-wX6GA};C^(<>C+G;{)9Y*_p*Yx9= zV2Tb4O+6w)|0&G-P$!eMq-6-*t?tY_nG)x6+gA7ql{_{^K|qOE_CWS{UZ!36Dc$A| 
z-Pzn|FJuv&ZN5#qnd&`V8rPEAPOot$tP)DU=v#Z&ct889xkMZ6L+-kn<%7mPkh)Hf zwgAT)3pNwgWS2Oa-5ppuJDzjxuf5#8%!g1e(}=0qdY->4A1IAnVcmtX6Y~=ZZT``| z#?rFMkwU9WAZ(pnLb|Yt6hFeLdA3q&*#!~~FR}}`L%pzz6*h9_mz!7Bk{i1~q&oA= zOihS1`lD(X2*_)27j`3)DU>OhtY&-gadwJcb|oKt7JxdU6lgba#}jZ2tNPl?B%}&z z^(73=q-EB!d}WT_W=($s%meW}X_aw0ze>5BZTltd0g0_F1%j;0>=rg6z8w{Z#421d zulI#XzRGdDEYbY1){9Lx;dOgzP#oNp-XpfY_HmeZZ@YsQQ!)a^BJZ;Fa>+Zl;&rk+ z_2Y(){`JbGdalxr8Y8M)dMsr&5*PYJZu?LC$}8t*dn47xlVIAhHl2-uaaVipSqwQ| zai=hs;0o-W3(={~Jn4uYH`P5XHp_X2mwp{yKAH3>71T=rhar*&|CoFMC5B>J2<2s# z2O|g$*|xv4m8R4 z^pADO%KAvl^57078F7@1JwKjLnE%#>G2?9i^t8xcnC=cWmr0#;x$`(^wwqlqp{=YL zSo0*=421a7SRRvBg3$Kj(oPUa+p4%B?~)ov;G7||{XVc~URR3CV_w%O=954UZY0lK z?_IYOZ1J^hy;fq;5B0A-`LNXML4Eu$-VnXT3^T>nc3GNdgsF^Osoj3n%XSl$3+xNI zNA1FTy+a#Py0sk_rCd8~28+5lZXRF(_VQ^qfmT6yLphP_p-xIK)uP_N>B>4i4Cl>A zx@1@~RgW(UthAZI%`Hh;@!lpI^-nMQhShCbl`}f#QzD~vcLWC_ryy;DA@PrUr#~19 zKjNRmx;M2&9q>c;TsRlHYlZhSoLMovGfxd(FRU%I5g46{XpK~xjD+JuKHw6_lVqEG zfSV&M-Td+4%KdX@Vtmr2I;|TSFQz~SM!wp@-|*3uCc`lvs~3bncTb{}xNJ1Rb1|4_ z1!+^vWj8C!=V;=(h{}tK4(N>Vvut1H)H29;O>vp{U<>AKTQ25_sw-B!8BvbXBU=Q@ zO3UVUG7i^LN9wQT6fTA;equH5&WPicZw4ZsK3iboSw0UAU?SrE3{dKZW6q7_SyLz1v8Z`rUUR0(i)j@YGS%^<_DreK$Y%4;jh;OyxdCf~o!jk1n zo-0y)w2{)rY^_adT+(OhW`OzKdivpKgnk#`b4~ z^pBV7$IaryHRScp=gjq;`!hH^G?n>I6FN`4p`2Z0@6a>^Qdc_1%}}3wVKFT!8H{P4 zos4r*Ub<$k>5n*GAL0VcK=Wjf^VAVad}yc2@GBf_MZ)Rq*O43;PJ%8T#W@Lr9-)>- zjoVLK=j8(NTF$z`Vmp+*T`NK~uebOnx|N>Gy_`in>?S_)1Wp7Ie?{~(WFrN`S#qO+ zCwJ^H%P@O?r?v2)qlU8S>e?aaLLrLW@uIiEBp7#qd!#a?Lp7)b5uH6z#i$gD=#Ax- zvO&5Ju)K8ll>6+tB*`0U7KAai`c?)-9LA;vX%{GnxRQ#-|L)oPYtWC}hyh#FS9(s# zLc&HoYdjCWtz%{skapQxk$v^3!UF&Gakdks=dgIH@)l|EtJZ;IC@Ow3Bi&HNF8ew= zJ>vk$*4uzuw4gRagocdA!dn-Mm<(O@&I56?I)?0znE z7+1sXics6T3|1~IE~0Gt*hU70Hj}jk9Oe6YB2jkQFb6pPZ1;F5eNXxk*(3yPGfex6 zugVp7rmcj>6gud)Y8^$Z9OR@}@{=OHP(ZeoNWLj>fGi?biLo*{>=AU*c0G)Pt_Dk$9u{CBj1Ch=WQ zGaA$9`pku+@2FbHZ!Hpp8QAy4)tzx@%ZbzrPh>1fvdr{T^%~n0wx}vX<;Q?eoUe0ExH|zU@*A)8hji~`<@v3bn=FSV z-R{n8(pGVs8csAVP3~qI8q?WKD%2RJw<(nJV_CNnby8WJ4sA#f9?Oo$*J}tW)dapg 
zF_60H;AguxJ;qj!qQZSaCp&p_H4rzVLM)ZEPQayu&=ODmZ3xa=%58`M(QH8S>QccF zPI%1?KtFE+=fBP#C*if&mrud=xH*Qzm1#` zEow}&{H@STAdp}soBqZSgnXfc6LD$U;3v=qJ1g<2VA%Ey6hBnZ5acQb9lIkWjdrS!xoZHDFz@+N8{rA(>5{VSF4dNbgD7 z#+PUa!UB|4XUel8hpS3(UECIl2j5NR_Xc5fe5&wi)4<2zPMqReQ^Jq&&@ieIDC>rl z&MvsH^%^vmrI;8z0HH)Z{Ev zD|KDNb-9NWT-wLAb(UmF6jG*r7QKAsE88Nc3LO`V!qk_$t%0)^3TjbVGG7}0D9-}% zTpp8t*etjNgX zu1ng(s6b5tF1ua~3kj<$f2$fHKfS($2%~`Lf)XLON1A@-!AeX#R@iwL7Wp<-w<;oO zv0Of%?TavpmW&GhB<>(oDA;ZRW@!4?E&2eJM;t+Pc=UhwOzevsMIw zr5?B~HchigLxL@fQV(ysuDhmb*A08x8KrO!S#;W`tY#((hr~vfxcODD>6#a_+0ETN zog<+tI6OWwvh~-8aTPZ+{0@Pru!se-^Jw|?S(x)sdPDcUyc9oY~9u}8HdQL3UHlLIZHT$GKpNtiRzSod%YYEd*e_ymxS-LKy5G+kZ zDyCl*FA;uiZdF|sU#Gsiq=2p>FRW(8Fop+S7b+1{c?ASP-~pb>-SWY6mMVPN4tBrQ zx%uag-W-T~)qY2uiROVP+bUr>3^2jMR}s=Vx~x(KoLFX-iiIG0KYD^%KqXsRERm!> z&_*c282v)6z~B0*db4Izv5-ZnWfQ8f;k?{l6Ipf5Hg6JEYuvGwRKySocFyGHB<3oM zWPNV)t;jH1J{yau`ap&L61%aK7|#wblI17rg|pfE9m*Z%mpMJDgqb&_u>mwp{k8oKXJi5=Fv1U#>NcCekOvQWE3R?tqprH2rD`klHQLE zu``Z7udnQn-CtG2TRJ!zgXV`jUNktz%0fDRJas|J#e>P{T6tqpP3)BgL3s)*kTc7| z)2ER1oV`E0dhxe;_|U$SE@cwvY_(l~)6vPPI%FDb$Pqz{mY=YBQOBJgOvenZ`k|87GueI zTF+*$cFyOjmgbI3R>(4&GAi}GWi2-GI86zvuFf$vk-lL%_Sq>9pa``*dKTF>ip!FY zl*g92KA7WL$io`ynMnn{FQSy+4ec(Y(#w*S`nhOftJzyP#{GWh(*lS-Ce5*~Y?Rg9 zZK=82fiH70xnG-mj?!cew!s$r=7=yv4x~Cj(sVV}J1~4@DW})cX;Vb|`_08PLp2xO zC?;y!^l6}Nk$QQ+cdFIQ+1 zMTZnR`ps@PkDAXrH;0kPa(PnpM?*3$CD&AC6kR`^Qy{iwrdhf%>0h$NyY4w`eizHj zuC(xq6+14OzLbdB77JT6NUF1JMc``nej2WKj(CSTiZs)8hjZuNHPm}bY*arsv0eV~ zQYjU)(h#KHR<3!>Pd5l#empFlNSZs`BeOC2c5z@V<*w`l-@9xM@X)1I@4`E&Fm}f} zzQ+xwjtbbf*tigr#fu;Cyk6VQb<1(a%x{@k8m2bPhNbs$)q5uT=S&@WvuRU;Kb}HWO-y)Ddgk!CKvEO-sfgU3&CgKfNX8wDdZden~zqx z-Xt<} zpiHw}9e~!DN!<$Jf?QX~dN2`?0Bv7Uc2H(9k#v_8+9W!CVw#_|H1VR znTpId-pR(bI{D1*$@|L-_ta>PDXl$;XPKhpa#Z3RB-(D=j`(Ts5P-hp1kmk`$@ncc zMt_H5*#;le6>om0^HGtb<^5#0ZU|?pX~@_-T$#{*eG!tyOwVDZs~EEm@}Od3Gc`VD zm#(`ROI0M>OvOxQu;ZADs?>)*%VyEb?CtOIMI zP^OxR1w(VkWFKIs%X#NR69a>IkVeH~*6RBa zoO4Berj7Kv8;y%MQY0?2S9EoKz{o+2e1Ok9dPW{Wis8x2>K? 
zJ^k43o5Vuz%!|zQgvmo#+rBo8+{03Lguegj6&L!VU>{QJTyTlvjAF*o^r8oAz$d=O;fPnsO@M*vrjl zHB})QoKu+}xnTnhA~Y^efw3i}CSiHYR_qb~7ivQJWK}iQGRF>u~+EqKnMt?Tz)BzUW8Y7i;cW*jgA*jKCR)};Aq90q!Me9K~7rm zDiZ+)$op9_SC_fX(gkary&Y6inEqn0Ml6Z`^Dp&M&jZIX(TOAj$>^rg+b%#=0A9Q`5cbcGd!=9y_x(-dgdY0SH(Uo&QUGEoBaTF}@k8*=rsOALRTJ3sH%4G5)-M3efrA(kbY0ma=d(6>x zWtI<1ImpHr{InqJHCdkpYcvR~_^|j)j8a$dZNXx<24XoXVSfpdEOKz0&13objgV04v5?%qEFWn`EF2V zk@E>_*K;2_18$0w29zI4sD%8WAMHZbo!|WK0UCeNM4iyx_1R};k&JaS&iu`QNb;Nx z4mfv~yqZGL28{F{Z~;X`zxXkJ9Ap{q{QGO>C^_?=*5fY(MgHCN2|Lp2zpe6TGk>mW zUlcm9tv%QG*K|SyH#9XMBO+m1P2;kpsQj^<%lM}lT(5adX`-EQXD%0gLHzmvaZHrN z@#G2J_m^Elfs?F-{+#oLFJG5D;@I81^gAf0t&c=_Vq#)iQbR*S z1urQ&CbNo~Nz#G_@lHNHg{s=e2M7z<9d-PBDZ$@{A><|HfH8?`MkOUY@G*U|HKE1% zTpH+Pre#y;fGDuk0xNIT{!zPCd5-TXnnauj*)nr_Bl)PT*l27N$~J z*y%yapNY1Rglz>A1V0+t{?2eel?V8)c)?MA*L16wDH~gqO@B?RI^l@;{ zDE5L-;+M6VgrOb0!NUj0P$%7sLl+5FXF~rbj6rqVC_}?%Uxg42MAF5#qTyckI21R; zwVh2U{|JFVNX<#Lb`>XE&*@ZN7~LUK9S?r{ckVbr&7NmDS^{s^3xJj)&>1_)^{O^+ zhQb};)PxT0IKiSWe&ZL$0Q3~5{rsIf9rn@a&X>RC=Ak`vgdKLvdfRdo1g}p7xq^AU zt}Sh2A7L$q&mZr))wqJPckg}r&LphUw4xGqFPD~qE~><5X(1srds^1*F#1efb{o3r z2pp}&*V;SFX`N4->!9}Fglk`VFl&eh6k^s+o!VVXglD7iS<^6%@6xSo-_`r@n}9foHgkEtit)bd$%Gwue$!d#YEt&b$f&!a6q+>Xzn#2(A|dSC zH_-dX-X2w|I2qkTEci7Y2J0pTuRh1JIn*FVbMJM2*$aOJe{fm$Ms$S{AdauEnBiNq zZ6uAf!Z^;`+LwbmQHBr6*-X1=a#T@m;|N;ZV)2pDugF3e16nlX&M61zXVUC?5w#+6 zX(kD^Mp|mY%K|$wQ=KIK&6i#{8I50ho06{iD}P4^P$5h(p5vp`o&G$|Xrt{T?U?s9 zzHZTwj_Kj2X>#~UZo^?!w7Wk=S^l77(~ca`lGXPox9@;K7rK(@wWxkI%(n&}tmM-m z@}3RoKHU zRSh!Jz@i;|*`cQ|4_(R>0;h2OT)f3oi&*U(7^21CoY>jD5XPjhICPm1ETkbUxjqw` zNflBR9}7AN!SFzT_E7J_-51$(5;-!X-)^Pt#X;=vJ6!GFJc{bGLin97uWZg`rsgOX zVeB&0nodCl>0eb|_}ND&Q1AZTJ?BCF%l9Opgtx5JKi2-BINL8i{O)&~hym%gvj^>r zV7dwg^8{j>o12+gS^Yq_BUpxw$SG?dC;9S7C4=Pxy<$6|9x@d zQ!S%dadELn;9sJ{>}%$t_GGAaeT0z>Rl$hbIi-1K8ZL`TDc31VO3D#xsf)io&`)SI5_Dx0NENNQzD3s;CF{(ekH219*nB0s$)kuET`qv!%qBy4eh<3-Ny;HKm#3# zCEO$>YC+0yZ5oyy3W;~WwSTnoxe0c7fh6Mif7r{nU*SIk`n3Gn%r}7Sh`c|L`4#E> zfy^Js{9E4j2WS3I!5PjPaVO&4(zA&Ht+#XA*|3Brnlb5KeC*? 
zMJ@Q~o8b@;QdU*sW29ig`l!HRZn|n7f0xPpn_q(A&9{wBaO8j2kT>(xYE_&3JhL4# zSMUqXm=TSu*stKXT6;-~|6`ZMFA7B!X65}S|UUoyN96EXYo2Fi? zNuS3ud=KTH=@(7N4Byeb-D^TwiN+`DM7d{-&CqLiR4NGyw77*=$UZCoyeNP80tiZZ zu(6!q4YK=A=L)#^cQ(O%H{8zj4#dVGQ;3aW_j@P+?Lg}519Sz$@o zq%tv_)~_ggx?>OL@eg3pZk2ms@o(;Lx7WdLu^%%Z|GEpc5)9C*RYp!gTieeGw8_$W zRVI?C!0P)PwKGG;w6%mBsssC3UHl64E<^t7v?1HhM-|Tkn?M8-U24baFnS|AH#gS= z^Z@ZETA2W4VGC$%%AKoMJa#-LFBs>YYd@tH{=$O)9!TLyXtXj(m+6vYV`G2jE?Vdi zX-`)4XDC@6GRve>$hw@YkWIs}wsiJ6ixo7_C5YN@mpEJSEmZXYz zVsfly9WM;u8KCwAqoAMwU5vy)k9`*sq3-p2VE%yUO*&A_5I=frVtssG!zED?ukUyA zI{^JeOp2=m$~$Hp+On@>{&H~-BvE9=E$s6Qzd%_6uuAg$D0RsHbfhL7a3mo&;y-{v z;rv%{{=Wnm!OtDtwHtz|CoTWW&0U6;z4xYqfvUQ@;_sa=nk%hFh3()`0v&R?(+M)} zfFT|QVPWBdAy?Y_+S=N_{?V5Io_5m0(ShCE0{X5?7R`ZC81(WP7m^io87wR;eE$j& z<)yD=y^LxD%wz?{qY{1HTWA%A6nV^2 zXpW0P{jY(u<)>Et%51M9JD8y%d~Cz~m&EoP29b=%Zog_W_yAOjGEVDjKAYF2&8|mH zveStyo1Zrs9Iy5yrJaVMeCNN}_7DHc5>+!WNHWRzsTA3{vw!uF0MZ&1+Cn5zGoXIp zcPJSCu$kTP2|o&irwBjGg*_<0ua9?rGCTpSBHhbjvCDP$?^gJ{R3HV&)Yv6n{}nuT zUj74^oqPHI;s0B}nBk2V4Au1_=EpaL2d4O^pqnllKn9N^kJuAGxzKe{P(NoqtswLqB+LOJJsUpY(A@gDSpns(z@ONS$ zK0;q+AIGE<@d!|`wb-m}SFyV~_modAWX+ImHp zXZ_G^FBFu(mrTC=_U)FF6H<3(x*6@eO6-hBc73($#b2?QJB&@+#$K_FSmAz-VfZ_` zxHvtuaeE>iKP;OCO%RP#kTm7rva9gpXsUUOatbY58%qt0oUr#V#e5?!uzcH6-0QNT zX)}vpYZ_~X_cQvs%@wiqBdo|Qw0%M3>q42hE{xTX(YsVIF22$WGh3=ejarzE-+o0$ z9~!DJ7R_g)cELi`G$xsp&e0YyV3^rMRBU;FxN{I~k?y4G-=!0c!ji#G1>0dnv4^&c zE|9K4h&ZqS!Mg0Xaxn?08lV?l!vfWS|R&&HmkK{4o=%*Xk= zwpLOZ#IM=#Z{c5&!_+!TcOm#c03bVT}cX=?To~^f_=U=2KWg*9fE{|&M zSlC}Rf>DV9ZTT0ABdUl8?F2XZ7s<&W7iJtcmd(ff42NUA8*J0gaOX`q&rEp8TE=YT z@B|y3&9gZy)-cI-!?>`pHBpD}K}U2J7&!?c_{W6XAHYPToocMyZJ zBH4aaeU8-k;A)yhYve}gbS)39JY~9hni(w+vK*zYNXSo0az<2at3EgLz$B&aK)VRG ze6`e*Rg^sy*ft7%{k z44HogQZY7bLi=ue30Z$aUQNsLbE5X7DKQ8A)Z15tTGJqnv(z{IackVu+4@Z3ZwDt4 zJ&>(+B(~m$zYX5VkS#XR4Suvyp8KC;SP5peK6)S1#`xU8O9MKYTz1CPf|w6n-~>Ww51 zZ#ORlP+bo>P)_r zyJ^%|kE)JF+LXhrO-2&hsAtz2aKdPh+g9CvT^d;RKEVR(RTGEFR7_F|71o%0x2nV7 z+EKB3M77+QmE+R%s;!%l&0<@KpmKgkBOgx=p^AsMa(D4a{#%y)8#z9LW$$A(JCE+9 
z44~L3HW9m>-o#3UDW#Oc+*0!*`Ltq3SV>^-_F`-)1TkW^?Fo~J!s|?(WPQ6sl?EgX&e=I;CYLCv}O zzV1>6x(kmTuVK46Uc`EAsd=!zh!9#4QGUoq*{q-)V0gtCymZ@0z2AV#==AEt!6?ZP z1!8sB_9hWL22xj%xcoTw%Jrq~H^W}9F?~w{F|HClwBx`EK`e(k7;+y_#OL-{_Iehr z`hnNzKK?_MccSgT%7Z{%#W(SXY~9$X66f^wNK91Fl$4Z;F-G8u`aIk0=@w`;0QD{G!!`;u;&%u)`ZxYiq)6wHac^tt$Gt;s)Rjp#CUVPcj75F+Zbey<5=x_TbP{X`dA5P>>Hs2%ac>>v52V-B46=WQ|W$e zmNRroxruh2`4%Uz$u676uQ9w9H#+CK-!y@&=Vc%>BM>?E3M8*RG^!*eC7r0DO}+OL z`|=GuUivo-aXXo46wtOr+1OgfQf?1V&lu#avG~G5F2Ms}WGs?_&0J<$d2ce9!5E}D zpJh^Z$r6Z%ZMw6?&F4M?S>#Zyeq93`hg$F_34g%6dGrK{F-Dg zZ{u=;jEV`+Dur zDoi^0j0c-Hw1X{ath-K2Mj?3yKMTeQ9K-_i{Bv3tZ?VKCl?H)lg(^KNa(cn1x?ETT zLvF1n8l>1pGzE-3g$6MO%+||V5k9>|X#XFch&t zMZZw5%vD`~$s+H^eg5h%zx1HQoO*}#L}=W68uTV3I2>|&o>}h9@$}r=0;#jaHaO}&~wu)E;!i8t#R6D+tq()Dg zYw@>X;J>GKaM78-{tTiwu-~g~@OzdiRfK1I-!OY>SQE`P2Qg`(j?s`md6ki!7~?H< zyks_JoJvTqKarY8`m@70uYGwEV~JzTx1MDdxGA9D8fKApd!!pWGdS(jm6BZ%E4em- zih2E$OoHYEv$dhO33Crl@E^rsn3|wZ($kq&Q&;WeI{z8j6z^-*S@gF*Gkf!TqmS`~ zM2eEM0mN}|d6r~-UhU$W*o~_+=a<0=QvKW$>iGK9VYNt6vz zbz6IPa}j+Kg9It|F19nJzau$fB)V$rnr35~NJJK1huQQJqH0?l7= zutrwZn%A&sc=n8JG1AyeAqs1Bm<8-kjEf?W=r9kY$(N@X7?%)Gg&)d#9^H2MDbjc{ z;()l~$GSPf8%z91ny_=N1?Med=o#m^U{^R5O$w&&=?6}2Wu|jO8fr88kM5h%VP=8u z`B?-t-_n)80((?&;3=JnJU*|(TItpUnL!w+ZI2JPN!FjpD5}i|?JC0a*;p6;LgzMq zkCulUSFg_%YR8Ec#_QYRE0aQVLI4a84cMrA>t>2(C=v8rv-$L*DUWCmy&imfxu502 zEhXlXsXch{YfS*;l)4eKyfFQNBsK9)=NU?>-^QibT7&g7PB%_jXN%4=3p_KuuiMro z3l#O{_X)T?9xP+oa>m7DpF&?*8$zzHG7F@`vd?ZkupUbDc1$697-GJ7ma&y9#C&_B zQoWl)bjoxuP5*LlP2wQJ^ze2D zU0*B&62edupDW&4&x$!wh&d`WBe()1ekZbTaH{zMqbJj85j8n9+#L-h zFWv$pDMgHn7OGY^gvlLzL_@jdtM0dbN&Zy0WU^7*Pjmc`5H4L-pif`Y5Y z!j_G|_n>+j-CdI37$~rP!@hYkApakeA3=jPF`Dhs86Pi5f6wi)w<%ALTi4UzGLwGk z4*Xt~Jcz^w5bWZsJqBDSaLDNFnJbFej`sw2ldF%##jCi98*Qd+&8YTxmu%FhMjx3g zxVW_@Tgr@3`6zG9y?>od6e<}j8ok=Ey>{l&J9M9D3!mtd-^`Ob5enW1B^$Ga6Pq|e zZ{EDoH87xCURj9&)3O^4(ZoLc(x9%#ZZa(;!i{e8K?+t|Ta+0M#1>q=xjT}IFC|Y; zh}@7bV|x79bZ9~qA3LYK^)K9s6*N-krlT#CFK!O#8ZLFI-jFXYD1ZiZDHMHyTj#O2??bmUw5^ON<~OfU>JX>C%3|NT 
z#z@EEeWk|4IO&|IwFlG4Tf&I<>|4wNIe3anw8xU4Y6kb6iD=Tn9SW&oGxoH$9LN!w z(6&H(D*;a-8e-vCIsVP=uF9@>U;_Bnh;EkIL_)*%h&+@?+{2Y9no`g}wzKnH za#B+Ip9KX$2)<;z7 zReJ zSdO^VSdrZBVbyYI&?e6Icr6;t%BYidA!EPC;191rTP_(^Wh7~;xrh~(bH7_@=PJHD z08iA-vV{^uuR2cr(}UHRA)*96!Eon>j7Qybo%dHirV!a0l>@L)Y_$gGZV zfA2Q>71V(O0F^mrp7rpm*$*GoP%r_~r#qQPU7WA4ZM$4KR(;6VX0Ti#85iM(cbPJP zqXUmuU&C*ir=2Jjc#v#_>XDLms*!Jjr6P2&V7QY!w%52c^yvxG%Su`SeSe3LksPdj zt&?@#PFfLmO^jPX=Tp3auSVGMu@uV5V&m>Nx;I8o zmFgqy6rEF~>gj_yBD%vJbD+#M~^M`-{#9b9p+D_ehR zW$FSG5wsRDydA%>nh~@u(u;6zU#m@J$Rd!(fv%kVu#K2yX11o_D*xn-MOZYNfH3d$ zEzU2mz%p8Ta{(GSA#QnfT+Z^UPOwr}zPbEl>8u+zmQ2;z>;V&WwxE33D`Is-`p^5l zfd*qBhqwP;S18GuWe**BYcs4t2h4QVmgcNu*JM%{OdI^t@U=i(uSN zFe=@T;}E(=@F7!MtQW04RaG^&lmMg(7&>Qg>`_giEm&{g$1JoEQ#Bof$;`?-DUz6e zGNi21>0vnYLo29XnLe2J2<4d9{-)i7+IwmGm!E&VgBfJEfD|s{-v4Qxubnsj_Z;*$ zDF3s6{n^V-4CuRuKXCaD96Ol$2QGi$@^3iKAAI?PFaHC+ls(3i%Xn~mFp!gz^FOEE z$$_?AgAa&Q?M>BHX}O%l6ypsUzWNjR@i1gkl;qjhGc;@e`}zgux`Pk=l`Z9ex_+uk zh^?*drTUZQFalbcdj+#-KNG||9QNlAO}5Zg&uwH?rtT2C4^75FO&wCr%L3RtZ+qa% zWon5il-S#VnQo#Wjqt9&(!<-6)6)iZ1426q+xs;-!48SfpS%tO5h%0%Ew3lBL(+aA ze&QD*j!M=JzmArT6D;g`R=3IJ>3>?E{^T=}N?K6?dPPO4oX4%d9uB^*O*27&4`or? 
zSZm*&qMxa0{1c$a@ow(LW2nXrKxGS`M0=tktqNU7soib3r#a+96r}f;a8CpFCEZDF z@hu~ZLi`N0yt&3FK^%pJBN)7=Q#Mc0{hU|q-0_!(U+i)2Y|8qvolXLAo@M&vGO;qg zyMFd(2mYeF#<>CyskG&tkX=6|C8V~|_x&bSxTMxD%I!j{>wZRe@ply~Bb!)= z#w<06x5-90qK>|Xq0$%DG9b4$C3S8;bOB8O3(FW*x9*xw!+#OoabD&QWh{+E!g#n=41Feu?NC>}X_L&|il_1>4ukrMpe%OH!U zFnV9s$0FsEPO>JAoh< zXgYyLN!5rj#VLnbelXPEo5J%G?oDR^y{6sp+KUgt9>Q*V-eIX(Sa#Byal|-=nLXzKp~lgj^Zw?+kltjnH6B^Yjz5>picC-kJr7fgSGw+_ zi#v+2jZsC)qyhyTc6YOx(gj(L7=$`Ju2Hgdh^!M5#tb^_^B9a>RxlrJF@h( zqBoSeAuO+6eZ3HIE$HedeyY{e`>uSWxUui`f3ur!{~~-0DqyyezB!SXM_mlc0$KF+ z{6}Y$SIzszMZO}}Nu8uJkN}T$#J%*%MJ%B3puO6R*W0I$M4Wo1Ne}XDI z)b-B~7eOj5{n}yb|E)Hp=??J!%jgAtS6uh)7WTPC@rPiQzl~pf+UNVf09`UZNIm-l zm>??zolM#@=jm%s9lXOjB$yW6sf5kS zcy;iY+))*NgR#oWE2AP^&7|j#Q+hB}ystS?B})8eUChg4W_pc4N>bUOA%1dpG6B{b zCQOqs$uY(a;f+oBcoVVyE$dw^1&gi$A^V|X+k3<=mV;4H-*^1(wdJW zy!8Hh{gKXLxjWUupBh@eef~RRuFM={#)v*kxPr1wcuofJK^zNA1_fs8un1Q*R2kew z(UkFB!Y3dq-p-<_lS8j#P&R3u8gx~dYp79lVHF4B-O@)%z2#-)EUrCIpS_wFhq$*4(USg{8bZ*WesmuM3gw_PSsU>unso$yp`5D=Y=F@f)HRAa z+r6l=Pb0OGs;d2YXBdi?T3Y-2`BGGY)1eo472W|+h^M8o`qm*q5>L+leJmu$l~3c_ zAAi&~zWqfjf!|4ti0X}UkE^V%7zqZ}J zp#>;oM_vSCG8I7+!fkUkgv0ETvSp`c_Fq!9e)NfT0?uNzX0&vugy5z#P%yH{3lzSZ zYw?5BMkZ>grdtMxIlpGGz(twP{3K|&{9E2F1KVx6-&(_n1o;>kBYJsXn3V-z|`m^n}DrlsE17hrXr=T6k#n z^Cj*I_J==4lUQEL@g-0SxQL3xYP~A!U)eaqr`1WHO}cv@zc3-7u7H+gJ_^YlMgalr zBU5-_&aW}F_`}h!e*|6}l2WN<0tIsLhmQ#}k*Hn({|F-JD=G?m&c)eR1iNavfbm#b zSTKZ@#r<`MWpt-jyA!pVwG2?b+kPRhzrs%tIGSi5Qqn#71~h0V<$UzE#>#Z1C~8yE zL~`x2UpI~V+c#|9^Os+3v=WP^gufO=-F4>y+Wb%Z+y&-e?q$zA;ut`3(ez;G?~vJl zdXPePGCR*!adpqh_x###ArIg!jqKG|p`3?)Cg6M=&4@muXinW{0LA|NO zV!U|QFNg5hu_8%XcVVcKl(>^=zi`^MbN*O#At9j_Fif~5UNW|&CHgLmKvtOAgthRI}OXJPJTVTrt zyh!wqYe6{w?WhfoKPt;N8#^YPZ@uu>;FTlaefEt}{|-N(vqyvZASEUlV3s#N z+0-b&bEE&+`(O%IaqXwrq1k_PgWt|zj;s^hC0qa7DpE>dl_9ow|D!9U7q~)ZV*Xbj z5dpH_>?(E!itGOFW`2s_pP|Fg1~SD9zeR!m<0_S46py{2vw&H6)s)&V78y$QhEg09N`;V z@wadsYe*d>Bgqv1(vKjo1%^RixJy~_qxx*6D7YA>jeZ%d&Jc~ehaHLF;Z 
z6>_&acyYR&s--D31o;-8nX<*QYnI-!YAi`d-`_^WN*xWF@py~a4>pQT=lyQa%WLy%6+-e$o?Cu!;nKp_EUD6D=&leTIM~L*U*RiN7`nUJPXXt!v>$4c=>L$D= z>g=dsFX1O*B4n-FM|(`RW3pCOuwhrN`s|-{Dotf_?6c({QlhHOA`5*&>Vmzj)NjcP(sZ<}IMEHKQ&Ay4Gxb zpU~nphuQaC%8NdUrU|JAlg`9TOGp~;WA=)(?xam%q22XopbyprhJkbS*X^KRVl??! z{3KgkD_0=ggVrM-@(M$(u@1_RbB!;b?f(~K8LkvwT3WhdwcQxT$2a=c8H*@JKP6x5 zo@#0zm}GUQujnfrpeL}DY$u|1)zm18w-FoJCnu3@1J~ErTYP0zUX9jE&X>IDd5ScA zq4F2fM)jv!4k?n=_DayB2TGszC>sGZnLl<@+vzG?>v|KWrD#?q%U12DZLdhooD-U6 za}4n&1#n-YOJ{lM0~y=NpzZ#a+|qd-CLm1t(e&pk%g-(-3*Y6uB<@un)1jN3R95hbp2G_93s*uagCIe)(7TQA!YmCTpp?W6pzCdL+v@YRtw>=aV}jw z=P3%d+myW%9J{z>7B?`%t3C)WItE~z-jHE5EHP-AJ2Lknz>;tKo_f^U` zEPJZ7+hU2?m~3@$djs)bIE7*TFFhX+SS-$JA3r^HrpQ5~cFX-$56Lg&=8t+t({-o~ z>DgNGy;lvDr$2e{{Sh+TBonVAD|58mtiFfbGL9v6XhYvdT7GOQkG$bMOP&{DT@v>f zDCren8}f|RJJ=A{PJFIDlCb)zO0PT@8%?rbh$3^kK@(Q8<;iqGeXn7@{&nm6 ziz@reGeGi+@NSTF)Jw>Q^mXm#9ZXRekwaq%Q->eIPhKw{9IjNa1w~-f)2bzr_1Cz} zx*m+WJ<^nV3TFAAlk4&D2>yp(I8O7ufB`Ln<^RIZR$(I9{N$@OS)iAhzTKR<(QXhK=S%$1AofeQw2!rQ+kK)nP|+xLFxY))S`# z0fS>P%6m!o4$1dgc!J2ttnQ&C*Ulb)`7oaKs3taqkcDgyRxnLr)Kr9OM%2GAyV+J3 z3t1|zxT`@=E9-^*gfO&cs0^uuXy@`uoId7JyGY|d>&VM@lX%Sdoj@#ZfI*5S@s^c8 zIyJmx(_V=;N)cUWu}kF1REr-~t{3S2n6KLSxB&M~z5b2VS(@a?Kr0X4?@@j)7VP3= zOlJ=Iicv+467T(jp9nn?ZQQMq+xI*^Al2iXF9`=*MhOpg;PA0`$)uUi%#c(osmS=U zJWiKb$chte`jou2@sQSyjMqG^ov(R|puTMeff-7O@p7(jN&Np|@4e%p@c#$!@}`t` zNrlSlol4ndZwl}ykd)@opX}s(G zQSaaH@%a7m{qG*!y~gwP+;i;KHo(jl*Dc#cLzBD-$mR*DWNMuv!|mkQ&sQY+o%0$Z zLCRZWk&flLZ@vk?L@K%8%_b2puM}l{a9g^M1a@WdULF$^S(8UCx4Wn8di@Z#Yz=)1 z%Y;cgSduVnGd&?>)$UKDg;bUdqPk*cxs>}sZ1I}9SbiD)Na$U=@;^Ma73Mb0{Slx| zow!Zzwr}a1I+x+Z&Xaj%r`u8<B`7c41MwMCTc1=FzTLR7(13eFv6wmryjHqQIk|i?xk?$IyA?u={2e1 zlr%-9j<=Xw?^ew*dj0gjdtXCeoa6`k{W~8%?ULLXO%7V?0tljj^HmgcxqTXXx+tH) zajLFUN7aJIl1|g6t@d4xfS9@1>Y1{O_xuz0ib^{WRJpEJZ~7VUQ|p$vW&yQkzzxJ( z##%4(rPtSf9pmA5g1%G;e2vGjG2JhmtL3@|20;Jy=&=qICZJAhh)Y~VrSVU?EqXCj z%Itf@yLs;9(h_?)EC8#bNjxOxl|7@WuPKBbq>de?ayPrxJa_5g#c1fJK^UgBGYL8$!|J=beI_7CK7%K@2pi8hDD$ng#SeU$efJgBBpHtwE%(Bd{foB$LX 
z&*Rn=hyH?ytPVJFb>6nH{tF~=$b7x`et)cKpPUV|@8OYjtzN;iiBtE*=kMzY6!7AB z4(deV;FRwCyY`if}M{^~$Z8o_*R)j1m5xq8K>zRJOcN9U=tO#aI(s|DQjh|3KJ zJ2o%O>XDR}3@~S`m3|xIKn@>z{gTbBTO-Ya{Ce%g@x_A{g1($tpVYhWQ2aM6w%!`L zBtewp$=>=dQBHg#51H~fH~;C=S6v%`f1V~#?C*7oj@?vah?iXLdD}G>aAR%X4h>@8 z6{6^=CC3Nzi`dR!A9GAocXbN)QSp}LdC)W9uCnn+dyZvFX6fo#Tg|y%9lKW@^C+~) zU`8yrU{|A;lv<}?Q73A}7`Q{#)s*uP!} z{+K}&=)ir1x&V58!Cl*jFIRlgLWrzwKHfKKP-diSP|BWSrSxiwGpY5UaoTF@V5(xC z_PKjXb;D)2j1}!&Dm4Qtr3*;z+u9$En%vIRik1USvDmI$MR3p@qV>eJ_kM&zlNGLi zCeB4s`JsnK?t@ku4!1WS5>6CI)>!Cn-kf_)8a|+{x$E16Z$X+gt>TPAs|7FB_Ab4> zCs?FTdCUT}ZYNh@mD|4LSd^%3YI{}{Nn;mvQI%xjPTGyKoaAH<98Z)}(_!a77_2gn z3V*9JS7haNPOI{xI!U0vyOv?MGbTjstQ7x(d!MMiAxR}+#V)*!@3r;}K<#*2C1!8i zL6hc8m_D#+D$xcKByaDn$ZsshQD516XIHX!M#%A`SV#{%6Q+2m&r}tp zs?$DK@8=FLPAX^J^4M)ag@HmBvi>^$y6Jg{stgahBJ(u9r1=J=x*tV(pBe*afXBhD zbtNGpwwV57Ziz^OQATLC;Vpf?J=R(ugs|c2US>*B+)^ep0lR#vW4a0F`?3g7HVB@G zGMjF(^J1?YkZ|#aE&9&De&TI(4Bt8`8~(HDi(YRdcdXX_J&zqos@{{<{-`7GdS)fygJi$ zIQ8U^&tiDBl_x|;*!dm@2kOWN&Hbi8HUn$_Rk4WF$HruV{>b9;wVUbvraeaNU4_B| zw!dptx%HJn09ty0o`gx#DB$6;>0s9?5XyXH>D73kd{n<`)uc_8*6hqs1y$Rbx;v@3 z!iboaP`Oyaa&fE4RMrgtH)BXf115)MV0>Rxc`Im_d0lK_Jj2n8;fnvG(w6&yY?rrt zm-69PMfHdGR&UBy7N|4jktglU`qm>w*$zjxglnA4nG9EA_Nxui ziSE)*ZALwuP2rcHJjv>ou0A!tY&N$$p&(NwIWI{Lp3lnJNMnr5^gER&x$L+$RWL%$ zAKD-=eWytr`FqC2-$VwnsiWbefp4rNc&zUSmdgx(T#8hHVd5Eft5CsMjr?oNO@yzf zZQfmF3;brz=Q^3cxdS{&mU8ZhZUHCFW9Rtp=RP}&S+@Ak3;>0EnotroV`=snho|3u zoc-_%jo?MZN|Bf1+kWM{i9^QceOj_*&3cGNHuy`~;x<|b^4&6AFa#S1jYn^+IqtO3 zN-nrwKjGT-O8iT+@ZVYXeh}tLq#h+lW67v!*bf?1tr8)SGKN~e_GcEjEu+J1t2eF& z^K(dy*l2~#tjKurR?b`7q*H{FjP7Dwk}T8P{`lJDLPjs-!S;Jrk6ThMA8kGulewL3 zt>*dJtSR*gDWDy8CD?sPiII18JRO58IR38fu8q23gWm1UR9pNl>-o<>srE@?#=ZgS z7HGhZ^C$SuI&H@gZBXSL?yN<*H=q0GXo6zRor9_qN`uJJDlns z`%%d@4+akcFteU6maU#et<=(3EOo3jAYh(sG4m1I>@L{t1`T9AhL#*Z`dQa+WPD|U#aI<(R%U1 zlC{LrTvU#Y!s5AD4+=A-m`e)TS9<coihf|&HntjvyUlP@8iLi>o; z^0$Sg2M}YYTfD?#;FlN*CPD?=aQh5aYP{AB#^l(DGV2)&1$V!FmT#=ZzmTz%Ues~) z${2-h+46AfK(}bpoQ25qhK)>%PY9cPY){F}f{H6(%OpssQ 
zv=nrcobvxi=dJJW`B{v7BUpk#&^~?8ChNqv7V>xZ{L#b8+JRgrj{#ft|F+68Qn=ks zhx^e_ZT{_-o0)*1>?w%&dPLIC0{hAZu!>?2gC99>@rNM%5m5d**Z-l+4*(BPhGD@} zJ7-hXi(euw{01fO>N3sP(sEsEG7U{@p-j`o5#E#wf(I4aKfO_ofgzER7|GC3{De0K z!mF3n`^<5Sk++d}8T|)zH&B$Fsat*flp zcUfkaDhi)xXy4>bFK|3h?UdJLxDuvL(%FWDzU-*~ujoQXve&#fS6AOHye*VFNwI&! zii8hRN=rg42utsdjg52PF0y{xS+lF3lfnTc%{c~inWHyR*+<@i^el#^JDJx8v$ba& zO*48@$X<@Ny}pq80a~+_Y{*AreQo=iKVb}JLX@0G`7_U2W$piI5;xzIq#>-R58femghC;Q|Gke4ByMEl%@(rwwWjx#v04MKZ#JFN zn@S_@l<>UvJ2~e(ES)s&-A6}<6aw6AHd|6OTw#PSxhFo&_Y<$=zep7Txz)+t{lZ2~ zt+(}}-+J7Ogo~l-MxE~xg9~;ski~FV5xh2->zY0evBaoC?B^pIjqf`^Za@1k@)rCH znz6&vGj56RrHc*SaWW6Br-NQ&WUPN0g)&v6B&@8ER;Hq1cx9DYnzy%ZKNzoU^JZhp z?nkQlxiQRY1Ljo~WaubobcSZu5xrXvAyoF`@8rMa2;T~Tje|8yL7)1~7mK`jL1sb@ zy1iX;r;5dhbfbhtMqb^p_$_LyQS0u0+;BKtmNWH{woE=#(~-_E_*M1Kj*RE^T}{2PhVf>OJZaWN>fpq#NM+^x={cSmu^(#(!I-o>Zl&<)&lv--J28 z7+9vJu<$>w!UedD*^mwFhEh~3xQi7Rl0|~U#oh%D2di@D&DE|mkz$iyWJLH;08;xC%qY9S&faRL zcSD38dWxdD>9O0yF0#4`7u>lzJt(-_)_hYhgg9{%q*pjDPIfxZ-M|s|*59${%8w%- zm$HcaCK!aiKwQBlQpd{cyfHjev^rO370An1=}0-83orK!YsD-!Sx`ifD-|3s_lmGN z+HmgMl!-7J2Crs=M1qv)r$=rdngV|Q%XOiA%AlrWqJ#O`!9Rx($)klKpZL<1KcIbm zeU3{reJ#Bf+*6?RFyM=b zm{$vY72Od{mp-u%Xd&kt{GXu0X?T2kid^&ZZwPJpdgu8zM7%Qqbo@EJDMslj&iooO zMk6?`sCO@5h*Ox?c1G;`4nN_Vp|wkJBzR8$@wo#9%N}3I%mAbW4Tb(rmN@@@-#QAF zArOsI`^YKyk75H5Lpx8!d)-&dMaSlooJ)ElyQ+1u4Y9L(&&AC&FbPuwh?_I+j3Q3~ zB{5vJy&cOETR(Dk(^`F6!!%HqQrU&*y*OFDQO2>sgunMe^|IlaHijEgU;Z!bG6mgZ zQ7`EP2*gX#Z;kIwr=!)>r@+f76h5Xby;dznsqAsvPH__y0Tnyenh?V&fM4k)kz$sgtCkYsHH zJQh4{kMEQBG9@^Rgp6{X=vItgRBLF6Y1pU>5bh;AG%34Za|I}8LdcnyRy%BOJySlLXiEo+w=F??dKh!oIC4N`{UDoBKhun z=ol*kz))&0!bRp?pLh6)zr+TCRf0=+7`{zQ{9m{DdXG_mkR52()$ncL;^$ULdIeTF zX6GljDem_@p#1f0?(CrLA(P9`+jL(+kn<#%Nmzq6QuzXtf9^V@144U%<8`sBJMF)% zq6iwQtIy?WZgTMR4>tQhl=%^Z`F{&#-oyr_X8*Di%QOo90>Oc>;wyjB(^bxg4qOyPWL;RIWWv9Y^h zopE8cqmusNciwbc>a8H_%>x!7A4ZPFs1DcpvL_lu_YR?Qa){3L^MS-M zMi{m(tZ{eg!&24{oVTVSP8yGPMw!@vtOZ2x6cfV#ZhkI(cx0{J`FnaAru1jq)AT}( zdN^V6UX|F6K<`DrQy06-&Dz6yE!GTIo$oK(xOD4a|4vhp0&|I{W_R&R{S&DF<1h6# 
zQ0jsxH|!0bCr*au2D{kLhE9O=nMj(r#wq1H-T14A-vu_=dKjHOgQiZYVm})~7j5(V zl=CgVStgYjD{LL#r4`R8U5|Oq2ehS#E+GQ(16DfozBp=(inQ^5N_S8xGbIN0jyL5?N9&_zRgLkv zrPGU^QC)wky7F4KW3Hq>%8;8NwE=?`9s$WY8q>L6KkGfY4S&4X_jV_8JzK0Y2lPZ* zAT=N#13AEQPA$oK1}173Ub@a%mQSZT9Bs0*tE9cI?hLnUU^m74yiY}b=h1;vpBgc50S7YmQ(>tS^dW*w7zf9 zpI;4H1|rggNJFiG0y)Sx^%UOZMF(iZn%l*V1B&S=T*(0t|o{!K`RrQCD$}+{F2{4m#x>Nd;CJz<|w|l-kJ7=YZLu8*C zpLhK`9c&5+$2_i~Unte%zYMCvXS&lUELD6el03y*7@)AEG*pMWzDRS+xG!DF3V*~v zeR9)pu5@{Nop(7y{8u7JCu}u^GLt(quGu1lZ08APgq5X?Au0u91C%APXEtaL3vtngU`*y?#>!VkT^iK+&eJw|?@nCT>{K``9ti#^SmzI`^(svssVjA(K zOVdgt-j6Q>dg3HCo*T2(r1=K0Kg6O9bg$QfzD0{L+*d}+JyZ{by9q~2%pKW2oM@+eE|6;xBRv3^*5 zBZI#9RLzUF9WxXB&i)X7F-oEwwdA~jBjrSHqciU5Zo+jxNeDWd^ z=ky;(E=%%vmkbtcpUM^GI~(B^6Vo?fd>1qIxP3elBmk%`xdrYqO=Cx1`Y?K(zWI~SObJ7_afjBa!}S@m!n=EgH^<7uY@Q+nKDxto*#*USYRG5R$Tp z__t{(AYyrAAiMx?e_6%P;mC~3V6(*7^krJcDB<74;8WyY0Eq;U;WYli`z66bf5Je2 z)vHmWJgRJoIir>{gVh^rI6bD~Q())hy(B2jHbs>GD1)DMn|ePY?UMCu^fA`f6GDpj z)}>Bh5(rpbN|y+T0=wa%*Y>s!GgXVR%M0+%Q~~_xdChsMtvsNzOjJ!UBtD{bE!fiP5HR; z+_JE9=vF`y_3m1-wW4J=lx|^Rq4C*bvI1i2-KM6@NmVeUsHTyMyhC zq}m53C`issBi`zAAa(vI({}{g`PuHsPf85bVvlB4{F1>3(uDcf*X7S`R-%C#`uKM} zJsNYV%W}Rv?`+(7-l;a3#(hZ6MIF!@s?QdF3I=6~o|0EdXpOg;BfLCvU5k1lIxTyo zHckA7gP&I(Q?5-}9??5{cSUtzNJgQw_rUz0i!Xc?gH6)A6+`@u&u_tX2f=j*3Uiim zvKL|{CI@n^s<+*G-EnDA09{ZH=tH#Uyn#!9F_W?6+DmL($_wGfa?_i71L#wkb$1f% zjUFEiEMZVfh~P>ej!Fy!LYwR6P_PDrt#@a($@jXW$f`<%R)$v9s$x+hcKU>V#_})* zK7C1l0jBWHlHThhGZt?+%WF;Ug_5#d`ex{!a9P^hP{!JVG;-9-w7tfZ;sa0H14>-p znA|)){AgCkCmpDB?+a!$dLre#uEW+IV7SC1g}cg=^V&=HX;TSlm_XZRicZqJ4Azp{ zllg(uu4mN4eq}JlKcqX9T3*SK1&6C-9d`HI87~(%{pMklw(6Saf)3_SKGQa%3h}f3 zrM4B-0Svrxb~UZ1s*Pw(&P<6Gvf2hVL9`<3N6M^A9x|hWEcN-Li6EL4n2oiGWGpwy zH0hhD%Cp4D_Kozyn4)mVYu1sO##1q(}U^_v+?QBptUqg6+`0ZT^p9P3V7rIcKSVfG>rL0j4rcmcp2b7g(eYah?^*j*@z7Wz@y#XpIPR{4Z%ZWy zNDMwLFTd2M!zGu$NJz(wvggREW~Ohrh=SM5S~)7%!$6zrPph~AyB-O`^2uU8T;VWk zp0FZp64%<0fDZ7;5m~9PV%PRmQa8n832C=1OEMtS7q^c!zs<&aUZR_@v^MEmC~5Lq zlTcr9^PGK=*a}(0Hi;;mn#vp~mdG_T>yxBo2*i4MVY3zqE+W|Yq*W%&+o}}?{Aue5 
zoyS6+t7{+2C&P!&!SHeukFd^Ka&2929rqsQ=b+*(U!B_@`1I*h$4YvQS7l{oiegEg z+R5nar^wXaNPV9EBPjZEHs$|og5PEk8^qj>xQYU`xl2K{-^!Nm(IfsgJcOXj^ARvR zBC!{3_jnu4gx9PtO|aBLN7zlZHCNSbHoLWufh=Nz-aH^fxo(#Ma^zu3TEo^7SGG0( zz6=8MEc4qpHM!Jp8GQQHP1Ts#b#*>2mIbke(WKsN6ab||=Xh2l@&l<;hJ4x{4F?j# zCLXLW_-Q*Ksb5z{o~kCeF<*!=MA39{l1@J)>mwTXLu#EQ(s4|AT36QF}mW_ zi8s2r>u&-NTdMYYEk)~CotY@{P<33pu`=MTkW`!`1i4=)%|2V01aV=iPQ{CO+a3z6 z#;S=dqD0M9-~x>gF*yw~OEu;*f&`-}6Z$6u_@(sMk6s%zy-Sjtf@k`r#xQ7gEx?@Q zDo8`?WHV${&!lV52r_VbhIa z*Jnf5Bct7CVWh%@})!%t6)60s%qDfD>(iv8GcDh#CUFsBP_tabH4tRv{=P6@s=mX=p$-G*KN9!@dyGZWNt_(n9vTs%)9AFjlyR8DHIFJs(yajaHdApAN)l1yDPMOs#aM zT{Y3?qKOoWW{b-$U~8~B5pQycCUOXjI|Id+NdL&|Qp}QXabhzIeIN4L^k$wuwW!phf0?L;5qGzqu-V4Fo5>hZmBo5SE!Fi+v@^ zx7U5uR(QLXpEr6OlWD(i6yO*9cTzwLD$)={4mWJdH9^uH4Hs$7k4}#0ux0u*)pD-V zUwDsW*ZMH7+&TY{`@Qp$%XS3R0MPC8A%D7dMzs@qFMLh{0AH6gK_=&_Pk8aC_8**o z4vXKTj|oc9YJO87e#5I?AW;cv5a7m}@>+cORZ~w|$#mv?QT2k?A>Ibs-vh)>c{sd^ z4YG>VP<@+a|2RHYZ$Qjp%E>d}h-eY1`0}pSs6B+?Y?OKP>30L@oSjK3(1NIyW^>7w z!b6$<*fYj{PWye-HB9~(aYo^^WX1SA^_hxK{@&f_`b;db@T|qafvMGPayW!*E@E3w ztfi`^t!)-&sZ0pd6pslWo)52{Ck+V~AeGG>@8+@k=~Oc4L5^n5dk5oklHxT~?N4z+ ztRIheVHl^^H($mVU_L^V6nX3m+D$@KIA7mz?t+FKa7mcNBo2NRR zcjeBM6UBCNcS&@r3r^ptj`-jt$2-*%>U_szpH`E#xJX&%-PxtIY&%aGOhehV*-}f9 z!=zf}R={$*3M^kB`WE2l0s~iApHsa=m*Qu&YH4DsSnuaxLaP)@5Lua^hT@%_>dxsK zsTyY+i>qggQ3p8vF#+*6?NVziqI7ezND6W{aDgMfGtTpWi-Rji_Qbt*)rC}OT)l^! z)26)AZW_Ey$lhb=fL@uSv2bxNIq{^!lW6TG0|dtYGnrLaG<$kp3mg^iO4#|tZKZZX z=ee4LO(KrZprz5Gv4(OS(}at$IDdE^C>lQ3XGMALJj^t~)YYhR6RpETlwpeLI;>X9 z%XX|Mup+OPBVF09*T*mR&Gs9*w+KZ|+qtmqdy$`XHxq@5! 
z7^qDKoz#ZaoUS8(!P7q+B&#~d3`$t1L)c{tK|Sq2fK)N=;Q}Z@IKE%fMkH70*70(q z(E_=JH|+0<($D6D^!xF?ovC8D7l=#8Jfb4x*igp<*LqWQTfRi&fo^IMK@%G&!< znivXGr!Av+eCX-f>z&bh_yAjhlsE>TSb61I{qwT6AQg8Zw9^<=aUh6N#i$}%6$AUB zimF+UW%0Au%j=n^dlqi?ohF2E*Kn!?$T0s=Mygtu;fF?Nk3ZRW;I(mLK%^xff7i4d zi%thO^NBJIasl$lwpiLSp{yB;drf}Y>)G^UDNC#n3&Yx&PW9_k@j`-&8hs9IE9N49 zVhR?s+p{v4E`KO?+3vkY7{%K4%pSn!*?ALJbcF+r0V4}L39wXPNJ)!>Y{&g?^!y|| z>fNEiS_NrIUSU)`6Fg@_i*uSyRQwL3QJHoh(jOn_LpW=%&(ZrN?qZYCcC{AY-Su28 z!qdUrV7j^7ec8ux0OeHZ;ZKvH?R;4rRQuSsR}u3h3%zvLFOB*(>*@Q>C|9G3`4o2h zm$T1r)_&bkLc*9RDr~k@1gvI=N{T+6(S2b_nf&N%fF04@z>+@1 z?=~g}9sMEd2(sWbjTH<543LxQO{{3v&Pbi7{8hegW$TEMTU>uIP|c!tS?1+b*~TCs zxJQn|rL$^E3fY!V=mMBPi-Oi;a`fGWUA6C?HPGKTi@(c8mwUQ4zeB)ksIGaYWs#>}MTa#7xqeMDMe}?Pr)ILKn>LOxx?B2<6 z*u)&~1zfD@^xON5)RC10_Q#C#s&RUdbM^&}_<0G%&;uU6y*;|Nvr;Ds+&-7JX0ls& zxa;0UPN_@TFy~y$tOMGTRlxFqOVVgg4`)YLGOk**J@j7E15{Ek^N8U3;`z{3|yNV+DPV%BAy{kJPHFgOGzVMLB^Lr+pae*E~=-R-om zMKGQMYeamxGGwWOjnt7Mkw5<8rU3>zUEcJxufAqMDw-P8R$KO?spAx{npMAED4Lj+ z4k~m=R<;2u3&tPIFh9vjeOJB>6j5Qqc4UkAuROF2aPek1ZzIjuvpzn=c{7wHf;~dwF+#T@)*HEC03YWZ(mWiVGlxP zyt}A)x7z9J`tUd2?poi*WBpoh0Y6mFBtG_pZ1F9e0i&M!gn`G({jPz`(z&ysbzK9` zw9~3Ism*CvlI-f*I;ayx5~m?Iwh(a!>q1eIFV)-A1(V>{vif7L|C+Slqtp;6Bq5^Oz>EGI}69 zUiPLjf1Y6>0?E!Z#9h(t3Qc-+$Rm1es*-z;q{=#}SfLw~ zu6Mh4?C(Y^%b+8yVkRPx85bchd=5{LT<~e9M;qTY8LpMs-WQy35SCVu6`S_z!SfTm zSG!jbAsjKRYo706Eo^;*C06~ek3}^1)IT0TwAiiCdr|{hbjb~68oSp6%=;3HtnN+qq#Fq%{-Kuj^Zaki- zea_Fw=9f6%o?s=k9gI4?m!(Frd4NUi>huz2}yR zdK~{S=gy2uX1YCGDV&pXDJ#fgSWTwl-8zt)*h7(W#;b71Ppo@(~6Q4Th{^wJSaQU#yESu^ml0kyv-nE2zseE z5VC3(hk;h%4g*2L^9t);Y9v~$3Xy;C6&oTv8 z;^<1aErCIY63(M;kvE5>RXX9|!_BD@3Z-)yolhEM+Pnt+C7za1f6O3o-_&r{>xv+h zX2!T6dW#5kVr#3tv{f1N>2%4C zBd!OxcEvON(K>wCIugTqTU$`y7&7^ik^V4K`xVGqd1rCHW=)EKOm8vP5%Iv*{C9*6 z{5RHofjQSm_<3WFr|_Div;xh17g)DkekIut~{`x}FiU&_nh#ym)kFalFdBL1` zgrKx>M7tGZCMS9kr%~;xzcSBzVU$IPEx^*C>hG>euweZk7m;>YA_QZf;w6$ zB=Q|6gh{CNT148f0N#6b!>~$;ud!ImHsM zh=!r--Q_{;w!I!UKCN6?7i!%ncW0ga$5%BqDZ^Pr{0X@led@40EEW9j~flDzZNn2NpHvE@O( 
zdpg!Fyqq?cIu2?F$EBQBq7*z%UEy<)h?Zqxd^n*wETmSASNHcfZJH1rgG|{bxF%O8 zMbEdE6JRS@Tn`fwVR&yW8!J=zjr9+}{TsY~qPOgL>WYqTZ>H{gBLfyXYxwXMWQ>~zm@bYxs;l8{V`hNV!BgO=# z%NTih2`i=4_Sv1r3&`Mm1FO3@3wNfzN1Qnw%`R*BlroR+s@Vd$!Nn$>d|yz&vz?x6 zoifZtep(y^S{q*~5~ZBqsv+HdUbpxkJyO0jg~_JFceVtv`NDT&`Q@{oxW3{H{hH+! zjC&jbDN-h!+Y&?6!PDxQlC(GmIoY|f_{XojH@WOTcD%wpQ^Dq$?@sJAt3pj*iz&>! zHH64YN;`iW&cN7FR*BAB{sJ9;ZWnVN{&CL4hN$Uc?*zh13?z5?`3hJ}Q*&!gB8^0@ z_@+h8Hz$CffZ~;7()5W$znAJ-dW*$@()uh#xDVsTF2E9f^MOKwvCx6=tE+E;UZ>z& zHyn76I2tKE=V6dxyE58xy?9oV1a2h&?svPAcW;pM&q3rce*nD4i>u9mSnt)QW5=BN z7oV{Wx`#kx#kJRl?Yc2KWkqmO|9kF-w+9i&4w`rWWc}903mc}xTMWt*Yh(V3XIW9@ zWqOTn3=H^r22Q#t{4~v<(t5)!?Jhr0pkLs)Yz(-X^d8#H+I$;V`sza+_u*y77YYWL z|F(=5MUe7}tmLmk`R^lf=YSiTuzGosO9y@uEj|HfVaK1+Q@_nV`L);i^s6`Z;6|Zt z3pnz`yDuRB6AL$U9A3_)eShvhz4ZSf%nu;`e+ct^3ic*@?^AcD~aBW_+3D*3!s z^dM`vw#6x8`P0j9^RE5;^_s87mNkC_;7-WVm3y1J`q=lD#zY0i6-H>Lw=3_pM7 zFW4_UWX}`NqGR_jux~)=7mx_FU!{BEDb8dD`}{VV=Fs0fTpmwihG=`(zBUu8_7yme z4}PE*5f^4F%=*%}`26$3psP+dn$Iak>JT}5SMvsx1g%Ka-b`is3j0i^z-Azrv9aXwpv z?{8iDjVFaizMgKG(!?p~F3O`Zwp(s|nMch;vx<7^#jYXFx9s>T@QZs?(Tn0=mLDh_ z&+HZ^ba)O{F_1lMUjrAUg)Q32V3HTj$)#L|PpNiKO6Gs)Mu6I$*c+arbha+mox<2(KPCQ>k<4&*({$y| zTf;oi3A^*JAgJpVfO_lM)%Lk?$S{sF$d%BWXvf-_SjWh#YF374(U4_HzVUf#GZYxl z{bMh%YZroz$5oD14>GMK^1sZ>e@v#Nufb8oG4oU^G4*I1=f(*m*q<1uR}{;1L`I>x zpgg=luk)jg9sb;1ZuAkHJ*L#D;`LzloZ0$n!uUe|x`q=GHjr_zC@zeCr{K z8Y3PT5;29heqS?VIv!m$7PGqe)MTjD?z^PRohF+BcXDlCp+U>AYz#}%Ib5xs;VzC< zxdPFka(0GYM|}~eg(LSC3^YfNKP_Lr*me!FfV#h{+;Ql^0^4e5jBP>m=i^ZCIiP%a z{otj58v5_0LN;@U4qgPUrE^hCQ?RQcNB;Unhzi7$CUCwIlom(mHQswEDUERhv z$4$mPxcWX)Lp>Z}B2xofir3E^D|W$V>}HkJoC4w{)k)4HKMC%EHAtIYbAf2D4W>Kj zK2Z|;ICh2WCY+i&uG-%5oZfr>O?$BxAwr&HS~l{DvjV~if^X&X8g zohOnzk=j%C#_WQ7S_B!p$97I)yyFNToDx&J(Y%*ksu$&BuN;1uSRKfg zc?->bL2_-WTBheArD{!L!&7^5f8#ekRNf0O+0^VxaY#6;u1mL5>H1ca-m}VkJ1C)S zCGM{Y-Dch=wmR*zp4#YMaa)$>$$P{)VL4DOro_fz?YYhm9(*tKXk3}gbq(CKPj}l& zsEcaG{i374WqvxcY?f@$rTP5q0ncErsNs~volsutlI7uuwwh-g+l5U`OcKQ17e?VG 
zIi9yhxVf$|ZlJ^Pj*^w>;&U!N5TTE8T-vgRiWJMU9vNkWJCm+az`p2m?M0E{irU`) znR>}fkboL;>F|#I7otD>Z8820ML2Sws25?OSw2S0!E`iRi?>6%uJ+>wHN0`7VC2(h zE}94J?RNo}1hnCA+VFuaTD7r5=0k;3cdmTSXL<9SBG7XYIqm}?JmjqI0=T`w1b*}Z z9N++sXPyi4vSKEJ)Uyd3}4ihZ!FoZUO_zCtzeG zwbsT`%~E1Yyz<WYdZU<0RQxt0U)_pnrgKF(=yNml4i8OBJJ6KTV@tW@qm#VJfETT3+utJQUf=~ zqwB~E|7{spV2D>cWHW5w;jer!JPEGETgg9h^jChpA$tuap-}_rrvC&CRBpeh$D%c^ zf{pk_+>7Ao1d-F85pu}Etl!|^TXfz{2L)Epd>cf zBP_ptCir`b%#yiU%T@~qGvL_IxS#Sv?EQQ*;k`2}cm3~i|Lwxjxduod$t;ro57Bsu zdu9=BN84RJhDdzCo3jDoAAh()v$S@Gr|<9H58NTZRaALMx%4xG_yn6va)&i!)V|;~ zKjH?@NU%QYp7%Fjou>!JfB^)y2`=(4Yl|NP?w)HEapZLDUqd$N^3Fe{qcY1;|INOM z+WW*4mE6~S;M<4YBuo1HQQ@8dKN{N&rar&%zX0Gz|AH!!oN^y;ZWs+eerGa{fA8H4 z%K$SNnaFhhPgepa%+VNUOHsiuY=B>QDSiWB(9PpCHmZ<*3a;cY$6fxBoxLY7?aY`R(g9NEXmqo6`S2_rKhB^f|ba(yj+p zKehKizC6qYETJ-@<$rT3J1WY~StQ;+w_$ev8aaH+W?mnEym0MdTkwoVYpK92e(dprv*2mwjO?cr2TC=Vg&@ z!S8MWES2#P9a}Apb9;*KU{i# zAJ8deJcRzEPC*JGIh>0>^J|Cr^egBx5WrC}rQ!ckr`XrgS;%0qhb%5-t)L+5P90Fa zywh;~i*ex8ZzHa)qy`5EBUf_1Zy^6WQ2D)}zzS9)`D2`>y9&pF=R0jTi}=Tt2=B{N zizk+IqaxDDD@5)4uyy1jU+G7QnKULm=t-slh*Zf5ZIiEt&MzMIn(8Na3i~&u;u~77 zzt{_Eh}&ids#Cj=LxVNXO8rz=q}+2+S;h)$3thG*hwJ_IE6HFT+c^jq*pak$Z2QY) z%$1*S;R&3IM2f->ssgjQwk^Q>lhSSgDfJd@*QrT#7}5~?1ZP8c3T)ZRbaT`NX%(<>5md_hXR_@BuA z&3E9Fl=5p;5LH|Fq_(EoSF8VmC;+>I##TT{^Smv%={XJGJv9GCz~pj1s&9CCe(5x^ z10*F)S~mQP{#?JXP*?(Ba$1(D8#4vJLA}jEz1bdIiG}TO1KH8Kxu1PY0`*q`-{yw3 zZFr%+{lcb}9W4M?3ZQ*5OlQb*>JhmYz|UgOSFkia33zx2YW%;6B}d?OvZ&tv=lplk zV$*lc*$;U5MH{F8CYHp3H$HdZw^wf8P|a8O{+|bhYLV>1FO<7qTaASg*oCuOTYsUs z$QNLPbCc}C&tcb}=Sd_afd+tFn5m^L78|Wxe-0#M{ul!2^J|7S*^y;D*h3nE`E@Sf zrmz|u4L-axQp&^m1{KrLw#Qwrk7$m?DA6G@$d5F?pA^OZFy0g?_D!|7lntnpzeNBhLGqk8K&S@*Qg zhS%2CemEq()O&XvxRIC&1HK3clJEIHQ4BszJt(pUx{w|yocF)=o4l=LrB9G@qOXO< zr=LRIb}~!4z5(L1`or--$e&{1z8{>pel%pJmFa56iqrAiG zoRu8R7B|=>zX4Rot`z1DW=F^iAK9J?A|2{{TXCe60B3BE9?9u92+CZ@$J;DgfP;a6 zs0^e`++p|<7P|(C|$Lk%iB!DY|$!2L=@L55LbYkEfV zcs+O1TUm{Sc@jNWrt(wemYF$`$N;P$+mOK9qw}cvO6`D`4$_=!;V!2#(^;T$k71GX 
zqwflpvyk1Ibz*nw5zB0-d9k?5H6_Q9s1G(J4M$2JJc7Xnx+@)6{ce?nXx8E5#5hd! zi`{ueFe*dyN{nS9A3C}m5tq}O+#IKhEwh|$Y%h8~gjum7O3d_iQackgBdXjMGa9U( z5x1GONHaN_=zSgy(GL@D zNtGbGH6L-riD!+VwfLeomgXUE{cp36t-P=B zATzv|+k}xuqA9r-auw6sINTgAUC}N&WCc>R^=1P@7;N)4{PZEBJXv zm3AX!*z?xdGOXmmab(dgY0Fm4l`&-qN}^}torh9C=WOTXx(Ti$-uidsnD>SFY;b6=-Joa9jcCmo28V%gjmM~@k&SBLgqux^5l@T@L!V39L)ZmKb$HW|-V%vu z%J#0Ax~Eqk4V+`b27&tu$?yWv4 z%pC+T9TK^}?m|IO5bl{HvNDL)HQ|`?Gy5s+3lXUImm_RUTkyhJA^T2Ucs*rw;fSuq z*sU~}+vWVu*B{dw2sXw%945t@00+4IBRuK!iyG3ZPEB!o(KbY?gU^JV$$4#~^i-^v zAA{909mGQG6~6hswnkt(s!H4Y@W;y5OWhZ(rgjlf#l9W{)3*39R{a#QEEdn6PC=ZlG~ zsN=}i#0>f@XQ3VW4fgN3tFjyH?e(ny1G*4?(yO$=$oh0956bNB)e(Se!Xtz4wF_m3 z(cslwQ~@%OZfsm~Yiy1uNOHh6y%-y3l)f6NyPO)^&0sSO<1K%X_YfwG&PDK|Il-Ri z6cu~y6a!}!7iDUSY>arkW?97_5?s;99Z3V}UQX$}>piKL(@Y|GtF%$iX~dt0@UmqF z6RXao1qXN+;{ea}u12+KTFrZ8@>T<6veJuge;4~}pgy{M?MFSqr9r@b!W?%=AjiXKlLt5rgl zSe^Z)v|yrdVcpuvH6ut1xJ2OP9vMaBbjRtiA*;j%siO{#p_p?QF%F9DF+&}`LRrG8 zu5}acPlsWx_$Rz<9>=#SjwH7dn>ZV1sye#F|38-+- zq~%GL2w{vseKyw5v4mlw)$MXx11}1ku+G8JC_UFpF96n>HAW~=7gr8#WXkbq(_PCb z5=0iQcE(;#b6S>Q$wD@)`-)_?v}#_AbP_`<8nly6A;S?GFv2}D)|%%eg;WgGP#k%y z6>vE~1N@r=7UFYOT1W7Y5pdyRb1pC1nu*s7FyZ1J)l#nQp&vPrin+&iG}40Cs@zXc zWv8P(hhy43%%fbxnQvzVN9kETStLtr>PrfSfJ>LIuMG}`8ceSxxr%$R*zt+Yl+IQ$ zRqHI*YLi%{Q~&#iS?w{nM-~PbAd1TRjYTpfVcl=sH8-A`8Bjc4-@ebPd+qJjJJ;8V zYeqK1nU7{Ub#vXO;LzXX*89$a=iqCsdKTrGuKTuRP%3c(8<#NesIlJO?|$Q=@f4U& zYF}zGVtcXLbfhsVN?IQc(oI^d6aXlX?vpq+kIJ(_o3(NwjY(gJ6 z2)f$Lih35O(3Pl5m35pFt~0%@RoZ3ElecP?p+RoqU>k$jrtI~EEaAGmV5FLOCIBZ% zo8TM}u%)vaP`q5$lMS#p^{sM-G?7(tcytyo9wX#3g;HCH&M_y^|3Wn^hdDV&b7I`= z4k~qFHC!`w$kd^DG7H(3+HA5gAEi_?s~tK5E6HFyiBxPFa>lI$x`))bEqWSA*#dqu zq-%O1&B@C;L<(6Xslcb5794GcC0KDdXxEe=hcF5cVGe2;DeY}R4uyVutwQ+>^po(- zM`?nY_c<=F%J!F&a0UIY)gi|1|6%XVbBS`+1Cg$ z_I;nGRG$)xkiD*uZR{h)m`Ndf*#=`P%P?c?>oEMz)KwYWbo>4B`+dLt(?c`wIq!2` z=k1u9cikF1l(~2L!mc__qQfUp_T9CmC5`(Q zl;y}BZ#RVLQ|k3ota7`9LlMWg?#s(H2u#1SFD-~qw<^7dtWzH;>Oaw}p5gByQ@Y`G zKu!1D<6y+?4z(}U3gm&H;;`rT_BLp=55nXahIhimY7R!17Q 
zgZ9s!eIxGIOIdhr2S$b~fuJQg_Vj|Ij~|WaXpl=mN~GS)9)@O#mQRM)WnWKMbIT8C zIcw0jV+P2;kh{{guP$-X>GKlMBb zyU9e2A|R>9qYG7|ydWNl#O^%OU}tf#fpDR5762g;%)+dN7Z7;@IvNA9++vu5j82jV zGOg3s3?4Zzs(kTsohRLU9!g1OKoKh(c7644fvM*+M z_GHye1o@fDx*yWb$+8T^%HhXlaT*z(07l^YHNmo2U;91@U9qS@MEbRv8U$bSAWE(z z-*nNZhZC|jc-}`^v*<@HHsN?q|RF>6RfddiI)-4t4^wuafh`NF(t=o_(Yn)gTSXA1C>Q&DbEZ_E&x4vYVe* z<_Ej(x4(eB@0vnD;rTBoQ$_^l?M#jM?5$+`$nMws7#cl}9B7dH^J!}ySU7qO!7h0( z&;zHgL8Vw6gc_tq9{F!)wCKrxa0z=~BgrlL6q5XU7f^4jpMkSx&l&K@@$*5!9#Or7 zd^I<#Ba~jkG*ubWsi(xSQ?8r6Pz9$dYb}4UaJtiIrHHego_umB*69lPR9Au>@JMjy zW8uMP;ONtptd;^2G%U%LiU&vCG*3EWI;KguAx}&gyy=Zr!DfQtJ^Q}g7XE68Wr4HR zD5?P*oQlca`KBR8DPyAr8sTT3>r(jB#w4@K(D3+ZkL0*AXE|rq{>hv6*+m!%cCPmWa}PHLB*N0Zu(rFd<8+TYNQxD5iCmJ%vv1 zRS>GU_MO26gTdK}lxFZVvtz~!TySx&+iH!(dTKxV7L z=m)_KMO1hllySr%EbF_=Ly~}@sMr#;XQMuds7A5t2YFq6TsCTaZmudyQae%_>h*C# zA@5d1ZyC%poN-?Qa_(t#0o74j)1#2@sif7-(E==+`;)3AO5{g#3J3M>v%PQJpB~JU z+2V-REz(yq5xH0UU=UpGz0rE@sO8K86kYTge0Hsg9?=je*19-m^>KzjN1L1RLsFs^OZyr84oIx+i7ImK|FZYA>%6piHQao% zV;!*$*il#~0HJB!^{PnnzUH3IX=8_@x7hvOnymp5EHTwX_Qi#}rG`$nL(wi4@hF&v zHcwc(W)?UByEAe5@`4Q`Vu$&Bgi{@lG#nQmrUdCv2PKX{gQ`yUcyd$vfC}28D|OeZ zU2hJ$QNS>{9{+cbr&o#}m_%2LxfvLz-1aYQRcg0JO69PY9wc-F6T~q;2v}!8DTfGA z*WC0}9^W)tkPZ;ODmB}ckp#5hnT$QmSpZP@8tkMXm;A7KyCCdyLwDVW5l-vdrY`A0 zbRT5BB-xZ~N_& z*Tvx2y0ZE5mLi9D--bdj98=%*>3nsLz<7XT?e>4TaQN2kfk^~DV%1I5w8C#3h+ki_ zO4lJr^!-&nxzdYZs=#xew0+>`<^jUmc6=uDe{$b{B0&-$tNM|a1z+5MoX|rL?)59J zb(N%2172MC<(CWj3jc9~_D^5={Xec@;f=|_x2+p%bN7eYVi5skMiO={jQAfXqyZwq z^5i~jT_ph*z5Xjh+~`s{_A|^5hE3xJ_aH%q)HK%rxRg(nD2+G#I<5aiT?18cQ^b8+ z{O9HYIKJpVz5eU$e*wu7PWb;kkZAD3JZC1hkcM6upApIUx|iQ&1&xgWtT!KfAhx7| z)nS&G;9ldd)d};acfPzoAnrR)14cgmdyLW&c`92MU?6t5bPSFh*gfUpx&`qAqayys zRHZatw_F-?^286rB{h7H03uye_1sC+GAX+CTSQte0<-$Mn0OA$>P6c?9^hkZ!0Wj8 zv{DFeD>y!!fUY9&_Y3j&)8URSA;A*XqJ7a~KzsoXjs_;HrFzQ`jidAP2Zs)`O?NG1 z=fKb1&<5)P)~LC=W}z+VciD4U2Ehmcp2hOE{M^kvFAC^Ov5afi{QC|pJA<$DhCu-0 zrfR}X#)61jy-b^*i{(fg11k!VqF?iKybA}BP$-iRKY8Qa z2l$`gbK{!t?80K9S@N(B2oZCuERb2OjKt&&gJGNf2%juAVOWLqU<- 
zfynZG%s9T7fqH{wm_(ypdqUH92mMtIYC28?NZN~+2MGI_$AdU4zjHZ6w~0MJl0?0zN174Gqo8xskM6~r`J8^b^TJ27fW-Jqpgn@9Z!2$$)W;g@z^<{`BdccR z<&Nueu7_O(ciFvM%+;Ul;XFyWAK#=j(sx+0e4~PX$88q97vLfo(KDE&Pa%x)WSn2J zd5bCe1(zB#0L13>zcZuhtNuh`zq-_HAxlBpz^4BNk{n4537u2Josg)CdbMaTavwpw zeOhU}#lBirN;jtSNBjjK{81d=PS5vc3jh2OcjO_@J+HaZX#LD`uz|T{L0e{+PX+D? z!_Q##Gl%IJFIz)JK^~`hp&8Sq9dwGYl6~$L*H1ebj)%9;n%IvM?r}xE*vc-I-;+x| zWvKWAmUbCH_Tca)nhFbUg3pYk}B0yQ) zRRZJDT!3ArTSzpW#VuH2Iv-Ay##ILVmBEp=MNY?kxQHc*W47BoP%~9C;2jzB8{-w= zFocfwwNV5-`{e7f1rynh)%bf7?K%@+n^Tg+NwVT9&QO%Bl1J~eyXzamDW*8162I;N zb6GU8Kzg)7Fli<^T3>g#EOJbg*p-+l~fx1ThSdcf?q~@KeIC4Nr7}QnBwPawy%K^`{E+j-_JF zimecy~SrjfsxDB#goOBFIX4R{>3%OJ`oN9Y==~b0(Os2XQ7(VyD9NHKyYk%hD{*y`GwAsl2$NBG zxjlNo-iqCG?ENEkMN2F3i`!&F(0@|@j3Kw8DQUJTSf5k* z8$^wpUNcJP^Ot6}IlZ%NW}UPUfAKu(f#Mv~Z~l@KjZf?EN6Tl}&8{DhY10fTMp^}~ zkcmwzv>Ug9#C8-V4)GVtg}t|c>6h7 ztMP)%)&Y}t$V;NOAK&Eh1WZ^5CY?SsZ4(hNo-ubaShhtTeJ*J1fb9KSa`$ALnbCDk z`UG2ZJ=bh#WKZYSdqIxcC4KG_>R9msa;30Brx!_NpdiC5KvjgBt*Gv#(lOTHh-Q6g zLnYBdeh`2bYOUbL(KwolGI@3aU^Pc^c?=q`Le z!9|3R=vikJf`}bx>9LMsnw%Ram!!7oqf*C+z3*d^2JVHD%StqJG&9=3)$(wgO69Zx zkFRs4^uTJ*c+53$>Tr!_3N1dB8jsV-3d^6?fy&ls3YNm9H3iB8u7r&f0=&!Tl44Be zr{yo}Gfj?!l;obio_TG$(_gyHBheXp5ocFa)E}=|Q((dtJ}!)fw50~FsU6^uiBopv zhsyRs1_W@Nrv?+^qX?}HGo^@JIb%YSJd-?;QeQpZ9_N=FNP^%kSkQ9;^zX!u94}uV z$^kp-HC{j%4`Xw2y|Y7{636GzS~DTusEP<(_TX(%xiSGr!}MC&XXqR?_3<=Hjb>_V-d9 zib%;xwVuI=5lhlb+tZlBQ$4zQh&x62uzdL=f9<(bbOr5|JQEFmWdJ#^2Os`w+s_<=Pym> z5M2BTfyV#7#4p>tKP?@oP`(7Y9z}=#68JdHjp7D<#adFV$VrHwf`eOIOf#$E(T)tz>&Y>|*Of+l57&3Hm-&dBV zj1lzrO@`=9U+zO-I7;t_w`P{GL-UYKmpZ#f<^`AL5 z+EuHoO18a*f5e>#!@G#!K1eMF>92&MIS@B09O@{G51ekIX|Cs>w4cGS(z})eSSU^w zisFGDVcz*YZkh*h6I=w!F#Ei15|0%;!RFS6yNv95ImPM)BSGd7UB!-UJEh)7cd_2W zN4djo1Zwp?FaE6`&SS7OPmAyyqr^M;!x7Kxa|6ug0xX^+`5dyc3rC+KdGv&ux)B-8 zt2s!!vPmrHsUk;9*^2mi=XOtL0eEc`J{sz!+v49mc&?mm#7)GTr{5|*Q4S(lpZhA- z=JSt`pBN{UhZE!rXca>=!^vPyNN|U3&mZmPnBi0?1)^z*8#EJ7 z1(sL8lQx5Wl(_SNALg2ZU_qpvBDCpDea-n^M6(_aPmYp9CF|A>zWCh^ksU;A+FXCp z#W4~YrTqr=fHU=3%H*FtiHfTi{v}Z_9=NL!<7+b 
z0T)d?N#*VgXH5KJEqiw1DnzQUNk4ylwSiuYNPIkaEX6-TEF=Sc79}!X?@(w(PW87( z8kyr%(i7*4y+*^^6-fLf)siQ<#**O^9=Tp-SuHV5(e;$0*{|pIuLd=^H;5*z+KHP9 z8tqo~Jg2FaqG1N}e#dl0{(7dCome-Ub-wM)Wjgcmr`o5z8A#pJ^h_#DUh>)ul5vk; zy`e!!sOdSmR+FFxq}2IU z7qvBT0xfu(QtD{T79PHL+YRI|@IA{kzrpva*t;u{^HffL**hJ&>-GC}2*GQy1p84B zE3rtS4-MdBLlt!2!D_2)j;?87A}gMDuNP*jsEnv}W*tdxtHxL4nyaJHt%Hh?;PhEC z79Ew}++6)KL(RAppOG@6#d<}dm42&{He+O*)lF1FV1UyI_Zi>ZU{jzaCMPMQ@5r3Z77Oy)&=9g#)~Xi-rS_ZNChJ;@uyh;ielVa+^~r^s*j zS!$!{m217SAEV<5*~vHo=yZ8$>@4d;N`@R!H`1q?=B!xpcuDhw>Ef(UZ>D)3!@ZFM z6D*^N;>cIq(#!cI_^64B>_q_>%A8Usj}yorDkMELtj(;2bMj7&lnaQg-(G8~f;JO8 zm3w@TXo^2#hM|{}S3@AwR1{A}jZN3c3)Bltk|p7mhb;GI`|>DRK6_n}e#9k=EV?&a zD?=nKzxLeeAlKB8y3`z%)Xe_@YKFP?Y=56$mTrabYC+iIa~kSE1})))YXdPB71wT^ zdp^7&wNjF(#rRxprrbJ(Hz}*F`w40he5|-=kOwxg&RaRh`o+4%_>^{>jvwc9Oo*tyC zX%CvV4aUl4qJuM*%~OdaE|~}rJC96O##$%vT?v~jyJ#g9LTo*8wePyG&M=dGBx6PQJ zQu8mggeAu%jg;nDp^jC3;uOSqr0GavaPrxxq>z-x6QR#Znhk$9L&Upoex0^TC>E3M_8%b!)lM0!6ro}bm)T|-cPM=&Z8F9=cN;5oPgcPb% z%@f-_N zElhEJmo>jLx2=2E_m~BfwvI4wdBHPlbXJ6I+;pLSbuia{k30$YvM!5zKh=#%O-`bz`3^LG3)4mj1*fd$CjclUy1|uCu$}i?c>cie3_qwkMb= zF?j+NXn?NtNL+V9Om}5OmzE@JcK*QX>%{aw1_!Q^EOBXMjsYJ%b+`YVPlTL~H=ZV0 zL&X_l4teK+Eh_Dnrt~QnfqXPgjvHEhz^SA$p0sMHkufL%LgyTzbC(8efSelbd|MhT z+C2txo}3i~GZGzD;s7!!!$OYp=Xi;f|>00j9LF?tQ%suDe95tf&Vp3Cbni+{XOY4N*y zb(#ttn|S>ruSHtk=OrYEW1NAj;UmZ@;Fp@|&-@77d%RMVv05BGP-2eQwadom$a*X@ zq7n;4>$yJTGk@Te&fJfd*ZN8ryQH{F1 z?%;|WKNoJ|!@NyOHzFnY=SJb7!n&Qj31(TgSnaOCih!ohU!_+5bE5=Nmz2vXXh0*U zKPG6HkD%`)i)oVa&y7+BmIQAJU_JWp{ILvveQVts*aG?V$*iZj?OiQl|9Q7TH@&c$ z)thC6{9O{JK1tn&h)re5v1;Ys=P~rk(B3{1J0bJ~%}$bofvA|LguGvp;O(~KrCqn& za1NS6atdennz}k1Ip`68(xLYq2_p6FI={0;M9wq_Dh`5J${(>Zr{n88`m%`Ko`Xxj zUFj3dOK_%^pbAWu*pk`PTlXVzu1m-H1u?W>{SS?PLCjKS`Si&zh*|!m z`2{g6AoMSY`2{g6u*NTlS%EcvLCgxQv5Yzebhuv-vjQLe(qdNNqhDIg|1TiMz-W8s z(Iv(#X5%`m);v`mv={27+qijpZmy;T$fDp8FR$okpPxE!JK9qj6kT4%e-pN9_YI5{ zc!Ny6FZ+JAus+LFS|A;RnO=d1D^mmSOe@OWd3fkGqjF(*cebjF@{NgV=-jBTy{N~O z%_Gs(XE5Brq|rNVft);dW(j|8gSiczz%pGxIrPXW+9|A>c92AH@TGPd1W;#xVpj#^UE 
z%fgf0ZjEC@huI-e8nmE6G;hg+%X2w(XL*6c#X)qy?Q0vUf4n;`a3a^^b4Kd}R z6ZRE4Kj0rS&;Xv3*IJA*OFRVICtK{5sjS1o#>S>1bjN{?An~f!&QFEw1>FkZz0BOx zI>GqjO7JE9b1@FE%F4=*cco`Pl!3dtEm8YK?Vi8g^CMGtp-x?!`QSq7pD(@<1$s5k z8{97Dua~%Xmp_fceVHwAeEUHpD`^{w>S+2v(B4sTy^ZA-Sn z7|c#pPts^fkCfT-2A9@ed8L9|eaZ6Vc(4s_aHJ;fS#*%OQErXn?pLw$A@{X&tQ3>f zK$MhZ(W8Us4;^Ss2vS`}{#PQvdI13QQ=G?TXki{>K{vYoVth8(AH}zxwBN2s-=j)^ z0JiWXOrgE7KQq6o|>)T>f)kss%5sq%i}dM1OIea!$U) zz9me*An8kR<`xUMjF@F&T_RZqUa+(4!EkteM&%WMy@W|rnZTuCZ2fUHS^{DA(D`fx z+*p;qCUN!Xw_^tw?)`1SZ@TJzekF#N&XYPj(?8UgMvu@k;llPO7Xbbtq&{O^vL3N@ zWa{Lcn2@q7{dmc5&T#@xN$ftsO1o5b^{t&&IL#Wa>|a|4wAYfNTZ~dC z|G3aQ#@0S{ZkSrG&Q6RFmhnV*VLsm{q&v(vn`O-cT^AT>n}!j!e>DrE^z6{?%}>Nu zJ>LF{EH)!%x^J9mdFHz_`SNP;2WB^j*@6#$4F7=_FImEVnWy~wJ+xScS0AsnLC~)6*>N~ z>ImNj9$q{x2rmfbDE6@?{Mfr`Xamc`oTJ?QEUN~4=?ln&q>rQ3($V<^vm@nyrs}BB zJpT_P8hEaw*6p*fuu#wgT^y|+sl&fxQE7+(#BkKM9R*4}CTuguH8&7Y`LU-myf6+@ zz@o6wdw1~~9bvNvZ|i#u7j*@p&nq{pf>@r| z{CK|c127T8cwR0OVEGLn!5&dBS+5;X{1hcOu=6dHehg$ql;4YYu6?<}g}?Upx9yVp zD7X4{N$dC3OO*0O5S4rf2#R@f;3ew$go&Wj_Z$ymR>q%DSpf@7m=7zgnhQ< zrLEB+Z$J%V5w++;3rO=WD!wzX8Nr~)xh$$axYFSxQ1E2-^_|SQ-|kK$dnMf`re?Yy z4Q!}gVxWDqy=hf+mxYP>z&A+`mS1_HFT0pSiTw6CYh(>4neJ3bWLkOmuBy7<6*_zg+oA$q9)t29+ z8hc@A47Oq4HVM)dyTGq>{AOQ?d=HrwN1aQj#k=7F=)kC*7fEhy->Lud`=zHd^D1I* z{$OMNG*a)jDNq_xd|+-cCBh{Pnya^x1b~SlyJjQp)MbYpg3;jv=C8l^CPiRaT<0;A zpaNnVAIxkXR$W|thgms?v;XR{8~y}CYSQvNm9huZbq zLzV~orz!?UMlqvvSzs4D8o!h5^!r7y3pacWFZ|rGWK4}Pl-EQ5+$d{-Hn`R1((m_{ zW#`q7oyH4}F5^<-r#)GoMBhN`H}bOR1xIDTC~NueAE33<7Cp82h*{>VU|8=XRy&Xf1^ezcKp4IX(gWe*WFnd(m)fao8Y+(1W!J^2w zv3l+)C%tA}sQicSp1Hs28egV}$&n@=%Xq`MNYE*aF5{kuL;#ik(F zycd)FscHwPj8&wfELra+{j6{lU(LcIpl6X1_z*O3D$t4$b4<+kV@u+Ei0Qq(nZ;zc zgHl1|J~QsotlF`B$l{@B0QDP|1iWLusb8z|DjQARto=uQWR%W&ez?sNw_d&-$ew1H z%Ifc5z#9y<0G`ZS?_+U)@mxAUH|!$n^&Jpd5yLL;x`-Qjxw%a)Xt!hIfKO4f?(86$ zsw-C_Iv@?A2YPXG?}N?`e;oSoy8gVlw5f;XfyM{KTznMKLrP@SquGp`Ro+$3qBycv zul%wfdREV~T8B6p?eg(n>1^V7m{bXOd{rE}5$~>dL{#;}=zW!DAKWha{x;xIDxEE- zT;6Trh`y#+W1^A(S0tB;nd(1=>>9PlS7pQXrxhA_s=IyzE#X367_ 
zK0$k=U3VF&K!uAEKR64|@Xs`j3xeC$M_2ac)Qfg|d0F@6q`XNWRl{m{23ZHez z^J$7QcC}WB0Up?M&Q)5+G9i(GIfGf!6Zf6lopq2wb9P0@<7pu<=ipfc za&FIIRL%KjDd^m+4s_?0k{-cT3O|TEF~Hj8)ze;#rPb0gbUOxluffTkwgu?f#qn3L zK~plPWt6CWoXgnz^Mjk#Ry7wV*2_2Yk1BRp?Mw3BJ*sp1e@S}B?}AzbZcGvpru?3y zkgVG65|(W81XHNUI_2=F(&i{hcSK)<4mLyjcvXJ$&3MHv6Ww)nPT1^}Injs0<;VQ5 zLY-N2mt?^$4>hoKs;|eGvyvtiTHz0Bd)~*pD{}<&@=r4Ka7rNR15BCEwJ5P^liazY zeN=lym3yGo<$G$KbkrUrRdYM~?4ZzhVabx7j0FV`zgh}Y)R z-aDfPnzp7E+(c@J-l8e4wHW5UMS&G-m)LZd1yv1OTUoU^O2aZirK34GQ9JkI9V}w^ z;TE}Q@o5F6+Z9JrJs;DLA($=tjegfQI~bp1CE}tr5l*oqkM)fZD?YK}qisXU#!*kr zQI#YK@ja6~}fxPcYLoi3Y!*(pe3 zv`$5N2Q@MMijN95jH7W1ocb-ts^AlMZLFK`rT9zFOM)B^eky3h3uV^~iD(h!yROYHKP_qW zKUM8gjZtKoOHy}}X>?=+H?G0D*kN{R7}r@*kT4Kw4V}T&_Y6$6WC_=A(ml}kU^LRX zEw|NrTF0v$=v=%}9wVj2(wj%z!$mZ75Tq3@GL|X=I|b4p!@9jRRcyCu1k2Frff`w% z-VJ%h@3zxhZqAL3q_46wzp8ThXgs@;cvDsq32wV}Tu=Q;8VJb~JM>bWad+^j0@Ct8 zTSnEzwp5+m8Zm$GZQ&Cd#Zg4j57{YKly_Su)jCK%tEGRy+^pbog3={YWX%MCG_gl?TGj-1KII;?>S9-8p#k#2IqRdbv>r&9XGRX;k$j1Pjj=R-a5z ztB?pgjXhR@625EB_T4%k3y_MjqaMI}oKcHClrTMdyXLDZL&r{K(IZW^@E>{zD$jH~ zu6xaN6SDbjY^3)L(;P%x^Ek=WqW+?O_Pi=NB2W~U%=E@`Q@bjj_Ua(5neg=D4kA(u-$G*VNt01w0RP7>8)B*>Ur`)Er1nJ?00Hx z;z`I=4w^I53YHSJNt1N=0MhN@30MgtU`-S6RZxPfX{VGTE{Q48!v1jT{0BzpVd=JU zDIb-6giWFo>BY`lEMBpcJ-q6vpY1qP$`zf}+FUd4?HV5xA=9jy0gVqz9+db{OD}{g z3~Tx=)6LjIk;2bihXN6mYWE);>{NQ2m2geKfdqs{XSIDCVBOUEEYK|vz7cWiUh*pL z|BxGDs3o8aD=~}L2)2yXyJ@P(bs|nlo!yu%X~+vebi-9Wq*Kb1@e^gjNt)5td*7_F z=C~2+Y1>y5`{#joQurtPyLb;&B`a!|wnfJJdUG@GIeF0o9FLZYt+psg>T|T_-exbA zK3;_9T}gJ=u15`lX0>>5{VdJ!Iuz?{`oz+MPpD_<;Dcrb`{ zc9%b7R!iX;m9VmpN9l2Xdqit?YY{iS6WVJ2lm(}hQDIXZA(~0Ll$xPJSIqFFM^dR9 zf;+r-O9j*J%1%$xFukDZmT0GSaOT2Dr`?c}EbDeTjAK-LFKL6g6vuO~x!LK4{jU4? 
zun4ic4-OKCfoaGxooUdJ-M8z$_F~4Mq4GD2Njn2Ptm5=3G^H$$ZihuExDe_RN*Qij z8WA?tRszeQ4dsr@d*WTMWetDld-m=bmR7I!I@UpO0E>w-*uOOzg!osFy6?(3kCl46 zXVkP9G;~KMwmJ%2#pRdDn9uct>f_fR9Zg!{rg!O#U+)B-=n3+!y$e$QSsHqE_peRM zM`-mh;4HHlt10RRL3BP;y9o4Hmkcu)hN?fK)JmZ5s%n*!ANcPT7tTFly(YU^Y2y5} z+dwY4{t(fYA?<@T?IgM#1lepvCr{90Cm8z~!mUv=v% zzOu_m9P=kT9jKBOdnH(jPI z2{rL}`YXFHrNZ)`yoPLAf4~>EQHa?|D zv3eJ2mIZ0>os$Ig(M_6mrKyVf`{fQ$ zPyZ~IAwD;xc60d6q|l3nFv}0Mu7yszutG#Z&TnLJ;#%T|`6O{W3>CK7yuXU!+meUB z%f!*&%+ln~z~gjVz6%Sa#T!n-qGr@{yT9V^N9ye#FB&e0&rRpcT)74m7 zC(j|lUb!n2m~X8rSIP^%SKsOjY|EhOkYr0GS`!tsjh<DWYb_6NR*7 z((`I_cZO$<_2Qs^YPK65PtS&I=4P*Acp$F3kBU?L%oy#vHA2<&+o|P_PpwnVJfwT7 z`nZg!CCP-s_n4$GqZ>4?HZD0@?uNfsM{QsEwiK-k>zw*dl+0H}{wTE`(^a_7rN!5U zFw4z*#GR7IuhpK2QrUnj)K``m{tGhC00TXa)5pDB55^}s1;O|0)!L^Pkj-nmaacPv zajX)z!+q|ZkU#aFxTmdb{B0P=?8^ta6%vhFMeuYdQfx*juwtIizBC#HmM@_{i6=r= z%7v;%cPb15H^bG6T?ooPqOU3Rnsuy~o~u)^jT0(T6CF><2Q}Ns{F4xMHio}@st>Fl zs+A3l#_w3XpON&ja(0#c2+2bPfH@!T`_u8pd4}X zee)z0R;Jkc>}G+lN=x}BsX3h0ROuvXw>1_8Kek$HY%N{+4x5oaJIXjs=+aK^hflR{ zMp<&MMdpXeVej2$z(`WY=8XpRj4YD2ioY6kQSixOwo!PXczk`S14fpk|H3=rSMS$^ zUchifzS+opR*5%FdhGhqrxLv9cV%;(d$cy^5WCCa>e6-7&lwJgZ&!s3j=r!bG$fGu`fRG2{KuzKJe_vf%w_XiuJ5?4 zKj9ms_SD)!^=(~{Fm!|qYA30nt>#%l@G*m2b~o}YEl@`hRBzpVo+2Ta@cIP<);DFq z72vOvQ4->iOXv{cqU;5`pmI~G(a=`|A^W>K*2=d$axKRjC12BP12_h+)`t^yHZVNz z5v#}+QFfg~woAHboyHlxs!6Zb_T&uKvH6H`e{+?s5ziZw`HSy_ z$NgKw;5NDzQwF4q)?pl7>BoG8C>mFsl7ahG(9-BVY%15Zua zB`3w!*ZwX)mJ$4$nAIdr6bcblOmjc{IJ8<>N_{%w4bQ7y(9+ zerOJMW!rq+M5(05v0)AV@8VFWROCP&s5gsG5FCxFZfI=O8t)N&i0RQdYTqEnd?iKt zH3b3fG4(PbRG*`SMr}8!KABNC$jj+uM2U>$FIjAOEY?`Q0xWPreq5)QKE+*6v(}9k zBCvFfDLD*d0y$emPb}N?zwo^(H@$M&y=D$PtIVs)3R%-9!D&=c<}>;@E4(DDdv0d1 z-R3%3vefmp>_N86*hKHq<2j>M+8c%K2R44Vg3KWINQ?#_gZ3M-hbQ`ypW0bTV|3UB z%V+8Ws~a>*vmZOfA7Kcb7~C*zQDJnVPK^wD6J3l%tTxCLV+aB$ScnP2iyaebeCrO~ z<|$F@Ryb*W`MN{RQ)c0rPU*Q${v<&qZq0jk4eyNo+WWbmF*GT$t*2_`;jb^S3$xY8 z%N$)FzE?T(mVC<-TV+ACBa2;I@~AF0y=gK%%6LxR#jcqcTaP|l_sDIuN$H{eW&I3k 
zY<*U&9>w7gtW$H9&~Zg*JSo0&L2aXf_$6X#AWDr-uvMjTvNbx<1*#pTM7B>yo>3F; zXY454ETF^qpmH~p!o%Yq3h9-(Zg-MNo?QpoL%H8*-V77<$}|o>YOuG0m=pQ1Eu>&9 zHkU4lfvK2a1E+6hFXv4aWXT*uRkS)WG#$DY2_T4L^c{DT9vts_6X6({+anjA=^=Gl zc{rT&t*HFNS)%^DTWjmM%ve6wiLBjkvX^+ruW_kLw8AIyEK_i(E|0wR*?*cE`_N|? zVl{?2@yGVgd?pNx#BBrmnKL?(xV%1cnP^##P}{a+Hw6W)k4q3h+jDwM-&6MZyPQaN zPMfU?de|n4kErF$3VYX-AKTslns;x#W5hfw&&Ke2f>?e3dGvIJX;@_>xMd+y%m$K$ zO+2D0{iewCKwWt_9Gmih$I{dyP>viu_Z)s8=~=o$qWh&8!3Ju;pr&q*T?59JyG(=G z#81D6!#;!wT^CB^U5h*J+%%6vQ*gwRy7}wlS6MybxXPIaF^|Wx$8s#nM}@FDwcYmh z+zjqYn>;70%N;Mnk#3HyhU!x4x$8w#YVbPYtVW^Hbs@yz$0|yFHIwN#EUU_=Lw)k2 z>e}n-M{pIpA{L@`8qHyIgLhL9qsZlr5?JeD8{iyzuyy8dAO78~)?A;(I!zL=ehxmr z_fsLSiX$E6()NX--z0{@a_Nf;;~5(DoLe33>xp0DonR!c4z#p2TJ-(F#ZvQmLlJku z1>MAx4XDp};j`1F=x?4Y>`So(rn=*L%12S*V7H>`xpXyhKg30GF?6mh21y)4WvYba zf@SbZ!y5y3I8WK*BeQN{jB6x5BS7_Zj6S(0Bv1Ckd)ZU<_En;$f9R@iSURH>K54WA z`XnD0cK?#^F&}nbNE-vm3%zbbSp)KgFGBR(%$#RPInLA=SYj)25U3BZfiMW%Y@ob2 z!g->}lyM-3#;5#^9ZM?`7N%6IK|-9oB!O&y+6kCGIaXhb@hM{WTe%n3oKX2!$I1Hew{x2EYLbd+sw)MhF2%AW?xFjtq?caHfOX>o%y0>NJLm+@ zPGs7tdqq|^LD2C#5zgP7PX?-hx78hc#+E6`T1&^toA^BHoTx)j*XY) zy`xm#-g8}P=^7hF=@_EC`sDQqRzRW1RXfG^toCf`-+A`lzTQhS zCcrE0ci5-R9iiTkAgR#f4!Zf|0VH#vc5XUQ8EIS0+Il2DqNaNqfPKFo@O+<{a9@4$ zshTd>>w43R^Gh{Cpk!Y(+c)SniDc1AEnAi@w0uitX-wkAd_z^S#OS3P|3jaYgCscJ zg7lrMe(|#8<^jpIdB;^^V}9t}v=4uF__b?nru||GGAuiZe|`lE0_hLBp$RpYR?T?J z5_kkKd5Co~O^Nd59{rcuV9LNv7rf$1-{Bux1MR~G(^O4Fq~Qm$yqB4%fiX3P+a%H9 z@xRRY`(LGb0NCtigV0_ae1i}xh~T$O25P;7g295SV*j2GLQ4tSku|7^jU&F<%Pg1n z(SMnr1}j)nP$>7_Wx(MFM&_jkE=(6|{mYwH@m2Bzu%t4DAirgf-&Op4;lK+9>AZO! zMtlqZ|CacxUz6H7uq5L+x${er>qiFs1v4v93-b$RR)FbWFtZYX{eqd5VDJ~r{DPSu zJnw$N%rBVvzRtT?VfudyW`@dw`Vtn@yv;kNLZAbA_<1;SZnz0PgNG9GtmivVC#f%l zZyS_s^uW&7InMX=!o^3B=uww$bkngjxEfgg)JLCI5W$Hhfy-8Ra4Cyr*KS_xyWm++ z`>O+Z`}>tZJm5fuV6_f3!lsacr^deZJCRkeNDiPw2Ab4re1a9scDi=G&0$_dv?rH? 
zSkZ^A3x;~X8w{#D6SH^v)?QbM(Q&vq`3+orpbO4?I&z@K1$1oA^M}rMwt`Etc=1=4 z7VI=#{vptqDrJ7)aeMSY!OXw_pS7#J^V~Gv`Sc6qY~fLl6%>Pi_QHZ%@?hsJh~KB( z+oJ@-H>in84!K}CWuAS(fC{dm!a&{0nw-3Wsq8g`W2vF3eyw&5)SiV_gKa2Xy6s@Xg5j8anulYmkVEIKx)CJ{L(%L2KGCDmqV4<8ed3>W!F#fMMp0=|(b&yV7-YE?<- zFRm9vAO@XGIp%Mjl5#T)->HX;bOQ~u1KyeK`}+2tb<~jU0XTAiFcPsX@w)*K!F)sa zjYXb%eI`=J(B{WGlo_GQV++!pmPwzHI6DeSD(AVoiTYhD;Y*AJ#$??{i6n@_E2vcK z{0^Bx4R&f}wm%>J_L&FFH+#%PC%fb|3%;2AyptFwmJ4fy(Dp~#|Df)5vJ1g*fkeEQ zKs}P#s@O04vBDoPV~`KaucF@inTBi|C6GJsOktsI>-WB2Fu*Zefq-PUXBUjOJN0(- z>}o(ww&6f`S9$x0zU>RF0yCrkM8-}~1m(nCG1}5$3-kIijS4=HZYmPV{K>k(Ot8G& zq$41aOPNVnXp#g|Wtl25Me-l0Yt_r3!-BFZFLA677K%coIlw40lgPrdwzYN+7Jom4l zI(z{~Obs=u_FR(TCt}-7t()t+{knaFK`H}zL1&sN(boC zt#{p%`@8;8Phg1`+`)ckgu4v0MCrk_wX9qJS-Jt+=Gjqc%g!pxOISU(zF0nUS-~%) zFN}wOk3t%805py}*00(X{$=oQ|Ij!FCb=X0XzNe93#d_Hp?L(FOp$Njv_RW0lwA5p zGBsuAzT%UCpL7=-0Z^}?>$r@&comaan3kFXSW?j;1?Qi17XV1rjf3a?+$cPUz>*A^ zXl4LviiAE?o)dT zHG22)|EEbTAc8?C)hk)2D)Muq6j8mB7KIK!SH<9;HgSnd?<9U?%hC*~UPolC2&f< zexDRnm?DVtwFJSP z76Kv_95NG;Y?9wSzn2@|LY~S*x#A!V;(B|shgg}>=Uei|2I^GZ+#EjZ@QZPG>0Z-( zl18CFv`*Ro>c_IbFzOAnK zNNgm?so<$~rrrl&taiSo%-BcIw1~Yj4$&2OO!tCY8r_e2|(H2x1VPI%N-$@EIN=@<1z^{ZB8&kK?&iO zmI8A&=EmNTPCs!g$!l7ORwtaL?!MR-Fw0hulm+q`UY0*EU>}&X#7{tw=>>->GVjAW z8}K4)2_zempQ`{wUlI@6r)rY+`MFVJLisx>p!Kxd&^|qQXJ(ZcgfkWIx`$Z|HPH-V zj3Q50Lkp1I!P-uhQ;b_%eE4>}#q&qM@@lFWR2WC`j872D*-NH6Hb}dq<>u=b4<1R0 zK0@)@(|?17y65$`ZB?=*Z8!fSCX>+O2J)G0w~J2JNN`Zp@!V4U(9I zU&x=<2C)&?vb&AP5tI3N$-BP`oVpL9pvOB98HRdI5AB)gU1xCZdcu1Vcv(+ri@n;g zI}oI-uF}*AZ1E0to%G|cvO&{U6mn(&$;he&C$;X{Y3|t|P%!mzAdd(ae`8wTek~$& zvL%Nwqz$!TIDj6F9MsW2kdF3@M=5Pg)&Cf{##~KC6 zGGWFew2ufyQVleO8P% zq>Fa>R1zKal~EfY+~p$UIqDv-ss8)c7K$*UoY=tqD8&*Ni_RQ7c%WGQV!5F{ZfinKah5Mt09%o?&KhDl8{8ZolwhvGL^Akev5MFnr$g# z-}*L2KZDzz$GcJ5BnMSR$(v&hff&T!Rvw)u&A)n>Oz6i?Ss|N!L)O3||4f6<&%J*Z z;ZP&{4ZKmS98W|al>ClEOdE)gVkV9mCD1dlQEt?Eeh7VyL-_6Kerv-AdwlejXmjzG)_D7#K z5Z~A(rPH2jkIn<~B1|u5ucJ1QlG?7*E`H2ItH+efKjp#u(Se;8dg~kukg029xMU2* 
z{~yBMJF3Zaiyj^o$B7LG$HLHb6i`7B5HPf$T!*2f2uKY|6Y0dzlMISrK|rOq3?oHK zi1eOd18E5oNa#T+kpu`3l0ZU|?~OWh@9$e*`A?T?xsvyNa-MVc-e>QfI8HtG$^Op| zP9%Q;D!sYax6k;^lR8T&|Nr{|cdTz$$8Uvk`-73SF~F*I%S;Lc$Hy`GxCNW=lfbug zxOVJDNsB9hluQCMG2+9#M21@HVvR||aPV>)i@-i~wU;AtvIh*hRE$wBh`fp5R(Hvd zw+ohn753SBrQ?uhALu~AcBZBc1n|}Yt7HtG*mG{QF?;%!%1FA3T!I^#$u3QHQ0UE~|KOZ#mHWOa*oE@kJ{X3i>UXJ@rxdr>vBWi#-{Xi23vq|# z7X{ZwXXyDxS?hyV-zy?cD`H`S{cbK8ByD2j~T{9wXwjFug@6KdzE)bo3^R+LS3Xpv~Js&^ylrX%R9LZHQ z2O|a7PL$qEYd*zI2KH;BZ;Du>FD>Z38;oZR_6dc}KO(vnGi7U3W{#>z2QSND{LjHI zTyuuGS3M7#OxFV>=RInaD~PikluzB*X>P3$_t|OwWjz*;5$Vy2Y>J_yjz+voun7b13Q{nqb!9#zhZ@79HM-MiA)@GhjXA9WJ>-{P(cCdh z8Sesfh-TGLCYtoPrNr5@TCAAUzkE#8zY4ra8M)-?g;Oct?v?*PHG{+DX)&Of+4a;^ zzFGJlSWM!E+du^C<#(VEaTn|He&>GK3j>D0h7030Ni*$5icyO`kn-GWAXY++0ITIn zLyE^=2H1rBoz`YE?V)--)!0&$7mt>j>f=Zl(?kAfP`;q`OA9^m_ra8SZ>gFOoM7K>rKb}pMbk2BWIq-Tsl@vShPSL^pV|tc77z%4JBa9jP>J^ zXn=wZe6*>*!O6nkvN$=ZFsX4Q12GqMYq>|51Pj>T8|q1HR?{TcXeq$lHYE&u+^rU!$)o8`) z3wCbw0Y?sPBR(ymirW`Tmyv8h{lufb-m6J^%Spke#SsK~#D?5kco%^P$nU5MPA z%T&0T74tg?&Dl3d9x&AHLaf|VP@M#CxC%QiE_fktkPqflQ*Hg0Z zxN%eZ8AJ9d#VAXjqj{&}rAcp>PTd9MGf&?o$1=RgpnpTl)X)EmbN&!@(7iLd_iUr= z8rZKt25iLU$dM9}4`HgTqq+Ev`KiH{3?7>eEhS7S(4Q^kZf0kv!UWR&hQ-S+u7gO> z1G3;06DI0mdYHiMl2wRhy4>juM_y`+rqS0$k%XN}lew^YK=GyN8fW;eZ2_b_Z8yE6 z%l}_APC)M?ah!F(Nh(Q|2-N9$9>>aldG_A+uTXMwMB58}_K+O~f9?>iqN=5wU%=cf zxYrf=Eo&k}F?D)D04(GDv2s4pTl?-V`N+TcoJM?mWyvrwh{nA=lX~Fd8)?C_0pm+Q zVT_#|@^kBF^CXTrU%Wq*erzI!%AeXNIC@+8^%G=Pk&#+q(va?uJ7UX#NfO3Pu?ij* zCT}R+(O%yRkb**7O9Ie6I-C0Pq^n> zk?eGZMFJ#Z2KqcmK44~OdyEm>rID6022I{NS)A$Kf-Aq+PK^0Bp`417 zGC%;o*rX$n8-NyLFsXxdNqqzGL z?LqBqvT%MM_TX5KQc)JKhVJ4Z=XU4e=s=d#-EtG@DD>;M> zF2O6;PTeKAEicu>W?s4Cv$e}wa~XDg{e}DGkV*)Kp}$l*wU~P+xCt1Oa$s&L$JvUf zoK$P^eK7@H<{X-P&1g*@1G4{lr^b+I0?ml=$gZuVN0Oa<A-Vjc}J zlW44a9#zHEYR1*Jt6^;Ez?|i%pu;mlbPGH)H18lJCwE+p=snAQ?3(Lz5$5C_pq4mh ziNC42Knq47T@x-PU{;UtTk;Fh+Z5N)!eMmgn%1$UK9_`f>_mh!W$FA<3AQ@>+Evkc zJlC?kbP65qg4cR?2IZ2$9{H1l)s@z$Mu#aW#EmXQzX%+_)}cPx7~ZEildu$eAHO zw=p^$>wM1O;IUUPBdn^Ld_ubKW|IJAW0g(^w3kz 
zLanW1NU>&7xAubciUkslbYpYg#O}Q%?RwK0JXk=d^BWbmK|?2a2peFd4_{G*6{hfTw%sv_Ta{0w1hm#A^Uk4!Z)e72qo>vGrHCT&l^57 z^9!TTbAs_qXVB+#D5KG_p|ol+h;9RM?n<92jj~2(L0Ms^>Aa#G@GS)MA{|0v@hmT$Z78_0nu&jw&2sB zeHM7HJn0!#MQ&wFQ9)g%(HtwI84IDZufq`JuC!>)lC-`n^FCQ>+Hf-h3X_@74j*XMfj1=uB05JHmKm`MREr9{%? z4`<%IVk9}2H})cc+Q)h;32FPZ9&4@H5QZsIU=xQUt$Eqcnl0r*iA|b>SoemTt};J* z?-2L#wjMe5Hh?$Amt{5}=HH!co%tPE1k6(XEZ+am#*oXgRQqeSXXe_WO{J}$1dVr; z5m@_Ejeoiw{9b9}+>WQdT2Rb%t&u;OAJG9SEC?U-n`8>6m>AT8-&Az?c$7N86Hce@ zjN0Y5Cb-Sdl%^>$qX^-&j!#&J00k5@Uy6R||!Gp7PD2 z;#t_$ODznUXwiqZVTwo9rqEC)k*4<`m>NC?CN>MEU9g+%Og1rlXk7Bt{9kRvES@)+ zh-%hlGd^5r{N>4u238s5*J{-fJ=#uV0olXscPhzjfj-4?X`E>n<+g0ttT3$jnpA^d z^hY3TvCED|u+wZqZO42sO{f}#kd@FYg{9P8Pph5q{&3b?c5 z&Il~yOxF;1MdH4eZ}DtfoeLGh=dOeW2=ZWBUB%Ec-5K)>4f3qNQ8s2G`m^c`oEMar z$uNLDU5c8`L0=1VHzaP#6~iHPl)KWfKLj|Y;g117e1mhLF9qn!2PMP5mEL0jqUT<{ z6!Y@lzgN9Pc$4v^mkPWuogydP+r+@gfB(hemq<$MRDIdB--5FPy)QGUC-bkKaN^tT zn|ECuo?vg`^5l7ZjhZA6dwuN?$lnP20F#IxMTu1 z`@t*Y*~;&bbz6efPZ%{tRr_Ej-Ub0T6JVBVIrUYINa}9c^kX)N0RI?j+y1|1w=&E+ z$>kM6!B3ft(2`|`Q>QPcIZ#XBHb<2`t&LA#%-3IT@-+E!>*-8RLzP6oR8RMrhnVVF zi%+C={o}(e>y7meFMEB@Rly&^1mN3lCIXfeJ@EeBH77rWyR*QrKX~lajdEnn*$SaB zk5rDW$3PnTOyvwL+krXgGM>k#m{4XDcI?tgoAyL;2Yk;3)*BrW;JA#_SeSb+ei6N% z$2w?R#iW?fyxpZLD;&=dRxx14u4q2IWK!?IM?Jie^6^F9*pdQ?2euQb-l`|nFexth zDn_5sVL)Tth2phfQuTgKud8J5FsUV6$xVS;7Ro_27~yLtY&1*Aw8~{OhSoE1AN%7O zHasW%s;M~xpYK!PEciftuvPhioo&i!@vEnfW#Gu%72X&j3d3kXNd^z+2V(q<;PuE( zE=v7qd2q%O#z=VrnmeDflv@&vf$;-rIC~;&s?q4NcQT(A18~Z5ld7p`k<;d#%IoYq zmR&~Q+N&I(HFWEbBKd#)tGNEiDZOF_R#23GPSJS(ErDqqXle(Zt>SJ~>9yxAig-tS4330`v~xpU14;{Q8P z2{=IO0RD3QgF@+uk3Z>3)y$>dQy7iT z*jqRk*2i+sF7;1?8Vk+hk-I)?P*3Dim zMe#}nO3FCv=~rr?fPFg^Tm%mhvd+c9>4N9;f_0Kju)S7fVER25HX+(7qeaQEajb`? 
zDa1TO4plUCRvdCyr8VAl_NLYm7i_jif~J-3WOZx|7^LgLEa#i>zj-q9E)${_6PD$Q zp&EUWJc`{UmWQARAQCL{F*NeT{{GAKV8PS6p>baGGn}MA_2qbfbu-j5%~N?^zQD*U zk0o4`-rboIV@6k3TvDs4%hOCY;AK=>p?pqbUWE|Qcl!GV6FkND%)y;fdVzwi$}T+y zqS=W0tphjq-~)_o(El#|#T`0yVTn&2$rofa>c-$jSp1k^6NPvgBit0NLOkd@AOhux z-DvWusec*!zLTlx<_C@BRQOybR5UmWm<_;JUXiTz0|gfP%7EtUb)eu#neN3N01(IG zM;SlIU0?lmTg_Lc2~c+YSJv}jgaz?(lT~Adcx?;VH?FK3mV^|c=6b8(2mU@}3-}Di z{J0}PP@UmnhH??X<@CC7>nh_e#p~7eSP3Vd0NXX97n~6YNBH@l3K=SItjr?sp0WJZ zr2^+2P|=m8(|K1BbFSw+v}&1a__{`7V{PI#9<}(lyYiouGYh72>;1CIb#{r-gVfl= zQuORn>e**-Ps$k52;XPpVk2sDz;||1#weQf#-|iaxQ`qPpYQsZZK%66`|F1n%$z8q zdHGy4F*NsdZhKstj?tCtH3 zk)z^Bjma}BKn7=oq`^wZyH8?g#z|nOm-ny>{GCs}eirEMhjY~1|CN`FbZ##d5=&DO zO!1qNDG|U$Q$LBTKX$vqK=h{8Eg8HptlStr{@*o5kH3vC6`3gBAXR?IUh#9Q2?Vrm zjMu}3EA-r{b)_3UzY@NkyO1mi2^-0SZ9bp_BN^KT=S&woF3CFu2IOc4Zrr)*2EtqJ zR<|nmY+MZ9>5!qpad>r0dMQospx&8_Sv5-`M#>VI9=4F5GKI4U$g3PKTO+ZSN@|c} zNc6ZAcKb0#=rhjSy1m(j!(`y%Z>^j^>>dm%DE>U*f(6*7eJX)-zn=O;x*y>|*iB-# z%+f54QkTNIS+~DCa=v%|K<|L4gd1T%k=~4WOmlMh1Sm_4p_Oyg?2y zb(yqKZ?C&S9Y~Nx+uNn+(O=$66bnB4(|7Kdf7N|t^9`5b&TUa!n*F$YJgDa3Swn=% zUVflg)uTxV)Rh>E8`{9Zh&y!nfPvemZW4UE#9_765HponJqr_%%1MdA-Fw-L>|eaH z*<6}gm(A{~b$-JGiqq+Uj90&dw)$&7Pn_(%oTLn|%Gki8`=bRNcZ4sEMJ+vy z36(^G%8d@c{==cJM!He!5Xnt&Iu4-X2AO7%7-z)o{ydH z2)rx>%`If{#$7ytW#Q=d(N&;+0sIr(Dcz8j+bflHkBJ5R4yP=*rzz5Gd_SBjX- zc^)+h4D|?#Tf`*qQHivF)#J#9F*W!s?Gn=TG`=)#>8rB`5ED2Ng9qpitIA{CDF8l> z{v5jhpSNlQC>+@Hmj5$!Uq5!EYY(CQC4U_~0p^}6fbPjd@@gZ(p+a>@I10x(dZrX} z|7TIALTi&47MkC!pAo(+cw@*=sc9JNjucMjQm69qIwcCc*H2L0jc`KcIBt`h5`pK* zFy$8C+6dlxPo_g4TSox%Jepl2276&#a)HBNed~{ah$bFWx;|2;qVsvkIo&DJ*suU1 z;@;cU$P|1woD>0IK`t!q&(%4Ru%~QH|N5t~$7Zl+p>51ZjQJcUQs4di6;q)C=!TW| zh9d#F;5|N1U-(&F__wrCzXnLjdN*3>LnL6GwLjsy9g$=MnJk8YTIbnCYhvs(rq^Yv z=F_V@KHw`CiQs4Z7BmYL-^IJ}=Q2^7nG`-kz@~6@6=L)M^2WV8UpD(V*wGDc&w5pP zCg$xvUD*k4E`Bq27nBPXM>I1kh@8fHcN@>Fs0TObv9nK2orf(a4wDQt8|s`gFV|h6 zEEtN3umEf0l{+vbLCM&I20A%W{ovWTw?#kL-ra9OO`P13_J{#ade2F3l`0S*T4cqG1e0y)T!%m2f 
z@(qg@8EAK-7lOdY(fR(ZB7JiMQsS0;*043>Ssy4a9wI9JQ?zwlIOoPi2AmVQn8kR zy~u&v_+%kN+?)4$zDzr0>!Q-qsXDHVNgdN`tONK+ZhB@evVeT<#z%=D)`wVukSP*g zyEt{{oM$s2RHir<%P~UmPb3h*&2t%L<3}qfUnhht8{nWC>H7YB>=i)5#@&nkq`mDy z_0`04CHs&k&kssM(sZ1UkNDvt^@oBQDBd|dI;?X_*@GmCz)Q^@-K~D8Ha?xV?Rgsk zENGFcduRrlTIXL${ENpwEYK5}i+DHc*R?#mHyDFCU3&3O=;z!rJVY4K8->y7+@1{% z{#dMCBBZ?#{uaf{H+ADBuyJifFdLrxr=QBZ!xhnNiY#UAOrRTrJsuuiJ(q_p@bIgWw0+(*)3~PstBjqJlYfmdgTI8o9iIVg_!~Nbsl6r zubRxVH`>JpXEWn}<|`JqHPr=NW!mBgMXn|qHpX|J`Ur&m(U8*+G!I_aNv5JH7~)LZ zOo~-DH4JT|a5LR>UNyy429O|azV;-ggt@yDot?QWWa5+)<7^kL<+fmo#B(xw5>*zF zLtBd?Dx7(6Mb<(lig1ErK3^@0vX~S=g3ejFB#ZYQ;u<5-uIC1c#oO64vz3*rSEEtDr zAG8B25s47|;XKzpF$5ApAc+V<+#ifTdBmO*8y)z5u>L?`Mc#V5a)d$?{RGBsvfaNT zSx6tF7kR3@ZLqdHb^cR-9wfMVfx{>b(p~blr!=LcXZaX_kvY#c39+ZXfe{_c2amd3 zK40qZ|>qk-=C2A$~|*8OhUZ!$677NC*1)_X6JY3W>0P4Z5g-cYBH@RxZ2 znr70vKL|z2ow~CE7u=jmH)TZEykQt5Y}P;>yw5_jDj7?7n4;Um%8 zUXw7o6d-AO9D1xU-eLM=g^oC~;6;kWQJ!L9f`gmDb4~A40&I(W(N(OR=3yM}U4JdsTd!U&rj{?`1Dl))LAqCRT7&D!b|&mU}tm`e#dz)v9e=;I>*zX)D$h{k+;M z$pEh~)#*e(+Ba( zR{;qYCMJOX08Uro)?Fq>3H7ZEalG1898qQ}U=r_{w#u=vbm6iG8_5Pm1!UQxs(2+& z4j}>u6Zl>f=1%!oFs3GRde zoRcxg`i5aaAb7YdsXch~i5!$Oms7r@%H;RQLPJH0ivg_ty;cg(C>z;eWNHGr*V_c( z`GCyLD^9{jv`7>Nti}18&T?}qW6Qsblk^=sdP?;pf}Z@VDD;p4xGkoF!rq<2*7|gl zMDsWC06{fAuw2&Q3m>G!GW|^*jjck$vwAzKnw>9v59S%)ec5h;%*#4~w!q?r<{q)A#h_iKi70^B-!KnT&08_AZ zFv!=w6H9U)*|-Z+r$-RKLnbCaWdK@~~^8y3ojY|deWeS6E zoAW`c(_@g*wgRQd98cE!m$Ku|ayp+#O?%U8^ltm3`noRRF)-(GDTB$rOwM4}Q6ykI zBe!T%6&LI0KLvpO#L7QgM%CN<$9K^H)vAZ??w<;lJDqfWwo8=!9J%o+QCBvj!(1ia zRv|0BhJL{7uA^eAodOkwUNP}g78#|YD7VrbzEl9@Z2DGmf$(Ik<~3;N(C$bwyMN8d z^TP|OsLdKR$c>G=fam(U1f~nuP5i*PL(w@t0k!MRvg5qB`U{?0kL)e&%&F$ar^cm< z%w8%MzL2H<>Iv56E2qmo-()mC9k}8^Rb^%9xWrAE!EI_$WK`zju6R1KO9Q5myZG4Z zk_CL@<+5XPAjUig=J}NO`T4M^mW@CPuL%__nPA24X8Tljl@RLE56RgLqWch#kaP}< z+26cufzqsUZ51^4ZX#Z^LA@T@EuRoP6Vh@lse|0M6oHRLr&9_RCxkKmciNDMepR9< z{)O38dp(xZX*6phk-m94P$`Y9&eqOiea>O{SI`UsllwpUR8@x|DBQ^=Z#9^l_u}T_ zaQJ2{?TWd-yymWj7*HrJ=QMXD%)P)@&ZMez>|`8a5FOi~)sPmgR*RWs={rb9%vI`IB@^ 
zRknmB>G{ZV_-21 zckoewXm}<5GCt5YR0vHEJ}Vq6}-o zrm9WlbX&IjUV5gBy?;G8QiOpYw8M+meV1kBU=9X`Wj`DAHyvz|RVfv8$h6v_rq|&w zD$995mZgp)arY~H1j)^+Vjko#Q+spK!26E75uE>$Ya5fDc;WlfQpd8?2YLbM=>GKB zlC|+?J;93Vl07u$J9ql1hJu& zhY0-*60pR(SWlG~Q$Q00Z}dSb;LT?K5RvdnQ7=!*0(&}{I{RQ#_m8+=xO3Yvwji2b z#*XSaGI|y2R&$nh-p016s`o1(k)?VpQg8Ib&j9P`9;bIe`k`KjM$vQI-x0{|dlj2> z?zq3%3lKD21EHYbEq4bhzI?j!A38lz#Tj0Llf{40{N=MhCSx>M|3~QnUQBL!J zu4;BO0a11+SykWUoKwl0ZaRuSJm>g(yE7My20RxjAuwoevJ9NN}y_uSCYmT z>K@GmGLejIZ4UNP`?_V9WpfO#&qbl+E9L;zHB;<|Rc*5PT^1hx0MJqH&;H}>_c8dV z0~fZoql8~f7=^tKHZ|%ht_|jIQbBg|usi(6Cqz+!_I-t6n|OTK+eg_TIi){Go#V9l zoT&&Kt{o(F^tiqC?xvCyM|Y$Z*Q7n&xVDED7!wqbpeu?EWPdd9aRZ;vA8S1Pm)xGv z5`|KPNJer26;z_cQ-314izBQHCZfpXt- zcmMsnUGsBO^@scudo;Ra8|9URWg_@l+qQ5)QGtkANQ{W6#5~g^Xv^3##D zr?@_6se-;Jf%?^9Xms?->s`A7r`Ah!;iJ?uo+4H(FjQmgN~Uy98|VHRf?FZ$n%QbY zi*DaHN!+Vt0~%>CpFaf~mZWAN>*sa(1c18!IDFG(Y2+*FR|^8-m*?kz>Jy%6jAUX> zq<_xR=_Bn{SDHxGJGgQ549MSS7$d|-40S1~Ub%FfjT7?Y^`s)ZcRvt#Toz@uS-ZhI z$^qYL?q);@kP>VuYlj!EgO5LN@#4dXhK~w9&%>il{PlP`*`XkST$u+pBlc-DYv*`s`-QmFP<9f(g$Jt2s({ zNp4*z$^9LBPZ-r4G~bLPFs zIdX*0iZW}$?q~FmHLgWr-rh1{&+@Q49+`9ng~v2Il0P+@v3)G(CU_%G*w@}qbSWP6 zD(uH~-EoG<$3De#kUxY1L}Qguswd@2nKID&``5dumgXl8J#BD-r*oW%Ac_6ivm4jv zXt2`@!NLn;*CT6Xb7^G5Dm>~7ysC67U}SNFL{0NUb-q`p`1fkSy@#jB#L5Z%8beqP z&ITq)M4aWmaWZfAIn0hBss_?VT=%SYBM^hcmscYIOVy^tOpdtS@=yk~0kON20BSVm zJxucJ0mcc#)s%8;yA;oFb3@$lfyno_@7Sq-!zjN38mPE<3oi20^8AZK23E$abQQ>m z0IJaPqWO`p^s25%_;8+{dn7MrHDTJ1VD^*7@!rC<`ubyDZc<~iXFvr$he*hk^Ih&C z%a6OgX8K>77h7m-5es8QKT3Gkf>0ClTB zK9I$e3b#_=-{?W=d#W^YQW$t^W7bzMz;@7;4AZfN%t}s9>g|f8o#BZNM*T-M3;NSE z-u8LoPPw=!o^(mUP!ppM4fkDX$H*#F#6GQ8FaVU6D*Ob8aJh2q5aX-wtd8=r$QCff z7tph?cFH3+KJB|_`A6ZQ>5-7>u>^@T&J{PUb|)1HC4!u3C4$OM`%4Cxa7G|l`C@at zBK=w5CO6KBUctzkM@ZX^Nw2B6M@)p8YDGGanO#@<5fiOh5cS5qc$o(l?a#F}-^*A7 zmO6%V$$U9RUgm0@IWJ4t)vldD279}NS_&{%=d~`DW6ntXj`dFn7tlgKmUE9rc4jrw zcglr;2`$2f$?eUz<7qEM-yWt?Gd6A91ke7w`UYF7n~R&Rk$v06CVgMd0UQb?Wtr-yk6#_ImU+4=zI#AVg`fFqqjyYeew!Z+ 
zj*8*F6>;=Gz4KGCu4=j0G{b}xi9u@V#SF|tx86hVpjLLF&h5@M_PSdIH@mR@RzbLO{Kkifwi&s5o@T~c zuSt3aP863Z$>H>H*4(?6*~eC5xV1e>AQ1D)^S8?Yv=u*UU{v@qkEE_~boWZ<4b=(W z9{kE4H-`X>1);mS*sFNd;iYc4?nH zsi55dsSa^Q&<*SPjZx4b$&zhMLT2jq`YIk~x!SOjO5ucXhRuTKX4@>R=8zGajh-fJ zLSA_1kqk1yJuoBmY8D4JS&p}-)-cU5$bk0^Yp^1eh;W^Dnyp=v#2=}oAhLTgO=#7d zTYx^wxq$0yRi@0k5T0_XYYy!F5#~^Z9cs@edJ)i#Y5qPcRdG@LF9yH~t;{hNZY)5B zbI@==8Ibd=qilNN{MD~u5}<9jm`>OCzwrCN+`qAhwgd-*G0HI&`mCB^jhgu#W94~H zH||{Rt|p~bZU-8B>ZXFl^JJ=s0+rhvTfmxcwAmXd4E8S^s3bUNGILgm6BBp%?0bR- z{nr6Ku_UH0$Ch?J2-K@2>zoN_bI@cypLy^vIh8V6R{bF}7Z^!%qEScJL{TL#Ieify zNPN=Y&`GFG`8K(XNN)#SRhrEb`NfK@Im9$_-wumon$QO8rt|RnH~E-pzh9#P-%RC( z%s;*4;VYUqx&l<7zvW!}C}y-4#|NS|Ya#{3OxfIUt%B(EkA)iZd4M!^&Tsjdx(;PV zJ-t}L^EF8}bGQH?u_)zJj&XpAQ(o6~)jq zTw*PTGr$~UCEfhU?k6SYX$9Ms1qEMW53w7jl#`yXOsIO3XMD?I3WR-EMK#H8zvDBn z(0n@alRUf5nsjt#U2`7;pX4`1yG;D}HzPN~)g^T5H&k-Kdu>ey9G?zrez2-ujwg|| zmO@$Xj~}<;=9k`9Qu^AKE{LB@>&0mx1;$qlw_2A$55$=8@&o>buZr7p;KwVByf~1K7X%mSqoL4>`kPoTIUwu86DpNyO zQl|#8BYz^1d;SKiSF~F1P9(D_%&z(0*fwXtJ~=Z9+v_y40CkPS!uW{xxiTi_E4uVM z00%x%YWR*QeS0$BN8?vV<0?aP(u>4YTK~1e=><#I{oiN#{1__K%UxPqJ!p zdytEtml2MxlmMgGJ(cBAU8O-XdlRPajPGjIjTOlNz!L%)s7-3;PLdFTfx|-()Oz9T z^h>$r& zC#6U|tBtxLdx$u4h^_REW3dLF9Qae-f64v-Zk>0$G`>^{%A0>msZA5FTna>ra-r{j zuFadj{_XI2>;hyZ%YSvB|F1#Hl1fP5$1V(Ze@^BD;775*4J32bfofw$}S~=ZC zi&twTbbIYrnzHHAmxSlx9}>oeD<#W`qNUtcu~GO>lT3SY9$?9vY|uNk)(HRxa`Vpvjrc%&26{?CXtmZP z%%hf<4QK%RS#|+(f+mI$KvBu!yDEzp7>p^Pf|lLDLw(i0Q@qc&JnCD@53VL9&Gx8Z z4Q5}>B+CecS&6b=_Wk?%zW(9pfj>shi}E!p@-n(Q3he@ogc~!hTZLpX8DBml_dRoV zQEXV759#{--{sp^`*u#P2udY6bS7XLb#|`zNxE$>PQn^Rf79E-0`y4rA>J{H!(odf zEdSpLf_aF6MmYTvH$C-M`ih?mzd?UXWd^D28=`nb}??f)#hu$@xp`e(+eLQeF+ zd91iRu_>F(q{nB1V`pSq4gM(^#(=499TuP@zu#v+#GRGe7^B8|muD=aHemOfb6eh4Qa>q&9PFr=z3xpHYh+9@X*5mx_TewKH_jKzVZeI`w-tDuB4! 
zemEERQLJwJbYlQ0yddSgS1TMJQdaDpH`UT6a%)MBcT1hN)!QGIE|=T0!g2HnWSPU$m*$8vH4%p{FL;=Sy$>X;jdo}>&R#%2zMpD z8Z00AJ9$jC;oaR6!$aCLFGo<7s9}ehlY2J0f(9$&TBa_|<#UUPx@e{r4bYI_eQ*%> zlsnDb0#+WaivgzX?`(?_4wEGRq&ep8uW#>k8vb_qx!i z@UXqwwigb`8-%d2s(TBBD>kJOf0yUuSyVZC++cYea5WRcU*|pRR?A^+e~8*hL^aU|V{OI}eiuKKh1{kq4@3gh zik-QC^ffyINsCarhf#KW6}JQQEO|+mhvT*f*A1gYOp%}@g`oo7>@-QTQpzpkh!;l_#=80 z8VlP9)+Jv(^7g(JFSqRz2kxfIIs8+b#ErPwv?+x5agiAjLCWj954_A1sedg1Mjbkf zR6L4n*<<z)M+m?kxy_kGtg0ThFF984VALK{bV}`hi>UVO}>9ot3pDy z_J!~E7XVW(r+d)24e*>ulu)BB-3A|S+oFhgP~w=C3}Ukt#bxdnr>!Jb=U>w5lu+q1 z55Jgm#96M@r@gD@xj!#QlQBN|C{*!)!6BpmCaJAhV5iaHegbXNyAN>yJX4V4%OkX> z9`l1r8T9MTx2rch3McXW2*C~NSNTs|ha_s_?N04Hpk42nk`k}|-nZeBpXHwYepz_f z{Io$8#oWxcde)JA@B?aVK^zRIHyNtp+wt`~O|JvSe+BNS|Ayr){uT!@_?g%1e`2md z#2F~>rEWT^$w;j&TI`cAArM7dxKAn8i8g;=hkT$nix^x`BJFs-Ey=(?FIR#&tI{2w4CE3BOj(PCav`WlxP%up`qFAxKH)u<9;<-; zK#mNj&-$;@8n1xf1e=4uOfEkAAz;sHa(#ZapdHWU`g|fqir%Piy?K)wqF`jz3bcWJ zsvq>orsJzR`X%$j2W#j3_Vscfd2BpDr>#No(Zj&0XE#%Blb(C2uUwq2;Qk;tBsi>J99Nss>3N^i&ZAv{UU+r z&iI@9zP8)ldTq3K$qi`HXJ5t*^tX{B&P^?K+GG1mU1}_=gmC`i+iE#Wl393P8z8Gv z-jN4t^Kl&ZHV=1{8;^r!`%_$$Z&1A3G#fCxU3>_jY^6o8{pSk}JN%#`pdDY3?8o`i zNKwZrWMp`k+qIid`IcXmJ@tF?VwRiVilaa zhnoIR45+rM*sJkl{Mp)Z+V4H4!TJVX6S-HU9_0UO6RslIB`F6k%Z+5~e<---_c~5O zmua-VYL(k{cX_@bc}}ziF*w&q80j8I&J3(%iUxOjmdgG^#WfpmPso*?w!F3aP`Mzh zf|CNs;R=?rz>R}avizCGyK_IvoOUW*EYh==I@&L& ze)_Ch_#CxnGta4g%5f7fqED)=JjQQ4zBg$T&Oeh2qz?7&o`rNgLxCLrxeI~zV_ZTk zp4$iXEBfK%b$yAzO3Ink5IHRIAH;j&WUqd{rF8?-!2K8#)ZG74}Yx}BNqWX zDE(X2d;g8W^WcI`Ue8YTyju!F0oc@RbH)$!;!M}@n_OaRSB`U}>cuVz+k**i{@t#^ zM!e{QS!-ieeZDh9DMHQwoHkDPQYLqa-oIF4^u%1Mh)^_WNj?@>wTZDR=<4YpZywig z@v-bBD6>RQMDuSMi~Zi;>uk`0KQ`7Cgl|zzh37mkC4f|n0RMxxHpsQ-&8lU5V5rCF zk7VWB!vt;9vlH6_R%XSDu={5%m$q6~-YBYgEsMS=2wrr{`OvhV58NjEW&asKK98*& zb+)+F0zBVW72-LzgC`-*8Qjl|BF0GAQo3ko0P^mkF>;SsBKHYc5TGh*Y3}=PPocc0 z4o~Z+io~q_$OGf;MVn{4Q5_2a&#%B?0-J8sVTvoPf5jiq@vnX52jBu|rTBjoJQ6x~ z(|!E`mj4_1+jr!TCK#2-l&RYCcO-@@wXgl>Wk~k3AL#mOQIwTg68cx555#Fjn}svB zo-k|{c~QSbHa&f&p|qDD$DO242oS?lF 
zV(83T1*qRj(NKlrj7WxwyL~~J?wcqQysL+7q2@(<)|!n9$DxqW$#7L^=-t;TB9`Y{ zig3yCcN%N~YPPbm@@f%LFGusU{Qg$vK_~k*T<~lclkkH*qRl)mbmKnsI&f$bK=*{X zC|2;{1Z#e$)a|X$NAMS7r*|k^AA!C}Sx_z{c!$d`@yGg@pg=J^{oG0^AnMHBYK=`_ z(IUG4Qkz)k9Wbf13;y{(oxk9-)OY_x39sS%EoM5Ex@NM0xyaX=uQv=9=K;s%tEQsN zRJRQQSWi$Spjtj+ttbj}63%I~?ocbb`hSZ=2~dgKf^D|_PqzY8kZWFWYw-CY9%H+XqLkhwLZlY*q#xbE0zx3u) zK8juQDPQ?+qKiF_gNc{JL$+3kQ$K~25YdpI|3=Urx;Y$lm;@C^^k!+Lh`UA~*2w?G z+Iz<}m2L0Cia5%(4&FiOdKIxy1O!ByCrf=NL-CXc4J8H&qyj%_!C-aX1z&L`iv2J0Nurg3 z{h3|KTU~K}J@k-sb^@3^)^Q@Ctjlj;jo{!*orQ9+A7((chDY%FW$rt96A8w;5uAm} z-B)#4mGP$}rWFJbAl$j7poal$i++>Kk?POqzI+iH72aHw11Z`2(OH^27QS$N(N$}D z_2viD0S&)03bNBr7k32zW*w`v$MeF(&W|a|@71)A<;eGCnxex)iCy%nk9_d-UVG6{OAS4yUNs(K)keo@(`rz*n-b#M>a$(tNqFXB~diQdQr&4Pr%j{4M* z?YR2NKnrt(Ug>6hvi`ZN2Xz6-%fs=S5)D;J?jVsLJ1>D2(WA?zYty(l4Pu3*-g#0z z|M6MRPRqWSjPRGzdcUBxUr$Axqt5#1sGlDqK9(!L{@2eF6Bj8bcVBQm_rn_RuARD` zQDiM0?JZqZ)9tlppXK>GJ@-VPxBy;1Jv*FaN^h}RvkNPyz(xZ=qi5H;Fny4+YibP4 z&x!PZaPe>)c0WG*`q|z6nw9Ta$WEss@BSavN-{noSB!gA_kR7>qM7iaE>dNmaLk{MAd3G^1n7QA9G-!A+0A2Hvhhy zef^F1mNi{{VZm6wSIkXqV0&?0>r?y1$!cbXtfQevMGCW8lR}_!ymA$Ybz1>11TH3{ z84#GG9KM@S!cvQOVI*36N8A*L-lciZrbV4$#deZ&D}2~tB@-jTDW@*54y>R5{sL%x z44r9S+fYHvR4hEaM;Nz6Ba?Tfj`riWZ%q`wxHA()xB1iYf*7PLr+Xoaopo(Kr&-q1 zcJ|%O)Qgb}Z!2AB_ty7st>>|vf}&sRBl#)%v19W@R)}ht)G0&0M6s*{7fGrL5k`QG z1s(^xPAz(A)w501*QP1yY5h(_b5ekXTgt%{@`=-MeH=$r@5#^m#vxsFD`w^kJUj3CTj00r}zU$w2y9ecD5J~NqMZL#cy)@zz=vx~z2S&CoZK#I^!lgqqkE>4b`xHV$cp46wFiy0OV*3ufMD5^DKhf0~9 zA1;~kN+hfO!W&{WmXoM z%5!aZ?ZDyHm%q ze&KRAbKU@#f4Qucwwnku9kygEOuY{r-5%=Hk~Q-qZ8Y*uf*v%u8fx%JJPlL3)CW`5 zb!C;E^Dd-E1X%=!KP~2L3g*<+2L?1Qo_bQ-*M_}^#iJhN;rO*y4Ei)&TD&}tK9&1~ zis-}+${cva6sO*Xn#kxo$eV?68pPeW{I~AUIwNI4;EOjepDrWN?zGYU+HSu2($ZX~ zg$rq2PjK+}(|lPD`mj1Dq%J_qXSeZ){1Nx1`0juWRrseKaz_<@F6=xWaI#4y%uZ@$ ze*zc!kfzoqM4vHuK^h;=#wVwFV7P`DtM>G>zJuX%X=qJ_t4ZCe%P@srD^&dK(d0xk z^L5FKsbgxDkR_`$JQUJ>gP@cw=T4y(5r_}8N?Nqd-u|E{ug1D=AT(r~Ogxx|+vO!1 ztQ1UK?pvgAr7#JrBlLnvHw~FP(Me!NM>KXty?y=j32*-abT1=MtTBks^Q_uT=KeBu 
zFU3PJ*|G|AKDaZlP*}`JDz^*P7lls<4CdWJ#~R8I zY;-3)!z9q=ta$Q8i|}cCMDJ9Y?_tG(2|ks1ZX&L4nIoXRdT=mVEvw#{nXOZo5r{G8 z!KJ}xpeb#~A6MlJUJwJufyh9$w7MSqt9;NTYz6M+LNky+OA(b)^beYd@}DwR+QtN`@YRTL5GW5-F9GC4HiJGDM(L> z+a*tBZ)*y^X~^Y*LGW~|gkRj{?r>RXn2bN?AETg5G$eAzdomqkb#CoOqG71Jd@|pV zr}a+@HnE*>ZS2*6!vlQ!I)BsNhIaRiIgQ5zXW&A{20!v>e?8;S|HVHQ;zjmqtq!bAF*Nv zz)iircEO4~8U1Ki;JRgBy6eABQu^xEdpzZAK9osz9Q4syhkUqrZF}vh;3CDuu}dcv zntW?$v9tQ~Ba`5`tJ4eJRN|E(b`%w2|( z)ymC1Cl+}UI^Jf$yLAVPE=HhdLd(2XVEmRmVj{(|yu_*ORQl}nou+CQC3jjZknVaO zVr!l6VM>ILsS@U2;$)3`?G_t;ZHNY$k(X;qf@Vy_$a(e;tcGf_Yf9PSSp9o*hTxz3 z#g^u03;AMOA5&6<6TjX1Mf+U-Rc~wt(Woy>k^H2j_2kCb)te%L<%~|d!p?N_e*_U#2wsjM4#LLDUJs+@L6rvg5DKK|>?v(h( z78TIworC8h$ME|TRwk{qBq~7W$8d9FI#;v(Pmh^t1~={f`X%h~IV|U2UQGPrbm!mS z0QgIVuFSasR6$i%Dy)S@$u=zVsxh+}v5~t3_VcDw9y;3Zi@Od>>&0WG+8uBmwRBsB ztHQm{Z|Yf{TYsmXi1I79$uy8|TA$9>oPBiAi8q}!r}(cnNDN`qjviZ8N6m@0*?3>p ztdlibNW%JgD1^{&;5`xDC#qJTGS4^IET5g~Zp(g7m6Uo*$80g^2Ni^yqPaeoo~kPj zA|A_hnTFr;$bvo;pIjxH&Y)2rNDK;i>;a5}yP3D-Nssuc7pXyLEX+qdDlI=+nlmho zde!HWxno0{N>C8&JS(^ctKv=>NNE(-w4>N&`Z`$#{$#-uPQxn~3KM6C%`p>A1Za0= zIoqh}*541pGyI|E4JMp?4uFHL7kcEOdy$M=nV`?m)3lo%xj+@@ zMt4hB-?iXMtEPCNu_&#X+**2V4HAy4<`}lV%yyn~iz1p<>&^s@pbb=EvJHlcS4cHek84P5! 
z(Lk%%Zcn+s?zqdPv2>f9L#*W?YkpQX^1e0lmg-|wv@(a3kA3ZLpTfwQ`hCGj8F zWjHr}r8lEb0u@d5L@?3)HP_FvXH!mWzec$^crhl#bx{6k)tW$E;T#WhlV)em%PM0K z2+E|!KyuzYvlm@ucF1DSx1>zrWAsgDO?v<1?C__b75;z zOCM5chbM6zrU*CJ&1Y0_9;#K*5ENma?u4dBtf80gCCp_HSO_ze9eDn|)F~|VF~VT< z(oa}&ypLouzDDyuTnA1-6yt><3z?-D#3?}soQ7RdJa zF2@nb6r9$*2Wi6-OGtSW88JcbLQD8Wcu@!1WZJ@ac_a~jSaX_6CZ!|#OJ>h}qeL@) zT81C0kNP(De6zsDL4eqqteHVI29O;u2Sny?CS@9OkMO3AvmKs?z2671VA0wl^D$2TD+av%F1S!d%>^{&OW_%=@vIbJN@HaIW zoQldrS&0y9BFePB6K3bOMaW2F(va>_{QA@8&VwM<>?;kxH8v!XyhvFX*!o%m3spTF zscCLXKS1`|h-qz(4qmR%JWXw-)g@Z4LU<^woEAkjUxtc&#T^g=;gz_)(3bhQO8CC^ zlU9cE(pBq+P^vW@=7WfJMQ_mUcN_h=5$wEDA(F{~wkGGj%}MPq;#lIK90(#4Rb;06 zLEr4N7r7i5O7z`U{5!h&o1pV?B?KsF5CSn$JFx=hANdny1S2<@rR_4719AjiHtJfb z>7KhdY4UF<%{PqS(fG^^IP?V(;5-ms&M+%R!ua#1dLN&QR}?CI2hi(qh=GJTrZF!% zFI-bcolBxSsFF`4Ywch$a!PWB(WBw!_Dgj){2G&tCO6~}qBWP*Y4!C|Hwp{)U4nX% z=iMmP_a|Ipb;p_e?h}%V5u=`5<5>%n1bl;|>BFx0LtNNVNpJtolW*`s``h)64Vu(? zM# z)6rhM%A+6!Kk1gNZWeZW=Ji4A-8rG`Tq=5WQGwJWaEP$VeHyXm*YQ@sz9O_7&ihC3 zG~?~?quGO+=<_ECJ+-OUha@X-g)wmoa6Ou#dNYv%si&5pfOqO|d#X=^_lJBlc zNM8IeiAiCDXyHSeowov?vTZmd?$z6ygz}i#cK{0$G!iod$iFRB^4p^Bk%j4rqktdY zwQHoqH_+2CKT1=#N^i=Rgx<456hP^j7~Ulmoz}@PK4dKd6)T$!V{flFu=<|+O{CPh zga24)7k5#*%DD^O&81TvGxlw$hl50dU2SL)B zC2BVt4w>U+XL8aEOxhA7fdRuLk~?6-Q5`!u^f2m7n>8bEztKdDry(xBQsOgh$Tj@o zZ6`UK;Szv^atf1u+atddqju0;1rG{OAAZwEGj8WZitNiv56m|7YC-uePewOFOQ9Wj zt35eTQo(7o;?oIE?(B$FSz{;^4rEP9&h)79`u8A>FDEce&R@s*@LyE3K5rDpt>WUJ zDXv#%3E=}lYr@(Py6sNf&9~_ZhTPd{GmyuQE2X_nV;r}+TAn^0Uza|6kLO`@qEM`1 zo*$Xgv9*;lRzz({Se4@C*t&*8b0@ZQ^@rEF*Z8s^u4DN0c|x zW0v;_R+HZ646F6d-v91RnO5febM7yTc&cl`G2DYYO8=FguI_m#r?6Y=Oh$$Kz8r-e zNoi^hsXK&9i-)a*#SR_KC!xVw9+_N*qK2Imf5em0%U_vkWrP_&V)nyKJHjkucK`~2 z0B;(011Gr?;I9*5-hF`SAeHUmDlr~8>zM$(oH}NgQM_P+HdUZ%b<_a*Gpnaw@%%Vr z)5!z+5>mu+^jqI7`-vV z%{Tg+vpv-{5nT=rw~~xs1ip8!3iNwP)7neDjj{860ut|)op*1rk>Q6@9B{>Hr3YuC zhU0jalZRFM!O?AK$T7R@&v*>50@uV!YBGuoJ2xxLaHu)*#mXP9dr7_$<-0FFQfo4e z5!G^5fn1PxtNQwF+5uY-Aa3pP8{nk9?JtiMc02n+UD$Pz!6DtX@g|M)Qa;s7R&rjv 
zX>CVnpiTf6;0LWn&&vg>dR}6l5p>`m=yf6K8;9GXPUq*G^QM6s7RRKutm6QqAPMWu zeSj4y!-7Lzk(0G~r*&8_%pUU(KB=Ti%HHTn?Ih|j(aDJ{Uc~{@Emrl{X414idTg^S zvxxK58uFfVCFeF5m0CuBD!T^}E=(3rjyerOnV(9>$3fm!f)`?>0uI)cF5{h+UD2m% zv6ZNn+JWpX;}Jb|xCS3FMqjTMyIhCbZ>}=?OC8?NV?^dRy+4afPV3b*#7M%r4x0)S zqCXAgvnR_20AyOv%m23Fzl)vVw7^wvaJDo2%H4x0kdo1^5sQ8C03Jb z<^13Mb`bM$YLW&$m#;d3rvL4vtu5SvTALivL=p;d|Z}_k;?B6tLWKGKP zgX(=;a^rZqXDQSm{#4%2&+>r6Q_(M~=+C3eUA>E2R<-N%|F2&ER3ZAsGVj;P^;1G{ zz@ec5+Fdr7WB%~OTu1vXJFJ`b@i-d!OH-D$>GJtmYu>NdRX-xaW&CdSvsm-c_8iNX z02=#_Iv-t?)2;F8g*IJn0=~W@jP}Khquhr;d3Zk(aO0;r`>pQfy_FpiDO!Dj_4<9h zE;%4WW7g9?c&fSWkiTd}%e;s(Uqrl139k4w2YFj2)8XMS@0*6VX8>{9$$oxJI9#<` z6@o90Z@66CKgD{g$b)_fkU`UzNl~@SN0x_s1`==UTIrrmA_v8*;4n#)zpvZR`ri8c369?_}^^i(-l9u zNRCV<-X`_qqGP^yz4`5Yp*Q(^P_o4E;=fnj`0=_v5`}kty)9=4yw$H@W_x+2M4rhn z@f*u!fHwgEe@}uytjxQ05>17>{$|Hopqi4jx+CU4=RjD$HlL9w>hMX8^2I8 z9un88feP}y=qixclc9ssplvaal52(GrYGm}JYJp!t8OynWUux1G0cyV=}Ml?i-tyb z2~7pc?GxDGq;zHK>sRW3&nGJm%6Il`6zn|wet;E4@(n_4C^oVoM|si}&av}I?e~x| zQI^-IKRE5+^te2(W2?E+wzg%orjtmk{t4=@Z;V*A#;eqKSBF_MQeXRZZZU@uE3YG{ zp~tuP?u{zq|I0Jh`sIy0h>TkOg{=G=b&wGs>F)ZFPK_`|iET04$F_fDJymYW4QcsuiF$%w^U}c=G6uGh=m*2n%@N z-pzNK0)*q^j9j858$x~gHutgKHCb|&s;&cDEqt4J0QdcUs`R(D-t}5rYJet|j(t`` z2$2o!^8)ch`_^|DPVE3$ex5=K6Uh%Y8 zee?~v+l;W9_Qsi?mz`@ur0*+I6|lxj9lE9U%3QCOY;(&VmrK>N0w}q$79lO1+qks% zq_Me4P34J)UDcST)7urYw{zFthmi&(P$`-8SIOE}Ry}lFwnF~H_rs$B8zlbVR6-h2oOXnkcqpX!P0Lg9+nw@(JI- zBxW|7?9K3PtyB)aha(WX#yCu2*$I*rzpazJyPPm6e4Akf$X0S{ajg?rw?Y5E6T{<# z3iYE!+E2uKh#x-KVT_#d4kME~U%9U(UjM|UHKrBZ-;y?Y4^9P zDrt1meoq@g-FGt;vR%+_)F6}GKB120w_3Orn?LYsq1#h5Gpf6+bMPIzPx}wx zZ=iO;K>x|$*_IVXEi#_90x@X#H8yH^^JKeoGC+a^vB_b#C1+nfy55Vv-eMqqp3$(g z^eCSYNj;q7NY->)dyP#SJB&Ri?jRc?LWx|~I*Nx;5i+($%#94CqA6~6OsdqKKObd< zsnXyLbW|y4;0=ZLw83ONH%tfSeF@pIX_(jA=ONHx!*wG&t!5ssDpz~L_x0A+cGMr{ zVcHTmh&(*f^F%apQId@Q!2?D4Il1mg@-gR6yA0V9 z*mPjAIF`~~Q}a63Zd!=`qk6>e>q`?-sX{P{^iqd@sH$**YG7fSN@rkedL-r_uc~2i ztA}avd)+Fk^I&|0n!@W%Lun$XbY+%|G13YBh8*hutf%V;C4UG)8SwUQ&4WujqiY)` 
zwq%PHjwVU3`J1J~M~jH4p{BT@2lmN>h)bT7C3?FAXCoBzxC9paP zA`jHORD`QbVb#{_XFHD3&U!R3ZUDtU&Nd~XYf13wWQB^6=;m~oZf!$NdGM>~<%XSo z3@OuJeXOTYr_0a1D!P3Bl%Hij99lpmooVkd=CNb215|ZB4OIpu(@^>iP10JkA;qn(&C!}1yU=HXM)619gRdH5Rw<#4h6f|~SVSRklQB7-(c2_|d+ zS1_c5jR?8Q%%T4vR`(lF_U~`~4|B~nkVfc*7Hs|yTfUbwzPd~4p4-l!ewr^I` zeR_S;hJ`jntT{inU$5A4k)?vi2#RtO`KI=}T}6~zyA_r;fZn{DcOH&k?X|U@ew*RR zaa*@}VVaUv`#Qt&nDK6Xfql-_fQ@^x9t>ui1vCx1byT19ykG#J>kV18MvNj19a3sa zy8W);3O;NXBw)MNaK3+j6gWpBIX9=&ZiYTunTf47sNo9+U^|Lc*l^0TqYWlr-*(zay!Y&9YHt>ud942%pVe`cK4Q`Kxh=a{h{h22; zV*=s30ZzbQ#F-jyUE2wcXc@+xXlKvX{L)1HKxo!}q?v`N5ANSpA_|u~6KN8~Fqy}T z=rM#x|?PyZldu+Sq7)cZZ?gGL^F+yB#U7zFOpCGam=ZvJ$8V9NN#MF z+~ESBuRgY)DXfKYiUzo7S`aE>SI4r5LS7Umv6nsv>yL5}@=mMGCOttJmxw${yO0Mb zB*oNIlLbF5*K3z5k(h2;M>r&uV*l_7UAIi>G^(?tB? zK8YlJc+>a0ywxX`t!#ozJWO&$IS1t3%^IMMG@Nr8i4gdCvZenJ`v15(X zH_s7J8#zYP@eIYVK&{rm)%tNwQNT~#rR`hMn`Vx)0yw4qvB9OX?`>%fysbCLMRXXq zI)(+4{NJF1AjOX1q7F-U&aDL}%8pU!yIQM~&)ERxV8biZLB8r?joml6@OdKYw&s2; zD;7c;H5VLuyiP)(P9<)D+t|F`&OOFBeKZq}eDPD`y+)G^wNhBmM3K1fR}1)r-5AY4 zWIn~tmXCMOG&Bh)O|zc4WPL`{IcdX^3|CR#!E-QnZF#5GpyMg}1ir_Q7f4Rr3Js#3 zVA{<~$ukFF!?8R@=y(mO+*|ypw7&@dWP5A2Go6TSjlgvsWJNn}gm*;0LG>i3m?aX3 z1E`Xk()p8demRnY^8M^=<1+#Wa^S5gLS(fhd|b31u#N|pyUtrUU|&U$tXkh#q8+4^ zq;6hp%NVn;;{k!tA-WZn^2%ePMf`4Bkg^}`#Uxj>S7jM6=E6cp@;&Tg@tyTlY8? 
zgWYU)6s*F%^4JF&F7|~GXcb42wa<4Ux0MRhr5+sGlAl4iK>4*Rv?VU)95W>a5sxjh zW$mJKambk#{)9MPlZ|6}_ zD|Yxoq*50gH{9O-LP=VmI}~o4WBkwVi6jr_MaQ!wG!_4TE~G)K!k7$N5l_I6SUS~m zD)n@?I03{HWWj?ZGk8{1j2LkrYReKd=Mwm1{nl%+URWcfW}%mqm-UZ{-|l3+r9zRA zpaTBgaukWft;*qw5mda2U%N z;H`JA&zE?*12#gT=#(@mm{Bxu!3eM>(I81h-J);ce}5i^D(XSK_l;BFheL~CeXwb0 zTS@%RSWziJYhec72V#!dVY40GXncVP)H^BlqB>}Qy@A%Do9DFDTsX$vNX`0D&h;bh z#{)<%?C5>gj?#jZ-E6TLgFeZxM;@#3B5hesTe1Z%H7vL?6_tWSvu{m84$qF%0>Ifgu}&XA~Ni-BxTzxmu7;amNXBv({C?= z#S(C8IF6IvuBi>waC%uXDPQ!de*fj>^L?iAN2`ht8bF)*hRz?)Jy=I?ueztZ=GQZE zrSTSlPoZ8-T5#OS>nebjQe_YKlB-!G{TQd4Lb6xYU62+z0v~Wc3#d%*WHB8&56}8) z*DGDLIa@gRW0j`+iiO=)T?be~BZOYV%*!-BT6K0ntY*$&GdsIun0Vg-xTmV)fUFqN zdGTnk=lP>K#;3E+2EhEw2IumN5rI7qt~3SaiEDca!fTG|Fza%a=)>m11|T#+9)nb% zdx*&!F!092ej^0u*K2xpXUgr=?Sid&ejXjXN7px2A>Ty%mP4g1CBM3Y!ueJ<-xUm!Q_K^ z;p|>}CYsq$L~XFg#(Lvo98ldx0*v$6%-B1YF=Dy2&n@pqJ|W4?lt;i9LiQCql4gk9 zKzGDAFB%ofW23AmmFPR{kt{*|6{g|`$ocy3*oi6V@Xs~wdMD-xQI-~!pAZKmWThG{1 zF2d?>6&8b%f#b4w1%5dG2wE1WVqr71(R_!VyW$?0)}7?Yg&DNclh>^l9BX}sfuYMr z$i$j69tz}5KFlSR6fyUbQQP!QqWez*H(T}C;G)H_^x)EPER7ju`H?)LMbnlclzLO^3R!>h8ZT9L|uW+k>DU6(>P!|g6lD6iQl5;!m@Ek3}V}TmtsVj zCk6xExg&7(aBm!FO;%FwCIT70C^`p6*OYj$9?gn5{&ML8TV7RYkr%_gyUzIkFw^uf z&1t9ZT5ATS%2hfN(^;zgs=;Q#gUc6Kg1kLrG#6%O{oi_fWu8Nc1n-ys_)yLO=aw|} zjj+knSyRLvN5(ck#owoifmozt`if<`V;ecJr&@!OBS(`9PFpC@UZov5qVC z_*JGVBN9TeM%HVF1{ZnX#dG0h#G|-S61xD>IA@lAjPtCf>KUrGyiJv?JI{zo3T>25 zzv#h3?^6BQsS+zu?27w(UGBmX0j7>f$8jAO#mpYQ-?$9zPDqN$FD8vwWlmWES=O5( z*uJy1-qy0BfY{Sk6A>(qWK8)Ud>L6l=W#qGnG8x#ZDb4~rvJw(%t0)}su664c*7-} z%}XQ;h7EbxolaIX|7{8GlRGi61r}1m`jeeP-+W$uoz(IKt5_5?ctGOS>b)Y+96MnM zJeP*!>9}#+!Ur%N1TSV8n(hzJnxgL}GYqNhC`sD`$=n;x(TgJKRH8ww#)x%t>L6Jq z0z3RSxU z5M%o;hQrLg#aEvDH$#dw6QV$5 z$IY{^DhpP=2a@L!8%cj-OHvM} zZ{j)vW-N!8Ft&-(dJS&TKmrs!&7etc*D(y*-D@5=vG8?mR@ao>$=)n<_EUd#f6DaG zrBy3?w-VBdpZa-L0o?3A~~hE6f$w^`&Mq^3-7%6U#+c&C?Z#&l3oiV3csL%mz}IEvrv%PwE} zAD790-_ZNuWb~heA56Vvt_V8Qj3*8B?-^b>JKgJ_qOM_?9uw#-D_9phFWQmwy zezD&eq^Q{F2c(U=@gpPs2;*+&&0@g8Sk_)ctO=`#K2%YX7J0H0Ch}eH`nD9IS%LdZ} 
zX$DeC1IcStO0`(wCEI#k>J0 z8|fmIGu%Z#VzG6k5njz;L!bo~GEjPy?auL_7EB!Xmexi(DJ<&73xnx5jZ)e_aRD@i zu2@o#(r^zOi5QzPRlIF)4a!%^WdhnnS$E}?+hanZ;JBtRBDl)SeA*1553-@&Vv~eG zYr^mu`%;+a-G=!{Sl$Afj4YwI^zt3UOmPq`hQi(vngkE-bm%R_2(OeY{v1>wu7UC_ zq4(k3{g;i~d&`wkxZvY_ry9)`mprE$EJETnh`JeL39}aDXSv~s7^?A1J|97r@Ks&s ztBp?tVjM*WNhTYpPU67{H5`Kq4-HNv`{yIdp~TwoF=@6xYBN2oC!Q0J$p;tbt`uCQZKT1PC`Li7a37#X~x-2SqIAtv%p4U>BOcA-!@5#C5b=ep96 zte@5q@}x{W=rANt5E)}NqD0GJ&&ZLqDrccXUVEcTH5W9`0&Q$66LO(aGd!3hLrXki zsGR*7wL+~U$DzK`jsvu*4Ov-X1rOI~rYop2#6p3-^tnDZ+Vh{4upeL*TjBRb4)mg! z*l~O-)33Q*=6@*}(ZH*q=gKNQge22}j@TqR{4v~|xz$ohd5q1`?Q8)%4JQ%d5- zVf)8b{niq~XjyD2E7?DhkfesA?kRP~{5Ce&$+28n8++w7zpmj zJJ?RL@0g5>D>5go7`2V-Eg5h1q!!$<&=$Hz-W8h8WfQZH#-{j}2|$!S(lJkWmmR8BY=zM+g!Bj~lMNsI9F!t&U+&K}S4XFD>qF|4{G2;Fcc z_LWNmD2+-zSocNY%}$6F&mpmBvHLa8i54g3I<8t*4BLfYB)^1J&m?r?2scp%(9Wvs zM|`aq+%XOvf@XI?CP;}Ja87|+3|hNlbd_WCivmyZFIBT_qf5^vGY}3EM8CkJdhiw# zQeOJqY{R&b#^7|lFHeGePCs6Z-YFu+)NUT8N>9X+TIu=-E`lqSmQ!h&!D5@oOi?F- ze5`2V35)H-FMcp$+Bk5K>?u7Q!1aj5JP$D{IY}8Wabo{a3zBeW^~0#rE$-H zqy|vBZBv!yqN`e*qYF>pnVF4c2UB9(tYBv~+a z>M-_IO-*BYp5X5lCam6*K)DVUlz)Jpu^et+*-AN3lXFQSVWqkX6B4AbMFSjiCHhR@ zR#!s} z>XqzVE^rbr_VqHpPZ#C!6}D2+rKO9gVxw>|t&)U2L+Z#8y@Jwj=j9 z@^`JwT0+@g%|v@uvO6q1NNPl_HZVy>dZMiXHNn#*E>$_c+o4{(z8=)F)NVL*xQxS< zrZpYk7fCn`F<$3F6=JH0%5ZNArJE5j$U=AZ!7W5Vl&2GS)!Hmmos)&FMpvvZWWd;I zguVnQH=US~I#zL zeFau0USg1}P`?IFB)82i$SD0Cu>ecBMF5&@_NU9c(YlT5h%#Z8N);A?;S<{AX@4!*5W>E@cK-Q+N$3q70r1A>n|g=X7W>Mi6_39vELzMBd*gdJd0Xl2NbfAyv| zI}vNQ%p$qtTuBGAzCl|abb#?1!5%QzB;>)1D<_Jwq2`%ZiW4gC^X;abF-SJAPCP)r zyDFc!=TxaVySp=qED{>g8&c-#n4C;+_ALo|+yhpMjT}o#Yd6(vtG+HN#AWcM>nh86 zb0O$LjK`pPwLmZc*JL;3IlD<53(c&%4AvDeGtcLGs&eMW>P|1`Djyu|yk(OE z%GN#Zk5#nS_1R7oTdf}G9AV~i`Neayvw&f~TQ5uMnhF!|#_mgYkTw)R#2#&-9(nHN zDd)&3YiDV7f;o>866kW9ZCbRdtg&7&*w@Ju9>lS3tL&HFOFuQg4IgVmDP(U9a6dbUp8d;w_sk zMhjEGMkidU+Mea8HP;)btHpTxu)Ua@Zk9i_$wvS(?d5Ad&p*@I)Jru$*F=rZ1HM!* zV|L&zd;w&;urKNzlkD7D-5zotJMYKH(LO{=A$WE*GEBnsAc$~A!yHYNC;@aG+h0(8 
z8I45n(%Cl_bki(p6Qt^@0f{zuP|kfcblcT#iW^toO@xdk+zz8efYaClhBlgQ#d@UT zU$1;neLp+%=~=Rf`Hn8mM{OZ(B&K>WJ*q>{ngJV0IkIED78x7X8#PL4`MGlL{yPM0 zLtdXbv~g>&r{W<8$*BLcOu$v+VABuU3F$i2{o9LkE+E7|IeKlyXV=xhtpHzKQdulB z%Q;YUmfW71KFfpT@R-q^eUvhAW?D?8{fk9+l1kON=1`dEc)1OU7k=)UFS>!GCsIS+eI-15hXv>1jJx$@Wv33Nsn8 zeM?z3Ll2i|s%b>M22cydTThZBKO>mGv>~i3rk2(=DeIpqVs}t#(ckEH)Ri|*QJ74djBhUPAtva8Itv%b~jA}|w^4@1J;O@w~ zP1iRbyi$aTi83JoUf7%#8HUBmMLePpNFkzUCZ8hr^?>G+vp_p-{J={1C$#jRPuAyj z`TYmv9gs8Yc^r5A_+uhuXqpx3t$^`cO9QlFD-|->X*c!+CfD2;cCeWGKgrm)WLJNh zk$<{Z1#fX@&-BKfdp=E{iQZ0Fq%lLuRSXu(-8SvydDSLdf@fNxGh!1(6h zMScRI|EF6bi<^{5=e-I63Hn!7_;=ncxN*fwfT~5@u8sfSuHp`G!r|N}*=zrovF!0t z2Y^`a9=O8)c9j}HSvNsXGuHoTO8;+<_BZ<^zj=wDo}ek@2LR8-ZijjOwPAkx%^!?6 z4gtbf`JxW3|LrRM+rZ|>-I-qhA4dBJcmAV6aaRLWz>;jc|LrQI697bAQ(hMNAN=5t z?)(RjPnXd@tlXLLHx2(Aze1LRAQ$54D)@hikiXAE*?#a$>Sy%6gmL|sllsM@jXMFS z?60e2|8LIilF*dJeL(qSGjX+Yvg**JY-x~5^j(n!IT`l)icGL`!Wi;tQThFG{+l@s zS_KBn!>>HB_rq#&83-GJ8gTw%2X4HK-8g#G&buTbdSIcP!fH+Hm}rydWiMnX>$mse z`q2PNoz?BIU=|ePT*ORA*D1ijsG)%x2h_Gkt?h)g_e)xrgLQvHa)USM1*wAR0d5A@ zo~Y{QD=i+h_q7&wt0s3pCJU27qoId1Yn_jUVLSjkQcK*TB~I9fJwjg3rBzlvR>=)G z|KJ!=cx<>*uEQmu`O}h$@GLxz<3&^Tjn*Rm-V?80584?uKCS^KKdxU`=^jc(XdQA= zl|hub&Y1A4P1@G8kJEej1_e1hL_eCUR}#5Wv3X#H zuP!`Ppl;M&+apsGGRi3)3V?0oD_F$>a*bS1=M)B2I9JwMWTky5+k}-|?X!^Mi@n+=(wXJLzndM!@iqfwH;?!)$_K&<O}BJxqFO)8eLEB$${CaN zpl=KX$kht-50R_0j=)(z?c6&Q4`F4$k`6t*)B?8UM@cTT9;`N|(7fD_=LM>Ny%S_? 
zN8$)LDsBPjaErwL3_=I}sN8R^B2e7i9f=d!<~UmNKQ%%A*Go9^28dD+H(lt5P6^iW z^>NtvI=9}@J0z17^1FeANy^16LG+kV22!stDH3|9b9&UcvwaMO|F69-k4rN9{x35d z>ti+9)MVK*Gi96FrnrTUPT8h5IpTs_<0J_p7K1yQ)z~zawyL@2R1ylJDWIZaO=*o= zrGScCS)veb2q=htuUY=G(UzItpZeGHlIMZ@ocq4#o_m(}IS_Rf5I$pB)=Bk8umsaN zo@m{}1dhYO+^!w*S-dkKJHA2qH}CYb zoR#%~RE4$XXlVpE>sxDBs9m6`EON#J$7IB-b`#3$1y!AJ3j2;S`xG6r@Td|Zcfp%u zd3cldg~xXHepEe9ox!d<7fZIMki*H@Gu%eguCg|Hq~9eMS8Z#F_0qz^)0(#_$Yn$t zW0^;N2WTW4aKBjE&H437X0)Pl8x6*%CTwkIcX<|a0;LQ)Hnuav)J@*~SG0mk?Yfg9 zD012vTU5--X!pWiyVT2p@+$GJ!K!%LYA^oUlE7DW*_X{zsOL}bLWM1W4!G|u>dSAw z;qk2Y>K|Ir@8aS^;b$$H$oZNnPV`p~opw4YB+YJgcFSFM)cZ6cADv(CrNAWhiM_gI z{%eyZYp+s$lkWG#E3Zo9l9Y2q?k8c|CRa5_kOmvea&p{G{){)!7W;tk=ViZR6?*mn zaC>i9e<8TEU&qmK7^H(I=AsVYOH;jaes<%cZ}yv!BdVP|h$D9wg!)SK!b>T5AxcYl zG%g#YdKU>V)yq94v0LvOpxKvvxwUzyB4YM0(E2Zr|F|4YerjzRL8PWDcv#d8x9%m^ zLH=ho3>lECnILtgSQVYyB(?KPcvWWd(hp>-U-fORi)RmSkIrrSyKX0^iX}C8!P>`! zA5nv(S%W+SJ+Wd0)9n-V;&zq(49F?%H9s6!eB?{jg@W~e8-3qg_BZsR^oPHUE;@Rw zMQskm7zRhax>!VCF*1X)0}XE4Q_3E~^MtfmOJ4 zt*56G(xseGRDzZK*xyn}I7n6sf%KI=PVL?;tMoT$5qk&5ETUCNNh(@cpC(25@)2ot z=qoEMMM_gt+)}a3VGkzddX3)5!Ex3XvJ1~Xl~uI zuvbEY*l}+Xo-9BfPyXD^UB0okk{~bG#vijY2#arrla#M7V!t}&t+yve;)PYn#DtTC z4Qn_pAjv^}%^kncghc`eRo}IFfrEW7kIWz~$XiQ_S$#MY!E8a6Y*MVNi+OxlNKg@^ zt<;UmMn0oDxn(fehbX+E-rnAZd|r^i<7ijsCLY&Gjg{p?Mru-{Llal<4EH?DjOgKO zu#4G3(|{g#+y*HP;eETk!Vn~|6)5=jOeakVE>mX+qa~(k&n!EwLa&!?l?So~3To=G zoQJ(#S(jhY_WVKQ{*hGP`cR?lpebvEn1;9|v16{Xz~^EW8Z;3jB&``{8@hCDZK2Sw z^XVUnTzSannj-FQvkM1* zb+g|+)+nv@ijto4Rd+XYxT@#c3$Y9B)x2(@PbO<8#-IY#-S63|9;V7|_nDss4ER+W z>tYwegCh^C9a%fXQS#}eM8#$!@kHWpcNh5`$lDG_THoG*$s)mvAUs=JT5ZDC?a?xo z`^2*SUqD2AE0^ht8}qRUM~mT$1;G1^ruh(2w_}!EI`Bp2>}TxCojmn*jeg`qZX>X= z{)dnS}k|z(l4mDuvs<`#^k@hPGk8%&$gC08$zBP@u7;~TcrCntcwaXO`nrn8CqHpEbThG&|?MH z!7J8~N0_}4^}B(deRM7cu4ce)#WJ9h`pr*0JC>!-EK3zoyZdo~K!Zh;wO6qo=@~m_ z3>z;_DR`-tsAu5Jj3m2&CND`oXb2t}GT_VlrKZtdt=t+(ELQmcxnn2GCrO|qE&}xS zD3J1#_G7Yq=zcNTrufFS{Ub@YtM?`QFaN|d&$zwXuH(Bys(SkkdB8weIMn3omcy%J 
zyvgcm$Y)uniEJt(NQ`70`RclJQox;>Xv4+I#-0j&@BUm?M@k+0GUTM7_KBmV8m!Tab?+Bd?PS*wjCs9MtS&s4Rh> z(BtLYib_Pm`Cs1=2=>TR{m3b))lR{1LaLdoDa@rim$FjmNN%H+AdO>({pyiP7JyS2 z^)+qPx2R-yFoVItH!#K!iQ}x?YZfkLer_@n4~6!+tijKLNRoW;QF!*SXsAdb;odM+ zUBn?br!<@iLCHgzRkxTiZ5lsNsvjNX24zAm6?i?fcoex^L*L2;SLD=!EB2_~hw8rk z+4@-roF=@Y`xKpf}UTr zq%W;*s{Y1yKgxu8%q;KkWy3M#0`kmar?R@`<~5dT)}B^!L$b=(b&uk3jax_h;VIXK z>w`dg3GCZi1S5&GrX<^tDp4Tt$ub;~(|{*ZhHqLS^8$LGpY7ho#&ES$TlKqZFVMX+ zx#^Z8F0TZd0))$mFhrJ)s;i2|OF}`eqeis&M~dEMzs&9%!_7qIb|*P5MO-|bpBaHG z%*{wvrEz3@{4#noBXd6Qv(mc(M6>EVwuJNvStSZ-mUj{=M!3r!J| z3HUvrNc+95t<6qb;P>;@3w?EovS9cZCOlEdxj-rBP9~b9A*sODR!Q5?*v2`a z#ZiVdLqM%m;9V37MWa9*`l^@`DI?;Jv2{(bexhCmPDXcLW> z(gL=KB*7)WVYm2nz1H&$a3#9kEY2Pi#eJ}m+nowlY|%Txa$9b^axRQj!hRe_(A{@wL3xPr8fl}^nM8wusQ7)h{R(ib7gHBJJ4shTm)+N&Y@Neh%+ z>?+Wdhw5u`@=Z~038fkZ$%xwvd^mpMYmWx4e1y%CiWdd~4#iQA#0+jw1Xe8y@~IAx zV44bW&(9ON?5DE+y&pXUOgt!s<3}BboU1>Mxm4?ZT#fmv(uT|a?K(0cwX(TE_6pj%JO`dpW7 z#R1@O^PHFFJf^R$udCcyl<2fHIX#@-FW!8ZXyhqtSgb4`tPTt1_aaMBT;HbUn8M!1 zvJBk$N~V7_CzI?xet$m7^pI5FKU-CBO5=DX)?f#$it49*zb*<} zJ=z=~lOvpuO0sBU3%F1W_k4&9rf1^V(r^ut0d=zw)gP(d(C!*W0X89z_zbQwjXIA+Zp^Pj%oDSyr=*vr*MHI?}_>Wjn341^-ibvJ#TJOh*Q*wN7Tp`$+!- zont>2FG5X;cZqWV;5oNU?w zyLVX7P-`SJ?8i~taCoY~_8bIePtKvC+Bnsqg9SY@a;dIP7;;ahj3p8`)0jTzoXXOm z$daunr!q_%Nq){>4>PkURYJTGb(Q{nK3be#;NRW+XYp6q^>GHZWsmcbcKE0I9KMN6 zV4+BAccz}V)XeGDO>HgkV`WsW#j`_4*OZN(RJMd$A!rBLP-^%#P>Ixi12ko$l|1`m8K9)^!LC5meGHsFWhSe1ZkLHI) z3*u{s8$wO#eo!g8fKC;EzQP(MB9VS|2=o>Nr-!;jU@0QEpgSb{V|B>ZT5(q&!{^~& znoHFE1Qzg&gkievEVw`^NcAh484P*gcPcwR3tnoohs3&2jPymvLNwXEi=bT3!bWUE zFA|MksPjEtUwUC}8d()V-z{uRe40tNI~j}?oJyod=Mr%@ zV_=r|?oyj^sD{!`(^b%rJR_FuQ31`6p1tT2`EF~5Jtg@I+f1XtJGPu#5wT~KPK%4P z6|$jQE~eER{z~+~y=VaZ)ePj*;z;4(!v@bHkGiUt3ltoZaV5*KRols5G-Q zlLtsGZL*4_qd(2(b8Wbt!-hy6{br#+Ror#TS0VF!=Jo)l3O_;fHpf|Tk2OW7i%Xk*t`Vsx97+X$oe-;K zc(m>K)1_2C&=zf3wmgRVdopLR1;~%iGv?m9xgBC|D&{ar-^>=Gz`cH6cO4nRg zrueiJ7lnv^mhJ7?m`XlfSE_W3uxz{F@?&K3ZA>lL~fn9EW?zKKTL*3bk4 
zg=HBkM0|%ZtFn-F2@>gPihT$I4{=zAX-d8>hE$1wXSm3J$2TvjH;=#oDzR<-4F?1X z-<7d%vRRTdY+{wM(2op}76Jm@a>NdK_C5!ZBh3lX4tP5mi(9-ICYb6&wp~^(%NRvX zIrydOCa%(^hj?6NGPRj!C^ZQV92V8n26$==qH$`CB;rNls<{yyDhl79Qc2!fqYw}0 zg+^o1u`MapH5rteH=FBt=&^^#CHk!+{JSToOP8Rsjoo4hul3l=3af6v_j>2op z*%M)dh()`T7S=5f4ZZ+rAx1&{M{HEGtE44GdSq?w zSh#J914hY$HNIVEzP|tUYb?JuC9J>o1r|CB9r*2$k(j5fUB(FW)&?pnqsMDqZF5iX zx^;*}|L^80zV^L0i@ONI5$BfdC%$vy8@;dX@Tiq$%@Z6fQ z6pjk>)fnp)+`c8drgA3L*#QLke^v8A-*vd*ycL!C0n~AEPduG`>Ur+KCeXivOlbb> z`JOOSIiLk-lDKcf2S@zTA#EW8wB{xUy=9&KcW+eT1eP(ooG`}G^+_n0@GfIZr6d<* zy3_>m$1Kl(Hxi&lP{3{AsGIWqb3HQ?hg}1fmbHNRu~vj1UPmP)aBfEwh5YfkR`^8B zPXlIhFiZnxB2LDoG!2+>QB1g)2Fx^IrjWn{oQ&Ty4VZCJOuU%ZFw=mUTmlnuGJelA zV8%r;;bL0DOao>L2~5Dr_&w8r0iy8n)*hZQL%n0~58wYZnS*9p+f0LJatVyDqlp*O zfSFue)7oYtPR6D5E?`<`&s(8+e#C~`Ru=8%`&-21-k$J$)euo7$-QcF4N)+D%vzR{~nroA?Fxc09T9L@?FE;jZpAVRbzq(yq{s`mh6R zf}iaAQiHJJkTCxJ-q9wM&+BGR;W(`Ot_QSHjn@AXs`>KR2is_bF9Qy=D&HqpUU!@k z%pNTO5HC$}9+U|vOWi>0gQLrrPBB0;^@lB2AVq_}*0iL--Jnz4^=4kSECueqd=en& z1=4fh6h1T$YH8UvB8nL?SAZ}z!!AtYAK`*Ai9VYzcq0ydr4}h;)7h|SrcYJc8oYB4jNd|S4gvcSQK=1OF zn-GQNmt|f4A8~cc*Y`Y?+R*Tu4_Lk4iR=dI~!KvA?u+w7V~XMQAH9=>#=Z@;-E#Naj90<4t+6Nn>Ehp_ip z+LOa?^N30kbJxd)yaf1MtDmRGtB-!k=BTKsC8ml_o7o3<&YR3q01o4Pv*ETggUf#% zUV{Fx8@$AEanDFZ@&h|Ptz{wrK;g6Jugn`@kX-C*O{`mJ;IZMM!3Thk`_52rTFqbhl@)Irg1r^i zyOUV51|-6)?BgdGzkScQWBI@^|M}5%bpw8s=7)9tKc9NPmE4PK(E!mDrg`7t;ayPl5ak;MUCG*#l;-Z>Mf`w62qSY$nQz< z-R From f7e1600fa3f417409df6d722b48a21e95e108e59 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 17:44:55 -0800 Subject: [PATCH 369/523] rm timeout section from direct response docs (#4649) Signed-off-by: Arko Dasgupta --- .../en/docs/tasks/traffic/direct-response.md | 81 ------------------- .../latest/tasks/traffic/direct-response.md | 81 ------------------- .../en/v1.2/tasks/traffic/direct-response.md | 81 ------------------- 3 files changed, 243 deletions(-) 
diff --git a/site/content/en/docs/tasks/traffic/direct-response.md b/site/content/en/docs/tasks/traffic/direct-response.md index 4b9aaa5551e..dfaa6755d4d 100644 --- a/site/content/en/docs/tasks/traffic/direct-response.md +++ b/site/content/en/docs/tasks/traffic/direct-response.md @@ -160,87 +160,6 @@ spec: {{% /tab %}} {{< /tabpane >}} -```shell -curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I -``` - -```console -HTTP/1.1 200 OK -content-type: application/json -x-content-type-options: nosniff -date: Mon, 04 Mar 2024 02:34:21 GMT -content-length: 480 -``` - -Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. - -{{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} - -```shell -cat <}} - ```shell curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline ``` diff --git a/site/content/en/latest/tasks/traffic/direct-response.md b/site/content/en/latest/tasks/traffic/direct-response.md index 4b9aaa5551e..dfaa6755d4d 100644 --- a/site/content/en/latest/tasks/traffic/direct-response.md +++ b/site/content/en/latest/tasks/traffic/direct-response.md @@ -160,87 +160,6 @@ spec: {{% /tab %}} {{< /tabpane >}} -```shell -curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I -``` - -```console -HTTP/1.1 200 OK -content-type: application/json -x-content-type-options: nosniff -date: Mon, 04 Mar 2024 02:34:21 GMT -content-length: 480 -``` - -Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. - -{{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} - -```shell -cat <}} - ```shell curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline ``` diff --git a/site/content/en/v1.2/tasks/traffic/direct-response.md b/site/content/en/v1.2/tasks/traffic/direct-response.md index 4b9aaa5551e..dfaa6755d4d 100644 --- a/site/content/en/v1.2/tasks/traffic/direct-response.md 
+++ b/site/content/en/v1.2/tasks/traffic/direct-response.md @@ -160,87 +160,6 @@ spec: {{% /tab %}} {{< /tabpane >}} -```shell -curl --header "Host: timeout.example.com" http://${GATEWAY_HOST}/?delay=3s -I -``` - -```console -HTTP/1.1 200 OK -content-type: application/json -x-content-type-options: nosniff -date: Mon, 04 Mar 2024 02:34:21 GMT -content-length: 480 -``` - -Then we set the request timeout to 2 seconds. In this case, Envoy Gateway will respond with a timeout. - -{{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} - -```shell -cat <}} - ```shell curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/inline ``` From 7f03dd57245485120a54161febd639e759990a81 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 17:47:07 -0800 Subject: [PATCH 370/523] docs: update upgrade notes (#4651) * update upgrade notes Signed-off-by: Arko Dasgupta * lint Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/content/en/docs/install/install-helm.md | 4 ++++ site/content/en/docs/install/install-yaml.md | 19 ++++++------------- .../content/en/latest/install/install-helm.md | 4 ++++ .../content/en/latest/install/install-yaml.md | 19 ++++++------------- site/content/en/v1.2/install/install-helm.md | 4 ++++ site/content/en/v1.2/install/install-yaml.md | 19 ++++++------------- 6 files changed, 30 insertions(+), 39 deletions(-) diff --git a/site/content/en/docs/install/install-helm.md b/site/content/en/docs/install/install-helm.md index 277856b9aac..b9768eca129 100644 --- a/site/content/en/docs/install/install-helm.md +++ b/site/content/en/docs/install/install-helm.md 
@@ -59,6 +59,10 @@ consideration when debugging. [`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml +## Upgrading from a previous version + +Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. + ## Helm chart customizations Some of the quick ways of using the helm install command for envoy gateway installation are below. diff --git a/site/content/en/docs/install/install-yaml.md b/site/content/en/docs/install/install-yaml.md index c0a8d1caa72..0da5ca9cca1 100644 --- a/site/content/en/docs/install/install-yaml.md +++ b/site/content/en/docs/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.27 or later +* Kubernetes 1.28 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} @@ -38,15 +38,12 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). -## Upgrading from v1.0 +## Upgrading from v1.1 -Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. +Some manual migration steps are required to upgrade Envoy Gateway to v1.2. -1. Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` +1. Update your `GRPCRoute` and `ReferenceGrant` resources if the storage version being used is `v1alpha2`. +Follow the steps in Gateway-API [v1.2 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v12-upgrade-notes) 2. Update Gateway-API and Envoy Gateway CRDs: 
@@ -56,11 +53,7 @@ kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi- kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated ``` -3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -5. Install Envoy Gateway {{< yaml-version >}}: +3. Install Envoy Gateway {{< yaml-version >}}: ```shell helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system diff --git a/site/content/en/latest/install/install-helm.md b/site/content/en/latest/install/install-helm.md index 277856b9aac..b9768eca129 100644 --- a/site/content/en/latest/install/install-helm.md +++ b/site/content/en/latest/install/install-helm.md @@ -59,6 +59,10 @@ consideration when debugging. [`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml +## Upgrading from a previous version + +Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. + ## Helm chart customizations Some of the quick ways of using the helm install command for envoy gateway installation are below. diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index c0a8d1caa72..0da5ca9cca1 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.27 or later +* Kubernetes 1.28 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} 
@@ -38,15 +38,12 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). -## Upgrading from v1.0 +## Upgrading from v1.1 -Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. +Some manual migration steps are required to upgrade Envoy Gateway to v1.2. -1. Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` +1. Update your `GRPCRoute` and `ReferenceGrant` resources if the storage version being used is `v1alpha2`. +Follow the steps in Gateway-API [v1.2 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v12-upgrade-notes) 2. Update Gateway-API and Envoy Gateway CRDs: @@ -56,11 +53,7 @@ kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi- kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated ``` -3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -5. Install Envoy Gateway {{< yaml-version >}}: +3. Install Envoy Gateway {{< yaml-version >}}: ```shell helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system diff --git a/site/content/en/v1.2/install/install-helm.md b/site/content/en/v1.2/install/install-helm.md index 277856b9aac..b9768eca129 100644 --- a/site/content/en/v1.2/install/install-helm.md +++ b/site/content/en/v1.2/install/install-helm.md 
@@ -59,6 +59,10 @@ consideration when debugging. [`quickstart.yaml`]: https://github.com/envoyproxy/gateway/releases/download/{{< yaml-version >}}/quickstart.yaml +## Upgrading from a previous version + +Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. + ## Helm chart customizations Some of the quick ways of using the helm install command for envoy gateway installation are below. diff --git a/site/content/en/v1.2/install/install-yaml.md b/site/content/en/v1.2/install/install-yaml.md index c0a8d1caa72..0da5ca9cca1 100644 --- a/site/content/en/v1.2/install/install-yaml.md +++ b/site/content/en/v1.2/install/install-yaml.md @@ -13,7 +13,7 @@ installation, it is recommended that you use helm. Envoy Gateway is designed to run in Kubernetes for production. The most essential requirements are: -* Kubernetes 1.27 or later +* Kubernetes 1.28 or later * The `kubectl` command-line tool {{% alert title="Compatibility Matrix" color="warning" %}} @@ -38,15 +38,12 @@ Refer to the [Developer Guide](../../contributions/develop) to learn more. Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). -## Upgrading from v1.0 +## Upgrading from v1.1 -Due to breaking changes in Gateway API v1.1, some manual migration steps are required to upgrade Envoy Gateway to v1.1. +Some manual migration steps are required to upgrade Envoy Gateway to v1.2. -1. Delete `BackendTLSPolicy` CRD (and resources): - -```shell -kubectl delete crd backendtlspolicies.gateway.networking.k8s.io -``` +1. Update your `GRPCRoute` and `ReferenceGrant` resources if the storage version being used is `v1alpha2`. +Follow the steps in Gateway-API [v1.2 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v12-upgrade-notes) 2. Update Gateway-API and Envoy Gateway CRDs: 
@@ -56,11 +53,7 @@ kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi- kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated ``` -3. Update your `BackendTLSPolicy` and `GRPCRoute` resources according to Gateway-API [v1.1 Upgrade Notes](https://gateway-api.sigs.k8s.io/guides/#v11-upgrade-notes) - -4. Update your Envoy Gateway xPolicy resources: remove the namespace section from targetRef. - -5. Install Envoy Gateway {{< yaml-version >}}: +3. Install Envoy Gateway {{< yaml-version >}}: ```shell helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system From 3b1518ea31493cd310ac581852afcbeaab990fd2 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 6 Nov 2024 18:01:20 -0800 Subject: [PATCH 371/523] v1.2.1 release notes (#4655) Signed-off-by: Arko Dasgupta --- release-notes/v1.2.1.yaml | 4 ++++ site/content/en/news/releases/notes/v1.2.1.md | 9 +++++++++ 2 files changed, 13 insertions(+) create mode 100644 release-notes/v1.2.1.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.1.md diff --git a/release-notes/v1.2.1.yaml b/release-notes/v1.2.1.yaml new file mode 100644 index 00000000000..39ba67fa2ab --- /dev/null +++ b/release-notes/v1.2.1.yaml @@ -0,0 +1,4 @@ +date: November 7, 2024 + +bug fixes: | + Fixed a panic in the provider goroutine when the body in the direct response configuration was nil. diff --git a/site/content/en/news/releases/notes/v1.2.1.md b/site/content/en/news/releases/notes/v1.2.1.md new file mode 100644 index 00000000000..991183eca78 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.1.md @@ -0,0 +1,9 @@ +--- +title: "v1.2.1" +publishdate: 2024-11-07 +--- + +Date: November 7, 2024 + +## Bug fixes +- Fixed a panic in the provider goroutine when the body in the direct response configuration was nil. From 6458ae9b6855249e2b53988be52eaa2d7275dd08 Mon Sep 17 00:00:00 2001 
From: Huabing Zhao Date: Thu, 7 Nov 2024 10:06:47 +0800 Subject: [PATCH 372/523] docs: unhide cookiedomain for OIDC (#4653) unhide cookiedomain for OIDC Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 1 - site/content/en/docs/api/extension_types.md | 1 + site/content/en/latest/api/extension_types.md | 1 + site/content/en/v1.2/api/extension_types.md | 1 + site/content/zh/latest/api/extension_types.md | 1 + 5 files changed, 4 insertions(+), 1 deletion(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index dfe7a4604f4..8591cc20f0d 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -42,7 +42,6 @@ type OIDC struct { // If set, the cookies will be set on the specified domain and all subdomains. // This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. // +optional - // +notImplementedHide // +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$` CookieDomain *string `json:"cookieDomain,omitempty"` diff --git a/site/content/en/docs/api/extension_types.md b/site/content/en/docs/api/extension_types.md index 23f69fd832a..8ab8f50c81f 100644 --- a/site/content/en/docs/api/extension_types.md +++ b/site/content/en/docs/api/extension_types.md @@ -2648,6 +2648,7 @@ _Appears in:_ | `clientID` | _string_ | true | The client ID to be used in the OIDC
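Review bot: The field comment on `CookieDomain` in api/v1alpha1/oidc_types.go does not state the trust consequence of setting it, and with `+notImplementedHide` removed that comment becomes the published API reference text. Once a domain is set, the access and ID token cookies are sent to every subdomain of it, so each host under that domain has to be trusted with those tokens. I would add a line such as `// Only set this to a domain whose subdomains are all trusted to receive the access and ID token cookies.` Separately, the validation pattern on the context line makes the trailing group mandatory for every label after the first, so a one-character label after a dot (for example `a.b.example.com`) is rejected. If that is not intended, the repeated part should read `(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`. The `OIDC` struct begins before this hunk and continues after it.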
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 23f69fd832a..8ab8f50c81f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2648,6 +2648,7 @@ _Appears in:_ | `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | diff --git a/site/content/en/v1.2/api/extension_types.md b/site/content/en/v1.2/api/extension_types.md index 23f69fd832a..8ab8f50c81f 100644 --- a/site/content/en/v1.2/api/extension_types.md +++ b/site/content/en/v1.2/api/extension_types.md @@ -2648,6 +2648,7 @@ _Appears in:_ | `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 23f69fd832a..8ab8f50c81f 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2648,6 +2648,7 @@ _Appears in:_ | `clientID` | _string_ | true | The client ID to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key
"client-secret". | | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ | false | The optional cookie name overrides to be used for Bearer and IdToken cookies in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses a randomly generated suffix | +| `cookieDomain` | _string_ | false | The optional domain to set the access and ID token cookies on.
If not set, the cookies will default to the host of the request, not including the subdomains.
If set, the cookies will be set on the specified domain and all subdomains.
This means that requests to any subdomain will not require reauthentication after users log in to the parent domain. | | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
From 5373efe3d89b5e32b84fb68eec1a99b1f38357e7 Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Thu, 7 Nov 2024 10:13:21 +0800
Subject: [PATCH 373/523] fix release build (#4645) (#4652)
(cherry picked from commit dd1c66fb024e1ce76f59fe1480900307e9ae480d)
Signed-off-by: Huabing Zhao
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6c4d715edc8..2235d0e573c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -57,7 +57,7 @@ jobs:
 shell: bash
 run: |
 echo "release_tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV
- echo "without_v_release_tag=${release_tag:1}" >> $GITHUB_ENV
+ echo "without_v_release_tag=$(echo ${GITHUB_REF##*/v})" >> $GITHUB_ENV
 echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 - name: Login to DockerHub
From 2b494e4aada31ddc05a776fa69e89e1501c51a75 Mon Sep 17 00:00:00 2001
From: Arko Dasgupta
Date: Wed, 6 Nov 2024 18:19:04 -0800
Subject: [PATCH 374/523] bump version to v1.2.1 (#4656)
Signed-off-by: Arko Dasgupta
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 79127d85a49..6a5e98a744e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v1.2.0
+v1.2.1
From aeb68487e73674286b323ff402ff8425f1c6fc53 Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Thu, 7 Nov 2024 15:40:49 +0800
Subject: [PATCH 375/523] v1.2.1: update helm version short code (#4664)
update helm version short code
Signed-off-by: Huabing Zhao
---
 site/layouts/shortcodes/helm-version.html | 4 ++--
 site/layouts/shortcodes/yaml-version.html | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html
index 9ee7d09e6ab..b28198f58ee 100644
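Review bot: In the `run:` block of .github/workflows/release.yaml, the new `without_v_release_tag` line parses the ref a second time with an unquoted expansion, and `${GITHUB_REF##*/v}` leaves the whole ref untouched when it contains no `/v`, so a tag pushed without the `v` prefix would write `refs/tags/...` into the environment file. Deriving both values from one quoted shell variable keeps them consistent: `release_tag="${GITHUB_REF##*/}"` followed by `echo "without_v_release_tag=${release_tag#v}" >> "$GITHUB_ENV"`. The step continues outside the hunk, so whether later steps validate the tag format before using it in image or chart names is not visible here.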
--- a/site/layouts/shortcodes/helm-version.html
+++ b/site/layouts/shortcodes/helm-version.html
@@ -6,8 +6,8 @@
 {{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.2") -}}
-{{- "v1.2.0" -}}
+{{- "v1.2.1" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.2.0" -}}
+{{- "v1.2.1" -}}
 {{- end -}}
diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html
index 36f702f75e0..55d18309a95 100644
--- a/site/layouts/shortcodes/yaml-version.html
+++ b/site/layouts/shortcodes/yaml-version.html
@@ -6,8 +6,8 @@
 {{- "v1.1.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.2") -}}
-{{- "v1.2.0" -}}
+{{- "v1.2.1" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.2.0" -}}
+{{- "v1.2.1" -}}
 {{- end -}}
From 77ffb7118e1d6de21db85339465f4d71cfdedc88 Mon Sep 17 00:00:00 2001
From: Joost Naaijen
Date: Thu, 7 Nov 2024 19:42:12 +0100
Subject: [PATCH 376/523] Docs: fix incorrect namespace mention (#4563)
* Update metadata.md The namespace is incorrect
Signed-off-by: Joost Naaijen
* Update metadata.md
Signed-off-by: Joost Naaijen
* Update metadata.md
Signed-off-by: Joost Naaijen
---------
Signed-off-by: Joost Naaijen
---
 .../en/contributions/design/metadata.md | 22 ++++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/site/content/en/contributions/design/metadata.md b/site/content/en/contributions/design/metadata.md
index 143f5b2797d..f6564f3ccd5 100644
--- a/site/content/en/contributions/design/metadata.md
+++ b/site/content/en/contributions/design/metadata.md
@@ -25,7 +25,27 @@ Future enhancements may include: ## Translation -Envoy Gateway uses the following namespace for envoy resource metadata: `io.envoyproxy.gateway.metadata`. For example, an envoy [route][] resource may have the following metadata structure: +Envoy Gateway uses the following namespace for envoy resource metadata: `gateway.envoyproxy.io/`. For example, an envoy [route][] resource may have the following metadata structure: + +Kubernetes resource: + +```yaml +kind: HTTPRoute +apiVersion: gateway.networking.k8s.io/v1 +metadata: + annotations: + gateway.envoyproxy.io/foo: bar + name: myroute + namespace: gateway-conformance-infra +spec: + rules: + matches: + - path: + type: PathPrefix + value: /mypath +``` + +Metadata structure: ```yaml name: httproute/gateway-conformance-infra/myroute/rule/0/match/0/* From a9636c824ee2246ea393ed5427e10bc790fa9517 Mon Sep 17 00:00:00 2001 From: Ido Itzkovich Date: Thu, 7 Nov 2024 21:34:10 +0200 Subject: [PATCH 377/523] Feat: add HTTPRoute-rule name to envoy route metadata (#4561) * add route-rule name to envoy route metadata Signed-off-by: Ido Itzkovich * add rule name to metadata even when no matchers exist Signed-off-by: Ido Itzkovich Co-authored-by: Guy Daich --- internal/gatewayapi/route.go | 16 ++++++--- .../testdata/grpcroute-with-backend.in.yaml | 1 + .../testdata/grpcroute-with-backend.out.yaml | 3 ++ .../testdata/httproute-with-metadata.in.yaml | 11 +++++- .../testdata/httproute-with-metadata.out.yaml | 34 +++++++++++++++++++ 5 files changed, 59 insertions(+), 6 deletions(-) diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index e51947411d8..26627a07285 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -302,6 +302,7 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i
 irRoute := &ir.HTTPRoute{
 Name: irRouteName(httpRoute, ruleIdx, -1),
 }
+ irRoute.Metadata = buildRouteMetadata(httpRoute, rule.Name)
 processRouteTimeout(irRoute, rule)
 applyHTTPFiltersContextToIRRoute(httpFiltersContext, irRoute)
 ruleRoutes = append(ruleRoutes, irRoute)
@@ -362,6 +363,7 @@ func (t *Translator) processHTTPRouteRule(httpRoute *HTTPRouteContext, ruleIdx i
 Name: irRouteName(httpRoute, ruleIdx, matchIdx),
 SessionPersistence: sessionPersistence,
 }
+ irRoute.Metadata = buildRouteMetadata(httpRoute, rule.Name)
 processRouteTimeout(irRoute, rule)
 if match.Path != nil {
@@ -595,6 +597,7 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i
 irRoute := &ir.HTTPRoute{
 Name: irRouteName(grpcRoute, ruleIdx, -1),
 }
+ irRoute.Metadata = buildRouteMetadata(grpcRoute, rule.Name)
 applyHTTPFiltersContextToIRRoute(httpFiltersContext, irRoute)
 ruleRoutes = append(ruleRoutes, irRoute)
 }
@@ -606,7 +609,7 @@ func (t *Translator) processGRPCRouteRule(grpcRoute *GRPCRouteContext, ruleIdx i
 irRoute := &ir.HTTPRoute{
 Name: irRouteName(grpcRoute, ruleIdx, matchIdx),
 }
-
+ irRoute.Metadata = buildRouteMetadata(grpcRoute, rule.Name)
 for _, headerMatch := range match.Headers {
 switch GRPCHeaderMatchTypeDerefOr(headerMatch.Type, gwapiv1.GRPCHeaderMatchExact) {
 case gwapiv1.GRPCHeaderMatchExact:
@@ -696,7 +699,6 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 continue
 }
 hasHostnameIntersection = true
- routeMetadata := buildRouteMetadata(route)
 var perHostRoutes []*ir.HTTPRoute
 for _, host := range hosts {
@@ -723,7 +725,7 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 underscoredHost := strings.ReplaceAll(host, ".", "_")
 hostRoute := &ir.HTTPRoute{
 Name: fmt.Sprintf("%s/%s", routeRoute.Name, underscoredHost),
- Metadata: routeMetadata,
+ Metadata: routeRoute.Metadata,
 Hostname: host,
 PathMatch: routeRoute.PathMatch,
 HeaderMatches: routeRoute.HeaderMatches,
@@ -764,13 +766,17 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 return hasHostnameIntersection
 }
-func buildRouteMetadata(route RouteContext) *ir.ResourceMetadata {
- return &ir.ResourceMetadata{
+func buildRouteMetadata(route RouteContext, sectionName *gwapiv1.SectionName) *ir.ResourceMetadata {
+ metadata := &ir.ResourceMetadata{
 Kind: route.GetObjectKind().GroupVersionKind().Kind,
 Name: route.GetName(),
 Namespace: route.GetNamespace(),
 Annotations: filterEGPrefix(route.GetAnnotations()),
 }
+ if sectionName != nil {
+ metadata.SectionName = string(*sectionName)
+ }
+ return metadata
 }
 func filterEGPrefix(in map[string]string) map[string]string {
diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.in.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.in.yaml
index a02496321ec..d4fec0ea572 100644
--- a/internal/gatewayapi/testdata/grpcroute-with-backend.in.yaml
+++ b/internal/gatewayapi/testdata/grpcroute-with-backend.in.yaml
@@ -36,6 +36,7 @@ grpcRoutes:
 - group: gateway.envoyproxy.io
 kind: Backend
 name: backend-ip
+ name: grpcrule-1
 backends:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml
index ba9f13c3136..8981d87b085 100644
--- a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml
+++ b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml
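Review bot: In processHTTPRouteParentRefListener (the `@@ -723,7 +725,7 @@` hunk of internal/gatewayapi/route.go), `Metadata: routeRoute.Metadata` only carries metadata if whatever built `routeRoute` set it, whereas the removed `routeMetadata := buildRouteMetadata(route)` populated every per-host route unconditionally. The four constructors changed in this file do set it, but a route built on a path not shown here would now yield nil metadata; a guard before the `hostRoute` literal, e.g. `if routeRoute.Metadata == nil { routeRoute.Metadata = buildRouteMetadata(route, nil) }`, keeps the earlier guarantee. All hosts of one rule also share the same `*ir.ResourceMetadata` pointer, so it should be treated as read-only after translation. buildRouteMetadata would read better with a doc comment such as `// buildRouteMetadata returns the IR metadata for route; a non-nil sectionName is recorded as SectionName.` Both functions start or end outside the visible hunks.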
@@ -82,6 +82,7 @@ grpcRoutes: - method: service: com.[A-Z]+ type: RegularExpression + name: grpcrule-1 status: parents: - conditions: @@ -150,6 +151,7 @@ xdsIR: kind: GRPCRoute name: grpcroute-1 namespace: default + sectionName: grpcrule-1 name: grpcroute/default/grpcroute-1/rule/0/match/1/* pathMatch: distinct: false @@ -167,6 +169,7 @@ xdsIR: kind: GRPCRoute name: grpcroute-1 namespace: default + sectionName: grpcrule-1 name: grpcroute/default/grpcroute-1/rule/0/match/0/* pathMatch: distinct: false diff --git a/internal/gatewayapi/testdata/httproute-with-metadata.in.yaml b/internal/gatewayapi/testdata/httproute-with-metadata.in.yaml index 24f9fa568ad..c215c01004c 100644 --- a/internal/gatewayapi/testdata/httproute-with-metadata.in.yaml +++ b/internal/gatewayapi/testdata/httproute-with-metadata.in.yaml @@ -31,4 +31,13 @@ httpRoutes: - backendRefs: - name: service-1 port: 8080 - + name: rule-1 + - backendRefs: + - name: service-1 + port: 8080 + matches: + - headers: + - type: Exact + name: foo + value: bar + name: rule-2 diff --git a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml index 8d86bec237a..9049ebe41de 100644 --- a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml @@ -58,6 +58,16 @@ httpRoutes: - backendRefs: - name: service-1 port: 8080 + name: rule-1 + - backendRefs: + - name: service-1 + port: 8080 + matches: + - headers: + - name: foo + type: Exact + value: bar + name: rule-2 status: parents: - conditions: 
@@ -113,6 +123,29 @@ xdsIR: mergeSlashes: true port: 10080 routes: + - destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + headerMatches: + - distinct: false + exact: bar + name: foo + hostname: '*' + isHTTP2: false + metadata: + annotations: + foo: bar + kind: HTTPRoute + name: httproute-1 + namespace: default + sectionName: rule-2 + name: httproute/default/httproute-1/rule/1/match/0/* - destination: name: httproute/default/httproute-1/rule/0 settings: @@ -130,4 +163,5 @@ xdsIR: kind: HTTPRoute name: httproute-1 namespace: default + sectionName: rule-1 name: httproute/default/httproute-1/rule/0/match/-1/* From b82b26be64f856462818816cc2f514019d0cbc30 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 8 Nov 2024 05:33:29 +0800 Subject: [PATCH 378/523] update the lastVersionTag of the upgrade test (#4666) Signed-off-by: Huabing Zhao --- test/e2e/tests/eg_upgrade.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 721b22d4c9c..75bd3fb2a42 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -52,7 +52,7 @@ var EGUpgradeTest = suite.ConformanceTest{ chartPath := "../../../charts/gateway-helm" relName := "eg" depNS := "envoy-gateway-system" - lastVersionTag := "v1.1.2" // Default version tag if not specified + lastVersionTag := "v1.2.1" // the latest prior release t.Logf("Upgrading from version: %s", lastVersionTag) From 001704378d2131827307b22b765f4eff5c30ecd0 Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Fri, 8 Nov 2024 03:15:49 +0530 Subject: [PATCH 379/523] api: support setting trusted CIDRs (#4500) support setting trusted CIDRs 
Signed-off-by: Rudrakh Panigrahi --- api/v1alpha1/clienttrafficpolicy_types.go | 19 ++++- api/v1alpha1/zz_generated.deepcopy.go | 5 ++ ...y.envoyproxy.io_clienttrafficpolicies.yaml | 25 +++++- release-notes/current.yaml | 2 +- site/content/en/latest/api/extension_types.md | 5 +- site/content/zh/latest/api/extension_types.md | 5 +- .../clienttrafficpolicy_test.go | 83 +++++++++++++++++++ 7 files changed, 137 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go index 63b2c91fb2e..6c7129da060 100644 --- a/api/v1alpha1/clienttrafficpolicy_types.go +++ b/api/v1alpha1/clienttrafficpolicy_types.go 
@@ -237,14 +237,29 @@ type ClientIPDetectionSettings struct { } // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +// for more details. +// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="only one of numTrustedHops or trustedCIDRs must be set" type XForwardedForSettings struct { // NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP // headers to trust when determining the origin client's IP address. - // Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - // for more details. + // Only one of NumTrustedHops and TrustedCIDRs must be set. // // +optional NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"` + + // TrustedCIDRs is a list of CIDR ranges to trust when evaluating + // the remote IP address to determine the original client’s IP address. + // When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent, + // each entry in the x-forwarded-for header is evaluated from right to left + // and the first public non-trusted address is used as the original client address. + // If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used. + // Only one of NumTrustedHops and TrustedCIDRs must be set. + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +notImplementedHide + TrustedCIDRs []CIDR `json:"trustedCIDRs,omitempty"` } // CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 321a143df9c..3368e73dd70 100644 
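Review bot: The XValidation rule added on XForwardedForSettings requires exactly one of the two fields, so an empty `xForwardedFor: {}` object, which the previous schema appears to have accepted because `numTrustedHops` was optional, is now rejected, and the message "only one of numTrustedHops or trustedCIDRs must be set" does not tell the user that one of them is mandatory. If only mutual exclusion is intended, the rule could be `!(has(self.numTrustedHops) && has(self.trustedCIDRs))`; if one really is required, the field comments should say so instead of presenting both as plain `+optional`. `TrustedCIDRs` is also marked `+notImplementedHide`, so as far as this hunk shows the CRD will accept a trust list that may not yet influence which X-Forwarded-For entry is taken as the client address; the field comment should state that until the translation exists, since operators rely on this setting for IP-based authorization and rate limiting.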
--- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5579,6 +5579,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) { *out = new(uint32) **out = **in } + if in.TrustedCIDRs != nil { + in, out := &in.TrustedCIDRs, &out.TrustedCIDRs + *out = make([]CIDR, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3e626f3f88a..ad17b8101d2 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml 
@@ -85,11 +85,32 @@ spec: description: |- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address. - Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - for more details. + Only one of NumTrustedHops and TrustedCIDRs must be set. format: int32 type: integer + trustedCIDRs: + description: |- + TrustedCIDRs is a list of CIDR ranges to trust when evaluating + the remote IP address to determine the original client’s IP address. + When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent, + each entry in the x-forwarded-for header is evaluated from right to left + and the first public non-trusted address is used as the original client address. + If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used. + Only one of NumTrustedHops and TrustedCIDRs must be set. + items: + description: |- + CIDR defines a CIDR Address range. + A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64". 
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+)) + type: string + minItems: 1 + type: array type: object + x-kubernetes-validations: + - message: only one of numTrustedHops or trustedCIDRs must be + set + rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs)) + || (!has(self.numTrustedHops) && has(self.trustedCIDRs)) type: object x-kubernetes-validations: - message: customHeader cannot be used in conjunction with xForwardedFor diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..39e8a900c47 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -10,7 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | - Add a new feature here + - Added support for trusted CIDRs in the ClientIPDetectionSettings API # Fixes for bugs identified in previous versions. bug fixes: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 8ab8f50c81f..fcbba2ca40a 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -484,6 +484,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -4142,13 +4143,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 8ab8f50c81f..fcbba2ca40a 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -484,6 +484,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -4142,13 +4143,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/test/cel-validation/clienttrafficpolicy_test.go b/test/cel-validation/clienttrafficpolicy_test.go index 3558d1848f9..942afea1646 100644 --- a/test/cel-validation/clienttrafficpolicy_test.go +++ b/test/cel-validation/clienttrafficpolicy_test.go 
@@ -221,6 +221,89 @@ func TestClientTrafficPolicyTarget(t *testing.T) { "spec.clientIPDetection: Invalid value: \"object\": customHeader cannot be used in conjunction with xForwardedFor", }, }, + { + desc: "clientIPDetection numTrustedHops and trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + NumTrustedHops: ptr.To(uint32(1)), + TrustedCIDRs: []egv1a1.CIDR{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.clientIPDetection.xForwardedFor: Invalid value: \"object\": only one of numTrustedHops or trustedCIDRs must be set", + }, + }, + { + desc: "clientIPDetection invalid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []egv1a1.CIDR{ + "192.0124.1.0/24", + "10.0.0.0/1645", + "17212.16.0.0/123", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.clientIPDetection.xForwardedFor.trustedCIDRs[0]: Invalid value: \"192.0124.1.0/24\": spec.clientIPDetection.xForwardedFor.trustedCIDRs[0] in body should match 
'((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\\/([0-9]+))'", + }, + }, + { + desc: "clientIPDetection valid trustedCIDRs", + mutate: func(ctp *egv1a1.ClientTrafficPolicy) { + ctp.Spec = egv1a1.ClientTrafficPolicySpec{ + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: gwapiv1a2.Group("gateway.networking.k8s.io"), + Kind: gwapiv1a2.Kind("Gateway"), + Name: gwapiv1a2.ObjectName("eg"), + }, + }, + }, + ClientIPDetection: &egv1a1.ClientIPDetectionSettings{ + XForwardedFor: &egv1a1.XForwardedForSettings{ + TrustedCIDRs: []egv1a1.CIDR{ + "192.168.1.0/24", + "10.0.0.0/16", + "172.16.0.0/12", + }, + }, + }, + } + }, + wantErrors: []string{}, + }, { desc: "http3 enabled and ALPN protocols not set with other TLS parameters set", mutate: func(ctp *egv1a1.ClientTrafficPolicy) { From 697b9255d35710685e2437385e06971c649a4a37 Mon Sep 17 00:00:00 2001 
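Review bot: The "clientIPDetection invalid trustedCIDRs" case supplies three malformed entries but `wantErrors` names only `trustedCIDRs[0]`, which suggests that `"10.0.0.0/1645"` and `"17212.16.0.0/123"` pass schema validation. That would be consistent with the CIDR pattern quoted in the expected message, which has no `^`/`$` anchors and accepts any run of digits as the prefix length. Because these values decide which peers are trusted for X-Forwarded-For, either add the expected errors for indexes 1 and 2 once the pattern is tightened, or add a comment such as `// entries 1 and 2 currently pass the unanchored CIDR pattern` so the gap is explicit. How the harness compares `wantErrors` with the returned errors is not visible here, and TestClientTrafficPolicyTarget starts and ends outside the hunk.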
From: Arko Dasgupta Date: Thu, 7 Nov 2024 16:25:36 -0800 Subject: [PATCH 380/523] add link to install EG in release news (#4674) * add link to install EG in release news Lesser steps for a user to install Envoy Gateway Signed-off-by: Arko Dasgupta * make it a relative link Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/content/en/news/releases/v1.2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/content/en/news/releases/v1.2.md b/site/content/en/news/releases/v1.2.md index ea39fe44262..4c04b1dfcac 100644 --- a/site/content/en/news/releases/v1.2.md +++ b/site/content/en/news/releases/v1.2.md @@ -14,7 +14,7 @@ This release represents a significant achievement, and we extend our heartfelt g Thank you for being an integral part of this journey. We are excited to see how Envoy Gateway v1.2.0 will empower your operations and look forward to continuing our work together to drive the future of Cloud Native API Gateway. -| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Download][] | +| [Release Notes][] | [Docs][docs] | [Compatibility Matrix][matrix] | [Install][] | |-------------------|--------------|--------------------------------|--------------| ## What's New @@ -92,4 +92,4 @@ The release adds a ton of features and functionality. Here are some highlights: [Release Notes]: ./notes/v1.2.0 [matrix]: ./matrix [docs]: /v1.2/ -[Download]: https://github.com/envoyproxy/gateway/releases/tag/v1.2.0 +[Install]: /v1.2/install From 3c5f27a03d755cd122b3fcc6660317946841c306 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 8 Nov 2024 09:16:05 +0800 Subject: [PATCH 381/523] docs: unhide jwt claim authz (#4676) unhide jwt claim authz 
Signed-off-by: Huabing Zhao --- api/v1alpha1/authorization_types.go | 1 - site/content/en/docs/api/extension_types.md | 6 +++++- site/content/en/latest/api/extension_types.md | 1 + site/content/en/v1.2/api/extension_types.md | 6 +++++- site/content/zh/latest/api/extension_types.md | 1 + 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index 56e8d44e1b3..5a99b4401a4 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -71,7 +71,6 @@ type Principal struct { // Note: in order to use JWT claims for authorization, you must configure the // JWT authentication in the same `SecurityPolicy`. // +optional - // +notImplementedHide JWT *JWTPrincipal `json:"jwt,omitempty"` } diff --git a/site/content/en/docs/api/extension_types.md b/site/content/en/docs/api/extension_types.md index 8ab8f50c81f..6855d7a0ded 100644 --- a/site/content/en/docs/api/extension_types.md +++ b/site/content/en/docs/api/extension_types.md @@ -484,6 +484,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -2836,6 +2837,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions @@ -4142,13 +4144,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fcbba2ca40a..6855d7a0ded 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2837,6 +2837,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions diff --git a/site/content/en/v1.2/api/extension_types.md b/site/content/en/v1.2/api/extension_types.md index 8ab8f50c81f..6855d7a0ded 100644 --- a/site/content/en/v1.2/api/extension_types.md +++ b/site/content/en/v1.2/api/extension_types.md @@ -484,6 +484,7 @@ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address _Appears in:_ - [Principal](#principal) +- [XForwardedForSettings](#xforwardedforsettings) @@ -2836,6 +2837,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions @@ -4142,13 +4144,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. | #### ZipkinTracingProvider diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fcbba2ca40a..6855d7a0ded 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2837,6 +2837,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `clientCIDRs` | _[CIDR](#cidr) array_ | false | ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"

If multiple CIDR ranges are specified, one of the CIDR ranges must match
the client IP for the rule to match.

The client IP is inferred from the X-Forwarded-For header, a custom header,
or the proxy protocol.
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected. | +| `jwt` | _[JWTPrincipal](#jwtprincipal)_ | false | JWT authorize the request based on the JWT claims and scopes.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`. | #### ProcessingModeOptions From 5d3df775812de3b87d8c2c95d14a19fc5dce1a16 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 7 Nov 2024 17:49:35 -0800 Subject: [PATCH 382/523] docs: add a note of helm not updating CRDs in the upgrade section (#4675) * add a note of helm not updating CRDs in the upgrade section Signed-off-by: Arko Dasgupta * fix link Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/content/en/docs/install/install-helm.md | 4 +++- site/content/en/latest/install/install-helm.md | 4 +++- site/content/en/v1.2/install/install-helm.md | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/site/content/en/docs/install/install-helm.md b/site/content/en/docs/install/install-helm.md index b9768eca129..16975efc84d 100644 --- a/site/content/en/docs/install/install-helm.md +++ b/site/content/en/docs/install/install-helm.md @@ -61,7 +61,9 @@ consideration when debugging. ## Upgrading from a previous version -Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. +[Helm](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) does not update CRDs +that live in the `/crds` folder in the Helm Chart. So you will manually need to update the CRDs. +Follow the steps outlined in [this](./install-yaml/#upgrading-from-v1.1) section if you're upgrading from a previous version. ## Helm chart customizations diff --git a/site/content/en/latest/install/install-helm.md b/site/content/en/latest/install/install-helm.md index b9768eca129..16975efc84d 100644 --- a/site/content/en/latest/install/install-helm.md +++ b/site/content/en/latest/install/install-helm.md 
@@ -61,7 +61,9 @@ consideration when debugging. ## Upgrading from a previous version -Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. +[Helm](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) does not update CRDs +that live in the `/crds` folder in the Helm Chart. So you will manually need to update the CRDs. +Follow the steps outlined in [this](./install-yaml/#upgrading-from-v1.1) section if you're upgrading from a previous version. ## Helm chart customizations diff --git a/site/content/en/v1.2/install/install-helm.md b/site/content/en/v1.2/install/install-helm.md index b9768eca129..16975efc84d 100644 --- a/site/content/en/v1.2/install/install-helm.md +++ b/site/content/en/v1.2/install/install-helm.md @@ -61,7 +61,9 @@ consideration when debugging. ## Upgrading from a previous version -Follow the steps outlined in [this](./install-yaml.md#upgrading-from-v1.1) section if you're upgrading from a previous version. +[Helm](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) does not update CRDs +that live in the `/crds` folder in the Helm Chart. So you will manually need to update the CRDs. +Follow the steps outlined in [this](./install-yaml/#upgrading-from-v1.1) section if you're upgrading from a previous version. ## Helm chart customizations From 52ccf65fde6c17125bf48a702443f642d62501da Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 8 Nov 2024 18:18:28 +0800 Subject: [PATCH 383/523] docs: response override (#4668) * docs for response override Signed-off-by: Huabing Zhao * add docs to v1.2 Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao
---
.../docs/tasks/traffic/response-override.md | 157 ++++++++++++++++++
.../latest/tasks/traffic/response-override.md | 157 ++++++++++++++++++
.../v1.2/tasks/traffic/response-override.md | 157 ++++++++++++++++++
3 files changed, 471 insertions(+)
create mode 100644 site/content/en/docs/tasks/traffic/response-override.md
create mode 100644 site/content/en/latest/tasks/traffic/response-override.md
create mode 100644 site/content/en/v1.2/tasks/traffic/response-override.md
diff --git a/site/content/en/docs/tasks/traffic/response-override.md b/site/content/en/docs/tasks/traffic/response-override.md
new file mode 100644
index 00000000000..ea8121bfe89
--- /dev/null
+++ b/site/content/en/docs/tasks/traffic/response-override.md
@@ -0,0 +1,157 @@ +--- +title: "Response Override" +--- + +Response Override allows you to override the response from the backend with a custom one. This can be useful for scenarios such as returning a custom 404 page when the requested resource is not found or a custom 500 error message when the backend is failing. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Response Override + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/404 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/404 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 404 Not Found +< content-type: text/plain +< content-length: 32 +< date: Thu, 07 Nov 2024 09:22:29 GMT +< +* Connection #0 to host 172.18.0.200 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/500 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/500 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Thu, 07 Nov 2024 09:23:02 GMT +< +* Connection #0 to host 172.18.0.200 left intact +{"error": "Internal Server Error"} +``` \ No newline at end of file diff --git a/site/content/en/latest/tasks/traffic/response-override.md b/site/content/en/latest/tasks/traffic/response-override.md new file mode 100644 index 00000000000..ea8121bfe89 --- /dev/null +++ b/site/content/en/latest/tasks/traffic/response-override.md 
@@ -0,0 +1,157 @@ +--- +title: "Response Override" +--- + +Response Override allows you to override the response from the backend with a custom one. This can be useful for scenarios such as returning a custom 404 page when the requested resource is not found or a custom 500 error message when the backend is failing. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Response Override + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/404 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/404 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 404 Not Found +< content-type: text/plain +< content-length: 32 +< date: Thu, 07 Nov 2024 09:22:29 GMT +< +* Connection #0 to host 172.18.0.200 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/500 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/500 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Thu, 07 Nov 2024 09:23:02 GMT +< +* Connection #0 to host 172.18.0.200 left intact +{"error": "Internal Server Error"} +``` \ No newline at end of file diff --git a/site/content/en/v1.2/tasks/traffic/response-override.md b/site/content/en/v1.2/tasks/traffic/response-override.md new file mode 100644 index 00000000000..ea8121bfe89 --- /dev/null +++ b/site/content/en/v1.2/tasks/traffic/response-override.md 
@@ -0,0 +1,157 @@ +--- +title: "Response Override" +--- + +Response Override allows you to override the response from the backend with a custom one. This can be useful for scenarios such as returning a custom 404 page when the requested resource is not found or a custom 500 error message when the backend is failing. + +## Installation + +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. +Before proceeding, you should be able to query the example backend using HTTP. + +## Testing Response Override + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/404 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/404 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 404 Not Found +< content-type: text/plain +< content-length: 32 +< date: Thu, 07 Nov 2024 09:22:29 GMT +< +* Connection #0 to host 172.18.0.200 left intact +Oops! Your request is not found. +``` + +```shell +curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/status/500 +``` + +```console +* Trying 127.0.0.1:80... +* Connected to 172.18.0.200 (172.18.0.200) port 80 +> GET /status/500 HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/8.5.0 +> Accept: */* +> +< HTTP/1.1 500 Internal Server Error +< content-type: application/json +< content-length: 34 +< date: Thu, 07 Nov 2024 09:23:02 GMT +< +* Connection #0 to host 172.18.0.200 left intact +{"error": "Internal Server Error"} +``` \ No newline at end of file From 2c986175211df64a269e19111b9ed480646c285a Mon Sep 17 00:00:00 2001 
From: Evan Anderson
Date: Fri, 8 Nov 2024 15:16:06 -0800
Subject: [PATCH 384/523] Use custom marshaller to clarify redactions (#4506)
---
...nttrafficpolicy-for-tcp-listeners.out.yaml | 4 +-
.../clienttrafficpolicy-http3.out.yaml | 2 +-
...icpolicy-mtls-client-verification.out.yaml | 4 +-
...s-forward-client-cert-custom-data.out.yaml | 10 +-
...icpolicy-mtls-forward-client-cert.out.yaml | 10 +-
.../clienttrafficpolicy-mtls.out.yaml | 4 +-
.../clienttrafficpolicy-tls-settings.out.yaml | 2 +-
.../testdata/custom-filter-order.out.yaml | 2 +-
...nvoyproxy-tls-settings-invalid-ns.out.yaml | 6 +-
.../envoyproxy-tls-settings-invalid.out.yaml | 6 +-
.../testdata/envoyproxy-tls-settings.out.yaml | 10 +-
.../testdata/gateway-infrastructure.out.yaml | 2 +-
...her-namespace-allowed-by-refgrant.out.yaml | 2 +-
...ith-tls-terminate-and-passthrough.out.yaml | 2 +-
...ith-same-algorithm-different-fqdn.out.yaml | 4 +-
...-valid-multiple-tls-configuration.out.yaml | 4 +-
...ener-with-valid-tls-configuration.out.yaml | 2 +-
...teway-with-stale-status-condition.out.yaml | 2 +-
...wo-listeners-with-different-ports.out.yaml | 2 +-
.../securitypolicy-with-basic-auth.out.yaml | 6 +-
...typolicy-with-oidc-backendcluster.out.yaml | 4 +-
...typolicy-with-oidc-custom-cookies.out.yaml | 4 +-
.../securitypolicy-with-oidc.out.yaml | 8 +-
...teway-with-listener-tls-terminate.out.yaml | 8 +-
internal/gatewayapi/translator_test.go | 43 +++++++++
internal/ir/xds.go | 91 +++++++++++--------
internal/ir/xds_test.go | 61 ++++++++++++-
internal/ir/zz_generated.deepcopy.go | 8 +-
28 files changed, 210 insertions(+), 103 deletions(-)
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml
index efd290c9b1a..bb695decae7 100644
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml
@@ -210,7 +210,7 @@ xdsIR: - h2 certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5b
jF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 ciphers: - cipher1 
@@ -234,7 +234,7 @@ xdsIR: - h2 certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= ciphers: - cipher1 diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index 814335baf87..c946f22c841 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml 
@@ -172,7 +172,7 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2
xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 4cac0b62d34..22692261be3 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -253,7 +253,7 @@ xdsIR: name: envoy-gateway/target-gateway-1/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -298,7 +298,7 @@ xdsIR: name: envoy-gateway/target-gateway-2/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml index 6e47f653078..285a35daf25 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml 
@@ -569,7 +569,7 @@ xdsIR: name: envoy-gateway/target-gateway-1/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzc3aHZBUEFlRlJucS8KdHBHVmRKTmVjYWFqSzZrUXlDalk1ci9wWHhOQmE5dldWUUhVbkNXVk95bHBFZGg2T2ZZbUdnb0phdE1UVFlBWAorVml2TFM5WHBIOG5QQ1lhWm9CZGkyUDQxZGtuazJSekZabWwvWFI1SFp0RFpqZURPM3d2Qkpvbm0rTXhQN0JrCjVMZ2U5aEZIUndqRWJMY1k3dys3enE4QkRBeUlIdjdPSjNhN3g5L2pYMlJaRnU3TzVyNXlmRVE2RnNLY3pURG8Kb0N4ZFVrTklndHBWQ29ETEt2Ykw2MW5kTnVsZTMvbURtL3YyU3lUSHVkMVM1ZHFzcDhrSmR1OFhVUmZjMllFbApGS1d2QnRuamgvanJMTVhGY2FoVi9veEpyQ0h1dC9QQ0xiQlRBalRldVNEYXVTN09IYkpSREt3bUg3b1Z2eUlDCmFJeWFZY1pOQWdNQkFBRUNnZ0VBSG1McVd4NHZCbk9ybHFLMGVNLzM5c1lLOEVpTTlra0c5eHRJWGVSTGxCWnIKM2dTeUNSTStXRzk2ZGZkaFkxSDFPa1ZDUGpJOFNEQzRkMzA2Ymw0Ris2RW93TXFrUytjcTlrcDYzYTg3aE5TbQpOMGdxSnl3TGV5YzRXdll2ZFA2c25scnd6MXE3Vk5QbXpQUXJ6b1hIQVc2N2tpeHA1cFF3OG1oVzVQcHlidkp5Clo2TERCZGRSZkVma2ZXVnZUUk5YWUVDUEllUStST05jR3JvVzZ5RXRrbk1BWUJjdjRlNUhCQkkrcHdyYmsrOVMKY2FQYUVjdm4vS0lyT3NpVW1FT2wwb3JXVnhkbjRmMy9MNmlFZFgyZHhIdXlwYkFiL0Qwak1MSzBwb3kyaXYyTApyOGI5VUQrRVZFNmFTVnp0MFRHbVpJYUdRVVZDQnVDTDhodlYwSU9PV1FLQmdRRGplL3JXdmk4Rndia3BRNDA0CnFQcitBaEFwaG1pV3l1a1B1VmJLN2Q5ZkdURzRHOW9Bd2wzYlFoRGVUNHhjMzd0cjlkcCtpamJuWnpKWHczL1cKcm5xTDlGWkZsVXZCYXN6c05VK1lRNmJVOE9zTXl6cURSdGJaaytVWEowUEx6QzZKWHFkNTFZdVVDM3NwL2lmNwpqWEZrME55aHcrdkY3VU51N0ZFSzVuWEUwd0tCZ1FEVGZOT0RLYmZyalNkZEhkV05iOHhkN2pGMlZSY3hTTnRUCit0L0FmbkRjZG8zK1NBUnJaRi9TM0hZWUxxL0l4dmZ5ZHdIblUxdC9INkxDZjBnQ2RXS2NXL1hway93ZUo1QXYKWmdaZjBPTXZsOXF0THJhTU44OG1HblV4K2IxdHZLWm4xQVcySFNuYXd2Z0kvMWVjSldNRUJiYkREbkx4cUpMegowTHJhT2pYVVh3S0JnRGlBbE44OXdjUTJSOTFkNy9mQTBRYkNVRzFmK3g1cEs5WkIvTExPdm9xS1lYVVBSZWltClhsV1ZaVWN5anZTS2hhemRGZllVTW1ycmtPK0htWHNqUDBELzRXWExIVlBmU1NMcVl1aTQ5UGt6RmM3SnM3RGoKcVgzRlpFT0o5eWJwZ2kyUW14eUIwL2RqbXFYbGdOelVWdlBwaE1PUlBFQ2ZHLzZ6SjdZRFpBRU5Bb0dBSElVcQo2UGRKVEVTKzJEbmJ3TFVnOUZIWTdjSlAzRitjNUZoaXNFemMzMzVGYTlNK2RWVVY3eE80QVU3YWVkTUxRUEYzCm1rQ05pRG
sxODlEQ1gwS0JSK0RHNnZiLyt2a080clY1aXBaYTdPSW5wVTgxWXZkcndoR3pXRWY3bWI3bEdmOW4KdmNWMURZRlpmYTBoblhjVlFVZWIrL1lJM2pvRGgwblF5UGtzcFRVQ2dZRUF0NERNajdZbStRS2J2bTJXaWNlcAo1Q2s3YWFMSUxuVHZqbGRLMkdjM2loOGVGRlE2Vy9pcUc1UUEzeHMwem8xVnhlUkhPWGkrK01xWjVWTVZMZFRWCjMxWXZOeUdPbVByTitZemVINmlTYXd5VXo2dW1UN1ZkMXRuUEJ1SmdPMFM3RnRlb01BckE3TGtDcUVhMDc4bS8KRXNxNzZjYW1WdW5kRXFTRWhGMllYNkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -622,7 +622,7 @@ xdsIR: name: envoy-gateway/target-gateway-2/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" 
@@ -659,7 +659,7 @@ xdsIR: name: envoy-gateway/target-gateway-3/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzc3aHZBUEFlRlJucS8KdHBHVmRKTmVjYWFqSzZrUXlDalk1ci9wWHhOQmE5dldWUUhVbkNXVk95bHBFZGg2T2ZZbUdnb0phdE1UVFlBWAorVml2TFM5WHBIOG5QQ1lhWm9CZGkyUDQxZGtuazJSekZabWwvWFI1SFp0RFpqZURPM3d2Qkpvbm0rTXhQN0JrCjVMZ2U5aEZIUndqRWJMY1k3dys3enE4QkRBeUlIdjdPSjNhN3g5L2pYMlJaRnU3TzVyNXlmRVE2RnNLY3pURG8Kb0N4ZFVrTklndHBWQ29ETEt2Ykw2MW5kTnVsZTMvbURtL3YyU3lUSHVkMVM1ZHFzcDhrSmR1OFhVUmZjMllFbApGS1d2QnRuamgvanJMTVhGY2FoVi9veEpyQ0h1dC9QQ0xiQlRBalRldVNEYXVTN09IYkpSREt3bUg3b1Z2eUlDCmFJeWFZY1pOQWdNQkFBRUNnZ0VBSG1McVd4NHZCbk9ybHFLMGVNLzM5c1lLOEVpTTlra0c5eHRJWGVSTGxCWnIKM2dTeUNSTStXRzk2ZGZkaFkxSDFPa1ZDUGpJOFNEQzRkMzA2Ymw0Ris2RW93TXFrUytjcTlrcDYzYTg3aE5TbQpOMGdxSnl3TGV5YzRXdll2ZFA2c25scnd6MXE3Vk5QbXpQUXJ6b1hIQVc2N2tpeHA1cFF3OG1oVzVQcHlidkp5Clo2TERCZGRSZkVma2ZXVnZUUk5YWUVDUEllUStST05jR3JvVzZ5RXRrbk1BWUJjdjRlNUhCQkkrcHdyYmsrOVMKY2FQYUVjdm4vS0lyT3NpVW1FT2wwb3JXVnhkbjRmMy9MNmlFZFgyZHhIdXlwYkFiL0Qwak1MSzBwb3kyaXYyTApyOGI5VUQrRVZFNmFTVnp0MFRHbVpJYUdRVVZDQnVDTDhodlYwSU9PV1FLQmdRRGplL3JXdmk4Rndia3BRNDA0CnFQcitBaEFwaG1pV3l1a1B1VmJLN2Q5ZkdURzRHOW9Bd2wzYlFoRGVUNHhjMzd0cjlkcCtpamJuWnpKWHczL1cKcm5xTDlGWkZsVXZCYXN6c05VK1lRNmJVOE9zTXl6cURSdGJaaytVWEowUEx6QzZKWHFkNTFZdVVDM3NwL2lmNwpqWEZrME55aHcrdkY3VU51N0ZFSzVuWEUwd0tCZ1FEVGZOT0RLYmZyalNkZEhkV05iOHhkN2pGMlZSY3hTTnRUCit0L0FmbkRjZG8zK1NBUnJaRi9TM0hZWUxxL0l4dmZ5ZHdIblUxdC9INkxDZjBnQ2RXS2NXL1hway93ZUo1QXYKWmdaZjBPTXZsOXF0THJhTU44OG1HblV4K2IxdHZLWm4xQVcySFNuYXd2Z0kvMWVjSldNRUJiYkREbkx4cUpMegowTHJhT2pYVVh3S0JnRGlBbE44OXdjUTJSOTFkNy9mQTBRYkNVRzFmK3g1cEs5WkIvTExPdm9xS1lYVVBSZWltClhsV1ZaVWN5anZTS2hhemRGZllVTW1ycmtPK0htWHNqUDBELzRXWExIVlBmU1NMcVl1aTQ5UGt6RmM3SnM3RGoKcVgzRlpFT0o5eWJwZ2kyUW14eUIwL2RqbXFYbGdOelVWdlBwaE1PUlBFQ2ZHLzZ6SjdZRFpBRU5Bb0dBSElVcQo2UGRKVEVTKzJEbmJ3TFVnOUZIWTdjSlAzRitjNUZoaXNFemMzMzVGYTlNK2RWVVY3eE80QVU3YWVkTUxRUEYzCm1rQ05pRG
sxODlEQ1gwS0JSK0RHNnZiLyt2a080clY1aXBaYTdPSW5wVTgxWXZkcndoR3pXRWY3bWI3bEdmOW4KdmNWMURZRlpmYTBoblhjVlFVZWIrL1lJM2pvRGgwblF5UGtzcFRVQ2dZRUF0NERNajdZbStRS2J2bTJXaWNlcAo1Q2s3YWFMSUxuVHZqbGRLMkdjM2loOGVGRlE2Vy9pcUc1UUEzeHMwem8xVnhlUkhPWGkrK01xWjVWTVZMZFRWCjMxWXZOeUdPbVByTitZemVINmlTYXd5VXo2dW1UN1ZkMXRuUEJ1SmdPMFM3RnRlb01BckE3TGtDcUVhMDc4bS8KRXNxNzZjYW1WdW5kRXFTRWhGMllYNkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -698,7 +698,7 @@ xdsIR: name: envoy-gateway/target-gateway-4/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" 
@@ -739,7 +739,7 @@ xdsIR: name: envoy-gateway/target-gateway-5/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzc3aHZBUEFlRlJucS8KdHBHVmRKTmVjYWFqSzZrUXlDalk1ci9wWHhOQmE5dldWUUhVbkNXVk95bHBFZGg2T2ZZbUdnb0phdE1UVFlBWAorVml2TFM5WHBIOG5QQ1lhWm9CZGkyUDQxZGtuazJSekZabWwvWFI1SFp0RFpqZURPM3d2Qkpvbm0rTXhQN0JrCjVMZ2U5aEZIUndqRWJMY1k3dys3enE4QkRBeUlIdjdPSjNhN3g5L2pYMlJaRnU3TzVyNXlmRVE2RnNLY3pURG8Kb0N4ZFVrTklndHBWQ29ETEt2Ykw2MW5kTnVsZTMvbURtL3YyU3lUSHVkMVM1ZHFzcDhrSmR1OFhVUmZjMllFbApGS1d2QnRuamgvanJMTVhGY2FoVi9veEpyQ0h1dC9QQ0xiQlRBalRldVNEYXVTN09IYkpSREt3bUg3b1Z2eUlDCmFJeWFZY1pOQWdNQkFBRUNnZ0VBSG1McVd4NHZCbk9ybHFLMGVNLzM5c1lLOEVpTTlra0c5eHRJWGVSTGxCWnIKM2dTeUNSTStXRzk2ZGZkaFkxSDFPa1ZDUGpJOFNEQzRkMzA2Ymw0Ris2RW93TXFrUytjcTlrcDYzYTg3aE5TbQpOMGdxSnl3TGV5YzRXdll2ZFA2c25scnd6MXE3Vk5QbXpQUXJ6b1hIQVc2N2tpeHA1cFF3OG1oVzVQcHlidkp5Clo2TERCZGRSZkVma2ZXVnZUUk5YWUVDUEllUStST05jR3JvVzZ5RXRrbk1BWUJjdjRlNUhCQkkrcHdyYmsrOVMKY2FQYUVjdm4vS0lyT3NpVW1FT2wwb3JXVnhkbjRmMy9MNmlFZFgyZHhIdXlwYkFiL0Qwak1MSzBwb3kyaXYyTApyOGI5VUQrRVZFNmFTVnp0MFRHbVpJYUdRVVZDQnVDTDhodlYwSU9PV1FLQmdRRGplL3JXdmk4Rndia3BRNDA0CnFQcitBaEFwaG1pV3l1a1B1VmJLN2Q5ZkdURzRHOW9Bd2wzYlFoRGVUNHhjMzd0cjlkcCtpamJuWnpKWHczL1cKcm5xTDlGWkZsVXZCYXN6c05VK1lRNmJVOE9zTXl6cURSdGJaaytVWEowUEx6QzZKWHFkNTFZdVVDM3NwL2lmNwpqWEZrME55aHcrdkY3VU51N0ZFSzVuWEUwd0tCZ1FEVGZOT0RLYmZyalNkZEhkV05iOHhkN2pGMlZSY3hTTnRUCit0L0FmbkRjZG8zK1NBUnJaRi9TM0hZWUxxL0l4dmZ5ZHdIblUxdC9INkxDZjBnQ2RXS2NXL1hway93ZUo1QXYKWmdaZjBPTXZsOXF0THJhTU44OG1HblV4K2IxdHZLWm4xQVcySFNuYXd2Z0kvMWVjSldNRUJiYkREbkx4cUpMegowTHJhT2pYVVh3S0JnRGlBbE44OXdjUTJSOTFkNy9mQTBRYkNVRzFmK3g1cEs5WkIvTExPdm9xS1lYVVBSZWltClhsV1ZaVWN5anZTS2hhemRGZllVTW1ycmtPK0htWHNqUDBELzRXWExIVlBmU1NMcVl1aTQ5UGt6RmM3SnM3RGoKcVgzRlpFT0o5eWJwZ2kyUW14eUIwL2RqbXFYbGdOelVWdlBwaE1PUlBFQ2ZHLzZ6SjdZRFpBRU5Bb0dBSElVcQo2UGRKVEVTKzJEbmJ3TFVnOUZIWTdjSlAzRitjNUZoaXNFemMzMzVGYTlNK2RWVVY3eE80QVU3YWVkTUxRUEYzCm1rQ05pRG
sxODlEQ1gwS0JSK0RHNnZiLyt2a080clY1aXBaYTdPSW5wVTgxWXZkcndoR3pXRWY3bWI3bEdmOW4KdmNWMURZRlpmYTBoblhjVlFVZWIrL1lJM2pvRGgwblF5UGtzcFRVQ2dZRUF0NERNajdZbStRS2J2bTJXaWNlcAo1Q2s3YWFMSUxuVHZqbGRLMkdjM2loOGVGRlE2Vy9pcUc1UUEzeHMwem8xVnhlUkhPWGkrK01xWjVWTVZMZFRWCjMxWXZOeUdPbVByTitZemVINmlTYXd5VXo2dW1UN1ZkMXRuUEJ1SmdPMFM3RnRlb01BckE3TGtDcUVhMDc4bS8KRXNxNzZjYW1WdW5kRXFTRWhGMllYNkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml index 8d84753bcea..85042934396 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml 
@@ -556,7 +556,7 @@ xdsIR: name: envoy-gateway/target-gateway-1/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzc3aHZBUEFlRlJucS8KdHBHVmRKTmVjYWFqSzZrUXlDalk1ci9wWHhOQmE5dldWUUhVbkNXVk95bHBFZGg2T2ZZbUdnb0phdE1UVFlBWAorVml2TFM5WHBIOG5QQ1lhWm9CZGkyUDQxZGtuazJSekZabWwvWFI1SFp0RFpqZURPM3d2Qkpvbm0rTXhQN0JrCjVMZ2U5aEZIUndqRWJMY1k3dys3enE4QkRBeUlIdjdPSjNhN3g5L2pYMlJaRnU3TzVyNXlmRVE2RnNLY3pURG8Kb0N4ZFVrTklndHBWQ29ETEt2Ykw2MW5kTnVsZTMvbURtL3YyU3lUSHVkMVM1ZHFzcDhrSmR1OFhVUmZjMllFbApGS1d2QnRuamgvanJMTVhGY2FoVi9veEpyQ0h1dC9QQ0xiQlRBalRldVNEYXVTN09IYkpSREt3bUg3b1Z2eUlDCmFJeWFZY1pOQWdNQkFBRUNnZ0VBSG1McVd4NHZCbk9ybHFLMGVNLzM5c1lLOEVpTTlra0c5eHRJWGVSTGxCWnIKM2dTeUNSTStXRzk2ZGZkaFkxSDFPa1ZDUGpJOFNEQzRkMzA2Ymw0Ris2RW93TXFrUytjcTlrcDYzYTg3aE5TbQpOMGdxSnl3TGV5YzRXdll2ZFA2c25scnd6MXE3Vk5QbXpQUXJ6b1hIQVc2N2tpeHA1cFF3OG1oVzVQcHlidkp5Clo2TERCZGRSZkVma2ZXVnZUUk5YWUVDUEllUStST05jR3JvVzZ5RXRrbk1BWUJjdjRlNUhCQkkrcHdyYmsrOVMKY2FQYUVjdm4vS0lyT3NpVW1FT2wwb3JXVnhkbjRmMy9MNmlFZFgyZHhIdXlwYkFiL0Qwak1MSzBwb3kyaXYyTApyOGI5VUQrRVZFNmFTVnp0MFRHbVpJYUdRVVZDQnVDTDhodlYwSU9PV1FLQmdRRGplL3JXdmk4Rndia3BRNDA0CnFQcitBaEFwaG1pV3l1a1B1VmJLN2Q5ZkdURzRHOW9Bd2wzYlFoRGVUNHhjMzd0cjlkcCtpamJuWnpKWHczL1cKcm5xTDlGWkZsVXZCYXN6c05VK1lRNmJVOE9zTXl6cURSdGJaaytVWEowUEx6QzZKWHFkNTFZdVVDM3NwL2lmNwpqWEZrME55aHcrdkY3VU51N0ZFSzVuWEUwd0tCZ1FEVGZOT0RLYmZyalNkZEhkV05iOHhkN2pGMlZSY3hTTnRUCit0L0FmbkRjZG8zK1NBUnJaRi9TM0hZWUxxL0l4dmZ5ZHdIblUxdC9INkxDZjBnQ2RXS2NXL1hway93ZUo1QXYKWmdaZjBPTXZsOXF0THJhTU44OG1HblV4K2IxdHZLWm4xQVcySFNuYXd2Z0kvMWVjSldNRUJiYkREbkx4cUpMegowTHJhT2pYVVh3S0JnRGlBbE44OXdjUTJSOTFkNy9mQTBRYkNVRzFmK3g1cEs5WkIvTExPdm9xS1lYVVBSZWltClhsV1ZaVWN5anZTS2hhemRGZllVTW1ycmtPK0htWHNqUDBELzRXWExIVlBmU1NMcVl1aTQ5UGt6RmM3SnM3RGoKcVgzRlpFT0o5eWJwZ2kyUW14eUIwL2RqbXFYbGdOelVWdlBwaE1PUlBFQ2ZHLzZ6SjdZRFpBRU5Bb0dBSElVcQo2UGRKVEVTKzJEbmJ3TFVnOUZIWTdjSlAzRitjNUZoaXNFemMzMzVGYTlNK2RWVVY3eE80QVU3YWVkTUxRUEYzCm1rQ05pRG
sxODlEQ1gwS0JSK0RHNnZiLyt2a080clY1aXBaYTdPSW5wVTgxWXZkcndoR3pXRWY3bWI3bEdmOW4KdmNWMURZRlpmYTBoblhjVlFVZWIrL1lJM2pvRGgwblF5UGtzcFRVQ2dZRUF0NERNajdZbStRS2J2bTJXaWNlcAo1Q2s3YWFMSUxuVHZqbGRLMkdjM2loOGVGRlE2Vy9pcUc1UUEzeHMwem8xVnhlUkhPWGkrK01xWjVWTVZMZFRWCjMxWXZOeUdPbVByTitZemVINmlTYXd5VXo2dW1UN1ZkMXRuUEJ1SmdPMFM3RnRlb01BckE3TGtDcUVhMDc4bS8KRXNxNzZjYW1WdW5kRXFTRWhGMllYNkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -609,7 +609,7 @@ xdsIR: name: envoy-gateway/target-gateway-2/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -644,7 +644,7 @@ xdsIR: name: envoy-gateway/target-gateway-3/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" 
@@ -679,7 +679,7 @@ xdsIR: name: envoy-gateway/target-gateway-4/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzc3aHZBUEFlRlJucS8KdHBHVmRKTmVjYWFqSzZrUXlDalk1ci9wWHhOQmE5dldWUUhVbkNXVk95bHBFZGg2T2ZZbUdnb0phdE1UVFlBWAorVml2TFM5WHBIOG5QQ1lhWm9CZGkyUDQxZGtuazJSekZabWwvWFI1SFp0RFpqZURPM3d2Qkpvbm0rTXhQN0JrCjVMZ2U5aEZIUndqRWJMY1k3dys3enE4QkRBeUlIdjdPSjNhN3g5L2pYMlJaRnU3TzVyNXlmRVE2RnNLY3pURG8Kb0N4ZFVrTklndHBWQ29ETEt2Ykw2MW5kTnVsZTMvbURtL3YyU3lUSHVkMVM1ZHFzcDhrSmR1OFhVUmZjMllFbApGS1d2QnRuamgvanJMTVhGY2FoVi9veEpyQ0h1dC9QQ0xiQlRBalRldVNEYXVTN09IYkpSREt3bUg3b1Z2eUlDCmFJeWFZY1pOQWdNQkFBRUNnZ0VBSG1McVd4NHZCbk9ybHFLMGVNLzM5c1lLOEVpTTlra0c5eHRJWGVSTGxCWnIKM2dTeUNSTStXRzk2ZGZkaFkxSDFPa1ZDUGpJOFNEQzRkMzA2Ymw0Ris2RW93TXFrUytjcTlrcDYzYTg3aE5TbQpOMGdxSnl3TGV5YzRXdll2ZFA2c25scnd6MXE3Vk5QbXpQUXJ6b1hIQVc2N2tpeHA1cFF3OG1oVzVQcHlidkp5Clo2TERCZGRSZkVma2ZXVnZUUk5YWUVDUEllUStST05jR3JvVzZ5RXRrbk1BWUJjdjRlNUhCQkkrcHdyYmsrOVMKY2FQYUVjdm4vS0lyT3NpVW1FT2wwb3JXVnhkbjRmMy9MNmlFZFgyZHhIdXlwYkFiL0Qwak1MSzBwb3kyaXYyTApyOGI5VUQrRVZFNmFTVnp0MFRHbVpJYUdRVVZDQnVDTDhodlYwSU9PV1FLQmdRRGplL3JXdmk4Rndia3BRNDA0CnFQcitBaEFwaG1pV3l1a1B1VmJLN2Q5ZkdURzRHOW9Bd2wzYlFoRGVUNHhjMzd0cjlkcCtpamJuWnpKWHczL1cKcm5xTDlGWkZsVXZCYXN6c05VK1lRNmJVOE9zTXl6cURSdGJaaytVWEowUEx6QzZKWHFkNTFZdVVDM3NwL2lmNwpqWEZrME55aHcrdkY3VU51N0ZFSzVuWEUwd0tCZ1FEVGZOT0RLYmZyalNkZEhkV05iOHhkN2pGMlZSY3hTTnRUCit0L0FmbkRjZG8zK1NBUnJaRi9TM0hZWUxxL0l4dmZ5ZHdIblUxdC9INkxDZjBnQ2RXS2NXL1hway93ZUo1QXYKWmdaZjBPTXZsOXF0THJhTU44OG1HblV4K2IxdHZLWm4xQVcySFNuYXd2Z0kvMWVjSldNRUJiYkREbkx4cUpMegowTHJhT2pYVVh3S0JnRGlBbE44OXdjUTJSOTFkNy9mQTBRYkNVRzFmK3g1cEs5WkIvTExPdm9xS1lYVVBSZWltClhsV1ZaVWN5anZTS2hhemRGZllVTW1ycmtPK0htWHNqUDBELzRXWExIVlBmU1NMcVl1aTQ5UGt6RmM3SnM3RGoKcVgzRlpFT0o5eWJwZ2kyUW14eUIwL2RqbXFYbGdOelVWdlBwaE1PUlBFQ2ZHLzZ6SjdZRFpBRU5Bb0dBSElVcQo2UGRKVEVTKzJEbmJ3TFVnOUZIWTdjSlAzRitjNUZoaXNFemMzMzVGYTlNK2RWVVY3eE80QVU3YWVkTUxRUEYzCm1rQ05pRG
sxODlEQ1gwS0JSK0RHNnZiLyt2a080clY1aXBaYTdPSW5wVTgxWXZkcndoR3pXRWY3bWI3bEdmOW4KdmNWMURZRlpmYTBoblhjVlFVZWIrL1lJM2pvRGgwblF5UGtzcFRVQ2dZRUF0NERNajdZbStRS2J2bTJXaWNlcAo1Q2s3YWFMSUxuVHZqbGRLMkdjM2loOGVGRlE2Vy9pcUc1UUEzeHMwem8xVnhlUkhPWGkrK01xWjVWTVZMZFRWCjMxWXZOeUdPbVByTitZemVINmlTYXd5VXo2dW1UN1ZkMXRuUEJ1SmdPMFM3RnRlb01BckE3TGtDcUVhMDc4bS8KRXNxNzZjYW1WdW5kRXFTRWhGMllYNkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -714,7 +714,7 @@ xdsIR: name: envoy-gateway/target-gateway-5/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml index 0ee4643dab6..08dcf5bef70 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml @@ -252,7 +252,7 @@ xdsIR: name: envoy-gateway/target-gateway-1/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" @@ -297,7 +297,7 @@ xdsIR: name: envoy-gateway/target-gateway-2/ca.crt certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 maxVersion: "1.3" minVersion: "1.2" 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index ed684f328b4..ad3ed484f56 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml 
@@ -166,7 +166,7 @@ xdsIR: - h2 certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2xmRk9BdDBzRUR5b
jF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 ciphers: - cipher1 diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index 043eeab1543..a8c4413a399 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -284,7 +284,7 @@ xdsIR: security: basicAuth: name: securitypolicy/envoy-gateway/policy-for-gateway - users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + users: '[redacted]' cors: allowMethods: - GET diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index b70ae56fce4..7e86495fc41 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -279,7 +279,7 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/default-cert - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tcp: - address: 0.0.0.0 
@@ -318,11 +318,11 @@ xdsIR: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tls: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: 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 + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFBxajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 
diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index 80c15494330..868620d8d74 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml 
@@ -278,7 +278,7 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/default-cert - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMl
FiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: 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 tcp: - address: 0.0.0.0 @@ -317,11 +317,11 @@ xdsIR: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tls: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 137941240af..e65df0254f4 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -257,7 +257,7 @@ xdsIR: - ECDHE-ECDSA-AES256-GCM-SHA384 clientCertificates: - name: envoy-gateway-system/client-auth - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 ecdhCurves: - ECDHE-RSA-AES128-GCM-SHA256 
@@ -281,7 +281,7 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/default-cert - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMl
FiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: 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 tcp: - address: 0.0.0.0 
@@ -305,7 +305,7 @@ xdsIR: - ECDHE-ECDSA-AES256-GCM-SHA384 clientCertificates: - name: envoy-gateway-system/client-auth - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUD
J5c3NJQURKeCtYTC8wa0NrMlFiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: 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 ecdhCurves: - ECDHE-RSA-AES128-GCM-SHA256 
@@ -324,11 +324,11 @@ xdsIR: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMl
FiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: 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 tls: alpnProtocols: [] certificates: - name: envoy-gateway/default-cert - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZ
OQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMlFiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6
TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFBxajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index 7616aff3b9e..0b38b962b89 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -153,5 +153,5 @@ xdsIR: alpnProtocols: null certificates: - name: default/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index 649a4555722..6e35700c58e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -142,5 +142,5 @@ xdsIR: alpnProtocols: null certificates: - name: default/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 9d4d0a7528e..9e2db8004e5 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -211,7 +211,7 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tcp: - address: 0.0.0.0 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index cb443c09c8b..a9939722a0d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml 
@@ -144,8 +144,8 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-ecdsa-1 - privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: 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 - name: envoy-gateway/tls-secret-ecdsa-2 - privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRDUUE5VWo0SkR5c0Q0MlJIMGI2cjU5NTlXTmlXU2ZKZlMxK2RvTjk0TzZCUGdaQUJiUTI4eTIKUTZsM3pZdklLeFNnQndZRks0RUVBQ0toWkFOaUFBUjR5MGNMZUVoNnJaQ3gyUzFLTDlrMUg4d28xcTlLYmNjMgpmdTBhaUIrcHFxZndCS0FjaHJ2SlJUNzQreWdNUHFSLzc0Sjd1NngzU1pBN1ZLZDFnaGFQWkF1SWpQUTFrZndICjlDdmlMc25RZ3JDeENWU2U2ZG1xL2twajFNdEJyU2M9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index 754923d89fe..6fdbe779e25 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml 
@@ -144,8 +144,8 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 - name: envoy-gateway/tls-secret-ecdsa-1 - privateKey: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUxEbnZNM1RKM3NHYm9EeTF4T3dqSVppVFNWeWZXVWF5YVExcWdrdUdacEtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSDVWdHJjenJQS091alV5RTMyaDU2UnVrdHUzSVhTVnJJMkNibXh5UUpqcEY3di9rNVNqTQpSVXZjUnBCdmpnQWROaGhUNGNUMXV4YW1TMFlmQ2JXMVhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNlZ0F3SUJBZ0lVRm1sOExCRzBvL1FLNFErWjdrODI0c0MyaUZ3d0NnWUlLb1pJemowRUF3SXcKRmpFVU1CSUdBMVVFQXd3TFptOXZMbUpoY2k1amIyMHdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVdNUlF3RWdZRFZRUUREQXRtYjI4dVltRnlMbU52YlRCWk1CTUdCeXFHU000OUFnRUdDQ3FHClNNNDlBd0VIQTBJQUJMYVl2cUt1VlZveERvNTJlV3p2WUI1anc3RU1GODZybXlvaTVadWF5emRNdnBnNHpCcjgKUktCak5zK1QxakI4T0t1Y1MvN1JVRHgwcHorOTc2ek0zaU9qVXpCUk1CMEdBMVVkRGdRV0JCVE82K2NnMFIwZAp3dHJ6SlFQRzZnNzZoQkJVelRBZkJnTlZIU01FR0RBV2dCVE82K2NnMFIwZHd0cnpKUVBHNmc3NmhCQlV6VEFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDMlhwUFFnUXpXYWUzYjVwWnQKR2N1TWZESjBjME9QS2NuZWdrWFoyQzRCM2dJZ1Uvc1Jrd0lwTFFOUlYrRWFZdzRQNVQ1Z1BFNlkrVnBtQzk4aApvVmpaL3pRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index 5b692e70ab2..680ff1bf524 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml 
@@ -141,5 +141,5 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 - privateKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2QwZlBDYWtweE1nUnUKT0VXQjFiQk5FM3ZseW55aTZWbkV2VWF1OUhvakR2UHVPTFJIaGI4MmoyY1ovMHhnL1lKR09LelBuV2JERkxGNApHdWh3dDRENmFUR0xYNklPODEwTDZ0SXZIWGZNUXRJS2VwdTZ3K3p1WVo4bG1yejB1RjZlWEtqamVIbHhyb2ZrCnVNekM3OUVaU0lYZlZlczJ1SmdVRSs4VGFzSDUzQ2Y4MFNSRGlIeEdxckttdVNjWCtwejBreGdCZ1VWYTVVS20KUWdTZDFmVUxLOUEwNXAxOXkrdURPM204bVhRNkxVQ0N1STFwZHNROGFlNS9zamlxa0VjWlJjMTdWYVgxWjVVaQpvcGZnNW9SY05VTG9VTHNiek9aNTR0YlVDUmdSV2VLbGZxaElINEZ6OUlkVlUyR3dFdEdhMmV6TjgyMVBaQ3QzCjZhbVRIelJsQWdNQkFBRUNnZ0VBWTFGTUlLNDVXTkVNUHJ6RTZUY3NNdVV2RkdhQVZ4bVk5NW5SMEtwajdvb3IKY21CVys2ZXN0TTQ4S1AwaitPbXd3VFpMY29Cd3VoWGN0V1Bob1lXcDhteWUxRUlEdjNyaHRHMDdocEQ1NGg2dgpCZzh3ejdFYStzMk9sT0N6UnlKNzBSY281YlhjWDNGaGJjdnFlRWJwaFFyQnpOSEtLMjZ4cmZqNWZIT3p6T1FGCmJHdUZ3SDVic3JGdFhlajJXM3c4eW90N0ZQSDV3S3RpdnhvSWU5RjMyOXNnOU9EQnZqWnpiaG1LVTArckFTK1kKRGVield2bFJyaEUrbXVmQTN6M0N0QXhDOFJpNzNscFNoTDRQQWlvcG1SUXlxZXRXMjYzOFFxcnM0R3hnNzhwbApJUXJXTmNBc2s3Slg5d3RZenV6UFBXSXRWTTFscFJiQVRhNTJqdFl2NVFLQmdRRE5tMTFtZTRYam1ZSFV2cStZCmFTUzdwK2UybXZEMHVaOU9JeFluQnBWMGkrckNlYnFFMkE1Rm5hcDQ5Yld4QTgwUElldlVkeUpCL2pUUkoxcVMKRUpXQkpMWm1LVkg2K1QwdWw1ZUtOcWxFTFZHU0dCSXNpeE9SUXpDZHBoMkx0UmtBMHVjSVUzY3hiUmVMZkZCRQpiSkdZWENCdlNGcWd0VDlvZTFldVpMVmFOd0tCZ1FERWdENzJENk81eGIweEQ1NDQ1M0RPMUJhZmd6aThCWDRTCk1SaVd2LzFUQ0w5N05sRWtoeXovNmtQd1owbXJRcE5CMzZFdkpKZFVteHdkU2MyWDhrOGcxMC85NVlLQkdWQWoKL3d0YVZYbE9WeEFvK0ZSelpZeFpyQ29uWWFSMHVwUzFybDRtenN4REhlZU9mUVZUTUgwUjdZN0pnbTA5dXQ4SwplanAvSXZBb1F3S0JnQjNaRWlRUWhvMVYrWjBTMlpiOG5KS0plMy9zMmxJTXFHM0ZkaS9RS3Q0eWViQWx6OGY5ClBZVXBzRmZEQTg5Z3grSU1nSm5sZVptdTk2ZnRXSjZmdmJSenllN216TG5zZU05TXZua1lHbGFGWmJRWnZubXMKN3ZoRmtzY3dHRlh4d21GMlBJZmU1Z3pNMDRBeVdjeTFIaVhLS2dNOXM3cGsxWUdyZGowZzdacmRBb0dCQUtLNApDR3MrbkRmMEZTMFJYOWFEWVJrRTdBNy9YUFhtSG5YMkRnU1h5N0Q4NTRPaWdTTWNoUmtPNTErbVNJejNQbllvCk41T1FXM2lHVVl1M1YvYmhnc0VSUzM1V2
xmRk9BdDBzRUR5bjF5SVdXcDF5dG93d3BUNkVvUXVuZ2NYZjA5RjMKS1NROXowd3M4VmsvRWkvSFVXcU5LOWFXbU51cmFaT0ZqL2REK1ZkOUFvR0FMWFN3dEE3K043RDRkN0VEMURSRQpHTWdZNVd3OHFvdDZSdUNlNkpUY0FnU3B1MkhNU3JVY2dXclpiQnJZb09FUnVNQjFoMVJydk5ybU1qQlM0VW9FClgyZC8vbGhpOG1wL2VESWN3UDNRa2puanBJRFJWMFN1eWxrUkVaZURKZjVZb3R6eDdFdkJhbzFIbkQrWEg4eUIKVUtmWGJTaHZKVUdhRmgxT3Q1Y3JoM1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index 10f483e7293..bafbb34668b 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml 
@@ -141,5 +141,5 @@ xdsIR: alpnProtocols: null certificates: - name: default/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index bec756628f7..2b7899d4f75 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -212,5 +212,5 @@ xdsIR: alpnProtocols: null certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index b690cb20370..02fd1a6ddd1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -250,7 +250,7 @@ xdsIR: security: basicAuth: name: securitypolicy/default/policy-for-http-route-1 - users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + users: '[redacted]' - destination: name: httproute/default/httproute-1/rule/1 settings: @@ -274,7 +274,7 @@ xdsIR: security: basicAuth: name: securitypolicy/default/policy-for-http-route-1 - users: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= + users: '[redacted]' - destination: name: httproute/default/httproute-2/rule/0 settings: @@ -298,4 +298,4 @@ xdsIR: security: basicAuth: name: securitypolicy/default/policy-for-gateway-1 - users: Zm9vOntTSEF9WXMyM0FnLzVJT1dxWkN3OVFHYVZEZEh3SDAwPQpmb28xOntTSEF9ZGpaMTFxSFkwS09pamV5bUs3YUt2WXV2aHZNPQo= + users: '[redacted]' diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index d6f0c4dbc47..eb518ba7c3c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -217,12 +217,12 @@ xdsIR: security: oidc: clientID: client1.apps.googleusercontent.com - clientSecret: Y2xpZW50MTpzZWNyZXQK + clientSecret: '[redacted]' cookieSuffix: b0a1b740 defaultRefreshTokenTTL: 24h0m0s defaultTokenTTL: 30m0s forwardAccessToken: true - hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + hmacSecret: '[redacted]' logoutPath: /bar/logout name: securitypolicy/envoy-gateway/policy-for-gateway provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml index 2482d1bc05b..a42e482a758 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml @@ -178,12 +178,12 @@ xdsIR: security: oidc: clientID: client1.apps.googleusercontent.com - clientSecret: Y2xpZW50MTpzZWNyZXQK + clientSecret: '[redacted]' cookieNameOverrides: accessToken: CustomAccessTokenCookie idToken: CustomIdTokenCookie cookieSuffix: b0a1b740 - hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + hmacSecret: '[redacted]' logoutPath: /bar/logout name: securitypolicy/envoy-gateway/policy-for-gateway provider: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 5f327af8752..1d9093a8d38 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml 
@@ -273,13 +273,13 @@ xdsIR: security: oidc: clientID: client2.oauth.foo.com - clientSecret: Y2xpZW50MTpzZWNyZXQK + clientSecret: '[redacted]' cookieDomain: example.com cookieSuffix: 5f93c2e4 defaultRefreshTokenTTL: 48h0m0s defaultTokenTTL: 1h0m0s forwardAccessToken: true - hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + hmacSecret: '[redacted]' logoutPath: /foo/logout name: securitypolicy/default/policy-for-http-route provider: @@ -317,12 +317,12 @@ xdsIR: security: oidc: clientID: client1.apps.googleusercontent.com - clientSecret: Y2xpZW50MTpzZWNyZXQK + clientSecret: '[redacted]' cookieSuffix: b0a1b740 defaultRefreshTokenTTL: 24h0m0s defaultTokenTTL: 30m0s forwardAccessToken: true - hmacSecret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY= + hmacSecret: '[redacted]' logoutPath: /bar/logout name: securitypolicy/envoy-gateway/policy-for-gateway provider: diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index 7a4f2288ace..d3a6e8bdc19 100644 --- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml 
@@ -185,13 +185,13 @@ xdsIR: alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tls: alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= - address: 0.0.0.0 name: 
envoy-gateway/gateway-1/tls-hostname @@ -215,11 +215,11 @@ xdsIR: alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 tls: alpnProtocols: [] certificates: - name: envoy-gateway/tls-secret-1 - privateKey: 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 + privateKey: '[redacted]' serverCertificate: 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 diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 39200342a5f..61e0025fbdd 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go @@ -14,6 +14,7 @@ import ( "fmt" "os" "path/filepath" + "reflect" "strconv" "strings" "testing" @@ -34,6 +35,7 @@ import ( egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" + "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils/field" "github.com/envoyproxy/gateway/internal/utils/file" "github.com/envoyproxy/gateway/internal/wasm" @@ -318,6 +320,8 @@ func TestTranslate(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmp.Transformer("ClearXdsEqual", xdsWithoutEqual), + cmpopts.IgnoreTypes(ir.PrivateBytes{}), cmpopts.EquateEmpty(), } 
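Review bot: `cmpopts.IgnoreTypes(ir.PrivateBytes{})` in the `opts` slice of `TestTranslate` removes every private key, OIDC client secret, HMAC secret and htpasswd blob from the golden comparison. A translation regression that drops a secret or leaves it empty on a listener would therefore no longer fail this test. Since the fixtures now hold `'[redacted]'`, the content cannot be compared, but presence still can, for example `cmp.Comparer(func(a, b ir.PrivateBytes) bool { return (len(a) == 0) == (len(b) == 0) })` in place of the ignore. The body of `TestTranslate` starts and ends outside this hunk, so I have not checked whether another assertion already covers this.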
@@ -848,3 +852,42 @@ func (m *mockWasmCache) Get(downloadURL string, options wasm.GetOptions) (url st } func (m *mockWasmCache) Cleanup() {} + +// ir.Xds implements a custom Equal method which ensures exact equality, even +// over redacted fields. This function is used to remove the Equal method from +// the type, but ensure that the set of fields is the same. +// This allows us to use cmp.Diff to compare the types with field-level cmpopts. +func xdsWithoutEqual(a *ir.Xds) any { + ret := struct { + AccessLog *ir.AccessLog + Tracing *ir.Tracing + Metrics *ir.Metrics + HTTP []*ir.HTTPListener + TCP []*ir.TCPListener + UDP []*ir.UDPListener + EnvoyPatchPolicies []*ir.EnvoyPatchPolicy + FilterOrder []egv1a1.FilterPosition + }{ + AccessLog: a.AccessLog, + Tracing: a.Tracing, + Metrics: a.Metrics, + HTTP: a.HTTP, + TCP: a.TCP, + UDP: a.UDP, + EnvoyPatchPolicies: a.EnvoyPatchPolicies, + FilterOrder: a.FilterOrder, + } + + // Ensure we didn't drop an exported field. + ta, tr := reflect.TypeOf(*a), reflect.TypeOf(ret) + for i := 0; i < ta.NumField(); i++ { + aField := ta.Field(i) + if rField, ok := tr.FieldByName(aField.Name); !ok || aField.Type != rField.Type { + // We panic here because this is test code, and it would be hard to + // plumb the error out. + panic(fmt.Sprintf("field %q is missing or has wrong type in the ir.Xds mirror", aField.Name)) + } + } + + return ret +} diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5e26af0f479..5103d3ea81a 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -7,6 +7,7 @@ package ir import ( "cmp" + "encoding" "encoding/json" "errors" "fmt" 
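Review bot: `xdsWithoutEqual` dereferences its argument unconditionally (`a.AccessLog`, `reflect.TypeOf(*a)`), so a nil `*ir.Xds` reaching the transformer would panic with a bare nil-pointer error instead of producing a diff. I have not confirmed whether any `TestTranslate` case can yield a nil Xds. If one can, a guard at the top such as `if a == nil { return (*ir.Xds)(nil) }` keeps the failure readable. The doc comment should also open with the function name (`// xdsWithoutEqual mirrors ir.Xds without its Equal method ...`), and the reflection check runs on every call although the two struct types never change, so it could run once.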
@@ -77,6 +78,51 @@ var ( redacted = []byte("[redacted]") ) +// PrivateBytes implements a custom []byte type so that we can override the +// various string-ish printing functions to redact the contents. +type PrivateBytes []byte + +var ( + _ fmt.Stringer = PrivateBytes{} + _ encoding.TextMarshaler = PrivateBytes{} +) + +// MarshalText redacts the contents of the PrivateBytes type. +// Note that MarshalJSON will call MarshalText if it exists, so we don't +// need to implement MarshalJSON. +func (p PrivateBytes) MarshalText() ([]byte, error) { + if len(p) == 0 { + return nil, nil + } + return redacted, nil +} + +// String redacts the contents of the PrivateBytes type. +func (p PrivateBytes) String() string { + if len(p) == 0 { + return "" + } + return string(redacted) +} + +func (p *PrivateBytes) UnmarshalJSON(data []byte) error { + if len(data) == 0 { + *p = nil + return nil + } + if string(data) == `"`+string(redacted)+`"` { + *p = redacted + return nil + } + var b []byte + err := json.Unmarshal(data, &b) + if err != nil { + return fmt.Errorf("UnmarshalJSON failed: %w, %q", err, string(data)) + } + *p = b + return err +} + // Xds holds the intermediate representation of a Gateway and is // used by the xDS Translator to convert it into xDS resources. // +k8s:deepcopy-gen=true 
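Review bot: The error path of `PrivateBytes.UnmarshalJSON` formats the raw input into the message (`fmt.Errorf("UnmarshalJSON failed: %w, %q", err, string(data))`), so a malformed private key, client secret or htpasswd value is copied into whatever logs or returns that error, which is the exposure this type exists to prevent. I would drop the payload: `return fmt.Errorf("unmarshal PrivateBytes: %w", err)`. In the same method `*p = redacted` hands out the package-level slice itself, so an in-place write through the field would change the marker for every user; `*p = append(PrivateBytes(nil), redacted...)` avoids the aliasing. Only `String` and `MarshalText` are overridden, so `%#v`, `%d` and an explicit `[]byte(p)` conversion still expose the bytes; the type comment should say so, or a `GoString` method should be added. `UnmarshalJSON` also has no doc comment, and it should state that the `"[redacted]"` marker round-trips as literal bytes rather than as key material.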
@@ -176,36 +222,15 @@ func (x *Xds) GetUDPListener(name string) *UDPListener { } func (x *Xds) YAMLString() string { - y, _ := yaml.Marshal(x.Printable()) + y, _ := yaml.Marshal(x) return string(y) } func (x *Xds) JSONString() string { - j, _ := json.Marshal(x.Printable()) + j, _ := json.Marshal(x) return string(j) } -// Printable returns a deep copy of the resource that can be safely logged. -func (x *Xds) Printable() *Xds { - out := x.DeepCopy() - for _, listener := range out.HTTP { - // Omit field - if listener.TLS != nil { - for i := range listener.TLS.Certificates { - listener.TLS.Certificates[i].PrivateKey = redacted - } - } - - for _, route := range listener.Routes { - // Omit field - if route.Security != nil { - route.Security = route.Security.Printable() - } - } - } - return out -} - type Listener interface { GetName() string GetAddress() string @@ -378,7 +403,7 @@ type TLSCertificate struct { // Certificate can be either a client or server certificate. Certificate []byte `json:"serverCertificate,omitempty" yaml:"serverCertificate,omitempty"` // PrivateKey for the server. - PrivateKey []byte `json:"privateKey,omitempty" yaml:"privateKey,omitempty"` + PrivateKey PrivateBytes `json:"privateKey,omitempty" yaml:"privateKey,omitempty"` } // TLSCACertificate holds CA Certificate to validate clients @@ -778,18 +803,6 @@ type SecurityFeatures struct { Authorization *Authorization `json:"authorization,omitempty" yaml:"authorization,omitempty"` } -func (s *SecurityFeatures) Printable() *SecurityFeatures { - out := s.DeepCopy() - if out.OIDC != nil { - out.OIDC.ClientSecret = redacted - out.OIDC.HMACSecret = redacted - } - if out.BasicAuth != nil { - out.BasicAuth.Users = redacted - } - return out -} - func (s *SecurityFeatures) Validate() error { var errs error 
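Review bot: `YAMLString` and `JSONString` carry no doc comments, and after this hunk nothing on them explains why their output is safe to log. With `Printable` removed, redaction depends entirely on each secret field being declared as `PrivateBytes`; a field added later as plain `[]byte` would be emitted base64-encoded with no central step to catch it. I would add `// YAMLString returns the IR as YAML; secret fields are redacted only when typed as PrivateBytes.` and the equivalent on `JSONString`. Because the redaction now lives in the marshaller, any caller that serialises `ir.Xds` to move it between components rather than to log it would receive `[redacted]` in place of the secret; the callers are not visible in this diff, so that needs checking.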
@@ -883,10 +896,10 @@ type OIDC struct { // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). // // This is an Opaque secret. The client secret should be stored in the key "client-secret". - ClientSecret []byte `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"` + ClientSecret PrivateBytes `json:"clientSecret,omitempty" yaml:"clientSecret,omitempty"` // HMACSecret is the secret used to sign the HMAC of the OAuth2 filter cookies. - HMACSecret []byte `json:"hmacSecret,omitempty" yaml:"hmacSecret,omitempty"` + HMACSecret PrivateBytes `json:"hmacSecret,omitempty" yaml:"hmacSecret,omitempty"` // The OIDC scopes to be used in the // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). @@ -959,7 +972,7 @@ type BasicAuth struct { Name string `json:"name" yaml:"name"` // The username-password pairs in htpasswd format. - Users []byte `json:"users,omitempty" yaml:"users,omitempty"` + Users PrivateBytes `json:"users,omitempty" yaml:"users,omitempty"` } // ExtAuth defines the schema for the external authorization. diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go index 7a81491417d..c73faf7eb44 100644 --- a/internal/ir/xds_test.go +++ b/internal/ir/xds_test.go @@ -6,6 +6,7 @@ package ir import ( + "encoding/json" "net/http" "testing" "time" @@ -1331,11 +1332,12 @@ func TestValidateLoadBalancer(t *testing.T) { } } -func TestPrintable(t *testing.T) { +func TestRedaction(t *testing.T) { tests := []struct { - name string - input Xds - want *Xds + name string + input Xds + want *Xds + wantStr string }{ { name: "empty", 
@@ -1360,10 +1362,59 @@ func TestPrintable(t *testing.T) { HTTP: []*HTTPListener{&redactedHappyHTTPSListener}, }, }, + { + name: "explicit string check", + input: Xds{ + HTTP: []*HTTPListener{{ + TLS: &TLSConfig{ + Certificates: []TLSCertificate{{ + Name: "server", + Certificate: []byte("---"), + PrivateKey: []byte("secret"), + }}, + ClientCertificates: []TLSCertificate{{ + Name: "client", + Certificate: []byte("---"), + PrivateKey: []byte("secret"), + }}, + }, + Routes: []*HTTPRoute{{ + Security: &SecurityFeatures{ + OIDC: &OIDC{ + ClientSecret: []byte("secret"), + HMACSecret: []byte("secret"), + }, + BasicAuth: &BasicAuth{ + Users: []byte("secret"), + }, + }, + }}, + }}, + }, + wantStr: `{"http":[{"name":"","address":"","port":0,"hostnames":null,` + + `"tls":{` + + `"certificates":[{"name":"server","serverCertificate":"LS0t","privateKey":"[redacted]"}],` + + `"clientCertificates":[{"name":"client","serverCertificate":"LS0t","privateKey":"[redacted]"}],` + + `"alpnProtocols":null},` + + `"routes":[{` + + `"name":"","hostname":"","isHTTP2":false,"security":{` + + `"oidc":{"name":"","provider":{},"clientID":"","clientSecret":"[redacted]","hmacSecret":"[redacted]"},` + + `"basicAuth":{"name":"","users":"[redacted]"}` + + `}}],` + + `"isHTTP2":false,"path":{"mergeSlashes":false,"escapedSlashesAction":""}}]}`, + }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { - assert.Equal(t, *test.want, *test.input.Printable()) + if test.want != nil { + if test.wantStr != "" { + t.Fatalf("Don't set both want and wantStr") + } + wantJSON, err := json.Marshal(test.want) + require.NoError(t, err) + test.wantStr = string(wantJSON) + } + assert.Equal(t, test.wantStr, test.input.JSONString()) }) } } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 85a26447ecb..59f1973b22a 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
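Review bot: For the cases that set `want`, both sides of the final `assert.Equal` come from the same redacting marshaller (`json.Marshal(test.want)` against `test.input.JSONString()`), so those cases can no longer fail on a redaction regression. Only the new "explicit string check" case pins the output, and it covers HTTP listeners through `JSONString` alone. I would give the input secrets a distinctive sentinel value and assert that it is absent from `JSONString()`, `YAMLString()` and `fmt.Sprintf("%v", ...)` of the struct, and add a TCP listener with TLS to the input. A round-trip case for `PrivateBytes.UnmarshalJSON` (real base64 in, `"[redacted]"` in, `null` in) is also missing. `TestRedaction` begins in the previous hunk, so its table is split across the two.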
@@ -315,7 +315,7 @@ func (in *BasicAuth) DeepCopyInto(out *BasicAuth) { *out = *in if in.Users != nil { in, out := &in.Users, &out.Users - *out = make([]byte, len(*in)) + *out = make(PrivateBytes, len(*in)) copy(*out, *in) } } @@ -1975,12 +1975,12 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { in.Provider.DeepCopyInto(&out.Provider) if in.ClientSecret != nil { in, out := &in.ClientSecret, &out.ClientSecret - *out = make([]byte, len(*in)) + *out = make(PrivateBytes, len(*in)) copy(*out, *in) } if in.HMACSecret != nil { in, out := &in.HMACSecret, &out.HMACSecret - *out = make([]byte, len(*in)) + *out = make(PrivateBytes, len(*in)) copy(*out, *in) } if in.Scopes != nil { @@ -3028,7 +3028,7 @@ func (in *TLSCertificate) DeepCopyInto(out *TLSCertificate) { } if in.PrivateKey != nil { in, out := &in.PrivateKey, &out.PrivateKey - *out = make([]byte, len(*in)) + *out = make(PrivateBytes, len(*in)) copy(*out, *in) } } From a7d6526d022b62b1bad0fd268a8534dc535bc596 Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 11 Nov 2024 11:14:35 +0800 Subject: [PATCH 385/523] chore: net.JoinHostPort (#4692) Signed-off-by: zirain --- test/e2e/tests/gatewayt-with-envoyproxy.go | 3 ++- test/e2e/tests/utils.go | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/test/e2e/tests/gatewayt-with-envoyproxy.go b/test/e2e/tests/gatewayt-with-envoyproxy.go index ec9f7252a5e..e3100105f71 100644 --- a/test/e2e/tests/gatewayt-with-envoyproxy.go +++ b/test/e2e/tests/gatewayt-with-envoyproxy.go @@ -9,6 +9,7 @@ package tests import ( "context" + "net" "testing" "github.com/stretchr/testify/require" @@ -47,7 +48,7 @@ var GatewayWithEnvoyProxy = suite.ConformanceTest{ // Verify that the RouteType is set to Service by the attached EnvoyProxy Headers: map[string]string{ - "upstream-host": svc.Spec.ClusterIP + ":8080", + "upstream-host": net.JoinHostPort(svc.Spec.ClusterIP, "8080"), }, }, Namespace: ns, 
diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index 53aeb8b96a7..c63cad1e579 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -14,6 +14,7 @@ import ( "net" "net/http" "net/url" + "strconv" "strings" "testing" "time" @@ -400,7 +401,7 @@ func RetrieveURL(c client.Client, nn types.NamespacedName, port int32, path stri default: host = fmt.Sprintf("%s.%s.svc", nn.Name, nn.Namespace) } - return fmt.Sprintf("http://%s:%d%s", host, port, path), nil + return fmt.Sprintf("http://%s%s", net.JoinHostPort(host, strconv.Itoa(int(port))), path), nil } var metricParser = &expfmt.TextParser{} @@ -560,7 +561,7 @@ func QueryLogCountFromLoki(t *testing.T, c client.Client, keyValues map[string]s params := url.Values{} params.Add("query", q) params.Add("start", fmt.Sprintf("%d", time.Now().Add(-10*time.Minute).Unix())) // query logs from last 10 minutes - lokiQueryURL := fmt.Sprintf("http://%s:3100/loki/api/v1/query_range?%s", lokiHost, params.Encode()) + lokiQueryURL := fmt.Sprintf("http://%s/loki/api/v1/query_range?%s", net.JoinHostPort(lokiHost, "3100"), params.Encode()) res, err := http.DefaultClient.Get(lokiQueryURL) if err != nil { return -1, err From ec56a83e216735176e52aa3e7a5a04bab6db981e Mon Sep 17 00:00:00 2001 From: zirain Date: Mon, 11 Nov 2024 15:24:16 +0800 Subject: [PATCH 386/523] chore: dnsSearch on kind cluster (#4691) Signed-off-by: zirain --- tools/hack/create-cluster.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index ad3cff1cd92..d1601cb83b6 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -14,6 +14,9 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 networking: ipFamily: ${IP_FAMILY} + # it's to prevent inherit search domains from the host which slows down DNS resolution + # and cause problems to IPv6 only clusters running on IPv4 host. + dnsSearch: [] nodes: - role: control-plane EOM 
From c0b2c87f53553b3591a5ba8e71bb10763b01ea9b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:48:03 -0800 Subject: [PATCH 387/523] build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#4696) * build(deps): bump google.golang.org/grpc from 1.67.1 to 1.68.0 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.67.1 to 1.68.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.67.1...v1.68.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * lint Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 14 ++++++++------ go.mod | 6 +++--- go.sum | 12 ++++++------ 4 files changed, 20 insertions(+), 18 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 7b09ae7320b..d08fe02ac24 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,7 +6,7 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1 github.com/urfave/cli/v2 v2.27.5 - google.golang.org/grpc v1.67.1 + google.golang.org/grpc v1.68.0 google.golang.org/protobuf v1.35.1 k8s.io/apimachinery v0.31.2 sigs.k8s.io/controller-runtime v0.19.1 
@@ -14,9 +14,9 @@ require ( ) require ( - cel.dev/expr v0.16.0 // indirect + cel.dev/expr v0.16.1 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect - github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 42db960b446..e3e50a30b90 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -1,9 +1,9 @@ -cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y= -cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= +cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 
@@ -23,6 +23,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= @@ -109,8 +111,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1: google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= -google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= -google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/go.mod b/go.mod index 68fd42b5a31..b5c05d514b0 100644 --- a/go.mod +++ b/go.mod 
@@ -8,7 +8,7 @@ require ( fortio.org/fortio v1.67.1 fortio.org/log v1.17.1 github.com/Masterminds/semver/v3 v3.3.0 - github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 + github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 @@ -65,12 +65,12 @@ require ( github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.107.5 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 - google.golang.org/grpc v1.67.1 + google.golang.org/grpc v1.68.0 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) require ( - cel.dev/expr v0.16.0 // indirect + cel.dev/expr v0.16.1 // indirect dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.9.2 // indirect diff --git a/go.sum b/go.sum index 00d7b32bb36..26902bde34a 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cel.dev/expr v0.16.0 h1:yloc84fytn4zmJX2GU3TkXGsaieaV7dQ057Qs4sIG2Y= -cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= +cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 
@@ -123,8 +123,8 @@ github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= 
@@ -1100,8 +1100,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= -google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From a9ff26987668b53274ec6be03b78e23de5d86ebc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:48:49 -0800 Subject: [PATCH 388/523] build(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#4701) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/662472033e021d55d94146f66f6058822b0b39fd...4f3212b61783c3c68e8309a0f18a699764811cda) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2027c7548aa..faca9d0eb1b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6e816b5460f..79f040fba97 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: results.sarif From df8fa0f8bbdecdb5e472c9b9787857a6679230f9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:49:05 -0800 Subject: [PATCH 389/523] build(deps): bump sigs.k8s.io/kind from 0.24.0 to 0.25.0 in /tools/src/kind (#4700) build(deps): bump sigs.k8s.io/kind in /tools/src/kind Bumps [sigs.k8s.io/kind](https://github.com/kubernetes-sigs/kind) from 0.24.0 to 0.25.0. - [Release notes](https://github.com/kubernetes-sigs/kind/releases) - [Commits](https://github.com/kubernetes-sigs/kind/compare/v0.24.0...v0.25.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/kind dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/src/kind/go.mod | 2 +- tools/src/kind/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index 969589cce84..42dd6426e94 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -2,7 +2,7 @@ module github.com/envoyproxy/gateway/tools/src/kind go 1.23.1 -require sigs.k8s.io/kind v0.24.0 +require sigs.k8s.io/kind v0.25.0 require ( github.com/BurntSushi/toml v1.4.0 // indirect diff --git a/tools/src/kind/go.sum b/tools/src/kind/go.sum index e811249cb1e..43de9d29a84 100644 --- a/tools/src/kind/go.sum +++ b/tools/src/kind/go.sum 
@@ -36,7 +36,7 @@ gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLF gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -sigs.k8s.io/kind v0.24.0 h1:g4y4eu0qa+SCeKESLpESgMmVFBebL0BDa6f777OIWrg= -sigs.k8s.io/kind v0.24.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw= +sigs.k8s.io/kind v0.25.0 h1:ugUvgesHKKA0yKmD6QtYTiEev+kPUpGxdTPbMGf8VTU= +sigs.k8s.io/kind v0.25.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 879da46901ca852e22152bcbf267d0842ba6735e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 18:49:27 -0800 Subject: [PATCH 390/523] build(deps): bump github.com/golangci/golangci-lint from 1.61.0 to 1.62.0 in /tools/src/golangci-lint (#4699) * build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.61.0 to 1.62.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.61.0...v1.62.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * fix Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] 
Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- internal/utils/jsonpatch/patch_test.go | 2 +- tools/src/golangci-lint/go.mod | 73 ++++++------ tools/src/golangci-lint/go.sum | 153 +++++++++++++------------ 3 files changed, 118 insertions(+), 110 deletions(-) diff --git a/internal/utils/jsonpatch/patch_test.go b/internal/utils/jsonpatch/patch_test.go index dbdd63fc527..cfd4ec8e2e4 100644 --- a/internal/utils/jsonpatch/patch_test.go +++ b/internal/utils/jsonpatch/patch_test.go @@ -241,7 +241,7 @@ func TestApplyJSONPatches(t *testing.T) { t.Error(err) } - require.Equal(t, expectedJSON, resultJSON) + require.JSONEq(t, expectedJSON, resultJSON) } require.NoError(t, err) } diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index e73d754d4b9..e88d8a1a325 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod 
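Review bot: In the `TestApplyJSONPatches` hunk, the context line `t.Error(err)` just above the new `require.JSONEq(t, expectedJSON, resultJSON)` records the failure but lets the test keep running. `JSONEq` parses both arguments and fails when either is not valid JSON, so a failed preceding step would now surface as a second, less informative failure on the comparison. Replacing that line with `require.NoError(t, err)` would stop the test at the real cause and match the `require` style of the lines that follow. This assumes `t.Error(err)` sits inside an `if err != nil` guard whose header is outside the hunk; the enclosing function also starts and ends outside the hunk.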
@@ -2,34 +2,34 @@ module local go 1.23.1 -require github.com/golangci/golangci-lint v1.61.0 +require github.com/golangci/golangci-lint v1.62.0 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect 4d63.com/gochecknoglobals v0.2.1 // indirect github.com/4meepo/tagalign v1.3.4 // indirect - github.com/Abirdcfly/dupword v0.1.1 // indirect - github.com/Antonboom/errname v0.1.13 // indirect - github.com/Antonboom/nilnil v0.1.9 // indirect - github.com/Antonboom/testifylint v1.4.3 // indirect + github.com/Abirdcfly/dupword v0.1.3 // indirect + github.com/Antonboom/errname v1.0.0 // indirect + github.com/Antonboom/nilnil v1.0.0 // indirect + github.com/Antonboom/testifylint v1.5.0 // indirect github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect github.com/Crocmagnon/fatcontext v0.5.2 // indirect github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect - github.com/alecthomas/go-check-sumtype v0.1.4 // indirect - github.com/alexkohler/nakedret/v2 v2.0.4 // indirect + github.com/alecthomas/go-check-sumtype v0.2.0 // indirect + github.com/alexkohler/nakedret/v2 v2.0.5 // indirect github.com/alexkohler/prealloc v1.0.0 // indirect github.com/alingse/asasalint v0.0.11 // indirect github.com/ashanbrown/forbidigo v1.6.0 // indirect github.com/ashanbrown/makezero v1.1.1 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/bkielbasa/cyclop v1.2.1 // indirect + github.com/bkielbasa/cyclop v1.2.3 // indirect github.com/blizzy78/varnamelen v0.8.0 // indirect github.com/bombsimon/wsl/v4 v4.4.1 // indirect - github.com/breml/bidichk v0.2.7 // indirect - github.com/breml/errchkjson v0.3.6 // indirect + github.com/breml/bidichk v0.3.2 // indirect + github.com/breml/errchkjson v0.4.0 // indirect github.com/butuzov/ireturn v0.3.0 // indirect 
github.com/butuzov/mirror v1.2.0 // indirect github.com/catenacyber/perfsprint v0.7.1 // indirect @@ -37,19 +37,19 @@ require ( github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/charithe/durationcheck v0.0.10 // indirect github.com/chavacava/garif v0.1.0 // indirect - github.com/ckaznocha/intrange v0.2.0 // indirect + github.com/ckaznocha/intrange v0.2.1 // indirect github.com/curioswitch/go-reassign v0.2.0 // indirect github.com/daixiang0/gci v0.13.5 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/denis-tingaikin/go-header v0.5.0 // indirect github.com/ettle/strcase v0.2.0 // indirect - github.com/fatih/color v1.17.0 // indirect + github.com/fatih/color v1.18.0 // indirect github.com/fatih/structtag v1.2.0 // indirect github.com/firefart/nonamedreturns v1.0.5 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fzipp/gocyclo v0.6.0 // indirect - github.com/ghostiam/protogetter v0.3.6 // indirect - github.com/go-critic/go-critic v0.11.4 // indirect + github.com/ghostiam/protogetter v0.3.8 // indirect + github.com/go-critic/go-critic v0.11.5 // indirect github.com/go-toolsmith/astcast v1.1.0 // indirect github.com/go-toolsmith/astcopy v1.1.0 // indirect github.com/go-toolsmith/astequal v1.2.0 // indirect 
@@ -57,12 +57,13 @@ require ( github.com/go-toolsmith/astp v1.1.0 // indirect github.com/go-toolsmith/strparse v1.1.0 // indirect github.com/go-toolsmith/typep v1.1.0 // indirect - github.com/go-viper/mapstructure/v2 v2.1.0 // indirect + github.com/go-viper/mapstructure/v2 v2.2.1 // indirect github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gofrs/flock v0.12.1 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect + github.com/golangci/go-printf-func-name v0.1.0 // indirect github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 // indirect github.com/golangci/misspell v0.6.0 // indirect github.com/golangci/modinfo v0.3.4 // indirect @@ -81,20 +82,18 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jgautheron/goconst v1.7.1 // indirect github.com/jingyugao/rowserrcheck v1.1.1 // indirect - github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect github.com/jjti/go-spancheck v0.6.2 // indirect github.com/julz/importas v0.1.0 // indirect github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect - github.com/kisielk/errcheck v1.7.0 // indirect + github.com/kisielk/errcheck v1.8.0 // indirect github.com/kkHAIKE/contextcheck v1.1.5 // indirect github.com/kulti/thelper v0.6.3 // indirect github.com/kunwardeep/paralleltest v1.0.10 // indirect github.com/kyoh86/exportloopref v0.1.11 // indirect - github.com/lasiar/canonicalheader v1.1.1 // indirect + github.com/lasiar/canonicalheader v1.1.2 // indirect github.com/ldez/gomoddirectives v0.2.4 // indirect github.com/ldez/tagliatelle v0.5.0 // indirect github.com/leonklingele/grouper v1.1.2 // indirect - github.com/lufeee/execinquery v1.2.1 // indirect github.com/macabu/inamedparam v0.1.3 // indirect github.com/magiconair/properties v1.8.6 // indirect github.com/maratori/testableexamples v1.0.0 // indirect 
@@ -102,16 +101,16 @@ require ( github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/mattn/go-runewidth v0.0.9 // indirect + github.com/mattn/go-runewidth v0.0.16 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect - github.com/mgechev/revive v1.3.9 // indirect + github.com/mgechev/revive v1.5.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moricho/tparallel v0.3.2 // indirect github.com/nakabonne/nestif v0.3.1 // indirect github.com/nishanths/exhaustive v0.12.0 // indirect github.com/nishanths/predeclared v0.2.2 // indirect - github.com/nunnatsa/ginkgolinter v0.16.2 // indirect + github.com/nunnatsa/ginkgolinter v0.18.0 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect 
@@ -126,18 +125,21 @@ require ( github.com/quasilyte/gogrep v0.5.0 // indirect github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect + github.com/raeperd/recvcheck v0.1.2 // indirect + github.com/rivo/uniseg v0.4.7 // indirect + github.com/rogpeppe/go-internal v1.13.1 // indirect github.com/ryancurrah/gomodguard v1.3.5 // indirect github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect github.com/sashamelentyev/interfacebloat v1.1.0 // indirect github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect - github.com/securego/gosec/v2 v2.21.2 // indirect + github.com/securego/gosec/v2 v2.21.4 // indirect github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sivchari/containedctx v1.0.3 // indirect - github.com/sivchari/tenv v1.10.0 // indirect - github.com/sonatard/noctx v0.0.2 // indirect + github.com/sivchari/tenv v1.12.1 // indirect + github.com/sonatard/noctx v0.1.0 // indirect github.com/sourcegraph/go-diff v0.7.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.5.0 // indirect 
@@ -151,32 +153,33 @@ require ( github.com/stretchr/testify v1.9.0 // indirect github.com/subosito/gotenv v1.4.1 // indirect github.com/tdakkota/asciicheck v0.2.0 // indirect - github.com/tetafro/godot v1.4.17 // indirect + github.com/tetafro/godot v1.4.18 // indirect github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect - github.com/timonwong/loggercheck v0.9.4 // indirect + github.com/timonwong/loggercheck v0.10.1 // indirect github.com/tomarrell/wrapcheck/v2 v2.9.0 // indirect github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect github.com/ultraware/funlen v0.1.0 // indirect github.com/ultraware/whitespace v0.1.1 // indirect github.com/uudashr/gocognit v1.1.3 // indirect + github.com/uudashr/iface v1.2.0 // indirect github.com/xen0n/gosmopolitan v1.2.2 // indirect github.com/yagipy/maintidx v1.0.0 // indirect github.com/yeya24/promlinter v0.3.0 // indirect github.com/ykadowak/zerologlint v0.1.5 // indirect gitlab.com/bosi/decorder v0.4.2 // indirect - go-simpler.org/musttag v0.12.2 // indirect + go-simpler.org/musttag v0.13.0 // indirect go-simpler.org/sloglint v0.7.2 // indirect go.uber.org/atomic v1.7.0 // indirect - go.uber.org/automaxprocs v1.5.3 // indirect + go.uber.org/automaxprocs v1.6.0 // indirect go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect - golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect - golang.org/x/mod v0.21.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.25.0 // indirect + golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect + golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 // indirect + golang.org/x/mod v0.22.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/sys v0.27.0 // indirect golang.org/x/text v0.18.0 // indirect - golang.org/x/tools v0.24.0 // indirect + golang.org/x/tools v0.27.0 // indirect google.golang.org/protobuf 
v1.34.2 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index de6bd9d31a7..c8205a75d73 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -37,14 +37,14 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8= github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0= -github.com/Abirdcfly/dupword v0.1.1 h1:Bsxe0fIw6OwBtXMIncaTxCLHYO5BB+3mcsR5E8VXloY= -github.com/Abirdcfly/dupword v0.1.1/go.mod h1:B49AcJdTYYkpd4HjgAcutNGG9HZ2JWwKunH9Y2BA6sM= -github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM= -github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns= -github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ= -github.com/Antonboom/nilnil v0.1.9/go.mod h1:iGe2rYwCq5/Me1khrysB4nwI7swQvjclR8/YRPl5ihQ= -github.com/Antonboom/testifylint v1.4.3 h1:ohMt6AHuHgttaQ1xb6SSnxCeK4/rnK7KKzbvs7DmEck= -github.com/Antonboom/testifylint v1.4.3/go.mod h1:+8Q9+AOLsz5ZiQiiYujJKs9mNz398+M6UgslP4qgJLA= +github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE= +github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw= +github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA= +github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI= +github.com/Antonboom/nilnil v1.0.0 h1:n+v+B12dsE5tbAqRODXmEKfZv9j2KcTBrp+LkoM4HZk= +github.com/Antonboom/nilnil v1.0.0/go.mod h1:fDJ1FSFoLN6yoG65ANb1WihItf6qt9PJVTn/s2IrcII= +github.com/Antonboom/testifylint v1.5.0 h1:dlUIsDMtCrZWUnvkaCz3quJCoIjaGi41GzjPBGkkJ8A= +github.com/Antonboom/testifylint v1.5.0/go.mod h1:wqaJbu0Blb5Wag2wv7Z5xt+CIV+eVLxtGZrlK13z3AE= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c 
h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= @@ -61,8 +61,8 @@ github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJP github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ= github.com/alecthomas/assert/v2 v2.2.2 h1:Z/iVC0xZfWTaFNE6bA3z07T86hd45Xe2eLt6WVy2bbk= github.com/alecthomas/assert/v2 v2.2.2/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ= -github.com/alecthomas/go-check-sumtype v0.1.4 h1:WCvlB3l5Vq5dZQTFmodqL2g68uHiSwwlWcT5a2FGK0c= -github.com/alecthomas/go-check-sumtype v0.1.4/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ= +github.com/alecthomas/go-check-sumtype v0.2.0 h1:Bo+e4DFf3rs7ME9w/0SU/g6nmzJaphduP8Cjiz0gbwY= +github.com/alecthomas/go-check-sumtype v0.2.0/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ= github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk= github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -70,8 +70,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alexkohler/nakedret/v2 v2.0.4 h1:yZuKmjqGi0pSmjGpOC016LtPJysIL0WEUiaXW5SUnNg= -github.com/alexkohler/nakedret/v2 v2.0.4/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU= +github.com/alexkohler/nakedret/v2 v2.0.5 h1:fP5qLgtwbx9EJE8dGEERT02YwS8En4r9nnZ71RK+EVU= +github.com/alexkohler/nakedret/v2 v2.0.5/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU= github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw= github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE= github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw= 
@@ -86,16 +86,16 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJY= -github.com/bkielbasa/cyclop v1.2.1/go.mod h1:K/dT/M0FPAiYjBgQGau7tz+3TMh4FWAEqlMhzFWCrgM= +github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5w= +github.com/bkielbasa/cyclop v1.2.3/go.mod h1:kHTwA9Q0uZqOADdupvcFJQtp/ksSnytRMe8ztxG8Fuo= github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M= github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k= github.com/bombsimon/wsl/v4 v4.4.1 h1:jfUaCkN+aUpobrMO24zwyAMwMAV5eSziCkOKEauOLdw= github.com/bombsimon/wsl/v4 v4.4.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo= -github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY= -github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ= -github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA= -github.com/breml/errchkjson v0.3.6/go.mod h1:jhSDoFheAF2RSDOlCfhHO9KqhZgAYLyvHe7bRCX8f/U= +github.com/breml/bidichk v0.3.2 h1:xV4flJ9V5xWTqxL+/PMFF6dtJPvZLPsyixAoPe8BGJs= +github.com/breml/bidichk v0.3.2/go.mod h1:VzFLBxuYtT23z5+iVkamXO386OB+/sVwZOpIj6zXGos= +github.com/breml/errchkjson v0.4.0 h1:gftf6uWZMtIa/Is3XJgibewBm2ksAQSY/kABDNFTAdk= +github.com/breml/errchkjson v0.4.0/go.mod h1:AuBOSTHyLSaaAFlWsRSuRBIroCh3eh7ZHh5YeelDIk8= github.com/butuzov/ireturn v0.3.0 h1:hTjMqWw3y5JC3kpnC5vXmFJAWI/m31jaCYQqzkS6PL0= github.com/butuzov/ireturn v0.3.0/go.mod h1:A09nIiwiqzN/IoVo9ogpa0Hzi9fex1kd9PSD6edP5ZA= github.com/butuzov/mirror v1.2.0 h1:9YVK1qIjNspaqWutSv8gsge2e/Xpq1eqEkslEUHy5cs= 
@@ -115,8 +115,8 @@ github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+U github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/ckaznocha/intrange v0.2.0 h1:FykcZuJ8BD7oX93YbO1UY9oZtkRbp+1/kJcDjkefYLs= -github.com/ckaznocha/intrange v0.2.0/go.mod h1:r5I7nUlAAG56xmkOpw4XVr16BXhwYTUdcuRFeevn1oE= +github.com/ckaznocha/intrange v0.2.1 h1:M07spnNEQoALOJhwrImSrJLaxwuiQK+hA2DeajBlwYk= +github.com/ckaznocha/intrange v0.2.1/go.mod h1:7NEhVyf8fzZO5Ds7CRaqPEm52Ut83hsTiL5zbER/HYk= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -135,8 +135,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q= github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A= -github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= -github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA= 
@@ -147,10 +147,10 @@ github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwV github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo= github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA= -github.com/ghostiam/protogetter v0.3.6 h1:R7qEWaSgFCsy20yYHNIJsU9ZOb8TziSRRxuAOTVKeOk= -github.com/ghostiam/protogetter v0.3.6/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw= -github.com/go-critic/go-critic v0.11.4 h1:O7kGOCx0NDIni4czrkRIXTnit0mkyKOCePh3My6OyEU= -github.com/go-critic/go-critic v0.11.4/go.mod h1:2QAdo4iuLik5S9YG0rT4wcZ8QxwHYkrr6/2MWAiv/vc= +github.com/ghostiam/protogetter v0.3.8 h1:LYcXbYvybUyTIxN2Mj9h6rHrDZBDwZloPoKctWrFyJY= +github.com/ghostiam/protogetter v0.3.8/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA= +github.com/go-critic/go-critic v0.11.5 h1:TkDTOn5v7EEngMxu8KbuFqFR43USaaH8XRJLz1jhVYA= +github.com/go-critic/go-critic v0.11.5/go.mod h1:wu6U7ny9PiaHaZHcvMDmdysMqvDem162Rh3zWTrqk8M= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -186,8 +186,8 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ= github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus= github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig= -github.com/go-viper/mapstructure/v2 v2.1.0 h1:gHnMa2Y/pIxElCH2GlZZ1lZSsn6XMtufpGyP1XxdC/w= -github.com/go-viper/mapstructure/v2 v2.1.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss= +github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U= github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= 
@@ -226,10 +226,12 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM= github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk= +github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU= +github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE= -github.com/golangci/golangci-lint v1.61.0 h1:VvbOLaRVWmyxCnUIMTbf1kDsaJbTzH20FAMXTAlQGu8= -github.com/golangci/golangci-lint v1.61.0/go.mod h1:e4lztIrJJgLPhWvFPDkhiMwEFRrWlmFbrZea3FsJyN8= +github.com/golangci/golangci-lint v1.62.0 h1:/G0g+bi1BhmGJqLdNQkKBWjcim8HjOPc4tsKuHDOhcI= +github.com/golangci/golangci-lint v1.62.0/go.mod h1:jtoOhQcKTz8B6dGNFyfQV3WZkQk+YvBDewDtNpiAJts= github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs= github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -301,8 +303,6 @@ github.com/jgautheron/goconst v1.7.1 h1:VpdAG7Ca7yvvJk5n8dMwQhfEZJh95kl/Hl9S1OI5 github.com/jgautheron/goconst v1.7.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs= github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= -github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9BjwUk7KlCh6S9EAGWBt1oExIUv9WyNCiRz5amv48= -github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0= github.com/jjti/go-spancheck v0.6.2 h1:iYtoxqPMzHUPp7St+5yA8+cONdyXD3ug6KK15n7Pklk= github.com/jjti/go-spancheck v0.6.2/go.mod h1:+X7lvIrR5ZdUTkxFYqzJ0abr8Sb5LOo80uOhWNqIrYA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= @@ -318,8 +318,8 @@ github.com/julz/importas v0.1.0 h1:F78HnrsjY3cR7j0etXy5+TU1Zuy7Xt08X/1aJnH5xXY= github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0= github.com/karamaru-alpha/copyloopvar v1.1.0 h1:x7gNyKcC2vRBO1H2Mks5u1VxQtYvFiym7fCjIP8RPos= github.com/karamaru-alpha/copyloopvar v1.1.0/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k= -github.com/kisielk/errcheck v1.7.0 h1:+SbscKmWJ5mOK/bO1zS60F5I9WwZDWOfRsC4RwfwRV0= -github.com/kisielk/errcheck v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ= +github.com/kisielk/errcheck v1.8.0 h1:ZX/URYa7ilESY19ik/vBmCn6zdGQLxACwjAcWbHlYlg= +github.com/kisielk/errcheck v1.8.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kkHAIKE/contextcheck v1.1.5 h1:CdnJh63tcDe53vG+RebdpdXJTc9atMgGqdx8LXxiilg= github.com/kkHAIKE/contextcheck v1.1.5/go.mod h1:O930cpht4xb1YQpK+1+AgoM3mFsvxr7uyFptcnWTYUA= 
@@ -339,16 +339,14 @@ github.com/kunwardeep/paralleltest v1.0.10 h1:wrodoaKYzS2mdNVnc4/w31YaXFtsc21PCT github.com/kunwardeep/paralleltest v1.0.10/go.mod h1:2C7s65hONVqY7Q5Efj5aLzRCNLjw2h4eMc9EcypGjcY= github.com/kyoh86/exportloopref v0.1.11 h1:1Z0bcmTypkL3Q4k+IDHMWTcnCliEZcaPiIe0/ymEyhQ= github.com/kyoh86/exportloopref v0.1.11/go.mod h1:qkV4UF1zGl6EkF1ox8L5t9SwyeBAZ3qLMd6up458uqA= -github.com/lasiar/canonicalheader v1.1.1 h1:wC+dY9ZfiqiPwAexUApFush/csSPXeIi4QqyxXmng8I= -github.com/lasiar/canonicalheader v1.1.1/go.mod h1:cXkb3Dlk6XXy+8MVQnF23CYKWlyA7kfQhSw2CcZtZb0= +github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4= +github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI= github.com/ldez/gomoddirectives v0.2.4 h1:j3YjBIjEBbqZ0NKtBNzr8rtMHTOrLPeiwTkfUJZ3alg= github.com/ldez/gomoddirectives v0.2.4/go.mod h1:oWu9i62VcQDYp9EQ0ONTfqLNh+mDLWWDO+SO0qSQw5g= github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo= github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4= github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY= github.com/leonklingele/grouper v1.1.2/go.mod h1:6D0M/HVkhs2yRKRFZUoGjeDy7EZTfFBE9gl4kjmIGkA= -github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCEtOM= -github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM= github.com/macabu/inamedparam v0.1.3 h1:2tk/phHkMlEL/1GNe/Yf6kkR/hkcUdAEY3L0hjYV1Mk= github.com/macabu/inamedparam v0.1.3/go.mod h1:93FLICAIk/quk7eaPPQvbzihUdn/QkGDwIZEoLtpH6I= github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= 
@@ -366,12 +364,13 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mgechev/revive v1.3.9 h1:18Y3R4a2USSBF+QZKFQwVkBROUda7uoBlkEuBD+YD1A= -github.com/mgechev/revive v1.3.9/go.mod h1:+uxEIr5UH0TjXWHTno3xh4u7eg6jDpXKzQccA9UGhHU= +github.com/mgechev/revive v1.5.0 h1:oaSmjA7rP8+HyoRuCgC531VHwnLH1AlJdjj+1AnQceQ= +github.com/mgechev/revive v1.5.0/go.mod h1:L6T3H8EoerRO86c7WuGpvohIUmiploGiyoYbtIWFmV8= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 
@@ -391,8 +390,8 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c= -github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbnVSxfHJk= -github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ= +github.com/nunnatsa/ginkgolinter v0.18.0 h1:ZXO1wKhPg3A6LpbN5dMuqwhfOjN5c3ous8YdKOuqk9k= +github.com/nunnatsa/ginkgolinter v0.18.0/go.mod h1:vPrWafSULmjMGCMsfGA908if95VnHQNAahvSBOjTuWs= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= 
@@ -452,9 +451,14 @@ github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 h1:TCg2WBOl github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4lu7Gd+PU1fV2/qnDNfzT635KRSObncs= github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ= +github.com/raeperd/recvcheck v0.1.2 h1:SjdquRsRXJc26eSonWIo8b7IMtKD3OAT2Lb5G3ZX1+4= +github.com/raeperd/recvcheck v0.1.2/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= +github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryancurrah/gomodguard v1.3.5 h1:cShyguSwUEeC0jS7ylOiG/idnd1TpJ1LfHGpV3oJmPU= github.com/ryancurrah/gomodguard v1.3.5/go.mod h1:MXlEPQRxgfPQa62O8wzK3Ozbkv9Rkqr+wKjSxTdsNJE= 
@@ -468,8 +472,8 @@ github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tM github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ= github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI= github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= -github.com/securego/gosec/v2 v2.21.2 h1:deZp5zmYf3TWwU7A7cR2+SolbTpZ3HQiwFqnzQyEl3M= -github.com/securego/gosec/v2 v2.21.2/go.mod h1:au33kg78rNseF5PwPnTWhuYBFf534bvJRvOrgZ/bFzU= +github.com/securego/gosec/v2 v2.21.4 h1:Le8MSj0PDmOnHJgUATjD96PaXRvCpKC+DGJvwyy0Mlk= +github.com/securego/gosec/v2 v2.21.4/go.mod h1:Jtb/MwRQfRxCXyCm1rfM1BEiiiTfUOdyzzAhlr6lUTA= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= 
@@ -481,10 +485,10 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE= github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4= -github.com/sivchari/tenv v1.10.0 h1:g/hzMA+dBCKqGXgW8AV/1xIWhAvDrx0zFKNR48NFMg0= -github.com/sivchari/tenv v1.10.0/go.mod h1:tdY24masnVoZFxYrHv/nD6Tc8FbkEtAQEEziXpyMgqY= -github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00= -github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo= +github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY= +github.com/sivchari/tenv v1.12.1/go.mod h1:1LjSOUCc25snIr5n3DtGGrENhX3LuWefcplwVGC24mw= +github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM= +github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c= github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0= github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= 
@@ -527,12 +531,12 @@ github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag= github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY= -github.com/tetafro/godot v1.4.17 h1:pGzu+Ye7ZUEFx7LHU0dAKmCOXWsPjl7qA6iMGndsjPs= -github.com/tetafro/godot v1.4.17/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio= +github.com/tetafro/godot v1.4.18 h1:ouX3XGiziKDypbpXqShBfnNLTSjR8r3/HVzrtJ+bHlI= +github.com/tetafro/godot v1.4.18/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio= github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+nhpFa4gg4yJyTRJ13reZMDHrKwYw53M= github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ= -github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4= -github.com/timonwong/loggercheck v0.9.4/go.mod h1:caz4zlPcgvpEkXgVnAJGowHAMW2NwHaNlpS8xDbVhTg= +github.com/timonwong/loggercheck v0.10.1 h1:uVZYClxQFpw55eh+PIoqM7uAOHMrhVcDoWDery9R8Lg= +github.com/timonwong/loggercheck v0.10.1/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8= github.com/tomarrell/wrapcheck/v2 v2.9.0 h1:801U2YCAjLhdN8zhZ/7tdjB3EnAoRlJHt/s+9hijLQ4= github.com/tomarrell/wrapcheck/v2 v2.9.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo= github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw= 
@@ -543,6 +547,8 @@ github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/ github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8= github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM= github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U= +github.com/uudashr/iface v1.2.0 h1:ECJjh5q/1Zmnv/2yFpWV6H3oMg5+Mo+vL0aqw9Gjazo= +github.com/uudashr/iface v1.2.0/go.mod h1:Ux/7d/rAF3owK4m53cTVXL4YoVHKNqnoOeQHn2xrlp0= github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU= github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg= github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM= @@ -562,8 +568,8 @@ gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo= gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8= go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ= go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28= -go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs= -go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM= +go-simpler.org/musttag v0.13.0 h1:Q/YAW0AHvaoaIbsPj3bvEI5/QFP7w696IMUpnKXQfCE= +go-simpler.org/musttag v0.13.0/go.mod h1:FTzIGeK6OkKlUDVpj0iQUXZLUO1Js9+mvykDQy9C5yM= go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY= go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= 
@@ -573,8 +579,8 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= -go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= +go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= +go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= 
@@ -599,12 +605,12 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= -golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= +golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= -golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8= -golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= +golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 h1:bVwtbF629Xlyxk6xLQq2TDYmqP0uiWaet5LwRebuY0k= +golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -633,8 +639,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= -golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -673,8 +679,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -694,8 +700,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -749,8 +755,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -789,7 +795,6 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20190910044552-dd2b5c81c578/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -832,8 +837,8 @@ golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= +golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 13b74875b338cfa5447ecf768767dc6ef6addf11 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 20:57:26 -0800 Subject: [PATCH 391/523] build(deps): bump the golang-org group across 2 directories with 2 updates (#4694) Bumps the golang-org group with 2 updates in the / directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Bumps the golang-org group with 2 updates in the /examples/extension-server directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/sys` from 0.26.0 to 0.27.0 - [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0) Updates `golang.org/x/net` from 0.30.0 to 0.31.0 - [Commits](https://github.com/golang/net/compare/v0.30.0...v0.31.0) Updates `golang.org/x/sys` from 0.26.0 to 0.27.0 - [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0) Updates `golang.org/x/net` from 0.30.0 to 0.31.0 - [Commits](https://github.com/golang/net/compare/v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/sys dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 4 files changed, 27 insertions(+), 27 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod
index d08fe02ac24..a28c5b211ed 100644
--- a/examples/extension-server/go.mod
+++ b/examples/extension-server/go.mod
@@ -31,9 +31,9 @@ require (
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
- golang.org/x/net v0.30.0 // indirect
- golang.org/x/sys v0.26.0 // indirect
- golang.org/x/text v0.19.0 // indirect
+ golang.org/x/net v0.31.0 // indirect
+ golang.org/x/sys v0.27.0 // indirect
+ golang.org/x/text v0.20.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum
index e3e50a30b90..2ac0aecd2b4 100644
--- a/examples/extension-server/go.sum
+++ b/examples/extension-server/go.sum
@@ -83,20 +83,20 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= -golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod 
h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/go.mod b/go.mod index b5c05d514b0..caa50aed2e7 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/sys v0.26.0 + golang.org/x/sys v0.27.0 google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 @@ -208,7 +208,7 @@ require ( go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - golang.org/x/crypto v0.28.0 // indirect + golang.org/x/crypto v0.29.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect 
@@ -277,11 +277,11 @@ require ( go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.30.0 + golang.org/x/net v0.31.0 golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.25.0 // indirect - golang.org/x/text v0.19.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/term v0.26.0 // indirect + golang.org/x/text v0.20.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 26902bde34a..5263e6a6446 100644 --- a/go.sum +++ b/go.sum @@ -944,8 +944,8 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= -golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -982,8 +982,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= -golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -996,8 +996,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1035,17 +1035,17 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= -golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time 
v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 36d0193e721894cb46bffdbcde775c2d97277720 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 07:20:36 -0700 Subject: [PATCH 392/523] build(deps): bump github.com/google/cel-go from 0.21.0 to 0.22.0 (#4695) Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.21.0 to 0.22.0. - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.21.0...v0.22.0) --- updated-dependencies: - dependency-name: github.com/google/cel-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 4 ++-- go.sum | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index a28c5b211ed..13edb3f3877 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -14,7 +14,7 @@ require ( ) require ( - cel.dev/expr v0.16.1 // indirect + cel.dev/expr v0.18.0 // indirect github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 2ac0aecd2b4..c572782b694 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -1,5 +1,5 @@ -cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= -cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= +cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= diff --git a/go.mod b/go.mod index caa50aed2e7..74bb7f24aca 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/go-logr/zapr v1.3.0 github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 - github.com/google/cel-go v0.21.0 + github.com/google/cel-go v0.22.0 github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 @@ -70,7 +70,7 @@ require ( ) require ( - cel.dev/expr v0.16.1 // indirect + cel.dev/expr v0.18.0 // indirect dario.cat/mergo v1.0.1 // indirect filippo.io/edwards25519 v1.1.0 // indirect fortio.org/cli v1.9.2 // indirect diff --git a/go.sum b/go.sum index 5263e6a6446..449ba4b60db 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= -cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= +cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= 
@@ -386,8 +386,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= -github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= +github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= +github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= From 639a441e05a1aca94b6064d9d838a09be375bd8a Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 14 Nov 2024 09:51:07 +0800 Subject: [PATCH 393/523] docs: fix api doc (#4711) * docs: fix api doc Signed-off-by: zirain * v1.2 Signed-off-by: zirain --------- Signed-off-by: zirain --- site/content/en/docs/api/extension_types.md | 200 ++++++++++++++++++ site/content/en/latest/api/extension_types.md | 200 ++++++++++++++++++ site/content/en/v1.2/api/extension_types.md | 200 ++++++++++++++++++ site/content/zh/latest/api/extension_types.md | 200 ++++++++++++++++++ tools/make/docs.mk | 2 +- 5 files changed, 801 insertions(+), 1 deletion(-) diff --git a/site/content/en/docs/api/extension_types.md b/site/content/en/docs/api/extension_types.md index 6855d7a0ded..a519fc34ea7 100644 --- a/site/content/en/docs/api/extension_types.md +++ b/site/content/en/docs/api/extension_types.md 
@@ -300,6 +300,19 @@ _Appears in:_ +#### BackendConnection + + + +BackendConnection allows users to configure connection-level settings of backend + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -507,6 +520,23 @@ _Appears in:_ | `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +#### CircuitBreaker + + + +CircuitBreaker defines the Circuit Breaker configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -877,6 +907,20 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1790,6 +1834,23 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +#### HTTP2Settings + + + +HTTP2Settings provides HTTP/2 configuration for listeners and backends. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2033,6 +2094,21 @@ _Appears in:_ | `name` | _string_ | true | Name of the header to hash. | +#### HeaderMatch + + + +HeaderMatch defines the match attributes within the HTTP Headers of the request. + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | Name of the HTTP header. | +| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2071,6 +2147,21 @@ _Appears in:_ | `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +#### HealthCheck + + + +HealthCheck configuration to decide which endpoints +are healthy and can be used for routing. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2566,6 +2657,21 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +#### LoadBalancer + + + +LoadBalancer defines the load balancer policy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2617,6 +2723,19 @@ _Appears in:_ | `error` | LogLevelError defines the "Error" logging level.
| +#### MergeType + +_Underlying type:_ _string_ + +MergeType defines the type of merge operation + +_Appears in:_ +- [KubernetesPatchSpec](#kubernetespatchspec) + +| Value | Description | +| ----- | ----------- | +| `StrategicMerge` | StrategicMerge indicates a strategic merge patch type
| +| `JSONMerge` | JSONMerge indicates a JSON merge patch type
| #### MetricSinkType @@ -3103,6 +3222,20 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +#### ProxyProtocol + + + +ProxyProtocol defines the configuration related to the proxy protocol +when communicating with the backend. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3340,6 +3473,15 @@ _Appears in:_ | `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +#### RateLimitTracingProviderType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [RateLimitTracingProvider](#ratelimittracingprovider) + #### RateLimitType @@ -3493,6 +3635,21 @@ _Appears in:_ | `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| +#### Retry + + + +Retry defines the retry strategy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3670,6 +3827,19 @@ _Appears in:_ | `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +#### SourceMatch + + + + + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | +| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -3828,6 +3998,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +#### TCPKeepalive + + + +TCPKeepalive define the TCP Keepalive configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3904,6 +4090,20 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +#### Timeout + + + +Timeout defines configuration for timeouts related to connections. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 6855d7a0ded..a519fc34ea7 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -300,6 +300,19 @@ _Appears in:_ +#### BackendConnection + + + +BackendConnection allows users to configure connection-level settings of backend + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -507,6 +520,23 @@ _Appears in:_ | `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +#### CircuitBreaker + + + +CircuitBreaker defines the Circuit Breaker configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -877,6 +907,20 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1790,6 +1834,23 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +#### HTTP2Settings + + + +HTTP2Settings provides HTTP/2 configuration for listeners and backends. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2033,6 +2094,21 @@ _Appears in:_ | `name` | _string_ | true | Name of the header to hash. | +#### HeaderMatch + + + +HeaderMatch defines the match attributes within the HTTP Headers of the request. + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | Name of the HTTP header. | +| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2071,6 +2147,21 @@ _Appears in:_ | `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +#### HealthCheck + + + +HealthCheck configuration to decide which endpoints +are healthy and can be used for routing. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2566,6 +2657,21 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +#### LoadBalancer + + + +LoadBalancer defines the load balancer policy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2617,6 +2723,19 @@ _Appears in:_ | `error` | LogLevelError defines the "Error" logging level.
| +#### MergeType + +_Underlying type:_ _string_ + +MergeType defines the type of merge operation + +_Appears in:_ +- [KubernetesPatchSpec](#kubernetespatchspec) + +| Value | Description | +| ----- | ----------- | +| `StrategicMerge` | StrategicMerge indicates a strategic merge patch type
| +| `JSONMerge` | JSONMerge indicates a JSON merge patch type
| #### MetricSinkType @@ -3103,6 +3222,20 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +#### ProxyProtocol + + + +ProxyProtocol defines the configuration related to the proxy protocol +when communicating with the backend. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3340,6 +3473,15 @@ _Appears in:_ | `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +#### RateLimitTracingProviderType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [RateLimitTracingProvider](#ratelimittracingprovider) + #### RateLimitType @@ -3493,6 +3635,21 @@ _Appears in:_ | `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| +#### Retry + + + +Retry defines the retry strategy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3670,6 +3827,19 @@ _Appears in:_ | `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +#### SourceMatch + + + + + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | +| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -3828,6 +3998,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +#### TCPKeepalive + + + +TCPKeepalive define the TCP Keepalive configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3904,6 +4090,20 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +#### Timeout + + + +Timeout defines configuration for timeouts related to connections. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider diff --git a/site/content/en/v1.2/api/extension_types.md b/site/content/en/v1.2/api/extension_types.md index 6855d7a0ded..a519fc34ea7 100644 --- a/site/content/en/v1.2/api/extension_types.md +++ b/site/content/en/v1.2/api/extension_types.md @@ -300,6 +300,19 @@ _Appears in:_ +#### BackendConnection + + + +BackendConnection allows users to configure connection-level settings of backend + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -507,6 +520,23 @@ _Appears in:_ | `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +#### CircuitBreaker + + + +CircuitBreaker defines the Circuit Breaker configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -877,6 +907,20 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1790,6 +1834,23 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +#### HTTP2Settings + + + +HTTP2Settings provides HTTP/2 configuration for listeners and backends. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2033,6 +2094,21 @@ _Appears in:_ | `name` | _string_ | true | Name of the header to hash. | +#### HeaderMatch + + + +HeaderMatch defines the match attributes within the HTTP Headers of the request. + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | Name of the HTTP header. | +| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2071,6 +2147,21 @@ _Appears in:_ | `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +#### HealthCheck + + + +HealthCheck configuration to decide which endpoints +are healthy and can be used for routing. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2566,6 +2657,21 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +#### LoadBalancer + + + +LoadBalancer defines the load balancer policy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2617,6 +2723,19 @@ _Appears in:_ | `error` | LogLevelError defines the "Error" logging level.
| +#### MergeType + +_Underlying type:_ _string_ + +MergeType defines the type of merge operation + +_Appears in:_ +- [KubernetesPatchSpec](#kubernetespatchspec) + +| Value | Description | +| ----- | ----------- | +| `StrategicMerge` | StrategicMerge indicates a strategic merge patch type
| +| `JSONMerge` | JSONMerge indicates a JSON merge patch type
| #### MetricSinkType @@ -3103,6 +3222,20 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +#### ProxyProtocol + + + +ProxyProtocol defines the configuration related to the proxy protocol +when communicating with the backend. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3340,6 +3473,15 @@ _Appears in:_ | `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +#### RateLimitTracingProviderType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [RateLimitTracingProvider](#ratelimittracingprovider) + #### RateLimitType @@ -3493,6 +3635,21 @@ _Appears in:_ | `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| +#### Retry + + + +Retry defines the retry strategy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3670,6 +3827,19 @@ _Appears in:_ | `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +#### SourceMatch + + + + + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | +| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -3828,6 +3998,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +#### TCPKeepalive + + + +TCPKeepalive define the TCP Keepalive configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3904,6 +4090,20 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +#### Timeout + + + +Timeout defines configuration for timeouts related to connections. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 6855d7a0ded..a519fc34ea7 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -300,6 +300,19 @@ _Appears in:_ +#### BackendConnection + + + +BackendConnection allows users to configure connection-level settings of backend + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `bufferLimit` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
If unspecified, an implementation defined default is applied (32768 bytes).
For example, 20Mi, 1Gi, 256Ki etc.
Note: that when the suffix is not provided, the value is interpreted as bytes. | #### BackendEndpoint @@ -507,6 +520,23 @@ _Appears in:_ | `allowCredentials` | _boolean_ | false | AllowCredentials indicates whether a request can include user credentials
like cookies, authentication headers, or TLS client certificates.
It specifies the value in the Access-Control-Allow-Credentials CORS response header. | +#### CircuitBreaker + + + +CircuitBreaker defines the Circuit Breaker configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxConnections` | _integer_ | false | The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule. | +| `maxPendingRequests` | _integer_ | false | The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule. | +| `maxParallelRequests` | _integer_ | false | The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxParallelRetries` | _integer_ | false | The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule. | +| `maxRequestsPerConnection` | _integer_ | false | The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
Default: unlimited. | #### ClaimToHeader @@ -877,6 +907,20 @@ _Appears in:_ | `RequestHeader` | CustomTagTypeRequestHeader adds value from request header to each span.
| +#### DNS + + + + + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `dnsRefreshRate` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | DNSRefreshRate specifies the rate at which DNS records should be refreshed.
Defaults to 30 seconds. | +| `respectDnsTtl` | _boolean_ | true | RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
Defaults to true. | #### EnvironmentCustomTag @@ -1790,6 +1834,23 @@ _Appears in:_ | `http10` | _[HTTP10Settings](#http10settings)_ | false | HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests. | +#### HTTP2Settings + + + +HTTP2Settings provides HTTP/2 configuration for listeners and backends. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `initialStreamWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024). | +| `initialConnectionWindowSize` | _[Quantity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#quantity-resource-api)_ | false | InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB. | +| `maxConcurrentStreams` | _integer_ | false | MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100. | +| `onInvalidMessage` | _[InvalidMessageAction](#invalidmessageaction)_ | false | OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection | #### HTTP3Settings @@ -2033,6 +2094,21 @@ _Appears in:_ | `name` | _string_ | true | Name of the header to hash. | +#### HeaderMatch + + + +HeaderMatch defines the match attributes within the HTTP Headers of the request. + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[HeaderMatchType](#headermatchtype)_ | false | Type specifies how to match against the value of the header. | +| `name` | _string_ | true | Name of the HTTP header. | +| `value` | _string_ | false | Value within the HTTP header. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | +| `invert` | _boolean_ | false | Invert specifies whether the value match result will be inverted.
Do not set this field when Type="Distinct", implying matching on any/all unique
values within the header. | #### HeaderMatchType @@ -2071,6 +2147,21 @@ _Appears in:_ | `earlyRequestHeaders` | _[HTTPHeaderFilter](#httpheaderfilter)_ | false | EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation. | +#### HealthCheck + + + +HealthCheck configuration to decide which endpoints +are healthy and can be used for routing. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `active` | _[ActiveHealthCheck](#activehealthcheck)_ | false | Active health check configuration | +| `passive` | _[PassiveHealthCheck](#passivehealthcheck)_ | false | Passive passive check configuration | #### HealthCheckSettings @@ -2566,6 +2657,21 @@ _Appears in:_ | `value` | _string_ | true | Value defines the hard-coded value to add to each span. | +#### LoadBalancer + + + +LoadBalancer defines the load balancer policy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[LoadBalancerType](#loadbalancertype)_ | true | Type decides the type of Load Balancer policy.
Valid LoadBalancerType values are
"ConsistentHash",
"LeastRequest",
"Random",
"RoundRobin". | +| `consistentHash` | _[ConsistentHash](#consistenthash)_ | false | ConsistentHash defines the configuration when the load balancer type is
set to ConsistentHash | +| `slowStart` | _[SlowStart](#slowstart)_ | false | SlowStart defines the configuration related to the slow start load balancer policy.
If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
Currently this is only supported for RoundRobin and LeastRequest load balancers | #### LoadBalancerType @@ -2617,6 +2723,19 @@ _Appears in:_ | `error` | LogLevelError defines the "Error" logging level.
| +#### MergeType + +_Underlying type:_ _string_ + +MergeType defines the type of merge operation + +_Appears in:_ +- [KubernetesPatchSpec](#kubernetespatchspec) + +| Value | Description | +| ----- | ----------- | +| `StrategicMerge` | StrategicMerge indicates a strategic merge patch type
| +| `JSONMerge` | JSONMerge indicates a JSON merge patch type
| #### MetricSinkType @@ -3103,6 +3222,20 @@ _Appears in:_ | `compression` | _[Compression](#compression)_ | false | Configure the compression on Prometheus endpoint. Compression is useful in situations when bandwidth is scarce and large payloads can be effectively compressed at the expense of higher CPU load. | +#### ProxyProtocol + + + +ProxyProtocol defines the configuration related to the proxy protocol +when communicating with the backend. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `version` | _[ProxyProtocolVersion](#proxyprotocolversion)_ | true | Version of ProxyProtol
Valid ProxyProtocolVersion values are
"V1"
"V2" | #### ProxyProtocolVersion @@ -3340,6 +3473,15 @@ _Appears in:_ | `url` | _string_ | true | URL is the endpoint of the trace collector that supports the OTLP protocol | +#### RateLimitTracingProviderType + +_Underlying type:_ _string_ + + + +_Appears in:_ +- [RateLimitTracingProvider](#ratelimittracingprovider) + #### RateLimitType @@ -3493,6 +3635,21 @@ _Appears in:_ | `ValueRef` | ResponseValueTypeValueRef defines the "ValueRef" response body type.
| +#### Retry + + + +Retry defines the retry strategy to be applied. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `numRetries` | _integer_ | false | NumRetries is the number of retries to be attempted. Defaults to 2. | +| `retryOn` | _[RetryOn](#retryon)_ | false | RetryOn specifies the retry trigger condition.

If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503). | +| `perRetry` | _[PerRetryPolicy](#perretrypolicy)_ | false | PerRetry is the retry policy to be applied per retry attempt. | #### RetryOn @@ -3670,6 +3827,19 @@ _Appears in:_ | `window` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#duration-v1-meta)_ | true | Window defines the duration of the warm up period for newly added host.
During slow start window, traffic sent to the newly added hosts will gradually increase.
Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig | +#### SourceMatch + + + + + +_Appears in:_ +- [RateLimitSelectCondition](#ratelimitselectcondition) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[SourceMatchType](#sourcematchtype)_ | false | | +| `value` | _string_ | true | Value is the IP CIDR that represents the range of Source IP Addresses of the client.
These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`. | #### SourceMatchType @@ -3828,6 +3998,22 @@ _Appears in:_ | `idleTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour. | +#### TCPKeepalive + + + +TCPKeepalive define the TCP Keepalive configuration. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClientTrafficPolicySpec](#clienttrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `probes` | _integer_ | false | The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9. | +| `idleTime` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration format is
Defaults to `7200s`. | +| `interval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The duration between keep-alive probes.
Defaults to `75s`. | #### TCPTimeout @@ -3904,6 +4090,20 @@ _Appears in:_ | `matchLabels` | _object (keys:string, values:string)_ | true | MatchLabels are the set of label selectors for identifying the targeted resource | +#### Timeout + + + +Timeout defines configuration for timeouts related to connections. + +_Appears in:_ +- [BackendTrafficPolicySpec](#backendtrafficpolicyspec) +- [ClusterSettings](#clustersettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `tcp` | _[TCPTimeout](#tcptimeout)_ | false | Timeout settings for TCP. | +| `http` | _[HTTPTimeout](#httptimeout)_ | false | Timeout settings for HTTP. | #### TracingProvider diff --git a/tools/make/docs.mk b/tools/make/docs.mk index 761fb183d75..d6fcfe8832c 100644 --- a/tools/make/docs.mk +++ b/tools/make/docs.mk @@ -89,7 +89,7 @@ docs-api-gen: $(tools/crd-ref-docs) --config=tools/crd-ref-docs/config.yaml \ --templates-dir=tools/crd-ref-docs/templates \ --output-path=site/content/en/latest/api/extension_types.md \ - --max-depth 10 \ + --max-depth 100 \ --renderer=markdown # below line copy command for sync English api doc into Chinese cp site/content/en/latest/api/extension_types.md site/content/zh/latest/api/extension_types.md From 798966742dc1cb214b2eef549ca5c918af9dcd2d Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 14 Nov 2024 23:02:55 +0800 Subject: [PATCH 394/523] chore: bump golang to 1.23.3 (#4716) 
Signed-off-by: zirain --- examples/envoy-als/Dockerfile | 2 +- examples/envoy-als/go.mod | 2 +- examples/extension-server/go.mod | 2 +- examples/grpc-ext-auth/Dockerfile | 2 +- examples/grpc-ext-auth/go.mod | 2 +- examples/grpc-ext-proc/Dockerfile | 2 +- examples/grpc-ext-proc/go.mod | 2 +- examples/preserve-case-backend/Dockerfile | 2 +- examples/preserve-case-backend/go.mod | 2 +- go.mod | 2 +- tools/make/examples.mk | 9 +++++++++ tools/make/golang.mk | 2 +- tools/src/buf/go.mod | 2 +- tools/src/crd-ref-docs/go.mod | 2 +- tools/src/gci/go.mod | 2 +- tools/src/golangci-lint/go.mod | 2 +- tools/src/helm-docs/go.mod | 2 +- tools/src/jb/go.mod | 2 +- tools/src/jsonnet/go.mod | 2 +- tools/src/kind/go.mod | 2 +- tools/src/protoc-gen-go-grpc/go.mod | 2 +- tools/src/protoc-gen-go/go.mod | 2 +- tools/src/setup-envtest/go.mod | 2 +- 23 files changed, 31 insertions(+), 22 deletions(-) diff --git a/examples/envoy-als/Dockerfile b/examples/envoy-als/Dockerfile index 0ad9437f993..835a8200716 100644 --- a/examples/envoy-als/Dockerfile +++ b/examples/envoy-als/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.1 AS builder +FROM golang:1.23.3 AS builder ARG GO_LDFLAGS="" diff --git a/examples/envoy-als/go.mod b/examples/envoy-als/go.mod index 610090483ad..df62679506a 100644 --- a/examples/envoy-als/go.mod +++ b/examples/envoy-als/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-envoy-als -go 1.23.1 +go 1.23.3 require ( github.com/envoyproxy/go-control-plane v0.13.1 diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 13edb3f3877..24e910c1ddf 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -1,6 +1,6 @@ module github.com/exampleorg/envoygateway-extension -go 1.23.1 +go 1.23.3 require ( github.com/envoyproxy/gateway v1.0.2 diff --git a/examples/grpc-ext-auth/Dockerfile b/examples/grpc-ext-auth/Dockerfile index 4f6ea6ff545..f90bb04d8cb 100644 --- a/examples/grpc-ext-auth/Dockerfile 
+++ b/examples/grpc-ext-auth/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.1 AS builder +FROM golang:1.23.3 AS builder ARG GO_LDFLAGS="" diff --git a/examples/grpc-ext-auth/go.mod b/examples/grpc-ext-auth/go.mod index 8e3fcb7e061..fe656cdc112 100644 --- a/examples/grpc-ext-auth/go.mod +++ b/examples/grpc-ext-auth/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-grcp-ext-auth -go 1.23.1 +go 1.23.3 require ( github.com/envoyproxy/go-control-plane v0.13.1 diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile index a07ab13f48b..cd0f7db820b 100644 --- a/examples/grpc-ext-proc/Dockerfile +++ b/examples/grpc-ext-proc/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.1 AS builder +FROM golang:1.23.3 AS builder ARG GO_LDFLAGS="" diff --git a/examples/grpc-ext-proc/go.mod b/examples/grpc-ext-proc/go.mod index bb18254c721..5c7b98ee08e 100644 --- a/examples/grpc-ext-proc/go.mod +++ b/examples/grpc-ext-proc/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-grpc-ext-proc -go 1.23.1 +go 1.23.3 require ( github.com/envoyproxy/go-control-plane v0.13.1 diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile index 4616d465cb6..46d71ff22b5 100644 --- a/examples/preserve-case-backend/Dockerfile +++ b/examples/preserve-case-backend/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.23.1 AS builder +FROM golang:1.23.3 AS builder ARG GO_LDFLAGS="" diff --git a/examples/preserve-case-backend/go.mod b/examples/preserve-case-backend/go.mod index 7a9712aa341..22c616a7ba3 100644 --- a/examples/preserve-case-backend/go.mod +++ b/examples/preserve-case-backend/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway-preserve-case-backend -go 1.23.1 +go 1.23.3 require github.com/valyala/fasthttp v1.51.0 diff --git a/go.mod b/go.mod index 74bb7f24aca..59d3ffde5fb 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway -go 1.23.1 +go 1.23.3 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 diff --git a/tools/make/examples.mk b/tools/make/examples.mk index 5caf9846e63..e0e01e190d6 100644 --- a/tools/make/examples.mk +++ b/tools/make/examples.mk @@ -17,4 +17,13 @@ kube-install-examples-image: kube-build-examples-image @$(LOG_TARGET) @for app in $(EXAMPLE_APPS); do \ tools/hack/kind-load-image.sh $(EXAMPLE_IMAGE_PREFIX)$$app $(EXAMPLE_TAG); \ + done + +.PHONY: go.mod.tidy.examples +go.mod.tidy.examples: + @$(LOG_TARGET) + @for app in $(EXAMPLE_APPS); do \ + pushd $(ROOT_DIR)/examples/$$app; \ + go mod tidy -compat=$(GO_VERSION); \ + popd; \ done \ No newline at end of file diff --git a/tools/make/golang.mk b/tools/make/golang.mk index 4c0d38bf83e..4f4dce00faa 100644 --- a/tools/make/golang.mk +++ b/tools/make/golang.mk @@ -84,7 +84,7 @@ go.mod.tidy: ## Update and check dependences with go mod tidy. .PHONY: go.mod.lint lint: go.mod.lint -go.mod.lint: go.mod.tidy ## Check if go.mod is clean +go.mod.lint: go.mod.tidy go.mod.tidy.examples ## Check if go.mod is clean @$(LOG_TARGET) @if test -n "$$(git status -s -- go.mod go.sum)"; then \ git diff --exit-code go.mod; \ diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index d8bea4a9f7c..b276538c15a 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -1,6 +1,6 @@ module local -go 1.23.1 +go 1.23.3 require github.com/bufbuild/buf v1.46.0 diff --git a/tools/src/crd-ref-docs/go.mod b/tools/src/crd-ref-docs/go.mod index 017b54837b8..5d5bcd374a3 100644 --- a/tools/src/crd-ref-docs/go.mod +++ b/tools/src/crd-ref-docs/go.mod @@ -1,6 +1,6 @@ module local -go 1.23.1 +go 1.23.3 require github.com/elastic/crd-ref-docs v0.1.0 diff --git a/tools/src/gci/go.mod b/tools/src/gci/go.mod index 382ffae2274..bf8d0ac7a5c 100644 --- a/tools/src/gci/go.mod +++ b/tools/src/gci/go.mod @@ -1,6 +1,6 @@ module local -go 1.23.1 +go 1.23.3 require github.com/daixiang0/gci v0.13.4 
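Review bot: The loop in the new `go.mod.tidy.examples` recipe (tools/make/examples.mk) joins `pushd`, `go mod tidy` and `popd` with `;`, so a failure of either of the first two neither stops the loop nor fails the target. After a failed `pushd`, the tidy would run in the current directory instead of the example module. `pushd`/`popd` are bash builtins, so the recipe also depends on `SHELL` being bash, which this hunk does not show. A subshell keeps the directory change local and propagates errors: `(cd $(ROOT_DIR)/examples/$$app && go mod tidy -compat=$(GO_VERSION)) || exit 1; \`.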
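Review bot: `go.mod.lint` in tools/make/golang.mk now depends on `go.mod.tidy.examples`, but the check that follows still looks only at the root files (`git status -s -- go.mod go.sum`). A tidy that rewrites an example module's `go.mod` or `go.sum` therefore passes lint unnoticed. If the example modules are meant to be gated too, the pathspec has to name them, e.g. `git status -s -- go.mod go.sum 'examples/*/go.mod' 'examples/*/go.sum'`. The rest of the recipe lies outside this hunk, so the `git diff --exit-code` line may need the same paths.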
diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index e88d8a1a325..d7d2cdce1f2 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod @@ -1,6 +1,6 @@ module local -go 1.23.1 +go 1.23.3 require github.com/golangci/golangci-lint v1.62.0 diff --git a/tools/src/helm-docs/go.mod b/tools/src/helm-docs/go.mod index 2f61f2bf33a..05180f8b0f0 100644 --- a/tools/src/helm-docs/go.mod +++ b/tools/src/helm-docs/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/helm-docs -go 1.23.1 +go 1.23.3 require github.com/norwoodj/helm-docs v1.14.2 diff --git a/tools/src/jb/go.mod b/tools/src/jb/go.mod index fb8807bab20..9915adc8bfd 100644 --- a/tools/src/jb/go.mod +++ b/tools/src/jb/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jb -go 1.23.1 +go 1.23.3 require github.com/jsonnet-bundler/jsonnet-bundler v0.5.1 diff --git a/tools/src/jsonnet/go.mod b/tools/src/jsonnet/go.mod index 2cf5cfd4c7b..aec5a71feeb 100644 --- a/tools/src/jsonnet/go.mod +++ b/tools/src/jsonnet/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/jsonnet -go 1.23.1 +go 1.23.3 require github.com/google/go-jsonnet v0.20.0 diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index 42dd6426e94..398e0d90a29 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/kind -go 1.23.1 +go 1.23.3 require sigs.k8s.io/kind v0.25.0 diff --git a/tools/src/protoc-gen-go-grpc/go.mod b/tools/src/protoc-gen-go-grpc/go.mod index 11e0bc567bd..1b6f5e9f0c6 100644 --- a/tools/src/protoc-gen-go-grpc/go.mod +++ b/tools/src/protoc-gen-go-grpc/go.mod @@ -1,6 +1,6 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go-grpc -go 1.23.1 +go 1.23.3 require google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 diff --git a/tools/src/protoc-gen-go/go.mod b/tools/src/protoc-gen-go/go.mod index 588c433426f..86ccc619362 100644 --- a/tools/src/protoc-gen-go/go.mod 
+++ b/tools/src/protoc-gen-go/go.mod @@ -1,5 +1,5 @@ module github.com/envoyproxy/gateway/tools/src/protoc-gen-go -go 1.23.1 +go 1.23.3 require google.golang.org/protobuf v1.33.0 diff --git a/tools/src/setup-envtest/go.mod b/tools/src/setup-envtest/go.mod index 33e82a774e7..53ea509481f 100644 --- a/tools/src/setup-envtest/go.mod +++ b/tools/src/setup-envtest/go.mod @@ -1,6 +1,6 @@ module local -go 1.23.1 +go 1.23.3 require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20240813183042-b901db121e1f From 1c29f66f851ae4bc76f5e270331b0059f56a9efe Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Thu, 14 Nov 2024 18:00:22 +0200 Subject: [PATCH 395/523] fix: recover from panics that occur during envoy gateway's reconciliation (#4643) * Added a panic recovery flow for HandleSubscription. Signed-off-by: Lior Okman * Panic recovery should not be a one-off occurrence Signed-off-by: Lior Okman * Added a metric for recovered panics Signed-off-by: Lior Okman * Verify that the correct number of calls were received by the HandleSubscription handler function, Signed-off-by: Lior Okman * Typo and align the metric name with other metrics in the same area. Signed-off-by: Lior Okman --------- Signed-off-by: Lior Okman --- internal/message/metrics.go | 5 ++++ internal/message/watchutil.go | 37 ++++++++++++++++++++++-------- internal/message/watchutil_test.go | 28 ++++++++++++++++++++++ 3 files changed, 61 insertions(+), 9 deletions(-) diff --git a/internal/message/metrics.go b/internal/message/metrics.go index 5f120124191..de744f47aa8 100644 --- a/internal/message/metrics.go +++ b/internal/message/metrics.go @@ -13,6 +13,11 @@ var ( "Current depth of watchable queue.", ) + panicCounter = metrics.NewCounter( + "watchable_panics_recovered_total", + "Total number of panics recovered while handling items in queue.", + ) + watchableSubscribeDurationSeconds = metrics.NewHistogram( "watchable_subscribe_duration_seconds", "How long in seconds a subscribed watchable queue is handled.", 
diff --git a/internal/message/watchutil.go b/internal/message/watchutil.go index f8391cbc47a..77caa4af3d9 100644 --- a/internal/message/watchutil.go +++ b/internal/message/watchutil.go @@ -6,6 +6,8 @@ package message import ( + "fmt" + "runtime/debug" "time" "github.com/telepresenceio/watchable" @@ -36,6 +38,28 @@ func (m Metadata) LabelValues() []metrics.LabelValue { return labels } +// handleWithCrashRecovery calls the provided handle function and gracefully recovers from any panics +// that might occur when the handle function is called. +func handleWithCrashRecovery[K comparable, V any]( + handle func(updateFunc Update[K, V], errChans chan error), + update Update[K, V], + meta Metadata, + errChans chan error, +) { + defer func() { + if r := recover(); r != nil { + logger.WithValues("runner", meta.Runner).Error(fmt.Errorf("%+v", r), "observed a panic", + "stackTrace", string(debug.Stack())) + watchableSubscribeTotal.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment() + panicCounter.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment() + } + }() + startHandleTime := time.Now() + handle(update, errChans) + watchableSubscribeTotal.WithSuccess(meta.LabelValues()...).Increment() + watchableSubscribeDurationSeconds.With(meta.LabelValues()...).Record(time.Since(startHandleTime).Seconds()) +} + // HandleSubscription takes a channel returned by // watchable.Map.Subscribe() (or .SubscribeSubset()), and calls the // given function for each initial value in the map, and for any 
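Review bot: The deferred recover in `handleWithCrashRecovery` logs and counts the panic but sends nothing on `errChans` and does not retry, so the update that panicked is dropped and, presumably, the runner keeps whatever state it produced before. For a control plane this means an input that reliably panics a handler can keep later configuration or policy changes for that key from being applied, with `watchable_panics_recovered_total` as the only signal. The doc comment should say this and the counter should be alerted on. Suggested addition: `// A recovered panic drops the update: it is not retried and no error is sent on errChans.` The failure path also skips `watchableSubscribeDurationSeconds`, and `fmt.Errorf("%+v", r)` flattens a panic value that is already an `error`.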
@@ -57,25 +81,20 @@ func HandleSubscription[K comparable, V any]( watchableSubscribeTotal.WithFailure(metrics.ReasonError, meta.LabelValues()...).Increment() } }() + defer close(errChans) if snapshot, ok := <-subscription; ok { for k, v := range snapshot.State { - startHandleTime := time.Now() - handle(Update[K, V]{ + handleWithCrashRecovery(handle, Update[K, V]{ Key: k, Value: v, - }, errChans) - watchableSubscribeTotal.WithSuccess(meta.LabelValues()...).Increment() - watchableSubscribeDurationSeconds.With(meta.LabelValues()...).Record(time.Since(startHandleTime).Seconds()) + }, meta, errChans) } } for snapshot := range subscription { watchableDepth.With(meta.LabelValues()...).Record(float64(len(subscription))) for _, update := range snapshot.Updates { - startHandleTime := time.Now() - handle(Update[K, V](update), errChans) - watchableSubscribeTotal.WithSuccess(meta.LabelValues()...).Increment() - watchableSubscribeDurationSeconds.With(meta.LabelValues()...).Record(time.Since(startHandleTime).Seconds()) + handleWithCrashRecovery(handle, Update[K, V](update), meta, errChans) } } } diff --git a/internal/message/watchutil_test.go b/internal/message/watchutil_test.go index 2c08821b211..6e6472d14f0 100644 --- a/internal/message/watchutil_test.go +++ b/internal/message/watchutil_test.go 
@@ -30,6 +30,34 @@ func TestHandleSubscriptionAlreadyClosed(t *testing.T) { assert.Equal(t, 0, calls) } +func TestPanicInSubscriptionHandler(t *testing.T) { + defer func() { + if r := recover(); r != nil { + assert.Fail(t, "recovered from an unexpected panic") + } + }() + var m watchable.Map[string, any] + m.Store("foo", "bar") + + go func() { + time.Sleep(100 * time.Millisecond) + m.Store("baz", "qux") + time.Sleep(100 * time.Millisecond) + m.Close() + }() + + numCalls := 0 + message.HandleSubscription[string, any]( + message.Metadata{Runner: "demo", Message: "demo"}, + m.Subscribe(context.Background()), + func(update message.Update[string, any], errChans chan error) { + numCalls++ + panic("oops " + update.Key) + }, + ) + assert.Equal(t, 2, numCalls) +} + func TestHandleSubscriptionAlreadyInitialized(t *testing.T) { var m watchable.Map[string, any] m.Store("foo", "bar") From c2b0ee38e84666f41486dfdaba092f4dfdd1e480 Mon Sep 17 00:00:00 2001 From: Steve Gargan Date: Thu, 14 Nov 2024 17:25:40 +0000 Subject: [PATCH 396/523] feat(translator): allow configuration of hostEnvKeys on WASM extensions (#4470) feat(translation): allow configuration of hostEnvKeys on WASM extensions exposes the hostEnvKeys configuration for WASM extensons through envoy extension policies. This enables access to env vars that are set on the host envoy processes and is a convenient way to share secret meterial with WASM extensions. 
Signed-off-by: Steve Gargan --- api/v1alpha1/wasm_types.go | 12 + api/v1alpha1/zz_generated.deepcopy.go | 25 ++ ....envoyproxy.io_envoyextensionpolicies.yaml | 11 + internal/gatewayapi/envoyextensionpolicy.go | 4 + ...extensionpolicy-with-wasm-env-vars.in.yaml | 123 +++++++ ...xtensionpolicy-with-wasm-env-vars.out.yaml | 342 ++++++++++++++++++ internal/ir/xds.go | 4 + internal/ir/zz_generated.deepcopy.go | 5 + .../translator/testdata/in/xds-ir/wasm.yaml | 3 + .../testdata/out/xds-ir/wasm.listeners.yaml | 4 + internal/xds/translator/wasm.go | 48 ++- site/content/en/latest/api/extension_types.md | 15 + .../en/v1.1/tasks/extensibility/wasm.md | 143 +++++++- site/content/zh/latest/api/extension_types.md | 15 + 14 files changed, 732 insertions(+), 22 deletions(-) create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml create mode 100644 internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml diff --git a/api/v1alpha1/wasm_types.go b/api/v1alpha1/wasm_types.go index 66c0e1fc84f..8913486d6f1 100644 --- a/api/v1alpha1/wasm_types.go +++ b/api/v1alpha1/wasm_types.go @@ -10,6 +10,14 @@ import ( gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" ) +// WasmEnv defines the environment variables for the VM of a Wasm extension +type WasmEnv struct { + // HostKeys is a list of keys for environment variables from the host envoy process + // that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. + // +optional + HostKeys []string `json:"hostKeys,omitempty"` +} + // Wasm defines a Wasm extension. // // Note: at the moment, Envoy Gateway does not support configuring Wasm runtime. 
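Review bot: `WasmEnv.HostKeys` lets whoever can write an EnvoyExtensionPolicy name any environment variable of the Envoy process, and the field carries no validation markers (no item limit, no minimum length or name pattern). The doc comment recommends the field for secrets but does not state the trust boundary: presumably every listed value becomes readable by the Wasm module the policy loads, so confirm this against who is allowed to create policies on shared gateways. Suggested comment line: `// Every listed variable becomes readable by the Wasm module; restrict who may create policies that set this field.` A marker such as `// +kubebuilder:validation:MaxItems=<limit>` would bound the list. The existing comment also has a doubled word (`to to Wasm extensions`).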
@@ -52,6 +60,10 @@ type Wasm struct { // Priority defines the location of the Wasm extension in the HTTP filter chain. // If not specified, the Wasm extension will be inserted before the router filter. // Priority *uint32 `json:"priority,omitempty"` + + // Env configures the environment for the Wasm extension + // +optional + Env *WasmEnv `json:"env,omitempty"` } // WasmCodeSource defines the source of the Wasm code. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 3368e73dd70..12f634586c6 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -5479,6 +5479,11 @@ func (in *Wasm) DeepCopyInto(out *Wasm) { *out = new(bool) **out = **in } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = new(WasmEnv) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm. @@ -5521,6 +5526,26 @@ func (in *WasmCodeSource) DeepCopy() *WasmCodeSource { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WasmEnv) DeepCopyInto(out *WasmEnv) { + *out = *in + if in.HostKeys != nil { + in, out := &in.HostKeys, &out.HostKeys + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WasmEnv. +func (in *WasmEnv) DeepCopy() *WasmEnv { + if in == nil { + return nil + } + out := new(WasmEnv) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *XDSTranslatorHooks) DeepCopyInto(out *XDSTranslatorHooks) { *out = *in diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index 6baa2842c0c..e6cb298d3a8 100644 
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml @@ -1232,6 +1232,17 @@ spec: Config is the configuration for the Wasm extension. This configuration will be passed as a JSON string to the Wasm extension. x-kubernetes-preserve-unknown-fields: true + env: + description: Env configures the environment for the Wasm extension + properties: + hostKeys: + description: |- + HostKeys is a list of keys for environment variables from the host envoy process + that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. + items: + type: string + type: array + type: object failOpen: default: false description: |- diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 9ba561f1b5d..64e0f9e9a2a 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -675,6 +675,10 @@ func (t *Translator) buildWasm( Code: code, } + if config.Env != nil && len(config.Env.HostKeys) > 0 { + wasmIR.HostKeys = config.Env.HostKeys + } + return wasmIR, nil } diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml new file mode 100644 index 00000000000..c4184d15476 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.in.yaml 
@@ -0,0 +1,123 @@ +secrets: +- apiVersion: v1 + kind: Secret + metadata: + namespace: envoy-gateway + name: my-pull-secret + data: + .dockerconfigjson: VGhpc0lzTm90QVJlYWxEb2NrZXJDb25maWdKc29u +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/foo" + backendRefs: + - name: service-1 + port: 8080 +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.example.com + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/bar" + backendRefs: + - name: service-1 + port: 8080 +envoyextensionpolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway # This policy should attach httproute-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + wasm: + - name: wasm-filter-1 + code: + type: HTTP + http: + url: https://www.example.com/wasm-filter-1.wasm + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + - name: wasm-filter-2 + rootID: "my-root-id" + code: + type: Image + image: + url: oci://www.example.com/wasm-filter-2:v1.0.0 + pullSecretRef: + name: my-pull-secret + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + - code: + type: Image + 
image: + url: www.example.com:8080/wasm-filter-3 +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + namespace: default + name: policy-for-http-route # This policy should attach httproute-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + wasm: + - name: wasm-filter-4 + code: + type: HTTP + http: + url: https://www.test.com/wasm-filter-4.wasm + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + failOpen: true + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml new file mode 100644 index 00000000000..4a19852eea0 --- /dev/null +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml 
@@ -0,0 +1,342 @@ +envoyExtensionPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route + namespace: default + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + wasm: + - code: + http: + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + url: https://www.test.com/wasm-filter-4.wasm + type: HTTP + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + failOpen: true + name: wasm-filter-4 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyExtensionPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + wasm: + - code: + http: + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + url: https://www.example.com/wasm-filter-1.wasm + type: HTTP + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + name: wasm-filter-1 + - code: + image: + pullSecretRef: + group: null + kind: null + name: my-pull-secret + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + url: oci://www.example.com/wasm-filter-2:v1.0.0 + type: Image + env: + hostKeys: + - SOME_KEY + - ANOTHER_KEY + name: wasm-filter-2 + rootID: my-root-id + - code: + image: + sha256: null + url: www.example.com:8080/wasm-filter-3 + type: Image + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has 
been accepted. + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'This policy is being overridden by other envoyExtensionPolicies + for these routes: [default/httproute-1]' + reason: Overridden + status: "True" + type: Overridden + controllerName: gateway.envoyproxy.io/gatewayclass-controller +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: 
gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.example.com + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http +infraIR: + envoy-gateway/gateway-1: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-1 +xdsIR: + envoy-gateway/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + wasms: + - config: null + failOpen: true + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: 
https://www.test.com/wasm-filter-4.wasm + servingURL: https://envoy-gateway:18002/fe571e7b1ef5dc626ceb2c2c86782a134a92989a2643485238951696ae4334c3.wasm + sha256: b6922722ab58109abfaa8d9eb16f339b38b2bb1c17076b083b34438b934e7463 + name: envoyextensionpolicy/default/policy-for-http-route/wasm/0 + wasmName: wasm-filter-4 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + envoyExtensions: + wasms: + - config: null + failOpen: false + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: https://www.example.com/wasm-filter-1.wasm + servingURL: https://envoy-gateway:18002/5c90b9a82642ce00a7753923fabead306b9d9a54a7c0bd2463a1af3efcfb110b.wasm + sha256: 2d89c4c6ab2a1c615c7696ed37ade9e50654ac70384b5d45100eb08e62130ff4 + name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/0 + wasmName: wasm-filter-1 + - config: null + failOpen: false + hostKeys: + - SOME_KEY + - ANOTHER_KEY + httpWasmCode: + originalDownloadingURL: oci://www.example.com/wasm-filter-2:v1.0.0 + servingURL: https://envoy-gateway:18002/7abf116e5cd5a20389604a5ba0f3bd04fdf76f92181fe67506b42c2ee596d3fd.wasm + sha256: 314100af781b98a8ca175d5bf90a8bf76576e20a2f397a88223404edc6ebfd46 + name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/1 + rootID: my-root-id + wasmName: wasm-filter-2 + - config: null + failOpen: false + httpWasmCode: + originalDownloadingURL: oci://www.example.com:8080/wasm-filter-3:latest + servingURL: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm + sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee + name: 
envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 + wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5103d3ea81a..b0b9a1594b1 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -2634,6 +2634,10 @@ type Wasm struct { // original URL(either an HTTP URL or an OCI image) and serves it through the // local HTTP server. Code *HTTPWasmCode `json:"httpWasmCode,omitempty"` + + // HostKeys is a list of keys for environment variables from the host envoy process + // that should be passed into the Wasm VM. + HostKeys []string `json:"hostKeys,omitempty"` } // HTTPWasmCode holds the information associated with the HTTP Wasm code source. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 59f1973b22a..de0be09ff0f 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -3425,6 +3425,11 @@ func (in *Wasm) DeepCopyInto(out *Wasm) { *out = new(HTTPWasmCode) **out = **in } + if in.HostKeys != nil { + in, out := &in.HostKeys, &out.HostKeys + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Wasm. diff --git a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml index 9afa2c97c9c..756e38952fa 100644 --- a/internal/xds/translator/testdata/in/xds-ir/wasm.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/wasm.yaml 
@@ -89,3 +89,6 @@ http: sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee name: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 wasmName: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 + hostKeys: + - SOME_KEY + - ANOTHER_KEY diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index a4545e62e2c..e3a679d1ae0 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml @@ -90,6 +90,10 @@ timeout: 10s uri: https://envoy-gateway:18002/42d30b4a4cc631415e6e48c02d244700da327201eb273f752cacf745715b31d9.wasm sha256: 2a19e4f337e5223d7287e7fccd933fb01905deaff804292e5257f8c681b82bee + environmentVariables: + hostEnvKeys: + - SOME_KEY + - ANOTHER_KEY runtime: envoy.wasm.runtime.v8 vmId: envoyextensionpolicy/envoy-gateway/policy-for-gateway/wasm/2 - name: envoy.filters.http.router diff --git a/internal/xds/translator/wasm.go b/internal/xds/translator/wasm.go index b8777e3805c..34b1087d5cc 100644 --- a/internal/xds/translator/wasm.go +++ b/internal/xds/translator/wasm.go 
@@ -118,30 +118,38 @@ func wasmConfig(wasm ir.Wasm) (*wasmfilterv3.Wasm, error) { return nil, err } + vmConfig := &wasmv3.VmConfig{ + VmId: wasm.Name, // Do not share VMs across different filters + Runtime: vmRuntimeV8, + Code: &corev3.AsyncDataSource{ + Specifier: &corev3.AsyncDataSource_Remote{ + Remote: &corev3.RemoteDataSource{ + HttpUri: &corev3.HttpUri{ + Uri: wasm.Code.ServingURL, + HttpUpstreamType: &corev3.HttpUri_Cluster{ + Cluster: wasmHTTPServerCluster, + }, + Timeout: &durationpb.Duration{ + Seconds: defaultExtServiceRequestTimeout, + }, + }, + Sha256: wasm.Code.SHA256, + }, + }, + }, + } + + if wasm.HostKeys != nil { + vmConfig.EnvironmentVariables = &wasmv3.EnvironmentVariables{ + HostEnvKeys: wasm.HostKeys, + } + } + filterConfig = &wasmfilterv3.Wasm{ Config: &wasmv3.PluginConfig{ Name: wasm.WasmName, Vm: &wasmv3.PluginConfig_VmConfig{ - VmConfig: &wasmv3.VmConfig{ - VmId: wasm.Name, // Do not share VMs across different filters - Runtime: vmRuntimeV8, - Code: &corev3.AsyncDataSource{ - Specifier: &corev3.AsyncDataSource_Remote{ - Remote: &corev3.RemoteDataSource{ - HttpUri: &corev3.HttpUri{ - Uri: wasm.Code.ServingURL, - HttpUpstreamType: &corev3.HttpUri_Cluster{ - Cluster: wasmHTTPServerCluster, - }, - Timeout: &durationpb.Duration{ - Seconds: defaultExtServiceRequestTimeout, - }, - }, - Sha256: wasm.Code.SHA256, - }, - }, - }, - }, + VmConfig: vmConfig, }, Configuration: configAny, FailOpen: wasm.FailOpen, diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index a519fc34ea7..77a28384c06 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
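Review bot: `wasmConfig` guards the new block with `if wasm.HostKeys != nil`, while `buildWasm` in internal/gatewayapi/envoyextensionpolicy.go uses `len(config.Env.HostKeys) > 0`. An IR that carries an empty but non-nil `hostKeys` list would emit an empty `EnvironmentVariables` message. `if len(wasm.HostKeys) > 0 {` keeps the two layers consistent. `wasmConfig` starts and ends outside this hunk.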
@@ -4204,6 +4204,7 @@ _Appears in:_ | `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | | `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4238,6 +4239,20 @@ _Appears in:_ | `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
| +#### WasmEnv + + + +WasmEnv defines the environment variables for the VM of a Wasm extension + +_Appears in:_ +- [Wasm](#wasm) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | + + #### WithUnderscoresAction _Underlying type:_ _string_ diff --git a/site/content/en/v1.1/tasks/extensibility/wasm.md b/site/content/en/v1.1/tasks/extensibility/wasm.md index 1b1d32f9ecb..5d2495cf566 100644 --- a/site/content/en/v1.1/tasks/extensibility/wasm.md +++ b/site/content/en/v1.1/tasks/extensibility/wasm.md @@ -90,7 +90,7 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` ### Image Wasm Extension 
@@ -151,9 +151,148 @@ spec: Verify the EnvoyExtensionPolicy status: ```shell -kubectl get envoyextensionpolicy/http-wasm-source-test -o yaml +kubectl get envoyextensionpolicy/wasm-test -o yaml ``` +### Wasm Extension Configuration + +This [EnvoyExtensionPolicy][] configuration fetches the Wasm extension from an OCI image and uses a config block to pass parameters to the extension when it's loaded. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the EnvoyExtensionPolicy status: + +```shell +kubectl get envoyextensionpolicy/wasm-test-o yaml +``` + +### Wasm Extension Configuration through Environment variables + +It is also possible to configure a wasm extension using environment variables from the host envoy process. Keys for the env vars to be shared are defined in a `hostKeys` block. + +This is especially useful for sharing secure data from environment vars on the envoy process set using [valueFrom](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) a Kubernetes secret. + +Note that setting an env var on the envoy process requires a custom [EnvoyProxy](../../api/extension_types#envoyproxy) configuration. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + + ### Testing Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index a519fc34ea7..77a28384c06 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md 
@@ -4204,6 +4204,7 @@ _Appears in:_ | `code` | _[WasmCodeSource](#wasmcodesource)_ | true | Code is the Wasm code for the extension. | | `config` | _[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#json-v1-apiextensions-k8s-io)_ | false | Config is the configuration for the Wasm extension.
This configuration will be passed as a JSON string to the Wasm extension. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a fatal error occurs
during the initialization or the execution of the Wasm extension.
If FailOpen is set to true, the system bypasses the Wasm extension and
allows the traffic to pass through. Otherwise, if it is set to false or
not set (defaulting to false), the system blocks the traffic and returns
an HTTP 5xx error. | +| `env` | _[WasmEnv](#wasmenv)_ | false | Env configures the environment for the Wasm extension | #### WasmCodeSource @@ -4238,6 +4239,20 @@ _Appears in:_ | `Image` | ImageWasmCodeSourceType allows the user to specify the Wasm code in an OCI image.
| +#### WasmEnv + + + +WasmEnv defines the environment variables for the VM of a Wasm extension + +_Appears in:_ +- [Wasm](#wasm) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `hostKeys` | _string array_ | false | HostKeys is a list of keys for environment variables from the host envoy process
that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions. | + + #### WithUnderscoresAction _Underlying type:_ _string_ From 5068698ef07c0bad91352df6c262e3df9c8171c5 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Thu, 14 Nov 2024 16:09:45 -0700 Subject: [PATCH 397/523] fix: remove backendrefs validation (#4705) * remove backendrefs validation Signed-off-by: Huabing Zhao * add tests Signed-off-by: Huabing Zhao * add tests Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: zirain --- api/v1alpha1/ext_auth_types.go | 2 - ...ateway.envoyproxy.io_securitypolicies.yaml | 4 - internal/gatewayapi/securitypolicy.go | 51 ++-- ...ecuritypolicy-with-extauth-backend.in.yaml | 75 ++++++ ...curitypolicy-with-extauth-backend.out.yaml | 217 +++++++++++++++++- release-notes/current.yaml | 1 + test/cel-validation/securitypolicy_test.go | 80 ++----- .../ext-auth-http-securitypolicy.yaml | 4 +- 8 files changed, 352 insertions(+), 82 deletions(-) diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 0670ed4b676..faa0897e300 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -56,7 +56,6 @@ type ExtAuth struct { // The authorization request message is defined in // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" -// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type GRPCExtAuthService struct { @@ -67,7 +66,6 @@ type GRPCExtAuthService struct { // HTTPExtAuthService defines the HTTP External Authorization service // // +kubebuilder:validation:XValidation:message="backendRef or backendRefs needs to be set",rule="has(self.backendRef) || self.backendRefs.size() > 0" -// +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Service and Backend kind.",rule="has(self.backendRefs) ? self.backendRefs.all(f, f.kind == 'Service' || f.kind == 'Backend') : true" // +kubebuilder:validation:XValidation:message="BackendRefs only supports Core and gateway.envoyproxy.io group.",rule="has(self.backendRefs) ? (self.backendRefs.all(f, f.group == \"\" || f.group == 'gateway.envoyproxy.io')) : true" type HTTPExtAuthService struct { 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index b6a040f8c42..840c8d59d30 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -1204,8 +1204,6 @@ spec: x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 - - message: BackendRefs must be used, backendRef is not supported. - rule: '!has(self.backendRef)' - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind == ''Service'' || f.kind == ''Backend'') : true' @@ -2103,8 +2101,6 @@ spec: x-kubernetes-validations: - message: backendRef or backendRefs needs to be set rule: has(self.backendRef) || self.backendRefs.size() > 0 - - message: BackendRefs must be used, backendRef is not supported. - rule: '!has(self.backendRef)' - message: BackendRefs only supports Service and Backend kind. rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind == ''Service'' || f.kind == ''Backend'') : true' diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 3c2d2af31ed..8635d216457 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
@@ -841,14 +841,15 @@ func (t *Translator) buildBasicAuth( func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { var ( - http = policy.Spec.ExtAuth.HTTP - grpc = policy.Spec.ExtAuth.GRPC - backends *egv1a1.BackendCluster - protocol ir.AppProtocol - rd *ir.RouteDestination - authority string - err error - traffic *ir.TrafficFeatures + http = policy.Spec.ExtAuth.HTTP + grpc = policy.Spec.ExtAuth.GRPC + backendRefs []egv1a1.BackendRef + backendSettings *egv1a1.ClusterSettings + protocol ir.AppProtocol + rd *ir.RouteDestination + authority string + err error + traffic *ir.TrafficFeatures ) // These are sanity checks, they should never happen because the API server 
@@ -861,18 +862,42 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso switch { case http != nil: - backends = &http.BackendCluster protocol = ir.HTTP + switch { + case len(http.BackendRefs) > 0: + backendRefs = http.BackendCluster.BackendRefs + case http.BackendRef != nil: + backendRefs = []egv1a1.BackendRef{ + { + BackendObjectReference: *http.BackendRef, + }, + } + default: + // This is a sanity check, it should never happen because the API server should have caught it + return nil, errors.New("http backend refs must be specified") + } case grpc != nil: - backends = &grpc.BackendCluster protocol = ir.GRPC + switch { + case len(grpc.BackendCluster.BackendRefs) > 0: + backendRefs = grpc.BackendRefs + case grpc.BackendRef != nil: + backendRefs = []egv1a1.BackendRef{ + { + BackendObjectReference: *grpc.BackendRef, + }, + } + default: + // This is a sanity check, it should never happen because the API server should have caught it + return nil, errors.New("grpc backend refs must be specified") + } } - if rd, err = t.translateExtServiceBackendRefs(policy, backends.BackendRefs, protocol, resources, envoyProxy, 0); err != nil { + if rd, err = t.translateExtServiceBackendRefs(policy, backendRefs, protocol, resources, envoyProxy, 0); err != nil { return nil, err } - for _, backendRef := range backends.BackendRefs { + for _, backendRef := range backendRefs { // Authority is the calculated hostname that will be used as the Authority header. // If there are multiple backend referenced, simply use the first one - there are no good answers here. // When translated to XDS, the authority is used on the filter level not on the cluster level. @@ -882,7 +907,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso } } - if traffic, err = translateTrafficFeatures(backends.BackendSettings); err != nil { + if traffic, err = translateTrafficFeatures(backendSettings); err != nil { return nil, err } extAuth := &ir.ExtAuth{ 
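Review bot: The singular `backendRef` is wrapped into a one-element `[]egv1a1.BackendRef` in both new `BackendRef != nil` branches without any check of its kind or group. With the `!has(self.backendRef)` rule removed in ext_auth_types.go, the remaining CEL rules shown there only iterate `self.backendRefs`. Unless `translateExtServiceBackendRefs` rejects it (not visible here), an ext-auth `backendRef` of an unsupported kind or group is now accepted at admission and handed to the translator. I would mirror the existing rules for the singular field on both service types, e.g. `rule="has(self.backendRef) ? (self.backendRef.kind == 'Service' || self.backendRef.kind == 'Backend') : true"`, with a matching group rule. buildExtAuth starts before this hunk and continues after it.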
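Review bot: `backendSettings` is always nil when it reaches `translateTrafficFeatures(backendSettings)` in the hunk at -882. It is declared in the `var` block of the hunk at -841, and neither branch of the new `switch` assigns it. Before this change the call read `backends.BackendSettings`, so any settings configured on the ext-auth service are now silently dropped from the translated traffic features. Assign it next to the protocol: `backendSettings = http.BackendSettings` in the HTTP case and `backendSettings = grpc.BackendSettings` in the gRPC case. buildExtAuth's body continues outside these hunks.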
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index 78529bf6d73..5d756b3b981 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -58,6 +58,44 @@ httpRoutes: backendRefs: - name: service-3 port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-3 + spec: + hostnames: + - www.baz.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /baz + backendRefs: + - name: service-4 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-4 + spec: + hostnames: + - www.qux.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /qux + backendRefs: + - name: service-5 + port: 8080 backends: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend @@ -108,3 +146,40 @@ securityPolicies: kind: Backend group: gateway.envoyproxy.io port: 3000 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-3--grpc-backendref + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-3 + extAuth: + failOpen: true + headersToExtAuth: + - header3 + - header4 + grpc: + backendRef: + name: service-2 + kind: Service + port: 8080 + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-3-http-backendref + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-4 + extAuth: + http: + backendRef: + name: backend-fqdn + kind: Backend + group: gateway.envoyproxy.io + port: 3000 
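Review bot: The second added policy is named `policy-for-http-route-3-http-backendref` but its `targetRef` is `httproute-4`. That route points at `service-5`, which the expected output for this fixture reports as `Service default/service-5 not found`. The HTTP `backendRef` path is therefore only exercised on a route that resolves to a 500 direct response. Renaming the policy to `policy-for-http-route-4-http-backendref` and giving `httproute-4` a backend that exists in the fixture would make the case test what its name says. The double hyphen in `policy-for-http-route-3--grpc-backendref` also looks unintended.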
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index 05086bae4c8..d304f6c13eb 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -35,7 +35,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 2 + - attachedRoutes: 4 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -141,6 +141,82 @@ httpRoutes: name: gateway-1 namespace: default sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-3 + namespace: default + spec: + hostnames: + - www.baz.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-4 + port: 8080 + matches: + - path: + value: /baz + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-4 + namespace: default + spec: + hostnames: + - www.qux.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-5 + port: 8080 + matches: + - path: + value: /qux + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Service default/service-5 not found + reason: BackendNotFound + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http infraIR: default/gateway-1: proxy: 
@@ -198,6 +274,75 @@ securityPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-3--grpc-backendref + namespace: default + spec: + extAuth: + failOpen: true + grpc: + backendRef: + kind: Service + name: service-2 + port: 8080 + headersToExtAuth: + - header3 + - header4 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-3 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-3-http-backendref + namespace: default + spec: + extAuth: + http: + backendRef: + group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 3000 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-4 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller xdsIR: default/gateway-1: accessLog: 
@@ -327,3 +472,73 @@ xdsIR: distinct: false name: "" prefix: /bar + - destination: + name: httproute/default/httproute-3/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.baz.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-3 + namespace: default + name: httproute/default/httproute-3/rule/0/match/0/www_baz_com + pathMatch: + distinct: false + name: "" + prefix: /baz + security: + extAuth: + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-3--grpc-backendref/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header3 + - header4 + name: securitypolicy/default/policy-for-http-route-3--grpc-backendref + - destination: + name: httproute/default/httproute-4/rule/0 + settings: + - weight: 1 + directResponse: + statusCode: 500 + hostname: www.qux.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-4 + namespace: default + name: httproute/default/httproute-4/rule/0/match/0/www_qux_com + pathMatch: + distinct: false + name: "" + prefix: /qux + security: + extAuth: + http: + authority: primary.foo.com:3000 + destination: + name: securitypolicy/default/policy-for-http-route-3-http-backendref/0 + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: HTTP + weight: 1 + path: "" + name: securitypolicy/default/policy-for-http-route-3-http-backendref diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 39e8a900c47..2e2df4724ab 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -15,6 +15,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | Add a bug fix here + Fixed failed to update SecurityPolicy resources with the `backendRef` field specified # Enhancements that improve performance. performance improvements: | diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go index f00ee84260c..033726f2b56 100644 --- a/test/cel-validation/securitypolicy_test.go +++ b/test/cel-validation/securitypolicy_test.go @@ -566,6 +566,26 @@ func TestSecurityPolicyTarget(t *testing.T) { }, wantErrors: []string{}, }, + { + desc: "empty HTTP external auth service", + mutate: func(sp *egv1a1.SecurityPolicy) { + sp.Spec = egv1a1.SecurityPolicySpec{ + ExtAuth: &egv1a1.ExtAuth{ + HTTP: &egv1a1.HTTPExtAuthService{}, + }, + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: "gateway.networking.k8s.io", + Kind: "Gateway", + Name: "eg", + }, + }, + }, + } + }, + wantErrors: []string{" backendRef or backendRefs needs to be set"}, + }, { desc: "no extAuth", mutate: func(sp *egv1a1.SecurityPolicy) { 
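Review bot: The added table entry covers only an empty `HTTPExtAuthService`. There is no gRPC twin, and once the two `invalid Kind` entries are deleted further down, nothing in the visible hunks of this table sets the singular `BackendRef` any more. Since the commit exists to allow `backendRef`, I would add one entry per service type that sets `BackendCluster.BackendRef` to a `Service` reference and expects `wantErrors: []string{}`. I would also add an empty `GRPC: &egv1a1.GRPCExtAuthService{}` entry expecting the same message as here. The table belongs to TestSecurityPolicyTarget, which starts and ends outside this hunk.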
@@ -657,36 +677,6 @@ func TestSecurityPolicyTarget(t *testing.T) { " BackendRefs only supports Core and gateway.envoyproxy.io group.", }, }, - { - desc: "http extAuth service invalid Kind", - mutate: func(sp *egv1a1.SecurityPolicy) { - sp.Spec = egv1a1.SecurityPolicySpec{ - ExtAuth: &egv1a1.ExtAuth{ - HTTP: &egv1a1.HTTPExtAuthService{ - BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Kind: ptr.To(gwapiv1.Kind("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), - }, - }, - }, - }, - PolicyTargetReferences: egv1a1.PolicyTargetReferences{ - TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ - LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ - Group: "gateway.networking.k8s.io", - Kind: "Gateway", - Name: "eg", - }, - }, - }, - } - }, - wantErrors: []string{ - "BackendRefs must be used, backendRef is not supported.", - }, - }, { desc: "http extAuth service backendRefs invalid Kind", mutate: func(sp *egv1a1.SecurityPolicy) { 
@@ -753,36 +743,6 @@ func TestSecurityPolicyTarget(t *testing.T) { "BackendRefs only supports Core and gateway.envoyproxy.io group.", }, }, - { - desc: "grpc extAuth service invalid Kind", - mutate: func(sp *egv1a1.SecurityPolicy) { - sp.Spec = egv1a1.SecurityPolicySpec{ - ExtAuth: &egv1a1.ExtAuth{ - GRPC: &egv1a1.GRPCExtAuthService{ - BackendCluster: egv1a1.BackendCluster{ - BackendRef: &gwapiv1.BackendObjectReference{ - Kind: ptr.To(gwapiv1.Kind("unsupported")), - Name: "http-auth-service", - Port: ptr.To(gwapiv1.PortNumber(15001)), - }, - }, - }, - }, - PolicyTargetReferences: egv1a1.PolicyTargetReferences{ - TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ - LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ - Group: "gateway.networking.k8s.io", - Kind: "Gateway", - Name: "eg", - }, - }, - }, - } - }, - wantErrors: []string{ - "BackendRefs must be used, backendRef is not supported.", - }, - }, { desc: "grpc extAuth service backendRefs invalid Kind", mutate: func(sp *egv1a1.SecurityPolicy) { diff --git a/test/e2e/testdata/ext-auth-http-securitypolicy.yaml b/test/e2e/testdata/ext-auth-http-securitypolicy.yaml index c6a1e73c6a6..f79bbaf8745 100644 --- a/test/e2e/testdata/ext-auth-http-securitypolicy.yaml +++ b/test/e2e/testdata/ext-auth-http-securitypolicy.yaml @@ -47,8 +47,8 @@ spec: name: http-with-ext-auth extAuth: http: - backendRefs: - - name: http-ext-auth + backendRef: + name: http-ext-auth namespace: gateway-conformance-infra port: 9002 headersToBackend: ["x-current-user"] From e48fecf03141b45279f5a3d5ac16e288d960c20f Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 15 Nov 2024 13:55:23 +0800 Subject: [PATCH 398/523] ci: use static file server instead of `github.com` (#4715) * ci: use static file server instead of github.com Signed-off-by: zirain * new-line-at-end-of-file Signed-off-by: zirain * fix Signed-off-by: zirain * nit Signed-off-by: zirain * 1.23.3 Signed-off-by: zirain --------- 
Signed-off-by: zirain --- examples/static-file-server/Dockerfile | 23 +++++ examples/static-file-server/Makefile | 8 ++ examples/static-file-server/README.md | 10 ++ .../static-file-server/files/jwt/jwks.json | 22 ++++ .../wasm/envoy_filter_http_wasm_example.wasm | Bin 0 -> 59641 bytes examples/static-file-server/go.mod | 3 + examples/static-file-server/go.sum | 0 examples/static-file-server/main.go | 39 +++++++ .../static-file-server/manifests/http.yaml | 33 ++++++ .../manifests/httproute.yaml | 22 ++++ .../static-file-server/manifests/tls.yaml | 95 ++++++++++++++++++ test/e2e/base/manifests.yaml | 35 +++++++ test/e2e/testdata/authorization-jwt.yaml | 6 +- test/e2e/testdata/jwt-optional.yaml | 2 +- test/e2e/testdata/jwt.yaml | 2 +- .../testdata/ratelimit-based-jwt-claims.yaml | 2 +- test/e2e/testdata/wasm-http.yaml | 4 +- tools/make/examples.mk | 4 +- 18 files changed, 300 insertions(+), 10 deletions(-) create mode 100644 examples/static-file-server/Dockerfile create mode 100644 examples/static-file-server/Makefile create mode 100644 examples/static-file-server/README.md create mode 100644 examples/static-file-server/files/jwt/jwks.json create mode 100644 examples/static-file-server/files/wasm/envoy_filter_http_wasm_example.wasm create mode 100644 examples/static-file-server/go.mod create mode 100644 examples/static-file-server/go.sum create mode 100644 examples/static-file-server/main.go create mode 100644 examples/static-file-server/manifests/http.yaml create mode 100644 examples/static-file-server/manifests/httproute.yaml create mode 100644 examples/static-file-server/manifests/tls.yaml diff --git a/examples/static-file-server/Dockerfile b/examples/static-file-server/Dockerfile new file mode 100644 index 00000000000..1f1268a2197 --- /dev/null +++ b/examples/static-file-server/Dockerfile 
@@ -0,0 +1,23 @@ +FROM golang:1.23.3 AS builder + +ARG GO_LDFLAGS="" + +WORKDIR /workspace +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + go mod download + +COPY . ./ +RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + go build -o /bin/static-file-server -ldflags "${GO_LDFLAGS}" . + +# Need root user for UDS +FROM gcr.io/distroless/static-debian11 +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +COPY --from=builder /bin/static-file-server / +COPY files/ files/ + +ENTRYPOINT ["/static-file-server"] diff --git a/examples/static-file-server/Makefile b/examples/static-file-server/Makefile new file mode 100644 index 00000000000..a4e59d1e3dd --- /dev/null +++ b/examples/static-file-server/Makefile @@ -0,0 +1,8 @@ + +IMAGE_PREFIX ?= envoyproxy/gateway- +APP_NAME ?= static-file-server +TAG ?= latest + +.PHONY: docker-buildx +docker-buildx: + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load diff --git a/examples/static-file-server/README.md b/examples/static-file-server/README.md new file mode 100644 index 00000000000..7cb2417e3cd --- /dev/null +++ b/examples/static-file-server/README.md @@ -0,0 +1,10 @@ +# Static File Server + +This example demonstrates how to create a simple static file server using the `http` package. +Which serves files used by e2e tests. + +- test/e2e/testdata/authorization-jwt.yaml +- test/e2e/testdata/jwt.yaml +- test/e2e/testdata/jwt-optional.yaml +- test/e2e/testdata/ratelimit-based-jwt-claims.yaml +- test/e2e/testdata/wasm-http.yaml \ No newline at end of file diff --git a/examples/static-file-server/files/jwt/jwks.json b/examples/static-file-server/files/jwt/jwks.json new file mode 100644 index 00000000000..b58d8e04fb3 --- /dev/null +++ b/examples/static-file-server/files/jwt/jwks.json 
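Review bot: The runtime stage keeps the base image's default user, and the comment `# Need root user for UDS` does not match what the README in this commit describes, a plain HTTP file server. As far as I know the untagged `gcr.io/distroless/static-debian11` image runs as root. If `main.go` (not part of this hunk) listens on an unprivileged port, the final stage can drop privileges with `FROM gcr.io/distroless/static-debian11:nonroot`, and the comment can be removed or replaced by one stating why root is needed. That keeps a container which only serves fixture files from running with more privilege than it uses.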
@@ -0,0 +1,22 @@ +{ + "keys": [ + { + "kty": "RSA", + "n": "u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw", + "e": "AQAB", + "alg": "RS256", + "use": "sig" + }, + { + "alg": "RS256", + "e": "AQAB", + "key_ops": [ + "verify" + ], + "kty": "RSA", + "n": "xOHb-i1WDfeAvsbXTSOtosl3hCUDHQ8fRDqX_Rt998-hZDJmAoPOu4J-wcwq5aZtSn_iWUYLcK2WmC_1n-p1eyc-Pl4CBnxF7LUjCk-WGhniaCzXC5I5RON6c5N-MdE0UfukK0PM0zD3iQonZq0fIsnOYyFdYdWvQ5XW-C2aLlq2FUKrjmhAav10jIC0KGd2dHRzauzfLMUmt_iMnpU84Xrur1zRYzBO4D90rN0ypC2HH7o_zI8Osx4o1L8BScW78545sWyVbaprhBV1I2Sa4SH3NAc25ej3RIh-f13Yu97FVfO0AIG4VfFiaMmsTqNTCiBkM20tXD2Z-cHJTKemXzFgInJoqFLAkHLzJ0lPvAkKOgAOufLHa7RA-C276OXd72IXPsL1UOLN4sjhGqTtaynVa00yuHdi3f4-aoy9F9SUJeWfPg--nZNLzuI0eyufsTFywnx1bTQ_kdYlEr0dRE5sujlMk3cZ7FmOQRvcjA9MxFzoVKMmlZc6LMCgqw-P", + "use": "sig", + "kid": "b520b3c2c4bd75a10e9cebc9576933dc" + } + ] +} \ No newline at end of file 
diff --git a/examples/static-file-server/files/wasm/envoy_filter_http_wasm_example.wasm b/examples/static-file-server/files/wasm/envoy_filter_http_wasm_example.wasm new file mode 100644 index 0000000000000000000000000000000000000000..df2554e971e8538ce58066a2bdacfddf4c1b1bab GIT binary patch literal 59641 zcmeIb3zS{gS?9UWIrmj{?yb6#O17j@;&U&OQ;wxXP8`{h9bCr`S+bp2N!-LVFy*pT zwyR1i)l0J6ajZ&W(t-pqO@I)>poBCrN!++QVL><0(J;`RSq;;MFioamx($;>vw*e6 z3|T{F$l&??zrD|W)XR24z-zGOQ|H`$_T$^%{$Bgr-`>YfE}e>;bI}K)k^7?ajw?EU zUvmC@adY>@=Sk)d=_S(nQPz#SbN5y3v6EKhvHN3>so-NOSoPUdhF_KQkLov1$zyhl zAA2l%^uGAf^Ug@E?!`G;e;}cWork9;l9b3C~@H9WQxcrDq z_2M%BVu{M{Kl8u?RDS;>%Tr6vAPFzk^4gcL@+B9iPMtnG)eG6#$&+WMJm{}3^30!{ zJibmQYbEq=^2CX?wOEFB7slo3Oak`}uC(+h=y<9F+mOrtc;!@tZh7MP;uN*HAC9`O=B6H2C3929 zt?I|49i3WEoPKz2X_+FYCIDj6eJBdVM2%Z3@({m4Yv;NZ_T=rJ#zAxI=Uxy#r?~g`0$qd<NoTs%9MwLMC|1zqaqEn}jyXyzeMlO%i?|4&d_lbObrnUROyXw2Y>mRpv@7#Is z?spw~$3NQr_IKX%FQTWS+iv^O=)=*q7o*nL&QC`>cm7=T#y7rk=l&<6e;$1@`kCkx z(Z{3DAWc3M{cP0QJ=Xf^=)aGCD*9M7)^6|L|C7;cJ{rB|C!*K-`N_tUm zM~6$}`Bz)~PqF;5EPi<5VC?EiN`~lQT+gDcbTF>f<5c-~v?@SkAW&4TST(hFtd?Rb z+?8f=Q7~4)C{>AkWTwq)fTb%*-t7L$T`M9}Lh)8LE7A4dtPxpTR5%tlRW!}2xdXm5 ztAL9Fl-=|zUd}(cXQo}E4SM8(2WgEc|5}UxS9h+GH}jFKLbX|PcyvY(ll!&?-Hfuz z!FY#y+ib^F6=n3J>3g-qurSh&H4^q>B)p&tS$QlL{K-O|+}?2c*ISuj&B~13V_+3j zF~HHHo~!~VZPGlf6_8H)3z46 z^%mpbNNCx97K?Nz)0MWqo3?R3UHe)K=~1<= zA#K&eMB-tGbu)MQPHKtH&hqz)!=uYyI3dFjV3EX6$ynuZLqNakY>SG4hFoHi(!xx; z3K7C^?Z~8=8UP`pcgdClZ9<~jqrO_(a9XDVr82bO6!D}Y0mHR4|8SfCsWv|!M1n&A z{mR}}0$4~g*9O}&EyjaZmH9mVO4B-{AbdC9&}^iykK*%;LzKDEmPTl>J?!K2-{$h>Y`e0@DSJEFNA2!N>Ac#kX-J>1E&x(FA57b2sxLB- z8B7^Q_X9_}1Um1Q29Z<;icpV-UD*=KXC>rx7B@#FA5b6~#NHY;O1{o4Iz+87n>*x& z$z7hwD*N5=A?Ilo?o|z0c^0H1azMbh8*9$&ahXfsSBjGJ4BN^jCzy=kns3b<1PlVe zqWYReOH#-s;fWDGqKvKBdgRkPKU*UqW?DuSbRkRbMv#J-u&j{YdNFj|b zm1L!%>&ctUGKMP}zLofBI~r}iID zfs9>NfirCSn+QB%Tas^{yQQMa=k@5DhKBO43o@z~t)j zVevoRw!SyN^R|C5_^z#oZzXzs|8MoE7W6;~;)H3DLK^SndQzT4!bC^gwNa)P5I(Xyk8-9ECwDeb 
zw0Sg(pQjX|&b}0x5~bp~Huk_#6uSy1Cw-GiJ~-2+8)_%KqF#e0q01Y-Vg|HPsjVBo zx@_ZDyElII>WyD9W!eagv5jB7cH>vC+xXSB8^1cV@v9p*e)Vh2e>Q^t-)-{li<`Xr zpEr5;JDa@w@+R+|-Q?X@HhK5Qo4oteP2T-u>7n?>@H4yH9NL?q@f7_v9w;KD)`gf3?ZG&u{YX-)!>k-){2m(kAbI zeUo?pZj*P<^u0?Eb{1f+Se9W#sk@K#ydQGO}hnKHQMM^GI3 zb4qDm=hDBxXMa9=jK*zxM4eJ17+V;o){<`6_cG^`{ITA2bV&Z5-UQ7Ut3KnSz3Es< z`GC@$6xS@1g*K+MOkB*w{Jrmcymqp117UK`f}b`}NT2zRhtf6~Xa1-}O-9d!*HOOQ z$+**+R}RfExsCXnrl=Yvip_V5o$Ne4)Ok8lR7K}X3;B-4c7)BEX9oUL?efjp2eR_x zkO94C7LbhdP`)nN;crcUtNEKypZTf6eb{FC6*7*~4Q=83dTrtNM{(lE#ofHZf6aR| z)~zyRrZ#2lMG%6!d2j`w1|NIRr}6`fHe@$z*80=YcgVHXV(iprR{oS+f!&fCs=+x% zdhq0ICRjM z?>Gb2-I3AO0HTGCH6S#J0;)~20dqlTvGU7BWckV69vr>BAvU5w6_8^FYJf5gVX$g{ zvcb`8pgGcD5+fh7d47HVtn@-Pi>fGwJY&uPQ5 zOT9HnFKYOPJSg#Kn=&qIw5!~@8RKy(9Te>jsuA);EgaLbYvZhmYn<^{iNnyJfkWMi zxx|^-*hCCA##;bIweZm~?##1~Srxr84(Cs$To$SSvw zk}Q8*7D>0|&gQk9B2iJKtnp$}tNATA=C_bk<#w$s^p%d%ya}6^gnV2ZP^$@8e#@PM zfR>cDM3=8z`C9VS@~>+;&nSPcH4u-(KkB{k{<#ll1K*QJOZr){+W zi~Nn27vaC9&(y{3IH#fO+If!QU^8fa2z$i z2f@9Iv@E(R#$|0!482AsYQ81CUOp8kXST}GAWo0wTPV}3o=G1Y0kFjOJOQ~c1t{r(!)XZ zj57xn1PB@31)X0v)7r-E`k7WUcS3Q(P-P8dqwwkB%o?+Ic$?}iLe=?JLwX^~8c12> z#8`Y+dq73)A1t``Up9dBX;-8v{mZN(8>L+p1w>xYRP(*JBfR(p!{LpI{BJFiVYO5R zZbcFeMTAoi$yjYg2)(@$YSK~zaxzL$I0!kClPqd%1=!)7Dh*1bAc4D&%8$+DgLkWs zRF?07bF;`NTY)WkB4sCY1gliI0y|pbB$I0o<=7pA*c}Fa)v(b*%4UPhB!Ay;m$Xzz zF9f?pufd)TE(&%U>6WLz^rE+*Izux<`D;xjN}^@eUU&`NtALJ|@mlAX9-~VPknc#c zj3Je;yhpOOmF7`v3&12Zf^|y+Pe*GD7j#J%;At{p7?x(NxRvk&3;3yZKTGrTcd%;Y zvUHYWl^iEH{ZV!0{5Rc9^Om+e{0&?Gx(k*E^EKg%fzMxO=+%&_S4!On(u)x&dX#jA zLF#{XkF-MF)1#Up7jsu*BXzZ(<4YdC8PNFWmZM)|}7lpW>6tVrYQin6VE zyYeS7Acpentt_>Si|{m1>NGT6F;dUJ-$?cJw&%cXqly7#~ z$a~r&(76DHTI)z&D7cB~VJUy8l>CoU`G8RY3+?)-))Z7p)@+`l+6oK8w;_9KSi1wZ z&O0M87>=59*7BOJJNc=s$gTWq5JXW0Xvh|tCp+~p&!FmKObif-XK8f?oe+bXBo!UO z<)*uGmZfn*_x_WqJv&roj#;XgD~<-hS=NB1>kNJO2eUQ*=UDoK+X z35GQ&$KwoH=_$O9fB~C>B-gURBctshbQx5EJmZJto!HA|!&#lRDm*!iKWWTZOX3M7 z3?Uz!Wn%0tQ&wa$#t}<^Q&AVT35!)(J^jB2;#B55%Q(>Ne$39^$w#|1+O9G+;jN=8 
zeqq>VRi>^bEy~&tbIeC$&gDP)rGNil$|te7BS}I%wyv1t+gk^eY^-RESgU1KDQ`7P&5jm<=^U*<>2uN=vt8`mAtF)PmGvyFx zAbn_RK$t?fLVpr~67?8wVo@{(HIQAFn@ErvN=naY13}pw;Wzk`bdDNKr(DXIsPnBx zZy$2RRMuF?>de5RZw&C#CV(TnUIgIGoBIIQzz4vg>>bTIbX1!`LQjiWy@QQ;!3cP? zInRe}1~-&Hp-~1gpKA?^0Q?MY$YyZE#SD%~q0qI#3=Zp*@EOhHhO;5&aYJDqr@Qm> zxS?VmhsT9~@lpHM33QhMX%_F|;ij3w8Ge;KS&U>&w zms>A3Z&Nc&`c+oxX9!=J3O{#MV7>j0o^aqTHe!= zhlbJiZ3r;6A$6RBu+C5`Epu6zcv_YpiWFgjjxid*sjcC#6>8x2eubdpeaxq1if1Ai zBVsUp1ce9?epv!f&;P%F{V=or6}-XcRGAnF9u*p5vq>{vvt7WIf<NPLCi*)TA8S#y zsQ;MvaGEP;EWY)ds`SR9QsPZC#G%py-AV-;AnuR=6pTFMf?E&3v7)ZAzPfgQBXx}w zb;0o+xc0ei-Zu$0Y6fZg7T5fFLQ?md?*Ipezpq>=_wU!4*^5+t+T-E=;qJS%?3&-^ z!rw3MkJ7O0o+=b&y?@~UtF{Jj(Y-joq^;8#i%`o`#6nrIe$E0n9qRlU?lZ5VKzq~WYO0)F~YK|ir$h< zy-l=Af>|YH(4tMWVbR~Rj4F=NoQYplhX)is3V=RyoOi4v>9c{;>loC>Th%#rZ z4A%D@nDjzvGYlsgvQgw<;r!vK*<0`LNIM`axcqCvQ zv)m>K%-{)atyySm&4;!k@LSHt2+w{o9M}^w4HC$$qGbj0FgnzMNkp=SP(}yiOZclI zUWF!kA20|AEM=e)oYKpTpw~a(b5UT#S#24J={1~Qg`+hP{`bbbP7d+9gxE{u^)41# zQqLl~WW1N`WR(a=vC$}91WrBRJXVJYea#|JOLtQv0@S~BcpSp%%d7z~K)yU+BW{O5~T2S$<;fYNsG3rYMEUrsv(}>t-q($2=0q#4riEBu- z3IAK1KQvTkjt~Tki^sv9cr0%!714m?a1s@eDMF7Q!a!%!LWGH{G~Rl_CJ}g{ZEaB6 z?!079Wm2A}ekl*8O)`pCYzu?n!RN#e4~Wd8{6lU2x2_8aYf#olv2&u3soknvO8~td zjRZ&i=3a_YMyg(irN5V4{ z|KAx#EPBuP^qEF8clW3y-s8}`>Xekte`&9_9l8ATdo8hu(a%59_5`hWmpoM_;7Qh5 zEJKCfnt8%|9-kz^m=@75<&)V`CCpXH?=@vamvch$H88aqo|qY8i>UGsi36eHz-~#0 z-J+SCi11SWL_7Zjp@Yow_`3bBjyp~=M|4E%qF#`uLB{c0QjJM|E=xj-TH&@9u`Z3x zSK4746Zi&O=qq&s^n|9VaGj=Q?gVTqT%y2Y7AYE4%Q&qVB(|KGuJ{MWY&dK!Jq(MF z^bNg`__tERtyqk<#g~3Okt;o%iK=6^Bc)*@#Z6=G`wVF3)}UCDp^#ZI@8f`wI3PqK z5`QXY0a6S-AC!}Q?S;&tjq~^#M zt%%!EsFHO3d${0&x||lipi0R2G6h!_v0;35e!)3fnqtrrG;|qZ)ti;+j^fcO(uEY2 zU{JsDg`%koP`SMy5;w9SwFOQ zkUZ?~AwBHjvKQLJ6<)9&(TXxm@EHkILsBVh8tjZUufxzW`rq_kEwu)5;Xc<*K46fe z8@yQ)ZB)C~={LAbYhCLUA>*x66#Cj-S~R{pt7--ea)XT~YdKiZNG0t-^Rpl}YGDr9 zEQoD{qG(MV%#5XOc4$T3jD;8(SzB7ccM>dFypjUXc4$%SGK3-ExyORh> z-bdEi!Ah!jxA;!j+>#Q39GSUxH-WbBX21BYgCa)>3&@dMm`Uqq;!VeFqVI!Vv};n5q36m 
zv_8-u0dM;TOGcH*Y^c(Cszj8nrOMJ_T;$GECApUwje;soj2Trjx$>I^MU>_z_6Rds z3*$oK@>>|K8e`P_3{?bdV%b<7FU5d{-N}>+MGW%{u*M;guv8SN6-jJjQW)*%DMi^r z{yeb`=gAyOm+B;`V?}Iew6nxk#O^vkh_xaS#4_x+8`H%j+eCdPN0Y}USTnIqj~>h1 z!-STI@B4*vY0bu36Uu%HMMaF6@JCgKKhn+Xz;C@6DP90koDa(ifYa0`jIO}B#3MM< z`auaJci1u%Uh^dD9NMtlpfgOG3Z-h=RBO8CrigR%lu+6w?lJXHdJ zKUK=&UqzL|P>%x=Gd55qdS zCMuu~VG@=>jF{U|y_RnQw9B|L)Uv#cF53gZ>CZ&`%?X%)6P+_#I@SuLC0(loY$>@1 zNzfiu8@?Uf_(fcLt{JOx9SBdV>7c^GGTEnkv!fm7{#hVE7WnphO2DaBMN!ZiK1c%; z-NQVJM$`0rh{96>zN|i2B!dGiwg-VxDO%0x29OCWJG6Ju>gN`U^wvH|V*jCG|Mes12!A?R106^%RzkkG90xHo|g=q@z*| zah~3tDtL<*I9`}#`E8fn(!-Y@=4f(H<6D=X(9VEiqCdu0CLzdhtoigLwQ_q(e00ce~4 z9=3cpx4CqfH&o_F=xu2_rYC9doD&G>hUO%`g@{0|j6b#J!kZJ9{-?{5E$3rS>;m~u z1M2{|8qo0U1MktVwlDXgG0{ic(XX~H&!ZMm9>WrfYzPivF(di^u9WUk?H2@Qj9D?dJRQtC{Gr(LgC^g9Y+gAFIGw zZR;?D=qCcW&*sMgE&8;^$tX;5=Fbez0Cm=|T_yM>e(~cyor^$)0wwUlsnS_VAV-=4 zcaq%Qp^0wD?%bpnM9TT=wAGyu5BvkrcjxW>LXaQsL0fvapm0U>YF5i=_JelMj=KV^$@$Go&L5dJp}kz0XW}4ZI?q35ZVW%58*xneiy=j2xah; zLobf_NZJmhlOh^n+@e7O`J9+(r#fYz=+M*oCm79K3kWP1Fhuey4&=|knmEdcM{2Zc zi~#bfQ{=h)c<0%<2W%npGa3s*illNFN9Hv)v-l-H2vfiHTlpt?$r&7iedLbLaj4-} zZ?r7jmm7_x`KxrX=|m)4Q`8V{Q$?cJpK9&6*|jbwQw4rRU_L+m{;cvQ8r|`MN86W+ zM?d^$e~_%e>h|#1d%m4_l~4t11Zj5pr%)->Wzk6ZWPvzU57mZbuVvPD37HKrn&B|3 z&w9L7=omePVtB^_l(xbQ<~wKdfm6^|YdcYFf9wuxqfU557QIkR2k6=QUI@F3GXLOePe{+YGcKZVKOrwoZVgB%p zNP<;1Z5kc|s}_AlOnm64`M`$((KjrI{@YBwII z-AdLJmbM?xngVnfW@B?XtV12!*mV;)=GmLV!*j*M*KW$TQ8`Q5^~0m#C25sxJL_xP zvii}{*3MfalhNb1g!kjOWW=HpBrKUj$d$`3GifRlYv)H1vk|g1B{Xn2+cw+g1QA4! 
zq-r!t2JQPpwHp_K1Ca$3Ll4u1jgA*(pZ^ic%B?`i>o+i5 zhA<5b^gw)PC5_KR(V()8%L?!PE`~sCX>8)ac-m^xUyZAI8YRHDLfQ}m#?N_%I%3Bc zELOXNq<7yT9Vp*1yQ?tZc`hr6O>)1z6@4{eqO2+GsU3~l5I;2fkYWW456&B{g{=#W zrD!dgClfuc_tF!DAuTDk#AEAPTL~6QhSQ|+5*|LzRNZ`v_qjHQ9zz@z0Q@gbmXkS1;%f%D=Kn( zR$gB}ZppUK3W|}LY3I&-(YE;<_LViX+;n|D@54cYkv1!B^W6`=<0J8lNI$}X&)GV4zq7NwaLop_ko7yqG7Cj)x1aTv)38qG$mE-#emWZ2w@mK;S z>b3p~&aJoQIHTz~;;08DLR>>+SYfmWv&tRTH4^AUko;wjGj@@P@)aCBm~WlQw*~`Y zJ7l#T#LH(hXk$T+3WlQ8Q?qGBWV)LD;e+l6u$?tiR3fK29T`n8#?AtpZbIx|)AfcgFrL-f` zpgZABlUvz`G16*=e9X9b>vv80Ef8_~Sj=g&INN@;o!orwg-sM{H@%G~CJDS4!9*L3VR1u`>!4mY?u7m-h4f^1}zW5OYE zBUDGvE=8}(gbb!RI(Un~C|hSIKol_XKUsjN^Jgbfom{kp&=%pSc2*Z@3P%m~S}1DR z-Y8Fz;?X-$5Ojs$h$B#aD}7c@Tq17l5RA|+EXyq*FshKl_Xe)HUsPTn6P=H%r(*aAd4s^ja z7lHxMQb9ksMl7BPyn(_d7{BRw3*rqJbI~N7Z$6fOK5WakGB%&{2a|aMEBO%MR?OWy z{^S~nRriG}jldu-A0=$Nc-A25eqX+=0UJB30Sv(xs@d<$C!3ZtZ8sZx z^wo^|6u^n-Z3mo)wxlvu1P(}vD~xH&%t}CEKNMX+Ikzj^x*6kfDlIlbP~m$bB2jK8G#;Z-eUXb`f9Qz}Ri-qy#O-`&O5Pv|OyYCFPmf=@ik~j{gf#uvkq+E=4{k%rV!zn{*5bL? 
zY~ZxnASzC$)66z%a;93$-G>yiE^?Gpz0Ug$+n@8h-q~$Xy2aT}b={rc;ZO=Y99pcN zPyyys7Ek-#1~i^$)~t3LxIFAOu+|+-MX=OpoBWzNy5`|DeIgDzg_;maif`sdT*Pc% zI+I0y!V_!xky5(Jd#D^3feM#F9MZ|2JuF}V>~g3jg1dAE>yq);qRPrjgmHud((VoI z{Uk?{Cuf*1vv20;s1|CTM;%j0k2e9Qo%&G}mHWP=vq2ya%tQ84%rFzCbrN4KGJ6|H zg*S15a-a=Bq5*h^k`=^=b^ilZ;Z*WEI7v8z>^cMSdBRLW`gF@RLxIOaxOV zx=q2hVt6|?380`LW)iAF3+5c^KqW{iIJH|T!me}viO#mvcLH=-+q;Z_D zWcEk0t~msq5#nx#J`rBPUHrpRK@8ia=~rUT=7Rjm1TFJG`I$`dnIsXqXlx9NS;dGz zZ_??UUVm7mUdU6G*nGjZRsjZ9z9gbFySy7gZEIl)4U9Iig@2vT>xGAO4RJ1bnSEJo zGdh6$2Y|#N3Kb#Q?NndhDn63j%7~K+m<703zlldO#ADwg>%DRok-Q`KZQH6X;yY&*dtaJfphsP$`OIHh+wa0);V)4rUr zAll5`4Uw&f7g&sQG*%B5MZ<4W|8oknq_W>#i*@KjL=Ad6jJ?7ZwVrrNwg)y!eM(4yL z_`gKYdXk$0a%X7sFK^S@KkVrv4L}+Z_yo1(E`N5_O&Swf2o>TFiz5LUmj{YJnA38YVk;HLQ$)4 zLuAU+fd(Ve!9PzFH@f9~4##Es*65u%bvB%X*EORZU+CfTXm;XOo(jSX( zjd}T279!>F(z2458#eHO$5{)dWIQ%UP49d2l+bZ4etP#3H6YCZJpT;K-_6&zL9^^| z65ooRF~$QS-G}V-l<1Lb#rMnZotYzbUvr7-UBH`~cq0 z&gTa}K15vIiuA4V8n5NMc z_eZphA}Ba;=&hstLGALM831z4d@%(8P^`GnVB~4@uN5GNELv+8GDG@6G(BG{AVP&L z!589AgbzfWpJorjrr|x6{_q|^4dFdJ(VJD_J!OUW$kPO^;tkPS^igw-m_4AFpn;bh z-c#)f?_tK*3Fpy-*Sf166>v#6mZt){gEr$j#~e=cX&=kuImpNAz~n2nbP@^Vc^rMh z!1u>Ec}=2t5cm**=RXb6GbFJBf`*h}Z--2z}JYB`Ij(3P#vi&JFA7T(Zn%+pI(l;aC+Senh zl^|#V#d2lD#DjX2gJCsuCH=+7)8j=poPi_&XDif&X8wdS$KwJ9ESUSJs)!85I7cmv zyZoo65VbG>(AWCgZjxD!;ebC{MAoQHsc)OapaK;mY58|pJJ3+loNLh!DO&utoNque z9(Ej_6#_*|3dRnH{;9S6V&pCTYw5@_{Ktuhkdp3GI!!DDH^t$|+|q?M*nNlT>?qy8 zULp1~6bI}keYyWkr%o_R&wv|EIN*YV@o!?BVIU*|1ew{-yplk%%UDRd8fVFPZ7{ZC)H>~+2L zI}f-um1#s3dm|W%;Z&rw#gOQYYr`uF%_W&6`lC(q%qi&|fZBLQ>62pC80J(UYY9Fq zVa7D)Aq=HJ@loHGC|Z6WOerT`@Ate}4Vc?XD8R5VJM zD2%zzd*MYDVJvZScfi{ry5zf21tY+Pvd4^KZj|Tj^4@no{njl6 zS*(*jzCrqt4btyY`p5fFqeB&CVSCghA@l=)JZiMo#%8>L8VL!^ET+D65jF1ECt%Fj3@{ooBBPk36Phl8jIn~>=VHC9+YU{9p6r8V5C!rwy{a4?T zX%?c3uf8D^knNhH=sbK|3RFw-A9}8k&1gki)tL3o?piH;1UUY)zvu-`6X+2(wP`zWwvUT~ z;ADr=15RJsD|aj5Ql(a8T?)&;RB3hrz0gXnIunclTd6fjEZ*d$mMqCcx5j-P0k=Mm zEcA$NN1X^VYaUZd5oGjC?*4*L)j9tG5LG4c5M@-3z*8ID^X;`*Yxu3V!pk~ZOPKR~ 
z=ND@gsFao@%)kGNxWVzOn862ZQtFKn$<*F|a%|{31rQ3&@hJ{XL|OOI4O`M+Scm-j ziBD_Of#mv#uk$emBe^P}8o(=}wTNF&2(pBD61MCs3i?sVqf{nIk&OWtbyhuLa)U5+ zj!oEuM=8;R9XxcUzNRqT`7Xfc2o=|)$jn2WBYaJvS)9cgNKQa;YRc_E*Zr1)Tsnl! z6QMGEi?aw7-JOq68Sb9J$;>q)3Z?j#f_%q7iglq7^U2?$Fg32y$|DS;Yd zBXx`UvdBx3HdG-x;G+umnV4#bI;07>&+JoCui6TPC#z7=i|aJh+l*BwSePODHh@Y^ ztp28gEOC7?RGt@jsKjwP%`0gRj${u&S5oPVf$c%gM3glvx62@25W=|ZGe+2|B@q)o z3+8c2QwYpd-6ZWPdb1CWOHx)(%$VlU2SMi@bgjA}@c#|8x1v^}w zr$bI2Bs(I+ThfGLGZ|Lo3@F0wfYF1S^dkzH;)GlHpbj4Zj~IZncV1=u78pUGBEnTa zJ0sUHo<`ilc7lN87uaaUc_dH)Lj46{BUx#`)0xYCL1}Frge-JgRtrM|FI7bsnYTzk zY(+R8bDgu0YdQwdD7h`dY(?eEeZ<<$s!RCJEa3l#6fR$Z-S8YO(Il;}cfEpBG@WDVqeIR1cm zMMWoS`(P&=kZmA#7IG}Fx1epYZ&5Zsv769sJE42*2kD%J>@lTtl6ey;v!-xKRwp{Y1??!+=t~AEG-i&ozW2;<1FNR;ulvweSW=4;NyGGtpNe2e zg&=fj+dNl%cQ@)1vFwb(0*fHxUM1)O5;;pq6QLMc4Vtk4y^(mJWNa1mVV8VSiJTE< zpxB~juTIT;3`5bD?qlG-M;%UTDJan=>uAfN8`3T>pRgfjdVo=^ z0UCrl1dM&GP(nenRC}WMw2lFzeOn$Fbi4;9v&Q-IykH=7K{v=t-PC!%dwdGpqx9m& z?hC%Gt(05+?O6B4T|VXBZpwY2h^{E`8kP{w`F`$|M$nq#N-;&InAWHz4KPJabL&s@ z8Y^X5(o!WH|9`KRq=-xz16dZZ>Zi~&S2nyt1euXvHtVL(11W(-(s z$sqR3iDr^pMeJxHI8sRFLG&4DU*GRt` zr>UPawma3;Rh?+G?kh*{p_mKW_ih7qG7gn*w6`k#tFm9oeVUcrh!q;s(5ut1D*U?GaLAExOY=Q+cq5=NRQ4pUuDCoBQ5QZd9TaWH&b^N&b7T zxy4%1nlQ|pQANhnes^`d=lh!&_Pj**BI%lq4k!m>nMNI3(L7q_W5

?y#PhKmAEtSunBwRr_OqWmv+HTSeJ*$kgM zNOFeHre70vS=`0v6Reoibses#*}5j1t~=r3yQI9-ifJso6jeScKzyASdGL_?N^?Zn zSWIf9rFvEP8HjLoji02Hs$}LywB2X0inac31!X^zHrh!ti<*>RW0Oh2d&={Z-Ess@ z__Pmp(^iVKcX#TV54mPLDffkxt2-%KNcpZ#%CV4gXD4Mmq}tM7jYQ6!gYs_GR29m}kkm+eRggKO62WbpYG}GiWb1r@V&Zwej zi04-E5Tt25bRW4rDfThZ3zK3W7i~(4ifYK;68H$B)HofZQDdq7?z`49(mksgX>-br zh~(YFO2r^#xIE^eSxRfE5N|?Gt(El1um^BkY}1BmCX zCZq9*(W}^S?KEZhsDCsjI^?z*`Y(Z$INu6~Bnpc|h<#bLC&qQp@ZdS58rV*s@ay5$ zXFN)wf4zWX?(Ah4FPd%@ZFm;+Qu0sKfM>yHdFT}$Ij_cIQlSgaf`8V>g1*MDP)b#L z7W}g=+dNya&02E*{cf&jEEnEmG2(ydre7*b|8h6&=^|}CMqiJK*RtL>#@52O;eq=z zY~d;}qVShyw96)|Y{nC^S}Z8&=^0#?_?Bh9IkIyTra^D=Y!r_Ns|yk21DHLAlja>V zqIFDzc3fy%7)R%EUI;D%mr#gpb~uu(9c@ZMF1t2F!b+SuP?f+^Ko~U+zveizjDRrw zEKDx-Ek1&OaO!A+sW~w-Ni23;?#jU+%8!je)D)6h(TFA)U{TVE^zI zY~rpukWMqnP-K@N@!98BXO}L%ROnZ_qQ znKJSZznR;>A$LP2=n*;m#k?8lQJr7x0(5C@{W49)Vp!8?McYlAeAkFtBwXi@At_FKVZL0sjiw{!~JmnTD7^JELg23_qlII zI;*!yuokANu@)($LH>cWyhw)e0x=&e zkezfnON0%F9#SH8fyj93&9md3o4%}f|#9?3CilG1+}5s_;CLG3xy z5sMZ4j1GkBtCN0FhYBRMGj8&uY5L65A$K($wvB^|OtjTh;$QuC=&-0mzF@6x$YI3< zVHKL!l@^^|0a&KRCQ~0x+CV}O&zN8Q&tH45c{0_mmlAZUWKzOoYh5YPsh3{Xe5G)w zrj&*)^Dfn1EVig1=s01^!V3*sAPu~3j;bJxgnr18&)sy*dygmFkNxDht|apPc_B&U zYcxsJu~ycTL}`cLi|N67l4!J(s~JrA^(4_+srH$!HFL4BW`44p_7bNbYvti=2d-j5 z(l482Wv!BNF`R&)Dx3DthR`v6_(R`>`VY+4V zjk&%be_4S-gqD!8<*Kshm}@YJQ2?KOM7sW>>i0HiBJY^U^YWnPcy@mRy3U=dvl*Y0 zG2bkE;|fC1WUz(POHWUjafP8H#r=C7G&n-T-GltVu5cldQ0IX&BuHtlAW5#!6B5y`8#`t*)DT zB;L(bDY8G*$$sBD*%9jb^P0aD+0S*d&##kR0^7uCksX0u;AI6a?ColZ&iIktHf7Q0 zY<|E$vK%c5q-`wV9)qF`Ni;eTAkvE}pIB9;T#q`{jvJ8!lr{+@gCao!<@1DTnDShA z;hjo5GP*_+h#LU#^Ikkx-pv`?o{+Xyzj2f!rq@|}H@G1#jgD$C+0*aD;SJ`smpz3) z3C%-mHWj7aD!^_X_@Uh+BTED}u?zY*5{0_h1Iahv%rwS&H z#l+sJDMcLTTVC-yjK!AbPigl&^c?ni?%7IN8Zd?cOn6&o29Rtd=0O-9SSB7YK)OLH3kd*hpsW+ z5d}g0k;~K{xxN|Uu%0LgDpwR3M8OLShmJC*l*EkI1=ctnWKJbqjJo&g9l^+xl}w7! 
z`nS^ca9v<7nDS-ec?hiacj$S*V3fsM(lET@c>n`lL9~wN!TdC@cpifFzkx6s?N|-X zAS%`qMr#Gzi?vw~f*@GUZhnsaav=Qw_2otQzw>uP z_+Ng7@DXw^VJ7>xO!!;mw?h!||GitBW7paL_4gkm_WEG%zC2XGfBn1Rgg<$O6aHQ~ zp#~o`uSIeEb&8`k9`FAr9@*Ds4*|Id$hWh$m?xIm|D&^(%iaCE5uqYFcu;38m*>-V zt=IzP&vJ&mCqj&aq zG*rluQ#vG}%CHjOZySPo$U;c75ePfi_)!;uYCT@TZ!NwbPD@%*6iR6cM!Uy8?gvUM zo$nfGhgs&rmS;{Ou}_52Y{fP`Q|6d@ZYMPKY)03%bgE(FtH@b(1ah`!IHO(U3}tX2 zdDsj^O)NXv4s;&b*eJ36;i(`OTX!)m8aiDd6K&2S)pPR^C8EU;{DE8O^>k$FvDEZFc_vsWEP`_gR~O%eHrsJEPy}s}JlqNX7r2xPg`J&}@)0uoFR2 zYKP%6E+nHLuD)*T43aL`J%^L3TPPG^K`G{$*xaeuRL(rGXSW7%_%DZ0DyV+Iz45XgfcQ$vB2SXxSQ~ zdTAv~a$Z>bHhcwo{oeb~yyTxhV+m=d<|Wj$_a5$Jho(Mn7pPH_TB8~#=wK-OX-%-* zgnZx4Kp%|1TO(A5BWx{zKzi$==RO}nFIQ&zyJe1P>=*suglwA&|E>h-7ycayVmsG8 zmx_jB9fTbP5_X(IXua#G>)XW}SKg z;h#HE?n@N@FVI^_0fa(F`1gDxfg^P6=mSMW6vAKMNazgRD&fz09NP71pGt7OLuY!M zp?%51zqYyXw@)rm?@JK=!k{PZrjBMw|2*=C%8_=Dw?25164W^ZvR{&3C5R{rO0e(z zk%CVVAYSALB32#R+YX;ZCJej<1EYr1Ll|$GGYbYH6kN7Xr4aeOg$TU&7L3k@fZ~hO zM~d3UZzGaH~HFeIpABA;WlxJ+a z#udL<~v&`@&IsQwDj2@(tFyb zSO5$$7XbGt^8On5+KCktEeAZU>Zi3Ij=L$ocH&0~cEa=m69}fRB9Bqz;nPGR)=Yz+ z@8*O}=?(;^KT9Mi(%!F~=##HtluBhxWU=XS>jIy9urSY7+y&+`KvI^|)x&Ta`WxNi_*NqK>4;{qZ%KjeKT$JQE%}->%>pRgU8V^h$mI zX~`es`a~x#&M(&S0eD-iBftz?5qM^C!bR-X7^yy_E$ffmvfSCKkhV<%;PU-=F4O{X z!SswLg)r%xN}Urcd@LIy+8@hyqyqv{v^RLnsw1$uFO=g;C1G2(eFnMe(m^^7G*vf@^f;t$o|eh1P!HTS{wvwf_U9HQciQ=if86jlEo`?MJ_*)Yez~KQL;`|D@U+ z(0SK{^b&WalcxOE952)i44^@iTu`W7?YlQup zIwlMiSW>)<4pQNq7^T$6W#2K}Jkv*fCcG5!xRgk}-Q4eLoVsVHeerFBuy?acoj3_) zci^#Mj|z%aHblh=mi!(Sox`9#Dmn`%!2+%I#6NQmoh*&2oy4D2?Tg;}rTFJ+dyxE0 z95KQa|6HkQA1jxUY2_5Be!+*H$OyT;x?Ih5=$F#BPLftANx z=P)o1wK|(silexgm~{^Wy>QMq*H1c!k! 
zHN%M`6o5VE@x@_ad{KZ%f#Ucte)Sy&#_!(4zyPA}+^>?({VFYmARIfA#oQXYyv?wHL7 zsN32@*-#hhmC-E4t%b?RQDDO&fqGWasVk`t@~YYAJ$sJ=8xo%QL_Ft-`J=!9T8G`$ zvtjMx90nJ~QDD?iQhG)kwJdFp*f}LKRoi7w&%~F-h}blE3&we;4_H5yYzqg0-9D-_ ziN6uRImT;4z(LB309*(pN=m`jDvt{RH;sGWB8eCiQg?hA>sxY5!ptQX>5|VR zUtBQ{dr^(4#?X)-BZin1s?_9@Mz{|ct{CEQ3`xDk*9Z{Igqi79f_1p*2sX}?bZrNu zxZ6+}azz`-h;l00eh24dEjTr68dWg`)Cu>J!}e_k{OE=lKd<9FO3ZeBB1-ZUt-~4Qc` zACTGW1ASl`eV~If3w=NhCHMhP3LDe(?duKo!Ejd}#J8gl_`)G)aIMh?FB))IZ9~9= zK6nAZIYF%t@NZ5ZWNY=opw|Zw!3*hw`lkB8y####C-M&g%+6P@5A=K0hpmk;S&x)H z7=(3AA5cpAfMZpUwrUWq!2VpOKD>ZF;QL%Lw4|~@A3!g8W?on61C|fGJ_x!<096E_ zZ_og+19V{;ln1ouOdlYII}Woo`aql&^nqk;p$|w#f9sG<(+52C>I1|T_*tb7HgC*W z*f+GHJ{UAy1$|&^YeTjus1wonscnheqz{G!s!pt8VWFcBkgn1Pc=>wt0SD}0Wk?_3 zMO~#2qTuKAM|}0@10=t`j^#JU{z$B2eas1p{IT}^nQG>j!cQGen2gl2{HnmAjo|(u zkM73FRTGCYih}-N^Dvn)ML{7|L5+46h%`S>I%v{Q7tC=TPQ5Iq3kJh(?;>M2t7b!E zv>oP0dwj|Pf8&&i;srZRl=W7BJJx-1mruF3n}UBYf9`V80)xQKBLydw4n}5)(E}X1 z{`jtL#`HquJ*ONs?l%;3`d%Ft`s!sWEsy(plCvTiw<&(LB@YNwN_}jKN@nx;Oe;c?dKzNH zIJZ}WTc@|tSxt8I1$7chV#sX*c+^f2R*DXQu`;%3w=|=LCEMjHn_ZMcOhw5x-;}05 zxcya5-==%V((;Kzhwh&|G4a5ex#P>zr{^Y)Po6yK?7t%==VG1`E*{<6-nsn7iHSE{ zbKRQ!x8as{ZXcNr41lp(`k|yKSf*f=i}$X<1zOxTuFJVz#dQVOUaqUSuIA$0Bljk* z8@S%Wbqm++Tt~U?=6WaBcXCZ~O>sTQHOqC1Yk})L*ZaA?kL!b6Kg#vvTtCJ2GhCnI zdW!3FT))8e1+M>r>o>UmJ=d4GBCfwHcpssy)iD1MY3srLbENme{>%Jc4gYVGw*TrZ z%MRRo;G7$qJ9F~nRSb1KY{A}I6vG# zg+HmQsD#Spzgw}Fns=NHh8|n7Cs<%G__E*om`VDdn zQ5!i#5GDO_14H`j_{*#3$BLU`arq^*Sz74*S_iCb=SW+zxkG1Z#%sI zz`a)=xEG}EKXC5q1LrbuJ3aS+JNmZ6ZfbJ?QqHaC^_Vy(iB&`0VuY$>r0FH{SE@hYp2bQ)5fh|72=nIh(sG zd(GTyvZ-^&r>0IUWv3?3O`ke*DqA`;KYx00dFn)_eD3VjaVl`e#mYJ_7RIf$HT|^` ztmta$IhRoI&gD0Ev+(=NBxXhe&V4s`AxPNJc)WA@nrlv;eh{#y78hwiFYh9c>ePQv zg!~${kpB%Qr{*49eyAwG3(7o7KGjXz%a6=YO@Oo0DzCObM*7>XIWRGC{M@<8`=`%d zbIrktiKU08Pfc{P-ln{&=kw(K?3(=7QTF8I($cB|2fV6g_sKLR{! 
z^S^mwV*d2>-15|7UkUQxO8)D)^xrRW7ln#G#VaC5Nw~hgy#dLIh&?fRYHDtI^5p9J zo(S!qrQD-D|9Ysq7U~`$y{LOT&zEsYg6`nbe@B2xFzn>&&9{r+qg=bW`r!fZOVjJ3 zPx#KbXgh!QvNZm4c=ox=(%mbhoqA+q@$~8CiRlx53@?!O#yu0)xctMHr(cPG3Htdq zn%cv)m+MNd*KpzeGXeiv?pJf|kV9Q_d1?m zsNU2ut{9UeVuIYa#w)g`}5BYC~S}CIRuaXX`471uA8}pYU$5gxkTxQxo+n=!gZAE4z4@7?&5kY*W0-6<~qhDFc)F($GJ|=-FkX% zD%>)6WD3c(FMIg(;>i;vzGG@>{`B0^)RC#l6H|*zYg01!kbiY3bNB9l7r5Mi{LIqw z=~M3T-FLg=!pz+Ae(|Iej$S{1a&mg^hV1x5lZ#7J%WpZe{J{R}JK4OHu|^ioOf4wyG}po|LVsri&K;K-almSnrp*&cE=JN zJpq0+l-Cuh`NdbI|11{TG(2zTDuzd#FwS)qSHTJE4bMAxui<$omxkvaE)CB=;?nSZ z2iN?`GY?MBb(nE}@$|VzCLWwxp5SSIYH|6Iv37r!_CC`Xryp4J;;L+acFn%*%D~tY z^UI4pzocfa`diUe`LA4&R%BXz5yA4+ERDa6j=y+inq1m;%w4%{>eSNl#p!uyVdB)( c^5luh2Nf+*n*aa+ literal 0 HcmV?d00001 diff --git a/examples/static-file-server/go.mod b/examples/static-file-server/go.mod new file mode 100644 index 00000000000..69cc2a932da --- /dev/null +++ b/examples/static-file-server/go.mod @@ -0,0 +1,3 @@ +module github.com/envoyproxy/static-file-server + +go 1.23.3 diff --git a/examples/static-file-server/go.sum b/examples/static-file-server/go.sum new file mode 100644 index 00000000000..e69de29bb2d diff --git a/examples/static-file-server/main.go b/examples/static-file-server/main.go new file mode 100644 index 00000000000..1a82c1ae37f --- /dev/null +++ b/examples/static-file-server/main.go 
@@ -0,0 +1,39 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package main
+
+import (
+ "flag"
+ "log"
+ "net/http"
+ "os"
+ "path"
+)
+
+var (
+ port string
+ directory string
+ certPath string
+)
+
+func main() {
+ flag.StringVar(&port, "port", "8080", "port to serve on")
+ flag.StringVar(&directory, "dir", "./files", "the directory of static file to host")
+ flag.StringVar(&certPath, "certPath", "/etc/certs", "path to extProcServer certificate and private key")
+ flag.Parse()
+
+ http.Handle("/", http.FileServer(http.Dir(directory)))
+
+ if _, err := os.Stat(path.Join(certPath, "tls.crt")); err != nil {
+ log.Printf("Serving %s on HTTP port: %s\n", directory, port)
+ log.Fatal(http.ListenAndServe(":"+port, nil))
+ return
+ }
+
+ log.Printf("Serving %s on HTTPS port: %s\n", directory, port)
+ log.Fatal(http.ListenAndServeTLS(":"+port,
+ path.Join(certPath, "tls.crt"), path.Join(certPath, "tls.key"), nil))
+}
diff --git a/examples/static-file-server/manifests/http.yaml b/examples/static-file-server/manifests/http.yaml
new file mode 100644
index 00000000000..e21fec0179c
--- /dev/null
+++ b/examples/static-file-server/manifests/http.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: static-file-server
+spec:
+ selector:
+ app: static-file-server
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 8443
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: static-file-server
+ labels:
+ app: static-file-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: static-file-server
+ template:
+ metadata:
+ labels:
+ app: static-file-server
+ spec:
+ containers:
+ - name: static-file-server
+ image: envoyproxy/gateway-static-file-server
+ imagePullPolicy: IfNotPresent
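Review bot: Any error from `os.Stat` on `tls.crt` sends `main` down the plaintext branch, so a permission problem or a mistyped `-certPath` silently downgrades a deployment that was meant to serve TLS. Only a missing file should select HTTP, e.g. `if _, err := os.Stat(crt); errors.Is(err, os.ErrNotExist) { /* serve HTTP */ } else if err != nil { log.Fatal(err) }`, with `"errors"` added to the import block. The check never looks at `tls.key`, and the `return` after `log.Fatal` is unreachable. Both listeners use the default `http.Server` without timeouts, so if this binary is reused outside the e2e fixture it should build an explicit `http.Server` with at least `ReadHeaderTimeout` set. The `-certPath` help text still says `extProcServer`, and `path.Join` on filesystem paths should be `filepath.Join`.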
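Review bot: The Service in http.yaml forwards port 443 to `targetPort: 8443`, but the Deployment passes no `args`, so the container starts on the `-port` default of 8080 from main.go and nothing listens on 8443. Either give the container `args: ["--port=8443"]` or, since this is the plaintext variant, use `port: 80` and `targetPort: 8080` as test/e2e/base/manifests.yaml does. The image reference `envoyproxy/gateway-static-file-server` carries no tag, so it resolves to `latest`, and combined with `imagePullPolicy: IfNotPresent` a node can keep serving an older copy of the bundled JWKS and Wasm files. The same untagged reference appears in manifests/tls.yaml and test/e2e/base/manifests.yaml.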
diff --git a/examples/static-file-server/manifests/httproute.yaml b/examples/static-file-server/manifests/httproute.yaml
new file mode 100644
index 00000000000..beaefdbb423
--- /dev/null
+++ b/examples/static-file-server/manifests/httproute.yaml
@@ -0,0 +1,22 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: backend
+spec:
+ parentRefs:
+ - name: eg
+ rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: static-file-server
+ port: 443
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /jwt
+ - path:
+ type: PathPrefix
+ value: /wasm
+---
diff --git a/examples/static-file-server/manifests/tls.yaml b/examples/static-file-server/manifests/tls.yaml
new file mode 100644
index 00000000000..d277452efd1
--- /dev/null
+++ b/examples/static-file-server/manifests/tls.yaml
@@ -0,0 +1,95 @@ +apiVersion: v1 +data: + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBb1ZHdnFwUzVkSzd1dktYRDlWOWFlWjNjTlpsS21VSTlQTUFlNWF5TDFTU2FlUXhjCnoyekJ4UTkxVGJCd3dmQzZYZUxodWsxTjA5NVVPYno2dE5TeCtHelloK2VFYm1oVllHQTBGWk1YY1hOdEdIK3oKUDc3UFBZK0NBQ0tpeHh0clpXZU9FdXYwTHVRUHNHMWZsaWdjSVVMSm82Zk9oWGxZd21rRGl3SEdBMjhsWWcxawpRS0QwaDhpVkhUb3N1SXd5c0VUbEFxRDh1Y05FbWNzVU5OVUV2dXlOaUpSaTVXWVNEZld0bjFtWG01dUE2b2c2CmRKMDNkMHpkZHBHa0V4b1ZUSDAvMCt1RndyTExsTjBMSHJTa2RxeitGSFZweWtuSldCOE5RSzZ4TTlscE5ubksKeml1RnVoakJmZkt1OG51aDdTendGMWhLUm81SUFzZ0tJNDVlUlFJREFRQUJBb0lCQVFDVGlZUGh2TGVJa2R6aQpSN0RhbnVTK1NiUDJpVVlDdU9RTXhhRDhhVHhTS1hIbHQzckNjak1kcVMrZFovc1lSTFFOM2N5WWVNN3ZNRzFUCmlSUzVnYlZyQVJGZjZrdmlOaVd2U1EwWmxqZGdtVEp6cjRjZWk4STZDUi9hUTlNZnltSUVraHNNRHlSNkpqWjcKSXV6REJkZ0VTM0xpN0R3ak1vSU0rOEl6eGVGMWpTT1ErTjlLcTB3QzMzVzFuOVdIYXZWcWZvcjI0bmVySG9FcwozNmlUMncvdkU1dFJBTFlEbjh6MFp5YUM1d3Nnb3FyTG5UWXlMcnVKWnNGa1NxN25GWEE3cjhXL0dLQjBoL3ZaCmNzYkRlWU1WMjJNckdRTzhYSlAwM3J0cm9DQWJmUUhRd3lEbnpsTFJ3blNGRmhjV0F5UW9qbkozb0RQbzhZaXoKam1meVd5WlpBb0dCQU0vZGtqMGhFZm05SHBBL1dyTGVEb0V5WWtKL3N1R3RyWlpSNS9INnJieHphQ2FlQ3B0UApZQ25JcnBoMjRVYWFvaXFJY0pnazRXRjBmU3RhRnh0SkxSYXpBVElUUFlCZjF0OEEwYkhjN3UxMExiWlZkMG5uCk1lWVJPYlhzQXlvdmxNcm1ZclBPWWFXSEtJL1oyT3NLeC83UkhTcnEwZm1ZcUFYSXpzK2V1Ryt6QW9HQkFNYXMKem9YdlJwVDZGNndYaU5QemFqamc5MHJFMFhZZ0g3VkEvWHJsbUp5MVFRYy8rZzJ1ZXVYMGJ5aVhYY0FMY3BINAoybFlYcEZaelNPRkd6Z01DMEtuQkJyWmxsYWIweUczbWhsWjRtbkFhbmtSUFh4bWpDdmgvZmtkYStlQ1RCMFdHCjBOY3RQSFVvSk9GNWpLNmtxVy9rWVpkWVRPV1FjczNybURFWCtENG5Bb0dCQUwwdkhRenp6MGRyMzZoTGNRSUEKWmxVaUJSb2UzVERYQUhraWZLYllqMDFJQUErOW9VdXZWNGRQOWRBZnluS1hCR2NQbk9Kc0ZwQzdFN3prRnNtbgp0UmpHdkp6VnRCRGxxVXQzbEdKOEFSMHVzdmdUR3ltdytOSTY5VHBrM3BDRGs3bURLMndZdHZpUFpkUmU0alV4CnI4cDBpa1pvUjhrU0xrSnRmQVNzb1pKUEFvR0FWSTk4bjNrR082WnVxT3FqYkVMd2RTRWJZQkdCYlp1aW8wejAKRm5qZWllU0R0d2c5NzlEUnNrcGxmWXRmZGJ2cG1jT25lbms1a3lvaVhPLzhBMEFSZkE4U1FsUGViRjlIWjY5MApnaDEyN2p3R0hPRURneS9v
SFhoMlVQeWgyam42SUZlUFQrYUxFdnB4S0I3S0NCTkJvc1E3M1dUUjVldWpVWTN6CkN3SSt3SVVDZ1lFQXJVQ0k4cng3MVd4S3A0dnNObTJpM2JlT3lYa3dVaFhKUmhmL0cwZk5vc2FhT0RvVEdNT1oKVlRRci9hVWJlQ2pWMlZENTEyVkJEQlZnYUNnZ1ZZS3pSMXpJSDFlMXZzVjhQVjN1Snh0Q2FLT3daTHV4OS9HQQp0QzJOKzFTY05GWkxtU3Z0MzU2WG5EL3VwRUcyeVMydmFURDU1K3FVUlVFWk1TWDlPdFpSL2JBPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + name: static-file-server-tls +type: kubernetes.io/tls +--- +apiVersion: v1 +kind: Service +metadata: + name: static-file-server +spec: + selector: + app: static-file-server + ports: + - protocol: TCP + port: 443 + targetPort: 8443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: static-file-server + labels: + app: static-file-server +spec: + replicas: 1 + selector: + matchLabels: + app: static-file-server + template: + metadata: + labels: + app: static-file-server + spec: + containers: + - name: static-file-server + image: envoyproxy/gateway-static-file-server + imagePullPolicy: IfNotPresent + args: + - "--certPath=/app/certs" + - "--port=8443" + volumeMounts: + - name: secret-volume + mountPath: /app/certs + volumes: + - name: secret-volume + secret: + secretName: static-file-server-tls +--- +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: BackendTLSPolicy +metadata: + name: static-file-server +spec: + targetRefs: + - group: "" + kind: Service + name: static-file-server + sectionName: "443" + validation: + caCertificateRefs: + - name: backend-tls-checks-certificate + group: "" + kind: ConfigMap + hostname: example.com +--- +apiVersion: v1 +data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDQzCCAiugAwIBAgIBATANBgkqhkiG9w0BAQsFADBCMRMwEQYDVQQKEwpFbnZv + eVByb3h5MRAwDgYDVQQLEwdHYXRld2F5MRkwFwYDVQQDExBFbnZveSBHYXRld2F5 + IENBMCAXDTI0MDMxMDE1MzIxN1oYDzIxMjQwMzEwMTYzMjE3WjBCMRMwEQYDVQQK + EwpFbnZveVByb3h5MRAwDgYDVQQLEwdHYXRld2F5MRkwFwYDVQQDExBFbnZveSBH + YXRld2F5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7ZFmGB4e + 
m1KdGEohAZBfqydAEGLDHJ1YyfHWdd+vBAevdW64bZx3pggJOtgCnePuFd02rDQS + dlsJlX/6mFtoQilo6wvxDSJRfaTDbtfTjw+7k8yfd/Jsmh0RWG+UeyI7Na9sXAz7 + b57mpxsCoNowzeK5ETiOGGNWPcjENJkSnBarz5muN00xIZWBU+yN5PLJNxZvxpZJ + Ol/SSI8sno0e0PxAmp3fe7QaXiZj/TAGJPGuTJkUxrHqyZGJtYUxsS8A0dT1zBjj + izA5Dp+b5yzYo23Hh7BgpbZ7X4gsDThFuwCD6fHyepuv2zHPqvSsdqg2hAhDp91R + zrn7a9GxG2VSIwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw + AwEB/zAdBgNVHQ4EFgQUUpP1aZ1M2KIuPPWrNPDV2c5CngowDQYJKoZIhvcNAQEL + BQADggEBAGSEkAVz+Z0qS4FmA0q4SCpIIq64bsdEjiUzev7pK1LEK0/Y28QBPixV + cUXfax18VPR9pls1JgXto9qY+C0hnRZic6611QTJlWK1p6dinQ/eDdYCBC+nv5xx + ssASwmplIxMvj3S1qF6dr7sMI2ZVD5HElTWdO19UBLyhiKKZW2KxDsYj+5NRwGFe + G+JuDgq7njUM8mdyYk0NehefdBUEUUCQtnwUtW95/429XwqQROuRDteGT9kjD+Y5 + ea5mW4mfqLeuGJXZs9bdWjKKdLQPrn9IshPysWqz2Hz8dQ1f7N9/g8UWVSjd4cyx + S5EAolzVv0yB7wHCWCgfG/ckdOTUNnE= + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: backend-tls-checks-certificate diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index c7390d6d70d..34ccc08390a 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -567,3 +567,38 @@ spec: protocol: TCP port: 19001 targetPort: 19001 +--- +apiVersion: v1 +kind: Service +metadata: + name: static-file-server + namespace: gateway-conformance-infra +spec: + selector: + app: static-file-server + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: static-file-server + namespace: gateway-conformance-infra + labels: + app: static-file-server +spec: + replicas: 1 + selector: + matchLabels: + app: static-file-server + template: + metadata: + labels: + app: static-file-server + spec: + containers: + - name: static-file-server + image: envoyproxy/gateway-static-file-server + imagePullPolicy: IfNotPresent diff --git a/test/e2e/testdata/authorization-jwt.yaml b/test/e2e/testdata/authorization-jwt.yaml index 5d3e31ea12e..0c1b5e27c66 100644 
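Review bot: The Secret `static-file-server-tls` in tls.yaml commits an RSA private key under `tls.key`, and nothing in the file marks it as a throwaway fixture. A leading comment such as `# Test-only key pair for the static-file-server example; never reuse outside examples/e2e` would make the intent explicit, and the path probably belongs in whatever secret-scanner allowlist the repository keeps (none is visible here). The BackendTLSPolicy validates `hostname: example.com` against the CA in `backend-tls-checks-certificate`, so the certificate in `tls.crt` must be issued by that CA with a matching SAN. That cannot be confirmed from this hunk.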
--- a/test/e2e/testdata/authorization-jwt.yaml +++ b/test/e2e/testdata/authorization-jwt.yaml @@ -64,7 +64,7 @@ spec: - name: example issuer: https://foo.bar.com remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json authorization: defaultAction: Deny rules: @@ -97,7 +97,7 @@ spec: - name: example issuer: https://foo.bar.com remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json authorization: defaultAction: Deny rules: @@ -123,7 +123,7 @@ spec: - name: example issuer: https://foo.bar.com remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json authorization: defaultAction: Deny rules: diff --git a/test/e2e/testdata/jwt-optional.yaml b/test/e2e/testdata/jwt-optional.yaml index d5ca319fa03..1a6d2e01c5c 100644 --- a/test/e2e/testdata/jwt-optional.yaml +++ b/test/e2e/testdata/jwt-optional.yaml @@ -19,7 +19,7 @@ spec: - claim: name header: x-name remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json optional: true --- apiVersion: gateway.networking.k8s.io/v1 diff --git a/test/e2e/testdata/jwt.yaml b/test/e2e/testdata/jwt.yaml index 01cb370651d..32b1d96dcc0 100644 --- a/test/e2e/testdata/jwt.yaml +++ b/test/e2e/testdata/jwt.yaml @@ -20,7 +20,7 @@ spec: - claim: name header: x-name remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute 
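Review bot: `remoteJWKS.uri` now points at `http://static-file-server.gateway-conformance-infra/jwt/jwks.json`, so the keys that decide which tokens are accepted are fetched over plaintext inside the cluster where they previously came over HTTPS. That is a reasonable trade for removing the GitHub dependency from e2e, but testdata tends to be copied into real policies. A comment above each `uri`, for example `# e2e only: in-cluster fixture served over HTTP; real JWKS endpoints should use HTTPS`, would keep the pattern from spreading. The same change is made in all three hunks of authorization-jwt.yaml and in jwt-optional.yaml, jwt.yaml and ratelimit-based-jwt-claims.yaml.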
diff --git a/test/e2e/testdata/ratelimit-based-jwt-claims.yaml b/test/e2e/testdata/ratelimit-based-jwt-claims.yaml index 2d01996c981..7c72421fed9 100644 --- a/test/e2e/testdata/ratelimit-based-jwt-claims.yaml +++ b/test/e2e/testdata/ratelimit-based-jwt-claims.yaml @@ -12,7 +12,7 @@ spec: providers: - name: example remoteJWKS: - uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json + uri: http://static-file-server.gateway-conformance-infra/jwt/jwks.json claimToHeaders: - claim: name header: x-claim-name diff --git a/test/e2e/testdata/wasm-http.yaml b/test/e2e/testdata/wasm-http.yaml index 856d381a517..080fa3e4976 100644 --- a/test/e2e/testdata/wasm-http.yaml +++ b/test/e2e/testdata/wasm-http.yaml @@ -69,7 +69,7 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: http://static-file-server.gateway-conformance-infra/wasm/envoy_filter_http_wasm_example.wasm sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0 --- apiVersion: gateway.envoyproxy.io/v1alpha1 @@ -88,4 +88,4 @@ spec: code: type: HTTP http: - url: https://raw.githubusercontent.com/envoyproxy/examples/main/wasm-cc/lib/envoy_filter_http_wasm_example.wasm + url: http://static-file-server.gateway-conformance-infra/wasm/envoy_filter_http_wasm_example.wasm diff --git a/tools/make/examples.mk b/tools/make/examples.mk index e0e01e190d6..839d376aa19 100644 --- a/tools/make/examples.mk +++ b/tools/make/examples.mk @@ -1,5 +1,5 @@ -EXAMPLE_APPS := grpc-ext-auth envoy-als grpc-ext-proc http-ext-auth preserve-case-backend +EXAMPLE_APPS := grpc-ext-auth envoy-als grpc-ext-proc http-ext-auth preserve-case-backend static-file-server EXAMPLE_IMAGE_PREFIX ?= envoyproxy/gateway- EXAMPLE_TAG ?= latest @@ -26,4 +26,4 @@ go.mod.tidy.examples: pushd $(ROOT_DIR)/examples/$$app; \ go mod tidy -compat=$(GO_VERSION); \ popd; \ - done \ No newline at end of file + done 
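Review bot: In the second wasm-http.yaml hunk (`@@ -88,4 +88,4 @@`) the Wasm module is now downloaded over plaintext HTTP and, unlike the first extension, no `sha256` follows the `url` in the visible lines, so nothing ties the loaded code to a known binary. Unless the missing digest is itself what this case tests, add the value the first hunk already pins for the same file name, `sha256: 79c9f85128bb0177b6511afa85d587224efded376ac0ef76df56595f1e6315c0`, after checking that it matches the `.wasm` committed under examples/static-file-server/files/wasm. The hunk stops at the `url` line, so a key further down the file would not be visible here.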
From 37ef109bead660733bcffe52f3b21415f6eee0d5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 17:46:39 +0800 Subject: [PATCH 399/523] build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates (#4693) * build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates Bumps the go-opentelemetry-io group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.31.0` | `1.32.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.31.0` | `1.32.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.31.0` | `1.32.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.53.0` | `0.54.0` | | [go.opentelemetry.io/otel/exporters/stdout/stdoutmetric](https://github.com/open-telemetry/opentelemetry-go) | `1.31.0` | `1.32.0` | Updates `go.opentelemetry.io/otel` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - 
[Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.53.0 to 0.54.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.53.0...exporters/prometheus/v0.54.0) Updates `go.opentelemetry.io/otel/exporters/stdout/stdoutmetric` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/metric` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) Updates `go.opentelemetry.io/otel/sdk` from 1.31.0 to 1.32.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.32.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: 
version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdoutmetric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] * fix test Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- examples/extension-server/go.mod | 4 +- examples/extension-server/go.sum | 8 ++-- go.mod | 24 +++++----- go.sum | 48 +++++++++---------- internal/metrics/testdata/counter_metric.json | 3 +- internal/metrics/testdata/gauge_metric.json | 3 +- .../metrics/testdata/histogram_metric.json | 3 +- 7 files changed, 48 insertions(+), 45 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 24e910c1ddf..6ee602741b3 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.31.0 // indirect golang.org/x/sys v0.27.0 // indirect golang.org/x/text v0.20.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index c572782b694..023da3e9b9e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -107,10 +107,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= diff --git a/go.mod b/go.mod index 59d3ffde5fb..2519f4ab3e4 100644 --- a/go.mod +++ b/go.mod 
@@ -34,13 +34,13 @@ require ( github.com/stretchr/testify v1.9.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.10.0 - go.opentelemetry.io/otel v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 - go.opentelemetry.io/otel/exporters/prometheus v0.53.0 - go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0 - go.opentelemetry.io/otel/metric v1.31.0 - go.opentelemetry.io/otel/sdk/metric v1.31.0 + go.opentelemetry.io/otel v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 + go.opentelemetry.io/otel/exporters/prometheus v0.54.0 + go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 + go.opentelemetry.io/otel/metric v1.32.0 + go.opentelemetry.io/otel/sdk/metric v1.32.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e @@ -246,7 +246,7 @@ require ( github.com/google/uuid v1.6.0 // indirect github.com/gorilla/websocket v1.5.1 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect github.com/imdario/mergo v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -272,8 +272,8 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/tsaarni/x500dn v1.0.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/otel/sdk v1.31.0 - go.opentelemetry.io/otel/trace v1.31.0 // indirect + go.opentelemetry.io/otel/sdk v1.32.0 + go.opentelemetry.io/otel/trace v1.32.0 // indirect go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect @@ -285,8 +285,8 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 - google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 + google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/component-base v0.31.2 // indirect diff --git a/go.sum b/go.sum index 449ba4b60db..5d34e722723 100644 --- a/go.sum +++ b/go.sum 
@@ -447,8 +447,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -894,32 +894,32 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= -go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 h1:FZ6ei8GFW7kyPYdxJaV2rgI6M+4tvZzhYsQ2wgyVC08= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0/go.mod h1:MdEu/mC6j3D+tTEfvI15b5Ci2Fn7NneJ71YMoiS3tpI= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 h1:ZsXq73BERAiNuuFXYqP4MR5hBrjXfMGSO+Cx7qoOZiM= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0/go.mod h1:hg1zaDMpyZJuUzjFxFsRYBoccE86tM9Uf4IqNMUxvrY= +go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= +go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace 
v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/exporters/prometheus v0.53.0 h1:QXobPHrwiGLM4ufrY3EOmDPJpo2P90UuFau4CDPJA/I= -go.opentelemetry.io/otel/exporters/prometheus v0.53.0/go.mod h1:WOAXGr3D00CfzmFxtTV1eR0GpoHuPEu+HJT8UWW2SIU= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0 h1:HZgBIps9wH0RDrwjrmNa3DVbNRW60HEhdzqZFyAp3fI= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.31.0/go.mod h1:RDRhvt6TDG0eIXmonAx5bd9IcwpqCkziwkOClzWKwAQ= +go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU= +go.opentelemetry.io/otel/exporters/prometheus v0.54.0/go.mod h1:QyjcV9qDP6VeK5qPyKETvNjmaaEc7+gqjh4SS0ZYzDU= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0 h1:VhlEQAPp9R1ktYfrPk5SOryw1e9LDDTZCbIPFrho0ec= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0/go.mod h1:kB3ufRbfU+CQ4MlUcqtW8Z7YEOBeK2DJ6CmR5rYYF3E= -go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= -go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= -go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= -go.opentelemetry.io/otel/sdk v1.31.0/go.mod 
h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= -go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= -go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= -go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= -go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= +go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= +go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= +go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= +go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= +go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= +go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= +go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.starlark.net v0.0.0-20240520160348-046347dcd104 h1:3qhteRISupnJvaWshOmeqEUs2y9oc/+/ePPvDh3Eygg= 
@@ -1088,10 +1088,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= diff --git a/internal/metrics/testdata/counter_metric.json b/internal/metrics/testdata/counter_metric.json index 2c1859a3d45..62b17ac82e1 100644 --- a/internal/metrics/testdata/counter_metric.json +++ b/internal/metrics/testdata/counter_metric.json 
@@ -20,7 +20,8 @@ "Scope": { "Name": "envoy-gateway", "Version": "", - "SchemaURL": "" + "SchemaURL": "", + "Attributes": null }, "Metrics": [ { diff --git a/internal/metrics/testdata/gauge_metric.json b/internal/metrics/testdata/gauge_metric.json index 7641f17cbee..976d5cf3e40 100644 --- a/internal/metrics/testdata/gauge_metric.json +++ b/internal/metrics/testdata/gauge_metric.json @@ -20,7 +20,8 @@ "Scope": { "Name": "envoy-gateway", "Version": "", - "SchemaURL": "" + "SchemaURL": "", + "Attributes": null }, "Metrics": [ { diff --git a/internal/metrics/testdata/histogram_metric.json b/internal/metrics/testdata/histogram_metric.json index 0054be03640..70571a68f2e 100644 --- a/internal/metrics/testdata/histogram_metric.json +++ b/internal/metrics/testdata/histogram_metric.json @@ -20,7 +20,8 @@ "Scope": { "Name": "envoy-gateway", "Version": "", - "SchemaURL": "" + "SchemaURL": "", + "Attributes": null }, "Metrics": [ { From c9ae04525da89f30fc8858d6d8e736ac2b364022 Mon Sep 17 00:00:00 2001 From: Ardika Date: Fri, 15 Nov 2024 16:47:04 +0700 Subject: [PATCH 400/523] fix: loosen JWT issuer validation (#4662) * fix: JWT issuer validation Signed-off-by: Ardika Bagus * docs: add release note Signed-off-by: Ardika Bagus --------- Signed-off-by: Ardika Bagus --- .../validation/securitypolicy_validate.go | 19 ++++++++--- .../securitypolicy_validate_test.go | 32 +++++++++++++++++-- release-notes/current.yaml | 2 +- 3 files changed, 45 insertions(+), 8 deletions(-) diff --git a/api/v1alpha1/validation/securitypolicy_validate.go b/api/v1alpha1/validation/securitypolicy_validate.go index 628d3f80173..64425afdd6a 100644 --- a/api/v1alpha1/validation/securitypolicy_validate.go +++ b/api/v1alpha1/validation/securitypolicy_validate.go @@ -10,6 +10,7 @@ import ( "fmt" "net/mail" "net/url" + "strings" utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/validation" 
@@ -69,13 +70,21 @@ func ValidateJWTProvider(providers []egv1a1.JWTProvider) error { case len(provider.Name) == 0: errs = append(errs, errors.New("jwt provider cannot be an empty string")) case len(provider.Issuer) != 0: - // Issuer can take the format of a URL or an email address. - if _, err := url.ParseRequestURI(provider.Issuer); err != nil { - _, err := mail.ParseAddress(provider.Issuer) - if err != nil { - errs = append(errs, fmt.Errorf("invalid issuer; must be a URL or email address: %w", err)) + switch { + // Issuer follows StringOrURI format based on https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1. + // Hence, when it contains ':', it MUST be a valid URI. + case strings.Contains(provider.Issuer, ":"): + if _, err := url.ParseRequestURI(provider.Issuer); err != nil { + errs = append(errs, fmt.Errorf("invalid issuer; when issuer contains ':' character, it MUST be a valid URI")) + } + // Adding reserved character for '@', to represent an email address. + // Hence, when it contains '@', it MUST be a valid Email Address. + case strings.Contains(provider.Issuer, "@"): + if _, err := mail.ParseAddress(provider.Issuer); err != nil { + errs = append(errs, fmt.Errorf("invalid issuer; when issuer contains '@' character, it MUST be a valid Email Address format: %w", err)) } } + case len(provider.RemoteJWKS.URI) == 0: errs = append(errs, fmt.Errorf("uri must be set for remote JWKS provider: %s", provider.Name)) } diff --git a/api/v1alpha1/validation/securitypolicy_validate_test.go b/api/v1alpha1/validation/securitypolicy_validate_test.go index 489c7644f8b..460a0edbb79 100644 --- a/api/v1alpha1/validation/securitypolicy_validate_test.go +++ b/api/v1alpha1/validation/securitypolicy_validate_test.go 
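Review bot: A provider that sets `Issuer` never reaches the `case len(provider.RemoteJWKS.URI) == 0:` check, because the issuer validation lives in `case len(provider.Issuer) != 0:` of what looks like the same `switch`, and Go runs only the first matching case; the commit rewrites that case but keeps the arrangement. As far as this hunk shows, an issuer combined with an empty remote JWKS URI passes validation, although the function starts and continues outside the hunk, so a later check may still catch it. Running the checks as independent `if` statements closes the gap. The `':'` branch also discards the parse error while the `'@'` branch wraps it, so its message should end in `: %w` with `err`.

```go
// … unchanged: provider.Name check …
if issuer := provider.Issuer; issuer != "" {
	switch {
	case strings.Contains(issuer, ":"):
		if _, err := url.ParseRequestURI(issuer); err != nil {
			errs = append(errs, fmt.Errorf("invalid issuer; when issuer contains ':' character, it MUST be a valid URI: %w", err))
		}
	case strings.Contains(issuer, "@"):
		// … unchanged: mail.ParseAddress check …
	}
}
if len(provider.RemoteJWKS.URI) == 0 {
	errs = append(errs, fmt.Errorf("uri must be set for remote JWKS provider: %s", provider.Name))
}
```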
@@ -41,7 +41,7 @@ func TestValidateSecurityPolicy(t *testing.T) { expected: false, }, { - name: "valid security policy with url", + name: "valid security policy with URI issuer", policy: &egv1a1.SecurityPolicy{ TypeMeta: metav1.TypeMeta{ Kind: egv1a1.KindSecurityPolicy, @@ -69,7 +69,7 @@ func TestValidateSecurityPolicy(t *testing.T) { expected: true, }, { - name: "valid security policy with email", + name: "valid security policy with Email issuer", policy: &egv1a1.SecurityPolicy{ TypeMeta: metav1.TypeMeta{ Kind: egv1a1.KindSecurityPolicy, @@ -96,6 +96,34 @@ func TestValidateSecurityPolicy(t *testing.T) { }, expected: true, }, + { + name: "valid security policy with non URI/Email Issuer", + policy: &egv1a1.SecurityPolicy{ + TypeMeta: metav1.TypeMeta{ + Kind: egv1a1.KindSecurityPolicy, + APIVersion: egv1a1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.SecurityPolicySpec{ + JWT: &egv1a1.JWT{ + Providers: []egv1a1.JWTProvider{ + { + Name: "test", + Issuer: "foo.bar.local", + Audiences: []string{"foo.bar.local"}, + RemoteJWKS: egv1a1.RemoteJWKS{ + URI: "https://test.local/jwt/public-key/jwks.json", + }, + }, + }, + }, + }, + }, + expected: true, + }, { name: "valid security policy with jwtClaimToHeader", policy: &egv1a1.SecurityPolicy{ diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 2e2df4724ab..8c68e85d4d0 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -27,4 +27,4 @@ deprecations: | # Other notable changes not covered by the above sections. Other changes: | - Add other changes here + [SecurityPolicy] Modify the JWT Provider Issuer validation constraint From 0f68219d191b2b1d5953d59945c5e174db229c1c Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 16 Nov 2024 00:34:41 +0800 Subject: [PATCH 401/523] e2e: skip some test on IPv6/non-dual (#4726) * skip test 
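Review bot: The two new rejection paths in the issuer validation have no failing test case in the visible hunks; the only case added, `valid security policy with non URI/Email Issuer`, is a positive one. A case with `expected: false` for an issuer that contains `:` but fails `url.ParseRequestURI`, and another for an issuer that contains `@` but fails `mail.ParseAddress`, would pin the behaviour this commit introduces. The test table continues outside these hunks, so such cases may already exist there.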
Signed-off-by: zirain --- test/e2e/e2e_test.go | 16 +++++++++++++--- test/e2e/tests/backend_dualstack.go | 15 +-------------- test/e2e/tests/httproute_dualstack.go | 16 +--------------- test/e2e/tests/ratelimit.go | 12 ++++++++++++ test/e2e/tests/utils.go | 3 +++ 5 files changed, 30 insertions(+), 32 deletions(-) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 7267bbd2d75..8e980152e3d 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -39,6 +39,18 @@ func TestE2E(t *testing.T) { *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug) } + skipTests := []string{ + tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191 + } + + // Skip test only work on DualStack cluster + if tests.IPFamily != "dual" { + skipTests = append(skipTests, + tests.BackendDualStackTest.ShortName, + tests.HTTPRouteDualStackTest.ShortName, + ) + } + cSuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, RestConfig: cfg, @@ -50,9 +62,7 @@ func TestE2E(t *testing.T) { // SupportedFeatures cannot be empty, so we set it to SupportGateway // All e2e tests should leave Features empty. SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), - SkipTests: []string{ - tests.GatewayInfraResourceTest.ShortName, // https://github.com/envoyproxy/gateway/issues/3191 - }, + SkipTests: skipTests, AllowCRDsMismatch: *flags.AllowCRDsMismatch, }) if err != nil { diff --git a/test/e2e/tests/backend_dualstack.go b/test/e2e/tests/backend_dualstack.go index c7db450824e..63d23f69341 100644 --- a/test/e2e/tests/backend_dualstack.go +++ b/test/e2e/tests/backend_dualstack.go @@ -9,7 +9,6 @@ package tests import ( - "os" "testing" "k8s.io/apimachinery/pkg/types" 
@@ -20,11 +19,7 @@ import ( // If the environment is not dual, the IPv6 manifest cannot be applied, so the test will be skipped. func init() { - if os.Getenv("IP_FAMILY") == "dual" { - ConformanceTests = append(ConformanceTests, BackendDualStackTest) - } else { - ConformanceTests = append(ConformanceTests, SkipBackendDualStackTest) - } + ConformanceTests = append(ConformanceTests, BackendDualStackTest) } var BackendDualStackTest = suite.ConformanceTest{ @@ -63,11 +58,3 @@ func runBackendDualStackTest(t *testing.T, suite *suite.ConformanceTestSuite, ns http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) } - -var SkipBackendDualStackTest = suite.ConformanceTest{ - ShortName: "BackendDualStack", - Description: "Skipping BackendDualStack test as IP_FAMILY is not dual", - Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { - t.Skip("Skipping BackendDualStack test as IP_FAMILY is not dual") - }, -} diff --git a/test/e2e/tests/httproute_dualstack.go b/test/e2e/tests/httproute_dualstack.go index 0e969577870..b01fc392a12 100644 --- a/test/e2e/tests/httproute_dualstack.go +++ b/test/e2e/tests/httproute_dualstack.go @@ -9,7 +9,6 @@ package tests import ( - "os" "testing" "k8s.io/apimachinery/pkg/types" @@ -18,13 +17,8 @@ import ( "sigs.k8s.io/gateway-api/conformance/utils/suite" ) -// If the environment is not dual, the IPv6 manifest cannot be applied, so the test will be skipped. func init() { - if os.Getenv("IP_FAMILY") == "dual" { - ConformanceTests = append(ConformanceTests, HTTPRouteDualStackTest) - } else { - ConformanceTests = append(ConformanceTests, SkipHTTPRouteDualStackTest) - } + ConformanceTests = append(ConformanceTests, HTTPRouteDualStackTest) } var HTTPRouteDualStackTest = suite.ConformanceTest{ 
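Review bot: The comment kept above `init()` in `backend_dualstack.go`, `// If the environment is not dual, the IPv6 manifest cannot be applied, so the test will be skipped.`, no longer describes the code beneath it, because `init()` now registers `BackendDualStackTest` unconditionally. The same comment was removed from `httproute_dualstack.go` in this commit, so the two files are now inconsistent. Either drop it here as well or reword it to say where the skip happens, for example `// Skipped through SkipTests in e2e_test.go unless IP_FAMILY is "dual".`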
@@ -63,11 +57,3 @@ func runHTTPRouteTest(t *testing.T, suite *suite.ConformanceTestSuite, ns string http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse) } - -var SkipHTTPRouteDualStackTest = suite.ConformanceTest{ - ShortName: "HTTPRouteDualStack", - Description: "Skipping HTTPRouteDualStack test as IP_FAMILY is not dual", - Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { - t.Skip("Skipping HTTPRouteDualStack test as IP_FAMILY is not dual") - }, -} diff --git a/test/e2e/tests/ratelimit.go b/test/e2e/tests/ratelimit.go index 17ce6d245cf..799b6bbece0 100644 --- a/test/e2e/tests/ratelimit.go +++ b/test/e2e/tests/ratelimit.go @@ -37,6 +37,10 @@ var RateLimitCIDRMatchTest = suite.ConformanceTest{ Description: "Limit all requests that match CIDR", Manifests: []string{"testdata/ratelimit-cidr-match.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + if IPFamily == "ipv6" { + t.Skip("Skipping test as IP_FAMILY is IPv6") + } + t.Run("block all ips", func(t *testing.T) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "cidr-ratelimit", Namespace: ns} @@ -484,6 +488,10 @@ var RateLimitMultipleListenersTest = suite.ConformanceTest{ Description: "Limit requests on multiple listeners", Manifests: []string{"testdata/ratelimit-multiple-listeners.yaml"}, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { + if IPFamily == "ipv6" { + t.Skip("Skipping test as IP_FAMILY is IPv6") + } + t.Run("block all ips on listener 80 and 8080", func(t *testing.T) { ns := "gateway-conformance-infra" routeNN := types.NamespacedName{Name: "cidr-ratelimit", Namespace: ns} 
@@ -549,6 +557,10 @@ var RateLimitHeadersAndCIDRMatchTest = suite.ConformanceTest{ gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) t.Run("all matched both headers and cidr can got limited", func(t *testing.T) { + if IPFamily == "ipv6" { + t.Skip("Skipping test as IP_FAMILY is IPv6") + } + requestHeaders := map[string]string{ "x-user-id": "one", "x-user-org": "acme", diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index c63cad1e579..a7834fbaaa3 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go @@ -14,6 +14,7 @@ import ( "net" "net/http" "net/url" + "os" "strconv" "strings" "testing" @@ -44,6 +45,8 @@ import ( tb "github.com/envoyproxy/gateway/internal/troubleshoot" ) +var IPFamily = os.Getenv("IP_FAMILY") + const defaultServiceStartupTimeout = 5 * time.Minute var PodReady = corev1.PodCondition{Type: corev1.PodReady, Status: corev1.ConditionTrue} From 62f5df81f29b3bfc0f0279837fe40d93e9f18e3a Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 16 Nov 2024 01:23:26 +0800 Subject: [PATCH 402/523] e2e: fix EnvoyGatewayBackend/TLSRouteBackendIP test not working on IPv6 first cluster (#4727) * fix EnvoyGatewayBackend cluter IP test Signed-off-by: zirain --- .../e2e/testdata/httproute-to-backend-ip.yaml | 12 ------- test/e2e/testdata/tlsroute-to-backend-ip.yaml | 14 +------- test/e2e/tests/httproute_with_backend.go | 24 +++++++++++-- test/e2e/tests/tlsroute_with_backend.go | 24 +++++++++++-- test/e2e/tests/utils.go | 36 +++++++++++++++++++ 5 files changed, 81 insertions(+), 29 deletions(-) diff --git a/test/e2e/testdata/httproute-to-backend-ip.yaml b/test/e2e/testdata/httproute-to-backend-ip.yaml index de1116d3f8e..599cbd3b332 100644 --- a/test/e2e/testdata/httproute-to-backend-ip.yaml +++ b/test/e2e/testdata/httproute-to-backend-ip.yaml 
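Review bot: `IPFamily` in `utils.go` is an exported, mutable package variable with no doc comment, and the rest of the commit compares it against the bare literals `"dual"` (in `e2e_test.go`) and `"ipv6"` (three places in `ratelimit.go`). The comparison is case-sensitive on the raw environment value, so a differently spelled `IP_FAMILY` would change which tests run without any message. A doc comment such as `// IPFamily is the value of the IP_FAMILY environment variable; tests compare it with "dual" and "ipv6".` plus named constants for the two values would make the contract explicit. In `RateLimitHeadersAndCIDRMatchTest` the skip is also placed inside the subtest, after the gateway and route have been set up, unlike the other two tests where it is the first statement.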
@@ -6,7 +6,6 @@ metadata: spec: selector: app: infra-backend-v1 - clusterIP: 10.96.96.96 ports: - protocol: TCP port: 8080 @@ -34,14 +33,3 @@ spec: - group: gateway.envoyproxy.io kind: Backend name: backend-ip ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: Backend -metadata: - name: backend-ip - namespace: gateway-conformance-infra -spec: - endpoints: - - ip: - address: 10.96.96.96 - port: 8080 diff --git a/test/e2e/testdata/tlsroute-to-backend-ip.yaml b/test/e2e/testdata/tlsroute-to-backend-ip.yaml index 7206078e2b5..49a39d61f3f 100644 --- a/test/e2e/testdata/tlsroute-to-backend-ip.yaml +++ b/test/e2e/testdata/tlsroute-to-backend-ip.yaml @@ -13,18 +13,7 @@ spec: - backendRefs: - group: gateway.envoyproxy.io kind: Backend - name: backend-ip ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: Backend -metadata: - name: backend-ip - namespace: gateway-conformance-infra -spec: - endpoints: - - ip: - address: 10.96.96.96 - port: 443 + name: backend-tls-ip --- apiVersion: v1 kind: Service @@ -34,7 +23,6 @@ metadata: spec: selector: app: tls-backend-2 - clusterIP: 10.96.96.96 ports: - protocol: TCP port: 443 diff --git a/test/e2e/tests/httproute_with_backend.go b/test/e2e/tests/httproute_with_backend.go index 7401e17c2f0..0bd7cc1ead1 100644 --- a/test/e2e/tests/httproute_with_backend.go +++ b/test/e2e/tests/httproute_with_backend.go @@ -21,7 +21,7 @@ func init() { } var EnvoyGatewayBackendTest = suite.ConformanceTest{ - ShortName: "EnvoyGatewayBackendTest", + ShortName: "EnvoyGatewayBackend", Description: "Routes with a backend ref to a backend", Manifests: []string{ "testdata/httproute-to-backend-fqdn.yaml", 
@@ -51,11 +51,31 @@ var EnvoyGatewayBackendTest = suite.ConformanceTest{ }) t.Run("of type IP", func(t *testing.T) { + svcNN := types.NamespacedName{ + Name: "infra-backend-v1-clusterip", + Namespace: "gateway-conformance-infra", + } + svc, err := GetService(suite.Client, svcNN) + if err != nil { + t.Fatalf("failed to get service %s: %v", svcNN, err) + } + + backendIPName := "backend-ip" ns := "gateway-conformance-infra" + err = CreateBackend(suite.Client, types.NamespacedName{Name: backendIPName, Namespace: ns}, svc.Spec.ClusterIP, 8080) + if err != nil { + t.Fatalf("failed to create backend %s: %v", backendIPName, err) + } + t.Cleanup(func() { + if err := DeleteBackend(suite.Client, types.NamespacedName{Name: backendIPName, Namespace: ns}); err != nil { + t.Fatalf("failed to delete backend %s: %v", backendIPName, err) + } + }) + routeNN := types.NamespacedName{Name: "httproute-to-backend-ip", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "backend-ip", Namespace: ns}) + BackendMustBeAccepted(t, suite.Client, types.NamespacedName{Name: backendIPName, Namespace: ns}) expectedResponse := http.ExpectedResponse{ Request: http.Request{ diff --git a/test/e2e/tests/tlsroute_with_backend.go b/test/e2e/tests/tlsroute_with_backend.go index c43162ee94f..34ed2896116 100644 --- a/test/e2e/tests/tlsroute_with_backend.go +++ b/test/e2e/tests/tlsroute_with_backend.go 
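Review bot: In the "of type IP" subtest the namespace literal `"gateway-conformance-infra"` is written out in `svcNN` and then declared again as `ns` a few lines later, and the Backend's NamespacedName is rebuilt three times (create, cleanup, BackendMustBeAccepted). Declaring `ns` first and building the name once keeps the three call sites from drifting apart: `svcNN := types.NamespacedName{Name: "infra-backend-v1-clusterip", Namespace: ns}` and `backendNN := types.NamespacedName{Name: backendIPName, Namespace: ns}`. The same block is copied into the "TLSRoute with a IP type Backend" subtest in tlsroute_with_backend.go with only the Service name, Backend name and port changed, so a shared helper in utils.go that takes those three values would remove the duplication. The enclosing Test func starts and ends outside this hunk.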
@@ -35,14 +35,34 @@ var TLSRouteBackendFQDNTest = suite.ConformanceTest{ } var TLSRouteBackendIPTest = suite.ConformanceTest{ - ShortName: "TLSRouteBackendIPTest", + ShortName: "TLSRouteBackendIP", Description: "TLSRoutes with a backend ref to a Backend", Manifests: []string{ "testdata/tlsroute-to-backend-ip.yaml", }, Test: func(t *testing.T, suite *suite.ConformanceTestSuite) { t.Run("TLSRoute with a IP type Backend", func(t *testing.T) { - testTLSRouteWithBackend(t, suite, "tlsroute-to-backend-ip", "backend-ip") + svcNN := types.NamespacedName{ + Name: "tls-backend-2-clusterip", + Namespace: "gateway-conformance-infra", + } + svc, err := GetService(suite.Client, svcNN) + if err != nil { + t.Fatalf("failed to get service %s: %v", svcNN, err) + } + + backendIPName := "backend-tls-ip" + ns := "gateway-conformance-infra" + err = CreateBackend(suite.Client, types.NamespacedName{Name: backendIPName, Namespace: ns}, svc.Spec.ClusterIP, 443) + if err != nil { + t.Fatalf("failed to create backend %s: %v", backendIPName, err) + } + t.Cleanup(func() { + if err := DeleteBackend(suite.Client, types.NamespacedName{Name: backendIPName, Namespace: ns}); err != nil { + t.Fatalf("failed to delete backend %s: %v", backendIPName, err) + } + }) + testTLSRouteWithBackend(t, suite, "tlsroute-to-backend-ip", backendIPName) }) }, } diff --git a/test/e2e/tests/utils.go b/test/e2e/tests/utils.go index a7834fbaaa3..484e41922e1 100644 --- a/test/e2e/tests/utils.go +++ b/test/e2e/tests/utils.go 
@@ -696,3 +696,39 @@ func CollectAndDump(t *testing.T, rest *rest.Config) { tlog.Logf(t, "\ndata: \n%s", data) } } + +func GetService(c client.Client, nn types.NamespacedName) (*corev1.Service, error) { + svc := &corev1.Service{} + if err := c.Get(context.Background(), nn, svc); err != nil { + return nil, err + } + return svc, nil +} + +func CreateBackend(c client.Client, nn types.NamespacedName, clusterIP string, port int32) error { + backend := &egv1a1.Backend{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: nn.Namespace, + Name: nn.Name, + }, + Spec: egv1a1.BackendSpec{ + Endpoints: []egv1a1.BackendEndpoint{ + { + IP: &egv1a1.IPEndpoint{ + Address: clusterIP, + Port: port, + }, + }, + }, + }, + } + return c.Create(context.TODO(), backend) +} + +func DeleteBackend(c client.Client, nn types.NamespacedName) error { + backend := &egv1a1.Backend{} + if err := c.Get(context.Background(), nn, backend); err != nil { + return err + } + return c.Delete(context.Background(), backend) +} From 7699578e222a0c7ce7cafbf8cad96d634e464dfb Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 15 Nov 2024 18:25:57 -0700 Subject: [PATCH 403/523] update OIDC docs (#4723) Signed-off-by: Huabing Zhao --- site/content/en/docs/tasks/security/oidc.md | 24 ++++++++++--------- site/content/en/latest/tasks/security/oidc.md | 24 ++++++++++--------- site/content/en/v1.2/tasks/security/oidc.md | 24 ++++++++++--------- 3 files changed, 39 insertions(+), 33 deletions(-) diff --git a/site/content/en/docs/tasks/security/oidc.md b/site/content/en/docs/tasks/security/oidc.md index 45adc554a90..f6ad61f8aa1 100644 --- a/site/content/en/docs/tasks/security/oidc.md +++ b/site/content/en/docs/tasks/security/oidc.md 
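Review bot: `DeleteBackend` fetches the Backend before deleting it and returns the NotFound error when the object is already gone, which turns a harmless state into a `t.Fatalf` inside the callers' `t.Cleanup`. Deleting by name and namespace and ignoring NotFound avoids the extra round trip and makes cleanup idempotent; this assumes `client` is controller-runtime's package, which the `c.Get`/`c.Create` calls suggest. `CreateBackend` has the mirror problem, since a Backend left over from an interrupted run makes `Create` fail, so the callers may want to delete first or tolerate AlreadyExists. The three exported helpers also have no doc comments, and `CreateBackend` uses `context.TODO()` where the other two use `context.Background()`.

```go
// … unchanged: GetService, CreateBackend …

// DeleteBackend removes the Backend named nn. A Backend that no longer
// exists is not treated as an error, so it is safe to call from t.Cleanup.
func DeleteBackend(c client.Client, nn types.NamespacedName) error {
	backend := &egv1a1.Backend{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: nn.Namespace,
			Name:      nn.Name,
		},
	}
	return client.IgnoreNotFound(c.Delete(context.Background(), backend))
}
```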
@@ -85,7 +85,7 @@ kubectl get httproute/myapp -o yaml ## OIDC Authentication for a HTTPRoute -OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with +OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. This section demonstrates how to configure OIDC authentication for a specific HTTPRoute. @@ -117,9 +117,9 @@ kubectl create secret generic my-app-client-secret --from-literal=client-secret= ### Create a SecurityPolicy **Please notice that the `redirectURL` and `logoutPath` must match the target HTTPRoute.** In this example, the target -HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed -with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication -will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed +HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed +with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication +will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed by the OAuth2 filter on that HTTPRoute. Note: please replace the ${CLIENT_ID} in the below yaml snippet with the actual Client ID that you got from the OIDC provider. 
@@ -200,8 +200,8 @@ Put www.example.com in the /etc/hosts file in your test machine, so we can use t 127.0.0.1 www.example.com ``` -Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google -login page. After you successfully login, you should see the response from the backend service. +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google +login page. After you successfully login, you should see the response from the backend service. Clean the cookies in the browser and try to access `https://www.example.com:8443/foo` address. You should be able to see this page since the path `/foo` is not protected by the OIDC policy. 
@@ -284,16 +284,18 @@ kubectl get httproute/foo -o yaml ### Create a SecurityPolicy -Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` -and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has -three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host -`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` +and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes can be used to match the `redirectURL` and `logoutPath`. By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the -token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. +Note: if a `cookieDomain` is added to an existing SecurityPolicy, the cookies in the browser must be cleared before sending a new request to the Gateway, otherwise the cookies with the old subdomain will take precedence and be sent to the Gateway, causing the OIDC authentication to fail. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} 
diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md index 45adc554a90..f6ad61f8aa1 100644 --- a/site/content/en/latest/tasks/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -85,7 +85,7 @@ kubectl get httproute/myapp -o yaml ## OIDC Authentication for a HTTPRoute -OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with +OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. This section demonstrates how to configure OIDC authentication for a specific HTTPRoute. @@ -117,9 +117,9 @@ kubectl create secret generic my-app-client-secret --from-literal=client-secret= ### Create a SecurityPolicy **Please notice that the `redirectURL` and `logoutPath` must match the target HTTPRoute.** In this example, the target -HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed -with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication -will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed +HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed +with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication +will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed by the OAuth2 filter on that HTTPRoute. Note: please replace the ${CLIENT_ID} in the below yaml snippet with the actual Client ID that you got from the OIDC provider. 
@@ -200,8 +200,8 @@ Put www.example.com in the /etc/hosts file in your test machine, so we can use t 127.0.0.1 www.example.com ``` -Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google -login page. After you successfully login, you should see the response from the backend service. +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google +login page. After you successfully login, you should see the response from the backend service. Clean the cookies in the browser and try to access `https://www.example.com:8443/foo` address. You should be able to see this page since the path `/foo` is not protected by the OIDC policy. 
@@ -284,16 +284,18 @@ kubectl get httproute/foo -o yaml ### Create a SecurityPolicy -Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` -and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has -three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host -`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` +and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes can be used to match the `redirectURL` and `logoutPath`. By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the -token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. +Note: if a `cookieDomain` is added to an existing SecurityPolicy, the cookies in the browser must be cleared before sending a new request to the Gateway, otherwise the cookies with the old subdomain will take precedence and be sent to the Gateway, causing the OIDC authentication to fail. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} 
diff --git a/site/content/en/v1.2/tasks/security/oidc.md b/site/content/en/v1.2/tasks/security/oidc.md index 45adc554a90..f6ad61f8aa1 100644 --- a/site/content/en/v1.2/tasks/security/oidc.md +++ b/site/content/en/v1.2/tasks/security/oidc.md @@ -85,7 +85,7 @@ kubectl get httproute/myapp -o yaml ## OIDC Authentication for a HTTPRoute -OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with +OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. This section demonstrates how to configure OIDC authentication for a specific HTTPRoute. @@ -117,9 +117,9 @@ kubectl create secret generic my-app-client-secret --from-literal=client-secret= ### Create a SecurityPolicy **Please notice that the `redirectURL` and `logoutPath` must match the target HTTPRoute.** In this example, the target -HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed -with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication -will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed +HTTPRoute is configured to match the host `www.example.com` and the path `/myapp`, so the `redirectURL` must be prefixed +with `https://www.example.com:8443/myapp`, and `logoutPath` must be prefixed with`/myapp`, otherwise the OIDC authentication +will fail because the redirect and logout requests will not match the target HTTPRoute and therefore can't be processed by the OAuth2 filter on that HTTPRoute. Note: please replace the ${CLIENT_ID} in the below yaml snippet with the actual Client ID that you got from the OIDC provider. 
@@ -200,8 +200,8 @@ Put www.example.com in the /etc/hosts file in your test machine, so we can use t 127.0.0.1 www.example.com ``` -Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google -login page. After you successfully login, you should see the response from the backend service. +Open a browser and navigate to the `https://www.example.com:8443/myapp` address. You should be redirected to the Google +login page. After you successfully login, you should see the response from the backend service. Clean the cookies in the browser and try to access `https://www.example.com:8443/foo` address. You should be able to see this page since the path `/foo` is not protected by the OIDC policy. 
@@ -284,16 +284,18 @@ kubectl get httproute/foo -o yaml ### Create a SecurityPolicy -Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` -and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has -three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host -`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes +Create or update the SecurityPolicy to target the Gateway instead of the HTTPRoute. **Please notice that the `redirectURL` +and `logoutPath` must match one of the HTTPRoutes associated with the Gateway.** In this example, the target Gateway has +three HTTPRoutes associated with it, one with the host `www.example.com` and the path `/myapp`, one with the host +`www.example.com` and the path `/`, and one with the host `foo.example.com` and the path `/`. Any of these HTTPRoutes can be used to match the `redirectURL` and `logoutPath`. By default, the access token and ID token cookies are set to the host of the request, excluding subdomains. To allow the -token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, +token cookies to be shared across subdomains and prevent users from having to log in again when switching between subdomains, the `cookieDomain` field needs to be set to the root domain. In this example, the root domain is `example.com`. +Note: if a `cookieDomain` is added to an existing SecurityPolicy, the cookies in the browser must be cleared before sending a new request to the Gateway, otherwise the cookies with the old subdomain will take precedence and be sent to the Gateway, causing the OIDC authentication to fail. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} 
From 36b1232526fce72a044fb476993b17befbe8acbf Mon Sep 17 00:00:00 2001 From: sh2 Date: Mon, 18 Nov 2024 22:23:37 +0800 Subject: [PATCH 404/523] doc: add standalone deployment doc (#4518) * add standalone deployment doc Signed-off-by: shawnh2 * update standalone deployment doc Signed-off-by: shawnh2 * fix local address for backend Signed-off-by: shawnh2 * update standalone doc Signed-off-by: shawnh2 * address comments Signed-off-by: shawnh2 * fix typo Signed-off-by: shawnh2 * address comment Signed-off-by: shawnh2 --------- Signed-off-by: shawnh2 --- examples/standalone/quickstart.yaml | 46 +++++++ .../operations/standalone-deployment-mode.md | 123 +++++++++++++++++ .../operations/standalone-deployment-mode.md | 130 ++++++++++++++++++ .../operations/standalone-deployment-mode.md | 123 +++++++++++++++++ 4 files changed, 422 insertions(+) create mode 100644 examples/standalone/quickstart.yaml create mode 100644 site/content/en/docs/tasks/operations/standalone-deployment-mode.md create mode 100644 site/content/en/latest/tasks/operations/standalone-deployment-mode.md create mode 100644 site/content/en/v1.2/tasks/operations/standalone-deployment-mode.md diff --git a/examples/standalone/quickstart.yaml b/examples/standalone/quickstart.yaml new file mode 100644 index 00000000000..e7a5cda07e5 --- /dev/null +++ b/examples/standalone/quickstart.yaml 
@@ -0,0 +1,46 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: eg +spec: + gatewayClassName: eg + listeners: + - name: http + protocol: HTTP + port: 8888 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend +spec: + parentRefs: + - name: eg + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: "gateway.envoyproxy.io" + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: backend +spec: + endpoints: + - ip: + address: 0.0.0.0 # this address is for demo purpose only, do not use it in production! + port: 3000 diff --git a/site/content/en/docs/tasks/operations/standalone-deployment-mode.md b/site/content/en/docs/tasks/operations/standalone-deployment-mode.md new file mode 100644 index 00000000000..cc8218a2905 --- /dev/null +++ b/site/content/en/docs/tasks/operations/standalone-deployment-mode.md 
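Review bot: The inline comment on `address: 0.0.0.0` in the Backend says the value is demo-only but not what it stands for or what to put in its place. The accompanying guide starts the endpoint with `python3 -m http.server 3000` on the same machine, and its curl output shows 0.0.0.0 connecting to 127.0.0.1, so the address is acting as "this host", which is platform-dependent behaviour rather than a real destination. I would expand the comment to something like `# 0.0.0.0 stands in for the local host in this demo only; set the backend's real IP address in any other deployment`.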
@@ -0,0 +1,123 @@ +--- +title: "Standalone Deployment Mode" +--- + +{{% alert title="Notice" color="warning" %}} + +Standalone mode is an experimental feature, please **DO NOT** use it in production. + +{{% /alert %}} + +Envoy Gateway also supports running in standalone mode. In this mode, Envoy Gateway +does not need to rely on Kubernetes and can be deployed directly on bare metal or virtual machines. + +Currently, Envoy Gateway only support the file provider and the host infrastructure provider combinations. + +- The file provider will configure the Envoy Gateway to get all gateway-api resources from file system. +- The host infrastructure provider will configure the Envoy Gateway to deploy one Envoy Proxy as a host process. + +## Quick Start + +In this quick-start, we will run Envoy Gateway in standalone mode with the file provider +and the host infrastructure provider. + +### Prerequisites + +Create a local directory just for testing: + +```shell +mkdir -p /tmp/envoy-gateway-test +``` + +Download the Envoy Gateway binary from v1.2.x release. + +### Create Certificates + +All runners in Envoy Gateway are using TLS connection, so create these TLS certificates locally to +ensure the Envoy Gateway works properly. + +```shell +envoy-gateway certgen --local +``` + +### Start Envoy Gateway + +Start Envoy Gateway by the following command: + +```shell +envoy-gateway server --config-path standalone.yaml +``` + +with `standalone.yaml` configuration: + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +provider: + type: Custom + custom: + resource: + type: File + file: + paths: ["/tmp/envoy-gateway-test"] + infrastructure: + type: Host + host: {} +logging: + level: + default: info +extensionApis: + enableBackend: true +``` + +As you can see, we have enabled the [Backend][] API, this API will be used to represent our local endpoints. 
+ +### Trigger an Update + +Any changes under watched `paths` will be considered as an update by the file provider. + +For instance, copying example file into `/tmp/envoy-gateway-test/` will trigger an update of gateway-api resources: + +```shell +cp examples/standalone/quickstart.yaml /tmp/envoy-gateway-test/quickstart.yaml +``` + +From the Envoy Gateway log, you should be able to observe that the Envoy Proxy has been started, and its admin address has been returned. + +### Test Connection + +Starts a simple local server as an endpoint: + +```shell +python3 -m http.server 3000 +``` + +Curl the example server through Envoy Proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://0.0.0.0:8888/ +``` + +```console +* Trying 0.0.0.0:8888... +* Connected to 0.0.0.0 (127.0.0.1) port 8888 (#0) +> GET / HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/7.81.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< server: SimpleHTTP/0.6 Python/3.10.12 +< date: Sat, 26 Oct 2024 13:20:34 GMT +< content-type: text/html; charset=utf-8 +< content-length: 1870 +< +... +* Connection #0 to host 0.0.0.0 left intact +``` + + +[Backend]: ../../../api/extension_types#backend diff --git a/site/content/en/latest/tasks/operations/standalone-deployment-mode.md b/site/content/en/latest/tasks/operations/standalone-deployment-mode.md new file mode 100644 index 00000000000..88a5c1b98c2 --- /dev/null +++ b/site/content/en/latest/tasks/operations/standalone-deployment-mode.md 
@@ -0,0 +1,130 @@ +--- +title: "Standalone Deployment Mode" +--- + +{{% alert title="Notice" color="warning" %}} + +Standalone mode is an experimental feature, please **DO NOT** use it in production. + +{{% /alert %}} + +Envoy Gateway also supports running in standalone mode. In this mode, Envoy Gateway +does not need to rely on Kubernetes and can be deployed directly on bare metal or virtual machines. + +Currently, Envoy Gateway only support the file provider and the host infrastructure provider combinations. + +- The file provider will configure the Envoy Gateway to get all gateway-api resources from file system. +- The host infrastructure provider will configure the Envoy Gateway to deploy one Envoy Proxy as a host process. + +## Quick Start + +In this quick-start, we will run Envoy Gateway in standalone mode with the file provider +and the host infrastructure provider. + +### Prerequisites + +Create a local directory just for testing: + +```shell +mkdir -p /tmp/envoy-gateway-test +``` + +As we do not provide the Envoy Gateway binary in latest release, +you can compile this binary on your own from project by using command: + +```shell +make build +``` + +The compiled binary lies in `bin/{os}/{arch}/envoy-gateway`. + +### Create Certificates + +All runners in Envoy Gateway are using TLS connection, so create these TLS certificates locally to +ensure the Envoy Gateway works properly. 
+ +```shell +envoy-gateway certgen --local +``` + +### Start Envoy Gateway + +Start Envoy Gateway by the following command: + +```shell +envoy-gateway server --config-path standalone.yaml +``` + +with `standalone.yaml` configuration: + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyGateway +gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +provider: + type: Custom + custom: + resource: + type: File + file: + paths: ["/tmp/envoy-gateway-test"] + infrastructure: + type: Host + host: {} +logging: + level: + default: info +extensionApis: + enableBackend: true +``` + +As you can see, we have enabled the [Backend][] API, this API will be used to represent our local endpoints. + +### Trigger an Update + +Any changes under watched `paths` will be considered as an update by the file provider. + +For instance, copying example file into `/tmp/envoy-gateway-test/` will trigger an update of gateway-api resources: + +```shell +cp examples/standalone/quickstart.yaml /tmp/envoy-gateway-test/quickstart.yaml +``` + +From the Envoy Gateway log, you should be able to observe that the Envoy Proxy has been started, and its admin address has been returned. + +### Test Connection + +Starts a simple local server as an endpoint: + +```shell +python3 -m http.server 3000 +``` + +Curl the example server through Envoy Proxy: + +```shell +curl --verbose --header "Host: www.example.com" http://0.0.0.0:8888/ +``` + +```console +* Trying 0.0.0.0:8888... +* Connected to 0.0.0.0 (127.0.0.1) port 8888 (#0) +> GET / HTTP/1.1 +> Host: www.example.com +> User-Agent: curl/7.81.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< server: SimpleHTTP/0.6 Python/3.10.12 +< date: Sat, 26 Oct 2024 13:20:34 GMT +< content-type: text/html; charset=utf-8 +< content-length: 1870 +< +... +* Connection #0 to host 0.0.0.0 left intact +``` + + +[Backend]: ../../../api/extension_types#backend 
diff --git a/site/content/en/v1.2/tasks/operations/standalone-deployment-mode.md b/site/content/en/v1.2/tasks/operations/standalone-deployment-mode.md new file mode 100644 index 00000000000..cc8218a2905 --- /dev/null +++ b/site/content/en/v1.2/tasks/operations/standalone-deployment-mode.md 
@@ -0,0 +1,123 @@
+---
+title: "Standalone Deployment Mode"
+---
+
+{{% alert title="Notice" color="warning" %}}
+
+Standalone mode is an experimental feature, please **DO NOT** use it in production.
+
+{{% /alert %}}
+
+Envoy Gateway also supports running in standalone mode. In this mode, Envoy Gateway
+does not need to rely on Kubernetes and can be deployed directly on bare metal or virtual machines.
+
+Currently, Envoy Gateway only support the file provider and the host infrastructure provider combinations.
+
+- The file provider will configure the Envoy Gateway to get all gateway-api resources from file system.
+- The host infrastructure provider will configure the Envoy Gateway to deploy one Envoy Proxy as a host process.
+
+## Quick Start
+
+In this quick-start, we will run Envoy Gateway in standalone mode with the file provider
+and the host infrastructure provider.
+
+### Prerequisites
+
+Create a local directory just for testing:
+
+```shell
+mkdir -p /tmp/envoy-gateway-test
+```
+
+Download the Envoy Gateway binary from v1.2.x release.
+
+### Create Certificates
+
+All runners in Envoy Gateway are using TLS connection, so create these TLS certificates locally to
+ensure the Envoy Gateway works properly.
+
+```shell
+envoy-gateway certgen --local
+```
+
+### Start Envoy Gateway
+
+Start Envoy Gateway by the following command:
+
+```shell
+envoy-gateway server --config-path standalone.yaml
+```
+
+with `standalone.yaml` configuration:
+
+```yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyGateway
+gateway:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+provider:
+ type: Custom
+ custom:
+ resource:
+ type: File
+ file:
+ paths: ["/tmp/envoy-gateway-test"]
+ infrastructure:
+ type: Host
+ host: {}
+logging:
+ level:
+ default: info
+extensionApis:
+ enableBackend: true
+```
+
+As you can see, we have enabled the [Backend][] API, this API will be used to represent our local endpoints.
+
+### Trigger an Update
+
+Any changes under watched `paths` will be considered as an update by the file provider.
+
+For instance, copying example file into `/tmp/envoy-gateway-test/` will trigger an update of gateway-api resources:
+
+```shell
+cp examples/standalone/quickstart.yaml /tmp/envoy-gateway-test/quickstart.yaml
+```
+
+From the Envoy Gateway log, you should be able to observe that the Envoy Proxy has been started, and its admin address has been returned.
+
+### Test Connection
+
+Starts a simple local server as an endpoint:
+
+```shell
+python3 -m http.server 3000
+```
+
+Curl the example server through Envoy Proxy:
+
+```shell
+curl --verbose --header "Host: www.example.com" http://0.0.0.0:8888/
+```
+
+```console
+* Trying 0.0.0.0:8888...
+* Connected to 0.0.0.0 (127.0.0.1) port 8888 (#0)
+> GET / HTTP/1.1
+> Host: www.example.com
+> User-Agent: curl/7.81.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< server: SimpleHTTP/0.6 Python/3.10.12
+< date: Sat, 26 Oct 2024 13:20:34 GMT
+< content-type: text/html; charset=utf-8
+< content-length: 1870
+<
+...
+* Connection #0 to host 0.0.0.0 left intact
+```
+
+
+[Backend]: ../../../api/extension_types#backend
From b7f6e0196650d747d58136923f1e30a46c06c972 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 17:40:17 -0800 Subject: [PATCH 405/523] build(deps): bump github/codeql-action from 3.27.1 to 3.27.4 (#4733) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.1 to 3.27.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4f3212b61783c3c68e8309a0f18a699764811cda...ea9e4e37992a54ee68a9622e985e60c8e8f12d9f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index faca9d0eb1b..c8c1884c937 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: category: "/language:${{matrix.language}}" 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 79f040fba97..23235a9a5ba 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: results.sarif From 4bcda6c84cc76ab50ff994c2225cd853686e9b34 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 17:41:40 -0800 Subject: [PATCH 406/523] build(deps): bump distroless/static from `3a03fc0` to `d71f4b2` in /tools/docker/envoy-gateway (#4730) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `3a03fc0` to `d71f4b2`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 5fef537da10..44fff0beb98 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91 +FROM gcr.io/distroless/static:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib 
From 0ba9330b4a8ed17ccce1eb205aa1c97ebd09ebf3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 18:11:12 -0800 Subject: [PATCH 407/523] build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 in /examples/extension-server (#4737) build(deps): bump google.golang.org/protobuf Bumps google.golang.org/protobuf from 1.35.1 to 1.35.2. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 6ee602741b3..b484a19a6b7 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -7,7 +7,7 @@ require ( github.com/envoyproxy/go-control-plane v0.13.1 github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.68.0 - google.golang.org/protobuf v1.35.1 + google.golang.org/protobuf v1.35.2 k8s.io/apimachinery v0.31.2 sigs.k8s.io/controller-runtime v0.19.1 sigs.k8s.io/gateway-api v1.2.0 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 023da3e9b9e..8bac1672b4e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -113,8 +113,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From c6190913cb0cabd9e4163b03bc5da7db664de3c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 18:15:52 -0800 Subject: [PATCH 408/523] build(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 (#4736) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.16.2 to 3.16.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.16.2...v3.16.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 2519f4ab3e4..ce1f5d5cdf5 100644 --- a/go.mod +++ b/go.mod 
@@ -47,7 +47,7 @@ require ( golang.org/x/sys v0.27.0 google.golang.org/protobuf v1.35.1 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.16.2 + helm.sh/helm/v3 v3.16.3 k8s.io/api v0.31.2 k8s.io/apiextensions-apiserver v0.31.2 k8s.io/apimachinery v0.31.2 @@ -95,8 +95,8 @@ require ( github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect github.com/cilium/ebpf v0.16.0 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.20 // indirect - github.com/containerd/errdefs v0.1.0 // indirect + github.com/containerd/containerd v1.7.23 // indirect + github.com/containerd/errdefs v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect @@ -107,7 +107,7 @@ require ( github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect - github.com/cyphar/filepath-securejoin v0.3.1 // indirect + github.com/cyphar/filepath-securejoin v0.3.4 // indirect github.com/distribution/distribution/v3 v3.0.0-beta.1 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/docker/distribution v2.8.3+incompatible // indirect diff --git a/go.sum b/go.sum index 5d34e722723..fd359d6263c 100644 --- a/go.sum +++ b/go.sum 
@@ -128,12 +128,12 @@ github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1Ig github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ= -github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= -github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= 
@@ -170,8 +170,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= -github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= +github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= +github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/datawire/dlib v1.3.0 h1:KkmyXU1kwm3oPBk1ypR70YbcOlEXWzEbx5RE0iRXTGk= github.com/datawire/dlib v1.3.0/go.mod h1:NiGDmetmbkBvtznpWSx6C0vA0s0LK9aHna3LJDqjruk= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -1152,8 +1152,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o= -helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70= +helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= +helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
From 97a5d688639b28b8c5eed761568e9665468bdfe6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 19:02:05 -0800 Subject: [PATCH 409/523] build(deps): bump github.com/bufbuild/buf from 1.46.0 to 1.47.2 in /tools/src/buf (#4738) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.46.0 to 1.47.2. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/compare/v1.46.0...v1.47.2) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 55 ++++++++++---------- tools/src/buf/go.sum | 116 ++++++++++++++++++++++--------------------- 2 files changed, 88 insertions(+), 83 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index b276538c15a..1b7b86cdd53 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod @@ -2,10 +2,10 @@ module local go 1.23.3 -require github.com/bufbuild/buf v1.46.0 +require github.com/bufbuild/buf v1.47.2 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1 // indirect buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 // indirect buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 // indirect buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 // indirect 
@@ -13,24 +13,26 @@ require ( buf.build/go/bufplugin v0.6.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect buf.build/go/spdx v0.2.0 // indirect + cel.dev/expr v0.18.0 // indirect connectrpc.com/connect v1.17.0 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/Microsoft/hcsshim v0.12.7 // indirect + github.com/Microsoft/hcsshim v0.12.9 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.23 // indirect - github.com/containerd/continuity v0.4.3 // indirect - github.com/containerd/errdefs v0.3.0 // indirect + github.com/containerd/continuity v0.4.4 // indirect + github.com/containerd/errdefs v1.0.0 // indirect + github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/containerd/ttrpc v1.2.5 // indirect - github.com/containerd/typeurl/v2 v2.2.0 // indirect + github.com/containerd/ttrpc v1.2.6 // indirect + github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/docker/cli v27.3.1+incompatible // indirect 
@@ -48,9 +50,9 @@ require ( github.com/gofrs/flock v0.12.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/cel-go v0.21.0 // indirect + github.com/google/cel-go v0.22.0 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241017200806-017d972448fc // indirect + github.com/google/pprof v0.0.0-20241101162523-b92577c0c142 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -69,7 +71,7 @@ require ( github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect - github.com/onsi/ginkgo/v2 v2.20.2 // indirect + github.com/onsi/ginkgo/v2 v2.21.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect 
@@ -94,29 +96,28 @@ require ( go.lsp.dev/protocol v0.12.0 // indirect go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect - go.opentelemetry.io/otel v1.31.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect + go.opentelemetry.io/otel v1.32.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.31.0 // indirect + go.opentelemetry.io/otel/metric v1.32.0 // indirect go.opentelemetry.io/otel/sdk v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.31.0 // indirect - go.uber.org/atomic v1.11.0 // indirect + go.opentelemetry.io/otel/trace v1.32.0 // indirect go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect go.uber.org/zap/exp v0.3.0 // indirect - golang.org/x/crypto v0.28.0 // indirect - golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect - golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.30.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.26.0 // indirect - golang.org/x/term v0.25.0 // indirect - golang.org/x/text v0.19.0 // indirect - golang.org/x/tools v0.26.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect - google.golang.org/grpc v1.67.1 // indirect + golang.org/x/crypto v0.29.0 // indirect + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect + golang.org/x/mod v0.22.0 // indirect + golang.org/x/net v0.31.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/sys v0.27.0 // indirect + golang.org/x/term v0.26.0 // indirect + golang.org/x/text v0.20.0 // indirect + golang.org/x/tools v0.27.0 // indirect + google.golang.org/genproto/googleapis/api 
v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/grpc v1.68.0 // indirect google.golang.org/protobuf v1.35.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index b2a67028e40..9e7bf68b94e 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum @@ -1,5 +1,5 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1 h1:O31Hu5Oho5suEWOD7FuMU9vfzeQT07ukTu4YuBVjLbw= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241023225133-42bdb4b67625.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1 h1:APVDdZ4VfUvERVIj//yDjCWV7WezEOiK7+b6gvJ+iAk= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 h1:9wP6ZZYWnF2Z0TxmII7m3XNykxnP4/w8oXeth6ekcRI= buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1/go.mod h1:Duw/9JoXkXIydyASnLYIiufkzySThoqavOsF+IihqvM= buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 h1:FHQXg3T7S2jp8yc7/bQJgqEH1yza/rrDHXITUK2Tm0g= 
@@ -14,6 +14,8 @@ buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= buf.build/go/spdx v0.2.0/go.mod h1:bXdwQFem9Si3nsbNy8aJKGPoaPi5DKwdeEp5/ArZ6w8= +cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= +cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect v1.17.0 h1:W0ZqMhtVzn9Zhn2yATuUokDLO5N+gIuBWMOnsQrfmZk= connectrpc.com/connect v1.17.0/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8= 
@@ -26,12 +28,12 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/Microsoft/hcsshim v0.12.7 h1:MP6R1spmjxTE4EU4J3YsrTxn8CjvN9qwjTKJXldFaRg= -github.com/Microsoft/hcsshim v0.12.7/go.mod h1:HPbAuJ9BvQYYZbB4yEQcyGIsTP5L4yHKeO9XO149AEM= +github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg= +github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.46.0 h1:QqlFiy2l0F+hhyTF9xm7j91E7ovGyZVnneG2y38F0rk= -github.com/bufbuild/buf v1.46.0/go.mod h1:oN16LKwdlgji2eHLn3R07dxnQjxm9Q0pdUor5VXj3H8= +github.com/bufbuild/buf v1.47.2 h1:fA5e2yVQGabxAz7W5aNbO7Fku1P6TpoHhjs1wER1pOc= +github.com/bufbuild/buf v1.47.2/go.mod h1:1Xd0QG0a1uCGk7cODUenpQ8E5l7bj2Ry9tnUfERm1YI= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= 
@@ -56,20 +58,22 @@ github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGD github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= -github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= -github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= -github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII= +github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= +github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= +github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= +github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU= -github.com/containerd/ttrpc v1.2.5/go.mod 
h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= -github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso= -github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g= +github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4= +github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= +github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= +github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -133,8 +137,10 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI= -github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= +github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -147,8 +153,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241017200806-017d972448fc h1:NGyrhhFhwvRAZg02jnYVg3GBQy0qGBKmFQJwaPmpmxs= -github.com/google/pprof v0.0.0-20241017200806-017d972448fc/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241101162523-b92577c0c142 h1:sAGdeJj0bnMgUNVeUpp6AYlVdCt3/GdI3pGRqsNSQLs= +github.com/google/pprof v0.0.0-20241101162523-b92577c0c142/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -199,10 +205,10 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= -github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= -github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= -github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= +github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= +github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -270,26 +276,24 @@ go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM= -go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= -go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0/go.mod h1:wZcGmeVO9nzP67aYSLDqXNWK87EZWhi7JWj1v7ZXf94= +go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= +go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= -go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= +go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= +go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= 
go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= -go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= +go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= +go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= -go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU= 
@@ -303,18 +307,18 @@ go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= -golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY= -golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= -golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= 
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -324,16 +328,16 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= -golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -344,14 +348,14 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= -golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -362,8 +366,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ= -golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= +golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= +golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -373,17 +377,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= -google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= 
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From baaecd126880edeec7014ccb01ba3c2366ff9823 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:30:19 -0800 Subject: [PATCH 410/523] build(deps): bump google.golang.org/protobuf from 1.35.1 to 1.35.2 (#4735) Bumps google.golang.org/protobuf from 1.35.1 to 1.35.2. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index ce1f5d5cdf5..1b902b94405 100644 --- a/go.mod +++ b/go.mod @@ -45,7 +45,7 @@ require ( go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e golang.org/x/sys v0.27.0 - google.golang.org/protobuf v1.35.1 + google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.3 k8s.io/api v0.31.2 diff --git a/go.sum b/go.sum index fd359d6263c..69ff364cba2 100644 --- a/go.sum +++ b/go.sum 
@@ -1111,8 +1111,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20160105164936-4f90aeace3a2/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From b9c111fe3ac2882552129887afefacc9bf675f97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:30:40 -0800 Subject: [PATCH 411/523] build(deps): bump fortio.org/fortio from 1.67.1 to 1.68.0 (#4734) Bumps [fortio.org/fortio](https://github.com/fortio/fortio) from 1.67.1 to 1.68.0. - [Release notes](https://github.com/fortio/fortio/releases) - [Commits](https://github.com/fortio/fortio/compare/v1.67.1...v1.68.0) --- updated-dependencies: - dependency-name: fortio.org/fortio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1b902b94405..7d45c395ef0 100644 --- a/go.mod +++ b/go.mod 
@@ -5,7 +5,7 @@ go 1.23.3 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( - fortio.org/fortio v1.67.1 + fortio.org/fortio v1.68.0 fortio.org/log v1.17.1 github.com/Masterminds/semver/v3 v3.3.0 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 diff --git a/go.sum b/go.sum index 69ff364cba2..badf41ee3da 100644 --- a/go.sum +++ b/go.sum @@ -13,8 +13,8 @@ fortio.org/cli v1.9.2 h1:17eJ8QZPjXHcLBpeCe0QMO/0fj5Bw0ZTxVgL7V9jOqc= fortio.org/cli v1.9.2/go.mod h1:7r55OoTV8NXcTvJT4boWk8s3I2LP6TMZh/0LLMJEYw0= fortio.org/dflag v1.7.3 h1:yws+v+/fJ67bYgrgcWpLtgdZPEWkYuwdfqz/WyQ8UXo= fortio.org/dflag v1.7.3/go.mod h1:O1Pk4lKRolw9wwAGyjTo8IsNyqqNRQGKxPOfpOElMqM= -fortio.org/fortio v1.67.1 h1:KAYyeu6z/01d/QwJm2dCVIadAhd8jNsezJHhlkoOMwU= -fortio.org/fortio v1.67.1/go.mod h1:XfrXH/BJ/hhxBXHj9z8FaqvsBbnf46SLyoWtPgopDlU= +fortio.org/fortio v1.68.0 h1:2M9RuitiN+MgW6QlTJCHjW6PJLAPj/YCXegxSCLQ3rw= +fortio.org/fortio v1.68.0/go.mod h1:1IjDaEoT5crHBN7BRLBwrHE24pIT6rOPKrYG3jEIWaA= fortio.org/log v1.17.1 h1:YQoGyZBnXTVIs77/nZw7BppwSOIamP3I092PGBenBZs= fortio.org/log v1.17.1/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE= fortio.org/safecast v1.0.0 h1:dr3131WPX8iS1pTf76+39WeXbTrerDYLvi9s7Oi3wiY= From b7bd5ad485d6d34f8273791a106f3b1a429678fc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 20:30:55 -0800 Subject: [PATCH 412/523] build(deps): bump softprops/action-gh-release from 2.0.9 to 2.1.0 (#4731) Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.0.9 to 2.1.0. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8...01570a1f39cb168c169c802c3bceb9e93fb10974) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 0b709f9fe1a..b6e7d4c6d3f 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -107,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v0.1.15 with: draft: false prerelease: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2235d0e573c..7aea9e9d700 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
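Review bot: The version comment beside the pinned commit is stale: the new `uses:` line in `latest_release.yaml` still ends in `# v0.1.15`, although the commit message says this SHA is the 2.1.0 release. The `uses:` line in the `release.yaml` hunk of the same commit has the same problem. Pinning a third-party action to a full commit SHA is the right control for a workflow that publishes releases, but the trailing comment is what a reviewer checks that SHA against, so a wrong tag there undermines the audit. I would change both lines to `uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0`, after confirming upstream that the SHA resolves to that tag.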
@@ -96,7 +96,7 @@ jobs: tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl - name: Upload Release Manifests - uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v0.1.15 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v0.1.15 with: files: | release-artifacts/install.yaml From 8a01dd68ae8c352c438292fdb93316d9badd35d8 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 19 Nov 2024 15:51:32 +0800 Subject: [PATCH 413/523] e2e: fix some tests (#4729) * e2e: make timeout configurable Signed-off-by: zirain * skip upgrade tests Signed-off-by: zirain * timeout Signed-off-by: zirain --------- Signed-off-by: zirain --- test/e2e/tests/envoy_shutdown.go | 3 ++- test/e2e/upgrade/eg_upgrade_test.go | 10 +++++++++- test/utils/prometheus/prometheus.go | 3 ++- tools/make/kube.mk | 3 ++- 4 files changed, 15 insertions(+), 4 deletions(-) diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go index 24e6b334637..7a249e01950 100644 --- a/test/e2e/tests/envoy_shutdown.go +++ b/test/e2e/tests/envoy_shutdown.go @@ -141,7 +141,8 @@ func restartProxyAndWaitForRollout(t *testing.T, timeoutConfig config.TimeoutCon return err } - return wait.PollUntilContextTimeout(ctx, 1*time.Second, timeoutConfig.CreateTimeout, true, func(ctx context.Context) (bool, error) { + // increase timeout for IPv6 first cluster + return wait.PollUntilContextTimeout(ctx, 2*time.Second, 2*timeoutConfig.CreateTimeout, true, func(ctx context.Context) (bool, error) { // wait for replicaset with the same annotation to reach ready status podList := &corev1.PodList{} listOpts := []client.ListOption{ diff --git a/test/e2e/upgrade/eg_upgrade_test.go b/test/e2e/upgrade/eg_upgrade_test.go index b93a3bab0df..6c3b9521e5f 100644 --- a/test/e2e/upgrade/eg_upgrade_test.go +++ b/test/e2e/upgrade/eg_upgrade_test.go 
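Review bot: The new comment in `restartProxyAndWaitForRollout` says the longer wait is for IPv6-first clusters, but `2*timeoutConfig.CreateTimeout` and the 2s poll interval apply to every run regardless of IP family. The literal factor also sits on top of the configurable `timeoutConfig`, so anyone tuning `CreateTimeout` gets twice the value they set without knowing it. Either gate the doubling on the IP family (the upgrade test in this commit already branches on `tests.IPFamily == "ipv6"`), or keep it unconditional and say so: `// rollout is slower on IPv6-first clusters; the doubled timeout applies to all IP families`. The function body starts and ends outside this hunk.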
@@ -36,6 +36,14 @@ func TestEGUpgrade(t *testing.T) { *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug) } + var skipTests []string + // previous did not support ipv6, so skip upgrade tests for ipv6 + if tests.IPFamily == "ipv6" { + skipTests = append(skipTests, + tests.EGUpgradeTest.ShortName, + ) + } + cSuite, err := suite.NewConformanceTestSuite(suite.ConformanceOptions{ Client: c, RestConfig: cfg, @@ -46,7 +54,7 @@ func TestEGUpgrade(t *testing.T) { RunTest: *flags.RunTest, BaseManifests: "upgrade/manifests.yaml", SupportedFeatures: sets.New[features.FeatureName](features.SupportGateway), - SkipTests: []string{}, + SkipTests: skipTests, }) if err != nil { t.Fatalf("Failed to create test suite: %v", err) diff --git a/test/utils/prometheus/prometheus.go b/test/utils/prometheus/prometheus.go index c59a8f12ebb..bc62da2cc07 100644 --- a/test/utils/prometheus/prometheus.go +++ b/test/utils/prometheus/prometheus.go @@ -8,6 +8,7 @@ package prometheus import ( "context" "fmt" + "net" "time" prom "github.com/prometheus/client_golang/api" @@ -36,7 +37,7 @@ func NewClient(kubeClient client.Client, nn types.NamespacedName) (*Client, erro var addr string for _, ing := range svc.Status.LoadBalancer.Ingress { if len(ing.IP) > 0 { - addr = fmt.Sprintf("http://%s", ing.IP) + addr = fmt.Sprintf("http://%s", net.JoinHostPort(ing.IP, "80")) } } diff --git a/tools/make/kube.mk b/tools/make/kube.mk index d53c1931360..122e089b79e 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -22,7 +22,8 @@ BENCHMARK_REPORT_DIR ?= benchmark_report E2E_RUN_TEST ?= E2E_CLEANUP ?= true -E2E_TEST_ARGS ?= -v -tags e2e -timeout 20m +E2E_TIMEOUT ?= 20m +E2E_TEST_ARGS ?= -v -tags e2e -timeout $(E2E_TIMEOUT) # Set Kubernetes Resources Directory Path ifeq ($(origin KUBE_PROVIDER_DIR),undefined) From f99c36c80e7da2268f4af00da3cc8f325e2d51e3 Mon Sep 17 00:00:00 2001 
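Review bot: The port in the new `net.JoinHostPort(ing.IP, "80")` call in `NewClient` is a bare literal with no comment saying why it is there. `JoinHostPort` is what puts brackets around an IPv6 literal so the URL parses, and `"80"` only spells out the default the old `http://%s` form implied; a short comment would record that, e.g. `// JoinHostPort brackets IPv6 addresses; 80 is the default HTTP port the bare URL used before`. If the Prometheus service can be exposed on another port, taking it from `svc.Spec.Ports` would be more robust than the literal, though whether that applies cannot be judged from this hunk. `NewClient` continues outside the hunk.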
From: Huabing Zhao Date: Wed, 20 Nov 2024 09:26:47 +0800 Subject: [PATCH 414/523] fix: tcp listener is rejected when no route attached (#4681) * fix: tcp listener is rejected when no route attached Signed-off-by: Huabing Zhao * change cluter name Signed-off-by: Huabing Zhao * fix listener connection limit test Signed-off-by: Huabing Zhao * fix listener connetcp keepalive test Signed-off-by: Huabing Zhao * fix tcp endpoint stats test Signed-off-by: Huabing Zhao * fix tcp-route-enable-req-resp-sizes-stats Signed-off-by: Huabing Zhao * fix extensionpolicy-tcp-udp-http test Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- .../extensionpolicy-tcp-udp-http.yaml | 16 +++++++ .../in/xds-ir/listener-connection-limit.yaml | 34 ++++++++------- .../in/xds-ir/listener-tcp-keepalive.yaml | 34 ++++++++------- .../in/xds-ir/listener-tcp-without-route.yaml | 17 ++++++++ .../in/xds-ir/tcp-endpoint-stats.yaml | 17 ++++---- .../in/xds-ir/tcp-req-resp-sizes-stats.yaml | 17 ++++---- ...extensionpolicy-tcp-udp-http.clusters.yaml | 36 ++++++++++++++++ ...xtensionpolicy-tcp-udp-http.endpoints.yaml | 24 +++++++++++ ...xtensionpolicy-tcp-udp-http.listeners.yaml | 7 ++++ .../extensionpolicy-tcp-udp-http.routes.yaml | 12 ++++++ .../listener-connection-limit.clusters.yaml | 36 ++++++++++++++++ .../listener-connection-limit.endpoints.yaml | 24 +++++++++++ .../listener-connection-limit.listeners.yaml | 32 ++++++++++++++ .../listener-tcp-keepalive.clusters.yaml | 36 ++++++++++++++++ .../listener-tcp-keepalive.endpoints.yaml | 24 +++++++++++ .../listener-tcp-keepalive.listeners.yaml | 21 ++++++++++ .../listener-tcp-without-route.clusters.yaml | 2 + .../listener-tcp-without-route.endpoints.yaml | 1 + .../listener-tcp-without-route.listeners.yaml | 42 +++++++++++++++++++ .../listener-tcp-without-route.routes.yaml | 1 + .../xds-ir/tcp-endpoint-stats.clusters.yaml | 21 +++++++++- .../xds-ir/tcp-endpoint-stats.endpoints.yaml | 19 ++++++++- .../xds-ir/tcp-endpoint-stats.listeners.yaml | 7 ++++ .../tcp-req-resp-sizes-stats.clusters.yaml | 21 +++++++++- .../tcp-req-resp-sizes-stats.endpoints.yaml | 19 ++++++++- .../tcp-req-resp-sizes-stats.listeners.yaml | 7 ++++ internal/xds/translator/translator.go | 31 +++++++++++++- release-notes/current.yaml | 2 +- 28 files changed, 506 insertions(+), 54 deletions(-) create mode 100644 internal/xds/translator/testdata/in/xds-ir/listener-tcp-without-route.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.clusters.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.routes.yaml diff --git a/internal/xds/translator/testdata/in/extension-xds-ir/extensionpolicy-tcp-udp-http.yaml b/internal/xds/translator/testdata/in/extension-xds-ir/extensionpolicy-tcp-udp-http.yaml index 77ced570f46..6a5d283ee44 100644 --- a/internal/xds/translator/testdata/in/extension-xds-ir/extensionpolicy-tcp-udp-http.yaml +++ b/internal/xds/translator/testdata/in/extension-xds-ir/extensionpolicy-tcp-udp-http.yaml @@ -35,6 +35,15 @@ http: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 + routes: + - name: "http-route" + hostname: "*" + destination: + name: "http-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 tcp: - address: 0.0.0.0 extensionRefs: @@ -66,6 +75,13 @@ tcp: controllerName: gateway.envoyproxy.io/gatewayclass-controller name: envoy-gateway/gateway-1/tcp1 port: 10080 + routes: + - destination: + name: "tcp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 udp: - address: 0.0.0.0 route: diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml index 049ec905b9a..b8022bc0357 100644 --- a/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml 
@@ -44,16 +44,17 @@ tcp: connection: limit: value: 3 - tls: - passthrough: - snis: - - bar.com - destination: - name: "tls-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - tls: + inspector: + snis: + - bar.com + destination: + name: "tls-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 - name: "fourth-listener" address: "0.0.0.0" connection: @@ -61,9 +62,10 @@ tcp: value: 10 closeDelay: 3s port: 10083 - destination: - name: "tcp-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - destination: + name: "tcp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml index 9bdaf244912..19d7d3335d5 100644 --- a/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml @@ -43,24 +43,26 @@ tcp: address: "0.0.0.0" port: 10082 tcpKeepalive: {} - tls: - inspector: - snis: - - bar.com - destination: - name: "tls-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - tls: + inspector: + snis: + - bar.com + destination: + name: "tls-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 - name: "fourth-listener" address: "0.0.0.0" tcpKeepalive: probes: 10 port: 10083 - destination: - name: "tcp-route-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 + routes: + - destination: + name: "tcp-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-tcp-without-route.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-without-route.yaml new file mode 100644 index 00000000000..cc24bfbdf00 --- /dev/null 
+++ b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-without-route.yaml @@ -0,0 +1,17 @@ +tcp: +- address: 0.0.0.0 + connection: + bufferLimit: 50000000 + limit: + closeDelay: 10s + value: 3 + enableProxyProtocol: true + name: envoy-gateway/gateway-1/tls-1 + port: 10443 + tcpKeepalive: + idleTime: 1200 + interval: 60 + probes: 3 + timeout: + tcp: + idleTimeout: 20m0s diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml index 60176773c96..1bbe5a43371 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml @@ -5,11 +5,12 @@ tcp: - name: "tcp-route-enable-endpoint-stats" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml index 6d5d7fac73c..5c3cd2be7a0 100644 --- a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml @@ -5,11 +5,12 @@ tcp: - name: "tcp-route-enable-req-resp-sizes-stats" address: "0.0.0.0" port: 10080 - destination: - name: "tcp-route-simple-dest" - settings: - - endpoints: - - host: "1.2.3.4" - port: 50000 - - host: "5.6.7.8" - port: 50001 + routes: + - destination: + name: "tcp-route-simple-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50000 + - host: "5.6.7.8" + port: 50001 
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index cdbb352dd54..a6d3c9e969b 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -1,3 +1,39 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: http-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: http-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tcp-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS - circuitBreakers: thresholds: - maxRetries: 1024 diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.endpoints.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.endpoints.yaml index 8869685de5e..9308c055cfe 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.endpoints.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.endpoints.yaml 
@@ -1,3 +1,27 @@ +- clusterName: http-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: http-route-dest/backend/0 +- clusterName: tcp-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-dest/backend/0 - clusterName: udp-route-dest endpoints: - lbEndpoints: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml index 6901c9c7810..6fbaf5053ec 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml @@ -30,6 +30,13 @@ statPrefix: http-10080 useRemoteAddress: true name: envoy-gateway/gateway-1/http1 + filterChains: + - filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-dest + statPrefix: tcp-10080 name: envoy-gateway/gateway-1/http1 perConnectionBufferLimitBytes: 32768 statPrefix: envoy-gateway/gateway-1/http1 diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.routes.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.routes.yaml index b03ec37faa6..bfcb22e483f 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.routes.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.routes.yaml 
@@ -1,2 +1,14 @@ - ignorePortInHostMatching: true name: envoy-gateway/gateway-1/http1 + virtualHosts: + - domains: + - '*' + name: envoy-gateway/gateway-1/http1/* + routes: + - match: + prefix: / + name: http-route + route: + cluster: http-route-dest + upgradeConfigs: + - upgradeType: websocket diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index 820f85f625b..ddded90e04f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -34,3 +34,39 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tls-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tcp-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.endpoints.yaml index de95bf555b9..5b4fe89e58c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.endpoints.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.endpoints.yaml @@ -22,3 +22,27 @@ loadBalancingWeight: 1 locality: region: second-route-dest/backend/0 +- clusterName: tls-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tls-route-dest/backend/0 +- clusterName: tcp-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml index 49a4bf7dc21..565878b1597 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml 
@@ -75,11 +75,43 @@ socketAddress: address: 0.0.0.0 portValue: 10082 + filterChains: + - filterChainMatch: + serverNames: + - bar.com + filters: + - name: envoy.filters.network.connection_limit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit + maxConnections: "3" + statPrefix: tls-passthrough-10082 + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tls-route-dest + statPrefix: tls-passthrough-10082 + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector name: third-listener perConnectionBufferLimitBytes: 32768 - address: socketAddress: address: 0.0.0.0 portValue: 10083 + filterChains: + - filters: + - name: envoy.filters.network.connection_limit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit + delay: 3s + maxConnections: "10" + statPrefix: tcp-10083 + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-dest + statPrefix: tcp-10083 name: fourth-listener perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index 820f85f625b..ddded90e04f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml 
@@ -34,3 +34,39 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tls-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tls-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tcp-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml index de95bf555b9..5b4fe89e58c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.endpoints.yaml @@ -22,3 +22,27 @@ loadBalancingWeight: 1 locality: region: second-route-dest/backend/0 +- clusterName: tls-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tls-route-dest/backend/0 +- clusterName: tcp-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-dest/backend/0 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml index 11f91b65a34..06e77d90262 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml @@ -92,6 +92,20 @@ socketAddress: address: 0.0.0.0 portValue: 10082 + filterChains: + - filterChainMatch: + serverNames: + - bar.com + filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tls-route-dest + statPrefix: tls-passthrough-10082 + listenerFilters: + - name: envoy.filters.listener.tls_inspector + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector name: third-listener perConnectionBufferLimitBytes: 32768 socketOptions: @@ -103,6 +117,13 @@ socketAddress: address: 0.0.0.0 portValue: 10083 + filterChains: + - filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-dest + statPrefix: tcp-10083 name: fourth-listener perConnectionBufferLimitBytes: 32768 socketOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.clusters.yaml new file mode 100644 index 00000000000..0764d46f0ed --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.clusters.yaml @@ -0,0 +1,2 @@ +- name: EmptyCluster + type: STATIC diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.endpoints.yaml new file mode 100644 index 00000000000..fe51488c706 
--- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.endpoints.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml new file mode 100644 index 00000000000..6539e7588ec --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml @@ -0,0 +1,42 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10443 + filterChains: + - filters: + - name: envoy.filters.network.connection_limit + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit + delay: 10s + maxConnections: "3" + statPrefix: tcp-10443 + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: EmptyCluster + idleTimeout: 1200s + statPrefix: tcp-10443 + name: EmptyCluster + listenerFilters: + - name: envoy.filters.listener.proxy_protocol + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol + name: envoy-gateway/gateway-1/tls-1 + perConnectionBufferLimitBytes: 50000000 + socketOptions: + - description: socket option to enable tcp keep alive + intValue: "1" + level: "1" + name: "9" + - description: socket option for keep alive probes + intValue: "3" + level: "6" + name: "6" + - description: socket option for keep alive idle time + intValue: "1200" + level: "6" + name: "4" + - description: socket option for keep alive interval + intValue: "60" + level: "6" + name: "5" diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.routes.yaml new file mode 100644 index 00000000000..fe51488c706 --- /dev/null 
+++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.routes.yaml @@ -0,0 +1 @@ +[] diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml index fe51488c706..c341dab16a6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml @@ -1 +1,20 @@ -[] +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tcp-route-simple-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + perEndpointStats: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.endpoints.yaml index fe51488c706..7eb06a08f40 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.endpoints.yaml @@ -1 +1,18 @@ -[] +- clusterName: tcp-route-simple-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + - endpoint: + address: + socketAddress: + address: 5.6.7.8 + portValue: 50001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-simple-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml index 2e300bdfaad..001e0b017d3 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml @@ -2,5 +2,12 @@ socketAddress: address: 0.0.0.0 portValue: 10080 + filterChains: + - filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-simple-dest + statPrefix: tcp-10080 name: tcp-route-enable-endpoint-stats perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml index fe51488c706..5e82e21cc85 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -1 +1,20 @@ -[] +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: tcp-route-simple-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: tcp-route-simple-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + trackClusterStats: + requestResponseSizes: true + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml index fe51488c706..7eb06a08f40 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.endpoints.yaml 
@@ -1 +1,18 @@ -[] +- clusterName: tcp-route-simple-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50000 + loadBalancingWeight: 1 + - endpoint: + address: + socketAddress: + address: 5.6.7.8 + portValue: 50001 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: tcp-route-simple-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml index 994341e55ec..ec70a00f0ed 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml @@ -2,5 +2,12 @@ socketAddress: address: 0.0.0.0 portValue: 10080 + filterChains: + - filters: + - name: envoy.filters.network.tcp_proxy + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + cluster: tcp-route-simple-dest + statPrefix: tcp-10080 name: tcp-route-enable-req-resp-sizes-stats perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 27c0d3c5a04..c06c7195d7c 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -39,7 +39,11 @@ var ( ErrXdsSecretExists = errors.New("xds secret exists") ) -const AuthorityHeaderKey = ":authority" +const ( + AuthorityHeaderKey = ":authority" + // The dummy cluster for TCP listeners that have no routes + emptyClusterName = "EmptyCluster" +) // Translator translates the xDS IR into xDS resources. type Translator struct { 
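Review bot: In the new const block of translator.go, the comment on `emptyClusterName` does not start with the identifier, and the exported `AuthorityHeaderKey` next to it has no comment at all. Suggested wording is `// emptyClusterName is the placeholder cluster referenced by TCP listeners that have no routes.` and `// AuthorityHeaderKey is the HTTP/2 pseudo-header that carries the request authority.` Because the name is emitted into xDS as-is, the comment could also say that `EmptyCluster` is effectively reserved and must not collide with a cluster name generated from user resources.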
@@ -627,6 +631,31 @@ func (t *Translator) processTCPListenerXdsTranslation( errs = errors.Join(errs, err) } } + + // If there are no routes, add a route without a destination to the listener to create a filter chain + // This is needed because Envoy requires a filter chain to be present in the listener, otherwise it will reject the listener and report a warning + if len(tcpListener.Routes) == 0 { + emptyRouteCluster := &clusterv3.Cluster{ + Name: emptyClusterName, + ClusterDiscoveryType: &clusterv3.Cluster_Type{Type: clusterv3.Cluster_STATIC}, + } + + if findXdsCluster(tCtx, emptyClusterName) == nil { + if err := tCtx.AddXdsResource(resourcev3.ClusterType, emptyRouteCluster); err != nil { + errs = errors.Join(errs, err) + } + } + + emptyRoute := &ir.TCPRoute{ + Name: emptyClusterName, + Destination: &ir.RouteDestination{ + Name: emptyClusterName, + }, + } + if err := addXdsTCPFilterChain(xdsListener, emptyRoute, emptyClusterName, accesslog, tcpListener.Timeout, tcpListener.Connection); err != nil { + errs = errors.Join(errs, err) + } + } } return errs } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 8c68e85d4d0..bfbed17a9d0 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -14,8 +14,8 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Add a bug fix here Fixed failed to update SecurityPolicy resources with the `backendRef` field specified + Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes # Enhancements that improve performance. performance improvements: | From 86d750a16b9a3aeaa01f1e2ed2bfea0c5fc6d4c7 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 20 Nov 2024 10:24:31 +0800 Subject: [PATCH 415/523] fix: translator reports errors for existing clusters and secretes (#4707) * fix: existing clusters and secretes Signed-off-by: Huabing Zhao * fix cluster index for SP Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change 
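Review bot: In the no-routes branch added to processTCPListenerXdsTranslation, addXdsTCPFilterChain is still called after AddXdsResource for the placeholder cluster has failed, so the listener can end up with a tcp_proxy that names a cluster which was never emitted; consider skipping the filter chain when that error occurs. `emptyRouteCluster` is also built before the `findXdsCluster(tCtx, emptyClusterName) == nil` check and thrown away whenever the cluster already exists, so its construction can move inside that branch. The comment explains why Envoy needs a filter chain but not what a client sees; the listener-tcp-without-route fixtures show a STATIC cluster with no endpoints, so presumably something like `// The listener still binds and accepts connections; tcp_proxy has no upstream host, so they are closed.` would help operators who find the port open. The function starts outside this hunk.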
Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * add comment Signed-off-by: Huabing Zhao * remove index Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- internal/gatewayapi/envoyextensionpolicy.go | 2 +- internal/gatewayapi/ext_service.go | 9 +- internal/gatewayapi/securitypolicy.go | 18 +-- ...yextensionpolicy-override-replace.out.yaml | 4 +- ...ith-extproc-with-backendtlspolicy.out.yaml | 4 +- ...extproc-with-multiple-backendrefs.out.yaml | 2 +- ...ith-extproc-with-traffic-features.out.yaml | 2 +- .../envoyproxy-priority-backend.out.yaml | 2 +- ...curitypolicy-with-extauth-backend.out.yaml | 8 +- ...itypolicy-with-extauth-backendref.out.yaml | 6 +- ...policy-with-extauth-recomputation.out.yaml | 4 +- ...ith-extauth-with-backendtlspolicy.out.yaml | 4 +- .../securitypolicy-with-extauth.out.yaml | 6 +- ...typolicy-with-oidc-backendcluster.out.yaml | 2 +- internal/xds/translator/accesslog.go | 5 +- internal/xds/translator/extauth.go | 6 +- internal/xds/translator/extproc.go | 3 +- internal/xds/translator/oidc.go | 9 +- internal/xds/translator/ratelimit.go | 9 +- .../securitypolicy-with-oidc-jwt-authz.yaml | 80 +++++++++++++ ...typolicy-with-oidc-jwt-authz.clusters.yaml | 54 +++++++++ ...ypolicy-with-oidc-jwt-authz.endpoints.yaml | 12 ++ ...ypolicy-with-oidc-jwt-authz.listeners.yaml | 107 ++++++++++++++++++ ...ritypolicy-with-oidc-jwt-authz.routes.yaml | 74 ++++++++++++ ...itypolicy-with-oidc-jwt-authz.secrets.yaml | 8 ++ internal/xds/translator/tracing.go | 8 +- internal/xds/translator/translator.go | 31 +++-- internal/xds/translator/utils.go | 13 +-- release-notes/current.yaml | 1 + 29 files changed, 403 insertions(+), 90 deletions(-) create mode 100644 internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml create mode 100644 
internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.secrets.yaml diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index 64e0f9e9a2a..bb5da8be140 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go @@ -434,7 +434,7 @@ func (t *Translator) buildExtProc( err error ) - if rd, err = t.translateExtServiceBackendRefs(policy, extProc.BackendRefs, ir.GRPC, resources, envoyProxy, extProcIdx); err != nil { + if rd, err = t.translateExtServiceBackendRefs(policy, extProc.BackendRefs, ir.GRPC, resources, envoyProxy, "extproc", extProcIdx); err != nil { return nil, err } diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index e7ab19036ee..39bd5aebe47 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -29,6 +29,7 @@ func (t *Translator) translateExtServiceBackendRefs( protocol ir.AppProtocol, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, + configType string, index int, // index is used to differentiate between multiple external services in the same policy ) (*ir.RouteDestination, error) { var ( @@ -66,7 +67,7 @@ func (t *Translator) translateExtServiceBackendRefs( } rs = &ir.RouteDestination{ - Name: irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, index), + Name: irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index), Settings: ds, } return rs, nil 
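Review bot: The new `configType` argument of translateExtServiceBackendRefs is passed as a bare string literal at every call site: `"extproc"` in buildExtProc here, and `"oidc"` and `"extauth"` in the securitypolicy.go hunks further down. This value is the only thing that keeps the OIDC and ext-auth destinations of one SecurityPolicy from getting the same name, so a typo or a reused literal would silently bring the collision back and could point one feature's traffic at the other's backend cluster. Package-level constants such as `const extServiceTypeExtAuth = "extauth"` (one per type) would make the set of valid values explicit. The parameter also has no comment, while `index` beside it does; `configType string, // distinguishes destinations of different features within the same policy` would match. buildExtProc and translateExtServiceBackendRefs both extend beyond their hunks.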
@@ -139,12 +140,12 @@ func (t *Translator) processExtServiceDestination( return ds, nil } -// TODO: also refer to extension type, as Wasm may also introduce destinations -func irIndexedExtServiceDestinationName(policyNamespacedName types.NamespacedName, policyKind string, idx int) string { +func irIndexedExtServiceDestinationName(policyNamespacedName types.NamespacedName, policyKind string, configType string, idx int) string { return strings.ToLower(fmt.Sprintf( - "%s/%s/%s/%d", + "%s/%s/%s/%s/%d", policyKind, policyNamespacedName.Namespace, policyNamespacedName.Name, + configType, idx)) } diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 8635d216457..3219f816da5 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -373,8 +373,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if extAuth, err = t.buildExtAuth( policy, resources, - gtwCtx.envoyProxy, - ); err != nil { + gtwCtx.envoyProxy); err != nil { err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } @@ -385,7 +384,7 @@ func (t *Translator) translateSecurityPolicyForRoute( if oidc, err = t.buildOIDC( policy, resources, - gtwCtx.envoyProxy); err != nil { + gtwCtx.envoyProxy); err != nil { // TODO zhaohuabing: Only the last EnvoyProxy is used err = perr.WithMessage(err, "OIDC") errs = errors.Join(errs, err) } @@ -468,8 +467,7 @@ func (t *Translator) translateSecurityPolicyForGateway( if extAuth, err = t.buildExtAuth( policy, resources, - gateway.envoyProxy, - ); err != nil { + gateway.envoyProxy); err != nil { err = perr.WithMessage(err, "ExtAuth") errs = errors.Join(errs, err) } 
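Review bot: irIndexedExtServiceDestinationName loses its TODO in this hunk but gets no doc comment in return, although the string it builds is now a five-part identifier that other code and the golden files depend on. A short comment would record the contract, for example `// irIndexedExtServiceDestinationName returns "<kind>/<namespace>/<name>/<configType>/<idx>", lowercased;` followed by `// configType keeps destinations of different features in one policy from sharing a name.` Since `configType` goes into the name unvalidated, it is worth noting in that comment that the value must not contain `/`, so the segments stay unambiguous.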
@@ -705,7 +703,7 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources } if len(provider.BackendRefs) > 0 { - if rd, err = t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, resources, envoyProxy, 0); err != nil { + if rd, err = t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, resources, envoyProxy, "oidc", 0); err != nil { return nil, err } } @@ -839,7 +837,11 @@ func (t *Translator) buildBasicAuth( }, nil } -func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.ExtAuth, error) { +func (t *Translator) buildExtAuth( + policy *egv1a1.SecurityPolicy, + resources *resource.Resources, + envoyProxy *egv1a1.EnvoyProxy, +) (*ir.ExtAuth, error) { var ( http = policy.Spec.ExtAuth.HTTP grpc = policy.Spec.ExtAuth.GRPC @@ -893,7 +895,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso } } - if rd, err = t.translateExtServiceBackendRefs(policy, backendRefs, protocol, resources, envoyProxy, 0); err != nil { + if rd, err = t.translateExtServiceBackendRefs(policy, backendRefs, protocol, resources, envoyProxy, "extauth", 0); err != nil { return nil, err } diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml index 4f055e7bc4d..2c6b006af93 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml @@ -296,7 +296,7 @@ xdsIR: extProcs: - authority: grpc-backend-2.default:8000 destination: - name: envoyextensionpolicy/default/policy-for-route-1/0 + name: envoyextensionpolicy/default/policy-for-route-1/extproc/0 settings: - protocol: GRPC weight: 1 
@@ -325,7 +325,7 @@ xdsIR: extProcs: - authority: grpc-backend.envoy-gateway:9000 destination: - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0 + name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0 settings: - protocol: GRPC weight: 1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 6b9ad5ee281..a1d7beec90b 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -308,7 +308,7 @@ xdsIR: extProcs: - authority: grpc-backend-2.default:9000 destination: - name: envoyextensionpolicy/default/policy-for-http-route/0 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 settings: - addressType: IP endpoints: @@ -349,7 +349,7 @@ xdsIR: extProcs: - authority: grpc-backend.envoy-gateway:8000 destination: - name: envoyextensionpolicy/default/policy-for-gateway/0 + name: envoyextensionpolicy/default/policy-for-gateway/extproc/0 settings: - addressType: IP protocol: GRPC diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index 021ae6a2cd5..a81a7cd4410 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -308,7 +308,7 @@ xdsIR: extProcs: - authority: grpc-backend.envoy-gateway:8000 destination: - name: envoyextensionpolicy/default/policy-for-http-route/0 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 settings: - addressType: IP protocol: GRPC 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 4edde355292..21fb5de6103 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -337,7 +337,7 @@ xdsIR: extProcs: - authority: grpc-backend.envoy-gateway:8000 destination: - name: envoyextensionpolicy/default/policy-for-http-route/0 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 settings: - addressType: IP protocol: GRPC diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index fda9d4ccca9..426268f6340 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -311,7 +311,7 @@ xdsIR: extProcs: - authority: grpc-backend.envoy-gateway:8000 destination: - name: envoyextensionpolicy/default/policy-for-http-route/0 + name: envoyextensionpolicy/default/policy-for-http-route/extproc/0 settings: - addressType: IP protocol: GRPC diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index d304f6c13eb..ccdb2458370 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -390,7 +390,7 @@ xdsIR: grpc: authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: 
@@ -434,7 +434,7 @@ xdsIR: grpc: authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -498,7 +498,7 @@ xdsIR: grpc: authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-3--grpc-backendref/0 + name: securitypolicy/default/policy-for-http-route-3--grpc-backendref/extauth/0 settings: - addressType: IP endpoints: @@ -532,7 +532,7 @@ xdsIR: http: authority: primary.foo.com:3000 destination: - name: securitypolicy/default/policy-for-http-route-3-http-backendref/0 + name: securitypolicy/default/policy-for-http-route-3-http-backendref/extauth/0 settings: - addressType: FQDN endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index 905b81b3cba..d72cd182896 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml @@ -263,7 +263,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -301,7 +301,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -339,7 +339,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway-1/0 + name: securitypolicy/default/policy-for-gateway-1/extauth/0 settings: - addressType: IP endpoints: 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml index 94012ec739a..350fc8e908b 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml @@ -246,7 +246,7 @@ xdsIR: grpc: authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -291,7 +291,7 @@ xdsIR: grpc: authority: service-2.default:8080 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index 7c4b2ce2739..b87c7992c90 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -322,7 +322,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route/0 + name: securitypolicy/default/policy-for-http-route/extauth/0 settings: - addressType: IP endpoints: @@ -366,7 +366,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway/0 + name: securitypolicy/default/policy-for-gateway/extauth/0 settings: - addressType: IP endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index 905b81b3cba..d72cd182896 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -263,7 +263,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -301,7 +301,7 @@ xdsIR: grpc: authority: grpc-backend.default:9000 destination: - name: securitypolicy/default/policy-for-http-route-1/0 + name: securitypolicy/default/policy-for-http-route-1/extauth/0 settings: - addressType: IP endpoints: @@ -339,7 +339,7 @@ xdsIR: http: authority: http-backend.envoy-gateway:80 destination: - name: securitypolicy/default/policy-for-gateway-1/0 + name: securitypolicy/default/policy-for-gateway-1/extauth/0 settings: - addressType: IP endpoints: diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index eb518ba7c3c..d878bcdb505 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -228,7 +228,7 @@ xdsIR: provider: authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth destination: - name: securitypolicy/envoy-gateway/policy-for-gateway/0 + name: securitypolicy/envoy-gateway/policy-for-gateway/oidc/0 settings: - addressType: FQDN endpoints: diff --git a/internal/xds/translator/accesslog.go b/internal/xds/translator/accesslog.go index 076eb659d83..265e3ed8a9c 100644 --- a/internal/xds/translator/accesslog.go +++ b/internal/xds/translator/accesslog.go @@ -6,7 +6,6 @@ package translator import ( - "errors" "sort" "strings" 
@@ -545,7 +544,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL backendConnection: traffic.BackendConnection, dns: traffic.DNS, http2Settings: traffic.HTTP2, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { + }); err != nil { return err } } @@ -573,7 +572,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL backendConnection: traffic.BackendConnection, dns: traffic.DNS, http2Settings: traffic.HTTP2, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { + }); err != nil { return err } } diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 7d7cc6a7227..2f8766fe91c 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -226,14 +226,12 @@ func (*extAuth) patchResources(tCtx *types.ResourceVersionTable, } if route.Security.ExtAuth.HTTP != nil { if err := createExtServiceXDSCluster( - &route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is( - err, ErrXdsClusterExists) { + &route.Security.ExtAuth.HTTP.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil { errs = errors.Join(errs, err) } } else { if err := createExtServiceXDSCluster( - &route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil && !errors.Is( - err, ErrXdsClusterExists) { + &route.Security.ExtAuth.GRPC.Destination, route.Security.ExtAuth.Traffic, tCtx); err != nil { errs = errors.Join(errs, err) } } diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go index 2bc6c4b6ba6..57cc9634d09 100644 --- a/internal/xds/translator/extproc.go +++ b/internal/xds/translator/extproc.go 
@@ -173,8 +173,7 @@ func (*extProc) patchResources(tCtx *types.ResourceVersionTable, for i := range route.EnvoyExtensions.ExtProcs { ep := route.EnvoyExtensions.ExtProcs[i] if err := createExtServiceXDSCluster( - &ep.Destination, ep.Traffic, tCtx); err != nil && !errors.Is( - err, ErrXdsClusterExists) { + &ep.Destination, ep.Traffic, tCtx); err != nil { errs = errors.Join(errs, err) } } diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index a706cae662f..c51bbd75499 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -310,8 +310,7 @@ func createOAuthServerClusters(tCtx *types.ResourceVersionTable, // If the OIDC provider has a destination, use it. if oidc.Provider.Destination != nil && len(oidc.Provider.Destination.Settings) > 0 { if err := createExtServiceXDSCluster( - oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil && !errors.Is( - err, ErrXdsClusterExists) { + oidc.Provider.Destination, oidc.Provider.Traffic, tCtx); err != nil { errs = errors.Join(errs, err) } } else { @@ -372,11 +371,7 @@ func createOAuth2TokenEndpointCluster(tCtx *types.ResourceVersionTable, clusterArgs.tSocket = tSocket } - if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - - return err + return addXdsCluster(tCtx, clusterArgs) } // createOAuth2Secrets creates OAuth2 client and HMAC secrets from the provided diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 06b37bc4589..eb6a1c4a2cd 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -7,7 +7,6 @@ package translator import ( "bytes" - "errors" "net/url" "strconv" "strings" 
@@ -492,17 +491,13 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa return err } - if err := addXdsCluster(tCtx, &xdsClusterArgs{ + return addXdsCluster(tCtx, &xdsClusterArgs{ name: clusterName, settings: []*ir.DestinationSetting{ds}, tSocket: tSocket, endpointType: EndpointTypeDNS, metrics: metrics, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - - return nil + }) } func getRouteRuleDescriptor(ruleIndex, matchIndex int) string { diff --git a/internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml b/internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml new file mode 100644 index 00000000000..fffcb7fd8bd --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/securitypolicy-with-oidc-jwt-authz.yaml 
@@ -0,0 +1,80 @@ +http: +- name: "envoy-gateway/gateway-1/http" + address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.example.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + pathMatch: + distinct: false + name: "" + prefix: /foo + security: + authorization: + defaultAction: Deny + rules: + - action: Allow + name: allow + principal: + jwt: + claims: + - name: groups + valueType: StringArray + values: + - foobar + provider: exjwt + jwt: + providers: + - claimToHeaders: + - claim: email + header: x-user-email + extractFrom: + cookies: + - IdToken + issuer: https://oidc.example.com/auth/realms/example + name: exjwt + remoteJWKS: + uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs + oidc: + clientID: prometheus + clientSecret: '[redacted]' + cookieNameOverrides: + idToken: IdToken + cookieSuffix: 5f93c2e4 + hmacSecret: '[redacted]' + logoutPath: /logout + name: securitypolicy/default/policy-for-http-route + provider: + authorizationEndpoint: https://oidc.example.com/authorize + tokenEndpoint: https://oidc.example.com/oauth/token + redirectPath: /oauth2/callback + redirectURL: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback' + scopes: + - openid + - email + - profile diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml new file mode 100644 index 00000000000..1535201f87b --- /dev/null 
+++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml @@ -0,0 +1,54 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: oidc_example_com_443 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: oidc.example.com + portValue: 443 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: oidc_example_com_443/backend/0 + name: oidc_example_com_443 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + validationContext: + trustedCa: + filename: /etc/ssl/certs/ca-certificates.crt + sni: oidc.example.com + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml new file mode 100644 index 00000000000..29bb6b4e444 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.endpoints.yaml 
@@ -0,0 +1,12 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml new file mode 100644 index 00000000000..ada9749df63 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml 
@@ -0,0 +1,107 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 + config: + authScopes: + - openid + - email + - profile + authType: BASIC_AUTH + authorizationEndpoint: https://oidc.example.com/authorize + credentials: + clientId: prometheus + cookieNames: + bearerToken: AccessToken-5f93c2e4 + idToken: IdToken + oauthExpires: OauthExpires-5f93c2e4 + oauthHmac: OauthHMAC-5f93c2e4 + oauthNonce: OauthNonce-5f93c2e4 + refreshToken: RefreshToken-5f93c2e4 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/default/policy-for-http-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + preserveAuthorizationHeader: true + redirectPathMatcher: + path: + exact: /oauth2/callback + redirectUri: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback' + signoutPath: + path: + exact: /logout + tokenEndpoint: + cluster: oidc_example_com_443 + timeout: 10s + uri: https://oidc.example.com/oauth/token + useRefreshToken: false + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt: + claimToHeaders: + - claimName: email + headerName: 
x-user-email + forward: true + fromCookies: + - IdToken + issuer: https://oidc.example.com/auth/realms/example + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: exjwt + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: oidc_example_com_443 + timeout: 10s + uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs + retryPolicy: {} + requirementMap: + httproute/default/httproute-1/rule/0/match/0/www_example_com: + providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt + - name: envoy.filters.http.rbac + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: envoy-gateway/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: envoy-gateway/gateway-1/http + name: envoy-gateway/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml new file mode 100644 index 00000000000..9c66aad8e61 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml 
@@ -0,0 +1,74 @@ +- ignorePortInHostMatching: true + name: envoy-gateway/gateway-1/http + virtualHosts: + - domains: + - www.example.com + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: envoy-gateway + sectionName: http + name: envoy-gateway/gateway-1/http/www_example_com + routes: + - match: + pathSeparatedPrefix: /foo + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_example_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com + envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + envoy.filters.http.rbac: + '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute + rbac: + matcher: + matcherList: + matchers: + - onMatch: + action: + name: allow + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + name: ALLOW + predicate: + singlePredicate: + customMatch: + name: claim_matcher + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata + value: + listMatch: + oneOf: + stringMatch: + exact: foobar + input: + name: claim + typedConfig: + '@type': type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput + filter: envoy.filters.http.jwt_authn + path: + - key: exjwt + - key: groups + onNoMatch: + action: + name: default + typedConfig: + '@type': type.googleapis.com/envoy.config.rbac.v3.Action + action: DENY + name: DENY 
diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.secrets.yaml new file mode 100644 index 00000000000..8e76f23ccd3 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.secrets.yaml @@ -0,0 +1,8 @@ +- genericSecret: + secret: + inlineBytes: W3JlZGFjdGVkXQ== + name: oauth2/client_secret/securitypolicy/default/policy-for-http-route +- genericSecret: + secret: + inlineBytes: W3JlZGFjdGVkXQ== + name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route diff --git a/internal/xds/translator/tracing.go b/internal/xds/translator/tracing.go index 3e817bad1bf..ee3f4f5e907 100644 --- a/internal/xds/translator/tracing.go +++ b/internal/xds/translator/tracing.go @@ -6,7 +6,6 @@ package translator import ( - "errors" "fmt" "sort" @@ -176,7 +175,7 @@ func processClusterForTracing(tCtx *types.ResourceVersionTable, tracing *ir.Trac if traffic == nil { traffic = &ir.TrafficFeatures{} } - if err := addXdsCluster(tCtx, &xdsClusterArgs{ + return addXdsCluster(tCtx, &xdsClusterArgs{ name: tracing.Destination.Name, settings: tracing.Destination.Settings, tSocket: nil, @@ -191,8 +190,5 @@ func processClusterForTracing(tCtx *types.ResourceVersionTable, tracing *ir.Trac backendConnection: traffic.BackendConnection, dns: traffic.DNS, http2Settings: traffic.HTTP2, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - return nil + }) } diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index c06c7195d7c..29bc7d2f5ff 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go 
@@ -34,11 +34,6 @@ import ( "github.com/envoyproxy/gateway/internal/xds/types" ) -var ( - ErrXdsClusterExists = errors.New("xds cluster exists") - ErrXdsSecretExists = errors.New("xds secret exists") -) - const ( AuthorityHeaderKey = ":authority" // The dummy cluster for TCP listeners that have no routes @@ -491,7 +486,7 @@ func (t *Translator) addRouteToRouteConfig( tSocket: nil, endpointType: EndpointTypeStatic, metrics: metrics, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { + }); err != nil { errs = errors.Join(errs, err) } } @@ -602,7 +597,7 @@ func (t *Translator) processTCPListenerXdsTranslation( patchProxyProtocolFilter(xdsListener, tcpListener.EnableProxyProtocol) for _, route := range tcpListener.Routes { - if err := processXdsCluster(tCtx, &TCPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil && !errors.Is(err, ErrXdsClusterExists) { + if err := processXdsCluster(tCtx, &TCPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil { errs = errors.Join(errs, err) } if route.TLS != nil && route.TLS.Terminate != nil { @@ -689,7 +684,7 @@ func processUDPListenerXdsTranslation( } // 1:1 between IR UDPRoute and xDS Cluster - if err := processXdsCluster(tCtx, &UDPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil && !errors.Is(err, ErrXdsClusterExists) { + if err := processXdsCluster(tCtx, &UDPRouteTranslator{route}, &ExtraArgs{metrics: metrics}); err != nil { errs = errors.Join(errs, err) } } 
@@ -783,10 +778,7 @@ func findXdsEndpoint(tCtx *types.ResourceVersionTable, name string) *endpointv3. // processXdsCluster processes xds cluster with args per route. func processXdsCluster(tCtx *types.ResourceVersionTable, route clusterArgs, extras *ExtraArgs) error { - if err := addXdsCluster(tCtx, route.asClusterArgs(extras)); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - return nil + return addXdsCluster(tCtx, route.asClusterArgs(extras)) } // findXdsSecret finds a xds secret with the same name, and returns nil if there is no match. @@ -805,10 +797,12 @@ func findXdsSecret(tCtx *types.ResourceVersionTable, name string) *tlsv3.Secret return nil } +// addXdsSecret adds a xds secret with args. +// If the secret already exists, it skips adding the secret and returns nil func addXdsSecret(tCtx *types.ResourceVersionTable, secret *tlsv3.Secret) error { - // Return early if cluster with the same name exists + // Return early if secret with the same name exists if c := findXdsSecret(tCtx, secret.Name); c != nil { - return ErrXdsSecretExists + return nil } if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil { 
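Review bot: The new doc comment on addXdsSecret says an existing secret is skipped, but it does not state what callers must guarantee for that to be safe. The lookup is by `secret.Name` only, so if two callers ever pass different material under one name, the second is dropped and `nil` is returned with no signal. I would record the contract next to the early return, for example `// Callers must derive secret.Name from the owning resource, so a secret with the same name always carries the same material; a mismatch is not detected here.` The local is also still named `c` from the cluster code this was copied from, and `s` would read better. The function body continues outside the hunk.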
@@ -817,10 +811,15 @@ func addXdsSecret(tCtx *types.ResourceVersionTable, secret *tlsv3.Secret) error return nil } +// addXdsCluster adds a xds cluster with args. +// If the cluster already exists, it skips adding the cluster and returns nil. func addXdsCluster(tCtx *types.ResourceVersionTable, args *xdsClusterArgs) error { - // Return early if cluster with the same name exists + // Return early if cluster with the same name exists. + // All the current callers can all safely assume the xdsClusterArgs is the same for the clusters with the same name. + // If this assumption changes, the callers should call findXdsCluster first to check if the cluster already exists + // before calling addXdsCluster. if c := findXdsCluster(tCtx, args.name); c != nil { - return ErrXdsClusterExists + return nil } xdsCluster := buildXdsCluster(args) diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go index 23d455edd9c..882d9b1e926 100644 --- a/internal/xds/translator/utils.go +++ b/internal/xds/translator/utils.go @@ -133,7 +133,6 @@ func createExtServiceXDSCluster(rd *ir.RouteDestination, traffic *ir.TrafficFeat var ( endpointType EndpointType tSocket *corev3.TransportSocket - err error ) // Make sure that there are safe defaults for the traffic @@ -148,7 +147,7 @@ func createExtServiceXDSCluster(rd *ir.RouteDestination, traffic *ir.TrafficFeat } else { endpointType = EndpointTypeStatic } - if err = addXdsCluster(tCtx, &xdsClusterArgs{ + return addXdsCluster(tCtx, &xdsClusterArgs{ name: rd.Name, settings: rd.Settings, tSocket: tSocket, @@ -162,10 +161,7 @@ func createExtServiceXDSCluster(rd *ir.RouteDestination, traffic *ir.TrafficFeat endpointType: endpointType, dns: traffic.DNS, http2Settings: traffic.HTTP2, - }); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - return nil + }) } // addClusterFromURL adds a cluster to the resource version table from the provided URL. 
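Review bot: In addXdsCluster the early return is keyed on `args.name` alone, so a second caller that passes a different `tSocket` or `settings` under an existing name now has its arguments discarded silently; the added comment documents this as an assumption but nothing enforces it. The case to watch is a cluster whose name appears to come from a URL host and port (the new testdata shares `oidc_example_com_443` between the OAuth2 token endpoint and the JWT remote JWKS fetch): if two callers disagreed on TLS for such a name, whichever ran first would decide how both connect. I would make the assumption checkable by building the cluster before the lookup and failing on a mismatch, roughly `if c := findXdsCluster(tCtx, args.name); c != nil { if !proto.Equal(c, xdsCluster) { return fmt.Errorf("xds cluster %q already exists with different settings", args.name) }; return nil }`. This presumes buildXdsCluster returns the proto message, and that no caller patches a cluster after it has been added; both need confirming, since the function body and the file's imports are outside the hunk.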
@@ -198,8 +194,5 @@ func addClusterFromURL(url string, tCtx *types.ResourceVersionTable) error { clusterArgs.tSocket = tSocket } - if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) { - return err - } - return nil + return addXdsCluster(tCtx, clusterArgs) } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfbed17a9d0..7ede985b9d7 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -16,6 +16,7 @@ new features: | bug fixes: | Fixed failed to update SecurityPolicy resources with the `backendRef` field specified Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes + Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname # Enhancements that improve performance. performance improvements: | From a924cec6cc3a1d8cb78be06b61b6d238472c199b Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 20 Nov 2024 11:51:43 +0800 Subject: [PATCH 416/523] xds: use Cluster_AUTO DnsLookupFamily (#4740) * xds: use Cluster_AUTO DnsLookupFamily Signed-off-by: zirain * nit Signed-off-by: zirain * gen Signed-off-by: zirain --------- 
Signed-off-by: zirain --- .../translate/out/default-resources.all.yaml | 5 ----- .../translate/out/echo-gateway-api.cluster.yaml | 1 - .../translate/out/from-gateway-api-to-xds.all.json | 5 ----- .../translate/out/from-gateway-api-to-xds.all.yaml | 5 ----- .../out/from-gateway-api-to-xds.cluster.yaml | 5 ----- .../jwt-single-route-single-match-to-xds.all.json | 2 -- .../jwt-single-route-single-match-to-xds.all.yaml | 2 -- ...wt-single-route-single-match-to-xds.cluster.yaml | 2 -- .../translate/out/no-service-cluster-ip.all.yaml | 1 - internal/xds/translator/cluster.go | 13 ++++++++++--- .../extensionpolicy-tcp-udp-http.clusters.yaml | 3 --- .../http-route-extension-filter.clusters.yaml | 1 - .../out/extension-xds-ir/http-route.clusters.yaml | 1 - .../out/xds-ir/accesslog-als-tcp.clusters.yaml | 1 - .../testdata/out/xds-ir/accesslog-cel.clusters.yaml | 2 -- .../xds-ir/accesslog-endpoint-stats.clusters.yaml | 2 -- .../out/xds-ir/accesslog-formatters.clusters.yaml | 2 -- .../out/xds-ir/accesslog-multi-cel.clusters.yaml | 2 -- .../out/xds-ir/accesslog-types.clusters.yaml | 10 ---------- .../xds-ir/accesslog-without-format.clusters.yaml | 3 --- .../testdata/out/xds-ir/accesslog.clusters.yaml | 3 --- .../xds-ir/authorization-client-cidr.clusters.yaml | 3 --- .../xds-ir/authorization-jwt-claim.clusters.yaml | 4 ---- .../xds-ir/authorization-jwt-scope.clusters.yaml | 4 ---- .../authorization-multiple-principals.clusters.yaml | 1 - .../out/xds-ir/backend-buffer-limit.clusters.yaml | 3 --- .../out/xds-ir/backend-priority.clusters.yaml | 3 --- .../testdata/out/xds-ir/basic-auth.clusters.yaml | 3 --- .../out/xds-ir/circuit-breaker.clusters.yaml | 1 - .../out/xds-ir/client-buffer-limit.clusters.yaml | 2 -- .../out/xds-ir/client-ip-detection.clusters.yaml | 3 --- .../out/xds-ir/client-timeout.clusters.yaml | 2 -- .../testdata/out/xds-ir/cors.clusters.yaml | 1 - .../out/xds-ir/custom-filter-order.clusters.yaml | 2 -- .../out/xds-ir/custom-response.clusters.yaml | 1 - 
.../out/xds-ir/ext-auth-backend.clusters.yaml | 5 ----- .../out/xds-ir/ext-auth-recomputation.clusters.yaml | 5 ----- .../testdata/out/xds-ir/ext-auth.clusters.yaml | 5 ----- .../ext-proc-with-traffic-settings.clusters.yaml | 3 --- .../testdata/out/xds-ir/ext-proc.clusters.yaml | 6 ------ .../out/xds-ir/fault-injection.clusters.yaml | 5 ----- ...headers-with-preserve-x-request-id.clusters.yaml | 2 -- .../headers-with-underscores-action.clusters.yaml | 4 ---- .../testdata/out/xds-ir/health-check.clusters.yaml | 5 ----- .../xds-ir/http-early-header-mutation.clusters.yaml | 2 -- .../out/xds-ir/http-endpoint-stats.clusters.yaml | 1 - .../out/xds-ir/http-health-check.clusters.yaml | 1 - .../http-preserve-client-protocol.clusters.yaml | 1 - .../xds-ir/http-req-resp-sizes-stats.clusters.yaml | 1 - .../xds-ir/http-route-direct-response.clusters.yaml | 1 - .../out/xds-ir/http-route-dns-cluster.clusters.yaml | 1 - .../out/xds-ir/http-route-mirror.clusters.yaml | 1 - .../http-route-multiple-matches.clusters.yaml | 7 ------- .../http-route-multiple-mirrors.clusters.yaml | 3 --- .../xds-ir/http-route-partial-invalid.clusters.yaml | 1 - .../out/xds-ir/http-route-redirect.clusters.yaml | 1 - .../out/xds-ir/http-route-regex.clusters.yaml | 1 - .../xds-ir/http-route-request-headers.clusters.yaml | 1 - .../http-route-response-add-headers.clusters.yaml | 1 - ...-route-response-add-remove-headers.clusters.yaml | 1 - ...http-route-response-remove-headers.clusters.yaml | 1 - ...route-rewrite-root-path-url-prefix.clusters.yaml | 1 - ...write-sufixx-with-slash-url-prefix.clusters.yaml | 1 - .../http-route-rewrite-url-fullpath.clusters.yaml | 1 - .../http-route-rewrite-url-host.clusters.yaml | 1 - .../http-route-rewrite-url-prefix.clusters.yaml | 1 - .../http-route-rewrite-url-regex.clusters.yaml | 1 - .../http-route-session-persistence.clusters.yaml | 1 - .../out/xds-ir/http-route-timeout.clusters.yaml | 3 --- ...http-route-weighted-backend-uds-ip.clusters.yaml | 1 - 
...oute-weighted-backend-with-filters.clusters.yaml | 2 -- .../http-route-weighted-backend.clusters.yaml | 1 - ...ttp-route-weighted-invalid-backend.clusters.yaml | 1 - .../xds-ir/http-route-with-clientcert.clusters.yaml | 1 - .../xds-ir/http-route-with-metadata.clusters.yaml | 2 -- ...p-route-with-tls-system-truststore.clusters.yaml | 1 - ...oute-with-tlsbundle-multiple-certs.clusters.yaml | 2 -- .../xds-ir/http-route-with-tlsbundle.clusters.yaml | 1 - .../testdata/out/xds-ir/http-route.clusters.yaml | 1 - .../out/xds-ir/http1-preserve-case.clusters.yaml | 2 -- .../out/xds-ir/http1-trailers.clusters.yaml | 1 - .../testdata/out/xds-ir/http10.clusters.yaml | 1 - .../testdata/out/xds-ir/http2-route.clusters.yaml | 4 ---- .../testdata/out/xds-ir/http2.clusters.yaml | 1 - .../testdata/out/xds-ir/http3.clusters.yaml | 1 - .../xds-ir/jsonpatch-missing-resource.clusters.yaml | 1 - .../xds-ir/jsonpatch-with-jsonpath.clusters.yaml | 2 -- .../testdata/out/xds-ir/jsonpatch.clusters.yaml | 1 - .../out/xds-ir/jwt-custom-extractor.clusters.yaml | 2 -- .../jwt-multi-route-multi-provider.clusters.yaml | 4 ---- .../jwt-multi-route-single-provider.clusters.yaml | 3 --- .../testdata/out/xds-ir/jwt-optional.clusters.yaml | 2 -- .../testdata/out/xds-ir/jwt-ratelimit.clusters.yaml | 5 ----- .../jwt-single-route-single-match.clusters.yaml | 2 -- .../xds-ir/listener-connection-limit.clusters.yaml | 4 ---- .../xds-ir/listener-proxy-protocol.clusters.yaml | 2 -- .../out/xds-ir/listener-tcp-keepalive.clusters.yaml | 4 ---- .../testdata/out/xds-ir/load-balancer.clusters.yaml | 10 ---------- .../out/xds-ir/local-ratelimit.clusters.yaml | 3 --- .../out/xds-ir/metrics-virtual-host.clusters.yaml | 1 - .../out/xds-ir/mixed-tls-jwt-authn.clusters.yaml | 1 - ...s-same-port-with-different-filters.clusters.yaml | 5 ----- .../multiple-listeners-same-port.clusters.yaml | 6 ------ ...ultiple-simple-tcp-route-same-port.clusters.yaml | 5 ----- ...lient-certificate-with-custom-data.clusters.yaml | 5 ----- 
...ual-tls-forward-client-certificate.clusters.yaml | 5 ----- ...quired-client-certificate-disabled.clusters.yaml | 2 -- .../testdata/out/xds-ir/mutual-tls.clusters.yaml | 2 -- .../oidc-backend-cluster-provider.clusters.yaml | 2 -- .../testdata/out/xds-ir/oidc.clusters.yaml | 4 ---- .../testdata/out/xds-ir/path-settings.clusters.yaml | 1 - .../xds-ir/proxy-protocol-upstream.clusters.yaml | 1 - .../xds-ir/ratelimit-custom-domain.clusters.yaml | 4 ---- .../xds-ir/ratelimit-disable-headers.clusters.yaml | 4 ---- .../xds-ir/ratelimit-endpoint-stats.clusters.yaml | 4 ---- .../xds-ir/ratelimit-headers-and-cidr.clusters.yaml | 4 ---- .../out/xds-ir/ratelimit-sourceip.clusters.yaml | 5 ----- .../testdata/out/xds-ir/ratelimit.clusters.yaml | 5 ----- .../out/xds-ir/retry-partial-invalid.clusters.yaml | 1 - ...securitypolicy-with-oidc-jwt-authz.clusters.yaml | 2 -- .../testdata/out/xds-ir/simple-tls.clusters.yaml | 1 - .../out/xds-ir/suppress-envoy-headers.clusters.yaml | 1 - .../out/xds-ir/tcp-endpoint-stats.clusters.yaml | 1 - .../out/xds-ir/tcp-listener-ipfamily.clusters.yaml | 1 - .../xds-ir/tcp-req-resp-sizes-stats.clusters.yaml | 1 - .../out/xds-ir/tcp-route-complex.clusters.yaml | 1 - .../out/xds-ir/tcp-route-simple.clusters.yaml | 1 - .../xds-ir/tcp-route-tls-terminate.clusters.yaml | 2 -- .../xds-ir/tcp-route-weighted-backend.clusters.yaml | 1 - .../testdata/out/xds-ir/timeout.clusters.yaml | 1 - .../out/xds-ir/tls-route-passthrough.clusters.yaml | 2 -- .../tls-with-ciphers-versions-alpn.clusters.yaml | 2 -- .../out/xds-ir/tracing-datadog.clusters.yaml | 2 -- .../out/xds-ir/tracing-endpoint-stats.clusters.yaml | 2 -- .../out/xds-ir/tracing-zipkin.clusters.yaml | 2 -- .../testdata/out/xds-ir/tracing.clusters.yaml | 2 -- .../out/xds-ir/udp-endpoint-stats.clusters.yaml | 1 - .../xds-ir/udp-req-resp-sizes-stats.clusters.yaml | 1 - .../testdata/out/xds-ir/udp-route.clusters.yaml | 1 - .../out/xds-ir/upstream-tcpkeepalive.clusters.yaml | 1 - 
.../testdata/out/xds-ir/wasm.clusters.yaml | 2 -- 141 files changed, 10 insertions(+), 336 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 26e42496459..63d685e9cd1 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -772,7 +772,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -792,7 +791,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -819,7 +817,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -839,7 +836,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -859,7 +855,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index cc99b73a833..9bb0bc2ac1c 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -100,7 +100,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index a89e4bcdae3..b0524fac2b6 100644 
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -458,7 +458,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -488,7 +487,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -529,7 +527,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -559,7 +556,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -589,7 +585,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index fbb1df4f5b0..e4895ddc9df 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -251,7 +251,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -271,7 +270,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -298,7 +296,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -318,7 +315,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -338,7 +334,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index 7545c4660d0..aa348c640c9 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -10,7 +10,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -30,7 +29,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -57,7 +55,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -77,7 +74,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -97,7 +93,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 6ce6ee01347..900c70f82ff 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -350,7 +350,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "edsClusterConfig": { "edsConfig": { "ads": {}, 
@@ -380,7 +379,6 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", - "dnsLookupFamily": "V4_ONLY", "dnsRefreshRate": "30s", "lbPolicy": "LEAST_REQUEST", "loadAssignment": { diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 237f0f3a4ac..a91da546cbb 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -195,7 +195,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -215,7 +214,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index 9d93c93a8a4..ee8af9b7c15 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml @@ -10,7 +10,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -30,7 +29,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 517f3482f9f..3013f6d0a4e 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml 
+++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -195,7 +195,6 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 5a13076e456..495640ff90a 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -84,9 +84,16 @@ func buildEndpointType(settings []*ir.DestinationSetting) EndpointType { } func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { - dnsLookupFamily := clusterv3.Cluster_V4_ONLY - if args.ipFamily != nil && *args.ipFamily == egv1a1.DualStack { - dnsLookupFamily = clusterv3.Cluster_ALL + dnsLookupFamily := clusterv3.Cluster_AUTO + if args.ipFamily != nil { + switch *args.ipFamily { + case egv1a1.IPv4: + dnsLookupFamily = clusterv3.Cluster_V4_ONLY + case egv1a1.IPv6: + dnsLookupFamily = clusterv3.Cluster_V6_ONLY + case egv1a1.DualStack: + dnsLookupFamily = clusterv3.Cluster_ALL + } } cluster := &clusterv3.Cluster{ Name: args.name, diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index a6d3c9e969b..ed3cb77ab01 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
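Review bot: The new nil-`ipFamily` default `clusterv3.Cluster_AUTO` in buildXdsCluster has no comment, although it changes address-family selection for every cluster that sets no family. Envoy's AUTO looks up IPv6 first and falls back to IPv4, so upstreams resolved by hostname (presumably the fixtures that carry `dnsRefreshRate: 30s`) may start connecting over IPv6 where they were pinned to IPv4 before. Egress policies or allowlists written only for IPv4 would not cover that path, so the default deserves a comment such as `// AUTO (proto zero value): Envoy prefers IPv6, falls back to IPv4 when ipFamily is unset`, plus an upgrade note. The `switch` also has no `default:` arm, so an unrecognised family value silently keeps AUTO; an explicit `default:` with a comment saying this is intended would make the fallback visible. buildXdsCluster's body continues outside the hunk.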
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index f986750be1b..dbfd7c8e2b2 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index f986750be1b..dbfd7c8e2b2 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index 9696a28a86c..85a1bf46bac 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -5,7 +5,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 15s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 22d5e08aca3..7faf19f8bb4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index 7709f2c4e9c..dae7cbc0d4a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -24,7 +23,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 22d5e08aca3..7faf19f8bb4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 22d5e08aca3..7faf19f8bb4 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index 5e41cf09397..98d56781cb2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -47,7 +45,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -72,7 +69,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -97,7 +93,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -122,7 +117,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -147,7 +141,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -172,7 +165,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -206,7 +198,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -240,7 +231,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index dbf145e7d6d..967893fbd41 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -47,7 +45,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index dbf145e7d6d..967893fbd41 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -47,7 +45,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index 0002897cb8d..815e3e469ea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index f5211bc9922..3e81abb2f4e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -76,7 +73,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index f5211bc9922..3e81abb2f4e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -76,7 +73,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index 1c72d4f070f..a5da3995b99 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index e36a7f976be..ae291870e19 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index 4088295c2de..64ef05a8795 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index 1c7cbaf45e0..e170f954954 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index 93e5ebb91b6..a39d931e4d8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -7,7 +7,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index 045afb39e71..53d0ae1b88c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index b7a2badfead..f36c0f1c777 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index 820f85f625b..b3601621bf2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml index 0e10ab58f0c..7b61aaf5f37 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -40,7 +39,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index 1c72d4f070f..a5da3995b99 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 18846488a59..db4efa180a8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -92,7 +88,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index 18846488a59..db4efa180a8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -92,7 +88,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index ba70eb86e94..4b9e2de2200 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -83,7 +79,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index 3bac84394be..d885aaddd66 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -41,7 +39,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 15s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index ede262a5694..6fcc3830e4f 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -65,7 +62,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -90,7 +86,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -115,7 +110,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index ff3aedce52a..77dc55a8476 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index 820f85f625b..b3601621bf2 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 0a3d6ba340e..754b5ae5d02 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 09b9396270a..1d42d3495d8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -43,7 +42,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -80,7 +78,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -114,7 +111,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -149,7 +145,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 35b68d18b32..1774ac35006 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -32,7 +31,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index f1b16b07b54..8256f58d447 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index 4f007ff7c47..73c0f3ee8b8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index 9b420408aaa..d552d11a437 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index 3e4300de532..90ea1e3123d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml index 876e1084c87..d6f92da0027 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 0bd72d2b460..7b147f2cc9e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index d76408ee96f..7dee2fae954 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -94,7 +89,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -112,7 +106,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index 7be6b0f7ade..af01a8494ca 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 565c93fd5ff..3847b55b7e3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index c8dc8147580..2e8d489ec0a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index de1e5ced9a4..c3beb47b89f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index 1e0be1f0405..db56b6185c5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index f3b7838ceee..7b45637ccff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index f3b7838ceee..7b45637ccff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index f3b7838ceee..7b45637ccff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 3041d18c4eb..48272f1f225 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 3041d18c4eb..48272f1f225 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 8290c2d1837..03f27845ffe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 3041d18c4eb..48272f1f225 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 3041d18c4eb..48272f1f225 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 8290c2d1837..03f27845ffe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index de1e5ced9a4..c3beb47b89f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index b7a2badfead..f36c0f1c777 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index 820f85f625b..b3601621bf2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index a9be418a101..390c26b1ab8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index 820f85f625b..b3601621bf2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index fccf18807c5..49c8eebc00e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index 51702c7c79b..df5e85c34f2 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -63,7 +62,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index 73cb7f276b2..2744cfc19d8 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index ee7ebf5a19f..4cfa7db1e7e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -32,7 +31,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 7fb571dc42f..1b3c2957d3f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index de12099b7de..62a8d033f04 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 0a2796cd6ac..2c58afdaac7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -31,7 +30,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -56,7 +54,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -84,7 +81,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index 9ada55d6523..ff1dac67640 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index 1c72d4f070f..a5da3995b99 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index f9a046becf5..f1725d0f618 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index 745719faa2b..009411dcdf4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index 8f5d81ea045..95dbaeaeb9d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 308f92773e8..4af517cab1d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -67,7 +64,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 8555780dab4..081ef33d842 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index 8f5d81ea045..95dbaeaeb9d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index a5f1527ade9..6701b170b27 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -85,7 +81,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index 8f5d81ea045..95dbaeaeb9d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index ddded90e04f..2f38dd9d3aa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index c21b71ce6c5..6cae3947b35 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index ddded90e04f..2f38dd9d3aa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 0c2202ce28f..5067244aeba 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -21,7 +20,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -39,7 +37,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -57,7 +54,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -75,7 +71,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -96,7 +91,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -116,7 +110,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -134,7 +127,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -154,7 +146,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -172,7 +163,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index b7a2badfead..f36c0f1c777 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index c3b0666ab24..21ebdea126b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index bd6b6e1ae2e..8d9e43d36cf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -94,7 +89,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index 19e6869eb5e..b98d486efea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index ff3aedce52a..77dc55a8476 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index ff3aedce52a..77dc55a8476 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 16f6727a1a1..8d317defa13 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 16f6727a1a1..8d317defa13 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index e467e24db53..ca2d3f5e3fb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index f196a3fdd9a..52523fffbb8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -76,7 +73,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index 47b4007397e..c5555faa87a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index 182245f1986..dc5c30ab312 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index d2577b68f8b..b74141720fa 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index 4e607e59dbb..4eab9980691 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -24,7 +23,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -44,7 +42,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -64,7 +61,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index d2577b68f8b..b74141720fa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 8aff78e3195..a2926d67edd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
@@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 8aff78e3195..a2926d67edd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -40,7 +38,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -58,7 +55,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -76,7 +72,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml index 1535201f87b..f4f58fe1cc9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index 9ada55d6523..ff1dac67640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml index c341dab16a6..d5e5aeaf991 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index 1daefb357c5..394a72179b0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml index 5e82e21cc85..8fd985878cc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index c6291c77dd5..7c294e2efa3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index aa8f0b0902b..2653bb96c8d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index dbd196ef664..122e0dad7dc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index 2219185b250..da821625c09 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index 4c2749a767a..109e9d1392c 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 31s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index c2659deb6c9..4cfa1289322 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 16f6727a1a1..8d317defa13 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 7597e1328d9..12088c45682 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 7ea8aa936c4..304574452d2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -24,7 +23,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index f1a975a6e6a..d1459afe991 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index 975086f5fff..f211422edc5 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -23,7 +22,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 15s - dnsLookupFamily: V4_ONLY dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml index dd47af97cdd..6090f4f8ec2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml index 7ce45648946..2f1ed3604e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml index e153c882fd6..14df838b6e6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml 
@@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml index eca236db657..5d663e5665e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index 408fc9c218e..8e3ac051015 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml @@ -4,7 +4,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} @@ -22,7 +21,6 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s - dnsLookupFamily: V4_ONLY edsClusterConfig: edsConfig: ads: {} From 950dde6adea9802e54b0dbf8cc8d5088a46783b5 Mon Sep 17 00:00:00 2001 From: Kebe Date: Wed, 20 Nov 2024 16:32:22 +0800 Subject: [PATCH 417/523] fix: remove container's ports field (#4714) 
Signed-off-by: Kebe --- .../kubernetes/proxy/resource.go | 21 ------------------- .../testdata/daemonsets/component-level.yaml | 6 ------ .../proxy/testdata/daemonsets/custom.yaml | 6 ------ .../testdata/daemonsets/default-env.yaml | 6 ------ .../proxy/testdata/daemonsets/default.yaml | 6 ------ .../daemonsets/disable-prometheus.yaml | 7 ------- .../testdata/daemonsets/extension-env.yaml | 6 ------ .../override-labels-and-annotations.yaml | 6 ------ .../testdata/daemonsets/patch-daemonset.yaml | 6 ------ .../testdata/daemonsets/shutdown-manager.yaml | 6 ------ .../proxy/testdata/daemonsets/volumes.yaml | 6 ------ .../testdata/daemonsets/with-annotations.yaml | 6 ------ .../testdata/daemonsets/with-concurrency.yaml | 6 ------ .../testdata/daemonsets/with-extra-args.yaml | 6 ------ .../daemonsets/with-image-pull-secrets.yaml | 6 ------ .../proxy/testdata/daemonsets/with-name.yaml | 6 ------ .../daemonsets/with-node-selector.yaml | 6 ------ .../with-topology-spread-constraints.yaml | 6 ------ .../proxy/testdata/deployments/bootstrap.yaml | 6 ------ .../testdata/deployments/component-level.yaml | 6 ------ .../proxy/testdata/deployments/custom.yaml | 6 ------ .../custom_with_initcontainers.yaml | 6 ------ .../testdata/deployments/default-env.yaml | 6 ------ .../proxy/testdata/deployments/default.yaml | 6 ------ .../deployments/disable-prometheus.yaml | 7 ------- .../testdata/deployments/extension-env.yaml | 6 ------ .../override-labels-and-annotations.yaml | 6 ------ .../deployments/patch-deployment.yaml | 6 ------ .../deployments/shutdown-manager.yaml | 6 ------ .../proxy/testdata/deployments/volumes.yaml | 6 ------ .../deployments/with-annotations.yaml | 6 ------ .../deployments/with-concurrency.yaml | 6 ------ .../deployments/with-empty-memory-limits.yaml | 6 ------ .../testdata/deployments/with-extra-args.yaml | 6 ------ .../deployments/with-image-pull-secrets.yaml | 6 ------ .../proxy/testdata/deployments/with-name.yaml | 6 ------ 
.../deployments/with-node-selector.yaml | 6 ------ .../with-topology-spread-constraints.yaml | 6 ------ release-notes/current.yaml | 2 +- 39 files changed, 1 insertion(+), 246 deletions(-) diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index aa5a4d64e70..55b3cb10623 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -89,27 +89,6 @@ func expectedProxyContainers(infra *ir.ProxyInfra, // Define slice to hold container ports var ports []corev1.ContainerPort - // Iterate over listeners and ports to get container ports - for _, listener := range infra.Listeners { - for _, p := range listener.Ports { - var protocol corev1.Protocol - switch p.Protocol { - case ir.HTTPProtocolType, ir.HTTPSProtocolType, ir.TLSProtocolType, ir.TCPProtocolType: - protocol = corev1.ProtocolTCP - case ir.UDPProtocolType: - protocol = corev1.ProtocolUDP - default: - return nil, fmt.Errorf("invalid protocol %q", p.Protocol) - } - port := corev1.ContainerPort{ - Name: p.Name, - ContainerPort: p.ContainerPort, - Protocol: protocol, - } - ports = append(ports, port) - } - } - if enablePrometheus(infra) { ports = append(ports, corev1.ContainerPort{ Name: "metrics", diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index d68b1e56076..5b0f132f0b9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -66,12 +66,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
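Review bot: In `expectedProxyContainers` (internal/infrastructure/kubernetes/proxy/resource.go), deleting the listener loop also deletes the only check in this hunk that rejected an unknown `p.Protocol` (`invalid protocol %q`), so a listener with an unexpected protocol no longer fails here; it is worth confirming that an earlier stage still validates it. The surviving comment `// Define slice to hold container ports` is now misleading, because the slice can only ever receive the metrics port; I would reword it to `// Only the metrics port is declared; listener ports are intentionally left off the container spec.`. Since `containerPort` entries are declarative and do not open or close anything, the removal does not reduce what the proxy listens on, but any Service `targetPort` or NetworkPolicy rule that refers to the old port names (`EnvoyHTTPPort`, `EnvoyHTTPSPort` in the test data) would stop resolving; presumably the project targets numeric ports, which this hunk does not show. The function body starts before and continues after the hunk.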
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index b3472d7ce4a..c776209328c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -249,12 +249,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 329cb6fcfdb..0b19c488769 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -248,12 +248,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 7fd747bfc54..56a589683bd 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 8de53f5399b..2e0d28b8ae0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -206,13 +206,6 @@ spec: port: 19002 scheme: HTTP name: envoy - ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP readinessProbe: failureThreshold: 1 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index ae4f11bf6a4..300ad8663de 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -252,12 +252,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index fd9dad594d2..9bd9262b00f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -242,12 +242,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 44303a333ff..9e2901ea793 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index f656e51276b..ee53271eedb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 268a27505a6..31900415e4e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -252,12 +252,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index de2cfc52cb5..478248125c1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -238,12 +238,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 35135058572..409d1ee542d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -66,12 +66,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index bd684b6f4d5..abcf5df5843 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -235,12 +235,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 924d99cee9f..63f4b88837b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 0f6bb5dcb83..00f4cde053f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 69797a95a41..338aee23c5d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index b8cf4d12a6c..65d61d1f79d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -233,12 +233,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 9cb872f552a..b9d6973e3e5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -69,12 +69,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index 80fa00394ae..30172b63ce8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -70,12 +70,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index dff786a3515..a319317f707 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -254,12 +254,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 65079b2316e..8d2203c31bb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -254,12 +254,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 88371d81d1f..b028a291e74 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -253,12 +253,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 57a62e569b5..2dd512c5fcb 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index e575a3f3111..e2afb845d04 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -210,13 +210,6 @@ spec: port: 19002 scheme: HTTP name: envoy - ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP readinessProbe: failureThreshold: 1 httpGet: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 9b84c2b4177..2c6bb786992 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -257,12 +257,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 6300b906552..cda0dd531da 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -246,12 +246,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 269909aec48..97c5760f631 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 5774c9dc1d2..81c7fad6ea3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 9f6f50940c8..a1df598b9fe 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -257,12 +257,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 3924adc4869..e21f0f78ffa 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -242,12 +242,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 2086f2297a9..16df5efe6a3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -70,12 +70,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index ce6f8b7b5de..c2db49a1246 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index bc0a7e23a5a..402614eb808 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -239,12 +239,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 360253c560e..5eb37e92d77 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 52ea316c857..5e6bbd62cb7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 6a8cfb126be..55137dfe205 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 3bdf275ce09..adc7784549e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -237,12 +237,6 @@ spec: scheme: HTTP name: envoy ports: - - containerPort: 8080 - name: EnvoyHTTPPort - protocol: TCP - - containerPort: 8443 - name: EnvoyHTTPSPort - protocol: TCP - containerPort: 19001 name: metrics protocol: TCP 
diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 7ede985b9d7..dc452458a21 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -2,7 +2,7 @@ date: Pending # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. breaking changes: | - Add a breaking change here + The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | From 6c6633c2a8bfc772415ea3bf68e14ef20064cb22 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 20 Nov 2024 08:10:52 -0600 Subject: [PATCH 418/523] api: support disable ALPN in CTP (#4515) * support disable ALPN in CTP Signed-off-by: Guy Daich * fix gen Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- api/v1alpha1/tls_types.go | 7 +- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 7 +- .../gateway.envoyproxy.io_envoyproxies.yaml | 7 +- internal/gatewayapi/clienttrafficpolicy.go | 2 +- .../clienttrafficpolicy-tls-settings.in.yaml | 61 +++++ .../clienttrafficpolicy-tls-settings.out.yaml | 229 ++++++++++++++++++ release-notes/current.yaml | 2 + site/content/en/latest/api/extension_types.md | 6 +- site/content/zh/latest/api/extension_types.md | 6 +- 9 files changed, 317 insertions(+), 10 deletions(-) diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go index b926558c525..bf2a1f50569 100644 --- a/api/v1alpha1/tls_types.go +++ b/api/v1alpha1/tls_types.go 
@@ -69,7 +69,12 @@ type TLSSettings struct { SignatureAlgorithms []string `json:"signatureAlgorithms,omitempty"` // ALPNProtocols supplies the list of ALPN protocols that should be - // exposed by the listener. By default h2 and http/1.1 are enabled. + // exposed by the listener or used by the proxy to connect to the backend. + // Defaults: + // 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context. + // 2. Other Routes: ALPN is disabled. + // 3. Backends: proxy uses the appropriate ALPN options for the backend protocol. + // When an empty list is provided, the ALPN TLS extension is disabled. // Supported values are: // - http/1.0 // - http/1.1 diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index ad17b8101d2..d3afb65b302 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -689,7 +689,12 @@ spec: alpnProtocols: description: |- ALPNProtocols supplies the list of ALPN protocols that should be - exposed by the listener. By default h2 and http/1.1 are enabled. + exposed by the listener or used by the proxy to connect to the backend. + Defaults: + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context. + 2. Other Routes: ALPN is disabled. + 3. Backends: proxy uses the appropriate ALPN options for the backend protocol. + When an empty list is provided, the ALPN TLS extension is disabled. Supported values are: - http/1.0 - http/1.1 diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 4277092874a..84fb126a79b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
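Review bot: The new comment on `ALPNProtocols` says an empty list disables the ALPN extension both for the listener and for proxy-to-backend connections, but the only behavioural change visible in this commit is in `buildListenerTLSParameters`, the ClientTrafficPolicy listener path. If the backend TLS translation still treats an empty list as unset, the doc overstates what is enforced. Either confirm that path also distinguishes nil from empty, or scope the sentence, e.g. `// For listeners, an empty list disables the ALPN TLS extension.`. The same text is copied into the generated CRDs and both `extension_types.md` files, so they would need regenerating. The `TLSSettings` struct starts and ends outside this hunk.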
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml @@ -51,7 +51,12 @@ spec: alpnProtocols: description: |- ALPNProtocols supplies the list of ALPN protocols that should be - exposed by the listener. By default h2 and http/1.1 are enabled. + exposed by the listener or used by the proxy to connect to the backend. + Defaults: + 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context. + 2. Other Routes: ALPN is disabled. + 3. Backends: proxy uses the appropriate ALPN options for the backend protocol. + When an empty list is provided, the ALPN TLS extension is disabled. Supported values are: - http/1.0 - http/1.1 diff --git a/internal/gatewayapi/clienttrafficpolicy.go b/internal/gatewayapi/clienttrafficpolicy.go index bded79d4cf9..1c8d0f8af4a 100644 --- a/internal/gatewayapi/clienttrafficpolicy.go +++ b/internal/gatewayapi/clienttrafficpolicy.go @@ -780,7 +780,7 @@ func (t *Translator) buildListenerTLSParameters(policy *egv1a1.ClientTrafficPoli return irTLSConfig, nil } - if len(tlsParams.ALPNProtocols) > 0 { + if tlsParams.ALPNProtocols != nil { irTLSConfig.ALPNProtocols = make([]string, len(tlsParams.ALPNProtocols)) for i := range tlsParams.ALPNProtocols { irTLSConfig.ALPNProtocols[i] = string(tlsParams.ALPNProtocols[i]) diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml index bc5878a52f0..ffe526627f2 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.in.yaml 
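Review bot: Switching the guard to `tlsParams.ALPNProtocols != nil` makes the nil-versus-empty-slice distinction carry the difference between "apply defaults" and "ALPN disabled", and nothing at the check says so. I would add `// nil means unset (defaults apply); a non-nil empty list explicitly disables ALPN` above the `if`. The distinction is also easy to lose: the expected output in `clienttrafficpolicy-tls-settings.out.yaml` renders the `alpnProtocols: []` policy as `tls: {}`, which suggests the field is dropped on serialization. If so, any code that round-trips the typed policy would silently turn a disablement back into the defaults. The body of `buildListenerTLSParameters` starts and ends outside this hunk.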
@@ -26,6 +26,29 @@ clientTrafficPolicies: resumption: stateless: {} stateful: {} +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-2 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + tls: + alpnProtocols: [] +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + namespace: envoy-gateway + name: target-gateway-3 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-3 + tls: gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -52,6 +75,44 @@ gateways: allowedRoutes: namespaces: from: Same +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-2 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http-1 + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-1 + namespace: envoy-gateway +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: envoy-gateway + name: gateway-3 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http-1 + protocol: HTTPS + port: 443 + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - name: tls-secret-1 + namespace: envoy-gateway secrets: - apiVersion: v1 kind: Secret diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index ad3ed484f56..e673ed66b7a 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml 
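Review bot: The `target-gateway-3` case sets `tls:` with no value, which presumably leaves the policy's TLS block nil and takes the early `return irTLSConfig, nil` visible in the `clienttrafficpolicy.go` hunk, so it may never reach the new `ALPNProtocols != nil` check. A case with a populated TLS block that omits `alpnProtocols` (for example only `minVersion: "1.2"`) would pin the nil branch of that check and show that defaults still apply when other TLS settings are present. Both added gateways are also HTTPS listeners, so the "Other Routes: ALPN is disabled" default from the new doc comment is not exercised here.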
@@ -41,6 +41,57 @@ clientTrafficPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-2 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + tls: {} + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: ClientTrafficPolicy + metadata: + creationTimestamp: null + name: target-gateway-3 + namespace: envoy-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-3 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-3 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway 
@@ -118,6 +169,100 @@ gateways: kind: HTTPRoute - group: gateway.networking.k8s.io kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-2 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http-1 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-1 + namespace: envoy-gateway + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http-1 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-3 + namespace: envoy-gateway + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: Same + name: http-1 + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: null + kind: null + name: tls-secret-1 + namespace: envoy-gateway + mode: Terminate + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + 
reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http-1 + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute infraIR: envoy-gateway/gateway-1: proxy: @@ -141,6 +286,36 @@ infraIR: gateway.envoyproxy.io/owning-gateway-name: gateway-1 gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway name: envoy-gateway/gateway-1 + envoy-gateway/gateway-2: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-2/http-1 + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-2 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-2 + envoy-gateway/gateway-3: + proxy: + listeners: + - address: null + name: envoy-gateway/gateway-3/http-1 + ports: + - containerPort: 10443 + name: https-443 + protocol: HTTPS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-3 + gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway + name: envoy-gateway/gateway-3 xdsIR: envoy-gateway/gateway-1: accessLog: 
@@ -194,3 +369,57 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8080 + envoy-gateway/gateway-2: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-2 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-2/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: [] + certificates: + - name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1
A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= + maxVersion: "1.3" + minVersion: "1.2" + envoy-gateway/gateway-3: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-3 + namespace: envoy-gateway + sectionName: http-1 + name: envoy-gateway/gateway-3/http-1 + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10443 + tls: + alpnProtocols: null + certificates: + - name: envoy-gateway/tls-secret-1 + privateKey: '[redacted]' + serverCertificate: 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 + maxVersion: "1.3" + minVersion: "1.2" diff --git a/release-notes/current.yaml b/release-notes/current.yaml index dc452458a21..9288e5266fc 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -3,6 +3,8 @@ date: Pending # Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. breaking changes: | The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. + ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. + An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 77a28384c06..99986f54b1f 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -407,7 +407,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### BackendTrafficPolicy @@ -601,7 +601,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | | `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | @@ -4047,7 +4047,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### TLSVersion diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 77a28384c06..99986f54b1f 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -407,7 +407,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### BackendTrafficPolicy @@ -601,7 +601,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | | `session` | _[Session](#session)_ | false | Session defines settings related to TLS session management. | @@ -4047,7 +4047,7 @@ _Appears in:_ | `ciphers` | _string array_ | false | Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384 | | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | -| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | +| `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | #### TLSVersion
From 2def6a4d93b18bbfb8b0ed08359897dc14c05df3 Mon Sep 17 00:00:00 2001
From: zirain
Date: Thu, 21 Nov 2024 13:20:30 +0800
Subject: [PATCH 419/523] docs: fix wrong description on ALSEnvoyProxyAccessLog (#4751)
Signed-off-by: zirain
---
 api/v1alpha1/accesslogging_types.go | 5 +----
 site/content/en/latest/api/extension_types.md | 6 +-----
 site/content/zh/latest/api/extension_types.md | 6 +-----
 3 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/api/v1alpha1/accesslogging_types.go b/api/v1alpha1/accesslogging_types.go
index 31eac69f122..de34acdcd7d 100644
--- a/api/v1alpha1/accesslogging_types.go
+++ b/api/v1alpha1/accesslogging_types.go
@@ -138,10 +138,7 @@ const (
 // The service must implement the Envoy gRPC Access Log Service streaming API:
 // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto
 // Access log format information is passed in the form of gRPC metadata when the
-// stream is established. Specifically, the following metadata is passed:
-//
-// - `x-accesslog-text` - The access log format string when a Text format is used.
-// - `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used.
+// stream is established.
 //
 // +kubebuilder:validation:XValidation:rule="self.type == 'HTTP' || !has(self.http)",message="The http field may only be set when type is HTTP."
 // +kubebuilder:validation:XValidation:message="BackendRefs must be used, backendRef is not supported.",rule="!has(self.backendRef)"
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 99986f54b1f..80614c2645e 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
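Review bot: In api/v1alpha1/accesslogging_types.go the trimmed comment still asserts `// Access log format information is passed in the form of gRPC metadata when the` / `// stream is established.` but no longer names a single metadata key, so a reader implementing the ALS receiver cannot tell what to look for. Since the commit title says the old description was wrong, it is worth confirming whether this remaining sentence is accurate; if it is not, remove both lines, and if it is, name the keys that are really sent. The two extension_types.md hunks carry the same sentence and would follow from regenerating the docs. The declaration this comment documents is outside the hunk.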
@@ -52,11 +52,7 @@ ALSEnvoyProxyAccessLog defines the gRPC Access Log Service (ALS) sink. The service must implement the Envoy gRPC Access Log Service streaming API: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto Access log format information is passed in the form of gRPC metadata when the -stream is established. Specifically, the following metadata is passed: - - -- `x-accesslog-text` - The access log format string when a Text format is used. -- `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used. +stream is established. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 99986f54b1f..80614c2645e 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -52,11 +52,7 @@ ALSEnvoyProxyAccessLog defines the gRPC Access Log Service (ALS) sink. The service must implement the Envoy gRPC Access Log Service streaming API: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto Access log format information is passed in the form of gRPC metadata when the -stream is established. Specifically, the following metadata is passed: - - -- `x-accesslog-text` - The access log format string when a Text format is used. -- `x-accesslog-attr` - JSON encoded key/value pairs when a JSON format is used. +stream is established. _Appears in:_ - [ProxyAccessLogSink](#proxyaccesslogsink) From 78da42c495494c43317dfcceb33bca724c34e743 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 21 Nov 2024 17:08:14 +0800 Subject: [PATCH 420/523] xds: always use `::` and `IPv4Compact` for dynamic listener (#4743) * enable IPv4Compact Signed-off-by: zirain * fix xds test Signed-off-by: zirain * release-notes Signed-off-by: zirain * nit Signed-off-by: zirain * gen Signed-off-by: zirain --------- 
Signed-off-by: zirain --- .../translate/out/default-resources.all.yaml | 15 +++++--- .../out/from-gateway-api-to-xds.all.json | 15 +++++--- .../out/from-gateway-api-to-xds.all.yaml | 15 +++++--- .../out/from-gateway-api-to-xds.listener.yaml | 15 +++++--- ...-single-route-single-match-to-xds.all.json | 3 +- ...-single-route-single-match-to-xds.all.yaml | 3 +- ...le-route-single-match-to-xds.listener.yaml | 3 +- .../out/no-service-cluster-ip.all.yaml | 3 +- .../translate/out/quickstart.all.yaml | 2 +- internal/cmd/envoy/shutdown_manager.go | 4 +-- internal/gatewayapi/listener.go | 11 ++++-- .../backend-invalid-feature-disabled.out.yaml | 2 +- .../testdata/backend-with-fallback.out.yaml | 2 +- .../backendtlspolicy-across-ns.out.yaml | 2 +- .../backendtlspolicy-ca-only-secret.out.yaml | 2 +- .../backendtlspolicy-ca-only.out.yaml | 2 +- ...ndtlspolicy-default-ns-targetrefs.out.yaml | 4 +-- .../backendtlspolicy-default-ns.out.yaml | 2 +- .../backendtlspolicy-invalid-ca.out.yaml | 2 +- ...backendtlspolicy-multiple-targets.out.yaml | 2 +- ...ackendtlspolicy-system-truststore.out.yaml | 2 +- ...y-buffer-limit-out-of-range-error.out.yaml | 4 +-- ...y-buffer-limit-with-invalid-value.out.yaml | 4 +-- ...backendtrafficpolicy-buffer-limit.out.yaml | 4 +-- ...endtrafficpolicy-override-replace.out.yaml | 2 +- ...ndtrafficpolicy-status-conditions.out.yaml | 8 ++--- ...fficpolicy-status-fault-injection.out.yaml | 4 +-- ...trafficpolicy-use-client-protocol.out.yaml | 2 +- ...policy-with-circuitbreakers-error.out.yaml | 4 +-- ...rafficpolicy-with-circuitbreakers.out.yaml | 4 +-- ...ndtrafficpolicy-with-dns-settings.out.yaml | 4 +-- ...endtrafficpolicy-with-healthcheck.out.yaml | 4 +-- .../backendtrafficpolicy-with-http2.out.yaml | 4 +-- ...fficpolicy-with-httproute-timeout.out.yaml | 2 +- ...nvalid-consistent-hash-table-size.out.yaml | 2 +- ...ndtrafficpolicy-with-loadbalancer.out.yaml | 4 +-- ...telimit-default-route-level-limit.out.yaml | 2 +- 
...ocal-ratelimit-invalid-limit-unit.out.yaml | 2 +- ...ocal-ratelimit-invalid-match-type.out.yaml | 2 +- ...valid-multiple-route-level-limits.out.yaml | 2 +- ...rafficpolicy-with-local-ratelimit.out.yaml | 2 +- ...dtrafficpolicy-with-proxyprotocol.out.yaml | 4 +-- ...ratelimit-invalid-distinct-invert.out.yaml | 2 +- ...licy-with-ratelimit-invalid-regex.out.yaml | 2 +- ...ckendtrafficpolicy-with-ratelimit.out.yaml | 4 +-- ...esponse-override-invalid-valueref.out.yaml | 4 +-- ...fficpolicy-with-response-override.out.yaml | 4 +-- ...backendtrafficpolicy-with-retries.out.yaml | 4 +-- ...olicy-with-same-prefix-httproutes.out.yaml | 2 +- ...cp-udp-listeners-apply-on-gateway.out.yaml | 4 +-- ...-tcp-udp-listeners-apply-on-route.out.yaml | 4 +-- ...ndtrafficpolicy-with-tcpkeepalive.out.yaml | 4 +-- ...dtrafficpolicy-with-timeout-error.out.yaml | 2 +- ...ficpolicy-with-timeout-targetrefs.out.yaml | 4 +-- ...backendtrafficpolicy-with-timeout.out.yaml | 4 +-- ...cy-buffer-limit-with-format-error.out.yaml | 4 +-- ...fer-limit-with-out-of-range-error.out.yaml | 4 +-- .../clienttrafficpolicy-buffer-limit.out.yaml | 4 +-- ...trafficpolicy-client-ip-detection.out.yaml | 8 ++--- ...fficpolicy-connection-limit-error.out.yaml | 4 +-- ...enttrafficpolicy-connection-limit.out.yaml | 4 +-- ...nttrafficpolicy-for-tcp-listeners.out.yaml | 4 +-- ...clienttrafficpolicy-headers-error.out.yaml | 2 +- .../clienttrafficpolicy-headers.out.yaml | 4 +-- ...nttrafficpolicy-http-health-check.out.yaml | 2 +- .../clienttrafficpolicy-http10.out.yaml | 10 +++--- .../clienttrafficpolicy-http2.out.yaml | 4 +-- .../clienttrafficpolicy-http3.out.yaml | 2 +- ...ficpolicy-idle-timeout-with-error.out.yaml | 2 +- .../clienttrafficpolicy-idle-timeout.out.yaml | 4 +-- ...icpolicy-mtls-client-verification.out.yaml | 6 ++-- ...s-forward-client-cert-custom-data.out.yaml | 12 +++---- ...icpolicy-mtls-forward-client-cert.out.yaml | 12 +++---- .../clienttrafficpolicy-mtls.out.yaml | 6 ++-- 
...clienttrafficpolicy-path-settings.out.yaml | 4 +-- ...cy-preserve-case-multiple-targets.out.yaml | 6 ++-- ...clienttrafficpolicy-preserve-case.out.yaml | 4 +-- ...clienttrafficpolicy-proxyprotocol.out.yaml | 4 +-- ...enttrafficpolicy-ratelimitheaders.out.yaml | 4 +-- ...nttrafficpolicy-status-conditions.out.yaml | 10 +++--- ...clienttrafficpolicy-tcp-keepalive.out.yaml | 4 +-- ...ttrafficpolicy-timeout-with-error.out.yaml | 2 +- .../clienttrafficpolicy-timeout.out.yaml | 4 +-- .../clienttrafficpolicy-tls-settings.out.yaml | 8 ++--- .../clienttrafficpolicy-trailers.out.yaml | 4 +-- .../testdata/conflicting-policies.out.yaml | 4 +-- .../testdata/custom-filter-order.out.yaml | 2 +- .../testdata/disable-accesslog.out.yaml | 2 +- ...ensionpolicy-invalid-cross-ns-ref.out.yaml | 2 +- ...yextensionpolicy-override-replace.out.yaml | 2 +- ...extensionpolicy-status-conditions.out.yaml | 8 ++--- ...-extproc-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extproc-invalid-no-port.out.yaml | 2 +- ...xtproc-invalid-no-reference-grant.out.yaml | 2 +- ...y-with-extproc-invalid-no-service.out.yaml | 2 +- ...ith-extproc-with-backendtlspolicy.out.yaml | 2 +- ...extproc-with-multiple-backendrefs.out.yaml | 2 +- ...ith-extproc-with-traffic-features.out.yaml | 2 +- ...xtensionpolicy-with-wasm-env-vars.out.yaml | 2 +- ...ensionpolicy-with-wasm-targetrefs.out.yaml | 2 +- .../envoyextensionpolicy-with-wasm.out.yaml | 2 +- .../envoypatchpolicy-cross-ns-target.out.yaml | 2 +- ...chpolicy-invalid-feature-disabled.out.yaml | 2 +- ...nvalid-target-kind-merge-gateways.out.yaml | 2 +- ...oypatchpolicy-invalid-target-kind.out.yaml | 2 +- ...ypatchpolicy-valid-merge-gateways.out.yaml | 2 +- .../testdata/envoypatchpolicy-valid.out.yaml | 2 +- .../envoyproxy-accesslog-als-json.out.yaml | 2 +- ...oyproxy-accesslog-backend-invalid.out.yaml | 2 +- .../envoyproxy-accesslog-backend.out.yaml | 2 +- ...yproxy-accesslog-cel-with-invalid.out.yaml | 2 +- .../envoyproxy-accesslog-cel.out.yaml | 2 +- 
...oxy-accesslog-file-json-no-format.out.yaml | 2 +- .../envoyproxy-accesslog-file-json.out.yaml | 2 +- .../envoyproxy-accesslog-types.out.yaml | 2 +- ...voyproxy-accesslog-with-bad-sinks.out.yaml | 2 +- ...envoyproxy-accesslog-with-traffic.out.yaml | 2 +- ...voyproxy-accesslog-without-format.out.yaml | 2 +- .../testdata/envoyproxy-accesslog.out.yaml | 2 +- ...roxy-endpoint-routing-for-gateway.out.yaml | 2 +- .../envoyproxy-endpoint-routing.out.yaml | 2 +- ...envoyproxy-metric-backend-invalid.out.yaml | 2 +- .../envoyproxy-metric-backend.out.yaml | 2 +- ...envoyproxy-metric-enabled-backend.out.yaml | 2 +- .../envoyproxy-priority-backend.out.yaml | 2 +- ...proxy-service-routing-for-gateway.out.yaml | 2 +- .../envoyproxy-service-routing.out.yaml | 2 +- ...nvoyproxy-tls-settings-invalid-ns.out.yaml | 4 +-- .../envoyproxy-tls-settings-invalid.out.yaml | 4 +-- .../testdata/envoyproxy-tls-settings.out.yaml | 4 +-- ...nvoyproxy-tracing-backend-invalid.out.yaml | 2 +- .../envoyproxy-tracing-backend.out.yaml | 2 +- .../testdata/envoyproxy-valid.out.yaml | 2 +- .../extensionpolicy-tcp-listener.out.yaml | 4 +-- .../extensionpolicy-udp-listener.out.yaml | 4 +-- ...tensionpolicy-with-invalid-target.out.yaml | 4 +-- ...ionpolicy-with-valid-target-array.out.yaml | 4 +-- ...extensionpolicy-with-valid-target.out.yaml | 4 +-- ...th-extension-filter-invalid-group.out.yaml | 2 +- ...ith-non-matching-extension-filter.out.yaml | 2 +- ...with-unsupported-extension-filter.out.yaml | 2 +- ...route-with-valid-extension-filter.out.yaml | 2 +- ...-namespace-with-allowed-httproute.out.yaml | 2 +- ...mespace-with-disallowed-httproute.out.yaml | 2 +- ...stener-with-hostname-intersection.out.yaml | 4 +-- .../testdata/gateway-infrastructure.out.yaml | 2 +- ...way-with-addresses-with-ipaddress.out.yaml | 2 +- ...with-infrastructure-parametersref.out.yaml | 2 +- ...ture-parametersref-does-not-exist.out.yaml | 2 +- ...astructure-parametersref-fallback.out.yaml | 2 +- 
...route-with-mismatch-port-protocol.out.yaml | 2 +- ...h-tcproute-with-multiple-backends.out.yaml | 2 +- ...with-tcproute-with-multiple-rules.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- ...ith-tls-terminate-and-passthrough.out.yaml | 4 +-- ...route-with-mismatch-port-protocol.out.yaml | 2 +- ...h-udproute-with-multiple-backends.out.yaml | 2 +- ...with-udproute-with-multiple-rules.out.yaml | 2 +- ...-listener-with-unmatched-tcproute.out.yaml | 2 +- ...-listener-with-unmatched-udproute.out.yaml | 2 +- ...ith-same-algorithm-different-fqdn.out.yaml | 2 +- ...-valid-multiple-tls-configuration.out.yaml | 2 +- ...ener-with-valid-tls-configuration.out.yaml | 2 +- ...with-preexisting-status-condition.out.yaml | 2 +- ...-listener-with-multiple-tcproutes.out.yaml | 2 +- ...-listener-with-multiple-udproutes.out.yaml | 2 +- ...teway-with-stale-status-condition.out.yaml | 2 +- ...listeners-on-same-tcp-or-tls-port.out.yaml | 2 +- ...th-two-listeners-on-same-udp-port.out.yaml | 2 +- ...isteners-with-multiple-httproutes.out.yaml | 4 +-- ...-with-same-port-http-tcp-protocol.out.yaml | 4 +-- ...-with-same-port-http-udp-protocol.out.yaml | 4 +-- ...s-with-tcproutes-with-sectionname.out.yaml | 4 +-- ...ith-tcproutes-without-sectionname.out.yaml | 4 +-- ...s-with-udproutes-with-sectionname.out.yaml | 4 +-- ...ith-udproutes-without-sectionname.out.yaml | 4 +-- .../testdata/grpcroute-with-backend.out.yaml | 2 +- .../grpcroute-with-empty-backends.out.yaml | 2 +- .../grpcroute-with-header-match.out.yaml | 2 +- ...ute-with-method-and-service-match.out.yaml | 2 +- .../grpcroute-with-method-match.out.yaml | 2 +- ...oute-with-request-header-modifier.out.yaml | 2 +- .../grpcroute-with-service-match.out.yaml | 2 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 2 +- ...backendtrafficpolicy-with-timeout.out.yaml | 4 +-- ...way-with-more-different-listeners.out.yaml | 16 ++++----- ...ng-to-gateway-with-more-listeners.out.yaml | 16 ++++----- 
...wo-listeners-with-different-ports.out.yaml | 4 +-- ...ing-to-gateway-with-two-listeners.out.yaml | 4 +-- .../httproute-attaching-to-gateway.out.yaml | 2 +- ...taching-to-listener-matching-port.out.yaml | 2 +- ...ner-on-gateway-with-two-listeners.out.yaml | 4 +-- ...with-backend-and-core-backendrefs.out.yaml | 2 +- ...end-backendref-mixed-address-type.out.yaml | 2 +- ...-listener-with-backend-backendref.out.yaml | 2 +- ...end-backendrefs-diff-address-type.out.yaml | 2 +- ...end-backendrefs-same-address-type.out.yaml | 2 +- ...ort-backendrefs-diff-address-type.out.yaml | 2 +- ...ort-backendrefs-same-address-type.out.yaml | 2 +- ...port-backendref-fqdn-address-type.out.yaml | 2 +- ...ort-backendref-mixed-address-type.out.yaml | 2 +- ...ner-with-serviceimport-backendref.out.yaml | 2 +- .../httproute-attaching-to-listener.out.yaml | 2 +- ...httproute-backend-request-timeout.out.yaml | 2 +- ...ing-to-listener-non-matching-port.out.yaml | 2 +- .../httproute-request-timeout.out.yaml | 2 +- ...ith-empty-backends-and-no-filters.out.yaml | 2 +- ...-multiple-backends-and-no-weights.out.yaml | 2 +- ...ith-multiple-backends-and-weights.out.yaml | 2 +- ...ervice-backends-and-app-protocols.out.yaml | 2 +- ...-non-service-backends-and-weights.out.yaml | 2 +- ...h-backendref-add-multiple-filters.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- .../httproute-with-direct-response.out.yaml | 2 +- .../httproute-with-empty-matches.out.yaml | 2 +- ...er-duplicate-add-multiple-filters.out.yaml | 2 +- ...with-header-filter-duplicate-adds.out.yaml | 2 +- ...duplicate-remove-multiple-filters.out.yaml | 2 +- ...h-header-filter-duplicate-removes.out.yaml | 2 +- ...header-filter-empty-header-values.out.yaml | 2 +- ...-with-header-filter-empty-headers.out.yaml | 2 +- ...ith-header-filter-invalid-headers.out.yaml | 2 +- ...ute-with-header-filter-no-headers.out.yaml | 2 +- ...th-header-filter-no-valid-headers.out.yaml | 2 
+- ...tproute-with-header-filter-remove.out.yaml | 2 +- ...with-invalid-backend-ref-bad-port.out.yaml | 2 +- ...invalid-backend-ref-invalid-group.out.yaml | 2 +- ...-invalid-backend-ref-invalid-kind.out.yaml | 2 +- ...-with-invalid-backend-ref-no-port.out.yaml | 2 +- ...lid-backend-ref-no-service.import.out.yaml | 2 +- ...th-invalid-backend-ref-no-service.out.yaml | 2 +- ...id-backend-ref-unsupported-filter.out.yaml | 2 +- ...lid-backendref-in-other-namespace.out.yaml | 2 +- .../httproute-with-invalid-regex.out.yaml | 4 +-- .../testdata/httproute-with-metadata.out.yaml | 2 +- ...ute-with-mirror-filter-duplicates.out.yaml | 2 +- ...route-with-mirror-filter-multiple.out.yaml | 2 +- ...ith-mirror-filter-service-no-port.out.yaml | 2 +- ...h-mirror-filter-service-not-found.out.yaml | 2 +- .../httproute-with-mirror-filter.out.yaml | 2 +- ...oute-with-multi-gateways-notmatch.out.yaml | 4 +-- ...ith-multi-gateways-with-same-name.out.yaml | 4 +-- ...ltiple-gateways-from-different-ns.out.yaml | 4 +-- ...th-multiple-gateways-from-same-ns.out.yaml | 4 +-- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...ct-filter-full-path-replace-https.out.yaml | 2 +- ...ute-with-redirect-filter-hostname.out.yaml | 2 +- ...direct-filter-invalid-filter-type.out.yaml | 2 +- ...th-redirect-filter-invalid-scheme.out.yaml | 2 +- ...th-redirect-filter-invalid-status.out.yaml | 2 +- ...ter-prefix-replace-with-port-http.out.yaml | 2 +- ...-with-response-header-filter-adds.out.yaml | 2 +- ...er-duplicate-add-multiple-filters.out.yaml | 2 +- ...onse-header-filter-duplicate-adds.out.yaml | 2 +- ...duplicate-remove-multiple-filters.out.yaml | 2 +- ...e-header-filter-duplicate-removes.out.yaml | 2 +- ...header-filter-empty-header-values.out.yaml | 2 +- ...ponse-header-filter-empty-headers.out.yaml | 2 +- ...nse-header-filter-invalid-headers.out.yaml | 2 +- ...response-header-filter-no-headers.out.yaml | 2 +- ...se-header-filter-no-valid-headers.out.yaml | 2 +- 
...ith-response-header-filter-remove.out.yaml | 2 +- ...single-rule-with-exact-path-match.out.yaml | 2 +- ...ingle-rule-with-http-method-match.out.yaml | 2 +- ...h-single-rule-with-multiple-rules.out.yaml | 2 +- ...h-prefix-and-exact-header-matches.out.yaml | 2 +- ...e-invalid-backend-refs-no-service.out.yaml | 2 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...ite-filter-full-path-replace-http.out.yaml | 2 +- ...te-filter-hostname-prefix-replace.out.yaml | 2 +- ...e-with-urlrewrite-filter-hostname.out.yaml | 2 +- ...ewrite-filter-invalid-filter-type.out.yaml | 2 +- ...rlrewrite-filter-invalid-hostname.out.yaml | 2 +- ...e-filter-invalid-multiple-filters.out.yaml | 2 +- ...lrewrite-filter-invalid-path-type.out.yaml | 2 +- ...th-urlrewrite-filter-invalid-path.out.yaml | 2 +- ...th-urlrewrite-filter-missing-path.out.yaml | 2 +- ...ewrite-filter-prefix-replace-http.out.yaml | 2 +- ...e-filter-regex-match-replace-http.out.yaml | 2 +- ...ilter-regex-match-replace-invalid.out.yaml | 2 +- ...rlrewrite-hostname-filter-invalid.out.yaml | 2 +- ...e-with-urlrewrite-hostname-filter.out.yaml | 2 +- ...ng-to-gateway-with-unset-hostname.out.yaml | 2 +- .../httproutes-with-multiple-matches.out.yaml | 2 +- .../merge-invalid-multiple-gateways.out.yaml | 4 +-- ...ays-multiple-listeners-same-ports.out.yaml | 8 ++--- ...multiple-gateways-multiple-routes.out.yaml | 6 ++-- .../merge-valid-multiple-gateways.out.yaml | 6 ++-- .../merge-with-isolated-policies-2.out.yaml | 8 ++--- .../merge-with-isolated-policies.out.yaml | 4 +-- ...curitypolicy-invalid-cross-ns-ref.out.yaml | 2 +- .../securitypolicy-override-replace.out.yaml | 2 +- .../securitypolicy-status-conditions.out.yaml | 6 ++-- ...icy-with-authoriztion-client-cidr.out.yaml | 2 +- ...olicy-with-authoriztion-jwt-claim.out.yaml | 2 +- .../securitypolicy-with-basic-auth.out.yaml | 2 +- ...curitypolicy-with-cors-targetrefs.out.yaml | 6 ++-- 
.../securitypolicy-with-cors.out.yaml | 6 ++-- ...curitypolicy-with-extauth-backend.out.yaml | 2 +- ...itypolicy-with-extauth-backendref.out.yaml | 2 +- ...-extauth-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extauth-invalid-no-port.out.yaml | 2 +- ...xtauth-invalid-no-reference-grant.out.yaml | 2 +- ...y-with-extauth-invalid-no-service.out.yaml | 2 +- ...policy-with-extauth-recomputation.out.yaml | 2 +- ...ith-extauth-with-backendtlspolicy.out.yaml | 2 +- .../securitypolicy-with-extauth.out.yaml | 2 +- ...ypolicy-with-jwt-and-invalid-oidc.out.yaml | 2 +- .../securitypolicy-with-jwt-optional.out.yaml | 4 +-- ...cy-with-jwt-with-custom-extractor.out.yaml | 4 +-- .../testdata/securitypolicy-with-jwt.out.yaml | 4 +-- ...typolicy-with-oidc-backendcluster.out.yaml | 2 +- ...typolicy-with-oidc-custom-cookies.out.yaml | 2 +- ...typolicy-with-oidc-invalid-issuer.out.yaml | 2 +- ...olicy-with-oidc-invalid-secretref.out.yaml | 6 ++-- .../securitypolicy-with-oidc.out.yaml | 2 +- ...teway-with-listener-tls-terminate.out.yaml | 4 +-- .../testdata/tcproute-with-backend.out.yaml | 2 +- .../tlsroute-attaching-to-gateway.out.yaml | 2 +- .../testdata/tlsroute-multiple.out.yaml | 2 +- .../testdata/tlsroute-with-backend.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- .../tlsroute-with-empty-hostname.out.yaml | 2 +- ...oute-with-empty-listener-hostname.out.yaml | 2 +- .../tracing-merged-multiple-routes.out.yaml | 6 ++-- .../testdata/tracing-multiple-routes.out.yaml | 6 ++-- internal/utils/net/ip.go | 10 ++++++ internal/xds/translator/listener.go | 36 ++----------------- .../testdata/in/xds-ir/accesslog-cel.yaml | 2 +- .../in/xds-ir/accesslog-endpoint-stats.yaml | 2 +- .../in/xds-ir/accesslog-formatters.yaml | 2 +- .../testdata/in/xds-ir/accesslog-invalid.yaml | 2 +- .../in/xds-ir/accesslog-multi-cel.yaml | 2 +- .../in/xds-ir/accesslog-without-format.yaml | 2 +- .../testdata/in/xds-ir/accesslog.yaml | 2 +- .../in/xds-ir/backend-buffer-limit.yaml | 6 ++-- 
.../testdata/in/xds-ir/circuit-breaker.yaml | 2 +- .../in/xds-ir/client-buffer-limit.yaml | 4 +-- .../in/xds-ir/client-ip-detection.yaml | 6 ++-- .../testdata/in/xds-ir/client-timeout.yaml | 4 +-- .../translator/testdata/in/xds-ir/cors.yaml | 2 +- .../testdata/in/xds-ir/fault-injection.yaml | 2 +- .../headers-with-preserve-x-request-id.yaml | 4 +-- .../headers-with-underscores-action.yaml | 8 ++--- .../testdata/in/xds-ir/health-check.yaml | 2 +- .../in/xds-ir/http-early-header-mutation.yaml | 4 +-- .../in/xds-ir/http-endpoint-stats.yaml | 2 +- .../testdata/in/xds-ir/http-health-check.yaml | 2 +- .../in/xds-ir/http-req-resp-sizes-stats.yaml | 2 +- .../in/xds-ir/http-route-direct-response.yaml | 2 +- .../in/xds-ir/http-route-dns-cluster.yaml | 2 +- .../testdata/in/xds-ir/http-route-mirror.yaml | 2 +- .../xds-ir/http-route-multiple-mirrors.yaml | 2 +- .../in/xds-ir/http-route-partial-invalid.yaml | 2 +- .../in/xds-ir/http-route-redirect.yaml | 2 +- .../testdata/in/xds-ir/http-route-regex.yaml | 2 +- .../in/xds-ir/http-route-request-headers.yaml | 2 +- .../http-route-response-add-headers.yaml | 2 +- ...ttp-route-response-add-remove-headers.yaml | 2 +- .../http-route-response-remove-headers.yaml | 2 +- ...tp-route-rewrite-root-path-url-prefix.yaml | 2 +- ...-rewrite-sufixx-with-slash-url-prefix.yaml | 2 +- .../http-route-rewrite-url-fullpath.yaml | 2 +- .../xds-ir/http-route-rewrite-url-host.yaml | 2 +- .../xds-ir/http-route-rewrite-url-prefix.yaml | 2 +- .../xds-ir/http-route-rewrite-url-regex.yaml | 2 +- .../http-route-session-persistence.yaml | 2 +- .../in/xds-ir/http-route-timeout.yaml | 2 +- .../http-route-weighted-backend-uds-ip.yaml | 2 +- ...p-route-weighted-backend-with-filters.yaml | 2 +- .../xds-ir/http-route-weighted-backend.yaml | 2 +- .../http-route-weighted-invalid-backend.yaml | 2 +- .../testdata/in/xds-ir/http-route.yaml | 2 +- .../in/xds-ir/http1-preserve-case.yaml | 4 +-- .../testdata/in/xds-ir/http1-trailers.yaml | 2 +- 
.../translator/testdata/in/xds-ir/http10.yaml | 2 +- .../testdata/in/xds-ir/http2-route.yaml | 2 +- .../translator/testdata/in/xds-ir/http2.yaml | 2 +- .../jsonpatch-add-op-empty-jsonpath.yaml | 2 +- .../jsonpatch-add-op-without-value.yaml | 2 +- .../in/xds-ir/jsonpatch-invalid-patch.yaml | 2 +- .../in/xds-ir/jsonpatch-missing-resource.yaml | 2 +- .../xds-ir/jsonpatch-move-op-with-value.yaml | 2 +- .../jsonpatch-with-jsonpath-invalid.yaml | 2 +- .../in/xds-ir/jsonpatch-with-jsonpath.yaml | 2 +- .../testdata/in/xds-ir/jsonpatch.yaml | 2 +- .../in/xds-ir/jwt-custom-extractor.yaml | 2 +- .../jwt-multi-route-multi-provider.yaml | 2 +- .../jwt-multi-route-single-provider.yaml | 2 +- .../testdata/in/xds-ir/jwt-optional.yaml | 2 +- .../testdata/in/xds-ir/jwt-ratelimit.yaml | 2 +- .../xds-ir/jwt-single-route-single-match.yaml | 2 +- .../in/xds-ir/listener-connection-limit.yaml | 8 ++--- .../in/xds-ir/listener-proxy-protocol.yaml | 4 +-- .../in/xds-ir/listener-tcp-keepalive.yaml | 8 ++--- .../testdata/in/xds-ir/load-balancer.yaml | 2 +- .../testdata/in/xds-ir/local-ratelimit.yaml | 2 +- .../in/xds-ir/metrics-virtual-host.yaml | 2 +- .../in/xds-ir/mixed-tls-jwt-authn.yaml | 2 +- .../xds-ir/multiple-listeners-same-port.yaml | 12 +++---- .../multiple-simple-tcp-route-same-port.yaml | 10 +++--- ...d-client-certificate-with-custom-data.yaml | 10 +++--- ...mutual-tls-forward-client-certificate.yaml | 10 +++--- ...-required-client-certificate-disabled.yaml | 4 +-- .../testdata/in/xds-ir/mutual-tls.yaml | 4 +-- .../xds-ir/oidc-backend-cluster-provider.yaml | 2 +- .../translator/testdata/in/xds-ir/oidc.yaml | 2 +- .../testdata/in/xds-ir/path-settings.yaml | 2 +- .../in/xds-ir/proxy-protocol-upstream.yaml | 2 +- .../in/xds-ir/ratelimit-custom-domain.yaml | 2 +- .../in/xds-ir/ratelimit-disable-headers.yaml | 2 +- .../in/xds-ir/ratelimit-endpoint-stats.yaml | 2 +- .../in/xds-ir/ratelimit-headers-and-cidr.yaml | 2 +- .../in/xds-ir/ratelimit-sourceip.yaml | 2 +- 
.../testdata/in/xds-ir/ratelimit.yaml | 2 +- .../in/xds-ir/retry-partial-invalid.yaml | 2 +- .../testdata/in/xds-ir/simple-tls.yaml | 2 +- .../in/xds-ir/suppress-envoy-headers.yaml | 2 +- .../in/xds-ir/tcp-endpoint-stats.yaml | 2 +- .../in/xds-ir/tcp-req-resp-sizes-stats.yaml | 2 +- .../testdata/in/xds-ir/tcp-route-complex.yaml | 2 +- .../in/xds-ir/tcp-route-invalid-endpoint.yaml | 2 +- .../testdata/in/xds-ir/tcp-route-simple.yaml | 2 +- .../in/xds-ir/tcp-route-tls-terminate.yaml | 4 +-- .../in/xds-ir/tcp-route-weighted-backend.yaml | 2 +- .../testdata/in/xds-ir/timeout.yaml | 2 +- .../in/xds-ir/tls-route-passthrough.yaml | 4 +-- .../tls-with-ciphers-versions-alpn.yaml | 4 +-- .../testdata/in/xds-ir/tracing-datadog.yaml | 2 +- .../in/xds-ir/tracing-endpoint-stats.yaml | 2 +- .../testdata/in/xds-ir/tracing-invalid.yaml | 2 +- .../xds-ir/tracing-unknown-provider-type.yaml | 2 +- .../testdata/in/xds-ir/tracing-zipkin.yaml | 2 +- .../testdata/in/xds-ir/tracing.yaml | 2 +- .../in/xds-ir/udp-endpoint-stats.yaml | 2 +- .../in/xds-ir/udp-req-resp-sizes-stats.yaml | 2 +- .../testdata/in/xds-ir/udp-route.yaml | 2 +- .../in/xds-ir/upstream-tcpkeepalive.yaml | 2 +- ...xtensionpolicy-tcp-udp-http.listeners.yaml | 2 ++ ...http-route-extension-filter.listeners.yaml | 1 + .../http-route.listeners.yaml | 1 + .../listener-policy.listeners.yaml | 1 + .../out/xds-ir/accesslog-cel.listeners.yaml | 3 +- .../accesslog-endpoint-stats.listeners.yaml | 3 +- .../accesslog-formatters.listeners.yaml | 3 +- .../xds-ir/accesslog-multi-cel.listeners.yaml | 3 +- .../out/xds-ir/accesslog-types.listeners.yaml | 1 + .../accesslog-without-format.listeners.yaml | 3 +- .../out/xds-ir/accesslog.listeners.yaml | 3 +- .../authorization-client-cidr.listeners.yaml | 1 + .../authorization-jwt-claim.listeners.yaml | 1 + .../authorization-jwt-scope.listeners.yaml | 1 + ...ization-multiple-principals.listeners.yaml | 1 + .../backend-buffer-limit.listeners.yaml | 9 +++-- .../xds-ir/backend-priority.listeners.yaml 
| 1 + .../out/xds-ir/basic-auth.listeners.yaml | 1 + .../out/xds-ir/circuit-breaker.listeners.yaml | 3 +- .../xds-ir/client-buffer-limit.listeners.yaml | 6 ++-- .../xds-ir/client-ip-detection.listeners.yaml | 9 +++-- .../out/xds-ir/client-timeout.listeners.yaml | 6 ++-- .../testdata/out/xds-ir/cors.listeners.yaml | 3 +- .../xds-ir/custom-filter-order.listeners.yaml | 1 + .../out/xds-ir/custom-response.listeners.yaml | 1 + .../xds-ir/ext-auth-backend.listeners.yaml | 1 + .../ext-auth-recomputation.listeners.yaml | 1 + .../out/xds-ir/ext-auth.listeners.yaml | 1 + ...-proc-with-traffic-settings.listeners.yaml | 1 + .../out/xds-ir/ext-proc.listeners.yaml | 1 + .../out/xds-ir/fault-injection.listeners.yaml | 3 +- ...-with-preserve-x-request-id.listeners.yaml | 6 ++-- ...ers-with-underscores-action.listeners.yaml | 12 ++++--- .../out/xds-ir/health-check.listeners.yaml | 3 +- .../http-early-header-mutation.listeners.yaml | 6 ++-- .../xds-ir/http-endpoint-stats.listeners.yaml | 3 +- .../xds-ir/http-health-check.listeners.yaml | 3 +- ...tp-preserve-client-protocol.listeners.yaml | 1 + .../http-req-resp-sizes-stats.listeners.yaml | 3 +- .../http-route-direct-response.listeners.yaml | 3 +- .../http-route-dns-cluster.listeners.yaml | 3 +- .../xds-ir/http-route-mirror.listeners.yaml | 3 +- ...http-route-multiple-matches.listeners.yaml | 1 + ...http-route-multiple-mirrors.listeners.yaml | 3 +- .../http-route-partial-invalid.listeners.yaml | 3 +- .../xds-ir/http-route-redirect.listeners.yaml | 3 +- .../xds-ir/http-route-regex.listeners.yaml | 3 +- .../http-route-request-headers.listeners.yaml | 3 +- ...-route-response-add-headers.listeners.yaml | 3 +- ...response-add-remove-headers.listeners.yaml | 3 +- ...ute-response-remove-headers.listeners.yaml | 3 +- ...ewrite-root-path-url-prefix.listeners.yaml | 3 +- ...ufixx-with-slash-url-prefix.listeners.yaml | 3 +- ...-route-rewrite-url-fullpath.listeners.yaml | 3 +- ...http-route-rewrite-url-host.listeners.yaml | 3 +- 
...tp-route-rewrite-url-prefix.listeners.yaml | 3 +- ...ttp-route-rewrite-url-regex.listeners.yaml | 3 +- ...p-route-session-persistence.listeners.yaml | 3 +- .../xds-ir/http-route-timeout.listeners.yaml | 3 +- ...ute-weighted-backend-uds-ip.listeners.yaml | 3 +- ...ighted-backend-with-filters.listeners.yaml | 3 +- ...http-route-weighted-backend.listeners.yaml | 3 +- ...te-weighted-invalid-backend.listeners.yaml | 3 +- .../http-route-with-clientcert.listeners.yaml | 1 + .../http-route-with-metadata.listeners.yaml | 1 + ...-with-tls-system-truststore.listeners.yaml | 1 + ...th-tlsbundle-multiple-certs.listeners.yaml | 2 ++ .../http-route-with-tlsbundle.listeners.yaml | 1 + .../out/xds-ir/http-route.listeners.yaml | 3 +- .../xds-ir/http1-preserve-case.listeners.yaml | 6 ++-- .../out/xds-ir/http1-trailers.listeners.yaml | 3 +- .../testdata/out/xds-ir/http10.listeners.yaml | 3 +- .../out/xds-ir/http2-route.listeners.yaml | 3 +- .../testdata/out/xds-ir/http2.listeners.yaml | 3 +- .../testdata/out/xds-ir/http3.listeners.yaml | 2 ++ .../jsonpatch-missing-resource.listeners.yaml | 3 +- .../jsonpatch-with-jsonpath.listeners.yaml | 3 +- .../out/xds-ir/jsonpatch.listeners.yaml | 3 +- .../jwt-custom-extractor.listeners.yaml | 3 +- ...-multi-route-multi-provider.listeners.yaml | 3 +- ...multi-route-single-provider.listeners.yaml | 3 +- .../out/xds-ir/jwt-optional.listeners.yaml | 3 +- .../out/xds-ir/jwt-ratelimit.listeners.yaml | 3 +- ...t-single-route-single-match.listeners.yaml | 3 +- .../listener-connection-limit.listeners.yaml | 12 ++++--- .../listener-proxy-protocol.listeners.yaml | 6 ++-- .../listener-tcp-keepalive.listeners.yaml | 12 ++++--- .../listener-tcp-without-route.listeners.yaml | 1 + .../out/xds-ir/load-balancer.listeners.yaml | 3 +- .../out/xds-ir/local-ratelimit.listeners.yaml | 3 +- .../metrics-virtual-host.listeners.yaml | 3 +- .../xds-ir/mixed-tls-jwt-authn.listeners.yaml | 3 +- ...port-with-different-filters.listeners.yaml | 2 ++ 
...ultiple-listeners-same-port.listeners.yaml | 3 +- ...-simple-tcp-route-same-port.listeners.yaml | 3 +- ...ertificate-with-custom-data.listeners.yaml | 15 +++++--- ...-forward-client-certificate.listeners.yaml | 15 +++++--- ...client-certificate-disabled.listeners.yaml | 6 ++-- .../out/xds-ir/mutual-tls.listeners.yaml | 6 ++-- ...dc-backend-cluster-provider.listeners.yaml | 3 +- .../testdata/out/xds-ir/oidc.listeners.yaml | 3 +- .../out/xds-ir/path-settings.listeners.yaml | 3 +- .../proxy-protocol-upstream.listeners.yaml | 3 +- .../ratelimit-custom-domain.listeners.yaml | 3 +- .../ratelimit-disable-headers.listeners.yaml | 3 +- .../ratelimit-endpoint-stats.listeners.yaml | 3 +- .../ratelimit-headers-and-cidr.listeners.yaml | 3 +- .../xds-ir/ratelimit-sourceip.listeners.yaml | 3 +- .../out/xds-ir/ratelimit.listeners.yaml | 3 +- .../retry-partial-invalid.listeners.yaml | 3 +- ...ypolicy-with-oidc-jwt-authz.listeners.yaml | 1 + .../out/xds-ir/simple-tls.listeners.yaml | 3 +- .../suppress-envoy-headers.listeners.yaml | 3 +- .../xds-ir/tcp-endpoint-stats.listeners.yaml | 3 +- .../tcp-listener-ipfamily.listeners.yaml | 8 ++--- .../tcp-req-resp-sizes-stats.listeners.yaml | 3 +- .../xds-ir/tcp-route-complex.listeners.yaml | 3 +- .../xds-ir/tcp-route-simple.listeners.yaml | 3 +- .../tcp-route-tls-terminate.listeners.yaml | 3 +- .../tcp-route-weighted-backend.listeners.yaml | 3 +- .../out/xds-ir/timeout.listeners.yaml | 3 +- .../tls-route-passthrough.listeners.yaml | 6 ++-- ...-with-ciphers-versions-alpn.listeners.yaml | 6 ++-- .../out/xds-ir/tracing-datadog.listeners.yaml | 3 +- .../tracing-endpoint-stats.listeners.yaml | 3 +- .../out/xds-ir/tracing-zipkin.listeners.yaml | 3 +- .../out/xds-ir/tracing.listeners.yaml | 3 +- .../xds-ir/udp-endpoint-stats.listeners.yaml | 3 +- .../udp-req-resp-sizes-stats.listeners.yaml | 3 +- .../out/xds-ir/udp-route.listeners.yaml | 3 +- .../upstream-tcpkeepalive.listeners.yaml | 3 +- .../testdata/out/xds-ir/wasm.listeners.yaml | 1 + 
internal/xds/translator/translator.go | 4 +-- release-notes/current.yaml | 1 + test/e2e/tests/envoy_shutdown.go | 5 ++- test/e2e/upgrade/eg_upgrade_test.go | 4 +++ 576 files changed, 993 insertions(+), 814 deletions(-) create mode 100644 internal/utils/net/ip.go diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 63d685e9cd1..e81c777ee74 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -886,7 +886,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -945,7 +946,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8080 defaultFilterChain: filters: @@ -1012,7 +1014,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 filterChains: - filters: @@ -1051,7 +1054,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8443 filterChains: - filterChainMatch: @@ -1097,7 +1101,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 protocol: UDP listenerFilters: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index b0524fac2b6..96f794bb456 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -632,7 +632,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 10080 } }, 
@@ -723,7 +724,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 8080 } }, @@ -828,7 +830,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 1234 } }, @@ -893,7 +896,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 8443 } }, @@ -971,7 +975,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 1234, "protocol": "UDP" } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index e4895ddc9df..e4490080e3d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -365,7 +365,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -424,7 +425,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8080 defaultFilterChain: filters: @@ -491,7 +493,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 filterChains: - filters: @@ -530,7 +533,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8443 filterChains: - filterChainMatch: @@ -576,7 +580,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 protocol: UDP listenerFilters: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index b6c94a95ae8..99b3a3f2cf5 100644 
--- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -20,7 +20,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -79,7 +80,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8080 defaultFilterChain: filters: @@ -146,7 +148,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 filterChains: - filters: @@ -185,7 +188,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8443 filterChains: - filterChainMatch: @@ -231,7 +235,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 1234 protocol: UDP listenerFilters: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 900c70f82ff..a777f5cdc56 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -458,7 +458,8 @@ ], "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 10080 } }, diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index a91da546cbb..c3ee0ddf26a 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml 
@@ -263,7 +263,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index 347f3302124..ed90fc0e3e2 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -20,7 +20,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 3013f6d0a4e..6edf19677ad 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -226,7 +226,8 @@ xds: path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index de96e757e8e..862c8e8b795 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/cmd/envoy/shutdown_manager.go b/internal/cmd/envoy/shutdown_manager.go index 48f624bb67a..e0b8204a61d 100644 --- a/internal/cmd/envoy/shutdown_manager.go +++ b/internal/cmd/envoy/shutdown_manager.go 
@@ -171,7 +171,7 @@ func Shutdown(drainTimeout time.Duration, minDrainDuration time.Duration, exitAt // postEnvoyAdminAPI sends a POST request to the Envoy admin API func postEnvoyAdminAPI(path string) error { if resp, err := http.Post(fmt.Sprintf("http://%s:%d/%s", - bootstrap.EnvoyAdminAddress, bootstrap.EnvoyAdminPort, path), "application/json", nil); err != nil { + "localhost", bootstrap.EnvoyAdminPort, path), "application/json", nil); err != nil { return err } else { defer resp.Body.Close() @@ -187,7 +187,7 @@ func postEnvoyAdminAPI(path string) error { func getTotalConnections() (*int, error) { // Send request to Envoy admin API to retrieve server.total_connections stat if resp, err := http.Get(fmt.Sprintf("http://%s:%d//stats?filter=^server\\.total_connections$&format=json", - bootstrap.EnvoyAdminAddress, bootstrap.EnvoyAdminPort)); err != nil { + "localhost", bootstrap.EnvoyAdminPort)); err != nil { return nil, err } else { defer resp.Body.Close() diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 30e75ad6197..71235414814 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go @@ -22,6 +22,7 @@ import ( "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils" "github.com/envoyproxy/gateway/internal/utils/naming" + "github.com/envoyproxy/gateway/internal/utils/net" ) var _ ListenersTranslator = (*Translator)(nil) @@ -99,6 +100,10 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource if !isReady { continue } + + // EG always use `::` and set ipv4_compact with true to support both IPv4 and IPv6 + address := net.IPv6ListenerAddress + // Add the listener to the Xds IR servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)} containerPort := servicePortToContainerPort(int32(listener.Port), gateway.envoyProxy) 
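Review bot: The admin host is now the bare literal `"localhost"` in both `postEnvoyAdminAPI` and `getTotalConnections` (the second hunk of this file), so the shutdown manager no longer shares a definition with the bootstrap's admin listener and depends on how `localhost` resolves inside the container. The Envoy admin API has no authentication of its own, so the loopback-only assumption deserves one named constant with a comment, for example `const envoyAdminHost = "localhost" // admin API must stay loopback-only; resolves to 127.0.0.1 or ::1`, used at both call sites. Both requests also go through `http.Post`/`http.Get` on the default client, which has no timeout, so a stalled admin endpoint could block the drain sequence; that predates this change but is worth fixing alongside it. Both function bodies continue outside the hunks.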
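Review bot: The new comment in `ProcessListeners` (hunk `@@ -99,6 +100,10 @@`) names the field `ipv4_compact`, while the generated listeners in this same patch use `ipv4Compat`; it should read `// EG always uses "::" with ipv4_compat set to true so one listener accepts both IPv4 and IPv6`. The address is also chosen unconditionally, while the HTTP and TCP listeners in the following hunks (`@@ -107,7 +112,7 @@`, `@@ -134,7 +139,7 @@`) still pass `IPFamily: getIPFamily(gateway.envoyProxy)`, so it is worth documenting or checking what happens for a proxy configured as IPv4-only, or on a node without IPv6, where binding `::` may fail. Because IPv4 peers now arrive on an IPv6 socket, an e2e case for the source-IP features (client-CIDR authorization, source-IP rate limits) with an IPv4 client would confirm they still match as before. The imported package `internal/utils/net` (hunk `@@ -22,6 +22,7 @@`) takes the name of the standard library's `net` in this file, so an alias such as `netutils` would avoid confusion. `ProcessListeners` starts and ends outside these hunks.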
@@ -107,7 +112,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource irListener := &ir.HTTPListener{ CoreListenerDetails: ir.CoreListenerDetails{ Name: irListenerName(listener), - Address: "0.0.0.0", + Address: address, Port: uint32(containerPort), Metadata: buildListenerMetadata(listener, gateway), IPFamily: getIPFamily(gateway.envoyProxy), @@ -134,7 +139,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource irListener := &ir.TCPListener{ CoreListenerDetails: ir.CoreListenerDetails{ Name: irListenerName(listener), - Address: "0.0.0.0", + Address: address, Port: uint32(containerPort), IPFamily: getIPFamily(gateway.envoyProxy), }, @@ -150,7 +155,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource irListener := &ir.UDPListener{ CoreListenerDetails: ir.CoreListenerDetails{ Name: irListenerName(listener), - Address: "0.0.0.0", + Address: address, Port: uint32(containerPort), }, } diff --git a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml index 49d35c60700..496795222d9 100644 --- a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backend-with-fallback.out.yaml b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml index 74bd61795fe..94b4d02065d 100644 --- a/internal/gatewayapi/testdata/backend-with-fallback.out.yaml +++ b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml @@ -138,7 +138,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml index fde390c7efe..7d776a1784f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml @@ -121,7 +121,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index a5b87b3fa1f..a65ea66d0ab 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index 8489f047341..f85b9c73c3f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 9f4874f90f4..3467422f204 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -266,7 +266,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -323,7 +323,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index 2e2186879f9..c8898169624 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -227,7 +227,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 100efbcab4f..cb968f9a6a0 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml index 8ecd25a2418..207713455e8 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml @@ -174,7 +174,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index f91dc4d768e..8438c8551ce 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml 
@@ -129,7 +129,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml index bb171e01da7..b64b9faa39a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml index 654c9bdab4a..b0b46e91d66 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml index d95c8a0fcc0..0db555c1cfd 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true 
@@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml index 8aafd70c0bb..a956f1b4706 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml @@ -272,7 +272,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml index 1a054712d80..1e671f11044 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml @@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -540,7 +540,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -578,7 +578,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -612,6 +612,6 @@ xdsIR: name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* traffic: {} tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml index 02222719f3f..b263c244b51 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml 
@@ -329,7 +329,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -373,7 +373,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml index 0a13771f373..678fc4dea50 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index 2b49ea23741..80a166ac5d5 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml @@ -311,7 +311,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -349,7 +349,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml index 575bfca2e1b..a1cf0fa2af5 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml @@ -253,7 +253,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true 
@@ -296,7 +296,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml index 12bbf12dbe7..04202343698 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml @@ -318,7 +318,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -362,7 +362,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 4f964492673..792b473aba5 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml @@ -678,7 +678,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -787,7 +787,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml index 35dbb164bf1..ca5371fc7df 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml @@ -251,7 +251,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml index 245739ca233..371a3709c9f 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml @@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml index dc2ba7fb3d3..0562588ff18 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml @@ -201,7 +201,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml index b2378edf754..30918a9739b 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml @@ -421,7 +421,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -460,7 +460,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml index d64aea61aee..bc398deeace 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml @@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index 0be116e1ebf..3097821b6ae 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml @@ -154,7 +154,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index 21cae9b09f3..f4b263b7c99 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml @@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index 0fd1f442bd8..f92bea8d0ca 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -157,7 +157,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml index f05856b9630..5f212860b63 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml index c65df985ac5..46398f5452d 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml @@ -245,7 +245,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -284,7 +284,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml index 4ea1623c867..75e47abd4ec 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml @@ -134,7 +134,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index 8b20cbc59c9..a19a2ed3b72 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml index 07fa997e109..37763d7d92c 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml @@ -268,7 +268,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -321,7 +321,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml index c1542d9caec..8001e10e433 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml @@ -294,7 +294,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -332,7 +332,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml index 568a57af484..4f0f13c6740 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -353,7 +353,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml index 40ae88b602d..2ae6a02c282 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml @@ -264,7 +264,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -310,7 +310,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml index d032b952236..e8d3d65ed90 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml @@ -169,7 +169,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index 9fa8e7235c9..e96203a9214 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml @@ -233,7 +233,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: default/tcp-gateway/bar port: 8089 routes: @@ -292,7 +292,7 @@ xdsIR: tcp: connectTimeout: 15s udp: - - address: 0.0.0.0 + - address: '::' name: default/tcp-gateway/foo port: 8162 route: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 5b1707b6f1a..89f07548c29 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml @@ -306,7 +306,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: default/tcp-gateway/bar port: 8089 routes: 
@@ -365,7 +365,7 @@ xdsIR: tcp: connectTimeout: 15s udp: - - address: 0.0.0.0 + - address: '::' name: default/tcp-gateway/foo port: 8162 route: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml index 0213525db48..bf91d10226e 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -290,7 +290,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index dc80d9e73a8..ab1c94ff3c9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml index ea546413a59..8a25a4a2fc8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml @@ -237,7 +237,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -277,7 +277,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml index 0fad514c5e8..0244bcea667 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml @@ -257,7 +257,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -301,7 +301,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml index a11ad751e08..2f2cc555d95 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml @@ -159,7 +159,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -173,7 +173,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml index 9993a11f26d..20191e8b4ba 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -174,7 +174,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml index d897fac8887..bbccfc1a09e 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml @@ -159,7 +159,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' connection: bufferLimit: 50000000 hostnames: @@ -175,7 +175,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml index 898d87d0be0..46d7c08e297 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml @@ -262,7 +262,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -279,7 +279,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8081 - - address: 0.0.0.0 + - address: '::' clientIPDetection: customHeader: failClosed: false @@ -297,7 +297,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8082 - - address: 0.0.0.0 + - address: '::' clientIPDetection: customHeader: failClosed: true @@ -315,7 +315,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8083 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml index 705e23a8d0e..d5d78569444 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml @@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -175,7 +175,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml index e4f163f5963..6f99ddff5b9 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml @@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' connection: limit: closeDelay: 10s @@ -179,7 +179,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml index bb695decae7..94a5074c65b 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml @@ -184,7 +184,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' connection: bufferLimit: 50000000 limit: 
@@ -246,7 +246,7 @@ xdsIR: signatureAlgorithms: - sig1 - sig2 - - address: 0.0.0.0 + - address: '::' connection: bufferLimit: 50000000 limit: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml index 9eee58d7df7..5a27962f198 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: enableEnvoyHeaders: true preserveXRequestID: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml index 4e66bd91c64..8cc87a5b639 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml @@ -141,7 +141,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: earlyAddRequestHeaders: - append: true @@ -170,7 +170,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' headers: earlyAddRequestHeaders: - append: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml index f41c8fd3a2c..02f8f67aab8 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml @@ -89,7 +89,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' healthCheck: path: /ready hostnames: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index 8561d93004a..3343e3028ba 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -454,7 +454,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: @@ -470,7 +470,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - www.example.com http1: @@ -487,7 +487,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: {} @@ -502,7 +502,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8081 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: @@ -537,7 +537,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: {} diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index 3de4101c8c6..10aec8cce97 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml @@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http2: @@ -181,7 +181,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - www.example.com http2: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index c946f22c841..3166e9aa700 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http3: 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml index 94775b0aeab..8052587d753 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml @@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml index e728cd78c63..af9a6f0c389 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -145,7 +145,7 @@ xdsIR: timeout: http: idleTimeout: 10s - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 22692261be3..0846607806c 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -232,7 +232,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -258,7 +258,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -277,7 +277,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml index 285a35daf25..f02d213a9c4 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml @@ -544,7 +544,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -574,7 +574,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -597,7 +597,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -632,7 +632,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -669,7 +669,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -708,7 +708,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml index 85042934396..386651702d9 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml 
@@ -531,7 +531,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -561,7 +561,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -584,7 +584,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -619,7 +619,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -654,7 +654,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -689,7 +689,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: withUnderscoresAction: RejectRequest xForwardedClientCert: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml index 08dcf5bef70..5398303d3cb 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml @@ -231,7 +231,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -257,7 +257,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -276,7 +276,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml index 2cf85c63b8b..38eeb8b5a52 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -140,7 +140,7 @@ xdsIR: escapedSlashesAction: KeepUnchanged mergeSlashes: false port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml index 5f48ea0ed67..80d4350f638 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml @@ -198,7 +198,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: @@ -220,7 +220,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -234,7 +234,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml index 4f6bfdbdf97..160cc58044c 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: @@ -143,7 +143,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml index 0d88cb4d8fd..bfac33d66db 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' enableProxyProtocol: true hostnames: - '*' @@ -141,7 +141,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml index 51e89d7272b..d3daeca2460 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' headers: disableRateLimitHeaders: true enableEnvoyHeaders: true @@ -144,7 +144,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' headers: disableRateLimitHeaders: true enableEnvoyHeaders: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml index f4fcac96827..726b258d2b0 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml @@ -502,7 +502,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -536,7 +536,7 @@ xdsIR: mergeSlashes: true port: 10080 tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-2/tcp port: 10053 envoy-gateway/gateway-3: @@ -544,7 +544,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -563,7 +563,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml index 8b0e90b3848..b09699c1419 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml @@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -179,7 +179,7 @@ xdsIR: idleTime: 1200 interval: 60 probes: 3 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml index 7d12e8b98ac..4554e319052 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml @@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml index 664f5fe1fc7..97416a04bab 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml 
+++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -145,7 +145,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index e673ed66b7a..917547923a5 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml @@ -322,7 +322,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -355,7 +355,7 @@ xdsIR: - sig2 statefulSessionResumption: true statelessSessionResumption: true - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -374,7 +374,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -401,7 +401,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml index 114af441730..354cec1af2d 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml @@ -125,7 +125,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: @@ -141,7 +141,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' http1: 
diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index 8acabbca876..6933902b8f9 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -265,7 +265,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.192.168.0.15.nip.io' isHTTP2: false @@ -300,7 +300,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - qccbahgo.qccbahgo isHTTP2: false diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index a8c4413a399..c840462f271 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -225,7 +225,7 @@ xdsIR: - after: envoy.filters.http.basic_authn name: envoy.filters.http.cors http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/disable-accesslog.out.yaml b/internal/gatewayapi/testdata/disable-accesslog.out.yaml index b0dc0dd4bb1..2f152a026ac 100644 --- a/internal/gatewayapi/testdata/disable-accesslog.out.yaml +++ b/internal/gatewayapi/testdata/disable-accesslog.out.yaml @@ -119,7 +119,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml index df3a01d780f..85f79b1e55c 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml 
@@ -79,7 +79,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml index 2c6b006af93..c0b88b42192 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml @@ -268,7 +268,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index f4cc57f95ba..0db35ca4bb0 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -540,7 +540,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -578,7 +578,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -612,6 +612,6 @@ xdsIR: namespace: envoy-gateway name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index beac28da518..2d0a54ff2da 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index efd62e1e0ea..53232e5735c 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index ba93c2decdc..7a84bb226c8 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index 066917dd152..ba22f681a33 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml @@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index a1d7beec90b..81863d1acdf 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index a81a7cd4410..4789f8555e3 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 21fb5de6103..93c24363c31 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -309,7 +309,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml index 4a19852eea0..f0dfd27144d 100644 
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml @@ -239,7 +239,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 8c65fb9cf65..12fad598a5c 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml @@ -207,7 +207,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 368c32a4055..71173c47bd0 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml @@ -241,7 +241,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml index e40792057eb..11011a07694 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml @@ -61,7 +61,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml index 4eff002f05f..f2a88d508ed 100644 
--- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml @@ -87,7 +87,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml index e36a5d543ac..694ba5cf0ae 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml @@ -89,7 +89,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml index 14addeb27dc..5e28ec9e9d4 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml @@ -80,7 +80,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml index 315fc208bad..a73b592ca7f 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml 
@@ -116,7 +116,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml index 6ac0112c140..cb05e3a5858 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml @@ -108,7 +108,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml index 8695f47ecfa..eae92fd6677 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml @@ -182,7 +182,7 @@ xdsIR: name: envoy-gateway-system/test type: TCP http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml index 6c3db20cff0..fe87871df9b 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml @@ -142,7 +142,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml index 94763fd2522..a676d131d70 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml 
@@ -153,7 +153,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml index ce6e60861fc..4c9774307ba 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml @@ -142,7 +142,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml index 4161575dd8a..6c41786f198 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml @@ -177,7 +177,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml index f1fc863b98e..dfa7cb9e73a 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml 
@@ -126,7 +126,7 @@ xdsIR: envoy-gateway/gateway-1: accessLog: {} http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml index cb2e10fc988..22351893208 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml @@ -134,7 +134,7 @@ xdsIR: protocol: '%PROTOCOL%' path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml index 9c2c0d1cf82..481d5d35e0b 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml @@ -426,7 +426,7 @@ xdsIR: this is a Global log path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml index db14cc4b8e3..4d25ea17358 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml @@ -128,7 +128,7 @@ xdsIR: envoy-gateway/gateway-1: accessLog: {} http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml index 28ef831b03a..72234e5db1e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml 
@@ -310,7 +310,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml index 43505266ec0..f9db0b48736 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml @@ -194,7 +194,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml index 9694dd07ad7..8c2bec37bde 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml @@ -206,7 +206,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml index 1b31bae27e7..0e4a18b66dc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml 
@@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml index 9f058d69051..537a739770c 100644 --- a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml index 0368e1a1a22..dcfabe29f4c 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml index 4bff8f998d5..91706f9afd4 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml index 7605114bf22..293488ec064 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml 
@@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 426268f6340..f5c685bab24 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -283,7 +283,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml index 76859d37624..88618649c7e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml index a679b4aef60..1602dc38c8b 100644 --- a/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index 7e86495fc41..578ad17e948 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml 
@@ -228,7 +228,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -282,7 +282,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-tls/ port: 10445 routes: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index 868620d8d74..fc0b655ad12 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -227,7 +227,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -281,7 +281,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-tls/ port: 10445 routes: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index e65df0254f4..1157e1f7c7e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -226,7 +226,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -284,7 +284,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-tls/ port: 10445 routes: diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml index 3506b9a0aba..1a43989014b 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml index b3a44d78fdc..cb5292b6d20 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml @@ -155,7 +155,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml index 5bd374167ee..6df12542bcc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml @@ -119,7 +119,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml index 0095b815fd7..731eebc1c72 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml @@ -146,7 +146,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -204,7 +204,7 @@ xdsIR: controllerName: gateway.envoyproxy.io/gatewayclass-controller name: envoy-gateway/gateway-1/tcp1 port: 10080 - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 
diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml index 1ff835552d9..71e6d1cdfe6 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml @@ -146,7 +146,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -204,7 +204,7 @@ xdsIR: controllerName: gateway.envoyproxy.io/gatewayclass-controller name: envoy-gateway/gateway-1/udp1 port: 10162 - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml index 8140d239ab5..066cd664242 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -111,7 +111,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10081 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml index 5a0b8ef2f97..0ba6cb4868c 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml 
@@ -157,7 +157,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -218,7 +218,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml index 29b482ae554..daa4b7e0095 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml @@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -191,7 +191,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10081 - - address: 0.0.0.0 + - address: '::' extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml index 79aeb1f3eeb..069d311948f 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml @@ -109,7 +109,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml index d70cea292b5..f2fcc7a5859 100644 
--- a/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml index 1af974c72bb..13e693b41de 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml index 1cb405e4dd8..73664fdf291 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml index 2dd68040951..56b396fa4b6 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml 
@@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml index 35383fcb502..6dda7c9d89c 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml index cb47542a1c7..e384db96691 100644 --- a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml @@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -204,7 +204,7 @@ xdsIR: distinct: false name: "" prefix: /empty-hostname - - address: 0.0.0.0 + - address: '::' hostnames: - '*.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index 0b38b962b89..fc416f75db4 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml index 798641857cd..2eb3f6ba8ea 100644 --- a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml @@ -66,6 +66,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml index 8794f263e57..a4c79fa1d29 100644 --- a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml index deed8d261b5..c458d7e982f 100644 --- a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml index 0ec88f622c9..e9402d144eb 100644 
--- a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml index 866ca1e861a..d6fcc45aa78 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml @@ -91,7 +91,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml index cbc01a3d11d..042f236965e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10080 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml index 7e583a73bda..15fcf27bc68 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml @@ -96,6 +96,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index 6e35700c58e..cfbff1ff11a 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -103,7 +103,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 9e2db8004e5..3f680237131 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml @@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.bar.com isHTTP2: false 
@@ -214,7 +214,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls-passthrough port: 10090 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml index 03cf19502d7..88a7435683f 100644 
--- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml @@ -91,7 +91,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10162 route: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml index 70a5a2a8599..bf252dfb7e0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10080 route: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml index 850f9e64cba..c87bc540bd1 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml @@ -96,6 +96,6 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml index 79295aded7b..a44c4ff584c 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml 
@@ -59,6 +59,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml index a30d7cf5a5b..00233142fc1 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml @@ -59,6 +59,6 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index a9939722a0d..4198cb7db1d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index 6fdbe779e25..da63240840e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index 680ff1bf524..a984dbc8a91 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml index 6598bfde8d4..2575bc79de1 100644 --- a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml index f7fd4e2752c..7513e60bfb8 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml index 4f4555a87e8..c94a3f623a4 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10162 route: diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index bafbb34668b..30f33008266 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index e3bc11e2cc5..3bec02c1f8f 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml @@ -115,7 +115,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp1 port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index 5f904c3de3e..0a76a7d86a6 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml @@ -118,7 +118,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp1 port: 10162 route: 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml index d6b31a59f6a..248169c209b 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml @@ -168,7 +168,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false @@ -223,7 +223,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml index 67867078333..0238ba3007e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml @@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -199,7 +199,7 @@ xdsIR: name: "" prefix: / tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10080 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml index b7bdac0b389..6d8bd1f0905 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml 
@@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -199,7 +199,7 @@ xdsIR: name: "" prefix: / udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp port: 10080 route: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml index d2d74cd296e..07e3e01a70c 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp1 port: 10162 routes: @@ -174,7 +174,7 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp2 port: 10163 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml index 20519f07857..b5a71ddbe5e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml @@ -156,7 +156,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp1 port: 10161 routes: @@ -170,7 +170,7 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp2 port: 10162 routes: 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml index 00a61415035..deac14645ab 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp1 port: 10162 route: @@ -174,7 +174,7 @@ xdsIR: protocol: UDP weight: 1 name: udproute/default/udproute-1 - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp2 port: 10163 route: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml index f6cb6959c4b..96ca8ca522c 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml @@ -156,7 +156,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp1 port: 10161 route: @@ -170,7 +170,7 @@ xdsIR: protocol: UDP weight: 1 name: udproute/default/udproute-1 - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/udp2 port: 10162 route: diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml index 8981d87b085..5b9fe7b3a5f 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml 
@@ -124,7 +124,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml index 2f633cb8a20..8c2660b6324 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml index bc7697e2f18..a41913ed8fb 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml index 765481a5838..fafd1fdbf56 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml index 38b49dda801..a30cb02b50e 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml 
@@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml index 110d404c44f..43ada6439a9 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml index b8855487138..639603a07e6 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index bda6f990dda..22a6796814c 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml @@ -134,7 +134,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml index 04843eba9aa..004456773c4 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml @@ -254,7 +254,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -297,7 +297,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml index e532697a7b4..cad7873ad13 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml @@ -356,7 +356,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false @@ -391,7 +391,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar.com isHTTP2: false @@ -426,7 +426,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo1.com isHTTP2: false @@ -461,7 +461,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar1.com isHTTP2: false @@ -496,7 +496,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo2.com isHTTP2: false @@ -531,7 +531,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar2.com isHTTP2: false @@ -566,7 +566,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo3.com isHTTP2: false @@ -601,7 +601,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar3.com isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml index 5bc5e17485a..ff94451e5bc 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml @@ -307,7 +307,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false @@ -342,7 +342,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar.com isHTTP2: false @@ -377,7 +377,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo1.com isHTTP2: false @@ -412,7 +412,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar1.com isHTTP2: false @@ -447,7 +447,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo2.com isHTTP2: false @@ -482,7 +482,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar2.com isHTTP2: false @@ -517,7 +517,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - foo3.com isHTTP2: false @@ -552,7 +552,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar3.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index 2b7899d4f75..647d620d729 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -138,7 +138,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -173,7 +173,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml index 4d3310f2614..07bb66f43b7 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false @@ -162,7 +162,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - bar.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml index 817bc24013a..ee8dccb4256 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml index 4abbc554d9d..5ce4b0143c2 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml 
@@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml index 5b4bf8d4bb9..8897f06d841 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml @@ -129,7 +129,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false @@ -143,7 +143,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - bar.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml index 484fe119154..f4a6b3f6334 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml @@ -202,7 +202,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml index 80b6f6627b2..f5bf64e50d7 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml @@ -259,7 +259,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index cdbbe788086..f4b38eead2f 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -342,7 +342,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml index 3b5ddfa6298..e758629820c 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml index 5a413ae4630..8f302d19c11 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml @@ -290,7 +290,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml index 7b2b55fe1c0..a673d3342dd 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml index 5667491636e..8c02b288f1d 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml index e29f978c85e..73f0582b114 100644 
--- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml index 38c70c4a8d2..6de22de9901 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml index 144ccbd3c57..7efbce03645 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml index 3bdc7cc4697..865bc78af93 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml 
@@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml index c49d551e867..99d9d4f7725 100644 --- a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml index 9cd60408345..3138c613b78 100644 --- a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - foo.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml index dc1c9cb950d..242028fb5bc 100644 --- a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml index c7fd7b9e40e..ddc5eec76b5 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml @@ -93,7 +93,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml index 11634b9f050..dbd5d70f62f 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml index e9a785e0d1b..2f4fc1349a0 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml index 4c5fcd5e8e2..5e89675b3e5 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml @@ -175,7 +175,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml index d56407b0dd9..3e9f0b780d4 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml @@ -173,7 +173,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml index 122d09efdeb..3828541e423 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml @@ -121,7 +121,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index d708b748380..290787479f9 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml index 9b175f032c4..58c0c38d89d 100644 
--- a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml index 29b6b051366..8be2bc8a4e6 100644 --- a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml index 6853b8172b3..6b21dddcd4e 100644 --- a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml index 605aa384f3e..3ab8edd3fb0 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml index f122fc17d5b..0f06a777a42 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml index e3ea3d5158b..92a45ab8ea5 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml index 23567e22077..5b8b7e76f2f 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml index 67c14e133a7..af3f6e189d5 100644 
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml @@ -110,7 +110,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml index 7549c52cbb1..f49fa9e41e9 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml index 5405ad66246..2b0623b7710 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml index a8986f5d429..faaa608b996 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml index 36f621f095c..9a73541ccec 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml index b111af6e08b..f345d70ae45 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml index 2ca033356bb..6c390846d3a 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml index e7c2869de1c..26bffbc4231 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml 
@@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml index a1c5683d27a..818ac56cde8 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml index ed62f94f257..fb9ee9fbe2d 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml index 794a5d87c3a..b26a993bf21 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml index 18019d56e70..f0af70dfcd6 100644 
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml index f9ee3bb21fa..10fbc26ad4f 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml index 3500d3be9cc..e52f15b3ac1 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml index 05617ca8192..07e602727f7 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml @@ -148,7 +148,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -167,7 +167,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml index 9049ebe41de..fedcd5f5181 100644 --- a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml index 29d9dd320a5..7b213e66450 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml index c6e534c9c63..7251228643b 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml index 50105a1e054..ad035eb7c47 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml index c0c193e034a..44ab3461292 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml index e9f94617b4e..e1f711349e6 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml b/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml index c7801a560d0..d0f71d4d6a1 100644 --- a/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml index f3c1a6b1ed4..84dae610113 100644 --- a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml @@ -149,7 +149,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -189,7 +189,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml index ba2f58b8667..61b67c75d89 100644 --- a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml @@ -178,7 +178,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.a.example.com' isHTTP2: false @@ -215,7 +215,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.b.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml index 4e6bef64b9e..03f487b3aa4 100644 --- a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml @@ -176,7 +176,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.a.example.com' isHTTP2: false 
@@ -213,7 +213,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.b.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index 810a78ccb87..878e6bd1574 100644 --- a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml index d40408b2b02..9cdddc09c08 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml index d7496698338..9d122032e5e 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml index 63b32e64bb8..06dc740e0f6 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml index 43ca155587d..440d12ac4a3 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml index 588877b155e..104daac410d 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml @@ -103,7 +103,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml index 9676b5d7688..265050323ef 100644 
--- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml index 6dcb4b28779..636bcf1289e 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml index 47d61c9fcfa..f89d8bdc91a 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml index 1d2f4f7124c..5e03bbf8f52 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml 
@@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml index b0dbd71c18d..a5915c1f9d1 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml index 893ce8cc969..7b6b7508258 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml index 723cabbe6f7..0a032d52b85 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml @@ -110,7 +110,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml index 6c8c063716d..17b26b97dc9 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml index f46e5ae3977..b3c0c252310 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml index e8d2f720d19..f50cbfec103 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml index cd89f06e995..6a8bec12323 100644 
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml index e0f78c08c9d..aff1b276aa8 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml index a73f169aad1..0e7d3803555 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml index d4bf9af1612..c1005576fe9 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml index 48706fbfb0c..ab30a3cb5db 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml index 0be3cbea1d2..75b4de50088 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml @@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index ff9f5d272a8..97753e5fcee 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index 34ec33802bf..291ce9105ae 100644 
--- a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml index 2213aa315cb..4e4afb6be35 100644 --- a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml index 3d8c69a6178..5b9bb7fd74d 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml index 8e3079c9bbe..4aed1840d42 100644 
--- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml index c0d8cce8b8a..7dc2cb30469 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml index 7cbff74f25b..0c8665dc24d 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml index e1905ea7933..f30c9859523 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml 
@@ -111,7 +111,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml index 3dcffc8edbb..46d54b18956 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml index c51f0b56107..fcb1f1ea710 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml @@ -109,7 +109,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml index 25991b658fa..20023c84cf8 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml index 86b8fce36bd..9e55e63c72a 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml index dd20383d2ea..d6c093778ea 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml index c42f3934568..bb60b64605c 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml @@ -245,7 +245,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml index 17ffc680f52..24f1e8043f8 100644 
--- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml @@ -342,7 +342,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml index ab24ec0e81d..93a4d218056 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml @@ -348,7 +348,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml index 916f7d0cefe..2979fabc641 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml index 821a30d4cb3..636d864e709 100644 --- a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml 
@@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml index a21561696f2..ec627ecda95 100644 --- a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml @@ -283,7 +283,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml index d8d24642dd3..33ab0632ce2 100644 --- a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -151,6 +151,6 @@ xdsIR: mergeSlashes: true port: 10080 udp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-2/udp port: 10080 diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml index 0e015155214..27f75da25ec 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml @@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -186,7 +186,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - company.com isHTTP2: false 
@@ -200,7 +200,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -214,7 +214,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml index 4c48dd68694..dba5580e6a7 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml @@ -223,7 +223,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -258,7 +258,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -272,7 +272,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml index 7afe665224b..b5fb3b7915b 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml @@ -145,7 +145,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -159,7 +159,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -173,7 +173,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml index b0e8b627fe8..1c828fc13bf 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml @@ -501,7 +501,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - bar.example.com isHTTP2: false @@ -560,7 +560,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: 0.0.0.0 + - address: '::' hostnames: - foo.example.com isHTTP2: false @@ -619,7 +619,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: 0.0.0.0 + - address: '::' hostnames: - bar.example.com isHTTP2: false @@ -670,7 +670,7 @@ xdsIR: - x-header-7 - x-header-8 maxAge: 33m20s - - address: 0.0.0.0 + - address: '::' hostnames: - foo.example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml index 8e62bb597d5..92ca64456d4 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -349,7 +349,7 @@ xdsIR: idleTime: 1200 interval: 60 probes: 3 - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml index 5ce63e62453..d1f9b18c250 100644 --- a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml @@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml index c6f72065531..7b56ed6a0f9 100644 --- a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml @@ -300,7 +300,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 607330a824c..e4898317537 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -406,7 +406,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -444,7 +444,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -478,6 +478,6 @@ xdsIR: name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* security: {} tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml index 82281af294a..01a3b8426dc 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml 
@@ -285,7 +285,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml index ed422e70031..95885020f69 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml @@ -154,7 +154,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index 02fd1a6ddd1..3c0d7e09c02 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -212,7 +212,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml index 789da05196b..2842832ec14 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml @@ -339,7 +339,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -394,7 +394,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -431,7 +431,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml index 3f58304e886..ad7f13fd7bb 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml @@ -402,7 +402,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -460,7 +460,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -519,7 +519,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index ccdb2458370..a2128bd6085 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -349,7 +349,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index d72cd182896..ded079e5c9c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml @@ -222,7 +222,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml index c5bf4237f52..d27a3cb2db2 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml index 3f5e60f11e8..2bab8201c1d 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml index 1f8fd280ad6..c85015431dc 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml @@ -137,7 +137,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index 294267b90e0..fecdfd343c3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml index 350fc8e908b..8485328ac78 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml @@ -205,7 +205,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index b87c7992c90..4eca64d1a07 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index d72cd182896..ded079e5c9c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -222,7 +222,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index d5731870d17..37aa96f24a1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml 
@@ -234,7 +234,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml index 711d30f0d14..fcbe359dce5 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -338,7 +338,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml index c892bef7e4f..180b40be7f3 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -337,7 +337,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml index 704961a0476..54a652f4e27 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml @@ -272,7 +272,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: true @@ -329,7 +329,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index d878bcdb505..092a2169ed7 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -179,7 +179,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml index a42e482a758..4f58b2a71f4 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml @@ -140,7 +140,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml index caf951bcc40..4c64216743a 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index 319d6bcfe58..d5025efe61f 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml 
@@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -300,7 +300,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -319,7 +319,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index 1d9093a8d38..edba4b82b0d 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -235,7 +235,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index d3a6e8bdc19..acb5295b43b 100644 --- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml @@ -166,7 +166,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10090 routes: 
@@ -193,7 +193,7 @@ xdsIR: - name: envoy-gateway/tls-secret-1 privateKey: '[redacted]' serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREVENDQWZXZ0F3SUJBZ0lVRUZNaFA5ZUo5WEFCV3NRNVptNmJSazJjTE5Rd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZqRVVNQklHQTFVRUF3d0xabTl2TG1KaGNpNWpiMjB3SGhjTk1qUXdNakk1TURrek1ERXdXaGNOTXpRdwpNakkyTURrek1ERXdXakFXTVJRd0VnWURWUVFEREF0bWIyOHVZbUZ5TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFKbEk2WXhFOVprQ1BzNnBDUXhickNtZWl4OVA1RGZ4OVJ1NUxENFQKSm1kVzdJS2R0UVYvd2ZMbXRzdTc2QithVGRDaldlMEJUZmVPT1JCYlIzY1BBRzZFbFFMaWNsUVVydW4zcStncwpKcEsrSTdjSStqNXc4STY4WEg1V1E3clZVdGJ3SHBxYncrY1ZuQnFJVU9MaUlhdGpJZjdLWDUxTTF1RjljZkVICkU0RG5jSDZyYnI1OS9SRlpCc2toeHM1T3p3Sklmb2hreXZGd2V1VHd4Sy9WcGpJKzdPYzQ4QUJDWHBOTzlEL3EKRWgrck9hdWpBTWNYZ0hRSVRrQ2lpVVRjVW82TFNIOXZMWlB0YXFmem9acTZuaE1xcFc2NUUxcEF3RjNqeVRUeAphNUk4SmNmU0Zqa2llWjIwTFVRTW43TThVNHhIamFvL2d2SDBDQWZkQjdSTFUyc0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRk9SQ0U4dS8xRERXN2loWnA3Y3g5dFNtUG02T01COEdBMVVkSXdRWU1CYUFGT1JDRTh1LzFERFcKN2loWnA3Y3g5dFNtUG02T01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQgpBRnQ1M3pqc3FUYUg1YThFMmNodm1XQWdDcnhSSzhiVkxNeGl3TkdqYm1FUFJ6K3c2TngrazBBOEtFY0lEc0tjClNYY2k1OHU0b1didFZKQmx6YS9adWpIUjZQMUJuT3BsK2FveTc4NGJiZDRQMzl3VExvWGZNZmJCQ20xdmV2aDkKQUpLbncyWnRxcjRta2JMY3hFcWxxM3NCTEZBUzlzUUxuS05DZTJjR0xkVHAyYm9HK3FjZ3lRZ0NJTTZmOEVNdgpXUGlmQ01NR3V6Sy9HUkY0YlBPL1lGNDhld0R1M1VlaWgwWFhkVUFPRTlDdFVhOE5JaGMxVVBhT3pQcnRZVnFyClpPR2t2L0t1K0I3OGg4U0VzTzlYclFjdXdiT25KeDZLdFIrYWV5a3ZBcFhDUTNmWkMvYllLQUFSK1A4QUpvUVoKYndJVW1YaTRnajVtK2JLUGhlK2lyK0U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls-hostname port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml index 29a124844e5..5bf2c388a30 100644 --- a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml 
+++ b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tcp port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml index a3dc7519ecd..12021806303 100644 --- a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml @@ -94,7 +94,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml index 5a065e6d6bb..802c84636ad 100644 --- a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml index 97bce6d0acf..48e11662a57 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index 1f8515c6532..072357e7937 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml 
+++ b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml index 09664c0e41c..dbb35bfecef 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml @@ -93,7 +93,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml index d40d0927396..f696db74016 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: 0.0.0.0 + - address: '::' name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml index 9c0610b4051..4ed723d6985 100644 --- a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml @@ -230,7 +230,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -265,7 +265,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false 
@@ -279,7 +279,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml index 4bd1415e464..d51b333e647 100644 --- a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml @@ -255,7 +255,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -311,7 +311,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: 0.0.0.0 + - address: '::' hostnames: - '*' isHTTP2: false @@ -325,7 +325,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: 0.0.0.0 + - address: '::' hostnames: - example.com isHTTP2: false diff --git a/internal/utils/net/ip.go b/internal/utils/net/ip.go new file mode 100644 index 00000000000..4c496936801 --- /dev/null +++ b/internal/utils/net/ip.go @@ -0,0 +1,10 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package net + +const ( + IPv6ListenerAddress = "::" +) diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 9a68c5f3c1f..098cc896145 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go 
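Review bot: The exported constant `IPv6ListenerAddress` in the new internal/utils/net/ip.go has no doc comment, and nothing in the file says that a listener bound to it serves IPv4 clients only when the socket address also enables IPv4 compatibility, as the listener.go change in this commit does. I would add `// IPv6ListenerAddress is the IPv6 wildcard bind address; listeners using it rely on Ipv4Compat to also accept IPv4 clients.` above the constant. The package name `net` also shadows the standard library package, so any importer that needs both has to alias one of them; a distinct package name would avoid that.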
@@ -146,42 +146,11 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin return extensionConfig } -func setAddressByIPFamily(socketAddress *corev3.SocketAddress, ipFamily *ir.IPFamily, port uint32) []*listenerv3.AdditionalAddress { - if ipFamily == nil { - return nil - } - switch *ipFamily { - case ir.IPv4: - socketAddress.Address = "0.0.0.0" - case ir.IPv6: - socketAddress.Address = "::" - case ir.Dualstack: - socketAddress.Address = "0.0.0.0" - return []*listenerv3.AdditionalAddress{ - { - Address: &corev3.Address{ - Address: &corev3.Address_SocketAddress{ - SocketAddress: &corev3.SocketAddress{ - Protocol: socketAddress.Protocol, - Address: "::", - PortSpecifier: &corev3.SocketAddress_PortValue{ - PortValue: port, - }, - }, - }, - }, - }, - } - } - return nil -} - // buildXdsTCPListener creates a xds Listener resource // TODO: Improve function parameters func buildXdsTCPListener( name, address string, port uint32, - ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog, @@ -205,13 +174,12 @@ func buildXdsTCPListener( PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: port, }, + Ipv4Compat: true, }, }, }, } - socketAddress := listener.Address.GetSocketAddress() - listener.AdditionalAddresses = setAddressByIPFamily(socketAddress, ipFamily, port) return listener, nil } @@ -239,6 +207,7 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: port, }, + Ipv4Compat: true, }, }, }, @@ -880,6 +849,7 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: udpListener.Port, }, + Ipv4Compat: true, }, }, }, diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml index 405c2372d91..8a0497c3fb8 100644 
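Review bot: `Ipv4Compat: true` is now set unconditionally in buildXdsTCPListener although the bind address is still the caller-supplied `address`; the buildXdsQuicListener and buildXdsUDPListener hunks do the same. Envoy defines ipv4_compat for IPv6 bind addresses, and newer Envoy releases appear to reject it on a plain IPv4 address, so an IR that still carries `0.0.0.0` or a specific IPv4 address could produce a listener that is refused instead of bound. I would derive the flag from the address, `Ipv4Compat: address == "::",` (or compare against the new IPv6ListenerAddress constant), in all three places, using the UDP listener's own address field there. With setAddressByIPFamily and the ipFamily parameter removed there is also no IPv4-only path left, and on nodes where IPv6 is disabled a bind to `::` presumably fails, so this assumption deserves a comment or a fallback. The three function bodies continue outside these hunks.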
--- a/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-cel.yaml @@ -35,7 +35,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml index 2355c6504cf..623c3b6d594 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-endpoint-stats.yaml @@ -31,7 +31,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml index e4e088d349b..4ba42ea82bb 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-formatters.yaml @@ -39,7 +39,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-invalid.yaml index 10768da4354..8c8161e2e33 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-invalid.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-invalid.yaml @@ -27,7 +27,7 @@ accesslog: port: 4317 http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml index 95b4971cd39..d84151866f2 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml 
+++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-multi-cel.yaml @@ -39,7 +39,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml index 434f2fb524c..1492b397569 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog-without-format.yaml @@ -44,7 +44,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml index 3f84816fdcf..38d5e8a74be 100644 --- a/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/accesslog.yaml @@ -53,7 +53,7 @@ accesslog: protocol: "GRPC" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/backend-buffer-limit.yaml b/internal/xds/translator/testdata/in/xds-ir/backend-buffer-limit.yaml index 493180389ad..4cb9541775b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/backend-buffer-limit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/backend-buffer-limit.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" @@ -21,7 +21,7 @@ http: bufferLimit: 100000000 tcp: - name: "second-listener" - address: "0.0.0.0" + address: "::" connection: bufferLimit: 1500 port: 10081 @@ -37,7 +37,7 @@ tcp: bufferLimit: 100000000 udp: - name: "udp-route" - address: "0.0.0.0" + address: "::" port: 10080 route: name: "udp-route" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml b/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml index f4dd3bbaa99..1eb6f7b7010 100644 --- a/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/circuit-breaker.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml b/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml index c7af759ecf9..6604d37dc47 100644 --- a/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/client-buffer-limit.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" @@ -20,7 +20,7 @@ http: bufferLimit: 1500 tcp: - name: "second-listener" - address: "0.0.0.0" + address: "::" connection: bufferLimit: 1500 port: 10081 diff --git a/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml b/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml index de3236a8622..1894902a0ba 100644 --- a/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 8081 hostnames: - "*" @@ -17,7 +17,7 @@ http: xForwardedFor: numTrustedHops: 2 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 8082 hostnames: - "*" @@ -35,7 +35,7 @@ http: name: "x-my-custom-header" failClosed: false - name: "third-listener" - address: "0.0.0.0" + address: "::" port: 8083 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml index 741f2d46451..6ce11179029 100644 
--- a/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/client-timeout.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" @@ -22,7 +22,7 @@ http: idleTimeout: "10s" tcp: - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 routes: - name: "second-route" diff --git a/internal/xds/translator/testdata/in/xds-ir/cors.yaml b/internal/xds/translator/testdata/in/xds-ir/cors.yaml index 0e046110a00..2d7fedf0513 100644 --- a/internal/xds/translator/testdata/in/xds-ir/cors.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/cors.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/fault-injection.yaml b/internal/xds/translator/testdata/in/xds-ir/fault-injection.yaml index 39b351eb6ec..163e3507cae 100644 --- a/internal/xds/translator/testdata/in/xds-ir/fault-injection.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/fault-injection.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 path: mergeSlashes: true diff --git a/internal/xds/translator/testdata/in/xds-ir/headers-with-preserve-x-request-id.yaml b/internal/xds/translator/testdata/in/xds-ir/headers-with-preserve-x-request-id.yaml index 1376be42e14..d2599bc005c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/headers-with-preserve-x-request-id.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/headers-with-preserve-x-request-id.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 8081 hostnames: - "*" @@ -16,7 +16,7 @@ http: headers: preserveXRequestID: true - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 8082 hostnames: - "*" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml b/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml index 53b7076925c..0787ec0780a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/headers-with-underscores-action.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 8081 hostnames: - "*" @@ -14,7 +14,7 @@ http: - host: "1.1.1.1" port: 8081 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 8082 hostnames: - "*" @@ -30,7 +30,7 @@ http: headers: withUnderscoresAction: Allow - name: "third-listener" - address: "0.0.0.0" + address: "::" port: 8083 hostnames: - "*" @@ -46,7 +46,7 @@ http: headers: withUnderscoresAction: RejectRequest - name: "fourth-listener" - address: "0.0.0.0" + address: "::" port: 8084 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml index 12f62f86414..b78270a421a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/health-check.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/health-check.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" path: mergeSlashes: true escapedSlashesAction: UnescapeAndRedirect diff --git a/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml b/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml index 6301153cd1c..84b0e2f5673 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-early-header-mutation.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" 
@@ -19,7 +19,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/http-endpoint-stats.yaml index 12fc177bde8..076e1427e39 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-endpoint-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-endpoint-stats.yaml @@ -3,7 +3,7 @@ metrics: enablePerEndpointStats: true http: - name: "listener-enable-endpoint-stats" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-health-check.yaml b/internal/xds/translator/testdata/in/xds-ir/http-health-check.yaml index a4bdd70a384..2a22775b7c0 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-health-check.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-health-check.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml index 5c174e363ef..3831d1a6bd4 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-req-resp-sizes-stats.yaml @@ -3,7 +3,7 @@ metrics: enableRequestResponseSizesStats: true http: - name: "listener-enable-req-resp-sizes-stats" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-direct-response.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-direct-response.yaml index 9db15c7fb9d..c51cf53a389 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-direct-response.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-direct-response.yaml 
@@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-dns-cluster.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-dns-cluster.yaml index 1cb0be3ec26..12986c3ed86 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-dns-cluster.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-dns-cluster.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-mirror.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-mirror.yaml index b00449b384f..5d000b85bdf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-mirror.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-mirror.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-multiple-mirrors.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-multiple-mirrors.yaml index 3d13de381be..02724f765d7 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-multiple-mirrors.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-multiple-mirrors.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-partial-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-partial-invalid.yaml index d72ec1d2c68..ad06367ef75 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-partial-invalid.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-partial-invalid.yaml 
@@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml index 1c541a9caac..dd2a5aaeb1c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-redirect.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-regex.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-regex.yaml index d9558ad99a2..cfa271c3e98 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-regex.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-regex.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml index fb45b8db724..7bd5a5013cf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-request-headers.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml index 3cfaf5e4945..c27f02da065 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-headers.yaml 
@@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml index c97d927dff6..d04cc086e90 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-response-add-remove-headers.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-response-remove-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-response-remove-headers.yaml index f7b30b3d7d6..8ecd2bb4c74 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-response-remove-headers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-response-remove-headers.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-root-path-url-prefix.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-root-path-url-prefix.yaml index f4307644514..97e92bd1f25 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-root-path-url-prefix.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-root-path-url-prefix.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml index 97d0b5457cd..3dce5f3d6a9 100644 
--- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-fullpath.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-fullpath.yaml index 4d08acb93ee..a3c9eef83cf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-fullpath.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-fullpath.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml index 525a22210b9..7e971a596c6 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-host.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-prefix.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-prefix.yaml index df4f2e9c2bf..de751b8680b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-prefix.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-prefix.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml index 0389201186e..531ac4a2941 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-rewrite-url-regex.yaml @@ -1,7 +1,7 @@ name: "http-route" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml index 536c5ad50cb..d5cfffa0e4b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-session-persistence.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml index 746d4922542..b3ab173f745 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-uds-ip.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-uds-ip.yaml index 711913d4dfd..90bf39f5ad0 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-uds-ip.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-uds-ip.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml index 8745e9893bc..5789434790e 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend-with-filters.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" hostnames: - '*' path: diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend.yaml index 2540dec625a..3a3df9cd596 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-backend.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml index d883bac1fa1..c342dc30383 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-weighted-invalid-backend.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route.yaml index 0c89d5a1840..dff106a6ff1 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/http1-preserve-case.yaml b/internal/xds/translator/testdata/in/xds-ir/http1-preserve-case.yaml index f857ac8f854..1b6382fc71a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http1-preserve-case.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http1-preserve-case.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" @@ -19,7 +19,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http1-trailers.yaml b/internal/xds/translator/testdata/in/xds-ir/http1-trailers.yaml index 51174744979..83fa599cfd0 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http1-trailers.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http1-trailers.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/http10.yaml b/internal/xds/translator/testdata/in/xds-ir/http10.yaml index 47f57a04422..fea6bafa0e5 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http10.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http10.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" diff --git a/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml b/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml index 5d271080918..1f11535ee18 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http2-route.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" 
diff --git a/internal/xds/translator/testdata/in/xds-ir/http2.yaml b/internal/xds/translator/testdata/in/xds-ir/http2.yaml index c95bc0442c0..ffa5e487a7a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http2.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http2.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml index 9c248772920..8d78880b81b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-empty-jsonpath.yaml @@ -28,7 +28,7 @@ envoyPatchPolicies: region: second-route-dest/backend/0 http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-without-value.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-without-value.yaml index b4659755214..2dea53dcc3c 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-without-value.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-add-op-without-value.yaml @@ -33,7 +33,7 @@ envoyPatchPolicies: path: "/virtual_hosts/0/rate_limits" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-invalid-patch.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-invalid-patch.yaml index 551bdd6dda6..70ae0f10710 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-invalid-patch.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-invalid-patch.yaml 
@@ -28,7 +28,7 @@ envoyPatchPolicies: transport_api_version: V3 http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-missing-resource.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-missing-resource.yaml index 3f50ddf7aaf..f10bf20addc 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-missing-resource.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-missing-resource.yaml @@ -28,7 +28,7 @@ envoyPatchPolicies: transport_api_version: V3 http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-move-op-with-value.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-move-op-with-value.yaml index d66eaa633db..dd586aec3ea 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-move-op-with-value.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-move-op-with-value.yaml @@ -36,7 +36,7 @@ envoyPatchPolicies: test: "abc" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml index 5b677788a22..9b0d7b4937b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath-invalid.yaml @@ -17,7 +17,7 @@ envoyPatchPolicies: value: "50" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml index a02cad99d67..34ca0aff98c 100644 
--- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch-with-jsonpath.yaml @@ -121,7 +121,7 @@ envoyPatchPolicies: path: "/endpoints/0/load_balancing_weight" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml b/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml index 1aa76efdfab..04b88fca088 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jsonpatch.yaml @@ -109,7 +109,7 @@ envoyPatchPolicies: path: "/endpoints/0/load_balancing_weight" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-custom-extractor.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-custom-extractor.yaml index 8d24373fd6a..1f0ff2189ec 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-custom-extractor.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-custom-extractor.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml index 88f88f5aa35..3d52645831e 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-single-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-single-provider.yaml index 324f54d9311..1e0a31975d4 100644 
--- a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-single-provider.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-single-provider.yaml @@ -3,7 +3,7 @@ accesslog: - path: "/dev/stdout" http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml index b43dd005257..7ab85e6928e 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-ratelimit.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-ratelimit.yaml index 008b5b9bde6..18957afe903 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-ratelimit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-ratelimit.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml index a5b72e0ff53..4df3cf34798 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-single-route-single-match.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml index b8022bc0357..b758db9918b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml 
+++ b/internal/xds/translator/testdata/in/xds-ir/listener-connection-limit.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" @@ -18,7 +18,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 hostnames: - "foo.net" @@ -39,7 +39,7 @@ http: port: 50000 tcp: - name: "third-listener" - address: "0.0.0.0" + address: "::" port: 10082 connection: limit: @@ -56,7 +56,7 @@ tcp: - host: "1.2.3.4" port: 50000 - name: "fourth-listener" - address: "0.0.0.0" + address: "::" connection: limit: value: 10 diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-proxy-protocol.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-proxy-protocol.yaml index 35f4e744093..f9f26a8103a 100644 --- a/internal/xds/translator/testdata/in/xds-ir/listener-proxy-protocol.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/listener-proxy-protocol.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" @@ -32,7 +32,7 @@ http: port: 50000 tcp: - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 enableProxyProtocol: true routes: diff --git a/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml index 19d7d3335d5..e9da0aa245f 100644 --- a/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/listener-tcp-keepalive.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" @@ -18,7 +18,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10081 hostnames: - "foo.net" 
@@ -40,7 +40,7 @@ http: port: 50000 tcp: - name: "third-listener" - address: "0.0.0.0" + address: "::" port: 10082 tcpKeepalive: {} routes: @@ -55,7 +55,7 @@ tcp: - host: "1.2.3.4" port: 50000 - name: "fourth-listener" - address: "0.0.0.0" + address: "::" tcpKeepalive: probes: 10 port: 10083 diff --git a/internal/xds/translator/testdata/in/xds-ir/load-balancer.yaml b/internal/xds/translator/testdata/in/xds-ir/load-balancer.yaml index d2b754bf16b..17a09c845b5 100644 --- a/internal/xds/translator/testdata/in/xds-ir/load-balancer.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/load-balancer.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/local-ratelimit.yaml b/internal/xds/translator/testdata/in/xds-ir/local-ratelimit.yaml index fb7baf05cd6..8299d0f0823 100644 --- a/internal/xds/translator/testdata/in/xds-ir/local-ratelimit.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/local-ratelimit.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/metrics-virtual-host.yaml b/internal/xds/translator/testdata/in/xds-ir/metrics-virtual-host.yaml index 39f1a23dc7f..e326e5667cf 100644 --- a/internal/xds/translator/testdata/in/xds-ir/metrics-virtual-host.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/metrics-virtual-host.yaml @@ -3,7 +3,7 @@ metrics: enableVirtualHostStats: true http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml b/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml index e77e1262245..e1d7f0658fb 100644 --- a/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/mixed-tls-jwt-authn.yaml 
@@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "*" diff --git a/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml b/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml index b694ac5aab0..3aca8e48b0b 100644 --- a/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/multiple-listeners-same-port.yaml @@ -1,6 +1,6 @@ http: - name: "first-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.com" @@ -27,7 +27,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "second-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "foo.net" @@ -54,7 +54,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "third-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "example.com" @@ -71,7 +71,7 @@ http: - host: "1.2.3.4" port: 50000 - name: "fourth-listener" - address: "0.0.0.0" + address: "::" port: 10080 hostnames: - "example.net" @@ -89,7 +89,7 @@ http: port: 50000 tcp: - name: "fifth-listener" - address: "0.0.0.0" + address: "::" port: 10080 routes: - name: "fifth-route" @@ -104,7 +104,7 @@ tcp: - host: "1.2.3.4" port: 50000 - name: "sixth-listener" - address: "0.0.0.0" + address: "::" port: 10080 routes: - name: "sixth-route" diff --git a/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml b/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml index 19ad6357e9a..ba1eff21400 100644 --- a/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/multiple-simple-tcp-route-same-port.yaml @@ -1,6 +1,6 @@ tcp: - name: "tcp-listener-simple" - address: "0.0.0.0" + address: "::" port: 10080 routes: - name: "tcp-route-simple" 
@@ -13,7 +13,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tcp-listener-simple-1"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple-1"
@@ -26,7 +26,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tcp-listener-simple-2"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple-2"
@@ -39,7 +39,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tcp-listener-simple-3"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple-3"
@@ -52,7 +52,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tcp-listener-simple-4"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple-4"
diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.yaml
index aac60cf7c41..b975466c27a 100644
--- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10001
 hostnames:
 - "*"
@@ -36,7 +36,7 @@ http:
 - host: "10.0.0.1"
 port: 10001
 - name: "second-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10002
 hostnames:
 - "*"
@@ -73,7 +73,7 @@ http:
 - host: "10.0.0.1"
 port: 10002
 - name: "third-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10003
 hostnames:
 - "*"
@@ -111,7 +111,7 @@ http:
 - host: "10.0.0.1"
 port: 10003
 - name: "fourth-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10004
 hostnames:
 - "*"
@@ -151,7 +151,7 @@ http:
 - host: "10.0.0.1"
 port: 10004
 - name: "fifth-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10005
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate.yaml
index 72eaea1f58e..5f50492e526 100644
--- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-forward-client-certificate.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10001
 hostnames:
 - "*"
@@ -36,7 +36,7 @@ http:
 - host: "10.0.0.1"
 port: 10001
 - name: "second-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10002
 hostnames:
 - "*"
@@ -72,7 +72,7 @@ http:
 - host: "10.0.0.1"
 port: 10002
 - name: "third-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10003
 hostnames:
 - "*"
@@ -108,7 +108,7 @@ http:
 - host: "10.0.0.1"
 port: 10003
 - name: "fourth-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10004
 hostnames:
 - "*"
@@ -144,7 +144,7 @@ http:
 - host: "10.0.0.1"
 port: 10004
 - name: "fifth-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10005
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml
index 61f67998deb..cfe94ba32f3 100644
--- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls-required-client-certificate-disabled.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
@@ -35,7 +35,7 @@ http:
 port: 50000
 tcp:
 - name: "second-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10081
 tls:
 certificates:
diff --git a/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml b/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml
index 01103c9e5ec..d4ba0f617e9 100644
--- a/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/mutual-tls.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
@@ -35,7 +35,7 @@ http:
 port: 50000
 tcp:
 - name: "second-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10081
 tls:
 certificates:
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
index 6fc9a045bca..993f775947a 100644
--- a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
index 828da7c2fb1..c2e75b916d0 100644
--- a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/path-settings.yaml b/internal/xds/translator/testdata/in/xds-ir/path-settings.yaml
index 1eddbaab253..e3752799fc6 100644
--- a/internal/xds/translator/testdata/in/xds-ir/path-settings.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/path-settings.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/proxy-protocol-upstream.yaml b/internal/xds/translator/testdata/in/xds-ir/proxy-protocol-upstream.yaml
index 47df0026b9f..c1e4c9dd632 100644
--- a/internal/xds/translator/testdata/in/xds-ir/proxy-protocol-upstream.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/proxy-protocol-upstream.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-custom-domain.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-custom-domain.yaml
index 271d39cfdcb..663dda6eb06 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-custom-domain.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-custom-domain.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-disable-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-disable-headers.yaml
index 7c48e227ecc..56028c4162c 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-disable-headers.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-disable-headers.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-endpoint-stats.yaml
index 32f95117283..d7e2dea2ac1 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-endpoint-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-endpoint-stats.yaml
@@ -2,7 +2,7 @@ metrics:
 enablePerEndpointStats: true
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml
index fa9b6f31ae5..d6b6a9b3245 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-headers-and-cidr.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit-sourceip.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit-sourceip.yaml
index 495fa9b7a1f..289104b1df3 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit-sourceip.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit-sourceip.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml b/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml
index 2279315caed..7af166fca4d 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ratelimit.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
index 7483356722d..cb883565f8c 100644
--- a/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/retry-partial-invalid.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/simple-tls.yaml b/internal/xds/translator/testdata/in/xds-ir/simple-tls.yaml
index 7309020334a..fd1408fdf2d 100644
--- a/internal/xds/translator/testdata/in/xds-ir/simple-tls.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/simple-tls.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/suppress-envoy-headers.yaml b/internal/xds/translator/testdata/in/xds-ir/suppress-envoy-headers.yaml
index f26d13b084e..d01294ed199 100644
--- a/internal/xds/translator/testdata/in/xds-ir/suppress-envoy-headers.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/suppress-envoy-headers.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "foo.com"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml
index 1bbe5a43371..28ee60724bf 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-endpoint-stats.yaml
@@ -3,7 +3,7 @@ metrics:
 enablePerEndpointStats: true
 tcp:
 - name: "tcp-route-enable-endpoint-stats"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - destination:
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml
index 5c3cd2be7a0..1b915c58433 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-req-resp-sizes-stats.yaml
@@ -3,7 +3,7 @@ metrics:
 enableRequestResponseSizesStats: true
 tcp:
 - name: "tcp-route-enable-req-resp-sizes-stats"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - destination:
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml
index 901c0f66f40..48f58cd84dc 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-complex.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tcp-listener-complex"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-complex"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml
index 427472d6832..80511b12899 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-invalid-endpoint.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tcp-listener-simple"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml
index 58f1ec03892..ae3ab3fc127 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-simple.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tcp-listener-simple"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-simple"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml
index 2acfdc391ea..86d0101d657 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-tls-terminate.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tls-listener-terminate"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tls-route-terminate"
@@ -20,7 +20,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tls-terminate-hostname"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 tls:
 inspector:
diff --git a/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml b/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml
index 73081048864..2e5e133bc25 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tcp-route-weighted-backend.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tcp-listener-weighted-backend"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tcp-route-weighted-backend"
diff --git a/internal/xds/translator/testdata/in/xds-ir/timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/timeout.yaml
index 8abc0af3cdd..f33270a0dd5 100644
--- a/internal/xds/translator/testdata/in/xds-ir/timeout.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/timeout.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml
index 285927c9017..54da9ebef28 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tls-route-passthrough.yaml
@@ -1,6 +1,6 @@
 tcp:
 - name: "tls-passthrough-foo"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 routes:
 - name: "tls-route-passthrough-foo"
@@ -17,7 +17,7 @@ tcp:
 - host: "5.6.7.8"
 port: 50001
 - name: "tls-passthrough-bar"
- address: "0.0.0.0"
+ address: "::"
 port: 10081
 routes:
 - name: "tls-route-passthrough-bar"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml b/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml
index afcf3322715..6e70e3afba0 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tls-with-ciphers-versions-alpn.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 path:
 escapedSlashesAction: UnescapeAndRedirect
 mergeSlashes: true
@@ -51,7 +51,7 @@ http:
 port: 50000
 tcp:
 - name: "second-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10081
 tls:
 ciphers:
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml
index 1ed5b3aef3c..55c83e0bd0d 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing-datadog.yaml
@@ -28,7 +28,7 @@ tracing:
 type: Datadog
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml
index 1d8c4b7a338..c5ddea6b9ab 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing-endpoint-stats.yaml
@@ -33,7 +33,7 @@ tracing:
 type: OpenTelemetry
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-invalid.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-invalid.yaml
index d8b23c5d21e..3a9a50904f6 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing-invalid.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing-invalid.yaml
@@ -22,7 +22,7 @@ tracing:
 port: 4317
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml
index 02623bc0c7a..dad1fdba41b 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing-unknown-provider-type.yaml
@@ -30,7 +30,7 @@ tracing:
 type: AwesomeTelemetry
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml
index dded17dd193..52f559c907b 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing-zipkin.yaml
@@ -34,7 +34,7 @@ tracing:
 disableSharedSpanContext: true
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml
index b5cccf6dbab..7762d44b525 100644
--- a/internal/xds/translator/testdata/in/xds-ir/tracing.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/tracing.yaml
@@ -52,7 +52,7 @@ tracing:
 type: OpenTelemetry
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml
index fc597f28928..9e27ffc95aa 100644
--- a/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/udp-endpoint-stats.yaml
@@ -3,7 +3,7 @@ metrics:
 enablePerEndpointStats: true
 udp:
 - name: "udp-route-enable-endpoint-stats"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 route:
 name: "udp-route"
diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml
index 1e7e0d9fb53..39f7cf99cf2 100644
--- a/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/udp-req-resp-sizes-stats.yaml
@@ -3,7 +3,7 @@ metrics:
 enableRequestResponseSizesStats: true
 udp:
 - name: "udp-route-enable-req-resp-sizes-stats"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 route:
 name: "udp-route"
diff --git a/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml b/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml
index a933bdd78a4..8f59089835b 100644
--- a/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/udp-route.yaml
@@ -1,6 +1,6 @@
 udp:
 - name: "udp-route"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 route:
 name: "udp-route"
diff --git a/internal/xds/translator/testdata/in/xds-ir/upstream-tcpkeepalive.yaml b/internal/xds/translator/testdata/in/xds-ir/upstream-tcpkeepalive.yaml
index b00f5e55a3b..c66533226d8 100644
--- a/internal/xds/translator/testdata/in/xds-ir/upstream-tcpkeepalive.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/upstream-tcpkeepalive.yaml
@@ -1,6 +1,6 @@
 http:
 - name: "first-listener"
- address: "0.0.0.0"
+ address: "::"
 port: 10080
 hostnames:
 - "*"
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml
index 6fbaf5053ec..026cd70e650 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
@@ -43,6 +44,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10162
 protocol: UDP
 listenerFilters:
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml
index e6777ebece3..507aaab00f5 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml
index c3fb113017a..9c25f196445 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml
index 7837e1509fc..5b2e1a6719a 100644
--- a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10081
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml
index d9795d2be43..1bb613cbfcd 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml
@@ -82,7 +82,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml
index 6a7ebeda5c3..78d5f7abe9f 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml
@@ -61,7 +61,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml
index cb6e3ef7759..2532b596f44 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml
@@ -105,7 +105,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml
index 3677e6bec6b..713a4137c31 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml
@@ -97,7 +97,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml
index dbb30726378..8bdbfafa21e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml
@@ -142,6 +142,7 @@
 address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml
index 9df135e671c..27da99342c3 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml
@@ -80,7 +80,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml
index 0ef9cdc5fab..c43406cbaea 100644
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml
@@ -80,7 +80,8 @@
 stringValue: cluster1
 address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml
index 907d28f78b7..1a6a6c94ebf 100644
--- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
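Review bot: `ipv4Compat: true` is added in the authorization-client-cidr golden next to `address: 0.0.0.0`, but Envoy documents `ipv4_compat` only for binds to an IPv6 address, so on this listener the flag has no documented effect. It suggests the translator now sets the flag unconditionally (the translator code is not part of this hunk). I would set it only when the listener address parses as IPv6, which leaves this golden as `address: 0.0.0.0` followed directly by `portValue: 10080`. The same pair shows up in the other listener goldens of this patch that keep `0.0.0.0`, for example `basic-auth.listeners.yaml` and `ext-auth.listeners.yaml`. Since this fixture covers client-CIDR authorization, a variant bound to `::` would also be worth adding: per the Envoy docs a dual-stack bind maps IPv4 peers into IPv6 space as `::FFFF:<IPv4-address>`, and how IPv4 CIDR principals match such peers should be confirmed rather than assumed.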
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml
index f34bcbe362f..c3144002dc5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml
index f34bcbe362f..c3144002dc5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml
index 907d28f78b7..1a6a6c94ebf 100644
--- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml
index 1fadbe977d8..39d16f0162e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
@@ -34,7 +35,8 @@
 perConnectionBufferLimitBytes: 32768
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10081
 filterChains:
 - filters:
@@ -48,7 +50,8 @@
 perConnectionBufferLimitBytes: 1500
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 protocol: UDP
 listenerFilters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml
index 55e2fde715b..fec7e1ade2f 100644
--- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml
index a7accc0ef6c..3f5b5976eb0 100644
--- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
 address: 0.0.0.0
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml
index c3fb113017a..a9b9065d238 100644
--- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml
index 96f06388ed3..91c886e41b1 100644
--- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10080
 defaultFilterChain:
 filters:
@@ -34,7 +35,8 @@
 perConnectionBufferLimitBytes: 1500
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 10081
 filterChains:
 - filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml
index 885e958a3e6..76e8d8b7cf5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml
@@ -1,6 +1,7 @@
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 8081
 defaultFilterChain:
 filters:
@@ -33,7 +34,8 @@
 perConnectionBufferLimitBytes: 32768
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 8082
 defaultFilterChain:
 filters:
@@ -71,7 +73,8 @@
 perConnectionBufferLimitBytes: 32768
 - address:
 socketAddress:
- address: 0.0.0.0
+ address: '::'
+ ipv4Compat: true
 portValue: 8083
 defaultFilterChain:
 filters:
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
index 03fe43687b2..0becefcb07b 100644
--- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -36,7 +37,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml index 03c1932b68e..d4b97c1941b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 0a50c1bb280..7a61b6197b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml index 19c56586960..29be8f0b25c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml index 0ccea8c2bcb..4f7cd0b8af7 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml index e2054562760..71ebe76cb1e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml index 84b95081c80..167e96f53e0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml index 55e2fde715b..fec7e1ade2f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml index acf4c0a40f6..1f010cbb726 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml index 5053c959bfc..6c1a233f5b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml index 5041136d090..f9ce7d84e7c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8081 defaultFilterChain: filters: @@ -33,7 +34,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8082 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml index f9b4ee27bf6..f89d388819d 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8081 defaultFilterChain: filters: @@ -32,7 +33,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8082 defaultFilterChain: filters: @@ -63,7 +65,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8083 defaultFilterChain: filters: @@ -95,7 +98,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 8084 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml index 4a3daf7b5eb..93320e1347b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
@@ -40,7 +41,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml index cc61653cdf6..6c2ec38ab4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml index 13b18487b29..858a6a99df5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml index 09426a31773..cc24216073a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml index 2d688753f05..cefa3f8fcfd 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml index c3fb113017a..9c25f196445 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml index c3fb113017a..a9b9065d238 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml index 3c8062f0a29..a857be906cd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml index c3fb113017a..a9b9065d238 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml index 657d2b42a82..725b879b355 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml index c3fb113017a..9c25f196445 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml index 657d2b42a82..725b879b355 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml index 5a43997887d..09c1f7373da 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -35,6 +36,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml index 657d2b42a82..725b879b355 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml index 87cd9f2a9d7..7d466743074 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -40,7 +41,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml index 7efdb2940f8..952475f29ec 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml index 7935c97f7f4..39cef2f193b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml index fc499431884..ba98a10f789 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml index 25230ccd9b5..d150efd0384 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml index 49a651da85e..98b2a58f8ef 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10443 protocol: UDP drainType: MODIFY_ONLY @@ -56,6 +57,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10443 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml index fb7bceafa22..1825eb14ab6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml 
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml index fb7bceafa22..1825eb14ab6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index 9172af8519b..25c76bcef2f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index bbfa00a53ea..0ac893c74ea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index a48a09b2dd7..82dbfaae02c 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -13,7 +13,8 @@ path: /dev/stdout address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index 51d778b9cea..393caa96eb5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index ead8b20d402..15f08c52173 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index c839763d975..1eb896e1a7d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml index 565878b1597..7286927497c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -34,7 +35,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 defaultFilterChain: filters: @@ -73,7 +75,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10082 filterChains: - filterChainMatch: @@ -98,7 +101,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10083 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml index 210069d7019..016786b37f5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -63,7 +64,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml index 06e77d90262..8b7b4013e4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -39,7 +40,8 @@ name: "9" - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 defaultFilterChain: filters: @@ -90,7 +92,8 @@ name: "5" - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10082 filterChains: - filterChainMatch: @@ -115,7 +118,8 @@ name: "9" - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10083 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml index 6539e7588ec..93a9663d159 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10443 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml 
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml index 1f27366aa32..d23d6e5323a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml index 1426aeaa71f..565ad98228f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml index 39bfe9f587b..44ffd11e130 100755 
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 protocol: UDP defaultFilterChain: @@ -66,6 +67,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml index 86002534182..bfed5797031 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml index 2df07dabd56..cf89025ba17 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml index 7d177b2e092..8cc49659b0a 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10001 filterChains: - filters: @@ -59,7 +60,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10002 filterChains: - filters: @@ -119,7 +121,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10003 filterChains: - filters: @@ -181,7 +184,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10004 filterChains: - filters: @@ -245,7 +249,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10005 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml index 33262561948..5404e9c4612 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10001 filterChains: - filters: @@ -59,7 +60,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10002 filterChains: - filters: 
@@ -119,7 +121,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10003 filterChains: - filters: @@ -179,7 +182,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10004 filterChains: - filters: @@ -239,7 +243,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10005 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index bae66f2ff21..ff623ed0918 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: @@ -59,7 +60,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index cdb0e351dec..5322382f349 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: 
@@ -59,7 +60,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml index 3addb294484..995d70e1811 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index 37178ddfe5f..f02d5214210 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml index c8eda3875ed..11e2a389c0d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml index c3fb113017a..a9b9065d238 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml index a80f448f017..2f68d5d848d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml index 973d90913b4..821bf6ee840 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml index a80f448f017..2f68d5d848d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml index a80f448f017..2f68d5d848d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml index a80f448f017..2f68d5d848d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml index a80f448f017..2f68d5d848d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml 
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index ada9749df63..d8e6bbf9091 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml index 3d65ed1a895..9f852cd8701 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml index 4c624b8788f..2488a8f083c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml index 001e0b017d3..12011f9ae49 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml index 0615ffcff8a..33d35dcfdbc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.listeners.yaml @@ -1,11 +1,7 @@ -- additionalAddresses: - - address: - socketAddress: - address: '::' - portValue: 8082 - address: +- address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 8082 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml index ec70a00f0ed..c70b6728097 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml index 336e84c9eab..5023b077b09 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml index 4dc8055463a..72f40213b1b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index b3f30d194ed..4423eb58f5b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml index 7c84083a0ba..4ec20d0cc11 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml 
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index d5d32d6ee55..dab6fe543f3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -21,7 +22,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml index 7eee7e167c0..64028f1420d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -79,7 +80,8 @@ perConnectionBufferLimitBytes: 32768 - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml index 07a3d581575..7f41a9bed98 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml 
@@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml index a98dfd0d9d4..e19a79d30dc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml index 6efe38a6b12..e5532223241 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml index 599eb3b58af..5832f199bc9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml index 8d9eaea1141..09c7681d79e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml index 6bf13465916..cc92fbd6ed6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml index 317a7ddc4dd..71f29a0035a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml index c3fb113017a..a9b9065d238 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index e3a679d1ae0..bbb4b7109a8 100755 
--- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml @@ -1,6 +1,7 @@ - address: socketAddress: address: 0.0.0.0 + ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 29bc7d2f5ff..a76382dd569 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -229,7 +229,7 @@ func (t *Translator) processHTTPListenerXdsTranslation( // Create a new TCP listener for HTTP1/HTTP2 traffic. if tcpXDSListener, err = buildXdsTCPListener( - httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, + httpListener.Name, httpListener.Address, httpListener.Port, httpListener.TCPKeepalive, httpListener.Connection, accessLog); err != nil { errs = errors.Join(errs, err) continue @@ -575,7 +575,7 @@ func (t *Translator) processTCPListenerXdsTranslation( xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { if xdsListener, err = buildXdsTCPListener( - tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, + tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog); err != nil { // skip this listener if failed to build xds listener errs = errors.Join(errs, err) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 9288e5266fc..c0f8dfc0e5b 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
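Review bot: Dropping `IPFamily` from both `buildXdsTCPListener` calls (this hunk in processHTTPListenerXdsTranslation and the next one in processTCPListenerXdsTranslation) leaves some listeners with an IPv4 bind address and `ipv4Compat: true`. The regenerated golden files in this patch show it: `wasm.listeners.yaml` now has `address: 0.0.0.0` with `ipv4Compat: true`, and `tcp-listener-ipfamily.listeners.yaml` loses its `additionalAddresses` entry for `::`, so that case appears to stop listening on IPv6. As far as I know Envoy's `ipv4_compat` only has meaning on an IPv6 bind address, so presumably buildXdsTCPListener (not visible here) sets it unconditionally. I would derive it from the address, e.g. `ip := net.ParseIP(address)` and `Ipv4Compat: ip != nil && ip.To4() == nil`, and keep a test case whose IR address is `0.0.0.0`. Because the other listeners now bind `::`, the release note should also tell operators that gateways become reachable over IPv6 wherever the node has it, which matters if their filtering rules are IPv4-only; both enclosing functions start and end outside the hunks.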
@@ -5,6 +5,7 @@ breaking changes: | The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. + Always use `::` and `IPv4Compact` enabled on dynamic listeners. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | diff --git a/test/e2e/tests/envoy_shutdown.go b/test/e2e/tests/envoy_shutdown.go index 7a249e01950..14a223ddef5 100644 --- a/test/e2e/tests/envoy_shutdown.go +++ b/test/e2e/tests/envoy_shutdown.go @@ -51,6 +51,9 @@ var EnvoyShutdownTest = suite.ConformanceTest{ t.Errorf("Failed to get proxy deployment") } + // Wait for the grpc ext auth service pod to be ready + WaitForPods(t, suite.Client, "envoy-gateway-system", map[string]string{"gateway.envoyproxy.io/owning-gateway-name": name}, corev1.PodRunning, PodReady) + // wait for route to be programmed on envoy expectedResponse := http.ExpectedResponse{ Request: http.Request{ @@ -79,7 +82,7 @@ var EnvoyShutdownTest = suite.ConformanceTest{ aborter.Abort(false) // abort the load either way if err != nil { - t.Errorf("Failed to rollout proxy deployment") + t.Errorf("Failed to rollout proxy deployment: %v", err) } // Wait for the goroutine to finish diff --git a/test/e2e/upgrade/eg_upgrade_test.go b/test/e2e/upgrade/eg_upgrade_test.go index 6c3b9521e5f..9af99c81c90 100644 --- a/test/e2e/upgrade/eg_upgrade_test.go +++ b/test/e2e/upgrade/eg_upgrade_test.go 
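Review bot: The comment added above the new WaitForPods call in the `@@ -51,6 +51,9` hunk of envoy_shutdown.go says it waits for the grpc ext auth service pod, but the selector is `gateway.envoyproxy.io/owning-gateway-name: name` in `envoy-gateway-system`, so it appears to wait for the proxy pods of the gateway under test. It reads as copied from another test; I would change it to `// Wait for the envoy proxy pods owned by this gateway to be ready`. Separately, the context line `t.Errorf("Failed to get proxy deployment")` records the failure without stopping, so the wait and the later rollout still run after a failed lookup. The test body starts and ends outside the hunk, so that may be handled elsewhere.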
@@ -10,9 +10,12 @@ package upgrade import ( "flag" "io/fs" + "os" "testing" "k8s.io/apimachinery/pkg/util/sets" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/gateway-api/conformance/utils/flags" "sigs.k8s.io/gateway-api/conformance/utils/suite" "sigs.k8s.io/gateway-api/conformance/utils/tlog" @@ -25,6 +28,7 @@ import ( func TestEGUpgrade(t *testing.T) { flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) c, cfg := kubetest.NewClient(t) From f8c7056378043cc422552d5728a1bfb76a6711b1 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 21 Nov 2024 16:43:03 -0800 Subject: [PATCH 421/523] dont run docs workflows on release branches (#4755) Docs are based off `main` Signed-off-by: Arko Dasgupta --- .github/workflows/docs.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 22437cb9cd8..b147f5e5cf0 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -3,14 +3,12 @@ on: push: branches: - "main" - - "release/v*" paths: - 'site/**' - 'tools/make/docs.mk' pull_request: branches: - "main" - - "release/v*" paths: - 'site/**' - 'tools/make/docs.mk' From 71c0b5408f7f80ef8b9d1e0bcf511891839edecd Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 22 Nov 2024 11:05:12 +0800 Subject: [PATCH 422/523] chore: fix unchanged files with check annotations (#4763) chore: fix github warning Signed-off-by: zirain --- examples/standalone/quickstart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/standalone/quickstart.yaml b/examples/standalone/quickstart.yaml index e7a5cda07e5..4ccf2ce8efd 100644 --- a/examples/standalone/quickstart.yaml +++ b/examples/standalone/quickstart.yaml 
@@ -42,5 +42,5 @@ metadata: spec: endpoints: - ip: - address: 0.0.0.0 # this address is for demo purpose only, do not use it in production! + address: 0.0.0.0 # this address is for demo purpose only, do not use it in production! port: 3000 From 05aa9fd64b07068cb14943401c28acfb20ccff29 Mon Sep 17 00:00:00 2001 From: Evgeniya Pankova Date: Mon, 25 Nov 2024 07:01:21 +0300 Subject: [PATCH 423/523] docs: added JSONPatch example for modifying Bootstrap config using the EnvoyProxy resource (#4772) docs: added JSONPatch example for modifying Bootstrap config using the EnvoyProxy resource (#4742) Signed-off-by: Evgeniya Pankova --- .../tasks/operations/customize-envoyproxy.md | 46 +++++++++++++++++-- .../tasks/operations/customize-envoyproxy.md | 46 +++++++++++++++++-- .../tasks/operations/customize-envoyproxy.md | 46 +++++++++++++++++-- 3 files changed, 129 insertions(+), 9 deletions(-) diff --git a/site/content/en/docs/tasks/operations/customize-envoyproxy.md b/site/content/en/docs/tasks/operations/customize-envoyproxy.md index 892c3496ff0..55ea32557c7 100644 --- a/site/content/en/docs/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/docs/tasks/operations/customize-envoyproxy.md @@ -498,13 +498,14 @@ After applying the config, you can get the envoyproxy service, and see annotatio ## Customize EnvoyProxy Bootstrap Config You can customize the EnvoyProxy bootstrap config via EnvoyProxy Config. -There are two ways to customize it: +There are three ways to customize it: * Replace: the whole bootstrap config will be replaced by the config you provided. * Merge: the config you provided will be merged into the default bootstrap config. +* JSONPatch: the list of JSON Patches you provided will be applied to the bootstrap config. JSON Patch is a standard format specified in [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902/). {{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} +{{% tab header="Replace: apply from stdin" %}} ```shell cat <}} 
diff --git a/site/content/en/latest/tasks/operations/customize-envoyproxy.md b/site/content/en/latest/tasks/operations/customize-envoyproxy.md index 892c3496ff0..55ea32557c7 100644 --- a/site/content/en/latest/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/latest/tasks/operations/customize-envoyproxy.md @@ -498,13 +498,14 @@ After applying the config, you can get the envoyproxy service, and see annotatio ## Customize EnvoyProxy Bootstrap Config You can customize the EnvoyProxy bootstrap config via EnvoyProxy Config. -There are two ways to customize it: +There are three ways to customize it: * Replace: the whole bootstrap config will be replaced by the config you provided. * Merge: the config you provided will be merged into the default bootstrap config. +* JSONPatch: the list of JSON Patches you provided will be applied to the bootstrap config. JSON Patch is a standard format specified in [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902/). {{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} +{{% tab header="Replace: apply from stdin" %}} ```shell cat <}} diff --git a/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md index 892c3496ff0..55ea32557c7 100644 --- a/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md 
@@ -498,13 +498,14 @@ After applying the config, you can get the envoyproxy service, and see annotatio ## Customize EnvoyProxy Bootstrap Config You can customize the EnvoyProxy bootstrap config via EnvoyProxy Config. -There are two ways to customize it: +There are three ways to customize it: * Replace: the whole bootstrap config will be replaced by the config you provided. * Merge: the config you provided will be merged into the default bootstrap config. +* JSONPatch: the list of JSON Patches you provided will be applied to the bootstrap config. JSON Patch is a standard format specified in [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902/). {{< tabpane text=true >}} -{{% tab header="Apply from stdin" %}} +{{% tab header="Replace: apply from stdin" %}} ```shell cat <}} From 767c763d1782ea4aa9a836851cf158f9a4470865 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 15:51:45 +0800 Subject: [PATCH 424/523] build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 (#4732) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238...5c47607acb93fed5485fdbf7232e8a31425f672a) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index cd49c5a82c7..b810cdc08ea 100644 
--- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -55,7 +55,7 @@ jobs: - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2 with: fail_ci_if_error: true files: ./coverage.xml From cb3305784e44ca91f3792720434daac249965bc1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 10:50:04 -0800 Subject: [PATCH 425/523] build(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 (#4778) Bumps [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/Masterminds/semver/releases) - [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md) - [Commits](https://github.com/Masterminds/semver/compare/v3.3.0...v3.3.1) --- updated-dependencies: - dependency-name: github.com/Masterminds/semver/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7d45c395ef0..1e117020606 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 require ( fortio.org/fortio v1.68.0 fortio.org/log v1.17.1 - github.com/Masterminds/semver/v3 v3.3.0 + github.com/Masterminds/semver/v3 v3.3.1 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible diff --git a/go.sum b/go.sum index badf41ee3da..e2a21dcda80 100644 --- a/go.sum +++ b/go.sum 
@@ -62,8 +62,8 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= -github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= -github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4= +github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= From ddd2c34d458be01900bf6db458d348d811ae6aee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 10:52:21 -0800 Subject: [PATCH 426/523] build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#4775) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.4 to 3.27.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ea9e4e37992a54ee68a9622e985e60c8e8f12d9f...f09c1c0a94de965c15400f5634aa42fac8fb8f88) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c8c1884c937..ab76a5d9772 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 23235a9a5ba..0e659ff28ae 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: results.sarif From 6a1fd8a6ebae8ab05e0361f1079a96e0155f1a82 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 10:53:59 -0800 Subject: [PATCH 427/523] build(deps): bump github.com/google/cel-go from 0.22.0 to 0.22.1 (#4777) Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.22.0 to 0.22.1. - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.22.0...v0.22.1) --- updated-dependencies: - dependency-name: github.com/google/cel-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1e117020606..c37471842dd 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/go-logr/zapr v1.3.0 github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 - github.com/google/cel-go v0.22.0 + github.com/google/cel-go v0.22.1 github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 github.com/hashicorp/go-multierror v1.1.1 diff --git a/go.sum b/go.sum index e2a21dcda80..84f9b879a84 100644 --- a/go.sum +++ b/go.sum 
@@ -386,8 +386,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= -github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= +github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40= +github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= From 48a0310082ceeaf4d3af17e6b6844c7d0fb5db0b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 26 Nov 2024 16:36:20 +0800 Subject: [PATCH 428/523] Revert "build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2" (#4783) Revert "build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 (#4732)" This reverts commit 767c763d1782ea4aa9a836851cf158f9a4470865. --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index b810cdc08ea..cd49c5a82c7 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -55,7 +55,7 @@ jobs: - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: fail_ci_if_error: true files: ./coverage.xml 
From 0130b7784d568ebb4f7377bf6d96245725942ee9 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 27 Nov 2024 03:29:16 +0800 Subject: [PATCH 429/523] xds: use V4_PREFERRED dnsLookupFamily by default (#4745) * use Cluster_V4_PREFERRED Signed-off-by: zirain * release notes Signed-off-by: zirain --------- 
Signed-off-by: zirain --- .../testdata/translate/out/default-resources.all.yaml | 5 +++++ .../translate/out/echo-gateway-api.cluster.yaml | 1 + .../translate/out/from-gateway-api-to-xds.all.json | 5 +++++ .../translate/out/from-gateway-api-to-xds.all.yaml | 5 +++++ .../translate/out/from-gateway-api-to-xds.cluster.yaml | 5 +++++ .../out/jwt-single-route-single-match-to-xds.all.json | 2 ++ .../out/jwt-single-route-single-match-to-xds.all.yaml | 2 ++ .../jwt-single-route-single-match-to-xds.cluster.yaml | 2 ++ .../translate/out/no-service-cluster-ip.all.yaml | 1 + internal/xds/translator/cluster.go | 2 +- .../extensionpolicy-tcp-udp-http.clusters.yaml | 3 +++ .../http-route-extension-filter.clusters.yaml | 1 + .../out/extension-xds-ir/http-route.clusters.yaml | 1 + .../out/xds-ir/accesslog-als-tcp.clusters.yaml | 1 + .../testdata/out/xds-ir/accesslog-cel.clusters.yaml | 2 ++ .../out/xds-ir/accesslog-endpoint-stats.clusters.yaml | 2 ++ .../out/xds-ir/accesslog-formatters.clusters.yaml | 2 ++ .../out/xds-ir/accesslog-multi-cel.clusters.yaml | 2 ++ .../testdata/out/xds-ir/accesslog-types.clusters.yaml | 10 ++++++++++ .../out/xds-ir/accesslog-without-format.clusters.yaml | 3 +++ .../testdata/out/xds-ir/accesslog.clusters.yaml | 3 +++ .../out/xds-ir/authorization-client-cidr.clusters.yaml | 3 +++ .../out/xds-ir/authorization-jwt-claim.clusters.yaml | 4 ++++ .../out/xds-ir/authorization-jwt-scope.clusters.yaml | 4 ++++ .../authorization-multiple-principals.clusters.yaml | 1 + .../out/xds-ir/backend-buffer-limit.clusters.yaml | 3 +++ .../testdata/out/xds-ir/backend-priority.clusters.yaml | 3 +++ .../testdata/out/xds-ir/basic-auth.clusters.yaml | 3 +++ .../testdata/out/xds-ir/circuit-breaker.clusters.yaml | 1 + .../out/xds-ir/client-buffer-limit.clusters.yaml | 2 ++ .../out/xds-ir/client-ip-detection.clusters.yaml | 3 +++ .../testdata/out/xds-ir/client-timeout.clusters.yaml | 2 ++ .../translator/testdata/out/xds-ir/cors.clusters.yaml | 1 + 
.../out/xds-ir/custom-filter-order.clusters.yaml | 2 ++ .../testdata/out/xds-ir/custom-response.clusters.yaml | 1 + .../testdata/out/xds-ir/ext-auth-backend.clusters.yaml | 5 +++++ .../out/xds-ir/ext-auth-recomputation.clusters.yaml | 5 +++++ .../testdata/out/xds-ir/ext-auth.clusters.yaml | 5 +++++ .../ext-proc-with-traffic-settings.clusters.yaml | 3 +++ .../testdata/out/xds-ir/ext-proc.clusters.yaml | 6 ++++++ .../testdata/out/xds-ir/fault-injection.clusters.yaml | 5 +++++ .../headers-with-preserve-x-request-id.clusters.yaml | 2 ++ .../headers-with-underscores-action.clusters.yaml | 4 ++++ .../testdata/out/xds-ir/health-check.clusters.yaml | 5 +++++ .../xds-ir/http-early-header-mutation.clusters.yaml | 2 ++ .../out/xds-ir/http-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/http-health-check.clusters.yaml | 1 + .../xds-ir/http-preserve-client-protocol.clusters.yaml | 1 + .../out/xds-ir/http-req-resp-sizes-stats.clusters.yaml | 1 + .../xds-ir/http-route-direct-response.clusters.yaml | 1 + .../out/xds-ir/http-route-dns-cluster.clusters.yaml | 1 + .../out/xds-ir/http-route-mirror.clusters.yaml | 1 + .../xds-ir/http-route-multiple-matches.clusters.yaml | 7 +++++++ .../xds-ir/http-route-multiple-mirrors.clusters.yaml | 3 +++ .../xds-ir/http-route-partial-invalid.clusters.yaml | 1 + .../out/xds-ir/http-route-redirect.clusters.yaml | 1 + .../testdata/out/xds-ir/http-route-regex.clusters.yaml | 1 + .../xds-ir/http-route-request-headers.clusters.yaml | 1 + .../http-route-response-add-headers.clusters.yaml | 1 + ...ttp-route-response-add-remove-headers.clusters.yaml | 1 + .../http-route-response-remove-headers.clusters.yaml | 1 + ...tp-route-rewrite-root-path-url-prefix.clusters.yaml | 1 + ...-rewrite-sufixx-with-slash-url-prefix.clusters.yaml | 1 + .../http-route-rewrite-url-fullpath.clusters.yaml | 1 + .../xds-ir/http-route-rewrite-url-host.clusters.yaml | 1 + .../xds-ir/http-route-rewrite-url-prefix.clusters.yaml | 1 + 
.../xds-ir/http-route-rewrite-url-regex.clusters.yaml | 1 + .../http-route-session-persistence.clusters.yaml | 1 + .../out/xds-ir/http-route-timeout.clusters.yaml | 3 +++ .../http-route-weighted-backend-uds-ip.clusters.yaml | 1 + ...p-route-weighted-backend-with-filters.clusters.yaml | 2 ++ .../xds-ir/http-route-weighted-backend.clusters.yaml | 1 + .../http-route-weighted-invalid-backend.clusters.yaml | 1 + .../xds-ir/http-route-with-clientcert.clusters.yaml | 1 + .../out/xds-ir/http-route-with-metadata.clusters.yaml | 2 ++ ...http-route-with-tls-system-truststore.clusters.yaml | 1 + ...p-route-with-tlsbundle-multiple-certs.clusters.yaml | 2 ++ .../out/xds-ir/http-route-with-tlsbundle.clusters.yaml | 1 + .../testdata/out/xds-ir/http-route.clusters.yaml | 1 + .../out/xds-ir/http1-preserve-case.clusters.yaml | 2 ++ .../testdata/out/xds-ir/http1-trailers.clusters.yaml | 1 + .../testdata/out/xds-ir/http10.clusters.yaml | 1 + .../testdata/out/xds-ir/http2-route.clusters.yaml | 4 ++++ .../translator/testdata/out/xds-ir/http2.clusters.yaml | 1 + .../translator/testdata/out/xds-ir/http3.clusters.yaml | 1 + .../xds-ir/jsonpatch-missing-resource.clusters.yaml | 1 + .../out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml | 2 ++ .../testdata/out/xds-ir/jsonpatch.clusters.yaml | 1 + .../out/xds-ir/jwt-custom-extractor.clusters.yaml | 2 ++ .../jwt-multi-route-multi-provider.clusters.yaml | 4 ++++ .../jwt-multi-route-single-provider.clusters.yaml | 3 +++ .../testdata/out/xds-ir/jwt-optional.clusters.yaml | 2 ++ .../testdata/out/xds-ir/jwt-ratelimit.clusters.yaml | 5 +++++ .../xds-ir/jwt-single-route-single-match.clusters.yaml | 2 ++ .../out/xds-ir/listener-connection-limit.clusters.yaml | 4 ++++ .../out/xds-ir/listener-proxy-protocol.clusters.yaml | 2 ++ .../out/xds-ir/listener-tcp-keepalive.clusters.yaml | 4 ++++ .../testdata/out/xds-ir/load-balancer.clusters.yaml | 10 ++++++++++ .../testdata/out/xds-ir/local-ratelimit.clusters.yaml | 3 +++ 
.../out/xds-ir/metrics-virtual-host.clusters.yaml | 1 + .../out/xds-ir/mixed-tls-jwt-authn.clusters.yaml | 1 + ...ners-same-port-with-different-filters.clusters.yaml | 5 +++++ .../xds-ir/multiple-listeners-same-port.clusters.yaml | 6 ++++++ .../multiple-simple-tcp-route-same-port.clusters.yaml | 5 +++++ ...d-client-certificate-with-custom-data.clusters.yaml | 5 +++++ ...mutual-tls-forward-client-certificate.clusters.yaml | 5 +++++ ...-required-client-certificate-disabled.clusters.yaml | 2 ++ .../testdata/out/xds-ir/mutual-tls.clusters.yaml | 2 ++ .../xds-ir/oidc-backend-cluster-provider.clusters.yaml | 2 ++ .../translator/testdata/out/xds-ir/oidc.clusters.yaml | 4 ++++ .../testdata/out/xds-ir/path-settings.clusters.yaml | 1 + .../out/xds-ir/proxy-protocol-upstream.clusters.yaml | 1 + .../out/xds-ir/ratelimit-custom-domain.clusters.yaml | 4 ++++ .../out/xds-ir/ratelimit-disable-headers.clusters.yaml | 4 ++++ .../out/xds-ir/ratelimit-endpoint-stats.clusters.yaml | 4 ++++ .../xds-ir/ratelimit-headers-and-cidr.clusters.yaml | 4 ++++ .../out/xds-ir/ratelimit-sourceip.clusters.yaml | 5 +++++ .../testdata/out/xds-ir/ratelimit.clusters.yaml | 5 +++++ .../out/xds-ir/retry-partial-invalid.clusters.yaml | 1 + .../securitypolicy-with-oidc-jwt-authz.clusters.yaml | 2 ++ .../testdata/out/xds-ir/simple-tls.clusters.yaml | 1 + .../out/xds-ir/suppress-envoy-headers.clusters.yaml | 1 + .../out/xds-ir/tcp-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/tcp-listener-ipfamily.clusters.yaml | 1 + .../out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml | 1 + .../out/xds-ir/tcp-route-complex.clusters.yaml | 1 + .../testdata/out/xds-ir/tcp-route-simple.clusters.yaml | 1 + .../out/xds-ir/tcp-route-tls-terminate.clusters.yaml | 2 ++ .../xds-ir/tcp-route-weighted-backend.clusters.yaml | 1 + .../testdata/out/xds-ir/timeout.clusters.yaml | 1 + .../out/xds-ir/tls-route-passthrough.clusters.yaml | 2 ++ .../tls-with-ciphers-versions-alpn.clusters.yaml | 2 ++ 
.../testdata/out/xds-ir/tracing-datadog.clusters.yaml | 2 ++ .../out/xds-ir/tracing-endpoint-stats.clusters.yaml | 2 ++ .../testdata/out/xds-ir/tracing-zipkin.clusters.yaml | 2 ++ .../testdata/out/xds-ir/tracing.clusters.yaml | 2 ++ .../out/xds-ir/udp-endpoint-stats.clusters.yaml | 1 + .../out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml | 1 + .../testdata/out/xds-ir/udp-route.clusters.yaml | 1 + .../out/xds-ir/upstream-tcpkeepalive.clusters.yaml | 1 + .../translator/testdata/out/xds-ir/wasm.clusters.yaml | 2 ++ release-notes/current.yaml | 1 + 142 files changed, 335 insertions(+), 1 deletion(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index e81c777ee74..80934209fce 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -772,6 +772,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -791,6 +792,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -817,6 +819,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -836,6 +839,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -855,6 +859,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index 9bb0bc2ac1c..5b6162b655f 100644 
--- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -100,6 +100,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 96f794bb456..0cfb690977f 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -458,6 +458,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -487,6 +488,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -527,6 +529,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -556,6 +559,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -585,6 +589,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index e4490080e3d..124e0fd65e0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml 
@@ -251,6 +251,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -270,6 +271,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -296,6 +298,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -315,6 +318,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -334,6 +338,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index aa348c640c9..714656cffaf 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -10,6 +10,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -29,6 +30,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +57,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -74,6 +77,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -93,6 +97,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index a777f5cdc56..5042c9d1f03 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -350,6 +350,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "edsClusterConfig": { "edsConfig": { "ads": {}, @@ -379,6 +380,7 @@ "localityWeightedLbConfig": {} }, "connectTimeout": "10s", + "dnsLookupFamily": "V4_PREFERRED", "dnsRefreshRate": "30s", "lbPolicy": "LEAST_REQUEST", "loadAssignment": { diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index c3ee0ddf26a..2644bf5babc 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -195,6 +195,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -214,6 +215,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index ee8af9b7c15..9fce4f70e3e 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml 
@@ -10,6 +10,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -29,6 +30,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 6edf19677ad..df906c98211 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -195,6 +195,7 @@ xds: commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 495640ff90a..c5064c29eef 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -84,7 +84,7 @@ func buildEndpointType(settings []*ir.DestinationSetting) EndpointType { } func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { - dnsLookupFamily := clusterv3.Cluster_AUTO + dnsLookupFamily := clusterv3.Cluster_V4_PREFERRED if args.ipFamily != nil { switch *args.ipFamily { case egv1a1.IPv4: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index ed3cb77ab01..b8a8e059069 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
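Review bot: The new default `clusterv3.Cluster_V4_PREFERRED` in `buildXdsCluster` (internal/xds/translator/cluster.go) carries no comment, yet it changes the DNS resolution order for every cluster built with `args.ipFamily == nil`: Envoy's AUTO looks up IPv6 first and falls back to IPv4, while V4_PREFERRED does the reverse. For dual-stack upstream hostnames the proxy will therefore start connecting over IPv4, so egress network policies, firewall allowlists and backend source-address checks that were only exercised on the IPv6 path should be verified before rollout; the change looks worth a release note as well. I would add above the assignment `// Default to V4_PREFERRED when ipFamily is unset: resolve IPv4 first, fall back to IPv6 (Envoy's AUTO prefers IPv6).`. The golden files in this patch show the field now emitted on EDS clusters too, where it presumably has no effect because no DNS lookup takes place. The function body continues past the end of the hunk, so the remaining `switch` cases are not visible here.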
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index dbfd7c8e2b2..f8ee95fc7f6 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index dbfd7c8e2b2..f8ee95fc7f6 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml index 85a1bf46bac..86fb50d1d4e 100755 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-als-tcp.clusters.yaml @@ -5,6 +5,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 15s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 7faf19f8bb4..090b3919f81 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index dae7cbc0d4a..74a6fc0bb0c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -23,6 +24,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 7faf19f8bb4..090b3919f81 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 7faf19f8bb4..090b3919f81 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index 98d56781cb2..112aa95870f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -45,6 +47,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -69,6 +72,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -93,6 +97,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -117,6 +122,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -141,6 +147,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -165,6 +172,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -198,6 +206,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -231,6 +240,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index 967893fbd41..4212b175848 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -45,6 +47,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index 967893fbd41..4212b175848 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -45,6 +47,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index 815e3e469ea..ec8ef8e0674 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index 3e81abb2f4e..8b4149cfe83 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -73,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index 3e81abb2f4e..8b4149cfe83 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -73,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index a5da3995b99..4b0cccf2c2c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index ae291870e19..611cbe7292a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index 64ef05a8795..66c3bf73ad7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index e170f954954..df23031f8bb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index a39d931e4d8..dd1fce78e8b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -7,6 +7,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index 53d0ae1b88c..d1f95214f16 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index f36c0f1c777..ab0b4fca62c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index b3601621bf2..e7ef5350995 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml index 7b61aaf5f37..03fa483d156 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -39,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index a5da3995b99..4b0cccf2c2c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index db4efa180a8..79e1aed5ebe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -88,6 +92,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index db4efa180a8..79e1aed5ebe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -88,6 +92,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index 4b9e2de2200..ff9b672a1cc 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -79,6 +83,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index d885aaddd66..99dc8b48184 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -39,6 +41,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 15s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 6fcc3830e4f..4e40762dace 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -62,6 +65,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -86,6 +90,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -110,6 +115,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index 77dc55a8476..348c3693e0f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index b3601621bf2..e7ef5350995 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 754b5ae5d02..58a2b85afd9 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 1d42d3495d8..6db525c99eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -42,6 +43,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -78,6 +80,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -111,6 +114,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -145,6 +149,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 1774ac35006..41a3c942e6a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -31,6 +32,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index 8256f58d447..1be553489ce 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index 73c0f3ee8b8..7706960228b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index d552d11a437..2dc04da7256 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index 90ea1e3123d..c3282c53e19 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml index d6f92da0027..d2964ca5282 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 7b147f2cc9e..2ee151ece25 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index 7dee2fae954..758292acfcd 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -89,6 +94,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -106,6 +112,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index af01a8494ca..0b5a779d918 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 3847b55b7e3..759c732f54a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index 2e8d489ec0a..8bf69668b44 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index c3beb47b89f..8906cb55b30 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index db56b6185c5..9d7d6d0c663 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index 7b45637ccff..c1d3a9aedbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index 7b45637ccff..c1d3a9aedbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index 7b45637ccff..c1d3a9aedbb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 48272f1f225..7311c3bbcbe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 48272f1f225..7311c3bbcbe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 03f27845ffe..929e5fb44bb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 48272f1f225..7311c3bbcbe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 48272f1f225..7311c3bbcbe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 03f27845ffe..929e5fb44bb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index c3beb47b89f..8906cb55b30 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index f36c0f1c777..ab0b4fca62c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index ff1dac67640..6091e5e97b1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index b3601621bf2..e7ef5350995 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index ff1dac67640..6091e5e97b1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index 390c26b1ab8..aa5b2a1bb20 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index b3601621bf2..e7ef5350995 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 49c8eebc00e..82bc9604a7d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index df5e85c34f2..3aab01e6684 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -62,6 +63,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index 2744cfc19d8..ba9cb4c4fe4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index 4cfa7db1e7e..b93477f78ca 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -31,6 +32,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 1b3c2957d3f..7f270a11d04 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index 62a8d033f04..8222dcd6ccb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 2c58afdaac7..76e7c3dcb95 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -30,6 +31,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -54,6 +56,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -81,6 +84,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index ff1dac67640..6091e5e97b1 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index a5da3995b99..4b0cccf2c2c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index f1725d0f618..cb9e6eb5d11 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index 009411dcdf4..2867550caba 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index 95dbaeaeb9d..f3998fb3b59 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 4af517cab1d..30d656a16fe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -64,6 +67,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 081ef33d842..599db139ea2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index 95dbaeaeb9d..f3998fb3b59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index 6701b170b27..b1433b1be87 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -81,6 +85,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index 95dbaeaeb9d..f3998fb3b59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index 2f38dd9d3aa..290beff3671 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index 6cae3947b35..e56073d06d5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index 2f38dd9d3aa..290beff3671 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 5067244aeba..3b4bde72aeb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -20,6 +21,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -37,6 +39,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -54,6 +57,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -71,6 +75,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -91,6 +96,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -110,6 +116,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -127,6 +134,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -146,6 +154,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -163,6 +172,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index f36c0f1c777..ab0b4fca62c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index 21ebdea126b..307f4cbc565 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index 8d9e43d36cf..8ad066c0640 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -89,6 +94,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index b98d486efea..91395a135f6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index 77dc55a8476..348c3693e0f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index 77dc55a8476..348c3693e0f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 8d317defa13..1207329f055 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 8d317defa13..1207329f055 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index ca2d3f5e3fb..9d60e8e0bed 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index 52523fffbb8..cb505645ff8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: @@ -73,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index c5555faa87a..6c7503a8669 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index dc5c30ab312..b031b37db0e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index b74141720fa..a75716855d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index 4eab9980691..e3f20b743ad 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -23,6 +24,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -42,6 +44,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -61,6 +64,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index b74141720fa..a75716855d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index a2926d67edd..79e1c96f69b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index a2926d67edd..79e1c96f69b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -38,6 +40,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -55,6 +58,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -72,6 +76,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index ff1dac67640..6091e5e97b1 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml index f4f58fe1cc9..91bbe4fa396 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index ff1dac67640..6091e5e97b1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml index d5e5aeaf991..0fd3d280a1b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index 394a72179b0..d0ab3efc743 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml index 8fd985878cc..d0b09155386 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index 7c294e2efa3..6b6fc7289f0 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index 2653bb96c8d..79872344524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index 122e0dad7dc..111eac1e7b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index da821625c09..f1717a49d2b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml 
@@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index 109e9d1392c..6414d365d02 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 31s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index 4cfa1289322..c3ef51c0b2f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 8d317defa13..1207329f055 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} 
@@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 12088c45682..7b7149b3f33 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -21,6 +22,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index 304574452d2..bdf3cadd2ba 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml @@ -4,6 +4,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED edsClusterConfig: edsConfig: ads: {} @@ -23,6 +24,7 @@ commonLbConfig: localityWeightedLbConfig: {} connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index d1459afe991..4ce2f4cfdc0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml 
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
@@ -21,6 +22,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 dnsRefreshRate: 30s
 lbPolicy: LEAST_REQUEST
 loadAssignment:
diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
index f211422edc5..cc1305448af 100644
--- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
@@ -22,6 +23,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 15s
+ dnsLookupFamily: V4_PREFERRED
 dnsRefreshRate: 30s
 lbPolicy: LEAST_REQUEST
 loadAssignment:
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml
index 6090f4f8ec2..586e95fc0e9 100644
--- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml
index 2f1ed3604e8..ae84a44c505 100644
--- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
index 14df838b6e6..54c7ebf435e 100644
--- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
index 5d663e5665e..74800020855 100644
--- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml
index 8e3ac051015..480aca4bb47 100755
--- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml
@@ -4,6 +4,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
@@ -21,6 +22,7 @@
 commonLbConfig:
 localityWeightedLbConfig: {}
 connectTimeout: 10s
+ dnsLookupFamily: V4_PREFERRED
 edsClusterConfig:
 edsConfig:
 ads: {}
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index c0f8dfc0e5b..eea29e8b78b 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -6,6 +6,7 @@ breaking changes: | ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. Always use `::` and `IPv4Compact` enabled on dynamic listeners. + Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | From 29b5eaa6a209adb4e336b3c773dc92bdb647c891 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Tue, 26 Nov 2024 11:29:50 -0800 Subject: [PATCH 430/523] [docs] Add Teleport as an Adopter (#4785) * [docs] Add Teleport as an Adopter Signed-off-by: Arko Dasgupta * Update site/data/adopters.yaml Co-authored-by: David Boslee Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta Signed-off-by: Arko Dasgupta Co-authored-by: David Boslee --- site/data/adopters.yaml | 4 ++++ site/static/logos/teleport.svg | 16 ++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 site/static/logos/teleport.svg diff --git a/site/data/adopters.yaml b/site/data/adopters.yaml index 542e381d1c3..16cf7893339 100644 --- a/site/data/adopters.yaml +++ b/site/data/adopters.yaml @@ -11,3 +11,7 @@ adopters: logo: "/logos/airspacelink.svg" url: "https://airspacelink.com/" description: "Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway." + - name: "Teleport" + logo: "/logos/teleport.svg" + url: "https://goteleport.com/" + description: "Teleport is using Envoy Gateway to manage dynamic routing for all traffic to the Teleport Cloud Platform." diff --git a/site/static/logos/teleport.svg b/site/static/logos/teleport.svg new file mode 100644 index 00000000000..ad19786b556 --- /dev/null 
+++ b/site/static/logos/teleport.svg @@ -0,0 +1,16 @@ + + \ No newline at end of file From cda2dcb68e3503f625aa08e34c1e37e18a5f2adc Mon Sep 17 00:00:00 2001 From: Xunzhuo Date: Wed, 27 Nov 2024 10:48:27 +0800 Subject: [PATCH 431/523] community: add tencent cloud as an adopter (#4786) Signed-off-by: bitliu --- ADOPTERS.md | 13 +++++++++++++ site/data/adopters.yaml | 4 ++++ site/static/logos/tencent-cloud.png | Bin 0 -> 49618 bytes 3 files changed, 17 insertions(+) create mode 100644 site/static/logos/tencent-cloud.png diff --git a/ADOPTERS.md b/ADOPTERS.md index 5914f698e7b..54d7d933ad0 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -23,6 +23,7 @@ This page contains a list of organizations who are users of Envoy Gateway, follo If you would like to be included in this table, please submit a PR to this file or comment to [this issue](https://github.com/envoyproxy/gateway/issues/2781) and your information will be added. ## AllFactors + * Website https://allfactors.com * Category: End User * Environments: @@ -33,6 +34,7 @@ If you would like to be included in this table, please submit a PR to this file * Logo: https://allfactors.com/AllFactors-Logo.svg ## Tetrate + * Website: https://www.tetrate.io * Category: Service Provider * Environments: AWS @@ -43,6 +45,7 @@ If you would like to be included in this table, please submit a PR to this file * (Option) Description: ## Airspace Link + * Organizatioin: Airspace Link * Website: https://airspacelink.com/ * Category: End User 
@@ -51,3 +54,13 @@ If you would like to be included in this table, please submit a PR to this file
 - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway.
 * Status: production
 * Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png
+
+## Tencent Cloud
+
+* Organizatioin: Tencent Cloud
+* Website: https://www.tencentcloud.com
+* Category: Service Provider
+* Environments: Tencent Kubernetes Engine (TKE)
+* Use Cases:
+ - Tencent Cloud is using Envoy Gateway as a Kubernetes Cluster Network Addon to manage dynamic routing in the Tencent Kubernetes Engine.
+* Status: production
diff --git a/site/data/adopters.yaml b/site/data/adopters.yaml
index 16cf7893339..ef6bcfb8221 100644
--- a/site/data/adopters.yaml
+++ b/site/data/adopters.yaml
@@ -15,3 +15,7 @@ adopters:
 logo: "/logos/teleport.svg"
 url: "https://goteleport.com/"
 description: "Teleport is using Envoy Gateway to manage dynamic routing for all traffic to the Teleport Cloud Platform."
+ - name: "Tencent Cloud"
+ logo: "/logos/tencent-cloud.png"
+ url: "https://www.tencentcloud.com"
+ description: "Tencent Cloud is using Envoy Gateway as a Kubernetes Cluster Network Addon to manage dynamic routing in the Tencent Kubernetes Engine."
diff --git a/site/static/logos/tencent-cloud.png b/site/static/logos/tencent-cloud.png new file mode 100644 index 0000000000000000000000000000000000000000..464fad1545c9c07865cba714af34f4e33fb25e5a GIT binary patch literal 49618 zcmb@tbx>4)^f!KYSz5Z0SW;3NDQT3FmPSIl1q8`m8U*Q-6r>~tq#L9gDQOYu?%I7; zKi}UoznS06^ZfIhdC&5`_r6b`^Ezkm4v`va&+%}maR30oQ&N=I0st)37Q~B%hWbOA zVeSV2;4=+X9fjwvs=|fyd{M)UFB8xqm~!)Xg79ep-$~xLL%bgSk6pXComw9|w{tl( za@y5#+I{1&{>o|dmCNSqe;ZDl8ZP?=)YHcytGFGTCE71IZK_b*IBjZq-gNWVEb{jJf&c(YMbszy|Fcm0 z|HDEZ`#(JW|Mw9}7RLWe-2YYd|MdV$z5jjYe{)9N;e6Zv|J9t+yh?fv$r$;aA-m^k z$)4D!Um{scPcnW!$y^jpn-%^z|MxR(7IpLQCUqKhK)U9fVe&V0;3sX5`E7MUFRfS%Lr}b zAZ^0{ZGAsoeLrn|A6*!w{nui&GY={@`2q#U77jFGM*)uCyb|jLy!1QxhviuNr zALR#nl;&+?D8-{J zBoc|(`<7&c2ZpU5B9O@W5@L=s1TqpEd5@F>qk+*NXjo*t&o!;wq9eRzAL6kIy$Jr? zJ36~_jX+*5j2FL@hx`-&tTbT=iQFJ?MIaH#t7dlFu)}-gk_D}r4^piS z(V$?76zmBTGoj){Xb!nmHI!c?FRjnUyaAv!UP)d?=N)Ko{-wp42qDCbDy*}j!dxr# zvt`S`eQfxy?S2r-TRxv5#Vd+nD$?$5Wq>*gvmhE(2rLlr(f(qe>kuwh@*o86A@z1pl9SQy8>lF0&4j7PHu zc`3(IV+rbg+a9L>6fTfggs5(5GULJH`7CO-f2Qb+{wkm6v3AKZ31JjL5ga`FfncC1 zI-UKqhAz6IJ-aXt#pXZfQf3^MCV7#UtJo!6;&9u3c#T-8o6lMaSCcmJCSFC!@kjn_ z_meDp>^YY5)0qhb4F%cd$%8*ru}3mPc(tk(@-E2e}W`bkC8Tqk86KRRHNgja?M+?U(Q>_`@1-578=1$Z>1J>gv-{RbxZqw zH^yDp$d-P=OTiowKa}Ftkz2w%Je>RtEs<NYR3;vuscSaVr$ z)1QAuwl+6x@r4uwr^0EJDDd-vC**SG)0I7rj=uu$Ee@7ouBThwn-v4FKryb2aos?2gB@Z%k7u6+F&w!b5N2qn+gKYP{N4SY*8Gi|sQ=k&$a)KAwm9^Lh$qa^dg%K7Se-To# z(~-eTTbOzy+S;HC3W%5dN4vj+EZSTNXnbnD-4x6~omf?9wQU zaWLqsJ;oUBOds9kIi(*9ICsAU{fkMn*WsW2snpcdZ8Q6~ECs7og{*dFX4@9uc?WP* z(yO5~RB!EYD>>X{RKAdva_)QFoLqM&W_U>*vVi_Zr%n$6^E=%+y%xcRZnigiSINP1CjQcnA;T-xQrB}ej2cNb zIH>pq9XbY#Ka+iQu;6B6kl(_Q=F-SzV3VQ#(dis}y0Kv60?Rhuoo1$&5$m3^ZA=b!}M5ewT@zoYBv z{EVCiysCfX&6w@JcQ*?|+r^B!`u54Jlqr02`n?>l*}oH(S(R%klr!T6O+=F=p)u$W z{`4 z-MGRA4aR6ITAz=4M5p+KLM^y>$SPO3p($vlYx4a|W+qBu#jj>$LKOpi$K3V8YKNy#>#5MCdByBzPD`JqMT1UJ|UO0 zsx-Z%^E==pX(EX{nr@?Aeg2Ql;lYZ8_wj}Z2N52t0Qu=`ET(|+hw)ry9lZ~uzwI^3 zds2kvRD%*@xI6O{^%zws%0jsWAp`3}8|P1+T*4M*;QvB7g;Ymj!)H=WGil@U2VZ0` 
zQonKql6ANWHP-ejGH6j!z1P>oA>mM@{;8vCH*6SOYOY~2v=Dq53;Xdu9EM<$h@t7BRS1U!SS*2|~f0RmA)6tuY+asqA<=s>zzz zI$14j0oFWzLKCzq-Ga$s=AmR};j#%X6FDpFzU!;C49rWH0LZ@x*CQo-=9P>blm*cf zr*loxIW#$0N$@(@Q_KbVUdmYr=bAUTGVl+{aJ4JhTY1+dTuFyD+>aaz0{s zbW?&gO^bb@mLlhe$>d}_bS1-zz@VAv&7s@yC&*V6X8$~Mv9c1-x80&c%x0NFsq$K; zLiV$5nwy5+XJ&bMEuo$33%^UQNHtDs6$ZzIfzGa8j4}pmZe8ln^JK!MzgF*EF3#cq z__&xLZqIARQeP`iRommSRDf&O?LUBGPy>^1&>s@=3VpCX5xx@&iEws5F9svqP|h6*N3 zMu$G0-G3ulfr(6I|Ge&Vkb__Lk`9Iq@%R{oUQ(wV#Xs)KA{?Be!Oc)^iN7Lsb7>F! z3*IR*Sw_VGqa-L-NoLjXb5s)NhZ6Iar)u?Y8-G;B9%J6}6LrO!6;zr49V)vJ8f zhV-j?oGOwNb1F+d^6`u#x-geL^d<9)FQpxq>H1D?o4b)CMJr49y_lDWu(z8_t-i>6 z`lic+rSsFvL#c+_d=$Fe+C%2cn1KO;#gD6Q7&#E~A+q7)KRZ-v!XVlMxMA=u0k zBBycjW5M?xxKJ^PgF=ad(2!xS@b;Tbp46$R+4k${oLTI9rXlZx`vSV7?fGz*=EeIk zYu+s!t|>|yH)28TG-$ULGISZNL)mEmx&=%a3A^*J z7wPFaem5~WsVPxcrR9*RE>ap3KYR5nRl${zCzxWC#r znMIEEA=^p8i|viq``tE&YkpAD@3~DqovxF$MAKiC-eQdQZCo#8z#1<8b)(xmnmVLOo4SN2T^yJEUy?M*QGu!=+!05{71+zL!qQgyA0!EB$`np!&Xz*~1*aJ9jeV z%Ef^p#=E;6Db%dQ%2c3L&96=Fz}@>2>pd~8->vm?02%k!%x16CbFUm17tIvSsEKhh znR111ilGt8n!Eyax4`jiTHEv8@pbo^e{JXyhl(k`qQ@*&u_n7QEdKs zOA0vh!>3p^<91_DK{HcuFt_^I@y57f9w~Hp0m4plOQY)oMk>^yiZX24$hjaW}n{JpC4QC zcRxKSY79A~2Df<6zsV5RCy^H{HYPK$LZ_ZtJI(m(hXq8;?Gq{Em`{p<1N_7tI6C1S zzj;nCHYwDd50;Q6Zu`3~0cUp$LvMD!1Z@x-*^%ipLrE$sR#V2*FDU;TYn=$3mouHm z__d2MR!PxC8ZkcV1HxJAsbgaSzV3%bj&&=|8R+lsPTXiT&~T>$Ikk;gXY3>G=V=bI zI{s>KQNOe?zhXMtfhDA=EgU8URTjX~am!Tap@aFKPPgVtJw3h|Fvjxm5Nc)en|}ecQdg zMVBhj*QhhiFrxc$hFL81JPzg`gYI7ZrKSV)ZJ60`wD8Eg^OS3gb;RjYQ(X{ufXu*EV;G1!AUCpM2&oFw5;a}+ z8!Woc7|aL;Z)j8#&RAgPLcuhHc~HwiTKrcm@p;ms#-5kX6Dp4U7z*rK63@TVh_PZv4p$TrO(vKe_jWTF21cV!DYqB0#D>C+5f=2;LR9IUh+KO5P)vB}ELW zHGaOE)G9NOMGF{Y-Pc30A*E4MA`RJdeUt@IV0)Of+uBUdbPb2>!z}B9RYmxd*MQ7~ zT!wxnX((2LhK;9>_9C_`ER;}dhovU?k$P5u|Ju&&U1zQo<%2I@5G4~fcsKcDUv>m+ zOapdXMQeUUiL~=rps!XqgRE__C8H(iPqlmZ)huE;L)8?vQM^(|tT32d8C$ z8OA&Ym6SihSFf)+>sdS(l#awn)K(0(8Fp%ww?4R!yIT;kt{fUFa zkn~gqb4C38V4~^EZfEY7Lm8p>p#+k5TPK~CRy_0kNf*l*hlq=%9Lj*Zg?guDStb_W 
zgNvN%PcL(HrH-n^s0JY+suB2>2~=t_!}!?5P>-KA4p#_RE$LCa*WQjNU=1?!e4vC6 zm&Z_$38G=9QSh=?cgKOwH$K_<;vDfs^2P!pjm0T(YASir!>LEU)7fR)kEDA!ZT1x$ z(|SDFm&#Rey#eVstoSkQw6fRrNZ966e1gA^b;+adFQ(v@7oiX_MLa7-D4R4s5g{;v z9_O^T+|YZw!^-M(%CuBxoCp1N!$}(`t;L)LRUn(2$Sj8sJoeYU#KfDZ6U&s<>GPeGajxlaT{Z zqUo3bhC7>&Jo}TMct&|7+e>{^_4+_xm`o)Sxy~nBF*;J~V}T!i%kO~*B6!Yd@u6L?T4UM?wzq|)f z03ZxI>2ZiUMV!AczIpi)Ii?p|q?1Af5CNRr^W+|@dB2GnG$zl}-?FQ~nIrOWRQEH} z?0P5A7n*4!pwdC2XvWOobS>6xwLzA*O{L9bykKZZoR1yiB=Yp!?6{;=_L)1VFW^?m zuJsj4S3qA$pzh6^r?lvb^O3^}d2BLJ=}4-6IF9O*4dW%Mg=;7daR|TCq9RD9XA2G6 zwKLi1oh?}<{6J9^+2&@4b^CJgKc=G1X9MASI{_~% zg96$SH&GO0^Tz)a9Uud^urRTt-K0s`tgRWvu>t|?Z{oKPJ!+OeJ7vmd7!WH-hpdwR zrh-=ZGs))-YAD)#^9<^DRDa^X<=@B# z{f=g6RD8s)l^daIrC5G&FiqL^*YKo^#i?oAGZ@*+`UN<9{P+};9hCDgCPhk|0E-=1EX#F~{9HGUT}D*4$+QP-c+IH% z^~&pywP*zS{Rwi+Y%-)E{$?}}nIx41ZVB7nGCNkM8j7T-`S>+AFDws5w{aE`>8|Ou zA3n`BSa3pWp7~1Ca?BC2Uy|p0IfFU1tFcfUIXasoHz=QDvp$yni z=5f&bBo*k-#c!RgWp5_)jV?;?G#Lw2gTTK@6(b<&@g{p7XBs4bco~5%%3lNnW7M8K z{&s!peg*^q*V}E~v*N|h_aUJZkM1n)Z|*1_l~aItW3b>fCyq0PrGxMr<6#;Nui=Z00{i?>v@#*dpOZHxfSXA6T9Vgr$89cR}bmuq5Cw+4$t33RrQ_#$r`~ z<3}b5;Jna(geh_onf%X#(a$&AoWmKh z`xyq)*}ZTE6EYzT)mxG+v({ztGxKsB@*<&J@r>#0eR1*|4`k!&U+&fah~9-`PFGK> zl%zOl(3|{u+rc0Yd`@aBhB==ix4iaO2X{^V-L9|KPYag*#P;R1-wiyeeC1tEccZ`r z3cl%DqXePS%z*%ks|l8{u>?WFnY9c=aos?UPaH8joWwy*=$VXI@uVFO#)7akMCEcj zWSfP{?+K-=-EAHUfnC|aPICjQSnH|L7_Vy>a( zm+nuEJdP%hrTkAer|6BvFAiINij2~X#ou!Gq8-BW<@>Snfh11R(Fyk@7beuxj} zd&fSmw|T2$Tn1P~z~${#yUR{!^Wl7DyB~7f3!hcRy)|ia?8T!b_k#I5(`?wU4cvTO z_(9&6_J4(K^Sgy9-pvc_I*F}mhC$DD+n9PoUL%N_-U^KTPwCtyu(z~fr; zx1VKV=#TQu((ivSKr?d=m`?~rshv43L9yGpRD_5PIQLh!-rzx+=%x$|Bd(SoRnn9m zh&|Bwj@3cQ2neff3bTXUEEK`)leD>V#OxHgtV)951?qvc3$swC+xqy zw>UAWLOl(tB^K7bLgx&p%bNs$hYG1e@pRUE zfYJ!%wt>ALvTy4Lkht_u9R{?jH`u0rp{Kfk<&+fjuILcVe$K2O`lbX!;)dkh5dy{>SMx&pB{mBJX>GVG{`OYN!gV?+7pX4lej0lBf6Ikz32i(K zqRb3vQszM$nNt;&%3D?vgqA{_=BCeQ+Di6~@Eu#OOA-YHNRVBL+PDzN7Jy5%>|K>;lyVsyMmCLRn z*MvhO()*JV<)6K|o%jBb!usfu<2kB15rX3Ou57&g5INU+7 
zBY0KMHl8Y>S=t_pk!?^()-}@U;Gs$Gte=41%H_h&-?0mvTg$V9$U4~aUi2BzHT-xu zFSP(Xf-wOo7yM1PR}I~ej$FyxVS5Q= zxRzb28g0q#OGrl=BVg?~a)Qzf73cm09a_E743K+!XL?1#7qoU!WyJ)-ymH@jRPpcYMa;}!7Mq*qIQ#wRL#Qn zmUmxY6*B_8M4&30riGN>L1EPmir_#8Sa?L2ms2zuFsty-uZ{;LO@=o<%YBZcx_UeF z15t0=|0W{kCSuXwJ~2H>K0ci>v)`2sH#h2)Ykhf5{D0!?#*7Vo?vUqlGd0sGfA*%N zaw>2CdUM@4XTcMi2xlVkI#=ik>;_7I9seg7!7qTr8) z2oR_uU_nqI6yg+PSQ-k(0)l)r>c$w zV0wCc(LW_z8-_Y-^lPf@`s0zfJ092!<)lOF+CV?N3OCE&ix`l>0o_YvjTf2m2TpUr zwPANJulj^v&YiM}zjUA~U37IKZ#x$b47|L&V2BwL*mMRDc6Nmh0j6`SlFfl%inw;h zkSUm1NQsg@aVqDIGW$myE_l@dUTauz&ezuQr$2SPx!2lAT=GX?GyrS}7YiPy@s(^eh4-!3@Mk~kn#@}wg6)V|0L7Enzw&2c?=GY01N4i+=-WbI z7(w*tKJLzl2hhksLecB3qI3T23}XRC zsZ{KrsGxQ6FoMrP8kSlM*M{nP-)ya0Fw&!v`JyX_nhi zs@Wu%S#jkx+t^P3{3~V3OA@=1_!`6dW)*5A7 z15RsET}46GfsDP2J76gKQzA_fgctsoBwMD8=e8tADSXOFfQDmwHJ1i&g3-F0-ut;@ z5p0F8UDJC8+HtRvhzsUoBOkt=yO6iXujJSbq_(mu@K~kHOy4kR6%Lqhu=~XWD84x9 zJ2?a@j4qc?@E!^~W=7&YOo3f25lG#^SMcBMrjBhc(}V01$a=?|ezsVln%aWb-r_gk z*yz?~&x5%(|CJf;j7!cxipn!wSn$3;FniQh=BI4s%IS_Topap!#zF#>%;7>ktFHx0>&cdC`}nS{bQ1Ew`n`$KZ`*2|*XUKiKKBs`MSynn41Mz zH}WZ~3p=`*mBI*2q@!xnODe*m`1)zDzUW&yEOM_G+mld{xc7sY1;h>DTo%LJdIMbG zX=s{0m{gh(0;kbrTRP-)Pe*r1wo4He;jF;Er$bWmsuuj2Sfs~@qP~+Gxgp#((`QT@ z8alyAQSy{OCIy(;-(D`>pkWd?&Aq!iT4Q?77t@*Sw@JAu74*b$vFfgw=g6W%kB3Of z-8TCH39P~U;OY;_Bd=^R|37<;?wg~gajtYZs6kW8>tJ|WTU_0F{;p5GnviJ#9Ykn2 zTo`TjcB}C?KzdLuaKQ2hyAjvMwP%D)NY~w)Z<#`+h53BqyrOK4=3kt0-)d}Yh7YI~ zS!fCKR`8Zc1osq8(%#=V>xSZ(1>rgfHoNUBOc*D{`M8YjRc5-r=S$M|h!(Hpp)6#{ zr4}VG{}`wcV_+E+dhKl8au)9PzH_muko(Hf8o=OY5}=AM8=%q=t)TMb{!sek6P@N- z;R>OHna#QLTf#`u;qRt^BAvXNQQ}sXEvc-Ao5UjJqZ`tmin6as{T48Tfk^{>WBJ_T zyMos%WrZrbJWLuPCG$FVS*n=l!-58bzR#zUQhO8t+k`dV)Vobn81nQGM!{p!8-B}) z`c1CUXa8nn7e16)Y1$lc|1-H%uYyM0bMK@;CH&aF;~}O{8olVF!U1O0dnF6xhm3m9 z=rJJIMGn}b0S@eRWS^vlPYjqb3`;0%I-Z}88SZZbgeumDl#ZAO|idpASEbWs!K zGqgg>BhTM9(l{ZV%%MkLmtIbpSI@DQa)cT=^*f*FuHobL_PO#=eUL5?ZI6{s5*8jJ zWMgXX9X7|o2)0PkFn&;_U7wcWRAkvn&)$I_8W7uPbm^hShh1Kf-&vI@OLYD?CF6i3 zhC7GYmXP7Q=txkY75&(Eh>pmo#sY*vCinpcUWXZm&Mlu#iQLn?uF(P 
zK>ElqU?MKNTbEaPty0^o@wYpzjd#*W@R~;2>s4-*5GsBC1`+B%g%O6GVl_^q$wbZz zyw~buCtIRy(hO5FPqOhbMopCKRo)8!0k6U?+HRX8U*F#n9UiIwmbzMIw6-F7?b=B; z9OLx9veva38M0Lo7@K^6{vxZha7-=qKXVx;(+=%WhXv!md zEPJwRS+yfSDT{ZgS+NxaBMbWAb$l(uXsxzAOm1^AvMh%7+glkJf?c~+mqcz`xp;|<0kT`gJ?5vh0_2Qiz5T;sKB#DJ|I z|Klnc#*;UT`ZJ$3unH^v?k;#>EX*OHxX6|q@bc}sOSa#-1jY53`&PS;xiJL)HV6{Z z{jR5-k?d+;NVUNggbrHfb47e`Z@-51gUGMjp#X;lo-RJ^pQEuitSe7=4O>)KCVf_T zHFm;)t<#`%9}|)fuP4^<6RECspS?eN9`sUwW?}TQ;ze`AdDf*yXi!b2kuaP$}N&9 zsmB||3P46Ztx18fz$7UUl-l*YPK(Bz z8km8kuDQsM2SVs~f(3+xJNOlqJ-?nr0lDVQzhMEFw_fey4lkY+K4Q&hyIDwNlpp^| z;fou4J(Iu%4J0~_5E7?-p+Dm#h3I~Q?8C(U@ld+>Ap!DFdTcMx2d1+8P9ARm#S-p3 zsg=;1@ z3Rl0J)jML!O4K64$2_(kJL8fQg&>Dxfb2e}dNCEtnz}#G7`#c~p`QVbxfqO+U`*+B5&-=9MAb`CzY_gPQ=5-1izIxR4fueI5+)V^nsuT^mid4oJ9qoyZODZSD`xU)(!L2eS3LocI+>qgvN-C=xnfM9DPHd z&r2tD!Np^zZtT5Tpnl|sJF0l$K8!#hVL=NBy)pN*cHw}hVR2GYt}Ur^Ils}&$pXuO zWVp(@wo9h(Su7jt6)ImyIh>_hv=ioo(D)Jl4(dR`G9i%Hd9-D%mpp-&cs}i{ePMlE zF?K#=^fo}tD=wst-{DZarHwcl^5iW4lXX-@vps3=!vffAG6pgfX+U;T;BymtKwa!It#hd9rvSB#o)P^`oDGZ=o(w&S2*@}RVVk!2x zc`nhLkd93wNZaMB-&-y()Ksw+V{;>2o?E-x%tulcpv_TsenUcHQ_}zVq1iCTM;c_W zQ^0O$=@r|n7B}t!;NhmoiSX2}b#00+n#u0L!Oe#VY|izZhxd25D<`z9ulj7WS;(Up zs8;iOKki|Q>fF3s`U!z+DEnM&50j0v1)nN9u}ri;fsn44*K9u;D+XuKUPY@h zCrNAD$dFf}t(n%`B9tXe0(TtH%N(ZCZ--7*>Sy-=WeF&d#B|!rNFBPJks74y1A%wU zFKyQVp>tH@gIRzEP9H(o5w<7tF7&_&{2_%FlzS(?bfr&mtSh2bLoDcm4H)jKyt+DV z*2}9QnVKjLa(CdT`yfxWx34I{f;r3_`^(SfSmH`Ztozj5BWVg85EI#-EOo!9ht-5z zvWw)2mGVEH{PE*u%r4C|(FM^i%R%@Xp1MhF02_W6vrWkxNN>(O3wo@UC3QKwse#@Q ziVaMg-B);$bNp$I(mm<08&{lwK!Mj@<@_)5v4*YugUP#{}~+_ z(j|YUtcWhSw=@vV`0%?#1D&9uASgFPvWms>3$vb&{3aVi?GG$C#!Dx=b3TJhpJFx_ zur$Z2j{8G__pjSA9K`EDf?B!|xb*i(=nXsRTZgna#W+~!aR5{dvA;Vd2T!Pnz74d6!ukc8etj(bG9cuE%%MW5w+?tMqU`~?D!`+85i z^XBnR{K2Y64yg)I``*5_|7Y5;qol#-$Y-D2&f?Jeyz-UL=y%JxRu2fNix-AfYp$Mc zA21}5DglC%-#a_Fs#%|pMuXV-z|w1@s$l83M@d2;=px(P@Y%2V$^qe=+>jI^REmGR z64?2!ep&(Oyi)+~Z0}*aCuL9h#2u85D45~Rck2Nd25>C<)J$w>kZH(LY*_mp$M}k@ zVMi;dY+LWu%|kAD41i>Ow>8}d^V_EPtEGQ(pS(#=pfsK;D@}aFB864@!roPSuYR4w 
z#FF9w7;Cxk`mJ8i3@U~vFOG9lBNdWwGMc416M(Y{JhE6{jD;4=+PvRLJZ@((sjP6- zo!jM~uN3oXoM!O|9=q%~#5kjsi-3X4Skf`V7s2SM#9CSqxa>V3Fm+{RYJx&CycGNc zPJI#&jZe{JHj%o*s4CZXxK01$d#q;0ty1y?0^sR8->W}kEkr-bpQo3B$DV$mRj8#{ zM--g!pd%YXjlN_2BAQ2sW5-8?f()we$Q4;^w%{?R1X7&u$?uz1AXPz=X}o6dypjn^T5t^yH!Kcm%-^uGLY zZh<_&vFag)v*Sp?pfQTFY3&-h-e z-Q&yU95Sr2z*iXPN19(h6vZT9NTp)(HnU)2TCfjw+3w*fCM)2WnOt{AjdgF9B;0l) zFZ-5hHjjA5jdGiJuJl%O_)itcB_fVn-OyJ*f{?}(=>-;0sWg%ESQTyc`_reWY_&jT z>r;`F1@WYXIoyv%V6*D@onN1xE#cxm9)guU}n+Rm0n3(MVhD z3$D7p@E?B2&D*0*q4t6sH&8Or4_GrD#N_B}>(u+w@wIek3ICBxga;Rv zAT>1NE4C_`B$#pX4}^iAkMA}L#?!ce$`^lM-`R~6g}vS3cz#ML`!4#mr<--ou6ZYj za236Hh?}v!_P`rNC0`rS6QnFc_?7SRBjb&jP<75Fy1$92$CH9I+N~#PGrt zBR3iw_;jU(#it%TP?sC*8c729nb!F_P~~P#X0x|J-`v?$x;`|)|D)pCQa61hCDg=Y z!BVEQHe>UgL@8c6nm7Vi5{gEyCqoPj!?76yQZCW%E=jH={6G|)$h%d$#|TcOKO*%9 zvb#hyKqQQF3|PdTra#55O3iB@j@mw@47|dP(hN);l{%+*EWF5%s+2EGqQ@(O(Qzev zzQ)IlkLLF9fH%*9mT%4I6bzy5%m*Ey!@W~RfRy@xyFqg}v!U7HL4*o8H;Qsh5KgVE z5{ep=dcPgj>Pp~HCvk(YIy9sNT487PI&vu6WEHhdvo8{iIrzrtnk=y3Ib4Y8oJ!Zz z6>{n}{yo0j?=D6(h<&VZ#5+dDFa*PImBThgK~XuvfQ`OWR_uteRdV%5!J(wkn?ar& z7N@|JCKxMnr7v8`G%yVj+rs6-leHNI) z4a%*xcW{m)!7B&T?KIB6Ga?(;Vg+n@&NqC7H&pBqH@OvMku9lrp{B3u9$0jPHT(HVj=aC~iHcN56*cJHeUk?Gb7QOlJ@(`yd^H{JmkrdzHwG9k2^A z(FM%;c7Yu`RfRhYAf%M+k2Y3$AF4}R>Tg!dKF@Y3gjruFzQX)=|Me>p;OVK8Yhk!O z;gTn`Ko$`Gs$qC9t_Nn<1LwZEHGN_tfe4E)C0(e00A^7Iu$*>=5bGN1Z4*x>n|v=j z6vN#P-8(@i#^(e9=chx7i+OaHB zpvFAX=nHB`xWj5=0e1pNsQ=;VgdHu`xV$2jLw4EU(fw-u4eDZmyMw557QJUWYRPT;H#XOQ@CA*-zUM13 z1ImhBxX*K-$A3K5acNOYycSvOn0$XpyEHv-ebTc>JW=5ToyUTk7ovxY{l>xAT{xr@ z#fqjK9jBJb)+mI)|C~tiZJ^DpEP1=m_U4aBKrWpn-W@8o(@a}iPq*vl0EX2Nc-IAy z^&fpmi~sJQ{ERPZ^mDE|zXxu@!Yb)aJ#DJK<(sfj5T3~QxwHkZpCwPVeLog2`Hj2T zek})1R6)#PtER-jCq$5W<75(@*0iT$|+tWd_mDa#f1D2-YQd9z}!*@*gv zMdoY3hC7+Y{d571-vOFCKscVT>W|zqApMAW8`#zahO7~xy>GL6ONOJCX(Ry)oDMqz-F2BK( zi|UgY$(v$0fc*zRq6a&qanbd_d=G=o0W58<R+JCGedLaD?-zoHK?edA6`t79&8O_e=eDxp1F-M5?JeLw)3fNQz>2lev^&p_fIY zL0|A+yu>`jsZMZuI77R%NMRvH5L!nS`o;6lBAd~&{SM>k2QY8TrfVPd=Cf@H+#V7z 
zJPNP=aXZY)Fh9Z`UHEM8XSjDJSstDm8AH{Xs=JSVd?Z=OGIg2VD3QJWLpUiPUR*kU z(et`wP7qXM`!0jDyyEg3{>*eNi^(rGjILm_fYwJJF|Vf29Xn`5glu;9x9Swo)4K2V>HA+Rcq+Lnj9wHBO)>}_(zcDQi%_EXkax^Z8 zs;7S-aOM?+H|A2gg6QMr{%C4r4a9K_dHrJ4E9!;av5ASN@PWp2@ws1OMl~O*q7f!o z5m9|1g5L=E$4pJ93uO}mq-2;gcxWJQe?p>9`f@*4jqyOjyMeNZd_Rw;8P@_@3nHw; zE*}!2>sg?AXn6V0Z+n_@(7#cIlBi*%IaeV*PNhA1o?k|@@7nZGOx$oS6bvtNDUl=L z?KXktkq7otPkFP6x=aN>(TccDyzdHF+@HQUoyevd6c2VKunR(dH#SXS^_%rv}i4I?BPBEtnKbq6s$SC8I!ek;K`ZZZzqUXNurrz^F-h_^@397Q>%F|X^$CP0{D zyUl+9Ne`jO_f(>2?|KeTlX*~OwtH4Mn=YymE@hYS`Wr6}nW>jy-K?e4Z6NszV0@?b z@Uz);jM@C-8*-@#PS!s9oPs}GqJdwWVNXENUDCVV-h@J|P`NeG-{8~ra z97s%>YX5jbfJTh<>9mhG5lYO@M6Nks8HH6L-g4djeU%4=X)*%1qWWIpA33lKuDPS$ z);T*_%f+J2P{uK0!v{PcAEFaOMN7Xff1w$W1OZF642mwO$LJxo6L z6)}om8-C(c17wF==@;!ihn`GE(cr&KGNy2E`9R;%|0F;iFwRAj*rJ9~+G#<93 zWr_^ef`N&c0wnN^a^OLskfI{tpc^Xb%3N%k@~>gGwBayicgahScT3hb=5ZfrFtzL< zz^-7I>gM*??uq^`ia(#k$4k;E(Q~BB$powhYq87uIj^3K{&foVjMr;r`Db5V-^~p+ ztFtOp0py)@-~mF*FCY3E3UlKyt!?&W+r71IMlXqwrYj91EUj1QI-EsMg*K#Q8!|^O znnFj;y$c*37gDIei0#02n%;8O6kAf#3~wZW^!Lc3wE6Rh52 z(by)w0@a3oyQudNsxu}ZX8TR>e(B&nxOwkq12wSWUyA>YsU9hDjiKrEQ^OacvN>%{ zDqLm}7RfU%-2~I=e{|w~xqu+uASs>t5=u)f0;05nbR#J#UAy0Y|6s3sXXczab7meX z!ERQ2tKM%i^l%dI+d}znXD!~aZYjJLD#P{gdkLu4VdMpk{pa$cLczCfVmdOveGs#2 zYw=t_+>MK!_4Hs#btp*)s`Yst;BO>ps&REu0OgjWi#vRJjf?k6R)5)BD0afVlL zv=efN@9Yx2+>k*iM(9CArN?6RVd!mgV}mR#WCILowfIEiM1?`Y`Nyn}vv|RfEprf} zod-Cc*Zx;mG^zZ+Oe#YEQIg6r&??^+n z((%D>Bg5`pw6&PfoHP1}mAF|Q;r+bMcU)qoM;}h}7*a$wTyNG-HZINuw!t=U$$wJ5 zWZ%B&)6@z*M9IB{IYdiPT_z%XywK!Qw+%fryr0vx(@E<(!G?;4?NUra91 z3#7|T-J(g5pL9Q&JzlV*5(`i-H#X{s{QH6RHZS5!_UTzVe}w1xlaB89p6pbn&u-hv z=&Y?}R@$~!oBtp9r?$=LoQ5A)`v+>yZ_A{MPZFwK@es9t2Yi80JA)?ylMrc2v71z& zGTq3lL2!{T!C;J-NfBtoaE7Q zLaUdQps%kbJN27$3ye=5iclu^yDyLE5o<&dKI`61{_ltX!;Wx`@C+&ln`p<}4+*Q+ zK?Gt%M-NG&ygPZJE0O3cn!;P7oV{NN)dxW9Hs;?-p@BYZz-^npeiA@(1%kgy|7a!aZd1- z=0kC!zIzaOYHOC>i{J-+0zAppvE(1}D-NX$BsU3AIj$4U}TrZpLf_hIv_VNVj? 
zU9h0T-Z-P*q{sZH2G&9~v-buabX>}+M8wtcR8x}qp0Y&;Sva}U6@9%lfUAp227%=o z<+l}I$8MQj1)f0N9qfOGo;@_`{sdR?(swAnkI9hH>oF>Vc1V??>wax-4m?EVrx{re zvF;lYsVrgxk8kBe4+S(cfBLLDld-w7gf*A~9u338lf%;E2MU3NU0JAc0Y;Bx$I#0gL;J@a43AK>7O}*O!`?dJ_DEXp zrY`@x5%^?=B}%R{Ly?o&A-{!oyQlOgT9ykcwJ);YupS9Z|R+PS|41ql&!LpV1CK&a$gm~W>d;!Qm5V;FeZAx zcjVD-64)NDq8I28e}fevnBkG{crOK83qW^XmwX=ohpD^YeVB&N4rJkrhMWF8_wUyP z-GpZlK#j(|8^A12@sutKQ~mJti=(39HTYg>iANNKXE>Fu;>E@f<7$Y^ED;`ubnxn}!#|c< z_=VnTo9D~iL!BLy{wrr{xcwFR?-Vx3O8G|CE|(}5y_xjrAG<0qL0+{-Un+a$ljAkR%hhzxZ_6to1^}WKWaBO8&q!6#~`@{B$&z z?fW9D2pm2r&Cvr##bLrAFl8Ytv=w^ef}%#dST5qX;jA{7GAv~`*%h*Kd1!)plSul*)k~#+3!T^Q6q>E*8631uby4u zaU+>hZ?5>6B3kh2R&LhUn@Z;)>FI^Rgs9#+2BLiICY(t3AGh~Qm?p5nwq||KYK%S* zSdp;6EVish^@S%f zHv~AoKtP{lj5}yuYQhIevu8@6h(`a--x0svS8f6s^onlf)R%eYLc1%vb&GUTqTjjU zET3(u-L1tMJjD`-`$+z{wEJIknS#N-Jyd z@J$M0^1N(MjP(ybS(AL|W1kbnErDB?HHohdkU_+Z79aNG1}xzR$1tj*A=!=X$T$8>*Z>sHmgK!@YNU{7@7 zu={9ZbAW8ZTObh1*;oav*lsX+CKIP$`*O6cE41i?FAnHr0>+Ye00gqs2VS3M4O&)p z`i5mmeb#x32gdsoB|^DrCMO1E@4gm&eUr(J1?pO}4F1^oavJOW7aW>9su~ckJcxB9 zXT}8MK>FcxGeL+I;#fEE)b*Du=z4S}aO$lExf39cR;Hr|uoCHVIC{)~SnxN)H`%6} z(qWX!_b%?AkZLr7AEbBj^AIQXqthv~gRv^4v=227!a7t>Ce?MdCu~PW-@@^;g8|&0 z7xx@;X3G5MyG7oB0M^$BzR|RvpoE6^LdL=z5@c6+Xl2z+duyblgUcMYd-iN7 z{h5qL_4Ho@F*sMxA4vVqZyw5jj3gt}ua*<~hRODM_*3TS6+X7q`48AESezF! 
z?1(-XSXg_aEp=qlIO_T}s%bnXn5TbY`LNi{r zF8};CCKO4r#~0MH>%Z2ie?_We_O=yqoYXSNAJS@EEZW^i`}`l-_m7GL%!Jn1YINS; zkobQNDDO`Q-JqR0Z3pt2#GhS}Go;vu^%_?0$<|z!I(2!D@+M|Ctp>{#4s{;JU#Q5* z=htnhFG;H+qGGww;!-rhKw%%DML;*c#n6Dz3!T?aRhI!pX?J^YfAe=uEW1&c zr>$+1lutpCe|YfH@=s*D|gyJ3krvJ|(KR26M2)9UM zZ|3kt=!c0tRTpU0(wt0Z^#pxtq<`9ENU`W(9*qmOHmDE^1e;_T87$XdzV% zPld=rPvUKa%Q=D)M2C$qvCN%JP4y;+G;e5FqW*p!ct3MJmG`84HDAm?oJgJgV=4?D zf%k&?b@V6jDyhsMD7a4T9y8D#O5OuQGo@^{yFTFM)e;8)X2}lC;&kQ<3uDF;Ln2gx zeGFBh-a@fYT9r7f7^rvbnc|;@oqPVIBnN`duPhNo#mQ2UL33>caCtEqptjtGC_m;v zzuRR4<>N1V_ep@n&qywYQH?gmZJ}k6YWFy5Zpca$D^vX3-D*EKtaF=o^Jz3n5kQ!_ zJ>ndHACQj4cnhG=l||^{oF6Rj#%xnzWj3&+VBe|F@2SL%`*Ex)kV4GGG6@e|YE^ty}A)1SSHgTpzCdJIaa z`|q!AH|qRMYpEOQB68~t$i#SC|4<=x`HI##2~Az=tU1k#LFi$IQI*zlm91KJ7dwL;vR8`1fRf>GGUWd_w>Jm-dhyr(5JCVX|w$`hT)gaIpN7 z6p*{@II4i$cOSle=w6^(I>}YjddrW{$YwkiQg?MCq6IOhZ&-*yzMp+OfQ!B!QBa?u zEGM>PO~vhJ&ov%gXrisv_tJeBejdAOorpQO`I)p4D>@}G&Q^*0TSj1D zn0CouR&M9NJbSk*t#{@8g1}Rv9^sh%_|<^Gjh{5OGu6(WKO3Lu3a-po2CP5ig0&@$ zz%8II>+|1!d>Ys=)v^nta4IS)l+@{(4T9Er!k50wjfVgD&Nvo!Irnt2hm@+AwTk`w z(bq~=xr>&LXV5Xx23#C#oLdEjD#(e#NzbpN=1S$qs{lx@Vb6A@WY&J4UZiYKXS-Zt zEGGbd##)a5C0gGf2>qO3w3YE-d~91Lg|45yD&0Z+Y_n=sCYR|nDwJ_79#iM%f@(O) zi(=s#D;T)`+Y43*UI#)zYa6}MDS`tRJbNPw*5j}Mg5@ak=y`%V^6KL{4tRAueTO|% zx$P00iyqYZb+>4JPYqQn$xp3mlC{1!cX4IGJA2^mwUK`i?RoQeYYbJbTW>poeBvv7ncAB9AYa{>e^OMkhwgSmd$OrVjME4txX7sqS@U(p^6H!rQp z()*OXa-PpE@B{$qbx%jw?<%6=nD-qkn zq|kEA2(9t2wT6rZZv>JIZbMBKq1cA2o$s_Ms<)5PIxSm?`LB|CKg$b0kTbcO9BUyj zt$fR8dV#!V6}ej-QhkHi5J?jH_51ki1#4I4P%@o(sMTPZVh-k_;2PP#Ap)&1CM80v z?4T~%YFii>*Ex+6L14G@Yx#}^u$z0y)k)(4(RO>Up>LZxlA?S*E$)&M9HPjoCqFCz zk=SBWSa(dDz%wj(cxmb+9qZBxK>Q0Q#}=CtpyNfwi_5kJ5@P>jiHXVau@waV-f__oak> zjqTm^-Pjjz8|d2M-DjnPyAH6g6$86R1}}{>{~)u@D*cLLIlrO17t=+qc7nsPSu!pa z1T>`LKG8mdY9?kR%;^^%P*>NU9$P00A9@@$kPeea2BR7kPuvXHW90RJ5xktoqSSP= zxoRPa^DcqF$Coujn(6!V_+IBa1aCpWVS(!_znA^wwg2w7rt}08Nz?3*ciXwbTB;xO zYHBNm`Nr11B9{S@O^@g@axGJt@xIuRIcV#W0EF#WBNX7l%?E<*_6dCCDM#vaBE$ID 
zd`)41z(T3$SHgmb7}lN1{~N*JI=XFioDvwnxWpv{2HriAsDXuuLar4WRUtq0&{$dD z@aFq466i1$Pv<2G8^V@>$t(W1m?xiv3`EuO?Y=r(4$*HD^|N7d>>#m%+ab=akX871 z6+@wcNYhPZ%1aUr^Da^c;^d$fR9uj9cR^G0SV!+trZ{rpO*=64U2r2w}>B>awZIYaKsL|L#-GCv)vIl8MMU zw;3+#KvFiMvBRWY*&r0J62fU-ez8+CMkZJL{JK*LEOmShwqaC9-h& zUxb=ZIrkCam+r@V{~<4*b{2YH=Jh>c!q{2%VSp-O;k~Lde-8k@GZ9BZ`-XNcjVuk` zq8V8AM;67B*dQ(*yz(pfwu}{Yc>pmg9DByOn;WC-PMghYpKq>N^DKa!ZBd7>7l8|E z7*~!|88;=`<#?j-c&}stIfIJq_uwc0mCuvLr8HxM;DFle=#)wpQlJ(e*5NQ+pmJ(? z4iPqFZ1Y2L4A3)rMFx-x@1fSbQs0wFS@Q4CerN4=3g>9Gy7>dgScG=pdy=KZY$sqh zK@z#K&YoQmlKLw(ptX8i8bi`pcSl9`!{`ey-VmUYYKCD?(3Hz%dX(2uc=US<|I9{3 z)lP=O6zS5~=}L<)Zbu^RA9eqRF~#Blqx;IMepPW!;>^Oj;qs=ZEb_oOs09j+Ox3+t z+#(i6?Q+Q1$hxNdMT5+fAGZuEC$JCc%0I*fTmR`}SVguqa+L~-AfdF179z4p=&;J9 zqwS&U67so$A}l;O<(RZB4Wb|(Ph4qWm#ng&8k+JZ0S)B~#^tAfezStbBw#3eZ*T9~ zxXfxumG)EW#ligki;NSUSZp~Fgn*<&DLK$e#YLvd;Z1ukoee^g=TYylLd5Y|UtOim z7AiuJ;FADr`DUsYl6RveESJK(nkIC0R8k#Hiq%uL19MkUf@fffx?aa4o(z^>Skjuu zl0XFQYI`*d%>P0*1V~QB;!K-c|;*hi0xKYRcr z6j^yNgsVr9`UJ+HjJiXQxl&zwjJ3-9dqws=g(jg`d0%b& zbqJ3z&fZ#%Yf@k2;EYb}TcN+d!|L%6uh8hblQzASb%()g>FS#yJ@R+4#mRxELwMn- zW3NNXnl@q8Io998=s7u~-_TC-e5bXhE3<_YIhakcW<|Hi3+lyUgWTs$Z!RBw zJTZ88DUx!@as2-J?pmbp8!q0_#J9UdDVxg?w^YaR+_Juey7zR#^o@`RdfPkPotR5W zc2u;N8y5q}_ks07-HUVQdFv*B8puF_Zi;Qr_goFkH@g|E8V zuDu;h%=hH~1YXN;kLoPk2;V)a%ISukEZ^+aGB3V}zb?!NtcSjWagfXR2r&slqyeN3 zW&h!!GG0eZ1i!+E`kV1F{_Tvcxlff3IY!*p)(Kk?)!U@mh%6+T>V-usx}`IEwTTz7 z>9{F#fJRwjq~Jtz=g8B8)#xxlS7aNQ7(Vd>8~ioIm?AeE;u9*=#;=`47ba^1D2kkH z(p&HH06=BY55}K5WlZx8(!0hhAg`NL!M&qg#dI4bLrn&QGmebzPo*^LQFV+RDy+JIKL?U4W1pMLdP zZ;Zu;7yWIN{*R?2^?I4b<$2peN*N8uAS;x~zh+fIW204l^JVcpYOuWmAu2=>jBOEB zI=jX}K~c6fMr|P`)9b9G5u<^K!i<9}1|vWH)QBU3{I@9sn55S6alv=&1=d}DpHT@I zFvA%X|LvkmZ;YcUjnKS-g7+L$A%JR+u^BHN7c8#XO>^Wf6TA=kR={7qsJIf$^Dk^D z;H*ylRNiANUIrw&%Vl~UQ6ACEwC-iZ!BZWAc?;$ zXFT^;8j(-3?zqKuyZyi~z?1`)-{}&;1tTT0iZ`@*ZaV;JJzF(yhm#pDi6gPJZ6W{t$ET<$)8`OTd1;gAy`3uWXju|>DAPJ!;9 zcKODixRumk<-Tr8bE&^o)$nRg(L5C>3RaQg!&yh0y1RfB8rIIg#@ISv46CJ*-2!Qu 
zHL-9c6(XG$o6coR#h-PW?#Z6Mw|PK7>Y@nguX)2o5<%XlW$Zy9ymY>ZgQsyFcd-A#_RVs4glESedLTcXHZFLIZWf8$Rk>%8bWqovd#~;1iyRrCdQ0{T1}{Cu z5f#5xihv-adyZzOx(&N# zkCEStE1Ce`@sUlCXSDZU{eVK-jouQ@9JK#&Brr&~9DIEvQJ_~7{$&M5$3Dtl2t|+q zse7W(8ko}EOA-?hiv+>aXF`aNjf8eIgLpr-CTfC0VJ9s_-0GSfB#B_{cA#j;Z2% zJLF||sT?>DdEv~{1$BktqtE&HUVj@nq!y~bqlCCOsLjSm(EPwQlc^z0-S>B!CM*?^ zWYkp8Kc(A6k04t`C@)yVpx0c%1}M_r{1RCCzws7c5#1Zugz34zGY%Ayt+$Gc!cB<8 zf%0uEk(vL%0&E3a?WP~7w5M-PrD2F5SL?K*t#5eXQW{>U_i}qUY#9RN!#M5;=>Of? zNt$EidIgms$x%HXz+fc)bKvcpr3!#Z2GtG`zob5~tLavsllY*N*JLF^S72-*@sh7+ zx%?-uZY<7FI|eP6+p_Z1^~T}8byUo>^QF%aF?i3zA>fFaV##V@kySpJ=tkaBT&)g= z&sPms5QeMPq;cJ{aP)19$mX&-a*%?Fjun^@EATt6}BL6TE_E*so&MBy+-zgCE z1U@eSSCmBfVgs{vss&#+q-l+*Hip|Q?<>->eOW!Jdz_8WlETrCo!@?fKh#}X#B$Wn z%JhM49z_j#aQl>~h(HIPItP*V?e9^8=MuMoUr&d7#qUEBVw1rQ094^Ihcs zBa(?QDJ0%V{A9VKDvM~a8}`=|)+e>5d=RVRI@ZDr#?3Cuue^b{XIB<-B*gU#F)YK z^~}fDf)&L2iyUtnqKch|C1z?5F|t$r z!RvhQ^tdE4Mw4$#8IgF%8QyAB9ZWGqlT6CDLH77%4%9l){=Xt7UNu}4Iufr)0#E*P zx{Mr&A&u-|3YnLSUA@F5-W^nZR z7mP>LFOHiP9DU50Or>1Wy{cUpHruak76CwY&FP>yD9;*<4=rarH9D9H@#c{m2ou)D zwp!gTLq-^~1&VKFlqk4rz4cb0n+&){ULQGTo9` zpLX&%twhsWjAjnYnp$LcoZdA0uZnh1D6kZvt$(>B7QsjS@G}1C5c~%N96PzT5X8N} zU>P_AUk+WA(JnJU5?w1qb6GcyW5#&d@#?A%zZc8>%H##`5jJW|qT!T-bqJ6G1miUd z0xZij@2n6skF|fJ`>IZw^lq|`)51s;0bT<+BzNVv(T&Y-r(V9*Nui6vk$rTfJQli( zZ~unj`P_|?JefKnn;?P@?=p~e%cwfxXeE#IpUSA@DP~=fi#QjaprS|K5mk%C#{zR1 z0MYXXf(YLW7Lo&S8u(syPGvks7>Nm8eL23J_~NzUO*;o1+y^l0D#psy}oF4vw z5Bn%xadEn3yPcEo(j2!=j)2!-frA=meDHyv68KZM*>u}In87=CqNKnpTUjxe;B>-K z`DI;Mi4Hj zKy3NeO%|xgFNtlNsj5I?sL4q2DoA*RFyp`r%P?;QaE#Z+=2XaoGdyj0(J0U#xOitg zEE9d_rkf}Gt6A^I*YoJX{*GW_Nl)+$Z8ZP&qn-}~lJZKA6XOs$z6X#giQJ74A} zcGKbpY-)^QT_$-@@Vy#S5+GpYj8C7_bL8VIVo>EOiK%XsA3`8Vw=6HPvN;3b>Xhil z|HPnxWZM@SB4Pr88KQpfCcm26G_)iFiUY})0!y1|Xwir5Ol066T0f*fvzC)u z;Qz;S^D4>WtsOw3Qq4Zw%ZnSuMyYrZppz&?6jX~E=`>aDXA#+CGX{&$2MLIVe3 zE(1eYKXu-DXYM@7IGP>F-b$CE)$4hS4lG`qMUUY5vCO(AO*#>~%Bw@meBlyyILzVS z?y11a_x5rUT zfv-#=aevAIL*y;fcF+&>%DJ*1yo$?(q(&AQ-XGrTPF7y5=o_u{yyudsqC6YhN1}8^ 
z0LLl6ZFW;?Psf@O2itEz3iij3MD;K**#g@o6)0_DjFKyWApa377S;l*S6IOPJR=a0 zWuV+Dm#n7iB-Hl^nq{M-e)Ffo=Cl_B9&r1<$bfa7#@ZyZ^LPx`wnyQ>5bNo{gath& zwuj#Gyf^EeynQE{&RJ`oTh_0d3&~Vx?JGr#eRWfHivIZIOdI?3-ubaB~ zgFivwF@RGtVtUWA6W|RH&?ttbBXGXhSPRW&rUk7cp`>t2LK%P|os-}aAcfTdSvE=m z3N~Ob(8r!GyS%^e`F1#&CRH93e8Y=qn2ev=D*2G(d*}4UB*OX~snb>R(|^tS`30T_ zFL{v)=r2=&s2sFKa%4&X0bOB>VOYP zQI)1~u_B*}nD(~|nSyotM`dky%lB9o?XPdq;Wvf$PJc`WGV+mWxrIJ%BpZcTca{lh z6hSSUcZ$ltE+iEDpqk70aH+T_o9k8rg?p>+mV_(4=ej{JIImN31$9PhBB*n9<9{yc|@>hlE*Z6CX79scN&i*XBE^B)wSq{e8(ZKZvv^vrHbEhE@g{qOYrwu@^zmTsqqNoAHD0S#SHeJH)1NX zkr1A9M<(q6J{Yy2lH(=RNxJ)gFcf09M!zP|Q7HKXL-@43eI4=Fz)u?SFhn}o`oCO( zK$~;Sz?1-FlP<@S>aaXsGf&}C9KNj7m)AQFGY|%f2hWFZ*b&ce3bLEHs9{W=LPNeW zc{88IRQgT-l-H{EL{4=a*vuZ%JB}3B~?>2z(C2n zx>X`6)l+RsQ2&Ss(0tSlIe)c=GW{G`+#41*Zi5Br`sWc|!zSM=h1`Kv*RPP$`}^E@ zVDGLcJiXwJBO)Z75g9IHc^^CrIBz7r}DFu{l^aw^jw2Y!dH zK>^lvc9NwS6ydWKb?7JH=7Rfwpq@G1-Gdtw50mHYK)`4_d$0z=t~O8-b=@I4ZcMCW ziunv8s_XybLfbx<%gqeGNc$KyI&v#WmB9i6kJqs$QW5SL1_e>wxINpgi5sv&s*e%t z24+LE=m5!NMZIeJWY-58ZKabPL^YH>U3@+tT(JI(WX4iC@}dnE&gJiF4mB#+WvTFP z-odOD`HjlnW0&6+QsRNo&i4}!ctn9!?B(?*jWsMVEsV#Sfy!HN5ykLy*310yicV}o zULA>JU^T(4Ny49YLRGjSK*v&aubt*TX!UrR{y9Yln2!ZtLobA2iP+ z%z4W*QW~4Dyc;Bk`2=?&dTUWF|8O2akXF3x0I#1_jJPW!i~{-p>h+}d>BsS&PCR3NC2jUTyTI~^S!%ntq%EYdphACQO8W-jr%o%{p6@uzXbg(_`hiNxa{Xj)y`%U-U*HS&`-RV98C0C%*eA-&Ks1Bk~W6>$2@@rK1lNl{!o z?Vt>ZFF=e-)jV|jL0{tV0wCh2qJQsSJ7;1Jw{<+^)j5sLl*qYokstHPG zQFsnM{ypv`b>88-c`DsPn*67VgiQ@gf=@YBkJdB#YSWpcKonyL`am1S>@oCaT-z8F zy1-)wSelb_lkz({PZ1m$ z|3{TVlebP)g!E?&2&Y5o9wf)YK=9A`!4KNDAO+tmV=dInBi{!&h~jQsyoO?^Bpau2 z?-X6TeX&jy%4i3&BJxB+W>nLa4x6#<>9&j{ORsi^Z{+s#XK`f2V3?r5hi*{i`2e$( zgOo~NjQ`KS*k(W>#cwj7|ZkSFC&bTy1hmEgM#&eja~ zm9Pc321dv^FC4_Y_{Fqd$UHWAbC+oOq+1iU4uyrp3j!_2 znoIIJ45(Xh=!7*HGYL=-7r}&q+HXF?0fKF$pPG04L#i3{lYl4ZlY}#&y!3F?J7*LV zml{MurD6(I84V8ufERaCnJd%)tW8iS61m-|c=OyI@5w6*-fvn2y3YZ`pedJjaF*@KyD`nO1>2A zhdJtIk0|hktiV!8-F{v^vYXGVNX>J)DXbr=SJ*%)nX-A&!5+eFp$u1~78*KFqy33X`pr^mn@Qq$6d>4gfAd*ArJK8k!GG}>EwW+fsVsCy4s&Ge*1mIzJ|=e1tq 
zaAU9F{Fyy^7x}NcbqMpn+Ufm2ZFJf2~jq~zRz9j-7DAXmfxT*UpOrB z$r2K2tw{t1lLyhmA^9 z`xc+R6T#qe;FcIzd2Q~AQYy+{RLd~4n$uE@va5)6Q5MgkS9DICFdt6#~V9t+b z6)=o*E#AHWSn~D5L`8(>f_dLi!+1@3fphf zF8!=BYs6S!;E=2GjsxScmhHqb)bzCNO$H2@%P569ZfL$$sJX$O0jjV*KN7jft4mMO zqh^0oc$p9Zz`Km6BY5(F%Ia=J791+};ue4(uoZ(CGPp2{PZtiU)%*@RU5-(_j95!X zK0{uI_+0C{Qbu~WO+GCQom~BJ99?1>eD-dY39FZ+gj(S%hX*}LXQ2!!ShLbZ-zewt zC{J&{z*wu{wtYKH!`+!O84YDQmV;G`0S&AfB*5`N)}l`!x#f`dh08gb!BO;#1>vj^ zFs2JR<^NkXECpO&+5d93=9@-bVI~oe63XdRlz=mV2@awkt3aNB^szw+UV?A0t4ZY%1Tt3Hv z@F2TG#1zM1m7W$8z1JKj-H@j=e+mQc17aPLgwMYKyuo-|fGBr~n||HU<`>IzFDV-9 z5k~hQGx0vOWwvS>V2+u@$N`6gB@5bC;ytFK+AWavGiIB(%`Xk{$Iv8)JT z^e_PK?4w`Yqx+sH>aPMegCDUo8;WtCIO`K>O-Cb$5UmKIn*v`A2#{QHC?_xFZYm$X z<$;hhL0Es(D@y48t_6Y|=@_AJ9pe-Aj`Mjt@EekV7n?R1le@ZyDtCP~& ze!*1vy<6ljBT}k_32a;Mu$`2L&ng-<{*6%ypDs50zG7DEz$)V@WVaxaunR$=%*J-N z?eZqevaI19F>J^3WOQhorB5~HMKbUYzkGp}J^z`??Dxzc{v?_qx$KHyat3>lN+V&_ zw*d`#>B};joU$m=Mi4_>rSb}aiYPXNVg$*N7B9QQnww>(_Ewi?zOm!;tQd4I?9K5@ z{}Z_tf8S6HS2;j~#^1=u-mOz@8}lDL58QOm1r>XHPerhiI0xlv-WveSdi*s32`5U* zI7pa_WWPl*v%Do=LdFA*i5HN2h76dI2Z{b%DJenc83VjstAS$|00j~djG~@TodxfU zq(#SjhW4?+xb`yVuLr?zrG8)a4v`-7;6to()Ao*B7|Kbl&@EcTz3CXR8|_vyh^Z7m z!>Pzp-YlfV2M1w!oyxp!=(C~BJIsPbaGv`S=kW6m{nPiFpSeCyT)jVuYY_=;iaYSb z{QMjh-w;ZerBP7I0LqU=T2UeaP|enf-=ejOIz5%=g7ZSEmi9ZED68 zM@DkMhJ&DB$6=P`IyHcx5MYapq z$1ca#*QGih9JHbDG5`lmIA<)3ztP|ZkB{7X%2f|ETx6#pGZJ$x6Xr zhm6JR4^b6U)gcNG`2d2Hv}Wx1TUQKORFTrFOx%qU+)sDR7$9MFmm&^lPyEIGfS@S; z^QO5DqY*LKHeLNp+Wj{_>kuDrTjY-(c(=@Zy7}e$pnrI^t22`(ihlQsnjFNic;JTU z94GQ~K0LWDRDy3jnNOyUx9OT?y@WAzAbfjX-3KYZ>}66JOSHojE-Y*E31xPqoa&8A z{hU-#BO=ex%MStDnenKqnA94IJ+F}a?tN6#8z^Yad*|+)SC>XqWt6{mb%&D%1KR5g zk$38)N4b?7BC2{=hfphu2CGwBgZC;t-382h{(#%8#>4qOrRTmBN2%6a^!@j!F%lws z9%A6gFhNeX9JFFPm$JKd(^au4LqFh>+%XX~717O{%^?m}q@ij3Wi2%H_)a3mufyKTmXN9XO&mFkn5Ikn}j6Bl|BHp@PvuUsGfeNnq6t1@tzBa z3?}qei}rZH(G{Fp6ZuO(!2}m*8hh($xNxr&z>U+bQIkBkLXvNR|B zja5hFT>n;HPnOJ(RP>x?pblU!0{yBu`U2rF`wV(b>>=kRx*F{8WE;Ts&ahS+70@0jbbv+nOIj@c=6_vsC5;C;?}8rowC? 
z?*^qYHj=jG7yf^2dGy>vB2z_MDrp!)wwFqM{BKT#rb@o&hst|1Hs7TAA|pRN)8h9% z+zkEL1p_Y>fmg8wy+YTJkHAW;5nrInN7K&)d-A&w;CJ3I=+WOd)@_l1Aqb@WhI25+LyvQFufD&1w#CeJkQOY~i?yB=|aoO&X z$mNJ^#GFqneF@VfBX>`1^&T3p5J!oKDe_$`^dOU5Ie9T_Io_Aks7=!6b9V~Y){3zR zHr}6GgG*BuQ~wezCK|uc68V$KV}UIF{*lJXt)-)r?~M*@2mqLzbAr9F?KOE!wbB2lR=vsaYNMg%uxs zL&d-1PREN;t4a<33Ok`0LBGePwfT(?1DC%TuC=%0w=B5CUufL?S<*-i(HRhAn0K)( zd>1n_v8#~tznZ=>F3Rrt`&znNx};GAq`RaW5v3cXyQFpr>FzEOkd$s%MY_AYyF2#T z`}hAm@2+>}T+?UfJ2UPM#PzxGT9%8daQ%qI^`8R4mGpwQwJ$zkckj;$Fjf>m1Tb8I zw{?lRnihjONFiR`_YxAqGg%eEqwy4NX4zx(x9T~e?kYq8T69T5^G8VLk5dXPEC0Qb zUO2j9R;@aMOJW}H_ns-aL%7`gEacS99V=|@qf9pBCPz< za?^OYUad?Ee%HAbeDm&N8BbP^B$}Tg0BG z1gwaX$4uCdbp||bUl$_4v$8MnvEFaXquHz<*92>CXI&pxpYZvmj9oZM@rq@*B3sbu zP3#bfCHd&)prld5h&R5YJ6V^Ny??DP6WSDxI#;?Ahju8L9C2oiI!hhM%*ZWXzt`h- zsMkd}$P!w<{+x}G=p)yz)}uX7N&H3W-FISh24F2J-F^uDwb7NV_&fa{S%E#?PrhF1 z>Ae(XHTHbWmib$;3;41(mLS0VUdiC6Sr__gp+vd9=TQ(~KJBrAkhpOsz9x77*SHm0 zqd)~nY_)fl4+XG*^v1t)=pQC`uN*DD>B0OihmeVYfo15PmaHQ)j8VRP4zP-Bb7j9`$J-;{RgvSo5XPV6Cg2a)@$fwRFCVD zLoZ`r>%=!@`Juf=85!_G@W@==DJ6Y3I4w)Io#d67?V+PZpPc^vRXSR?2G?i-aRh_& z46g$>slXEeQ4*vqI=V_!A-t|BW)=jX5dmrVH%AnuKBT+v@9hMF+3J((gyn610l<3e zWLeGgKfDyp!kV47!(dY`fKeG^Eht`M%V*fh=?53{UwARZ8M=B00OaHg%7hZ#%YBpL zE^Os?8X8+@Vb6y#suI909#HbuKTETC&8V`{cc=KsN@xxy1{>)C%ObUZexi{h9e(g> zQ>XQV!U7r#^Ph2nvj!TD$1qJ7#9(76-%t1?leN~>A#DKiST<7Fs^hoHqnx(KX5f); zEkz7jAj1UG%nh?Xlw8agy^YV5yvzBdq5ZX2O_q&2ydEd*pQ*6TXfFd1g-kq+E?_(_ zXxR2iIhMn_#9`^&8~_SS(sz^MW#jBsK19iVPGVbH#+FGFMli^*5sj#l zsC^{5&qo5%h7X6NaJ>lzp2qCX3l>4C;p!Hn(}e(lG?d9fi06Q$x5$QJE4#vgwz^er z+EUl^THb00faYKU0Df|R5umNrE3^x>)TZh!EX8TH<3f797$d_#%+{@-85>-D%msXI zLVw3mZ!-T67ZAA2U_N=$JXbktSBtAiAbLZ{fU*T(W2H$*xx$g!m7dglx0zLBx8F6WJe$z8E7Wo>d zw*StTG-quBEwjQtS_+oy^jS((W2a2gpmDrPd8>szC(jZ}43xO^W|^QXURGq=*RyN! 
zSsE~41DxRo0k=a*Rtw!*%QYD26KM3@o33Ku{H76$Gk78o!fmZiyfe5ec9X<7>x(?W zyrjE*m8J(@8$z_Nn=n^yKx{eG6sgx$ZThYxhye~s9b0z$_<4AD$8Oab%U|4Ipv=vi zcBwDSZ-3X8BcA}kf~hm+X|hj9=g3Sa6)2AzOVwvwNXnO@nKUz#$E{&V9<0J^E7lJ9*3JSKSM}UO@;|M&c~jN}ko~=j{@Uo^*GK z&&n`wGf?o~zZlm!IWXzCL4-KW}hcnkpZ=uJdt+u#ZW|>L~MGSa^4Hbh6m3eC|ts~Crl4wdC zVNw0h(HO^!H;VxgXg{SS(QzjCwMfb?Zv3U>X3JCx z;eMVRjlWQH+^ZRF%xbt1_a&z>z#yH*jK1iUr3YHDM4W8*7a^SgS(|^V>8unYAA;?h zN)c|@$8%%{^$)K#GEHjD#QDu)niazMS>Q?+?Q)OWU7V4v%0%1c2EFeY%*6xc4np!Dut zkkx(MjS4uT-JI~1vDjbkzVQ|fb^-@}>iyju2Uo`IMe`z8YlXM%WmPC6Hn1>Sm z_+BCM_p*vi^sMd(OVMZyVllG2#`^c5{87Wlz~j;LCaR zC${lh(qCsfrkjRTet-OUID)A7jBx|Dm{T#r7&``)M+Ox9T`TdWb8Ie$MzH-kRi}QG=ADH#*eh3AayQG(~ z-f$s4X;HfWrp%ninTIMnn7kj!C+w#s#sEMR%BQ>_>7z>R$NHDkil>$NI<4NNMF&S1 z9p=gkS6qoD`{noab1R}=ZCMnnEANQ*KPg=oX5R7mt!#g#1lH_M?LAG}$Tf2a0LXaO z5zgr_V@|N2X}OmNOXu6shcSdL*XQkI(cMVZIv+|GtMTAjn5y|WGb#X`JWl9-L3C+) z$PqD2za8VK%i2HKKLRe69f?YhSi&qB6^<102Oih)J%^8wITmG7E(W`?G5lV`d#-Yr zn&fV>DMD@Uo~*0BANzAsRylYQipLY0<+e2vEIsvtuJYK&4tf^6&#qSvI8J<%MLnDz zU>u7eBNnw7RjG8BU<@ouyan;uC0IbL|9ksmaCEh&KL_a)VCan15$I}ztz1{Z`~K6?Qss2^GN}fGsSKa<(lK;YDo^PWs!vJPqOZ5-kO`K z^xh@@9G-k<@qM-krRPB8wP&7WHQXs^?L`0WD<^5MrX~T<^&d6N8;)g@8R974wb{5YK!^PPm>;Rc=h6 zL<~r<+f|ew#Y#w=-1Jn(v~H$GL{!!5V(*RGQjS=QKt}-J&EA(z{K)e5@ zcxK|-$N+6J%>`(wRn9Rw8zna3r>wFCClVa$<||)pDXJ(ULqc$inIGcO#on=9@m8~GZQ@VW%*mjZh(4G z57QAHLB7CSZag6PS5Afv0Kwt5KRJ87v!3#u^L|YE-aBGVQkz-)sL-gSAG!Do#eYb={t91m!pl1%6nkhV;205Swi?!AB5}#dUu<*hr7tO@N8@3m zEM|H%YjuY^G5y@r9*t^cyu63g=7Q=2pw_}*!gDa$c5tW0CVwF;04*@r;Ugn-E!DT9 zt^uZjyoTB6homhv1Djw{BySJl522xTdPIz>#X04;+&JGg&TnuD8NlEtPb*p%iUpIrzD2!ADD9@?o2zs4UQ#*62d z`F8-yi_UF9o51jVe&%%jF+h0J4uUdwfPmjEA$AfMPlxRR`H%aQQ~|U89<=LMI$7%TFa=~FZtADJ+^g=1FW+^Cy|5~Li+#Ed^{W&Ao{jtP?P!Hz6I_6# z|ESNomlB=MhsIa0(&9R~za>3vbdJUH4|4kUj3cJke91K^mi7$q8cEhPr(t}VgoWf3 zN&)#HfdA7avcvP8V@NNZUn1ZqOA}i3VpG}8lTFYgB9MN5W zz9HVeP(}jeg=_=SbG$xok@wIO3^XZyCg32F@xazi|HlPKZSoh90eO!#i}|H4Z{)SM zZcGyl5x3uCwN4g8WK^?1>zysj;P@ zqv#rGOc%*P@^N+irM0nO8+2BV_#1Y5n18YOlI`bz_4JJ%ne!7l(Ax=LB1rNGvpxpy 
z=7twR1BPdb&yGl(q}h-_D>+-_U{wJAAEdi81tI_5P~@YHPGJqMr=tTUn@Xm;|K_sn zBE~k7T`&&_*ol1P1cMX80SQxs$QpTm01^l=Vp|0yf0FX;H@ALko{9kgfXGMYx8a{$ z39}RanIY+<%q!?9#J%KNApchloN@liZE_-+KhwCK4uX&VKz}#o7${X}jlhiEs@H5q$1vM)C!zT}iy!+i!+gY4AS@34-SRkE61R(S3 z-ql^)JXlrb6Ly6fQhjGM6o%@4#UFs;3o?3Ggvrfa4xZUTAYbu7z)n2U897Q(DBr`= zs$VjdARJNW+=JPI|1~R2+v5F<)QlqhaWiB;Um_}r2M~WSi~TM$JC>Rp9k0I8_>$cH z<{&c>P79tx`40df=xiIV_m7q3Qb_7%9G}1dUfkBF&~istcP*ux)p|d&+4keIXA`Nb z)M-k&b}8!)1Z>Ky2LByA%@OP(2L!4oGBjJOHbT&zJ z0y01E&Amkp)Fs%$^?vjefLZr0jpaYg00*#D|54X{dl=%P`LhqJ#EE~Y-4%H~M-gR+ zx?#{wcIK%F4>b_+C@2Uysdvt7t~sXLeq$j77$?Zo{)rY0_t9nQxzvdv%2sD9x1FOF zM~sN0VjlRVqP~LwjOYi;)|pD0<7mi zXaMA3Z|${~T6U;M&Xtz~g((~GLhWAe&?`CFDc4*!HLSy8O$_`>Mle87~d_mId-;p`1NKA{1d5xiv~~+ zn|0G{4|D9|xZA{@X4X;G8FRJZJ-Pcn;W3SoZ_WcqT$YjxnA44TiR6$25`6iM#-Gxf zY&W#|J-+U~vf;|K0VLKvhs|QA@5&<1n>TPqYK-T6D6Qb59EW^

lHmQLd53CdR?MC|H5VkA!`)HC7xM~t_XP}L?)I7y10YPA+ zF_cVz1a9>o!}8%d-e~yC-#NVY0|H=-oZW2r7Bl~!$rEO?=RsX{D1|7ZA!lAs9}tz~ z&5ZuvBXslVua!CRuhKp#kLyAVATC_jQ1ne?Fk`q`R?K*#H(BxbL~lT1u(Oavn_;H@ zYuQQQ>RWt<>U-PzyPxmZKgRz=-&1-{xHnC94YJ-tAob$N%&PZMEqgR{w9R`N`An%*q^=N8k8pt#5b1oS^ zAh~9G^~}ifgIUDxunVK@?v1cFJO-RGJ4wbbR^)Z~(K%0*X#e5WR)q-sC8Ha;JABi; zO}Zmp#K#*`UBDh=9Uje4`JU4_RFV`PR<1M*K4Y+PPH1vU+QdTrm>TjRx2;d_qgo3~&G{Ppv-L%e28zpuY-N}K2M;H&Cq(EZ z0C8>SkWKg}0L?$4LoFR(e0e>it4kjl)|wcwH#o30h3&0RMGXLfATz%f+-OxQn>rns zlm~870~d8HJ`&1^zNe`~1o<-454Of!D-&~TN)!N+^lPHuuUsM@N!%r>p7+O*z72X& zOZ{0^cHS2e6IW6xvwrJ`v8%cIUFMVWUdsd?)Z?gAhxt5L_)Q|4A4>+A;ImPD4QHYy*?Nr&@DSN?m)rs{rbkuZOEVBe~Fw!|E ztBa>tV!@OgNzsBe#K&{#a?0HeXIMVUZ0Q%HE^D#yBh#n!rtpltUJ)}!3+^Zd4Gv1h zluz9bpcXh>n-<*=Qre-Q6JvV(tKGA#Wkc_tX(RV7huZ>OEAH8=^gadSFP{Yu;dIk;tCLeGDfLvC{ArT1(_W*R%{*&k~Fj!^k& z`!f4<+n9TA|Avs9Vdf+M=hn!c169r(EMXMVwO{Kf_()?oT4|fU$C`5_mFo%CJ=m$A zg}eaorSMAt!pY37#;<}BdQ8jg+N9$=8};R!Q&!&%%Z+ckpB7Cf`1x|=+>Gs@0yTVD z+jk0)7MBSD_;k7sDiIzjEUAE|xV9TBx?3fT$!k!yAn)u^HQl+r-Hc)z4WhmC-YM&` ztp>E@+(r)aw#=)&3b

(`Mi!tiIynLd+O)S|dK(r7mXO4L?@;=O<)BR|LeeDNYCY zce@vS8$m%!r|X4paC~=Kgt;#9=mpDxf^e5tA=PP>*o~8Z)+ZSRZDOEm)}{PpQv07)$>vbTboov{6;F3X=uFDV$_TjkV?}#h3Yb6)OO!fr`q=xzO^7> zKIW27BQObGX_!yMysOsF;mqeu(OdawASV@n`)WYi=npo><~Zi}+Ixx*v18ks=kQO> z)Yr$M=r{>`6%tBcTv2&-apO0S%=I*Mz95?*g;S9_mmu{E8!R1r(H4b~3$6cK;q($z zi;!`V_Kp3Cn_(hi*h^cr*SuBtc0C8J)UR&O#xM<4s;zA+aUI%xq6~RAiM^v@UmS69bp{H6p`0kQslET zwckJb8(^sj`6c2D2zf0{Juwgmrqi(e4?R!Z;QkTdc~szW&z?q`?}?l=WVJKA+LVPh z%i+;asqy8nfN-01=8P-1=xpz4jJGni(cf`S5nit$;n-mJa4L@i!D{b8#o`BYqWP%c zipP^FW2G{!K;AT@{Hs+KO2^Xkk|L>nTMCifFOo*$SqutMqq(J}IYRICC$;q!ogHkR zbhTy?in8=vyvRAzy5^SBYYqs1IM8EKh1AYQ zUFl^X)0WN=DY(>jCGcnN7BX~ape!P@W!ci8k$l9UZH1R3;JA>G8oZ?I-?0@uX=g*E z(lkBEjaNxzFx*Z90DFbANK)8&KC*ZafBk7ZC~mHqPJdJ!Eb}wNtQ`9bs^3dswSO?O zRC+*&I3OQz1WtKzOM1TfZh-)7ouS?e%&*K(3*7a1KKi5`BoVAeY7_K_X0-;#d2UqGV#p=#MfN$e!deD=p80J>trU7r~1zwcbw<@o!T*OFR49H*Qy4 zve11=1{N{b{L+Q}8q9S0qk_<7lH{*ZG|{dpi3}3#<4X76_vg>obyG1h)wGti9~(~A z6aMZ~RLty!;`JiL@qDg~y;VWURhIhfMDN9fT9hMJB%awsG>+8WZWs0LIRZ2FYuRIu zx9Hc=och5Cs;4;{RV?DGPdBIB+&&S?jV+y5?iI{uQ5|4(#Zg?bY6DH z)x?+8o|=TOu+Ht(!2tEY;Iq{rKM0jH+MhcCC*coAFnV1SsC^PYU6m}_A5wgfY!baY z!VAAo6qWae{y=`ji?2h+>LL6|zqPx2`-$C)(1u5@k!H>SZC$E4vv zj0+$3A+N{XeR?H=ugF+iM|cD2m8eqbxj%Y0G9_8EcE>i5bl4WMtda~V6(u|8^kr<7 zOwK;}x|vlxoyYlg({;0RwFb_T^6`tcn|(A-p!Tymq(LvZrfB$y3x=%8mghoLcc z`@c`Aypm9EE2zKtJ2qVtkEex=yo6(gu?vf!-kodF*TP0H#6i^*7>o?|tlr*fZy@tU;s z;wH2sHygk70{!Nm1o1U@t`)^yj~Z(<(W%7Pf7!Dwn{TzERzGQ->28>q&1799^1t23 zs=s__{fSf@->uIh81hJW`B}Wr_qaF=OVwj3Bx(;zrU;#S^7PrAw~&j!y7#HS@(PL+&u%&uplPI!OTvP(jxv)O^(5E*>l&xfLG`In zk&w*2%myWlCq90#ySN`)-4y1Tp7(RC$X3*?XRJQIboHA_HGHjj?;}V5U1yfZUG;q5 zFQ`Yrd(@#$-^Wkd1KS&?EA1}oYtQuKTgSMK;{Uj7+Hqu>Z`WYoG4nPBVn~s%ovQ2i z?5K%jE;~6@T32WEqF$ooY=?CtY|&aI7s^f?I~zR7k6>M?zi4N!{Q}%N#CKVvKkm2` zCUv((sQP-H?R?#f&GJQsi=Qn^< z(O~(PFiKX@rY=~s8ZW+No`T&oeNHbjBQ4Z;#9viO^J>MF<<|)Y%1@mdb@;tGf?ebu 
zzg$sX6Sw0jkwWxQ&|~a}Kj<9@qq5nXk=2EiYvPaT~bXZ2^N(r=pn6uSz`^*)hcE|Gl$C&Ewz@@g?tp4NhS7OdCC}6nH@$|Dq56h1auNdwrW4$GS=;C;Hp%w=W_fy3Fy|x~^?!1*CZEUAS}H>XDN@xDE&OTG#llEmfcw06%5H)j4JzlKFyfQB4@)c*uK;K71U&IxwWjd@G+Z}Ps@u&CIo9R#~0Z2?G0{i zc5DJ3J|&FRQVBP*cwuEDIh~{|J@uI%@@cvS1hdhO(o~YqNtGGKk3kg zgjv|B`2FBk8FyJW&B!T<=@N247-duuJorB+#`Q~)@r@l#fLT8OKHza3y@Os%o9ndQh zzZLh%#=&f00so?vIY!C*+p-pbyW16nDeQT&2xl?n?$E}MUx;J0L~$AZ7SMEvdkZoa_Y-;2qRrHlP*`<;JhP~Z8g`}+#2WLPbnijeQfl-n~q$%MKczV z#9s}@Wtc(6UBuEpGWs@n+zB@VuAz+xGg>5nWeZ*$YpQYc$!yLaM(bZEOHCplzmg9% zZmr0Dn(cpO?CDwm)Y%x{I=UpnGIgs4N&k|VMr(qR6ZG13%d|?wC$P8gu7;_2&SCy>5(ABtFxD~v zgA}FkeA03~u9o}Ke{jqWbKHd)wRRXK0f?LW2}GDc38yQ=#J)>-B6#0?6jn7NZ`FOu zp8V*SYX)-}Dl!ax4z9q7`WBm3TH74Z6*PFesgYn|{>(H>WSTsz}CgIpfE{(Fy0ng=Srj7a_2GOeiVy z9lzvY=6_jrao-tA@7`En9M#|Z#WGZ_1`So9c1GZoYi4OI`K-}#zMOr!1h=dL9fWI} z4=i@Z=b^eE_c7%|YN!dd8=G+gDRF)uSHA3bpLTn^(_~(Q*+oCqAEJsTC$ZAc!@-?= zcXTRS5s>ef9Z%cA4heefo}*iTaaRovn)fjOR?0|o^jvke@UN9s|HDu0BNlrInkDh~ zx;6NZv?QQPkHxrQALvJL>&OZ)hX8j+V`2e&64ew7_F7uQt?zOk=5iqIiWEXj zupQG-71Cuy@R#%a*wVeK(_NsPCSxBYhraR?Tv9 znJ?KHLnO=-;=_wh*>Q4O^~R(B6VO$3PP>`;Velk&7$U?OEWd>Za$lUW(ymIZGr;{o z(PBScG;?wsEB5W`5w@axf?#&eG15`Jnu>0)9~&&{9~Os-Rt76q0G=oSgSUCSF#r_xASN&1s!! 
zhYN%AlQP79(VAtA56g5T`#XrIMLV)vd1!m*4}g^`5!-t zM%dP$eB2;Z8ue>#dV2Hp*lfXv51}D=uy0<-g-wSS4Mj__B+)8w*!QTH>rgXA&YXup zA5(Tbk|?~W;+~z<&cw&+K41CbNgv!Bq%k!jnQ!`Uyzq<6*lgDlFKT1ckLj&z zUYaqQir?Zcsoeh03@ig3@S#y&3X38)G#_72*?V9SsX=KgK4N&wN@PdaD}Fd(50+)d z;QM7b+bp`87_qo>ek*Hv8Q*0k@YT}VwW!OVLZkSmi|%!J0LIp5-dB@c=ymFk8f78- zPbH>Wzq!_VFBkQ&Xk?A(ew->foe#?N{m8Lq$;g^aQVLXKj|}W=ExTET6X%>7dTYd^ zRlL_GCi~#7h({v85JJi3HHIUBmRU5&aPM7mNu?s}MiGp&$M@k)aOH~mV{RzSn-iy3 zfJ_Rj#f1B(st(8Cv_p!GfsTy+fg`>~0%(BbM-JE|_*+9t$>GJr7n8rqk=li`y%ILE z`m2BVF1CxxQ%|{=#YH|OZ4+nbOE4kCOm0SIf}!IBa7z{AdW(bX^|MlF{xp@~_1<(v zSCPX{3Op%Hg&ahQ&^%k`1ScjQ_eDGNUFcZ-L`fNj%B`d02@T<>8uXQ&hf#F#!i$~B ztGR*q{X@#d!NzOzZYm@AiXt?*gf(0Qzp`VzGe0qR#WK&q!&hXX_bLAhxHg*qSzgEg zh#)4K69SdS@t&*tpzh{&EaCwFT}K$f-@R;Q#~6~IUEbD%qWsz5ov(1At{yX)-3yZs zT5zSRImmpOR)I8cTIAXhwk#%R8M4f-VVbEl`>|mSAVjvQHc3eT6z|sICtVDcJ#Q!j z3ap3)8f6aOa;k17N6Bkx=Yl>^*+)Q*+_|JhQsS-oxFs&;mXNOXqv_e6tCOZ*2V4<` zDLEl*Pzb>`09OZMDh}g=u}0Y?y^&ea z5hMJr=o~zzYvQ7zSDFOz3gFa%B{OK3GQ64&+rWhvHQ@dvD_9V|7t#iE(%zcM=Q>?7 zH=?v!A+UbGAZX0ZR+>h|4FpxZvMw={(=?M%?CE>IXhIe|t~BQje2;V% zX8bq5YXHwZZhR}w$lv8OwWRbHVY316M{gHNmq$*%XNS&Zk<#zH&g)f+hA{&sj2eIQnPj%+sdig1iNa&JS)Zw~wRCH|PHgS6p_02EDXP_pi1v z&b@rh{Te60boFOWF|13MVzInAeldeR3=^uM3*)eF&o&u+?}_`?j?b5xEKd8=7Qw4D zzfZB@#?stTnPKXUIS^x6Uxqt8*(>2soHNkivP=7C^7G zxLd8$MlETj6eyu`ic%+s!MnB^=P$LJ>1*N5MbY^Fb<-~R+Ox)7Kg~5Sly~IvA`1Df zqt_fER_!6}c(vciOZXgAw@|of#4cGF1_tmu5$)t4?VCIbkjA2U!e6H}-iKRr;Qz%p z@L}3DLR{S9g;MNF$O^Ir$TRua?qcFrR2l9mrcAV+pq8R#w`IhFyi7=*a{g^`o@b!sq9T?oThMs^fNd$iPheN z3OZs1Ip}t?_9&DFtbXT&W8C;Y|7XzztzCgu8h`ySTuoKBWGkWdNt#SW9ph*qIt2wn zb46MM`sESvxx7=^XpexZY@*wzQL_3jJVLXR9Qtz>!4u-X z76k85#a&C?*@Irzzi~P?!AIkH{|aLXhVk3cdMa87AfLb6<3kJZbZAgW`h;YR427I8 zVgH$qN05lOmN#(Cq_&M2#Bj(y$7!^kF}*BXcF0*rKp}8AWsp4s!>uV3jol8G0gRJ| zya@N*#1s^|t}lne)G#kJu6n+a&|$7m(x^-qtsqD8Ss8-g3@m)c3UouNd|u4-uo>lPRV{?i_wP$|nOhrIMU@a{LP-;tbwQ7?^w1H#(UNpw zLK})HjvU9J;7F>S56}^ziNryAKN&Wg?ce2#!lD}nZcDF|&S?cov}H8JC|8$nXLFZz zmRbdz{|i4)P|vOwuWw4Q8*ar%uZpn{lyR&CY2$kw42s(fm1eL_nr==f?{b-#{cHaY 
z)#}`%eNfThKa#mZVQXXGK)qNJ1X827$ViT0OW5ked@_2tq|UhewLFxPl@n-;Imn1R zePgvF2ov8R#x>oDZE^ciY>lp2l%#dP1lX#48-&u&|3?lZEd(j|!!+cjHgMB1_yKS;;A885x>aydwaQ4#V%mrg^+> zF4-lStluh+MB(R&=6*M5jpq|9AaAz!jy(V;+Rq zpKlo}x;V=b5fCiwTqQ;plcv8t(S+Nri!Q1RbuG5}u`w5>%LSCdH3O!7k5c zSJBwp+@mw_f9fHOu;jIGV_@&TOjG`jRDzU`<-2hukoh|Vo@B6DR@en;NAvtSlkI0= z{)Z4%6M`1Z+MsYP--N0On-T1jCMuz13}DZs;->+p*=6ED5Z0T^Bbwn00F1}1|A~5V z(=JY=5s`9$@+;pC1ybXwyadRs8u_mU!0{OP9{O_ajHUY^H%G!=L@7X#hUz=KJL`jL1Nt6O)LXNqhCUi?%Mw2hRSlUvXWf z<98l!or{-|oH$mVwA~q~n864M!g;S#Kke#~)WbNReZks>id`^5hyOdex#_elwQ5@H z)y0;0))T@TstKW=duR-KwAVWeoiO~Ol%ahbbc&=(c{(KW$z?E`!Lc@N3V< z|K#YI`gzywKgT@?wC1)=Xvx*$KxrkxdPJ=aCwAlFo+wUnc}FlaDk*N6cTAjK%mYf# zq*Iv&xySj;?tkbbcg$Y<=1Ij7j<%9`SjLuYEE!DaZ2ePy6E-+N zcM{ug&sf?zoW~k3u@rO13^EM%A?Y|@|DUH+oLe?%JG&5GEVU8Bb7_$z55cJhEkHuX z3PtQD?_hHwS3;o<{?2KZp?DZ25v0b+kRewZx<}qRPPT>&?TU{!T-*BNsz|QHTx=aS zm_p%>N@#HleFpW#D0K<%6vH5MJF%@nn-E z@(V@|{w~@uCQPSgA5#5ARGBQQ)Ohk)N8>b6nMN&G)>w%IKDx@Pb1&Tdwaj$rA;Q(U zhVLB7cIMa9L>S|LMtGO!9>M=%J++1=&;I>lY@t1W8XoD#naXZ#&RRdI9a!s`=%IF!SP*FjDZ)EUh9vc}=igQ*5G@9e%h9@DyUZKu{?@g-p zoA1TH!_U8CfQk;{cK8+Bl-ev#8=yt^ARgGTGTDeS3(Uj7o#N363ZtEp$wz(Q5DVTa zG3c+N9zOnf>|u9m$i-O`HJR~d4oeu9AnE>*YM1{dQk}!Sf zVzfn}nFzTQb$E@c#+Bc=(H-l%m(!N#|3!$5t%KXqY8_3w{57mjlWwd!jT2;6dZaJ3 z#mIwq;JS4#75wKg`vZ}xl*lmk!3dkL*HNNr-wxS~|46tjS{8>05e&3g(jIVbzt=sL z=-n|_MMgMplee5Yhop7i&q(fr4GB6@ba z)y})^ipsK>2EFu0#|%{~OaA~hl|z_W3xH)8j2&vw?UW&q@$PfHJP;qV|1OWZ1#hP; z_1`^?D|9fL^T~Yh$wQx(R{oqkfgrr5`=rb61KVrLWA+i1&wRxnxQag*T&vx#MMrjs zv)oo@`5bn1Pmug)WwJDfUFx;j#l7|;nKO$NvLSdi%n-_F!j@=h6r9Cg$C#mb0={)e zGce|fZR<{d1hM2u+mfk*+ zJSy!tV~+PzyC0usm32$O$i=AYIC5d2yiJrlwDKmSe@I}H4L1J`hEA=7>>+kx*QAPM zPce7db_v*uFAxW6tVW-UM3Vi}IQdKcoi#$Tt~>JIQIN^4OSZ31)dWij)SZ_YA5iW@PCc!M;3`rm>wKuZ@k z)p9`D*?cZTWv#|_IhfjzE*Rs*mJ=wlD%gzZRHyE5UPh!|N87zeI+ySvtKs%XB4{p) zik9^uXCNpj(=i8po0+|RYJGP4U#vqqeIjzPA!oGIGBf3#T#V3QAmIJ9V}5+x=bwUE zM830B&O|gdg;@8MrP!>LaLVMz_1ud5K|6_N(STjGUwGKDm}D!3&9TXMn(Bc(ig_4C-`f$a>qm 
zza+Pl*b7-FgH07?BFE7E>DsUjxh@#!GDbK>ltW;>9ctS_LC??Pou2m-G}KMiwc1NQ zJGVl2|EZcUwK3zoUu?(Sr5V_7_n>}wlmAvw=TA_(p@1^OVOjzW<_89e!wCnML7a-P z&u{0R3qX;$1?+#7aBd-NP>VRmJrp8t%TeXDu{5LyjrQNOGz0z7ud~G=+@*&v6}C3{cMN-^$q_hY#CvxHBup-FycRk bJ&`EsTd^Va)Jwt9zJP*^s&u84ap3<0>PxC% literal 0 HcmV?d00001 From 8ec3095f7af87917f7528aaed7429ffc5566539c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 27 Nov 2024 10:54:32 +0800 Subject: [PATCH 432/523] Fix: frequent 503 errors when connecting to a Service experiencing high Pod churn (#4754) * Revert "fix: some status updates are discarded by the status updater (#4337)" This reverts commit 14830c7b7a7fa20cd3c5e82625c355485bcbd961. Signed-off-by: Huabing Zhao * store update events and process it later Signed-off-by: Huabing Zhao * rename method Signed-off-by: Huabing Zhao * add release note Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- .../provider/kubernetes/status_updater.go | 51 +++++++++++++++++-- release-notes/current.yaml | 1 + 2 files changed, 47 insertions(+), 5 deletions(-) diff --git a/internal/provider/kubernetes/status_updater.go b/internal/provider/kubernetes/status_updater.go index 24adaedd563..ee5cbce59d2 100644 --- a/internal/provider/kubernetes/status_updater.go +++ b/internal/provider/kubernetes/status_updater.go @@ -7,6 +7,7 @@ package kubernetes import ( "context" + "errors" "time" "github.com/go-logr/logr" 
@@ -56,14 +57,25 @@ func (m MutatorFunc) Mutate(old client.Object) client.Object { type UpdateHandler struct { log logr.Logger client client.Client + sendUpdates chan struct{} updateChannel chan Update + writer *UpdateWriter } func NewUpdateHandler(log logr.Logger, client client.Client) *UpdateHandler { + sendUpdates := make(chan struct{}) + updateChannel := make(chan Update, 100) return &UpdateHandler{ log: log, client: client, - updateChannel: make(chan Update, 100), + sendUpdates: sendUpdates, + updateChannel: updateChannel, + writer: &UpdateWriter{ + log: log, + enabled: sendUpdates, + updateChannel: updateChannel, + eventsBeforeEnabled: make(chan Update, 1000), + }, } } @@ -127,6 +139,10 @@ func (u *UpdateHandler) Start(ctx context.Context) error { u.log.Info("started status update handler") defer u.log.Info("stopped status update handler") + // Enable Updaters to start sending updates to this handler. + close(u.sendUpdates) + u.writer.handleEventsReceivedBeforeEnabled() + for { select { case <-ctx.Done(): @@ -142,9 +158,7 @@ func (u *UpdateHandler) Start(ctx context.Context) error { // Writer retrieves the interface that should be used to write to the UpdateHandler. func (u *UpdateHandler) Writer() Updater { - return &UpdateWriter{ - updateChannel: u.updateChannel, - } + return u.writer } // Updater describes an interface to send status updates somewhere. 
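Review bot: The two new fields on `UpdateHandler` and the buffer sizes in `NewUpdateHandler` carry no comments, so the hand-off between handler and writer can only be reconstructed by reading `Start` and `Send` together. I would document `sendUpdates` with `// sendUpdates is closed by Start; until then the writer buffers updates instead of forwarding them.` and `writer` with `// writer is the single UpdateWriter handed out by Writer().`. The capacity `1000` of `eventsBeforeEnabled` is also the point past which `Send` drops status updates, so it deserves a named constant or a comment next to the `make` call. In the `Start` hunk on this same line, `close(u.sendUpdates)` would panic on a second call; whether `Start` can run more than once is not visible here, and its body continues outside the hunk.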
@@ -154,13 +168,40 @@ type Updater interface { // UpdateWriter takes status updates and sends these to the UpdateHandler via a channel. type UpdateWriter struct { + log logr.Logger + enabled <-chan struct{} updateChannel chan<- Update + // a temporary buffer to store events received before the Updater is enabled. + // These events will be sent to the update channel once the Updater is enabled. + eventsBeforeEnabled chan Update } // Send sends the given Update off to the update channel for writing by the UpdateHandler. func (u *UpdateWriter) Send(update Update) { // Non-blocking receive to see if we should pass along update. - u.updateChannel <- update + select { + case <-u.enabled: + u.updateChannel <- update + default: + if len(u.eventsBeforeEnabled) < cap(u.eventsBeforeEnabled) { + u.log.Info("received a status update while disabled, storing for later", "event", update.NamespacedName) + u.eventsBeforeEnabled <- update + } else { + // If the buffer is full, drop the event to avoid blocking the sender. + u.log.Error(errors.New("dropping status update, buffer full"), "event", update.NamespacedName) + } + } +} + +// handleEventsReceivedBeforeEnabled sends the events received before the Updater was enabled to the update channel. +func (u *UpdateWriter) handleEventsReceivedBeforeEnabled() { + go func() { + for e := range u.eventsBeforeEnabled { + u.log.Info("sending stored status update", "event", e.NamespacedName) + u.updateChannel <- e + } + close(u.eventsBeforeEnabled) + }() } // isStatusEqual checks if two objects have equivalent status. diff --git a/release-notes/current.yaml b/release-notes/current.yaml index eea29e8b78b..7b9d547d839 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
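Review bot: In `Send`, the drop branch calls `u.log.Error(errors.New("dropping status update, buffer full"), "event", update.NamespacedName)`, which logr reads as the message `"event"` followed by a key with no value, because `Error` takes `(err, msg, keysAndValues...)`. The `len(...) < cap(...)` test before the send is also not atomic, so if `Send` is called from several goroutines (not visible here) two callers can pass the check and one then blocks on a full buffer; a nested `select` with `default` makes the store non-blocking, as in the fence. In `handleEventsReceivedBeforeEnabled`, `for e := range u.eventsBeforeEnabled` only ends when the channel is closed, so the `close` after the loop is never reached and the goroutine stays parked for the life of the process, and its `u.updateChannel <- e` has no way to stop once the handler's context is cancelled. That the goroutine keeps running is currently what picks up a `Send` that took the `default` path just as `Start` closed `sendUpdates`, so any fix (for example selecting on the context `Start` holds) should keep that window covered rather than close the channel early.

```go
func (u *UpdateWriter) Send(update Update) {
	// … unchanged: forward to updateChannel once u.enabled is closed …
	default:
		select {
		case u.eventsBeforeEnabled <- update:
			u.log.Info("received a status update while disabled, storing for later", "event", update.NamespacedName)
		default:
			// Buffer full: drop the event rather than block the sender.
			u.log.Error(errors.New("buffer full"), "dropping status update", "event", update.NamespacedName)
		}
```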
@@ -21,6 +21,7 @@ bug fixes: | Fixed failed to update SecurityPolicy resources with the `backendRef` field specified Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname + Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn # Enhancements that improve performance. performance improvements: | From a383dd97e4c7fe726f064c03f48a06e8b049001f Mon Sep 17 00:00:00 2001 From: Xunzhuo Date: Wed, 27 Nov 2024 10:57:17 +0800 Subject: [PATCH 433/523] chore: remove adopters.md (#4787) Signed-off-by: bitliu --- ADOPTERS.md | 66 ----------------------------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 ADOPTERS.md diff --git a/ADOPTERS.md b/ADOPTERS.md deleted file mode 100644 index 54d7d933ad0..00000000000 --- a/ADOPTERS.md +++ /dev/null 
@@ -1,66 +0,0 @@ - - - -# Envoy Gateway Adopters - -This page contains a list of organizations who are users of Envoy Gateway, following the [definitions provided by the CNCF](https://github.com/cncf/toc/blob/main/FAQ.md#what-is-the-definition-of-an-adopter). - -If you would like to be included in this table, please submit a PR to this file or comment to [this issue](https://github.com/envoyproxy/gateway/issues/2781) and your information will be added. - -## AllFactors - -* Website https://allfactors.com -* Category: End User -* Environments: -* Use Case: - - Routing all customer traffic to our various backends. Every time a new customer signs up we dynamically add a - route to a new hostname so Envoy Gateway is deeply integrated with our product. -* Status: production -* Logo: https://allfactors.com/AllFactors-Logo.svg - -## Tetrate - -* Website: https://www.tetrate.io -* Category: Service Provider -* Environments: AWS -* Use Cases: - - Tetrate provides Enterprise Gateway (TEG) to end users, which includes a 100% upstream distribution of Envoy Gateway, and management to deliver applications securely, authenticate user traffic, protect services with rate limiting and WAF, and integrate with your observability stack to monitor and observe activity. -* Status: production -* (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg -* (Option) Description: - -## Airspace Link - -* Organizatioin: Airspace Link -* Website: https://airspacelink.com/ -* Category: End User -* Environments: Azure -* Use Cases: - - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway. 
-* Status: production -* Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png - -## Tencent Cloud - -* Organizatioin: Tencent Cloud -* Website: https://www.tencentcloud.com -* Category: Service Provider -* Environments: Tencent Kubernetes Engine (TKE) -* Use Cases: - - Tencent Cloud is using Envoy Gateway as a Kubernetes Cluster Network Addon to manage dynamic routing in the Tencent Kubernetes Engine. -* Status: production From 98457b52c17fd230f3c5b7606de41377f9cbc7ac Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 27 Nov 2024 18:10:33 -0600 Subject: [PATCH 434/523] api: ext-proc attributes (#4794) * api: ext-proc attributes Signed-off-by: Guy Daich * fix lint Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- api/v1alpha1/ext_proc_types.go | 10 ++ api/v1alpha1/zz_generated.deepcopy.go | 5 + ....envoyproxy.io_envoyextensionpolicies.yaml | 20 +++ release-notes/current.yaml | 3 +- site/content/en/latest/api/extension_types.md | 2 + site/content/zh/latest/api/extension_types.md | 2 + .../envoyextensionpolicy_test.go | 151 ++++++++++++++++++ 7 files changed, 192 insertions(+), 1 deletion(-) diff --git a/api/v1alpha1/ext_proc_types.go b/api/v1alpha1/ext_proc_types.go index cbdaf97ba45..ca78b619c4d 100644 --- a/api/v1alpha1/ext_proc_types.go +++ b/api/v1alpha1/ext_proc_types.go 
@@ -22,11 +22,21 @@ const ( ) // ProcessingModeOptions defines if headers or body should be processed by the external service +// and which attributes are sent to the processor type ProcessingModeOptions struct { // Defines body processing mode // // +optional Body *ExtProcBodyProcessingMode `json:"body,omitempty"` + + // Defines which attributes are sent to the external processor. Envoy Gateway currently + // supports only the following attribute prefixes: connection, source, destination, + // request, response, upstream and xds.route. + // https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + // + // +optional + // +kubebuilder:validation:items:Pattern=`^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$` + Attributes []string `json:"attributes,omitempty"` } // ExtProcProcessingMode defines if and how headers and bodies are sent to the service. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 12f634586c6..457afa58ac4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -4124,6 +4124,11 @@ func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { *out = new(ExtProcBodyProcessingMode) **out = **in } + if in.Attributes != nil { + in, out := &in.Attributes, &out.Attributes + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingModeOptions. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml index e6cb298d3a8..0fbbcafe94e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
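Review bot: The `items:Pattern` marker on `Attributes` ends in `[a-z_1-9]*$`, which accepts an empty attribute name (a bare `request.` validates) and leaves out the digit `0`; `[a-z_0-9]+$` looks like what was intended. The doc comment lists the prefix as `xds.route` while the pattern only admits `xds.route_`, so the comment should say `xds.route_*` or name the accepted attributes. Because every listed attribute is forwarded to the external processor, including request headers and the peer-certificate fields under `connection.`, the comment could state that the prefix allow-list is the control on what leaves the proxy, and the list is worth bounding with a `+kubebuilder:validation:MaxItems` marker. The generated CRD and the expected error strings in the CEL validation test repeat the pattern and would need regenerating with it.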
@@ -918,6 +918,16 @@ spec: Defines processing mode for requests. If present, request headers are sent. Request body is processed according to the specified mode. properties: + attributes: + description: |- + Defines which attributes are sent to the external processor. Envoy Gateway currently + supports only the following attribute prefixes: connection, source, destination, + request, response, upstream and xds.route. + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array body: description: Defines body processing mode enum: @@ -931,6 +941,16 @@ spec: Defines processing mode for responses. If present, response headers are sent. Response body is processed according to the specified mode. properties: + attributes: + description: |- + Defines which attributes are sent to the external processor. Envoy Gateway currently + supports only the following attribute prefixes: connection, source, destination, + request, response, upstream and xds.route. + https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes + items: + pattern: ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$ + type: string + type: array body: description: Defines body processing mode enum: diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 7b9d547d839..9ec82fc249b 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -14,7 +14,8 @@ security updates: | # New features or capabilities added in this release. new features: | - - Added support for trusted CIDRs in the ClientIPDetectionSettings API + Added support for trusted CIDRs in the ClientIPDetectionSettings API + Added support for sending attributes to external processor in EnvoyExtensionPolicy API # Fixes for bugs identified in previous versions. bug fixes: | 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 80614c2645e..fc7142446c1 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2960,6 +2960,7 @@ _Appears in:_ ProcessingModeOptions defines if headers or body should be processed by the external service +and which attributes are sent to the processor _Appears in:_ - [ExtProcProcessingMode](#extprocprocessingmode) @@ -2967,6 +2968,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | +| `attributes` | _string array_ | false | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | #### ProviderType diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 80614c2645e..fc7142446c1 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2960,6 +2960,7 @@ _Appears in:_ ProcessingModeOptions defines if headers or body should be processed by the external service +and which attributes are sent to the processor _Appears in:_ - [ExtProcProcessingMode](#extprocprocessingmode) @@ -2967,6 +2968,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `body` | _[ExtProcBodyProcessingMode](#extprocbodyprocessingmode)_ | false | Defines body processing mode | +| `attributes` | _string array_ | false | Defines which attributes are sent to the external processor. Envoy Gateway currently
supports only the following attribute prefixes: connection, source, destination,
request, response, upstream and xds.route.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes | #### ProviderType diff --git a/test/cel-validation/envoyextensionpolicy_test.go b/test/cel-validation/envoyextensionpolicy_test.go index 7c9c168df10..a1d435e55dc 100644 --- a/test/cel-validation/envoyextensionpolicy_test.go +++ b/test/cel-validation/envoyextensionpolicy_test.go 
@@ -433,6 +433,157 @@ func TestEnvoyExtensionPolicyTarget(t *testing.T) { }, wantErrors: []string{}, }, + { + desc: "ExtProc with valid attributes", + mutate: func(sp *egv1a1.EnvoyExtensionPolicy) { + sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ + ExtProc: []egv1a1.ExtProc{ + { + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, + }, + }, + }, + ProcessingMode: &egv1a1.ExtProcProcessingMode{ + Request: &egv1a1.ProcessingModeOptions{ + Attributes: []string{ + "request.path", + "request.url_path", + "request.host", + "request.scheme", + "request.method", + "request.headers", + "request.referer", + "request.useragent", + "request.time", + "request.id", + "request.protocol", + "request.query", + "request.duration", + "request.size", + "request.total_size", + "response.code", + "response.code_details", + "response.flags", + "response.grpc_status", + "response.headers", + "response.trailers", + "response.size", + "response.total_size", + "response.backend_latency", + "source.address", + "source.port", + "destination.address", + "destination.port", + }, + }, + Response: &egv1a1.ProcessingModeOptions{ + Attributes: []string{ + "connection.id", + "connection.mtls", + "connection.requested_server_name", + "connection.tls_version", + "connection.subject_local_certificate", + "connection.subject_peer_certificate", + "connection.dns_san_local_certificate", + "connection.dns_san_peer_certificate", + "connection.uri_san_local_certificate", + "connection.uri_san_peer_certificate", + "connection.sha256_peer_certificate_digest", + "connection.transport_failure_reason", + "connection.termination_details", + "upstream.address", + "upstream.port", + "upstream.tls_version", + "upstream.subject_local_certificate", + "upstream.subject_peer_certificate", + "upstream.dns_san_local_certificate", + "upstream.dns_san_peer_certificate", + 
"upstream.uri_san_local_certificate", + "upstream.uri_san_peer_certificate", + "upstream.sha256_peer_certificate_digest", + "upstream.local_address", + "upstream.transport_failure_reason", + "upstream.request_attempt_count", + }, + }, + }, + }, + }, + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: "gateway.networking.k8s.io", + Kind: "Gateway", + Name: "eg", + }, + }, + }, + } + }, + wantErrors: []string{}, + }, + { + desc: "ExtProc with invalid attributes", + mutate: func(sp *egv1a1.EnvoyExtensionPolicy) { + sp.Spec = egv1a1.EnvoyExtensionPolicySpec{ + ExtProc: []egv1a1.ExtProc{ + { + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Name: "grpc-proc-service", + Port: ptr.To(gwapiv1.PortNumber(80)), + }, + }, + }, + }, + ProcessingMode: &egv1a1.ExtProcProcessingMode{ + Request: &egv1a1.ProcessingModeOptions{ + Attributes: []string{ + "xds.node", + "metadata", + "filter_state", + "upstream_filter_state", + }, + }, + Response: &egv1a1.ProcessingModeOptions{ + Attributes: []string{ + "xds.node", + "xds.cluster", + "plugin_name", + }, + }, + }, + }, + }, + PolicyTargetReferences: egv1a1.PolicyTargetReferences{ + TargetRef: &gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ + LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ + Group: "gateway.networking.k8s.io", + Kind: "Gateway", + Name: "eg", + }, + }, + }, + } + }, + wantErrors: []string{ + "spec.extProc[0].processingMode.request.attributes[0]: Invalid value: \"xds.node\": spec.extProc[0].processingMode.request.attributes[0] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.request.attributes[1]: Invalid value: \"metadata\": 
spec.extProc[0].processingMode.request.attributes[1] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.request.attributes[2]: Invalid value: \"filter_state\": spec.extProc[0].processingMode.request.attributes[2] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.request.attributes[3]: Invalid value: \"upstream_filter_state\": spec.extProc[0].processingMode.request.attributes[3] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.response.attributes[0]: Invalid value: \"xds.node\": spec.extProc[0].processingMode.response.attributes[0] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.response.attributes[1]: Invalid value: \"xds.cluster\": spec.extProc[0].processingMode.response.attributes[1] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + "spec.extProc[0].processingMode.response.attributes[2]: Invalid value: \"plugin_name\": spec.extProc[0].processingMode.response.attributes[2] in body should match '^(connection\\.|source\\.|destination\\.|request\\.|response\\.|upstream\\.|xds\\.route_)[a-z_1-9]*$'", + }, + }, } for _, tc := range cases { From 7f3f5d043cc33db620464e718c186fe441b25127 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 27 Nov 2024 19:03:51 -0600 Subject: [PATCH 435/523] [release/v1.1] release: v1.1.4 (#4795) release: v1.1.4 
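Review bot: The "ExtProc with invalid attributes" case only feeds names whose prefix is outside the allow-list, so nothing pins how the part after the prefix is validated. Adding a few constructed inputs such as `request.` (empty name), `request.Path` (upper case) and `xds.route` (no underscore suffix), each with its expected outcome, would document the pattern's behaviour and catch a later loosening of it. The table belongs to `TestEnvoyExtensionPolicyTarget`, which starts and ends outside this hunk.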
Signed-off-by: Guy Daich --- release-notes/v1.1.4.yaml | 22 ++++++++++++++++ site/content/en/news/releases/notes/v1.1.4.md | 25 +++++++++++++++++++ site/layouts/shortcodes/helm-version.html | 2 +- site/layouts/shortcodes/yaml-version.html | 2 +- 4 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 release-notes/v1.1.4.yaml create mode 100644 site/content/en/news/releases/notes/v1.1.4.md diff --git a/release-notes/v1.1.4.yaml b/release-notes/v1.1.4.yaml new file mode 100644 index 00000000000..29f47c99fd2 --- /dev/null +++ b/release-notes/v1.1.4.yaml @@ -0,0 +1,22 @@ +date: November 27, 2024 + +# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. +breaking changes: | + +# New features or capabilities added in this release. +new features: | + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed validate proto messages before converting them to anypb.Any + Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work + Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes + Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn + +# Enhancements that improve performance. +performance improvements: | + +# Other notable changes not covered by the above sections. +Other changes: | + Bumped Rate Limit to 49af5cca + diff --git a/site/content/en/news/releases/notes/v1.1.4.md b/site/content/en/news/releases/notes/v1.1.4.md new file mode 100644 index 00000000000..b439d29c4a9 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.4.md 
@@ -0,0 +1,25 @@ +--- +title: "v1.1.4" +publishdate: 2024-27-01 +--- + +Date: November 27, 2024 + +## Breaking changes +- + +## New features +- + +## Bug fixes +- Fixed validate proto messages before converting them to anypb.Any +- Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work +- Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes +- Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn + +## Performance improvements +- + +## Other changes +- Bumped Rate Limit to 49af5cca + diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index b28198f58ee..e2249104e21 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -3,7 +3,7 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.1" -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index 55d18309a95..77a156eac0d 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,7 +3,7 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.1" -}} From 215bc84ee004dd9e7c9c16c988502266031ff4ea Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Thu, 28 Nov 2024 09:15:54 +0800 Subject: [PATCH 436/523] v1.2.2 release note (#4788) * v1.2.2 release note Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta 
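Review bot: The front matter line `publishdate: 2024-27-01` in the new `site/content/en/news/releases/notes/v1.1.4.md` is not a valid date, since it has 27 in the month position. The body of the same file says November 27, 2024, so it should read `publishdate: 2024-11-27`. How the site generator treats an unparseable publish date is not visible here, so it is worth confirming with a local site build that the page renders and sorts correctly in the release list.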
Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * Update release-notes/v1.2.2.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta --- VERSION | 2 +- release-notes/current.yaml | 7 +------ release-notes/v1.2.2.yaml | 12 ++++++++++++ site/content/en/news/releases/notes/v1.2.2.md | 17 +++++++++++++++++ site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 6 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 release-notes/v1.2.2.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.2.md diff --git a/VERSION b/VERSION index 6a5e98a744e..cc904638af8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.1 +v1.2.2 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 9ec82fc249b..bda2ef94be5 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -5,8 +5,6 @@ breaking changes: | The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. - Always use `::` and `IPv4Compact` enabled on dynamic listeners. - Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | 
@@ -19,10 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Fixed failed to update SecurityPolicy resources with the `backendRef` field specified - Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes - Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname - Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn + Add a bug fix here # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.2.yaml b/release-notes/v1.2.2.yaml new file mode 100644 index 00000000000..7df6ef2da32 --- /dev/null +++ b/release-notes/v1.2.2.yaml @@ -0,0 +1,12 @@ +date: November 28, 2024 + +bug fixes: | + Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes. + Fixed failed to update SecurityPolicy resources with the `backendRef` field specified. + Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname. + Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn. + +Other changes: | + Bump the RateLimit image to 49af5cca. + Always use `::` and `IPv4Compact` enabled on dynamic listeners. + Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`. diff --git a/site/content/en/news/releases/notes/v1.2.2.md b/site/content/en/news/releases/notes/v1.2.2.md new file mode 100644 index 00000000000..2aba0440826 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.2.md 
@@ -0,0 +1,17 @@ +--- +title: "v1.2.2" +publishdate: 2024-11-28 +--- + +Date: November 28, 2024 + +## Bug fixes +- Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes. +- Fixed failed to update SecurityPolicy resources with the `backendRef` field specified. +- Fixed xDS translation failed when oidc tokenEndpoint and jwt remoteJWKS are specified in the same SecurityPolicy and using the same hostname. +- Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn. + +## Other changes +- Bump the RateLimit image to 49af5cca. +- Always use `::` and `IPv4Compact` enabled on dynamic listeners. +- Use `V4_PREFERRED` instead of `V4_ONLY` by default for the cluster's `DnsLookupFamily`. diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index e2249104e21..9ba708d50fc 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.1" -}} +{{- "v1.2.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.1" -}} +{{- "v1.2.2" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index 77a156eac0d..1c46423c3e0 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.1" -}} +{{- "v1.2.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.1" -}} +{{- "v1.2.2" -}} {{- end -}} From f8f74b7d67f5ec02eca193a636a7c1a395faea4b Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Thu, 28 Nov 2024 09:53:11 +0800 Subject: [PATCH 437/523] update release process (#4665) * update release process Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao --- site/content/en/contributions/RELEASING.md | 174 ++++++++++++++++++--- 1 file changed, 151 insertions(+), 23 deletions(-) diff --git a/site/content/en/contributions/RELEASING.md b/site/content/en/contributions/RELEASING.md index ec2365a15dc..2267522dc34 100644 --- a/site/content/en/contributions/RELEASING.md +++ b/site/content/en/contributions/RELEASING.md @@ -52,7 +52,8 @@ export GITHUB_REMOTE=origin git push ${GITHUB_REMOTE} release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` -7. Create a topic branch for updating the Envoy proxy image and Envoy Ratelimit image to the tag supported by the release. Reference [PR #2098][] +7. Create a topic branch for updating the Envoy proxy image and Envoy Ratelimit image to the tag supported by the release. + Please note that the tags should be updated in both the source code and the Helm chart. Reference [PR #2098][] for additional details on updating the image tag. 8. Sign, commit, and push your changes to your fork. 9. Submit a [Pull Request][] to merge the changes into the `release/v${MAJOR_VERSION}.${MINOR_VERSION}` branch. Do not @@ -111,19 +112,7 @@ export GITHUB_REMOTE=origin make docs-release TAG=v${MAJOR_VERSION}.${MINOR_VERSION}.0 ``` - 1. Update the `Documentation` referred link on the menu in `site/hugo.toml`: - - **DON'T FORGOT TO MOVE IT UNDER `LATEST`** - - ```shell - [[menu.main]] - name = "Documentation" - weight = -101 - pre = "" - url = "/v1.1" - ``` - - 1. Update `site/layouts/shortcodes/helm-version.html` base on latest minor version. + 1. Update `site/layouts/shortcodes/helm-version.html`, add the latest version of the minor release, and update the short code for `{{- with (strings.HasPrefix $pagePrefix "doc") -}}` to the latest minor version. ```console {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} 
@@ -131,14 +120,17 @@ export GITHUB_REMOTE=origin {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} - {{- "v1.1.0" -}} + {{- "v1.1.3" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} + {{- "v1.2.0" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} - {{- "v1.1.0" -}} + {{- "v1.2.0" -}} {{- end -}} ``` - 1. Update `site/layouts/shortcodes/yaml-version.html` base on latest minor version. + 1. Update `site/layouts/shortcodes/yaml-version.html`, add the latest version of the minor release, and update the short code for `{{- with (strings.HasPrefix $pagePrefix "doc") -}}` to the latest minor version. ```console {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} @@ -146,14 +138,16 @@ export GITHUB_REMOTE=origin {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} - {{- "v1.1.0" -}} + {{- "v1.1.3" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} + {{- "v1.2.0" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} - {{- "v1.1.0" -}} + {{- "v1.2.0" -}} {{- end -}} ``` - 3. Sign, commit, and push your changes to your fork. 4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until all your PRs have merged and the [Build and Test][] has completed for your final PR. @@ -161,7 +155,7 @@ export GITHUB_REMOTE=origin 5. Checkout the release branch. ```shell - git checkout -b release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} + git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} ``` 6. If the tip of the release branch does not match the tip of `main`, perform the following: 
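Review bot: Dropping `-b` in step 5 leaves `git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION}` with two positional arguments, which git reads as a tree-ish followed by a pathspec, so the command will most likely fail instead of switching branches. If the intent is to reuse an existing local branch, `git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION}` followed by `git pull ${GITHUB_REMOTE} release/v${MAJOR_VERSION}.${MINOR_VERSION}` is unambiguous; otherwise keep `-b`. The same line is repeated in step 5 of the Patch Release section added by the `@@ -236,6 +232,137 @@` hunk. A release runbook that fails at the checkout step invites ad-hoc workarounds on the release branch, so the command should be copy-paste safe.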
@@ -209,12 +203,14 @@ export GITHUB_REMOTE=origin # Release Announcement Check out the [v${MAJOR_VERSION}.${MINOR_VERSION} release announcement] - (https://gateway.envoyproxy.io/releases/v${MAJOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release. + (https://gateway.envoyproxy.io/news/releases/notes/v${MAJOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release. ``` +15. Update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. + If you find any bugs in this process, please create an issue. -## Announce the Release +### Announce the Release It's important that the world knows about the release. Use the following steps to announce the release. 
@@ -236,6 +232,137 @@ It's important that the world knows about the release. Use the following steps t Link to the GitHub release and release announcement page that highlights the release. +## Patch Release + +The following steps should be used for creating a patch release. + +### Prerequisites + +- Permissions to push to the Envoy Gateway repository. +- A minor release has already been released. Refer to the [Minor Release](#minor-candidate) section for additional details on releasing a minor release. + +Set environment variables for use in subsequent steps: + +```shell +export MAJOR_VERSION=1 +export MINOR_VERSION=2 +export PATCH_VERSION=1 +export GITHUB_REMOTE=origin +``` + +1. Clone the repo, checkout the `main` branch, ensure it’s up-to-date, and your local branch is clean. +2. Create a topic branch for adding the release notes. + + 1. Create the release notes. The release note should only include the changes since the last minor or patch release. + 1. Create a release announcement. Refer to [PR #635] as an example release announcement. + 1. Update `site/layouts/shortcodes/helm-version.html`, update the short code for `{{- with (strings.HasPrefix $pagePrefix "doc") -}}` to the latest patch version. For example: + + ```console + {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} + {{- with (eq $pagePrefix "latest") -}} + {{- "v0.0.0-latest" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} + {{- "v1.1.3" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} + {{- "v1.2.1" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "doc") -}} + {{- "v1.2.1" -}} + {{- end -}} + ``` + + 1. Update `site/layouts/shortcodes/yaml-version.html`, update the short code for `{{- with (strings.HasPrefix $pagePrefix "doc") -}}` to the latest patch version. 
For example: + + ```console + {{- $pagePrefix := (index (split $.Page.File.Dir "/") 0) -}} + {{- with (eq $pagePrefix "latest") -}} + {{- "latest" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} + {{- "v1.1.3" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} + {{- "v1.2.1" -}} + {{- end -}} + {{- with (strings.HasPrefix $pagePrefix "doc") -}} + {{- "v1.2.1" -}} + {{- end -}} + ``` + +3. Sign, commit, and push your changes to your fork. +4. Submit a [Pull Request][] to merge the changes into the `main` branch. Do not proceed until all your PRs have merged + and the [Build and Test][] has completed for your final PR. + +5. Checkout the release branch. + + ```shell + git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} $GITHUB_REMOTE/release/v${MAJOR_VERSION}.${MINOR_VERSION} + ``` + +6. Cherry-pick the release note and release announcement that you created in the previous step to the release branch. The release note will be included in the release artifacts. + 1. Create a topic branch from the release branch. + 2. Cherry-pick the release note and release announcement commit from `main` to the topic branch. + 3. Submit a PR to merge the topic from of your fork into the release branch. + +7. Cherry-pick the commits that you want to include in the patch release. + 1. Create a topic branch from the release branch. + 2. Cherry-pick the commits from `main` that you want to include in the patch release. + 3. Run tests locally, e.g. `make lint`. + 4. Sign, commit, and push your topic branch to your Envoy Gateway fork. + 5. Submit a PR to merge the topic from of your fork into the release branch. + 6. Do not proceed until the PR has merged and CI passes for the merged PR. + 7. If you are still on your topic branch, change to the release branch: + + ```shell + git checkout release/v${MAJOR_VERSION}.${MINOR_VERSION} + ``` + + 8. 
Ensure your local release branch is up-to-date: + + ```shell + git pull $GITHUB_REMOTE release/v${MAJOR_VERSION}.${MINOR_VERSION} + ``` + +7. Tag the head of your release branch with the release tag. For example: + + ```shell + git tag -a v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} -m 'Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} Release' + ``` + +8. Push the tag to the Envoy Gateway repository. + + ```shell + git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION + ``` + +9. This will trigger the [release GitHub action][] that generates the release, release artifacts, etc. +10. Confirm that the [release workflow][] completed successfully. +11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. +12. Confirm that the [release][] was created. +13. Confirm that the steps in the [Quickstart][] work as expected. +14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: + + ```console + # Release Announcement + + Check out the [v${MAJOR_VERSION}.${MINOR_VERSION}.${MINOR_VERSION} release announcement] + (https://gateway.envoyproxy.io/news/releases/notes/v${MAJOR_VERSION}.${MINOR_VERSION}.${MINOR_VERSION}.html) to learn more about the release. + ``` + +15. If this patch release is the latest release, update the `lastVersionTag` in `test/e2e/tests/eg_upgrade.go` to reflect the latest prior release. Refer to [PR #4666] as an example. + +### Announce the Release + +It's important that the world knows about the release. Use the following steps to announce the release. + +1. Set the release information in the Envoy Gateway Slack channel. 
For example: + + ```shell + Envoy Gateway v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} has been released: https://github.com/envoyproxy/gateway/releases/tag/v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION} + ``` + [release notes]: https://github.com/envoyproxy/gateway/tree/main/release-notes [Pull Request]: https://github.com/envoyproxy/gateway/pulls [Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md @@ -248,4 +375,5 @@ It's important that the world knows about the release. Use the following steps t [PR #635]: https://github.com/envoyproxy/gateway/pull/635 [PR #2098]: https://github.com/envoyproxy/gateway/pull/2098 [PR #1002]: https://github.com/envoyproxy/gateway/pull/1002 +[PR #4666]: https://github.com/envoyproxy/gateway/pull/4666 [VERSION]: https://github.com/envoyproxy/gateway/blob/main/VERSION From 9f9de74a4a90ec6439918404fdd29cb7d2d89e96 Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 28 Nov 2024 10:53:01 +0800 Subject: [PATCH 438/523] xds: use IPv4Compat on ready server (#4798) 
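Review bot: The tag push in step 8 of the new Patch Release section is missing its closing brace, `git push origin v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION`, so the shell cannot parse it as written. It should read `git push ${GITHUB_REMOTE} v${MAJOR_VERSION}.${MINOR_VERSION}.${PATCH_VERSION}`, which also uses the remote exported in the prerequisites instead of a hard-coded `origin`. In the tagging step before it, the `-m '...'` message is single-quoted, so the variables are not expanded and the annotation is stored as literal `${MAJOR_VERSION}` text; use double quotes. The release-page snippet in step 14 repeats `${MINOR_VERSION}` where `${PATCH_VERSION}` is meant, in both the link text and the URL. Since pushing this tag is what triggers the release workflow, the exact tag name and target remote matter here.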
Signed-off-by: zirain --- .../testdata/translate/out/default-resources.all.yaml | 10 ++++++---- .../translate/out/from-gateway-api-to-xds.all.json | 5 +++-- .../translate/out/from-gateway-api-to-xds.all.yaml | 5 +++-- .../out/from-gateway-api-to-xds.bootstrap.yaml | 5 +++-- .../out/jwt-single-route-single-match-to-xds.all.json | 5 +++-- .../out/jwt-single-route-single-match-to-xds.all.yaml | 5 +++-- ...jwt-single-route-single-match-to-xds.bootstrap.yaml | 5 +++-- .../translate/out/no-service-cluster-ip.all.yaml | 5 +++-- .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 5 +++-- .../proxy/testdata/daemonsets/default-env.yaml | 5 +++-- .../kubernetes/proxy/testdata/daemonsets/default.yaml | 5 +++-- .../proxy/testdata/daemonsets/disable-prometheus.yaml | 5 +++-- .../proxy/testdata/daemonsets/extension-env.yaml | 5 +++-- .../daemonsets/override-labels-and-annotations.yaml | 5 +++-- .../proxy/testdata/daemonsets/patch-daemonset.yaml | 5 +++-- .../proxy/testdata/daemonsets/shutdown-manager.yaml | 5 +++-- .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 5 +++-- .../proxy/testdata/daemonsets/with-annotations.yaml | 5 +++-- .../proxy/testdata/daemonsets/with-extra-args.yaml | 5 +++-- .../testdata/daemonsets/with-image-pull-secrets.yaml | 5 +++-- .../proxy/testdata/daemonsets/with-name.yaml | 5 +++-- .../proxy/testdata/daemonsets/with-node-selector.yaml | 5 +++-- .../daemonsets/with-topology-spread-constraints.yaml | 5 +++-- .../kubernetes/proxy/testdata/deployments/custom.yaml | 5 +++-- .../deployments/custom_with_initcontainers.yaml | 5 +++-- .../proxy/testdata/deployments/default-env.yaml | 5 +++-- .../kubernetes/proxy/testdata/deployments/default.yaml | 5 +++-- .../proxy/testdata/deployments/disable-prometheus.yaml | 5 +++-- .../proxy/testdata/deployments/extension-env.yaml | 5 +++-- .../deployments/override-labels-and-annotations.yaml | 5 +++-- .../proxy/testdata/deployments/patch-deployment.yaml | 5 +++-- .../proxy/testdata/deployments/shutdown-manager.yaml 
| 5 +++-- .../kubernetes/proxy/testdata/deployments/volumes.yaml | 5 +++-- .../proxy/testdata/deployments/with-annotations.yaml | 5 +++-- .../testdata/deployments/with-empty-memory-limits.yaml | 5 +++-- .../proxy/testdata/deployments/with-extra-args.yaml | 5 +++-- .../testdata/deployments/with-image-pull-secrets.yaml | 5 +++-- .../proxy/testdata/deployments/with-name.yaml | 5 +++-- .../proxy/testdata/deployments/with-node-selector.yaml | 5 +++-- .../deployments/with-topology-spread-constraints.yaml | 5 +++-- internal/xds/bootstrap/bootstrap.go | 2 +- internal/xds/bootstrap/bootstrap.yaml.tpl | 3 ++- internal/xds/bootstrap/testdata/merge/default.out.yaml | 5 +++-- .../testdata/merge/merge-user-bootstrap.out.yaml | 5 +++-- .../testdata/merge/patch-global-config.out.yaml | 5 +++-- .../xds/bootstrap/testdata/merge/stats_sinks.out.yaml | 5 +++-- .../bootstrap/testdata/render/custom-server-port.yaml | 5 +++-- .../testdata/render/custom-stats-matcher.yaml | 5 +++-- .../bootstrap/testdata/render/disable-prometheus.yaml | 5 +++-- .../render/enable-prometheus-gzip-compression.yaml | 5 +++-- .../bootstrap/testdata/render/enable-prometheus.yaml | 5 +++-- .../testdata/render/otel-metrics-backendref.yaml | 5 +++-- .../xds/bootstrap/testdata/render/otel-metrics.yaml | 5 +++-- .../testdata/render/with-max-heap-size-bytes.yaml | 5 +++-- 54 files changed, 162 insertions(+), 108 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 80934209fce..231b0d46dd7 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml 
@@ -40,12 +40,13 @@ envoyProxyForGatewayClass: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager @@ -658,7 +659,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -689,7 +691,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 0cfb690977f..0e9e4a813c5 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -234,7 +234,8 @@ { "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 19001 } }, @@ -295,7 +296,7 @@ ] } ], - "name": "envoy-gateway-proxy-ready-0.0.0.0-19001" + "name": "envoy-gateway-proxy-ready-::-19001" } ] } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 124e0fd65e0..bbb0fe7664d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -137,7 +137,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: 
@@ -168,7 +169,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml index b378fdc17b5..ae66cada56d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml @@ -136,7 +136,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -167,4 +168,4 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 5042c9d1f03..3f1a434e466 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -234,7 +234,8 @@ { "address": { "socketAddress": { - "address": "0.0.0.0", + "address": "::", + "ipv4Compat": true, "portValue": 19001 } }, @@ -295,7 +296,7 @@ ] } ], - "name": "envoy-gateway-proxy-ready-0.0.0.0-19001" + "name": "envoy-gateway-proxy-ready-::-19001" } ] } diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 2644bf5babc..8ae3da4019b 100644 
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -137,7 +137,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -168,7 +169,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml index f2838d95bc9..a4c85fd324a 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml @@ -136,7 +136,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -167,4 +168,4 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index df906c98211..5737d7ef4ff 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -137,7 +137,8 @@ xds: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: 
@@ -168,7 +169,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index c776209328c..a66007f9e40 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -72,12 +72,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 0b19c488769..4615d7f718b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 56a589683bd..5da9f50d6dd 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index 2e0d28b8ae0..e4d59420525 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -67,12 +67,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 300ad8663de..ec82abe3818 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml 
@@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 9bd9262b00f..17cad5ec022 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -80,12 +80,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 9e2901ea793..4d4c0d8dd48 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index ee53271eedb..b53a798d1f8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 31900415e4e..67492f7c449 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 478248125c1..30f7180689f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml 
@@ -76,12 +76,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index abcf5df5843..7f8c8768ac0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 63f4b88837b..baad28a12ef 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 00f4cde053f..50c3d0e48b2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 338aee23c5d..8c1dfe25191 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 65d61d1f79d..82765fb7148 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml 
@@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index a319317f707..324cd2956c9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -77,12 +77,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 8d2203c31bb..0f5e18d3783 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -77,12 +77,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index b028a291e74..d827b17e6e9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -76,12 +76,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 2dd512c5fcb..fe8d8f8ecfe 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index e2afb845d04..00d0827a364 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml 
@@ -71,12 +71,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 2c6bb786992..e79d29d1f91 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -76,12 +76,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index cda0dd531da..f168dc2f7aa 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -84,12 +84,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 97c5760f631..323ab8236ed 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 81c7fad6ea3..bfa255fb513 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index a1df598b9fe..8a1c223ef7b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml 
@@ -76,12 +76,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index e21f0f78ffa..3d464d43840 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -80,12 +80,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index c2db49a1246..3c051ab5c5c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 402614eb808..db80416291c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index 5eb37e92d77..b52eb1d3196 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 5e6bbd62cb7..c1c3fb550aa 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml 
@@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 55137dfe205..69ee693dd17 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index adc7784549e..6445a17b8e2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -75,12 +75,13 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index e8aab4d836a..b1af89d60ac 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -41,7 +41,7 @@ const ( // DefaultWasmServerPort is the default listening port of the wasm HTTP server. wasmServerPort = 18002 - envoyReadinessAddress = "0.0.0.0" + envoyReadinessAddress = "::" EnvoyReadinessPort = 19001 EnvoyReadinessPath = "/ready" diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index d243b7777ec..9e7fd739871 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl @@ -65,9 +65,10 @@ static_resources: - name: envoy-gateway-proxy-ready-{{ .ReadyServer.Address }}-{{ .ReadyServer.Port }} address: socket_address: - address: {{ .ReadyServer.Address }} + address: '{{ .ReadyServer.Address }}' port_value: {{ .ReadyServer.Port }} protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/merge/default.out.yaml b/internal/xds/bootstrap/testdata/merge/default.out.yaml index e0a187fd8bc..b70801eebc7 100644 --- a/internal/xds/bootstrap/testdata/merge/default.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/default.out.yaml @@ -138,7 +138,8 @@ staticResources: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -169,4 +170,4 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 diff --git a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml index 7fcb292368a..0438c5a675e 100644 --- a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml 
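Review bot: `envoyReadinessAddress = "::"` makes the readiness listener depend on the node providing an IPv6 socket, which the previous `0.0.0.0` did not. On a host where IPv6 is disabled the bind would presumably fail and the `/ready` probe on port 19001 would never pass, so the address is better chosen from the proxy's IP family than fixed in one constant. The constant also has no comment linking it to `ipv4_compat: true` in bootstrap.yaml.tpl, which is what keeps IPv4 probes working. I would add `// "::" together with ipv4_compat in the template yields one dual-stack socket; needs IPv6 support on the node.` above it. The const block starts and ends outside this hunk.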
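Review bot: `ipv4_compat: true` is written unconditionally in the bootstrap.yaml.tpl hunk while `address` is still rendered from `.ReadyServer.Address`. Envoy defines this flag for IPv6 binds, so if the readiness address is ever set to an IPv4 value the rendered listener may be rejected or the flag ignored. Guarding the line with `{{- if eq .ReadyServer.Address "::" }}` … `{{- end }}` keeps the two fields consistent. Because the listener is a wildcard bind that now also accepts IPv6, deployments whose network policies or host firewalls were written for IPv4 only should confirm that port 19001 is covered for IPv6 as well. The readiness listener in the golden files also routes to `prometheus_stats`.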
+++ b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml @@ -144,7 +144,8 @@ staticResources: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -175,4 +176,4 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 diff --git a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml index 63915cc277a..5844b3ea114 100644 --- a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml @@ -134,7 +134,8 @@ static_resources: listeners: - address: socket_address: - address: 0.0.0.0 + address: '::' + ipv4_compat: true port_value: 19001 protocol: TCP filter_chains: @@ -166,4 +167,4 @@ static_resources: route: cluster: prometheus_stats stat_prefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml index 40d2392a98d..5920dcb0b07 100644 --- a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml @@ -155,7 +155,8 @@ staticResources: listeners: - address: socketAddress: - address: 0.0.0.0 + address: '::' + ipv4Compat: true portValue: 19001 filterChains: - filters: @@ -186,7 +187,7 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + name: envoy-gateway-proxy-ready-::-19001 statsSinks: - name: envoy.stat_sinks.metrics_service typedConfig: 
diff --git a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml index 23cd059a2a6..9346a397bfb 100644 --- a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml @@ -31,12 +31,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-3333 + - name: envoy-gateway-proxy-ready-::-3333 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 3333 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml index 370b66914e3..8ce0164d9fa 100644 --- a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml @@ -42,12 +42,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml index 1b5be570ce3..f901046d629 100644 --- a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml 
@@ -31,12 +31,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml index 93829b713f1..99b9af18513 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml @@ -31,12 +31,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml index 5d17a89534f..0b56c4508a5 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml @@ -31,12 +31,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml index 3f6c0259a7e..2d375423456 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml @@ -38,12 +38,13 @@ stats_sinks: cluster_name: otel_metric_sink_0 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml index 3f6c0259a7e..2d375423456 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml @@ -38,12 +38,13 @@ stats_sinks: cluster_name: otel_metric_sink_0 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml index 854b8a28988..9680192c5e5 100644 --- a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml +++ b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml 
@@ -31,12 +31,13 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-0.0.0.0-19001 + - name: envoy-gateway-proxy-ready-::-19001 address: socket_address: - address: 0.0.0.0 + address: '::' port_value: 19001 protocol: TCP + ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager From 17e932c7bd7ed62d3fa91d4f1afd176a69bd83eb Mon Sep 17 00:00:00 2001 From: zirain Date: Thu, 28 Nov 2024 11:35:06 +0800 Subject: [PATCH 439/523] xds: use `::1` if IPFamily is IPv6 on admin server (#4801) xds: use if IPFamily is IPv6 Signed-off-by: zirain --- internal/infrastructure/common/proxy_args.go | 13 + .../proxy/resource_provider_test.go | 33 +- .../proxy/testdata/deployments/ipv6.yaml | 375 ++++++++++++++++++ internal/xds/bootstrap/bootstrap.go | 10 +- internal/xds/bootstrap/bootstrap_test.go | 6 + .../xds/bootstrap/testdata/render/ipv6.yaml | 169 ++++++++ 6 files changed, 595 insertions(+), 11 deletions(-) create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml create mode 100644 internal/xds/bootstrap/testdata/render/ipv6.yaml diff --git a/internal/infrastructure/common/proxy_args.go b/internal/infrastructure/common/proxy_args.go index 0ffaa36c64e..165d004e5fe 100644 --- a/internal/infrastructure/common/proxy_args.go +++ b/internal/infrastructure/common/proxy_args.go @@ -13,6 +13,14 @@ import ( "github.com/envoyproxy/gateway/internal/xds/bootstrap" ) +func getIPFamily(infra *ir.ProxyInfra) *egv1a1.IPFamily { + if infra == nil || infra.Config == nil { + return nil + } + + return infra.Config.Spec.IPFamily +} + // BuildProxyArgs builds command arguments for proxy infrastructure. func BuildProxyArgs( infra *ir.ProxyInfra, 
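Review bot: `getIPFamily` in proxy_args.go has no doc comment, and its nil result is significant to the caller, since `BuildProxyArgs` copies it into the bootstrap options as-is. I would add `// getIPFamily returns the IPFamily set on the proxy's EnvoyProxy config, or nil when infra or infra.Config is nil or the field is unset.` above the function. It also returns the pointer stored in `infra.Config.Spec` rather than a copy, so the options struct and the EnvoyProxy spec end up sharing one value; the comment should mention this if it is intended.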
@@ -20,6 +28,11 @@ func BuildProxyArgs( bootstrapConfigOptions *bootstrap.RenderBootstrapConfigOptions, serviceNode string, ) ([]string, error) { + // If IPFamily is not set, try to determine it from the infrastructure. + if bootstrapConfigOptions != nil && bootstrapConfigOptions.IPFamily == nil { + bootstrapConfigOptions.IPFamily = getIPFamily(infra) + } + bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(bootstrapConfigOptions) if err != nil { return nil, err diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index 0cf54a40427..ca3e45d1523 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -44,6 +44,16 @@ func newTestInfra() *ir.Infra { return newTestInfraWithAnnotations(nil) } +func newTestIPv6Infra() *ir.Infra { + i := newTestInfra() + i.Proxy.Config = &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + IPFamily: ptr.To(egv1a1.IPv6), + }, + } + return i +} + func newTestInfraWithAnnotations(annotations map[string]string) *ir.Infra { return newTestInfraWithAnnotationsAndLabels(annotations, nil) } @@ -200,6 +210,11 @@ func TestDeployment(t *testing.T) { deploy: nil, bootstrap: `test bootstrap config`, }, + { + caseName: "ipv6", + infra: newTestIPv6Infra(), + deploy: nil, + }, { caseName: "extension-env", infra: newTestInfra(), @@ -568,15 +583,6 @@ func TestDeployment(t *testing.T) { dp, err := r.Deployment() require.NoError(t, err) - expected, err := loadDeployment(tc.caseName) - require.NoError(t, err) - - sortEnv := func(env []corev1.EnvVar) { - sort.Slice(env, func(i, j int) bool { - return env[i].Name > env[j].Name - }) - } - if *overrideTestData { deploymentYAML, err := yaml.Marshal(dp) require.NoError(t, err) 
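Review bot: The fallback added at the top of BuildProxyArgs assigns into the caller's `bootstrapConfigOptions`, so an options value reused across calls keeps the IPFamily of whichever infra was rendered first, and the fallback is skipped altogether when the pointer is nil. In the nil case an IPv6 infra would still get the `127.0.0.1` admin address, assuming GetRenderedBootstrapConfig tolerates nil options as its body in this patch suggests. Working on a copy avoids the hidden write: `opts := *bootstrapConfigOptions`, then `opts.IPFamily = getIPFamily(infra)`, and pass `&opts` on. The rest of BuildProxyArgs is outside the hunk, so whether any caller reuses or omits the options is not visible here.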
@@ -586,8 +592,17 @@ func TestDeployment(t *testing.T) { return } + expected, err := loadDeployment(tc.caseName) + require.NoError(t, err) + + sortEnv := func(env []corev1.EnvVar) { + sort.Slice(env, func(i, j int) bool { + return env[i].Name > env[j].Name + }) + } sortEnv(dp.Spec.Template.Spec.Containers[0].Env) sortEnv(expected.Spec.Template.Spec.Containers[0].Env) + assert.Equal(t, expected, dp) }) } diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml new file mode 100644 index 00000000000..da324336017 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml 
@@ -0,0 +1,375 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + name: envoy-default-37a8eec1 + namespace: envoy-gateway-system +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + spec: + automountServiceAccountToken: false + containers: + - args: + - --service-cluster default + - --service-node $(ENVOY_POD_NAME) + - | + --config-yaml admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: ::1 + port_value: 19000 + layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 + dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + 
cds_config: + ads: {} + resource_api_version: V3 + static_resources: + listeners: + - name: envoy-gateway-proxy-ready-::-19001 + address: + socket_address: + address: '::' + port_value: 19001 + protocol: TCP + ipv4_compat: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-ready-http + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.health_check + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + pass_through_mode: false + headers: + - name: ":path" + string_match: + exact: /ready + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ::1 + port_value: 19000 + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + port_value: 18000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": 
type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + - --log-level warn + - --cpuset-threads + - --drain-strategy immediate + - --drain-time-s 60 + command: + - envoy + env: + 
- name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/envoy:distroless-dev + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown/ready + port: 19002 + scheme: HTTP + name: envoy + ports: + - containerPort: 19001 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ready + port: 19001 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /ready + port: 19001 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /sds + name: sds + - args: + - envoy + - shutdown-manager + command: + - envoy-gateway + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - envoy-gateway + - envoy + - shutdown + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: shutdown-manager + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + 
resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-default-37a8eec1 + terminationGracePeriodSeconds: 360 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy + - configMap: + defaultMode: 420 + items: + - key: xds-trusted-ca.json + path: xds-trusted-ca.json + - key: xds-certificate.json + path: xds-certificate.json + name: envoy-default-37a8eec1 + optional: false + name: sds +status: {} diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index b1af89d60ac..45847d4a6bf 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -27,8 +27,9 @@ const ( // envoyGatewayXdsServerHost is the DNS name of the Xds Server within Envoy Gateway. // It defaults to the Envoy Gateway Kubernetes service. envoyGatewayXdsServerHost = "envoy-gateway" - // EnvoyAdminAddress is the listening address of the envoy admin interface. - EnvoyAdminAddress = "127.0.0.1" + // EnvoyAdminAddress is the listening v4 address of the envoy admin interface. + EnvoyAdminAddress = "127.0.0.1" + EnvoyAdminAddressV6 = "::1" // EnvoyAdminPort is the port used to expose admin interface. EnvoyAdminPort = 19000 // envoyAdminAccessLogPath is the path used to expose admin access log. 
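Review bot: `EnvoyAdminAddressV6` is added to the exported const block in bootstrap.go without a doc comment of its own; the reworded comment above it covers only `EnvoyAdminAddress`. Add `// EnvoyAdminAddressV6 is the loopback v6 address of the envoy admin interface, used when IPFamily is IPv6.` so the pairing is explicit. Saying that both values are loopback addresses is worth the words, because the rendered bootstrap points the `prometheus_stats` cluster at this address and the admin interface should stay unreachable from outside the pod. The const block continues outside the hunk.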
@@ -140,6 +141,7 @@ type overloadManagerParameters struct { } type RenderBootstrapConfigOptions struct { + IPFamily *egv1a1.IPFamily ProxyMetrics *egv1a1.ProxyMetrics SdsConfig SdsConfigPath XdsServerHost *string @@ -301,6 +303,10 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err cfg.parameters.WasmServer.Port = *opts.WasmServerPort } + if opts.IPFamily != nil && *opts.IPFamily == egv1a1.IPv6 { + cfg.parameters.AdminServer.Address = EnvoyAdminAddressV6 + } + cfg.parameters.OverloadManager.MaxHeapSizeBytes = opts.MaxHeapSizeBytes } diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go index 3c334eeaeb5..d72220a0141 100644 --- a/internal/xds/bootstrap/bootstrap_test.go +++ b/internal/xds/bootstrap/bootstrap_test.go @@ -161,6 +161,12 @@ func TestGetRenderedBootstrapConfig(t *testing.T) { SdsConfig: sds, }, }, + { + name: "ipv6", + opts: &RenderBootstrapConfigOptions{ + IPFamily: ptr.To(egv1a1.IPv6), + }, + }, } for _, tc := range cases { diff --git a/internal/xds/bootstrap/testdata/render/ipv6.yaml b/internal/xds/bootstrap/testdata/render/ipv6.yaml new file mode 100644 index 00000000000..ab63a3e7439 --- /dev/null +++ b/internal/xds/bootstrap/testdata/render/ipv6.yaml 
@@ -0,0 +1,169 @@ +admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: ::1 + port_value: 19000 +layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 +dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 +static_resources: + listeners: + - name: envoy-gateway-proxy-ready-::-19001 + address: + socket_address: + address: '::' + port_value: 19001 + protocol: TCP + ipv4_compat: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-ready-http + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.health_check + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + pass_through_mode: false + headers: + - name: ":path" + string_match: + exact: /ready + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ::1 + 
port_value: 19000 + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + 
path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 +overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 From c490c747837c4ec10b95a5a7e1563e024582128c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Nov 2024 11:36:43 +0800 Subject: [PATCH 440/523] build(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 (#4774) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2...18f2510ee396bbf400402947b394f2dd8c87dbb0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 077dfa44fcb..bd3d3bde934 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -25,7 +25,7 @@ jobs: IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 with: image-ref: envoy-proxy/gateway-dev:${{ github.sha }} exit-code: '1' From 79c784ef8e4051c593a42bd489505ec953ae7f01 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Nov 2024 11:36:58 +0800 Subject: [PATCH 441/523] build(deps): bump busybox from `768e5c6` to `db142d4` in /tools/docker/envoy-gateway (#4773) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `768e5c6` to `db142d4`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao Co-authored-by: zirain --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 44fff0beb98..880ce0abf34 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile @@ -1,4 +1,4 @@ -FROM busybox@sha256:768e5c6f5cb6db0794eec98dc7a967f40631746c32232b78a3105fb946f3ab83 AS source +FROM busybox@sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68 AS source # Create the data directory for eg RUN mkdir -p /var/lib/eg From 36939dc4f93f237f031364c7dc32f4c0dbf56545 Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Thu, 28 Nov 2024 20:31:52 -0800 Subject: [PATCH 442/523] use a waitGroup instead of an enabled channel in the status updater (#4809) use a waitGroup instead of a channel in the status updater * use a waitGroup to synchronize to the `Send` method that the status updater is enabled and ready for updates Signed-off-by: Arko Dasgupta --- .../provider/kubernetes/status_updater.go | 64 ++++++------------- 1 file changed, 18 insertions(+), 46 deletions(-) diff --git a/internal/provider/kubernetes/status_updater.go b/internal/provider/kubernetes/status_updater.go index ee5cbce59d2..1bafe23668b 100644 --- a/internal/provider/kubernetes/status_updater.go +++ b/internal/provider/kubernetes/status_updater.go @@ -7,7 +7,7 @@ package kubernetes import ( "context" - "errors" + "sync" "time" "github.com/go-logr/logr" @@ -57,26 +57,21 @@ func (m MutatorFunc) Mutate(old client.Object) client.Object { type UpdateHandler struct { log logr.Logger client client.Client - sendUpdates chan struct{} updateChannel chan Update - writer *UpdateWriter + wg *sync.WaitGroup } func NewUpdateHandler(log logr.Logger, client client.Client) *UpdateHandler { - sendUpdates := make(chan struct{}) - updateChannel := make(chan Update, 100) - return &UpdateHandler{ + u := &UpdateHandler{ log: log, client: client, - sendUpdates: sendUpdates, - updateChannel: updateChannel, - writer: &UpdateWriter{ - log: log, - enabled: sendUpdates, - updateChannel: updateChannel, - eventsBeforeEnabled: make(chan Update, 1000), - }, + updateChannel: make(chan Update, 1000), + wg: new(sync.WaitGroup), } + + u.wg.Add(1) + + return u } func (u *UpdateHandler) apply(update Update) { @@ -140,8 +135,7 @@ func (u *UpdateHandler) Start(ctx context.Context) error { defer u.log.Info("stopped status update handler") // Enable Updaters to start sending updates to this handler. - close(u.sendUpdates) - u.writer.handleEventsReceivedBeforeEnabled() + u.wg.Done() for { select { 
@@ -158,7 +152,10 @@ func (u *UpdateHandler) Start(ctx context.Context) error { // Writer retrieves the interface that should be used to write to the UpdateHandler. func (u *UpdateHandler) Writer() Updater { - return u.writer + return &UpdateWriter{ + updateChannel: u.updateChannel, + wg: u.wg, + } } // Updater describes an interface to send status updates somewhere. 
@@ -168,40 +165,15 @@ type Updater interface { // UpdateWriter takes status updates and sends these to the UpdateHandler via a channel. type UpdateWriter struct { - log logr.Logger - enabled <-chan struct{} updateChannel chan<- Update - // a temporary buffer to store events received before the Updater is enabled. - // These events will be sent to the update channel once the Updater is enabled. - eventsBeforeEnabled chan Update + wg *sync.WaitGroup } // Send sends the given Update off to the update channel for writing by the UpdateHandler. func (u *UpdateWriter) Send(update Update) { - // Non-blocking receive to see if we should pass along update. - select { - case <-u.enabled: - u.updateChannel <- update - default: - if len(u.eventsBeforeEnabled) < cap(u.eventsBeforeEnabled) { - u.log.Info("received a status update while disabled, storing for later", "event", update.NamespacedName) - u.eventsBeforeEnabled <- update - } else { - // If the buffer is full, drop the event to avoid blocking the sender. - u.log.Error(errors.New("dropping status update, buffer full"), "event", update.NamespacedName) - } - } -} - -// handleEventsReceivedBeforeEnabled sends the events received before the Updater was enabled to the update channel. -func (u *UpdateWriter) handleEventsReceivedBeforeEnabled() { - go func() { - for e := range u.eventsBeforeEnabled { - u.log.Info("sending stored status update", "event", e.NamespacedName) - u.updateChannel <- e - } - close(u.eventsBeforeEnabled) - }() + // Wait until updater is ready + u.wg.Wait() + u.updateChannel <- update } // isStatusEqual checks if two objects have equivalent status. From 526a05f92de02f53a4d7ea6fe37441db2933a0c4 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 29 Nov 2024 13:48:54 +0800 Subject: [PATCH 443/523] fix: remove the default retry policy for jwks fetch (#4802) * remove the default retry policy for jwks fetch Signed-off-by: Huabing Zhao * fix gen 
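Review bot: `Send` now blocks on `u.wg.Wait()` and then on the channel write, where the removed code buffered or dropped the update, so any caller that sends before `Start` has run stalls until it does. If `Start` is delayed or never reached on some replica (for instance a manager that starts this runnable only after winning leader election, which is not visible here), every sender goroutine parks indefinitely and the old drop-and-log signal is gone. At minimum document the contract on the method, e.g. `// Send blocks until the UpdateHandler has started and the update is queued.`, and consider whether callers need a cancellable path. The same `wg` is released by the single `u.wg.Done()` in `Start` (hunk at -140,8), so a second `Start` call would panic on a negative counter.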
Signed-off-by: Huabing Zhao * Update release-notes/current.yaml Co-authored-by: Arko Dasgupta Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta --- .../out/jwt-single-route-single-match-to-xds.all.json | 3 +-- .../out/jwt-single-route-single-match-to-xds.all.yaml | 1 - .../out/jwt-single-route-single-match-to-xds.listener.yaml | 1 - internal/xds/translator/jwt.go | 1 - .../out/xds-ir/authorization-jwt-claim.listeners.yaml | 2 -- .../out/xds-ir/authorization-jwt-scope.listeners.yaml | 2 -- .../testdata/out/xds-ir/custom-filter-order.listeners.yaml | 2 -- .../testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml | 1 - .../out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml | 4 ---- .../out/xds-ir/jwt-multi-route-single-provider.listeners.yaml | 2 -- .../testdata/out/xds-ir/jwt-optional.listeners.yaml | 1 - .../testdata/out/xds-ir/jwt-ratelimit.listeners.yaml | 1 - .../out/xds-ir/jwt-single-route-single-match.listeners.yaml | 1 - .../xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml | 1 - release-notes/current.yaml | 2 +- 15 files changed, 2 insertions(+), 23 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 3f1a434e466..5b8e401907a 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -515,8 +515,7 @@ "cluster": "raw_githubusercontent_com_443", "timeout": "10s", "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json" - }, - "retryPolicy": {} + } } } }, 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 8ae3da4019b..11bc52b64f2 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -307,7 +307,6 @@ xds: cluster: raw_githubusercontent_com_443 timeout: 10s uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json - retryPolicy: {} requirementMap: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com: providerName: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index ed90fc0e3e2..fc47046f781 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -61,7 +61,6 @@ xds: cluster: raw_githubusercontent_com_443 timeout: 10s uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json - retryPolicy: {} requirementMap: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com: providerName: httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com/example diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index f3f16b20c6f..bc3e8d1b16e 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go 
@@ -120,7 +120,6 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication, }, CacheDuration: &durationpb.Duration{Seconds: 5 * 60}, AsyncFetch: &jwtauthnv3.JwksAsyncFetch{}, - RetryPolicy: &corev3.RetryPolicy{}, }, } diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml index c3144002dc5..8c489a928e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml @@ -35,7 +35,6 @@ cluster: two_example_com_443 timeout: 10s uri: https://two.example.com/jwt/public-key/jwks.json - retryPolicy: {} httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: audiences: - one.foo.com @@ -52,7 +51,6 @@ cluster: one_example_com_443 timeout: 10s uri: https://one.example.com/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: httproute/default/httproute-1/rule/0/match/0/www_example_com: providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml index c3144002dc5..8c489a928e8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml @@ -35,7 +35,6 @@ cluster: two_example_com_443 timeout: 10s uri: https://two.example.com/jwt/public-key/jwks.json - retryPolicy: {} httproute/default/httproute-2/rule/0/match/0/www_example_com/example1: audiences: - one.foo.com 
@@ -52,7 +51,6 @@ cluster: one_example_com_443 timeout: 10s uri: https://one.example.com/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: httproute/default/httproute-1/rule/0/match/0/www_example_com: providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/example1 diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 7a61b6197b2..0f5111a8afa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -85,7 +85,6 @@ cluster: one_example_com_443 timeout: 10s uri: https://one.example.com/jwt/public-key/jwks.json - retryPolicy: {} httproute/envoy-gateway/httproute-1/rule/0/match/0/www_example_com/example2: audiences: - two.foo.com @@ -105,7 +104,6 @@ cluster: two_example_com_80 timeout: 10s uri: http://two.example.com/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: httproute/envoy-gateway/httproute-1/rule/0/match/0/www_example_com: requiresAny: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index 25c76bcef2f..89174e27343 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml @@ -42,7 +42,6 @@ cluster: localhost_443 timeout: 10s uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route: providerName: first-route/example diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index 0ac893c74ea..a54a698f87b 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -38,7 +38,6 @@ cluster: localhost_80 timeout: 10s uri: http://localhost/jwt/public-key/jwks.json - retryPolicy: {} first-route-www.test.com/example2: audiences: - one.foo.com @@ -62,7 +61,6 @@ cluster: "192_168_1_250_8080" timeout: 10s uri: https://192.168.1.250:8080/jwt/public-key/jwks.json - retryPolicy: {} second-route-www.test.com/example: audiences: - foo.com @@ -82,7 +80,6 @@ cluster: localhost_80 timeout: 10s uri: http://localhost/jwt/public-key/jwks.json - retryPolicy: {} second-route-www.test.com/example2: audiences: - one.foo.com @@ -100,7 +97,6 @@ cluster: "192_168_1_250_8080" timeout: 10s uri: https://192.168.1.250:8080/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route-www.test.com: requiresAny: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index 82dbfaae02c..668235d7cb2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -60,7 +60,6 @@ cluster: localhost_443 timeout: 10s uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} second-route/example: audiences: - foo.com @@ -77,7 +76,6 @@ cluster: localhost_443 timeout: 10s uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route: providerName: first-route/example diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index 393caa96eb5..8862e7f0425 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -42,7 +42,6 @@ cluster: localhost_443 timeout: 10s uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route: requiresAny: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index 15f08c52173..c3eccbda5ef 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -35,7 +35,6 @@ cluster: "192_168_1_250_443" timeout: 10s uri: https://192.168.1.250/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route: providerName: first-route/example diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index 1eb896e1a7d..b05cedcd164 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -35,7 +35,6 @@ cluster: localhost_443 timeout: 10s uri: https://localhost/jwt/public-key/jwks.json - retryPolicy: {} requirementMap: first-route: providerName: first-route/example diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index d8e6bbf9091..349f027d1bf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml 
@@ -81,7 +81,6 @@ cluster: oidc_example_com_443 timeout: 10s uri: https://oidc.example.com/auth/realms/example/protocol/openid-connect/certs - retryPolicy: {} requirementMap: httproute/default/httproute-1/rule/0/match/0/www_example_com: providerName: httproute/default/httproute-1/rule/0/match/0/www_example_com/exjwt diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bda2ef94be5..58ffa73ccb0 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,7 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Add a bug fix here + Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. # Enhancements that improve performance. performance improvements: | From f69a5c9d126cb8aa09b294ebc42be6680984440a Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Fri, 29 Nov 2024 23:51:39 +0800 Subject: [PATCH 444/523] [release/v1.2] release note for v1.2.3 (#4813) * release note for v1.2.3 Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- VERSION | 2 +- release-notes/current.yaml | 1 - release-notes/v1.2.3.yaml | 5 +++++ site/content/en/news/releases/notes/v1.2.3.md | 10 ++++++++++ site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 6 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 release-notes/v1.2.3.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.3.md diff --git a/VERSION b/VERSION index cc904638af8..4367f900087 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.2 +v1.2.3 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 58ffa73ccb0..d1c6dd95c06 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -17,7 +17,6 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.3.yaml b/release-notes/v1.2.3.yaml new file mode 100644 index 00000000000..1fbe762596c --- /dev/null +++ b/release-notes/v1.2.3.yaml @@ -0,0 +1,5 @@ +date: November 30, 2024 + +bug fixes: | + Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. + Used a waitGroup instead of an enabled channel in the status updater. diff --git a/site/content/en/news/releases/notes/v1.2.3.md b/site/content/en/news/releases/notes/v1.2.3.md new file mode 100644 index 00000000000..94e09abdc7e --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.3.md @@ -0,0 +1,10 @@ +--- +title: "v1.2.3" +publishdate: 2024-11-30 +--- + +Date: November 30, 2024 + +## Bug fixes +- Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. +- Used a waitGroup instead of an enabled channel in the status updater. diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 9ba708d50fc..b21ca9586b8 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.2" -}} +{{- "v1.2.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.2" -}} +{{- "v1.2.3" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index 1c46423c3e0..d68a435454c 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html 
@@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.2" -}} +{{- "v1.2.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.2" -}} +{{- "v1.2.3" -}} {{- end -}} From 6177ec72f7aee5a4acbc2a4717f9a278ca280444 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Fri, 29 Nov 2024 11:28:55 -0800 Subject: [PATCH 445/523] Revert "[release/v1.2] release note for v1.2.3 (#4813)" (#4816) This reverts commit f69a5c9d126cb8aa09b294ebc42be6680984440a. Signed-off-by: Arko Dasgupta --- VERSION | 2 +- release-notes/current.yaml | 1 + release-notes/v1.2.3.yaml | 5 ----- site/content/en/news/releases/notes/v1.2.3.md | 10 ---------- site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 6 files changed, 6 insertions(+), 20 deletions(-) delete mode 100644 release-notes/v1.2.3.yaml delete mode 100644 site/content/en/news/releases/notes/v1.2.3.md diff --git a/VERSION b/VERSION index 4367f900087..cc904638af8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.3 +v1.2.2 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index d1c6dd95c06..58ffa73ccb0 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,6 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | + Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.3.yaml b/release-notes/v1.2.3.yaml deleted file mode 100644 index 1fbe762596c..00000000000 --- a/release-notes/v1.2.3.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -date: November 30, 2024 - -bug fixes: | - Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. - Used a waitGroup instead of an enabled channel in the status updater. diff --git a/site/content/en/news/releases/notes/v1.2.3.md b/site/content/en/news/releases/notes/v1.2.3.md deleted file mode 100644 index 94e09abdc7e..00000000000 --- a/site/content/en/news/releases/notes/v1.2.3.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: "v1.2.3" -publishdate: 2024-11-30 ---- - -Date: November 30, 2024 - -## Bug fixes -- Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. -- Used a waitGroup instead of an enabled channel in the status updater. diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index b21ca9586b8..9ba708d50fc 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.3" -}} +{{- "v1.2.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.3" -}} +{{- "v1.2.2" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index d68a435454c..1c46423c3e0 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.3" -}} +{{- "v1.2.2" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.3" -}} +{{- "v1.2.2" -}} {{- end -}} From d1a8c4720315d5feb80c066643c463845f4b2ec7 Mon Sep 17 00:00:00 2001 
From: Arko Dasgupta Date: Fri, 29 Nov 2024 17:20:07 -0800 Subject: [PATCH 446/523] listen on ipv4 addresses by default (#4817) * listen on `::` if the listener IPFamily is `IPv6` or `DualStack` * Set `ipv4_compat` to `true` if `IPFamily` is `DualStack` 
Signed-off-by: Arko Dasgupta --- .../translate/out/default-resources.all.yaml | 25 +- .../out/from-gateway-api-to-xds.all.json | 20 +- .../out/from-gateway-api-to-xds.all.yaml | 20 +- .../from-gateway-api-to-xds.bootstrap.yaml | 5 +- .../out/from-gateway-api-to-xds.listener.yaml | 15 +- ...-single-route-single-match-to-xds.all.json | 8 +- ...-single-route-single-match-to-xds.all.yaml | 8 +- ...e-route-single-match-to-xds.bootstrap.yaml | 5 +- ...le-route-single-match-to-xds.listener.yaml | 3 +- .../out/no-service-cluster-ip.all.yaml | 8 +- .../translate/out/quickstart.all.yaml | 2 +- internal/gatewayapi/helpers.go | 2 +- internal/gatewayapi/listener.go | 7 +- .../backend-invalid-feature-disabled.out.yaml | 2 +- .../testdata/backend-with-fallback.out.yaml | 2 +- .../backendtlspolicy-across-ns.out.yaml | 2 +- .../backendtlspolicy-ca-only-secret.out.yaml | 2 +- .../backendtlspolicy-ca-only.out.yaml | 2 +- ...ndtlspolicy-default-ns-targetrefs.out.yaml | 4 +- .../backendtlspolicy-default-ns.out.yaml | 2 +- .../backendtlspolicy-invalid-ca.out.yaml | 2 +- ...backendtlspolicy-multiple-targets.out.yaml | 2 +- ...ackendtlspolicy-system-truststore.out.yaml | 2 +- ...y-buffer-limit-out-of-range-error.out.yaml | 4 +- ...y-buffer-limit-with-invalid-value.out.yaml | 4 +- ...backendtrafficpolicy-buffer-limit.out.yaml | 4 +- ...endtrafficpolicy-override-replace.out.yaml | 2 +- ...ndtrafficpolicy-status-conditions.out.yaml | 8 +- ...fficpolicy-status-fault-injection.out.yaml | 4 +- ...trafficpolicy-use-client-protocol.out.yaml | 2 +- ...policy-with-circuitbreakers-error.out.yaml | 4 +- ...rafficpolicy-with-circuitbreakers.out.yaml | 4 +- ...ndtrafficpolicy-with-dns-settings.out.yaml | 4 +- ...endtrafficpolicy-with-healthcheck.out.yaml | 4 +- .../backendtrafficpolicy-with-http2.out.yaml | 4 +- ...fficpolicy-with-httproute-timeout.out.yaml | 2 +- ...nvalid-consistent-hash-table-size.out.yaml | 2 +- ...ndtrafficpolicy-with-loadbalancer.out.yaml | 4 +- 
...telimit-default-route-level-limit.out.yaml | 2 +- ...ocal-ratelimit-invalid-limit-unit.out.yaml | 2 +- ...ocal-ratelimit-invalid-match-type.out.yaml | 2 +- ...valid-multiple-route-level-limits.out.yaml | 2 +- ...rafficpolicy-with-local-ratelimit.out.yaml | 2 +- ...dtrafficpolicy-with-proxyprotocol.out.yaml | 4 +- ...ratelimit-invalid-distinct-invert.out.yaml | 2 +- ...licy-with-ratelimit-invalid-regex.out.yaml | 2 +- ...ckendtrafficpolicy-with-ratelimit.out.yaml | 4 +- ...esponse-override-invalid-valueref.out.yaml | 4 +- ...fficpolicy-with-response-override.out.yaml | 4 +- ...backendtrafficpolicy-with-retries.out.yaml | 4 +- ...olicy-with-same-prefix-httproutes.out.yaml | 2 +- ...cp-udp-listeners-apply-on-gateway.out.yaml | 4 +- ...-tcp-udp-listeners-apply-on-route.out.yaml | 4 +- ...ndtrafficpolicy-with-tcpkeepalive.out.yaml | 4 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 2 +- ...ficpolicy-with-timeout-targetrefs.out.yaml | 4 +- ...backendtrafficpolicy-with-timeout.out.yaml | 4 +- ...cy-buffer-limit-with-format-error.out.yaml | 4 +- ...fer-limit-with-out-of-range-error.out.yaml | 4 +- .../clienttrafficpolicy-buffer-limit.out.yaml | 4 +- ...trafficpolicy-client-ip-detection.out.yaml | 8 +- ...fficpolicy-connection-limit-error.out.yaml | 4 +- ...enttrafficpolicy-connection-limit.out.yaml | 4 +- ...nttrafficpolicy-for-tcp-listeners.out.yaml | 4 +- ...clienttrafficpolicy-headers-error.out.yaml | 2 +- .../clienttrafficpolicy-headers.out.yaml | 4 +- ...nttrafficpolicy-http-health-check.out.yaml | 2 +- .../clienttrafficpolicy-http10.out.yaml | 10 +- .../clienttrafficpolicy-http2.out.yaml | 4 +- .../clienttrafficpolicy-http3.out.yaml | 2 +- ...ficpolicy-idle-timeout-with-error.out.yaml | 2 +- .../clienttrafficpolicy-idle-timeout.out.yaml | 4 +- ...icpolicy-mtls-client-verification.out.yaml | 6 +- ...s-forward-client-cert-custom-data.out.yaml | 12 +- ...icpolicy-mtls-forward-client-cert.out.yaml | 12 +- .../clienttrafficpolicy-mtls.out.yaml | 6 +- 
...clienttrafficpolicy-path-settings.out.yaml | 4 +- ...cy-preserve-case-multiple-targets.out.yaml | 6 +- ...clienttrafficpolicy-preserve-case.out.yaml | 4 +- ...clienttrafficpolicy-proxyprotocol.out.yaml | 4 +- ...enttrafficpolicy-ratelimitheaders.out.yaml | 4 +- ...nttrafficpolicy-status-conditions.out.yaml | 10 +- ...clienttrafficpolicy-tcp-keepalive.out.yaml | 4 +- ...ttrafficpolicy-timeout-with-error.out.yaml | 2 +- .../clienttrafficpolicy-timeout.out.yaml | 4 +- .../clienttrafficpolicy-tls-settings.out.yaml | 8 +- .../clienttrafficpolicy-trailers.out.yaml | 4 +- .../testdata/conflicting-policies.out.yaml | 4 +- .../testdata/custom-filter-order.out.yaml | 2 +- .../testdata/disable-accesslog.out.yaml | 2 +- ...ensionpolicy-invalid-cross-ns-ref.out.yaml | 2 +- ...yextensionpolicy-override-replace.out.yaml | 2 +- ...extensionpolicy-status-conditions.out.yaml | 8 +- ...-extproc-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extproc-invalid-no-port.out.yaml | 2 +- ...xtproc-invalid-no-reference-grant.out.yaml | 2 +- ...y-with-extproc-invalid-no-service.out.yaml | 2 +- ...ith-extproc-with-backendtlspolicy.out.yaml | 2 +- ...extproc-with-multiple-backendrefs.out.yaml | 2 +- ...ith-extproc-with-traffic-features.out.yaml | 2 +- ...xtensionpolicy-with-wasm-env-vars.out.yaml | 2 +- ...ensionpolicy-with-wasm-targetrefs.out.yaml | 2 +- .../envoyextensionpolicy-with-wasm.out.yaml | 2 +- .../envoypatchpolicy-cross-ns-target.out.yaml | 2 +- ...chpolicy-invalid-feature-disabled.out.yaml | 2 +- ...nvalid-target-kind-merge-gateways.out.yaml | 2 +- ...oypatchpolicy-invalid-target-kind.out.yaml | 2 +- ...ypatchpolicy-valid-merge-gateways.out.yaml | 2 +- .../testdata/envoypatchpolicy-valid.out.yaml | 2 +- .../envoyproxy-accesslog-als-json.out.yaml | 2 +- ...oyproxy-accesslog-backend-invalid.out.yaml | 2 +- .../envoyproxy-accesslog-backend.out.yaml | 2 +- ...yproxy-accesslog-cel-with-invalid.out.yaml | 2 +- .../envoyproxy-accesslog-cel.out.yaml | 2 +- 
...oxy-accesslog-file-json-no-format.out.yaml | 2 +- .../envoyproxy-accesslog-file-json.out.yaml | 2 +- .../envoyproxy-accesslog-types.out.yaml | 2 +- ...voyproxy-accesslog-with-bad-sinks.out.yaml | 2 +- ...envoyproxy-accesslog-with-traffic.out.yaml | 2 +- ...voyproxy-accesslog-without-format.out.yaml | 2 +- .../testdata/envoyproxy-accesslog.out.yaml | 2 +- ...roxy-endpoint-routing-for-gateway.out.yaml | 2 +- .../envoyproxy-endpoint-routing.out.yaml | 2 +- ...envoyproxy-metric-backend-invalid.out.yaml | 2 +- .../envoyproxy-metric-backend.out.yaml | 2 +- ...envoyproxy-metric-enabled-backend.out.yaml | 2 +- .../envoyproxy-priority-backend.out.yaml | 2 +- ...proxy-service-routing-for-gateway.out.yaml | 2 +- .../envoyproxy-service-routing.out.yaml | 2 +- ...nvoyproxy-tls-settings-invalid-ns.out.yaml | 4 +- .../envoyproxy-tls-settings-invalid.out.yaml | 4 +- .../testdata/envoyproxy-tls-settings.out.yaml | 4 +- ...nvoyproxy-tracing-backend-invalid.out.yaml | 2 +- .../envoyproxy-tracing-backend.out.yaml | 2 +- .../testdata/envoyproxy-valid.out.yaml | 2 +- .../extensionpolicy-tcp-listener.out.yaml | 4 +- .../extensionpolicy-udp-listener.out.yaml | 4 +- ...tensionpolicy-with-invalid-target.out.yaml | 4 +- ...ionpolicy-with-valid-target-array.out.yaml | 4 +- ...extensionpolicy-with-valid-target.out.yaml | 4 +- ...th-extension-filter-invalid-group.out.yaml | 2 +- ...ith-non-matching-extension-filter.out.yaml | 2 +- ...with-unsupported-extension-filter.out.yaml | 2 +- ...route-with-valid-extension-filter.out.yaml | 2 +- ...-namespace-with-allowed-httproute.out.yaml | 2 +- ...mespace-with-disallowed-httproute.out.yaml | 2 +- ...stener-with-hostname-intersection.out.yaml | 4 +- .../testdata/gateway-infrastructure.out.yaml | 2 +- ...way-with-addresses-with-ipaddress.out.yaml | 2 +- ...with-infrastructure-parametersref.out.yaml | 2 +- ...ture-parametersref-does-not-exist.out.yaml | 2 +- ...astructure-parametersref-fallback.out.yaml | 2 +- 
...route-with-mismatch-port-protocol.out.yaml | 2 +- ...h-tcproute-with-multiple-backends.out.yaml | 2 +- ...with-tcproute-with-multiple-rules.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- ...ith-tls-terminate-and-passthrough.out.yaml | 4 +- ...route-with-mismatch-port-protocol.out.yaml | 2 +- ...h-udproute-with-multiple-backends.out.yaml | 2 +- ...with-udproute-with-multiple-rules.out.yaml | 2 +- ...-listener-with-unmatched-tcproute.out.yaml | 2 +- ...-listener-with-unmatched-udproute.out.yaml | 2 +- ...ith-same-algorithm-different-fqdn.out.yaml | 2 +- ...-valid-multiple-tls-configuration.out.yaml | 2 +- ...ener-with-valid-tls-configuration.out.yaml | 2 +- ...with-preexisting-status-condition.out.yaml | 2 +- ...-listener-with-multiple-tcproutes.out.yaml | 2 +- ...-listener-with-multiple-udproutes.out.yaml | 2 +- ...teway-with-stale-status-condition.out.yaml | 2 +- ...listeners-on-same-tcp-or-tls-port.out.yaml | 2 +- ...th-two-listeners-on-same-udp-port.out.yaml | 2 +- ...isteners-with-multiple-httproutes.out.yaml | 4 +- ...-with-same-port-http-tcp-protocol.out.yaml | 4 +- ...-with-same-port-http-udp-protocol.out.yaml | 4 +- ...s-with-tcproutes-with-sectionname.out.yaml | 4 +- ...ith-tcproutes-without-sectionname.out.yaml | 4 +- ...s-with-udproutes-with-sectionname.out.yaml | 4 +- ...ith-udproutes-without-sectionname.out.yaml | 4 +- .../testdata/grpcroute-with-backend.out.yaml | 2 +- .../grpcroute-with-empty-backends.out.yaml | 2 +- .../grpcroute-with-header-match.out.yaml | 2 +- ...ute-with-method-and-service-match.out.yaml | 2 +- .../grpcroute-with-method-match.out.yaml | 2 +- ...oute-with-request-header-modifier.out.yaml | 2 +- .../grpcroute-with-service-match.out.yaml | 2 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 2 +- ...backendtrafficpolicy-with-timeout.out.yaml | 4 +- ...way-with-more-different-listeners.out.yaml | 16 +- ...ng-to-gateway-with-more-listeners.out.yaml | 16 +- ...wo-listeners-with-different-ports.out.yaml | 4 +- 
...ing-to-gateway-with-two-listeners.out.yaml | 4 +- .../httproute-attaching-to-gateway.out.yaml | 2 +- ...taching-to-listener-matching-port.out.yaml | 2 +- ...ner-on-gateway-with-two-listeners.out.yaml | 4 +- ...with-backend-and-core-backendrefs.out.yaml | 2 +- ...end-backendref-mixed-address-type.out.yaml | 2 +- ...-listener-with-backend-backendref.out.yaml | 2 +- ...end-backendrefs-diff-address-type.out.yaml | 2 +- ...end-backendrefs-same-address-type.out.yaml | 2 +- ...ort-backendrefs-diff-address-type.out.yaml | 2 +- ...ort-backendrefs-same-address-type.out.yaml | 2 +- ...port-backendref-fqdn-address-type.out.yaml | 2 +- ...ort-backendref-mixed-address-type.out.yaml | 2 +- ...ner-with-serviceimport-backendref.out.yaml | 2 +- .../httproute-attaching-to-listener.out.yaml | 2 +- ...httproute-backend-request-timeout.out.yaml | 2 +- ...ing-to-listener-non-matching-port.out.yaml | 2 +- .../httproute-request-timeout.out.yaml | 2 +- ...ith-empty-backends-and-no-filters.out.yaml | 2 +- ...-multiple-backends-and-no-weights.out.yaml | 2 +- ...ith-multiple-backends-and-weights.out.yaml | 2 +- ...ervice-backends-and-app-protocols.out.yaml | 2 +- ...-non-service-backends-and-weights.out.yaml | 2 +- ...h-backendref-add-multiple-filters.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- .../httproute-with-direct-response.out.yaml | 2 +- .../httproute-with-empty-matches.out.yaml | 2 +- ...er-duplicate-add-multiple-filters.out.yaml | 2 +- ...with-header-filter-duplicate-adds.out.yaml | 2 +- ...duplicate-remove-multiple-filters.out.yaml | 2 +- ...h-header-filter-duplicate-removes.out.yaml | 2 +- ...header-filter-empty-header-values.out.yaml | 2 +- ...-with-header-filter-empty-headers.out.yaml | 2 +- ...ith-header-filter-invalid-headers.out.yaml | 2 +- ...ute-with-header-filter-no-headers.out.yaml | 2 +- ...th-header-filter-no-valid-headers.out.yaml | 2 +- ...tproute-with-header-filter-remove.out.yaml | 2 +- 
...with-invalid-backend-ref-bad-port.out.yaml | 2 +- ...invalid-backend-ref-invalid-group.out.yaml | 2 +- ...-invalid-backend-ref-invalid-kind.out.yaml | 2 +- ...-with-invalid-backend-ref-no-port.out.yaml | 2 +- ...lid-backend-ref-no-service.import.out.yaml | 2 +- ...th-invalid-backend-ref-no-service.out.yaml | 2 +- ...id-backend-ref-unsupported-filter.out.yaml | 2 +- ...lid-backendref-in-other-namespace.out.yaml | 2 +- .../httproute-with-invalid-regex.out.yaml | 4 +- .../testdata/httproute-with-metadata.out.yaml | 2 +- ...ute-with-mirror-filter-duplicates.out.yaml | 2 +- ...route-with-mirror-filter-multiple.out.yaml | 2 +- ...ith-mirror-filter-service-no-port.out.yaml | 2 +- ...h-mirror-filter-service-not-found.out.yaml | 2 +- .../httproute-with-mirror-filter.out.yaml | 2 +- ...oute-with-multi-gateways-notmatch.out.yaml | 4 +- ...ith-multi-gateways-with-same-name.out.yaml | 4 +- ...ltiple-gateways-from-different-ns.out.yaml | 4 +- ...th-multiple-gateways-from-same-ns.out.yaml | 4 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...ct-filter-full-path-replace-https.out.yaml | 2 +- ...ute-with-redirect-filter-hostname.out.yaml | 2 +- ...direct-filter-invalid-filter-type.out.yaml | 2 +- ...th-redirect-filter-invalid-scheme.out.yaml | 2 +- ...th-redirect-filter-invalid-status.out.yaml | 2 +- ...ter-prefix-replace-with-port-http.out.yaml | 2 +- ...-with-response-header-filter-adds.out.yaml | 2 +- ...er-duplicate-add-multiple-filters.out.yaml | 2 +- ...onse-header-filter-duplicate-adds.out.yaml | 2 +- ...duplicate-remove-multiple-filters.out.yaml | 2 +- ...e-header-filter-duplicate-removes.out.yaml | 2 +- ...header-filter-empty-header-values.out.yaml | 2 +- ...ponse-header-filter-empty-headers.out.yaml | 2 +- ...nse-header-filter-invalid-headers.out.yaml | 2 +- ...response-header-filter-no-headers.out.yaml | 2 +- ...se-header-filter-no-valid-headers.out.yaml | 2 +- ...ith-response-header-filter-remove.out.yaml | 2 +- ...single-rule-with-exact-path-match.out.yaml 
| 2 +- ...ingle-rule-with-http-method-match.out.yaml | 2 +- ...h-single-rule-with-multiple-rules.out.yaml | 2 +- ...h-prefix-and-exact-header-matches.out.yaml | 2 +- ...e-invalid-backend-refs-no-service.out.yaml | 2 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...to-gateway-with-wildcard-hostname.out.yaml | 2 +- ...ite-filter-full-path-replace-http.out.yaml | 2 +- ...te-filter-hostname-prefix-replace.out.yaml | 2 +- ...e-with-urlrewrite-filter-hostname.out.yaml | 2 +- ...ewrite-filter-invalid-filter-type.out.yaml | 2 +- ...rlrewrite-filter-invalid-hostname.out.yaml | 2 +- ...e-filter-invalid-multiple-filters.out.yaml | 2 +- ...lrewrite-filter-invalid-path-type.out.yaml | 2 +- ...th-urlrewrite-filter-invalid-path.out.yaml | 2 +- ...th-urlrewrite-filter-missing-path.out.yaml | 2 +- ...ewrite-filter-prefix-replace-http.out.yaml | 2 +- ...e-filter-regex-match-replace-http.out.yaml | 2 +- ...ilter-regex-match-replace-invalid.out.yaml | 2 +- ...rlrewrite-hostname-filter-invalid.out.yaml | 2 +- ...e-with-urlrewrite-hostname-filter.out.yaml | 2 +- ...ng-to-gateway-with-unset-hostname.out.yaml | 2 +- .../httproutes-with-multiple-matches.out.yaml | 2 +- .../merge-invalid-multiple-gateways.out.yaml | 4 +- ...ays-multiple-listeners-same-ports.out.yaml | 8 +- ...multiple-gateways-multiple-routes.out.yaml | 6 +- .../merge-valid-multiple-gateways.out.yaml | 6 +- .../merge-with-isolated-policies-2.out.yaml | 8 +- .../merge-with-isolated-policies.out.yaml | 4 +- ...curitypolicy-invalid-cross-ns-ref.out.yaml | 2 +- .../securitypolicy-override-replace.out.yaml | 2 +- .../securitypolicy-status-conditions.out.yaml | 6 +- ...icy-with-authoriztion-client-cidr.out.yaml | 2 +- ...olicy-with-authoriztion-jwt-claim.out.yaml | 2 +- .../securitypolicy-with-basic-auth.out.yaml | 2 +- ...curitypolicy-with-cors-targetrefs.out.yaml | 6 +- .../securitypolicy-with-cors.out.yaml | 6 +- ...curitypolicy-with-extauth-backend.out.yaml | 2 +- ...itypolicy-with-extauth-backendref.out.yaml | 2 +- 
...-extauth-invalid-no-matching-port.out.yaml | 2 +- ...licy-with-extauth-invalid-no-port.out.yaml | 2 +- ...xtauth-invalid-no-reference-grant.out.yaml | 2 +- ...y-with-extauth-invalid-no-service.out.yaml | 2 +- ...policy-with-extauth-recomputation.out.yaml | 2 +- ...ith-extauth-with-backendtlspolicy.out.yaml | 2 +- .../securitypolicy-with-extauth.out.yaml | 2 +- ...ypolicy-with-jwt-and-invalid-oidc.out.yaml | 2 +- .../securitypolicy-with-jwt-optional.out.yaml | 4 +- ...cy-with-jwt-with-custom-extractor.out.yaml | 4 +- .../testdata/securitypolicy-with-jwt.out.yaml | 4 +- ...typolicy-with-oidc-backendcluster.out.yaml | 2 +- ...typolicy-with-oidc-custom-cookies.out.yaml | 2 +- ...typolicy-with-oidc-invalid-issuer.out.yaml | 2 +- ...olicy-with-oidc-invalid-secretref.out.yaml | 6 +- .../securitypolicy-with-oidc.out.yaml | 2 +- ...teway-with-listener-tls-terminate.out.yaml | 4 +- .../testdata/tcproute-with-backend.out.yaml | 2 +- .../tlsroute-attaching-to-gateway.out.yaml | 2 +- .../testdata/tlsroute-multiple.out.yaml | 2 +- .../testdata/tlsroute-with-backend.out.yaml | 2 +- ...her-namespace-allowed-by-refgrant.out.yaml | 2 +- .../tlsroute-with-empty-hostname.out.yaml | 2 +- ...oute-with-empty-listener-hostname.out.yaml | 2 +- .../tracing-merged-multiple-routes.out.yaml | 6 +- .../testdata/tracing-multiple-routes.out.yaml | 6 +- .../proxy/resource_provider_test.go | 15 + .../proxy/testdata/daemonsets/custom.yaml | 5 +- .../testdata/daemonsets/default-env.yaml | 5 +- .../proxy/testdata/daemonsets/default.yaml | 5 +- .../daemonsets/disable-prometheus.yaml | 5 +- .../testdata/daemonsets/extension-env.yaml | 5 +- .../override-labels-and-annotations.yaml | 5 +- .../testdata/daemonsets/patch-daemonset.yaml | 5 +- .../testdata/daemonsets/shutdown-manager.yaml | 5 +- .../proxy/testdata/daemonsets/volumes.yaml | 5 +- .../testdata/daemonsets/with-annotations.yaml | 5 +- .../testdata/daemonsets/with-extra-args.yaml | 5 +- .../daemonsets/with-image-pull-secrets.yaml | 5 +- 
.../proxy/testdata/daemonsets/with-name.yaml | 5 +- .../daemonsets/with-node-selector.yaml | 5 +- .../with-topology-spread-constraints.yaml | 5 +- .../proxy/testdata/deployments/custom.yaml | 5 +- .../custom_with_initcontainers.yaml | 5 +- .../testdata/deployments/default-env.yaml | 5 +- .../proxy/testdata/deployments/default.yaml | 5 +- .../deployments/disable-prometheus.yaml | 5 +- .../testdata/deployments/dual-stack.yaml | 375 ++++++++++++++++++ .../testdata/deployments/extension-env.yaml | 5 +- .../proxy/testdata/deployments/ipv6.yaml | 1 - .../override-labels-and-annotations.yaml | 5 +- .../deployments/patch-deployment.yaml | 5 +- .../deployments/shutdown-manager.yaml | 5 +- .../proxy/testdata/deployments/volumes.yaml | 5 +- .../deployments/with-annotations.yaml | 5 +- .../deployments/with-empty-memory-limits.yaml | 5 +- .../testdata/deployments/with-extra-args.yaml | 5 +- .../deployments/with-image-pull-secrets.yaml | 5 +- .../proxy/testdata/deployments/with-name.yaml | 5 +- .../deployments/with-node-selector.yaml | 5 +- .../with-topology-spread-constraints.yaml | 5 +- internal/ir/xds.go | 4 +- internal/utils/net/ip.go | 1 + internal/xds/bootstrap/bootstrap.go | 23 +- internal/xds/bootstrap/bootstrap.yaml.tpl | 2 + .../bootstrap/testdata/merge/default.out.yaml | 5 +- .../merge/merge-user-bootstrap.out.yaml | 5 +- .../merge/patch-global-config.out.yaml | 5 +- .../testdata/merge/stats_sinks.out.yaml | 5 +- .../testdata/render/custom-server-port.yaml | 5 +- .../testdata/render/custom-stats-matcher.yaml | 5 +- .../testdata/render/disable-prometheus.yaml | 5 +- .../enable-prometheus-gzip-compression.yaml | 5 +- .../testdata/render/enable-prometheus.yaml | 5 +- .../xds/bootstrap/testdata/render/ipv6.yaml | 1 - .../render/otel-metrics-backendref.yaml | 5 +- .../testdata/render/otel-metrics.yaml | 5 +- .../render/with-max-heap-size-bytes.yaml | 5 +- internal/xds/translator/listener.go | 21 +- ...xtensionpolicy-tcp-udp-http.listeners.yaml | 2 - 
...http-route-extension-filter.listeners.yaml | 1 - .../http-route.listeners.yaml | 1 - .../listener-policy.listeners.yaml | 1 - .../out/xds-ir/accesslog-cel.listeners.yaml | 1 - .../accesslog-endpoint-stats.listeners.yaml | 1 - .../accesslog-formatters.listeners.yaml | 1 - .../xds-ir/accesslog-multi-cel.listeners.yaml | 1 - .../out/xds-ir/accesslog-types.listeners.yaml | 1 - .../accesslog-without-format.listeners.yaml | 1 - .../out/xds-ir/accesslog.listeners.yaml | 1 - .../authorization-client-cidr.listeners.yaml | 1 - .../authorization-jwt-claim.listeners.yaml | 1 - .../authorization-jwt-scope.listeners.yaml | 1 - ...ization-multiple-principals.listeners.yaml | 1 - .../backend-buffer-limit.listeners.yaml | 3 - .../xds-ir/backend-priority.listeners.yaml | 1 - .../out/xds-ir/basic-auth.listeners.yaml | 1 - .../out/xds-ir/circuit-breaker.listeners.yaml | 1 - .../xds-ir/client-buffer-limit.listeners.yaml | 2 - .../xds-ir/client-ip-detection.listeners.yaml | 3 - .../out/xds-ir/client-timeout.listeners.yaml | 2 - .../testdata/out/xds-ir/cors.listeners.yaml | 1 - .../xds-ir/custom-filter-order.listeners.yaml | 1 - .../out/xds-ir/custom-response.listeners.yaml | 1 - .../xds-ir/ext-auth-backend.listeners.yaml | 1 - .../ext-auth-recomputation.listeners.yaml | 1 - .../out/xds-ir/ext-auth.listeners.yaml | 1 - ...-proc-with-traffic-settings.listeners.yaml | 1 - .../out/xds-ir/ext-proc.listeners.yaml | 1 - .../out/xds-ir/fault-injection.listeners.yaml | 1 - ...-with-preserve-x-request-id.listeners.yaml | 2 - ...ers-with-underscores-action.listeners.yaml | 4 - .../out/xds-ir/health-check.listeners.yaml | 1 - .../http-early-header-mutation.listeners.yaml | 2 - .../xds-ir/http-endpoint-stats.listeners.yaml | 1 - .../xds-ir/http-health-check.listeners.yaml | 1 - ...tp-preserve-client-protocol.listeners.yaml | 1 - .../http-req-resp-sizes-stats.listeners.yaml | 1 - .../http-route-direct-response.listeners.yaml | 1 - .../http-route-dns-cluster.listeners.yaml | 1 - 
.../xds-ir/http-route-mirror.listeners.yaml | 1 - ...http-route-multiple-matches.listeners.yaml | 1 - ...http-route-multiple-mirrors.listeners.yaml | 1 - .../http-route-partial-invalid.listeners.yaml | 1 - .../xds-ir/http-route-redirect.listeners.yaml | 1 - .../xds-ir/http-route-regex.listeners.yaml | 1 - .../http-route-request-headers.listeners.yaml | 1 - ...-route-response-add-headers.listeners.yaml | 1 - ...response-add-remove-headers.listeners.yaml | 1 - ...ute-response-remove-headers.listeners.yaml | 1 - ...ewrite-root-path-url-prefix.listeners.yaml | 1 - ...ufixx-with-slash-url-prefix.listeners.yaml | 1 - ...-route-rewrite-url-fullpath.listeners.yaml | 1 - ...http-route-rewrite-url-host.listeners.yaml | 1 - ...tp-route-rewrite-url-prefix.listeners.yaml | 1 - ...ttp-route-rewrite-url-regex.listeners.yaml | 1 - ...p-route-session-persistence.listeners.yaml | 1 - .../xds-ir/http-route-timeout.listeners.yaml | 1 - ...ute-weighted-backend-uds-ip.listeners.yaml | 1 - ...ighted-backend-with-filters.listeners.yaml | 1 - ...http-route-weighted-backend.listeners.yaml | 1 - ...te-weighted-invalid-backend.listeners.yaml | 1 - .../http-route-with-clientcert.listeners.yaml | 1 - .../http-route-with-metadata.listeners.yaml | 1 - ...-with-tls-system-truststore.listeners.yaml | 1 - ...th-tlsbundle-multiple-certs.listeners.yaml | 2 - .../http-route-with-tlsbundle.listeners.yaml | 1 - .../out/xds-ir/http-route.listeners.yaml | 1 - .../xds-ir/http1-preserve-case.listeners.yaml | 2 - .../out/xds-ir/http1-trailers.listeners.yaml | 1 - .../testdata/out/xds-ir/http10.listeners.yaml | 1 - .../out/xds-ir/http2-route.listeners.yaml | 1 - .../testdata/out/xds-ir/http2.listeners.yaml | 1 - .../testdata/out/xds-ir/http3.listeners.yaml | 2 - .../jsonpatch-missing-resource.listeners.yaml | 1 - .../jsonpatch-with-jsonpath.listeners.yaml | 1 - .../out/xds-ir/jsonpatch.listeners.yaml | 1 - .../jwt-custom-extractor.listeners.yaml | 1 - ...-multi-route-multi-provider.listeners.yaml | 1 - 
...multi-route-single-provider.listeners.yaml | 1 - .../out/xds-ir/jwt-optional.listeners.yaml | 1 - .../out/xds-ir/jwt-ratelimit.listeners.yaml | 1 - ...t-single-route-single-match.listeners.yaml | 1 - .../listener-connection-limit.listeners.yaml | 4 - .../listener-proxy-protocol.listeners.yaml | 2 - .../listener-tcp-keepalive.listeners.yaml | 4 - .../listener-tcp-without-route.listeners.yaml | 1 - .../out/xds-ir/load-balancer.listeners.yaml | 1 - .../out/xds-ir/local-ratelimit.listeners.yaml | 1 - .../metrics-virtual-host.listeners.yaml | 1 - .../xds-ir/mixed-tls-jwt-authn.listeners.yaml | 1 - ...port-with-different-filters.listeners.yaml | 2 - ...ultiple-listeners-same-port.listeners.yaml | 1 - ...-simple-tcp-route-same-port.listeners.yaml | 1 - ...ertificate-with-custom-data.listeners.yaml | 5 - ...-forward-client-certificate.listeners.yaml | 5 - ...client-certificate-disabled.listeners.yaml | 2 - .../out/xds-ir/mutual-tls.listeners.yaml | 2 - ...dc-backend-cluster-provider.listeners.yaml | 1 - .../testdata/out/xds-ir/oidc.listeners.yaml | 1 - .../out/xds-ir/path-settings.listeners.yaml | 1 - .../proxy-protocol-upstream.listeners.yaml | 1 - .../ratelimit-custom-domain.listeners.yaml | 1 - .../ratelimit-disable-headers.listeners.yaml | 1 - .../ratelimit-endpoint-stats.listeners.yaml | 1 - .../ratelimit-headers-and-cidr.listeners.yaml | 1 - .../xds-ir/ratelimit-sourceip.listeners.yaml | 1 - .../out/xds-ir/ratelimit.listeners.yaml | 1 - .../retry-partial-invalid.listeners.yaml | 1 - ...ypolicy-with-oidc-jwt-authz.listeners.yaml | 1 - .../out/xds-ir/simple-tls.listeners.yaml | 1 - .../suppress-envoy-headers.listeners.yaml | 1 - .../xds-ir/tcp-endpoint-stats.listeners.yaml | 1 - .../tcp-req-resp-sizes-stats.listeners.yaml | 1 - .../xds-ir/tcp-route-complex.listeners.yaml | 1 - .../xds-ir/tcp-route-simple.listeners.yaml | 1 - .../tcp-route-tls-terminate.listeners.yaml | 1 - .../tcp-route-weighted-backend.listeners.yaml | 1 - .../out/xds-ir/timeout.listeners.yaml | 1 
- .../tls-route-passthrough.listeners.yaml | 2 - ...-with-ciphers-versions-alpn.listeners.yaml | 2 - .../out/xds-ir/tracing-datadog.listeners.yaml | 1 - .../tracing-endpoint-stats.listeners.yaml | 1 - .../out/xds-ir/tracing-zipkin.listeners.yaml | 1 - .../out/xds-ir/tracing.listeners.yaml | 1 - .../xds-ir/udp-endpoint-stats.listeners.yaml | 1 - .../udp-req-resp-sizes-stats.listeners.yaml | 1 - .../out/xds-ir/udp-route.listeners.yaml | 1 - .../upstream-tcpkeepalive.listeners.yaml | 1 - .../testdata/out/xds-ir/wasm.listeners.yaml | 1 - internal/xds/translator/translator.go | 7 +- 515 files changed, 1029 insertions(+), 853 deletions(-) create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 231b0d46dd7..01c6b368d19 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -40,13 +40,12 @@ envoyProxyForGatewayClass: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager @@ -659,8 +658,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -691,7 +689,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: 
@@ -893,8 +891,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: @@ -953,8 +950,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8080 defaultFilterChain: filters: @@ -1021,8 +1017,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 filterChains: - filters: @@ -1061,8 +1056,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8443 filterChains: - filterChainMatch: @@ -1108,8 +1102,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 protocol: UDP listenerFilters: diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 0e9e4a813c5..0e4a954a7f0 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -234,8 +234,7 @@ { "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 19001 } }, @@ -296,7 +295,7 @@ ] } ], - "name": "envoy-gateway-proxy-ready-::-19001" + "name": "envoy-gateway-proxy-ready-0.0.0.0-19001" } ] } @@ -638,8 +637,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 10080 } }, @@ -730,8 +728,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 8080 } }, @@ -836,8 +833,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 1234 } }, 
@@ -902,8 +898,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 8443 } }, @@ -981,8 +976,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 1234, "protocol": "UDP" } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index bbb0fe7664d..1df8c3966e6 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -137,8 +137,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -169,7 +168,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: @@ -371,8 +370,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: @@ -431,8 +429,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8080 defaultFilterChain: filters: @@ -499,8 +496,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 filterChains: - filters: @@ -539,8 +535,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8443 filterChains: - filterChainMatch: @@ -586,8 +581,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 protocol: UDP listenerFilters: 
diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml index ae66cada56d..b378fdc17b5 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.bootstrap.yaml @@ -136,8 +136,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -168,4 +167,4 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml index 99b3a3f2cf5..b6c94a95ae8 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml @@ -20,8 +20,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: @@ -80,8 +79,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8080 defaultFilterChain: filters: @@ -148,8 +146,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 filterChains: - filters: @@ -188,8 +185,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 8443 filterChains: - filterChainMatch: @@ -235,8 +231,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 1234 protocol: UDP listenerFilters: 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 5b8e401907a..4364e67b7fd 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -234,8 +234,7 @@ { "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 19001 } }, @@ -296,7 +295,7 @@ ] } ], - "name": "envoy-gateway-proxy-ready-::-19001" + "name": "envoy-gateway-proxy-ready-0.0.0.0-19001" } ] } @@ -461,8 +460,7 @@ ], "address": { "socketAddress": { - "address": "::", - "ipv4Compat": true, + "address": "0.0.0.0", "portValue": 10080 } }, diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 11bc52b64f2..56654aa018f 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -137,8 +137,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -169,7 +168,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: @@ -266,8 +265,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml index a4c85fd324a..f2838d95bc9 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.bootstrap.yaml @@ -136,8 +136,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -168,4 +167,4 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml index fc47046f781..c9ee8194bf9 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml @@ -20,8 +20,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 5737d7ef4ff..1a88c9245c7 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -137,8 +137,7 @@ xds: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: 
@@ -169,7 +168,7 @@ xds: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 - '@type': type.googleapis.com/envoy.admin.v3.EndpointsConfigDump dynamicEndpointConfigs: - endpointConfig: @@ -228,8 +227,7 @@ xds: path: /dev/stdout address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 10080 defaultFilterChain: filters: diff --git a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml index 862c8e8b795..de96e757e8e 100644 --- a/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 366a24b827e..6ed1d7699a6 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go @@ -621,7 +621,7 @@ func getIPFamily(envoyProxy *egv1a1.EnvoyProxy) *ir.IPFamily { case egv1a1.IPv6: result = ir.IPv6 case egv1a1.DualStack: - result = ir.Dualstack + result = ir.DualStack default: return nil } diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index 71235414814..bf369e7b827 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go 
@@ -101,8 +101,11 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource continue } - // EG always use `::` and set ipv4_compact with true to support both IPv4 and IPv6 - address := net.IPv6ListenerAddress + address := net.IPv4ListenerAddress + ipFamily := getIPFamily(gateway.envoyProxy) + if ipFamily != nil && (*ipFamily == ir.IPv6 || *ipFamily == ir.DualStack) { + address = net.IPv6ListenerAddress + } // Add the listener to the Xds IR servicePort := &protocolPort{protocol: listener.Protocol, port: int32(listener.Port)} diff --git a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml index 496795222d9..49d35c60700 100644 --- a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backend-with-fallback.out.yaml b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml index 94b4d02065d..74bd61795fe 100644 --- a/internal/gatewayapi/testdata/backend-with-fallback.out.yaml +++ b/internal/gatewayapi/testdata/backend-with-fallback.out.yaml @@ -138,7 +138,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml index 7d776a1784f..fde390c7efe 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml @@ -121,7 +121,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
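Review bot: The new default in ProcessListeners removes the explanatory comment and changes which address families an unconfigured gateway listens on. When getIPFamily returns nil, `address` is now `net.IPv4ListenerAddress` where it used to be `::` with IPv4 compatibility, so as far as this hunk shows a proxy on an IPv6-only node would stop accepting IPv6 connections until its EnvoyProxy selects IPv6 or DualStack. I would state that at the assignment, for example `// Default to the IPv4 wildcard; bind :: only when the EnvoyProxy IP family is IPv6 or DualStack.`, and call it out as an upgrade-visible change. Whether getIPFamily tolerates a nil `gateway.envoyProxy` cannot be confirmed from this page, since the helpers.go hunk shows only the tail of its switch; a test case with no EnvoyProxy attached would pin that down. The body of ProcessListeners starts and ends outside the hunk.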
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index a65ea66d0ab..a5b87b3fa1f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index f85b9c73c3f..8489f047341 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 3467422f204..9f4874f90f4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml @@ -266,7 +266,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -323,7 +323,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index c8898169624..2e2186879f9 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml 
@@ -227,7 +227,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index cb968f9a6a0..100efbcab4f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml index 207713455e8..8ecd25a2418 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml @@ -174,7 +174,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index 8438c8551ce..f91dc4d768e 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -129,7 +129,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml index b64b9faa39a..bb171e01da7 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-out-of-range-error.out.yaml 
@@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml index b0b46e91d66..654c9bdab4a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit-with-invalid-value.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml index 0db555c1cfd..d95c8a0fcc0 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-buffer-limit.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -292,7 +292,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml index a956f1b4706..8aafd70c0bb 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-override-replace.out.yaml 
@@ -272,7 +272,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml index 1e671f11044..1a054712d80 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml @@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -540,7 +540,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -578,7 +578,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -612,6 +612,6 @@ xdsIR: name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* traffic: {} tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml index b263c244b51..02222719f3f 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-fault-injection.out.yaml @@ -329,7 +329,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -373,7 +373,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml index 678fc4dea50..0a13771f373 100644 
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-use-client-protocol.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml index 80a166ac5d5..2b49ea23741 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers-error.out.yaml @@ -311,7 +311,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -349,7 +349,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml index a1cf0fa2af5..575bfca2e1b 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-circuitbreakers.out.yaml @@ -253,7 +253,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -296,7 +296,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml index 04202343698..12bbf12dbe7 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-dns-settings.out.yaml 
@@ -318,7 +318,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -362,7 +362,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml index 792b473aba5..4f964492673 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-healthcheck.out.yaml @@ -678,7 +678,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -787,7 +787,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml index ca5371fc7df..35dbb164bf1 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-http2.out.yaml @@ -251,7 +251,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml index 371a3709c9f..245739ca233 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml 
@@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml index 0562588ff18..dc2ba7fb3d3 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer-invalid-consistent-hash-table-size.out.yaml @@ -201,7 +201,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml index 30918a9739b..b2378edf754 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-loadbalancer.out.yaml @@ -421,7 +421,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -460,7 +460,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml index bc398deeace..d64aea61aee 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-default-route-level-limit.out.yaml 
@@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml index 3097821b6ae..0be116e1ebf 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-limit-unit.out.yaml @@ -154,7 +154,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml index f4b263b7c99..21cae9b09f3 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-match-type.out.yaml @@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml index f92bea8d0ca..0fd1f442bd8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit-invalid-multiple-route-level-limits.out.yaml @@ -157,7 +157,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml index 5f212860b63..f05856b9630 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-local-ratelimit.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml index 46398f5452d..c65df985ac5 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-proxyprotocol.out.yaml @@ -245,7 +245,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -284,7 +284,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml index 75e47abd4ec..4ea1623c867 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml @@ -134,7 +134,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml index a19a2ed3b72..8b20cbc59c9 100644 
--- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-regex.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml index 37763d7d92c..07fa997e109 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit.out.yaml @@ -268,7 +268,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -321,7 +321,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml index 8001e10e433..c1542d9caec 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override-invalid-valueref.out.yaml @@ -294,7 +294,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -332,7 +332,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml index 4f0f13c6740..568a57af484 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-response-override.out.yaml @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -353,7 +353,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml index 2ae6a02c282..40ae88b602d 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-retries.out.yaml @@ -264,7 +264,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -310,7 +310,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml index e8d3d65ed90..d032b952236 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-same-prefix-httproutes.out.yaml @@ -169,7 +169,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml index e96203a9214..9fa8e7235c9 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-gateway.out.yaml 
@@ -233,7 +233,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: default/tcp-gateway/bar port: 8089 routes: @@ -292,7 +292,7 @@ xdsIR: tcp: connectTimeout: 15s udp: - - address: '::' + - address: 0.0.0.0 name: default/tcp-gateway/foo port: 8162 route: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml index 89f07548c29..5b1707b6f1a 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcp-udp-listeners-apply-on-route.out.yaml @@ -306,7 +306,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: default/tcp-gateway/bar port: 8089 routes: @@ -365,7 +365,7 @@ xdsIR: tcp: connectTimeout: 15s udp: - - address: '::' + - address: 0.0.0.0 name: default/tcp-gateway/foo port: 8162 route: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml index bf91d10226e..0213525db48 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-tcpkeepalive.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -290,7 +290,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml index ab1c94ff3c9..dc80d9e73a8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-error.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml index 8a25a4a2fc8..ea546413a59 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml @@ -237,7 +237,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -277,7 +277,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml index 0244bcea667..0fad514c5e8 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml @@ -257,7 +257,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -301,7 +301,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml index 2f2cc555d95..a11ad751e08 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-format-error.out.yaml 
@@ -159,7 +159,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -173,7 +173,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml index 20191e8b4ba..9993a11f26d 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit-with-out-of-range-error.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -174,7 +174,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml index bbccfc1a09e..d897fac8887 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-buffer-limit.out.yaml @@ -159,7 +159,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 connection: bufferLimit: 50000000 hostnames: @@ -175,7 +175,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml index 46d7c08e297..898d87d0be0 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.out.yaml @@ -262,7 +262,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 clientIPDetection: xForwardedFor: numTrustedHops: 2 @@ -279,7 +279,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8081 - - address: '::' + - address: 0.0.0.0 clientIPDetection: customHeader: failClosed: false @@ -297,7 +297,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8082 - - address: '::' + - address: 0.0.0.0 clientIPDetection: customHeader: failClosed: true @@ -315,7 +315,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8083 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml index d5d78569444..705e23a8d0e 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit-error.out.yaml @@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -175,7 +175,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml index 6f99ddff5b9..e4f163f5963 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-connection-limit.out.yaml 
@@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 connection: limit: closeDelay: 10s @@ -179,7 +179,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 connection: {} hostnames: - '*' diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml index 94a5074c65b..bb695decae7 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-for-tcp-listeners.out.yaml @@ -184,7 +184,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 connection: bufferLimit: 50000000 limit: @@ -246,7 +246,7 @@ xdsIR: signatureAlgorithms: - sig1 - sig2 - - address: '::' + - address: 0.0.0.0 connection: bufferLimit: 50000000 limit: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml index 5a27962f198..9eee58d7df7 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers-error.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: enableEnvoyHeaders: true preserveXRequestID: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml index 8cc87a5b639..4e66bd91c64 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml @@ -141,7 +141,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: earlyAddRequestHeaders: - append: true 
@@ -170,7 +170,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 headers: earlyAddRequestHeaders: - append: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml index 02f8f67aab8..f41c8fd3a2c 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http-health-check.out.yaml @@ -89,7 +89,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 healthCheck: path: /ready hostnames: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index 3343e3028ba..8561d93004a 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -454,7 +454,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: @@ -470,7 +470,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - www.example.com http1: @@ -487,7 +487,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: {} @@ -502,7 +502,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8081 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: @@ -537,7 +537,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: {} diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml index 10aec8cce97..3de4101c8c6 100644 
--- a/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http2.out.yaml @@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http2: @@ -181,7 +181,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - www.example.com http2: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml index 3166e9aa700..c946f22c841 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http3.out.yaml @@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http3: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml index 8052587d753..94775b0aeab 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout-with-error.out.yaml @@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml index af9a6f0c389..e728cd78c63 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-idle-timeout.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -145,7 +145,7 @@ xdsIR: timeout: http: idleTimeout: 10s - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml index 0846607806c..22692261be3 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-client-verification.out.yaml @@ -232,7 +232,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -258,7 +258,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -277,7 +277,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml index f02d213a9c4..285a35daf25 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert-custom-data.out.yaml @@ -544,7 +544,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -574,7 +574,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -597,7 +597,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: 
@@ -632,7 +632,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -669,7 +669,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -708,7 +708,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml index 386651702d9..85042934396 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls-forward-client-cert.out.yaml @@ -531,7 +531,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -561,7 +561,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -584,7 +584,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -619,7 +619,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -654,7 +654,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: @@ -689,7 +689,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: withUnderscoresAction: RejectRequest xForwardedClientCert: 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml index 5398303d3cb..08dcf5bef70 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-mtls.out.yaml @@ -231,7 +231,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -257,7 +257,7 @@ xdsIR: maxVersion: "1.3" minVersion: "1.2" requireClientCertificate: true - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -276,7 +276,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml index 38eeb8b5a52..2cf85c63b8b 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-path-settings.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -140,7 +140,7 @@ xdsIR: escapedSlashesAction: KeepUnchanged mergeSlashes: false port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml index 80d4350f638..5f48ea0ed67 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case-multiple-targets.out.yaml @@ -198,7 +198,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: 
@@ -220,7 +220,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -234,7 +234,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml index 160cc58044c..4f6bfdbdf97 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-preserve-case.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: @@ -143,7 +143,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml index bfac33d66db..0d88cb4d8fd 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-proxyprotocol.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 enableProxyProtocol: true hostnames: - '*' @@ -141,7 +141,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml index d3daeca2460..51e89d7272b 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-ratelimitheaders.out.yaml 
@@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 headers: disableRateLimitHeaders: true enableEnvoyHeaders: true @@ -144,7 +144,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 headers: disableRateLimitHeaders: true enableEnvoyHeaders: true diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml index 726b258d2b0..f4fcac96827 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-status-conditions.out.yaml @@ -502,7 +502,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -536,7 +536,7 @@ xdsIR: mergeSlashes: true port: 10080 tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-2/tcp port: 10053 envoy-gateway/gateway-3: @@ -544,7 +544,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -563,7 +563,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml index b09699c1419..8b0e90b3848 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tcp-keepalive.out.yaml @@ -161,7 +161,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -179,7 +179,7 @@ xdsIR: idleTime: 1200 interval: 60 probes: 3 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml index 4554e319052..7d12e8b98ac 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout-with-error.out.yaml @@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml index 97416a04bab..664f5fe1fc7 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-timeout.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -145,7 +145,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml index 917547923a5..e673ed66b7a 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-tls-settings.out.yaml @@ -322,7 +322,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -355,7 +355,7 @@ xdsIR: - sig2 statefulSessionResumption: true statelessSessionResumption: true - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -374,7 +374,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -401,7 +401,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml index 354cec1af2d..114af441730 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-trailers.out.yaml @@ -125,7 +125,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: @@ -141,7 +141,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' http1: diff --git a/internal/gatewayapi/testdata/conflicting-policies.out.yaml b/internal/gatewayapi/testdata/conflicting-policies.out.yaml index 6933902b8f9..8acabbca876 100644 --- a/internal/gatewayapi/testdata/conflicting-policies.out.yaml +++ b/internal/gatewayapi/testdata/conflicting-policies.out.yaml @@ -265,7 +265,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.192.168.0.15.nip.io' isHTTP2: false @@ -300,7 +300,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - qccbahgo.qccbahgo isHTTP2: false diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index c840462f271..a8c4413a399 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -225,7 +225,7 @@ xdsIR: - after: envoy.filters.http.basic_authn name: envoy.filters.http.cors http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/disable-accesslog.out.yaml b/internal/gatewayapi/testdata/disable-accesslog.out.yaml index 2f152a026ac..b0dc0dd4bb1 100644 --- a/internal/gatewayapi/testdata/disable-accesslog.out.yaml +++ b/internal/gatewayapi/testdata/disable-accesslog.out.yaml @@ -119,7 +119,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml index 85f79b1e55c..df3a01d780f 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-invalid-cross-ns-ref.out.yaml @@ -79,7 +79,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml index c0b88b42192..2c6b006af93 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-override-replace.out.yaml @@ -268,7 +268,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index 0db35ca4bb0..f4cc57f95ba 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -521,7 +521,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -540,7 +540,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -578,7 +578,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -612,6 +612,6 @@ xdsIR: namespace: envoy-gateway name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml index 2d0a54ff2da..beac28da518 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-matching-port.out.yaml @@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml index 53232e5735c..efd62e1e0ea 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-port.out.yaml @@ -130,7 +130,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml index 7a84bb226c8..ba93c2decdc 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-reference-grant.out.yaml @@ -132,7 +132,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml index ba22f681a33..066917dd152 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-invalid-no-service.out.yaml @@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 81863d1acdf..a1d7beec90b 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index 4789f8555e3..a81a7cd4410 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 93c24363c31..21fb5de6103 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -309,7 +309,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml index f0dfd27144d..4a19852eea0 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-env-vars.out.yaml @@ -239,7 +239,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 12fad598a5c..8c65fb9cf65 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml @@ -207,7 +207,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml index 71173c47bd0..368c32a4055 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm.out.yaml 
@@ -241,7 +241,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml index 11011a07694..e40792057eb 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-cross-ns-target.out.yaml @@ -61,7 +61,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml index f2a88d508ed..4eff002f05f 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-feature-disabled.out.yaml @@ -87,7 +87,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml index 694ba5cf0ae..e36a5d543ac 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind-merge-gateways.out.yaml @@ -89,7 +89,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml index 5e28ec9e9d4..14addeb27dc 100644 
--- a/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-invalid-target-kind.out.yaml @@ -80,7 +80,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml index a73b592ca7f..315fc208bad 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid-merge-gateways.out.yaml @@ -116,7 +116,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml index cb05e3a5858..6ac0112c140 100644 --- a/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoypatchpolicy-valid.out.yaml @@ -108,7 +108,7 @@ xdsIR: type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml index eae92fd6677..8695f47ecfa 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-als-json.out.yaml @@ -182,7 +182,7 @@ xdsIR: name: envoy-gateway-system/test type: TCP http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml index fe87871df9b..6c3db20cff0 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend-invalid.out.yaml @@ -142,7 +142,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml index a676d131d70..94763fd2522 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-backend.out.yaml @@ -153,7 +153,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml index 4c9774307ba..ce6e60861fc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel-with-invalid.out.yaml @@ -142,7 +142,7 @@ infraIR: xdsIR: envoy-gateway/gateway-1: http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml index 6c41786f198..4161575dd8a 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-cel.out.yaml @@ -177,7 +177,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml index dfa7cb9e73a..f1fc863b98e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json-no-format.out.yaml @@ -126,7 +126,7 @@ xdsIR: envoy-gateway/gateway-1: accessLog: {} http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml index 22351893208..cb2e10fc988 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-file-json.out.yaml @@ -134,7 +134,7 @@ xdsIR: protocol: '%PROTOCOL%' path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml index 481d5d35e0b..9c2c0d1cf82 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml @@ -426,7 +426,7 @@ xdsIR: this is a Global log path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml index 4d25ea17358..db14cc4b8e3 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml @@ -128,7 +128,7 @@ xdsIR: envoy-gateway/gateway-1: accessLog: {} http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml index 72234e5db1e..28ef831b03a 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-with-traffic.out.yaml @@ -310,7 +310,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml index f9db0b48736..43505266ec0 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-without-format.out.yaml @@ -194,7 +194,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml index 8c2bec37bde..9694dd07ad7 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyproxy-accesslog.out.yaml @@ -206,7 +206,7 @@ xdsIR: [%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml index 0e4a18b66dc..1b31bae27e7 100644 --- a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing-for-gateway.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml index 537a739770c..9f058d69051 100644 --- a/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-endpoint-routing.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml index dcfabe29f4c..0368e1a1a22 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend-invalid.out.yaml @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml index 91706f9afd4..4bff8f998d5 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-backend.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml index 293488ec064..7605114bf22 100644 --- a/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-metric-enabled-backend.out.yaml @@ -131,7 +131,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index f5c685bab24..426268f6340 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -283,7 +283,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml index 88618649c7e..76859d37624 100644 --- a/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing-for-gateway.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml b/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml index 1602dc38c8b..a679b4aef60 100644 --- a/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-service-routing.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index 578ad17e948..7e86495fc41 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -228,7 +228,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -282,7 +282,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-tls/ port: 10445 routes: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index fc0b655ad12..868620d8d74 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -227,7 +227,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -281,7 +281,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-tls/ port: 10445 routes: 
diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml index 1157e1f7c7e..e65df0254f4 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings.out.yaml @@ -226,7 +226,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -284,7 +284,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-tls/ port: 10445 routes: diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml index 1a43989014b..3506b9a0aba 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend-invalid.out.yaml @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml index cb5292b6d20..b3a44d78fdc 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tracing-backend.out.yaml @@ -155,7 +155,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml index 6df12542bcc..5bd374167ee 100644 --- a/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-valid.out.yaml 
@@ -119,7 +119,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml index 731eebc1c72..0095b815fd7 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-tcp-listener.out.yaml @@ -146,7 +146,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -204,7 +204,7 @@ xdsIR: controllerName: gateway.envoyproxy.io/gatewayclass-controller name: envoy-gateway/gateway-1/tcp1 port: 10080 - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml index 71e6d1cdfe6..1ff835552d9 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-udp-listener.out.yaml @@ -146,7 +146,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -204,7 +204,7 @@ xdsIR: controllerName: gateway.envoyproxy.io/gatewayclass-controller name: envoy-gateway/gateway-1/udp1 port: 10162 - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml index 066cd664242..8140d239ab5 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml 
+++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-invalid-target.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -111,7 +111,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10081 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml index 0ba6cb4868c..5a0b8ef2f97 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target-array.out.yaml @@ -157,7 +157,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -218,7 +218,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml index daa4b7e0095..29b482ae554 100644 --- a/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml +++ b/internal/gatewayapi/testdata/extensions/extensionpolicy-with-valid-target.out.yaml @@ -150,7 +150,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 @@ -191,7 +191,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10081 - - address: '::' + - address: 0.0.0.0 extensionRefs: - object: apiVersion: foo.example.io/v1alpha1 
diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml index 069d311948f..79aeb1f3eeb 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-extension-filter-invalid-group.out.yaml @@ -109,7 +109,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml index f2fcc7a5859..d70cea292b5 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-non-matching-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml index 13e693b41de..1af974c72bb 100644 --- a/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-unsupported-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml index 73664fdf291..1cb405e4dd8 100644 
--- a/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml +++ b/internal/gatewayapi/testdata/extensions/httproute-with-valid-extension-filter.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml index 56b396fa4b6..2dd68040951 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-allowed-httproute.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml index 6dda7c9d89c..35383fcb502 100644 --- a/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-allows-same-namespace-with-disallowed-httproute.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml index e384db96691..cb47542a1c7 100644 --- a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml @@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -204,7 +204,7 @@ xdsIR: distinct: false name: "" prefix: /empty-hostname - - address: '::' + - address: 0.0.0.0 hostnames: - '*.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml index fc416f75db4..0b38b962b89 100644 --- a/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml +++ b/internal/gatewayapi/testdata/gateway-infrastructure.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml index 2eb3f6ba8ea..798641857cd 100644 --- a/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-addresses-with-ipaddress.out.yaml @@ -66,6 +66,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml index a4c79fa1d29..8794f263e57 100644 --- a/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-infrastructure-parametersref.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml index c458d7e982f..deed8d261b5 100644 
--- a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-does-not-exist.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml index e9402d144eb..0ec88f622c9 100644 --- a/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-invalid-infrastructure-parametersref-fallback.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml index d6fcc45aa78..866ca1e861a 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml @@ -91,7 +91,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml index 042f236965e..cbc01a3d11d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-backends.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml index 15fcf27bc68..7e583a73bda 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-multiple-rules.out.yaml @@ -96,6 +96,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml index cfbff1ff11a..6e35700c58e 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-secret-in-other-namespace-allowed-by-refgrant.out.yaml @@ -103,7 +103,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml index 3f680237131..9e2db8004e5 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tls-terminate-and-passthrough.out.yaml 
@@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.bar.com isHTTP2: false @@ -214,7 +214,7 @@ xdsIR: privateKey: '[redacted]' serverCertificate: 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 tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls-passthrough port: 10090 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml index 88a7435683f..03cf19502d7 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml @@ -91,7 +91,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10162 route: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml index bf252dfb7e0..70a5a2a8599 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-backends.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10080 route: diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml index c87bc540bd1..850f9e64cba 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-multiple-rules.out.yaml @@ -96,6 +96,6 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml index a44c4ff584c..79295aded7b 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-tcproute.out.yaml @@ -59,6 +59,6 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml index 00233142fc1..a30d7cf5a5b 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-unmatched-udproute.out.yaml @@ -59,6 +59,6 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10080 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml index 4198cb7db1d..a9939722a0d 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration-with-same-algorithm-different-fqdn.out.yaml 
@@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml index da63240840e..6fdbe779e25 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-multiple-tls-configuration.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml index a984dbc8a91..680ff1bf524 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-valid-tls-configuration.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml index 2575bc79de1..6598bfde8d4 100644 --- a/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-preexisting-status-condition.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml index 7513e60bfb8..f7fd4e2752c 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-tcproutes.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml index c94a3f623a4..4f4555a87e8 100644 --- a/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-single-listener-with-multiple-udproutes.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10162 route: diff --git a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml index 30f33008266..bafbb34668b 100644 --- a/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-stale-status-condition.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml index 3bec02c1f8f..e3bc11e2cc5 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-tcp-or-tls-port.out.yaml @@ -115,7 +115,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp1 port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml index 0a76a7d86a6..5f904c3de3e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-on-same-udp-port.out.yaml @@ -118,7 +118,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp1 port: 10162 route: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml index 248169c209b..d6b31a59f6a 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-multiple-httproutes.out.yaml @@ -168,7 +168,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false @@ -223,7 +223,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml index 0238ba3007e..67867078333 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-tcp-protocol.out.yaml 
@@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -199,7 +199,7 @@ xdsIR: name: "" prefix: / tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10080 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml index 6d8bd1f0905..b7bdac0b389 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-same-port-http-udp-protocol.out.yaml @@ -163,7 +163,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -199,7 +199,7 @@ xdsIR: name: "" prefix: / udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10080 route: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml index 07e3e01a70c..d2d74cd296e 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-with-sectionname.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp1 port: 10162 routes: @@ -174,7 +174,7 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp2 port: 10163 routes: 
diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml index b5a71ddbe5e..20519f07857 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-tcproutes-without-sectionname.out.yaml @@ -156,7 +156,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp1 port: 10161 routes: @@ -170,7 +170,7 @@ xdsIR: protocol: TCP weight: 1 name: tcproute/default/tcproute-1 - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp2 port: 10162 routes: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml index deac14645ab..00a61415035 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-with-sectionname.out.yaml @@ -160,7 +160,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp1 port: 10162 route: @@ -174,7 +174,7 @@ xdsIR: protocol: UDP weight: 1 name: udproute/default/udproute-1 - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp2 port: 10163 route: diff --git a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml index 96ca8ca522c..f6cb6959c4b 100644 --- a/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml 
+++ b/internal/gatewayapi/testdata/gateway-with-two-listeners-with-udproutes-without-sectionname.out.yaml @@ -156,7 +156,7 @@ xdsIR: text: - path: /dev/stdout udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp1 port: 10161 route: @@ -170,7 +170,7 @@ xdsIR: protocol: UDP weight: 1 name: udproute/default/udproute-1 - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp2 port: 10162 route: diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml index 5b9fe7b3a5f..8981d87b085 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml @@ -124,7 +124,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml index 8c2660b6324..2f633cb8a20 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-empty-backends.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml index a41913ed8fb..bc7697e2f18 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-header-match.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true 
diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml index fafd1fdbf56..765481a5838 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-and-service-match.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml index a30cb02b50e..38b49dda801 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-method-match.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml index 43ada6439a9..110d404c44f 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-request-header-modifier.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml index 639603a07e6..b8855487138 100644 --- a/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-service-match.out.yaml @@ -102,7 +102,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true 
diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index 22a6796814c..bda6f990dda 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml @@ -134,7 +134,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml index 004456773c4..04843eba9aa 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml @@ -254,7 +254,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -297,7 +297,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml index cad7873ad13..e532697a7b4 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-different-listeners.out.yaml @@ -356,7 +356,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false @@ -391,7 +391,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar.com isHTTP2: false 
@@ -426,7 +426,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo1.com isHTTP2: false @@ -461,7 +461,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar1.com isHTTP2: false @@ -496,7 +496,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo2.com isHTTP2: false @@ -531,7 +531,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar2.com isHTTP2: false @@ -566,7 +566,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo3.com isHTTP2: false @@ -601,7 +601,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar3.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml index ff94451e5bc..5bc5e17485a 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-more-listeners.out.yaml @@ -307,7 +307,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false @@ -342,7 +342,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar.com isHTTP2: false @@ -377,7 +377,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo1.com isHTTP2: false @@ -412,7 +412,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar1.com isHTTP2: false @@ -447,7 +447,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo2.com isHTTP2: false 
@@ -482,7 +482,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar2.com isHTTP2: false @@ -517,7 +517,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - foo3.com isHTTP2: false @@ -552,7 +552,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar3.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml index 647d620d729..2b7899d4f75 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners-with-different-ports.out.yaml @@ -138,7 +138,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -173,7 +173,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml index 07bb66f43b7..4d3310f2614 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway-with-two-listeners.out.yaml @@ -127,7 +127,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false @@ -162,7 +162,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - bar.com isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml index ee8dccb4256..817bc24013a 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-gateway.out.yaml @@ -96,7 +96,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml index 5ce4b0143c2..4abbc554d9d 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-matching-port.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml index 8897f06d841..5b4bf8d4bb9 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-on-gateway-with-two-listeners.out.yaml @@ -129,7 +129,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false @@ -143,7 +143,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - bar.com isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml index f4a6b3f6334..484fe119154 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-and-core-backendrefs.out.yaml @@ -202,7 +202,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml index f5bf64e50d7..80b6f6627b2 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml @@ -259,7 +259,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index f4b38eead2f..cdbbe788086 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -342,7 +342,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml index e758629820c..3b5ddfa6298 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml index 8f302d19c11..5a413ae4630 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml @@ -290,7 +290,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml index a673d3342dd..7b2b55fe1c0 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-diff-address-type.out.yaml 
@@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml index 8c02b288f1d..5667491636e 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-serviceimport-backendrefs-same-address-type.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml index 73f0582b114..e29f978c85e 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-fqdn-address-type.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml index 6de22de9901..38c70c4a8d2 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml index 7efbce03645..144ccbd3c57 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml index 865bc78af93..3bdc7cc4697 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml index 99d9d4f7725..c49d551e867 100644 --- a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml index 3138c613b78..9cd60408345 100644 --- a/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-not-attaching-to-listener-non-matching-port.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - foo.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml index 242028fb5bc..dc1c9cb950d 100644 --- a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml index ddc5eec76b5..c7fd7b9e40e 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-empty-backends-and-no-filters.out.yaml @@ -93,7 +93,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml index dbd5d70f62f..11634b9f050 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-no-weights.out.yaml 
@@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml index 2f4fc1349a0..e9a785e0d1b 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-multiple-backends-and-weights.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml index 5e89675b3e5..4c5fcd5e8e2 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-app-protocols.out.yaml @@ -175,7 +175,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml index 3e9f0b780d4..d56407b0dd9 100644 --- a/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml +++ b/internal/gatewayapi/testdata/httproute-rule-with-non-service-backends-and-weights.out.yaml @@ -173,7 +173,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml index 3828541e423..122d09efdeb 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-add-multiple-filters.out.yaml @@ -121,7 +121,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index 290787479f9..d708b748380 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml index 58c0c38d89d..9b175f032c4 100644 --- a/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-backendref-serviceimport-in-other-namespace-allowed-by-refgrant.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml index 8be2bc8a4e6..29b6b051366 100644 
--- a/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-direct-response.out.yaml @@ -153,7 +153,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml index 6b21dddcd4e..6853b8172b3 100644 --- a/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-empty-matches.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml index 3ab8edd3fb0..605aa384f3e 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-add-multiple-filters.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml index 0f06a777a42..f122fc17d5b 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-adds.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml index 92a45ab8ea5..e3ea3d5158b 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-remove-multiple-filters.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml index 5b8b7e76f2f..23567e22077 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-duplicate-removes.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml index af3f6e189d5..67c14e133a7 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-header-values.out.yaml @@ -110,7 +110,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml index f49fa9e41e9..7549c52cbb1 100644 
--- a/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-empty-headers.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml index 2b0623b7710..5405ad66246 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-invalid-headers.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml index faaa608b996..a8986f5d429 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-headers.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml index 9a73541ccec..36f621f095c 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-no-valid-headers.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml index f345d70ae45..b111af6e08b 100644 --- a/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-header-filter-remove.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml index 6c390846d3a..2ca033356bb 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml index 26bffbc4231..e7c2869de1c 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml @@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml index 818ac56cde8..a1c5683d27a 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml 
@@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml index fb9ee9fbe2d..ed62f94f257 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml index b26a993bf21..794a5d87c3a 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml index f0af70dfcd6..18019d56e70 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml index 10fbc26ad4f..f9ee3bb21fa 100644 
--- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml index e52f15b3ac1..3500d3be9cc 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml index 07e602727f7..05617ca8192 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-regex.out.yaml @@ -148,7 +148,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -167,7 +167,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml index fedcd5f5181..9049ebe41de 100644 --- a/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-metadata.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml index 7b213e66450..29d9dd320a5 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-duplicates.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml index 7251228643b..c6e534c9c63 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-multiple.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml index ad035eb7c47..50105a1e054 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml index 44ab3461292..c0c193e034a 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml 
@@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml index e1f711349e6..e9f94617b4e 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml b/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml index d0f71d4d6a1..c7801a560d0 100644 --- a/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multi-gateways-notmatch.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -135,7 +135,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml index 84dae610113..f3c1a6b1ed4 100644 --- a/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multi-gateways-with-same-name.out.yaml @@ -149,7 +149,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -189,7 +189,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml index 61b67c75d89..ba2f58b8667 100644 --- a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-different-ns.out.yaml @@ -178,7 +178,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.a.example.com' isHTTP2: false @@ -215,7 +215,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.b.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml index 03f487b3aa4..4e6bef64b9e 100644 --- a/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-multiple-gateways-from-same-ns.out.yaml @@ -176,7 +176,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.a.example.com' isHTTP2: false @@ -213,7 +213,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.b.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index 878e6bd1574..810a78ccb87 100644 --- a/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-non-matching-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml 
@@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml index 9cdddc09c08..d40408b2b02 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-full-path-replace-https.out.yaml @@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml index 9d122032e5e..d7496698338 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-hostname.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml index 06dc740e0f6..63b32e64bb8 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-filter-type.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml index 440d12ac4a3..43ca155587d 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-scheme.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml index 104daac410d..588877b155e 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-invalid-status.out.yaml @@ -103,7 +103,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml index 265050323ef..9676b5d7688 100644 --- a/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-redirect-filter-prefix-replace-with-port-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml index 636bcf1289e..6dcb4b28779 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-adds.out.yaml @@ -122,7 +122,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml index f89d8bdc91a..47d61c9fcfa 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-add-multiple-filters.out.yaml @@ -116,7 +116,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml index 5e03bbf8f52..1d2f4f7124c 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-adds.out.yaml @@ -126,7 +126,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml index a5915c1f9d1..b0dbd71c18d 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-remove-multiple-filters.out.yaml 
@@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml index 7b6b7508258..893ce8cc969 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-duplicate-removes.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml index 0a032d52b85..723cabbe6f7 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-header-values.out.yaml @@ -110,7 +110,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml index 17b26b97dc9..6c8c063716d 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-empty-headers.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml index b3c0c252310..f46e5ae3977 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-invalid-headers.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml index f50cbfec103..e8d2f720d19 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-headers.out.yaml @@ -104,7 +104,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml index 6a8bec12323..cd89f06e995 100644 --- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-no-valid-headers.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml index aff1b276aa8..e0f78c08c9d 100644 
--- a/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-response-header-filter-remove.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml index 0e7d3803555..a73f169aad1 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-exact-path-match.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml index c1005576fe9..d4bf9af1612 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-http-method-match.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml index ab30a3cb5db..48706fbfb0c 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-multiple-rules.out.yaml @@ -123,7 +123,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml index 75b4de50088..0be3cbea1d2 100644 --- a/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-single-rule-with-path-prefix-and-exact-header-matches.out.yaml @@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index 97753e5fcee..ff9f5d272a8 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -101,7 +101,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml index 291ce9105ae..34ec33802bf 100644 --- a/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-specific-hostname-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -99,7 +99,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml index 4e4afb6be35..2213aa315cb 100644 --- a/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-two-specific-hostnames-attaching-to-gateway-with-wildcard-hostname.out.yaml @@ -100,7 +100,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml index 5b9bb7fd74d..3d8c69a6178 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-full-path-replace-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml index 4aed1840d42..8e3079c9bbe 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname-prefix-replace.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml index 7dc2cb30469..c0d8cce8b8a 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-hostname.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml index 0c8665dc24d..7cbff74f25b 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-filter-type.out.yaml @@ -105,7 +105,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml index f30c9859523..e1905ea7933 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-hostname.out.yaml @@ -111,7 +111,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml index 46d54b18956..3dcffc8edbb 100644 
--- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-multiple-filters.out.yaml @@ -113,7 +113,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml index fcb1f1ea710..c51f0b56107 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path-type.out.yaml @@ -109,7 +109,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml index 20023c84cf8..25991b658fa 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-invalid-path.out.yaml @@ -108,7 +108,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml index 9e55e63c72a..86b8fce36bd 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-missing-path.out.yaml 
@@ -106,7 +106,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml index d6c093778ea..dd20383d2ea 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-prefix-replace-http.out.yaml @@ -107,7 +107,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml index bb60b64605c..c42f3934568 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-http.out.yaml @@ -245,7 +245,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml index 24f1e8043f8..17ffc680f52 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-filter-regex-match-replace-invalid.out.yaml @@ -342,7 +342,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml index 93a4d218056..ab24ec0e81d 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter-invalid.out.yaml @@ -348,7 +348,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml index 2979fabc641..916f7d0cefe 100644 --- a/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-urlrewrite-hostname-filter.out.yaml @@ -249,7 +249,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml index 636d864e709..821a30d4cb3 100644 --- a/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-wildcard-hostname-attaching-to-gateway-with-unset-hostname.out.yaml @@ -98,7 +98,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml index ec627ecda95..a21561696f2 100644 
--- a/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml +++ b/internal/gatewayapi/testdata/httproutes-with-multiple-matches.out.yaml @@ -283,7 +283,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml index 33ab0632ce2..d8d24642dd3 100644 --- a/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-invalid-multiple-gateways.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -151,6 +151,6 @@ xdsIR: mergeSlashes: true port: 10080 udp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-2/udp port: 10080 diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml index 27f75da25ec..0e015155214 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-listeners-same-ports.out.yaml @@ -172,7 +172,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -186,7 +186,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - company.com isHTTP2: false @@ -200,7 +200,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -214,7 +214,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml index dba5580e6a7..4c48dd68694 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways-multiple-routes.out.yaml @@ -223,7 +223,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -258,7 +258,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -272,7 +272,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml index b5fb3b7915b..7afe665224b 100644 --- a/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml +++ b/internal/gatewayapi/testdata/merge-valid-multiple-gateways.out.yaml @@ -145,7 +145,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -159,7 +159,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -173,7 +173,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - example.com isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml index 1c828fc13bf..b0e8b627fe8 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies-2.out.yaml @@ -501,7 +501,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - bar.example.com isHTTP2: false @@ -560,7 +560,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: '::' + - address: 0.0.0.0 hostnames: - foo.example.com isHTTP2: false @@ -619,7 +619,7 @@ xdsIR: timeout: http: requestReceivedTimeout: 5s - - address: '::' + - address: 0.0.0.0 hostnames: - bar.example.com isHTTP2: false @@ -670,7 +670,7 @@ xdsIR: - x-header-7 - x-header-8 maxAge: 33m20s - - address: '::' + - address: 0.0.0.0 hostnames: - foo.example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml index 92ca64456d4..8e62bb597d5 100644 --- a/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml +++ b/internal/gatewayapi/testdata/merge-with-isolated-policies.out.yaml @@ -293,7 +293,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -349,7 +349,7 @@ xdsIR: idleTime: 1200 interval: 60 probes: 3 - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml index d1f9b18c250..5ce63e62453 100644 --- a/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-invalid-cross-ns-ref.out.yaml 
@@ -90,7 +90,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml index 7b56ed6a0f9..c6f72065531 100644 --- a/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-override-replace.out.yaml @@ -300,7 +300,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index e4898317537..607330a824c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -406,7 +406,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -444,7 +444,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -478,6 +478,6 @@ xdsIR: name: grpcroute/envoy-gateway/grpcroute-1/rule/0/match/0/* security: {} tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-2/tcp port: 10053 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml index 01a3b8426dc..82281af294a 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-client-cidr.out.yaml @@ -285,7 +285,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml index 95885020f69..ed422e70031 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-authoriztion-jwt-claim.out.yaml @@ -154,7 +154,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml index 3c0d7e09c02..02fd1a6ddd1 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-basic-auth.out.yaml @@ -212,7 +212,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml index 2842832ec14..789da05196b 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml @@ -339,7 +339,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -394,7 +394,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -431,7 +431,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml index ad7f13fd7bb..3f58304e886 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-with-cors.out.yaml @@ -402,7 +402,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -460,7 +460,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -519,7 +519,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index a2128bd6085..ccdb2458370 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -349,7 +349,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml index ded079e5c9c..d72cd182896 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backendref.out.yaml @@ -222,7 +222,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml index d27a3cb2db2..c5bf4237f52 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml 
@@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml index 2bab8201c1d..3f5e60f11e8 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml index c85015431dc..1f8fd280ad6 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml @@ -137,7 +137,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml index fecdfd343c3..294267b90e0 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml @@ -136,7 +136,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml index 8485328ac78..350fc8e908b 100644 
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-recomputation.out.yaml @@ -205,7 +205,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index 4eca64d1a07..b87c7992c90 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml index ded079e5c9c..d72cd182896 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml @@ -222,7 +222,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml index 37aa96f24a1..d5731870d17 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml @@ -234,7 +234,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml index fcbe359dce5..711d30f0d14 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml @@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -338,7 +338,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml index 180b40be7f3..c892bef7e4f 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-with-custom-extractor.out.yaml @@ -280,7 +280,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -337,7 +337,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml index 54a652f4e27..704961a0476 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml @@ -272,7 +272,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: true @@ -329,7 +329,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index 092a2169ed7..d878bcdb505 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -179,7 +179,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml index 4f58b2a71f4..a42e482a758 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml @@ -140,7 +140,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml index 4c64216743a..caf951bcc40 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml @@ -97,7 +97,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml index d5025efe61f..319d6bcfe58 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml 
@@ -281,7 +281,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -300,7 +300,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -319,7 +319,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml index edba4b82b0d..1d9093a8d38 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml @@ -235,7 +235,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml index acb5295b43b..d3a6e8bdc19 100644 --- a/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-attaching-to-gateway-with-listener-tls-terminate.out.yaml @@ -166,7 +166,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10090 routes: @@ -193,7 +193,7 @@ xdsIR: - name: envoy-gateway/tls-secret-1 privateKey: '[redacted]' serverCertificate: 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 - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls-hostname port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml index 5bf2c388a30..29a124844e5 100644 --- a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml 
+++ b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml @@ -112,7 +112,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml index 12021806303..a3dc7519ecd 100644 --- a/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-attaching-to-gateway.out.yaml @@ -94,7 +94,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml index 802c84636ad..5a065e6d6bb 100644 --- a/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-multiple.out.yaml @@ -128,7 +128,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml index 48e11662a57..97bce6d0acf 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-backend.out.yaml @@ -114,7 +114,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml index 072357e7937..1f8515c6532 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml 
+++ b/internal/gatewayapi/testdata/tlsroute-with-backendref-in-other-namespace-allowed-by-refgrant.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10090 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml index dbb35bfecef..09664c0e41c 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-hostname.out.yaml @@ -93,7 +93,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml index f696db74016..d40d0927396 100644 --- a/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml +++ b/internal/gatewayapi/testdata/tlsroute-with-empty-listener-hostname.out.yaml @@ -95,7 +95,7 @@ xdsIR: text: - path: /dev/stdout tcp: - - address: '::' + - address: 0.0.0.0 name: envoy-gateway/gateway-1/tls port: 10091 routes: diff --git a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml index 4ed723d6985..9c0610b4051 100644 --- a/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-merged-multiple-routes.out.yaml @@ -230,7 +230,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -265,7 +265,7 @@ xdsIR: distinct: false name: "" prefix: / - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false 
@@ -279,7 +279,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml index d51b333e647..4bd1415e464 100644 --- a/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml +++ b/internal/gatewayapi/testdata/tracing-multiple-routes.out.yaml @@ -255,7 +255,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*.envoyproxy.io' isHTTP2: false @@ -311,7 +311,7 @@ xdsIR: text: - path: /dev/stdout http: - - address: '::' + - address: 0.0.0.0 hostnames: - '*' isHTTP2: false @@ -325,7 +325,7 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 8888 - - address: '::' + - address: 0.0.0.0 hostnames: - example.com isHTTP2: false diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index ca3e45d1523..ad286bfc930 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go @@ -54,6 +54,16 @@ func newTestIPv6Infra() *ir.Infra { return i } +func newTestDualStackInfra() *ir.Infra { + i := newTestInfra() + i.Proxy.Config = &egv1a1.EnvoyProxy{ + Spec: egv1a1.EnvoyProxySpec{ + IPFamily: ptr.To(egv1a1.DualStack), + }, + } + return i +} + func newTestInfraWithAnnotations(annotations map[string]string) *ir.Infra { return newTestInfraWithAnnotationsAndLabels(annotations, nil) } @@ -215,6 +225,11 @@ func TestDeployment(t *testing.T) { infra: newTestIPv6Infra(), deploy: nil, }, + { + caseName: "dual-stack", + infra: newTestDualStackInfra(), + deploy: nil, + }, { caseName: "extension-env", infra: newTestInfra(), 
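Review bot: The "dual-stack" case is added only to the `TestDeployment` table here, so as far as these hunks show, the DualStack bootstrap is golden-tested for the Deployment path but not for the DaemonSet one. The same patch rewrites the ready listener in the `testdata/daemonsets/*.yaml` files from `'::'` with `ipv4_compat: true` to `0.0.0.0`. If the DaemonSet test table is not extended elsewhere in the patch, a matching case there would catch a dual-stack pod whose readiness listener no longer accepts both address families. `newTestDualStackInfra` also has no comment and replaces `i.Proxy.Config` wholesale; a line such as `// newTestDualStackInfra returns the default test infra with EnvoyProxy.Spec.IPFamily set to DualStack.` would make that explicit. The bodies of `newTestIPv6Infra` and `TestDeployment` start outside these hunks.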
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index a66007f9e40..87727e4be1c 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -72,13 +72,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 4615d7f718b..7827b9eccc7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 5da9f50d6dd..95f186cb8a4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml 
@@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index e4d59420525..54e8c6d53f4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -67,13 +67,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index ec82abe3818..b75e8ec22ad 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 17cad5ec022..1d033190e83 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -80,13 +80,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 4d4c0d8dd48..0e9f6e598c7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index b53a798d1f8..99647fce436 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml 
@@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 67492f7c449..53ec48429c1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 30f7180689f..b9beaa023ff 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -76,13 +76,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 7f8c8768ac0..a9616129ff9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index baad28a12ef..b3d3c8301e6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 50c3d0e48b2..ac554d2f387 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml 
@@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 8c1dfe25191..c51e2a86ec3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index 82765fb7148..cf8ef7144a5 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 324cd2956c9..a312bb39a61 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -77,13 +77,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 0f5e18d3783..e4518aa9be7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -77,13 +77,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index d827b17e6e9..5d34ac37081 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml 
@@ -76,13 +76,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index fe8d8f8ecfe..d257b62dd62 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 00d0827a364..c8a9d5b4240 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -71,13 +71,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml new file mode 100644 index 00000000000..fe8d8f8ecfe --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml 
@@ -0,0 +1,375 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + name: envoy-default-37a8eec1 + namespace: envoy-gateway-system +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + spec: + automountServiceAccountToken: false + containers: + - args: + - --service-cluster default + - --service-node $(ENVOY_POD_NAME) + - | + --config-yaml admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + layered_runtime: + layers: + - name: global_config + static_layer: + envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 + dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 
+ cds_config: + ads: {} + resource_api_version: V3 + static_resources: + listeners: + - name: envoy-gateway-proxy-ready-::-19001 + address: + socket_address: + address: '::' + port_value: 19001 + protocol: TCP + ipv4_compat: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-ready-http + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + prefix: /stats/prometheus + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.health_check + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck + pass_through_mode: false + headers: + - name: ":path" + string_match: + exact: /ready + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + port_value: 18000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + 
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + - name: wasm_cluster + type: STRICT_DNS + connect_timeout: 10s + load_assignment: + cluster_name: wasm_cluster + endpoints: + - load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway + port_value: 18002 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + tls_certificate_sds_secret_configs: + - name: xds_certificate + sds_config: + path_config_source: + path: /sds/xds-certificate.json + resource_api_version: V3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + - --log-level warn + - --cpuset-threads + - --drain-strategy immediate + - --drain-time-s 60 + command: + - envoy 
+ env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/envoy:distroless-dev + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown/ready + port: 19002 + scheme: HTTP + name: envoy + ports: + - containerPort: 19001 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ready + port: 19001 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /ready + port: 19001 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /sds + name: sds + - args: + - envoy + - shutdown-manager + command: + - envoy-gateway + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - envoy-gateway + - envoy + - shutdown + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: shutdown-manager + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + 
resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: envoy-default-37a8eec1 + terminationGracePeriodSeconds: 360 + volumes: + - name: certs + secret: + defaultMode: 420 + secretName: envoy + - configMap: + defaultMode: 420 + items: + - key: xds-trusted-ca.json + path: xds-trusted-ca.json + - key: xds-certificate.json + path: xds-certificate.json + name: envoy-default-37a8eec1 + optional: false + name: sds +status: {} diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index e79d29d1f91..232fa80b00f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -76,13 +76,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml index da324336017..cde8a785717 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml @@ -81,7 +81,6 @@ spec: address: '::' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index f168dc2f7aa..3777fa8a88e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -84,13 +84,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 323ab8236ed..e751dfc8cb1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index bfa255fb513..53473970538 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 8a1c223ef7b..282e038d84b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -76,13 +76,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 3d464d43840..02c028e82e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml 
@@ -80,13 +80,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 3c051ab5c5c..b3275c38bcc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index db80416291c..3a8ed4422e2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index b52eb1d3196..3759d793c85 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index c1c3fb550aa..78bea6e40b0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 69ee693dd17..5afc2475eda 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 6445a17b8e2..4dffb567e81 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -75,13 +75,12 @@ spec: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/ir/xds.go b/internal/ir/xds.go index b0b9a1594b1..c9fb1dd56b8 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -251,7 +251,7 @@ type CoreListenerDetails struct { // Metadata is used to enrich envoy resource metadata with user and provider-specific information Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` // IPFamily specifies the IP address family for the gateway. - // It can be IPv4, IPv6, or Dual. + // It can be IPv4, IPv6, or DualStack. IPFamily *IPFamily `json:"ipFamily,omitempty" yaml:"ipFamily,omitempty"` } 
@@ -261,7 +261,7 @@ type IPFamily string const ( IPv4 IPFamily = "IPv4" IPv6 IPFamily = "IPv6" - Dualstack IPFamily = "DualStack" + DualStack IPFamily = "DualStack" ) func (l CoreListenerDetails) GetName() string { diff --git a/internal/utils/net/ip.go b/internal/utils/net/ip.go index 4c496936801..042a655417e 100644 --- a/internal/utils/net/ip.go +++ b/internal/utils/net/ip.go @@ -6,5 +6,6 @@ package net const ( + IPv4ListenerAddress = "0.0.0.0" IPv6ListenerAddress = "::" ) diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go index 45847d4a6bf..0b043bd163b 100644 --- a/internal/xds/bootstrap/bootstrap.go +++ b/internal/xds/bootstrap/bootstrap.go @@ -42,9 +42,11 @@ const ( // DefaultWasmServerPort is the default listening port of the wasm HTTP server. wasmServerPort = 18002 - envoyReadinessAddress = "::" - EnvoyReadinessPort = 19001 - EnvoyReadinessPath = "/ready" + envoyReadinessAddressv4 = "0.0.0.0" + envoyReadinessAddressv6 = "::" + + EnvoyReadinessPort = 19001 + EnvoyReadinessPath = "/ready" defaultSdsTrustedCAPath = "/sds/xds-trusted-ca.json" defaultSdsCertificatePath = "/sds/xds-certificate.json" @@ -95,6 +97,9 @@ type bootstrapParameters struct { StatsMatcher *StatsMatcherParameters // OverloadManager defines the configuration of the Envoy overload manager. OverloadManager overloadManagerParameters + + // IPFamily of the Listener + IPFamily string } type serverParameters struct { @@ -258,7 +263,7 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err AccessLogPath: envoyAdminAccessLogPath, }, ReadyServer: readyServerParameters{ - Address: envoyReadinessAddress, + Address: envoyReadinessAddressv4, Port: EnvoyReadinessPort, ReadinessPath: EnvoyReadinessPath, }, 
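Review bot: The new constants `envoyReadinessAddressv4 = "0.0.0.0"` and `envoyReadinessAddressv6 = "::"` in the bootstrap.go const block are wildcard binds with no comment explaining why. The ready listener they configure is more than a health endpoint: the rendered fixtures in this patch show it routing `/stats/prometheus` to the admin port on 127.0.0.1:19000. I would add `// envoyReadinessAddressv4 binds the ready listener on every IPv4 interface so kubelet probes reach it; the listener also serves /stats/prometheus, so restrict port 19001 by network policy.` and a matching line for the v6 constant. The same patch adds `IPv4ListenerAddress = "0.0.0.0"` next to `IPv6ListenerAddress` in internal/utils/net/ip.go with identical values; if the bootstrap package can import that package, reusing them would keep one definition. The lower-case `v4`/`v6` suffix also differs from `EnvoyAdminAddressV6`, which is used later in this file.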
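Review bot: With `Address: envoyReadinessAddressv4` as the default in the `ReadyServer` literal, a config rendered with `opts.IPFamily == nil` now listens on IPv4 only, where the removed default `::` with `ipv4_compat: true` accepted both families. If any caller can still reach GetRenderedBootstrapConfig without an IP family on a cluster whose pod IPs are IPv6, the startup and readiness probes on port 19001 would presumably never succeed. How `opts.IPFamily` is populated is outside this hunk, so that needs confirming. A comment on the default, `// IPv4 wildcard unless opts.IPFamily selects IPv6 or DualStack below`, would at least make the dependency visible. The function body starts and ends outside the hunk.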
@@ -303,8 +308,14 @@ func GetRenderedBootstrapConfig(opts *RenderBootstrapConfigOptions) (string, err cfg.parameters.WasmServer.Port = *opts.WasmServerPort } - if opts.IPFamily != nil && *opts.IPFamily == egv1a1.IPv6 { - cfg.parameters.AdminServer.Address = EnvoyAdminAddressV6 + if opts.IPFamily != nil { + cfg.parameters.IPFamily = string(*opts.IPFamily) + if *opts.IPFamily == egv1a1.IPv6 { + cfg.parameters.AdminServer.Address = EnvoyAdminAddressV6 + cfg.parameters.ReadyServer.Address = envoyReadinessAddressv6 + } else if *opts.IPFamily == egv1a1.DualStack { + cfg.parameters.ReadyServer.Address = envoyReadinessAddressv6 + } } cfg.parameters.OverloadManager.MaxHeapSizeBytes = opts.MaxHeapSizeBytes diff --git a/internal/xds/bootstrap/bootstrap.yaml.tpl b/internal/xds/bootstrap/bootstrap.yaml.tpl index 9e7fd739871..e10ab4d83f0 100644 --- a/internal/xds/bootstrap/bootstrap.yaml.tpl +++ b/internal/xds/bootstrap/bootstrap.yaml.tpl @@ -68,7 +68,9 @@ static_resources: address: '{{ .ReadyServer.Address }}' port_value: {{ .ReadyServer.Port }} protocol: TCP + {{- if eq .IPFamily "DualStack"}} ipv4_compat: true + {{- end }} filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/merge/default.out.yaml b/internal/xds/bootstrap/testdata/merge/default.out.yaml index b70801eebc7..e0a187fd8bc 100644 --- a/internal/xds/bootstrap/testdata/merge/default.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/default.out.yaml @@ -138,8 +138,7 @@ staticResources: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -170,4 +169,4 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 
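Review bot: The dual-stack decision is split across two files, joined only by a string. This block stores `cfg.parameters.IPFamily = string(*opts.IPFamily)`, and the bootstrap.yaml.tpl hunk that follows emits `ipv4_compat: true` only when `eq .IPFamily "DualStack"` matches that literal. If the constant's value and the template literal ever drift, the DualStack branch still binds `::` but the flag is dropped without any error, which as far as I can tell leaves the ready listener IPv6-only and unreachable for IPv4 probes and scrapes. I would carry the decision as a boolean set next to the address choice: a new field such as `IPv4Compat bool` on `readyServerParameters`, `cfg.parameters.ReadyServer.IPv4Compat = true` in the DualStack branch, and `{{- if .ReadyServer.IPv4Compat }}` in the template. The `if … else if` on `*opts.IPFamily` would also read more directly as a `switch`. GetRenderedBootstrapConfig starts and ends outside the hunk.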
diff --git a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml index 0438c5a675e..7fcb292368a 100644 --- a/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/merge-user-bootstrap.out.yaml @@ -144,8 +144,7 @@ staticResources: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: @@ -176,4 +175,4 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml index 5844b3ea114..63915cc277a 100644 --- a/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/patch-global-config.out.yaml @@ -134,8 +134,7 @@ static_resources: listeners: - address: socket_address: - address: '::' - ipv4_compat: true + address: 0.0.0.0 port_value: 19001 protocol: TCP filter_chains: @@ -167,4 +166,4 @@ static_resources: route: cluster: prometheus_stats stat_prefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 diff --git a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml index 5920dcb0b07..40d2392a98d 100644 --- a/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml +++ b/internal/xds/bootstrap/testdata/merge/stats_sinks.out.yaml @@ -155,8 +155,7 @@ staticResources: listeners: - address: socketAddress: - address: '::' - ipv4Compat: true + address: 0.0.0.0 portValue: 19001 filterChains: - filters: 
@@ -187,7 +186,7 @@ staticResources: route: cluster: prometheus_stats statPrefix: eg-ready-http - name: envoy-gateway-proxy-ready-::-19001 + name: envoy-gateway-proxy-ready-0.0.0.0-19001 statsSinks: - name: envoy.stat_sinks.metrics_service typedConfig: diff --git a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml index 9346a397bfb..cc3b56b399c 100644 --- a/internal/xds/bootstrap/testdata/render/custom-server-port.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-server-port.yaml @@ -31,13 +31,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-3333 + - name: envoy-gateway-proxy-ready-0.0.0.0-3333 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 3333 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml index 8ce0164d9fa..27258e741ea 100644 --- a/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml +++ b/internal/xds/bootstrap/testdata/render/custom-stats-matcher.yaml @@ -42,13 +42,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml index f901046d629..1e3ba1994dd 100644 --- a/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/disable-prometheus.yaml 
@@ -31,13 +31,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml index 99b9af18513..20eedcb3be8 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus-gzip-compression.yaml @@ -31,13 +31,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml index 0b56c4508a5..162569bcaf9 100644 --- a/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml +++ b/internal/xds/bootstrap/testdata/render/enable-prometheus.yaml @@ -31,13 +31,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/ipv6.yaml b/internal/xds/bootstrap/testdata/render/ipv6.yaml index ab63a3e7439..63395e20f7a 100644 
--- a/internal/xds/bootstrap/testdata/render/ipv6.yaml +++ b/internal/xds/bootstrap/testdata/render/ipv6.yaml @@ -37,7 +37,6 @@ static_resources: address: '::' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml index 2d375423456..27521b3c3fa 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics-backendref.yaml @@ -38,13 +38,12 @@ stats_sinks: cluster_name: otel_metric_sink_0 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml index 2d375423456..27521b3c3fa 100644 --- a/internal/xds/bootstrap/testdata/render/otel-metrics.yaml +++ b/internal/xds/bootstrap/testdata/render/otel-metrics.yaml @@ -38,13 +38,12 @@ stats_sinks: cluster_name: otel_metric_sink_0 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml index 9680192c5e5..a50a221b48f 100644 --- a/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml 
+++ b/internal/xds/bootstrap/testdata/render/with-max-heap-size-bytes.yaml @@ -31,13 +31,12 @@ dynamic_resources: resource_api_version: V3 static_resources: listeners: - - name: envoy-gateway-proxy-ready-::-19001 + - name: envoy-gateway-proxy-ready-0.0.0.0-19001 address: socket_address: - address: '::' + address: '0.0.0.0' port_value: 19001 protocol: TCP - ipv4_compat: true filter_chains: - filters: - name: envoy.filters.network.http_connection_manager diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 098cc896145..1568ed3e570 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -151,6 +151,7 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin func buildXdsTCPListener( name, address string, port uint32, + ipFamily *ir.IPFamily, keepalive *ir.TCPKeepalive, connection *ir.ClientConnection, accesslog *ir.AccessLog, @@ -174,12 +175,16 @@ func buildXdsTCPListener( PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: port, }, - Ipv4Compat: true, }, }, }, } + if ipFamily != nil && *ipFamily == ir.DualStack { + socketAddress := listener.Address.GetSocketAddress() + socketAddress.Ipv4Compat = true + } + return listener, nil } @@ -191,7 +196,7 @@ func buildPerConnectionBufferLimitBytes(connection *ir.ClientConnection) *wrappe } // buildXdsQuicListener creates a xds Listener resource for quic -func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.AccessLog) (*listenerv3.Listener, error) { +func buildXdsQuicListener(name, address string, port uint32, ipFamily *ir.IPFamily, accesslog *ir.AccessLog) (*listenerv3.Listener, error) { log, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeListener) if err != nil { return nil, err @@ -207,7 +212,6 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: port, }, - Ipv4Compat: true, }, }, }, 
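Review bot: In the `buildXdsTCPListener` hunk of internal/xds/translator/listener.go, a nil `ipFamily` combined with an IPv6 wildcard `address` now yields a listener without `Ipv4Compat`, where the old code always set it; the blocks added to `buildXdsQuicListener` and `buildXdsUDPListener` behave the same way. The regenerated fixtures on this page (for example accesslog.listeners.yaml) keep `address: '::'` and lose `ipv4Compat`, so such listeners presumably stop accepting IPv4 clients unless the caller sets `ir.DualStack`; the callers are not visible here, so this needs confirming. I would state the contract on the new block, e.g. `// Ipv4Compat only for DualStack: a "::" socket then also accepts IPv4 peers, seen as ::ffff:a.b.c.d; a nil ipFamily leaves "::" IPv6-only.` The function bodies start and end outside these hunks.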
@@ -220,6 +224,11 @@ func buildXdsQuicListener(name, address string, port uint32, accesslog *ir.Acces DrainType: listenerv3.Listener_MODIFY_ONLY, } + if ipFamily != nil && *ipFamily == ir.DualStack { + socketAddress := xdsListener.Address.GetSocketAddress() + socketAddress.Ipv4Compat = true + } + return xdsListener, nil } @@ -849,7 +858,6 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access PortSpecifier: &corev3.SocketAddress_PortValue{ PortValue: udpListener.Port, }, - Ipv4Compat: true, }, }, }, @@ -861,6 +869,11 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access }}, } + if udpListener.IPFamily != nil && *udpListener.IPFamily == ir.DualStack { + socketAddress := xdsListener.Address.GetSocketAddress() + socketAddress.Ipv4Compat = true + } + return xdsListener, nil } diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml index 026cd70e650..6fbaf5053ec 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -44,7 +43,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10162 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml index 507aaab00f5..e6777ebece3 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml 
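Review bot: The `ipFamily` check added to `buildXdsQuicListener` in internal/xds/translator/listener.go is a copy of the one in `buildXdsTCPListener`, and `buildXdsUDPListener` gets a third copy further down; a single helper would keep the three listener kinds from drifting apart the next time the IP-family rule changes. The helper below also guards the `GetSocketAddress()` result, which is nil for a non-socket address, although all three call sites build a `SocketAddress` just above. Each call site then becomes one line, `enableIPv4Compat(xdsListener, ipFamily)`, with `udpListener.IPFamily` as the argument in the UDP builder. The enclosing functions start and end outside these hunks.

```go
// enableIPv4Compat sets Ipv4Compat on the listener's socket address only when
// the listener is explicitly dual-stack; any other family leaves it unset.
func enableIPv4Compat(l *listenerv3.Listener, ipFamily *ir.IPFamily) {
	if ipFamily == nil || *ipFamily != ir.DualStack {
		return
	}
	if sa := l.GetAddress().GetSocketAddress(); sa != nil {
		sa.Ipv4Compat = true
	}
}
```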
+++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml index 9c25f196445..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml index 5b2e1a6719a..7837e1509fc 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/listener-policy.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml index 1bb613cbfcd..82af12d1330 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.listeners.yaml @@ -83,7 +83,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml index 78d5f7abe9f..ac530c829eb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.listeners.yaml @@ -62,7 +62,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml index 2532b596f44..6efcf6de185 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.listeners.yaml @@ -106,7 +106,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml index 713a4137c31..f1efd677973 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.listeners.yaml @@ -98,7 +98,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml index 8bdbfafa21e..dbb30726378 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.listeners.yaml @@ -142,7 +142,6 @@ address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml index 27da99342c3..541d20c663d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.listeners.yaml @@ -81,7 +81,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml index c43406cbaea..71f4affea97 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.listeners.yaml @@ -81,7 +81,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml index 1a6a6c94ebf..907d28f78b7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml index 8c489a928e8..2bfa9b51303 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml index 8c489a928e8..2bfa9b51303 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml index 1a6a6c94ebf..907d28f78b7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml index 39d16f0162e..688cef1f74b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -36,7 +35,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: @@ -51,7 +49,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml index fec7e1ade2f..55e2fde715b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml index 3f5b5976eb0..a7accc0ef6c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml index 91c886e41b1..9ae223623db 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
@@ -36,7 +35,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml index 76e8d8b7cf5..4515aa70761 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8081 defaultFilterChain: filters: @@ -35,7 +34,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8082 defaultFilterChain: filters: @@ -74,7 +72,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8083 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml index 0becefcb07b..59b7902b54a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -38,7 +37,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml index d4b97c1941b..e43d6e27f7a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml index 0f5111a8afa..9758fe7f17c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml index 29be8f0b25c..19c56586960 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml index 4f7cd0b8af7..0ccea8c2bcb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml index 71ebe76cb1e..e2054562760 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml index 167e96f53e0..84b95081c80 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml index fec7e1ade2f..55e2fde715b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml index 1f010cbb726..acf4c0a40f6 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml index 6c1a233f5b2..72f0a0a1239 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml index f9ce7d84e7c..de527446ae0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8081 defaultFilterChain: filters: @@ -35,7 +34,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8082 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml index f89d388819d..d0509c239cf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8081 defaultFilterChain: filters: @@ -34,7 +33,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8082 defaultFilterChain: filters: @@ -66,7 +64,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8083 defaultFilterChain: filters: @@ -99,7 +96,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 8084 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/health-check.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml index 93320e1347b..73dcc99a8b9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -42,7 +41,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml index 6c2ec38ab4f..8b810de954d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml index 858a6a99df5..1548f88fd66 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml index cc24216073a..09426a31773 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml index cefa3f8fcfd..ac62b3d7a0b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml index 9c25f196445..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml index a9b9065d238..80ae84fd104 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml index a9b9065d238..80ae84fd104 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml index a857be906cd..ed3356f4a2d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml index a9b9065d238..80ae84fd104 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml index 725b879b355..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml index 9c25f196445..c3fb113017a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml index 725b879b355..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml index 09c1f7373da..5a43997887d 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -36,7 +35,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml index 725b879b355..657d2b42a82 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml index 7d466743074..8cebad7030e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -42,7 +41,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml index 952475f29ec..eb0e689ae97 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml index 39cef2f193b..61260cb9507 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml index ba98a10f789..460fcf1fc0b 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml index d150efd0384..0ac436eeb75 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml index 98b2a58f8ef..49a651da85e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10443 protocol: UDP drainType: MODIFY_ONLY @@ -57,7 +56,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10443 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml index 1825eb14ab6..8aaea6d5fd4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml index 1825eb14ab6..8aaea6d5fd4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml index 89174e27343..d5b2dfa8ee2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml index a54a698f87b..95c52f2a86a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml index 668235d7cb2..e715f2945c4 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.listeners.yaml @@ -14,7 +14,6 @@ address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml index 8862e7f0425..4a6a9a06315 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index c3eccbda5ef..53af66649b7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml index b05cedcd164..eb828bbc9d4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml index 7286927497c..079ca70cfd3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -36,7 +35,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: @@ -76,7 +74,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10082 filterChains: - filterChainMatch: @@ -102,7 +99,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10083 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml index 016786b37f5..89258f90704 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -65,7 +64,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml index 8b7b4013e4f..afcd96ff6b0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: @@ -41,7 +40,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 defaultFilterChain: filters: @@ -93,7 +91,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10082 filterChains: - filterChainMatch: @@ -119,7 +116,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10083 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml index 93a9663d159..6539e7588ec 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-without-route.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10443 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml index d23d6e5323a..aff3d89b5f5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml index 565ad98228f..65814a64bd0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml index 44ffd11e130..39bfe9f587b 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 protocol: UDP defaultFilterChain: @@ -67,7 +66,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml index bfed5797031..5c84e82a4ac 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml index cf89025ba17..df909c5396f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml index 8cc49659b0a..13aea564d39 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10001 filterChains: - filters: @@ -61,7 +60,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10002 filterChains: - filters: @@ -122,7 +120,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10003 filterChains: - filters: @@ -185,7 +182,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10004 filterChains: - filters: @@ -250,7 +246,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10005 filterChains: - filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml index 5404e9c4612..483ada817be 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10001 filterChains: - filters: @@ -61,7 +60,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10002 filterChains: - filters: @@ -122,7 +120,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10003 filterChains: - filters: @@ -183,7 +180,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10004 filterChains: - filters: @@ -244,7 +240,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10005 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml index ff623ed0918..20dbf81f07a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: @@ -61,7 +60,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml index 5322382f349..b51e1c7c927 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: @@ -61,7 +60,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml index 995d70e1811..ab9e55eadf0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index f02d5214210..714f4f17ec3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml index 11e2a389c0d..d20c59f8564 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml index 2f68d5d848d..0e7cb96a26f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml index 821bf6ee840..cd3d911b020 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml index 2f68d5d848d..0e7cb96a26f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml index 2f68d5d848d..0e7cb96a26f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml index 2f68d5d848d..0e7cb96a26f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml index 2f68d5d848d..0e7cb96a26f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.listeners.yaml 
@@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index 349f027d1bf..eb5f36cb40e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml index 9f852cd8701..ff45c0826a6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml index 2488a8f083c..e56e13cfd68 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml index 12011f9ae49..05e2fc8ffe2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml index c70b6728097..a2ac23f3a12 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml index 5023b077b09..515bc6416b2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml index 72f40213b1b..7ea9adf25bb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml index 4423eb58f5b..dc0e37419c9 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml index 4ec20d0cc11..9f8af189de4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml index dab6fe543f3..f209ec6bd68 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -23,7 +22,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filterChainMatch: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml index 64028f1420d..8d7f6399806 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 filterChains: - filterChainMatch: @@ -81,7 +80,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10081 filterChains: - filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml index 7f41a9bed98..32f1b0230ff 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml index e19a79d30dc..abac7a833a4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml index e5532223241..a944c425639 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml index 5832f199bc9..3bd86857b6f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml index 09c7681d79e..2f969eb7e95 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml index cc92fbd6ed6..3d1cb7b1c7d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml index 71f29a0035a..cfcd4df467f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 protocol: UDP listenerFilters: diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml index a9b9065d238..80ae84fd104 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: '::' - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml index bbb4b7109a8..e3a679d1ae0 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.listeners.yaml @@ -1,7 +1,6 @@ - address: socketAddress: address: 0.0.0.0 - ipv4Compat: true portValue: 10080 defaultFilterChain: filters: diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index a76382dd569..1e0ae77e915 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -216,7 +216,8 @@ func (t *Translator) processHTTPListenerXdsTranslation( case !xdsListenerOnSameAddressPortExists: // Create a new UDP(QUIC) listener for HTTP3 traffic if HTTP3 is enabled if http3Enabled { - if quicXDSListener, err = buildXdsQuicListener(httpListener.Name, httpListener.Address, httpListener.Port, accessLog); err != nil { + if quicXDSListener, err = buildXdsQuicListener(httpListener.Name, httpListener.Address, + httpListener.Port, httpListener.IPFamily, accessLog); err != nil { errs = errors.Join(errs, err) continue } 
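Review bot: The new `httpListener.IPFamily` argument on the `buildXdsQuicListener` call is passed straight from the IR with no visible handling of an unset value and no comment saying what the builder does with it; the same applies to the two `buildXdsTCPListener` calls in the following hunks at -229 and -575. The golden files updated elsewhere in this patch drop `ipv4Compat: true` from listeners bound to `'::'`, so an IR listener on `'::'` with no IPFamily now appears to produce an IPv6 listener without ipv4_compat, which may stop IPv4 clients from being accepted on it; this should be confirmed against the builders, which are outside these hunks. Going by the v1.2.3 release note later on this page, I would add a call-site comment such as `// IPFamily selects the bind family; ipv4_compat is set only for DualStack and is never inferred from a '::' address`, plus a golden case with an explicit DualStack family so the `ipv4Compat: true` output stays covered. `processHTTPListenerXdsTranslation` and `processTCPListenerXdsTranslation` both start and end outside the hunks.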
@@ -229,7 +230,7 @@ func (t *Translator) processHTTPListenerXdsTranslation( // Create a new TCP listener for HTTP1/HTTP2 traffic. if tcpXDSListener, err = buildXdsTCPListener( - httpListener.Name, httpListener.Address, httpListener.Port, + httpListener.Name, httpListener.Address, httpListener.Port, httpListener.IPFamily, httpListener.TCPKeepalive, httpListener.Connection, accessLog); err != nil { errs = errors.Join(errs, err) continue @@ -575,7 +576,7 @@ func (t *Translator) processTCPListenerXdsTranslation( xdsListener := findXdsListenerByHostPort(tCtx, tcpListener.Address, tcpListener.Port, corev3.SocketAddress_TCP) if xdsListener == nil { if xdsListener, err = buildXdsTCPListener( - tcpListener.Name, tcpListener.Address, tcpListener.Port, + tcpListener.Name, tcpListener.Address, tcpListener.Port, tcpListener.IPFamily, tcpListener.TCPKeepalive, tcpListener.Connection, accesslog); err != nil { // skip this listener if failed to build xds listener errs = errors.Join(errs, err) From 56b0cea72fdbb02f73dadfa9da8830375e0c2445 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 08:05:58 +0800 Subject: [PATCH 447/523] fix license check (#4821) * fix license check Signed-off-by: Huabing Zhao * upgrade groupcache Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c37471842dd..9a8cd125fef 100644 --- a/go.mod +++ b/go.mod @@ -238,7 +238,7 @@ require ( github.com/go-openapi/jsonpointer v0.21.0 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/swag v0.23.0 // indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect 
diff --git a/go.sum b/go.sum index 84f9b879a84..1e7f9e7a000 100644 --- a/go.sum +++ b/go.sum @@ -364,8 +364,8 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfU github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= From 81faf424939a8d72ba5d1fd14714c7296bf530c0 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 09:36:57 +0800 Subject: [PATCH 448/523] [release/v1.2] release note for v1.2.3 (#4820) * [release/v1.2] release note for v1.2.3 (#4813) * release note for v1.2.3 Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao Co-authored-by: Arko Dasgupta --- VERSION | 2 +- release-notes/current.yaml | 1 - release-notes/v1.2.3.yaml | 9 +++++++++ site/content/en/news/releases/notes/v1.2.3.md | 13 +++++++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 release-notes/v1.2.3.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.3.md diff --git a/VERSION b/VERSION index cc904638af8..4367f900087 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.2 +v1.2.3 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 58ffa73ccb0..d1c6dd95c06 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,7 +17,6 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.3.yaml b/release-notes/v1.2.3.yaml new file mode 100644 index 00000000000..b5fc7bf6fa1 --- /dev/null +++ b/release-notes/v1.2.3.yaml @@ -0,0 +1,9 @@ +date: December 2, 2024 + +bug fixes: | + Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. + Used a waitGroup instead of an enabled channel in the status updater. + +Other changes: | + EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack. + diff --git a/site/content/en/news/releases/notes/v1.2.3.md b/site/content/en/news/releases/notes/v1.2.3.md new file mode 100644 index 00000000000..4e2500ba3a6 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.3.md 
@@ -0,0 +1,13 @@ +--- +title: "v1.2.3" +publishdate: 2024-12-02 +--- + +Date: December 2, 2024 + +## Bug fixes +- Disabled the retry policy for the JWT provider to reduce requests sent to the JWKS endpoint. Failed async fetches will retry every 1s. +- Used a waitGroup instead of an enabled channel in the status updater. + +## Other changes +- EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack. From cf75b1683a5cc42b16d3c2fb230309b40cc9e9af Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Dec 2024 12:15:49 +0800 Subject: [PATCH 449/523] build(deps): bump the k8s-io group across 2 directories with 6 updates (#4776) * build(deps): bump the k8s-io group across 2 directories with 6 updates Bumps the k8s-io group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl). Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/api` from 0.31.2 to 0.31.3 - [Commits](https://github.com/kubernetes/api/compare/v0.31.2...v0.31.3) Updates `k8s.io/apiextensions-apiserver` from 0.31.2 to 0.31.3 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.31.2...v0.31.3) Updates `k8s.io/apimachinery` from 0.31.2 to 0.31.3 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.2...v0.31.3) Updates `k8s.io/cli-runtime` from 0.31.2 to 0.31.3 - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.31.2...v0.31.3) Updates `k8s.io/client-go` from 0.31.2 to 0.31.3 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.2...v0.31.3) Updates `k8s.io/kubectl` from 0.31.2 to 0.31.3 - [Commits](https://github.com/kubernetes/kubectl/compare/v0.31.2...v0.31.3) Updates `k8s.io/apimachinery` from 0.31.2 to 0.31.3 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.2...v0.31.3) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: 
k8s-io - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kubectl dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] * build(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * build(deps): bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.2 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.1 to 0.19.2. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.1...v0.19.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: Huabing Zhao --- examples/extension-server/go.mod | 4 +-- examples/extension-server/go.sum | 16 +++++------ go.mod | 22 +++++++-------- go.sum | 47 ++++++++++++++++---------------- 4 files changed, 45 insertions(+), 44 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index b484a19a6b7..ab324559b23 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -8,8 +8,8 @@ require ( github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.68.0 google.golang.org/protobuf v1.35.2 - k8s.io/apimachinery v0.31.2 - sigs.k8s.io/controller-runtime v0.19.1 + k8s.io/apimachinery v0.31.3 + sigs.k8s.io/controller-runtime v0.19.2 sigs.k8s.io/gateway-api v1.2.0 ) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 8bac1672b4e..4524585da9e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -64,8 +64,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w= github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= 
@@ -125,16 +125,16 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= -k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= -k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= -k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= +k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= +k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= +k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= -sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= +sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/go.mod b/go.mod index 9a8cd125fef..fb8b8877663 100644 --- a/go.mod 
+++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/prometheus/common v0.60.1 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 - github.com/stretchr/testify v1.9.0 + github.com/stretchr/testify v1.10.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tsaarni/certyaml v0.10.0 go.opentelemetry.io/otel v1.32.0 @@ -48,14 +48,14 @@ require ( google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.3 - k8s.io/api v0.31.2 - k8s.io/apiextensions-apiserver v0.31.2 - k8s.io/apimachinery v0.31.2 - k8s.io/cli-runtime v0.31.2 - k8s.io/client-go v0.31.2 - k8s.io/kubectl v0.31.2 + k8s.io/api v0.31.3 + k8s.io/apiextensions-apiserver v0.31.3 + k8s.io/apimachinery v0.31.3 + k8s.io/cli-runtime v0.31.3 + k8s.io/client-go v0.31.3 + k8s.io/kubectl v0.31.3 k8s.io/utils v0.0.0-20240821151609-f90d01438635 - sigs.k8s.io/controller-runtime v0.19.1 + sigs.k8s.io/controller-runtime v0.19.2 sigs.k8s.io/gateway-api v1.2.0 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 @@ -212,8 +212,8 @@ require ( golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.2 // indirect - k8s.io/metrics v0.31.2 // indirect + k8s.io/apiserver v0.31.3 // indirect + k8s.io/metrics v0.31.3 // indirect oras.land/oras-go v1.2.6 // indirect periph.io/x/host/v3 v3.8.2 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect @@ -289,7 +289,7 @@ require ( google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/component-base v0.31.2 // indirect + k8s.io/component-base v0.31.3 // indirect k8s.io/klog/v2 v2.130.1 k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 
diff --git a/go.sum b/go.sum index 1e7f9e7a000..fcddf672a39 100644 --- a/go.sum +++ b/go.sum @@ -803,8 +803,9 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/sylabs/sif/v2 v2.18.0 h1:eXugsS1qx7St2Wu/AJ21KnsQiVCpouPlTigABh+6KYI= 
@@ -1159,32 +1160,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= -k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= +k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= -k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= +k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= +k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= -k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= +k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= -k8s.io/apiserver v0.31.2/go.mod 
h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= -k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ= -k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q= +k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= +k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= +k8s.io/cli-runtime v0.31.3 h1:fEQD9Xokir78y7pVK/fCJN090/iYNrLHpFbGU4ul9TI= +k8s.io/cli-runtime v0.31.3/go.mod h1:Q2jkyTpl+f6AtodQvgDI8io3jrfr+Z0LyQBPJJ2Btq8= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= -k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= +k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= +k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= -k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= +k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= +k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1193,16 +1194,16 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI= -k8s.io/kms v0.31.2/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.31.3 h1:XCFmiJn5CCKs8xoOLpCmu42Ubm/KW85wNHybGFcSAYc= +k8s.io/kms v0.31.3/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= -k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M= -k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM= -k8s.io/metrics v0.31.2 h1:sQhujR9m3HN/Nu/0fTfTscjnswQl0qkQAodEdGBS0N4= -k8s.io/metrics v0.31.2/go.mod h1:QqqyReApEWO1UEgXOSXiHCQod6yTxYctbAAQBWZkboU= +k8s.io/kubectl v0.31.3 h1:3r111pCjPsvnR98oLLxDMwAeM6OPGmPty6gSKaLTQes= +k8s.io/kubectl v0.31.3/go.mod h1:lhMECDCbJN8He12qcKqs2QfmVo9Pue30geovBVpH5fs= +k8s.io/metrics v0.31.3 h1:DkT9I3gFlb2/z+/4BMY7WrQ/PnbukuV4Yli82v/KBCM= +k8s.io/metrics v0.31.3/go.mod h1:2w9gpd8z+13oJmaPR6p3kDyrDqnxSyoKpnOw2qLIdhI= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= 
@@ -1215,8 +1216,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= -sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= +sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= From 93ac05551fd1d4c8d0878545eabfe24d0e4cc90d Mon Sep 17 00:00:00 2001 From: Taufik Mulyana <17433202+nothinux@users.noreply.github.com> Date: Mon, 2 Dec 2024 11:21:14 +0700 Subject: [PATCH 450/523] chore: increase backend endpoints max items to 64 (#4822) * chore: increase backend endpoints max item to 64 Signed-off-by: Taufik Mulyana * fix test Signed-off-by: Taufik Mulyana --------- Signed-off-by: Taufik Mulyana Co-authored-by: Huabing Zhao --- api/v1alpha1/backend_types.go | 2 +- .../crds/generated/gateway.envoyproxy.io_backends.yaml | 2 +- test/cel-validation/backend_test.go | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go index 563bb5d2019..6afbcf9d182 100644 --- a/api/v1alpha1/backend_types.go +++ b/api/v1alpha1/backend_types.go 
@@ -116,7 +116,7 @@ type BackendSpec struct { // Endpoints defines the endpoints to be used when connecting to the backend. // // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=4 + // +kubebuilder:validation:MaxItems=64 // +kubebuilder:validation:XValidation:rule="self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))",message="fqdn addresses cannot be mixed with other address types" Endpoints []BackendEndpoint `json:"endpoints,omitempty"` diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml index 7d0da8385be..9dd148bf42b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml @@ -132,7 +132,7 @@ spec: rule: ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) || (has(self.ip) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix) && !(has(self.ip) || has(self.fqdn)))) - maxItems: 4 + maxItems: 64 minItems: 1 type: array x-kubernetes-validations: diff --git a/test/cel-validation/backend_test.go b/test/cel-validation/backend_test.go index a46a2d4078a..069a9f74f78 100644 --- a/test/cel-validation/backend_test.go +++ b/test/cel-validation/backend_test.go @@ -75,6 +75,12 @@ func TestBackend(t *testing.T) { Port: 443, }, }, + { + FQDN: &egv1a1.FQDNEndpoint{ + Hostname: "sub1.sub.sub.example.com", + Port: 443, + }, + }, }, } }, From c4d2fd12de70786ccf116886de7bed90db83b99d Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 12:38:32 +0800 Subject: [PATCH 451/523] update EG website docs links to 1.2.3 (#4825) update docs links to 1.2.3 Signed-off-by: Huabing Zhao --- site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
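Review bot: The doc comment on `Endpoints` in api/v1alpha1/backend_types.go still does not state the list bound, and this hunk widens it from 4 to 64, so the API reference generated from the comment gives users no hint of the limit until admission rejects the object. I would extend the comment to `// Endpoints defines the endpoints to be used when connecting to the backend. Between 1 and 64 endpoints may be specified.` The cap is also what bounds the `self.all(...) || !self.exists(...)` rule on the following marker and, presumably, how many upstream hosts one Backend can fan out to, so a short remark in the commit or comment on why 64 was chosen would help the next person who wants to raise it again. BackendSpec starts and ends outside this hunk.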
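Review bot: Nothing in the test/cel-validation/backend_test.go hunk pins the new upper bound: the added lines put one more `FQDNEndpoint` (`sub1.sub.sub.example.com`) into an existing case, and no visible case checks that 64 endpoints are accepted and a 65th is rejected. Since `MaxItems` is the only guard on the list size, I would add two boundary cases that build the slice in a loop (64 entries expecting no error, 65 expecting a validation error) rather than spelling the entries out. TestBackend and the case this entry belongs to begin outside the hunk, so an existing boundary case elsewhere in the file would make this moot.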
diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html
index 9ba708d50fc..b21ca9586b8 100644
--- a/site/layouts/shortcodes/helm-version.html
+++ b/site/layouts/shortcodes/helm-version.html
@@ -6,8 +6,8 @@
 {{- "v1.1.4" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.2") -}}
-{{- "v1.2.2" -}}
+{{- "v1.2.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.2.2" -}}
+{{- "v1.2.3" -}}
 {{- end -}}
diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html
index 1c46423c3e0..d68a435454c 100644
--- a/site/layouts/shortcodes/yaml-version.html
+++ b/site/layouts/shortcodes/yaml-version.html
@@ -6,8 +6,8 @@
 {{- "v1.1.4" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "v1.2") -}}
-{{- "v1.2.2" -}}
+{{- "v1.2.3" -}}
 {{- end -}}
 {{- with (strings.HasPrefix $pagePrefix "doc") -}}
-{{- "v1.2.2" -}}
+{{- "v1.2.3" -}}
 {{- end -}}
From bce2acf5e7e0a9bdc00273c99b64f31f4f06b675 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 14:44:39 +0800 Subject: [PATCH 452/523] chore: Bump gateway api to 1.2.1 (#4832) * update the lastVersionTag for the upgrade test Signed-off-by: Huabing Zhao * bump gateway api to 1.2.1 Signed-off-by: Huabing Zhao * bump gateway api to 1.2.1 Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- charts/gateway-helm/crds/gatewayapi-crds.yaml | 20 +++++++++---------- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- test/e2e/tests/eg_upgrade.go | 2 +- 6 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml
index 57595956279..f311060d1f3 100644
--- a/charts/gateway-helm/crds/gatewayapi-crds.yaml
+++ b/charts/gateway-helm/crds/gatewayapi-crds.yaml
@@ -24,7 +24,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -525,7 +525,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null labels: @@ -1154,7 +1154,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gatewayclasses.gateway.networking.k8s.io @@ -1674,7 +1674,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: gateways.gateway.networking.k8s.io @@ -4090,7 +4090,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: grpcroutes.gateway.networking.k8s.io 
@@ -6328,7 +6328,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: httproutes.gateway.networking.k8s.io @@ -12490,7 +12490,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: referencegrants.gateway.networking.k8s.io @@ -12683,7 +12683,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tcproutes.gateway.networking.k8s.io @@ -13428,7 +13428,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: tlsroutes.gateway.networking.k8s.io @@ -14236,7 +14236,7 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 - gateway.networking.k8s.io/bundle-version: v1.2.0 + gateway.networking.k8s.io/bundle-version: v1.2.1 gateway.networking.k8s.io/channel: experimental creationTimestamp: null name: udproutes.gateway.networking.k8s.io 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index ab324559b23..2391d48906d 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -10,7 +10,7 @@ require ( google.golang.org/protobuf v1.35.2 k8s.io/apimachinery v0.31.3 sigs.k8s.io/controller-runtime v0.19.2 - sigs.k8s.io/gateway-api v1.2.0 + sigs.k8s.io/gateway-api v1.2.1 ) require ( diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 4524585da9e..2b7ea881bf0 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -135,8 +135,8 @@ k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2d k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= -sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= -sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= +sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= +sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/go.mod b/go.mod index fb8b8877663..dddca4d3e27 100644 --- a/go.mod +++ b/go.mod @@ -56,7 +56,7 @@ require ( k8s.io/kubectl v0.31.3 k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.2 - sigs.k8s.io/gateway-api v1.2.0 + sigs.k8s.io/gateway-api v1.2.1 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 ) 
diff --git a/go.sum b/go.sum index fcddf672a39..105d8619670 100644 --- a/go.sum +++ b/go.sum @@ -1219,8 +1219,8 @@ sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gE sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= -sigs.k8s.io/gateway-api v1.2.0 h1:LrToiFwtqKTKZcZtoQPTuo3FxhrrhTgzQG0Te+YGSo8= -sigs.k8s.io/gateway-api v1.2.0/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= +sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= +sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= diff --git a/test/e2e/tests/eg_upgrade.go b/test/e2e/tests/eg_upgrade.go index 75bd3fb2a42..3418259943c 100644 --- a/test/e2e/tests/eg_upgrade.go +++ b/test/e2e/tests/eg_upgrade.go @@ -52,7 +52,7 @@ var EGUpgradeTest = suite.ConformanceTest{ chartPath := "../../../charts/gateway-helm" relName := "eg" depNS := "envoy-gateway-system" - lastVersionTag := "v1.2.1" // the latest prior release + lastVersionTag := "v1.2.3" // the latest prior release t.Logf("Upgrading from version: %s", lastVersionTag) From a98b09659382d2103d5386e204710f4e7c057bc0 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 14:44:52 +0800 Subject: [PATCH 453/523] Update v1.2.3 release note (#4833) update release note Signed-off-by: Huabing Zhao --- release-notes/v1.2.3.yaml | 2 +- site/content/en/news/releases/notes/v1.2.3.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/release-notes/v1.2.3.yaml b/release-notes/v1.2.3.yaml index b5fc7bf6fa1..ddb7795740e 100644 --- a/release-notes/v1.2.3.yaml +++ b/release-notes/v1.2.3.yaml @@ -6,4 +6,4 @@ bug fixes: | Other changes: | EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack. - + Bumped Gateway API to v1.2.1. diff --git a/site/content/en/news/releases/notes/v1.2.3.md b/site/content/en/news/releases/notes/v1.2.3.md index 4e2500ba3a6..1fc38d7088d 100644 --- a/site/content/en/news/releases/notes/v1.2.3.md +++ b/site/content/en/news/releases/notes/v1.2.3.md @@ -11,3 +11,4 @@ Date: December 2, 2024 ## Other changes - EG Listens on IPv4 by default, but if IPFamily is set to IPv6 or DualStack, it listens on :: and enables ipv4_compat for DualStack. +- Bumped Gateway API to v1.2.1. From 4bfbebc7d88054dd63e367250930a5df2c405f62 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Mon, 2 Dec 2024 16:20:28 +0800 Subject: [PATCH 454/523] Update upgrade test (#4830) update the lastVersionTag for the upgrade test Signed-off-by: Huabing Zhao From 9d050dd114b93b384e6558ae0afaf3c1c325e192 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 2 Dec 2024 09:07:18 -0800 Subject: [PATCH 455/523] [docs] Add QuantCo as an Adopter (#4834) * [docs] Add QuantCo as an Adopter Signed-off-by: Arko Dasgupta * typo Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- site/data/adopters.yaml | 4 ++++ site/static/logos/quantco.png | Bin 0 -> 22045 bytes 2 files changed, 4 insertions(+) create mode 100644 site/static/logos/quantco.png diff --git a/site/data/adopters.yaml b/site/data/adopters.yaml index ef6bcfb8221..02eafe113b8 100644 --- a/site/data/adopters.yaml +++ b/site/data/adopters.yaml 
@@ -19,3 +19,7 @@ adopters:
 logo: "/logos/tencent-cloud.png"
 url: "https://www.tencentcloud.com"
 description: "Tencent Cloud is using Envoy Gateway as a Kubernetes Cluster Network Addon to manage dynamic routing in the Tencent Kubernetes Engine."
+ - name: "QuantCo"
+ logo: "/logos/quantco.png"
+ url: "https://www.quantco.com"
+ description: "QuantCo is using Envoy Gateway to expose various services from our K8s clusters in a secure and flexible way, where developers can deploy and manage their apps and cluster administrators can enforce common security policies like OIDC authentication."
diff --git a/site/static/logos/quantco.png b/site/static/logos/quantco.png new file mode 100644 index 0000000000000000000000000000000000000000..0569a10b897243a9a95be5fabbf155e6bf5f61a9 GIT binary patch literal 22045 zcmeHvdpy(q`~QfDgpzY6ib^GlAx1fMR_VT#vs5aF(Q?XWlN`#i)SVjESqH}?=WR}t z!YYNrHitIlu+6Z|W`6Hsb$`F#zkZM3KfmAO_wnfN*6VP+uGe)vuj_SPufzNL(Id_Z za+-1=5J+MFK8NEVkPH(9TDC%VIZ&daRpbTyPuG9n@xvfc63{4B0VE+^0Ro{%K%nE& zAc?geAdq=62n60E`LXW;2=rIweuq6LqP~yyd&CtSsDA#*M{@P?g+G~@s~7(O|I9?k zhwGSs&F}Iw8@<)Mar=;;buPI-Ky{B&lgt?bn`A2ij4Jxc`2ZIGDuq}q0@)E{mVT1} zFa4s#Tx#{F?sxOwb)etPf7ktK{=4pX^FMXJoByu+52*#g|CY!9L$aDv{vR;#ZR{LpQGe0T|1Xk6H!VBXv{A2!u@W35{LHOK1Fn(nZSj>gR_8vTPHAQPCT6%81p1Z%gn9TdA55mof z0kBhG+(=!nqAYiT1Sr~pA2GL*zu}77_45u++tQ^L9Ya>&8hZ6IrT&OistjtpS$FgU&vb}?6PLi1T7o7=ya+F-_ zhRJB;dNCRFmd3fQnpx-H;jLUGP*RKYs7%^roq!MzbS*|{Qep|sc9ltr)_Q}3wab?Z zbSpwpY03Mip4vUmR20i$)d0@R)^hvQ@z)#m5|hv8aK!R>qB?<@Za))t_xs*h*edbl zbnir=JnWx6I9T{Bx$?f^Z=D$R@pEIi6`um8_be^@7N&iCPbfloY7SE+DHdnl5Rw7s zF}IPD&$nxdM+#auVH}vLa&91CIb2q(HIHUKreb2i%>XtOzXS$qVGPq8D(V(j?iwh?Q>nJrz)@igI;*v{)bK!FvD%9no@9RA>!Nx63b$A^k zhPCF#b#7s_!V)98q$u0uyrZ`rn`D;s`OcV}aoSKti?y4rEoMJT@ySC7MNH<27NEn( z*Ug8OSmH@5F(j11OC;@TWq$3vFE7?uQ;gkj+DeS(|MIVYcT(FDhp)V6^rxGyLY?KB zC7Qkz^t_6}pXSuQC|kK(=wvbAbji!2tM5CDJHNfoi3hC^G^|!GFt6V%PmZ@gO)g zhGCp?&$sp*c`>U3*|IslHaq?gWZ7Y{#r&mNfD=z7ZqR1!O?F9yD zBP|VL7tF#<*Kq8v=F!fJn>~wSL^9%TE6^^AOa4Kl)MVqDyxO~ExkA}R-*}~#acz&e zsbdp+S?v9|ZEeb*vMZDqBW(2XA*6oMWcw!Dg6iZ-CkOtAut=}zQ52(6$Y>MN5T|!V z>Mwcbr^^LNy6+>hZ>o+^hC*b|u=)p-vuruKOdX)N{kcomVg{VwU2vqMdK z?+D!IASmED8#>(VoDB3M^vp+yXRofNemP=wgdVs*$KY1k zGZnSFyQkMn!|43mzpY61X4x8{17D69ZAAN5@%v+CtQV|Dwizgsj``V-@6YF`T-Zev zbLMIPEcsLq1Ijm@f<#1dUKd>-t0ChpvK z^=U;qTagn_5s(G7=aKgw$;Pu%#U{9VvrL>zCA||qtT!A$a@)M53iQ^7VZDhJ99dpM zjAoZK5Daqe@+K54Y zdP@p;L3D;G1*~3IXPG0Y+Qr>`Bd9O+)DkLn%c(u`(b0(Ql&E%EPIc5K1Nju}1F_dV zo{|RT=f2$xEP`eq;G?u)gd$PAf*>F}R!QbnCRebGB2E4l&$z7d^w2o<32Kz=!TC{_ z1`Eo+u*+$w5(J~L{SHml^fl+f3$X=ERk3E!6%6)AE$m-8F^c~E9$c|;kZ~@ZgIT<< 
zx$)2!jBVm2$j)MF26@^5+g3c|IhK<`ZV-E`TBLCouP)}Z1=vHG@|y}koAuWCXU^R$ zctiAxC9Fj8^M?9UogEOc0kQ87cis!5V2dHD%B;Esu`l_uPA10hNUd`d-9vLoc}dtk zJ6Co*%8ANICRMB?>Mc<$aZ?(TvSjHfV__bt_F`96tj<*#u5C?8&X9qLwF}qxHEPN| zw`;jFtISLzeo4QCE{RZ;!KRqkDA|CpBe{bYSBkagfvYnTc&>SW;k`O@wtmqocG@fv6+)F1;Tk*OFItYsF}X zhS=r?Cf!flE%s0qH(@Gd!QbYNdA;qkt_mGBL!N0i;z~%I%jMln1uuL|hH+4oos78r zab>rBNGvCBki@QmGmh$f7JDpjxtOe;i0u08#wzawa<=`_vK^~AwS8}|pMigR7Kzgp zJ%SMH@3X>{_>Z(so(26|bMv3(tJ&vnw&$~7{K|plaFVJt;9`kI+UJojfc?{xiP`!O z;q$+0t!aG_vRF6_r`j4qL~=)zem#4Bpl_;EL+lQ%BuD{oIGkNw`=$hVho(X8{{H?b zF?YBdkx(ouHHGEWz$Q?&r!|nw#ULKdZp~&m2Wbjih~o!`pC^eh$R7`)giJ0v7MT+I|BN0duc1h2*#>&RN5m6gE{8ODNtgBS0=OcrtAiud%2)|YvYK|P z#Q45VNn$w;z@3MzIZUyEmjqvnNj?k3D$+8ZTqde5Dd&p@RkgHD>kV^IFtBr$ub%pQ z2xFYrHB&4p$){~S^f5joe{lr66&O-?d=y3wwCSwE*A*gq_#EfF4&Jzi$ASWeXWzEW zJt5&blueR(AUoRVi<+Y}HjnusdYG0&aSU7(MrNnMG0Zzg`4RK;5+GQ|WGwQ0(6MjU zgZUPS)X-m;9qXg?_4n)*nHK?bnw$;-{W|4ZE_sjS z-RQ)=jveYDcP`fI-mPE+7lA;6Sg)@u&R{%Jx3w7tH81rfX11>dJ;)3Hs+$=cvg_^h zs3Rsa+($AC5;4CojR2w5y8m(sYa?xmvuw_hTqp4Fl`Xk);j&KAFzc+^94_m_tstmXu2)Mzfsw?}C;5SGAN zCy^;(((?{Lm>l2Uzr>3a0)XJAn8W4Cr!iMF-Iy*wgbwZL^Zhq3ghayf;x>~q%lc(| z7ZfJT70r#)kJlUf;+qx zgl_A0C8taK@Tm5MOZ+PYh}eMJOe-~-PwyzA`oItQdoy>g`>(^fm;|}T15>yca1I_H zy_i=?_yDTqUa{Gj82oBy5#cU0A_7wMM`CsadZ5~n++-E(!Hmr@lUm! 
zUl%%*;MsW(Y;LCEwltPGOagRF0oL4L1V0=Y8;ZX!vJx~JW-krW?JPg>%xOqYXhq4^ zfBRK^u}jZoRY1Ifn}s0&*tV}di`9D`~_+oyg8ttISa{o*T{lMUP zTnxlVu$bLp>;MsE{&YVeRVIvoOv7NJ_Y#~%xV0lx#L0tnsbD{oXVgv}?P6Zfm&U~b z>sXt}a7zZI(3c1&l4|mC##4*Ge;De$80cPE=V^0Kkwemuqt|Dx7?; zeeHzhLinM?41NXzoq3b~{shdk{w}+t({mti&4PE*BAL5_KvIG_uQVg>C9+2QTH3lr z7+V8C1?~M#-cDQ_6}oScSHg0UaGCF|-scw-&QV9A>F01gCj!LK=xve)Ng)d6sCT02 z7jZpbeE(hX{-ksJVE4H^qKXJ$3+#qyi%{>@eQfY9T9KAl+n=`i&-9c&0U2+$Bs?Q2 zX+hzkLz@6AsC}JSE$ajIS1@e1jm6oEMF_|VL@sdyx+zsgH&w)|S4g2cVF2+4#!c>DKa) z{w4(6M{O7dpC7VCd6@}|K&`fgf={)!4oyQTRr6KC0HFXsN}1z$3vyeh`p(Z^3Q4uK z0Fyfsx+o_AFn#-p8`o5>0Jpiqh>ArNH@K=y$Xk3`g)qL9D@e5E=!SG*MRGa%L;K8x zi1~+=3Rq!(JFAu>In{4)vqUiz@q{toqhxb-=b#sL40%6AuG@he0vhmwjcoc87#vvCuQ7ITo>W#Th-%7(YH6saj{gQ`1#6ge>!AG($St00+DCccqY1|V-rHRmwEQpr@7{EH)#<*kNjgl{ zN%U9^#(w}SeyI{(jWWoKvy_D^NkX-&B`%Xj_V=_@OMKB5ME=6_?zI-yI=*~X!iqRG z??qaZV;W&%~_7AsR_xB7%koQvptD!l^@kvoWrBONt!YBSX1>3SxZ!3rT!Q` z2tR$plTr~qGI4VcQ*cCSUAxa$GLheMtzG5zKh zI;zm^*wGHutC?YZ=W69TNSFCMX7-W&761Odq1f~DZwGuD6`JPBMIDtKJ0$MG%+chKcX0Q+bou%qqz8*&tTf~PRy?h`P|1H3r*F=){?JGHkBlAprRO~#yXdH z{9f+i^+SIVAROAvnvFWI$;|v_hok-wcG53F!5T^E%znb0|Jzi+ah4pbYe}1&#-Lo) zoPl*S647`5i~po~tcC=oYI1z~XrQ+P!FCK9e5n?Bs;Q^B`+*WOmm}&9ctc5OxEJDz zTG}}3V0W{~+SY*;&;RwJ7*Tsxi`i|g%-ieeIMly96%9)rESn{UY~!!drTSx~3Shec zXU6Q^R<16MfLsVcNFg9a&FRKDc(z*2jzWtSj+5GL@Iyc1(U77?xhm?R70!n?fc0@ zNW`}}!+G6COBzjEtpngbT2>0t6camJ(~<_@NuHbTvX`FP-g&K9Q8L!*A&DgWbsa01 zAj>6gz&d>Fz{Qo02CnwaQ|t^)R!C zVLjY$7;BViJNarUCN7DU5}FvgJobH~^))mj16|ozb2xCRyLC=8U*Uv=ZQ4geGXHXM zny-Wps5w50Sj3W-#Dy+bsdNt30a6U?U$j@h`!vN|4&Wg@W%3Q1F}qcN0`8o_<-V2!Uy#pJJg&gaxLw?SIxfxk*9xxW zd1X%Y;pP~5VhFAKEdPuM&%pXw>_|x3wSB9i+A=AG{3;2`-M{v|_xwdeHAsMM*ZJw6 zBt)VTA@|a}ws7|wNAg}qA5{d12l!Pf(E5LJo!!3v5iIG$RAc5$@Qs+Z*g0c~nJ zCK>y4dTt^cW4km%nj*g(@J@XB_s#jIm6_Wtqy&1)a243T0wDMqev{^FDt|O~mWXMK zeY--jJ1!hkw?~OticLpn$lp-7yucg2WN3|YZggAzRH3a>b&yn+8-ddaajaR3>wwj% zADwCpFPz&cg@}mtNbvm2I6z|u2rUZLz)1IP=cW#?{l2%GODw`( z1&x~j?johL^|LfWg2H++7753Wx=601g!;_0UE^T3UQ&pQE2Pb@zSu$K|J3sNQaZEY 
zY-G#@S?2Up-K|)W%Y^n<>}95|pd<1Y=VwUE2|?{At~rPdRLl z^t*d$%OtSIloRE|2Z^IK#*a0!aKG+;ReLCW_7C3vrq9g>l}H&5kg!*x-b4VQxXWWb zs)zQeP+4wAoPxQ%v7w-D`#o<(XRW{}`T5%>qnzBGb1x4rXAks;P3~NO&-(*II%(Dq zIZ}r7Lq>beGY%^7?TFX|3^`V9sT~1B6zfp=xOA{-YNQ3*Z zp9MZHiVr!FCR4N5L*_{RMpaIIrug)VjW#1?&@bP{qvq7*Q+R6pz)BJjAuft7iZ5(| z?JAh>Kn1HHU$a7yoZEu_(>@E>3Vt*(&o6%AIMP;>5ua8**wEGM{$%ch;SGwA!k@OC ze?F4NBwO!!;j?vf=yrrd(|A5?8>$pnbynC3!8#5R!v#}G`}y(nA;|UJuw#nsEHrQo zHWR4KtncMeP^V)*9L|i?a>_!(!p_vMr}D4;Jjb3k8^8~>d$gK&MXZwMY$L^)O>m@f z-|mhP2WB}lF+YC#1cqp|#e406_Xac6>pCJU8g#rhP3saP8|pG)JJ*R+0B94gOO2;I z=Z`65OgzB%pG6J@t1`ExZv|j4HUHMK=}EvU*!@CyotC;*poi_59vyY51A^YS*V8B! zGKOSa-x; zJ+HE9AmDbjTroxxr(nbJr_9%+TcW!9d-|tGkyU~Mry^y_Gph-}@&SL;Wk*Q5YFnK1 z^&D3Q@*S|V!FPZyRqQ#|6-Dx8(fYV7VgxrVV5yZa^go2&%3?R4LXchkEo ziqkF=i)89d$)wV%bUv_22INa7O3a5;5M zeH1QksRmd%yN=}9QStOPrL2Q$WOb?_-&C^(exW-#JQuGH94^&#OT~N<1+P(o9~C0& zw45Yyz|0sAAHIal?nLr0l$O#W!*`-U@4BH<0{8TQ?aCpW#u#~>)91`1yuhZy(;cUa zT4rBZbOZt+YPTK`pnB5ImzL) z{T`)sJNMzt!P6+bClous6|t)IhhI%sPR6wBsZ`*ELqx3+s+N*OGX1uwHbHedNprH; zIh1{N>~B>jxGS|Q)%-y)O_jUxF6RmgrFi4)Y(JrmoEN`l6OglQVNa6(O@L;xADIc}Dk~FIlK& zS%OCmCBSX=i`wT3_I^6IYehx^IK`kW2?!wpNP;Id@%D)*QlF&oXuUdkr8~i$YbU%SI zKhA%4)g-U85t}O_!#PWe<~GdQV!A0!fh8()wr)m&Y5w`teHD5^>>-Nkm$ITXClg z+_uX_gqOvjA``ah)dc60>8!$@1@|EXV0_-z_3Tie;j>`7-nK&6Tv=tF;aT&Dal_%* zTyu{9+y($6Fky*L3R;neJC*sv5M?xLdUXNA@xUVI+?N_&|7rP~_P&Ph{EYYM`x#Lx zJ0q}nI*csGHoqy7IBC0rdz5AU<(@5KEpX0q3BPY@tqz8)=d}=qI~fE%m&Co!z)y4cq-I!WH%j)%$l^IHj>y#MnEQxJXLkVqByU&qvP1gyme5 zUkIHoEI-?tM$3B=I6vLGPl#p|eP$d;2?nzI8qhpxcs5$GsI!veKuBs+ed*G&dCriQ zhJ*lHTpB(yHPeX~JndP>xe94$25bwpms@(|vQD)9KZV2)Sbs=tSZZi2)pNN7rOr?i z`laG%-R>hlVK>zIqD*S_{P(u<*ZYjA9tpM z`R^f zWP>lhF&4;hE5E(vzM4qvJ$%2^ms8I_jYdu8s5Q`7KrM?%HVppJ-CKpmv=_)Z|Y zje+MzLaG6Vd8`&YZtZRDk)PVAr zbLv&zkJVZ>r;JXGScDBC^JALEFB8`;lBn;TEMNEPTi9x5u&E_f8qA15mI>E))jVuv zCU$jS6)kL6a8uC}6Bajr_LSemw1j^TYv3JQ?$ZeZYJkM(VwIi6k!Wor2_Ik|oab2L z(|4xwp)#}moB0}PL?Du`L@Wx=7?SELm4u!!m*HL5Hws)nQDUw$YS~YSTr{2U35w;l(!l;93(F%tG0z+Ofql-*7*)|AhSc8dwajh4>#yU*t4BXoQK 
zKTx>2|DA`C9JgbAs@JGaOKZ6#Jt^j}9U+o*6|I=C{Wv&13-B}^1S@DO_TXcT6lRNf zq+`Uzku(R~O0B};NQJZ^k;WBLY9Q$OE?Qf;+`l8?G$$YaSqs<~2T=3vSE2_&?V6Mz@M+6a_B{kWEtP)oCLVQe6gK7bZM}>TQ7Vg+LQ=+E8CzE+<2GvVrt;)MHrJu)d>sD8 z*|cm|gzX+-Hrak)6X%#?>m|Btrs>DO5!QGlV_<;uN8W>ILqKsd9`l-J^6R zI{WHS1`RNX}w-`@_G4tWzvX62;`1vPsY6cVj7XKK?1mV#ope7nVD8p zVuqCke=?+cY*?{Z5=WxZ-`1B1y%NJiDpjBX@?0SGrMQ2x`eZq*-H^A}tL5id-SVA z!xnprd|te3Yp#@(px}UeP`8n5=w$~1If^!<@beyTrHwz*r$0!}xx_y9CRBKv_@rcr z6yLF)uGCNh^pDG=31vMo?YjZ+@AYeBKw5rHSO8lzxFL1}rSz132O=5t>GjXL zfMXvRG&Hrz8Sq<|Z+r^dtKKndu`PWK;!66|;N5aar8)gWHZXH1iluwY0l=)K5iR*W zVZsYr-%Yn70fPrT>-F>G(tDGQLmZ{<9rFyf?(?DB&2?WJ!y4+~$0mqt&!B=keg)== zkZV30bfZ^YnVE)^|CS>en~v@9=?d)J$Y#Z;`AH#0RRDkCO)wt89U`>2&GmUy9nq)y z_k(EK@KvG+U>1w*XriQ)*06uNf?fF=ESim92$)$Ma~L>cW69;GJ(LDX{>} zVA~QApCOO$S!bK6LSv0ZX1Q!HA#(i9KgP`2@pe^f_3>HiVXp&Fw+X%MDz#PjVXE+J zHX1-is7K`wd(FE1ILn0u3lI*UTj+k?TV{58K28gQrvPsE^s-|F!w>w|pThJy`7cW+ z{ijN>pl0i_TWdy_zl$8djY%m5_)u`e6y?1)8cFOWId4D)os+=7;|=-^iCli6Vd2JC zIWd|XFUJC&A*L|QgI=>U{VRNq0_$^&-Z7ihVmOWMcK2MiZ`kvv;|{oS)K7g|(ZO3D zQ5A_e;!5B|PH(vQxqdr~ce-dJ^-QSOS^#gNNG;tWqu?+KM?CODB4uMav}{E9gi8XNje4^a&|}00kX9w?6R5 z7T-g*!Lt@R3%2VvXW&f7y~>t}Op?p^V6VRU^cZbz|p`+RgmShk{O?n>|i= z{5kr^08Z|G%yk3(E;N%8ea-}u9RTFeZwwCw!1Uy~vCxKPj^_7Y^LyLP_cyDFgyZUi zJU{h!6DQp-t5x$kt897EPmQ7hwVQ;y8wi+Eojgh7(X}nzz>y{E+6#qCkY4HK0uKWe zrOV(2Z_`jHy!gC;w%Qvozcm0c2!p%&m@>X@qB^ewdD4JW6nvK5`Za#-(cu&w%X?`? 
z?KY#vpL)UG2bQiG0l9xntaosxuzBSZKlD3RfVU;6g|QXPd*<$ z$vu@bNp`PuGspI|8y+14NL@(X#>~v*9|8h$eO1UE?W}Ljp94}ZUO8=9k@U9|!f)pg zX`39EScPT;`@wK>GSFx*;#^Os`xoS2H27N}mfE_U3sb+g+&gH+IdOC< zMQ6UJC1EQ)yE%uN{~eI^u>8B@mz3NodB6>k`iIY4T^x4QLvwLCSk+~!BiFl^!EPlRkf!RBQp#UEmw|?juj!`#*yzIr z+>qK$B)I{v61DO*ay6;aw&~mpHESgh*GCpXLs7}(D4kK3=$ zjfYIUDmXm%My_MMb<+x(YK#eBA{?!284W_=VTVJKxFmy%?%8K%60^{ZNT-7ujgq*k zQx-ED4Pm}dQ9jf{H3_R4nN6lO6&J@xWv?9leAfh7E^`a(VE~US2Qs@am)HN4pY08p zQ}L#u_&HDtly@2Dd-s&JmM3H}8dQsh_iEj>h5l0|s6A!kDPQCnRl@RRLTsgyR+fr11jk^OCy zL#%T<#*rcI71FBu*G$c*SRb8gq2SmRNn7wof4wrHYI;4+2RxNauv(TjDjxYhdd&_x zrOtR0mD1$zlcU5$et!9=!c+`=kI zNv!VUkB*eBYoi6kk|5fx8byxgTZqRSHYEvan1Aymc5l%S@ZVe(QBy5Ld++L?} zrJMOG%Y>QSlfiOTPUg~mQ7gEQ?x2llt+qqUF9hGGdwhUd`B<=f+cYTt*Q265-X3{e znt=U5fC5p)mzZO%dV|H-^PUH)&sSTP9h*&S|CFC_`YT4jk)&N;Jy?fk5RVaz=T8pL zY-T!dR*a5*x2rfA%L+%%_+Bfy&C0=Nv%^CE3N(4U1N*=cIJWD@-nj2d-nC_VGg*>| zz_1S=eGfA!z^{cS8QP=`r0NIkVR;iEK;)`8aaOAgN<^TiQK$%esft6*}H@LA=V#oT%L@w?X(Ef>g6eC zx`s=dJzraJkd`ZeZ3+QWU>=Jl5FJ@A-`ASb4kouBl*2sTC_Lm~AThsrkTKaQ^)&4) z;N{eqbw6%)lKgG-PxpM=#xjmlxM%Bog;h}i-~Is@#P#LFXykLcU)j1gKk|KPANKQ} zb}kS^&B(VM{rDs{>Yb1A$FB&z7Q=unZFYq|<>M(xR!BnZcH6sX?1$RAVI^yM;nizE zm?zKu0nX@n))C0|f7H#%p){asCKLm3mfr7Ntj=@D>T|Ge(oe+`kR9L-&#jG)0AlB0Hd?0K9*@&wJY8$ z5&kLXJ>~U3SZk3Bl%NDm@w$)=8%u{yeQ*4l5pGl6vg{d5@$UA7v{r-8s^{BApfA~f z*}^D8o!x?11z*ImR_#k+IR55UqBHF`bF_EtHF-Hkg4T)y8LX-1N=OHL1(%ZwaV$0@ zpZKa$y%1m(4`q9Lz4~y);|*2jaQ?Ivg5Mhdm7()|qI=qv7JCpwq-gIk4gM(%{$LPy|JQ~mt|BOB* z>N(_-zk9Dsc)QNCj`?km%?{jEuNMkl`mh_WyqPMV-L`jKS0y(UdZz=N1@9LCuSCcV z&IHbFv#Va$F)K5|?aTT{7?W@JxbqEC7nDw()$N=vB=Owg_cLB2n8Pk+!6THhR|8KC z5Kdq$sf9ENu!RW@3e{xGa(~1+4p!lEfs-xbsA1yQMpu#~u5wWQFKwnxvIlk6d>eKu%aol55Lwn z_p6wLc~>1AZS4mYEamRkVW0jI{b#h5txZSRSPfL`0(FAjghC!{w-VR z=`oTs{7}ztRRNr5sAn*gvX{Pc^zx{@6vE<%0(VZXDoF}I_>+m7s+J3g9(RG=-(@ZP2tFB|joK&4 zv*vo+$y3UV;7eI(a=B`tSKGQ1P`4gia}iMFSDRb7MAB0$gaW$LPp%$x8bJ^vl%7%(d_k|6fcN ze__S)A#gS$M?I9mEa8XJ-I_A7jhfdieJrF#HH4?lfji0d%Y9$tS+{11mCfqAM^gB7rKBO{(%8hCG|cr4vHg$)io@Ei70IvLZ@9p7Pv)^E)cuwZo|G&5^xLu5 
z8!$!09o+qn*27LF?5lO<$o^E|98ZarmBx|8CHssXz7G(xrIV;~0G0u^JsRb?E4&!% zDDZZ0{}Ag(PhEBQff%f0?S+&ICX4Wp-IW78_<%;cO&=~rV-Zbidm@toe*iItbKCj& zxx~VysUN-|VOy`@WHJ>MiI0R8y8pVOwxxgG#5hVGEU^Bu$GA;B5Lne#ycwpvS7O$+ zdX6kJnuCz5mB(tM@BJWNU7`Z<24s=)r(%PA2M;t2v+pUt?6D_Y`qfSN=%?4$>K=s=!Vk zwstoXo_{SZ%zw_O<<~h+RIL6?zrtaO`P;0RQj_X-SkID3)IvRL?o&)(ZAh$k>4jeL zZU-k>qfd7t@W#L?#!jXNl5>*k*Hgx!q?!SyZho=4HI|iiLlReEe^HS791Zi|MX&g| z;E>gr@>kR=x&j-X-tr%lx0Vs?QmL`N{A)BoYu@@c>F;>b2!A|~+ojoLdH>zP4B)oH zTQv(<8QMG4Db* z6yAL5x;s;2&Vi>VJAp((fn6Y`WyfXxOp&b2P)@r(8Eb4^8!Cekv%uV=1b1c-hqt|%&h@|GMLGK&CC zh`0qfmo30qsAub}-<{Y-JO*Of$!iMP<{#B}`mye(D*mm3p1{@K#!+Rv=lq9hC`$Wi z>BngVBd2I^Pnug-Wdl+N+r?3OPvICKwtx{%wy%=XQX#9|!MhoCQNXqGuU>)!X?roj zOj)kpc_*yTSR@zobc+9v>p14^sCu5OR_dh06b?y z(oCi+EWYQ?dp|yTcUWD=CTO}4a>6z0Jbk+o3<{QQya0ae7`odmCw#PTwr%WiPk!KB zzT(sVEpm@KXBp*jCy71lwxsgdv%YssR`T1o?d=U?-<#HmHGh1|tkNV2t!SP!Q*9Xn zL@2-tmci*Gzej1$skU5Kfhp!)mJy~UW_7S1#Zq>~xeU!BF3q;QqsMjD z{q5OpMk?tzOuE)pnI!}DcE>~Idv_p`XTGNPAIEQD?MfW@XxZ!rT_teOGikX_pB>Sj zayzZo|@W(#_~D(tlf1N zcGsNa3vImW>6P)tE??i(SqBtFs?n+I$1L@!_B2QjY!Aw6fX0n=BB(H5#k!8CDm?ws zf9@z>z9}{}7;Z#mv&)arK}!^GfMhpW zPV50f4Z!plK1cGlr!26kwo?x`(sGJkhb8rNoIkX1=|FTT8wB#0=;e8h!4K&{ak!gx zuUOYacO({WR)d17V3EoLN7%cTvzSM4iUaD-qB}#PTin1^`S6%XXuU#B4yS!~qbz+O z@X8P{pU^dn(;?`@MCPg+4!ZuRqBsFhn*^obxB%M4EY0-cF^-nXU_~Z#TYM=H0*FT( zt3q|BT+)Mn&6|&BGkSsNqp83Vqh z)Q$fzNjN3}Qy#g+oVpisBzu`V9GwJQB#;0WJK(NA2m~8o`(!1PR>18Tee4+<(d{15 zJ$n#{x(y)&o>6u63{#`26aS+Q+NFi*>Ez4+CsIp~5XlWKT7)l_iftXc>A(ZGf6;-O zN3Y3VMvv>VR7-&aC;DQgGH147rJKnXKOR&)C>9{JQi0%0JWadGA)^dn=6|iqmM7i- z{}Yz}FLkw!jYiAc&JlVvUTN=8I|Mw^`a{$r(uc9-Rsh>v*qnW~rRu>cu=)@lcC|ZqC4+6C6{L|5jCx;g&ojFMMHcF>Y(?T6Q)4U??D~7Div3F_F{6l_U zG>Wl3m9Dm4|B+ejH$SMlylrF-sjKi6Y67x zRvXe#t_y27reAw_n_bTWcKyT7|{zMgENXEl@y>sT>v74n)dnJ@(SPBA`j zm(c01v*FDGsNQ`!y*I{6wL;G5PHl=?%fEEH$&W5-6ai0n zWBHQ$O%^TxI0WW%M*41V_rb2(w$unS~-aeLvbFHPz8o|M_V`lb(7 zt=dP>4;Cf@6YI6U&|7FSzYj8?BcgUInS0fEq&5}rC~tI;LkfODt>?Ffwf*C_urKr6%I|!RSJtJ1OeY; 
zpkwqNg@uSek&zkL1it1YXKGa}rtr>kkkeo+U1j;F#AeWV&^V#;zqF~)gC?8=D0%;; z6w`#2@|D|Rng5%T%^*aXrGnl}7|B__@CXS6dT=e%R*scXV$PL)zE0!ogt_ z@uyWXrAYb2N&`2z!>*11v8)dya}PUMC-|DqT;Be>`|)?+Yrdutkve}$n((tvpcTR$(EJV?DPif3nIDbGK>RFh$DGbeE&UkoNC!-vHz8IiYS~s7N;!E9YsVpk~vd zb0HmGzxhbxb|+^i_?cb`pICfy2>|_K6HM>4QetZp;1lTE#ho`M34r7Dxa^gO0JDev z9@}P^(p8a@aQe8pm5;da`FfGKl&kiBFa$vwCZcE@o%>wMunhKnYXEzeziYrPz&c?Nc5hv~a##vLS!Rhc$R|nAMW6mQ8_Cdr1djzA%))?# z!1Z|6-%vcFH$`SVh&OQI4DlUoQ>Wr5EuA}HAwj9*u1iGmc_hrCvXV6yHrPP-xgM56{CjSr0K)# zfO_lzmQr`jwqSmu%i{NZE=2{-&rY<@Ra9`Wuf9OT=Mfy$xn9ha8?5v9G|h0Ws5#wP z*ubm|tYev2@W4yM#m_W>#9{;iFA^6-Cwh9i=x_d2_q+L@y5G%z*Zqgof&hQZ_I9tgjK>ZfYA8GwZk|NpshSC4IKRkMC a9s;7cx5QPsObv@@?{_@nP_)i+_lQ#()q literal 0 HcmV?d00001 From 221bb50e96839051956b477ed538ac16cf7cd0ec Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Mon, 2 Dec 2024 11:30:25 -0600 Subject: [PATCH 456/523] Revert "[release/v1.1] release: v1.1.4 (#4795)" (#4836) This reverts commit 7f3f5d043cc33db620464e718c186fe441b25127. Signed-off-by: Guy Daich --- release-notes/v1.1.4.yaml | 22 ---------------- site/content/en/news/releases/notes/v1.1.4.md | 25 ------------------- site/layouts/shortcodes/helm-version.html | 2 +- site/layouts/shortcodes/yaml-version.html | 2 +- 4 files changed, 2 insertions(+), 49 deletions(-) delete mode 100644 release-notes/v1.1.4.yaml delete mode 100644 site/content/en/news/releases/notes/v1.1.4.md diff --git a/release-notes/v1.1.4.yaml b/release-notes/v1.1.4.yaml deleted file mode 100644 index 29f47c99fd2..00000000000 --- a/release-notes/v1.1.4.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -date: November 27, 2024 - -# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs. -breaking changes: | - -# New features or capabilities added in this release. -new features: | - -# Fixes for bugs identified in previous versions. -bug fixes: | - Fixed validate proto messages before converting them to anypb.Any - Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work - Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes - Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn - -# Enhancements that improve performance. -performance improvements: | - -# Other notable changes not covered by the above sections. -Other changes: | - Bumped Rate Limit to 49af5cca - diff --git a/site/content/en/news/releases/notes/v1.1.4.md b/site/content/en/news/releases/notes/v1.1.4.md deleted file mode 100644 index b439d29c4a9..00000000000 --- a/site/content/en/news/releases/notes/v1.1.4.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: "v1.1.4" -publishdate: 2024-27-01 ---- - -Date: November 27, 2024 - -## Breaking changes -- - -## New features -- - -## Bug fixes -- Fixed validate proto messages before converting them to anypb.Any -- Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work -- Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes -- Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn - -## Performance improvements -- - -## Other changes -- Bumped Rate Limit to 49af5cca - diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index b21ca9586b8..421a5cae3d2 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html 
@@ -3,7 +3,7 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.4" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.3" -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index d68a435454c..d5f7514e571 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,7 +3,7 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.4" -}} +{{- "v1.1.3" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.3" -}} From b890071460380d9ffb5ffaad2ab39d88d06067c2 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Mon, 2 Dec 2024 19:56:14 -0600 Subject: [PATCH 457/523] feat(translator): ext-proc attributes (#4796) Signed-off-by: Guy Daich --- examples/grpc-ext-proc/main.go | 33 +++++++++++++++++++ internal/gatewayapi/envoyextensionpolicy.go | 8 +++++ ...with-extproc-with-backendtlspolicy.in.yaml | 5 +++ ...ith-extproc-with-backendtlspolicy.out.yaml | 10 ++++++ internal/ir/xds.go | 8 +++++ internal/ir/zz_generated.deepcopy.go | 10 ++++++ internal/xds/translator/extproc.go | 12 +++++++ .../testdata/in/xds-ir/ext-proc.yaml | 10 ++++++ .../out/xds-ir/ext-proc.listeners.yaml | 10 ++++++ .../ext-proc-envoyextensionpolicy.yaml | 8 +++-- test/e2e/tests/ext_proc.go | 16 ++++++--- 11 files changed, 124 insertions(+), 6 deletions(-) diff --git a/examples/grpc-ext-proc/main.go b/examples/grpc-ext-proc/main.go index 785480f1d20..ecdac6bd6be 100644 --- a/examples/grpc-ext-proc/main.go +++ b/examples/grpc-ext-proc/main.go 
@@ -210,6 +210,16 @@ func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_Proc resp := &envoy_service_proc_v3.ProcessingResponse{} switch v := req.Request.(type) { case *envoy_service_proc_v3.ProcessingRequest_RequestHeaders: + xdsRouteName := "" + + if req.Attributes != nil { + if epa, ok := req.Attributes["envoy.filters.http.ext_proc"]; ok { + if rqa, ok := epa.Fields["xds.route_name"]; ok { + xdsRouteName = rqa.GetStringValue() + } + } + } + xrch := "" if v.RequestHeaders != nil { hdrs := v.RequestHeaders.Headers.GetHeaders() @@ -230,6 +240,12 @@ func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_Proc RawValue: []byte("true"), }, }, + { + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-request-xds-route-name", + RawValue: []byte(xdsRouteName), + }, + }, }, }, }, @@ -257,8 +273,19 @@ func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_Proc RequestHeaders: rhq, }, } + break case *envoy_service_proc_v3.ProcessingRequest_ResponseHeaders: + + respXDSRouteName := "" + + if req.Attributes != nil { + if epa, ok := req.Attributes["envoy.filters.http.ext_proc"]; ok { + if rsa, ok := epa.Fields["xds.route_name"]; ok { + respXDSRouteName = rsa.GetStringValue() + } + } + } rhq := &envoy_service_proc_v3.HeadersResponse{ Response: &envoy_service_proc_v3.CommonResponse{ HeaderMutation: &envoy_service_proc_v3.HeaderMutation{ @@ -269,6 +296,12 @@ func (s *extProcServer) Process(srv envoy_service_proc_v3.ExternalProcessor_Proc RawValue: []byte("true"), }, }, + { + Header: &envoy_api_v3_core.HeaderValue{ + Key: "x-response-xds-route-name", + RawValue: []byte(respXDSRouteName), + }, + }, }, }, }, diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go index bb5da8be140..72133f83ace 100644 --- a/internal/gatewayapi/envoyextensionpolicy.go +++ b/internal/gatewayapi/envoyextensionpolicy.go 
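Review bot: In examples/grpc-ext-proc/main.go the `xds.route_name` lookup is written twice, once in the `ProcessingRequest_RequestHeaders` case and once in the `ProcessingRequest_ResponseHeaders` case, and both read `epa.Fields` directly, which dereferences the map value without a nil check. The generated getters are nil-safe, so each nested `if` block can become one line: `xdsRouteName := req.GetAttributes()["envoy.filters.http.ext_proc"].GetFields()["xds.route_name"].GetStringValue()`. The `break` added at the end of the request-headers case is redundant in a Go `switch` and can be dropped. `Process` starts and ends outside these hunks.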
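Review bot: The response-headers hunk in examples/grpc-ext-proc/main.go copies the `xds.route_name` attribute into the client-bound header `x-response-xds-route-name`, so every client sees the generated route name. The e2e expectation later in this patch shows that the name embeds the namespace and HTTPRoute name. That is fine for a conformance fixture, but this file is also the example people copy, so the mutation should carry a comment such as `// Test-only: echoes the xDS route name to the client; a production processor should not expose xDS attributes in response headers.`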
@@ -481,6 +481,10 @@ func (t *Translator) buildExtProc( if extProc.ProcessingMode.Request.Body != nil { extProcIR.RequestBodyProcessingMode = ptr.To(ir.ExtProcBodyProcessingMode(*extProc.ProcessingMode.Request.Body)) } + + if extProc.ProcessingMode.Request.Attributes != nil { + extProcIR.RequestAttributes = append(extProcIR.RequestAttributes, extProc.ProcessingMode.Request.Attributes...) + } } if extProc.ProcessingMode.Response != nil { @@ -488,6 +492,10 @@ func (t *Translator) buildExtProc( if extProc.ProcessingMode.Response.Body != nil { extProcIR.ResponseBodyProcessingMode = ptr.To(ir.ExtProcBodyProcessingMode(*extProc.ProcessingMode.Response.Body)) } + + if extProc.ProcessingMode.Response.Attributes != nil { + extProcIR.ResponseAttributes = append(extProcIR.ResponseAttributes, extProc.ProcessingMode.Response.Attributes...) + } } } diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml index ca3297a5fae..95e8b95701f 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml @@ -203,8 +203,13 @@ envoyExtensionPolicies: processingMode: request: body: Buffered + attributes: + - request.path response: body: Streamed + attributes: + - xds.route_metadata + - connection.requested_server_name messageTimeout: 5s failOpen: true - apiVersion: gateway.envoyproxy.io/v1alpha1 diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index a1d7beec90b..3fd129b8047 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -113,8 +113,13 @@ envoyExtensionPolicies: messageTimeout: 5s processingMode: request: + attributes: + - request.path body: Buffered response: + attributes: + - xds.route_metadata + - connection.requested_server_name body: Streamed targetRef: group: gateway.networking.k8s.io @@ -363,8 +368,13 @@ xdsIR: failOpen: true messageTimeout: 5s name: envoyextensionpolicy/default/policy-for-gateway/extproc/0 + requestAttributes: + - request.path requestBodyProcessingMode: Buffered requestHeaderProcessing: true + responseAttributes: + - xds.route_metadata + - connection.requested_server_name responseBodyProcessingMode: Streamed responseHeaderProcessing: true hostname: www.bar.com diff --git a/internal/ir/xds.go b/internal/ir/xds.go index c9fb1dd56b8..7114afc1f22 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -2602,6 +2602,14 @@ type ExtProc struct { // ResponseBodyProcessingMode Defines response body processing ResponseBodyProcessingMode *ExtProcBodyProcessingMode `json:"responseBodyProcessingMode,omitempty" yaml:"responseBodyProcessingMode,omitempty"` + + // RequestAttributes defines which envoy attributes are provided as context to external processor + // when processing requests + RequestAttributes []string `json:"requestAttributes,omitempty" yaml:"requestAttributes,omitempty"` + + // ResponseAttributes defines which envoy attributes are provided as context to external processor + // when processing responses + ResponseAttributes []string `json:"responseAttributes,omitempty" yaml:"responseAttributes,omitempty"` } // Wasm holds the information associated with the Wasm extensions. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index de0be09ff0f..f7384181dff 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go 
@@ -944,6 +944,16 @@ func (in *ExtProc) DeepCopyInto(out *ExtProc) { *out = new(ExtProcBodyProcessingMode) **out = **in } + if in.RequestAttributes != nil { + in, out := &in.RequestAttributes, &out.RequestAttributes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ResponseAttributes != nil { + in, out := &in.ResponseAttributes, &out.ResponseAttributes + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtProc. diff --git a/internal/xds/translator/extproc.go b/internal/xds/translator/extproc.go index 57cc9634d09..2270b2fb79d 100644 --- a/internal/xds/translator/extproc.go +++ b/internal/xds/translator/extproc.go @@ -137,6 +137,18 @@ func extProcConfig(extProc ir.ExtProc) *extprocv3.ExternalProcessor { config.ProcessingMode.ResponseHeaderMode = extprocv3.ProcessingMode_SEND } + if extProc.RequestAttributes != nil { + var attrs []string + attrs = append(attrs, extProc.RequestAttributes...) + config.RequestAttributes = attrs + } + + if extProc.ResponseAttributes != nil { + var attrs []string + attrs = append(attrs, extProc.ResponseAttributes...) + config.ResponseAttributes = attrs + } + return config } diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml index 3fa4cd8bcc7..da4939c228d 100644 --- a/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/ext-proc.yaml @@ -23,8 +23,13 @@ http: - name: envoyextensionpolicy/default/policy-for-route-2/extproc/0 failOpen: true messageTimeout: 5s + requestAttributes: + - xds.route_metadata + - connection.requested_server_name requestHeaderProcessing: true requestBodyProcessingMode: Buffered + responseAttributes: + - request.path responseBodyProcessingMode: Streamed authority: grpc-backend-4.default:4000 destination: 
@@ -71,6 +76,11 @@ http: - name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/extproc/0 failOpen: false messageTimeout: 15s + requestAttributes: + - xds.route_metadata + - connection.requested_server_name + responseAttributes: + - request.path authority: grpc-backend.envoy-gateway:9000 destination: name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml index acf4c0a40f6..a75f1ccc268 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.listeners.yaml @@ -32,6 +32,11 @@ responseBodyMode: STREAMED responseHeaderMode: SKIP responseTrailerMode: SKIP + requestAttributes: + - xds.route_metadata + - connection.requested_server_name + responseAttributes: + - request.path - disabled: true name: envoy.filters.http.ext_proc/envoyextensionpolicy/default/policy-for-route-1/extproc/0 typedConfig: @@ -78,6 +83,11 @@ requestTrailerMode: SKIP responseHeaderMode: SKIP responseTrailerMode: SKIP + requestAttributes: + - xds.route_metadata + - connection.requested_server_name + responseAttributes: + - request.path - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml index 3663e19b610..90d25613be5 100644 --- a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml +++ b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml @@ -51,8 +51,12 @@ spec: namespace: gateway-conformance-infra port: 9002 processingMode: - request: {} - response: {} + request: + attributes: + - xds.route_name + response: + attributes: + - xds.route_name --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy 
diff --git a/test/e2e/tests/ext_proc.go b/test/e2e/tests/ext_proc.go index 033da67f6bd..aa1ec549335 100644 --- a/test/e2e/tests/ext_proc.go +++ b/test/e2e/tests/ext_proc.go @@ -63,16 +63,24 @@ var ExtProcTest = suite.ConformanceTest{ Request: http.Request{ Path: "/processor", Headers: map[string]string{ - "x-request-ext-processed": "true", // header added by ext-processor to backend-bound request - "x-request-client-header-received": "original", // this is the original client header preserved by ext-proc in a new header - "x-request-client-header": "mutated", // this is the mutated value expected to reach upstream + // header added by ext-processor to backend-bound request + "x-request-ext-processed": "true", + // this is the original client header preserved by ext-proc in a new header + "x-request-client-header-received": "original", + // this is the mutated value expected to reach upstream + "x-request-client-header": "mutated", + // header added by ext-processor to request based on the xds.route_name attribute + "x-request-xds-route-name": "httproute/gateway-conformance-infra/http-with-ext-proc/rule/0/match/0/www_example_com", }, }, }, Response: http.Response{ StatusCode: 200, Headers: map[string]string{ - "x-response-ext-processed": "true", // header added by ext-processor to client-bound response + // header added by ext-processor to client-bound response + "x-response-ext-processed": "true", + // header added by ext-processor to response based on the xds.cluster_name attribute + "x-response-xds-route-name": "httproute/gateway-conformance-infra/http-with-ext-proc/rule/0/match/0/www_example_com", }, }, Namespace: ns, From 4a4c17993245cf02c7ef16a289124e60b2325b36 Mon Sep 17 00:00:00 2001 
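Review bot: The new comment above the expected `x-response-xds-route-name` header in test/e2e/tests/ext_proc.go says the value comes from the `xds.cluster_name` attribute, but nothing in this patch requests that attribute. ext-proc-envoyextensionpolicy.yaml lists only `xds.route_name` for both request and response, and the example processor reads `xds.route_name` in both cases. The comment should read `// header added by ext-processor to response based on the xds.route_name attribute`. The enclosing test table starts and ends outside the hunk.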
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Dec 2024 10:00:45 +0800 Subject: [PATCH 458/523] build(deps): bump sigs.k8s.io/gateway-api from 1.2.0 to 1.2.1 in /examples/extension-server (#4827) build(deps): bump sigs.k8s.io/gateway-api in /examples/extension-server Bumps [sigs.k8s.io/gateway-api](https://github.com/kubernetes-sigs/gateway-api) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/kubernetes-sigs/gateway-api/releases) - [Changelog](https://github.com/kubernetes-sigs/gateway-api/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/gateway-api/compare/v1.2.0...v1.2.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/gateway-api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Huabing Zhao From bcb4b4d03ae6f92160cd3a8fcba5068ef51f860b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 10:58:49 +0800 Subject: [PATCH 459/523] build(deps): bump distroless/static from `d71f4b2` to `6cd937e` in /tools/docker/envoy-gateway (#4828) build(deps): bump distroless/static in /tools/docker/envoy-gateway Bumps distroless/static from `d71f4b2` to `6cd937e`. --- updated-dependencies: - dependency-name: distroless/static dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/docker/envoy-gateway/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile index 880ce0abf34..78ba6679419 100644 --- a/tools/docker/envoy-gateway/Dockerfile +++ b/tools/docker/envoy-gateway/Dockerfile 
@@ -4,7 +4,7 @@ RUN mkdir -p /var/lib/eg # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea +FROM gcr.io/distroless/static:nonroot@sha256:6cd937e9155bdfd805d1b94e037f9d6a899603306030936a3b11680af0c2ed58 ARG TARGETPLATFORM COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/ COPY --from=source --chown=65532:65532 /var/lib /var/lib From c5f7fc1ae06976376169914be91c13d1928dce15 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 15:48:41 -0800 Subject: [PATCH 460/523] build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.7 (#4829) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.7. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238...015f24e6818733317a2da2edd6290ab26238649a) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index cd49c5a82c7..1c5e826076b 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -55,7 +55,7 @@ jobs: - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7 with: fail_ci_if_error: true files: ./coverage.xml From 226082b52c9dcbf85b22bd3c01f35509dc0cce2f Mon Sep 17 00:00:00 2001 From: Kevin Date: Thu, 5 Dec 2024 09:17:29 +0900 Subject: [PATCH 461/523] xds: fix ipFamily always nil (#4782) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) * chore: fix ipFamily always nil Signed-off-by: Juwon Hwang (Kevin) --------- 
Signed-off-by: Juwon Hwang (Kevin) Co-authored-by: zirain --- internal/gatewayapi/helpers.go | 48 +++++++-- internal/gatewayapi/helpers_test.go | 65 ++++++++++++ internal/gatewayapi/listener.go | 11 +- internal/gatewayapi/route.go | 4 +- internal/ir/xds.go | 20 ++-- internal/ir/zz_generated.deepcopy.go | 7 +- internal/xds/translator/cluster.go | 4 + internal/xds/translator/listener.go | 6 +- internal/xds/translator/translator.go | 1 + internal/xds/translator/utils.go | 40 ++++++++ internal/xds/translator/utils_test.go | 112 +++++++++++++++++++++ test/e2e/testdata/httproute-dualstack.yaml | 32 ++++++ test/e2e/tests/httproute_dualstack.go | 3 + 13 files changed, 323 insertions(+), 30 deletions(-) create mode 100644 internal/xds/translator/utils_test.go diff --git a/internal/gatewayapi/helpers.go b/internal/gatewayapi/helpers.go index 6ed1d7699a6..2626e1b4be3 100644 --- a/internal/gatewayapi/helpers.go +++ b/internal/gatewayapi/helpers.go 
@@ -610,20 +610,56 @@ func setIfNil[T any](target **T, value *T) { } } -func getIPFamily(envoyProxy *egv1a1.EnvoyProxy) *ir.IPFamily { +// getServiceIPFamily returns the IP family configuration from a Kubernetes Service +// following the dual-stack service configuration scenarios: +// https://kubernetes.io/docs/concepts/services-networking/dual-stack/#dual-stack-service-configuration-scenarios +// +// The IP family is determined in the following order: +// 1. Service.Spec.IPFamilyPolicy == RequireDualStack -> DualStack +// 2. Service.Spec.IPFamilies length > 1 -> DualStack +// 3. Service.Spec.IPFamilies[0] -> IPv4 or IPv6 +// 4. nil if not specified +func getServiceIPFamily(service *corev1.Service) *egv1a1.IPFamily { + if service == nil { + return nil + } + + // If ipFamilyPolicy is RequireDualStack, return DualStack + if service.Spec.IPFamilyPolicy != nil && + *service.Spec.IPFamilyPolicy == corev1.IPFamilyPolicyRequireDualStack { + return ptr.To(egv1a1.DualStack) + } + + // Check ipFamilies array + if len(service.Spec.IPFamilies) > 0 { + if len(service.Spec.IPFamilies) > 1 { + return ptr.To(egv1a1.DualStack) + } + switch service.Spec.IPFamilies[0] { + case corev1.IPv4Protocol: + return ptr.To(egv1a1.IPv4) + case corev1.IPv6Protocol: + return ptr.To(egv1a1.IPv6) + } + } + + return nil +} + +// getEnvoyIPFamily returns the IPFamily configuration from EnvoyProxy +func getEnvoyIPFamily(envoyProxy *egv1a1.EnvoyProxy) *egv1a1.IPFamily { if envoyProxy == nil || envoyProxy.Spec.IPFamily == nil { return nil } - var result ir.IPFamily + switch *envoyProxy.Spec.IPFamily { case egv1a1.IPv4: - result = ir.IPv4 + return ptr.To(egv1a1.IPv4) case egv1a1.IPv6: - result = ir.IPv6 + return ptr.To(egv1a1.IPv6) case egv1a1.DualStack: - result = ir.DualStack + return ptr.To(egv1a1.DualStack) default: return nil } - return &result } diff --git a/internal/gatewayapi/helpers_test.go b/internal/gatewayapi/helpers_test.go index 5698867c3ca..6403279a5a9 100644 
--- a/internal/gatewayapi/helpers_test.go +++ b/internal/gatewayapi/helpers_test.go @@ -15,6 +15,7 @@ import ( "testing" "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" @@ -551,3 +552,67 @@ func TestIsRefToGateway(t *testing.T) { }) } } + +func TestGetServiceIPFamily(t *testing.T) { + testCases := []struct { + name string + service *corev1.Service + expected *egv1a1.IPFamily + }{ + { + name: "nil service", + service: nil, + expected: nil, + }, + { + name: "require dual stack", + service: &corev1.Service{ + Spec: corev1.ServiceSpec{ + IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicyRequireDualStack), + }, + }, + expected: ptr.To(egv1a1.DualStack), + }, + { + name: "multiple ip families", + service: &corev1.Service{ + Spec: corev1.ServiceSpec{ + IPFamilies: []corev1.IPFamily{corev1.IPv4Protocol, corev1.IPv6Protocol}, + }, + }, + expected: ptr.To(egv1a1.DualStack), + }, + { + name: "ipv4 only", + service: &corev1.Service{ + Spec: corev1.ServiceSpec{ + IPFamilies: []corev1.IPFamily{corev1.IPv4Protocol}, + }, + }, + expected: ptr.To(egv1a1.IPv4), + }, + { + name: "ipv6 only", + service: &corev1.Service{ + Spec: corev1.ServiceSpec{ + IPFamilies: []corev1.IPFamily{corev1.IPv6Protocol}, + }, + }, + expected: ptr.To(egv1a1.IPv6), + }, + { + name: "no ip family specified", + service: &corev1.Service{ + Spec: corev1.ServiceSpec{}, + }, + expected: nil, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + result := getServiceIPFamily(tc.service) + require.Equal(t, tc.expected, result) + }) + } +} diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go index bf369e7b827..75739609609 100644 --- a/internal/gatewayapi/listener.go +++ b/internal/gatewayapi/listener.go 
@@ -102,8 +102,8 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource } address := net.IPv4ListenerAddress - ipFamily := getIPFamily(gateway.envoyProxy) - if ipFamily != nil && (*ipFamily == ir.IPv6 || *ipFamily == ir.DualStack) { + ipFamily := getEnvoyIPFamily(gateway.envoyProxy) + if ipFamily != nil && (*ipFamily == egv1a1.IPv6 || *ipFamily == egv1a1.DualStack) { address = net.IPv6ListenerAddress } @@ -118,7 +118,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource Address: address, Port: uint32(containerPort), Metadata: buildListenerMetadata(listener, gateway), - IPFamily: getIPFamily(gateway.envoyProxy), + IPFamily: ipFamily, }, TLS: irTLSConfigs(listener.tlsSecrets...), Path: ir.PathSettings{ @@ -126,9 +126,6 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource EscapedSlashesAction: ir.UnescapeAndRedirect, }, } - if ipFamily := getIPFamily(gateway.envoyProxy); ipFamily != nil { - irListener.CoreListenerDetails.IPFamily = ipFamily - } if listener.Hostname != nil { irListener.Hostnames = append(irListener.Hostnames, string(*listener.Hostname)) } else { @@ -144,7 +141,7 @@ func (t *Translator) ProcessListeners(gateways []*GatewayContext, xdsIR resource Name: irListenerName(listener), Address: address, Port: uint32(containerPort), - IPFamily: getIPFamily(gateway.envoyProxy), + IPFamily: ipFamily, }, // Gateway is processed firstly, then ClientTrafficPolicy, then xRoute. diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 26627a07285..ddada5f17b6 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -1232,6 +1232,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, addrType *ir.DestinationAddressType ) protocol := inspectAppProtocolByRouteKind(routeType) + switch KindDerefOr(backendRef.Kind, resource.KindService) { case resource.KindServiceImport: serviceImport := resources.GetServiceImport(backendNamespace, string(backendRef.Name)) @@ -1262,9 +1263,9 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, Endpoints: endpoints, AddressType: addrType, } + case resource.KindService: ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) - ds.TLS = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, @@ -1280,6 +1281,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, envoyProxy, ) ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) + ds.IPFamily = getServiceIPFamily(resources.GetService(backendNamespace, string(backendRef.Name))) case egv1a1.KindBackend: ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources) diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 7114afc1f22..486b7514cd4 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
@@ -250,19 +250,12 @@ type CoreListenerDetails struct { ExtensionRefs []*UnstructuredRef `json:"extensionRefs,omitempty" yaml:"extensionRefs,omitempty"` // Metadata is used to enrich envoy resource metadata with user and provider-specific information Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` - // IPFamily specifies the IP address family for the gateway. - // It can be IPv4, IPv6, or DualStack. + // IPFamily specifies the IP address family used by the Gateway for its listening ports. IPFamily *IPFamily `json:"ipFamily,omitempty" yaml:"ipFamily,omitempty"` } // IPFamily specifies the IP address family used by the Gateway for its listening ports. -type IPFamily string - -const ( - IPv4 IPFamily = "IPv4" - IPv6 IPFamily = "IPv6" - DualStack IPFamily = "DualStack" -) +type IPFamily = egv1a1.IPFamily func (l CoreListenerDetails) GetName() string { return l.Name @@ -1308,9 +1301,11 @@ type DestinationSetting struct { Endpoints []*DestinationEndpoint `json:"endpoints,omitempty" yaml:"endpoints,omitempty"` // AddressTypeState specifies the state of DestinationEndpoint address type. AddressType *DestinationAddressType `json:"addressType,omitempty" yaml:"addressType,omitempty"` - - TLS *TLSUpstreamConfig `json:"tls,omitempty" yaml:"tls,omitempty"` - Filters *DestinationFilters `json:"filters,omitempty" yaml:"filters,omitempty"` + // IPFamily specifies the IP family (IPv4 or IPv6) to use for this destination's endpoints. + // This is derived from the backend service and endpoint slice information. + IPFamily *IPFamily `json:"ipFamily,omitempty" yaml:"ipFamily,omitempty"` + TLS *TLSUpstreamConfig `json:"tls,omitempty" yaml:"tls,omitempty"` + Filters *DestinationFilters `json:"filters,omitempty" yaml:"filters,omitempty"` } // Validate the fields within the RouteDestination structure 
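Review bot: The doc comment added for `DestinationSetting.IPFamily` in internal/ir/xds.go does not match how the field is populated in this patch. It says "IPv4 or IPv6" and "derived from the backend service and endpoint slice information", whereas route.go sets it only in the `KindService` branch via `getServiceIPFamily`, which reads the Service spec alone and can also return DualStack. ServiceImport and Backend destinations appear to leave it nil, so `determineIPFamily` would decide a mixed route's family from its Service backends only; whether that is intended is not visible here. Suggested wording: `// IPFamily is the IP family (IPv4, IPv6 or DualStack) declared by the backend Service; nil when the backend is not a Service or declares no family.` The struct continues outside the hunk.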
@@ -1686,6 +1681,7 @@ func (t TCPListener) Validate() error { func (t TCPRoute) Validate() error { var errs error + if t.Name == "" { errs = errors.Join(errs, ErrRouteNameEmpty) } diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index f7384181dff..6db14262456 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -592,7 +592,7 @@ func (in *CoreListenerDetails) DeepCopyInto(out *CoreListenerDetails) { } if in.IPFamily != nil { in, out := &in.IPFamily, &out.IPFamily - *out = new(IPFamily) + *out = new(v1alpha1.IPFamily) **out = **in } } @@ -772,6 +772,11 @@ func (in *DestinationSetting) DeepCopyInto(out *DestinationSetting) { *out = new(DestinationAddressType) **out = **in } + if in.IPFamily != nil { + in, out := &in.IPFamily, &out.IPFamily + *out = new(v1alpha1.IPFamily) + **out = **in + } if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSUpstreamConfig) diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index c5064c29eef..10792bae24b 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -698,6 +698,7 @@ type ExtraArgs struct { metrics *ir.Metrics http1Settings *ir.HTTP1Settings http2Settings *ir.HTTP2Settings + ipFamily *egv1a1.IPFamily } type clusterArgs interface { @@ -716,6 +717,7 @@ func (route *UDPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs endpointType: buildEndpointType(route.Destination.Settings), metrics: extra.metrics, dns: route.DNS, + ipFamily: extra.ipFamily, } } @@ -737,6 +739,7 @@ func (route *TCPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsClusterArgs metrics: extra.metrics, backendConnection: route.BackendConnection, dns: route.DNS, + ipFamily: extra.ipFamily, } } 
@@ -754,6 +757,7 @@ func (httpRoute *HTTPRouteTranslator) asClusterArgs(extra *ExtraArgs) *xdsCluste http1Settings: extra.http1Settings, http2Settings: extra.http2Settings, useClientProtocol: ptr.Deref(httpRoute.UseClientProtocol, false), + ipFamily: extra.ipFamily, } // Populate traffic features. diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 1568ed3e570..36cf9a8953b 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -180,7 +180,7 @@ func buildXdsTCPListener( }, } - if ipFamily != nil && *ipFamily == ir.DualStack { + if ipFamily != nil && *ipFamily == egv1a1.DualStack { socketAddress := listener.Address.GetSocketAddress() socketAddress.Ipv4Compat = true } @@ -224,7 +224,7 @@ func buildXdsQuicListener(name, address string, port uint32, ipFamily *ir.IPFami DrainType: listenerv3.Listener_MODIFY_ONLY, } - if ipFamily != nil && *ipFamily == ir.DualStack { + if ipFamily != nil && *ipFamily == egv1a1.DualStack { socketAddress := xdsListener.Address.GetSocketAddress() socketAddress.Ipv4Compat = true } @@ -869,7 +869,7 @@ func buildXdsUDPListener(clusterName string, udpListener *ir.UDPListener, access }}, } - if udpListener.IPFamily != nil && *udpListener.IPFamily == ir.DualStack { + if udpListener.IPFamily != nil && *udpListener.IPFamily == egv1a1.DualStack { socketAddress := xdsListener.Address.GetSocketAddress() socketAddress.Ipv4Compat = true } diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go index 1e0ae77e915..79f16d5d1b5 100644 --- a/internal/xds/translator/translator.go +++ b/internal/xds/translator/translator.go @@ -464,6 +464,7 @@ func (t *Translator) addRouteToRouteConfig( ea := &ExtraArgs{ metrics: metrics, http1Settings: httpListener.HTTP1, + ipFamily: determineIPFamily(httpRoute.Destination.Settings), } if httpRoute.Traffic != nil && httpRoute.Traffic.HTTP2 != nil { 
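Review bot: `ipFamily` is populated only here, for HTTP routes. The `asClusterArgs` hunks for `UDPRouteTranslator` and `TCPRouteTranslator` copy `extra.ipFamily`, but no visible hunk sets it on the `ExtraArgs` built for TCP or UDP listeners, so those clusters presumably always receive nil. If that is intended, say so on the field, e.g. `// ipFamily is set for HTTP routes only; nil for TCP/UDP routes`; otherwise the TCP/UDP call sites need the same `determineIPFamily(...)` call. The added line also dereferences `httpRoute.Destination`, so it depends on a nil check that would have to sit outside this hunk; the enclosing function starts and ends outside it.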
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go index 882d9b1e926..30c2f771ef0 100644 --- a/internal/xds/translator/utils.go +++ b/internal/xds/translator/utils.go @@ -196,3 +196,43 @@ func addClusterFromURL(url string, tCtx *types.ResourceVersionTable) error { return addXdsCluster(tCtx, clusterArgs) } + +// determineIPFamily determines the IP family based on multiple destination settings +func determineIPFamily(settings []*ir.DestinationSetting) *egv1a1.IPFamily { + // If there's only one setting, return its IPFamily directly + if len(settings) == 1 { + return settings[0].IPFamily + } + + hasIPv4 := false + hasIPv6 := false + hasDualStack := false + + for _, setting := range settings { + if setting.IPFamily == nil { + continue + } + + switch *setting.IPFamily { + case egv1a1.IPv4: + hasIPv4 = true + case egv1a1.IPv6: + hasIPv6 = true + case egv1a1.DualStack: + hasDualStack = true + } + } + + switch { + case hasDualStack: + return ptr.To(egv1a1.DualStack) + case hasIPv4 && hasIPv6: + return ptr.To(egv1a1.DualStack) + case hasIPv4: + return ptr.To(egv1a1.IPv4) + case hasIPv6: + return ptr.To(egv1a1.IPv6) + default: + return nil + } +} diff --git a/internal/xds/translator/utils_test.go b/internal/xds/translator/utils_test.go new file mode 100644 index 00000000000..588c68690b6 --- /dev/null +++ b/internal/xds/translator/utils_test.go 
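Review bot: `determineIPFamily` dereferences every element of `settings` without a nil check, so `settings[0].IPFamily` in the single-element path and `setting.IPFamily` in the loop both panic on a nil `*ir.DestinationSetting`. Guard the loop with `if setting == nil || setting.IPFamily == nil { continue }` and drop the `len(settings) == 1` shortcut, because the loop already yields the same answer for the three defined values (the shortcut also returns the IR's own pointer, while every other path returns a fresh one). The two DualStack branches can be merged into `case hasDualStack, hasIPv4 && hasIPv6:`. The doc comment should state the merge rule, for example `// determineIPFamily returns DualStack when any setting is DualStack or when both IPv4 and IPv6 appear, the single family otherwise, and nil when no setting declares one.`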
@@ -0,0 +1,112 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package translator + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "k8s.io/utils/ptr" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/ir" +) + +func TestDetermineIPFamily(t *testing.T) { + tests := []struct { + name string + settings []*ir.DestinationSetting + want *egv1a1.IPFamily + }{ + { + name: "nil settings should return nil", + settings: nil, + want: nil, + }, + { + name: "empty settings should return nil", + settings: []*ir.DestinationSetting{}, + want: nil, + }, + { + name: "single IPv4 setting", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv4)}, + }, + want: ptr.To(egv1a1.IPv4), + }, + { + name: "single IPv6 setting", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv6)}, + }, + want: ptr.To(egv1a1.IPv6), + }, + { + name: "single DualStack setting", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.DualStack)}, + }, + want: ptr.To(egv1a1.DualStack), + }, + { + name: "mixed IPv4 and IPv6 should return DualStack", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv4)}, + {IPFamily: ptr.To(egv1a1.IPv6)}, + }, + want: ptr.To(egv1a1.DualStack), + }, + { + name: "DualStack with IPv4 should return DualStack", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.DualStack)}, + {IPFamily: ptr.To(egv1a1.IPv4)}, + }, + want: ptr.To(egv1a1.DualStack), + }, + { + name: "DualStack with IPv6 should return DualStack", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.DualStack)}, + {IPFamily: ptr.To(egv1a1.IPv6)}, + }, + want: ptr.To(egv1a1.DualStack), + }, + { + name: "mixed with nil IPFamily should be ignored", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv4)}, + {IPFamily: nil}, + 
{IPFamily: ptr.To(egv1a1.IPv6)}, + }, + want: ptr.To(egv1a1.DualStack), + }, + { + name: "multiple IPv4 settings should return IPv4", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv4)}, + {IPFamily: ptr.To(egv1a1.IPv4)}, + }, + want: ptr.To(egv1a1.IPv4), + }, + { + name: "multiple IPv6 settings should return IPv6", + settings: []*ir.DestinationSetting{ + {IPFamily: ptr.To(egv1a1.IPv6)}, + {IPFamily: ptr.To(egv1a1.IPv6)}, + }, + want: ptr.To(egv1a1.IPv6), + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := determineIPFamily(tt.settings) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/test/e2e/testdata/httproute-dualstack.yaml b/test/e2e/testdata/httproute-dualstack.yaml index e1289dac50e..97a79c78ac3 100644 --- a/test/e2e/testdata/httproute-dualstack.yaml +++ b/test/e2e/testdata/httproute-dualstack.yaml @@ -95,6 +95,30 @@ spec: selector: app: infra-backend-v1 --- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: infra-backend-v1-httproute-all-stacks + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: dualstack-gateway + rules: + - backendRefs: + - name: infra-backend-v1-service-ipv4 + port: 8080 + weight: 30 + - name: infra-backend-v1-service-ipv6 + port: 8080 + weight: 30 + - name: infra-backend-v1-service-dualstack + port: 8080 + weight: 40 + matches: + - path: + type: PathPrefix + value: /all-stacks +--- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: @@ -119,3 +143,11 @@ spec: - name: http port: 80 protocol: HTTP +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: envoy-gateway + namespace: gateway-conformance-infra +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller diff --git a/test/e2e/tests/httproute_dualstack.go b/test/e2e/tests/httproute_dualstack.go index b01fc392a12..f765b08cd1a 100644 --- a/test/e2e/tests/httproute_dualstack.go +++ b/test/e2e/tests/httproute_dualstack.go 
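Review bot: The table never passes settings that are present but carry no family: there is no single-element case with a nil `IPFamily` and no multi-element case where every `IPFamily` is nil, so the nil result is only checked for a nil or empty slice. Add `{name: "all nil IPFamily should return nil", settings: []*ir.DestinationSetting{{IPFamily: nil}, {IPFamily: nil}}, want: nil}` and a one-element variant of it. A case with a nil element in the slice would also pin down whether `determineIPFamily` is expected to tolerate it; as written it would panic.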
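Review bot: `GatewayClass` is a cluster-scoped resource, so the `namespace: gateway-conformance-infra` line in the added manifest has no effect and reads as if the class were namespaced; drop it. The manifest also declares a class named `envoy-gateway`, which presumably already exists in the e2e cluster. If so, applying this file updates the shared object, so confirm the spec here matches the one the suite installs, or leave the class out of this test data.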
@@ -38,6 +38,9 @@ var HTTPRouteDualStackTest = suite.ConformanceTest{ t.Run("HTTPRoute to IPv4 only service", func(t *testing.T) { runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-httproute-ipv4", "/ipv4-only") }) + t.Run("HTTPRoute to All-stacks services", func(t *testing.T) { + runHTTPRouteTest(t, suite, ns, gwNN, "infra-backend-v1-httproute-all-stacks", "/all-stacks") + }) }, } From e6d3526f025ee2d924a49b63e03422021b106fa4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 09:38:12 +0800 Subject: [PATCH 462/523] build(deps): bump github.com/golangci/golangci-lint from 1.62.0 to 1.62.2 in /tools/src/golangci-lint (#4831) build(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.62.0 to 1.62.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.62.0...v1.62.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/golangci-lint/go.mod | 18 ++++++++--------- tools/src/golangci-lint/go.sum | 36 +++++++++++++++++----------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/tools/src/golangci-lint/go.mod b/tools/src/golangci-lint/go.mod index d7d2cdce1f2..f84bb3bc267 100644 --- a/tools/src/golangci-lint/go.mod +++ b/tools/src/golangci-lint/go.mod @@ -2,7 +2,7 @@ module local go 1.23.3 -require github.com/golangci/golangci-lint v1.62.0 +require github.com/golangci/golangci-lint v1.62.2 require ( 4d63.com/gocheckcompilerdirectives v1.2.1 // indirect 
@@ -11,9 +11,9 @@ require ( github.com/Abirdcfly/dupword v0.1.3 // indirect github.com/Antonboom/errname v1.0.0 // indirect github.com/Antonboom/nilnil v1.0.0 // indirect - github.com/Antonboom/testifylint v1.5.0 // indirect + github.com/Antonboom/testifylint v1.5.2 // indirect github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect - github.com/Crocmagnon/fatcontext v0.5.2 // indirect + github.com/Crocmagnon/fatcontext v0.5.3 // indirect github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect github.com/Masterminds/semver/v3 v3.3.0 // indirect @@ -103,19 +103,19 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect - github.com/mgechev/revive v1.5.0 // indirect + github.com/mgechev/revive v1.5.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/moricho/tparallel v0.3.2 // indirect github.com/nakabonne/nestif v0.3.1 // indirect github.com/nishanths/exhaustive v0.12.0 // indirect github.com/nishanths/predeclared v0.2.2 // indirect - github.com/nunnatsa/ginkgolinter v0.18.0 // indirect + github.com/nunnatsa/ginkgolinter v0.18.3 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/polyfloyd/go-errorlint v1.6.0 // indirect + github.com/polyfloyd/go-errorlint v1.7.0 // indirect github.com/prometheus/client_golang v1.12.1 // indirect github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/common v0.32.1 // indirect 
@@ -150,7 +150,7 @@ require ( github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect github.com/stretchr/objx v0.5.2 // indirect - github.com/stretchr/testify v1.9.0 // indirect + github.com/stretchr/testify v1.10.0 // indirect github.com/subosito/gotenv v1.4.1 // indirect github.com/tdakkota/asciicheck v0.2.0 // indirect github.com/tetafro/godot v1.4.18 // indirect @@ -161,7 +161,7 @@ require ( github.com/ultraware/funlen v0.1.0 // indirect github.com/ultraware/whitespace v0.1.1 // indirect github.com/uudashr/gocognit v1.1.3 // indirect - github.com/uudashr/iface v1.2.0 // indirect + github.com/uudashr/iface v1.2.1 // indirect github.com/xen0n/gosmopolitan v1.2.2 // indirect github.com/yagipy/maintidx v1.0.0 // indirect github.com/yeya24/promlinter v0.3.0 // indirect @@ -174,7 +174,7 @@ require ( go.uber.org/multierr v1.6.0 // indirect go.uber.org/zap v1.24.0 // indirect golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect - golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 // indirect + golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect golang.org/x/mod v0.22.0 // indirect golang.org/x/sync v0.9.0 // indirect golang.org/x/sys v0.27.0 // indirect diff --git a/tools/src/golangci-lint/go.sum b/tools/src/golangci-lint/go.sum index c8205a75d73..20fd8682dca 100644 --- a/tools/src/golangci-lint/go.sum +++ b/tools/src/golangci-lint/go.sum 
@@ -43,14 +43,14 @@ github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoT github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI= github.com/Antonboom/nilnil v1.0.0 h1:n+v+B12dsE5tbAqRODXmEKfZv9j2KcTBrp+LkoM4HZk= github.com/Antonboom/nilnil v1.0.0/go.mod h1:fDJ1FSFoLN6yoG65ANb1WihItf6qt9PJVTn/s2IrcII= -github.com/Antonboom/testifylint v1.5.0 h1:dlUIsDMtCrZWUnvkaCz3quJCoIjaGi41GzjPBGkkJ8A= -github.com/Antonboom/testifylint v1.5.0/go.mod h1:wqaJbu0Blb5Wag2wv7Z5xt+CIV+eVLxtGZrlK13z3AE= +github.com/Antonboom/testifylint v1.5.2 h1:4s3Xhuv5AvdIgbd8wOOEeo0uZG7PbDKQyKY5lGoQazk= +github.com/Antonboom/testifylint v1.5.2/go.mod h1:vxy8VJ0bc6NavlYqjZfmp6EfqXMtBgQ4+mhCojwC1P8= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs= github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Crocmagnon/fatcontext v0.5.2 h1:vhSEg8Gqng8awhPju2w7MKHqMlg4/NI+gSDHtR3xgwA= -github.com/Crocmagnon/fatcontext v0.5.2/go.mod h1:87XhRMaInHP44Q7Tlc7jkgKKB7kZAOPiDkFMdKCC+74= +github.com/Crocmagnon/fatcontext v0.5.3 h1:zCh/wjc9oyeF+Gmp+V60wetm8ph2tlsxocgg/J0hOps= +github.com/Crocmagnon/fatcontext v0.5.3/go.mod h1:XoCQYY1J+XTfyv74qLXvNw4xFunr3L1wkopIIKG7wGM= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU= 
@@ -230,8 +230,8 @@ github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUP github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME= github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE= -github.com/golangci/golangci-lint v1.62.0 h1:/G0g+bi1BhmGJqLdNQkKBWjcim8HjOPc4tsKuHDOhcI= -github.com/golangci/golangci-lint v1.62.0/go.mod h1:jtoOhQcKTz8B6dGNFyfQV3WZkQk+YvBDewDtNpiAJts= +github.com/golangci/golangci-lint v1.62.2 h1:b8K5K9PN+rZN1+mKLtsZHz2XXS9aYKzQ9i25x3Qnxxw= +github.com/golangci/golangci-lint v1.62.2/go.mod h1:ILWWyeFUrctpHVGMa1dg2xZPKoMUTc5OIMgW7HZr34g= github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs= github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo= github.com/golangci/modinfo v0.3.4 h1:oU5huX3fbxqQXdfspamej74DFX0kyGLkw1ppvXoJ8GA= 
@@ -369,8 +369,8 @@ github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6T github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/mgechev/revive v1.5.0 h1:oaSmjA7rP8+HyoRuCgC531VHwnLH1AlJdjj+1AnQceQ= -github.com/mgechev/revive v1.5.0/go.mod h1:L6T3H8EoerRO86c7WuGpvohIUmiploGiyoYbtIWFmV8= +github.com/mgechev/revive v1.5.1 h1:hE+QPeq0/wIzJwOphdVyUJ82njdd8Khp4fUIHGZHW3M= +github.com/mgechev/revive v1.5.1/go.mod h1:lC9AhkJIBs5zwx8wkudyHrU+IJkrEKmpCmGMnIJPk4o= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 
@@ -390,8 +390,8 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs= github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk= github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c= -github.com/nunnatsa/ginkgolinter v0.18.0 h1:ZXO1wKhPg3A6LpbN5dMuqwhfOjN5c3ous8YdKOuqk9k= -github.com/nunnatsa/ginkgolinter v0.18.0/go.mod h1:vPrWafSULmjMGCMsfGA908if95VnHQNAahvSBOjTuWs= +github.com/nunnatsa/ginkgolinter v0.18.3 h1:WgS7X3zzmni3vwHSBhvSgqrRgUecN6PQUcfB0j1noDw= +github.com/nunnatsa/ginkgolinter v0.18.3/go.mod h1:BE1xyB/PNtXXG1azrvrqJW5eFH0hSRylNzFy8QHPwzs= github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= 
@@ -415,8 +415,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/polyfloyd/go-errorlint v1.6.0 h1:tftWV9DE7txiFzPpztTAwyoRLKNj9gpVm2cg8/OwcYY= -github.com/polyfloyd/go-errorlint v1.6.0/go.mod h1:HR7u8wuP1kb1NeN1zqTd1ZMlqUKPPHF+Id4vIPvDqVw= +github.com/polyfloyd/go-errorlint v1.7.0 h1:Zp6lzCK4hpBDj8y8a237YK4EPrMXQWvOe3nGoH4pFrU= +github.com/polyfloyd/go-errorlint v1.7.0/go.mod h1:dGWKu85mGHnegQ2SWpEybFityCg3j7ZbwsVUxAOk9gY= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= @@ -521,8 +521,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM= 
@@ -547,8 +547,8 @@ github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/ github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8= github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM= github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U= -github.com/uudashr/iface v1.2.0 h1:ECJjh5q/1Zmnv/2yFpWV6H3oMg5+Mo+vL0aqw9Gjazo= -github.com/uudashr/iface v1.2.0/go.mod h1:Ux/7d/rAF3owK4m53cTVXL4YoVHKNqnoOeQHn2xrlp0= +github.com/uudashr/iface v1.2.1 h1:vHHyzAUmWZ64Olq6NZT3vg/z1Ws56kyPdBOd5kTXDF8= +github.com/uudashr/iface v1.2.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg= github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU= github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg= github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM= 
@@ -609,8 +609,8 @@ golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWB golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= -golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 h1:bVwtbF629Xlyxk6xLQq2TDYmqP0uiWaet5LwRebuY0k= -golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= +golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f h1:WTyX8eCCyfdqiPYkRGm0MqElSfYFH3yR1+rl/mct9sA= +golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= From 30748007ebc4f5cd46c8dfe567e5a43ac0390700 Mon Sep 17 00:00:00 2001 From: sh2 Date: Thu, 5 Dec 2024 15:43:42 +0800 Subject: [PATCH 463/523] refactor: reuse the filewatcher for file-provider (#4807) reuse filewatcher 
Signed-off-by: shawnh2 Co-authored-by: zirain --- internal/filewatcher/filewatcher.go | 19 +- internal/filewatcher/filewatcher_test.go | 65 +++- internal/filewatcher/worker.go | 43 ++- internal/provider/file/file.go | 104 ++++-- internal/provider/file/notifier.go | 316 ------------------ internal/provider/file/path.go | 47 --- internal/provider/file/store.go | 21 +- internal/provider/file/testdata/paths/dir/bar | 1 - internal/provider/file/testdata/paths/foo | 1 - internal/utils/path/path.go | 34 ++ .../file => utils/path}/path_test.go | 32 +- 11 files changed, 233 insertions(+), 450 deletions(-) delete mode 100644 internal/provider/file/notifier.go delete mode 100644 internal/provider/file/path.go delete mode 100644 internal/provider/file/testdata/paths/dir/bar delete mode 100644 internal/provider/file/testdata/paths/foo rename internal/{provider/file => utils/path}/path_test.go (51%) diff --git a/internal/filewatcher/filewatcher.go b/internal/filewatcher/filewatcher.go index 4fce5e9aba4..b7b5555aee7 100644 --- a/internal/filewatcher/filewatcher.go +++ b/internal/filewatcher/filewatcher.go @@ -8,6 +8,7 @@ package filewatcher import ( "errors" "fmt" + "os" "path/filepath" "sync" @@ -90,7 +91,6 @@ func (fw *fileWatcher) Add(path string) error { return err } -// Stop watching a path func (fw *fileWatcher) Remove(path string) error { fw.mu.Lock() defer fw.mu.Unlock() @@ -142,9 +142,7 @@ func (fw *fileWatcher) getWorker(path string) (*workerState, string, string, err return nil, "", "", errors.New("using a closed watcher") } - cleanedPath := filepath.Clean(path) - parentPath, _ := filepath.Split(cleanedPath) - + cleanedPath, parentPath := getPath(path) ws, workerExists := fw.workers[parentPath] if !workerExists { wk, err := newWorker(parentPath, fw.funcs) 
@@ -167,8 +165,7 @@ func (fw *fileWatcher) findWorker(path string) (*workerState, string, error) { return nil, "", errors.New("using a closed watcher") } - cleanedPath := filepath.Clean(path) - parentPath, _ := filepath.Split(cleanedPath) + cleanedPath, parentPath := getPath(path) ws, workerExists := fw.workers[parentPath] if !workerExists { @@ -177,3 +174,13 @@ func (fw *fileWatcher) findWorker(path string) (*workerState, string, error) { return ws, cleanedPath, nil } + +func getPath(path string) (cleanedPath, parentPath string) { + cleanedPath = filepath.Clean(path) + parentPath, _ = filepath.Split(cleanedPath) + if f, err := os.Lstat(cleanedPath); err == nil && f.IsDir() { + parentPath = cleanedPath + } + + return +} diff --git a/internal/filewatcher/filewatcher_test.go b/internal/filewatcher/filewatcher_test.go index 5230d7c05ad..5b451fa0df7 100644 --- a/internal/filewatcher/filewatcher_test.go +++ b/internal/filewatcher/filewatcher_test.go @@ -14,6 +14,7 @@ import ( "runtime" "sync" "testing" + "time" "github.com/fsnotify/fsnotify" "github.com/stretchr/testify/require" 
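Review bot: `getPath` picks the worker key with `os.Lstat` at call time, and `findWorker` calls it again on removal, so the key can differ between `Add` and `Remove`. A directory that was watched under its own path and has since been deleted falls back to the parent from `filepath.Split`, `findWorker` then misses the worker, and the watch presumably stays registered until `Close`. Recording the resolved worker key when the path is added, and looking it up by cleaned path on removal, would keep the two in step. `Lstat` does not follow symlinks, so a symlink to a directory is treated as a file and only its parent is watched; if that is deliberate, say so in a doc comment such as `// getPath returns the cleaned path and the directory to watch: the path itself when it is a directory, otherwise its parent.`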
@@ -173,6 +174,44 @@ func TestWatchFile(t *testing.T) { }) } +func TestWatchDir(t *testing.T) { + // Given a file being watched + watchFile := newWatchFile(t) + _, err := os.Stat(watchFile) + require.NoError(t, err) + + w := NewWatcher() + defer func() { + _ = w.Close() + }() + d := path.Dir(watchFile) + require.NoError(t, w.Add(d)) + + timeout := time.After(5 * time.Second) + + wg := sync.WaitGroup{} + var timeoutErr error + wg.Add(1) + go func() { + select { + case <-w.Events(d): + + case <-w.Events(watchFile): + + case <-timeout: + timeoutErr = errors.New("timeout") + } + wg.Done() + }() + + // Overwriting the file and waiting its event to be received. + err = os.WriteFile(watchFile, []byte("foo: baz\n"), 0o600) + require.NoError(t, err) + wg.Wait() + + require.NoErrorf(t, timeoutErr, "timeout waiting for event") +} + func TestWatcherLifecycle(t *testing.T) { watchFile1, watchFile2 := newTwoWatchFile(t) @@ -295,27 +334,23 @@ func TestBadAddWatcher(t *testing.T) { func TestDuplicateAdd(t *testing.T) { w := NewWatcher() - name := newWatchFile(t) + defer func() { + _ = w.Close() + _ = os.Remove(name) + }() - if err := w.Add(name); err != nil { - t.Errorf("Expecting nil, got %v", err) - } - - if err := w.Add(name); err == nil { - t.Errorf("Expecting error, got nil") - } - - _ = w.Close() + require.NoError(t, w.Add(name)) + require.Error(t, w.Add(name)) } func TestBogusRemove(t *testing.T) { w := NewWatcher() - name := newWatchFile(t) - if err := w.Remove(name); err == nil { - t.Errorf("Expecting error, got nil") - } + defer func() { + _ = w.Close() + _ = os.Remove(name) + }() - _ = w.Close() + require.Error(t, w.Remove(name)) } diff --git a/internal/filewatcher/worker.go b/internal/filewatcher/worker.go index 6ae9c9f77ba..e5ed5e283f4 100644 --- a/internal/filewatcher/worker.go +++ b/internal/filewatcher/worker.go 
@@ -20,7 +20,7 @@ import ( type worker struct { mu sync.RWMutex - // watcher is an fsnotify watcher that watches the parent + // watcher is a fsnotify watcher that watches the parent // dir of watchedFiles. dirWatcher *fsnotify.Watcher @@ -96,10 +96,9 @@ func (wk *worker) loop() { continue } - sum := getHashSum(path) - if !bytes.Equal(sum, ft.hash) { + sum, isDir := getHashSum(path) + if isDir || !bytes.Equal(sum, ft.hash) { ft.hash = sum - select { case ft.events <- event: // nothing to do @@ -141,7 +140,7 @@ func (wk *worker) loop() { } } -// used only by the worker goroutine +// drainRetiringTrackers used only by the worker goroutine func (wk *worker) drainRetiringTrackers() { // cleanup any trackers that were in the process // of being retired, but didn't get processed due @@ -156,7 +155,7 @@ func (wk *worker) drainRetiringTrackers() { } } -// make a local copy of the set of trackers to avoid contention with callers +// getTrackers make a local copy of the set of trackers to avoid contention with callers // used only by the worker goroutine func (wk *worker) getTrackers() map[string]*fileTracker { wk.mu.RLock() @@ -184,36 +183,34 @@ func (wk *worker) terminate() { func (wk *worker) addPath(path string) error { wk.mu.Lock() + defer wk.mu.Unlock() ft := wk.watchedFiles[path] if ft != nil { - wk.mu.Unlock() return fmt.Errorf("path %s is already being watched", path) } + h, _ := getHashSum(path) ft = &fileTracker{ events: make(chan fsnotify.Event), errors: make(chan error), - hash: getHashSum(path), + hash: h, } - wk.watchedFiles[path] = ft - wk.mu.Unlock() return nil } func (wk *worker) removePath(path string) error { wk.mu.Lock() + defer wk.mu.Unlock() ft := wk.watchedFiles[path] if ft == nil { - wk.mu.Unlock() return fmt.Errorf("path %s not found", path) } delete(wk.watchedFiles, path) - wk.mu.Unlock() wk.retireTrackerCh <- ft return nil 
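Review bot: In `removePath` the switch to `defer wk.mu.Unlock()` means `wk.retireTrackerCh <- ft` now runs while the write lock is held, where the old code unlocked before sending. `getTrackers` takes `wk.mu.RLock()`, so if the worker goroutine is handling an event and reaches `getTrackers` while `removePath` is blocked on that send (assuming the channel is unbuffered; its creation is not in this hunk), each side waits on the other. Keep the explicit unlock ahead of the send: `delete(wk.watchedFiles, path)`, then `wk.mu.Unlock()`, then `wk.retireTrackerCh <- ft`. `addPath` has no channel send, so the defer is fine there.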
@@ -241,16 +238,26 @@ func (wk *worker) errorChannel(path string) chan error { return nil } -// gets the hash of the given file, or nil if there's a problem -func getHashSum(file string) []byte { +// getHashSum return the hash of the given file, or nil if there's a problem, or it's a directory. +func getHashSum(file string) ([]byte, bool) { f, err := os.Open(file) if err != nil { - return nil + return nil, false } - defer f.Close() - r := bufio.NewReader(f) + defer func() { + _ = f.Close() + }() + fi, err := f.Stat() + if err != nil { + return nil, false + } + if fi.IsDir() { + return nil, true + } + + r := bufio.NewReader(f) h := sha256.New() _, _ = io.Copy(h, r) - return h.Sum(nil) + return h.Sum(nil), false } diff --git a/internal/provider/file/file.go b/internal/provider/file/file.go index 79ccd04e763..4dcb2c61842 100644 --- a/internal/provider/file/file.go +++ b/internal/provider/file/file.go 
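Review bot: `getHashSum` still discards the `io.Copy` error (`_, _ = io.Copy(h, r)`), so a read that fails part-way returns the hash of a truncated file as if it were valid, and both `addPath` (`h, _ := getHashSum(path)`) and the worker loop store that value. Return nil on error instead: `if _, err := io.Copy(h, f); err != nil { return nil, false }`; the `bufio.Reader` can go, since `io.Copy` already reads in large chunks. The new `isDir` result makes the loop forward every event for a watched directory without any content comparison, which the doc comment should say explicitly.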
@@ -9,36 +9,41 @@ import ( "context" "fmt" "net/http" + "os" + "path/filepath" + "strings" "time" "github.com/fsnotify/fsnotify" "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/util/sets" "sigs.k8s.io/controller-runtime/pkg/healthz" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/filewatcher" "github.com/envoyproxy/gateway/internal/message" + "github.com/envoyproxy/gateway/internal/utils/path" ) type Provider struct { paths []string logger logr.Logger - notifier *Notifier + watcher filewatcher.FileWatcher resourcesStore *resourcesStore } func New(svr *config.Server, resources *message.ProviderResources) (*Provider, error) { logger := svr.Logger.Logger - - notifier, err := NewNotifier(logger) - if err != nil { - return nil, err + paths := sets.New[string]() + if svr.EnvoyGateway.Provider.Custom.Resource.File != nil { + paths.Insert(svr.EnvoyGateway.Provider.Custom.Resource.File.Paths...) } return &Provider{ - paths: svr.EnvoyGateway.Provider.Custom.Resource.File.Paths, + paths: paths.UnsortedList(), logger: logger, - notifier: notifier, + watcher: filewatcher.NewWatcher(), resourcesStore: newResourcesStore(svr.EnvoyGateway.Gateway.ControllerName, resources, logger), }, nil } 
@@ -48,38 +53,91 @@ func (p *Provider) Type() egv1a1.ProviderType { } func (p *Provider) Start(ctx context.Context) error { - dirs, files, err := getDirsAndFilesForWatcher(p.paths) - if err != nil { - return fmt.Errorf("failed to get directories and files for the watcher: %w", err) - } + defer func() { + _ = p.watcher.Close() + }() // Start runnable servers. go p.startHealthProbeServer(ctx) + initDirs, initFiles := path.ListDirsAndFiles(p.paths) // Initially load resources from paths on host. - if err = p.resourcesStore.LoadAndStore(files.UnsortedList(), dirs.UnsortedList()); err != nil { + if err := p.resourcesStore.LoadAndStore(initFiles.UnsortedList(), initDirs.UnsortedList()); err != nil { return fmt.Errorf("failed to load resources into store: %w", err) } - // Start watchers in notifier. - p.notifier.Watch(ctx, dirs, files) - defer p.notifier.Close() + // Add paths to the watcher, and aggregate all path channels into one. + aggCh := make(chan fsnotify.Event) + for _, path := range p.paths { + if err := p.watcher.Add(path); err != nil { + p.logger.Error(err, "failed to add watch", "path", path) + } else { + p.logger.Info("Watching path added", "path", path) + } + + ch := p.watcher.Events(path) + go func(c chan fsnotify.Event) { + for msg := range c { + aggCh <- msg + } + }(ch) + } + curDirs, curFiles := initDirs.Clone(), initFiles.Clone() for { select { case <-ctx.Done(): return nil - case event := <-p.notifier.Events: + case event := <-aggCh: + // Ignore the irrelevant event. + if event.Has(fsnotify.Chmod) { + continue + } + + // If a file change event is detected, regardless of the event type, it will be processed + // as a Remove event if the file does not exist, and as a Write event if the file exists. + // + // The reason to do so is quite straightforward, for text edit tools like vi/vim etc. + // They always create a temporary file, remove the existing one and replace it with the + // temporary file when file is saved. 
So the watcher will only receive: + // - Create event, with name "filename~". + // - Remove event, with name "filename", but the file actually exist. + if initFiles.Has(event.Name) { + p.logger.Info("file changed", "op", event.Op, "name", event.Name) + + // For Write event, the file definitely exist. + if event.Has(fsnotify.Write) { + goto handle + } + + _, err := os.Lstat(event.Name) + if err != nil && os.IsNotExist(err) { + curFiles.Delete(event.Name) + } else { + curFiles.Insert(event.Name) + } + goto handle + } + + // Ignore the hidden or temporary file related change event under a directory. + if _, name := filepath.Split(event.Name); strings.HasPrefix(name, ".") || + strings.HasSuffix(name, "~") { + continue + } + p.logger.Info("file changed", "op", event.Op, "name", event.Name) + switch event.Op { - case fsnotify.Create: - dirs.Insert(event.Name) - files.Insert(event.Name) - case fsnotify.Remove: - dirs.Delete(event.Name) - files.Delete(event.Name) + case fsnotify.Create, fsnotify.Write, fsnotify.Remove: + // Since we do not watch any events in the subdirectories, any events involving files + // modifications in current directory will trigger the event handling. + goto handle + default: + // do nothing + continue } - p.resourcesStore.HandleEvent(event, files.UnsortedList(), dirs.UnsortedList()) + handle: + p.resourcesStore.HandleEvent(curFiles.UnsortedList(), curDirs.UnsortedList()) } } } diff --git a/internal/provider/file/notifier.go b/internal/provider/file/notifier.go deleted file mode 100644 index fca8465e3af..00000000000 --- a/internal/provider/file/notifier.go +++ /dev/null 
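Review bot: The forwarding goroutines started in the `for _, path := range p.paths` loop send on the unbuffered `aggCh` with no way out, so once `ctx` is cancelled and `Start` returns, any goroutine holding an event blocks on `aggCh <- msg` forever. The loop also calls `p.watcher.Events(path)` after `Add` has failed; if that returns a nil channel for an unregistered path (the filewatcher hunk earlier in this patch suggests its channel lookups return nil in that case, but the implementation is not fully visible here), `range` over it never returns either. Skipping the path on error and selecting on `ctx.Done()` in the forwarder addresses both. Separately, the loop variable `path` shadows the imported `path` package for the rest of the loop body; a name such as `watchPath` avoids that.

```go
	aggCh := make(chan fsnotify.Event)
	for _, watchPath := range p.paths {
		if err := p.watcher.Add(watchPath); err != nil {
			p.logger.Error(err, "failed to add watch", "path", watchPath)
			// No watch was registered, so there is no event channel to forward.
			continue
		}
		p.logger.Info("Watching path added", "path", watchPath)

		go func(c chan fsnotify.Event) {
			for msg := range c {
				select {
				case aggCh <- msg:
				case <-ctx.Done():
					return
				}
			}
		}(p.watcher.Events(watchPath))
	}
	// … unchanged: curDirs/curFiles setup and the event loop …
```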
@@ -1,316 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package file - -import ( - "context" - "os" - "path/filepath" - "strings" - "time" - - "github.com/fsnotify/fsnotify" - "github.com/go-logr/logr" - "k8s.io/apimachinery/pkg/util/sets" -) - -const ( - defaultCleanUpRemoveEventsPeriod = 300 * time.Millisecond -) - -type Notifier struct { - // Events record events used to update ResourcesStore, - // which only include two types of events: Write/Remove. - Events chan fsnotify.Event - - filesWatcher *fsnotify.Watcher - dirsWatcher *fsnotify.Watcher - cleanUpRemoveEventsPeriod time.Duration - - logger logr.Logger -} - -func NewNotifier(logger logr.Logger) (*Notifier, error) { - fw, err := fsnotify.NewBufferedWatcher(10) - if err != nil { - return nil, err - } - - dw, err := fsnotify.NewBufferedWatcher(10) - if err != nil { - return nil, err - } - - return &Notifier{ - Events: make(chan fsnotify.Event), - filesWatcher: fw, - dirsWatcher: dw, - cleanUpRemoveEventsPeriod: defaultCleanUpRemoveEventsPeriod, - logger: logger, - }, nil -} - -func (n *Notifier) Watch(ctx context.Context, dirs, files sets.Set[string]) { - n.watchDirs(ctx, dirs) - n.watchFiles(ctx, files) -} - -func (n *Notifier) Close() error { - if err := n.filesWatcher.Close(); err != nil { - return err - } - if err := n.dirsWatcher.Close(); err != nil { - return err - } - return nil -} - -// watchFiles watches one or more files, but instead of watching the file directly, -// it watches its parent directory. This solves various issues where files are -// frequently renamed. 
-func (n *Notifier) watchFiles(ctx context.Context, files sets.Set[string]) { - if len(files) < 1 { - return - } - - go n.runFilesWatcher(ctx, files) - - for p := range files { - if err := n.filesWatcher.Add(filepath.Dir(p)); err != nil { - n.logger.Error(err, "error adding file to notifier", "path", p) - - continue - } - } -} - -func (n *Notifier) runFilesWatcher(ctx context.Context, files sets.Set[string]) { - var ( - cleanUpTicker = time.NewTicker(n.cleanUpRemoveEventsPeriod) - - // This map records the exact previous Op of one event. - preEventOp = make(map[string]fsnotify.Op) - // This set records the name of event that related to Remove Op. - curRemoveEvents = sets.NewString() - ) - - for { - select { - case <-ctx.Done(): - return - - case err, ok := <-n.filesWatcher.Errors: - if !ok { - return - } - n.logger.Error(err, "error from files watcher in notifier") - - case event, ok := <-n.filesWatcher.Events: - if !ok { - return - } - - // Ignore file and operation the watcher not interested in. - if !files.Has(event.Name) || event.Has(fsnotify.Chmod) { - continue - } - - // This logic is trying to avoid files be removed and then created - // frequently by considering Remove/Rename and the follow Create - // Op as one Write Notifier.Event. - // - // Actually, this approach is also suitable for commands like vi/vim. - // It creates a temporary file, removes the existing one and replace - // it with the temporary file when file is saved. So instead of Write - // Op, the watcher will receive Rename and Create Op. - - var writeEvent bool - switch event.Op { - case fsnotify.Create: - if op, ok := preEventOp[event.Name]; ok && - op.Has(fsnotify.Rename) || op.Has(fsnotify.Remove) { - writeEvent = true - // If the exact previous Op of Create is Rename/Remove, - // then consider them as a Write Notifier.Event instead of Remove. 
- curRemoveEvents.Delete(event.Name) - } - case fsnotify.Write: - writeEvent = true - case fsnotify.Remove, fsnotify.Rename: - curRemoveEvents.Insert(event.Name) - } - - if writeEvent { - n.logger.Info("sending write event", - "name", event.Name, "watcher", "files") - - n.Events <- fsnotify.Event{ - Name: event.Name, - Op: fsnotify.Write, - } - } - preEventOp[event.Name] = event.Op - - case <-cleanUpTicker.C: - // As for collected Remove Notifier.Event, clean them up - // in a period of time to avoid neglect of dealing with - // Remove/Rename Op. - for e := range curRemoveEvents { - n.logger.Info("sending remove event", - "name", e, "watcher", "files") - - n.Events <- fsnotify.Event{ - Name: e, - Op: fsnotify.Remove, - } - } - curRemoveEvents = sets.NewString() - } - } -} - -// watchDirs watches one or more directories. -func (n *Notifier) watchDirs(ctx context.Context, dirs sets.Set[string]) { - if len(dirs) < 1 { - return - } - - // This map maintains the subdirectories ignored by each directory. - ignoredSubDirs := make(map[string]sets.Set[string]) - - for p := range dirs { - if err := n.dirsWatcher.Add(p); err != nil { - n.logger.Error(err, "error adding dir to notifier", "path", p) - - continue - } - - // Find current exist subdirectories to init ignored subdirectories set. - entries, err := os.ReadDir(p) - if err != nil { - n.logger.Error(err, "error reading dir in notifier", "path", p) - - if err = n.dirsWatcher.Remove(p); err != nil { - n.logger.Error(err, "error removing dir from notifier", "path", p) - } - - continue - } - - ignoredSubDirs[p] = sets.New[string]() - for _, entry := range entries { - if entry.IsDir() { - // The entry name is dir name, not dir path. 
- ignoredSubDirs[p].Insert(entry.Name()) - } - } - } - - go n.runDirsWatcher(ctx, ignoredSubDirs) -} - -func (n *Notifier) runDirsWatcher(ctx context.Context, ignoredSubDirs map[string]sets.Set[string]) { - var ( - cleanUpTicker = time.NewTicker(n.cleanUpRemoveEventsPeriod) - - // This map records the exact previous Op of one event. - preEventOp = make(map[string]fsnotify.Op) - // This set records the name of event that related to Remove Op. - curRemoveEvents = sets.NewString() - ) - - for { - select { - case <-ctx.Done(): - return - - case err, ok := <-n.dirsWatcher.Errors: - if !ok { - return - } - n.logger.Error(err, "error from dirs watcher in notifier") - - case event, ok := <-n.dirsWatcher.Events: - if !ok { - return - } - - // Ignore the hidden or temporary file related event. - _, name := filepath.Split(event.Name) - if event.Has(fsnotify.Chmod) || - strings.HasPrefix(name, ".") || - strings.HasSuffix(name, "~") { - continue - } - - // Ignore any subdirectory related event. - switch event.Op { - case fsnotify.Create: - if fi, err := os.Lstat(event.Name); err == nil && fi.IsDir() { - parentDir := filepath.Dir(event.Name) - if _, ok := ignoredSubDirs[parentDir]; ok { - ignoredSubDirs[parentDir].Insert(name) - continue - } - } - case fsnotify.Remove, fsnotify.Rename: - parentDir := filepath.Dir(event.Name) - if sub, ok := ignoredSubDirs[parentDir]; ok && sub.Has(name) { - ignoredSubDirs[parentDir].Delete(name) - continue - } - } - - // Share the similar logic as in files watcher. - var writeEvent bool - switch event.Op { - case fsnotify.Create: - if op, ok := preEventOp[event.Name]; ok && - op.Has(fsnotify.Rename) || op.Has(fsnotify.Remove) { - curRemoveEvents.Delete(event.Name) - } - // Since the watcher watches the whole dir, the creation of file - // should also be able to trigger the Write event. 
- writeEvent = true - case fsnotify.Write: - writeEvent = true - case fsnotify.Remove, fsnotify.Rename: - curRemoveEvents.Insert(event.Name) - } - - if writeEvent { - n.logger.Info("sending write event", - "name", event.Name, "watcher", "dirs") - - n.Events <- fsnotify.Event{ - Name: event.Name, - Op: fsnotify.Write, - } - } - preEventOp[event.Name] = event.Op - - case <-cleanUpTicker.C: - // Merge files to be removed in the same parent directory - // to suppress events, because the file has already been - // removed and is unnecessary to send event for each of them. - parentDirs := sets.NewString() - for e := range curRemoveEvents { - parentDirs.Insert(filepath.Dir(e)) - } - - for parentDir := range parentDirs { - n.logger.Info("sending remove event", - "name", parentDir, "watcher", "dirs") - - n.Events <- fsnotify.Event{ - Name: parentDir, - Op: fsnotify.Remove, - } - } - curRemoveEvents = sets.NewString() - } - } -} diff --git a/internal/provider/file/path.go b/internal/provider/file/path.go deleted file mode 100644 index fe3ad7539f6..00000000000 --- a/internal/provider/file/path.go +++ /dev/null 
@@ -1,47 +0,0 @@ -// Copyright Envoy Gateway Authors -// SPDX-License-Identifier: Apache-2.0 -// The full text of the Apache license is available in the LICENSE file at -// the root of the repo. - -package file - -import ( - "os" - "path/filepath" - - "k8s.io/apimachinery/pkg/util/sets" -) - -// getDirsAndFilesForWatcher prepares dirs and files for the watcher in notifier. -func getDirsAndFilesForWatcher(paths []string) ( - dirs sets.Set[string], files sets.Set[string], err error, -) { - dirs, files = sets.New[string](), sets.New[string]() - - // Separate paths by whether is a directory or not. - paths = sets.NewString(paths...).List() - for _, path := range paths { - var p os.FileInfo - p, err = os.Lstat(path) - if err != nil { - return - } - - if p.IsDir() { - dirs.Insert(path) - } else { - files.Insert(path) - } - } - - // Ignore filepath if its parent directory is also be watched. - var ignoreFiles []string - for fp := range files { - if dirs.Has(filepath.Dir(fp)) { - ignoreFiles = append(ignoreFiles, fp) - } - } - files.Delete(ignoreFiles...) - - return -} diff --git a/internal/provider/file/store.go b/internal/provider/file/store.go index 90c520564b6..448f1807cf0 100644 --- a/internal/provider/file/store.go +++ b/internal/provider/file/store.go @@ -6,7 +6,6 @@ package file import ( - "github.com/fsnotify/fsnotify" "github.com/go-logr/logr" "github.com/envoyproxy/gateway/internal/gatewayapi/resource" 
@@ -28,19 +27,15 @@ func newResourcesStore(name string, resources *message.ProviderResources, logger } } -func (r *resourcesStore) HandleEvent(event fsnotify.Event, files, dirs []string) { - r.logger.Info("receive an event", "name", event.Name, "op", event.Op.String()) +// HandleEvent simply removes all the resources and triggers a resources reload from files +// and directories despite of the event type. +// TODO: Enhance this method by respecting the event type, and add support for multiple GatewayClass. +func (r *resourcesStore) HandleEvent(files, dirs []string) { + r.logger.Info("reload all resources") - // TODO(sh2): Support multiple GatewayClass. - switch event.Op { - case fsnotify.Write: - if err := r.LoadAndStore(files, dirs); err != nil { - r.logger.Error(err, "failed to load and store resources") - } - case fsnotify.Remove: - // Under our current assumption, one file only contains one GatewayClass and - // all its other related resources, so we can remove them safely. - r.resources.GatewayAPIResources.Delete(r.name) + r.resources.GatewayAPIResources.Delete(r.name) + if err := r.LoadAndStore(files, dirs); err != nil { + r.logger.Error(err, "failed to load and store resources") } } diff --git a/internal/provider/file/testdata/paths/dir/bar b/internal/provider/file/testdata/paths/dir/bar deleted file mode 100644 index e1878797a7c..00000000000 --- a/internal/provider/file/testdata/paths/dir/bar +++ /dev/null @@ -1 +0,0 @@ -THIS FILE IS FOR TEST ONLY \ No newline at end of file diff --git a/internal/provider/file/testdata/paths/foo b/internal/provider/file/testdata/paths/foo deleted file mode 100644 index e1878797a7c..00000000000 --- a/internal/provider/file/testdata/paths/foo +++ /dev/null @@ -1 +0,0 @@ -THIS FILE IS FOR TEST ONLY \ No newline at end of file diff --git a/internal/utils/path/path.go b/internal/utils/path/path.go index e333a7f5971..4291dd58848 100644 --- a/internal/utils/path/path.go +++ b/internal/utils/path/path.go 
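Review bot: `HandleEvent` now deletes the stored resources before `LoadAndStore` runs, so any load failure, for example a file read while an editor is half-way through saving it, leaves the store empty with only a log line. For a gateway this means routes and the policies attached to them disappear until the next event that loads cleanly, which is a poor failure mode for configuration that carries security policy. Loading first and keeping the previous snapshot on error would be safer, with the delete reserved for a reload that succeeds and finds nothing to load. Whether `LoadAndStore` already replaces the entry for `r.name` on success cannot be seen from this hunk and needs confirming before reordering. The comment's "despite of the event type" should read "regardless of the event type".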
@@ -8,6 +8,8 @@ package path import ( "os" "path/filepath" + + "k8s.io/apimachinery/pkg/util/sets" ) // ValidateOutputPath takes an output file path and returns it as an absolute path. @@ -22,3 +24,35 @@ func ValidateOutputPath(outputPath string) (string, error) { } return outputPath, nil } + +// ListDirsAndFiles return a list of directories and files from a list of paths recursively. +func ListDirsAndFiles(paths []string) (dirs sets.Set[string], files sets.Set[string]) { + dirs, files = sets.New[string](), sets.New[string]() + // Separate paths by whether is a directory or not. + paths = sets.NewString(paths...).UnsortedList() + for _, path := range paths { + var p os.FileInfo + p, err := os.Lstat(path) + if err != nil { + // skip + continue + } + + if p.IsDir() { + dirs.Insert(path) + } else { + files.Insert(path) + } + } + + // Ignore filepath if its parent directory is also be watched. + var ignoreFiles []string + for fp := range files { + if dirs.Has(filepath.Dir(fp)) { + ignoreFiles = append(ignoreFiles, fp) + } + } + files.Delete(ignoreFiles...) + + return +} diff --git a/internal/provider/file/path_test.go b/internal/utils/path/path_test.go similarity index 51% rename from internal/provider/file/path_test.go rename to internal/utils/path/path_test.go index 183c24efa97..8b3db14784d 100644 --- a/internal/provider/file/path_test.go +++ b/internal/utils/path/path_test.go 
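Review bot: `ListDirsAndFiles` drops any path whose `os.Lstat` fails with a bare `continue`, so a mistyped or unreadable configured path vanishes without an error or a log line, whereas the helper it replaces (`getDirsAndFilesForWatcher`, deleted in this patch) returned that error. Either return the failed paths to the caller or document the skip explicitly. The doc comment also says "recursively", but the body only classifies the paths it is given, and because `Lstat` does not follow symlinks, a symlink that points at a directory lands in `files`. A more accurate comment would be `// ListDirsAndFiles splits paths into directories and files without descending into them; paths that cannot be stat'ed are skipped.` The `var p os.FileInfo` declaration is redundant next to `p, err := os.Lstat(path)`.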
@@ -3,17 +3,28 @@ // The full text of the Apache license is available in the LICENSE file at // the root of the repo. -package file +package path import ( + "os" "path" "testing" "github.com/stretchr/testify/require" ) -func TestGetDirsAndFilesForWatcher(t *testing.T) { - testPath := path.Join("testdata", "paths") +func TestListDirsAndFiles(t *testing.T) { + basePath, _ := os.MkdirTemp(os.TempDir(), "list-test") + defer func() { + _ = os.RemoveAll(basePath) + }() + paths, err := os.MkdirTemp(basePath, "paths") + require.NoError(t, err) + dirPath, err := os.MkdirTemp(paths, "dir") + require.NoError(t, err) + require.NoError(t, os.WriteFile(path.Join(paths, "foo"), []byte("foo"), 0o700)) // nolint: gosec + require.NoError(t, os.WriteFile(path.Join(dirPath, "bar"), []byte("bar"), 0o700)) // nolint: gosec + testCases := []struct { name string paths []string @@ -23,22 +34,23 @@ func TestGetDirsAndFilesForWatcher(t *testing.T) { { name: "get file and dir path", paths: []string{ - path.Join(testPath, "dir"), path.Join(testPath, "foo"), + dirPath, + path.Join(paths, "foo"), }, expectDirs: []string{ - path.Join(testPath, "dir"), + dirPath, }, expectFiles: []string{ - path.Join(testPath, "foo"), + path.Join(paths, "foo"), }, }, { name: "overlap file path will be ignored", paths: []string{ - path.Join(testPath, "dir"), path.Join(testPath, "dir", "bar"), + dirPath, path.Join(dirPath, "bar"), }, expectDirs: []string{ - path.Join(testPath, "dir"), + dirPath, }, expectFiles: []string{}, }, @@ -46,9 +58,9 @@ func TestGetDirsAndFilesForWatcher(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - dirs, paths, _ := getDirsAndFilesForWatcher(tc.paths) + dirs, files := ListDirsAndFiles(tc.paths) require.ElementsMatch(t, dirs.UnsortedList(), tc.expectDirs) - require.ElementsMatch(t, paths.UnsortedList(), tc.expectFiles) + require.ElementsMatch(t, files.UnsortedList(), tc.expectFiles) }) } } 
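Review bot: The fixture setup in `TestListDirsAndFiles` discards the error from the first `os.MkdirTemp` and removes the directory by hand in a deferred call. `t.TempDir()` does both jobs, failing the test if creation fails and cleaning up automatically: `basePath := t.TempDir()`. The two `os.WriteFile` calls create the fixtures with `0o700` and silence the linter with `// nolint: gosec`; the test only stats these files, so `0o600` would work and the suppression could go.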
From 905405e72ed5da070ef2d041e524efb8511d837f Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Thu, 5 Dec 2024 05:57:49 -0600 Subject: [PATCH 464/523] fix: EnvoyExtensionPolicy reference grant (#4851) * fix: EnvoyExtensionPolicy reference grant Signed-off-by: Guy Daich * fix lint, add release note Signed-off-by: Guy Daich --------- Signed-off-by: Guy Daich --- internal/provider/kubernetes/controller.go | 2 +- .../provider/kubernetes/controller_test.go | 161 ++++++++++++++++++ internal/provider/kubernetes/indexers.go | 12 +- release-notes/current.yaml | 1 + 4 files changed, 171 insertions(+), 5 deletions(-) diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index 28a0eafaa77..f71ebee9520 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go @@ -2088,7 +2088,7 @@ func (r *gatewayAPIReconciler) processEnvoyExtensionPolicyObjectRefs( if backendNamespace != policy.Namespace { from := ObjectKindNamespacedName{ - kind: resource.KindHTTPRoute, + kind: resource.KindEnvoyExtensionPolicy, namespace: policy.Namespace, name: policy.Name, } diff --git a/internal/provider/kubernetes/controller_test.go b/internal/provider/kubernetes/controller_test.go index c1cece27733..d008e7b2f70 100644 --- a/internal/provider/kubernetes/controller_test.go +++ b/internal/provider/kubernetes/controller_test.go @@ -12,8 +12,10 @@ import ( "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" + gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/internal/envoygateway" 
@@ -288,3 +290,162 @@ func TestProcessGatewayClassParamsRef(t *testing.T) { }) } } + +func TestProcessEnvoyExtensionPolicyObjectRefs(t *testing.T) { + testCases := []struct { + name string + envoyExtensionPolicy *egv1a1.EnvoyExtensionPolicy + backend *egv1a1.Backend + referenceGrant *gwapiv1b1.ReferenceGrant + shouldBeAdded bool + }{ + { + name: "valid envoy extension policy with proper ref grant to backend", + envoyExtensionPolicy: &egv1a1.EnvoyExtensionPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-1", + Name: "test-policy", + }, + Spec: egv1a1.EnvoyExtensionPolicySpec{ + ExtProc: []egv1a1.ExtProc{ + { + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Namespace: gatewayapi.NamespacePtr("ns-2"), + Name: "test-backend", + Kind: gatewayapi.KindPtr(resource.KindBackend), + Group: gatewayapi.GroupPtr(egv1a1.GroupName), + }, + }, + }, + }, + }, + }, + }, + }, + backend: &egv1a1.Backend{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-2", + Name: "test-backend", + }, + }, + referenceGrant: &gwapiv1b1.ReferenceGrant{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-2", + Name: "test-grant", + }, + Spec: gwapiv1b1.ReferenceGrantSpec{ + 
From: []gwapiv1b1.ReferenceGrantFrom{ + { + Namespace: gwapiv1.Namespace("ns-1"), + Kind: gwapiv1.Kind(resource.KindEnvoyExtensionPolicy), + Group: gwapiv1.Group(egv1a1.GroupName), + }, + }, + To: []gwapiv1b1.ReferenceGrantTo{ + { + Name: gatewayapi.ObjectNamePtr("test-backend"), + Kind: gwapiv1.Kind(resource.KindBackend), + Group: gwapiv1.Group(egv1a1.GroupName), + }, + }, + }, + }, + shouldBeAdded: true, + }, + { + name: "valid envoy extension policy with wrong from kind in ref grant to backend", + envoyExtensionPolicy: &egv1a1.EnvoyExtensionPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-1", + Name: "test-policy", + }, + Spec: egv1a1.EnvoyExtensionPolicySpec{ + ExtProc: []egv1a1.ExtProc{ + { + BackendCluster: egv1a1.BackendCluster{ + BackendRefs: []egv1a1.BackendRef{ + { + BackendObjectReference: gwapiv1.BackendObjectReference{ + Namespace: gatewayapi.NamespacePtr("ns-2"), + Name: "test-backend", + Kind: gatewayapi.KindPtr(resource.KindBackend), + Group: gatewayapi.GroupPtr(egv1a1.GroupName), + }, + }, + }, + }, + }, + }, + }, + }, + backend: &egv1a1.Backend{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-2", + Name: "test-backend", + }, + }, + referenceGrant: &gwapiv1b1.ReferenceGrant{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns-2", + Name: "test-grant", + }, + Spec: gwapiv1b1.ReferenceGrantSpec{ + 
From: []gwapiv1b1.ReferenceGrantFrom{ + { + Namespace: gwapiv1.Namespace("ns-1"), + Kind: gwapiv1.Kind(resource.KindHTTPRoute), + Group: gwapiv1.Group(gwapiv1.GroupName), + }, + }, + To: []gwapiv1b1.ReferenceGrantTo{ + { + Name: gatewayapi.ObjectNamePtr("test-backend"), + Kind: gwapiv1.Kind(resource.KindBackend), + Group: gwapiv1.Group(egv1a1.GroupName), + }, + }, + }, + }, + shouldBeAdded: false, + }, + } + + for i := range testCases { + tc := testCases[i] + // Run the test cases. + t.Run(tc.name, func(t *testing.T) { + // Add objects referenced by test cases. + objs := []client.Object{tc.envoyExtensionPolicy, tc.backend, tc.referenceGrant} + + // Create the reconciler. + logger := logging.DefaultLogger(egv1a1.LogLevelInfo) + + ctx := context.Background() + + r := &gatewayAPIReconciler{ + log: logger, + classController: "some-gateway-class", + } + + r.client = fakeclient.NewClientBuilder(). + WithScheme(envoygateway.GetScheme()). + WithObjects(objs...). + WithIndex(&gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, getReferenceGrantIndexerFunc()). + Build() + + resourceTree := resource.NewResources() + resourceMap := newResourceMapping() + + err := r.processEnvoyExtensionPolicies(ctx, resourceTree, resourceMap) + require.NoError(t, err) + if tc.shouldBeAdded { + require.Contains(t, resourceTree.ReferenceGrants, tc.referenceGrant) + } else { + require.NotContains(t, resourceTree.ReferenceGrants, tc.referenceGrant) + } + }) + } +} diff --git a/internal/provider/kubernetes/indexers.go b/internal/provider/kubernetes/indexers.go index 031a2657a9c..7626ea32d52 100644 --- a/internal/provider/kubernetes/indexers.go +++ b/internal/provider/kubernetes/indexers.go 
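Review bot: Both cases in `TestProcessEnvoyExtensionPolicyObjectRefs` differ only in the grant's `From` kind, so the test would still pass if the reconciler stopped checking the `From` namespace or the `To` kind. A ReferenceGrant is the cross-namespace authorization check here, so it is worth pinning the other dimensions too: a third case with `Kind: gwapiv1.Kind(resource.KindEnvoyExtensionPolicy)` but a `From` namespace other than `ns-1`, expecting `shouldBeAdded: false`. A short comment above the table stating that the policy lives in `ns-1` and the backend in `ns-2` would make the intent of each case easier to read.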
@@ -52,17 +52,21 @@ const ( ) func addReferenceGrantIndexers(ctx context.Context, mgr manager.Manager) error { - if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, func(rawObj client.Object) []string { + if err := mgr.GetFieldIndexer().IndexField(ctx, &gwapiv1b1.ReferenceGrant{}, targetRefGrantRouteIndex, getReferenceGrantIndexerFunc()); err != nil { + return err + } + return nil +} + +func getReferenceGrantIndexerFunc() func(rawObj client.Object) []string { + return func(rawObj client.Object) []string { refGrant := rawObj.(*gwapiv1b1.ReferenceGrant) var referredServices []string for _, target := range refGrant.Spec.To { referredServices = append(referredServices, string(target.Kind)) } return referredServices - }); err != nil { - return err } - return nil } // addHTTPRouteIndexers adds indexing on HTTPRoute. diff --git a/release-notes/current.yaml b/release-notes/current.yaml index d1c6dd95c06..6ba9c2ee5cb 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,6 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | + Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected # Enhancements that improve performance. performance improvements: | From ac86045216b4c2a432d39ca365664f6aabdf2923 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Fri, 6 Dec 2024 00:15:10 +0100 Subject: [PATCH 465/523] feat: add body to ext auth (#4671) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add BodyToExtAuth 
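Review bot: `getReferenceGrantIndexerFunc` is now shared with the test's fake client but has no comment saying what it indexes; something like `// getReferenceGrantIndexerFunc indexes a ReferenceGrant by every kind listed in its Spec.To.` would make the index key explicit. The unchecked `rawObj.(*gwapiv1b1.ReferenceGrant)` assertion panics if the function is ever registered for another object type, which is easier to do now that it is a free function; the two-value form `refGrant, ok := rawObj.(*gwapiv1b1.ReferenceGrant)` with `return nil` when `!ok` avoids that. `addReferenceGrantIndexers` can then shrink to a single `return mgr.GetFieldIndexer().IndexField(...)`.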
Signed-off-by: Aurélien Pillevesse --- api/v1alpha1/ext_auth_types.go | 15 + api/v1alpha1/zz_generated.deepcopy.go | 20 ++ ...ateway.envoyproxy.io_securitypolicies.yaml | 15 + internal/gatewayapi/securitypolicy.go | 7 + .../securitypolicy-with-extauth-body.in.yaml | 112 ++++++ .../securitypolicy-with-extauth-body.out.yaml | 335 ++++++++++++++++++ internal/ir/xds.go | 14 + internal/ir/zz_generated.deepcopy.go | 20 ++ internal/xds/translator/extauth.go | 6 + .../testdata/in/xds-ir/ext-auth-body.yaml | 125 +++++++ .../out/xds-ir/ext-auth-body.clusters.yaml | 115 ++++++ .../out/xds-ir/ext-auth-body.endpoints.yaml | 36 ++ .../out/xds-ir/ext-auth-body.listeners.yaml | 71 ++++ .../out/xds-ir/ext-auth-body.routes.yaml | 44 +++ site/content/en/latest/api/extension_types.md | 15 + site/content/zh/latest/api/extension_types.md | 15 + 16 files changed, 965 insertions(+) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml create mode 100644 internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index faa0897e300..16652c9fd28 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -33,6 +33,10 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` + // BodyToExtAuth defines the Body to Ext Auth configuration. + // +optional + BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"` + // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. // Otherwise, if it is set to false or not set (defaulting to false), @@ -85,3 +89,14 @@ type HTTPExtAuthService struct { // +optional HeadersToBackend []string `json:"headersToBackend,omitempty"` } + +// BodyToExtAuth defines the Body to Ext Auth configuration +type BodyToExtAuth struct { + // MaxRequestBytes is the maximum size of a message body that the filter will hold in memory. + // Envoy will return HTTP 413 and will not initiate the authorization process when buffer + // reaches the number set in this field. + // Note that this setting will have precedence over failOpen mode. + // + // +kubebuilder:validation:Minimum=1 + MaxRequestBytes uint32 `json:"maxRequestBytes"` +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 457afa58ac4..742ffed1b25 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
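Review bot: `MaxRequestBytes` in the new `BodyToExtAuth` type carries a `Minimum=1` marker but no upper bound, so a single policy can ask the proxy to buffer up to the full `uint32` range per in-flight request before the authorization call is made. Adding a `+kubebuilder:validation:Maximum=<project-chosen limit>` marker, or at least documenting the per-request memory cost, would stop one policy from becoming a memory-exhaustion lever. The type comment could also state that the buffered body is sent to the external authorization service, because request bodies often carry credentials or personal data that the service will then receive and may log.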
@@ -595,6 +595,21 @@ func (in *BasicAuth) DeepCopy() *BasicAuth { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BodyToExtAuth) DeepCopyInto(out *BodyToExtAuth) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BodyToExtAuth. +func (in *BodyToExtAuth) DeepCopy() *BodyToExtAuth { + if in == nil { + return nil + } + out := new(BodyToExtAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CORS) DeepCopyInto(out *CORS) { *out = *in @@ -2115,6 +2130,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.BodyToExtAuth != nil { + in, out := &in.BodyToExtAuth, &out.BodyToExtAuth + *out = new(BodyToExtAuth) + **out = **in + } if in.FailOpen != nil { in, out := &in.FailOpen, &out.FailOpen *out = new(bool) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 840c8d59d30..e611a00ce10 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -336,6 +336,21 @@ spec: extAuth: description: ExtAuth defines the configuration for External Authorization. properties: + bodyToExtAuth: + description: BodyToExtAuth defines the Body to Ext Auth configuration. + properties: + maxRequestBytes: + description: |- + MaxRequestBytes is the maximum size of a message body that the filter will hold in memory. + Envoy will return HTTP 413 and will not initiate the authorization process when buffer + reaches the number set in this field. + Note that this setting will have precedence over failOpen mode. + format: int32 + minimum: 1 + type: integer + required: + - maxRequestBytes + type: object failOpen: default: false description: |- diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 3219f816da5..d21f240f1fa 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -933,6 +933,13 @@ func (t *Translator) buildExtAuth( Authority: authority, } } + + if policy.Spec.ExtAuth.BodyToExtAuth != nil { + extAuth.BodyToExtAuth = &ir.BodyToExtAuth{ + MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes, + } + } + return extAuth, nil } diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml new file mode 100644 index 00000000000..d45b50c8835 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml 
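Review bot: The block added to `buildExtAuth` in `internal/gatewayapi/securitypolicy.go` copies `MaxRequestBytes` into the IR without checking it and relies on the CRD's `minimum: 1`. Resources that never pass API-server validation, which appears to be the case for ones loaded by the file provider elsewhere in this series, could carry `maxRequestBytes: 0` through to the xDS translation. A guard in the translator keeps the invariant in one place, using the error style the file already follows: `if b := policy.Spec.ExtAuth.BodyToExtAuth; b != nil && b.MaxRequestBytes == 0 { return nil, errors.New("bodyToExtAuth.maxRequestBytes must be greater than 0") }`. The body of `buildExtAuth` starts outside this hunk, so the placement relative to the other validation there needs checking.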
@@ -0,0 +1,112 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo1 + backendRefs: + - name: service-1 + port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-3 + port: 8080 +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: 'primary.foo.com' + port: 3000 +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: default + to: + - group: "" + kind: Service +securityPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extAuth: + failOpen: true + headersToExtAuth: + - header1 + - header2 + bodyToExtAuth: + maxRequestBytes: 32768 + grpc: + backendRefs: + - name: service-2 + kind: Service + port: 8080 + - name: backend-fqdn + kind: Backend + 
group: gateway.envoyproxy.io + port: 3000 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml new file mode 100644 index 00000000000..ac4dfe7f306 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml 
@@ -0,0 +1,335 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: primary.foo.com + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + 
reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-1 + namespace: default + spec: + extAuth: + bodyToExtAuth: + maxRequestBytes: 32768 + failOpen: true + grpc: + backendRefs: + - kind: Service + name: service-2 + port: 8080 + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 3000 + headersToExtAuth: + - header1 + - header2 + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + 
sectionName: http + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo1 + security: + extAuth: + bodyToExtAuth: + maxRequestBytes: 32768 + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/extauth/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 + security: + extAuth: + bodyToExtAuth: + maxRequestBytes: 32768 + failOpen: true + grpc: + authority: 
service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/extauth/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 486b7514cd4..00924ed9f32 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -1000,6 +1000,10 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` + // BodyToExtAuth defines the Body to Ext Auth configuration. + // +optional + BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"` + // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. // Otherwise, if it is set to false or not set (defaulting to false), 
@@ -1016,6 +1020,16 @@ type ExtAuth struct { RecomputeRoute *bool `json:"recomputeRoute,omitempty"` } +// BodyToExtAuth defines the Body to Ext Auth configuration +// +k8s:deepcopy-gen=true +type BodyToExtAuth struct { + // MaxRequestBytes is the maximum size of a message body that the filter will hold in memory. + // Envoy will return HTTP 413 and will not initiate the authorization process when buffer + // reaches the number set in this field. + // Note that this setting will have precedence over failOpen mode. + MaxRequestBytes uint32 `json:"maxRequestBytes"` +} + // HTTPExtAuthService defines the HTTP External Authorization service // +k8s:deepcopy-gen=true type HTTPExtAuthService struct { diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index 6db14262456..fbdb444e430 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -330,6 +330,21 @@ func (in *BasicAuth) DeepCopy() *BasicAuth { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BodyToExtAuth) DeepCopyInto(out *BodyToExtAuth) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BodyToExtAuth. +func (in *BodyToExtAuth) DeepCopy() *BodyToExtAuth { + if in == nil { + return nil + } + out := new(BodyToExtAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CORS) DeepCopyInto(out *CORS) { *out = *in @@ -898,6 +913,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.BodyToExtAuth != nil { + in, out := &in.BodyToExtAuth, &out.BodyToExtAuth + *out = new(BodyToExtAuth) + **out = **in + } if in.FailOpen != nil { in, out := &in.FailOpen, &out.FailOpen *out = new(bool) 
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 2f8766fe91c..f65cc0875f3 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -117,6 +117,12 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz { }) } + if extAuth.BodyToExtAuth != nil { + config.WithRequestBody = &extauthv3.BufferSettings{ + MaxRequestBytes: extAuth.BodyToExtAuth.MaxRequestBytes, + } + } + if len(headersToExtAuth) > 0 { config.AllowedHeaders = &matcherv3.ListStringMatcher{ Patterns: headersToExtAuth, diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml new file mode 100644 index 00000000000..f3ce1bd3477 --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml 
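Review bot: The new `WithRequestBody` block in `extAuthConfig` sets only `MaxRequestBytes`, so `AllowPartialMessage` stays at its zero value; that is what makes Envoy reject an oversized body with 413 instead of sending a truncated body to the authorization service. This is the safer behaviour, because a decision taken on a prefix of the body would not cover what the backend finally receives, but nothing in the code says it is deliberate. I would add a comment above the assignment such as `// AllowPartialMessage is left false on purpose: oversized bodies are rejected (413), never truncated.` It may also be worth documenting for users that the buffered request body is sent to the external authorization service, so that service and the transport to it must be trusted with the payload. `extAuthConfig` starts and ends outside the hunk.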
@@ -0,0 +1,125 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-2/rule/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-gateway-1 + failOpen: true + bodyToExtAuth: + maxRequestBytes: 32768 + http: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 80 + protocol: HTTP + weight: 1 + headersToBackend: + - header1 + - header2 + path: /auth diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml new file mode 100644 index 00000000000..79e1aed5ebe --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml 
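Review bot: In this fixture `bodyToExtAuth` is set only on the HTTP ext-auth entry for policy-for-gateway-1, so the translator test never exercises `withRequestBody` on a gRPC authorization service; the two `policy-for-http-route-1` entries have `grpc` but no body setting. Adding `bodyToExtAuth:` with `maxRequestBytes: 32768` to both of those entries would cover the gRPC path as well. Separately, the second `grpc` destination declares `addressType: IP` with host `primary.foo.com` and port 3000, while the first uses `addressType: FQDN` and port 9000 under the same destination name, which looks like a copy-paste inconsistency worth cleaning up.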
@@ -0,0 +1,115 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 + name: 
securitypolicy/default/policy-for-http-route-1/default/grpc-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 80 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml new file mode 100644 index 00000000000..bf9f0023789 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml 
@@ -0,0 +1,36 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/1/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml new file mode 100644 index 00000000000..84bea029d0b --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml 
@@ -0,0 +1,71 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + allowedHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + grpcService: + envoyGrpc: + authority: primary.foo.com + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + timeout: 10s + transportApiVersion: V3 + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + failureModeAllow: true + httpService: + authorizationResponse: + allowedUpstreamHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + pathPrefix: /auth + serverUri: + cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + timeout: 10s + uri: http://primary.foo.com/auth + transportApiVersion: V3 + withRequestBody: + maxRequestBytes: 32768 + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + 
serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml new file mode 100644 index 00000000000..08edfc3c406 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml @@ -0,0 +1,44 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/1 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} 
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index fc7142446c1..c6a7121d7ca 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -468,6 +468,20 @@ _Appears in:_ | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +#### BodyToExtAuth + + + +BodyToExtAuth defines the Body to Ext Auth configuration + +_Appears in:_ +- [ExtAuth](#extauth) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | + + #### BootstrapType _Underlying type:_ _string_ @@ -1478,6 +1492,7 @@ _Appears in:_ | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | | `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index fc7142446c1..c6a7121d7ca 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -468,6 +468,20 @@ _Appears in:_ | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +#### BodyToExtAuth + + + +BodyToExtAuth defines the Body to Ext Auth configuration + +_Appears in:_ +- [ExtAuth](#extauth) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | + + #### BootstrapType _Underlying type:_ _string_ @@ -1478,6 +1492,7 @@ _Appears in:_ | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | | `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | From 8cba9584ab08869c7381828b9d87a5aff507e7a9 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 6 Dec 2024 13:39:54 +0800 Subject: [PATCH 466/523] ci: enable ipv6 test (#4853) enable ipv6 test Signed-off-by: zirain --- .github/workflows/build_and_test.yaml | 6 ++---- test/config/gatewayclass.yaml | 13 ++++++++++++ test/e2e/testdata/envoyproxy-daemonset.yaml | 1 + .../e2e/testdata/gateway-with-envoyproxy.yaml | 1 + test/e2e/testdata/httproute-routingtype.yaml | 1 + test/e2e/testdata/tracing-datadog.yaml | 1 + test/e2e/testdata/tracing-zipkin.yaml | 1 + test/e2e/upgrade/manifests.yaml | 1 + tools/make/kube.mk | 21 +++++++++++++++---- 9 files changed, 38 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 1c5e826076b..fcb6631782e 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -120,10 +120,7 @@ jobs: - version: v1.29.8 ipFamily: ipv4 - version: v1.30.4 - ipFamily: ipv4 - # Enable these after https://github.com/envoyproxy/gateway/issues/4572 fixed - # - version: v1.31.0 - # ipFamily: ipv6 # only run ipv6 test on latest version to save time + ipFamily: ipv6 # only run ipv6 test on this version to save time # TODO: this's IPv4 first, need a way to test IPv6 first. - version: v1.31.0 ipFamily: dual # only run dual test on latest version to save time @@ -148,6 +145,7 @@ jobs: KIND_NODE_TAG: ${{ matrix.target.version }} IMAGE_PULL_POLICY: IfNotPresent IP_FAMILY: ${{ matrix.target.ipFamily }} + E2E_TIMEOUT: 1h run: make e2e benchmark-test: diff --git a/test/config/gatewayclass.yaml b/test/config/gatewayclass.yaml index 6e8acf3d0f8..d47d1e10a9a 100644 --- a/test/config/gatewayclass.yaml +++ b/test/config/gatewayclass.yaml @@ -16,6 +16,7 @@ metadata: name: proxy-config namespace: envoy-gateway-system spec: + ipFamily: IPv4 provider: type: Kubernetes kubernetes: 
@@ -124,6 +125,7 @@ metadata: name: upgrade-config namespace: envoy-gateway-system spec: + ipFamily: IPv4 provider: type: Kubernetes kubernetes: @@ -158,6 +160,7 @@ metadata: name: merge-gateways-config namespace: envoy-gateway-system spec: + ipFamily: IPv4 mergeGateways: true --- kind: GatewayClass @@ -166,6 +169,11 @@ metadata: name: internet spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: proxy-config + namespace: envoy-gateway-system --- kind: GatewayClass apiVersion: gateway.networking.k8s.io/v1 @@ -173,5 +181,10 @@ metadata: name: private spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: proxy-config + namespace: envoy-gateway-system --- diff --git a/test/e2e/testdata/envoyproxy-daemonset.yaml b/test/e2e/testdata/envoyproxy-daemonset.yaml index fabe93e5420..a7f1e4509cb 100644 --- a/test/e2e/testdata/envoyproxy-daemonset.yaml +++ b/test/e2e/testdata/envoyproxy-daemonset.yaml @@ -24,6 +24,7 @@ metadata: name: eg-daemonset namespace: gateway-conformance-infra spec: + ipFamily: IPv4 provider: type: Kubernetes kubernetes: diff --git a/test/e2e/testdata/gateway-with-envoyproxy.yaml b/test/e2e/testdata/gateway-with-envoyproxy.yaml index 0d04562c13d..c62d0cc8584 100644 --- a/test/e2e/testdata/gateway-with-envoyproxy.yaml +++ b/test/e2e/testdata/gateway-with-envoyproxy.yaml @@ -24,6 +24,7 @@ metadata: namespace: gateway-conformance-infra name: test spec: + ipFamily: IPv4 routingType: Service --- apiVersion: gateway.networking.k8s.io/v1 diff --git a/test/e2e/testdata/httproute-routingtype.yaml b/test/e2e/testdata/httproute-routingtype.yaml index 72cd366a630..8c0d889f220 100644 --- a/test/e2e/testdata/httproute-routingtype.yaml +++ b/test/e2e/testdata/httproute-routingtype.yaml 
@@ -4,6 +4,7 @@ metadata: name: custom-proxy-config namespace: gateway-conformance-infra spec: + ipFamily: IPv4 routingType: Service --- apiVersion: gateway.networking.k8s.io/v1 diff --git a/test/e2e/testdata/tracing-datadog.yaml b/test/e2e/testdata/tracing-datadog.yaml index e4f54a7eebe..fa6024ee81e 100644 --- a/test/e2e/testdata/tracing-datadog.yaml +++ b/test/e2e/testdata/tracing-datadog.yaml @@ -39,6 +39,7 @@ metadata: name: datadog-tracing namespace: gateway-conformance-infra spec: + ipFamily: IPv4 logging: level: default: debug diff --git a/test/e2e/testdata/tracing-zipkin.yaml b/test/e2e/testdata/tracing-zipkin.yaml index 1f7aaf0a66f..b2c04bd9761 100644 --- a/test/e2e/testdata/tracing-zipkin.yaml +++ b/test/e2e/testdata/tracing-zipkin.yaml @@ -26,6 +26,7 @@ metadata: name: zipkin-tracing namespace: gateway-conformance-infra spec: + ipFamily: IPv4 logging: level: default: debug diff --git a/test/e2e/upgrade/manifests.yaml b/test/e2e/upgrade/manifests.yaml index 363ede65779..3b59689dd24 100644 --- a/test/e2e/upgrade/manifests.yaml +++ b/test/e2e/upgrade/manifests.yaml @@ -18,6 +18,7 @@ metadata: name: upgrade-config namespace: envoy-gateway-system spec: + ipFamily: IPv4 provider: type: Kubernetes kubernetes: diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 122e089b79e..ecb458e2791 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -12,6 +12,7 @@ GATEWAY_RELEASE_URL ?= https://github.com/kubernetes-sigs/gateway-api/releases/d WAIT_TIMEOUT ?= 15m +IP_FAMILY ?= ipv4 BENCHMARK_TIMEOUT ?= 60m BENCHMARK_CPU_LIMITS ?= 1000m BENCHMARK_MEMORY_LIMITS ?= 1024Mi 
@@ -35,11 +36,23 @@ ifeq ($(origin KUBE_INFRA_DIR),undefined) KUBE_INFRA_DIR := $(ROOT_DIR)/internal/infrastructure/kubernetes/config endif +ifeq ($(IP_FAMILY),ipv4) +ENVOY_PROXY_IP_FAMILY := IPv4 +else ifeq ($(IP_FAMILY),ipv6) +ENVOY_PROXY_IP_FAMILY := IPv6 +else ifeq ($(IP_FAMILY),dual) +ENVOY_PROXY_IP_FAMILY := DualStack +endif + ##@ Kubernetes Development YEAR := $(shell date +%Y) CONTROLLERGEN_OBJECT_FLAGS := object:headerFile="$(ROOT_DIR)/tools/boilerplate/boilerplate.generatego.txt",year=$(YEAR) +.PHONY: prepare-ip-family +prepare-ip-family: + @find ./test -type f -name "*.yaml" | xargs sed -i -e 's/ipFamily: IPv4/ipFamily: $(ENVOY_PROXY_IP_FAMILY)/g' + .PHONY: manifests manifests: $(tools/controller-gen) generate-gwapi-manifests ## Generate WebhookConfiguration and CustomResourceDefinition objects. @$(LOG_TARGET) @@ -145,7 +158,7 @@ install-ratelimit: kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available .PHONY: e2e-prepare -e2e-prepare: ## Prepare the environment for running e2e tests +e2e-prepare: prepare-ip-family ## Prepare the environment for running e2e tests @$(LOG_TARGET) kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available @@ -165,7 +178,7 @@ else endif .PHONY: run-benchmark -run-benchmark: install-benchmark-server ## Run benchmark tests +run-benchmark: install-benchmark-server prepare-ip-family ## Run benchmark tests @$(LOG_TARGET) mkdir -p $(OUTPUT_DIR)/benchmark kubectl wait --timeout=$(WAIT_TIMEOUT) -n benchmark-test deployment/nighthawk-test-server --for=condition=Available 
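Review bot: The `ifeq` chain that sets `ENVOY_PROXY_IP_FAMILY` has no final `else`, so any `IP_FAMILY` other than `ipv4`, `ipv6` or `dual` leaves the variable empty and `prepare-ip-family` rewrites every `ipFamily: IPv4` under `./test` to `ipFamily: ` without an error. Closing the chain with `else` followed by `$(error unsupported IP_FAMILY '$(IP_FAMILY)', expected ipv4, ipv6 or dual)` makes a typo in the CI matrix fail at parse time instead of producing manifests with an empty field. The target also edits tracked files in place and matches only the literal `IPv4`, so after one run with `ipv6` or `dual` a later run with a different family changes nothing until the tree is reset. A comment on the target such as `# Rewrites test manifests in place and is not reversible; run on a clean checkout.` would make that explicit for the targets that now depend on it (`e2e-prepare`, `run-benchmark`, `run-conformance`, `run-experimental-conformance`).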
@@ -221,7 +234,7 @@ kube-install-image: image.build $(tools/kind) ## Install the EG image to a kind tools/hack/kind-load-image.sh $(IMAGE) $(TAG) .PHONY: run-conformance -run-conformance: ## Run Gateway API conformance. +run-conformance: prepare-ip-family ## Run Gateway API conformance. @$(LOG_TARGET) kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml @@ -230,7 +243,7 @@ run-conformance: ## Run Gateway API conformance. CONFORMANCE_REPORT_PATH ?= .PHONY: run-experimental-conformance -run-experimental-conformance: ## Run Experimental Gateway API conformance. +run-experimental-conformance: prepare-ip-family ## Run Experimental Gateway API conformance. @$(LOG_TARGET) kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available kubectl apply -f test/config/gatewayclass.yaml From 14fb56e9b01da0aa333945be4caafb35cf2b7fbb Mon Sep 17 00:00:00 2001 From: zirain Date: Sat, 7 Dec 2024 04:08:05 +0800 Subject: [PATCH 467/523] chore: bump buf (#4855) Signed-off-by: zirain --- tools/src/buf/go.mod | 40 ++++++++++----------- tools/src/buf/go.sum | 84 ++++++++++++++++++++++---------------------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index 1b7b86cdd53..b737e498e97 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,14 +2,14 @@ module local go 1.23.3 -require github.com/bufbuild/buf v1.47.2 +require github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 // indirect - buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1 // indirect buf.build/go/bufplugin v0.6.0 // indirect buf.build/go/protoyaml v0.2.0 // indirect buf.build/go/spdx v0.2.0 // indirect 
@@ -22,15 +22,15 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 // indirect - github.com/containerd/cgroups/v3 v3.0.3 // indirect - github.com/containerd/containerd v1.7.23 // indirect - github.com/containerd/continuity v0.4.4 // indirect + github.com/bufbuild/protovalidate-go v0.7.3 // indirect + github.com/containerd/cgroups/v3 v3.0.4 // indirect + github.com/containerd/containerd v1.7.24 // indirect + github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect - github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.16.1 // indirect github.com/containerd/ttrpc v1.2.6 // indirect github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect @@ -50,9 +50,9 @@ require ( github.com/gofrs/flock v0.12.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/cel-go v0.22.0 // indirect + github.com/google/cel-go v0.22.1 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241101162523-b92577c0c142 // indirect + github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect 
@@ -71,7 +71,7 @@ require ( github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/morikuni/aec v1.0.0 // indirect - github.com/onsi/ginkgo/v2 v2.21.0 // indirect + github.com/onsi/ginkgo/v2 v2.22.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect @@ -79,17 +79,17 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect - github.com/quic-go/quic-go v0.48.1 // indirect + github.com/quic-go/quic-go v0.48.2 // indirect github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/segmentio/asm v1.2.0 // indirect - github.com/segmentio/encoding v0.4.0 // indirect + github.com/segmentio/encoding v0.4.1 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect - github.com/tetratelabs/wazero v1.8.1 // indirect + github.com/tetratelabs/wazero v1.8.2 // indirect github.com/vbatts/tar-split v0.11.6 // indirect go.lsp.dev/jsonrpc2 v0.10.0 // indirect go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 // indirect 
@@ -115,10 +115,10 @@ require ( golang.org/x/term v0.26.0 // indirect golang.org/x/text v0.20.0 // indirect golang.org/x/tools v0.27.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect google.golang.org/grpc v1.68.0 // indirect - google.golang.org/protobuf v1.35.1 // indirect + google.golang.org/protobuf v1.35.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index 9e7bf68b94e..c8862deb4da 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,13 +1,13 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1 h1:APVDdZ4VfUvERVIj//yDjCWV7WezEOiK7+b6gvJ+iAk= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.1-20241031151143-70f632351282.1/go.mod h1:rYPnjsUZ2lGpoQ/T322HWZQil9/MIZF2njP+/u/0GKg= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1 h1:9wP6ZZYWnF2Z0TxmII7m3XNykxnP4/w8oXeth6ekcRI= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.1-20240920164238-5a7b106cbb87.1/go.mod h1:Duw/9JoXkXIydyASnLYIiufkzySThoqavOsF+IihqvM= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1 h1:FHQXg3T7S2jp8yc7/bQJgqEH1yza/rrDHXITUK2Tm0g= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241025140216-aa40f2c93090.1/go.mod h1:5iwF5l+9lKCnvr1zLvDgUHrv6X+vU5nNPjvig1sbnao= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1 h1:PyqnJojY+BXNuJHp5aEfN9wPiP1dzrobXVmgLrUMe+A= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.1-20241025140216-aa40f2c93090.1/go.mod h1:x5Mti5bhMO87zJxCkcEbr7Lz+bHiFsqpxnpqSB1okG0= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1 h1:rPi3qs3qpDIXIl5QW2IPOaYZhppRkvuVKwEZrfhpy78= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.1-20241007202033-cf42259fcbfc.1/go.mod h1:4IVMTaeh4JIjBYcGFLlTorfWpKVEXDjDfHAgKTeR0Ds= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1 h1:d6K/z/RqVYxeAsAIGaIBDjFmmAz6A0Fp21pZXNlAxZs= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1/go.mod h1:vKDy7lD1bsN2UjeLhqklPEjIsHfHAPgMb/PbRx2EFDc= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1 h1:7QIeAuTdLp173vC/9JojRMDFcpmqtoYrxPmvdHAOynw= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 
v1.35.2-20240920164238-5a7b106cbb87.1/go.mod h1:mnHCFccv4HwuIAOHNGdiIc5ZYbBCvbTWZcodLN5wITI= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1 h1:q3PKZJfOuSZR8KC0asyo7EFID/3613pDFzFYAAO+Gd4= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1/go.mod h1:w+XYJEgdkHK5XJ+44Eq2YD02DZVLFNFjfwFKPz0nZcg= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1 h1:m2QVURqXvfedovCeWV5CsWm3VIrD87RHL+9P9o7HB84= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1/go.mod h1:EQCcR04Wp6ffVPfxNb4ZXAVJXrZJopDNKQWp37BDCgU= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1 h1:FcoYwX9eJhc73MdVlqyJjMOQ863akpHK0VEQ/+Zkt9U= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1/go.mod h1:uTCf/J5B6H9XCTgHuI91LC9qaNqxJxQFh0kDY/GLn2k= buf.build/go/bufplugin v0.6.0 h1:3lhoh+0z+IUPS3ZajTPn/27LaLIkero2BDVnV7yXD1s= buf.build/go/bufplugin v0.6.0/go.mod h1:hWCjxxv24xdR6F5pNlQavZV2oo0J3uF4Ff1XEoyV6vU= buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= 
@@ -32,14 +32,14 @@ github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6 github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.47.2 h1:fA5e2yVQGabxAz7W5aNbO7Fku1P6TpoHhjs1wER1pOc= -github.com/bufbuild/buf v1.47.2/go.mod h1:1Xd0QG0a1uCGk7cODUenpQ8E5l7bj2Ry9tnUfERm1YI= +github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff h1:BC18kC7Ct9bKHle7IajnayVArjjfzCMoxqOTk8zcdQc= +github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff/go.mod h1:9HgwgXevh9xuFX0QJf8fl0SB6Ws52QwbWkS2bcRyGXE= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576 h1:A4TfjZJqApnAvGKDgxHqA1rG6BK1OswyNcTcnSrDbJc= -github.com/bufbuild/protovalidate-go v0.7.3-0.20241015162221-1446f1e1d576/go.mod h1:R/UFeIPyFAh0eH7Ic/JJbO2ABdkxFuZZKDbzsI5UiwM= +github.com/bufbuild/protovalidate-go v0.7.3 h1:kKnoSueygR3xxppvuBpm9SEwIsP359MMRfMBGmRByPg= +github.com/bufbuild/protovalidate-go v0.7.3/go.mod h1:CFv34wMqiBzAHdQ4q/tWYi9ILFYKuaC3/4zh6eqdUck= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -54,12 +54,12 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= -github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= -github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= -github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII= -github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= +github.com/containerd/cgroups/v3 v3.0.4 h1:2fs7l3P0Qxb1nKWuJNFiwhp2CqiKzho71DQkDrHJIo4= +github.com/containerd/cgroups/v3 v3.0.4/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= +github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA= +github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= +github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= +github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= 
@@ -68,8 +68,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= -github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= -github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= +github.com/containerd/stargz-snapshotter/estargz v0.16.1 h1:7YswwU6746cJBN3p3l65JRk3+NZL7bap9Y6E3YeYowk= +github.com/containerd/stargz-snapshotter/estargz v0.16.1/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4= github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= 
@@ -139,8 +139,8 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g= -github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= +github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40= +github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -153,8 +153,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241101162523-b92577c0c142 h1:sAGdeJj0bnMgUNVeUpp6AYlVdCt3/GdI3pGRqsNSQLs= -github.com/google/pprof v0.0.0-20241101162523-b92577c0c142/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b h1:SXO0REt4iu865upYCk8aKBBJQ4BqoE0ReP23ClMu60s= +github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -205,8 +205,8 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= -github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= +github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -231,8 +231,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= -github.com/quic-go/quic-go v0.48.1 h1:y/8xmfWI9qmGTc+lBr4jKRUWLGSlSigv847ULJ4hYXA= -github.com/quic-go/quic-go v0.48.1/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= +github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE= +github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= 
@@ -241,8 +241,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= -github.com/segmentio/encoding v0.4.0 h1:MEBYvRqiUB2nfR2criEXWqwdY6HJOUrCn5hboVOVmy8= -github.com/segmentio/encoding v0.4.0/go.mod h1:/d03Cd8PoaDeceuhUUUQWjU0KhWjrmYrWPgtJHYZSnI= +github.com/segmentio/encoding v0.4.1 h1:KLGaLSW0jrmhB58Nn4+98spfvPvmo4Ci1P/WIQ9wn7w= +github.com/segmentio/encoding v0.4.1/go.mod h1:/d03Cd8PoaDeceuhUUUQWjU0KhWjrmYrWPgtJHYZSnI= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= 
@@ -258,10 +258,10 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/tetratelabs/wazero v1.8.1 h1:NrcgVbWfkWvVc4UtT4LRLDf91PsOzDzefMdwhLfA550= -github.com/tetratelabs/wazero v1.8.1/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tetratelabs/wazero v1.8.2 h1:yIgLR/b2bN31bjxwXHD8a3d+BogigR952csSDdLYEv4= +github.com/tetratelabs/wazero v1.8.2/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs= github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -377,10 +377,10 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
@@ -397,8 +397,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From b9f9a9f8dca9c56f83e3356cfee89707312f8566 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Sat, 7 Dec 2024 05:55:46 +0800 Subject: [PATCH 468/523] fix: btlsp section name doesn't support port name (#4784) * fix btlsp section name Signed-off-by: Huabing Zhao * add release note Signed-off-by: Huabing Zhao * optmize service search Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * fix e2e Signed-off-by: Huabing Zhao --------- 
Signed-off-by: Huabing Zhao Co-authored-by: zirain --- internal/cmd/egctl/translate_test.go | 9 ++++-- internal/gatewayapi/backendtlspolicy.go | 12 +++++-- internal/gatewayapi/resource/resource.go | 19 +++++++++--- .../resource/zz_generated.deepcopy.go | 17 ++++++++++ internal/gatewayapi/route.go | 31 ++++++++++++++----- .../backendtlspolicy-across-ns.in.yaml | 2 +- .../backendtlspolicy-across-ns.out.yaml | 2 +- .../backendtlspolicy-ca-only-secret.in.yaml | 2 +- .../backendtlspolicy-ca-only-secret.out.yaml | 2 +- .../testdata/backendtlspolicy-ca-only.in.yaml | 2 +- .../backendtlspolicy-ca-only.out.yaml | 2 +- ...endtlspolicy-default-ns-targetrefs.in.yaml | 2 +- ...ndtlspolicy-default-ns-targetrefs.out.yaml | 2 +- .../backendtlspolicy-default-ns.in.yaml | 2 +- .../backendtlspolicy-default-ns.out.yaml | 2 +- .../backendtlspolicy-invalid-ca.in.yaml | 2 +- .../backendtlspolicy-invalid-ca.out.yaml | 2 +- .../backendtlspolicy-multiple-targets.in.yaml | 8 ++--- ...backendtlspolicy-multiple-targets.out.yaml | 4 +-- ...backendtlspolicy-system-truststore.in.yaml | 2 +- ...ackendtlspolicy-system-truststore.out.yaml | 2 +- ...with-extproc-with-backendtlspolicy.in.yaml | 4 +-- ...ith-extproc-with-backendtlspolicy.out.yaml | 4 +-- ...-extproc-with-multiple-backendrefs.in.yaml | 2 +- ...extproc-with-multiple-backendrefs.out.yaml | 2 +- ...with-extproc-with-traffic-features.in.yaml | 2 +- ...ith-extproc-with-traffic-features.out.yaml | 2 +- .../envoyproxy-priority-backend.in.yaml | 2 +- .../envoyproxy-priority-backend.out.yaml | 2 +- ...with-extauth-with-backendtlspolicy.in.yaml | 4 +-- ...ith-extauth-with-backendtlspolicy.out.yaml | 4 +-- internal/gatewayapi/translator_test.go | 9 ++++-- release-notes/current.yaml | 1 + test/e2e/base/manifests.yaml | 3 +- test/e2e/testdata/backend-tls-settings.yaml | 5 +-- test/e2e/testdata/backend-tls.yaml | 2 +- .../ext-auth-grpc-securitypolicy.yaml | 2 +- test/e2e/testdata/ext-auth-grpc-service.yaml | 1 + 
test/e2e/testdata/ext-auth-http-service.yaml | 1 + .../ext-proc-envoyextensionpolicy.yaml | 2 +- test/e2e/testdata/ext-proc-service.yaml | 1 + 41 files changed, 122 insertions(+), 61 deletions(-) diff --git a/internal/cmd/egctl/translate_test.go b/internal/cmd/egctl/translate_test.go index 20cf76d0162..e87167ce305 100644 --- a/internal/cmd/egctl/translate_test.go +++ b/internal/cmd/egctl/translate_test.go @@ -22,6 +22,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/yaml" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/utils/field" "github.com/envoyproxy/gateway/internal/utils/file" ) @@ -368,8 +369,12 @@ func TestTranslate(t *testing.T) { // want.GatewayClass.Status.SupportedFeatures = status.GatewaySupportedFeatures // } - opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime") - require.Empty(t, cmp.Diff(want, got, opts)) + opts := []cmp.Option{ + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + } + + require.Empty(t, cmp.Diff(want, got, opts...)) }) } } diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index b76e215f99a..fbc9cafbf1a 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -32,7 +32,7 @@ func (t *Translator) processBackendTLSPolicy( resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy, ) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) { - policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace) + policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources) if policy == nil { return nil, nil } 
@@ -157,8 +157,14 @@ func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2 return false } -func getBackendTLSPolicy(policies []*gwapiv1a3.BackendTLSPolicy, backendRef gwapiv1a2.BackendObjectReference, backendNamespace string) *gwapiv1a3.BackendTLSPolicy { - target := getTargetBackendReference(backendRef) +func getBackendTLSPolicy( + policies []*gwapiv1a3.BackendTLSPolicy, + backendRef gwapiv1a2.BackendObjectReference, + backendNamespace string, + resources *resource.Resources, +) *gwapiv1a3.BackendTLSPolicy { + // SectionName is port number for EG Backend object + target := getTargetBackendReference(backendRef, backendNamespace, resources) for _, policy := range policies { if backendTLSTargetMatched(*policy, target, backendNamespace) { return policy diff --git a/internal/gatewayapi/resource/resource.go b/internal/gatewayapi/resource/resource.go index 97468511fa8..749e2efeef6 100644 --- a/internal/gatewayapi/resource/resource.go +++ b/internal/gatewayapi/resource/resource.go @@ -13,6 +13,7 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/types" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" gwapiv1a3 "sigs.k8s.io/gateway-api/apis/v1alpha3" @@ -64,6 +65,8 @@ type Resources struct { ExtensionServerPolicies []unstructured.Unstructured `json:"extensionServerPolicies,omitempty" yaml:"extensionServerPolicies,omitempty"` Backends []*egv1a1.Backend `json:"backends,omitempty" yaml:"backends,omitempty"` HTTPRouteFilters []*egv1a1.HTTPRouteFilter `json:"httpFilters,omitempty" yaml:"httpFilters,omitempty"` + + serviceMap map[types.NamespacedName]*corev1.Service } func NewResources() *Resources { 
@@ -111,14 +114,20 @@ func (r *Resources) GetEnvoyProxy(namespace, name string) *egv1a1.EnvoyProxy { return nil } +// GetService returns the Service with the given namespace and name. +// This function creates a HashMap of Services for faster lookup when it's called for the first time. +// Subsequent calls will use the HashMap for lookup. +// Note: +// - This function is not thread-safe. +// - This function should be called after all the Services are added to the Resources. func (r *Resources) GetService(namespace, name string) *corev1.Service { - for _, svc := range r.Services { - if svc.Namespace == namespace && svc.Name == name { - return svc + if r.serviceMap == nil { + r.serviceMap = make(map[types.NamespacedName]*corev1.Service) + for _, svc := range r.Services { + r.serviceMap[types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}] = svc } } - - return nil + return r.serviceMap[types.NamespacedName{Namespace: namespace, Name: name}] } func (r *Resources) GetServiceImport(namespace, name string) *mcsapiv1a1.ServiceImport { diff --git a/internal/gatewayapi/resource/zz_generated.deepcopy.go b/internal/gatewayapi/resource/zz_generated.deepcopy.go index 06925b1467d..3caecc292c8 100644 --- a/internal/gatewayapi/resource/zz_generated.deepcopy.go +++ b/internal/gatewayapi/resource/zz_generated.deepcopy.go @@ -14,6 +14,7 @@ import ( corev1 "k8s.io/api/core/v1" discoveryv1 "k8s.io/api/discovery/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/gateway-api/apis/v1" "sigs.k8s.io/gateway-api/apis/v1alpha2" "sigs.k8s.io/gateway-api/apis/v1alpha3" 
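Review bot: The lazily built `serviceMap` in `GetService` is never invalidated, so a Service appended to `r.Services` after the first call is reported as missing; the doc comment states the ordering requirement but nothing enforces it. The new caller in route.go uses this lookup to pick the section name a BackendTLSPolicy is matched on, so a stale miss would presumably leave that backend without its TLS policy instead of failing loudly. A cheap guard is to rebuild when the sizes disagree, `if r.serviceMap == nil || len(r.serviceMap) != len(r.Services) {`, or to fall back to the removed linear scan on a map miss. With duplicate namespace/name entries the map also keeps the last Service, where the removed loop returned the first.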
@@ -290,6 +291,22 @@ func (in *Resources) DeepCopyInto(out *Resources) { } } } + if in.serviceMap != nil { + in, out := &in.serviceMap, &out.serviceMap + *out = make(map[types.NamespacedName]*corev1.Service, len(*in)) + for key, val := range *in { + var outVal *corev1.Service + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(corev1.Service) + (*in).DeepCopyInto(*out) + } + (*out)[key] = outVal + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources. diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index ddada5f17b6..0fd60b0c51c 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -1598,30 +1598,45 @@ func getIREndpointsFromEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, p return endpoints } -func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { +func getTargetBackendReference(backendRef gwapiv1a2.BackendObjectReference, backendNamespace string, resources *resource.Resources) gwapiv1a2.LocalPolicyTargetReferenceWithSectionName { ref := gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{ LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{ Group: func() gwapiv1a2.Group { - if backendRef.Group == nil { + if backendRef.Group == nil || *backendRef.Group == "" { return "" } return *backendRef.Group }(), Kind: func() gwapiv1.Kind { - if backendRef.Kind == nil { + if backendRef.Kind == nil || *backendRef.Kind == resource.KindService { return "Service" } return *backendRef.Kind }(), Name: backendRef.Name, }, - SectionName: func() *gwapiv1.SectionName { - if backendRef.Port != nil { - return SectionNamePtr(strconv.Itoa(int(*backendRef.Port))) + } + if backendRef.Port == nil { + return ref + } + + // Set the section name to the port name if the backend is a Kubernetes Service + if backendRef.Kind == nil || *backendRef.Kind == resource.KindService { + if service := resources.GetService(backendNamespace, string(backendRef.Name)); service != nil { + for _, port := range service.Spec.Ports { + if port.Port == int32(*backendRef.Port) { + if port.Name != "" { + ref.SectionName = SectionNamePtr(port.Name) + break + } + } } - return nil - }(), + } + } else { + // Set the section name to the port number if the backend is a EG Backend + ref.SectionName = SectionNamePtr(strconv.Itoa(int(*backendRef.Port))) } + return ref } diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml index e87b3ad1cb9..efd69116641 100644 
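Review bot: In `getTargetBackendReference`, a Service backend whose Service is not found, or whose matching port has an empty `Name`, now returns with `SectionName` unset, and a policy that still targets the Service with a numeric `sectionName` (as the fixtures did before this commit) no longer gets a numeric value to compare against. The outcome depends on `backendTLSTargetMatched`, whose body is outside this hunk, but if an unmatched section means no policy, upstream TLS validation is dropped silently for existing configurations. I would either keep the port number as a fallback when no named port is found, `ref.SectionName = SectionNamePtr(strconv.Itoa(int(*backendRef.Port)))`, or list the change as breaking in the release notes rather than under bug fixes. The port loop also ignores protocol, so a Service exposing the same port number for TCP and UDP under different names resolves to whichever entry comes first.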
--- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.in.yaml @@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml index fde390c7efe..ae77deb8c62 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-across-ns.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml index b701ad9800f..fd4caad15e4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.in.yaml @@ -108,7 +108,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-secret diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml index a5b87b3fa1f..cd7e70d8bfa 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only-secret.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" 
diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml index cc6c0f17c8f..2b6701762f7 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.in.yaml @@ -123,7 +123,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml index 8489f047341..a89dc859cdd 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-ca-only.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml index a86b1a25930..2fd3adc48e7 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.in.yaml @@ -167,7 +167,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml index 9f4874f90f4..bbea6c79f5f 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns-targetrefs.out.yaml 
@@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http - group: gateway.envoyproxy.io kind: Backend name: backend-ip-tls diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml index 5a13fba2fc2..10ac7095127 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.in.yaml @@ -134,7 +134,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml index 2e2186879f9..0fbf1d8d411 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-default-ns.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml index 7abc20d19c1..a5484a20358 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.in.yaml @@ -105,7 +105,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - name: no-ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 100efbcab4f..20e749d0e90 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml index d3458d06da8..96a97fcb0ca 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.in.yaml @@ -64,11 +64,11 @@ services: clusterIP: 10.11.12.13 ports: - port: 8080 - name: http + name: http1 protocol: TCP targetPort: 8080 - port: 8081 - name: http + name: http2 protocol: TCP targetPort: 8081 @@ -110,11 +110,11 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http1 - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml index 8ecd25a2418..75f11c18849 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-multiple-targets.out.yaml @@ -10,11 +10,11 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http1 - group: "" kind: Service name: http-backend - sectionName: "8081" + sectionName: http2 validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml index 3b20aa31ee5..520065b82a4 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml 
+++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.in.yaml @@ -98,7 +98,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: wellKnownCACertificates: System hostname: example.com diff --git a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml index f91dc4d768e..dbe5fcb90f2 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-system-truststore.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "8080" + sectionName: http validation: hostname: example.com wellKnownCACertificates: System diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml index 95e8b95701f..a7c8128be50 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.in.yaml @@ -160,7 +160,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap @@ -177,7 +177,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend-2 - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml index 3fd129b8047..06461f085fe 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-backendtlspolicy.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" @@ -42,7 +42,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend-2 - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml index dad20362396..89be7cac752 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml index a81a7cd4410..5f1cd880246 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-multiple-backendrefs.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml index 1f25d8f7e0b..30af5a4dbd9 100644 
--- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml index 21fb5de6103..df04fea804f 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-extproc-with-traffic-features.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml index 64b0b7a3ae9..42e46b8990e 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.in.yaml @@ -162,7 +162,7 @@ backendTLSPolicies: - group: '' kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml index 426268f6340..8044e3874ed 100644 --- a/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-priority-backend.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "8000" + sectionName: grpc validation: caCertificateRefs: - group: "" 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml index d2aee51b27e..abd7ed641b9 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml @@ -160,7 +160,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "80" + sectionName: http validation: caCertificateRefs: - name: ca-cmap @@ -177,7 +177,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - name: ca-cmap diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml index b87c7992c90..c4f0d3b6c99 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml @@ -10,7 +10,7 @@ backendTLSPolicies: - group: "" kind: Service name: http-backend - sectionName: "80" + sectionName: http validation: caCertificateRefs: - group: "" @@ -42,7 +42,7 @@ backendTLSPolicies: - group: "" kind: Service name: grpc-backend - sectionName: "9000" + sectionName: grpc validation: caCertificateRefs: - group: "" diff --git a/internal/gatewayapi/translator_test.go b/internal/gatewayapi/translator_test.go index 61e0025fbdd..96a88bfdec9 100644 --- a/internal/gatewayapi/translator_test.go +++ b/internal/gatewayapi/translator_test.go 
@@ -320,11 +320,11 @@ func TestTranslate(t *testing.T) { opts := []cmp.Option{ cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), cmp.Transformer("ClearXdsEqual", xdsWithoutEqual), cmpopts.IgnoreTypes(ir.PrivateBytes{}), cmpopts.EquateEmpty(), } - require.Empty(t, cmp.Diff(want, got, opts...)) }) } @@ -519,8 +519,11 @@ func TestTranslateWithExtensionKinds(t *testing.T) { want := &TranslateResult{} mustUnmarshal(t, output, want) - opts := cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime") - require.Empty(t, cmp.Diff(want, got, opts)) + opts := []cmp.Option{ + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + } + require.Empty(t, cmp.Diff(want, got, opts...)) }) } } diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 6ba9c2ee5cb..b2bfc794438 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -17,6 +17,7 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | + Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected # Enhancements that improve performance. diff --git a/test/e2e/base/manifests.yaml b/test/e2e/base/manifests.yaml index 34ccc08390a..ef3e9841c3b 100644 --- a/test/e2e/base/manifests.yaml +++ b/test/e2e/base/manifests.yaml @@ -480,7 +480,8 @@ spec: selector: app: tls-backend-2 ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 --- diff --git a/test/e2e/testdata/backend-tls-settings.yaml b/test/e2e/testdata/backend-tls-settings.yaml index 749255f82e5..b78ace739fe 100644 --- a/test/e2e/testdata/backend-tls-settings.yaml +++ b/test/e2e/testdata/backend-tls-settings.yaml 
@@ -62,7 +62,8 @@ spec: selector: app: tls-backend ports: - - protocol: TCP + - name: https + protocol: TCP port: 443 targetPort: 8443 --- @@ -137,7 +138,7 @@ spec: - group: "" kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-certificate diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml index f00218ab99c..ad77871ea74 100644 --- a/test/e2e/testdata/backend-tls.yaml +++ b/test/e2e/testdata/backend-tls.yaml @@ -8,7 +8,7 @@ spec: - group: "" kind: Service name: tls-backend-2 - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: backend-tls-checks-certificate diff --git a/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml b/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml index c75ee250f09..2d49f69c50a 100644 --- a/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml +++ b/test/e2e/testdata/ext-auth-grpc-securitypolicy.yaml @@ -62,7 +62,7 @@ spec: - group: '' kind: Service name: grpc-ext-auth - sectionName: "9002" + sectionName: grpc validation: caCertificateRefs: - name: grpc-ext-auth-ca diff --git a/test/e2e/testdata/ext-auth-grpc-service.yaml b/test/e2e/testdata/ext-auth-grpc-service.yaml index 587dad8a860..da74439592f 100644 --- a/test/e2e/testdata/ext-auth-grpc-service.yaml +++ b/test/e2e/testdata/ext-auth-grpc-service.yaml @@ -103,3 +103,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: grpc diff --git a/test/e2e/testdata/ext-auth-http-service.yaml b/test/e2e/testdata/ext-auth-http-service.yaml index a4e96928292..cada07e4712 100644 --- a/test/e2e/testdata/ext-auth-http-service.yaml +++ b/test/e2e/testdata/ext-auth-http-service.yaml @@ -39,3 +39,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: http diff --git a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml index 90d25613be5..0190225933d 100644 
--- a/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml +++ b/test/e2e/testdata/ext-proc-envoyextensionpolicy.yaml @@ -84,7 +84,7 @@ spec: - group: '' kind: Service name: grpc-ext-proc - sectionName: "9002" + sectionName: grpc validation: caCertificateRefs: - name: grpc-ext-proc-ca diff --git a/test/e2e/testdata/ext-proc-service.yaml b/test/e2e/testdata/ext-proc-service.yaml index 3dc4796e123..57581a80c38 100644 --- a/test/e2e/testdata/ext-proc-service.yaml +++ b/test/e2e/testdata/ext-proc-service.yaml @@ -95,3 +95,4 @@ spec: - protocol: TCP port: 9002 targetPort: 9002 + name: grpc From 05ee5f4d696b855ebd0a8da3db777c8bff3ad770 Mon Sep 17 00:00:00 2001 From: Alex Volchok Date: Sun, 8 Dec 2024 15:55:08 +0100 Subject: [PATCH 469/523] refactor: return 500 when BackendTLSPolicy translation fails (#4363) 
Signed-off-by: Alexander Volchok --- internal/gatewayapi/backendtlspolicy.go | 74 ++++------ internal/gatewayapi/ext_service.go | 6 +- internal/gatewayapi/filters.go | 37 +++-- internal/gatewayapi/route.go | 129 +++++++++++----- .../backend-invalid-feature-disabled.out.yaml | 6 +- .../backendtlspolicy-invalid-ca.out.yaml | 11 +- ...ndtrafficpolicy-status-conditions.out.yaml | 12 +- ...ratelimit-invalid-distinct-invert.out.yaml | 6 +- ...ficpolicy-with-timeout-targetrefs.out.yaml | 12 +- .../clienttrafficpolicy-http10.out.yaml | 18 +-- .../testdata/custom-filter-order.out.yaml | 6 +- ...extensionpolicy-status-conditions.out.yaml | 12 +- ...ensionpolicy-with-wasm-targetrefs.out.yaml | 12 +- .../envoyproxy-accesslog-types.out.yaml | 6 +- ...nvoyproxy-tls-settings-invalid-ns.out.yaml | 73 +-------- .../envoyproxy-tls-settings-invalid.out.yaml | 74 +--------- ...stener-with-hostname-intersection.out.yaml | 12 +- ...route-with-mismatch-port-protocol.out.yaml | 13 +- ...route-with-mismatch-port-protocol.out.yaml | 13 +- .../testdata/grpcroute-with-backend.out.yaml | 12 +- ...end-backendref-mixed-address-type.out.yaml | 30 +--- ...-listener-with-backend-backendref.out.yaml | 18 +-- ...end-backendrefs-diff-address-type.out.yaml | 38 +---- ...end-backendrefs-same-address-type.out.yaml | 7 +- ...ort-backendref-mixed-address-type.out.yaml | 13 +- ...with-invalid-backend-ref-bad-port.out.yaml | 6 +- ...invalid-backend-ref-invalid-group.out.yaml | 6 +- ...-invalid-backend-ref-invalid-kind.out.yaml | 6 +- ...-with-invalid-backend-ref-no-port.out.yaml | 6 +- ...lid-backend-ref-no-service.import.out.yaml | 6 +- ...th-invalid-backend-ref-no-service.out.yaml | 6 +- ...id-backend-ref-unsupported-filter.out.yaml | 6 +- ...lid-backendref-in-other-namespace.out.yaml | 6 +- ...ith-mirror-filter-service-no-port.out.yaml | 28 +--- ...h-mirror-filter-service-not-found.out.yaml | 28 +--- ...e-invalid-backend-refs-no-service.out.yaml | 13 +- .../securitypolicy-status-conditions.out.yaml | 12 
+- ...curitypolicy-with-cors-targetrefs.out.yaml | 18 +-- ...curitypolicy-with-extauth-backend.out.yaml | 6 +- .../testdata/tcproute-with-backend.out.yaml | 13 +- .../tlsroute-invalid-reference-grant.in.yaml | 139 ++++++++++++++++++ .../tlsroute-invalid-reference-grant.out.yaml | 102 +++++++++++++ internal/gatewayapi/validate.go | 96 ++++++------ 43 files changed, 530 insertions(+), 623 deletions(-) create mode 100644 internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.in.yaml create mode 100644 internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.out.yaml diff --git a/internal/gatewayapi/backendtlspolicy.go b/internal/gatewayapi/backendtlspolicy.go index fbc9cafbf1a..0f99145f5a9 100644 --- a/internal/gatewayapi/backendtlspolicy.go +++ b/internal/gatewayapi/backendtlspolicy.go @@ -9,6 +9,7 @@ import ( "fmt" "reflect" + "k8s.io/apimachinery/pkg/types" "k8s.io/utils/ptr" gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2" @@ -20,8 +21,11 @@ import ( "github.com/envoyproxy/gateway/internal/ir" ) -func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { - upstreamConfig, policy := t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources, envoyProxy) +func (t *Translator) applyBackendTLSSetting(backendRef gwapiv1.BackendObjectReference, backendNamespace string, parent gwapiv1a2.ParentReference, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) (*ir.TLSUpstreamConfig, error) { + upstreamConfig, policy, err := t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources) + if err != nil { + return nil, err + } return t.applyEnvoyProxyBackendTLSSetting(policy, upstreamConfig, resources, parent, envoyProxy) } 
@@ -30,18 +34,13 @@ func (t *Translator) processBackendTLSPolicy( backendNamespace string, parent gwapiv1a2.ParentReference, resources *resource.Resources, - envoyProxy *egv1a1.EnvoyProxy, -) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy) { +) (*ir.TLSUpstreamConfig, *gwapiv1a3.BackendTLSPolicy, error) { policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources) if policy == nil { - return nil, nil + return nil, nil, nil } tlsBundle, err := getBackendTLSBundle(policy, resources) - if err == nil && tlsBundle == nil { - return nil, nil - } - ancestorRefs := getAncestorRefs(policy) ancestorRefs = append(ancestorRefs, parent) 
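Review bot: Dropping the `if err == nil && tlsBundle == nil` early return means a nil bundle with a nil error now falls through to `SetAcceptedForPolicyAncestors` in the next hunk and comes back as `nil, policy, nil`. Whether `getBackendTLSBundle` can return that pair is not visible here, but if it can, the policy is reported as accepted while the backend receives no TLS settings, which is the kind of silent failure the commit title says it removes. If the pair is impossible, a one-line comment saying so would help; otherwise treat it as an error after the existing error check, e.g. `if tlsBundle == nil { return nil, nil, fmt.Errorf("no TLS bundle for BackendTLSPolicy %s/%s", policy.Namespace, policy.Name) }`. The function body continues outside this hunk.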
@@ -52,42 +51,16 @@ func (t *Translator) processBackendTLSPolicy( policy.Generation, status.Error2ConditionMsg(err), ) - return nil, nil + return nil, nil, err } status.SetAcceptedForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName) - // apply defaults as per envoyproxy - if envoyProxy != nil { - if envoyProxy.Spec.BackendTLS != nil { - if len(envoyProxy.Spec.BackendTLS.Ciphers) > 0 { - tlsBundle.Ciphers = envoyProxy.Spec.BackendTLS.Ciphers - } - if len(envoyProxy.Spec.BackendTLS.ECDHCurves) > 0 { - tlsBundle.ECDHCurves = envoyProxy.Spec.BackendTLS.ECDHCurves - } - if len(envoyProxy.Spec.BackendTLS.SignatureAlgorithms) > 0 { - tlsBundle.SignatureAlgorithms = envoyProxy.Spec.BackendTLS.SignatureAlgorithms - } - if envoyProxy.Spec.BackendTLS.MinVersion != nil { - tlsBundle.MinVersion = ptr.To(ir.TLSVersion(*envoyProxy.Spec.BackendTLS.MinVersion)) - } - if envoyProxy.Spec.BackendTLS.MaxVersion != nil { - tlsBundle.MaxVersion = ptr.To(ir.TLSVersion(*envoyProxy.Spec.BackendTLS.MaxVersion)) - } - if len(envoyProxy.Spec.BackendTLS.ALPNProtocols) > 0 { - tlsBundle.ALPNProtocols = make([]string, len(envoyProxy.Spec.BackendTLS.ALPNProtocols)) - for i := range envoyProxy.Spec.BackendTLS.ALPNProtocols { - tlsBundle.ALPNProtocols[i] = string(envoyProxy.Spec.BackendTLS.ALPNProtocols[i]) - } - } - } - } - return tlsBundle, policy + return tlsBundle, policy, nil } -func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *resource.Resources, parent gwapiv1a2.ParentReference, ep *egv1a1.EnvoyProxy) *ir.TLSUpstreamConfig { +func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendTLSPolicy, tlsConfig *ir.TLSUpstreamConfig, resources *resource.Resources, parent gwapiv1a2.ParentReference, ep *egv1a1.EnvoyProxy) (*ir.TLSUpstreamConfig, error) { if ep == nil || ep.Spec.BackendTLS == nil || tlsConfig == nil { - return tlsConfig + return tlsConfig, nil } if 
len(ep.Spec.BackendTLS.Ciphers) > 0 { @@ -116,28 +89,41 @@ func (t *Translator) applyEnvoyProxyBackendTLSSetting(policy *gwapiv1a3.BackendT ancestorRefs := []gwapiv1a2.ParentReference{ parent, } + var err error if ns != ep.Namespace { + err = fmt.Errorf("ClientCertificateRef Secret is not located in the same namespace as Envoyproxy. Secret namespace: %s does not match Envoyproxy namespace: %s", ns, ep.Namespace) status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, policy.Generation, - status.Error2ConditionMsg(fmt.Errorf("client authentication TLS secret is not located in the same namespace as Envoyproxy. Secret namespace: %s does not match Envoyproxy namespace: %s", ns, ep.Namespace))) - return tlsConfig + status.Error2ConditionMsg(err)) + return tlsConfig, err } secret := resources.GetSecret(ns, string(ep.Spec.BackendTLS.ClientCertificateRef.Name)) if secret == nil { + err = fmt.Errorf( + "failed to locate TLS secret for client auth: %s specified in EnvoyProxy %s", + types.NamespacedName{ + Namespace: ep.Namespace, + Name: string(ep.Spec.BackendTLS.ClientCertificateRef.Name), + }.String(), + types.NamespacedName{ + Namespace: ep.Namespace, + Name: ep.Name, + }.String(), + ) status.SetTranslationErrorForPolicyAncestors(&policy.Status, ancestorRefs, t.GatewayControllerName, policy.Generation, - status.Error2ConditionMsg(fmt.Errorf("failed to locate TLS secret for client auth: %s in namespace: %s", ep.Spec.BackendTLS.ClientCertificateRef.Name, ns)), + status.Error2ConditionMsg(err), ) - return tlsConfig + return tlsConfig, err } tlsConf := irTLSConfigs(secret) tlsConfig.ClientCertificates = tlsConf.Certificates } - return tlsConfig + return tlsConfig, nil } func backendTLSTargetMatched(policy gwapiv1a3.BackendTLSPolicy, target gwapiv1a2.LocalPolicyTargetReferenceWithSectionName, backendNamespace string) bool { 
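Review bot: The error built in this hunk for a missing client-certificate Secret names both the Secret and the EnvoyProxy by namespace/name, and the TCP and UDP callers in route.go copy `err.Error()` into route status, as the regenerated fixtures show. If route owners are not meant to see objects in the EnvoyProxy namespace (an assumption to confirm), keep the detailed text on the BackendTLSPolicy condition and return a shorter error to the route, for example `errors.New("client certificate secret for backend TLS could not be resolved")`. The first message in this hunk also starts with a capital and has a period mid-string, unlike the lowercase second message. applyEnvoyProxyBackendTLSSetting begins in the previous hunk.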
diff --git a/internal/gatewayapi/ext_service.go b/internal/gatewayapi/ext_service.go index 39bd5aebe47..b1111ffa0f4 100644 --- a/internal/gatewayapi/ext_service.go +++ b/internal/gatewayapi/ext_service.go @@ -110,7 +110,8 @@ func (t *Translator) processExtServiceDestination( "mixed endpointslice address type for the same backendRef is not supported") } - backendTLS = t.applyBackendTLSSetting( + var err error + backendTLS, err = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, // Gateway is not the appropriate parent reference here because the owner @@ -126,6 +127,9 @@ func (t *Translator) processExtServiceDestination( resources, envoyProxy, ) + if err != nil { + return nil, err + } ds.TLS = backendTLS diff --git a/internal/gatewayapi/filters.go b/internal/gatewayapi/filters.go index 68bf84b33c2..7e1b5f0409a 100644 --- a/internal/gatewayapi/filters.go +++ b/internal/gatewayapi/filters.go @@ -31,8 +31,7 @@ type HTTPFiltersTranslator interface { processRedirectFilter(redirect *gwapiv1.HTTPRequestRedirectFilter, filterContext *HTTPFiltersContext) processRequestHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext) processResponseHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext) - processRequestMirrorFilter(filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources) - processExtensionRefHTTPFilter(extRef *gwapiv1.LocalObjectReference, filterContext *HTTPFiltersContext, resources *resource.Resources) + processRequestMirrorFilter(filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources) error processUnsupportedHTTPFilter(filterType string, filterContext *HTTPFiltersContext) } 
@@ -69,13 +68,14 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext, filters []gwapiv1.HTTPRouteFilter, ruleIdx int, resources *resource.Resources, -) *HTTPFiltersContext { +) (*HTTPFiltersContext, error) { httpFiltersContext := &HTTPFiltersContext{ ParentRef: parentRef, Route: route, RuleIdx: ruleIdx, HTTPFilterIR: &HTTPFilterIR{}, } + var err error for i := range filters { filter := filters[i] // If an invalid filter type has been configured then skip processing any more filters @@ -97,7 +97,7 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext, case gwapiv1.HTTPRouteFilterResponseHeaderModifier: t.processResponseHeaderModifierFilter(filter.ResponseHeaderModifier, httpFiltersContext) case gwapiv1.HTTPRouteFilterRequestMirror: - t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources) + err = t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources) case gwapiv1.HTTPRouteFilterExtensionRef: t.processExtensionRefHTTPFilter(filter.ExtensionRef, httpFiltersContext, resources) default: @@ -105,7 +105,7 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext, } } - return httpFiltersContext + return httpFiltersContext, err } // ProcessGRPCFilters translates gateway api grpc filters to IRs. @@ -113,13 +113,14 @@ func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext, route RouteContext, filters []gwapiv1.GRPCRouteFilter, resources *resource.Resources, -) *HTTPFiltersContext { +) (*HTTPFiltersContext, error) { httpFiltersContext := &HTTPFiltersContext{ ParentRef: parentRef, Route: route, HTTPFilterIR: &HTTPFilterIR{}, } + for i := range filters { filter := filters[i] // If an invalid filter type has been configured then skip processing any more filters 
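Review bot: In ProcessHTTPFilters the `err` assigned in the `HTTPRouteFilterRequestMirror` case is overwritten by the next mirror filter in the loop, so a failing mirror followed by a valid one returns a nil error and the route is not disabled. ProcessGRPCFilters stops at the first failure; doing the same here keeps the two in step: `if err := t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources); err != nil { return httpFiltersContext, err }`. The `var err error` added in the first hunk of this function is then no longer needed and the final return can be `return httpFiltersContext, nil`. The loop body is split across several hunks, so only part of it is visible here.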
@@ -137,7 +138,10 @@ func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext, case gwapiv1.GRPCRouteFilterResponseHeaderModifier: t.processResponseHeaderModifierFilter(filter.ResponseHeaderModifier, httpFiltersContext) case gwapiv1.GRPCRouteFilterRequestMirror: - t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources) + err := t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources) + if err != nil { + return nil, err + } case gwapiv1.GRPCRouteFilterExtensionRef: t.processExtensionRefHTTPFilter(filter.ExtensionRef, httpFiltersContext, resources) default: @@ -145,7 +149,7 @@ func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext, } } - return httpFiltersContext + return httpFiltersContext, nil } // Checks if the context and the rewrite both contain a core gw-api HTTP URL rewrite @@ -968,10 +972,10 @@ func (t *Translator) processRequestMirrorFilter( mirrorFilter *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources, -) { +) error { // Make sure the config actually exists if mirrorFilter == nil { - return + return nil } mirrorBackend := mirrorFilter.BackendRef 
@@ -988,18 +992,23 @@ func (t *Translator) processRequestMirrorFilter( // This sets the status on the HTTPRoute, should the usage be changed so that the status message reflects that the backendRef is from the filter? filterNs := filterContext.Route.GetNamespace() serviceNamespace := NamespaceDerefOr(mirrorBackend.Namespace, filterNs) - if !t.validateBackendRef(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, - resources, serviceNamespace, resource.KindHTTPRoute) { - return + err := t.validateBackendRef(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, + resources, serviceNamespace, resource.KindHTTPRoute) + if err != nil { + return err } - ds := t.processDestination(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources) + ds, err := t.processDestination(mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources) + if err != nil { + return err + } newMirror := &ir.RouteDestination{ Name: fmt.Sprintf("%s-mirror-%d", irRouteDestinationName(filterContext.Route, filterContext.RuleIdx), filterIdx), Settings: []*ir.DestinationSetting{ds}, } filterContext.Mirrors = append(filterContext.Mirrors, newMirror) + return nil } func (t *Translator) processUnresolvedHTTPFilter(errMsg string, filterContext *HTTPFiltersContext) { diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 0fd60b0c51c..544bb85d6e7 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -184,8 +184,10 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe // compute matches, filters, backends for ruleIdx, rule := range httpRoute.Spec.Rules { - httpFiltersContext := t.ProcessHTTPFilters(parentRef, httpRoute, rule.Filters, ruleIdx, resources) - + httpFiltersContext, err := t.ProcessHTTPFilters(parentRef, httpRoute, rule.Filters, ruleIdx, resources) + if err != nil { + return nil, err + } // A rule is matched if any one of its matches // is satisfied (i.e. a logical "OR"), so generate // a unique Xds IR HTTPRoute per match. @@ -197,16 +199,23 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe dstAddrTypeMap := make(map[ir.DestinationAddressType]int) for _, backendRef := range rule.BackendRefs { - ds := t.processDestination(backendRef, parentRef, httpRoute, resources) - + ds, err := t.processDestination(backendRef, parentRef, httpRoute, resources) if !t.IsEnvoyServiceRouting(envoyProxy) && ds != nil && len(ds.Endpoints) > 0 && ds.AddressType != nil { dstAddrTypeMap[*ds.AddressType]++ } - if ds == nil { - continue - } for _, route := range ruleRoutes { + // disable associated routes to a backend ref in case some of its config was invalid + if err != nil { + route.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), + } + continue + } + + if ds == nil { + continue + } // If the route already has a direct response or redirect configured, then it was from a filter so skip // processing any destinations for this route. if route.DirectResponse != nil || route.Redirect != nil { 
@@ -536,8 +545,10 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe // compute matches, filters, backends for ruleIdx, rule := range grpcRoute.Spec.Rules { - httpFiltersContext := t.ProcessGRPCFilters(parentRef, grpcRoute, rule.Filters, resources) - + httpFiltersContext, err := t.ProcessGRPCFilters(parentRef, grpcRoute, rule.Filters, resources) + if err != nil { + return nil, err + } // A rule is matched if any one of its matches // is satisfied (i.e. a logical "OR"), so generate // a unique Xds IR HTTPRoute per match. @@ -547,7 +558,7 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe } for _, backendRef := range rule.BackendRefs { - ds := t.processDestination(backendRef, parentRef, grpcRoute, resources) + ds, err := t.processDestination(backendRef, parentRef, grpcRoute, resources) if ds == nil { continue } @@ -559,6 +570,13 @@ func (t *Translator) processGRPCRouteRules(grpcRoute *GRPCRouteContext, parentRe continue } + // disable associated routes to a backend ref in case some of its config was invalid + if err != nil { + route.DirectResponse = &ir.CustomResponse{ + StatusCode: ptr.To(uint32(500)), + } + } + if route.Destination == nil { route.Destination = &ir.RouteDestination{ Name: irRouteDestinationName(grpcRoute, ruleIdx), @@ -831,7 +849,8 @@ func (t *Translator) processTLSRouteParentRefs(tlsRoute *TLSRouteContext, resour // compute backends for _, rule := range tlsRoute.Spec.Rules { for _, backendRef := range rule.BackendRefs { - ds := t.processDestination(backendRef, parentRef, tlsRoute, resources) + // not yet handled, requires to align with the conformance test - TLSRouteInvalidReferenceGrant. + ds, _ := t.processDestination(backendRef, parentRef, tlsRoute, resources) if ds != nil { destSettings = append(destSettings, ds) } 
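Review bot: The `if err != nil` branch added inside the route loop of processGRPCRouteRules cannot run, because processDestination returns a nil `ds` on every error path visible in this patch and the unchanged `if ds == nil { continue }` skips the backend first. An invalid backendRef is therefore handled like a zero-weight one, and any 500 response depends on code outside these hunks. Changing the guard to `if ds == nil && err == nil { continue }` and ending the error branch with `continue` makes the new branch reachable and keeps a nil `ds` out of the destination settings, which is the order processHTTPRouteRules already uses. The loop header and the rest of the function are outside the hunks.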
@@ -971,11 +990,20 @@ func (t *Translator) processUDPRouteParentRefs(udpRoute *UDPRouteContext, resour } for _, backendRef := range udpRoute.Spec.Rules[0].BackendRefs { - ds := t.processDestination(backendRef, parentRef, udpRoute, resources) - if ds == nil { + ds, err := t.processDestination(backendRef, parentRef, udpRoute, resources) + // skip adding the route and provide the reason via route status. + if err != nil { + routeStatus := GetRouteStatus(udpRoute) + status.SetRouteStatusCondition(routeStatus, + parentRef.routeParentStatusIdx, + udpRoute.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + "Failed to process the settings associated with the UDP route.", + err.Error(), + ) continue } - destSettings = append(destSettings, ds) } @@ -1104,11 +1132,20 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour } for _, backendRef := range tcpRoute.Spec.Rules[0].BackendRefs { - ds := t.processDestination(backendRef, parentRef, tcpRoute, resources) - if ds == nil { + ds, err := t.processDestination(backendRef, parentRef, tcpRoute, resources) + // skip adding the route and provide the reason via route status. + if err != nil { + routeStatus := GetRouteStatus(tcpRoute) + status.SetRouteStatusCondition(routeStatus, + parentRef.routeParentStatusIdx, + tcpRoute.GetGeneration(), + gwapiv1.RouteConditionAccepted, + metav1.ConditionFalse, + "Failed to process the settings associated with the TCP route.", + err.Error(), + ) continue } - destSettings = append(destSettings, ds) } 
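Review bot: Removing the `if ds == nil { continue }` guard in the UDP loop lets a nil entry into `destSettings`: processDestination returns `nil, nil` for a backendRef with weight 0, so `err` is nil and the nil `ds` is appended. The TCP hunk that follows makes the same change. Keeping `if ds == nil { continue }` after the error branch avoids handing a nil `*ir.DestinationSetting` to later translation stages. Both loops sit in functions that start and end outside their hunks.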
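Review bot: The reason argument passed to `status.SetRouteStatusCondition` in the TCP hunk is a free-form sentence, and the regenerated fixtures store it as `reason: Failed to process the settings associated with the TCP route.`. Kubernetes condition reasons are expected to be CamelCase identifiers without spaces, so an API server that validates the condition is likely to reject the status update; the other call visible in this patch passes `gwapiv1.RouteReasonResolvedRefs` in that position. Pass a reason constant there (for instance `gwapiv1.RouteReasonUnsupportedValue`, if that fits) and move the sentence into the message: `"Failed to process the settings associated with the TCP route: " + err.Error()`. The UDP hunk above needs the same change.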
@@ -1197,12 +1234,12 @@ func (t *Translator) processTCPRouteParentRefs(tcpRoute *TCPRouteContext, resour } } -// processDestination takes a backendRef and translates it into destination setting or sets error statuses and -// returns the weight for the backend so that 500 error responses can be returned for invalid backends in -// the same proportion as the backend would have otherwise received +// processDestination translates a backendRef into a destination settings. +// If an error occurs during this conversion, an error is returned, and the associated routes are expected to become inactive. +// This will result in a direct 500 response for HTTP-based requests. func (t *Translator) processDestination(backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources, -) (ds *ir.DestinationSetting) { +) (ds *ir.DestinationSetting, err error) { routeType := GetRouteType(route) weight := uint32(1) backendRef := GetBackendRef(backendRefContext) @@ -1211,14 +1248,17 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, } backendNamespace := NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()) - if !t.validateBackendRef(backendRefContext, parentRef, route, resources, backendNamespace, routeType) { - // return with empty endpoint means the backend is invalid - return &ir.DestinationSetting{Weight: &weight} + err = t.validateBackendRef(backendRefContext, parentRef, route, resources, backendNamespace, routeType) + { + // return with empty endpoint means the backend is invalid and an error to fail the associated route. + if err != nil { + return nil, err + } } // Skip processing backends with 0 weight if weight == 0 { - return nil + return nil, nil } var envoyProxy *egv1a1.EnvoyProxy 
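Review bot: The new doc comment on processDestination leaves out a third outcome: a backendRef with weight 0 returns `nil, nil`, so a nil error does not guarantee a usable `ds`. Add a line such as `// A backendRef with weight 0 yields (nil, nil); callers must skip a nil result.` so callers keep their nil check. "a destination settings" should read "a destination setting".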
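Review bot: The bare `{ ... }` block after the validateBackendRef call adds a scope with no effect and separates the call from its error check. `if err = t.validateBackendRef(backendRefContext, parentRef, route, resources, backendNamespace, routeType); err != nil { return nil, err }` reads more directly. The comment about returning "with empty endpoint" no longer matches the code, which now returns nil rather than a weight-only setting. The function continues outside this hunk.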
@@ -1266,7 +1306,7 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, case resource.KindService: ds = t.processServiceDestinationSetting(backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy) - ds.TLS = t.applyBackendTLSSetting( + ds.TLS, err = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, gwapiv1a2.ParentReference{ @@ -1280,12 +1320,17 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, resources, envoyProxy, ) - ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) + if err != nil { + return nil, err + } + ds.Filters, err = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) + if err != nil { + return nil, err + } ds.IPFamily = getServiceIPFamily(resources.GetService(backendNamespace, string(backendRef.Name))) case egv1a1.KindBackend: ds = t.processBackendDestinationSetting(backendRef.BackendObjectReference, backendNamespace, resources) - - ds.TLS = t.applyBackendTLSSetting( + ds.TLS, err = t.applyBackendTLSSetting( backendRef.BackendObjectReference, backendNamespace, gwapiv1a2.ParentReference{ @@ -1299,8 +1344,13 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, resources, envoyProxy, ) - - ds.Filters = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) + if err != nil { + return nil, err + } + ds.Filters, err = t.processDestinationFilters(routeType, backendRefContext, parentRef, route, resources) + if err != nil { + return nil, err + } } if err := validateDestinationSettings(ds, t.IsEnvoyServiceRouting(envoyProxy), backendRef.Kind); err != nil { 
@@ -1312,10 +1362,11 @@ func (t *Translator) processDestination(backendRefContext BackendRefContext, metav1.ConditionFalse, gwapiv1.RouteReasonResolvedRefs, err.Error()) + return nil, err } ds.Weight = &weight - return ds + return ds, nil } func validateDestinationSettings(destinationSettings *ir.DestinationSetting, endpointRoutingDisabled bool, kind *gwapiv1.Kind) error { @@ -1400,25 +1451,29 @@ func getBackendFilters(routeType gwapiv1.Kind, backendRefContext BackendRefConte return nil } -func (t *Translator) processDestinationFilters(routeType gwapiv1.Kind, backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources) *ir.DestinationFilters { +func (t *Translator) processDestinationFilters(routeType gwapiv1.Kind, backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources) (*ir.DestinationFilters, error) { backendFilters := getBackendFilters(routeType, backendRefContext) if backendFilters == nil { - return nil + return nil, nil } var httpFiltersContext *HTTPFiltersContext var destFilters ir.DestinationFilters + var err error switch filters := backendFilters.(type) { case []gwapiv1.HTTPRouteFilter: - httpFiltersContext = t.ProcessHTTPFilters(parentRef, route, filters, 0, resources) + httpFiltersContext, err = t.ProcessHTTPFilters(parentRef, route, filters, 0, resources) case []gwapiv1.GRPCRouteFilter: - httpFiltersContext = t.ProcessGRPCFilters(parentRef, route, filters, resources) + httpFiltersContext, err = t.ProcessGRPCFilters(parentRef, route, filters, resources) + if err != nil { + return &destFilters, err + } } applyHTTPFiltersContextToDestinationFilters(httpFiltersContext, &destFilters) - return &destFilters + return &destFilters, err } func applyHTTPFiltersContextToDestinationFilters(httpFiltersContext *HTTPFiltersContext, destFilters *ir.DestinationFilters) { 
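Review bot: processDestinationFilters checks `err` only in the `[]gwapiv1.GRPCRouteFilter` case, so on the HTTP path a failed ProcessHTTPFilters result is still passed to applyHTTPFiltersContextToDestinationFilters, and both paths return a non-nil `&destFilters` together with the error. A single check after the switch treats both filter kinds alike: `if err != nil { return nil, err }`. The callers visible in this patch discard the filters when an error is returned, so returning nil there does not change them.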
diff --git a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml index 49d35c60700..d942bf363a4 100644 --- a/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml +++ b/internal/gatewayapi/testdata/backend-invalid-feature-disabled.out.yaml @@ -168,11 +168,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml index 20e749d0e90..c4436b7f6cc 100644 --- a/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml +++ b/internal/gatewayapi/testdata/backendtlspolicy-invalid-ca.out.yaml @@ -147,15 +147,8 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-btls/rule/0 - settings: - - addressType: IP - endpoints: - - host: 10.244.0.11 - port: 8080 - protocol: HTTP - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml index 1a054712d80..7c63ff375ed 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-status-conditions.out.yaml @@ -555,11 +555,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false 
@@ -593,11 +589,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/envoy-gateway/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 headerMatches: - distinct: false diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml index 4ea1623c867..d4c68adcb6f 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-ratelimit-invalid-distinct-invert.out.yaml @@ -149,11 +149,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/default/grpcroute/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml index ea546413a59..72646d946e0 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout-targetrefs.out.yaml @@ -252,11 +252,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/envoy-gateway/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true @@ -292,11 +288,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml index 8561d93004a..f7816b6f701 100644 --- a/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml +++ b/internal/gatewayapi/testdata/clienttrafficpolicy-http10.out.yaml @@ -520,11 +520,7 @@ xdsIR: mergeSlashes: true port: 8082 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: route.example.com isHTTP2: false @@ -553,11 +549,7 @@ xdsIR: mergeSlashes: true port: 8083 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: route.example.com isHTTP2: false @@ -570,11 +562,7 @@ xdsIR: distinct: false name: "" prefix: / - - destination: - name: httproute/envoy-gateway/httproute-2/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: route2.example.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/custom-filter-order.out.yaml b/internal/gatewayapi/testdata/custom-filter-order.out.yaml index a8c4413a399..9e2aa540081 100644 --- a/internal/gatewayapi/testdata/custom-filter-order.out.yaml +++ b/internal/gatewayapi/testdata/custom-filter-order.out.yaml @@ -240,11 +240,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 envoyExtensions: wasms: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml index f4cc57f95ba..51aa2de1c1b 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml 
+++ b/internal/gatewayapi/testdata/envoyextensionpolicy-status-conditions.out.yaml @@ -555,11 +555,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 envoyExtensions: {} hostname: '*' @@ -593,11 +589,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/envoy-gateway/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 envoyExtensions: {} headerMatches: diff --git a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml index 8c65fb9cf65..f61cabdcffa 100644 --- a/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/envoyextensionpolicy-with-wasm-targetrefs.out.yaml @@ -222,11 +222,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 envoyExtensions: wasms: @@ -263,11 +259,7 @@ xdsIR: distinct: false name: "" prefix: /foo - - destination: - name: httproute/envoy-gateway/httproute-2/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 envoyExtensions: wasms: diff --git a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml index 9c2c0d1cf82..ee6c126ab9b 100644 --- a/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-accesslog-types.out.yaml 
@@ -441,11 +441,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index 7e86495fc41..306302e68e1 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml @@ -20,7 +20,7 @@ backendTLSPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Client authentication TLS secret is not located in the same namespace + message: 'ClientCertificateRef Secret is not located in the same namespace as Envoyproxy. Secret namespace: envoy-gateway-user-ns does not match Envoyproxy namespace: envoy-gateway-system.' reason: Invalid @@ -209,9 +209,11 @@ tcpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'ClientCertificateRef Secret is not located in the same namespace + as Envoyproxy. Secret namespace: envoy-gateway-user-ns does not match Envoyproxy + namespace: envoy-gateway-system' + reason: Failed to process the settings associated with the TCP route. + status: "False" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route 
@@ -242,32 +244,8 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - destination: - name: httproute/envoy-gateway/httproute-tls/rule/0 - settings: - - addressType: IP - endpoints: - - host: 10.244.0.11 - port: 443 - protocol: HTTP - tls: - alpnProtocols: - - HTTP/1.1 - - HTTP/2 - ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - ecdhCurves: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - maxVersion: tls1.3 - minVersion: tls1.2 - signatureAlgorithms: - - RSA-PSS-RSAE-SHA256 - - ECDSA-SECP256R1-SHA256 - sni: example.com - useSystemTrustStore: true - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: @@ -285,41 +263,6 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-tls/ port: 10445 - routes: - - destination: - name: tcproute/envoy-gateway/envoy-gateway/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 10.244.0.11 - port: 443 - protocol: TCP - tls: - alpnProtocols: - - HTTP/1.1 - - HTTP/2 - ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - ecdhCurves: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - maxVersion: tls1.3 - minVersion: tls1.2 - signatureAlgorithms: - - RSA-PSS-RSAE-SHA256 - - ECDSA-SECP256R1-SHA256 - sni: example.com - useSystemTrustStore: true - weight: 1 - name: tcproute/envoy-gateway/envoy-gateway - tls: - terminate: - alpnProtocols: [] - certificates: - - name: envoy-gateway/default-cert - privateKey: '[redacted]' - serverCertificate: 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 tls: alpnProtocols: [] certificates: diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index 868620d8d74..2078ceeb703 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml 
@@ -20,8 +20,8 @@ backendTLSPolicies: namespace: envoy-gateway conditions: - lastTransitionTime: null - message: 'Failed to locate TLS secret for client auth: client-auth-not-found - in namespace: envoy-gateway-system.' + message: 'Failed to locate TLS secret for client auth: envoy-gateway-system/client-auth-not-found + specified in EnvoyProxy envoy-gateway-system/test.' reason: Invalid status: "False" type: Accepted @@ -208,9 +208,10 @@ tcpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'failed to locate TLS secret for client auth: envoy-gateway-system/client-auth-not-found + specified in EnvoyProxy envoy-gateway-system/test' + reason: Failed to process the settings associated with the TCP route. + status: "False" type: Accepted - lastTransitionTime: null message: Resolved all the Object references for the Route @@ -241,32 +242,8 @@ xdsIR: mergeSlashes: true port: 10443 routes: - - destination: - name: httproute/envoy-gateway/httproute-tls/rule/0 - settings: - - addressType: IP - endpoints: - - host: 10.244.0.11 - port: 443 - protocol: HTTP - tls: - alpnProtocols: - - HTTP/1.1 - - HTTP/2 - ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - ecdhCurves: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - maxVersion: tls1.3 - minVersion: tls1.2 - signatureAlgorithms: - - RSA-PSS-RSAE-SHA256 - - ECDSA-SECP256R1-SHA256 - sni: example.com - useSystemTrustStore: true - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: 
@@ -284,41 +261,6 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-tls/ port: 10445 - routes: - - destination: - name: tcproute/envoy-gateway/envoy-gateway/rule/-1 - settings: - - addressType: IP - endpoints: - - host: 10.244.0.11 - port: 443 - protocol: TCP - tls: - alpnProtocols: - - HTTP/1.1 - - HTTP/2 - ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - ecdhCurves: - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - maxVersion: tls1.3 - minVersion: tls1.2 - signatureAlgorithms: - - RSA-PSS-RSAE-SHA256 - - ECDSA-SECP256R1-SHA256 - sni: example.com - useSystemTrustStore: true - weight: 1 - name: tcproute/envoy-gateway/envoy-gateway - tls: - terminate: - alpnProtocols: [] - certificates: - - name: envoy-gateway/default-cert - privateKey: '[redacted]' - serverCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFB
xajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= tls: alpnProtocols: [] certificates: diff --git a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml index cb47542a1c7..ce41660893b 100644 --- a/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml +++ b/internal/gatewayapi/testdata/gateway-http-listener-with-hostname-intersection.out.yaml @@ -187,11 +187,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: bar.com isHTTP2: false @@ -219,11 +215,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-2/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*.example.com' isHTTP2: false diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml index 866ca1e861a..64e9d93ead0 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-tcproute-with-mismatch-port-protocol.out.yaml 
@@ -72,9 +72,10 @@ tcpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'backend service validation failed: TCP Port 8081 not found on service + default/service-1' + reason: Failed to process the settings associated with the TCP route. + status: "False" type: Accepted - lastTransitionTime: null message: TCP Port 8081 not found on service default/service-1 @@ -94,9 +95,3 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10162 - routes: - - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - weight: 1 - name: tcproute/default/tcproute-1 diff --git a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml index 03cf19502d7..2e62a910d44 100644 --- a/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml +++ b/internal/gatewayapi/testdata/gateway-with-listener-with-udproute-with-mismatch-port-protocol.out.yaml @@ -72,9 +72,10 @@ udpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'backend service validation failed: UDP Port 8080 not found on service + default/service-1' + reason: Failed to process the settings associated with the UDP route. + status: "False" type: Accepted - lastTransitionTime: null message: UDP Port 8080 not found on service default/service-1 @@ -94,9 +95,3 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-1/udp port: 10162 - route: - destination: - name: udproute/default/udproute-1/rule/-1 - settings: - - weight: 1 - name: udproute/default/udproute-1 diff --git a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml index 8981d87b085..1d7cb30742e 100644 
--- a/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/grpcroute-with-backend.out.yaml @@ -139,11 +139,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/default/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true @@ -157,11 +153,7 @@ xdsIR: distinct: false name: "" safeRegex: /com.[A-Z]+/[A-Za-z_][A-Za-z_0-9]* - - destination: - name: grpcroute/default/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml index 80b6f6627b2..64b578f98b5 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-mixed-address-type.out.yaml @@ -274,11 +274,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false @@ -291,16 +287,8 @@ xdsIR: distinct: false name: "" prefix: /1 - - destination: - name: httproute/default/httproute-3/rule/0 - settings: - - addressType: Mixed - endpoints: - - host: primary.foo.com - port: 3000 - - host: 1.1.1.1 - port: 3001 - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: 
@@ -312,16 +300,8 @@ xdsIR: distinct: false name: "" prefix: /3 - - destination: - name: httproute/default/httproute-2/rule/0 - settings: - - addressType: Mixed - endpoints: - - host: primary.foo.com - port: 3000 - - host: 1.1.1.1 - port: 3001 - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml index cdbbe788086..c252ac4d77f 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref.out.yaml @@ -357,11 +357,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false @@ -412,11 +408,7 @@ xdsIR: distinct: false name: "" prefix: /2 - - destination: - name: httproute/default/httproute-4/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false @@ -429,11 +421,7 @@ xdsIR: distinct: false name: "" prefix: /4 - - destination: - name: httproute/default/httproute-5/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml index 3b5ddfa6298..86255af66ce 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml 
+++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-diff-address-type.out.yaml @@ -296,20 +296,8 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - - addressType: IP - endpoints: - - host: 1.1.1.1 - port: 3001 - weight: 1 - - addressType: FQDN - endpoints: - - host: primary.foo.com - port: 3000 - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: @@ -321,15 +309,8 @@ xdsIR: distinct: false name: "" prefix: /1 - - destination: - name: httproute/default/httproute-2/rule/0 - settings: - - weight: 1 - - addressType: IP - endpoints: - - host: 1.1.1.1 - port: 3001 - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: @@ -365,15 +346,8 @@ xdsIR: distinct: false name: "" prefix: /3 - - destination: - name: httproute/default/httproute-3/rule/0 - settings: - - weight: 1 - - addressType: FQDN - endpoints: - - host: primary.foo.com - port: 3000 - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml index 5a413ae4630..c16b8a064ca 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-multiple-backend-backendrefs-same-address-type.out.yaml @@ -305,12 +305,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false 
diff --git a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml index 38c70c4a8d2..9cf88550489 100644 --- a/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml +++ b/internal/gatewayapi/testdata/httproute-attaching-to-listener-with-serviceimport-backendref-mixed-address-type.out.yaml @@ -115,17 +115,8 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - addressType: Mixed - endpoints: - - host: 1.2.3.4 - port: 8080 - - host: foo.bar - port: 8081 - protocol: HTTP - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml index 2ca033356bb..57e337fd1f5 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-bad-port.out.yaml @@ -112,11 +112,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml index e7c2869de1c..c6090f5c196 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-group.out.yaml 
@@ -116,11 +116,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml index a1c5683d27a..984dc0c98b3 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-invalid-kind.out.yaml @@ -114,11 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml index ed62f94f257..4274a5f8644 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-port.out.yaml @@ -112,11 +112,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml index 794a5d87c3a..06a77064819 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.import.out.yaml 
@@ -114,11 +114,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml index 18019d56e70..ae96ef5ed30 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-no-service.out.yaml @@ -112,11 +112,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml index f9ee3bb21fa..df79cfc2e92 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backend-ref-unsupported-filter.out.yaml @@ -119,11 +119,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml index 3500d3be9cc..c22e21c8920 100644 --- a/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-invalid-backendref-in-other-namespace.out.yaml 
@@ -113,11 +113,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml index 50105a1e054..af0ed8f79e7 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-no-port.out.yaml @@ -71,9 +71,10 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'Error validating backend port: port number not specified for backend + reference.' + reason: UnsupportedValue + status: "False" type: Accepted - lastTransitionTime: null message: A valid port number corresponding to a port on the Service must be @@ -122,24 +123,3 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTP - weight: 1 - hostname: gateway.envoyproxy.io - isHTTP2: false - metadata: - kind: HTTPRoute - name: httproute-1 - namespace: default - name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io - pathMatch: - distinct: false - name: "" - prefix: / diff --git a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml index c0c193e034a..85ff5860d40 100644 --- a/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-mirror-filter-service-not-found.out.yaml 
@@ -72,9 +72,10 @@ httpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'Backend service validation failed: Service default/service-unknown + not found.' + reason: UnsupportedValue + status: "False" type: Accepted - lastTransitionTime: null message: Service default/service-unknown not found @@ -122,24 +123,3 @@ xdsIR: escapedSlashesAction: UnescapeAndRedirect mergeSlashes: true port: 10080 - routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTP - weight: 1 - hostname: gateway.envoyproxy.io - isHTTP2: false - metadata: - kind: HTTPRoute - name: httproute-1 - namespace: default - name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io - pathMatch: - distinct: false - name: "" - prefix: / diff --git a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml index ff9f5d272a8..37776a693da 100644 --- a/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml +++ b/internal/gatewayapi/testdata/httproute-with-some-invalid-backend-refs-no-service.out.yaml @@ -116,17 +116,8 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/default/httproute-1/rule/0 - settings: - - weight: 1 - - weight: 1 - - addressType: IP - endpoints: - - host: 7.7.7.7 - port: 8080 - protocol: HTTP - weight: 1 + - directResponse: + statusCode: 500 hostname: '*' isHTTP2: false metadata: diff --git a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml index 607330a824c..3dc5888bb34 100644 --- a/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-status-conditions.out.yaml @@ -421,11 +421,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: false @@ -459,11 +455,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/envoy-gateway/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 headerMatches: - distinct: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml index 789da05196b..5438cf7dca2 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-cors-targetrefs.out.yaml @@ -354,11 +354,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: grpcroute/envoy-gateway/grpcroute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: '*' isHTTP2: true @@ -409,11 +405,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-1/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false @@ -446,11 +438,7 @@ xdsIR: mergeSlashes: true port: 10080 routes: - - destination: - name: httproute/envoy-gateway/httproute-2/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: gateway.envoyproxy.io isHTTP2: false diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index ccdb2458370..d5326219c97 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml 
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -510,11 +510,7 @@ xdsIR: - header3 - header4 name: securitypolicy/default/policy-for-http-route-3--grpc-backendref - - destination: - name: httproute/default/httproute-4/rule/0 - settings: - - weight: 1 - directResponse: + - directResponse: statusCode: 500 hostname: www.qux.com isHTTP2: false diff --git a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml index 29a124844e5..951d4c7529c 100644 --- a/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml +++ b/internal/gatewayapi/testdata/tcproute-with-backend.out.yaml @@ -92,9 +92,10 @@ tcpRoutes: parents: - conditions: - lastTransitionTime: null - message: Route is accepted - reason: Accepted - status: "True" + message: 'backend reference validation failed: backend is not supported for + route kind: TCPRoute' + reason: Failed to process the settings associated with the TCP route. + status: "False" type: Accepted - lastTransitionTime: null message: Resource default/backend-ip of type Backend is not supported for @@ -115,9 +116,3 @@ xdsIR: - address: 0.0.0.0 name: envoy-gateway/gateway-1/tcp port: 10090 - routes: - - destination: - name: tcproute/default/tcproute-1/rule/-1 - settings: - - weight: 1 - name: tcproute/default/tcproute-1 diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.in.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.in.yaml new file mode 100644 index 00000000000..99d36258032 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.in.yaml 
@@ -0,0 +1,139 @@ +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-namespace + namespace: gateway-conformance-infra + spec: + from: + - group: gateway.networking.k8s.io + kind: TLSRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: tls-backend + + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-from-group + namespace: gateway-conformance-app-backend + spec: + from: + - group: not-the-group-youre-looking-for + kind: TLSRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: tls-backend + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-from-kind + namespace: gateway-conformance-app-backend + spec: + from: + - group: gateway.networking.k8s.io + kind: Gateway + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: tls-backend + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-from-namespace + namespace: gateway-conformance-app-backend + spec: + from: + - group: gateway.networking.k8s.io + kind: TLSRoute + namespace: not-the-namespace-youre-looking-for + to: + - group: "" + kind: Service + name: tls-backend + + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-to-group + namespace: gateway-conformance-app-backend + spec: + from: + - group: gateway.networking.k8s.io + kind: TLSRoute + namespace: gateway-conformance-infra + to: + - group: not-the-group-youre-looking-for + kind: Service + name: tls-backend + + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-to-kind + namespace: gateway-conformance-app-backend + spec: + from: + - group: gateway.networking.k8s.io + kind: TLSRoute + 
namespace: gateway-conformance-infra + to: + - group: "" + kind: Secret + name: tls-backend + + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: ReferenceGrant + metadata: + name: reference-grant-wrong-to-name + namespace: gateway-conformance-app-backend + spec: + from: + - group: gateway.networking.k8s.io + kind: TLSRoute + namespace: gateway-conformance-infra + to: + - group: "" + kind: Service + name: not-the-service-youre-looking-for +tlsRoutes: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + name: gateway-conformance-infra-test + namespace: gateway-conformance-infra + spec: + parentRefs: + - name: gateway-tlsroute-referencegrant + hostnames: + - abc.example.com + rules: + - backendRefs: + - name: tls-backend + namespace: gateway-conformance-app-backend + port: 443 +gateways: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: gateway-tlsroute-referencegrant + namespace: gateway-conformance-infra + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: https + port: 443 + protocol: TLS + hostname: "*.example.com" + allowedRoutes: + namespaces: + from: Same + kinds: + - kind: TLSRoute + tls: + mode: Passthrough diff --git a/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.out.yaml b/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.out.yaml new file mode 100644 index 00000000000..833bcd48919 --- /dev/null +++ b/internal/gatewayapi/testdata/tlsroute-invalid-reference-grant.out.yaml 
@@ -0,0 +1,102 @@ +gateways: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-tlsroute-referencegrant + namespace: gateway-conformance-infra + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + kinds: + - kind: TLSRoute + namespaces: + from: Same + hostname: '*.example.com' + name: https + port: 443 + protocol: TLS + tls: + mode: Passthrough + status: + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: https + supportedKinds: + - kind: TLSRoute +infraIR: + gateway-conformance-infra/gateway-tlsroute-referencegrant: + proxy: + listeners: + - address: null + name: gateway-conformance-infra/gateway-tlsroute-referencegrant/https + ports: + - containerPort: 10443 + name: tls-443 + protocol: TLS + servicePort: 443 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-tlsroute-referencegrant + gateway.envoyproxy.io/owning-gateway-namespace: gateway-conformance-infra + name: gateway-conformance-infra/gateway-tlsroute-referencegrant +tlsRoutes: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: TLSRoute + metadata: + creationTimestamp: null + name: gateway-conformance-infra-test + namespace: gateway-conformance-infra + spec: + hostnames: + - abc.example.com + parentRefs: + - name: gateway-tlsroute-referencegrant + rules: + - backendRefs: + - name: tls-backend + namespace: gateway-conformance-app-backend + port: 443 + status: + parents: + - conditions: + - lastTransitionTime: null + message: No listeners included by this 
parent ref allowed this attachment. + reason: NotAllowedByListeners + status: "False" + type: Accepted + - lastTransitionTime: null + message: Backend ref to Service gateway-conformance-app-backend/tls-backend + not permitted by any ReferenceGrant. + reason: RefNotPermitted + status: "False" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-tlsroute-referencegrant +xdsIR: + gateway-conformance-infra/gateway-tlsroute-referencegrant: + accessLog: + text: + - path: /dev/stdout + tcp: + - address: 0.0.0.0 + name: gateway-conformance-infra/gateway-tlsroute-referencegrant/https + port: 10443 diff --git a/internal/gatewayapi/validate.go b/internal/gatewayapi/validate.go index fb5d4995700..37a007444e2 100644 --- a/internal/gatewayapi/validate.go +++ b/internal/gatewayapi/validate.go 
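Review bot: The expected `Accepted` condition for the TLSRoute in tlsroute-invalid-reference-grant.out.yaml is `NotAllowedByListeners`, which does not appear to match the input. The listener allows `TLSRoute` from `Same` namespace, the route lives in the gateway's namespace, and `abc.example.com` falls under `*.example.com`, so the only visible failure is the cross-namespace backend ref that no ReferenceGrant permits. Pinning this output means an operator debugging a denied ReferenceGrant is pointed at the listener configuration instead; the `ResolvedRefs` condition with `RefNotPermitted` is the accurate signal. Consider whether `Accepted` should stay true here or carry a reason tied to the backend ref, and update the golden file accordingly.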
@@ -26,28 +26,30 @@ import ( func (t *Translator) validateBackendRef(backendRefContext BackendRefContext, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources, backendNamespace string, routeKind gwapiv1.Kind, -) bool { +) error { backendRef := GetBackendRef(backendRefContext) - if !t.validateBackendRefFilters(backendRefContext, parentRef, route, routeKind) { - return false + if err := t.validateBackendRefFilters(backendRefContext, parentRef, route, routeKind); err != nil { + return fmt.Errorf("error validating backend filters: %w", err) } - if !t.validateBackendRefGroup(backendRef, parentRef, route) { - return false + if err := t.validateBackendRefGroup(backendRef, parentRef, route); err != nil { + return fmt.Errorf("error validating backend group: %w", err) } - if !t.validateBackendRefKind(backendRef, parentRef, route) { - return false + if err := t.validateBackendRefKind(backendRef, parentRef, route); err != nil { + return fmt.Errorf("error validating backend kind: %w", err) } - if !t.validateBackendNamespace(backendRef, parentRef, route, resources, routeKind) { - return false + if err := t.validateBackendNamespace(backendRef, parentRef, route, resources, routeKind); err != nil { + return fmt.Errorf("error validating backend namespace: %w", err) } - if !t.validateBackendPort(backendRef, parentRef, route) { - return false + if err := t.validateBackendPort(backendRef, parentRef, route); err != nil { + return fmt.Errorf("error validating backend port: %w", err) } + protocol := corev1.ProtocolTCP if routeKind == resource.KindUDPRoute { protocol = corev1.ProtocolUDP } + backendRefKind := KindDerefOr(backendRef.Kind, resource.KindService) switch backendRefKind { case resource.KindService: 
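Review bot: The wrap prefixes added in validateBackendRef follow two different patterns, `error validating backend port: %w` here and `backend service validation failed: %w` in the next hunk, and the golden files in this diff show the whole chain surfacing verbatim in the route's `Accepted` message. Go convention leaves out `error`/`failed` prefixes because they add nothing once errors are chained; something like `fmt.Errorf("validating backend port: %w", err)` used for every step would keep user-facing messages uniform. The function also has no doc comment for its new contract; I would add `// validateBackendRef returns nil when the backend ref is valid; on failure the helper has already set a condition on the route status and the returned error describes the first failed check.` The function body continues past this hunk.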
@@ -61,21 +63,21 @@ func (t *Translator) validateBackendRef(backendRefContext BackendRefContext, par gwapiv1.RouteReasonBackendNotFound, err.Error(), ) - return false + return fmt.Errorf("backend service validation failed: %w", err) } case resource.KindServiceImport: - if !t.validateBackendServiceImport(backendRef, parentRef, resources, backendNamespace, route, protocol) { - return false + if err := t.validateBackendServiceImport(backendRef, parentRef, resources, backendNamespace, route, protocol); err != nil { + return fmt.Errorf("backend service import validation failed: %w", err) } case egv1a1.KindBackend: - if !t.validateBackendRefBackend(backendRef, parentRef, resources, backendNamespace, route, routeKind) { - return false + if err := t.validateBackendRefBackend(backendRef, parentRef, resources, backendNamespace, route, routeKind); err != nil { + return fmt.Errorf("backend reference validation failed: %w", err) } } - return true + return nil } -func (t *Translator) validateBackendRefGroup(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) bool { +func (t *Translator) validateBackendRefGroup(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) error { if backendRef.Group != nil && *backendRef.Group != "" && *backendRef.Group != GroupMultiClusterService && *backendRef.Group != egv1a1.GroupName { routeStatus := GetRouteStatus(route) status.SetRouteStatusCondition(routeStatus, 
@@ -86,12 +88,12 @@ func (t *Translator) validateBackendRefGroup(backendRef *gwapiv1a2.BackendRef, p gwapiv1.RouteReasonInvalidKind, fmt.Sprintf("Group is invalid, only the core API group (specified by omitting the group field or setting it to an empty string), %s and %s are supported", GroupMultiClusterService, egv1a1.GroupName), ) - return false + return fmt.Errorf("unsupported backend reference group: %s", *backendRef.Group) } - return true + return nil } -func (t *Translator) validateBackendRefKind(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) bool { +func (t *Translator) validateBackendRefKind(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) error { if backendRef.Kind != nil && *backendRef.Kind != resource.KindService && *backendRef.Kind != resource.KindServiceImport && *backendRef.Kind != egv1a1.KindBackend { routeStatus := GetRouteStatus(route) status.SetRouteStatusCondition(routeStatus, @@ -102,12 +104,12 @@ func (t *Translator) validateBackendRefKind(backendRef *gwapiv1a2.BackendRef, pa gwapiv1.RouteReasonInvalidKind, "Kind is invalid, only Service, MCS ServiceImport and Envoy Gateway Backend are supported", ) - return false + return fmt.Errorf("unsupported backend reference kind: %s", *backendRef.Kind) } - return true + return nil } -func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, parentRef *RouteParentContext, route RouteContext, routeKind gwapiv1.Kind) bool { +func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, parentRef *RouteParentContext, route RouteContext, routeKind gwapiv1.Kind) error { filters := GetFilters(backendRef) var unsupportedFilters bool @@ -125,7 +127,7 @@ func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, par } } default: - return true + return nil } if unsupportedFilters { 
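Review bot: The new error in validateBackendRefGroup formats the route author's group value with `%s`; `%q` would keep that value delimited and escaped if the error ends up in controller logs: `return fmt.Errorf("unsupported backend reference group: %q", *backendRef.Group)`. The same applies to `*backendRef.Kind` in the validateBackendRefKind hunk that follows. API validation presumably already constrains both fields, so this is hardening rather than a defect. Both functions begin or end outside their hunks.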
@@ -138,15 +140,15 @@ func (t *Translator) validateBackendRefFilters(backendRef BackendRefContext, par "UnsupportedRefValue", "Specific filter is not supported within BackendRef, only RequestHeaderModifier and ResponseHeaderModifier are supported", ) - return false + return errors.New("unsupported filter type in backend reference") } - return true + return nil } func (t *Translator) validateBackendNamespace(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext, resources *resource.Resources, routeKind gwapiv1.Kind, -) bool { +) error { if backendRef.Namespace != nil && string(*backendRef.Namespace) != "" && string(*backendRef.Namespace) != route.GetNamespace() { if !t.validateCrossNamespaceRef( crossNamespaceFrom{ @@ -171,16 +173,15 @@ func (t *Translator) validateBackendNamespace(backendRef *gwapiv1a2.BackendRef, gwapiv1.RouteReasonRefNotPermitted, fmt.Sprintf("Backend ref to %s %s/%s not permitted by any ReferenceGrant.", KindDerefOr(backendRef.Kind, resource.KindService), *backendRef.Namespace, backendRef.Name), ) - return false + return fmt.Errorf("cross-namespace reference not permitted for backend: %s", backendRef.Name) } } - return true + return nil } -func (t *Translator) validateBackendPort(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) bool { - // Envoy Gateway Backends do not require a port in the backend ref +func (t *Translator) validateBackendPort(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, route RouteContext) error { if backendRef != nil && backendRef.Kind != nil && string(*backendRef.Kind) == egv1a1.KindBackend { - return true + return nil } if backendRef.Port == nil { routeStatus := GetRouteStatus(route) 
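Review bot: In validateBackendNamespace the error for a denied cross-namespace reference carries only `backendRef.Name`, while the status message two lines above it also gives the kind and target namespace. For a ReferenceGrant denial, the namespace is what an operator needs when reading the error, so I would use `return fmt.Errorf("cross-namespace reference to %s %s/%s not permitted by any ReferenceGrant", KindDerefOr(backendRef.Kind, resource.KindService), *backendRef.Namespace, backendRef.Name)`. Separately, this hunk drops the comment that explains the early return in validateBackendPort; I would keep `// Envoy Gateway Backends do not require a port in the backend ref`. validateBackendNamespace starts in the previous hunk, and validateBackendPort runs past the end of this one.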
@@ -192,9 +193,9 @@ func (t *Translator) validateBackendPort(backendRef *gwapiv1a2.BackendRef, paren "PortNotSpecified", "A valid port number corresponding to a port on the Service must be specified", ) - return false + return errors.New("port number not specified for backend reference") } - return true + return nil } func validateBackendService(backendRef gwapiv1a2.BackendObjectReference, resources *resource.Resources, @@ -226,7 +227,7 @@ func validateBackendService(backendRef gwapiv1a2.BackendObjectReference, resourc func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *resource.Resources, serviceImportNamespace string, route RouteContext, protocol corev1.Protocol, -) bool { +) error { serviceImport := resources.GetServiceImport(serviceImportNamespace, string(backendRef.Name)) if serviceImport == nil { routeStatus := GetRouteStatus(route) @@ -239,8 +240,9 @@ func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendR fmt.Sprintf("ServiceImport %s/%s not found", NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()), string(backendRef.Name)), ) - return false + return fmt.Errorf("service import %s/%s not found", serviceImportNamespace, backendRef.Name) } + var portFound bool for _, port := range serviceImport.Spec.Ports { portProtocol := port.Protocol 
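Review bot: The not-found error added in validateBackendServiceImport names `serviceImportNamespace`, while the status condition just above it prints `NamespaceDerefOr(backendRef.Namespace, route.GetNamespace())`. If a caller can ever pass a namespace that differs from the one on the ref, the condition and the returned error will disagree about where the lookup happened. The lookup itself uses `serviceImportNamespace`, so I would either print that in the condition message too or add a comment stating the two are always equal. The `backend %s/%s not found` error in validateBackendRefBackend (hunk at -312) shows the same split. The function signature is in the preceding hunk, and the body continues past this one.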
@@ -264,15 +266,15 @@ func (t *Translator) validateBackendServiceImport(backendRef *gwapiv1a2.BackendR fmt.Sprintf(string(protocol)+" Port %d not found on ServiceImport %s/%s", *backendRef.Port, serviceImportNamespace, string(backendRef.Name)), ) - return false + return fmt.Errorf("%s port %d not found on service import %s/%s", string(protocol), *backendRef.Port, serviceImportNamespace, backendRef.Name) } - return true + + return nil } func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, parentRef *RouteParentContext, resources *resource.Resources, backendNamespace string, route RouteContext, kind gwapiv1.Kind, -) bool { - // TODO: support additional route kinds +) error { routeStatus := GetRouteStatus(route) if !t.BackendEnabled { @@ -285,7 +287,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, fmt.Sprintf("Resource %s/%s of type Backend cannot be used since Backend is disabled in Envoy Gateway configuration", NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()), string(backendRef.Name)), ) - return false + return errors.New("backend is disabled in Envoy Gateway configuration") } if kind != resource.KindHTTPRoute && kind != resource.KindTLSRoute { @@ -298,7 +300,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, fmt.Sprintf("Resource %s/%s of type Backend is not supported for %s routes", NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()), string(backendRef.Name), kind), ) - return false + return fmt.Errorf("backend is not supported for route kind: %s", kind) } backend := resources.GetBackend(backendNamespace, string(backendRef.Name)) 
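Review bot: validateBackendRefBackend loses its `// TODO: support additional route kinds` comment here, yet the check further down still rejects every kind other than HTTPRoute and TLSRoute. Unless the restriction is now intentional, I would keep the TODO; if it is intentional, a replacement such as `// Backend refs are only accepted on HTTPRoute and TLSRoute.` placed above the kind check documents the limit for the next reader. In the ServiceImport error added earlier in this hunk, `string(protocol)` is a redundant conversion under `%s` and can be passed as `protocol`. The function body extends beyond this hunk.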
@@ -312,7 +314,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, fmt.Sprintf("Backend %s/%s not found", NamespaceDerefOr(backendRef.Namespace, route.GetNamespace()), string(backendRef.Name)), ) - return false + return fmt.Errorf("backend %s/%s not found", backendNamespace, backendRef.Name) } if err := validateBackend(backend); err != nil { @@ -325,7 +327,7 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, fmt.Sprintf("Invalid Backend reference to Backend %s/%s found", backendNamespace, string(backendRef.Name)), ) - return false + return fmt.Errorf("invalid backend reference: %w", err) } for _, bep := range backend.Spec.Endpoints { @@ -339,11 +341,11 @@ func (t *Translator) validateBackendRefBackend(backendRef *gwapiv1a2.BackendRef, fmt.Sprintf("Unix domain socket found in Backend %s/%s is not supported for xRoute backendRefs", backendNamespace, string(backendRef.Name)), ) - return false + return errors.New("unix domain sockets are not supported in backend references") } } - return true + return nil } func (t *Translator) validateListenerConditions(listener *ListenerContext) (isReady bool) { From 337e5acdb2fddf5dd571b8436faa4c25f07dfbed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 15:05:41 +0800 Subject: [PATCH 470/523] build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 (#4872) * build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.68.0 to 1.68.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.68.0...v1.68.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain --------- 
Signed-off-by: dependabot[bot] --- examples/extension-server/go.mod | 2 +- examples/extension-server/go.sum | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 2391d48906d..22453d4eefb 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,7 +6,7 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1 github.com/urfave/cli/v2 v2.27.5 - google.golang.org/grpc v1.68.0 + google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 k8s.io/apimachinery v0.31.3 sigs.k8s.io/controller-runtime v0.19.2 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 2b7ea881bf0..e8f8328bccb 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -111,8 +111,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1: google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= -google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= -google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/go.mod b/go.mod index dddca4d3e27..1c68afcc455 100644 --- a/go.mod +++ b/go.mod @@ -65,7 +65,7 @@ require ( github.com/docker/docker v27.3.1+incompatible github.com/replicatedhq/troubleshoot v0.107.5 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 - google.golang.org/grpc v1.68.0 + google.golang.org/grpc v1.68.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 ) diff --git a/go.sum b/go.sum index 105d8619670..46d10a73485 100644 --- a/go.sum +++ b/go.sum 
@@ -1101,8 +1101,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= -google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From 9ef758b1f044db4e02d05cbae1b160d91e81d598 Mon Sep 17 00:00:00 2001 From: Lior Okman Date: Mon, 9 Dec 2024 20:26:45 +0200 Subject: [PATCH 471/523] fix: Fix example documentation to include all the expected privileges for extension server policies (#4879) * Updated the documentation to also create a role and binding for updating the status section of the policy. Signed-off-by: Lior Okman * Removed an unneeded space Signed-off-by: Lior Okman * Make 'make gen-check' happy. Signed-off-by: Lior Okman * Update the correct copy of the document. Signed-off-by: Lior Okman --------- Signed-off-by: Lior Okman --- .../en/latest/tasks/extensibility/extension-server.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/site/content/en/latest/tasks/extensibility/extension-server.md b/site/content/en/latest/tasks/extensibility/extension-server.md index 6d16013d410..e1d6b471c11 100644 
--- a/site/content/en/latest/tasks/extensibility/extension-server.md +++ b/site/content/en/latest/tasks/extensibility/extension-server.md @@ -88,6 +88,10 @@ image name and tag. * Grant Envoy Gateway's `ServiceAccount` permission to access the extension server's CRD ```shell + kubectl create clusterrole listener-context-example-status-update \ + --verb=update \ + --resource=ListenerContextExample/status + kubectl create clusterrole listener-context-example-viewer \ --verb=get,list,watch \ --resource=ListenerContextExample @@ -95,6 +99,10 @@ image name and tag. kubectl create clusterrolebinding envoy-gateway-listener-context \ --clusterrole=listener-context-example-viewer \ --serviceaccount=envoy-gateway-system:envoy-gateway + + kubectl create clusterrolebinding envoy-gateway-listener-context-status \ + --clusterrole=listener-context-example-status-update \ + --serviceaccount=envoy-gateway-system:envoy-gateway ``` * Configure Envoy Gateway to use the Extension Server From e5f1550ea949b82a98fc742fc465dcfb5a3ad10d Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 10 Dec 2024 09:39:36 +0800 Subject: [PATCH 472/523] docs: update BackendTLSPolicy docs (#4868) update btlsp docs Signed-off-by: Huabing Zhao --- .../en/docs/tasks/security/backend-tls.md | 20 +++++++++++-------- .../en/latest/tasks/security/backend-tls.md | 20 +++++++++++-------- .../en/v1.2/tasks/security/backend-tls.md | 20 +++++++++++-------- 3 files changed, 36 insertions(+), 24 deletions(-) diff --git a/site/content/en/docs/tasks/security/backend-tls.md b/site/content/en/docs/tasks/security/backend-tls.md index 7fca5ef8477..945a1f5ff98 100644 --- a/site/content/en/docs/tasks/security/backend-tls.md +++ b/site/content/en/docs/tasks/security/backend-tls.md 
@@ -17,7 +17,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. ## TLS Certificates -Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. Create a root certificate and private key to sign certificates: @@ -67,7 +67,7 @@ kubectl create configmap example-ca --from-file=ca.crt ## Setup TLS on the backend -Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. +Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. ```shell kubectl patch deployment backend --type=json --patch ' @@ -100,7 +100,7 @@ kubectl patch deployment backend --type=json --patch ' ' ``` -Create a service that exposes port 443 on the backend service. +Create a service that exposes port 443 on the backend service. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -155,6 +155,9 @@ spec: Create a [BackendTLSPolicy][] instructing Envoy Gateway to establish a TLS connection with the backend and validate the backend certificate is issued by a trusted CA and contains an appropriate DNS SAN. +Note: SectionName is an optional field that specifies the name of the port in the target backend. This example uses a Kubernetes Service as the backend target, so the sectionName is set to `https` to match the port name in the Service. +If the target is a [Backend] resource, the `sectionName` field should be set to the port number of the backend. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -170,7 +173,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca 
@@ -196,7 +199,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca @@ -298,8 +301,8 @@ Inspect the output and see that the response contains the details of the TLS han ## Customize backend TLS Parameters -In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. -To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. +In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. First, you need to add ParametersRef in GatewayClass, and refer to EnvoyProxy Config: @@ -390,7 +393,7 @@ curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ http://www.example.com:80/get ``` -Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS cipher is also changed, since TLS1.3 supports different ciphers from TLS1.2. ```shell @@ -406,3 +409,4 @@ The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS [BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [EnvoyProxy]: ../../api/extension_types#envoyproxy +[Backend]: ../../api/extension_types#backend diff --git a/site/content/en/latest/tasks/security/backend-tls.md b/site/content/en/latest/tasks/security/backend-tls.md index 7fca5ef8477..945a1f5ff98 100644 --- a/site/content/en/latest/tasks/security/backend-tls.md 
+++ b/site/content/en/latest/tasks/security/backend-tls.md @@ -17,7 +17,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. ## TLS Certificates -Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. Create a root certificate and private key to sign certificates: @@ -67,7 +67,7 @@ kubectl create configmap example-ca --from-file=ca.crt ## Setup TLS on the backend -Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. +Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. ```shell kubectl patch deployment backend --type=json --patch ' @@ -100,7 +100,7 @@ kubectl patch deployment backend --type=json --patch ' ' ``` -Create a service that exposes port 443 on the backend service. +Create a service that exposes port 443 on the backend service. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -155,6 +155,9 @@ spec: Create a [BackendTLSPolicy][] instructing Envoy Gateway to establish a TLS connection with the backend and validate the backend certificate is issued by a trusted CA and contains an appropriate DNS SAN. +Note: SectionName is an optional field that specifies the name of the port in the target backend. This example uses a Kubernetes Service as the backend target, so the sectionName is set to `https` to match the port name in the Service. +If the target is a [Backend] resource, the `sectionName` field should be set to the port number of the backend. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -170,7 +173,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca 
@@ -196,7 +199,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca @@ -298,8 +301,8 @@ Inspect the output and see that the response contains the details of the TLS han ## Customize backend TLS Parameters -In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. -To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. +In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. First, you need to add ParametersRef in GatewayClass, and refer to EnvoyProxy Config: @@ -390,7 +393,7 @@ curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ http://www.example.com:80/get ``` -Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS cipher is also changed, since TLS1.3 supports different ciphers from TLS1.2. ```shell @@ -406,3 +409,4 @@ The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS [BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [EnvoyProxy]: ../../api/extension_types#envoyproxy +[Backend]: ../../api/extension_types#backend diff --git a/site/content/en/v1.2/tasks/security/backend-tls.md b/site/content/en/v1.2/tasks/security/backend-tls.md index 7fca5ef8477..945a1f5ff98 100644 --- a/site/content/en/v1.2/tasks/security/backend-tls.md 
+++ b/site/content/en/v1.2/tasks/security/backend-tls.md @@ -17,7 +17,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. ## TLS Certificates -Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. Create a root certificate and private key to sign certificates: @@ -67,7 +67,7 @@ kubectl create configmap example-ca --from-file=ca.crt ## Setup TLS on the backend -Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. +Patch the existing quickstart backend to enable TLS. The patch will mount the TLS certificate secret into the backend as volume. ```shell kubectl patch deployment backend --type=json --patch ' @@ -100,7 +100,7 @@ kubectl patch deployment backend --type=json --patch ' ' ``` -Create a service that exposes port 443 on the backend service. +Create a service that exposes port 443 on the backend service. {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -155,6 +155,9 @@ spec: Create a [BackendTLSPolicy][] instructing Envoy Gateway to establish a TLS connection with the backend and validate the backend certificate is issued by a trusted CA and contains an appropriate DNS SAN. +Note: SectionName is an optional field that specifies the name of the port in the target backend. This example uses a Kubernetes Service as the backend target, so the sectionName is set to `https` to match the port name in the Service. +If the target is a [Backend] resource, the `sectionName` field should be set to the port number of the backend. + {{< tabpane text=true >}} {{% tab header="Apply from stdin" %}} @@ -170,7 +173,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca 
@@ -196,7 +199,7 @@ spec: - group: '' kind: Service name: tls-backend - sectionName: "443" + sectionName: https validation: caCertificateRefs: - name: example-ca @@ -298,8 +301,8 @@ Inspect the output and see that the response contains the details of the TLS han ## Customize backend TLS Parameters -In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. -To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. +In addition to enablement of backend TLS with the Gateway-API BackendTLSPolicy, Envoy Gateway supports customizing TLS parameters. +To achieve this, the [EnvoyProxy][] resource can be used to specify TLS parameters. We will customize the TLS version in this example. First, you need to add ParametersRef in GatewayClass, and refer to EnvoyProxy Config: @@ -390,7 +393,7 @@ curl -v -HHost:www.example.com --resolve "www.example.com:80:127.0.0.1" \ http://www.example.com:80/get ``` -Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. +Inspect the output and see that the response contains the details of the TLS handshake between Envoy and the backend. The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS cipher is also changed, since TLS1.3 supports different ciphers from TLS1.2. ```shell @@ -406,3 +409,4 @@ The TLS version is now TLS1.3, as configured in the EnvoyProxy resource. The TLS [BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ [EnvoyProxy]: ../../api/extension_types#envoyproxy +[Backend]: ../../api/extension_types#backend From 0898544d9777934b5afdcd27f65dd6f73d78a90e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lars=20Sj=C3=B6str=C3=B6m?= Date: Tue, 10 Dec 2024 18:36:41 +0100 Subject: [PATCH 473/523] fix: outlier detection disabled by default (#4856) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passive health checks need to be explicitly enabled by a BackendTrafficPolicy 
Signed-off-by: Lars Sjöström --- .../testdata/translate/out/default-resources.all.yaml | 5 ----- .../translate/out/echo-gateway-api.cluster.yaml | 1 - .../translate/out/from-gateway-api-to-xds.all.json | 5 ----- .../translate/out/from-gateway-api-to-xds.all.yaml | 5 ----- .../translate/out/from-gateway-api-to-xds.cluster.yaml | 5 ----- .../out/jwt-single-route-single-match-to-xds.all.json | 2 -- .../out/jwt-single-route-single-match-to-xds.all.yaml | 2 -- .../jwt-single-route-single-match-to-xds.cluster.yaml | 2 -- .../translate/out/no-service-cluster-ip.all.yaml | 1 - internal/xds/translator/cluster.go | 1 - .../extensionpolicy-tcp-udp-http.clusters.yaml | 3 --- .../http-route-extension-filter.clusters.yaml | 1 - .../out/extension-xds-ir/http-route.clusters.yaml | 1 - .../testdata/out/xds-ir/accesslog-cel.clusters.yaml | 2 -- .../out/xds-ir/accesslog-endpoint-stats.clusters.yaml | 2 -- .../out/xds-ir/accesslog-formatters.clusters.yaml | 2 -- .../out/xds-ir/accesslog-multi-cel.clusters.yaml | 2 -- .../testdata/out/xds-ir/accesslog-types.clusters.yaml | 10 ---------- .../out/xds-ir/accesslog-without-format.clusters.yaml | 3 --- .../testdata/out/xds-ir/accesslog.clusters.yaml | 3 --- .../out/xds-ir/authorization-client-cidr.clusters.yaml | 3 --- .../out/xds-ir/authorization-jwt-claim.clusters.yaml | 4 ---- .../out/xds-ir/authorization-jwt-scope.clusters.yaml | 4 ---- .../authorization-multiple-principals.clusters.yaml | 1 - .../testdata/out/xds-ir/authorization.clusters.yaml | 3 --- .../out/xds-ir/backend-buffer-limit.clusters.yaml | 3 --- .../testdata/out/xds-ir/backend-priority.clusters.yaml | 3 --- .../testdata/out/xds-ir/basic-auth.clusters.yaml | 3 --- .../testdata/out/xds-ir/circuit-breaker.clusters.yaml | 1 - .../out/xds-ir/client-buffer-limit.clusters.yaml | 2 -- .../out/xds-ir/client-ip-detection.clusters.yaml | 3 --- .../testdata/out/xds-ir/client-timeout.clusters.yaml | 2 -- .../translator/testdata/out/xds-ir/cors.clusters.yaml | 1 - 
.../out/xds-ir/custom-filter-order.clusters.yaml | 2 -- .../testdata/out/xds-ir/custom-response.clusters.yaml | 1 - .../testdata/out/xds-ir/ext-auth-backend.clusters.yaml | 5 ----- .../testdata/out/xds-ir/ext-auth-body.clusters.yaml | 5 ----- .../out/xds-ir/ext-auth-recomputation.clusters.yaml | 5 ----- .../testdata/out/xds-ir/ext-auth.clusters.yaml | 5 ----- .../ext-proc-with-traffic-settings.clusters.yaml | 2 -- .../testdata/out/xds-ir/ext-proc.clusters.yaml | 6 ------ .../testdata/out/xds-ir/fault-injection.clusters.yaml | 5 ----- .../headers-with-preserve-x-request-id.clusters.yaml | 2 -- .../headers-with-underscores-action.clusters.yaml | 4 ---- .../testdata/out/xds-ir/health-check.clusters.yaml | 1 - .../xds-ir/http-early-header-mutation.clusters.yaml | 2 -- .../out/xds-ir/http-endpoint-stats.clusters.yaml | 1 - .../out/xds-ir/http-health-check.clusters.yaml | 1 - .../xds-ir/http-preserve-client-protocol.clusters.yaml | 1 - .../out/xds-ir/http-req-resp-sizes-stats.clusters.yaml | 1 - .../xds-ir/http-route-direct-response.clusters.yaml | 1 - .../out/xds-ir/http-route-dns-cluster.clusters.yaml | 1 - .../out/xds-ir/http-route-mirror.clusters.yaml | 1 - .../xds-ir/http-route-multiple-matches.clusters.yaml | 7 ------- .../xds-ir/http-route-multiple-mirrors.clusters.yaml | 3 --- .../xds-ir/http-route-partial-invalid.clusters.yaml | 1 - .../out/xds-ir/http-route-redirect.clusters.yaml | 1 - .../testdata/out/xds-ir/http-route-regex.clusters.yaml | 1 - .../xds-ir/http-route-request-headers.clusters.yaml | 1 - .../http-route-response-add-headers.clusters.yaml | 1 - ...ttp-route-response-add-remove-headers.clusters.yaml | 1 - .../http-route-response-remove-headers.clusters.yaml | 1 - ...tp-route-rewrite-root-path-url-prefix.clusters.yaml | 1 - ...-rewrite-sufixx-with-slash-url-prefix.clusters.yaml | 1 - .../http-route-rewrite-url-fullpath.clusters.yaml | 1 - .../xds-ir/http-route-rewrite-url-host.clusters.yaml | 1 - .../xds-ir/http-route-rewrite-url-prefix.clusters.yaml 
| 1 - .../xds-ir/http-route-rewrite-url-regex.clusters.yaml | 1 - .../http-route-session-persistence.clusters.yaml | 1 - .../out/xds-ir/http-route-timeout.clusters.yaml | 3 --- .../http-route-weighted-backend-uds-ip.clusters.yaml | 1 - ...p-route-weighted-backend-with-filters.clusters.yaml | 2 -- .../xds-ir/http-route-weighted-backend.clusters.yaml | 1 - .../http-route-weighted-invalid-backend.clusters.yaml | 1 - .../xds-ir/http-route-with-clientcert.clusters.yaml | 1 - .../out/xds-ir/http-route-with-metadata.clusters.yaml | 2 -- .../http-route-with-stripped-host-port.clusters.yaml | 1 - ...http-route-with-tls-system-truststore.clusters.yaml | 1 - ...p-route-with-tlsbundle-multiple-certs.clusters.yaml | 2 -- .../out/xds-ir/http-route-with-tlsbundle.clusters.yaml | 1 - .../testdata/out/xds-ir/http-route.clusters.yaml | 1 - .../out/xds-ir/http1-preserve-case.clusters.yaml | 2 -- .../testdata/out/xds-ir/http1-trailers.clusters.yaml | 1 - .../testdata/out/xds-ir/http10.clusters.yaml | 1 - .../testdata/out/xds-ir/http2-route.clusters.yaml | 4 ---- .../translator/testdata/out/xds-ir/http2.clusters.yaml | 1 - .../translator/testdata/out/xds-ir/http3.clusters.yaml | 1 - .../jsonpatch-add-op-empty-jsonpath.clusters.yaml | 1 - .../jsonpatch-add-op-without-value.clusters.yaml | 1 - .../out/xds-ir/jsonpatch-invalid-patch.clusters.yaml | 1 - .../xds-ir/jsonpatch-missing-resource.clusters.yaml | 1 - .../xds-ir/jsonpatch-move-op-with-value.clusters.yaml | 1 - .../out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml | 2 -- .../testdata/out/xds-ir/jsonpatch.clusters.yaml | 1 - .../out/xds-ir/jwt-custom-extractor.clusters.yaml | 2 -- .../jwt-multi-route-multi-provider.clusters.yaml | 4 ---- .../jwt-multi-route-single-provider.clusters.yaml | 3 --- .../testdata/out/xds-ir/jwt-optional.clusters.yaml | 2 -- .../testdata/out/xds-ir/jwt-ratelimit.clusters.yaml | 5 ----- .../xds-ir/jwt-single-route-single-match.clusters.yaml | 2 -- .../out/xds-ir/listener-connection-limit.clusters.yaml | 4 
---- .../out/xds-ir/listener-proxy-protocol.clusters.yaml | 2 -- .../out/xds-ir/listener-tcp-keepalive.clusters.yaml | 4 ---- .../testdata/out/xds-ir/load-balancer.clusters.yaml | 10 ---------- .../testdata/out/xds-ir/local-ratelimit.clusters.yaml | 3 --- .../out/xds-ir/metrics-virtual-host.clusters.yaml | 1 - .../out/xds-ir/mixed-tls-jwt-authn.clusters.yaml | 1 - ...ners-same-port-with-different-filters.clusters.yaml | 5 ----- .../xds-ir/multiple-listeners-same-port.clusters.yaml | 6 ------ .../multiple-simple-tcp-route-same-port.clusters.yaml | 5 ----- ...d-client-certificate-with-custom-data.clusters.yaml | 5 ----- ...mutual-tls-forward-client-certificate.clusters.yaml | 5 ----- ...-required-client-certificate-disabled.clusters.yaml | 2 -- .../testdata/out/xds-ir/mutual-tls.clusters.yaml | 2 -- .../xds-ir/oidc-backencluster-provider.clusters.yaml | 2 -- .../xds-ir/oidc-backend-cluster-provider.clusters.yaml | 2 -- .../translator/testdata/out/xds-ir/oidc.clusters.yaml | 4 ---- .../testdata/out/xds-ir/path-settings.clusters.yaml | 1 - .../out/xds-ir/proxy-protocol-upstream.clusters.yaml | 1 - .../out/xds-ir/ratelimit-custom-domain.clusters.yaml | 4 ---- .../out/xds-ir/ratelimit-disable-headers.clusters.yaml | 4 ---- .../out/xds-ir/ratelimit-endpoint-stats.clusters.yaml | 4 ---- .../xds-ir/ratelimit-headers-and-cidr.clusters.yaml | 4 ---- .../out/xds-ir/ratelimit-sourceip.clusters.yaml | 5 ----- .../testdata/out/xds-ir/ratelimit.clusters.yaml | 5 ----- .../out/xds-ir/retry-partial-invalid.clusters.yaml | 1 - .../securitypolicy-with-oidc-jwt-authz.clusters.yaml | 2 -- .../testdata/out/xds-ir/simple-tls.clusters.yaml | 1 - .../out/xds-ir/suppress-envoy-headers.clusters.yaml | 1 - .../out/xds-ir/tcp-endpoint-stats.clusters.yaml | 1 - .../out/xds-ir/tcp-listener-ipfamily.clusters.yaml | 1 - .../out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml | 1 - .../out/xds-ir/tcp-route-complex.clusters.yaml | 1 - .../testdata/out/xds-ir/tcp-route-simple.clusters.yaml | 1 - 
.../out/xds-ir/tcp-route-tls-terminate.clusters.yaml | 2 -- .../xds-ir/tcp-route-weighted-backend.clusters.yaml | 1 - .../testdata/out/xds-ir/timeout.clusters.yaml | 1 - .../out/xds-ir/tls-route-passthrough.clusters.yaml | 2 -- .../tls-with-ciphers-versions-alpn.clusters.yaml | 2 -- .../testdata/out/xds-ir/tracing-datadog.clusters.yaml | 2 -- .../out/xds-ir/tracing-endpoint-stats.clusters.yaml | 2 -- .../testdata/out/xds-ir/tracing-zipkin.clusters.yaml | 2 -- .../testdata/out/xds-ir/tracing.clusters.yaml | 1 - .../out/xds-ir/udp-endpoint-stats.clusters.yaml | 1 - .../out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml | 1 - .../testdata/out/xds-ir/udp-route.clusters.yaml | 1 - .../out/xds-ir/upstream-tcpkeepalive.clusters.yaml | 1 - .../translator/testdata/out/xds-ir/wasm.clusters.yaml | 2 -- release-notes/current.yaml | 2 ++ 149 files changed, 2 insertions(+), 342 deletions(-) diff --git a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml index 01c6b368d19..45694a36004 100644 --- a/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml @@ -781,7 +781,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -801,7 +800,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -828,7 +826,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: 
@@ -848,7 +845,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -868,7 +864,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - '@type': type.googleapis.com/envoy.admin.v3.ListenersConfigDump diff --git a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml index 5b6162b655f..de5d16949be 100644 --- a/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/echo-gateway-api.cluster.yaml @@ -109,6 +109,5 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json index 0e4a954a7f0..4e914e3e78d 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json @@ -469,7 +469,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/default/backend/rule/0", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" } @@ -499,7 +498,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "grpcroute/default/backend/rule/0", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS", "typedExtensionProtocolOptions": { 
@@ -540,7 +538,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tcproute/default/backend/rule/-1", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" } @@ -570,7 +567,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "tlsroute/default/backend/rule/-1", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" } @@ -600,7 +596,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "udproute/default/backend/rule/-1", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" } diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml index 1df8c3966e6..bcf16fe4f3a 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml @@ -260,7 +260,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -280,7 +279,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -307,7 +305,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -327,7 +324,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: 
@@ -347,7 +343,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - '@type': type.googleapis.com/envoy.admin.v3.ListenersConfigDump diff --git a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml index 714656cffaf..d171965d1c9 100644 --- a/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.cluster.yaml @@ -19,7 +19,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -39,7 +38,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: grpcroute/default/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -66,7 +64,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -86,7 +83,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tlsroute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -106,6 +102,5 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udproute/default/backend/rule/-1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json index 4364e67b7fd..730686a71d1 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json 
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json @@ -361,7 +361,6 @@ "ignoreHealthOnHostRemoval": true, "lbPolicy": "LEAST_REQUEST", "name": "httproute/envoy-gateway-system/backend/rule/0", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "type": "EDS" } @@ -408,7 +407,6 @@ ] }, "name": "raw_githubusercontent_com_443", - "outlierDetection": {}, "perConnectionBufferLimitBytes": 32768, "respectDnsTtl": true, "transportSocket": { diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml index 56654aa018f..9e6bbb5e316 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml @@ -204,7 +204,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: @@ -232,7 +231,6 @@ xds: locality: region: raw_githubusercontent_com_443/backend/0 name: raw_githubusercontent_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml index 9fce4f70e3e..16c03a44810 100644 --- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml +++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.cluster.yaml @@ -19,7 +19,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/backend/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - cluster: 
@@ -47,7 +46,6 @@ xds: locality: region: raw_githubusercontent_com_443/backend/0 name: raw_githubusercontent_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml index 1a88c9245c7..b12a3c04939 100644 --- a/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/no-service-cluster-ip.all.yaml @@ -204,7 +204,6 @@ xds: ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway-system/routes/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - '@type': type.googleapis.com/envoy.admin.v3.ListenersConfigDump diff --git a/internal/xds/translator/cluster.go b/internal/xds/translator/cluster.go index 10792bae24b..eadb00fb56f 100644 --- a/internal/xds/translator/cluster.go +++ b/internal/xds/translator/cluster.go @@ -103,7 +103,6 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster { LocalityWeightedLbConfig: &clusterv3.Cluster_CommonLbConfig_LocalityWeightedLbConfig{}, }, }, - OutlierDetection: &clusterv3.OutlierDetection{}, PerConnectionBufferLimitBytes: buildBackandConnectionBufferLimitBytes(args.backendConnection), } diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml index b8a8e059069..4e46c1dfc61 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/extensionpolicy-tcp-udp-http.clusters.yaml 
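Review bot: In `buildXdsCluster` (internal/xds/translator/cluster.go) the cluster literal now leaves `OutlierDetection` unset, and nothing in the code records that this is deliberate. In Envoy, an empty `outlier_detection` message is what enables passive ejection with its default thresholds, so this one field decides whether every generated cluster ejects failing hosts by default. I would add a comment above `PerConnectionBufferLimitBytes`, for example `// OutlierDetection is deliberately not set here: an empty message would enable Envoy's default outlier ejection on every cluster.` The rest of the function lies outside the hunk, so whether the field is populated later from explicit health-check settings cannot be confirmed from here. If it is, a translator test case that pins a configured `outlierDetection` in the golden output would guard that path.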
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: http-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - loadAssignment: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml index f8ee95fc7f6..0dcc3b48190 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route-extension-filter.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - loadAssignment: diff --git a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml index f8ee95fc7f6..0dcc3b48190 100644 --- a/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/extension-xds-ir/http-route.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - loadAssignment: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml index 090b3919f81..81c121a400e 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-cel.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml index 74a6fc0bb0c..37bb1cef24f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-endpoint-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true @@ -41,7 +40,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true trackClusterStats: diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml index 090b3919f81..81c121a400e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-formatters.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -39,7 +38,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml index 090b3919f81..81c121a400e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-multi-cel.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml index 112aa95870f..088632d3506 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-types.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -56,7 +54,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_0_2 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: 
@@ -81,7 +78,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -106,7 +102,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_1_2 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -131,7 +126,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -156,7 +150,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog_als_2_2 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -189,7 +182,6 @@ locality: region: accesslog_otel_0_3/backend/0 name: accesslog_otel_0_3 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -223,7 +215,6 @@ locality: region: accesslog_otel_1_3/backend/0 name: accesslog_otel_1_3 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -257,7 +248,6 @@ locality: region: accesslog_otel_2_3/backend/0 name: accesslog_otel_2_3 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml index 4212b175848..6df53f6698c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog-without-format.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -64,7 +62,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml index 4212b175848..6df53f6698c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/accesslog.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: accesslog/monitoring/envoy-als/port/9000 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -64,7 +62,6 @@ locality: region: accesslog-0/backend/0 name: accesslog-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml index ec8ef8e0674..b6e0c7f99af 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-client-cidr.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml index 8b4149cfe83..66e1a3ca308 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-claim.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -57,7 +55,6 @@ locality: region: two_example_com_443/backend/0 name: two_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: @@ -93,7 +90,6 @@ locality: region: one_example_com_443/backend/0 name: one_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml index 8b4149cfe83..66e1a3ca308 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-jwt-scope.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -57,7 +55,6 @@ locality: region: two_example_com_443/backend/0 name: two_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: @@ -93,7 +90,6 @@ locality: region: one_example_com_443/backend/0 name: one_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml index 4b0cccf2c2c..c24d059eeaa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization-multiple-principals.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/authorization.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/authorization.clusters.yaml index b3f75f0e04e..bd69f5a8445 100644 --- a/internal/xds/translator/testdata/out/xds-ir/authorization.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/authorization.clusters.yaml @@ -12,7 +12,6 @@ serviceName: httproute/default/httproute-3/rule/0 lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -29,7 +28,6 @@ serviceName: httproute/default/httproute-1/rule/0 lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -46,6 +44,5 @@ serviceName: httproute/default/httproute-2/rule/0 lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml index 611cbe7292a..baa860c9ffe 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-buffer-limit.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 100000000 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 100000000 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml index 66c3bf73ad7..970324b2c9d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/backend-priority.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-http-route/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocketMatches: - match: diff --git a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml index df23031f8bb..c60ba5e19ae 100644 --- a/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/basic-auth.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml index dd1fce78e8b..1767baed59c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/circuit-breaker.clusters.yaml @@ -16,7 +16,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml index d1f95214f16..1b8a0dcfcdf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-buffer-limit.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index ab0b4fca62c..121c8aad8bb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml index e7ef5350995..ba595752d94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/client-timeout.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/cors.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml index 03fa483d156..6d5d6f5e1f3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/custom-filter-order.clusters.yaml @@ -21,7 +21,6 @@ locality: region: one_example_com_443/backend/0 name: one_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: @@ -57,7 +56,6 @@ locality: region: two_example_com_80/backend/0 name: two_example_com_80 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml index 4b0cccf2c2c..c24d059eeaa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/custom-response.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml index 79e1aed5ebe..3ff821f5efb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-backend.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -75,7 +72,6 @@ locality: region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -109,7 +105,6 @@ locality: region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml index 79e1aed5ebe..3ff821f5efb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -75,7 +72,6 @@ locality: region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -109,7 +105,6 @@ locality: region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml index 79e1aed5ebe..3ff821f5efb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-recomputation.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -75,7 +72,6 @@ locality: region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -109,7 +105,6 @@ locality: region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml index ff9b672a1cc..4b69123192a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -92,6 +88,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml index 99dc8b48184..fc5d51a1aea 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc-with-traffic-settings.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml index 4e40762dace..14ff9d61dfd 100755 --- a/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ext-proc.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-2/0/grpc-backend-4 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -74,7 +71,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/default/policy-for-route-1/0/grpc-backend-2 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -99,7 +95,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-2/0/grpc-backend-3 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -124,7 +119,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: envoyextensionpolicy/envoy-gateway/policy-for-gateway-1/0/grpc-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml index 348c3693e0f..cc411266ad8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/fault-injection.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,6 +81,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml index e7ef5350995..ba595752d94 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-preserve-x-request-id.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml index 58a2b85afd9..dba5fc4a3cd 100755 --- a/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/headers-with-underscores-action.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,6 +64,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml index 6db525c99eb..db58cac6601 100644 --- a/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/health-check.clusters.yaml @@ -165,6 +165,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml index 41a3c942e6a..f015e69fceb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-early-header-mutation.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: 
@@ -41,6 +40,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml index 1be553489ce..d825e6d3757 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-endpoint-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true diff --git a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-health-check.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml index 7706960228b..b532b46bdb2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-preserve-client-protocol.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml index 2dc04da7256..5362244f7bf 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-req-resp-sizes-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: requestResponseSizes: true diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml index c3282c53e19..df0e6b954a0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-direct-response.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml index d2964ca5282..07757e5fded 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-dns-cluster.clusters.yaml @@ -27,7 +27,6 @@ locality: region: first-route-dest/backend/0 name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml index 2ee151ece25..ce54d3a35d3 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-mirror.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml index 758292acfcd..b70cda2ec59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-matches.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,7 +81,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -103,7 +98,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: sixth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -121,6 +115,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: seventh-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml index 0b5a779d918..6ca132c714d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: mirror-route-dest1 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml index 759c732f54a..5c4d68ac903 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-partial-invalid.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: valid-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml index 8bf69668b44..2410099664d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-redirect.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: redirect-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml index 8906cb55b30..058b9ac85b4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-regex.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml index 9d7d6d0c663..b43604253d1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-request-headers.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: request-header-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml index c1d3a9aedbb..4d2ccc10e64 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-headers.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml index c1d3a9aedbb..4d2ccc10e64 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-add-remove-headers.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml index c1d3a9aedbb..4d2ccc10e64 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-response-remove-headers.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: response-header-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml index 7311c3bbcbe..ce7e7e58572 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml index 7311c3bbcbe..ce7e7e58572 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-sufixx-with-slash-url-prefix.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml index 929e5fb44bb..171998c0b51 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml index 7311c3bbcbe..ce7e7e58572 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml index 7311c3bbcbe..ce7e7e58572 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml index 929e5fb44bb..171998c0b51 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-regex.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: rewrite-route - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml index 8906cb55b30..058b9ac85b4 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-session-persistence.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: regex-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index ab0b4fca62c..121c8aad8bb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-uds-ip.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml index e7ef5350995..ba595752d94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend-with-filters.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-backend.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml index aa5b2a1bb20..8d1fa95bcc6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-clientcert.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocketMatches: - match: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml index e7ef5350995..ba595752d94 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-metadata.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-stripped-host-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-stripped-host-port.clusters.yaml index 2c908f7ef69..83e21e58286 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-stripped-host-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-stripped-host-port.clusters.yaml @@ -8,6 +8,5 @@ resourceApiVersion: V3 serviceName: first-route name: first-route - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml index 82bc9604a7d..29d3e697c22 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocketMatches: - match: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml index 3aab01e6684..3061088f3eb 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle-multiple-certs.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocketMatches: - match: @@ -72,7 +71,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocket: name: envoy.transport_sockets.upstream_proxy_protocol diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml index ba9cb4c4fe4..0ba4829c936 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-with-tlsbundle.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/envoy-gateway/httproute-btls/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocketMatches: - match: diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml index b93477f78ca..d9d1f8189a5 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-preserve-case.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -41,7 +40,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml index 7f270a11d04..0bb16c7f4db 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http1-trailers.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml index 8222dcd6ccb..389a66ffb3a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http10.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml index 76e7c3dcb95..5db664bf32a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2-route.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -40,7 +39,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -65,7 +63,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: @@ -93,6 +90,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml index 6091e5e97b1..06e9a8da524 100755 --- a/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http2.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml index 4b0cccf2c2c..c24d059eeaa 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http3.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml index d53a7a1b2ce..2471dd8cb4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-empty-jsonpath.clusters.yaml @@ -12,6 +12,5 @@ serviceName: first-route-dest lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml index d53a7a1b2ce..2471dd8cb4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.clusters.yaml @@ -12,6 +12,5 @@ serviceName: first-route-dest lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml index d53a7a1b2ce..2471dd8cb4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-invalid-patch.clusters.yaml 
@@ -12,6 +12,5 @@ serviceName: first-route-dest lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-missing-resource.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml index d53a7a1b2ce..2471dd8cb4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.clusters.yaml @@ -12,6 +12,5 @@ serviceName: first-route-dest lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml index cb9e6eb5d11..20e66b92760 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-with-jsonpath.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - connectTimeout: 10s diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml index 2867550caba..cfa4f05980c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - connectTimeout: 10s diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml index f3998fb3b59..0f65c235f33 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-custom-extractor.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: localhost_443/backend/0 name: localhost_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml index 30d656a16fe..b5801be5702 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-www.test.com-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-www.test.com-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -57,7 +55,6 @@ locality: region: localhost_80/backend/0 name: localhost_80 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS @@ -76,7 +73,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_8080" - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocket: name: envoy.transport_sockets.tls diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml index 599db139ea2..ead2234d08f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-single-provider.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -57,7 +55,6 @@ locality: region: localhost_443/backend/0 name: localhost_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml index f3998fb3b59..0f65c235f33 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-optional.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: localhost_443/backend/0 name: localhost_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml index b1433b1be87..c68eced8a40 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: "192_168_1_250_443" - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocket: name: envoy.transport_sockets.tls @@ -102,7 +98,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml index f3998fb3b59..0f65c235f33 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-single-route-single-match.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: localhost_443/backend/0 name: localhost_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml index 290beff3671..d4e79e5ab04 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-connection-limit.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,6 +64,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml index e56073d06d5..fd2f5440287 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-proxy-protocol.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml index 290beff3671..d4e79e5ab04 100644 --- a/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/listener-tcp-keepalive.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,6 +64,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml index 3b4bde72aeb..449ed38b574 100644 --- a/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/load-balancer.clusters.yaml @@ -12,7 +12,6 @@ serviceName: first-route-dest ignoreHealthOnHostRemoval: true name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -30,7 +29,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: RANDOM name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -48,7 +46,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -66,7 +63,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -87,7 +83,6 @@ slowStartConfig: slowStartWindow: 60s name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -104,7 +99,6 @@ serviceName: sixth-route-dest ignoreHealthOnHostRemoval: true name: sixth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 roundRobinLbConfig: slowStartConfig: @@ -125,7 +119,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: seventh-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -145,7 +138,6 @@ maglevLbConfig: tableSize: "524287" name: eighth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -163,7 +155,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: ninth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -181,6 +172,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: MAGLEV name: tenth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml index ab0b4fca62c..121c8aad8bb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/local-ratelimit.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,6 +47,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/metrics-virtual-host.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mixed-tls-jwt-authn.clusters.yaml 
@@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml index 307f4cbc565..7e8ec0664db 100755 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: securitypolicy/default/policy-for-http-route-2/envoy-gateway/http-backend - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-3/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -93,7 +89,6 @@ locality: region: oauth_foo_com_443/backend/0 name: oauth_foo_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml index 8ad066c0640..cbe74c802d2 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,7 +81,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -103,6 +98,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml index 91395a135f6..f10d60e34b0 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-simple-tcp-route-same-port.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-1-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-2-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-3-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,6 +81,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-4-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml index 348c3693e0f..cc411266ad8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate-with-custom-data.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,6 +81,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml index 348c3693e0f..cc411266ad8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-forward-client-certificate.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -85,6 +81,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml index 1207329f055..4521d562efa 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls-required-client-certificate-disabled.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml index 1207329f055..4521d562efa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/mutual-tls.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml index 863e761bf9a..430e4ae82ce 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backencluster-provider.clusters.yaml @@ -12,7 +12,6 @@ serviceName: third-route-dest lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -38,7 +37,6 @@ locality: region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0 name: securitypolicy/envoy-gateway/policy-for-gateway/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index 9d60e8e0bed..3f64db3ca35 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0 name: securitypolicy/envoy-gateway/policy-for-gateway/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml index cb505645ff8..fd5ce16a3d2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -57,7 +55,6 @@ locality: region: oauth_foo_com_443/backend/0 name: oauth_foo_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: 
@@ -93,7 +90,6 @@ locality: region: oauth_bar_com_443/backend/0 name: oauth_bar_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/path-settings.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml index 6c7503a8669..2ca45156f18 100644 --- a/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/proxy-protocol-upstream.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 transportSocket: name: envoy.transport_sockets.upstream_proxy_protocol diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml index b031b37db0e..5f0229f4514 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -75,7 +72,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml index a75716855d1..a0d3c8f99e6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -75,7 +72,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml index e3f20b743ad..71cc68288cb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true @@ -33,7 +32,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true @@ -53,7 +51,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true @@ -81,7 +78,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true trackClusterStats: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml index a75716855d1..a0d3c8f99e6 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -75,7 +72,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml index 79e1c96f69b..cc94e339c02 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -93,7 +89,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml index 79e1c96f69b..cc94e339c02 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,7 +30,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: second-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -49,7 +47,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: third-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -67,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -93,7 +89,6 @@ locality: region: ratelimit_cluster/backend/0 name: ratelimit_cluster - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/retry-partial-invalid.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml index 91bbe4fa396..61ac2dd68c3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: oidc_example_com_443/backend/0 name: oidc_example_com_443 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true transportSocket: diff --git a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/simple-tls.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml index 6091e5e97b1..06e9a8da524 100644 --- a/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/suppress-envoy-headers.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml index 0fd3d280a1b..21044f7735a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-endpoint-stats.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml index d0ab3efc743..809de35dd5d 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-listener-ipfamily.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-dual-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml index d0b09155386..fc444f5c83a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-req-resp-sizes-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: requestResponseSizes: true diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml index 6b6fc7289f0..e0827c74464 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-complex.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-complex-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml index 79872344524..c6f3d6e6090 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-simple.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-simple-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml index 111eac1e7b2..45324290030 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-tls-terminate.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-hostname-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml index f1717a49d2b..d449d82d3f1 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tcp-route-weighted-backend.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tcp-route-weighted-backend-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml index 6414d365d02..17f4bb2b315 100644 --- a/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/timeout.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS typedExtensionProtocolOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml index c3ef51c0b2f..08ab482392a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-route-passthrough.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-passthrough-foo-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: tls-passthrough-bar-dest/backend/0 name: tls-passthrough-bar-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml index 1207329f055..4521d562efa 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tls-with-ciphers-versions-alpn.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: tls-terminate-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml index 7b7149b3f33..7d65a07f07e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-datadog.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: tracing-0/backend/0 name: tracing-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml index bdf3cadd2ba..69549cacd28 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing-endpoint-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true @@ -41,7 +40,6 @@ locality: region: tracing-0/backend/0 name: tracing-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true trackClusterStats: diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml index 4ce2f4cfdc0..222bb2c6c92 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/tracing-zipkin.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -39,7 +38,6 @@ locality: region: tracing-0/backend/0 name: tracing-0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml index cc1305448af..58b42a23c8f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/tracing.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: direct-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml index 586e95fc0e9..15499f284eb 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-endpoint-stats.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: perEndpointStats: true diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml index ae84a44c505..2dd1f522848 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-req-resp-sizes-stats.clusters.yaml 
@@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 trackClusterStats: requestResponseSizes: true diff --git a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml index 54c7ebf435e..0a153186663 100644 --- a/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/udp-route.clusters.yaml @@ -13,6 +13,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: udp-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml index 74800020855..1b1ee8d57b3 100644 --- a/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/upstream-tcpkeepalive.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: first-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS upstreamConnectionOptions: diff --git a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml index 480aca4bb47..ba27dfd9d28 100755 --- a/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/wasm.clusters.yaml @@ -13,7 +13,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-1/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -31,6 +30,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: httproute/default/httproute-2/rule/0 - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS 
diff --git a/release-notes/current.yaml b/release-notes/current.yaml index b2bfc794438..66c24cba490 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -5,6 +5,8 @@ breaking changes: | The Container `ports` field of the gateway instance has been removed, which will cause the gateway Pod to be rebuilt when upgrading the version. ClientTrafficPolicy previously treated an empty TLS ALPNProtocols list as being undefined and applied Envoy Gateway defaults. An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension. + Outlier detection (passive health check) is now disabled by default. + refer to https://gateway.envoyproxy.io/docs/api/extension_types/#backendtrafficpolicy for working with passive health checks. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | From e6fce3454d9f39f4a881437db4d495faf1c30490 Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Tue, 10 Dec 2024 19:48:00 -0600 Subject: [PATCH 474/523] fix: Gateway-target BTP ignored when route timeout defined (#4860) * fix: Gateway-target BTP ignored when route timeout defined Signed-off-by: Guy Daich * fix gen, add note Signed-off-by: Guy Daich --------- 
Signed-off-by: Guy Daich --- internal/gatewayapi/backendtrafficpolicy.go | 9 +- internal/gatewayapi/clustersettings.go | 40 +------ internal/gatewayapi/route.go | 25 +--- ...afficpolicy-with-httproute-timeout.in.yaml | 39 +++++- ...fficpolicy-with-httproute-timeout.out.yaml | 111 +++++++++++++++++- ...backendtrafficpolicy-with-timeout.out.yaml | 3 +- ...dtrafficpolicy-with-timeout-error.out.yaml | 5 +- ...backendtrafficpolicy-with-timeout.out.yaml | 2 +- ...httproute-backend-request-timeout.out.yaml | 5 +- .../httproute-request-timeout.out.yaml | 5 +- internal/ir/xds.go | 2 + internal/ir/zz_generated.deepcopy.go | 5 + internal/xds/translator/route.go | 30 +++-- .../in/xds-ir/http-route-timeout.yaml | 44 +++++++ .../xds-ir/http-route-timeout.clusters.yaml | 72 ++++++++++++ .../xds-ir/http-route-timeout.endpoints.yaml | 48 ++++++++ .../out/xds-ir/http-route-timeout.routes.yaml | 36 ++++++ release-notes/current.yaml | 1 + 18 files changed, 391 insertions(+), 91 deletions(-) diff --git a/internal/gatewayapi/backendtrafficpolicy.go b/internal/gatewayapi/backendtrafficpolicy.go index 7a7cd1369b3..0934629428b 100644 --- a/internal/gatewayapi/backendtrafficpolicy.go +++ b/internal/gatewayapi/backendtrafficpolicy.go @@ -335,7 +335,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute( if policy.Spec.Retry != nil { rt = buildRetry(policy.Spec.Retry) } - if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { + if to, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil { err = perr.WithMessage(err, "Timeout") errs = errors.Join(errs, err) } @@ -399,8 +399,7 @@ func (t *Translator) translateBackendTrafficPolicyForRoute( continue } - // Some timeout setting originate from the route. - if localTo, err := buildClusterSettingsTimeout(policy.Spec.ClusterSettings, r.Traffic); err == nil { + if localTo, err := buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err == nil { to = localTo } 
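Review bot: In the per-route loop of `translateBackendTrafficPolicyForRoute` (second hunk), `buildClusterSettingsTimeout(policy.Spec.ClusterSettings)` no longer takes the route, so it returns the same settings already stored in `to` before the loop, where its error was also reported. The same holds for the loop call in `translateBackendTrafficPolicyForGateway` (`if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err == nil`), which additionally overwrites the outer `err`. If the remaining purpose is to give each route its own `*ir.Timeout` instead of a shared pointer, a comment such as `// build a fresh Timeout per route so routes do not share one pointer` should replace the removed one; otherwise the loop call can be dropped and the earlier value reused. Both function bodies continue outside the hunks, so this rests on the visible lines only.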
@@ -484,7 +483,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway( if policy.Spec.Retry != nil { rt = buildRetry(policy.Spec.Retry) } - if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, nil); err != nil { + if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err != nil { err = perr.WithMessage(err, "Timeout") errs = errors.Join(errs, err) } @@ -585,7 +584,7 @@ func (t *Translator) translateBackendTrafficPolicyForGateway( // Update the Host field in HealthCheck, now that we have access to the Route Hostname. r.Traffic.HealthCheck.SetHTTPHostIfAbsent(r.Hostname) - if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings, r.Traffic); err == nil { + if ct, err = buildClusterSettingsTimeout(policy.Spec.ClusterSettings); err == nil { r.Traffic.Timeout = ct } diff --git a/internal/gatewayapi/clustersettings.go b/internal/gatewayapi/clustersettings.go index 260c1db84d3..40266553b46 100644 --- a/internal/gatewayapi/clustersettings.go +++ b/internal/gatewayapi/clustersettings.go @@ -29,7 +29,7 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur } ret := &ir.TrafficFeatures{} - if timeout, err := buildClusterSettingsTimeout(*policy, nil); err != nil { + if timeout, err := buildClusterSettingsTimeout(*policy); err != nil { return nil, err } else { ret.Timeout = timeout @@ -83,14 +83,11 @@ func translateTrafficFeatures(policy *egv1a1.ClusterSettings) (*ir.TrafficFeatur return ret, nil } -func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, routeTrafficFeatures *ir.TrafficFeatures) (*ir.Timeout, error) { +func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings) (*ir.Timeout, error) { if policy.Timeout == nil { - if routeTrafficFeatures != nil { - // Don't lose any existing timeout definitions. - return mergeTimeoutSettings(nil, routeTrafficFeatures.Timeout), nil - } return nil, nil } + var ( errs error to = &ir.Timeout{} 
@@ -146,40 +143,9 @@ func buildClusterSettingsTimeout(policy egv1a1.ClusterSettings, routeTrafficFeat RequestTimeout: rt, } } - - // The timeout from route's TrafficFeatures takes precedence over the timeout in BTP - if routeTrafficFeatures != nil { - to = mergeTimeoutSettings(routeTrafficFeatures.Timeout, to) - } - return to, errs } -// merge secondary into main if both are not nil, otherwise return the -// one that is not nil. If both are nil, returns nil -func mergeTimeoutSettings(main, secondary *ir.Timeout) *ir.Timeout { - switch { - case main == nil && secondary == nil: - return nil - case main == nil: - return secondary.DeepCopy() - case secondary == nil: - return main - default: // Neither main nor secondary are nil here - if secondary.HTTP != nil { - setIfNil(&main.HTTP, &ir.HTTPTimeout{}) - setIfNil(&main.HTTP.RequestTimeout, secondary.HTTP.RequestTimeout) - setIfNil(&main.HTTP.ConnectionIdleTimeout, secondary.HTTP.ConnectionIdleTimeout) - setIfNil(&main.HTTP.MaxConnectionDuration, secondary.HTTP.MaxConnectionDuration) - } - if secondary.TCP != nil { - setIfNil(&main.TCP, &ir.TCPTimeout{}) - setIfNil(&main.TCP.ConnectTimeout, secondary.TCP.ConnectTimeout) - } - return main - } -} - func buildBackendConnection(policy egv1a1.ClusterSettings) (*ir.BackendConnection, error) { if policy.Connection == nil { return nil, nil diff --git a/internal/gatewayapi/route.go b/internal/gatewayapi/route.go index 544bb85d6e7..ba51d964e6e 100644 --- a/internal/gatewayapi/route.go +++ b/internal/gatewayapi/route.go 
@@ -266,14 +266,12 @@ func (t *Translator) processHTTPRouteRules(httpRoute *HTTPRouteContext, parentRe func processRouteTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if rule.Timeouts != nil { - rto := &ir.Timeout{} - if rule.Timeouts.Request != nil { d, err := time.ParseDuration(string(*rule.Timeouts.Request)) if err != nil { d, _ = time.ParseDuration(HTTPRequestTimeout) } - setRequestTimeout(rto, metav1.Duration{Duration: d}) + irRoute.Timeout = ptr.To(metav1.Duration{Duration: d}) } // Also set the IR Route Timeout to the backend request timeout @@ -283,23 +281,8 @@ func processRouteTimeout(irRoute *ir.HTTPRoute, rule gwapiv1.HTTPRouteRule) { if err != nil { d, _ = time.ParseDuration(HTTPRequestTimeout) } - setRequestTimeout(rto, metav1.Duration{Duration: d}) - } - - irRoute.Traffic = &ir.TrafficFeatures{ - Timeout: rto, - } - } -} - -func setRequestTimeout(irTimeout *ir.Timeout, d metav1.Duration) { - switch { - case irTimeout.HTTP == nil: - irTimeout.HTTP = &ir.HTTPTimeout{ - RequestTimeout: ptr.To(d), + irRoute.Timeout = ptr.To(metav1.Duration{Duration: d}) } - default: - irTimeout.HTTP.RequestTimeout = ptr.To(d) } } @@ -760,11 +743,11 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route ExtensionRefs: routeRoute.ExtensionRefs, IsHTTP2: routeRoute.IsHTTP2, SessionPersistence: routeRoute.SessionPersistence, + Timeout: routeRoute.Timeout, } if routeRoute.Traffic != nil { hostRoute.Traffic = &ir.TrafficFeatures{ - Timeout: routeRoute.Traffic.Timeout, - Retry: routeRoute.Traffic.Retry, + Retry: routeRoute.Traffic.Retry, } } perHostRoutes = append(perHostRoutes, hostRoute) diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml index e26f10c353f..33ae5c94859 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.in.yaml @@ -35,6 +35,27 @@ httpRoutes: port: 8080 timeouts: request: 130s +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - namespace: envoy-gateway + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: "/" + backendRefs: + - name: service-1 + port: 8080 + timeouts: + request: 130s backendTrafficPolicies: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy @@ -47,4 +68,20 @@ backendTrafficPolicies: kind: HTTPRoute name: httproute-1 useClientProtocol: true - +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + namespace: envoy-gateway + name: policy-for-gateway + spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + useClientProtocol: true + loadBalancer: + type: ConsistentHash + consistentHash: + type: Cookie + cookie: + name: "test" diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml index 245739ca233..c60ae5b2347 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml +++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-httproute-timeout.out.yaml 
@@ -26,6 +26,44 @@ backendTrafficPolicies: status: "True" type: Accepted controllerName: gateway.envoyproxy.io/gatewayclass-controller +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: BackendTrafficPolicy + metadata: + creationTimestamp: null + name: policy-for-gateway + namespace: envoy-gateway + spec: + loadBalancer: + consistentHash: + cookie: + name: test + type: Cookie + type: ConsistentHash + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + useClientProtocol: true + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: 'This policy is being overridden by other backendTrafficPolicies + for these routes: [default/httproute-1]' + reason: Overridden + status: "True" + type: Overridden + controllerName: gateway.envoyproxy.io/gatewayclass-controller gateways: - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway @@ -44,7 +82,7 @@ gateways: protocol: HTTP status: listeners: - - attachedRoutes: 1 + - attachedRoutes: 2 conditions: - lastTransitionTime: null message: Sending translated listener configuration to the data plane 
@@ -108,6 +146,46 @@ httpRoutes: name: gateway-1 namespace: envoy-gateway sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - gateway.envoyproxy.io + parentRefs: + - name: gateway-1 + namespace: envoy-gateway + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: / + timeouts: + request: 130s + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: envoy-gateway + sectionName: http infraIR: envoy-gateway/gateway-1: proxy: @@ -165,8 +243,33 @@ xdsIR: distinct: false name: "" prefix: / + timeout: 2m10s + traffic: {} + useClientProtocol: true + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: gateway.envoyproxy.io + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/gateway_envoyproxy_io + pathMatch: + distinct: false + name: "" + prefix: / + timeout: 2m10s traffic: - timeout: - http: - requestTimeout: 2m10s + loadBalancer: + consistentHash: + cookie: + name: test useClientProtocol: true diff --git a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml index 0fad514c5e8..7177bcae009 100644 --- a/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml 
+++ b/internal/gatewayapi/testdata/backendtrafficpolicy-with-timeout.out.yaml @@ -336,11 +336,12 @@ xdsIR: distinct: false name: "" prefix: / + timeout: 1s traffic: timeout: http: connectionIdleTimeout: 21s maxConnectionDuration: 22s - requestTimeout: 1s + requestTimeout: 23s tcp: connectTimeout: 20s diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml index bda6f990dda..6cbe82eca0a 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout-error.out.yaml @@ -171,7 +171,4 @@ xdsIR: distinct: false name: "" prefix: / - traffic: - timeout: - http: - requestTimeout: 1s + timeout: 1s diff --git a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml index 04843eba9aa..60c001200b9 100644 --- a/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-and-backendtrafficpolicy-with-timeout.out.yaml @@ -332,10 +332,10 @@ xdsIR: distinct: false name: "" prefix: / + timeout: 1s traffic: timeout: http: maxConnectionDuration: 22s - requestTimeout: 1s tcp: connectTimeout: 20s diff --git a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml index c49d551e867..189c968899b 100644 --- a/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-backend-request-timeout.out.yaml @@ -135,7 +135,4 @@ xdsIR: distinct: false name: "" prefix: / - traffic: - timeout: - http: - requestTimeout: 1s + timeout: 1s 
diff --git a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml index dc1c9cb950d..88b1dc893f3 100644 --- a/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml +++ b/internal/gatewayapi/testdata/httproute-request-timeout.out.yaml @@ -135,7 +135,4 @@ xdsIR: distinct: false name: "" prefix: / - traffic: - timeout: - http: - requestTimeout: 5s + timeout: 5s diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 00924ed9f32..4db7b8445aa 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -691,6 +691,8 @@ type HTTPRoute struct { Metadata *ResourceMetadata `json:"metadata,omitempty" yaml:"metadata,omitempty"` // SessionPersistence holds the configuration for session persistence. SessionPersistence *SessionPersistence `json:"sessionPersistence,omitempty" yaml:"sessionPersistence,omitempty"` + // Timeout is the time until which entire response is received from the upstream. + Timeout *metav1.Duration `json:"timeout,omitempty" yaml:"timeout,omitempty"` } // DNS contains configuration options for DNS resolution. diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go index fbdb444e430..0c734dbec70 100644 --- a/internal/ir/zz_generated.deepcopy.go +++ b/internal/ir/zz_generated.deepcopy.go @@ -1569,6 +1569,11 @@ func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { *out = new(SessionPersistence) (*in).DeepCopyInto(*out) } + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(v1.Duration) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute. diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 3750194fb16..330484d41d6 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go 
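Review bot: The comment on the new `HTTPRoute.Timeout` field in `internal/ir/xds.go` does not say where the value comes from or how it relates to `Traffic.Timeout.HTTP.RequestTimeout`, which can now be set on the same route. Going by the other files in this commit, the field carries the HTTPRoute rule's `timeouts` value and the xDS translator prefers it over the policy value. Suggested wording: `// Timeout is the request timeout taken from the HTTPRoute rule; when set it takes precedence over Traffic.Timeout.HTTP.RequestTimeout.`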
@@ -16,6 +16,7 @@ import ( matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/wrapperspb" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/envoyproxy/gateway/internal/ir" "github.com/envoyproxy/gateway/internal/utils/protocov" @@ -96,12 +97,11 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) { } // Timeouts - if router.GetRoute() != nil && - httpRoute.Traffic != nil && - httpRoute.Traffic.Timeout != nil && - httpRoute.Traffic.Timeout.HTTP != nil && - httpRoute.Traffic.Timeout.HTTP.RequestTimeout != nil { - router.GetRoute().Timeout = durationpb.New(httpRoute.Traffic.Timeout.HTTP.RequestTimeout.Duration) + if router.GetRoute() != nil { + rt := getEffectiveRequestTimeout(httpRoute) + if rt != nil { + router.GetRoute().Timeout = durationpb.New(rt.Duration) + } } // Retries @@ -292,14 +292,26 @@ func buildXdsWeightedRouteAction(backendWeights *ir.BackendWeights, settings []* } } -func idleTimeout(httpRoute *ir.HTTPRoute) *durationpb.Duration { +func getEffectiveRequestTimeout(httpRoute *ir.HTTPRoute) *metav1.Duration { + // gateway-api timeout takes precedence + if httpRoute.Timeout != nil { + return httpRoute.Timeout + } + if httpRoute.Traffic != nil && httpRoute.Traffic.Timeout != nil && httpRoute.Traffic.Timeout.HTTP != nil && httpRoute.Traffic.Timeout.HTTP.RequestTimeout != nil { - rt := httpRoute.Traffic.Timeout.HTTP.RequestTimeout - timeout := time.Hour // Default to 1 hour + return httpRoute.Traffic.Timeout.HTTP.RequestTimeout + } + return nil +} + +func idleTimeout(httpRoute *ir.HTTPRoute) *durationpb.Duration { + rt := getEffectiveRequestTimeout(httpRoute) + timeout := time.Hour // Default to 1 hour + if rt != nil { // Ensure is not less than the request timeout if timeout < rt.Duration { timeout = rt.Duration 
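Review bot: `getEffectiveRequestTimeout` returns `httpRoute.Timeout` whenever it is non-nil, so a route-level `0s` wins over a BackendTrafficPolicy `requestTimeout`. The `seventh-route` test case in this commit (route `timeout: 0s`, policy `requestTimeout: 5s`) expects `timeout: 0s` and `idleTimeout: 0s`, i.e. both limits disabled. Where Gateway-level policies are written by operators and HTTPRoutes by application teams, the policy value therefore acts as a default rather than an upper bound, and stalled or very long requests on such routes are not cut off by it. That precedence may be intended, but the one-line comment does not state it; suggest `// getEffectiveRequestTimeout returns the HTTPRoute timeout when set (0s included, which disables the timeout), else the policy request timeout, else nil.` plus a sentence in the user docs. `idleTimeout` continues past the end of the hunk.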
diff --git a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml index b3ab173f745..f14367f482e 100644 --- a/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/http-route-timeout.yaml @@ -48,3 +48,47 @@ http: - endpoints: - host: "1.2.3.4" port: 50002 + - name: "forth-route" + hostname: "*" + timeout: 10s + traffic: + timeout: + http: + requestTimeout: 5s + destination: + name: "fourth-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50002 + - name: "fifth-route" + hostname: "*" + timeout: 10s + destination: + name: "fifth-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50002 + - name: "sixth-route" + hostname: "*" + timeout: 0s + destination: + name: "sixth-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50002 + - name: "seventh-route" + hostname: "*" + timeout: 0s + traffic: + timeout: + http: + requestTimeout: 5s + destination: + name: "seventh-route-dest" + settings: + - endpoints: + - host: "1.2.3.4" + port: 50002 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index 121c8aad8bb..a52b95baeae 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml 
@@ -49,3 +49,75 @@ name: third-route-dest perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: fourth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fifth-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: fifth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: sixth-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: sixth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: seventh-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: seventh-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.endpoints.yaml index 42a346c4041..59669a901a0 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.endpoints.yaml @@ -34,3 +34,51 @@ loadBalancingWeight: 1 locality: region: third-route-dest/backend/0 +- clusterName: fourth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fourth-route-dest/backend/0 +- clusterName: fifth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fifth-route-dest/backend/0 +- clusterName: sixth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: sixth-route-dest/backend/0 +- clusterName: seventh-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 1.2.3.4 + portValue: 50002 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: seventh-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml index 23d2bf4b701..1c335ad621e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.routes.yaml 
@@ -36,3 +36,39 @@ timeout: 0s upgradeConfigs: - upgradeType: websocket + - match: + prefix: / + name: forth-route + route: + cluster: fourth-route-dest + idleTimeout: 3600s + timeout: 10s + upgradeConfigs: + - upgradeType: websocket + - match: + prefix: / + name: fifth-route + route: + cluster: fifth-route-dest + idleTimeout: 3600s + timeout: 10s + upgradeConfigs: + - upgradeType: websocket + - match: + prefix: / + name: sixth-route + route: + cluster: sixth-route-dest + idleTimeout: 0s + timeout: 0s + upgradeConfigs: + - upgradeType: websocket + - match: + prefix: / + name: seventh-route + route: + cluster: seventh-route-dest + idleTimeout: 0s + timeout: 0s + upgradeConfigs: + - upgradeType: websocket diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 66c24cba490..123759f7a84 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -21,6 +21,7 @@ new features: | bug fixes: | Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected + Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined # Enhancements that improve performance. performance improvements: | From 566b8343f53be7e88b26a45a3aa9a6592214bd3b Mon Sep 17 00:00:00 2001 From: shahar-h Date: Wed, 11 Dec 2024 03:49:47 +0200 Subject: [PATCH 475/523] ci: fix license scan (#4887) Signed-off-by: shahar-h --- osv-scanner.toml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/osv-scanner.toml b/osv-scanner.toml index bed9a0c7a6a..9f37555bc29 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml 
@@ -68,6 +68,13 @@ ecosystem = "Go" license.ignore = true reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx" +[[PackageOverrides]] +name = "github.com/golang/groupcache" +version = "0.0.0-20241129210726-2c02b8208cf8" +ecosystem = "Go" +license.override = ["Apache-2.0 "] +reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/119 is resolved" + [[PackageOverrides]] name = "stdlib" ecosystem = "Go" From 10285f1d0428f8459b926fc2868f40fcf033fae6 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Wed, 11 Dec 2024 11:28:35 +0800 Subject: [PATCH 476/523] chore: fix gen check (#4888) fix gen check Signed-off-by: Huabing Zhao --- .../testdata/out/xds-ir/http-route-timeout.clusters.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml index a52b95baeae..b70cda2ec59 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-timeout.clusters.yaml @@ -64,7 +64,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fourth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -82,7 +81,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: fifth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: @@ -100,7 +98,6 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: sixth-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS - circuitBreakers: 
@@ -118,6 +115,5 @@ ignoreHealthOnHostRemoval: true lbPolicy: LEAST_REQUEST name: seventh-route-dest - outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS From 4ec4d639e2109498eaaed048098877bb4c609bf9 Mon Sep 17 00:00:00 2001 From: shahar-h Date: Wed, 11 Dec 2024 08:54:18 +0200 Subject: [PATCH 477/523] chore: remove whitespace in osv-scanner config (#4890) Signed-off-by: shahar-h --- osv-scanner.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index 9f37555bc29..9d5626b71ec 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -72,7 +72,7 @@ reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but name = "github.com/golang/groupcache" version = "0.0.0-20241129210726-2c02b8208cf8" ecosystem = "Go" -license.override = ["Apache-2.0 "] +license.override = ["Apache-2.0"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/119 is resolved" [[PackageOverrides]] From 23856723c58df0ad28e128481f558bce41078700 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:40:51 +0800 Subject: [PATCH 478/523] build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#4877) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.5 to 3.27.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f09c1c0a94de965c15400f5634aa42fac8fb8f88...aa578102511db1f4524ed59b8cc2bae4f6e88195) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ab76a5d9772..d29fc81234f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0e659ff28ae..07f19a968f2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: results.sarif From 91fa69d31c59379a262c019e8ac47a4402523c54 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:34:53 -0800 Subject: [PATCH 479/523] build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 (#4876) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.0.7 to 5.1.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/015f24e6818733317a2da2edd6290ab26238649a...7f8b4b4bde536c465e797be725718b88c5d95e0e) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index fcb6631782e..7791b180b0c 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -55,7 +55,7 @@ jobs: - name: Run Coverage Tests run: make go.test.coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: fail_ci_if_error: true files: ./coverage.xml From 7bb76247854f84bfe8181518d486624841d0dfbf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:35:16 -0800 Subject: [PATCH 480/523] build(deps): bump the golang-org group across 2 directories with 2 updates (#4870) Bumps the golang-org group with 2 updates in the / directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Bumps the golang-org group with 2 updates in the /examples/extension-server directory: [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/sys` from 0.27.0 to 0.28.0 - [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0) Updates `golang.org/x/net` from 0.31.0 to 0.32.0 - [Commits](https://github.com/golang/net/compare/v0.31.0...v0.32.0) Updates `golang.org/x/sys` from 0.27.0 to 0.28.0 - [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0) Updates `golang.org/x/net` from 0.31.0 to 0.32.0 - [Commits](https://github.com/golang/net/compare/v0.31.0...v0.32.0) --- updated-dependencies: - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/sys dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 4 files changed, 27 insertions(+), 27 deletions(-) 
diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 22453d4eefb..1c648fd94fc 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -31,9 +31,9 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect - golang.org/x/net v0.31.0 // indirect - golang.org/x/sys v0.27.0 // indirect - golang.org/x/text v0.20.0 // indirect + golang.org/x/net v0.32.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/text v0.21.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index e8f8328bccb..5c1ada0e1c2 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -83,20 +83,20 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= +golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= +golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod 
h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/go.mod b/go.mod index 1c68afcc455..31c89c92e00 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/sys v0.27.0 + golang.org/x/sys v0.28.0 google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.3 @@ -208,7 +208,7 @@ require ( go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - golang.org/x/crypto v0.29.0 // indirect + golang.org/x/crypto v0.30.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect 
@@ -277,11 +277,11 @@ require ( go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.31.0 + golang.org/x/net v0.32.0 golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sync v0.9.0 // indirect - golang.org/x/term v0.26.0 // indirect - golang.org/x/text v0.20.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/go.sum b/go.sum index 46d10a73485..69da8bbcde6 100644 --- a/go.sum +++ b/go.sum @@ -945,8 +945,8 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= +golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= +golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -983,8 +983,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= +golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= +golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -997,8 +997,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1036,17 +1036,17 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time 
v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From f467007ccf6ad27737b51395a0ad0af7c8f0e8aa Mon Sep 17 00:00:00 2001 From: shahar-h Date: Thu, 12 Dec 2024 02:54:49 +0200 Subject: [PATCH 481/523] ci: ignore vulnerabilities on license scan (#4895) * ci: ignore vulnerabilities on license scan Signed-off-by: Shahar Harari * remove space Signed-off-by: Shahar Harari * remove osv-scanner.toml Signed-off-by: Shahar Harari --------- Signed-off-by: Shahar Harari --- .github/workflows/license-scan.yml | 1 + .../osv-scanner/license-scan-config.toml | 5 +++++ 2 files changed, 6 insertions(+) rename osv-scanner.toml => tools/osv-scanner/license-scan-config.toml (96%) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 649f27fe979..834515bbeb0 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -23,4 +23,5 @@ jobs: scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib + --config tools/osv-scanner/license-scan-config.yaml ./ diff --git a/osv-scanner.toml b/tools/osv-scanner/license-scan-config.toml similarity index 96% rename from osv-scanner.toml rename to tools/osv-scanner/license-scan-config.toml index 9d5626b71ec..79a579ff7f8 100644 --- a/osv-scanner.toml +++ b/tools/osv-scanner/license-scan-config.toml @@ -1,3 +1,8 @@ +# Ignore vulnerabilities on license scan +[[PackageOverrides]] +ecosystem = "Go" +vulnerability.ignore = true + [[PackageOverrides]] name = "github.com/AdaLogics/go-fuzz-headers" version = "0.0.0-20230811130428-ced1acdcaa24" From a41f1f1c1c3d3bcb0d6e55dc678ded2c444c4dcc Mon Sep 17 00:00:00 2001 From: Kevin Date: Thu, 12 Dec 2024 09:57:07 +0900 Subject: [PATCH 482/523] docs: customize envoyproxy dualstack (#4639) * docs: customize envoyproxy dualstack Signed-off-by: Juwon Hwang (Kevin) * docs: customize envoyproxy dualstack 
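Review bot: The new first `[[PackageOverrides]]` entry in license-scan-config.toml has only `ecosystem = "Go"` and `vulnerability.ignore = true`, so it appears to suppress vulnerability findings for every Go package, and unlike the other entries it carries no `reason`. That is only safe while this file is used by the license workflow alone, so I would say so in the file, e.g. `# License scan only: never pass this file to a vulnerability scan, it hides all Go findings`, and add a `reason` line to the entry. Separately, the license-scan.yml hunk passes `--config tools/osv-scanner/license-scan-config.yaml` while the rename target is `license-scan-config.toml`; the option should read `--config tools/osv-scanner/license-scan-config.toml`, otherwise the overrides are presumably not loaded.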
Signed-off-by: Juwon Hwang (Kevin) * docs: customize envoyproxy dualstack Signed-off-by: Juwon Hwang (Kevin) --------- Signed-off-by: Juwon Hwang (Kevin) --- .../tasks/operations/customize-envoyproxy.md | 53 +++++++++++++++++-- .../tasks/operations/customize-envoyproxy.md | 53 +++++++++++++++++-- .../tasks/operations/customize-envoyproxy.md | 53 +++++++++++++++++-- 3 files changed, 150 insertions(+), 9 deletions(-) diff --git a/site/content/en/docs/tasks/operations/customize-envoyproxy.md b/site/content/en/docs/tasks/operations/customize-envoyproxy.md index 55ea32557c7..9c5ab5fe177 100644 --- a/site/content/en/docs/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/docs/tasks/operations/customize-envoyproxy.md @@ -720,12 +720,12 @@ spec: {{% /tab %}} {{< /tabpane >}} -You can use [egctl translate][] +You can use [egctl x translate][] to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate][]. +You can also validate this configuration using [egctl x translate][]. ## Customize EnvoyProxy Horizontal Pod Autoscaler 
@@ -1043,6 +1043,53 @@ spec: {{% /tab %}} {{< /tabpane >}} +## Customize EnvoyProxy IP Family + +You can customize the IP family configuration for EnvoyProxy via the EnvoyProxy Config. +This allows the Envoy Proxy fleet to serve external clients over IPv4 as well as IPv6. + +The below configuration sets the `ipFamily` to `DualStack` to allow ingressing IPv4 as well as IPv6 traffic. + +**Note**: Envoy Gateway relies on the [Service](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) spec of the BackendRef resource (linked to xRoutes) to decide which type of IP addresses to use to route to them. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, the EnvoyProxy deployment will be configured to use the specified IP family. When set to `DualStack`, both IPv4 and IPv6 networking will be enabled. + +**Note**: Your cluster must support the selected IP family configuration. For DualStack support, ensure your Kubernetes cluster is properly configured for dual-stack networking. + [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ [EnvoyProxy]: ../../../api/extension_types#envoyproxy -[egctl translate]: ../egctl/#validating-gateway-api-configuration +[egctl x translate]: ../operations/egctl#egctl-experimental-translate \ No newline at end of file diff --git a/site/content/en/latest/tasks/operations/customize-envoyproxy.md b/site/content/en/latest/tasks/operations/customize-envoyproxy.md index 55ea32557c7..9c5ab5fe177 100644 --- a/site/content/en/latest/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/latest/tasks/operations/customize-envoyproxy.md 
@@ -720,12 +720,12 @@ spec: {{% /tab %}} {{< /tabpane >}} -You can use [egctl translate][] +You can use [egctl x translate][] to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate][]. +You can also validate this configuration using [egctl x translate][]. ## Customize EnvoyProxy Horizontal Pod Autoscaler @@ -1043,6 +1043,53 @@ spec: {{% /tab %}} {{< /tabpane >}} +## Customize EnvoyProxy IP Family + +You can customize the IP family configuration for EnvoyProxy via the EnvoyProxy Config. +This allows the Envoy Proxy fleet to serve external clients over IPv4 as well as IPv6. + +The below configuration sets the `ipFamily` to `DualStack` to allow ingressing IPv4 as well as IPv6 traffic. + +**Note**: Envoy Gateway relies on the [Service](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) spec of the BackendRef resource (linked to xRoutes) to decide which type of IP addresses to use to route to them. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, the EnvoyProxy deployment will be configured to use the specified IP family. When set to `DualStack`, both IPv4 and IPv6 networking will be enabled. + +**Note**: Your cluster must support the selected IP family configuration. For DualStack support, ensure your Kubernetes cluster is properly configured for dual-stack networking. + [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ [EnvoyProxy]: ../../../api/extension_types#envoyproxy -[egctl translate]: ../egctl/#validating-gateway-api-configuration +[egctl x translate]: ../operations/egctl#egctl-experimental-translate \ No newline at end of file 
diff --git a/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md index 55ea32557c7..9c5ab5fe177 100644 --- a/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md +++ b/site/content/en/v1.2/tasks/operations/customize-envoyproxy.md @@ -720,12 +720,12 @@ spec: {{% /tab %}} {{< /tabpane >}} -You can use [egctl translate][] +You can use [egctl x translate][] to get the default xDS Bootstrap configuration used by Envoy Gateway. After applying the config, the bootstrap config will be overridden by the new config you provided. Any errors in the configuration will be surfaced as status within the `GatewayClass` resource. -You can also validate this configuration using [egctl translate][]. +You can also validate this configuration using [egctl x translate][]. ## Customize EnvoyProxy Horizontal Pod Autoscaler 
@@ -1043,6 +1043,53 @@ spec: {{% /tab %}} {{< /tabpane >}} +## Customize EnvoyProxy IP Family + +You can customize the IP family configuration for EnvoyProxy via the EnvoyProxy Config. +This allows the Envoy Proxy fleet to serve external clients over IPv4 as well as IPv6. + +The below configuration sets the `ipFamily` to `DualStack` to allow ingressing IPv4 as well as IPv6 traffic. + +**Note**: Envoy Gateway relies on the [Service](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) spec of the BackendRef resource (linked to xRoutes) to decide which type of IP addresses to use to route to them. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +After applying the config, the EnvoyProxy deployment will be configured to use the specified IP family. When set to `DualStack`, both IPv4 and IPv6 networking will be enabled. + +**Note**: Your cluster must support the selected IP family configuration. For DualStack support, ensure your Kubernetes cluster is properly configured for dual-stack networking. + [Gateway API documentation]: https://gateway-api.sigs.k8s.io/ [EnvoyProxy]: ../../../api/extension_types#envoyproxy -[egctl translate]: ../egctl/#validating-gateway-api-configuration +[egctl x translate]: ../operations/egctl#egctl-experimental-translate \ No newline at end of file From d71ba7ba8e44c816218019924fa4bce8f8b299fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Dec 2024 11:15:43 +0800 Subject: [PATCH 483/523] build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#4901) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.30.0 to 0.31.0. - [Commits](https://github.com/golang/crypto/compare/v0.30.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 31c89c92e00..088ab71d004 100644 --- a/go.mod +++ b/go.mod @@ -208,7 +208,7 @@ require ( go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - golang.org/x/crypto v0.30.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 69da8bbcde6..41f3bb15890 100644 --- a/go.sum +++ b/go.sum 
@@ -945,8 +945,8 @@ golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= -golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 h1:vKHSxFhPLnBEYu9R8DcQ4gXq9EqU0VVhC9pq9wmtYsg= golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= From 9b60a676b18f6669d9a9c128c161027ab8948c40 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Wed, 11 Dec 2024 19:47:24 -0800 Subject: [PATCH 484/523] [docs] Add Titan Email as an Adopter (#4896) Signed-off-by: Arko Dasgupta Co-authored-by: Xunzhuo --- site/data/adopters.yaml | 4 ++++ site/static/logos/titan.svg | 14 ++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 site/static/logos/titan.svg diff --git a/site/data/adopters.yaml b/site/data/adopters.yaml index 02eafe113b8..26b1cb65525 100644 --- a/site/data/adopters.yaml +++ b/site/data/adopters.yaml 
@@ -23,3 +23,7 @@ adopters: logo: "/logos/quantco.png" url: "https://www.quantco.com" description: "QuantCo is using Envoy Gateway to expose various services from our K8s clusters in a secure and flexible way, where developers can deploy and manage their apps and cluster administrators can enforce common security policies like OIDC authentication." + - name: "Titan" + logo: "/logos/titan.svg" + url: "https://www.titan.email" + description: "" diff --git a/site/static/logos/titan.svg b/site/static/logos/titan.svg new file mode 100644 index 00000000000..c2e61168693 --- /dev/null +++ b/site/static/logos/titan.svg @@ -0,0 +1,14 @@ + + + logo/SVG/titan-logo + + + + \ No newline at end of file From 507ea5df8fa9cddb56ba0b38da226e3e5ad046ea Mon Sep 17 00:00:00 2001 From: shahar-h Date: Thu, 12 Dec 2024 15:50:50 +0200 Subject: [PATCH 485/523] chore: fix osv license scan config and add license override (#4906) * chore: fix osv license scan config and add license override Signed-off-by: Shahar Harari * rename config file Signed-off-by: Shahar Harari * comment out again Signed-off-by: Shahar Harari --------- Signed-off-by: Shahar Harari --- .github/workflows/license-scan.yml | 2 +- tools/osv-scanner/license-scan-config.toml | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 834515bbeb0..c6dea873862 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -23,5 +23,5 @@ jobs: scan-args: |- --skip-git --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib - --config tools/osv-scanner/license-scan-config.yaml + --config tools/osv-scanner/license-scan-config.toml ./ diff --git a/tools/osv-scanner/license-scan-config.toml b/tools/osv-scanner/license-scan-config.toml index 79a579ff7f8..3b96c10fe7e 100644 --- a/tools/osv-scanner/license-scan-config.toml 
+++ b/tools/osv-scanner/license-scan-config.toml @@ -1,7 +1,8 @@ # Ignore vulnerabilities on license scan [[PackageOverrides]] ecosystem = "Go" -vulnerability.ignore = true +# TODO uncomment once osv-scanner-action is updated to v1.9.1 +# vulnerability.ignore = true [[PackageOverrides]] name = "github.com/AdaLogics/go-fuzz-headers" @@ -80,6 +81,13 @@ ecosystem = "Go" license.override = ["Apache-2.0"] reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/119 is resolved" +[[PackageOverrides]] +name = "golang.org/x/crypto" +version = "0.31.0" +ecosystem = "Go" +license.override = ["BSD-3-Clause"] +reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/120 is resolved" + [[PackageOverrides]] name = "stdlib" ecosystem = "Go" From 76629adfbae5f88bfb56099675f31311e332ecb9 Mon Sep 17 00:00:00 2001 From: Luv Date: Thu, 12 Dec 2024 20:45:48 +0530 Subject: [PATCH 486/523] [docs] added desc for titan (#4905) added desc for titan Signed-off-by: Luv --- site/data/adopters.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/data/adopters.yaml b/site/data/adopters.yaml index 26b1cb65525..95d6d78f8cb 100644 --- a/site/data/adopters.yaml +++ b/site/data/adopters.yaml @@ -26,4 +26,4 @@ adopters: - name: "Titan" logo: "/logos/titan.svg" url: "https://www.titan.email" - description: "" + description: "Titan uses Envoy Gateway to enhance observability and centralize security for its Kubernetes services, managing critical policies like rate limiting, IP blocking, and access controls—freeing developers from the burden of handling service security." From 86f869f87566079dd3df126cdd285077c7ef1b14 Mon Sep 17 00:00:00 2001 From: shahar-h Date: Thu, 12 Dec 2024 17:36:54 +0200 Subject: [PATCH 487/523] chore: organize go.mod require sections (#4893) 
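Review bot: With `vulnerability.ignore = true` commented out in the first hunk, the leading `[[PackageOverrides]]` entry is left with only `ecosystem = "Go"`, while the header comment still says vulnerabilities are ignored. The comment should state the current behaviour, e.g. `# TODO: vulnerabilities are NOT ignored yet; uncomment once osv-scanner-action is updated to v1.9.1`, so nobody reads the file as already suppressing findings. In the second hunk the `golang.org/x/crypto` override is keyed to `version = "0.31.0"`, so it presumably stops matching on the next bump of that module; the `reason` could note that the version has to be updated together with go.mod until the linked issue is resolved.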
Signed-off-by: Shahar Harari --- examples/extension-server/go.sum | 1 - go.mod | 153 +++++++++++++++---------------- go.sum | 57 ++++++------ 3 files changed, 100 insertions(+), 111 deletions(-) diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 5c1ada0e1c2..3904c3d700d 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -46,7 +46,6 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= diff --git a/go.mod b/go.mod index 088ab71d004..08376c948bd 100644 --- a/go.mod +++ b/go.mod 
@@ -8,18 +8,21 @@ require ( fortio.org/fortio v1.68.0 fortio.org/log v1.17.1 github.com/Masterminds/semver/v3 v3.3.1 + github.com/cenkalti/backoff/v4 v4.3.0 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.3.1+incompatible + github.com/docker/docker v27.3.1+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 + github.com/evanphx/json-patch v5.9.0+incompatible github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.18.0 + github.com/fsnotify/fsnotify v1.8.0 github.com/go-logfmt/logfmt v0.6.0 github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 - github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 github.com/google/cel-go v0.22.1 github.com/google/go-cmp v0.6.0 @@ -27,12 +30,16 @@ require ( github.com/hashicorp/go-multierror v1.1.1 github.com/miekg/dns v1.1.62 github.com/ohler55/ojg v1.25.0 + github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.20.5 + github.com/prometheus/client_model v0.6.1 github.com/prometheus/common v0.60.1 + github.com/replicatedhq/troubleshoot v0.107.5 github.com/spf13/cobra v1.8.1 github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.10.0 github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 + github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 github.com/tsaarni/certyaml v0.10.0 go.opentelemetry.io/otel v1.32.0 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 
@@ -40,11 +47,15 @@ require ( go.opentelemetry.io/otel/exporters/prometheus v0.54.0 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 go.opentelemetry.io/otel/metric v1.32.0 + go.opentelemetry.io/otel/sdk v1.32.0 go.opentelemetry.io/otel/sdk/metric v1.32.0 go.opentelemetry.io/proto/otlp v1.3.1 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e + golang.org/x/net v0.32.0 golang.org/x/sys v0.28.0 + google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 + google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.3 @@ -53,22 +64,16 @@ require ( k8s.io/apimachinery v0.31.3 k8s.io/cli-runtime v0.31.3 k8s.io/client-go v0.31.3 + k8s.io/klog/v2 v2.130.1 k8s.io/kubectl v0.31.3 k8s.io/utils v0.0.0-20240821151609-f90d01438635 sigs.k8s.io/controller-runtime v0.19.2 sigs.k8s.io/gateway-api v1.2.1 + sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 sigs.k8s.io/mcs-api v0.1.0 sigs.k8s.io/yaml v1.4.0 ) -require ( - github.com/docker/docker v27.3.1+incompatible - github.com/replicatedhq/troubleshoot v0.107.5 - github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 - google.golang.org/grpc v1.68.1 - sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 -) - require ( cel.dev/expr v0.18.0 // indirect dario.cat/mergo v1.0.1 // indirect @@ -81,7 +86,9 @@ require ( fortio.org/struct2env v0.4.1 // indirect fortio.org/version v1.0.4 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/BurntSushi/toml v1.4.0 // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect 
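Review bot: The `go.mod` hunks in this commit do more than regroup the require blocks: several indirect requirements reappear at older versions than the lines removed in hunk `@@ -208,76 +260,12 @@`, which the title "organize go.mod require sections" does not mention. Hunk `@@ -81,7 +86,9 @@` adds `github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1` where the removed line had `v0.0.0-20230124172434-306776ec8161`. The later hunks do the same for `chai2010/gettext-go` (1.0.3 to 1.0.2), `emicklei/go-restful/v3` (3.12.1 to 3.12.0), `go-errors/errors` (1.5.1 to 1.4.2), `google/btree` (1.1.2 to 1.0.1), `imdario/mergo` (1.0.0 to 0.3.16), `lyft/gostats` (0.4.14 to 0.4.1), `go.starlark.net` and `k8s.io/kube-openapi`. Downgrading transitive dependencies can drop upstream fixes, so either carry the previous versions over unchanged, e.g. `github.com/lyft/gostats v0.4.14 // indirect`, or list the downgrades in the commit message and re-run the dependency vulnerability scan on the resulting module graph.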
@@ -91,8 +98,12 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/apparentlymart/go-cidr v1.1.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/c9s/goprocinfo v0.0.0-20170724085704-0010a05ce49f // indirect + github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/chai2010/gettext-go v1.0.2 // indirect github.com/cilium/ebpf v0.16.0 // indirect github.com/containerd/cgroups/v3 v3.0.3 // indirect github.com/containerd/containerd v1.7.23 // indirect 
@@ -115,28 +126,52 @@ require ( github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect + github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect + github.com/go-errors/errors v1.4.2 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/go-redis/redis/v7 v7.4.1 // indirect github.com/go-sql-driver/mysql v1.8.1 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect + github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect github.com/golang-sql/sqlexp v0.1.0 // indirect + github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect + github.com/google/btree v1.0.1 // indirect + github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-intervals v0.0.2 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect + github.com/gorilla/websocket v1.5.1 // indirect github.com/gosuri/uitable v0.0.4 // indirect + github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 
// indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect github.com/jackc/pgx/v5 v5.7.1 // indirect github.com/jmoiron/sqlx v1.4.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/kelseyhightower/envconfig v1.4.0 // indirect github.com/klauspost/compress v1.17.9 // indirect github.com/klauspost/pgzip v1.2.6 // indirect github.com/kortschak/goroutine v1.1.2 // indirect @@ -144,9 +179,12 @@ require ( github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect + github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e // indirect github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c // indirect + github.com/lyft/gostats v0.4.1 // indirect github.com/magiconair/properties v1.8.7 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect 
@@ -154,32 +192,44 @@ require ( github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/patternmatcher v0.6.0 // indirect + github.com/moby/spdystream v0.4.0 // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.5.0 // indirect github.com/moby/sys/user v0.3.0 // indirect github.com/moby/sys/userns v0.1.0 // indirect - github.com/onsi/ginkgo v1.16.5 // indirect + github.com/moby/term v0.5.0 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runtime-spec v1.2.0 // indirect github.com/opencontainers/selinux v1.11.0 // indirect github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect + github.com/prometheus/procfs v0.15.1 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rubenv/sql-migrate v1.7.0 // indirect + 
github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shirou/gopsutil/v3 v3.24.5 // indirect github.com/shoenig/go-m1cpu v0.1.6 // indirect github.com/shopspring/decimal v1.4.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.7.0 // indirect @@ -191,6 +241,7 @@ require ( github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/tklauser/go-sysconf v0.3.12 // indirect github.com/tklauser/numcpus v0.6.1 // indirect + github.com/tsaarni/x500dn v1.0.0 // indirect github.com/ulikunitz/xz v0.5.12 // indirect github.com/urfave/cli/v2 v2.8.1 // indirect github.com/vbatts/tar-split v0.11.5 // indirect @@ -198,6 +249,7 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect + github.com/xlab/treeprint v1.2.0 // indirect github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.etcd.io/etcd/api/v3 v3.5.14 // indirect 
@@ -208,76 +260,12 @@ require ( go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - golang.org/x/crypto v0.31.0 // indirect - golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect - gopkg.in/ini.v1 v1.67.0 // indirect - k8s.io/apiserver v0.31.3 // indirect - k8s.io/metrics v0.31.3 // indirect - oras.land/oras-go v1.2.6 // indirect - periph.io/x/host/v3 v3.8.2 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect -) - -require ( - github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect - github.com/MakeNowJust/heredoc v1.0.0 // indirect - github.com/beorn7/perks v1.0.1 // indirect - github.com/cenkalti/backoff/v4 v4.3.0 - github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect - github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/chai2010/gettext-go v1.0.3 // indirect - github.com/emicklei/go-restful/v3 v3.12.1 // indirect - github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect - github.com/evanphx/json-patch v5.9.0+incompatible - github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fsnotify/fsnotify v1.8.0 - github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect - github.com/go-errors/errors v1.5.1 // indirect - github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.21.0 // indirect - github.com/go-openapi/swag v0.23.0 // indirect - github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect - github.com/google/btree v1.1.2 // indirect - github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/gofuzz v1.2.0 // indirect - github.com/google/shlex 
v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.6.0 // indirect - github.com/gorilla/websocket v1.5.1 // indirect - github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect - github.com/imdario/mergo v1.0.0 // indirect - github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/josharian/intern v1.0.0 // indirect - github.com/json-iterator/go v1.1.12 // indirect - github.com/kelseyhightower/envconfig v1.4.0 // indirect - github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/lyft/gostats v0.4.14 // indirect - github.com/mailru/easyjson v0.7.7 // indirect - github.com/mitchellh/go-wordwrap v1.0.1 // indirect - github.com/moby/spdystream v0.4.0 // indirect - github.com/moby/term v0.5.0 // indirect - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect - github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect - github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect - github.com/peterbourgon/diskv v2.0.1+incompatible // indirect - github.com/pkg/errors v0.9.1 - github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_model v0.6.1 - github.com/prometheus/procfs v0.15.1 // indirect - github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/sirupsen/logrus v1.9.3 // indirect - github.com/tsaarni/x500dn v1.0.0 // indirect - github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/otel/sdk v1.32.0 go.opentelemetry.io/otel/trace v1.32.0 // indirect - go.starlark.net v0.0.0-20240520160348-046347dcd104 // indirect + go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.uber.org/multierr v1.11.0 // indirect + golang.org/x/crypto v0.31.0 // 
indirect + golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.32.0 golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/term v0.27.0 // indirect @@ -285,13 +273,18 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/apiserver v0.31.3 // indirect k8s.io/component-base v0.31.3 // indirect - k8s.io/klog/v2 v2.130.1 - k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect + k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect + k8s.io/metrics v0.31.3 // indirect + oras.land/oras-go v1.2.6 // indirect + periph.io/x/host/v3 v3.8.2 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kustomize/api v0.17.2 // indirect sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect diff --git a/go.sum b/go.sum index 41f3bb15890..08b3df5cc9f 100644 --- a/go.sum +++ b/go.sum 
@@ -42,8 +42,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= 
@@ -117,8 +117,11 @@ github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= -github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= +github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -218,8 +221,8 @@ github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+m github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= -github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -237,8 +240,8 @@ github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= -github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= 
@@ -260,8 +263,8 @@ github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= -github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= @@ -337,8 +340,6 @@ github.com/go-redis/redis/v7 v7.4.1/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRf github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= -github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= 
@@ -384,8 +385,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= -github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40= github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= @@ -395,6 +396,7 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 
@@ -434,9 +436,8 @@ github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= 
@@ -539,8 +540,8 @@ github.com/longhorn/go-iscsi-helper v0.0.0-20210330030558-49a327fb024e/go.mod h1 github.com/longhorn/nsfilelock v0.0.0-20200723175406-fa7c83ad0003/go.mod h1:0CLeXlf59Lg6C0kjLSDf47ft73Dh37CwymYRKWwAn04= github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c h1:VtwQ41oftZwlMnOEbMWQtSEUgU64U4s+GHk7hZK+jtY= github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c/go.mod h1:JKx41uQRwqlTZabZc+kILPrO/3jlKnQ2Z8b7YiVw5cE= -github.com/lyft/gostats v0.4.14 h1:xmP4yMfDvEKtlNZEcS2sYz0cvnps1ri337ZEEbw3ab8= -github.com/lyft/gostats v0.4.14/go.mod h1:cJWqEVL8JIewIJz/olUIios2F1q06Nc51hXejPQmBH0= +github.com/lyft/gostats v0.4.1 h1:oR6p4HRCGxt0nUntmZIWmYMgyothBi3eZH2A71vRjsc= +github.com/lyft/gostats v0.4.1/go.mod h1:Tpx2xRzz4t+T2Tx0xdVgIoBdR2UMVz+dKnE3X01XSd8= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= 
@@ -626,9 +627,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/ohler55/ojg v1.25.0 h1:sDwc4u4zex65Uz5Nm7O1QwDKTT+YRcpeZQTy1pffRkw= github.com/ohler55/ojg v1.25.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= @@ -638,9 +638,8 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= 
@@ -796,8 +795,6 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -923,8 +920,8 @@ go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQD go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.starlark.net v0.0.0-20240520160348-046347dcd104 h1:3qhteRISupnJvaWshOmeqEUs2y9oc/+/ePPvDh3Eygg= -go.starlark.net v0.0.0-20240520160348-046347dcd104/go.mod h1:YKMCv9b1WrfWmeqdV5MAuEHWsu5iC+fe6kYl2sQjdI8= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= +go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -1028,7 +1025,7 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1038,6 +1035,7 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1067,7 +1065,6 @@ golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= @@ -1198,8 +1195,8 @@ k8s.io/kms v0.31.3 h1:XCFmiJn5CCKs8xoOLpCmu42Ubm/KW85wNHybGFcSAYc= k8s.io/kms v0.31.3/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA= -k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a/go.mod h1:UxDHUPsUwTOOxSU+oXURfFBcAS6JwiRXTYqYwfuGowc= +k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= +k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/kubectl v0.31.3 h1:3r111pCjPsvnR98oLLxDMwAeM6OPGmPty6gSKaLTQes= k8s.io/kubectl v0.31.3/go.mod h1:lhMECDCbJN8He12qcKqs2QfmVo9Pue30geovBVpH5fs= k8s.io/metrics v0.31.3 h1:DkT9I3gFlb2/z+/4BMY7WrQ/PnbukuV4Yli82v/KBCM= From 685c5dd5149e9a2b6dac3347c90dbe1022b74c81 Mon Sep 17 00:00:00 2001 
From: Guy Daich Date: Thu, 12 Dec 2024 12:32:43 -0600 Subject: [PATCH 488/523] [release/v1.1] release: v1.1.4 (#4899) release: v1.1.4 Signed-off-by: Guy Daich --- release-notes/v1.1.4.yaml | 16 ++++++++++++++++ site/content/en/news/releases/notes/v1.1.4.md | 19 +++++++++++++++++++ site/layouts/shortcodes/helm-version.html | 2 +- site/layouts/shortcodes/yaml-version.html | 2 +- 4 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 release-notes/v1.1.4.yaml create mode 100644 site/content/en/news/releases/notes/v1.1.4.md diff --git a/release-notes/v1.1.4.yaml b/release-notes/v1.1.4.yaml new file mode 100644 index 00000000000..09b06e829e2 --- /dev/null +++ b/release-notes/v1.1.4.yaml @@ -0,0 +1,16 @@ +date: December 12, 2024 + +# Fixes for bugs identified in previous versions. +bug fixes: | + Fixed validate proto messages before converting them to anypb.Any + Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work + Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes + Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn + Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected + Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined + +# Other notable changes not covered by the above sections. +Other changes: | + Bumped Rate Limit to 49af5cca + Bumped golang.org/x/crypto to 0.31.0 + diff --git a/site/content/en/news/releases/notes/v1.1.4.md b/site/content/en/news/releases/notes/v1.1.4.md new file mode 100644 index 00000000000..338e5f833db --- /dev/null +++ b/site/content/en/news/releases/notes/v1.1.4.md 
@@ -0,0 +1,19 @@ +--- +title: "v1.1.4" +publishdate: 2024-12-12 +--- + +Date: December 12, 2024 + +## Bug fixes +- Fixed validate proto messages before converting them to anypb.Any +- Fixed BackendTlsPolicy specify multiple targetRefs of the same service, only one will work +- Fixed Envoy rejecting TCP Listeners that have no attached TCPRoutes +- Fixed frequent 503 errors when connecting to a Service experiencing high Pod churn +- Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected +- Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined + +## Other changes +- Bumped Rate Limit to 49af5cca +- Bumped golang.org/x/crypto to 0.31.0 + diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index 421a5cae3d2..b21ca9586b8 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -3,7 +3,7 @@ {{- "v0.0.0-latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.3" -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index d5f7514e571..d68a435454c 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -3,7 +3,7 @@ {{- "latest" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.1") -}} -{{- "v1.1.3" -}} +{{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} {{- "v1.2.3" -}} From c1ff13528080fbfa1240b54deea55f3223d4bd74 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 13 Dec 2024 06:19:50 +0800 Subject: [PATCH 489/523] fix: decouple gateway status updates from the reconciler (#4767) * decoup gateway status update Signed-off-by: Huabing Zhao * decoup gatewayclass status update Signed-off-by: Huabing Zhao * fix test 
Signed-off-by: Huabing Zhao * add comment Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * fix test Signed-off-by: Huabing Zhao * revert gateway api runner Signed-off-by: Huabing Zhao * update address and programming status Signed-off-by: Huabing Zhao * Revert "update address and programming status" This reverts commit bf3d07ea76c681afab9dbfe16c702475c9b39a67. * avoid overriding the gateway status from Gateway API translator Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * only subscribe to status updates upon acquiring leadership Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * address comment Signed-off-by: Huabing Zhao * minor wording Signed-off-by: Huabing Zhao * fix lint Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * release note Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- internal/envoygateway/config/config.go | 12 ++-- internal/infrastructure/runner/runner.go | 8 +-- internal/message/types.go | 13 ++-- internal/provider/kubernetes/controller.go | 34 +++++++---- internal/provider/kubernetes/kubernetes.go | 33 +++++----- internal/provider/kubernetes/predicates.go | 26 +++++++- .../provider/kubernetes/predicates_test.go | 3 + internal/provider/kubernetes/status.go | 61 +++++++++---------- release-notes/current.yaml | 1 + 9 files changed, 112 insertions(+), 79 deletions(-) diff --git a/internal/envoygateway/config/config.go b/internal/envoygateway/config/config.go index c842c184e4c..af05dac0753 100644 --- a/internal/envoygateway/config/config.go +++ b/internal/envoygateway/config/config.go @@ -7,6 +7,7 @@ package config import ( "errors" + "sync" egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" "github.com/envoyproxy/gateway/api/v1alpha1/validation" 
@@ -37,19 +38,22 @@ type Server struct { // Logger is the logr implementation used by Envoy Gateway. Logger logging.Logger // Elected chan is used to signal what a leader is elected - Elected chan struct{} + Elected *sync.WaitGroup } // New returns a Server with default parameters. func New() (*Server, error) { - return &Server{ + server := &Server{ EnvoyGateway: egv1a1.DefaultEnvoyGateway(), Namespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace), DNSDomain: env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain), // the default logger Logger: logging.DefaultLogger(egv1a1.LogLevelInfo), - Elected: make(chan struct{}), - }, nil + Elected: &sync.WaitGroup{}, + } + // Block the tasks that are waiting for the leader to be elected + server.Elected.Add(1) + return server, nil } // Validate validates a Server config. diff --git a/internal/infrastructure/runner/runner.go b/internal/infrastructure/runner/runner.go index 6896a6e5a16..3344ca0d349 100644 --- a/internal/infrastructure/runner/runner.go +++ b/internal/infrastructure/runner/runner.go @@ -72,12 +72,8 @@ func (r *Runner) Start(ctx context.Context) (err error) { if r.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes && !ptr.Deref(r.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { go func() { - select { - case <-ctx.Done(): - return - case <-r.Elected: - initInfra() - } + r.Elected.Wait() + initInfra() }() return } diff --git a/internal/message/types.go b/internal/message/types.go index 3e3923e6cb2..2eee7f90345 100644 --- a/internal/message/types.go +++ b/internal/message/types.go 
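Review bot: The field comment on `Elected` still says "Elected chan is used to signal what a leader is elected" although the field is now a `*sync.WaitGroup`, and nothing documents that it is only armed by `New()`. A `Server` built as a struct literal leaves `Elected` nil, so the `Elected.Wait()` and `Elected.Done()` calls this commit adds in other files would dereference a nil pointer; whether any caller or test builds it that way is not visible here. I would replace the comment with `// Elected is released once this instance acquires leadership; New() arms it with Add(1) and waiters block on Elected.Wait().`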
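Review bot: The goroutine in `Start` now blocks on `r.Elected.Wait()` and can no longer observe `ctx.Done()`, so on a replica that never becomes leader it stays parked until the process exits instead of returning on shutdown as the removed `select` did. The same pattern is added in `newGatewayAPIController` in controller.go (`cfg.Elected.Wait()`). A channel that the provider closes on election would serve several waiters and keep cancellation: `close(svrCfg.Elected)` in the provider, and `case <-r.Elected:` next to `case <-ctx.Done():` here. The removed provider code carried a `WARN: DO NOT CLOSE IT` comment, so the reason for that needs confirming first; `Start` begins and ends outside the hunk.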
@@ -75,12 +75,13 @@ func (p *ProviderResources) Close() { // GatewayAPIStatuses contains gateway API resources statuses type GatewayAPIStatuses struct { - GatewayStatuses watchable.Map[types.NamespacedName, *gwapiv1.GatewayStatus] - HTTPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.HTTPRouteStatus] - GRPCRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.GRPCRouteStatus] - TLSRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TLSRouteStatus] - TCPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TCPRouteStatus] - UDPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.UDPRouteStatus] + GatewayClassStatuses watchable.Map[types.NamespacedName, *gwapiv1.GatewayClassStatus] + GatewayStatuses watchable.Map[types.NamespacedName, *gwapiv1.GatewayStatus] + HTTPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.HTTPRouteStatus] + GRPCRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1.GRPCRouteStatus] + TLSRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TLSRouteStatus] + TCPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.TCPRouteStatus] + UDPRouteStatuses watchable.Map[types.NamespacedName, *gwapiv1a2.UDPRouteStatus] } func (s *GatewayAPIStatuses) Close() { diff --git a/internal/provider/kubernetes/controller.go b/internal/provider/kubernetes/controller.go index f71ebee9520..bcb6fa8772c 100644 --- a/internal/provider/kubernetes/controller.go +++ b/internal/provider/kubernetes/controller.go 
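Review bot: `GatewayClassStatuses` is added to the struct, but `Close()` directly below it is untouched by this commit; the 13 changed lines in the diffstat are all in the field list. Unless its body, which is outside the hunk, closes the fields generically, the new map is never closed, and the `gatewayclass-status` subscriber added in status.go would then stop only on context cancellation. I would add `s.GatewayClassStatuses.Close()` to `Close()` alongside the other maps.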
@@ -129,13 +129,21 @@ func newGatewayAPIController(mgr manager.Manager, cfg *config.Server, su Updater } r.log.Info("created gatewayapi controller") - // Subscribe to status updates - r.subscribeAndUpdateStatus(ctx, cfg.EnvoyGateway.EnvoyGatewaySpec.ExtensionManager != nil) - // Watch resources if err := r.watchResources(ctx, mgr, c); err != nil { return fmt.Errorf("error watching resources: %w", err) } + + // When leader election is enabled, only subscribe to status updates upon acquiring leadership. + if cfg.EnvoyGateway.Provider.Type == egv1a1.ProviderTypeKubernetes && + !ptr.Deref(cfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { + go func() { + cfg.Elected.Wait() + r.subscribeAndUpdateStatus(ctx, cfg.EnvoyGateway.EnvoyGatewaySpec.ExtensionManager != nil) + }() + } else { + r.subscribeAndUpdateStatus(ctx, cfg.EnvoyGateway.EnvoyGatewaySpec.ExtensionManager != nil) + } return nil } @@ -199,9 +207,12 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil { if err := r.processGatewayClassParamsRef(ctx, managedGC, resourceMappings, gwcResource); err != nil { msg := fmt.Sprintf("%s: %v", status.MsgGatewayClassInvalidParams, err) - if err := r.updateStatusForGatewayClass(ctx, managedGC, false, string(gwapiv1.GatewayClassReasonInvalidParameters), msg); err != nil { - r.log.Error(err, "unable to update GatewayClass status") - } + gc := status.SetGatewayClassAccepted( + managedGC.DeepCopy(), + false, + string(gwapiv1.GatewayClassReasonInvalidParameters), + msg) + r.resources.GatewayClassStatuses.Store(utils.NamespacedName(gc), &gc.Status) r.log.Error(err, "failed to process parametersRef for gatewayclass", "name", managedGC.Name) return reconcile.Result{}, err } 
@@ -293,11 +304,12 @@ func (r *gatewayAPIReconciler) Reconcile(ctx context.Context, _ reconcile.Reques // process envoy gateway secret refs r.processEnvoyProxySecretRef(ctx, gwcResource) - - if err := r.updateStatusForGatewayClass(ctx, managedGC, true, string(gwapiv1.GatewayClassReasonAccepted), status.MsgValidGatewayClass); err != nil { - r.log.Error(err, "unable to update GatewayClass status") - return reconcile.Result{}, err - } + gc := status.SetGatewayClassAccepted( + managedGC.DeepCopy(), + true, + string(gwapiv1.GatewayClassReasonAccepted), + status.MsgValidGatewayClass) + r.resources.GatewayClassStatuses.Store(utils.NamespacedName(gc), &gc.Status) if len(gwcResource.Gateways) == 0 { r.log.Info("No gateways found for accepted gatewayclass") diff --git a/internal/provider/kubernetes/kubernetes.go b/internal/provider/kubernetes/kubernetes.go index 4fdbc329dd0..56f96e70a18 100644 --- a/internal/provider/kubernetes/kubernetes.go +++ b/internal/provider/kubernetes/kubernetes.go 
@@ -36,40 +36,40 @@ type Provider struct { } // New creates a new Provider from the provided EnvoyGateway. -func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) (*Provider, error) { +func New(restCfg *rest.Config, svrCfg *ec.Server, resources *message.ProviderResources) (*Provider, error) { // TODO: Decide which mgr opts should be exposed through envoygateway.provider.kubernetes API. mgrOpts := manager.Options{ Scheme: envoygateway.GetScheme(), - Logger: svr.Logger.Logger, + Logger: svrCfg.Logger.Logger, HealthProbeBindAddress: ":8081", LeaderElectionID: "5b9825d2.gateway.envoyproxy.io", - LeaderElectionNamespace: svr.Namespace, + LeaderElectionNamespace: svrCfg.Namespace, } log.SetLogger(mgrOpts.Logger) klog.SetLogger(mgrOpts.Logger) - if !ptr.Deref(svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { + if !ptr.Deref(svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.Disable, false) { mgrOpts.LeaderElection = true - if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration != nil { - ld, err := time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration)) + if svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration != nil { + ld, err := time.ParseDuration(string(*svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.LeaseDuration)) if err != nil { return nil, err } mgrOpts.LeaseDuration = ptr.To(ld) } - if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod != nil { - rp, err := time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod)) + if svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod != nil { + rp, err := time.ParseDuration(string(*svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.RetryPeriod)) if err != nil { return nil, err } mgrOpts.RetryPeriod = ptr.To(rp) } - if svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline != nil { - rd, err := 
time.ParseDuration(string(*svr.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline)) + if svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline != nil { + rd, err := time.ParseDuration(string(*svrCfg.EnvoyGateway.Provider.Kubernetes.LeaderElection.RenewDeadline)) if err != nil { return nil, err } @@ -78,13 +78,13 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) mgrOpts.Controller = config.Controller{NeedLeaderElection: ptr.To(false)} } - if svr.EnvoyGateway.NamespaceMode() { + if svrCfg.EnvoyGateway.NamespaceMode() { mgrOpts.Cache.DefaultNamespaces = make(map[string]cache.Config) - for _, watchNS := range svr.EnvoyGateway.Provider.Kubernetes.Watch.Namespaces { + for _, watchNS := range svrCfg.EnvoyGateway.Provider.Kubernetes.Watch.Namespaces { mgrOpts.Cache.DefaultNamespaces[watchNS] = cache.Config{} } } - mgr, err := ctrl.NewManager(cfg, mgrOpts) + mgr, err := ctrl.NewManager(restCfg, mgrOpts) if err != nil { return nil, fmt.Errorf("failed to create manager: %w", err) } @@ -95,7 +95,7 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) } // Create and register the controllers with the manager. - if err := newGatewayAPIController(mgr, svr, updateHandler.Writer(), resources); err != nil { + if err := newGatewayAPIController(mgr, svrCfg, updateHandler.Writer(), resources); err != nil { return nil, fmt.Errorf("failted to create gatewayapi controller: %w", err) } @@ -109,11 +109,10 @@ func New(cfg *rest.Config, svr *ec.Server, resources *message.ProviderResources) return nil, fmt.Errorf("unable to set up ready check: %w", err) } - // Emit elected & continue with envoyObjects of infra resources + // Emit elected & continue with the tasks that require leadership. go func() { <-mgr.Elected() - // WARN: DO NOT CLOSE IT - svr.Elected <- struct{}{} + svrCfg.Elected.Done() }() return &Provider{ 
diff --git a/internal/provider/kubernetes/predicates.go b/internal/provider/kubernetes/predicates.go index d25ec2fb7d4..16bb9361b04 100644 --- a/internal/provider/kubernetes/predicates.go +++ b/internal/provider/kubernetes/predicates.go @@ -294,7 +294,7 @@ func (r *gatewayAPIReconciler) validateServiceForReconcile(obj client.Object) bo // Check if the Service belongs to a Gateway, if so, update the Gateway status. gtw := r.findOwningGateway(ctx, labels) if gtw != nil { - r.updateStatusForGateway(ctx, gtw) + r.updateGatewayStatus(gtw) return false } @@ -528,7 +528,7 @@ func (r *gatewayAPIReconciler) validateObjectForReconcile(obj client.Object) boo // Check if the obj belongs to a Gateway, if so, update the Gateway status. gtw := r.findOwningGateway(ctx, labels) if gtw != nil { - r.updateStatusForGateway(ctx, gtw) + r.updateGatewayStatus(gtw) return false } } 
@@ -636,12 +636,32 @@ func (r *gatewayAPIReconciler) updateStatusForGatewaysUnderGatewayClass(ctx cont } for _, gateway := range gateways.Items { - r.updateStatusForGateway(ctx, &gateway) + r.updateGatewayStatus(&gateway) } return nil } +// updateGatewayStatus triggers a status update for the Gateway. +func (r *gatewayAPIReconciler) updateGatewayStatus(gateway *gwapiv1.Gateway) { + gwName := utils.NamespacedName(gateway) + status := &gateway.Status + // Use the existing status if it exists to avoid losing the status calculated by the Gateway API translator. + if existing, ok := r.resources.GatewayStatuses.Load(gwName); ok { + status = existing + } + + // Since the status does not reflect the actual changed status, we need to delete it first + // to prevent it from being considered unchanged. This ensures that subscribers receive the update event. + r.resources.GatewayStatuses.Delete(gwName) + // The status that is stored in the GatewayStatuses GatewayStatuses is solely used to trigger the status updater + // and does not reflect the real changed status. + // + // The status updater will check the Envoy Proxy service to get the addresses of the Gateway, + // and check the Envoy Proxy Deployment/DaemonSet to get the status of the Gateway workload. + r.resources.GatewayStatuses.Store(gwName, status) +} + func (r *gatewayAPIReconciler) handleNode(obj client.Object) bool { ctx := context.Background() node, ok := obj.(*corev1.Node) diff --git a/internal/provider/kubernetes/predicates_test.go b/internal/provider/kubernetes/predicates_test.go index d8abf845f4d..8ff155f46f4 100644 --- a/internal/provider/kubernetes/predicates_test.go +++ b/internal/provider/kubernetes/predicates_test.go 
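Review bot: `updateGatewayStatus` runs `Load`, `Delete` and `Store` on `r.resources.GatewayStatuses` as three separate steps, so a status the Gateway API translator stores between the `Load` and the final `Store` would be overwritten with the older `existing` value, which is the case the comment says it wants to avoid. Whether the translator writes concurrently with these predicate callbacks is not shown in the hunk. Subscribers also receive a delete event for a Gateway that still exists, so confirm the Gateway subscriber (outside this hunk) ignores deletes. I would add a comment stating the assumption, for example `// Not atomic: assumes no concurrent Store for gwName between Load and Store.`, and fix the repeated word in `GatewayStatuses GatewayStatuses`.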
@@ -26,6 +26,7 @@ import ( "github.com/envoyproxy/gateway/internal/gatewayapi/resource" "github.com/envoyproxy/gateway/internal/infrastructure/kubernetes/proxy" "github.com/envoyproxy/gateway/internal/logging" + "github.com/envoyproxy/gateway/internal/message" "github.com/envoyproxy/gateway/internal/provider/kubernetes/test" ) @@ -854,6 +855,7 @@ func TestValidateServiceForReconcile(t *testing.T) { classController: egv1a1.GatewayControllerName, log: logger, mergeGateways: sets.New[string]("test-mg"), + resources: &message.ProviderResources{}, grpcRouteCRDExists: true, tcpRouteCRDExists: true, udpRouteCRDExists: true, @@ -972,6 +974,7 @@ func TestValidateObjectForReconcile(t *testing.T) { classController: egv1a1.GatewayControllerName, log: logger, mergeGateways: sets.New[string]("test-mg"), + resources: &message.ProviderResources{}, } for _, tc := range testCases { diff --git a/internal/provider/kubernetes/status.go b/internal/provider/kubernetes/status.go index a59eb82f75a..d9ff03f9b66 100644 --- a/internal/provider/kubernetes/status.go +++ b/internal/provider/kubernetes/status.go @@ -10,7 +10,6 @@ import ( "fmt" "reflect" - kerrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/types" "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -28,6 +27,35 @@ import ( // subscribeAndUpdateStatus subscribes to gateway API object status updates and // writes it into the Kubernetes API Server. func (r *gatewayAPIReconciler) subscribeAndUpdateStatus(ctx context.Context, extensionManagerEnabled bool) { + // GatewayClass object status updater + go func() { + message.HandleSubscription( + message.Metadata{Runner: string(egv1a1.LogComponentProviderRunner), Message: "gatewayclass-status"}, + r.resources.GatewayClassStatuses.Subscribe(ctx), + func(update message.Update[types.NamespacedName, *gwapiv1.GatewayClassStatus], errChan chan error) { + // skip delete updates. + if update.Delete { + return + } + + r.statusUpdater.Send(Update{ + NamespacedName: update.Key, + Resource: new(gwapiv1.GatewayClass), + Mutator: MutatorFunc(func(obj client.Object) client.Object { + gc, ok := obj.(*gwapiv1.GatewayClass) + if !ok { + panic(fmt.Sprintf("unsupported object type %T", obj)) + } + gcCopy := gc.DeepCopy() + gcCopy.Status = *update.Value + return gcCopy + }), + }) + }, + ) + r.log.Info("gatewayclass status subscriber shutting down") + }() + // Gateway object status updater go func() { message.HandleSubscription( 
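Review bot: The mutator replaces the whole `Status` of the fetched GatewayClass with the snapshot taken at reconcile time (`gcCopy.Status = *update.Value`), whereas the removed `updateStatusForGatewayClass` applied `status.SetGatewayClassAccepted` to the object it had just fetched. Any status field written between the reconcile and this update would be dropped; whether another writer exists is not visible in the diff. `update.Value` is also dereferenced inside the mutator without a nil check, so I would widen the guard to `if update.Delete || update.Value == nil { return }`. `subscribeAndUpdateStatus` continues past the end of the hunk.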
@@ -564,34 +592,3 @@ func (r *gatewayAPIReconciler) updateStatusForGateway(ctx context.Context, gtw * }), }) } - -func (r *gatewayAPIReconciler) updateStatusForGatewayClass( - ctx context.Context, - gc *gwapiv1.GatewayClass, - accepted bool, - reason, - msg string, -) error { - if r.statusUpdater != nil { - r.statusUpdater.Send(Update{ - NamespacedName: types.NamespacedName{Name: gc.Name}, - Resource: &gwapiv1.GatewayClass{}, - Mutator: MutatorFunc(func(obj client.Object) client.Object { - gc, ok := obj.(*gwapiv1.GatewayClass) - if !ok { - panic(fmt.Sprintf("unsupported object type %T", obj)) - } - - return status.SetGatewayClassAccepted(gc.DeepCopy(), accepted, reason, msg) - }), - }) - } else { - // this branch makes testing easier by not going through the status.Updater. - duplicate := status.SetGatewayClassAccepted(gc.DeepCopy(), accepted, reason, msg) - - if err := r.client.Status().Update(ctx, duplicate); err != nil && !kerrors.IsNotFound(err) { - return fmt.Errorf("error updating status of gatewayclass %s: %w", duplicate.Name, err) - } - } - return nil -} diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 123759f7a84..3f281a27737 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -22,6 +22,7 @@ bug fixes: | Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined + Fixed proxies connected to the secondary EG were not receiving xDS configuration # Enhancements that improve performance. performance improvements: | From 1843a611ed1e11643462a14bbb255afddc99f544 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Dec 2024 18:11:49 -0800 Subject: [PATCH 490/523] build(deps): bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /tools/src/helm-docs (#4902) build(deps): bump golang.org/x/crypto in /tools/src/helm-docs Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.21.0 to 0.31.0. - [Commits](https://github.com/golang/crypto/compare/v0.21.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/src/helm-docs/go.mod | 6 +++--- tools/src/helm-docs/go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/src/helm-docs/go.mod b/tools/src/helm-docs/go.mod index 05180f8b0f0..387049355d4 100644 --- a/tools/src/helm-docs/go.mod +++ b/tools/src/helm-docs/go.mod @@ -30,9 +30,9 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.16.0 // indirect github.com/subosito/gotenv v1.4.2 // indirect - golang.org/x/crypto v0.21.0 // indirect - golang.org/x/sys v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/crypto v0.31.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/text v0.21.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect helm.sh/helm/v3 v3.15.2 // indirect diff --git a/tools/src/helm-docs/go.sum b/tools/src/helm-docs/go.sum index 74600b6b954..9c334edb251 100644 --- a/tools/src/helm-docs/go.sum +++ b/tools/src/helm-docs/go.sum 
@@ -232,8 +232,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -362,8 +362,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -376,8 +376,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
From b9ff29c7d31b32a9e2eebcc48bc4977e54e11aa9 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 12 Dec 2024 18:19:23 -0800 Subject: [PATCH 491/523] Fix Weighted Invalid Backend Logic (#4911) * Fix Weighted Invaid Backend Logic We were not adding valid clusters where there was a invalid cluster Regression from https://github.com/envoyproxy/gateway/pull/3246 Signed-off-by: Arko Dasgupta * add release note Signed-off-by: Arko Dasgupta --------- Signed-off-by: Arko Dasgupta --- internal/xds/translator/route.go | 36 ++++++++----------- ...route-weighted-invalid-backend.routes.yaml | 2 ++ release-notes/current.yaml | 1 + 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go index 330484d41d6..414e76b8366 100644 --- a/internal/xds/translator/route.go +++ b/internal/xds/translator/route.go 
@@ -244,39 +244,33 @@ func buildXdsWeightedRouteAction(backendWeights *ir.BackendWeights, settings []* Weight: &wrapperspb.UInt32Value{Value: backendWeights.Invalid}, } weightedClusters = append(weightedClusters, invalidCluster) - return &routev3.RouteAction{ - // Intentionally route to a non-existent cluster and return a 500 error when it is not found - ClusterNotFoundResponseCode: routev3.RouteAction_INTERNAL_SERVER_ERROR, - ClusterSpecifier: &routev3.RouteAction_WeightedClusters{ - WeightedClusters: &routev3.WeightedCluster{ - Clusters: weightedClusters, - }, - }, - } } for _, destinationSetting := range settings { - if destinationSetting.Filters != nil { + if len(destinationSetting.Endpoints) > 0 { validCluster := &routev3.WeightedCluster_ClusterWeight{ Name: backendWeights.Name, Weight: &wrapperspb.UInt32Value{Value: *destinationSetting.Weight}, } - if len(destinationSetting.Filters.AddRequestHeaders) > 0 { - validCluster.RequestHeadersToAdd = append(validCluster.RequestHeadersToAdd, buildXdsAddedHeaders(destinationSetting.Filters.AddRequestHeaders)...) - } + if destinationSetting.Filters != nil { + if len(destinationSetting.Filters.AddRequestHeaders) > 0 { + validCluster.RequestHeadersToAdd = append(validCluster.RequestHeadersToAdd, buildXdsAddedHeaders(destinationSetting.Filters.AddRequestHeaders)...) + } - if len(destinationSetting.Filters.RemoveRequestHeaders) > 0 { - validCluster.RequestHeadersToRemove = append(validCluster.RequestHeadersToRemove, destinationSetting.Filters.RemoveRequestHeaders...) - } + if len(destinationSetting.Filters.RemoveRequestHeaders) > 0 { + validCluster.RequestHeadersToRemove = append(validCluster.RequestHeadersToRemove, destinationSetting.Filters.RemoveRequestHeaders...) + } - if len(destinationSetting.Filters.AddResponseHeaders) > 0 { - validCluster.ResponseHeadersToAdd = append(validCluster.ResponseHeadersToAdd, buildXdsAddedHeaders(destinationSetting.Filters.AddResponseHeaders)...) 
- } + if len(destinationSetting.Filters.AddResponseHeaders) > 0 { + validCluster.ResponseHeadersToAdd = append(validCluster.ResponseHeadersToAdd, buildXdsAddedHeaders(destinationSetting.Filters.AddResponseHeaders)...) + } - if len(destinationSetting.Filters.RemoveResponseHeaders) > 0 { - validCluster.ResponseHeadersToRemove = append(validCluster.ResponseHeadersToRemove, destinationSetting.Filters.RemoveResponseHeaders...) + if len(destinationSetting.Filters.RemoveResponseHeaders) > 0 { + validCluster.ResponseHeadersToRemove = append(validCluster.ResponseHeadersToRemove, destinationSetting.Filters.RemoveResponseHeaders...) + } } + weightedClusters = append(weightedClusters, validCluster) } } diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.routes.yaml index 6b53d359a22..235dea42729 100644 --- a/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/http-route-weighted-invalid-backend.routes.yaml @@ -16,3 +16,5 @@ clusters: - name: invalid-backend-cluster weight: 1 + - name: first-route-dest + weight: 1 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 3f281a27737..44d8f3fbc36 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -23,6 +23,7 @@ bug fixes: | Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined Fixed proxies connected to the secondary EG were not receiving xDS configuration + Fixed traffic splitting when some backends were invalid # Enhancements that improve performance. performance improvements: | From 7ba17172b491434714af3dbf22eb17d03d900113 Mon Sep 17 00:00:00 2001 
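Review bot: `*destinationSetting.Weight` is now dereferenced for every destination that has endpoints, not only for those with `Filters` set, and nothing in the hunk checks the pointer for nil, so a destination without a weight would panic the translator instead of producing a route. If the IR does not already guarantee a non-nil `Weight` at this point (not visible from the hunk), guard it at the top of the loop, e.g. `if len(destinationSetting.Endpoints) == 0 || destinationSetting.Weight == nil { continue }`, which also removes one level of nesting. With the early return removed, `ClusterNotFoundResponseCode: routev3.RouteAction_INTERNAL_SERVER_ERROR` now has to come from the return after the loop, which is outside the hunk; it is worth confirming there that traffic sent to the invalid cluster still gets a 500. The body of `buildXdsWeightedRouteAction` starts and ends outside the hunk.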
From: "Huabing (Robin) Zhao" Date: Fri, 13 Dec 2024 10:57:01 +0800 Subject: [PATCH 492/523] chore: support k8s v1.32.x (#4898) --- .github/workflows/build_and_test.yaml | 12 ++++++------ .github/workflows/experimental_conformance.yaml | 2 +- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- release-notes/current.yaml | 1 + site/content/en/news/releases/matrix.md | 2 +- site/content/zh/latest/install/matrix.md | 2 +- tools/hack/create-cluster.sh | 2 +- 8 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 7791b180b0c..222cfbc42bd 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -85,7 +85,7 @@ jobs: strategy: fail-fast: false matrix: - version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + version: [ v1.29.10, v1.30.6, v1.31.4, v1.32.0 ] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps @@ -115,14 +115,14 @@ jobs: fail-fast: false matrix: target: - - version: v1.28.13 + - version: v1.29.10 ipFamily: ipv4 - - version: v1.29.8 + - version: v1.30.6 ipFamily: ipv4 - - version: v1.30.4 + - version: v1.31.4 ipFamily: ipv6 # only run ipv6 test on this version to save time # TODO: this's IPv4 first, need a way to test IPv6 first. - - version: v1.31.0 + - version: v1.32.0 ipFamily: dual # only run dual test on latest version to save time steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -163,7 +163,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.13 + KIND_NODE_TAG: v1.29.10 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml index e2b43edfbba..f2de92a63b7 100644 --- a/.github/workflows/experimental_conformance.yaml 
+++ b/.github/workflows/experimental_conformance.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] + version: [ v1.29.10, v1.30.6, v1.31.4, v1.32.0 ] steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./tools/github-actions/setup-deps diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index b6e7d4c6d3f..47de6b9af60 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -31,7 +31,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.13 + KIND_NODE_TAG: v1.29.10 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7aea9e9d700..47636612dbf 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -24,7 +24,7 @@ jobs: # Benchmark - name: Run Benchmark tests env: - KIND_NODE_TAG: v1.28.13 + KIND_NODE_TAG: v1.29.10 IMAGE_PULL_POLICY: IfNotPresent # Args for benchmark test BENCHMARK_RPS: 10000 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 44d8f3fbc36..c012a49f04a 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -36,3 +36,4 @@ deprecations: | # Other notable changes not covered by the above sections. Other changes: | [SecurityPolicy] Modify the JWT Provider Issuer validation constraint + Add support for Kubernetes 1.32.x in the test matrix, and remove support for Kubernetes 1.28.x. diff --git a/site/content/en/news/releases/matrix.md b/site/content/en/news/releases/matrix.md index 8fbb021322a..d798d85fb40 100644 --- a/site/content/en/news/releases/matrix.md +++ b/site/content/en/news/releases/matrix.md 
@@ -7,7 +7,7 @@ Envoy Gateway relies on the Envoy Proxy and the Gateway API, and runs within a K | Envoy Gateway version | Envoy Proxy version | Rate Limit version | Gateway API version | Kubernetes version | |-----------------------|-----------------------------|--------------------|---------------------|----------------------------| -| latest | **dev-latest** | **master** | **v1.2.0** | v1.28, v1.29, v1.30, v1.31 | +| latest | **dev-latest** | **master** | **v1.2.0** | v1.29, v1.30, v1.31, v1.32 | | v1.2 | **distroless-v1.32.1** | **28b1629a** | **v1.2.0** | v1.28, v1.29, v1.30, v1.31 | | v1.1 | **distroless-v1.31.0** | **91484c59** | **v1.1.0** | v1.27, v1.28, v1.29, v1.30 | | v1.0 | **distroless-v1.29.2** | **19f2079f** | **v1.0.0** | v1.26, v1.27, v1.28, v1.29 | diff --git a/site/content/zh/latest/install/matrix.md b/site/content/zh/latest/install/matrix.md index aa5a7e79cdd..54143a09df2 100644 --- a/site/content/zh/latest/install/matrix.md +++ b/site/content/zh/latest/install/matrix.md @@ -15,4 +15,4 @@ Envoy Gateway 依赖于 Envoy Proxy 和 Gateway API,并在 Kubernetes 集群 | v0.4.0 | **v1.26-latest** | **542a6047** | **v0.6.2** | v1.25, v1.26, v1.27 | | v0.3.0 | **v1.25-latest** | **f28024e3** | **v0.6.1** | v1.24, v1.25, v1.26 | | v0.2.0 | **v1.23-latest** | | **v0.5.1** | v1.24 | -| latest | **dev-latest** | **master** | **v1.0.0** | v1.26, v1.27, v1.28, v1.29 | +| latest | **dev-latest** | **master** | **v1.0.0** | v1.29, v1.30, v1.31, v1.32 | diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index d1601cb83b6..c779aa0d6f3 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -5,7 +5,7 @@ set -euo pipefail # Setup default values CLUSTER_NAME=${CLUSTER_NAME:-"envoy-gateway"} METALLB_VERSION=${METALLB_VERSION:-"v0.13.10"} -KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.31.0"} +KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.32.0"} NUM_WORKERS=${NUM_WORKERS:-""} IP_FAMILY=${IP_FAMILY:-"ipv4"} 
From 260e4e573b3dbd78202e40e960c74ee220f4a894 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Thu, 12 Dec 2024 18:59:20 -0800 Subject: [PATCH 493/523] update docsy version (#4914) update docsy Signed-off-by: Arko Dasgupta --- site/package.json | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/site/package.json b/site/package.json index 2ea4bc1f1ae..843d2e60434 100644 --- a/site/package.json +++ b/site/package.json 
@@ -1,25 +1,28 @@ { "name": "docsy-example-site", - "version": "0.7.1", + "version": "0.10.0", + "version.next": "0.10.1-dev.0-unreleased", "description": "Example site that uses Docsy theme for technical documentation.", "repository": "github:google/docsy-example", "homepage": "https://example.docsy.dev", "author": "Docsy Authors", "license": "Apache-2.0", "bugs": "https://github.com/google/docsy-example/issues", - "spelling": "cSpell:ignore HTMLTEST precheck postbuild -", + "spelling": "cSpell:ignore docsy hugo htmltest precheck postbuild rtlcss -", "scripts": { - "_build": "npm run _hugo-dev", + "_build": "npm run _hugo-dev --", "_check:links": "echo IMPLEMENTATION PENDING for check-links; echo", "_hugo": "hugo --cleanDestinationDir", - "_hugo-dev": "npm run _hugo -- -e dev -DFE --baseURL http://localhost --bind 0.0.0.0", - "_serve": "npm run _hugo-dev -- --minify serve", + "_hugo-dev": "npm run _hugo -- -e dev -DFE", + "_local": "npx cross-env HUGO_MODULE_WORKSPACE=docsy.work", + "_serve": "npm run _hugo-dev -- --minify serve --renderToMemory", "build:preview": "npm run _hugo-dev -- --minify --baseURL \"${DEPLOY_PRIME_URL:-/}\"", "build:production": "npm run _hugo -- --minify", - "build": "npm run _build", + "build": "npm run _build -- ", "check:links:all": "HTMLTEST_ARGS= npm run _check:links", "check:links": "npm run _check:links", "clean": "rm -Rf public/* resources", + "local": "npm run _local -- npm run", "make:public": "git init -b main public", "precheck:links:all": "npm run build", "precheck:links": "npm run build", 
@@ -27,12 +30,23 @@ "postbuild:production": "npm run _check:links", "serve": "npm run _serve", "test": "npm run check:links", - "update:pkg:dep": "npm install --save-dev autoprefixer@latest postcss-cli@latest", - "update:pkg:hugo": "npm install --save-dev --save-exact hugo-extended@latest" + "update:dep": "npm install --save-dev autoprefixer@latest postcss-cli@latest", + "update:hugo": "npm install --save-dev --save-exact hugo-extended@latest", + "update:pkgs": "npx npm-check-updates -u" }, "devDependencies": { - "autoprefixer": "^10.4.14", - "hugo-extended": "0.128.0", - "postcss-cli": "^11.0.0" + "autoprefixer": "^10.4.20", + "cross-env": "^7.0.3", + "hugo-extended": "0.136.2", + "postcss-cli": "^11.0.0", + "rtlcss": "^4.3.0" + }, + "optionalDependencies": { + "npm-check-updates": "^17.1.4" + }, + "private": true, + "prettier": { + "proseWrap": "always", + "singleQuote": true } } From 23d5c9fe8bb108a093270792dd1d8a8cd89bfc15 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 13 Dec 2024 11:04:48 +0800 Subject: [PATCH 494/523] v1.2.4 release note (#4915) * v1.2.4 release note Signed-off-by: Huabing Zhao * fix grammar Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao * minor change Signed-off-by: Huabing Zhao --------- Signed-off-by: Huabing Zhao --- VERSION | 2 +- release-notes/current.yaml | 5 ----- release-notes/v1.2.4.yaml | 11 +++++++++++ site/content/en/news/releases/notes/v1.2.4.md | 16 ++++++++++++++++ 4 files changed, 28 insertions(+), 6 deletions(-) create mode 100644 release-notes/v1.2.4.yaml create mode 100644 site/content/en/news/releases/notes/v1.2.4.md diff --git a/VERSION b/VERSION index 4367f900087..c7cd5b26796 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.2.3 +v1.2.4 diff --git a/release-notes/current.yaml b/release-notes/current.yaml index c012a49f04a..29e3b8fbdb6 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -19,11 +19,6 @@ new features: | # Fixes for bugs identified in previous versions. bug fixes: | - Fixed BackendTLSPolicy didn't support using port name as the sectionName in the targetRefs - Fixed reference grant from EnvoyExtensionPolicy to referenced ext-proc backend not respected - Fixed BackendTrafficPolicy not applying to Gateway Route when Route has a Request Timeout defined - Fixed proxies connected to the secondary EG were not receiving xDS configuration - Fixed traffic splitting when some backends were invalid # Enhancements that improve performance. performance improvements: | diff --git a/release-notes/v1.2.4.yaml b/release-notes/v1.2.4.yaml new file mode 100644 index 00000000000..a188d54aec7 --- /dev/null +++ b/release-notes/v1.2.4.yaml @@ -0,0 +1,11 @@ +date: December 13, 2024 + +bug fixes: | + Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs. + Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected. + Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined. + Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration. + Fixed traffic splitting not working when some backends were invalid. + +Other changes: | + Bumped Envoy to version 1.32.2. diff --git a/site/content/en/news/releases/notes/v1.2.4.md b/site/content/en/news/releases/notes/v1.2.4.md new file mode 100644 index 00000000000..6ec26d2c2e6 --- /dev/null +++ b/site/content/en/news/releases/notes/v1.2.4.md 
@@ -0,0 +1,16 @@ +--- +title: "v1.2.4" +publishdate: 2024-12-13 +--- + +Date: December 13, 2024 + +## Bug fixes +- Fixed BackendTLSPolicy not supporting the use of a port name as the sectionName in targetRefs. +- Fixed reference grant from EnvoyExtensionPolicy to the referenced ext-proc backend not being respected. +- Fixed BackendTrafficPolicy not applying to Gateway Routes when a Route has a Request Timeout defined. +- Fixed proxies connected to the secondary Envoy Gateway not receiving xDS configuration. +- Fixed traffic splitting not working when some backends were invalid. + +## Other changes +- Bumped Envoy to version 1.32.2. From dede41502fc5799e1d22d52e42a7a4b23fb6a13b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:30:43 +0800 Subject: [PATCH 495/523] build(deps): bump golang.org/x/crypto from 0.22.0 to 0.31.0 in /tools/src/crd-ref-docs (#4903) build(deps): bump golang.org/x/crypto in /tools/src/crd-ref-docs Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.22.0 to 0.31.0. - [Commits](https://github.com/golang/crypto/compare/v0.22.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- tools/src/crd-ref-docs/go.mod | 12 ++++++------ tools/src/crd-ref-docs/go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/tools/src/crd-ref-docs/go.mod b/tools/src/crd-ref-docs/go.mod index 5d5bcd374a3..009bccd7145 100644 --- a/tools/src/crd-ref-docs/go.mod +++ b/tools/src/crd-ref-docs/go.mod 
@@ -29,13 +29,13 @@ require ( github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.24.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect - golang.org/x/tools v0.20.0 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/text v0.21.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect diff --git a/tools/src/crd-ref-docs/go.sum b/tools/src/crd-ref-docs/go.sum index 8bfb30cec1a..57b2304c45a 100644 --- a/tools/src/crd-ref-docs/go.sum +++ b/tools/src/crd-ref-docs/go.sum 
@@ -95,8 +95,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= 
@@ -105,30 +105,30 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod 
h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= -golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From d33b617d970771f3d04689812246e7165c1be6af Mon Sep 17 00:00:00 2001 
From: "Huabing (Robin) Zhao" Date: Fri, 13 Dec 2024 12:39:11 +0800 Subject: [PATCH 496/523] docs: update site link to 1.2.4 (#4918) update site link to 1.2.4 Signed-off-by: Huabing Zhao --- site/layouts/shortcodes/helm-version.html | 4 ++-- site/layouts/shortcodes/yaml-version.html | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/site/layouts/shortcodes/helm-version.html b/site/layouts/shortcodes/helm-version.html index b21ca9586b8..433b5e1bf46 100644 --- a/site/layouts/shortcodes/helm-version.html +++ b/site/layouts/shortcodes/helm-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.3" -}} +{{- "v1.2.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.3" -}} +{{- "v1.2.4" -}} {{- end -}} diff --git a/site/layouts/shortcodes/yaml-version.html b/site/layouts/shortcodes/yaml-version.html index d68a435454c..6de788e0b65 100644 --- a/site/layouts/shortcodes/yaml-version.html +++ b/site/layouts/shortcodes/yaml-version.html @@ -6,8 +6,8 @@ {{- "v1.1.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "v1.2") -}} -{{- "v1.2.3" -}} +{{- "v1.2.4" -}} {{- end -}} {{- with (strings.HasPrefix $pagePrefix "doc") -}} -{{- "v1.2.3" -}} +{{- "v1.2.4" -}} {{- end -}} From e6a74f8ac825b272c656f1e80f82098d56f9da54 Mon Sep 17 00:00:00 2001 
From: zirain Date: Fri, 13 Dec 2024 12:47:53 +0800 Subject: [PATCH 497/523] chore: bump and fix gen (#4917) * build(deps): bump sigs.k8s.io/controller-runtime from 0.19.2 to 0.19.3 Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.2 to 0.19.3. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.2...v0.19.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain * build(deps): bump go.opentelemetry.io/proto/otlp Bumps the go-opentelemetry-io group with 1 update in the / directory: [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go). Updates `go.opentelemetry.io/proto/otlp` from 1.3.1 to 1.4.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases) - [Commits](https://github.com/open-telemetry/opentelemetry-proto-go/compare/v1.3.1...v1.4.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/proto/otlp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain * add google.golang.org Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/dependabot.yml | 2 ++ examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 12 ++++++------ go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 5 files changed, 29 insertions(+), 27 deletions(-) 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 938a0fa2c49..03b7824c4da 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -30,12 +30,14 @@ updates: k8s.io: patterns: - "k8s.io/*" + - "sigs.k8s.io/*" go.opentelemetry.io: patterns: - "go.opentelemetry.io/*" golang.org: patterns: - "golang.org/*" + - "google.golang.org/*" - package-ecosystem: pip directories: - /tools/src/codespell diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 1c648fd94fc..9d2994afdb0 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -9,7 +9,7 @@ require ( google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 k8s.io/apimachinery v0.31.3 - sigs.k8s.io/controller-runtime v0.19.2 + sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/gateway-api v1.2.1 ) @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.32.0 // indirect golang.org/x/sys v0.28.0 // indirect golang.org/x/text v0.21.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 3904c3d700d..2c209e9586d 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -106,10 +106,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= 
@@ -132,8 +132,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= -sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= diff --git a/go.mod b/go.mod index 08376c948bd..19e5233b471 100644 --- a/go.mod +++ b/go.mod @@ -49,12 +49,12 @@ require ( go.opentelemetry.io/otel/metric v1.32.0 go.opentelemetry.io/otel/sdk v1.32.0 go.opentelemetry.io/otel/sdk/metric v1.32.0 - go.opentelemetry.io/proto/otlp v1.3.1 + go.opentelemetry.io/proto/otlp v1.4.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e golang.org/x/net v0.32.0 golang.org/x/sys v0.28.0 - google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 + google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 
@@ -67,7 +67,7 @@ require ( k8s.io/klog/v2 v2.130.1 k8s.io/kubectl v0.31.3 k8s.io/utils v0.0.0-20240821151609-f90d01438635 - sigs.k8s.io/controller-runtime v0.19.2 + sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/gateway-api v1.2.1 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 sigs.k8s.io/mcs-api v0.1.0 @@ -159,7 +159,7 @@ require ( github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/huandu/xstrings v1.5.0 // indirect @@ -266,14 +266,14 @@ require ( golang.org/x/crypto v0.31.0 // indirect golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/oauth2 v0.23.0 // indirect + golang.org/x/oauth2 v0.24.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/term v0.27.0 // indirect golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 08b3df5cc9f..93c0c577c2d 100644 --- a/go.sum +++ b/go.sum 
@@ -448,8 +448,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -918,8 +918,8 @@ go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiy go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= -go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= -go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= +go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -985,8 +985,8 @@ golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= -golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= +golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1086,10 +1086,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= -google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= +google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 
@@ -1213,8 +1213,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= -sigs.k8s.io/controller-runtime v0.19.2 h1:3sPrF58XQEPzbE8T81TN6selQIMGbtYwuaJ6eDssDF8= -sigs.k8s.io/controller-runtime v0.19.2/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= From 920a13cafe16de646e7e260ea2ebb29a701b96b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Dec 2024 09:25:53 +0800 Subject: [PATCH 498/523] build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 (#4921) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.6 to 3.27.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/aa578102511db1f4524ed59b8cc2bae4f6e88195...df409f7d9260372bd5f19e5b04e83cb3c43714ae) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d29fc81234f..a0f9fd211f1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,14 +36,14 @@ jobs: - uses: ./tools/github-actions/setup-deps - name: Initialize CodeQL - uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 07f19a968f2..8023a5d51c0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: sarif_file: results.sarif From 172cbb286fd391a42b54ff515e0d02a56a21eaf1 Mon Sep 17 00:00:00 2001 
From: keithfz Date: Fri, 13 Dec 2024 20:27:06 -0500 Subject: [PATCH 499/523] feat: support patching on EnvoyProxy.spec.provider.kubernetes.envoyHpa and EnvoyProxy.spec.provider.kubernetes.envoyPDB (#4910) * Add patch field for envoyHPA and envoyPDB in EnvoyGateway API Signed-off-by: keithfz * It's actually currently the envoyPDB field, not envoyPdb Signed-off-by: keithfz * fix comment Signed-off-by: keithfz * fix error messages Signed-off-by: keithfz * Add validation for hpa and pdb Signed-off-by: keithfz * lint and gen-check Signed-off-by: keithfz * adding test coverage Signed-off-by: keithfz * lint Signed-off-by: keithfz --------- Signed-off-by: keithfz --- api/v1alpha1/kubernetes_helpers.go | 74 +++++++ api/v1alpha1/shared_types.go | 10 + .../validation/envoyproxy_validate.go | 38 ++++ .../validation/envoyproxy_validate_test.go | 186 ++++++++++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 10 + .../gateway.envoyproxy.io_envoyproxies.yaml | 34 ++++ .../kubernetes/proxy/resource_provider.go | 23 ++- .../proxy/resource_provider_test.go | 52 +++++ .../proxy/testdata/hpa/patch-json-hpa.yaml | 21 ++ .../testdata/hpa/patch-strategic-hpa.yaml | 21 ++ .../proxy/testdata/pdb/patch-json-pdb.yaml | 15 ++ .../testdata/pdb/patch-strategic-pdb.yaml | 10 + release-notes/current.yaml | 1 + site/content/en/latest/api/extension_types.md | 4 + site/content/zh/latest/api/extension_types.md | 4 + 15 files changed, 497 insertions(+), 6 deletions(-) create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-json-hpa.yaml create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-strategic-hpa.yaml create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-json-pdb.yaml create mode 100644 internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-strategic-pdb.yaml diff --git a/api/v1alpha1/kubernetes_helpers.go b/api/v1alpha1/kubernetes_helpers.go index 1ac790b9c13..761f880d29b 100644 
--- a/api/v1alpha1/kubernetes_helpers.go +++ b/api/v1alpha1/kubernetes_helpers.go @@ -11,7 +11,9 @@ import ( jsonpatch "github.com/evanphx/json-patch" appsv1 "k8s.io/api/apps/v1" + autoscalingv2 "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" + policyv1 "k8s.io/api/policy/v1" "k8s.io/apimachinery/pkg/api/resource" "k8s.io/apimachinery/pkg/util/strategicpatch" "k8s.io/utils/ptr" 
@@ -263,3 +265,75 @@ func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*cor return &patchedService, nil } + +// ApplyMergePatch applies a merge patch to a HorizontalPodAutoscaler based on the merge type +func (hpa *KubernetesHorizontalPodAutoscalerSpec) ApplyMergePatch(old *autoscalingv2.HorizontalPodAutoscaler) (*autoscalingv2.HorizontalPodAutoscaler, error) { + if hpa.Patch == nil { + return old, nil + } + + var patchedJSON []byte + var err error + + // Serialize the current HPA to JSON + originalJSON, err := json.Marshal(old) + if err != nil { + return nil, fmt.Errorf("error marshaling original HorizontalPodAutoscaler: %w", err) + } + + switch { + case hpa.Patch.Type == nil || *hpa.Patch.Type == StrategicMerge: + patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, hpa.Patch.Value.Raw, autoscalingv2.HorizontalPodAutoscaler{}) + case *hpa.Patch.Type == JSONMerge: + patchedJSON, err = jsonpatch.MergePatch(originalJSON, hpa.Patch.Value.Raw) + default: + return nil, fmt.Errorf("unsupported merge type: %s", *hpa.Patch.Type) + } + if err != nil { + return nil, fmt.Errorf("error applying merge patch: %w", err) + } + + // Deserialize the patched JSON into a new HorizontalPodAutoscaler object + var patchedHpa autoscalingv2.HorizontalPodAutoscaler + if err := json.Unmarshal(patchedJSON, &patchedHpa); err != nil { + return nil, fmt.Errorf("error unmarshaling patched HorizontalPodAutoscaler: %w", err) + } + + return &patchedHpa, nil +} + +// ApplyMergePatch applies a merge patch to a PodDisruptionBudget based on the merge type +func (pdb *KubernetesPodDisruptionBudgetSpec) ApplyMergePatch(old *policyv1.PodDisruptionBudget) (*policyv1.PodDisruptionBudget, error) { + if pdb.Patch == nil { + return old, nil + } + + var patchedJSON []byte + var err error + + // Serialize the PDB deployment to JSON + originalJSON, err := json.Marshal(old) + if err != nil { + return nil, fmt.Errorf("error marshaling original PodDisruptionBudget: %w", err) 
+ } + + switch { + case pdb.Patch.Type == nil || *pdb.Patch.Type == StrategicMerge: + patchedJSON, err = strategicpatch.StrategicMergePatch(originalJSON, pdb.Patch.Value.Raw, policyv1.PodDisruptionBudget{}) + case *pdb.Patch.Type == JSONMerge: + patchedJSON, err = jsonpatch.MergePatch(originalJSON, pdb.Patch.Value.Raw) + default: + return nil, fmt.Errorf("unsupported merge type: %s", *pdb.Patch.Type) + } + if err != nil { + return nil, fmt.Errorf("error applying merge patch: %w", err) + } + + // Deserialize the patched JSON into a new HorizontalPodAutoscaler object + var patchedPdb policyv1.PodDisruptionBudget + if err := json.Unmarshal(patchedJSON, &patchedPdb); err != nil { + return nil, fmt.Errorf("error unmarshaling patched PodDisruptionBudget: %w", err) + } + + return &patchedPdb, nil +} diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go index b79839a7dda..036054dc47e 100644 --- a/api/v1alpha1/shared_types.go +++ b/api/v1alpha1/shared_types.go @@ -406,6 +406,11 @@ type KubernetesPodDisruptionBudgetSpec struct { // and resilience during maintenance operations. // +optional MinAvailable *int32 `json:"minAvailable,omitempty"` + + // Patch defines how to perform the patch operation to the PodDisruptionBudget + // + // +optional + Patch *KubernetesPatchSpec `json:"patch,omitempty"` } // KubernetesHorizontalPodAutoscalerSpec defines Kubernetes Horizontal Pod Autoscaler settings of Envoy Proxy Deployment. @@ -443,6 +448,11 @@ type KubernetesHorizontalPodAutoscalerSpec struct { // // +optional Behavior *autoscalingv2.HorizontalPodAutoscalerBehavior `json:"behavior,omitempty"` + + // Patch defines how to perform the patch operation to the HorizontalPodAutoscaler + // + // +optional + Patch *KubernetesPatchSpec `json:"patch,omitempty"` } // HTTPStatus defines the http status code. diff --git a/api/v1alpha1/validation/envoyproxy_validate.go b/api/v1alpha1/validation/envoyproxy_validate.go index 74ce4e0451c..a13fdacbd3d 100644 
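Review bot: Two comments in the PodDisruptionBudget variant of ApplyMergePatch were copied from the sibling methods and name the wrong object: `// Serialize the PDB deployment to JSON` and `// Deserialize the patched JSON into a new HorizontalPodAutoscaler object`. I would change them to `// Serialize the current PodDisruptionBudget to JSON` and `// Deserialize the patched JSON into a new PodDisruptionBudget object`. The doc comments on both new methods could also say that a nil Patch returns `old` itself rather than a copy, and that an unset Type is treated as StrategicMerge. Both facts follow from the first `if` and the first `case`, and callers need them to know whether the result aliases their input.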
--- a/api/v1alpha1/validation/envoyproxy_validate.go +++ b/api/v1alpha1/validation/envoyproxy_validate.go @@ -72,6 +72,14 @@ func validateProvider(spec *egv1a1.EnvoyProxySpec) []error { if len(validateDeploymentErrs) != 0 { errs = append(errs, validateDeploymentErrs...) } + validateHpaErrors := validateHpa(spec) + if len(validateHpaErrors) != 0 { + errs = append(errs, validateHpaErrors...) + } + validatePdbErrors := validatePdb(spec) + if len(validatePdbErrors) != 0 { + errs = append(errs, validatePdbErrors...) + } validateServiceErrs := validateService(spec) if len(validateServiceErrs) != 0 { errs = append(errs, validateServiceErrs...) @@ -95,6 +103,36 @@ func validateDeployment(spec *egv1a1.EnvoyProxySpec) []error { return errs } +func validateHpa(spec *egv1a1.EnvoyProxySpec) []error { + var errs []error + if spec.Provider.Kubernetes != nil && spec.Provider.Kubernetes.EnvoyHpa != nil { + if patch := spec.Provider.Kubernetes.EnvoyHpa.Patch; patch != nil { + if patch.Value.Raw == nil { + errs = append(errs, fmt.Errorf("envoy hpa patch object cannot be empty")) + } + if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge { + errs = append(errs, fmt.Errorf("unsupported envoy hpa patch type %s", *patch.Type)) + } + } + } + return errs +} + +func validatePdb(spec *egv1a1.EnvoyProxySpec) []error { + var errs []error + if spec.Provider.Kubernetes != nil && spec.Provider.Kubernetes.EnvoyPDB != nil { + if patch := spec.Provider.Kubernetes.EnvoyPDB.Patch; patch != nil { + if patch.Value.Raw == nil { + errs = append(errs, fmt.Errorf("envoy pdb patch object cannot be empty")) + } + if patch.Type != nil && *patch.Type != egv1a1.JSONMerge && *patch.Type != egv1a1.StrategicMerge { + errs = append(errs, fmt.Errorf("unsupported envoy pdb patch type %s", *patch.Type)) + } + } + } + return errs +} + // TODO: remove this function if CEL validation became stable func validateService(spec *egv1a1.EnvoyProxySpec) []error { var errs []error 
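Review bot: The `patch.Value.Raw == nil` check in validateHpa and validatePdb lets an empty but non-nil value through, and the new test cases with `Raw: []byte{}` pin that as valid. ApplyMergePatch in kubernetes_helpers.go passes `Patch.Value.Raw` straight to `strategicpatch.StrategicMergePatch` or `jsonpatch.MergePatch`. An empty byte slice is presumably not a valid JSON document there, so the failure would surface when the resource is rendered rather than at validation. I would use `if len(patch.Value.Raw) == 0 {` in both functions and flip those two test expectations. If an empty value is meant to be a no-op instead, ApplyMergePatch should return `old` for it.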
diff --git a/api/v1alpha1/validation/envoyproxy_validate_test.go b/api/v1alpha1/validation/envoyproxy_validate_test.go index e4b400b34dd..8a784db59ab 100644 --- a/api/v1alpha1/validation/envoyproxy_validate_test.go +++ b/api/v1alpha1/validation/envoyproxy_validate_test.go 
@@ -450,6 +450,192 @@ func TestValidateEnvoyProxy(t *testing.T) { }, expected: true, }, + { + name: "should be valid when pdb patch type and patch are empty", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyPDB: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Value: apiextensionsv1.JSON{ + Raw: []byte{}, + }, + }, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "should be valid when pdb patch and type are set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyPDB: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{}"), + }, + }, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "should be invalid when pdb patch not set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyPDB: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + }, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "should be invalid when pdb type not set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: 
&egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyPDB: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + }, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "should be valid when hpa patch and type are empty", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyHpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Value: apiextensionsv1.JSON{ + Raw: []byte{}, + }, + }, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "should be valid when hpa patch and type are set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyHpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{}"), + }, + }, + }, + }, + }, + }, + }, + expected: true, + }, + { + name: "should be invalid when hpa patch not set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", + }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyHpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + }, + }, + }, + }, + }, + }, + expected: false, + }, + { + name: "should be invalid when hpa type not set", + proxy: &egv1a1.EnvoyProxy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test", + Name: "test", 
+ }, + Spec: egv1a1.EnvoyProxySpec{ + Provider: &egv1a1.EnvoyProxyProvider{ + Type: egv1a1.ProviderTypeKubernetes, + Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyHpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + }, + }, + }, + }, + }, + }, + expected: false, + }, { name: "should invalid when patch object is empty", proxy: &egv1a1.EnvoyProxy{ diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 742ffed1b25..dbc28e6aca2 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3515,6 +3515,11 @@ func (in *KubernetesHorizontalPodAutoscalerSpec) DeepCopyInto(out *KubernetesHor *out = new(v2.HorizontalPodAutoscalerBehavior) (*in).DeepCopyInto(*out) } + if in.Patch != nil { + in, out := &in.Patch, &out.Patch + *out = new(KubernetesPatchSpec) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesHorizontalPodAutoscalerSpec. @@ -3556,6 +3561,11 @@ func (in *KubernetesPodDisruptionBudgetSpec) DeepCopyInto(out *KubernetesPodDisr *out = new(int32) **out = **in } + if in.Patch != nil { + in, out := &in.Patch, &out.Patch + *out = new(KubernetesPatchSpec) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesPodDisruptionBudgetSpec. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 84fb126a79b..1a262dd466b 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
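Review bot: The cases "should be invalid when pdb type not set" and "should be invalid when hpa type not set" have the same body as the matching "patch not set" cases (Type set to StrategicMerge, Value omitted), so an unset Type is never exercised. validateHpa and validatePdb accept a nil Type, so a true type-unset case would carry `Value: apiextensionsv1.JSON{Raw: []byte("{}")}` with no Type and `expected: true`. The branch that rejects an unsupported patch type has no case for either resource. I would add one per resource with a Type value other than JSONMerge or StrategicMerge and `expected: false`.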
@@ -10109,6 +10109,23 @@ spec: x-kubernetes-validations: - message: minReplicas must be greater than 0 rule: self > 0 + patch: + description: Patch defines how to perform the patch operation + to the HorizontalPodAutoscaler + properties: + type: + description: |- + Type is the type of merge operation to perform + + By default, StrategicMerge is used as the patch type. + type: string + value: + description: Object contains the raw configuration + for merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object required: - maxReplicas type: object @@ -10126,6 +10143,23 @@ spec: and resilience during maintenance operations. format: int32 type: integer + patch: + description: Patch defines how to perform the patch operation + to the PodDisruptionBudget + properties: + type: + description: |- + Type is the type of merge operation to perform + + By default, StrategicMerge is used as the patch type. + type: string + value: + description: Object contains the raw configuration + for merged object + x-kubernetes-preserve-unknown-fields: true + required: + - value + type: object type: object envoyService: description: |- diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go index 9830bafad71..9c25886a6bf 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go 
@@ -433,13 +433,13 @@ func (r *ResourceRender) PodDisruptionBudgetSpec() (*egv1a1.KubernetesPodDisrupt } func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, error) { - podDisruptionBudget, er := r.PodDisruptionBudgetSpec() + podDisruptionBudgetConfig, err := r.PodDisruptionBudgetSpec() // If podDisruptionBudget config is nil or MinAvailable is nil, ignore PodDisruptionBudget. - if podDisruptionBudget == nil { - return nil, er + if podDisruptionBudgetConfig == nil { + return nil, err } - return &policyv1.PodDisruptionBudget{ + podDisruptionBudget := &policyv1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ Name: r.Name(), Namespace: r.Namespace, @@ -449,10 +449,17 @@ func (r *ResourceRender) PodDisruptionBudget() (*policyv1.PodDisruptionBudget, e Kind: "PodDisruptionBudget", }, Spec: policyv1.PodDisruptionBudgetSpec{ - MinAvailable: &intstr.IntOrString{IntVal: ptr.Deref(podDisruptionBudget.MinAvailable, 0)}, + MinAvailable: &intstr.IntOrString{IntVal: ptr.Deref(podDisruptionBudgetConfig.MinAvailable, 0)}, Selector: r.stableSelector(), }, - }, nil + } + + // apply merge patch to PodDisruptionBudget + if podDisruptionBudget, err = podDisruptionBudgetConfig.ApplyMergePatch(podDisruptionBudget); err != nil { + return nil, err + } + + return podDisruptionBudget, nil } // HorizontalPodAutoscalerSpec returns the `HorizontalPodAutoscaler` sets spec. @@ -506,6 +513,10 @@ func (r *ResourceRender) HorizontalPodAutoscaler() (*autoscalingv2.HorizontalPod hpa.Spec.ScaleTargetRef.Name = r.Name() } + if hpa, err = hpaConfig.ApplyMergePatch(hpa); err != nil { + return nil, err + } + return hpa, nil } diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go index ad286bfc930..0f5f6e3bf27 100644 --- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go +++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go 
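Review bot: The result of `podDisruptionBudgetConfig.ApplyMergePatch(podDisruptionBudget)` is returned as-is, so a patch can replace the name, namespace and selector the renderer just set from `r.Name()`, `r.Namespace` and `r.stableSelector()`. The same holds for `hpaConfig.ApplyMergePatch(hpa)` and its `scaleTargetRef` in the HorizontalPodAutoscaler hunk. The fixtures added in this commit show the effect: `patch-json-pdb.yaml` and `patch-json-hpa.yaml` end up named `foo`, with an added `app: bar` selector label and a scale target of Deployment `bar`. If EnvoyProxy authors are less trusted than the controller's service account, I would re-assert the identity fields after patching, for example `podDisruptionBudget.Namespace = r.Namespace` and `hpa.Namespace = r.Namespace`. Otherwise the Patch field comment should state that it can rewrite any field of the generated object. Both functions begin outside their hunks, so how the returned object is applied to the cluster is not visible here.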
@@ -1298,6 +1298,32 @@ func TestPDB(t *testing.T) { MinAvailable: ptr.To(int32(1)), }, }, + { + caseName: "patch-json-pdb", + infra: newTestInfra(), + pdb: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + MinAvailable: ptr.To(int32(1)), + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.JSONMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{\"metadata\":{\"name\":\"foo\"}, \"spec\": {\"selector\": {\"matchLabels\": {\"app\": \"bar\"}}}}"), + }, + }, + }, + }, + { + caseName: "patch-strategic-pdb", + infra: newTestInfra(), + pdb: &egv1a1.KubernetesPodDisruptionBudgetSpec{ + MinAvailable: ptr.To(int32(1)), + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{\"metadata\":{\"name\":\"foo\"}, \"spec\": {\"selector\": {\"matchLabels\": {\"app\": \"bar\"}}}}"), + }, + }, + }, + }, } for _, tc := range cases { @@ -1375,6 +1401,32 @@ func TestHorizontalPodAutoscaler(t *testing.T) { }, }, }, + { + caseName: "patch-json-hpa", + infra: newTestInfra(), + hpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + MaxReplicas: ptr.To[int32](1), + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.JSONMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{\"metadata\":{\"name\":\"foo\"}, \"spec\": {\"scaleTargetRef\": {\"name\": \"bar\"}}}"), + }, + }, + }, + }, + { + caseName: "patch-strategic-hpa", + infra: newTestInfra(), + hpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ + MaxReplicas: ptr.To[int32](1), + Patch: &egv1a1.KubernetesPatchSpec{ + Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{\"metadata\":{\"name\":\"foo\"}, \"spec\": {\"metrics\": [{\"resource\": {\"name\": \"cpu\", \"target\": {\"averageUtilization\": 50, \"type\": \"Utilization\"}}, \"type\": \"Resource\"}]}}"), + }, + }, + }, + }, { caseName: "with-deployment-name", infra: newTestInfra(), 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-json-hpa.yaml b/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-json-hpa.yaml new file mode 100644 index 00000000000..38d3d474d81 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-json-hpa.yaml @@ -0,0 +1,21 @@ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + name: foo + namespace: envoy-gateway-system +spec: + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + maxReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: bar diff --git a/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-strategic-hpa.yaml b/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-strategic-hpa.yaml new file mode 100644 index 00000000000..24a9f6f3a1d --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/hpa/patch-strategic-hpa.yaml @@ -0,0 +1,21 @@ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default + name: foo + namespace: envoy-gateway-system +spec: + metrics: + - resource: + name: cpu + target: + averageUtilization: 50 + type: Utilization + type: Resource + maxReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: envoy-default-37a8eec1 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-json-pdb.yaml b/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-json-pdb.yaml new file mode 100644 index 00000000000..cc4aa473337 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-json-pdb.yaml 
@@ -0,0 +1,15 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: foo + namespace: envoy-gateway-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: bar + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: default + gateway.envoyproxy.io/owning-gateway-namespace: default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-strategic-pdb.yaml b/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-strategic-pdb.yaml new file mode 100644 index 00000000000..20a25b7e1b0 --- /dev/null +++ b/internal/infrastructure/kubernetes/proxy/testdata/pdb/patch-strategic-pdb.yaml @@ -0,0 +1,10 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: foo + namespace: envoy-gateway-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: bar diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 29e3b8fbdb6..4d61dd6b19f 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -16,6 +16,7 @@ security updates: | new features: | Added support for trusted CIDRs in the ClientIPDetectionSettings API Added support for sending attributes to external processor in EnvoyExtensionPolicy API + Added support for patching EnvoyProxy.spec.provider.kubernetes.envoyHpa and EnvoyProxy.spec.provider.kubernetes.envoyPDB # Fixes for bugs identified in previous versions. bug fixes: | diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index c6a7121d7ca..5119d756646 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2529,6 +2529,7 @@ _Appears in:_ | `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | | `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | | `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | #### KubernetesPatchSpec @@ -2542,6 +2543,8 @@ Note also that, currently, strings containing literal JSON are _rejected_. _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) +- [KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec) +- [KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec) - [KubernetesServiceSpec](#kubernetesservicespec) | Field | Type | Required | Description | @@ -2562,6 +2565,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `minAvailable` | _integer_ | false | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the PodDisruptionBudget | #### KubernetesPodSpec diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index c6a7121d7ca..5119d756646 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -2529,6 +2529,7 @@ _Appears in:_ | `maxReplicas` | _integer_ | true | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas. | | `metrics` | _[MetricSpec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#metricspec-v2-autoscaling) array_ | false | metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used).
If left empty, it defaults to being based on CPU utilization with average on 80% usage. | | `behavior` | _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | false | behavior configures the scaling behavior of the target
in both Up and Down directions (scaleUp and scaleDown fields respectively).
If not set, the default HPAScalingRules for scale up and scale down are used.
See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the HorizontalPodAutoscaler | #### KubernetesPatchSpec @@ -2542,6 +2543,8 @@ Note also that, currently, strings containing literal JSON are _rejected_. _Appears in:_ - [KubernetesDaemonSetSpec](#kubernetesdaemonsetspec) - [KubernetesDeploymentSpec](#kubernetesdeploymentspec) +- [KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec) +- [KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec) - [KubernetesServiceSpec](#kubernetesservicespec) | Field | Type | Required | Description | @@ -2562,6 +2565,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | | `minAvailable` | _integer_ | false | MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
and resilience during maintenance operations. | +| `patch` | _[KubernetesPatchSpec](#kubernetespatchspec)_ | false | Patch defines how to perform the patch operation to the PodDisruptionBudget | #### KubernetesPodSpec From 469de2f9180d31fffa4524be45faedbf3469a1fb Mon Sep 17 00:00:00 2001 From: Alex Volchok Date: Sat, 14 Dec 2024 15:02:18 +0100 Subject: [PATCH 500/523] feat: data plane & envoyproxy resilience test suite (#4862) * adding resilience test suite Signed-off-by: Alexander Volchok * fix licensecheck Signed-off-by: Alexander Volchok * fixing lint Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updadting Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * updating 
Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok * Update test/resilience/tests/envoygateway.go Co-authored-by: Huabing (Robin) Zhao Signed-off-by: Alex Volchok * updating Signed-off-by: Alexander Volchok * updating Signed-off-by: Alexander Volchok --------- Signed-off-by: Alexander Volchok Signed-off-by: Alex Volchok Co-authored-by: Huabing (Robin) Zhao --- .github/workflows/build_and_test.yaml | 13 + test/resilience/embed.go | 13 + test/resilience/resilience_test.go | 40 +++ test/resilience/suite/flags.go | 14 + test/resilience/suite/suite.go | 115 +++++++ test/resilience/testdata/base.yaml | 110 +++++++ test/resilience/testdata/route_changes.yaml | 16 + test/resilience/tests/envoygateway.go | 253 +++++++++++++++ test/resilience/tests/envoyproxy.go | 92 ++++++ test/resilience/tests/tests.go | 12 + test/utils/kubernetes/kube.go | 322 ++++++++++++++++++++ tools/hack/create-cluster.sh | 74 ++++- tools/make/kube.mk | 8 + 13 files changed, 1076 insertions(+), 6 deletions(-) create mode 100644 test/resilience/embed.go create mode 100644 test/resilience/resilience_test.go create mode 100644 test/resilience/suite/flags.go create mode 100644 test/resilience/suite/suite.go create mode 100644 test/resilience/testdata/base.yaml create mode 100644 test/resilience/testdata/route_changes.yaml create mode 100644 test/resilience/tests/envoygateway.go create mode 100644 test/resilience/tests/envoyproxy.go create mode 100644 test/resilience/tests/tests.go create mode 100644 test/utils/kubernetes/kube.go diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 222cfbc42bd..81a08eb76b3 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -176,6 +176,19 @@ jobs: - name: Read Benchmark report run: cat test/benchmark/benchmark_report/benchmark_report.md + resilience-test: + runs-on: ubuntu-latest + if: ${{ ! startsWith(github.event_name, 'push') }} + needs: [build] + steps: + - uses: actions/checkout@v4.2.2 + - uses: ./tools/github-actions/setup-deps + - name: Resilience Test + env: + KIND_NODE_TAG: v1.28.13 + IMAGE_PULL_POLICY: IfNotPresent + CUSTOM_CNI: "true" + run: make resilience publish: runs-on: ubuntu-latest diff --git a/test/resilience/embed.go b/test/resilience/embed.go new file mode 100644 index 00000000000..8594becb669 --- /dev/null +++ b/test/resilience/embed.go @@ -0,0 +1,13 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package resilience + +import "embed" + +//go:embed testdata/*.yaml +var Manifests embed.FS diff --git a/test/resilience/resilience_test.go b/test/resilience/resilience_test.go new file mode 100644 index 00000000000..6903860ed6e --- /dev/null +++ b/test/resilience/resilience_test.go 
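Review bot: `actions/checkout@v4.2.2` in the new `resilience-test` job is referenced by tag, which can be moved after review; pinning to the full commit with the version as a trailing comment, `- uses: actions/checkout@<full-commit-sha> # v4.2.2`, keeps the job running the code that was reviewed. The job is enabled for every non-push event and runs `make resilience` against the checked-out tree, so it executes pull-request code. Whether a restrictive `permissions:` block applies is not visible in this hunk; confirm the workflow default is read-only or add `permissions: contents: read` to the job.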
@@ -0,0 +1,40 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package resilience + +import ( + "flag" + "io/fs" + "os" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/gateway-api/conformance/utils/flags" + "testing" + + "github.com/envoyproxy/gateway/test/resilience/suite" + "github.com/envoyproxy/gateway/test/resilience/tests" + kubetest "github.com/envoyproxy/gateway/test/utils/kubernetes" +) + +func TestResilience(t *testing.T) { + cli, _ := kubetest.NewClient(t) + // Parse benchmark options. + flag.Parse() + log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) + bSuite, err := suite.NewResilienceTestSuite( + cli, + *suite.ReportSaveDir, + []fs.FS{Manifests}, + *flags.GatewayClassName, + ) + if err != nil { + t.Fatalf("Failed to create the resillience test suit: %v", err) + } + t.Logf("Running %d resilience tests", len(tests.ResilienceTests)) + bSuite.Run(t, tests.ResilienceTests) +} diff --git a/test/resilience/suite/flags.go b/test/resilience/suite/flags.go new file mode 100644 index 00000000000..1004548570d --- /dev/null +++ b/test/resilience/suite/flags.go @@ -0,0 +1,14 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package suite + +import "flag" + +var ( + ReportSaveDir = flag.String("report-save-dir", "benchmark_report", "The dir where to save the benchmark test report.") +) diff --git a/test/resilience/suite/suite.go b/test/resilience/suite/suite.go new file mode 100644 index 00000000000..ec60c4f4236 --- /dev/null +++ b/test/resilience/suite/suite.go 
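Review bot: `TestResilience` still carries wording copied from the benchmark suite, and its failure message is misspelled: `// Parse benchmark options.` should read `// Parse the resilience suite flags.` and the message should be `t.Fatalf("Failed to create the resilience test suite: %v", err)`. The same leftover appears in flags.go (`report-save-dir` defaults to `benchmark_report` and is described as the benchmark report directory) and in suite.go (`BenchmarkTestScaledKey`, `BenchmarkTestClientKey`, "Reset some timeout config for the benchmark test"). The import block also mixes `sigs.k8s.io/...` packages in between `os` and `testing`; goimports would put the standard library in its own group. `cli, _ := kubetest.NewClient(t)` drops the second result, whose type is declared in kube.go outside this hunk; if it is an error it should be checked before `cli` is used.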
@@ -0,0 +1,115 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package suite + +import ( + "context" + "github.com/envoyproxy/gateway/test/utils/kubernetes" + "io/fs" + "sigs.k8s.io/gateway-api/conformance/utils/roundtripper" + "testing" + "time" + + opt "github.com/envoyproxy/gateway/internal/cmd/options" + kube "github.com/envoyproxy/gateway/internal/kubernetes" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/gateway-api/conformance/utils/config" +) + +const ( + BenchmarkTestScaledKey = "benchmark-test/scaled" + BenchmarkTestClientKey = "benchmark-test/client" + DefaultControllerName = "gateway.envoyproxy.io/gatewayclass-controller" +) + +type ResilienceTest struct { + ShortName string + Description string + Test func(*testing.T, *ResilienceTestSuite) +} + +type ResilienceTestSuite struct { + Client client.Client + TimeoutConfig config.TimeoutConfig + ControllerName string + ReportSaveDir string + KubeActions *kubernetes.KubeActions + // Labels + scaledLabels map[string]string // indicate which resources are scaled + + // Clients that for internal usage. + kubeClient kube.CLIClient // required for getting logs from pod\ + ManifestFS []fs.FS + GatewayClassName string + RoundTripper roundtripper.RoundTripper +} + +func NewResilienceTestSuite(client client.Client, reportDir string, manifestFS []fs.FS, gcn string) (*ResilienceTestSuite, error) { + var ( + timeoutConfig = config.TimeoutConfig{} + ) + + // Reset some timeout config for the benchmark test. + config.SetupTimeoutConfig(&timeoutConfig) + timeoutConfig.RouteMustHaveParents = 180 * time.Second + roundTripper := &roundtripper.DefaultRoundTripper{Debug: true, TimeoutConfig: timeoutConfig} + // Initial various client. 
+ kubeClient, err := kube.NewCLIClient(opt.DefaultConfigFlags.ToRawKubeConfigLoader()) + if err != nil { + return nil, err + } + KubeActions := kubernetes.NewKubeHelper(client, kubeClient) + return &ResilienceTestSuite{ + Client: client, + ManifestFS: manifestFS, + TimeoutConfig: timeoutConfig, + ControllerName: DefaultControllerName, + ReportSaveDir: reportDir, + GatewayClassName: gcn, + scaledLabels: map[string]string{ + BenchmarkTestScaledKey: "true", + }, + KubeActions: KubeActions, + kubeClient: kubeClient, + RoundTripper: roundTripper, + }, nil +} + +func (rts *ResilienceTestSuite) WithResCleanUp(ctx context.Context, t *testing.T, f func() (client.Object, error)) error { + res, err := f() + t.Cleanup(func() { + t.Logf("Start to cleanup resilsence test resources") + if deleteErr := rts.Client.Delete(ctx, res); deleteErr != nil { + } + + t.Logf("Clean up complete!") + }) + return err +} + +func (rts *ResilienceTestSuite) Kube() *kubernetes.KubeActions { + return rts.KubeActions +} + +func (rts *ResilienceTestSuite) Run(t *testing.T, tests []ResilienceTest) { + t.Logf("Running %d resilience tests", len(tests)) + for _, test := range tests { + t.Logf("Running resilience test: %s", test.ShortName) + test.Test(t, rts) + } +} + +func (rts *ResilienceTestSuite) RegisterCleanup(t *testing.T, ctx context.Context, object client.Object) { + t.Cleanup(func() { + t.Logf("Start to cleanup resilsence test resources") + if deleteErr := rts.Client.Delete(ctx, object); deleteErr != nil { + } + + t.Logf("Clean up complete!") + }) +} diff --git a/test/resilience/testdata/base.yaml b/test/resilience/testdata/base.yaml new file mode 100644 index 00000000000..1be77ba9602 --- /dev/null +++ b/test/resilience/testdata/base.yaml 
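Review bot: `WithResCleanUp` registers its `t.Cleanup` before looking at the error from `f()`, so when creation fails the cleanup still calls `rts.Client.Delete(ctx, res)` on whatever `f` returned, possibly a nil object. Both it and `RegisterCleanup` then discard the delete error in an empty `if` body. In envoygateway.go this helper wraps the egress policy that cuts the controller off from the API server, so a delete that fails silently leaves the cluster degraded for every later test with nothing in the log. Returning early on error and reporting the delete failure fixes both; `client.IgnoreNotFound` keeps the cleanup from failing when the test has already removed the policy itself. `RegisterCleanup` needs the same error reporting.

```go
func (rts *ResilienceTestSuite) WithResCleanUp(ctx context.Context, t *testing.T, f func() (client.Object, error)) error {
	res, err := f()
	if err != nil {
		// f failed; no object is scheduled for deletion
		// (assumes f returns nil on error, confirm against ManageEgress).
		return err
	}
	t.Cleanup(func() {
		// … unchanged: start log line …
		if deleteErr := client.IgnoreNotFound(rts.Client.Delete(ctx, res)); deleteErr != nil {
			t.Errorf("cleanup: deleting %s/%s: %v", res.GetNamespace(), res.GetName(), deleteErr)
		}
		// … unchanged: completion log line …
	})
	return nil
}
```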
@@ -0,0 +1,110 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gateway-resilience +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + namespace: gateway-resilience + name: envoy-gateway +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: custom-proxy-config + namespace: gateway-resilience +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: all-namespaces + namespace: gateway-resilience +spec: + gatewayClassName: "{GATEWAY_CLASS_NAME}" + listeners: + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All +--- +apiVersion: v1 +kind: Service +metadata: + name: backend + namespace: gateway-resilience +spec: + selector: + app: backend + ports: + - protocol: TCP + port: 8080 + name: http11 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend + namespace: gateway-resilience + labels: + app: backend +spec: + replicas: 2 + selector: + matchLabels: + app: backend + template: + metadata: + labels: + app: backend + spec: + containers: + - name: backend + # From https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/echo-basic/echo-basic.go + image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SERVICE_NAME + value: backend + resources: + requests: + cpu: 10m +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: gateway-resilience +spec: + parentRefs: + - name: all-namespaces + rules: + - matches: + - path: + type: PathPrefix + value: /welcome + backendRefs: + - name: backend + port: 8080 +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: custom-proxy-config + namespace: 
gateway-resilience +spec: + provider: + type: Kubernetes + kubernetes: + diff --git a/test/resilience/testdata/route_changes.yaml b/test/resilience/testdata/route_changes.yaml new file mode 100644 index 00000000000..2c8d98c0e8c --- /dev/null +++ b/test/resilience/testdata/route_changes.yaml @@ -0,0 +1,16 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: backend + namespace: gateway-resilience +spec: + parentRefs: + - name: all-namespaces + rules: + - matches: + - path: + type: PathPrefix + value: /route-change + backendRefs: + - name: backend + port: 8080 diff --git a/test/resilience/tests/envoygateway.go b/test/resilience/tests/envoygateway.go new file mode 100644 index 00000000000..1d8b8787879 --- /dev/null +++ b/test/resilience/tests/envoygateway.go 
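Review bot: The backend image `gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e` in base.yaml is pulled from a staging registry by tag; pinning it by digest, `image: gcr.io/k8s-staging-gateway-api/echo-basic@sha256:<digest>`, keeps the CI job from running whatever that tag resolves to later. `GatewayClass` is cluster-scoped, so `namespace: gateway-resilience` under its metadata has no effect and can be removed. The EnvoyProxy ends on a bare `kubernetes:` key with no value; if defaults are intended, `kubernetes: {}` or dropping the key states that more clearly.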
@@ -0,0 +1,253 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package tests + +import ( + "context" + "github.com/envoyproxy/gateway/test/resilience/suite" + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" + "testing" + "time" +) + +const ( + namespace = "envoy-gateway-system" + envoygateway = "envoy-gateway" + targetString = "successfully acquired lease" + apiServerIP = "10.96.0.1" + timeout = 2 * time.Minute + policyName = "egress-rules" + leaseName = "5b9825d2.gateway.envoyproxy.io" + trashHold = 2 +) + +func init() { + ResilienceTests = append(ResilienceTests, EGResilience) +} + +var EGResilience = suite.ResilienceTest{ + ShortName: "EGResilience", + Description: "Envoygateway resilience test", + Test: func(t *testing.T, suite *suite.ResilienceTestSuite) { + ap := kubernetes.Applier{ + ManifestFS: suite.ManifestFS, + GatewayClass: suite.GatewayClassName, + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + } + ap.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/base.yaml", true) + + //this test will fail until https://github.com/envoyproxy/gateway/pull/4767/files is merged + t.Run("Secondary EnvoyGateway instances can serve an up to date xDS", func(t *testing.T) { + ctx := context.Background() + t.Log("Scaling down the deployment to 0 replicas") + err := suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 0, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment replicas") + + t.Log("Scaling up the deployment to 3 replicas") + err = 
suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 3, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment replicas") + + t.Log("Waiting for leader election") + // Ensure leadership was taken + name, err := suite.Kube().GetElectedLeader(context.Background(), namespace, leaseName, metav1.Now(), time.Minute*2) + require.NoError(t, err, "unable to detect leader election") + + t.Log("Marking the identified pod as leader") + suite.Kube().MarkAsLeader(namespace, name) + + // Pods rely on connectivity to the API server to participate in leader election processes. + // Without this connectivity, they cannot become leaders, in this test we won't bring it back. + // The secondary pods will continue to operate using their last known good configuration (xDS) + // and share it with envoy proxies accordingly. + t.Log("Simulating API server connection failure for all pods") + err = suite.WithResCleanUp(ctx, t, func() (client.Object, error) { + return suite.Kube().ManageEgress(ctx, apiServerIP, namespace, policyName, true, map[string]string{"app.kubernetes.io/name": "gateway-helm"}) + }) + require.NoError(t, err, "Failed to simulate API server connection failure") + + // The leader pod should go down, the standby pods remain + // When a leader pod loses connectivity to the API server, Kubernetes does not immediately terminate or stop the pod. + // Instead, the pod itself detects the loss of connectivity, initiates a graceful teardown process, and restarts to attempt + // to reconnect to the API server. + // The replica count for the deployment remains at 3 throughout the process. + // Kubernetes does not schedule a new pod to replace the one that lost connectivity because the existing pod is not + // considered failed from Kubernetes’ perspective. It’s the responsibility of the application running inside the + // pod (e.g., the leader election logic) to handle reconnection attempts or restart itself. 
+ t.Log("Verifying deployment scales down to 2 replica") + err = suite.Kube().CheckDeploymentReplicas(ctx, envoygateway, namespace, 2, time.Minute) + require.NoError(t, err, "Deployment did not scale down") + + ns := "gateway-resilience" + routeNN := types.NamespacedName{Name: "backend", Namespace: ns} + gwNN := types.NamespacedName{Name: "all-namespaces", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/welcome", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "http", "http") + http.AwaitConvergence(t, trashHold, timeout, func(elapsed time.Duration) bool { + cReq, cRes, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + return false + } + + if err := http.CompareRequest(t, &req, cReq, cRes, expectedResponse); err != nil { + tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", req, err, elapsed) + return false + } + return true + }) + }) + + t.Run("EnvoyGateway reconciles missed resources and sync xDS after api server connectivity is restored", func(t *testing.T) { + err := suite.Kube().ScaleDeploymentAndWait(context.Background(), envoygateway, namespace, 0, timeout, false) + require.NoError(t, err, "Failed to scale deployment") + err = suite.Kube().ScaleDeploymentAndWait(context.Background(), envoygateway, namespace, 1, timeout, false) + require.NoError(t, err, "Failed to scale deployment") + + // Ensure leadership was taken + _, err = suite.Kube().GetElectedLeader(context.Background(), namespace, leaseName, metav1.Now(), timeout) + require.NoError(t, err, "unable to detect leader election") + + t.Log("Simulating API server down for all 
pods") + err = suite.WithResCleanUp(context.Background(), t, func() (client.Object, error) { + return suite.Kube().ManageEgress(context.Background(), apiServerIP, namespace, policyName, true, map[string]string{}) + }) + require.NoError(t, err, "unable to block api server connectivity") + + ap.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/route_changes.yaml", true) + t.Log("backend routes changed") + + t.Log("restore API server connectivity") + _, err = suite.Kube().ManageEgress(context.Background(), apiServerIP, namespace, policyName, false, map[string]string{}) + require.NoError(t, err, "unable to unblock api server connectivity") + + err = suite.Kube().WaitForDeploymentReplicaCount(context.Background(), envoygateway, namespace, 1, time.Minute, false) + require.NoError(t, err, "Failed to ensure that pod is online") + _, err = suite.Kube().GetElectedLeader(context.Background(), namespace, leaseName, metav1.Now(), time.Minute*2) + require.NoError(t, err, "unable to detect leader election") + t.Log("eg is online") + ns := "gateway-resilience" + routeNN := types.NamespacedName{Name: "backend", Namespace: ns} + gwNN := types.NamespacedName{Name: "all-namespaces", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/route-change", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "http", "http") + http.AwaitConvergence(t, trashHold, time.Minute, func(elapsed time.Duration) bool { + cReq, cRes, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + return false + } + + if err := http.CompareRequest(t, &req, cReq, cRes, expectedResponse); err != nil { + tlog.Logf(t, 
"Response expectation failed for request: %+v not ready yet: %v (after %v)", req, err, elapsed) + return false + } + return true + }) + + require.NoError(t, err, "Failed during connectivity checkup") + }) + + t.Run("Leader election transitions when leader loses API server connection", func(t *testing.T) { + ctx := context.Background() + t.Log("Scaling down the deployment to 0 replicas") + err := suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 0, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment replicas") + + t.Log("Scaling up the deployment to 2 replicas") + err = suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 2, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment replicas") + + t.Log("Waiting for leader election") + // Ensure leadership was taken + name, err := suite.Kube().GetElectedLeader(context.Background(), namespace, leaseName, metav1.Now(), time.Minute*2) + require.NoError(t, err, "unable to detect leader election") + + t.Log("Marking the identified pod as leader") + suite.Kube().MarkAsLeader(namespace, name) + + t.Log("Simulating API server connection failure for the leader") + err = suite.WithResCleanUp(ctx, t, func() (client.Object, error) { + return suite.Kube().ManageEgress(ctx, apiServerIP, namespace, policyName, true, map[string]string{ + "leader": "true", + }) + }) + require.NoError(t, err, "Failed to simulate API server connection failure") + + // leader pod should go down, the standby remain + t.Log("Verifying deployment scales down to 1 replicas") + err = suite.Kube().CheckDeploymentReplicas(ctx, envoygateway, namespace, 1, time.Minute) + require.NoError(t, err, "Deployment did not scale down") + + // Ensure leadership was taken + newLeader, err := suite.Kube().GetElectedLeader(context.Background(), namespace, leaseName, metav1.Now(), time.Minute*2) + require.NoError(t, err, "unable to detect leader election") + require.NotEqual(t, newLeader, name, "new leader 
name should not be equal to the first leader") + ap.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/route_changes.yaml", true) + t.Log("backend routes changed") + + ns := "gateway-resilience" + routeNN := types.NamespacedName{Name: "backend", Namespace: ns} + gwNN := types.NamespacedName{Name: "all-namespaces", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/route-change", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "http", "http") + + http.AwaitConvergence(t, trashHold, timeout, func(elapsed time.Duration) bool { + cReq, cRes, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + return false + } + + if err := http.CompareRequest(t, &req, cReq, cRes, expectedResponse); err != nil { + tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", req, err, elapsed) + return false + } + return true + }) + }) + }, +} diff --git a/test/resilience/tests/envoyproxy.go b/test/resilience/tests/envoyproxy.go new file mode 100644 index 00000000000..492e4530c4a --- /dev/null +++ b/test/resilience/tests/envoyproxy.go 
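Review bot: `apiServerIP = "10.96.0.1"` hard-codes the ClusterIP of the API server Service, which holds only on a cluster created with that service CIDR. Elsewhere the egress policy built by `ManageEgress` would presumably block nothing, and the three subtests would pass or fail for unrelated reasons. Reading the address at test start from the `kubernetes` Service in the `default` namespace (its `Spec.ClusterIP`) removes the assumption. In the second subtest the trailing `require.NoError(t, err, "Failed during connectivity checkup")` re-checks an `err` that was already asserted before `AwaitConvergence`, so it verifies nothing and can be dropped. `trashHold` presumably means `threshold`, and `targetString` is declared but not used in this file.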
@@ -0,0 +1,92 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package tests + +import ( + "context" + "github.com/envoyproxy/gateway/test/resilience/suite" + "github.com/stretchr/testify/require" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/gateway-api/conformance/utils/http" + "sigs.k8s.io/gateway-api/conformance/utils/kubernetes" + "sigs.k8s.io/gateway-api/conformance/utils/tlog" + "testing" + "time" +) + +func init() { + ResilienceTests = append(ResilienceTests, EPResilience) +} + +var EPResilience = suite.ResilienceTest{ + ShortName: "EPResilience", + Description: "Envoyproxy resilience test", + Test: func(t *testing.T, suite *suite.ResilienceTestSuite) { + var () + + ap := kubernetes.Applier{ + ManifestFS: suite.ManifestFS, + GatewayClass: suite.GatewayClassName, + ControllerName: "gateway.envoyproxy.io/gatewayclass-controller", + } + + ap.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/base.yaml", true) + + t.Run("Envoy proxies continue to work even when eg is offline", func(t *testing.T) { + ctx := context.Background() + + t.Log("Scaling down the deployment to 2 replicas") + err := suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 2, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment replicas") + + t.Log("ensure envoy proxy is running") + err = suite.Kube().CheckDeploymentReplicas(ctx, envoygateway, namespace, 2, time.Minute) + require.NoError(t, err, "Failed to check deployment replicas") + + t.Log("Scaling down the deployment to 0 replicas") + err = suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 0, time.Minute, false) + require.NoError(t, err, "Failed to scale deployment to replicas") + + t.Cleanup(func() { + err := suite.Kube().ScaleDeploymentAndWait(ctx, envoygateway, namespace, 1, time.Minute, false) + 
require.NoError(t, err, "Failed to restore replica count.") + }) + + require.NoError(t, err, "failed to add cleanup") + + ns := "gateway-resilience" + routeNN := types.NamespacedName{Name: "backend", Namespace: ns} + gwNN := types.NamespacedName{Name: "all-namespaces", Namespace: ns} + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) + + expectedResponse := http.ExpectedResponse{ + Request: http.Request{ + Path: "/welcome", + }, + Response: http.Response{ + StatusCode: 200, + }, + Namespace: ns, + } + + req := http.MakeRequest(t, &expectedResponse, gwAddr, "http", "http") + http.AwaitConvergence(t, trashHold, timeout, func(elapsed time.Duration) bool { + cReq, cRes, err := suite.RoundTripper.CaptureRoundTrip(req) + if err != nil { + tlog.Logf(t, "Request failed, not ready yet: %v (after %v)", err.Error(), elapsed) + return false + } + if err := http.CompareRequest(t, &req, cReq, cRes, expectedResponse); err != nil { + tlog.Logf(t, "Response expectation failed for request: %+v not ready yet: %v (after %v)", req, err, elapsed) + return false + } + return true + }) + }) + }, +} diff --git a/test/resilience/tests/tests.go b/test/resilience/tests/tests.go new file mode 100644 index 00000000000..54a2d7bbde8 --- /dev/null +++ b/test/resilience/tests/tests.go @@ -0,0 +1,12 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +//go:build resilience + +package tests + +import "github.com/envoyproxy/gateway/test/resilience/suite" + +var ResilienceTests []suite.ResilienceTest diff --git a/test/utils/kubernetes/kube.go b/test/utils/kubernetes/kube.go new file mode 100644 index 00000000000..0660bfbc99e --- /dev/null +++ b/test/utils/kubernetes/kube.go 
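Review bot: In `EPResilience`, the `require.NoError(t, err, "failed to add cleanup")` that follows `t.Cleanup(...)` checks nothing new. `t.Cleanup` returns no value, so `err` is still the result of the scale-to-0 call that was already asserted, and the line can be dropped. The cleanup is also registered only after that scale-down assertion, so if `ScaleDeploymentAndWait(..., 0, ...)` fails the test aborts before the restore is registered, and the control plane may stay scaled down for later tests; moving the `t.Cleanup` block above the first scale call avoids that. Smaller points: the empty `var ()` can go, the first log line says "Scaling down" while it scales to 2 replicas, and the import block mixes standard-library and third-party packages in one group.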
@@ -0,0 +1,322 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package kubernetes + +import ( + "context" + "errors" + "fmt" + "strings" + "time" + + appsv1 "k8s.io/api/apps/v1" + coordinationv1 "k8s.io/api/coordination/v1" + networkingv1 "k8s.io/api/networking/v1" + kerrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + kube "github.com/envoyproxy/gateway/internal/kubernetes" +) + +// NewKubeHelper consolidates common Kubernetes operations, including deployments, traffic management, and log probing. +func NewKubeHelper(client client.Client, kubeClient kube.CLIClient) *KubeActions { + return &KubeActions{ + Client: client, + CLIClient: kubeClient, + } +} + +type KubeActions struct { + client.Client + kube.CLIClient +} + +func (ka *KubeActions) ManageEgress(ctx context.Context, ip, namespace, policyName string, blockTraffic bool, scope map[string]string) (*networkingv1.NetworkPolicy, error) { + // Retrieve the existing NetworkPolicy, if it exists + existingPolicy := &networkingv1.NetworkPolicy{} + err := ka.Get(ctx, client.ObjectKey{Name: policyName, Namespace: namespace}, existingPolicy) + if err != nil && !kerrors.IsNotFound(err) { + return nil, fmt.Errorf("failed to get existing NetworkPolicy: %w", err) + } + + // Define the Egress rule based on the enforce parameter + egressRule := networkingv1.NetworkPolicyEgressRule{ + To: []networkingv1.NetworkPolicyPeer{ + { + IPBlock: &networkingv1.IPBlock{ + CIDR: "0.0.0.0/0", + Except: []string{ + ip + "/32", + }, + }, + }, + }, + } + // Define the NetworkPolicy object + netPolicy := &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: namespace, + }, + 
Spec: networkingv1.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{ + MatchLabels: scope, + }, // Selects all pods in the namespace + PolicyTypes: []networkingv1.PolicyType{ + networkingv1.PolicyTypeEgress, + }, + Egress: []networkingv1.NetworkPolicyEgressRule{ + egressRule, + }, + }, + } + + // remove the policy + if !blockTraffic { + if err := ka.Client.Delete(ctx, netPolicy); err != nil { + return nil, fmt.Errorf("failed to delete NetworkPolicy: %w", err) + } + return nil, nil + } + + if kerrors.IsNotFound(err) { + // Create the NetworkPolicy if it doesn't exist + if err := ka.Client.Create(ctx, netPolicy); err != nil { + return nil, fmt.Errorf("failed to create NetworkPolicy: %w", err) + } + fmt.Printf("NetworkPolicy %s created.\n", netPolicy.Name) + } else { + // Update the existing NetworkPolicy + existingPolicy.Spec = netPolicy.Spec + if err := ka.Client.Update(ctx, existingPolicy); err != nil { + return nil, fmt.Errorf("failed to update NetworkPolicy: %w", err) + } + fmt.Printf("NetworkPolicy %s updated.\n", netPolicy.Name) + } + + return netPolicy, nil +} + +func (ka *KubeActions) ScaleDeploymentAndWait(ctx context.Context, deploymentName, namespace string, replicas int32, timeout time.Duration, prefix bool) error { + // Get the current deployment + deployment := &appsv1.Deployment{} + if prefix { + var err error + deployment, err = ka.getDepByPrefix(ctx, deploymentName, namespace) + if err != nil { + return err + } + } else { + err := ka.Client.Get(ctx, client.ObjectKey{Name: deploymentName, Namespace: namespace}, deployment) + if err != nil { + return err + } + } + + // Update the replicas count + deployment.Spec.Replicas = &replicas + + // Apply the update + err := ka.Client.Update(ctx, deployment) + if err != nil { + return err + } + + fmt.Printf("Deployment %s scaled to %d replicas\n", deployment.Name, replicas) + return ka.WaitForDeploymentReplicaCount(ctx, deployment.Name, namespace, replicas, timeout, false) +} + +func (ka *KubeActions) 
ScaleEnvoyProxy(envoyProxyName, namespace string, replicas int32) error { + ctx := context.Background() + + // Retrieve the existing EnvoyProxy resource + envoyProxy := &egv1a1.EnvoyProxy{} + err := ka.Client.Get(ctx, types.NamespacedName{Name: envoyProxyName, Namespace: namespace}, envoyProxy) + if err != nil { + return fmt.Errorf("failed to get EnvoyProxy: %w", err) + } + envoyProxy.Spec.Provider.Kubernetes = &egv1a1.EnvoyProxyKubernetesProvider{ + EnvoyDeployment: &egv1a1.KubernetesDeploymentSpec{ + Replicas: ptr.To[int32](replicas), + }, + } + + // Update the replicas count + envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment.Replicas = &replicas + + // Apply the update + err = ka.Client.Update(ctx, envoyProxy) + if err != nil { + return fmt.Errorf("failed to update EnvoyProxy: %w", err) + } + + return nil +} + +func (ka *KubeActions) MarkAsLeader(namespace, podName string) { + pod, err := ka.Kube().CoreV1().Pods(namespace).Get(context.TODO(), podName, metav1.GetOptions{}) + if err != nil { + panic(err.Error()) + } + + // Initialize the labels map if it's nil + if pod.Labels == nil { + pod.Labels = make(map[string]string) + } + + // Add or update the desired label + pod.Labels["leader"] = "true" + + // Update the Pod with the new label + updatedPod, err := ka.Kube().CoreV1().Pods(namespace).Update(context.TODO(), pod, metav1.UpdateOptions{}) + if err != nil { + panic(err.Error()) + } + + fmt.Printf("Pod %s updated with new label.\n", updatedPod.Name) +} + +func (ka *KubeActions) WaitForDeploymentReplicaCount(ctx context.Context, deploymentName, namespace string, replicas int32, timeout time.Duration, prefix bool) error { + start := time.Now() + + for { + // Check if the timeout has been reached + if time.Since(start) > timeout { + return errors.New("timeout reached waiting for deployment to scale") + } + + // Get the current deployment status + deployment := &appsv1.Deployment{} + + if prefix { + var err error + deployment, err = ka.getDepByPrefix(ctx, 
deploymentName, namespace) + if err != nil { + return err + } + } else { + err := ka.Get(ctx, client.ObjectKey{Name: deploymentName, Namespace: namespace}, deployment) + if err != nil { + return err + } + } + + // Check if the deployment has reached the desired number of replicas + if deployment.Status.ReadyReplicas == replicas { + fmt.Printf("Deployment %s scaled to %d replicas\n", deploymentName, replicas) + return nil + } + + // Wait before checking again + time.Sleep(5 * time.Second) + } +} + +func (ka *KubeActions) CheckDeploymentReplicas(ctx context.Context, prefix, namespace string, expectedReplicas int, timeout time.Duration) error { + ctx, cancel := context.WithTimeout(ctx, timeout) + defer cancel() + + deployment, err := ka.getDepByPrefix(ctx, prefix, namespace) + if err != nil { + return err + } + + if deployment != nil { + // Wait for the deployment to reach the expected replica count + for { + select { + case <-ctx.Done(): + return fmt.Errorf("timeout reached: deployment %q did not reach %d replicas", deployment.Name, expectedReplicas) + default: + // Fetch the current status of the deployment + deployment, err := ka.Kube().AppsV1().Deployments(namespace).Get(ctx, deployment.Name, metav1.GetOptions{}) + if err != nil { + return fmt.Errorf("failed to get deployment %q: %w", deployment.Name, err) + } + + // Check the ready replica count + if int(deployment.Status.ReadyReplicas) == expectedReplicas { + fmt.Printf("Deployment %q reached %d replicas as expected.\n", deployment.Name, expectedReplicas) + return nil + } + + fmt.Printf("Waiting for deployment %q: ready replicas %d/%d\n", + deployment.Name, deployment.Status.ReadyReplicas, expectedReplicas) + time.Sleep(1 * time.Second) // Retry interval + } + } + } + return errors.New("deployment was not found") +} + +func (ka *KubeActions) getDepByPrefix(ctx context.Context, prefix string, namespace string) (*appsv1.Deployment, error) { + deployments, err := ka.Kube().AppsV1().Deployments(namespace).List(ctx, 
metav1.ListOptions{}) + if err != nil { + return nil, fmt.Errorf("failed to list deployments: %w", err) + } + + // Search for the deployment with the specified prefix + for _, dep := range deployments.Items { + if len(dep.Name) >= len(prefix) && dep.Name[:len(prefix)] == prefix { + return &dep, nil + } + } + return nil, errors.New("deployment not found") +} + +func (ka *KubeActions) GetElectedLeader(ctx context.Context, namespace, leaseName string, afterTime metav1.Time, timeout time.Duration) (string, error) { + // Create a context with a timeout + ctxWithTimeout, cancel := context.WithTimeout(ctx, timeout) + defer cancel() + + for { + // Fetch the Lease object + lease, err := ka.getLease(ctxWithTimeout, namespace, leaseName) + if err != nil { + return "", fmt.Errorf("failed to get lease %s in namespace %s: %w", leaseName, namespace, err) + } + + // Check if RenewTime matches the condition + if lease.Spec.RenewTime != nil && lease.Spec.RenewTime.After(afterTime.Time) { + if lease.Spec.HolderIdentity == nil || *lease.Spec.HolderIdentity == "" { + return "", fmt.Errorf("lease %s does not have a valid holderIdentity", leaseName) + } + + // Return the leader pod name + hi := *lease.Spec.HolderIdentity + parts := strings.SplitN(hi, "_", 2) + + // Return the left part (pod name) + if len(parts) > 0 { + return parts[0], nil + } else { + return "", fmt.Errorf("lease %s does not have a valid holderIdentity", leaseName) + } + } + + // Sleep for a short interval before retrying to avoid excessive API calls + select { + case <-ctxWithTimeout.Done(): + return "", fmt.Errorf("timeout reached while waiting for lease renew time: %w", ctxWithTimeout.Err()) + case <-time.After(1 * time.Second): + // Retry after a delay + } + } +} + +func (ka *KubeActions) getLease(ctx context.Context, namespace, leaseName string) (*coordinationv1.Lease, error) { + // Fetch the Lease object + lease, err := ka.Kube().CoordinationV1().Leases(namespace).Get(ctx, leaseName, metav1.GetOptions{}) + if err 
!= nil { + return nil, fmt.Errorf("failed to get lease %s in namespace %s: %w", leaseName, namespace, err) + } + + return lease, nil +} diff --git a/tools/hack/create-cluster.sh b/tools/hack/create-cluster.sh index c779aa0d6f3..ffb2408a669 100755 --- a/tools/hack/create-cluster.sh +++ b/tools/hack/create-cluster.sh @@ -8,11 +8,19 @@ METALLB_VERSION=${METALLB_VERSION:-"v0.13.10"} KIND_NODE_TAG=${KIND_NODE_TAG:-"v1.32.0"} NUM_WORKERS=${NUM_WORKERS:-""} IP_FAMILY=${IP_FAMILY:-"ipv4"} +CUSTOM_CNI=${CUSTOM_CNI:-"false"} + +if [ "$CUSTOM_CNI" = "true" ]; then + CNI_CONFIG="disableDefaultCNI: true" +else + CNI_CONFIG="disableDefaultCNI: false" +fi KIND_CFG=$(cat <<-EOM kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 networking: + ${CNI_CONFIG} ipFamily: ${IP_FAMILY} # it's to prevent inherit search domains from the host which slows down DNS resolution # and cause problems to IPv6 only clusters running on IPv4 host. 
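Review bot: `ManageEgress` fails on its removal path when the policy does not exist: the earlier `Get` tolerates NotFound, but the `!blockTraffic` branch returns any `Delete` error, so the guard should be `if err := ka.Client.Delete(ctx, netPolicy); err != nil && !kerrors.IsNotFound(err) {`. The comment on `PodSelector` says it selects all pods in the namespace, but it selects only pods matching `scope`; it would be more accurate as `// Selects pods whose labels match scope; an empty scope selects every pod in the namespace`. Because an empty or nil `scope` would cut every pod in the namespace off from the API server, rejecting it up front is worth considering. The rule is also IPv4-only (`0.0.0.0/0` with `ip + "/32"`), which presumably breaks when the cluster is created with an IPv6 `IP_FAMILY`. The function has no doc comment stating that it allows all egress except to the given address.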
@@ -44,7 +52,38 @@ ${KIND_CFG} EOF fi fi - +if [ "$CUSTOM_CNI" = "true" ]; then +## Install Calico +# Determine the operating system +OS=$(uname -s) +case $OS in + Darwin) + CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt) + CLI_ARCH=amd64 + if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi + curl -L --fail --remote-name-all "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz"{,.sha256sum} + shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum + tar xf cilium-darwin-${CLI_ARCH}.tar.gz + rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum} + ;; + Linux) + CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt) + CLI_ARCH=amd64 + if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi + curl -L --fail --remote-name-all "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz"{,.sha256sum} + sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum + tar xf cilium-linux-${CLI_ARCH}.tar.gz + rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum} + ;; + *) + echo "Unsupported operating system: $OS" + exit 1 + ;; +esac +mkdir -p bin +chmod +x cilium +mv cilium bin +fi ## Install MetalLB. kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/"${METALLB_VERSION}"/config/manifests/metallb-native.yaml @@ -53,9 +92,6 @@ if [ -z "$needCreate" ]; then kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" fi -# Wait for MetalLB to become available. -kubectl rollout status -n metallb-system deployment/controller --timeout 5m -kubectl rollout status -n metallb-system daemonset/speaker --timeout 5m # Apply config with addresses based on docker network IPAM. address_ranges="" 
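Review bot: The Cilium CLI download in the `CUSTOM_CNI` block is unpinned: `CILIUM_CLI_VERSION` is read at run time from `stable.txt` on the `main` branch, and the `.sha256sum` file comes from the same release URL as the tarball, so the check catches a corrupted download but not a replaced release. Pin the version the way `METALLB_VERSION` is pinned at the top of the script, e.g. `CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"<pinned-version>"}`, and compare the archive against a digest kept in the repository. `curl -s` without `--fail` also lets an HTTP error body become the version string. The `## Install Calico` comment should read `## Install the Cilium CLI`. The Darwin and Linux branches differ only in the OS name, the machine string for arm64 and the checksum tool, so they could share one code path.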
@@ -82,8 +118,8 @@ if [ -z "${address_ranges}" ]; then exit 1 fi -# Apply MetalLB IPAddressPool and L2Advertisement -kubectl apply -f - </dev/null 2>&1 apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: @@ -102,3 +138,29 @@ spec: ipAddressPools: - kube-services EOF +} + +RETRY_INTERVAL=5 # seconds +TIMEOUT=120 # seconds +ELAPSED_TIME=0 + +if [ "$CUSTOM_CNI" = "true" ]; then + CILIUM_BIN="./bin/cilium" + $CILIUM_BIN install --wait --version 1.16.4 + $CILIUM_BIN status --wait +fi + +# Apply MetalLB IPAddressPool and L2Advertisement +echo "Applying configuration with retries..." + # Retry loop + while [ $ELAPSED_TIME -lt $TIMEOUT ]; do + if apply_metallb_ranges; then + echo "Configuration applied successfully." + exit 0 + else + echo "Trying to apply configuration. Retrying in $RETRY_INTERVAL seconds..." + fi + sleep $RETRY_INTERVAL + ELAPSED_TIME=$((ELAPSED_TIME + RETRY_INTERVAL)) + done + diff --git a/tools/make/kube.mk b/tools/make/kube.mk index ecb458e2791..ad9f04efc52 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk @@ -145,6 +145,9 @@ experimental-conformance: create-cluster kube-install-image kube-deploy run-expe .PHONY: benchmark benchmark: create-cluster kube-install-image kube-deploy-for-benchmark-test run-benchmark delete-cluster ## Create a kind cluster, deploy EG into it, run Envoy Gateway benchmark test, and clean up. +.PHONY: resilience +resilience: create-cluster kube-install-image kube-deploy run-resilience delete-cluster ## Create a kind cluster, deploy EG into it, run Envoy Gateway resilience test, and clean up. + .PHONY: e2e e2e: create-cluster kube-install-image kube-deploy \ install-ratelimit install-eg-addons kube-install-examples-image \ 
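Review bot: When the retry loop runs out of `TIMEOUT`, the script falls off the end after `done`. Unless something outside this hunk follows it, a cluster whose MetalLB address pool was never applied still exits with status 0. Add a failure path after the loop, e.g. `echo "Timed out applying MetalLB configuration" >&2` followed by `exit 1`. `apply_metallb_ranges` appears to discard kubectl's output (`>/dev/null 2>&1`), which hides the reason for each failed attempt; keeping stderr from the last attempt would make a timeout diagnosable. The `exit 0` on success ends the whole script, so any step added after the loop later would be skipped; `break` is the safer choice.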
@@ -177,6 +180,11 @@ else --run-test $(E2E_RUN_TEST) endif +.PHONY: run-resilience +run-resilience: ## Run resilience tests + @$(LOG_TARGET) + go test -v -tags resilience ./test/resilience --gateway-class=envoy-gateway + .PHONY: run-benchmark run-benchmark: install-benchmark-server prepare-ip-family ## Run benchmark tests @$(LOG_TARGET) From 67bf63c61076e02342690ae841fada432558c8f7 Mon Sep 17 00:00:00 2001 From: Arko Dasgupta Date: Mon, 16 Dec 2024 07:42:43 -0800 Subject: [PATCH 501/523] docs: Set GA4 ID (#4919) * Use the same as the envoy proxy and envoy mobile websites Relates to https://github.com/envoyproxy/envoy-website/issues/273 & https://github.com/envoyproxy/envoy-mobile/issues/2680 Signed-off-by: Arko Dasgupta --- site/hugo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/hugo.toml b/site/hugo.toml index 6fabd7aa245..822ef19d0f5 100644 --- a/site/hugo.toml +++ b/site/hugo.toml @@ -53,7 +53,7 @@ anchor = "smart" [services] [services.googleAnalytics] # Comment out the next line to disable GA tracking. Also disables the feature described in [params.ui.feedback]. -id = "UA-00000000-0" +id = "G-DXJEH1ZRXX" # Language configuration From a9f6cd2b414e9f2c25012fb251c88088e745d1cb Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Tue, 17 Dec 2024 11:01:16 +0800 Subject: [PATCH 502/523] chore: set go version for the osv scanner (#4941) set go version for osv scanner Signed-off-by: Huabing Zhao --- .github/workflows/osv-scanner.yml | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index e43942d85c7..90dfcbfa9e6 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml 
@@ -19,27 +19,34 @@ permissions: jobs: scan-scheduled: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 + runs-on: ubuntu-latest + steps: + - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 + with: + scan-args: |- + --skip-git + --recursive + ./ permissions: actions: read contents: read # Require writing security events to upload SARIF file to security tab security-events: write - with: - scan-args: |- - --skip-git - --recursive - ./ scan-pr: if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 + runs-on: ubuntu-latest + steps: + - uses: actions/setup-go@v5 + with: + go-version: '1.23.4' # The Go version to download (if necessary) and use. + - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 + with: + scan-args: |- + --skip-git + --recursive + ./ permissions: actions: read contents: read security-events: write - with: - scan-args: |- - --skip-git - --recursive - ./ From f2641b3ab3ac507e0b34bcea7762c6a85309304a Mon Sep 17 00:00:00 2001 
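Review bot: Both `scan-scheduled` and `scan-pr` now reference `osv-scanner-reusable.yml` / `osv-scanner-reusable-pr.yml` from a step. A reusable workflow can only be called with `uses:` at job level (`jobs.<job_id>.uses`), whereas a step-level `uses:` is resolved as an action, so the scanner will not run in this form. A called workflow runs in its own job, so `actions/setup-go` in the caller would not change the Go version it sees; to control the toolchain, either keep the job-level call and pass the version through an input the reusable workflow exposes (if it has one), or switch to a step-level scanner action in a job that also runs checkout. `actions/setup-go@v5` is referenced by a mutable tag while the other references in this file are pinned to a commit SHA, so it should be pinned the same way. The new step is added only to `scan-pr`, leaving the scheduled scan on a different toolchain.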
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:17:59 +0800 Subject: [PATCH 503/523] build(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 (#4922) Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/01570a1f39cb168c169c802c3bceb9e93fb10974...7b4da11513bf3f43f9999e90eabced41ab8bb048) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain --- .github/workflows/latest_release.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 47de6b9af60..27b7cf70670 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml @@ -107,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v0.1.15 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v0.1.15 with: draft: false prerelease: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 47636612dbf..5481116ae48 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -96,7 +96,7 @@ jobs: tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl - name: Upload Release Manifests - uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v0.1.15 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v0.1.15 with: files: | release-artifacts/install.yaml From 4cba2e2703847bb106b8d3bf5cb0eb355aabf9e1 Mon Sep 17 00:00:00 2001 From: keithfz Date: Mon, 16 Dec 2024 22:43:43 -0500 Subject: [PATCH 504/523] fix: fixing some misleading unit test case names (#4934) --- api/v1alpha1/kubernetes_helpers.go | 4 +-- .../validation/envoyproxy_validate_test.go | 30 +++++++++++-------- 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/api/v1alpha1/kubernetes_helpers.go b/api/v1alpha1/kubernetes_helpers.go index 761f880d29b..6dd6b5fbfcc 100644 --- a/api/v1alpha1/kubernetes_helpers.go +++ b/api/v1alpha1/kubernetes_helpers.go @@ -239,10 +239,10 @@ func (service *KubernetesServiceSpec) ApplyMergePatch(old *corev1.Service) (*cor var patchedJSON []byte var err error - // Serialize the current deployment to JSON + // Serialize the current service to JSON originalJSON, err := json.Marshal(old) if err != nil { - return nil, fmt.Errorf("error marshaling original deployment: %w", err) + return nil, fmt.Errorf("error marshaling original service: %w", err) } switch { diff --git a/api/v1alpha1/validation/envoyproxy_validate_test.go b/api/v1alpha1/validation/envoyproxy_validate_test.go index 8a784db59ab..9c96792f541 100644 --- a/api/v1alpha1/validation/envoyproxy_validate_test.go +++ b/api/v1alpha1/validation/envoyproxy_validate_test.go @@ -403,7 +403,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: true, }, { - name: "should be invalid when service patch type is empty", + name: "should be valid when service patch is empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", 
@@ -427,7 +427,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: true, }, { - name: "should be invalid when deployment patch type is empty", + name: "should be valid when deployment patch is empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -500,7 +500,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: true, }, { - name: "should be invalid when pdb patch not set", + name: "should be invalid when pdb patch object is empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -522,7 +522,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: false, }, { - name: "should be invalid when pdb type not set", + name: "should be valid when pdb type not set", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -534,14 +534,16 @@ func TestValidateEnvoyProxy(t *testing.T) { Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ EnvoyPDB: &egv1a1.KubernetesPodDisruptionBudgetSpec{ Patch: &egv1a1.KubernetesPatchSpec{ - Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{}"), + }, }, }, }, }, }, }, - expected: false, + expected: true, }, { name: "should be valid when hpa patch and type are empty", @@ -593,7 +595,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: true, }, { - name: "should be invalid when hpa patch not set", + name: "should be invalid when hpa patch object is empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -615,7 +617,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: false, }, { - name: "should be invalid when hpa type not set", + name: "should be valid when hpa type not set", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", 
@@ -627,17 +629,19 @@ func TestValidateEnvoyProxy(t *testing.T) { Kubernetes: &egv1a1.EnvoyProxyKubernetesProvider{ EnvoyHpa: &egv1a1.KubernetesHorizontalPodAutoscalerSpec{ Patch: &egv1a1.KubernetesPatchSpec{ - Type: ptr.To(egv1a1.StrategicMerge), + Value: apiextensionsv1.JSON{ + Raw: []byte("{}"), + }, }, }, }, }, }, }, - expected: false, + expected: true, }, { - name: "should invalid when patch object is empty", + name: "should invalid when deployment patch object is empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -659,7 +663,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: false, }, { - name: "should valid when patch type and object are both not empty", + name: "should valid when deployment patch type and object are both not empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", @@ -684,7 +688,7 @@ func TestValidateEnvoyProxy(t *testing.T) { expected: true, }, { - name: "should valid when patch type is empty and object is not empty", + name: "should valid when deployment patch type is empty and object is not empty", proxy: &egv1a1.EnvoyProxy{ ObjectMeta: metav1.ObjectMeta{ Namespace: "test", From ca2d80bc78354bca74c55cfed24b45bfb8c59c58 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Wed, 18 Dec 2024 12:40:07 +0800 Subject: [PATCH 505/523] docs: how to connect to an OIDC provider with a self-signed cert (#4889) update oidc docs Signed-off-by: Huabing Zhao --- site/content/en/docs/tasks/security/oidc.md | 153 +++++++++++++++++- site/content/en/latest/tasks/security/oidc.md | 153 +++++++++++++++++- site/content/en/v1.2/tasks/security/oidc.md | 153 +++++++++++++++++- 3 files changed, 456 insertions(+), 3 deletions(-) diff --git a/site/content/en/docs/tasks/security/oidc.md b/site/content/en/docs/tasks/security/oidc.md index f6ad61f8aa1..d57e7d35ff3 100644 --- a/site/content/en/docs/tasks/security/oidc.md +++ b/site/content/en/docs/tasks/security/oidc.md 
@@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to an OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing][backend-routing] and [Backend TLS: Gateway to Backend][backend-tls] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. @@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[backend-routing]: ../traffic/backend +[backend-tls]: ../backend-tls diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md index f6ad61f8aa1..d57e7d35ff3 100644 
--- a/site/content/en/latest/tasks/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to an OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing][backend-routing] and [Backend TLS: Gateway to Backend][backend-tls] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. @@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[backend-routing]: ../traffic/backend +[backend-tls]: ../backend-tls 
diff --git a/site/content/en/v1.2/tasks/security/oidc.md b/site/content/en/v1.2/tasks/security/oidc.md index f6ad61f8aa1..d57e7d35ff3 100644 --- a/site/content/en/v1.2/tasks/security/oidc.md +++ b/site/content/en/v1.2/tasks/security/oidc.md @@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to an OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing][backend-routing] and [Backend TLS: Gateway to Backend][backend-tls] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
@@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[backend-routing]: ../traffic/backend +[backend-tls]: ../backend-tls From f5d01071984249fb494c6f67de0d4bd5680f1b31 Mon Sep 17 00:00:00 2001 From: Xunzhuo Date: Fri, 20 Dec 2024 10:40:50 +0800 Subject: [PATCH 506/523] docs(favicon): upload icons (#4949) Signed-off-by: bitliu --- site/static/favicons/android-144x144.png | Bin 0 -> 12492 bytes site/static/favicons/android-192x192.png | Bin 0 -> 19837 bytes site/static/favicons/android-36x36.png | Bin 0 -> 1438 bytes site/static/favicons/android-48x48.png | Bin 0 -> 2166 bytes site/static/favicons/android-72x72.png | Bin 0 -> 3944 bytes site/static/favicons/android-96x96.png | Bin 0 -> 6376 bytes .../favicons/apple-touch-icon-180x180.png | Bin 0 -> 20384 bytes 7 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 site/static/favicons/android-144x144.png create mode 100644 site/static/favicons/android-192x192.png create mode 100644 site/static/favicons/android-36x36.png create mode 100644 site/static/favicons/android-48x48.png create mode 100644 site/static/favicons/android-72x72.png create mode 100644 site/static/favicons/android-96x96.png create mode 100644 site/static/favicons/apple-touch-icon-180x180.png 
diff --git a/site/static/favicons/android-144x144.png b/site/static/favicons/android-144x144.png new file mode 100644 index 0000000000000000000000000000000000000000..27295057a1e5ea5a3b1f69b68575026a6dc23249 GIT binary patch literal 12492 zcmV;-Ff-4IP)PyA07*naRCr$Po!M_(cXsDL=XY1Rf6(@SV9W#qG%$}1G-CU$9}>(%S`Ps-owR$gC2ON7Ql!L96!)c;`#ZyP z?=4mpSroO9A|Z2Gqfr z$Nz^SzYC}zDKbCbOYe#x`i7rAN+<7)I}Zk&FZja!Ie%X7@eLtO?Mks*;e>;?6?xks z9g1N@rxdOUTz7=`i|C^wi*t%D_tBTL54@>hdP4!E@+%0kjAr_1IhsL_Lv%7EI2pl7 z!5;_d6=)=mGJXkos4ybvaFJ*jWH^r>RaVA^7%G0i2ay5kO}i7{C;(}kjR?PHB6FCg zMkqEp+y%wIC5Zk1f*^eYt)LB{fdN9GsOYL7Gaf%G$Sse*1@2o<{!TN^ON%Tn_tIMg zih}qz1xRlUfDAknOf-aq?M3Q4J;h$3coc%uf}Ryzzo2~zU4mv4+$8+S{sDMJbAnhp z8}Sr}1qK3wyTDkH;&`6?L|AbFo zYku_F0w@JRIK*s2k)`Gq8ruaurs#PH&VyVQ^fG9ZLoDJ16%|>Uff7n1o2iZc!oai& zEC}+gqSq9?oxUFyD9jcpEP4FuSndM1fwx52BT(2F; zer*6`p!tMP?CnMw%|t})(9|2EXG6kwL9YmMT98hlEul8{D(OI*uWk9{)cRfNXIk+O zodc$U0VVoM;kO0+V21qIGBRh?+Uu6qUJC$yjt1QfWlq!4(1`0U5*-7M3!E^{1N1xO zxT0N2X--2q)U03sO@-4_0%-m36kT!1lEx89?-9^QJ-x0nAdd5MoqDGMG1jzta%E#q-8i6+azxgq9%n{(vaLmE1Z z_@0o=QI9{XL>IwX)Hw=t2x`D7rK|O0PX1Ayo)YERN^o7zO@=s$6-9MV0#*85nu?G1 z<;IU5ODsa_J;C3M&_P8WfKG-m-AQ&1{$Wk1d^M}JR~10Pb*=|p^jWGpqxf@*oOf^< z+!64H1TitNNuWN7I$Lp^jX#fZQ&g}>5<|>^2n2#yZ&r2X{2Cj$1b?(Jd2>E6q5;%W{dxzW&EQ) z`b^C}0MPR=#1hA`YiA{SGtJp~a-DTFofPym=sV!QqtFu|ZHhL7WCaO{!DE-Q)P|^; zy5iP^MTaCRNWnOXT};pcMX!7O4UeBq_y3T?y%pfBXLbfKAayC45y)7iGmcc21U4Ua z(hiCDB?7hWSr>oNqqBmHdGwnQz6o)I3#<;;qq7~j9Q0chjHA(h1k}EaKz2baT{&EH zNMq+Jxn4)zQ3t0KJtc6)`d7qFPce=YR2YK?7dGd1$EGz~Dh4jnn znrLcnrnyZi^a!rcBm#kV1b0zU>#=oOG)iTH3W0KCdRvc(vC$|c>;;8|0Ia_@2KrF( zw}ERBxdEX#u}aJAzwvMR5BV?#(SC_W`vO2Eo5c(>4a;atBiW7u#ombMq!3&H-cC4= z9&(7O$Z2K0UYb`B*U~>LFO3tr~i$$TdN~wg{9X_h^NcMeAMF2qSi` zG7BuUEV9@g5S(!M?>OX=fJGw%cRO)Y);Ew;Z0q}3=0}@SYALnFX%%!PRkIDy)?d4& z1os`$_!2VHNaI2$oksLcbK3KWwC4aSfoB#PS6J+I=$Q~XRm5A{!Ib2q;Cq1fR6(|s zwPl*Bq0@N9=M|O(#s$oNG3a2>lwv`~9d2BZ`A0lj`8hu?e9EUaFHE|xnNdcYnh9GY zq$e?+sin2k0;d(ufF2ga)b6@cM0x^%s<4{)j^cftQJ56`LkLXKz6UZG;RZwU6YVT5 
z!xw9UW$k@^9`5-(f3s%*GM+OUpWyk10NOdrEG`5iYdhR-rGSrsn6tzzhA&O9xPi>kKl}T1U_wAV(bjn8qc!ob>1^M;H@S z&<;uN;`OSk@@TiPSr~XM6C>E^-wST^(g0-P|0=k%jAmA8%ruZWqUhNS!8swa{?!G+^(ekgu#;`oRa_>!YM)N| zZY{SW;*)JqYKqX#0PR%tq~OjfdJgoQgMN>; zCt6Oa+4&?JMY&uy9Vg`u3m#?_nSy9k&;bXx1-VnCI6TVe%rE(6v=zsB+LN}`=S=YY zkjvp={-`q`)30Ea<2iw|=Cw9A07yG%v!L~snzsf}O<_G*B>uBr|>W+Ad7X&VXo-_iQ5KcOXTN9F!PBXvT zu5E4;*iX|tGeuBLS-!p+rgYiXCzM3^3d8Ng5HS8 z+zu#=w<8nKZ_Qj2Aj@~#i{2$0{(e^gWa;WFz6y?VG~;P*2=Q&!xAJjirSA${F?%U- zNp96jNq~D&byY6QEmfr@ukiy*Mb;X)@8UbseI1ei-72g1=a`%S4&O1`#GaJ9pYwU} z7Tpc4^tLw9VnqAq@U}e%RI~G&3Pf7^Sn20lF~j5 zdkC{3b)Am7UL~+pcAS`Ki;?Y<31?C>x*5?ubY9sD68`gg%yclhCuaPk4|%ir=vv|kk4aslv#gAao_?l%?5^a#0r zA5Xsqe@v{jTQtIKD5avoEF{}Rpk!<|IW1OsT4c7eUM;0PQ1o{KzqT2+I+z^i&iv2$ zbzvvd_zMB3q>EgKunn5)S?IC`C-|d^v+2%LMkLKrn(`bwNolmH6%=aqi(+-w8lFow zlU2k|xwtIH?zVvf{!Sg4ksR~Wee{{iTxvf&Z{XO~zq1DH18%lvY3*|4PAKkNKzLg5 zeKwaSh)Dw7CPW&^wi|6L-}Yv4GH%ycpKk`l-uH}X3(-AKFkSoCe24wQ0J_fgOqSmIMl!u2TvB*TP%Ft#dGv@$`x1v{Bgk5pRNGsoB6(vmm~Hl+9xPpUlB(!V86YpEO3v@pA=#yrJA^B_e;Hyq)&t&C4V{VH5} zp%njI0J6Kt+6vRGv=oTi6%GZ7`f7cl^FEgKty?W^=^a$n@Z5Z|OX67^i%m2vI9N8j zgQAw(r;OhKHyr+^Cm33Sp(WavFRz7d3&}efmY)_3&-=NG2@)A#AUsTclM?kuU`~UJ z68G1VDcQv16jy5orb=sWYK`2S?#tE>i$+$pF`JNVy=T2OVr#9H{qkrPKj#P*JDFP% z-h1Zg{mcL|V)*xb((K6{i71``Z~dRMpeK^DT&!&EOeQ_GJ{9}6+0HtEV&99o0j(=7 z=zWI_g5FiI1r5faI8jgiObadMqj}{`=_w5eC%D@Y;5tIW9*HA&tc#sBW!sE%f><<9 z)$At;kX1r!d_xLYF)^2#Lm=c*QazF?NJ&a89X!7U$)8eygWZMGB4)7`j{Rz*> z&hw}-An10nu3;fJjyjhVJ!%J-dXP=eiA`4a_fOu4+S#zh3oMix0bKFuBZuAvxefk? 
zgPXu;NVq)1%*r&=(Ulhrz0VsxcH{5t9DT)C;T5g~ql`8-vf7v-b395Yfkh)zwNIOE zBwaDYsDSaK3XgUz2_&|!*bSMUW8;T@)!dg>!D<}Q-Hjr}+n_^5{G*VDmBh$qiuMOl zx-P($hy7Flnt@hjr8OUq$V7d_Js-0(SlWs#@>sZSPnw3Yrc?F3+t^AiY%VD}r!bKm zn7b;MW$$b zq8{^p+t5J5kt$!ccv0mffR7Z(3p%6d10fuSXxPkjmgYP>s3V+cK<44}{C1r3X#f-q zF?&2q{c$K>_OS=Xopy1PkV6h__DDlAIui$*O=bB80F|1AW@7i?Z5VGdLLW+;pMyU@ zaUg??*Hb^;VB=m%2sTx9-x#TO3vf0QWGrxqtJ!w?>pfA6qrTJOkAR+6qVFbz+iWgk zgOXOQ#l5veyRU52u2X}OI9V$DjVhR})m+&J;_+~`58GhUr zK-bW^ZdTrl@c#+0>cCdCu#&S)kVa6u1J=K%+~C~u6x)tl)LAqI6_~WHvUQo$QJ0%V zR!8cno3-J)H0tc@%4+w(6oVlcwmUAPIE|JTCmZ-lqw8+WVMwg4JI8v>U8+QHwXW5S258K`Mz zIaxxm{HhJ0_yE%X=#s-NI&>sLjpN+$xO))Z&$Bq`X?fhh;=(9B`73*Q9DoV>-6{ z+Ug_L?KiPDo&R6wqffX_rJLJk*u0&0>#t2X-2ZA~^=HC&nHFfP>3^wGNSRph6=;Jf`f z2-6K)U$B7QuE$RW1WN-f=dRFe zoaluV(cQji`|102tx0>G55rDY!zOy_Bl69T!eNQiS=BBvZJM^EW>@V(N|;KG z*_{Va5`p4rgP8klOkrgJd24!Fs=7-&+hj)YV4#RT7W{OP#l-~{mR^Ov)lOaH-Tofy z4*V^Dn>kFbDWbvn(V>WfP1BwWkV_6RqHPnseTo0dUe)*QO8`)b162cPqe$rSww%c~ zg8oND^m~t9Zy*@lDG%~)UyN7%`%4~e&vf<>jc1hL?GSwz_#<09U6R$=DqhtbD7A*z znD=MPOzb2F+73YLopjT5{zcJ$2EJ}0W77||^qX;<*IGs1FW^g7B^d~($XRdgaDaTz z!Cxr)fyBMaS^z3}i>&u*+T1P!XtPHp0g!^tFMYYTaQ82+(|+y!*uSwimeT!lLHBAu z5~t@?H%IUH0{D^O{wi@pmQz?|@smcMy#)}+T}8hvlKaIm4u7*>SC!bSi~2IRTQdC3 zar4~(`4Pwu&5OMifMmUl-_-~dul82a@7ibrI{?tj1j&=O^(+8Nr+HHyXqNya6=nR! 
z6jmnFa@XU(EK)d#Kzod&jR2B30#&E5(k>=)N-QGADQwMMv9lz4ZL#bM9cc56_W^+R z7%eq6Uk1=O?*@d%fi|VEGJq-#`nv`oJzP#-Tg`VLM44nu264y=L2PtfyAn54;RQ97MMRW;3`q?s5JEa3X3xK%0wxZYp z2igZ9dVTuUCFmbP`gxq8UXkg&B$7H2_&R zzIws!iXAxs&>jP)wE2AoApMDr>?F<9$|`JAGyMQS`x-#iBzkiMN?I9f>pgz9%=Auj zpb~%*68(h7Bpm?gl?G5Lh3yJ}%#pZp@}gRaw&y@7{>wZE9B8j`RGGp;tc;f*D%(Y% zT>((|aUvvI3M)mRjSn4Jw*?#kXs?lzZvR;TRPqCY>-4n1wiRDI(HL5{wEfJwzsqzfb;-B zdkCD3exPy$s+`Iwe=2Qhq)K$z&auNJI!Xbw)#3{2_SYj&@gM^2F^D!tpnU_NTI&Oq zmFOge9RO&L@w2W(ClN?DaG>gDYVuTT<3S0DHcRU+MWF44!~+2BHFT2gS4W`j094%z zdx-$rBuJ$s`XB=BHH^vt`t7?)_#;;}8~>zUm_;CYSrO;}Kzj|8t+rncAeW}Fr*R}E zp6Es9cTR~`q6$AyEg`WySa^`a_6MY%1fb1Nir&b9b_hU|Og67Q$nE2ZqzWq=>Nh_B zyplv)8Gn$%_8LY{2cSwrS^SXb^{I>fgJkT+)kvhGJp~xv9wC-MkTrw5|duo0f6=^fMml0Q>FbZ zFS40LAoD~Y0BAp4#Xa1I%_&TNDC=WA)dQg~2|$}uSb2@T@>q{8FqJe@4|-vHh@T1_ zsFcDCK-E(jr4&}0$|wnm0=p4`N`r-ECHeqBdkK*zZ@YE`+6q9`LgFq0s9K5MxK6aq zg&jno{Q;_d4WO+bMSTFE{Q;lKR>syTtoGsxIw{C*rLZS^q7Nd_eu2;P0w`&w?l6G5 z)5+A*(L zstus>Dy^kwrtUC+G<{xJd70nZtF#_)pzSW}%lrLC03~BRPYWRP11-MzR7PTHJ@m0| z>xnLfL|dgb`m%69qF)|Tw%Af7fRcyqmH@P|@Uc`@S|6xXg;_7`06=?w5%+Qjo&`YV z)j3KjY}Wv^kppc!MLKA!bJ%0Q+qrWM-amNk_a33B^w{rZ+S12<^H)g<+Z=(Cx%f&F zy-NVvyu8b%op~VeFN*tTD1M!xZnBw$Irv>s_$b<=bNNPXR{1=D=5UFw4hRm{A>RZ3 z0`vpL9$Q-ZD$j*gKlXdi0HluvzESv(i0Jo9{(686c0vx$=F?pJMqSXCd9aqYhPaw- zqnORoamL}^7W7?^KU$j@ep{fe7J$lCSn||nVn^aGaG;G5D6s{UqmaT9FlqyaioflN zZUnf25I^mxo6ga+*iO5Brg#9Roq?8tW`KXHJ4;{V3aiaZvCAQcJehL=?hEA%qcZ08q!r#5z!Uw7KL5+Bnv; zVb@b@F!XaO0ohnY5}7KQf;Pk9dC=#MGa>VW1P+M(onHF=Qk z3BmUZa#EmA6Tz@iAS{ogZ%$pC2Mc#N0*y1?l*RuT^uH^5M9>faM_NxdYtjCv0`I#4`hv6M zn({0jab!*?TvB+)BWEmCDcUKh0mryb8gcA0*p;ePzQ;dHuM>9OEptq)eb+yP)c;KQ zuJP3^Uz@N0hL4Ug($I|jwZh*hoD}qsAkCmz5_G%DoVqz8t)o8KQ&@7SMWhi$Z#lRP z!99l`$x)cBCw#m}<6;k^`Gd4p8qN7CoMIu{M9>n_+2JYnK=A~~DTkZ`E+`m5Zc=jvN7h@|Hjo#Eql+uJ? 
zkgu9Lpe;mB25>RJofY(?PpYc!wa$6FtP^BSNpj_7ue>Hz*T)ER0d(1;Ga&aJdK3ID zA^3I3&~Jo~@-GA+MT2pMj%NvuD{@KD?~sJcBZ?lfT=aOVU)W+@A3uxkY3(t@UDRXlQ2uNQLukfJ#Aa)m=aBytx0cGuylmpdyegFUvdPzhzE0`8ci zCnB`p5u5;jLXbX%9uou=ZAxjx`eAQgx-R)u2|$WQCbei1aUM8y7-Tq#-_ZyZ9|+Mz z1NnLQ&-2?w|EB`bRjvm8^oMQuY#l8Pd2-!?o)+{%gufIZ7Zr{Q(gaek_&PxXV{Qh( z+PrA}nC*@zl7!M6_!UK`9PTb~ThSX9QZwjip4{>bEi2PZM^|2>vOkGBzX@R>m?zhm zA=?Oz$3w!49(_x2#&b@4)C9r?g{)OqiiS2~we?M7GK;99_95drc8*tl%t5`ioNffj z4MA?LP#h96kMg*c4i-#)DZ&Q^wwjHz(l)mR(8itnDL-|8&)+wD=6da}@c7dKa>gMh zV3}xj*eU^#7SQ_5VYSxbCTeyfEUIbg3xb*ec^_m@Pen*^D5<10Gs9q`r>?T+XW1ShSew5SA}vK$Sx zNqoST*5W&*#`daOAu-xr9AYg$>mrB|Z7ch&GWZs_8Ic=?!caSzWw;!D!Y69)?ZWL- zpOszyU;>&?;`aap;aR4dpz&lLPC;}rildGgK{k%rVLTJ00gNEW<#>gNTXSdAld6&N z9YL)tV1>#c$SqHF6WskGxoL-+Z6sWTaOHV)xaR^;nc1jZ=Zj316ZK7W9IYdJ$>B`_ zy&yv=2r-oCn0~C z%Z2?8q69qGGmn_fHV`&?3T+|Tt|Uzb=LNm2NwwRZfX1p^pGqYqKJ%ok5=ZfZpmq~3 zf?8>A1o<9tOVMw0$cPK>{Ot-SS@H}_XE(e^d zuea#Ez`wWFQQrmm6A@w!&(o&kSb<`|@o2Y;g}^xCtf#Cp@7NMR_KRq3ig;G=Gr&F5 z*#z!+7;*TA5i*&j@Ce41;QHFl`Dqf)p7ZrW0IH55Nmw4@@9Mf}Xf3dO#KA>@Kk?}I ztWp!ih<3)uWhYj4rfF>}e|5EHk;HCmjp$>It1|h6$NzhPyY2~wBjzX5v}W8Wl?!64 z=AOOEBj8^+cq;(klqcV#NdMX@CU1lLV}Z8?=_C#bwqS4kDqL2aUOoXroru8y5BJXm9Eg|d>&ljLVX);t!-#ekdVQCVig;c z-j8`A(=b{E>MgCMK&m0NZ@%`{8d20z+LDVS5kn?II%F845$m}%!b2#`!D?ai!x8kHpA&NJ?XiZNm%Qp>dK7lOTxvR5X9PbS zQg<&RH&nn)&J!;5a>dB>Gm+%&?z|lbP)f4hS9}#5Ag5;9YU#Efl4tE>;*F_4y&#`>Jh@0PyleXPSt>B1mg8$nP z(9qgMvuQc+g1)10&MGU99&&M~9BYnRsxnnSeU)#XtpQ{tSymK3n-&>gDf}MHR$Mn& z&*}n9ukoCR1$elo=s#P9^)$!1D*#G2Y#I<>@P+#Ur?ZW8#pP*%{DlB_(Zfj>dsVbM ztu$I)d?GD`SCdBjzUuXC*3*)O?zq2}EX!uRNbdMpig!aHGA8I$mT+c_*~Opn%hlbi z)-2+D!YA@${<1#Ax3&>_iiaIsvNcq@ff@~4QbecIq zXFNGR+b-)U^1u5p!Orz1E7 z-ugOcfpdzUbGVahPl#!kxax>GQq`-*f=KJXmzZQ%m;I77YX^kLNaTPg8ootg=9m03 zdRDFDY3@Y(jA>*aaydLqcW0K?{(#_Y0O!D)5ZEWkAw@fqX0)a6?fO>9mMbEVJ(Jr~ z){LM-Aa_9TfFFo(_Z>1_AV1Sgo5>r?JDsj-orjkKpi)|ct8SERrjhQ9C+ba_g4W-W z3yPk1NRQy#z%>b4pStH_Qd!>7nw;2vX!<||-pc+}O(K##zty7AO$T=h$XE^*x(F7N 
zyZFUD+6m9OnuWf)WuoSYe5;^G9cm@H6%qD-JI*dskdxL!(!1JfrQ6blN}`78IAW2+ z6l81pSmYT4xowfQNbz=vySqSfyo-W0sf#aj66U1=sDc;7+qC{#fOZRVq)5?9*yCn~ za_A|+Svh+c)JlKj2dQ|LKymY{g86QFC9P?Knh^AZayK|Ed`>^fXG@R?>K@Bfk)Jgiu2#K9v$?}2eb*BYqjYBg_ zSqJ*4M|;*x-sX9+ip^5n25wNZ+%J91E=JztjT4MZ%!|0|kb4ou;UYTTN@kq6`)vNB zU$3dzwX2n6P;VeJ&s0+#4XpuDPl2GP!3udJSy^Cb~)AH0$ab3L44wLxiXX~uOF z@V!O+Nr$^&f}5bHOlWh-T$8EUC0?{e<+6TYsmP|q#CxO*)?f4ZhrmMz*8aI;g}!JTaFV*{o0W7?`%kl;FQnWUxr| zFb9*K)j4Huv4>-^$$yHe*u-8>XPXe2IC@NRW~zIK*vjI&EM=L>o{-}*XWLBvH}W+M z*tVSohnr7SWPRw++YntV;06RY(MZqi7yMiPLq3c_^Rl_lR$$vV0IJ+UBc>Cy)eCLS zjWl(xk~vaGaMTf<60lTpmiR3#X-X?i9;^dqtEw$I@reLuPRF!bGb7t5$dD4<3vhQ8 zH`EZj0qhmFE|NPHBB#x1kXkMJ1htk#mo+^FZ;j7Xey9`y%gH(g*7^?;`61qiIZe{) zfTH&l?nUUs3^HC|bT6f5!mjq|? zRtDS?f?8Q_eij`Gl4uPV%qV5ty3iu;Btzk;fIj5!BX{9E5Oa1wXq)KHtZm zT6BsBF!xK;sXU|m5v>m!B|^k|Nq7pG`j) z&yjIURn~&Bx8Uv-DGb|W$`Wp>k3Y4()t)wjpN1p75&%leXE(vu^$i4BPtdB+5+rsR0cIA~5Iot5QgDGfF* zww^}5_4A&lOB*&fk+TTiqMb#xAqZk2&>=Sq1ow(8EjnajiMrKZ26Mtkuf*8*D*>R5 zcY;kJT<3bwhwlrKGfH61$#W8Olz8~jQcgN{6qo%^VaQs)*<+8kAW__9OCpPf0!xjX zMuV$Q;HH3Kz*+H$dtfe^xiS^m{NB+W#oei=;qG;=jeQHze&jgYMWI&}Kx_MLme9X# zo?)&%OL$1h9+t!wVQmA8NLKdurbad!IZB@)T8pP7$*4?ntvt37->PhHazOza{p~TI#uqDRd=R<7d_-m zb8_$?iiZMBE|A|Ui?^4_PT%7XEAR2+SAH#k*91VH2SapcIylr&kMAxJnq9&O?+K5Z zk*(i>4Mv(?W5%s?jhxDBZ-A&yLC+2#T>&xc?W1I(#1DZpquYH5N9xfBusl6PaiyQB z!d|r>4kA#EGf?v4e8T&2$G@KT_6&tyaAzI*eFxu{c#$RPOjqeD;UoS3a|38S_bF(b+B|tb zIGgLYvcH>TP|rk28`9fUt!?8$iW{C*xq;Z&(W7+I(*#N5I|GGy5@LR`Db|zT&%Fv| z`Ljl+*AhUfJ`=z|ILl(g61nD(u%m&@F$d=Z&%d?+DvNxd$W`8V zm&j-9=sT1l*B=tv7|o?bUBD}EK6C7bD@xwlC1c(S^w>lf5! 
z*Q{CEn=YRc_sKvWf{$&nR+@YK{T#*78J5R}p!fkFSbE#{y{o4cNNG|U zIcg?qsH3qxN8Uz?PlSj~ioTsLpk)A>OgrV*g=i!q`=}l_3vDZ(@PBfzJI{F%qTW~l zRSM2Y&ugqrrtq`&;r|a% WiUcO5!31>x0000PyA07*naRCr$Py~}f4*>&do+xwh+;Qb&$5F|*VSXC<7RNK+FbmQ7RkV>B1u-YC; zrLjl1|BNdA8+X(Lk5ux=-Jy}MN*-7d9WE=v7Tc1=B0&-)-tSjF&e{9cx6er+6UYPs z62yy{5hzx%5}D`hv)0~ged}A_GIU>Wbp@XAq&&)K?=ss1Wy*JB?6(~0cP!?n!w+U( z?$-?FMTGsg6!$2BnS^NTE<-y8Q+=x!_>Oj0}ehb4j($NTW4g7?`-U0ufff0l0aX37F$6}TY z=1Gd1DG2!e%8XQ$IL=9zsv4|$FDB4 zoPNy5slm8Yy7YJYW4aFT29G~8`mdrPhHT1kv7b`WQ7y$V0r6dMQwBR}@RJ6kpAnB6 z0D26>;3IA477~xI8;o}N4Ub##Fk>;#bt0s=r;t7`Qk*MNtX8Sk#u$^+$O&B68D9S( zb{*g~*G|Si&2-T*RPxkH{gnGmX50e~d)va4!@ZXq{%!F388A@HY(6BvVf{@W*2tJW zUPhlOE= z2Z|I&Qc5F+bR7ImkDUOo1owu)+%PceF(Vc;k&*?ii+>=Dde&6p2v^+fc%(#k5RZ&GMG{p^7xkBKR*eYksSv<%};`g!R$KxronFj zE5H+vpEj7M9zUy}0)?dwHfqWb9`o3J%BS5#`54bNKYfq+&Uf@}xxv~;JW{M*s8K8R z(9`274kT13Jkgy7vIG8o1Me%;0g4tA!kq>@+PZ|zNTyd9)b8cMH^L%?IqM$(*kB$R z%wu52Q-5B=%{kl_uv?%|9cR3rL#E0Px{&D+w%a`cj#!*5)S)mACC|2E{J|Ra>k)no z%ngej_xPJ&6#gjOx#2hO+XfPjn{Cx|f zU;^?3MEh&p8s2pBvHivG>;Ol+M|r}gfsM=w{MU~3_bKiVhImFvbDjE1joMa`Vr`!J zxSc$0tj4t&p8U2In_k zXL154L9T;Qeh@0jnIkyyiWUvbInr4b)C|#6hk0%=i>s{eBqY@bJW%1S>j3ZS8JH)g z+O_RG^Mzi<%Ue|XQg(+8+>J3G82pDGa}T(!9p7YFe!*nMu289A^f|P7YzJr*0-Baz zVSej=)S4T#wbe#!AM%8dCSYpd)|4E3cqx7n_&?N1zAjOC?n&2U-1Z<*1y&MRbnuC& z74M`oymKeOJ`PX3!AAcMJA;zRrcW_rCh&Hg;{97G?xqd@&kU38`gy3+#)eyt zfy4HsEgQUyRM6(0@#`TNyt3x(Upt;A2e+%1@5nwLQUhBCR76v5Ft3WT#mv-6=3=5n zN3s%ATmiQ+LVfcgo7)fg;+vD?^LLJ9_pUmCcKwo}d=uPFhn+C^+a7aUq%}ZXvfV|MJ}hUI>-0JyJh$Wtj&?5CaT0M4(PU_mK>pKvAbfK zDoJ+ubx*qLv5OY}5_kdTrNPZcBy$zk7sgqs!YA(>ujtA}=$193T%*!tSpERoz1!oKT!# z!GcUZJ{CJPBgxUoDeOLNq9aV2|BroVuoxw{I%V`{LdG^#vb^f?FHGPSxu=%+iHB)O zX0}MTd)Tb6Q>uT!2k94l;eWzU6k=WJ(CA7#fQiHy4E@ zWqhH~B^J;ni`9uEX9$VsZwl6)*+JN@D8H0c6F)NU+ zL$qGS>_$Yp4|!O*>S)oGb^sN!{+vHAmMM=Up;%?F$JkpAf7=CPcViZF-D0l!5biJ} zgh%L34r|Kj_SWbG4zRatW=1Dsn_Dx=xAAjeUZf;qe9AFo+&u;}Y%sSCC@i~Su=;N~ zgYu5-T}{`LogA;;oOJ{FNuv`-C&8wLH83LEEqk0AaTdVLMi~S3rGsThb#q z7}IH$gI3t%&HR5?!$OJWe!*TMl|` 
zU}=h@@1vZ)(6Z|vCj`!8lQfUC=Q{HIK`c1E}^e zYQwepyAfv6!-Tj+CM4wa`EU~WUfpBENn7)SPD%Meq$nICIpb7ek*k8)7G&x%Pa}A0 z;DsYmF>O{SMV0NXKJ3;2BNbS$!*7zS;s{s80itOr3`2Q`l>vttiSRcKR_%y4E%t^g zxduDtaN1Q>&>Gf`pC!2=(QOKKniI}rg&8s^HKqu8si>_{#^Xb{ql&DV2e;sGiz-Id zsV_O)_BPu}is`3c1vQ0U*JI)_iyiZ!zkqQQ$aUP*pFX?po;+j{y}Cp3ZU6d@s3qi1 zV00pgX{rQyDZ(zLuwY0RQql$W9sqNO+H4QywFi|u=zL{mV z=;-f>C=A57YgMZ1!F}Iir#$YC!CcE4Q)KjNM+|IDAv~cFmN#V`(*fiVDjJ1914&It zix1(9-^jQ*{u!9BMO{vDb1`NyC0%y7(A-|7y1U3?GQdDkdAP>4s7kdk#86qgy~Pe% z+%-=$W^kfi-1nIK7NZbOmFPj2CCa+~Mp16B!>rkTk8l9pfFivVgv^?%hd`}RzLM7v zR7ZGj;BkU`T!1-nD_iVr!qDy{lXBpktamvJX_w9c8iqg3bYYOeVx3|c(*6WL7zgDA zqsH^w1YUlKr*9LINk1e!zo~-TrZFWmoz_KZDOfcMSi$JE>t{Q@-LZIuH0s`35zHtD zNU1+AQWP_Dtx8o5EfvX|2x9z{PY>>%!4YSeDGV?mZqZ);HRt)hIX9H7yhG7WKo&AxsLgPUxRl_*>XGnQ9vZ;!foDI~#TC+q>-Ue!&;Xs}Pm^ z9^+M3C7IG+XM4Cnqy+w^B?=*tdJeMQ1E>5zKf@j`Ql7%O#;KM&^Kp1d2iGBlb2|#@ z41{|VO60Tqo3~h1mlqw;Vn01gRm{c^i#zbaHz(TX-z3SG2Q|9z4sZb7i58()g5m}n zqs5G%ro>UiHSu+B85r}5Dl*ZjUcxT9S6pghY-Z46yVrpepaH<=p^l1Kp=WnfP3pii zgL$UvswbU|iC=pBdX3t4AAMVc3|1fUDESS)Nsd!kYEI}ESu7+ZAuJl8)K?=>-g3+1 zZmG#WI}yy?{Jxbam$RmO6P!SwC5pxVJ$A}x4*k6n`ML?GT*q1{sSmlr=2{hMV}Y3WAQa-V)AVA8Mwh_>LV{amsW42r$CLCXR0j%_$HdgM#P=O; zir@t1rs92%8w6u*UcGJN|Fqoi5inw2q0O4qvqltCb9;!1+l&HM?w(uh*A6Geh8GSu z+e6Rnzw__aK?c)B7TqF?A>28sAvEVW4|!-SRN@c$u$+)gciE_wuF6!&TIzVIRpJ%>zm;QkQ@nB3(-&o=rSL8xsA9kMSBZq5g&*Dpb&`o?O7`of9GGrx# zi{PZv_R`>IL?IBmlj2q)yl4#@{q%3|uu~aleD`g^gQ{$Q!Y4f`X-|n#PmS785jSM8 zqe(!Em;^Uzf;5YpP+p`{!DMub2AAmo+qB&}w64qk=_OhRRdAsR2h67E)gB}Gbk5<` zd!VHGWlB0%r@pv}Ul+G14~as3@erruG_k=Wywf#~`38Z^1+gi1Qv9;PiB3H2NS{W; zk5l~9gx!~`xE;%8y+o<5E~`(@fK4eU5V0?-bXN=2(3Df|i->L)iKbl89gXgRxo1FV zm`=qWmkDykCUmZuP+4x+%Bw5NP0Wrgw%1=M7fQ1JgP>ugMEMCJ925$cO3m&?5wn;O z)rKk6_WKXMyfBIKg>V2J@6$||hM6iS?DRl1Sfx5r%!*axE^9#)U0J)Fxcd5YDA(LM zh=q691KLTCWDhnYj0yP&+#E@ghj7OQl*cb)g z41%&*A>)5coEiQ^m7q~MNfStA`;fW zZn0Z0c(L<<2g&Dr&a0r!6Q0V)e*0&9X7&9Kc^FSJ(B~)&fE@%kqIy9>Dzcxd$O?6#%LcLDDX0#hFu_*Nz}sD#e;n}Fks zzL4>D_7&SYuU}(#3w7I!JJ5KuSd!ZL_1`s%S=KS0YjQrZnE!CpRn47ENfqaBM?{qs 
zRuZ8*pIo3e!Upa86UOX3X(6FlwiNry6lLgQn0{ceACk$rHylY{+hpz#u<-m^c4pw^+7t2;Kg`UD`G=R{Em8Y4PJ4qS`nqUqXrel`iCA+ z=MAJK>>Z?s9)<~%Y?L4iF$y`=3VR}6ej&xEY91ie8p+EV z%=c5>+G1#Tf{E%`uJf5WfOe)wJSr9`_7)f%OfX{+(fby@?QkEd5nZsI%{cHuT2OK$ zChN#*QebF@@EqF#L|WUlca6b&({bBj}7 zBPQ6(t>7y=LoM#*qe2 z&4rT_6~%U4pofRk_GM%JJ?YoGL@Q-jA7OQeGdu;}iUTyMDce~n_CYyex3?M^KWZbM z!lC(4-MUDgrXUb!9RBRrxvrIQ@2308dKlu z5wjgzA!D2hX*%2!`WidK!C!e>4iLr#-GV|C21aa&uyrE}kenNrsBA)d6RgB!6^qLF z19!(jZ)cUY)sWuNaGO*DN-mZ9VFFSM6FP#T-4MbeFSjRoOiW8 z7lY9x91-kP9p3U;fl)om688-vzcy32ThIp8AGk;B%G2ub_uo8|( zgJc={ce5_EpX4X|DQx|Xgy}RsO2_M?tRt&fVzZPm&|9U}Z>b91(asX&N7RR#bM-~% zz2@_#l$^Atxb+n>Agz#b1Jcak%n)ZP=~Az&=m_HP1n!Q zlXbpw@6u3-MtJ%KUzq#cw`#`er@v5O`?@2!WhqRgcvam)CSQlW0N2II5| zk!uZ2+ZWaX5FJQ%8C4|foz5C^RD=v6k@}Fut$Jqg(+>Y!g|s5^dJVf(pu96cu?h=f zoC=h9m>>skn5Dnk$rS4po!D*Qf#JZkClLG2*O3ywJau!>oYSihCBdz4G= z@A|EHzIOX;tdPm7x63)2vk+l)w9ZA@SfRyUdeyYDI>N~2X)NGrY#`_T845Yqm=v}Uu)I-UysIY2bZ_iahhZOWF@#1TvhHyzjHzz0Y(vvc z=sgH6r4~0Y4aclYtsvRQ^%3qXG9Qtt5;O%hm`-qoL{)`Es?QkMbU4*#1eah42hS*l|nYmcdP0qC1{cgse#+3reI+2zMkq5=dA9 z+HBC3UwsjKi>DY+SbpH=H|A)meb2*E6h;Q=$LZ*NS|XlFNf!$gDitcVC6?+Bc;G(& zrfccE=nEIs<8oR>crJ@97E4r%HMYw!r5h1;G9i^}o^k{!R!pjuIakUq`;fzViF@hU zHj?E7x7zLm2;opBj~9l31k_IXfz&GWvtv*Xl+-lTcoaP|q%)56WlFSQuvg;m0Lo~< z`!z^*$`ATrIK~UDyXkQgHh;z$$u3lrgQ%FQ$%0KYKqFJLJD40F^>+shQH}a(M!gOk ztp&AX8tkl+h10;{#nalB!k)#fr+JPis5A-$Z5(U z+{ur{O^aD^I3>9+Jg67; zE1PJL?2Zs6XwNih3XcV$ipmoBMWVE*??8Zu{&azH8volMyT3L3X^@;e&g(=D@PyUj zBGLC_?DxQb*Jl$`@@8yl=WEvwDr;>Rn+;ZB`(&v3Vx?qkGSXVbf)v$W5=Q)J29}>o zL*>vfCDc}H6xNDFTd=V^&t&p(293QjK75?Td)MBh+(5ktqg3L4ZuS(Y^{3Q_>qMgl zt7`tZ!A+!DpZ28k!K{}<4LFJl0{yz_)v=hl_nzkbFeAx%^=?S9LX_(bgHuc92H1aw zqHJP!^X7&_P>JvD=_~>*}qy6UHCIJUfXQe!%@>y4$&3_V=71q zG-XXm&*%%G5nTdJ>cX1#AVJv|RqFFGb|Hn0exmIPL$&b?LTe0tyL94A$9hs1;7$7+ zuP+4#iRBV+uvAJY_Z2e{-!Z9fd(ufm^qxjdWo*+RQ8S%}lH_Pn!~Qzj;Q@do zFP>#2yG-rc>BN_+-9H)3|8ThfImjOg7&+GKL=G^^rgSTRt)P#g-T_eQmw>T{eukQIkDK(6|l7nc?YbB9ri?%F-)o>&4D`ogc^!wA-FVz(OHd1XwiOq=Kk*7kw%fTCY_>)Us?FM zd;2E~EiBhh8?5G6&BPRE4D}Z; 
zdAY0R^KN2$A#K0oMP&rZM}-?fvZZ!A4XPgL9k7yak+jXEW?r)?2mk;e07*naRI#Z6 z$7J&l#5m1oH8l4qckDxI^cZMA4Iz*@dk5Gb>)Gi9XmS8urMMoF5DzNK;^Uhjx|+_X zIX7Q;zT*EFr*_1(U-RqQaWpkAmwCJsR~uS0|A^62OnJBzP69Vt#|kMDTzaDrDDj$o zU`3o1(N4?)6;VU8ezr=T;L%2%Ak+#jq5~WxMJe=2cMMjP*B1u=T$2ig@Th6p5w8}o zo4ZuE1}W_Buv1lkXgAckyv`zi(I`Nkmp~&sU!Te!~ItBBdX#S za7!a${#3y7-&aeBgDk zA0&f8vk-`18KR#%&e;JD(;c#l&g1_XF#qI9ewC2?vm~`u%o<@t%`Bmi)lGIUzo8#> z2e}-h%tTE%y(zUmM{=Ww=+8X-z+nC?9|F=;HSW|)kkyg$dcgTQK<9yNdk!GfXWHQY z!D4?g&&IDGFsYJtw{m;6ZT={vC=|e6@V`ce82P@z|Ip$8A}gK+T6Ieje4uF6*!j=X z0UGiDLHfgCj)w-YbsgXxwe$|R-Jn*yi37Ce0B0TobseB<(yzY)Z{h%1J7tLdo08yj zbAW?fj42(;y1XNqa0v=qUTYCum%bwLgg8wKnJ-%ohi_*4gmfiOg9OB1GBk0zuM{mgQ_e2 zuyF#kOM;v4JeR)AVbF7RfKUKCq6eVs09VIkPxnp^JAnTo@E7@nn?oqj1#y7%M;>#C z4A(sYPS-fzg-`430L?IH^GdWUgf)5s8f3WY+pYx50mKH~r$ehRpfee+djh-*#{4?> zc)AXt9KihCafS}i+7NT}WX5bTg@|wF9}NB%^K5quVXtE~SLk=Humdz7Rm~?r!vXlk zJTHI!fCt@5@D(!Xlitcn9iUT7ZQfRUkxqc49H4;$bsgZO26NTk-`)XK2MA+c^CWox zt}mzqWGK+SkkV0gfWZCFVbHDvTs4C}>HS=C2O#tV1Q{<*L5F zvjen8f!au<)+R#JHS32`cgQ6&AC8X zCAb>`y}s#Ojo-Y)4&Xx}tThB`9t_fs3>Tyh0~e_409V6+-}EjHI)Fu$VE-4sr61t9 zN${D4K=r*!aBB$Eb$~ZDhpX)Scrypsn;^5-6mPL-bpi+l z%7n4@b%EN;qc@5dYKqTVBI%+)XJA~H;VW7lp!fSWG{l(D68Y*7NDj~{i*msoppgS~ z9pEw;=UH51*8#e0(6g|!3;P{czyXe<4&6+LRubGj0WPdXp7DiUaR+Eshu()lyAE*1 zc6MRE?)VOnZK8*j;m$n=cy%41vHD#HxUhD3ZWneu2RMu<<`=xj1Z`-8YC=pM_jcK! 
zSs|=}0_~|m92j!ei4NTjfzHj^F5nlR%mG>>3Q6c^vglHW3ytw%MADf#fZc0~KUx-L zf88?_2>1uzWrJQob3FS?>f`{LI`8pK9bpHDttcFl12l~Pk~x6XpawGn=TUExjH~2{OPO= zm#uB^;=K^a;(zgy`K~I&IT_wX`P$A7;M-P$n`|j>L(d#we?Z2WJpnG19iH38basH|B)Hw> z2^DJY2MEq^-VX38Ht0SK+I4_)v$+fP#fKe$ADVnXMte5sUOu^(1MD+GGjZHAssl7m zfRl59x+lPevcYq`m^X8PgCWp`bAVRN>!=Skxu^(o5?AkhToS z5FFbM2HmHxdIfBGAuJn`*DZuyGHZPcmwS8%XyyVnHrKTt^;)KKU;yL9N<-hvU7%I3l~TYG1a%512j&6h68kJiR?N+*T`SJ0-YV8c|gWd z{Q#|8pmTJ9zymtav)tUo+(3aECxH9KOP0HI=vUjwm3~Ki2XKF(5U4#HG&?u4qS!$$ zkpGpmLC^36(464*Ba&J@p@9N5l;IQtbsgYJTlO(;?&J>8TwiK0j(aW+a8Mk#>j1~J zfOq_DZ{`4pQJ`};0kRyRy#utyZu{Dx-4oy)xBI=@zw{2!NgevYG`~FK?}k8K!*5-I zE9C&Mo)X!0fUX0)nFAa(C>xXnM`xP^pKMHO*8#c?a77%z;eJeLiF_SpIFaG#!k}Gm zXj2HwI>I`^pcmu>uzS*ojo}#CpNH!Jje1{>-tG;^=sG~x`rB864?93-GTcEF=*&W( zt^;(<_jFdEH3^Qt?}-kb0GGf4n#Hl&EzH3}m{cLUA<*fV(B=M=({O-&Ww5dDwfkt3ziY(7BudorJNv4scbB^lje9n>awG4Z1%g>=HPD zuYg7*bx(k|X;hc#voEOw_#ZjUj}5Kr(9o<6+HOWzBLor*s`&tG-G-RUWUX)ETH8B- z8e-aqK&^;SYd^plo&fC};9y5s*8$#wyCxKOf-mpzQrbxa$Cy+7#Z+i+>Xb5DFw1sDT7s8V4}&4|J2@ zchlkz-1VC}K%*9*F{zmY*q>LiZ%-Y16X^o^ANhPzeAW)!2!q;Bh&jjwk^^}BFSc3x z^&}70vO#Cc=)13XZ3PZGfDMH(p+JogsIyr#%c5isATE#`VCU}!_}=1i*Yc2-&r!d4 zS`Hu>bffD4$9+au_I>Rfz@PycasbyfDgN*h9Cm;P8?@^HSJq&z+Ks)512jt`?uS6? 
z2|iN?c(pWQyAY^*0$epye!crS4F_mVg3rkT4(bAB%W)`vs~YSK@K28PR|)lhw#17O z{o5mq>;fr#{!KpcQ}=qy+5N4{umYaXEPQU@VFdNwU3U9Cg&PskpM5jt=m!S>X9mVS zzS#bL+6~AMB6KbxP!p8o^;$}?-<;l8q9aWe8-Sp0}~(q=$1`&Z&G}Qg`R^0 zbP~pD?*JqozYhM1#r)pk{$TKrJpSvH?dcWPwm)LL1|QVAsL%Jq*6Gd{C_!zaZl z3WXhZ1`H$b8KU>WeF)}51K%<*<#B@s6CLFM&6DCUumiM+nWi4UV_**a3oy?e=~Hmi z9{)7PuUgDzM6_AQRCXv-Czz-bSaw~Q^b*#6;7Jw=#4Cp0)kU_~rkK)+(9H`jp$B+;G|N||A?$Dr!xlH{@Z%nH z!-PM%3FfB7-0(2!@uR>XP|R(sT`n0`qSXOZ2H;l_(a(3z+5sAw{N5bn@GtrFnwEza zc5$5oHSkpp&IYy&ev>RTn(>$?7N#9`rbuC?M(M>9p6vcTf1m!en;c&%7f`tKDWArZ zxV{K~yFhZ=stMy@RQgDAhLkm*fNf zGU5*x*sayg~mA7h6j?4-v`g1=+%_ZVU(Mr>AwYjuE5CG3{JcS>FiUdCJlmJMdk;1@j1>c^4JT4IGo z%T=P~BDD=mytT%3Ws1eR;V0ifr`^|iuYf|G8Gc|aKZhs8oSOq=r$7dAWv_Pf=-K}{3}fX^kb2lPux)VL z2D=Jo*^{n!%X9 zmvwhJ!I~q$u)+5m=mXya-nR0|PT~N~{Q%+L-+m6T!OXQ3{wwfTz<=>jGMJ)x8$KLi zUPoAiAlGCY&4%Cn?TTV z@v9!c7E{^YU}$%e`2;?e19efO<66K8-skc5Az#F!^u+!2^c3jnx0Ht*cGQww_tHYjCvRbqg`L&PD}`snz8+Z7uP9D*xyMNB?vT8JqgS@n3oowd)%zS{2ttI z3vB$>@PEr@j`cdB1N@=1LHUjg-ksic@Sefw=dOnl@IwaE=R+aG7fgN{m~hgyAElaI z(C*nm!s9N}qW zZ=H)=VtHnE5W-`HITa5Ii&aZnHlRZ46N7!0h6uquFERGq@SzH*$9kR60erm0+(?CV zL`R;%-UTzI1xQJ6*etWx0t_nI0n=;3v8Vh%%`>hkG-|%SqxxY&e$a3eCCcI0b9fcc zW(r6z3H=X=Y|Oor@y9f zC)@RnkeyP73cZN~c%g!-6IDHK(`0#|m;$o~W>c7}2ljwpGO$vozBYu}T4Zi_ETD^n#1WxoH2o8WK=|Z8j-v(xW!)jDp0CDWU2mu2kvt| zciqZztAS=T8bvKZo2umY7`)KH0DxrA_wY&I z-q5tU1%WF)|A6k~XkN{Q+K{+oUg7SH#XMEWYcMk&|8f_*5R+`B)T$M1rNYZ(lGOzM zABD`vKIu>70Ed0ro6q^&h~YQLQ2B0MX@jbep*e~KR{QSNu3P3>L`Q_B5JwyE7xY~%x$ABtFcj+dS0$2F>4-!nIU zfgYyn2*VV&4Q#rMA~R1G>+46czKE2wy^Jq^&fnHQ4?QHuH~51O{J7WJ(NJ=1I9g-6 zA4)^uMpCNREq2Ucbxex`t&hGU06!$0!4UdFuRK?}Cx zG0WQd4R#*fLW-NS*f~dS0qm-$xH`i9%`RM;n{KGaP7lDwNS$QVg^UKmk1 z{F+Vz6+|-rhwdbx1&sym@TG^U$@&GsroxDGlAYPHu$eo=lB&oV<=Q??sLeT;tx{ha zr#JbEb@!OZ?o&Q}CyHqM#jGz3+_%$gM*U0_`dPmoQ=D)izEAIgz2`{Z19#mL4f-s( zRk%|ITg;%%=H35T#^2bq6zZq|Dx^;Z%qn<2r+JUj4zEyWx=y0n&q9P>ccj~O$~yy; zMWU?11BE(oT<Evg@7Pr&}ldolqi1ck4^Iht5mcnk4q_Rs|-J~~}VJ7|L3U{Ps z#{Xr2HC4skq*AW4(^H_gw?IJ!tUH$Ij>o^}v*-1`havIvvlw3n-ww$;R@ftON#SbP 
ztg>A{s0CI$UKE%)g|C_M^CS(=D|uR?whX(wu$911WEgL>nKh$Jnt9!VFbh-#R$M?6tOxmHIL^2IelSQIhzeAo>>%vr%=`4@@Gk{-0R70(%F2ffu|Gxe-*s(k;6~?csevb)pzCs;^sKP6>`?oDz zwcJAUF0FU(53?|JCAO;Lc-)e~Jht$)$2}G6*O9Iih*qJnwZYErAnZc5E(rT=)p6d6 z19UhQ%p)EZixhhYNe2`BSOKde_K!S#%iu$Z#CGRAw`uvG^U8o%)H>7{GS%r=iNtm6C`YVjmv z1z7K^;jcOD4NG*(!H3|#ZEzoY%r%P{$YcGchV)j7!mA7>*X+z6RM>#Db_#bSilE(p zNdSfD3&8Ip%)dL*uT%U=new_eD){(BQ0AL#Ag{WgH~H*C;npwtWi-lYsh8f~0Sf&+ z#N(DkRm59a;mnN#;{+~=AN4r3$Z021HCYV8lP1Y~*O2c@sw@g-+s&Oog_Re;ONU!f z5>~{{JIt~rSt(IigUU{pbp7x2Bn6h!T)2~dmgi>?{ISBw;x;?|1hu0GGdB_E%#koCIj)cCz)+|QeS zMcdyupYfS_zytFs_w6jV3MF=~MVN7in=m0X@*f$@w}d~FArbusTQoVVu+evrJ@DfI z1C6TV-kU>?kmU+;29{l5mGZ)4AA|dk8tG$$pY5Tz-a~PFmc{A{Qyk4Dsr{Nc4PrnOSA4?0St3?FE=Vw#FaE=t8q z;DxG=>OzaKiw3h2k*ubq8&%xa3;wY4fKQXp`JD5jRp>G--IjIV6zPZTohY1ZTfuz`!SG5A#haI#f1j-FR&=&+b3)0*GFK+%Cc;#4& zDXB6-P((ZMYJOlxoe}{xQZZ&1%nrB>Fl#15jC3mG z4pEzpurI5a`5MXc4E5T_=h%Rg!Oj0~G|8V8OYDqUiZ=^H0uvP1-_Cb?LChmA7`-3N z7`lP2S;|@x+d~$e{=T)|5<0Vl%`4Pd6H!gQ+*&V>d!d4(A)U7rRvm7w6eMxBD=@ix z63X(4jOm1LKJOD??{fFaSSr#C#Oo{+tC(VeSQzyk71JcA;WEfn1vSBVgG!JsCib{E zgX&tV$@@3>svJRT6#=!7YK8Iy=@BUbUV`+62}8cqrxx?14o?ddUM^DI>A}|5c~<{` zo^KeZp9t}IK@L#;*Mek76>!bTxG>ea}*_ttHwwU{Rwg==ur4mWMEFKW~m6MAdILG^DXfkk(b zn7J3m0rF+fPs1E3PF7EBWgYMx-nq=c+3AG#W9o z&+}n|NA`MEp0LL+%KJ{UYO>3^(R2#Tf_n*O#)d|HHz#zXg5M~I9HG2JXvF!G-M8fg z8M^aP8Ol8slHQbb$l->ffRD1IFAqqndC+|s)9C+^gYje;b_Hq2M zh#|iB8DVWJ6FGD1J~SvP){kafVBp%9hQiAlW^s-e>mTr!qB{io!+D212RD}sP`woyX=9BrMPGKuizFPc915-NY!LL z>`k>~I#@Hf5Zh+eWfT&u@d?sV_Qkz3Ux*+PZC0=%< zt0nyUJUv_E{E1G{oc4Ue_~Z=UeqkM8-z)=Dv9Lt7P$uq4hT0}cK?rkJxc?DB=wqR3X+Cn$B$(l5lA$?}BLN=a&eNo5G zrR>aYv0GhdFnth?dsX{SUP#+7WGRFnv$H&jC%9IwF(}EAn+eGzxceUSK6sG~hjW9^ zWBiPtpZ)9=4`0c#IpvPH%HEbaK|qUS3_^D?H3?=iL+SzYqU0EUKm#Az*dZf>0@`7S&=3-OF+x45b zgM6b<$P!|Fp8*5gHuU1EdM*lys<=k89-a&1HyJ3fR;5}SV=NR6<@6VM=WpEeg?E6~ zuqX^yP!bq#aM zTrduoX`8N^z-h6I8QIP+q#*jPpwrnper|wx9SYm+|m|)W0JA$%h-B)sT`n@*oxya%~)ZOo??;f<&?BPZ^T!B@(o9-t|b-I zgcjX4L2+310|_(9z%sNbzxg9`gaZpC1fZe_g`0RT`7;u9C{Me)8>v&wQGR+#_x5<8XaY}DW{ 
zmG`_+ch(t%{D;2c(m6m=ZlG%qMX*`ED)!UY<3ee_aLrMhh=>BqQQAeBT7|epQY{Fb zOl6@(t)W8u@_+kN!sKdpG8)t9Q&tU~CmU#z&LyED9<5c`-5O?c_X~cL z{Nx1c3+J)BALlzS?Fn!YGX0XzqbWX#v#{t|Nnue;q2H5^IQ*>$CR_-ITu2;kP%I90 zgObk@>&Rf#mZ|V)Z(WX;Cxoyee(kC%piPu?}xNa#=K01e_)IJs2ttGQ4C5AnWg93ree z1@odFI<$o6`?Z9vt(a(A>I>IHLF+fk>mXalG03xi&y{e1EH}V>{*9Q^=RwTrQ}c*l zL_^#yczXN#f+1BWTu?GIB7_M#RXjatp`T2xqAb~#ya6P~&BG@jV~rX`G>QFYYGxTF z*vZgVJx-I$l^9FNX&U(2k*q{SLBcP^^m~#qg>5cWx&2)U31l*ZQeOxIBXTCJYI|A3 z(Q%|EoB8?st%$yEuoaJ!;ctod;o+ICE5$vDU?#!L3FqHod3T)Kf;5{U-F(T<+FVcn z`;PH&Pyb8L>Jxv)&!RtPvRGzxq)aqIP_xT8MdA~=U|?2%r@~rZJPI18;Y2vPc+`3Z z9f&C#iKYHpMy~K86pxg$c+!`uqI#^tB@C%{_5g8eWKgEUV3e;6`JkZ#aMwI$$&)S_B2mFLk3l>BOG~^|CtY3S;o5&^x^`YnKDFEB9FNMo7&qM(h}4v0)cE_0;D~Ava=zED+on2!Hb#DuWAT^ zQzP+iQ^#!Bvl<|kUg=pTY;Cgs!gRpGz zNy4s1QEk^q>SOHIp(p)ltg+_=h2sdz7Q{(?D9H5bRNFYq1miif%9d2Hzj>XM5qFGNOHHKw{JjGD6C~m^%9qZSR}|G**9KBuYR_TG*uAld|0h#o>tbZjAZBV?Jz*`N?}|CEFqha<2%NeO{-= zk~|2@-m~}M_XS~_ZQ<2pf)1ZFjoyO{dCFC0YgxyYrs$}VC!kJ$0RPBPpV`K(#}u}A zSgY)#I~S+D^Q^t&oppc~)58lkEe>zG?KS|dhR5Lp6&kPzml%dPIOkkq(WLA}6-bVMjcL(HM6<4Rr)bw%Bo-^&coi z(sXl8JQM>{Kd(@;J8Wxj=m1KhmDq}{si`RvlYObC9gUmS31EXTaJ&@ZR*Iodx3Wdx z?WlY0>Z#wojt6xeAYZkt;UpNTg|95s;x&3oj(DJi8BIvWEs?sdKJ>V6n=l?q$_k-D zf1oKhIPe_y65Ufi0Yc?jjpZVxtpJZw%5W7z!58(ag4rKUSej@W}|_|qfE|G#;+z6af?O`cEsU=oM5hDB*p8HCp0-$ z8wY4U6*@wiO_C$x=NqZ3sqJzrLw16S#e&Ny4386%r<$y3Nmlz<+=RcXysZ|^w`G)P z`MF&OIMM->m_97PcxjvYK1VVLk;ru7;Y&AvT)hV(+_`KnxHNYp=G7psiG;V5P~Y4o*|{F1#LrG<@GK4Yw7#qB0Iyid zM%~~MkD{T_mKl{c+3YP74@5zN#M~)_NjSXc1IGyc^k;Ny2~QcdWVTu7<2gX4p-roTK)dR-bkas-I(ssYCb*%lvigDB(dYmAUIc=Xd~T4{`pZ37ocn#F_xaiUO| zOxb!f9}TL8ns9J*lPLtE6bRDYE%?^+&Pza%sLfwW9 z8l~oi4;5S$v%);&mzHERqGvN!-|ShU8kG$!E;v0#T8 zELJHLM<^)NnJ^UZLUPYyCp}KR2XX{SJ*tSNjxLejLhV3=HK|SH?TDIxtWZb2xHB60 zswS0`^f{QhgmQH-W0-1AR*)^}qCBtv5W5cW`fJznn+<2U#c;!0^xV1*a7qi=>0>-k%COzL#`-{+{=1NV%j5r(2|d4|@kY>%S|(o@+`oDJBPp)c oC~pnXvvW~o#NYBVo!iI%|Kc5;Rd@u>k^lez07*qoM6N<$f?Iu5HUIzs literal 0 HcmV?d00001 
diff --git a/site/static/favicons/android-36x36.png b/site/static/favicons/android-36x36.png new file mode 100644 index 0000000000000000000000000000000000000000..0c479162f8271e8c81e448d810abd01f4900c1d0 GIT binary patch literal 1438 zcmV;P1!4M$P)Px)SV=@dR9Hv7m`!X{RTRg6=f3H*9SW3I8$h6Gu>s}FL=?kDh#C_U5Lhq^q^ww| z(WHqa_(4ng3JFnQV_;>9xUh?kgdG@&ACZL(2}saTEC^UiDRc^!Qt7)#?z}fJGeBvJ z?Mo&z$-H;(@BPm?_n!Y1p5UrO&HE(hDbxzqSIp)w+4WmJ^>(c_dMNkuf;46AW={FI)MT+$t95~7RUks*p7khpfY#1L4ribn$m$@vJRK5{~&lRl%HSRt|dj)&gpf%%}c21BK?W3*%ftqQH zO(j;ZNVTA4ZjcZrsp#fH^7f5mTxaIs?X;J9_-j1mQ_%6@{qDJT(1x>I-87&1w}u4N zOmnQ98A}y*D0WIZM?iZNdmw_WFQxS2KyTVbYq=8LF6a`_F~OU=#McX8*4@M$oXXVR z+%d8gy8G7N1+LF5B!55XY{f=`2dpp1nLcjEkMZN_m8|p!lc?Hkbw%BEe6LVOB2CjV7?m0~sY=HsV01sy)1hU_J*lCl@H$ z%kb zaOab8{FxBm8fFXoRl&s6Zf>>-TAntQu7$N|qL04XVqVQ|VcmU3zM^qqSEqoFSphh>}Sp>h6+2Qc*UX(*J-bx%#xuQ#Y`}z z&fH*irN!>dOI3v}4BdiN^sHcOI=FTu!c{3@#_NLpLZCA3{Xu&{4=edK1Px-FiAu~RA@uZnptd=*A>Tq=ZK7_A$^@OKog6AZ85EjE28J&$k45UeHy7l;EGbfAXX}ka|}X9Tc?H!~SXk z3*QkWITMiE28a?ZF%&HU^HYIMpmPK@&TzM=qH)E33MvK`j|Ve|XYt|!Z-V?`1Z}UT zdhm8YZW%z)P#67mNpzE7e+W`7sANtY&tg9YJ&|Pe6+ujdf<3_Z1YHI;l<|zJq8)-c z=rR1~`>Aca)%>_6fF5+7$G}bx-3GQEC`zBWd$-tb14j%T>!GK$j=B+NtfGZobk>9J z0NpM~MG#uSpQ6J8?}Ii8UQ-3Nz0>u^v;aEjD2B52VeCG^JSA`CXKbBMZigBH}sDi0J_k!1pQkTT&zAK*y7B_e#~Ao z=<5ni4^VMtre#pka4#KSRqPIfZUM^Dr8kvdLtxK>ceInL9h%)pTB%ceR zk1A3QYBHxmLb3l8?5`Ja-&vq7~8g5L#)+dy8qiaD~9vYy#8d@{H4yy<6a1w?j%{Q-yz z-SD`EXcg~L87peD0(8_e0h2R2}bH`sBFF4 zhL7K`mwz{eFwO2j-91Hp599#oq%R6uRmg8+c=eU{xQxa*-yo?n z8eF-(sQ|7-4JH*r7LU>TN^0(D9|!>VVAlLhV%KOg~q9J<-U8QqE2qpb0bgz@Rr6B-Fd%%ko(U=P$=6fJe9GnO81;8{1&nK#a7c1nE zn*jt>D1prj52UZtK_igpc#Cj3zsW62v z&t>6->zetUCy@bKRvWy%X3|5wps{c+5A^W4lfxfO%PQ_V7s!WBA=5(x#E;gn@{Yl1+p39G}nQxuwPQK{|0a zN_*X0%m&5o1(v3BDAiEBG0mt=uqPvg4;8WGw#40GT9<>j2V?`-B|s>ni~4u}PeO3e zL;q69UoTEe+#MecPF`Qi1B)z)Ul?Skfzp&Z?SD;t*-_gK{Pr6CN2_U^)|e>9-%96E zwF~qopkD%wj8moE(gTWjSP35};$Kl=@2$z}lS8_L_liro|C@sRJcK+fs1ttEDWHNK z0zDl<4ir&vPN>T|;85Di1{iEC@CPM)!wopn7e}|4_~B_=MoGL>%E-II`k4(lCW9#L 
z^9Jy~5B5n#>&KMhqVyQmg_gzZ4#8^)l5dm|Z519*jhNaB6I`pe6l}Ao^JK-ON#?Lc z-xoMG#K6%C*3a&UX*`H>JT$NNw!ZneiG0y}O&E)Px^B1uF+RCr$9oNIGb*Oi8!wNH1ebq5Ju%+*d1gM$nX#=$s%z-TV^R3_LlI3MTR z)cgu?RenZ(fPpb~GO1{)ED(a&##oq3372ggJ4lF|00~Lx+GnrPKIimB5|&y53A_7? zRHg3LKJR(g+H0-zzFT;TFGU4N+@!D0gWbRZ#j1ySZw&q02={x}vwmCdD9^4fLI7h8kqED=K>Y{ zo&vtN_{SA3E} z9f@*Ku^{e!IqM67GB5@@;A6iMI5xu2@dr%wZer8KV(fN{0#Fb4*2F1#&1d|r7~b<1 zT_uoojLOL`QND2$(JqA(f_~)V8-w{54|xq(t=M3V+0O;Mvl@V@J&Nr#=m$k4PnJ@1 z<4K3y69dRy{59^@6%%_!VK2ybL4N^K>X;DzqbcQ#3ih_b$6!zS_@5<6eBDpKlv29U zz;=PXg6t5e4cRm!H(7;;pkIQXRkSTh>TD^`x%~7*%7VuR$N@9Jz_MZN3xc-;bRXz1 z1*)g+Od&vS3kQ9m=w;wj1Fdo57b~gkOC#t)bdbTS5eBz&wb0t>Crt_SS zZJ@Mbg3{lDdD|dcEmR7c%*{Q*^$Z`vXGb_OdPG^=N*SRoO+jc^UhCs1M~@>6t7`pgNNs~ z?A-<$fGV(26+EL79tOQ?NgWYlr%Q-`Q$|^zAg<_J@T-H4_(rO##z}6lq?!!ofMDHP zinAA!TYT!cz&+p_A3bgHk5s|8l4sj8CqSKOqMD%w5B4ZDDZC`G3bZJ@E9E9k8I=GS zPFZZbV9wv8=SJfK=sg>XN@wCW<*VbtdUTIqnn2e}u&(SYTWsRi<=U1GAHThrSX+XJ z-^~?vKM0W9o$fI9oM3+m{;m)l-2@t&`k{c%sxSe1&7c<)dnSfyU(WI?kGqS^MKwje ze!g!6uL=C!io9rG4M>m=A5nKr2-<1Uc1!Ba7!w!kc;O#Ew9Xj-b)fOJJgiP(*9+cj zg1!NE6Ht=fVyE;>4wznns{(B){J+*yedRERN9Pmka{)2i-(7C}Z{8{{rlQdz|87v% z2(MRkg#;T%ZVeXPQ0wv&$Ys!$6#mH~{O?K`y(es&(%;Ph=zH$eCnfYUyy4}RZ2NNp3$Zv}oWQ19kYkEqdHFEa|Z*T=k5 z$%fBn1?VP&O$KQNymTMrKH&CI*G(%r0NSR|0%M<#P}Kb_%Us3!)W)KZ0#i9;y7*mX zIb~}McDup8ZegzpicB|6kf^`Qu*p}nxt!0HT5 zw|)MofO!O1a*InfMU-w*{2g)Fr?5?sikvx=yZH+PD7{U(uGuH`2O)Xl8OmKf<1aJ} zp2p|gZa2h*Doa_jU=IoMPwAW#CRgh#k}rd_6~xPS&;dzWZ*gt^7PdTm8W;Ga{%0p` zW$RekGI>2aqvkov@xHH^`2d6)phr7bVFMIir0?7L0i+Rw!rn>)26Yt#gP!A=mdWc0 z7!>8$AjI+nsISSxOiR**2$1fao`Wp5xtz^&?P6(w)N_OLFissnw)GZ01;U`Z7DWPp zqE;kg&^!Uk9di~QKrY0l1LW$UycpyPMVEuJNm|g>8wJ9kpHbIhgB-K~fO_e3BaI*j zr5O~p83hH966T;V#9S9(eL2apZwpsSz!Yd&ZOr7P;NILkg*^E%AE)03DC_Z8%z|_0EIN1 z9559eK)FfU6^b@L2HkAZ%*ZtqP)3njU;ydP9NnbTO9nIPJVIEC zbU7|byFxMZ%yYf~g^!*IB)H+1gaF+w5P+6t018FcZ3Y`gF^9Fv(JP2a5*TfgQiMF3J0KNENfBxs8CD~%p8N} z0gz-yt{MGdXA1p8l93bTTHzKr`ZnNKEDX!Av?2289#F zbS0fu%!cw87ix+<>rvfVL4}jQ{ODhUd{L7`Hd#`y3TB^0w+YOUzqp}&d~Sfco5*?e 
zoFmkBaq1+z0|F-%+cJjtd4h@V<@{{m$0(rcXMaTr{u&G04f48Tovyn~kyx&{GhDlS zsv&a&^nmW|7IQ?gwSq(vy!7MeOuR-CJUtEkDT)0eNun42I41KDX)gx#oU#mllN`mX zHQ22n``trAgRKXW(-bSw1}!6C?t%;N9W-dV{=eFoB2@h(w%e|3#*_3PhZW zy*8=1KMnrzQTVc+2mP?k{cTB=XQ7UuBQ`{QIiwon$eUny3$j+BOwdTgnVv(tDI!i1 z+;5>1^!*eg$II9|yNJ^%+1FBC9V78`A=M1LA@GZ|40xs)PMy`@u41oxcqc96Efox2 zIn4hqnGD#m<~FYuS5e)lm^U;Oy*CKDBJ__;@xf+fz=B*BXc>W%hKJvk^36Trzh;*K zXL~O-59of*S(_$(qPqlb3iZ-6h2(Cg8%k<%lHdzI{+R@}y_AhhA|!_|HjRba=v^Q$ zf;fA5+;svoMephW=$sUEwhR6lOX^~ho%svNr{{%EIuk2MZb%T@V?xRXRs_vR{`AE5azls}=JS$R2|@O~Di^!Zat)sBPcVee`M> z*ZYLMk7Z_2+G4P#D#h3a%fueV9w0Q<6sNUJQ^5`xb63FKw9{aYBv}6B%q+S8EVM)Y zXQGesm%;qrVBEI3O3*2Gs3_)L-n4{f-E+WuO8n#~T{mjjvmiSZoGKlpe02y(8thIQ zutxt+u}8;QcD|g6#W&PV&lAd5<@YIGYZ%`u=$jt0i;N|6YS@|3sXXWmZh~HL-iQhM z&Mafstd>mWld5sbcKfLFg>8}0$uq-}nSMg5&@0%}AkI5-ae!2J4Lg_Ck~x)4YI-=g zyppO$1!ukuOuYsTOue~o=jbAw6YzmSFQxF$y4Ix(?;?`cQ*Qa!2G0DE`-q9E0)qi@Dwl2Yxz7Q{-0TaK5~c zqIE^+elYt9Y@N>B=8mbzzB8K1q?3zFN7J`$7m}`qx(xP11Alr*fA?~l2cJ|pJ&I9_ z!l0SEoyPBTxh@8c?j!}b;|Z(_fl7y4Mh=(bunMOL;i)hD!=mpyYxyKAuQ&tTbo*pJ zAv53iED1nap4=$8&;4iPO#I3V61ln-;hFRSOEV3)?tmqF6g@TBO0-R2KOf>|*Ghg< zSO+Z4WK>&ngsK?elU$sTT8YT%8+KB6lZsPK@t zl_jeweI*u5``jUKx-L|E$u$FKET&};?_3SXCJ%Ybzde|57|r(nB@MAh?X4_k6s+6|>pZGp^ZO(&1a~I{zOX=^Me;{*wd%0000P)Py2qDe$SRCr$Pomp(0*LBB#=YBK8O%x?+m$lonEQyk=#a6sZb`zv&6CgF<=A}UM z8X!mz70^oj1?-~9Q=6^Yyvep!lhk5srzKLNM2eCqk~8z&Q=aep zhO>~WM2eDVX9h4NS~J7@-TyuNx&I@4d0wKZyTFARLe0_)nZH%Sr#)UB?gK^sXAn8R zgr@6)gkP4&k}tzTZR0=XQr&zqj|y&;qAh}MQgj)JfY-wkZB<0xJYr1TtIDH1YcoP(`z#R}}34Jrxk_%ah-qCVjM- z=9@%sHffn!uPFyW8=6_djp=<1EX0NBazqHA_YswGA6P0*JGw-jg+NK2&f{m7b&i!TBo zCJd-aL{8uua2E8>S+alhxb{bQq-QEg!ju4D7iVhMF>h9ufpw1HNr82sYe1Je+%%2U zjlFE6OE&a%Y-xCC03>=obD7IC@?;hU zk#`erbI8*Ij{yyddUus7C;8btoY+{Pk&7BXOsP7uzndrI?JqY$KL^?8$-k>`qMlUe zG;Z|4W7&r#6%P}D)J1w01f-r*bX$OIR&*g~lOT1V!RXT-Z?2+dc(a}`^7kE*5~M^* zDkUR&zrA-r&}$yO2>OZO_9*!eS~+>?C0@!u3~6}a0CdycsAT2~;S(XQ#o;#k*snKT zUkmDNi!1ee^0T>|H-L)*Cp^A00pJlu9~W2{tE_^ZDE*#zdj-758xUu~wJH9PL)!u} 
zCpx&?)k2GTOb_h!KmgdquGDt6r~B!j-pk;!45^I@+d(%uWVRypv0E7%+44o%CQ2SO ztLSy$4ERGK;T}Pb=EzB!bW4D|D7cLROBJ0CT4PdFsg}%TH6tyMQ?y^kvry~HJ1#nU1djz)q>1`kM+D z0{C2zHYM1jnG^O~}=mDT2ow?nMt<9jp+XB}aNbO6S1I|8 z0j&41#t|$Lm~A>aaX%9yS7sz_S3-~PHlN+2M<9O$(#NJzbFPub%j2+&a+%BXJbq~k zeL~SE1K6Ojy0DHBjaOmt6O|JxdRg%2^7!Kc?l8#VEcp}v%CEcMl7LTv7b70ND${-fMKX{f6JfIHA8LL)LEd@05jAj9@i)v6oObO?! z$}jju|C_v7skF!Q%r4I^t0!QTWq=WquV|EaC}7WorUcVz(!Y|Z2Ln8qamiT)0H=&2vXFL2bF zUj441PdQ|Hk~%2FOk)_j$p1F)W=L=y9)DQS-wu*Lc%AN!mPrulyE#jWX1Y1OG(~z# z2;X(c1_z6*z5t{w=@)-bQTP%EA#sb%R_Pgqk3oOypfyXbYc{I}%$phy5O)oLFwWOAKbbWwW{IFHQ9EQ4BEfrrCcFQ~_li(|$9SWZc`AY2!Jj28Z-rD=l7FeE`%F^tsv_JmLxfwvc(ooPZ9xHu+yi6mmG4MXtCkG zkg)X_$2zvNeOxEzUN*k+v-WHUIFMS*+$9-Ur-aWqWSxiQg3cGDv0%f>YYrm^%?_2R z%Cq1<1^q|~KNaL`o^;pU1ah|p;B7Q`6@n97sc9gyCPVO?Cp06wMsYI)>Mciawsfp7 zG2^9>w^Oh9;||_e*p+9nJx#jj9Onk7N^xXA`_s!=Ugx;p9FT4a$-fNxoFI>b*2iio zj@FB+DOOQ&NtCRhw>;rBL0dg;XCD8)l0QBNvT!sM{(elGc3S{0adTcC_oyS>WKpHU z8sITOXMV7kU2GnhAT-RHJOKbQod_H|CV0LwmAWr zM;)>TWW5#tL01sPG3L<~Y(w$SI3;c#owoq78#t+O)WN47IUEq2nZ}AsV=eNw0CaL= zo4_|b?j;CUSQHzd_;?W&Wx!}P3RZ=>?x0)I>c7s%r+wS(23 z>ZYMt$gj$feo@fP3acQTBhUygsYjRDxM+W4m840N0H*}q4Z;65vU1P30O;bz&xUo| z_klSIbp>@(_>vL;%piG?oJ6Od))2qf6CBDjc(Q@H-OXSI_Mzn4Cn_3o?x?rnIz8s1 zu2k40QO1?E#9F{WsE~+}gBhhYh@1}J9TNO{29N*KI05M2A?Ob@N}3hxuq6gI@@(ST zt0l4IlqJkU{1H#?u&3tSBBu8~D9>i18-1tGnW4VH@n%nY8R*6US+B5GQB%kBV<3v* zLq)PL3gi^|Wh1M8G)@3+>=+J|eo&deDLTke8%RIsRY492>~aL}cQbhYCg%n>v)RP#Fzls$3;z;O2WmkkpGfFD>M zr!;|P09X#)!Re6v5y5{5sdj<0%3#-g=9{nomDu<(z?S12pVmxjUVvZj@M|4B<8T{5 zmxEYsW8`DS?Cw1P5UZfLs8J}G#FZ)eeMs(i0qK1M^mZ<1`QXDioe%4GDrai@$S(Bg zvuWfN;2VW>MgfF4-{s9H|FVI#6H!621e8~mqE3TL!;$aLh3v1|X&-!;!PLV8zz*f^ zpqn|h4P<`o(Vq~hqgVox!)kr2R^ON?0Ga?$s@tq5fv(}2>sx#I)4#mRtNyE^>&FYG zspfZh$Ne?yUmGsu{4|ag$^nQa;GO{}q>~HDDe2NG02VV;0ATKEF))p7z&!&{Ucxgs zOVKVt-r8N2fCPY+*Bq`)0unWJF97t7xS^#5l_~&5MOBo5HLp2>1c0&>MFM~s;dSFR z!hJg&m2RksS8M|W|JH7HR&79J0}KF@0I_`0h! 
zuom3V2}?l11{4E~*alPqC|5xR8xTvtXaLraR|WO%a7ij6DK#d_FY<)ChC2$X5->^v zqLlSy0#FFV%Hx140EKNXxS<6VR1QGF251xsk5d9J)4PMj2$x2}aW1GT0r5F60uYP@ zVwDo0Q7WQ-A^^yU7gTyJs1ONPRnXl55C>wD41h_11!7e3Q~5B%51=s<8wpJ2wO=q>HDcD z-fNduRnUkL{u`cnO$dG(cZ^gPWW05VOay?Q9kCIv?5B^cd=!Z7WOp?c!8`7D0K`|J ztR_4`0NhAXzS!MdOhr%yAaO%u09+yg#avKwy=tNWTuCBfGs2Z_Xq=9&Nxq?)4U+^Pf=+|Ysq+*bff zQxSA&z)=oaG+JF%NED$RPpb!U4 zPz7~X1Y+fGsN$;tjMM{60?Gj>xl1=u8(;v8bwef!w!5kT6pQk)3bIJJ(3n-q_7SI} zCt!q20VuzwS_Poo3;K5ChB9(Lpin?Bs30E!@YMJMv0gfN=!gW22EgIp`cu^gL=~|D z0C7>i?3EBcO&EZ}9kEizt4O>q4U;ncJWKDd+UXwL&P#R??W=k1(7SHX#WhYD+0JW|g(4Uk{Mq=g9po&CtGHIy;y1(qGs$)m^oNG%SSR zS%FuKS0mw}E4?P2NPtXC1yur2l8`g{#?v9WBMKkZAZ;n+Y#%k3<}=^O_r9txxlCKb zbOz@s&bX6W1osRvBcpK)jd@YqQV|)pj^73t015Y7a#4Fk3QV+&O1NL~R|O6X^MmdT z$h?1nQyn*{{Yp|5Tw$Os-Uuiuy9j;f&g3?sR7h| zii}YSD@dnMeCV^981ad}q8ARMk{@-hOW_)xty>xE#gkN{)%N||f zU}iGEWlVbc_?Jf1zt=(Smmc@Xe#q_3k^Q_I876FcXP80d?#S#OmJ!imW)yfe)z7VF zBWX&JGLE3lpsOV2PHL>=PAX+rj9C+nncep&?sLKK@%Wu}JUc$Zrb}F!mm+6Vi#93V zsJm86#F1msUO8o1>1M@}VVs{41@S459tt8F;`C9+&C?BZUy+A2Ea6U|8fDpP*3QXL zyF!sQdDsvj#xeS6lIN*l3oE51h`5uClCxVPbu31|{AtXcGv}FeiPSoj+;}4v`^We zhJ4*1+AL&@%=Kk~XMt7mY=eljs)UHPwD2BDe%2_CJ^q@bZ-&A< z<0I`Wsej2e&NhX}0tdz#wZZr`0h5ZwQYHdq^E6=4!93P@~wyI z`r=_St;Ed+2U3t(oF!c6(Psp|4p^?Z`4SC+5NC{Gw;|W_2^q&(#kVT5FNlcx!gCoi zov`_i^9Sz88(IQ{`;ZT7R`JMkhbF|W+Tzf~N>qqwC=Z6q`sD3v43S$zqeFBb$S06% zOOZN%om;*0SpPtYTf5oakRsh&N9__1>rwo9i2 z9N~T;^KEq2jL(?jJqM`H4BE-CVv zLt7mjt|NV@o3mfcp?lzVM5lK$q__Kb$AqWp6bk#~om2DsKdLnnHvy|RGK_n*AG^5F_(c704+#gK$cj97^|h* z)7Qr{zCz<0JuguJ=XWdqa2nT9i(Gw!|Cl8D`fp9Er*2lBaB+Zc2DfdPG~6hd6Z-my zesYXiGtmh$;~9|?Dtg|d2bKIz2W_=vFW7*OdvUENBmtE`C~cWO8XJWCY>%#W=nFRW z)T66|Xn;eJ%6{|=7khFU^n?)^wnL8!x>w1+dy%?H8Q?IFnKmon1&4nT+!G!@E0$85 zv{aG2Onyw(Ss38ZuIRh=AGo6f1XpK}zV*-tIE*C`KjeG!Qe>Wp2RW$G!moC?C6+5M zB>=2^@R;B(;@G?_=uyQV0XZVLWA&uY3y{2S^f7<_oTA4RJrcm-A?l9*GyggDMwnC>>Hs=xu5x2$fP2hEY_s0nR^wux zDG?cVJTol*T!98Hl7ys>Mh1rS>wOBR9qa-=8l=CinVEgiHvn6V6ui6*IdUo6(=b>! 
z7!Cgn)+xc(;rYVm)7wOkXo$~Pn{TT~zR%ch`xU(g+9tSt!(Z9@5^Q@v-{Gfr% z`MU|EChCjdfz9oQ7KB54&jg#8S(IKOG zIJxelVV?dojZ}uc!bcpzO3;Ni^`gjaG3HQE8*gi~Ue0=GS2(E9mM8z&5CffadFiV+ z%yVoTp{X9)7Sxe?UeOm7Y-G8Ov$a8-Ho81Xe%)@)S419ONO0NUosn_2V-$|e*qetn z0NUr!3xa&21bahx|08<;a>m&fz=%)j$xJ_kGX%F#(I*7m2F`LamiBHCoK06v1~nHy z8B2v&A}sNQELT=J(WBrb6$d&Ce6IM91h+Rw_*nzFi_q5x-}=iN=v*olXV_Ico#xp! zQME~)1ZM++)@U@+Jeu#7obF1uwG@=%-%FBbR;9ZUGrLEzMXN&&*WlXD($_N;IyoM= z4fy}O29t`LoSdDfza>rTn^yRCV79@$87l$W=<<@X=x6{Wp3E1`3kGbcjty@9bC%p6 z6>V?i>7J=nr=C&(#OJ#$bA$BsJlTb5{K^2?;?b={BM2=`T$F|}W>O}j&b_6!55)81 z!~IJ3lqa~@NN`=)V!%w9*OUVw1|dp&%X!{wnoHx_5ZR*W)&OjnkPT{%isB_Mt0{bQ zQ!SU&5u&F+J_7c4a`os6-n#*BmQQw`A`nbT0E&v`b=S#vYE$^>^`z&g2&_TCrW!pJ zmqoqx;zXw&=n3GX5dUtT(7H0Z%%6up3^$QY-9~^Z4M2&<;c%-2X;IXs z8ZEa%o5P(1Js9BHLip?|`7;aHJUG=yW)%a(DI$({ScVy3oAK4u$KbLW_%_JXNmTnm qfcx(>sq?VT>adeKiS>SN&;J2Uf-NM+ERcTy0000PyA07*naRCr$Pz1fpwM|R%%bHB0XzGp32s48@|dI%ULaUfA6c9RXgNCt^5vk|TN zDw~)2Hvs$_e4B@PA*}TvQby}}5lC5+Eov|{8Lf-f-Dn_d&3)fuxz~N{bH6t;GBa{1 zAhR;FD#9$SfU3xdd;Ol{e$IEk^BqI)btx<0@dnUOb&k3Ilw`P!oiUXEk-`6#!QTM} z93F6+3CS~$`v;Hx^&YL4d!(BK_}v+1nxGFedSmZ(!7HE#)O%gf3dra`{no4I@s8ux!uCS;L+;mVFwjS3AcGN4I%X-28{BOJ_kef6 zj~h%)4q!05;Fmo-@$lTjoX4+NN~@0MMjw4!0}Si{jnDXuAM<0^bApR8w%!SF0qdBD zJN7Xoqfpvmb*!Ic+Tf-W%q@q%ZR4L)20sDF`1=i%J;obc%j0)EtQgEPumENb+`K27 zZ(|l5jl~kB^)=Sg_jpeyLC*;;;Mw&Y;2SPt-0?rN@A9r4XFO>#P&Txy{Zwm~WE#@@ zmgF4|_Y8ipl`NtMS?raY-O0?>IP}Ok4k?^YsgX_GT7T5e;?cfU`GFM zaCg8ATBvwPLS7paWxbT-I`GcpmGo{9!XRFNd*Sd;63i1|-sAOeTfoi~Q+t5kFK6f_ z%HQB|_D+CruxK7{zvRpEG}8kO{Afmd%wVT7{H+9g%j2iPPbJt%7i0Yq@FQSq21*Bp zA00rRAOjAbke>u#);w+^b}vxGjra^5HZ{zRt*=di(d^^i*DP^c~i%NBiw9n#)wBwhtcRlu=4~B0Zf_rFS7^qlG8Ax~h=np%fgM+917-^Rw8sn2p9ZFUKzYn0_&QLsm_#SW zkyE4y`#Zi_C&2NSLL-lN4yO|#HLzn~3Ctpx1%qF3AtZ7Oj%*2%MT=eOqi=JMz1=4~ zY5X~Vp7osI%L(?t?g}D>Xp4SvJpmkrE=pR@2RC41)J*&gXqKmFU2OzQpmy|*4V zed|tuj)c^F!54|DxC0E7GbZZL=+9`5CioeLQ>de#cL44BlR|eqz6!<~5VDgqK85mh zE@fv(b1b}(;dUXkIg@|J5qPxQsS<-Wq5{LMejVJv|g|&=i 
zeE@a_NcLvgNpq5&BUYr}I>zZ+X!Hy3_G{52Ss}VvC#j_V+UK-q7LTP@UFPFbZdyls;L4M;M zK=FN!>=;#WXP7C^u~o6SL5IJWU=`=zclZYhM*ppNf7oE^;AQZN?*(hx-1ze~>u%&- z96-h%x?V(cP`vK(`pNRYS2(0!(|3gLGqHent zzb3;M?b?RW$UcGWslmQjWOI80+uCKRJ;T3L?}7W2PyL%-LwKVd;1fQvYEHS&{aQv= zuQJ@XLt`X?VGHA;FeLc99&^{iZ3p7(Pk4O4$COP(c4Sl9osZBLIt}u`7>|3064i*- z2!#PQRnc|0hR3A}%Pdw9YM;dn0Yg3{+0-qzs!**s4UQJnPOcvm#5g&gagIzUj}qT) zgI|tRYn=cJjr@iaCo)YcoA-GpRsl1W|n8;usd(GKvZ{Auz7eo##*kCd^a zB`Omc?rx0j{cXkj7E|!^M+$@|hC15uU6JVKyX&b1t6~T4jDftz?aJUita<#BxH}eJ zW@H;NVGT8in!%3}Sfl2)#jDah3gjnI+}K~i0S|D-%Ub$ zq6|!hEYt6C!t=G;7W^G!&>nk`H>LE+;kRb(@C=P-iL~?!Z6>WBS-KdG~&6z zeC6@8CCm$lTc}W3*kf&Xn`-+3D;a#Sk2<|6HH0_90g5>P0S`(;3{~1xYE5;g$?$DJ5OW$hLRbX|JDptMrcN}s?6Hf6Y%wES zOfd5f<}GbCZB$G^*6OwvA{eoPFD%i0$shr@p!9VmEg-3Tx zXsi({mA>e>fpJ>o-W@fBV<*5-CkY91>^~49W%B+5bRViF>*QLtu`ToKjP|T37G+AS zyEL~f!+R^NwDbPtjy1Vi@+~*Y0XmFd554piYgN17j>vG8(pVZuYv!)Uy=&mUiOH_I zv4YX$aAt?mgaq@@IvieniMzjf2L3CD``Tc%ldh+v z(*9}O=C;}wi&(nT)68QYt1?~gqp!Bh?odK9nv&isM@N1LW+pnb7bQcEp!><4Ih7q5NJw^n&d(bk@sa8Pry?qO^Gtc2_4*Dw z14$6n%5Hh=ErmiR++PTdM8;DnClqVg2U1>4;B!alf?S=AV#Q-ZNwQ9Y;Mj8L1?~PG z7A#iHH;V?l=I?BlhHun|TNp>ju6tTBD=*WA;~^HZw97f1!ks+>n|b59kez2raD9Lh z)A+>`R!H!zEm4ya-f7fB| z*`PC|Q_iR#Avn3o8*w@s?@uk>9j{!61X<3iQ*KX5a!l%t!nnoQis@f~eOAUjbJzvT z-bNGOoZx$*8||j3Ra|Qa$c-U+4&@eWl>tQ7O#9okhRReX99|*8!-(uy#rop#D9Ii4 zp|TpPsfVD$Lovt6Fyek#U@)l)R>JIkC|QLJ+>S-;GYyw@bt2?biZ?p&TyvTcd9pqe1f+h7r7hQzu|f55!GQ&-&6*Q=|xzZ5q&|i zz6-m3;O&HBmgoZ>Qft3^1_0%Wh+uX(>5e20Uo~EB`flpZ5c;Lt)VlJ0pGAAs1=|?zRmL`eAKE z-;nTKS&E-}jjN zCPP;mj0-b0`-^* zXfE_IXq`exm_({ap-XgHt>Z8Xmcyo^RkS1g8(61071W&n!~~L^dE)TT+PD{%(sBjU z7-F*pl{RcR_&{ONwMdk&g#&2k|Bp}^fm#anHe16EFVfm*LNet@MOX{ReQZZ`0osfb zgZnsmp|^8F=y9?Gz&Do3Vi zs(p-&iU5}3RPukAPu_=HdPE6T6SB46tX5aawW6oZz>8Ltd5)d$(2 zp)}kM30tNDmJ}E6#aLg&Fzx!%+X=dwQd#RzUpPp0yD!+Gu%}pD;rKy%(7?72jpW*~ zq|a|c0ZWbK4xYN8)t|1cv9|j?z89*U*Clp6$v_I-(h;)C4sM{vpqia$d{nBQf$UB! 
zqzN%H;Uo}rs$ORkIZ;O%{7+I&C{BiBCq$;UOowY)?6$&4@FLjFdc0^Afn?{gOP2O# zlVmF)+ufnkT3{iSGrZ0n z(J@dV51WqqV#o~)UR7ajGU`uWBZzn@EV2tODBDTRF4Rt5=>HSSTie*ZU-HY=>y&J{ zWCsYeVm<})aiB-eRkomSguWp$Gc)W%3;!s?eK!fotyP1{c%G=Kh*Pl#M&AM79bNNN z9iZ6xg<}h~P@JlfL~2g?(&2w)F~4cz=1bVc61CNY=FT2_t&U+7c~R)~{_RT|uT%=g5mfE>vw_EbNpJ=vdBmpmZIp=f&&; zgY87sR6|f}=C8}}OBK^vI8DUa93tI?+4NKX(tZ3In)ENl0g4Bpv78o>Dn!Bsp$2_bwQ~+?#KMg$~MhGPhADYDTlwGU>>?awlh;6H*O+#YQTo^ zO};Po9uzV#r>*}%I2zHN&JZbV9Qx%}WSWK~SsT#Tku=CtOSYI|R>~x6CCb}vHur`Y z+9OtzFHOzv!X2QajGrvT9egljTTLBPNzQS%_~{hH)0cjJ;OOTPgIe&qkFjX}IuC)X z8&<6nyoN^vi4g5L;;<~n<`g5+ns95i0xq`6R#SGiHHYg>?Sn07CCmJ>UZ>KRQ6AhQ zoe+1*;-`G*KnsKWR8<$LaMIu>edHMFL@1=)&*T*yE-)T?kP3^$qY}|>OR9Ay%sxP> zc0uIVV;2%KJ*P#mD+Bax!^<}Od3G7HEf?khojiRhDyJ-z`{?iMhlzyj9wZN?z7U7R z1w4PsMP9p-+q{?+^fi;b7x#?QzSHO}KnXux!pvm&cWeM4VtXcd zo!IJG4(b>OvM^l*tqYl#Zktze3goS#AsiL8A|DH-8iELgJktyWa9>;8vq1(|V15t2 zO5w-)-O#LeQ6gR!;s6DOcbVl%O08C9px&f4U}=tI0dd%0)L{JL@qkg18xpP<=NB;j zaTxCKgYGQTM;I>G*pbl-sR_j_p*!kwibt(`l3-^g5m=)9a+BTpU6SPrlkE+@a4Kd! 
z=COYrG3Toq?M1&|PM}e)@A00|e6tp<()ajYIc0mI47bIo1sj||KUqAXRX|g2pq5N+ zSfW-GmG@(zYWKq00o^38zl0n?M7uZ$gk_z|DmZ4iXGuVfvN>jHuU6*$DWD4P*f#56qSQA z+Bsf_jX&bhVPSLry7>9wXT=5%yU}PN{W)&}>fn|{SgTT98(~DT{-x0t&T%u>;w?hw zKIUV)!PCJet+6WAQHKjHq$U*6TnLGLoPVH}%rNdL_9urzglBw3rC@he!c`&0bu*dQ0PE<%u;PM zG<8dP!E0Pl5S!9;L=BQ~xY39(s4*o}aI1Oq#u<7$$I+gguokxc*qs$1H;oaJ%*ULL z(Wr1Bs;+&Sg?PWcS)sDoq`6zB+!$j_{1sI%zt!Sh3k$x0izt|;f~ZqA>Q$0{PcoR` zH1O|Mi`IRMRX8-`g0O&^jZ{Mj&ob{q+b7wb5E~s|>W(l*~B62>XjTo3-twIJ1_OIT5eIP?$WN8@Pid9YDK(b zB7NZ<6|vN$0&YC-$f`!d+J5U^Zv2HUpY|m87q5WTLX0n+o4hk?Gtw0TeIbk%6)CF( z&qY(NP-zS?)cle!(?>k&jSlLv)Wu1lkaUTqa*dU03tLO5OiC#mxDQ5u&cuoLQpygr z6os)l(Ju5KB<5fw)JZ5^`1`^E@~0byfPhH}O-E=flyW#F%Fi9m8D7gHCD9fSAFY4p0f^& zm?(c{AM<`P%4n%fYgi#s38wXI4T-{{AlX8w9cW018ugu?vkGY)YIdF9*6px86w>Bz z7E4qILg-2pK~X{i+U6HjL5{7NK3Chwmdmhev1>Jw?Il`!ll)@Oyn96Htf?JD;m(aJWSwQCm;LVoBtGL$?Ie@teWq%4s(rio!2!xc z?U2JIW1hBjmS&VF`=GX`h9pVNgy*hPp?J=xz^2_CpwKP~;=ws(MJIs@m{w{PYc6Un zsW17N!Rb^`*t@(-b8VV`{7MZ;ujByF@bxOqyDi${oxkJo4<*^5qtWBXEDV{58*416 zxaT=iuwT^bx)>)=5EbsI0HWhCC@_eznHRB^2^0pNLMC|gc_nDsm@OIpAcHdcLYXZz zr}X0eS96<)%E>@KPiA>g>ZiYyv5}MPN<&FVl+$}QOvdCLX{)M1U#i*$L|iQLyplgA zEL>bmrvr4J5XG#5(4UltML~!lkn9X>WT6>Jd4bd_%+r+gnW6f0i0TW&JyBiG^?D@- zSiujq+50W#?^*1$BgR-{9#;&DgbKQT6UBee5GCkt7kPA$L#Dwl6!S}pMol>CKX~r(FTwuOQ~CQL z(tj{~SO0dd*DE=|OExDg{GNv&8q7a2*fAGrwS(Yv?B$(V1tM_x8cueALxn8;k9PZ} z!K(Fc+2cf36A~bv{(LJmsfbPJSIgAb6I$CUn|}f62eAqJT67zo>j~VTH>uw9n8&5} z7?oCO9qhn5+oG|LWwG}_Q0Z-*24bE@c}LZIM5!=Uak~y$GLLSCr#e7*vz}{I)DGQf za)eDa+GLSz_dgBhFSptL>pT22^(CL{^-2z~$hMl$|Bc1}JCFHYf{b|3)+}1>PSvzO z66@!89FTndw~!r$E&7q+Ycl#KIQ8B>v6Q~bNMCxgd8jRAv^G4Y-7-VX=@=%tPr-eB zjT^Af^+c}mn+{9Ve3>jU9MGaRWf}O0r9EjV3;a+w+Cv|N$pR>%(0D+O5Nih^H15zg z?Z*2mqK3{eNe)niMIk?E<$c>b9`m;z|6dxopHA_##r&r-{O5lD7tKaH*XxxW;2FzzE7X7F;g3B2`znd& zA7Fi8zMlT-qEwtYd}bq_zpAo#6q8lMggE*o2~90I(v>#JN;?d2=--}UNa&6VS(l-{ zaMo?~{{6@b#3rTZl`XdWGWQEam-KL3B=t<7ho2;G#DRSQuF;X0(NU10q^pEF^ zabxQYjShuLg-oUPK&f~9%#-}2$?l&`@K1#bo$Ga`(RO}H;q}u-zW@Lr07*naQ~==r 
z$U|^|`0qZSh<=s>1R+-4h4>%Z^>yJ5sW0Txd&=sy(?4^xpBu{0Q=02Fj1<-yn^ark z?>x$J{obyBu4jDdZ;GdZ&>~6?m@2&plWj`%Dp`Le=$kTA3f*W{U{T)TL{8ZTI7@c%IdCy050G$9_cL#{9Kda1r&69Gx_ zktFkw$f^xCDEs9DOHP%!$tAs&6koLighS|v7**F2w=_0))cl~zoyR}3*jZ2dL{rQm zS@E>DGuRrUEN#i=ZEm+d|31qvmJ4*J2WeiFNnXwO9w>+WNphdxpQvGf;Nc@Mzi$F$8W^RA zxMN2!`z|5S6`la+bAT{s>T@}Or~LE(#$T+SXKKpTJfhyWUiJzU0>3}xw3Mbqo2hg#0((J7w2ha)7bAZb>s+;urH`)Qfe?QKn3a<_aIH`0UD6G8`;3iq< zC12~=4se(u+Nn2`i*E%KC<<-~1$s>(5FK2ge2q@21MH(f`zL_wg+P~VS~uh4yEy>+ zA<*$0p!2Q{lHg!pSM2}_fx0t6i<&@8fZvwH03B_rIzG zbm=K~Id8HB_GfS8>eI{~hV@m+_@IN1R@ zxj+Y3+WiCw)01)-R3T9II#8hO5DL_Dfa_pRH}4wWDhG&icD)ej=9%f`UGc>@KxiI( zohLx)N1a@tgAnL+HmKCz3|>OEy(IYZZ0bgRa;F0fQu=|%e`N4~;11EDPY!`%PweIrYGLx1Uf4$w_$JjYeS2-Pdk0ipw( ztPIz4fH%~Bzx8choC9b;hLT|WI#Hk^2@W9VDavq%9Y75+Y0w4gHN<>t3%cPSaDE4f zr$DDR=z%a+XC2@*I)EoSKyKbAHpL%2qlf}&^tiM^)1Cv|aP$54mw%E2NE@`9I`m-& z2-9^nH&_?)`cHtK1AKb}c-udraDacyZ%tTY9l(YZLSx8@uxdLF(9L>ErrBW{Q#ZHaIY~5KHL&{ zUSX`51DMY}=}%L9PZs6kZR$pSVs{7dM?#>}9H8I=#g4EmaDYxO&}rhhVVGs;2#XHj zdJb@-O!aau_S-l>kpo0B+-r3J`=g`Mi09`5(Q|;yv85aNsi!+Yw-BhfP4xw+AK*$( zfSv=~NNc->7k$_P+z&kVBa8V1kL%hH6JgLIrz{+xP=~g!D+KE10O#cb^-h3mXopvJ zN#D)^A`E&E0$rH{g!MZo7pUg|S7vS3@QaT-03TWGiAiwxet?4sF|i?r%N53|ar6Y} zIlwivts8Mk-5o%MFlmDx?+HGwAts_gJqNfE559MiaRp9xfb&Wt96iR2HyMN@pN z1BeXQbAX-$c=H*b*~kSF3ZxvM=n0PU=!e6ePF_&Y0p51|x$*aZo)h3?2Pn8eF$q>b z0GFKuEc5KHrN3(kbk+$Vaa@f_?VSKO-fl1K22OW?m;@h5d^^88C&RsV2dMqX?GMUU zKfvi^xTAA|dk%16_H*Mu=p+YFKfnPB)SV7put7Vi5Ek>36#lG_fBNFQi__U-aOUsC z6QJh+XD(Fl4d+^c?hc?4Nu4Or>HPrLzySiFb&fHq8j{xwfzD+aZ^@fZcYyBNpvBU3 z;{v_r6QF2`JRSlaK30kuVVw>jI<)Q4q2CfiKj}6v#sLnvKv&`bg*>`$=D<4- zJsY~=D{%2A06$5wuL}k0)CD?^FjnsbxZ(DC;g|oa4sbFXRAW-@&n#Ew0Ot|L>N&uL zThI;vz>9H!A_-OwpgO=Mp8zFlKgvQO%zYm^2W6i$B{DvxUJh`>t@RQv|J59z+obrz zY|z)}0B(OurK2Zd8avMX^Iv2+^Tm zlLJ)p6CjRB&G+{s+MuVwpgjk;QC5117u$1y-hhltG_ULb(KpxuG$@+_NO&F_q z3KP;Ysm52Y5XO^QL{v z#W+Br4$aRXxf%yJO&F`=q3!xm3GST$Z<-;0)BAaY9pLy_8-+m80Salv9t!kL4d+ey zy-o)x)Bb_Oegyo13Bp)01UeAHI(FB22y`t@fTO}#JqLJGjPx?^;|+Cy!wn1tMYMMU 
zT&5}A%+EgC0Z!}&+aHi|FeLA_D zef-{K=>iD_8vK!mKXN%2D4*YL52HZGA4HrH79AjkpVqKH|BD_O?q*r+1z+t^2hfC= z0|)5V6WkdNMHDDZpTqAwmyF5Ed#ATWC#o?Fb% z4cT9L>=!B7LWyj5gme#{XYipjn80r8z23|fh}8MdEzBgaUEgD`zeM$x!~YAg9~$`Q z27k+QzDe;h2e`r$pg@5-mElfc@HK%2;1?zsfBFlHdzz6hmPwY^nQc6P6#mi~KIu8Z z8)*NYPb~aU?Xx8qsWoBJlTCxUZ!o`Y;RA<%-{2>Ja#twj;4dXbm?yzE!U236ST`{1 z;a48_YlHpLlYI^8GlSV2rP6{g+wftg`|O29Z-y5fY>uBNa|~AMY*oMwml(WX!afB1 z9pJkL_dSDo$K!`haFV01LoDMQ1q$!Ex*Xv26QJ{gO$u%Y%%X=E2KNlitRsB_JWFsZ z7PHl)yj{lc?NV;u=5`CndX8{29YKcw1z(hAC|9O~fI?c|qA`?^3?wj~VeVT>4=mjG zFynDE1||*k0ZF{;v*gha9Kc@%3e?R3qJr143s+dvu(0XzYYxBa@rwrL4SwFhg2yZ- zm_>tMZNPeiWc_dWo7Nxm$01R^nP%|TUbRuY|CrC~4;UVDq@yL0F^ies`MP1ym;@hIhU@MCA-Pq|rd_?^aeLsmEoRf< z)`6E6W`QRL{~{rI;jnXyG^9hHY(lF-r7ee$GxZ$ddN@Kf z{LhnFC_P}Rw8=)L4fO$%eoHc%;%C6jSnNH6d&flw(9T~6Uo|1&H3|3xta96Y_dhKM zDEa|jy94z9$YYKv!yTRva8k6g|Mx|VR5(J@z$%ypPqvs~=RC}L+ZU&wG*;p-Ic6dyjY|WT_VxU4i{~ zY7X`U!?HoS+9_G-pBuH?~AC;XQlUew**-o$^&gGBN^$KC!4e|Ww5uv-H{U* z%x!{=1jARfP*Jp?Na48QbsBwF2MC5wD3;Q4&@ixRLbTx5fd6Unf3-{FuZQ?o%jdnb zS8{+AR)$Kne=DW^+klD|GvMx7%yb5VulfwW8WWnr2|9QEvtzsb!ZYw~k53gA8O(;l z9`GxUY}rs!t}tgXFEZTo5-b|B^#*BUlJ`_`)*|)LqVrn88Sg8?oyR;bzXz3VnstvI zg>2elW=e1exa~u1A7cM;10xEddc&Y;w#;;Jh;o{Ks4T}+Q^1|a^ zdi<{v%70%b{RhMUwt3!LeW;z+(@eXcy@f)6QWT3Q<1e z$99tU&HMbYHpy7u2HS&W`iCs7F-v*O<8KMtH2C`te;4eep1q!X&g3kf^L{9NTG(?W z0Vrq=SrOwK*it0mVJ*Y080><>Jx?%CGTh5FLs!{(>9XU#=(q$86*#ZeGGSwJ>&B^K&TZt)r!C?oZXBkJ_`asVh)Jl@dZb^ zEco1F*J_lvm-upTGHjCPhsR&l0Rp#Un(5LEwbDH6wF-STNCz#+v?sd@%sBiz7T&R# zJ4%!drqAQ5hNJ|pl;gfS67%EMop>FG{~?4#Xq4 zWFe!ynNZzKNq1V%9HZ5M_u8+rQ0F>NZ|Ixi^Zbhnj8!44HK`1wxWOu=A;Fqi*vt@R zdB$Px=BN9J=nE0c7pUWnGA)nmg79=-n1k>(6tr5==*1WF+hDdtkZ1 zNKasf6&mHqRla!Vv7W-QBV3x_a0rd!01iQ7ta-d*L=o*4!7u2@jDNP5z^-}r)<*cJ zN~quZkmwUWu^;oXg})z!=4cx`>M&Cg*=yhS*y#j2=|YYtNYjqE5bFo-jyAC(#^2x2 z&u3Kokhf|;N^tc&)(v*W;g@`11-Jzhepqn$pXea1&NwjNE_QYVHdiM=)g{7d1H#8LCT+ zSsV}h#S#-8L7~yt9yc2iBmc~iK36B2p}t+lHD0pRta7*gfZ0^dIB%*G_)i)4XvC80c& zQ5i46l%+Cd$fgZ;+T*5uIBLBbAOc$C1BwtBf_XEn( 
zE25g<%_%jec$gI3C9*XO(%Sw;*YPMiXZW6IFLD3@7((%s+zQ28QZk$Og#_fz!a|$Y zlBK-ZhLwIwTku62=CaG6xm>sdbesl4jFK|t$~fb-I*mRk4?=rH^#TjZ36xm9D=eAV z38cho*oWPwh;H&@PqO1ftAPb^Z=!n&#tBA4+Ud1%+I64_5)}^kr zrbzJVdJ%5_OzpTLOU=v0?=~R9qKNLsbz?2W9wUDC?=wxAfjbFig78D#g-UW! zJ~u)ZbgdoLm zPJVDW&VN5yAT6sUagT;Vow1nYawo%o2kdtvaV?z00w(k$etr?#AF5HEWiWa`vUYwYe5TN2u!E}=2T zs(tkJO;Q=m@Y9vRBMJ2ak*KC)5zUSPqb?NMoOU72AxO^CDRg=VQE0>wiAu5Orhz#^ z(q-n}MZP%ZdHb`uI|(f9>Vzn?6#R-It9zeP4;F=H7{Je?_v z3+;$5bY=P5J`^w2nWgYE2s3LMv>fy4x4Z z$J*GfZIZoT^5?A&`S`WvVduD?3-f`{Ii|2kJIpxal_`?GjAXEc8%}9WxmZcQokfCO zK#jl%E$TDj!Nh8EyrQEg!0EM*f?q=9lw=;%gtM)-OafYja)fz{f0^N*TkI20^99sb z_Gs=-1}FF|z3xoYSkU^hlGVx*I|Fr$AnBP3WpVTG`N+^zwSLkBI2zHE`+XoW2F_0h zw0U%$&lBs1-i|<8^TGI?dcU6;pc?;8U)GuXU#3 zT;h`q`9X~9bt;VaH!!13%$Os+ElPzABs-=Ft#u|)Y#n~s2DYIp%E}RncDl3BiQ-um zW%ACdazH0Uwpx!}XbO!G&Gv-~XbE;H!zd(L+s18~*#cMbk-3^N0FCy*86j$g$3#h<6$%ApgW z*hpmff;1Jo3(gc%GpwWNDGnCO0eY4ypr6k$;_a-#)=rV!UL>sfs`h%74zPc%@!0;4 z6{&^ovelQdH{`J*SdF@X76nCtJEGjGkd}8Dg;Kn7gFHFz(n#I;z)lO1j1skGo*(RZ zoFF=hcqwKTbUNp7FKu*)Ig44?g4L(&HC05*o#5R3lUIF6-QHga%f8E+9pL@iefq~+ zxLakC+cp-n#LK#!@AhLZ79~}85kptuq?%J+5pF)@00nnPyS|cJ)mzkwHKzpE1ct7# z%WSbic~!KAjAW}XVEO}l@JLA8YhAN$>v%03AcszEei9_hG|N?drG>3I%%mZ^SD|vx z_|)Ic^x1QTr=Sa7un7UEmFJPE|_IP?}6l61edxeP=0Di z=i8X=HXH3RrdzO*T{h$NAi;gt!g#XELZwNmQYRUx1~9=YXS#351S@N;?&Pp$T?!r! zAHamuG5u3dfPMZ|-1QL!C3I#*EZ+!DeqzX;h>Mj5x_Y{tVjDvYw+P|mhJz23XooH^}-k_J$o|EW7apbIZnEU(aK9P5=N8LPMCZZ@Kxlf57`WR8zv=KBV%$dhxeVUCaB;(!Ym+T4vA6Mn!7Rvr2IS&X zt`m@OtsJ1!7!E1{1P}Z0$_w>n8bgNWu)(VTc-)Xp_`oNU;F3Zk@r`sM7?HHpfGsF5 zzqj)`z##_-&LDnKzQb)1_$VT4xfN9~RY-HV`2;J6m`iD`4AQp>kJe4-V!PN^bbw!! 
zci0*&(c~6A0klAS9xwQKO`)O3%&Rjm z3BB5W(Sa!GD-9a!mdeI9Yg^O&YcX}NEywEGIzS#4>H4HOQ(mK0sW4DWY4o>f4pm?x z!li1-6J0kXdMf3Q`#`-8&H38(I{TAPxZlI4LuVJ7oPeNMp&UWH6?Wp0ul&GE)c0$P z7l}wDu6fVi;vnqKvgHo%eCIcU1LqF_frYIE#uCW-c5t^!fl4AyzJ1_u?+WI$p%c#y zMe2gl2B0P+RdEZEg1oTRJ)i}QclwRV6GCkQZKbcSD6w%M&YhDVw-ZwVZYdm8sH4UsIe$!c z6#{yNfEBPsQ%aX`ryIQ4xh7%NW%MD&cd_9}!UWqs=()N@gPn5$5D-t_KWztMVP(BZ zqd5`sp*ZV7y&Kor_={Nk{O)qa@62(33x8AIBI&CzI^4uhlqgMPWK$M9rB=Osz(OE( z#UwBk(p2RPvK&WtyZnEfhJu9^->VgIA@)@SQR5{Qvvz5$3^Te8D|_%^Az67X65R8c z>$N`ty5t2&hf)~!8iUo8dVPpWe*=a~Se5%#=D(xRKq9O<6+DcXNWB&Wn4cv3+BB!c z#+^jFU`PQi%86ZVMt(HhPQ?i{V?2QF+vZ&V@Klke4&GQ)ljXME4 zLZaf@4Lnv6t-KxT2Z&@hUJ0dsE25oPj(3$9iVKquUI<1LMOj0Bu;0>muxKZtB1Q2m zup9MuDU}I6Rk$F|kP<|-@d*w2O@^CIaB~K`ycgtL(#d$v$Wt1sVRgOQ-BlEP7-M}S^h*iukj2QE72~UtTWn-qy6X;Cayw4H+?m5Y6x4A+ zn!)%ZX-%h_Xd&inhnvmt^OpK*oA%Zqi z6&s6Zp`A}X2qM}^=(h|@P12Qw`t}e>dzE!F#&EeoW3WjpgmaJtl{M}Dv87ZFt%|rA z_fcpn;QAfSDTlaGCtq`?V=EL>axW=LqavV;UZ>ZxhL{-qf(w7T`HXD7Oi6#PH>qx~ zv)*{X(i8Qx7W_cEM9BjpG| zweVP|6jrVtS2;nbAy~W;X0`gQRv8kiM3bGq z1Uufw-2?QKC-foK52#kI!zw`m^-6?T|7@o{4DCi3sIy^65`&>ZWyc3LtO@e;vDRT! 
z#Z^!4T1s;(p|R5h zD4eOsRWkbNtjDb+n4n;mk@OkTNk^jQ6tyFY10|iM2@@KGLVTZxYaxdz(4C`FYsV7$ zJkHPamoSqdsO&|3C1m(p9& z2+}P(im5G#7A(rOibmqgNaakGW{HWY=XOMuZi$PD#FiKJL|5)B#AFXo;yk|$y(A`m zOx~LYqlTa&SCQtM#@poy=DyI=8BBqrlGuTZl#hf` zdtc~JmZyhnhKn* zLoJ~)dKI!>3d>iLn}G;^D;eo#g4;-G@9dFDW$lgZkM4AmH`)QB(R^Y*=ZAS%w2`ba zT`7^49eyyu1qB3yRrAe#k9mh6+Y#B~ckewTd7bc640O@rTt7;?zf}R$+?iJ3(bFmy;AtL&9NdPY_V2Vx|Dk^?+64uj2J0{K3?J(g0mnZ{8|i!w5Lm5&wh?=9 zod%6aA8A!wo!ACSAgq;1UZy1T+iWdQ&{iSq(wfg-H8go$?|;i2peS@|%E|ARw-_HN zhu-A!u;krExbZ=+Na2uX)>`rERap)-gq&w1A+HdQM8v4G=+qsg?f6^SypWh9V_%D* z5m92W+i;Qmq&V_X;cxSr#QuO0oiYlw)ReL+1WG%+2vuURs)FmtR@L)dp|Y__YkP?G z9r)Y!>u5rMU50($?|G{nAcsN6k*SiV?%}?TqIi_uV*Y^T2dB!butJ>_?x+|SW+>Pw z`SKeuUs>FXUEF#?y3@et#kfdcxCy+S^BVQ5yzi}ZfbM&A(4tYgvK=-OW1b#jN zc2yNxjp%AhH_uXbmv^z->uk0jU68cks~FpLd~eSI_R$sbi)NBlsMg2^9F0-IqY0() zj7)vW)9O2rgo{EX!h{qx;zVi3lgIyDngayo1tqrztEQbr^)hRoT9kNkizSSPhAcbW zY6ZW(%Hqx#-)$C?b8Zr6=dzrq=KzNxMx#R7hmy`AEpJh&Wudn~)nqTGsUXuw2LD|X zS`XD=ZU+r+FmmtrPk}CBOg9?EL3q>s0Uze^L}+tg9$q~PYUCHDueQyv9sD{Y`wgK< z$1S#LuUX925dF=_+mXoE$8TMtdz$m~9N?7I5ywaqaSUd#7DQqt@$N*h6Fc*siL_)f zGc^_}s3+%bnHmGCwbewN6W910{RoAuV2N&va4p2anc9z-F5DS$Gy$N^+};RTcT3sMkJljHIbAw1`Ta zg5xFWSkw*-!3k;&5m)m_)Qla_?$d z(G0DE(AJG)SMZ0zfH)HsDH^l)d`f$>P9?M>_A{>2p$Y%@TUo{Z29NI8 zuk;+?8?NGkG~v5;oULSla=A^rTBTmA(Kl^yVN#~@0~1Hb&g5v(U{r5V-$9fnG+{Jo zG2aXgi&Jm$b4|PSc#VF2l94^zqrF%mX$&%uD@}aVDbjlyA?X|5<(vO&JqNgeXIw~` zJmzsS%4lhXMNMD{EtwiD4MuY0>g}B}LAXkjSdb*SD#>zyro?|-oLr;1pNkTkN<&AM znNP6`2EVw0TVJD|zQ=pP@Ov@-w|{s&2l)1D7(Ssm5hj^5?=w|{oq-{efk?E=lp~B= zyrwXQnY$VwuGY=y0GgQ<6I@UByo8zan3WRM)h2GUN_`6kc3`^k8J}?#V!Ri$OxNyX zdJb@bk3>$OaZrEA?c@Xgb)rd(I}G=gXbm|_6b^BeGFrLJu} P00000NkvXXu0mjfBA<6q literal 0 HcmV?d00001 From ebbe6caeb481cbba02d0926b197871b31d547282 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:16:50 +0800
Subject: [PATCH 507/523] build(deps): bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#4873) Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.60.1 to 0.61.0. - [Release notes](https://github.com/prometheus/common/releases) - [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md) - [Commits](https://github.com/prometheus/common/compare/v0.60.1...v0.61.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 19e5233b471..abf86c4b458 100644
--- a/go.mod
+++ b/go.mod
@@ -33,7 +33,7 @@ require (
 github.com/pkg/errors v0.9.1
 github.com/prometheus/client_golang v1.20.5
 github.com/prometheus/client_model v0.6.1
- github.com/prometheus/common v0.60.1
+ github.com/prometheus/common v0.61.0
 github.com/replicatedhq/troubleshoot v0.107.5
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
index 93c0c577c2d..ce1d6446c9a 100644
--- a/go.sum
+++ b/go.sum
@@ -700,8 +700,8 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc=
-github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
+github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
+github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
From 99ed77493805a5b234d15fceb542cf18049b9c48 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:17:35 +0800
Subject: [PATCH 508/523] build(deps): bump busybox from `db142d4` to `2919d01` in /tools/docker/envoy-gateway (#4920) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `db142d4` to `2919d01`. --- updated-dependencies: - dependency-name: busybox dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 tools/docker/envoy-gateway/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/docker/envoy-gateway/Dockerfile b/tools/docker/envoy-gateway/Dockerfile
index 78ba6679419..e55daffcf42 100644
--- a/tools/docker/envoy-gateway/Dockerfile
+++ b/tools/docker/envoy-gateway/Dockerfile
@@ -1,4 +1,4 @@
-FROM busybox@sha256:db142d433cdde11f10ae479dbf92f3b13d693fd1c91053da9979728cceb1dc68 AS source
+FROM busybox@sha256:2919d0172f7524b2d8df9e50066a682669e6d170ac0f6a49676d54358fe970b5 AS source
 # Create the data directory for eg
 RUN mkdir -p /var/lib/eg
From 575193bf83bcb74d548c479a36582990f7675064 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:20:42 +0800
Subject: [PATCH 509/523] build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 in /tools/github-actions/setup-deps (#4924) build(deps): bump actions/setup-go in /tools/github-actions/setup-deps Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.1.0 to 5.2.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed...3041bf56c941b39c61721a86cd11f3bb1338122a) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 tools/github-actions/setup-deps/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/github-actions/setup-deps/action.yaml b/tools/github-actions/setup-deps/action.yaml
index 6dca9f5e1c3..91657ffbc62 100644
--- a/tools/github-actions/setup-deps/action.yaml
+++ b/tools/github-actions/setup-deps/action.yaml
@@ -6,7 +6,7 @@ runs:
 steps:
 - shell: bash
 run: sudo apt-get install libbtrfs-dev -y
- - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.0.1
+ - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.0.1
 with:
 go-version: 1.23.x
 cache: true
From 37d3ce67e209b521a3613fa3463d954dc4882077 Mon Sep 17 00:00:00 2001
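Review bot: The trailing `# v5.0.1` comment on the new `uses:` line in tools/github-actions/setup-deps/action.yaml does not match the pinned commit, since the commit message says this SHA is the 5.2.0 release of actions/setup-go. With a SHA pin, that comment is the only human-readable record of which release is in use, so a stale tag misleads anyone auditing the pin or checking it against an advisory. The comment was already out of date on the removed line, and this bump carries it over unchanged. I would update it together with the SHA: `- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0`.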
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 16:23:07 +0800
Subject: [PATCH 510/523] build(deps): bump github.com/docker/cli from 27.3.1+incompatible to 27.4.0+incompatible (#4928) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.3.1+incompatible to 27.4.0+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.3.1...v27.4.0) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index abf86c4b458..205d498fa23 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/cenkalti/backoff/v4 v4.3.0
 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
- github.com/docker/cli v27.3.1+incompatible
+ github.com/docker/cli v27.4.0+incompatible
 github.com/docker/docker v27.3.1+incompatible
 github.com/dominikbraun/graph v0.23.0
 github.com/envoyproxy/go-control-plane v0.13.1
diff --git a/go.sum b/go.sum
index ce1d6446c9a..5fe2db7bd07 100644
--- a/go.sum
+++ b/go.sum
@@ -189,8 +189,8 @@ github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfG
 github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ=
-github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.4.0+incompatible h1:/nJzWkcI1MDMN+U+px/YXnQWJqnu4J+QKGTfD6ptiTc=
+github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
From 2a10d474fdfe2f3a9689266355fa6d89a042daac Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Fri, 20 Dec 2024 18:03:17 +0800
Subject: [PATCH 511/523] chore: fix typo (#4958) fix typo Signed-off-by: Huabing Zhao
---
 .../en/docs/tasks/extensibility/envoy-patch-policy.md | 6 +++---
 .../en/latest/tasks/extensibility/envoy-patch-policy.md | 6 +++---
 site/content/en/v0.5/user/envoy-patch-policy.md | 6 +++---
 site/content/en/v0.6/user/envoy-patch-policy.md | 6 +++---
 .../en/v1.0/tasks/extensibility/envoy-patch-policy.md | 2 +-
 .../en/v1.1/tasks/extensibility/envoy-patch-policy.md | 2 +-
 .../en/v1.2/tasks/extensibility/envoy-patch-policy.md | 6 +++---
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md
index 54e69f41d0f..9fddf7dc576 100644
--- a/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/docs/tasks/extensibility/envoy-patch-policy.md @@ -299,7 +299,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -331,7 +331,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -414,7 +414,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index 54e69f41d0f..9fddf7dc576 100644 --- a/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md 
@@ -299,7 +299,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -331,7 +331,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -414,7 +414,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/v0.5/user/envoy-patch-policy.md b/site/content/en/v0.5/user/envoy-patch-policy.md index cf1f1d78abe..453f53d2ef9 100644 --- a/site/content/en/v0.5/user/envoy-patch-policy.md +++ b/site/content/en/v0.5/user/envoy-patch-policy.md @@ -10,7 +10,7 @@ is unstable and the outcome may change across versions. Use at your own risk. ## Introduction The [EnvoyPatchPolicy][] API allows user to modify the output [xDS][] -configuration generated by Envoy Gateway intended for EnvoyProxy, +configuration generated by Envoy Gateway intended for EnvoyProxy, using [JSON Patch][] semantics. ## Motivation 
@@ -30,7 +30,7 @@ Before proceeding, you should be able to query the example backend using HTTP. * By default EnvoyPatchPolicy][] is disabled. Lets enable it in the [EnvoyGateway][] startup configuration * The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it -using a `ConfigMap`. In the next step, we will update this resource to enable EnvoyPatchPolicy. +using a `ConfigMap`. In the next step, we will update this resource to enable EnvoyPatchPolicy. ```shell @@ -188,7 +188,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/v0.6/user/envoy-patch-policy.md b/site/content/en/v0.6/user/envoy-patch-policy.md index da09f4a3263..f8a3efe848e 100644 --- a/site/content/en/v0.6/user/envoy-patch-policy.md +++ b/site/content/en/v0.6/user/envoy-patch-policy.md @@ -10,7 +10,7 @@ is unstable and the outcome may change across versions. Use at your own risk. ## Introduction The [EnvoyPatchPolicy][] API allows user to modify the output [xDS][] -configuration generated by Envoy Gateway intended for EnvoyProxy, +configuration generated by Envoy Gateway intended for EnvoyProxy, using [JSON Patch][] semantics. ## Motivation 
@@ -30,7 +30,7 @@ Before proceeding, you should be able to query the example backend using HTTP. * By default [EnvoyPatchPolicy][] is disabled. Lets enable it in the [EnvoyGateway][] startup configuration * The default installation of Envoy Gateway installs a default [EnvoyGateway][] configuration and attaches it -using a `ConfigMap`. In the next step, we will update this resource to enable EnvoyPatchPolicy. +using a `ConfigMap`. In the next step, we will update this resource to enable EnvoyPatchPolicy. ```shell @@ -188,7 +188,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/v1.0/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.0/tasks/extensibility/envoy-patch-policy.md index 83b95065a82..6496adbf6e2 100644 --- a/site/content/en/v1.0/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/v1.0/tasks/extensibility/envoy-patch-policy.md @@ -227,7 +227,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md index 3c4c0a4d068..318cfab8a31 100644 --- a/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/v1.1/tasks/extensibility/envoy-patch-policy.md 
@@ -340,7 +340,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output diff --git a/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md b/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md index 54e69f41d0f..9fddf7dc576 100644 --- a/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md +++ b/site/content/en/v1.2/tasks/extensibility/envoy-patch-policy.md @@ -299,7 +299,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -331,7 +331,7 @@ spec: op: add # Every virtual_host that ends with 'www_example_com' (using RegEx Filter) jsonPath: "..virtual_hosts[?match(@.name, '.*www_example_com')]" - # If the property does not exists, it can not be selected with jsonPath + # If the property does not exists, it can not be selected with jsonPath # Therefore the new property must be set in path path: "include_attempt_count_in_response" value: true @@ -414,7 +414,7 @@ status: ## Caveats -This API will always be an unstable API and the same outcome cannot be garunteed +This API will always be an unstable API and the same outcome cannot be guaranteed across versions for these reasons * The Envoy Proxy API might deprecate and remove API fields * Envoy Gateway might alter the xDS translation creating a different xDS output From 4a64034107a38e2ef09a0b5c277b7134023110e7 Mon Sep 17 00:00:00 2001 
From: sh2 Date: Mon, 23 Dec 2024 09:48:12 +0800 Subject: [PATCH 512/523] test: add test for file-provider (#4864) * add test for file-provider Signed-off-by: shawnh2 * fix lint & race test Signed-off-by: shawnh2 --------- Signed-off-by: shawnh2 --- internal/provider/file/file.go | 44 +++- internal/provider/file/file_test.go | 225 ++++++++++++++++++ .../provider/file/testdata/resources.all.yaml | 62 +++++ .../provider/file/testdata/resources.tmpl | 46 ++++ internal/utils/path/path.go | 9 + internal/utils/path/path_test.go | 59 +++++ 6 files changed, 432 insertions(+), 13 deletions(-) create mode 100644 internal/provider/file/file_test.go create mode 100644 internal/provider/file/testdata/resources.all.yaml create mode 100644 internal/provider/file/testdata/resources.tmpl diff --git a/internal/provider/file/file.go b/internal/provider/file/file.go index 4dcb2c61842..22452772fa2 100644 --- a/internal/provider/file/file.go +++ b/internal/provider/file/file.go @@ -12,6 +12,7 @@ import ( "os" "path/filepath" "strings" + "sync/atomic" "time" "github.com/fsnotify/fsnotify" @@ -31,6 +32,9 @@ type Provider struct { logger logr.Logger watcher filewatcher.FileWatcher resourcesStore *resourcesStore + + // ready indicates whether the provider can start watching filesystem events. + ready atomic.Bool } func New(svr *config.Server, resources *message.ProviderResources) (*Provider, error) { @@ -58,7 +62,13 @@ func (p *Provider) Start(ctx context.Context) error { }() // Start runnable servers. - go p.startHealthProbeServer(ctx) + var readyzChecker healthz.Checker = func(req *http.Request) error { + if !p.ready.Load() { + return fmt.Errorf("file provider not ready yet") + } + return nil + } + go p.startHealthProbeServer(ctx, readyzChecker) initDirs, initFiles := path.ListDirsAndFiles(p.paths) // Initially load resources from paths on host. 
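Review bot: In the `Start` hunk, the readiness checker returns `fmt.Errorf("file provider not ready yet")` with no formatting verbs and never reads its `req` parameter. If `errors` is imported (the import block is only partly visible), I would write `return errors.New("file provider not ready yet")` and declare the closure as `func(_ *http.Request) error`. Separately, the flag is only ever set to true (by the `p.ready.Store(true)` in the following hunk) and nothing visible clears it. A `defer p.ready.Store(false)` right after that store would stop `/readyz` from reporting ok once `Start` has returned, assuming the probe server can still be listening at that point. `Start` begins and ends outside this hunk.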
@@ -83,7 +93,9 @@ func (p *Provider) Start(ctx context.Context) error { }(ch) } + p.ready.Store(true) curDirs, curFiles := initDirs.Clone(), initFiles.Clone() + initFilesParent := path.GetParentDirs(initFiles.UnsortedList()) for { select { case <-ctx.Done(): @@ -102,29 +114,35 @@ func (p *Provider) Start(ctx context.Context) error { // temporary file when file is saved. So the watcher will only receive: // - Create event, with name "filename~". // - Remove event, with name "filename", but the file actually exist. - if initFiles.Has(event.Name) { + if initFilesParent.Has(filepath.Dir(event.Name)) { p.logger.Info("file changed", "op", event.Op, "name", event.Name) // For Write event, the file definitely exist. - if event.Has(fsnotify.Write) { + if initFiles.Has(event.Name) && event.Has(fsnotify.Write) { goto handle } - _, err := os.Lstat(event.Name) - if err != nil && os.IsNotExist(err) { - curFiles.Delete(event.Name) - } else { - curFiles.Insert(event.Name) + // Iter over the watched files to see the different. + for f := range initFiles { + _, err := os.Lstat(f) + if err != nil { + if os.IsNotExist(err) { + curFiles.Delete(f) + } else { + p.logger.Error(err, "stat file error", "name", f) + } + } else { + curFiles.Insert(f) + } } goto handle } // Ignore the hidden or temporary file related change event under a directory. - if _, name := filepath.Split(event.Name); strings.HasPrefix(name, ".") || - strings.HasSuffix(name, "~") { + if _, name := filepath.Split(event.Name); strings.HasPrefix(name, ".") || strings.HasSuffix(name, "~") { continue } - p.logger.Info("file changed", "op", event.Op, "name", event.Name) + p.logger.Info("file changed", "op", event.Op, "name", event.Name, "dir", filepath.Dir(event.Name)) switch event.Op { case fsnotify.Create, fsnotify.Write, fsnotify.Remove: 
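Review bot: The widened condition `initFilesParent.Has(filepath.Dir(event.Name))` matches every event in a directory that holds a watched file, including unrelated siblings and the hidden or `~` files that the filter below it was meant to drop. Each such event logs "file changed", stats every watched file and jumps to `handle` unconditionally, which presumably triggers a full reload. If a watched file sits in a directory that other processes or users can write to, they can drive reloads at will. I would jump to `handle` only when the event names a watched file or the re-stat actually changed `curFiles`, and `continue` otherwise, as sketched below. The enclosing `Start` loop begins and ends outside this hunk, so the `handle` label itself is not visible here.

```go
if initFilesParent.Has(filepath.Dir(event.Name)) {
	// … unchanged: log line and the Write fast path …

	// Re-stat the watched files; remember whether the set changed.
	changed := false
	for f := range initFiles {
		_, err := os.Lstat(f)
		switch {
		case err == nil:
			if !curFiles.Has(f) {
				curFiles.Insert(f)
				changed = true
			}
		case os.IsNotExist(err):
			if curFiles.Has(f) {
				curFiles.Delete(f)
				changed = true
			}
		default:
			p.logger.Error(err, "stat file error", "name", f)
		}
	}
	// A sibling event that touched no watched file needs no reload.
	if !changed && !initFiles.Has(event.Name) {
		continue
	}
	goto handle
}
```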
@@ -142,7 +160,7 @@ func (p *Provider) Start(ctx context.Context) error { } } -func (p *Provider) startHealthProbeServer(ctx context.Context) { +func (p *Provider) startHealthProbeServer(ctx context.Context, readyzChecker healthz.Checker) { const ( readyzEndpoint = "/readyz" healthzEndpoint = "/healthz" @@ -159,7 +177,7 @@ func (p *Provider) startHealthProbeServer(ctx context.Context) { readyzHandler := &healthz.Handler{ Checks: map[string]healthz.Checker{ - readyzEndpoint: healthz.Ping, + readyzEndpoint: readyzChecker, }, } mux.Handle(readyzEndpoint, http.StripPrefix(readyzEndpoint, readyzHandler)) diff --git a/internal/provider/file/file_test.go b/internal/provider/file/file_test.go new file mode 100644 index 00000000000..8f681d47d54 --- /dev/null +++ b/internal/provider/file/file_test.go 
@@ -0,0 +1,225 @@ +// Copyright Envoy Gateway Authors +// SPDX-License-Identifier: Apache-2.0 +// The full text of the Apache license is available in the LICENSE file at +// the root of the repo. + +package file + +import ( + "context" + "html/template" + "io" + "net/http" + "os" + "path/filepath" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/stretchr/testify/require" + "sigs.k8s.io/yaml" + + egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1" + "github.com/envoyproxy/gateway/internal/envoygateway/config" + "github.com/envoyproxy/gateway/internal/gatewayapi/resource" + "github.com/envoyproxy/gateway/internal/message" +) + +const ( + resourcesUpdateTimeout = 1 * time.Minute + resourcesUpdateTick = 1 * time.Second +) + +type resourcesParam struct { + GatewayClassName string + GatewayName string + GatewayListenerPort string + HTTPRouteName string + BackendName string +} + +func newDefaultResourcesParam() *resourcesParam { + return &resourcesParam{ + GatewayClassName: "eg", + GatewayName: "eg", + GatewayListenerPort: "8888", + HTTPRouteName: "backend", + BackendName: "backend", + } +} + +func newFileProviderConfig(paths []string) (*config.Server, error) { + cfg, err := config.New() + if err != nil { + return nil, err + } + + cfg.EnvoyGateway.Provider = &egv1a1.EnvoyGatewayProvider{ + Type: egv1a1.ProviderTypeCustom, + Custom: &egv1a1.EnvoyGatewayCustomProvider{ + Resource: egv1a1.EnvoyGatewayResourceProvider{ + Type: egv1a1.ResourceProviderTypeFile, + File: &egv1a1.EnvoyGatewayFileResourceProvider{ + Paths: paths, + }, + }, + }, + } + return cfg, nil +} + +func TestFileProvider(t *testing.T) { + watchFileBase, _ := os.MkdirTemp(os.TempDir(), "test-files-*") + watchFilePath := filepath.Join(watchFileBase, "test.yaml") + watchDirPath, _ := os.MkdirTemp(os.TempDir(), "test-dir-*") + // Prepare the watched test file. 
+ writeResourcesFile(t, "testdata/resources.tmpl", watchFilePath, newDefaultResourcesParam()) + require.FileExists(t, watchFilePath) + require.DirExists(t, watchDirPath) + + cfg, err := newFileProviderConfig([]string{watchFilePath, watchDirPath}) + require.NoError(t, err) + pResources := new(message.ProviderResources) + fp, err := New(cfg, pResources) + require.NoError(t, err) + // Start file provider. + go func() { + if err := fp.Start(context.Background()); err != nil { + t.Errorf("failed to start file provider: %v", err) + } + }() + + // Wait for file provider to be ready. + waitFileProviderReady(t) + + require.Equal(t, "gateway.envoyproxy.io/gatewayclass-controller", fp.resourcesStore.name) + + t.Run("initial resource load", func(t *testing.T) { + require.NotZero(t, pResources.GatewayAPIResources.Len()) + resources := pResources.GetResourcesByGatewayClass("eg") + require.NotNil(t, resources) + + want := &resource.Resources{} + mustUnmarshal(t, "testdata/resources.all.yaml", want) + + opts := []cmp.Option{ + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + cmpopts.EquateEmpty(), + } + require.Empty(t, cmp.Diff(want, resources, opts...)) + }) + + t.Run("rename the watched file then rename it back", func(t *testing.T) { + // Rename it + renameFilePath := filepath.Join(watchFileBase, "foobar.yaml") + err := os.Rename(watchFilePath, renameFilePath) + require.NoError(t, err) + require.Eventually(t, func() bool { + return pResources.GetResourcesByGatewayClass("eg") == nil + }, resourcesUpdateTimeout, resourcesUpdateTick) + + // Rename it back + err = os.Rename(renameFilePath, watchFilePath) + require.NoError(t, err) + require.Eventually(t, func() bool { + return pResources.GetResourcesByGatewayClass("eg") != nil + }, resourcesUpdateTimeout, resourcesUpdateTick) + + resources := pResources.GetResourcesByGatewayClass("eg") + want := &resource.Resources{} + mustUnmarshal(t, "testdata/resources.all.yaml", want) + + opts := []cmp.Option{ + 
cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + cmpopts.EquateEmpty(), + } + require.Empty(t, cmp.Diff(want, resources, opts...)) + }) + + t.Run("remove the watched file", func(t *testing.T) { + err := os.Remove(watchFilePath) + require.NoError(t, err) + require.Eventually(t, func() bool { + return pResources.GetResourcesByGatewayClass("eg") == nil + }, resourcesUpdateTimeout, resourcesUpdateTick) + }) + + t.Run("add a file in watched dir", func(t *testing.T) { + // Write a new file under watched directory. + newFilePath := filepath.Join(watchDirPath, "test.yaml") + writeResourcesFile(t, "testdata/resources.tmpl", newFilePath, newDefaultResourcesParam()) + + require.Eventually(t, func() bool { + return pResources.GetResourcesByGatewayClass("eg") != nil + }, resourcesUpdateTimeout, resourcesUpdateTick) + + resources := pResources.GetResourcesByGatewayClass("eg") + want := &resource.Resources{} + mustUnmarshal(t, "testdata/resources.all.yaml", want) + + opts := []cmp.Option{ + cmpopts.IgnoreFields(resource.Resources{}, "serviceMap"), + cmpopts.EquateEmpty(), + } + require.Empty(t, cmp.Diff(want, resources, opts...)) + }) + + t.Run("remove a file in watched dir", func(t *testing.T) { + newFilePath := filepath.Join(watchDirPath, "test.yaml") + err := os.Remove(newFilePath) + require.NoError(t, err) + require.Eventually(t, func() bool { + return pResources.GetResourcesByGatewayClass("eg") == nil + }, resourcesUpdateTimeout, resourcesUpdateTick) + }) + + t.Cleanup(func() { + _ = os.RemoveAll(watchFileBase) + _ = os.RemoveAll(watchDirPath) + }) +} + +func writeResourcesFile(t *testing.T, tmpl, dst string, params *resourcesParam) { + dstFile, err := os.Create(dst) + require.NoError(t, err) + + // Write parameters into target file. 
+ tmplFile, err := template.ParseFiles(tmpl) + require.NoError(t, err) + + err = tmplFile.Execute(dstFile, params) + require.NoError(t, err) + require.NoError(t, dstFile.Close()) +} + +func waitFileProviderReady(t *testing.T) { + require.Eventually(t, func() bool { + resp, err := http.Get("http://localhost:8081/readyz") + if err != nil { + t.Logf("failed to get from heathlz server") + return false + } + + body, err := io.ReadAll(resp.Body) + defer resp.Body.Close() + if err != nil { + t.Logf("failed to get body from response") + return false + } + + if string(body) != "ok" { + t.Logf("the file provider is not ready yet") + return false + } + return true + }, 3*resourcesUpdateTimeout, resourcesUpdateTick) +} + +func mustUnmarshal(t *testing.T, path string, out interface{}) { + t.Helper() + + content, err := os.ReadFile(path) + require.NoError(t, err) + require.NoError(t, yaml.UnmarshalStrict(content, out, yaml.DisallowUnknownFields)) +} diff --git a/internal/provider/file/testdata/resources.all.yaml b/internal/provider/file/testdata/resources.all.yaml new file mode 100644 index 00000000000..079647dc6c0 --- /dev/null +++ b/internal/provider/file/testdata/resources.all.yaml 
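Review bot: `writeResourcesFile` renders a YAML fixture through `html/template`, which HTML-escapes interpolated values, so any parameter containing `&`, `<` or a quote would land in the file escaped. The import should be `"text/template"`; the current defaults happen to contain none of those characters, which is why the test passes. Separately, `fp.Start(context.Background())` is never cancelled, so the provider goroutine and its probe listener on port 8081 outlive the test and `t.Errorf` can fire after the test has finished. `ctx, cancel := context.WithCancel(context.Background())` with `t.Cleanup(cancel)` would bound it. The two `os.MkdirTemp` calls discard their errors and are cleaned up only if the test reaches the final `t.Cleanup` registration; `t.TempDir()` avoids both problems.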
@@ -0,0 +1,62 @@ +backends: +- kind: Backend + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 + status: {} +gatewayClass: + kind: GatewayClass + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + status: {} +gateways: +- kind: Gateway + metadata: + creationTimestamp: null + name: eg + namespace: envoy-gateway-system + spec: + gatewayClassName: eg + listeners: + - name: http + port: 8888 + protocol: HTTP + status: {} +httpRoutes: +- kind: HTTPRoute + metadata: + creationTimestamp: null + name: backend + namespace: envoy-gateway-system + spec: + hostnames: + - www.example.com + parentRefs: + - name: eg + rules: + - backendRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend + matches: + - path: + type: PathPrefix + value: / + status: + parents: null +namespaces: +- metadata: + creationTimestamp: null + name: envoy-gateway-system + spec: {} + status: {} diff --git a/internal/provider/file/testdata/resources.tmpl b/internal/provider/file/testdata/resources.tmpl new file mode 100644 index 00000000000..f34bf1e0c3c --- /dev/null +++ b/internal/provider/file/testdata/resources.tmpl 
@@ -0,0 +1,46 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: {{.GatewayClassName}} +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{.GatewayName}} +spec: + gatewayClassName: {{.GatewayClassName}} + listeners: + - name: http + protocol: HTTP + port: {{.GatewayListenerPort}} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{.HTTPRouteName}} +spec: + parentRefs: + - name: {{.GatewayName}} + hostnames: + - "www.example.com" + rules: + - backendRefs: + - group: "gateway.envoyproxy.io" + kind: Backend + name: {{.BackendName}} + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: Backend +metadata: + name: {{.BackendName}} +spec: + endpoints: + - ip: + address: 0.0.0.0 + port: 3000 diff --git a/internal/utils/path/path.go b/internal/utils/path/path.go index 4291dd58848..5a0793eff1e 100644 --- a/internal/utils/path/path.go +++ b/internal/utils/path/path.go @@ -56,3 +56,12 @@ func ListDirsAndFiles(paths []string) (dirs sets.Set[string], files sets.Set[str return } + +// GetParentDirs returns all the parent directories of given files. +func GetParentDirs(files []string) sets.Set[string] { + parents := sets.New[string]() + for _, f := range files { + parents.Insert(filepath.Dir(f)) + } + return parents +} diff --git a/internal/utils/path/path_test.go b/internal/utils/path/path_test.go index 8b3db14784d..8d1883ea336 100644 --- a/internal/utils/path/path_test.go +++ b/internal/utils/path/path_test.go 
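Review bot: The doc comment on `GetParentDirs` promises "all the parent directories of given files", but the body inserts only `filepath.Dir(f)`, the immediate parent. For an input ending in a separator that is the directory itself, which the "all dirs" case in path_test.go relies on. I would reword it to `// GetParentDirs returns the set of immediate parent directories (filepath.Dir) of the given paths; a path with a trailing separator yields that directory itself.` The caller in file.go compares this set against `filepath.Dir(event.Name)`, so it is also worth stating that paths are compared as given, without being made absolute.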
@@ -64,3 +64,62 @@ func TestListDirsAndFiles(t *testing.T) { }) } } + +func TestGetParentDirs(t *testing.T) { + aPaths := path.Join("a") + bPaths := path.Join("a", "b") + cPaths := path.Join("a", "b", "c") + + testCases := []struct { + name string + paths []string + expectParentDirs []string + }{ + { + name: "all files", + paths: []string{ + path.Join(cPaths, "foo"), + path.Join(bPaths, "bar"), + }, + expectParentDirs: []string{ + cPaths, + bPaths, + }, + }, + { + name: "all dirs", + paths: []string{ + bPaths + "/", + cPaths + "/", + }, + expectParentDirs: []string{ + bPaths, + cPaths, + }, + }, + { + name: "mixed files and dirs", + paths: []string{ + path.Join(cPaths, "foo"), + path.Join(cPaths, "bar"), + path.Join(bPaths, "foo"), + path.Join(bPaths, "bar"), + aPaths + "/", + bPaths + "/", + cPaths + "/", + }, + expectParentDirs: []string{ + cPaths, + bPaths, + aPaths, + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + parents := GetParentDirs(tc.paths) + require.ElementsMatch(t, parents.UnsortedList(), tc.expectParentDirs) + }) + } +} From ed0b2b6095607ef32658b4c2108329c80938ee49 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:23:22 +0800 Subject: [PATCH 513/523] build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates (#4926) * build(deps): bump the go-opentelemetry-io group across 1 directory with 8 updates Bumps the go-opentelemetry-io group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) | `1.32.0` | `1.33.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.32.0` | `1.33.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp](https://github.com/open-telemetry/opentelemetry-go) | `1.32.0` | `1.33.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.54.0` | `0.55.0` | | [go.opentelemetry.io/otel/exporters/stdout/stdoutmetric](https://github.com/open-telemetry/opentelemetry-go) | `1.32.0` | `1.33.0` | Updates `go.opentelemetry.io/otel` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - 
[Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.54.0 to 0.55.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/exporters/prometheus/v0.54.0...exporters/prometheus/v0.55.0) Updates `go.opentelemetry.io/otel/exporters/stdout/stdoutmetric` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/metric` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/sdk` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.32.0 to 1.33.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: 
version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdoutmetric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zirain Co-authored-by: Huabing (Robin) Zhao --- .github/dependabot.yml | 1 + examples/extension-server/go.mod | 4 +-- examples/extension-server/go.sum | 8 +++--- go.mod | 23 ++++++++-------- go.sum | 46 +++++++++++++++++--------------- 5 files changed, 43 insertions(+), 39 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 03b7824c4da..8e8d33c94f1 100644 --- a/.github/dependabot.yml 
+++ b/.github/dependabot.yml @@ -38,6 +38,7 @@ updates: patterns: - "golang.org/*" - "google.golang.org/*" + - "google.golang.org/genproto/googleapis/*" - package-ecosystem: pip directories: - /tools/src/codespell diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 9d2994afdb0..8a388c6c51e 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -34,8 +34,8 @@ require ( golang.org/x/net v0.32.0 // indirect golang.org/x/sys v0.28.0 // indirect golang.org/x/text v0.21.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 2c209e9586d..2fbdb6f13db 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -106,10 +106,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q= +google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= diff --git a/go.mod b/go.mod index 205d498fa23..67e5d10411d 100644 --- a/go.mod +++ b/go.mod 
@@ -41,20 +41,20 @@ require ( github.com/telepresenceio/watchable v0.0.0-20220726211108-9bb86f92afa7 github.com/tetratelabs/func-e v1.1.5-0.20240822223546-c85a098d5bf0 github.com/tsaarni/certyaml v0.10.0 - go.opentelemetry.io/otel v1.32.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 - go.opentelemetry.io/otel/exporters/prometheus v0.54.0 - go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 - go.opentelemetry.io/otel/metric v1.32.0 - go.opentelemetry.io/otel/sdk v1.32.0 - go.opentelemetry.io/otel/sdk/metric v1.32.0 + go.opentelemetry.io/otel v1.33.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.33.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.33.0 + go.opentelemetry.io/otel/exporters/prometheus v0.55.0 + go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.33.0 + go.opentelemetry.io/otel/metric v1.33.0 + go.opentelemetry.io/otel/sdk v1.33.0 + go.opentelemetry.io/otel/sdk/metric v1.33.0 go.opentelemetry.io/proto/otlp v1.4.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e golang.org/x/net v0.32.0 golang.org/x/sys v0.28.0 - google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 + google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 
@@ -256,11 +256,12 @@ require ( go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect go.etcd.io/etcd/client/v3 v3.5.14 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect - go.opentelemetry.io/otel/trace v1.32.0 // indirect + go.opentelemetry.io/otel/trace v1.33.0 // indirect go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/crypto v0.31.0 // indirect @@ -273,7 +274,7 @@ require ( golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 5fe2db7bd07..39480ddb0e3 100644 --- a/go.sum +++ b/go.sum 
@@ -886,38 +886,40 @@ go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1 h1:ysCfPZB9AjUlMa1UHYup3c9dAOCMQX/6sxSfPBUoxHw= go.opentelemetry.io/contrib/exporters/autoexport v0.46.1/go.mod h1:ha0aiYm+DOPsLHjh0zoQ8W8sLT+LJ58J3j47lGpSLrU= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= -go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8= +go.opentelemetry.io/otel v1.33.0 
h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= +go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.33.0 h1:7F29RDmnlqk6B5d+sUqemt8TBfDqxryYW5gX6L74RFA= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.33.0/go.mod h1:ZiGDq7xwDMKmWDrN1XsXAj0iC7hns+2DhxBFSncNHSE= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.33.0 h1:bSjzTvsXZbLSWU8hnZXcKmEVaJjjnandxD0PxThhVU8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.33.0/go.mod h1:aj2rilHL8WjXY1I5V+ra+z8FELtk681deydgYT8ikxU= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 h1:digkEZCJWobwBqMwC0cwCq8/wkkRy/OowZg5OArWZrM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0/go.mod h1:/OpE/y70qVkndM0TrxT4KBoN3RsFZP0QaofcfYrj76I= -go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU= -go.opentelemetry.io/otel/exporters/prometheus v0.54.0/go.mod h1:QyjcV9qDP6VeK5qPyKETvNjmaaEc7+gqjh4SS0ZYzDU= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8= -go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk= +go.opentelemetry.io/otel/exporters/prometheus v0.55.0 h1:sSPw658Lk2NWAv74lkD3B/RSDb+xRFx46GjkrL3VUZo= +go.opentelemetry.io/otel/exporters/prometheus v0.55.0/go.mod 
h1:nC00vyCmQixoeaxF6KNyP42II/RHa9UdruK02qBmHvI= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.33.0 h1:FiOTYABOX4tdzi8A0+mtzcsTmi6WBOxk66u0f1Mj9Gs= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.33.0/go.mod h1:xyo5rS8DgzV0Jtsht+LCEMwyiDbjpsxBpWETwFRF0/4= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0 h1:VhlEQAPp9R1ktYfrPk5SOryw1e9LDDTZCbIPFrho0ec= go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.21.0/go.mod h1:kB3ufRbfU+CQ4MlUcqtW8Z7YEOBeK2DJ6CmR5rYYF3E= -go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= -go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= -go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= -go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= -go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= -go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= -go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= -go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= +go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= +go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= +go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= +go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= +go.opentelemetry.io/otel/sdk/metric v1.33.0 h1:Gs5VK9/WUJhNXZgn8MR6ITatvAmKeIuCtNbsP3JkNqU= +go.opentelemetry.io/otel/sdk/metric v1.33.0/go.mod h1:dL5ykHZmm1B1nVRk9dDjChwDmt81MjVp3gLkQRwKf/Q= +go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= +go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= 
go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= 
@@ -1086,10 +1088,10 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q= +google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= From c84f9c36a61a0a809eede3d4102595943105e227 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:23:38 +0800 Subject: [PATCH 514/523] build(deps): bump helm.sh/helm/v3 from 3.16.3 to 3.16.4 (#4966) Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.16.3 to 3.16.4. - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.16.3...v3.16.4) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 67e5d10411d..7d5391b011e 100644 --- a/go.mod +++ b/go.mod @@ -58,7 +58,7 @@ require ( google.golang.org/grpc v1.68.1 google.golang.org/protobuf v1.35.2 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.16.3 + helm.sh/helm/v3 v3.16.4 k8s.io/api v0.31.3 k8s.io/apiextensions-apiserver v0.31.3 k8s.io/apimachinery v0.31.3 diff --git a/go.sum b/go.sum index 39480ddb0e3..ec760cecd2d 100644 --- a/go.sum +++ b/go.sum 
@@ -1152,8 +1152,8 @@ gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.16.3 h1:kb8bSxMeRJ+knsK/ovvlaVPfdis0X3/ZhYCSFRP+YmY= -helm.sh/helm/v3 v3.16.3/go.mod h1:zeVWGDR4JJgiRbT3AnNsjYaX8OTJlIE9zC+Q7F7iUSU= +helm.sh/helm/v3 v3.16.4 h1:rBn/h9MACw+QlhxQTjpl8Ifx+VTWaYsw3rguGBYBzr0= +helm.sh/helm/v3 v3.16.4/go.mod h1:k8QPotUt57wWbi90w3LNmg3/MWcLPigVv+0/X4B8BzA= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 28e209f0629f17c0181d77957aa77749873faa87 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:23:49 +0800 Subject: [PATCH 515/523] build(deps): bump github.com/docker/docker from 27.3.1+incompatible to 27.4.1+incompatible (#4965) build(deps): bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.3.1+incompatible to 27.4.1+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v27.3.1...v27.4.1) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7d5391b011e..de7652479f0 100644 
--- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/docker/cli v27.4.0+incompatible - github.com/docker/docker v27.3.1+incompatible + github.com/docker/docker v27.4.1+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.13.1 github.com/envoyproxy/ratelimit v1.4.1-0.20230427142404-e2a87f41d3a7 diff --git a/go.sum b/go.sum index ec760cecd2d..c7a23fa61dd 100644 --- a/go.sum +++ b/go.sum @@ -194,8 +194,8 @@ github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= -github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.4.1+incompatible h1:ZJvcY7gfwHn1JF48PfbyXg7Jyt9ZCWDW+GGXOIxEwp4= +github.com/docker/docker v27.4.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= From 2f5357ca1a78ff990effe42eefdd2c900aad970f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:24:23 +0800 Subject: [PATCH 516/523] build(deps): bump github.com/bufbuild/buf from 1.47.3-0.20241205173812-f93c18a3b7ff to 1.48.0 in /tools/src/buf (#4963) build(deps): bump github.com/bufbuild/buf in /tools/src/buf Bumps [github.com/bufbuild/buf](https://github.com/bufbuild/buf) from 1.47.3-0.20241205173812-f93c18a3b7ff to 1.48.0. - [Release notes](https://github.com/bufbuild/buf/releases) - [Changelog](https://github.com/bufbuild/buf/blob/main/CHANGELOG.md) - [Commits](https://github.com/bufbuild/buf/commits/v1.48.0) --- updated-dependencies: - dependency-name: github.com/bufbuild/buf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/buf/go.mod | 69 ++++++++++---------- tools/src/buf/go.sum | 146 ++++++++++++++++++++++--------------------- 2 files changed, 108 insertions(+), 107 deletions(-) diff --git a/tools/src/buf/go.mod b/tools/src/buf/go.mod index b737e498e97..156daeac52e 100644 --- a/tools/src/buf/go.mod +++ b/tools/src/buf/go.mod 
@@ -2,18 +2,18 @@ module local go 1.23.3 -require github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff +require github.com/bufbuild/buf v1.48.0 require ( - buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1 // indirect - buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1 // indirect - buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1 // indirect - buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1 // indirect - buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1 // indirect + buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.0-20241031151143-70f632351282.1 // indirect + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.0-20241127180247-a33202765966.1 // indirect + buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241210175624-28487aef65cd.1 // indirect + buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.0-20241210175624-28487aef65cd.1 // indirect + buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.0-20241007202033-cf42259fcbfc.1 // indirect buf.build/go/bufplugin v0.6.0 // indirect - buf.build/go/protoyaml v0.2.0 // indirect + buf.build/go/protoyaml v0.3.1 // indirect buf.build/go/spdx v0.2.0 // indirect - cel.dev/expr v0.18.0 // indirect + cel.dev/expr v0.19.1 // indirect connectrpc.com/connect v1.17.0 // indirect connectrpc.com/otelconnect v0.7.1 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect 
@@ -22,37 +22,37 @@ require ( github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/bufbuild/protocompile v0.14.1 // indirect github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a // indirect - github.com/bufbuild/protovalidate-go v0.7.3 // indirect - github.com/containerd/cgroups/v3 v3.0.4 // indirect + github.com/bufbuild/protovalidate-go v0.8.0 // indirect + github.com/containerd/cgroups/v3 v3.0.5 // indirect github.com/containerd/containerd v1.7.24 // indirect github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v0.2.1 // indirect - github.com/containerd/stargz-snapshotter/estargz v0.16.1 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect github.com/containerd/ttrpc v1.2.6 // indirect github.com/containerd/typeurl/v2 v2.2.3 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/cli v27.3.1+incompatible // indirect + github.com/docker/cli v27.4.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v27.3.1+incompatible // indirect + github.com/docker/docker v27.4.1+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/felixge/fgprof v0.9.5 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-chi/chi/v5 v5.1.0 // indirect + github.com/go-chi/chi/v5 v5.2.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gofrs/flock v0.12.1 // indirect github.com/gogo/protobuf v1.3.2 // 
indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/cel-go v0.22.1 // indirect github.com/google/go-containerregistry v0.20.2 // indirect - github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b // indirect + github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -80,7 +80,6 @@ require ( github.com/pkg/profile v1.7.0 // indirect github.com/quic-go/qpack v0.5.1 // indirect github.com/quic-go/quic-go v0.48.2 // indirect - github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/segmentio/asm v1.2.0 // indirect 
@@ -96,29 +95,29 @@ require ( go.lsp.dev/protocol v0.12.0 // indirect go.lsp.dev/uri v0.3.0 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect - go.opentelemetry.io/otel v1.32.0 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect + go.opentelemetry.io/otel v1.33.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.32.0 // indirect - go.opentelemetry.io/otel/sdk v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.32.0 // indirect + go.opentelemetry.io/otel/metric v1.33.0 // indirect + go.opentelemetry.io/otel/trace v1.33.0 // indirect go.uber.org/mock v0.5.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect go.uber.org/zap/exp v0.3.0 // indirect - golang.org/x/crypto v0.29.0 // indirect - golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect + golang.org/x/crypto v0.31.0 // indirect + golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect golang.org/x/mod v0.22.0 // indirect - golang.org/x/net v0.31.0 // indirect - golang.org/x/sync v0.9.0 // indirect - golang.org/x/sys v0.27.0 // indirect - golang.org/x/term v0.26.0 // indirect - golang.org/x/text v0.20.0 // indirect - golang.org/x/tools v0.27.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect - google.golang.org/grpc v1.68.0 // indirect - google.golang.org/protobuf v1.35.2 // indirect + golang.org/x/net v0.33.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect + golang.org/x/tools v0.28.0 // indirect + google.golang.org/genproto/googleapis/api 
v0.0.0-20241219192143-6b3ec007d9bb // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb // indirect + google.golang.org/grpc v1.69.2 // indirect + google.golang.org/protobuf v1.36.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect pluginrpc.com/pluginrpc v0.5.0 // indirect ) diff --git a/tools/src/buf/go.sum b/tools/src/buf/go.sum index c8862deb4da..2b3201cf501 100644 --- a/tools/src/buf/go.sum +++ b/tools/src/buf/go.sum 
@@ -1,21 +1,21 @@ -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1 h1:d6K/z/RqVYxeAsAIGaIBDjFmmAz6A0Fp21pZXNlAxZs= -buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.35.2-20241031151143-70f632351282.1/go.mod h1:vKDy7lD1bsN2UjeLhqklPEjIsHfHAPgMb/PbRx2EFDc= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1 h1:7QIeAuTdLp173vC/9JojRMDFcpmqtoYrxPmvdHAOynw= -buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1/go.mod h1:mnHCFccv4HwuIAOHNGdiIc5ZYbBCvbTWZcodLN5wITI= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1 h1:q3PKZJfOuSZR8KC0asyo7EFID/3613pDFzFYAAO+Gd4= -buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241125212318-4a305dc3b757.1/go.mod h1:w+XYJEgdkHK5XJ+44Eq2YD02DZVLFNFjfwFKPz0nZcg= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1 h1:m2QVURqXvfedovCeWV5CsWm3VIrD87RHL+9P9o7HB84= -buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.35.2-20241125212318-4a305dc3b757.1/go.mod h1:EQCcR04Wp6ffVPfxNb4ZXAVJXrZJopDNKQWp37BDCgU= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1 h1:FcoYwX9eJhc73MdVlqyJjMOQ863akpHK0VEQ/+Zkt9U= -buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.35.2-20241007202033-cf42259fcbfc.1/go.mod h1:uTCf/J5B6H9XCTgHuI91LC9qaNqxJxQFh0kDY/GLn2k= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.0-20241031151143-70f632351282.1 h1:FXEFgDFrBYuXjn3twNRo/t80qSbdKmkfZSgR2JGTuyk= +buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.0-20241031151143-70f632351282.1/go.mod h1:/bPD5uslGsdRKBeVavIK7D7yr+3ISI0OoyUOkokSJTA= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.0-20241127180247-a33202765966.1 h1:ntAj16eF7AtUyzOOAFk5gvbAO52QmUKPKk7GmsIEORo= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go 
v1.36.0-20241127180247-a33202765966.1/go.mod h1:AxRT+qTj5PJCz2nyQzsR/qxAcveW5USRhJTt/edTO5w= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241210175624-28487aef65cd.1 h1:x8cCitPNXODGzWbfApZMFc4ALtRe5LZJmTdAkNqk62A= +buf.build/gen/go/bufbuild/registry/connectrpc/go v1.17.0-20241210175624-28487aef65cd.1/go.mod h1:kDOQd1sZ0wRp33hvCTQeaz9KprnHNfJ+a8dcIQ/6+0k= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.0-20241210175624-28487aef65cd.1 h1:NOuNS+nCp3xc4CALIC7sNz7irT63UMcYAfofrxurUfE= +buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.36.0-20241210175624-28487aef65cd.1/go.mod h1:NeX3YCZgM9E/wNp9e3g/9u5bu8/OPntr7K0ygUlgrDE= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.0-20241007202033-cf42259fcbfc.1 h1:HuK77NuzllXrJNgB+lAtnG2dKrB7WAjd9QQ+n0zTQHc= +buf.build/gen/go/pluginrpc/pluginrpc/protocolbuffers/go v1.36.0-20241007202033-cf42259fcbfc.1/go.mod h1:BLQCnWbu3tZcKQfbU1f5ysbRk55FDFwOvjlyzN+uLXg= buf.build/go/bufplugin v0.6.0 h1:3lhoh+0z+IUPS3ZajTPn/27LaLIkero2BDVnV7yXD1s= buf.build/go/bufplugin v0.6.0/go.mod h1:hWCjxxv24xdR6F5pNlQavZV2oo0J3uF4Ff1XEoyV6vU= -buf.build/go/protoyaml v0.2.0 h1:2g3OHjtLDqXBREIOjpZGHmQ+U/4mkN1YiQjxNB68Ip8= -buf.build/go/protoyaml v0.2.0/go.mod h1:L/9QvTDkTWcDTzAL6HMfN+mYC6CmZRm2KnsUA054iL0= +buf.build/go/protoyaml v0.3.1 h1:ucyzE7DRnjX+mQ6AH4JzN0Kg50ByHHu+yrSKbgQn2D4= +buf.build/go/protoyaml v0.3.1/go.mod h1:0TzNpFQDXhwbkXb/ajLvxIijqbve+vMQvWY/b3/Dzxg= buf.build/go/spdx v0.2.0 h1:IItqM0/cMxvFJJumcBuP8NrsIzMs/UYjp/6WSpq8LTw= buf.build/go/spdx v0.2.0/go.mod h1:bXdwQFem9Si3nsbNy8aJKGPoaPi5DKwdeEp5/ArZ6w8= -cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= -cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4= +cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= connectrpc.com/connect 
v1.17.0 h1:W0ZqMhtVzn9Zhn2yATuUokDLO5N+gIuBWMOnsQrfmZk= connectrpc.com/connect v1.17.0/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8= 
@@ -32,14 +32,14 @@ github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6 github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= -github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff h1:BC18kC7Ct9bKHle7IajnayVArjjfzCMoxqOTk8zcdQc= -github.com/bufbuild/buf v1.47.3-0.20241205173812-f93c18a3b7ff/go.mod h1:9HgwgXevh9xuFX0QJf8fl0SB6Ws52QwbWkS2bcRyGXE= +github.com/bufbuild/buf v1.48.0 h1:JiA1Ynz6DE/MBDcEsFvWNoaPhnjaSdLzKH00/5SWomg= +github.com/bufbuild/buf v1.48.0/go.mod h1:lHjK93s3FLn6GOec0f2uqFeREhfL0Qw5dvZ3eipclD8= github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw= github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a h1:l3RhVoG0RtC61h6TVWnkniGj4TgBebuyPQRdleFAmTg= github.com/bufbuild/protoplugin v0.0.0-20240911180120-7bb73e41a54a/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ= -github.com/bufbuild/protovalidate-go v0.7.3 h1:kKnoSueygR3xxppvuBpm9SEwIsP359MMRfMBGmRByPg= -github.com/bufbuild/protovalidate-go v0.7.3/go.mod h1:CFv34wMqiBzAHdQ4q/tWYi9ILFYKuaC3/4zh6eqdUck= +github.com/bufbuild/protovalidate-go v0.8.0 h1:Xs3kCLCJ4tQiogJ0iOXm+ClKw/KviW3nLAryCGW2I3Y= +github.com/bufbuild/protovalidate-go v0.8.0/go.mod h1:JPWZInGm2y2NBg3vKDKdDIkvDjyLv31J3hLH5GIFc/Q= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -54,8 +54,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/containerd/cgroups/v3 v3.0.4 h1:2fs7l3P0Qxb1nKWuJNFiwhp2CqiKzho71DQkDrHJIo4= -github.com/containerd/cgroups/v3 v3.0.4/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= +github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo= +github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA= github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= 
@@ -68,15 +68,15 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= -github.com/containerd/stargz-snapshotter/estargz v0.16.1 h1:7YswwU6746cJBN3p3l65JRk3+NZL7bap9Y6E3YeYowk= -github.com/containerd/stargz-snapshotter/estargz v0.16.1/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= +github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= +github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4= github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= -github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -84,12 +84,12 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= -github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI= +github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI= -github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.4.1+incompatible h1:ZJvcY7gfwHn1JF48PfbyXg7Jyt9ZCWDW+GGXOIxEwp4= +github.com/docker/docker v27.4.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -107,8 +107,8 @@ github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY= github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= -github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.2.0 h1:Aj1EtB0qR2Rdo2dG4O94RIU35w2lvQSj6BRA4+qwFL0= +github.com/go-chi/chi/v5 v5.2.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -125,8 +125,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -153,8 +153,8 @@ github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg= github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b h1:SXO0REt4iu865upYCk8aKBBJQ4BqoE0ReP23ClMu60s= -github.com/google/pprof v0.0.0-20241122213907-cbe949e5a41b/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= +github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg= +github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -233,8 +233,8 @@ github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI= github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg= github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE= github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 
@@ -276,22 +276,24 @@ go.lsp.dev/uri v0.3.0 h1:KcZJmh6nFIBeJzTugn5JTU6OOyG0lDOo3R9KwTxTYbo= go.lsp.dev/uri v0.3.0/go.mod h1:P5sbO1IQR+qySTWOCnhnK7phBx+W3zbLqSMDJNTw88I= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0/go.mod h1:wZcGmeVO9nzP67aYSLDqXNWK87EZWhi7JWj1v7ZXf94= -go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= -go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= +go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= +go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= -go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= -go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= 
-go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= -go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= -go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8Ni+hx+8i1k= -go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY= -go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= -go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= +go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= +go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= +go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= +go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= +go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= +go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -307,11 +309,11 @@ go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo= -golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak= +golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo= +golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -328,16 +330,16 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -348,14 +350,14 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -366,8 +368,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= -golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= +golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8= +golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -377,17 +379,17 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ= -google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 h1:LWZqQOEjDyONlF1H6afSWpAL/znlREo2tHfLoe+8LMA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb h1:B7GIB7sr443wZ/EAEl7VZjmh1V6qzkt5V+RYcUYtS1U= +google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:E5//3O5ZIG2l71Xnt+P/CYUY8Bxs8E7WMoZ9tlcMbAY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb h1:3oy2tynMOP1QbTC0MsNNAV+Se8M2Bd0A5+x1QHyw+pI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= 
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -397,8 +399,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= -google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ= +google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 47c82ae69f137f4e9dd7d6c07825ae0cf7fc1552 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:26:29 +0800 Subject: [PATCH 517/523] build(deps): bump sigs.k8s.io/kind from 0.25.0 to 0.26.0 in /tools/src/kind (#4964) build(deps): bump sigs.k8s.io/kind in /tools/src/kind Bumps [sigs.k8s.io/kind](https://github.com/kubernetes-sigs/kind) from 0.25.0 to 0.26.0. - [Release notes](https://github.com/kubernetes-sigs/kind/releases) - [Commits](https://github.com/kubernetes-sigs/kind/compare/v0.25.0...v0.26.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/kind dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/src/kind/go.mod | 2 +- tools/src/kind/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/src/kind/go.mod b/tools/src/kind/go.mod index 398e0d90a29..1deb67377f4 100644 --- a/tools/src/kind/go.mod +++ b/tools/src/kind/go.mod @@ -2,7 +2,7 @@ module github.com/envoyproxy/gateway/tools/src/kind go 1.23.3 -require sigs.k8s.io/kind v0.25.0 +require sigs.k8s.io/kind v0.26.0 require ( github.com/BurntSushi/toml v1.4.0 // indirect diff --git a/tools/src/kind/go.sum b/tools/src/kind/go.sum index 43de9d29a84..847cb71e67b 100644 --- a/tools/src/kind/go.sum +++ b/tools/src/kind/go.sum 
@@ -36,7 +36,7 @@ gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLF gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -sigs.k8s.io/kind v0.25.0 h1:ugUvgesHKKA0yKmD6QtYTiEev+kPUpGxdTPbMGf8VTU= -sigs.k8s.io/kind v0.25.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw= +sigs.k8s.io/kind v0.26.0 h1:8fS6I0Q5WGlmLprSpH0DarlOSdcsv0txnwc93J2BP7M= +sigs.k8s.io/kind v0.26.0/go.mod h1:t7ueEpzPYJvHA8aeLtI52rtFftNgUYUaCwvxjk7phfw= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 0e5361d7410d77e817b5a8807eb5bd46e3dd174c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 15:55:41 +0800 Subject: [PATCH 518/523] build(deps): bump the golang-org group across 2 directories with 3 updates (#4970) Bumps the golang-org group with 3 updates in the / directory: [golang.org/x/net](https://github.com/golang/net), [google.golang.org/grpc](https://github.com/grpc/grpc-go) and google.golang.org/protobuf. Bumps the golang-org group with 3 updates in the /examples/extension-server directory: [golang.org/x/net](https://github.com/golang/net), [google.golang.org/grpc](https://github.com/grpc/grpc-go) and google.golang.org/protobuf. Updates `golang.org/x/net` from 0.32.0 to 0.33.0 - [Commits](https://github.com/golang/net/compare/v0.32.0...v0.33.0) Updates `google.golang.org/grpc` from 1.68.1 to 1.69.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.68.1...v1.69.2) Updates `google.golang.org/protobuf` from 1.35.2 to 1.36.1 Updates `golang.org/x/net` from 0.32.0 to 0.33.0 - [Commits](https://github.com/golang/net/compare/v0.32.0...v0.33.0) Updates `google.golang.org/grpc` from 1.68.1 to 1.69.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.68.1...v1.69.2) Updates `google.golang.org/protobuf` from 1.35.2 to 1.36.1 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: golang.org/x/net dependency-type: indirect update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: 
google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 6 +++--- examples/extension-server/go.sum | 28 ++++++++++++++++++++++------ go.mod | 6 +++--- go.sum | 12 ++++++------ 4 files changed, 34 insertions(+), 18 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 8a388c6c51e..beddd6a2b83 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -6,8 +6,8 @@ require ( github.com/envoyproxy/gateway v1.0.2 github.com/envoyproxy/go-control-plane v0.13.1 github.com/urfave/cli/v2 v2.27.5 - google.golang.org/grpc v1.68.1 - google.golang.org/protobuf v1.35.2 + google.golang.org/grpc v1.69.2 + google.golang.org/protobuf v1.36.1 k8s.io/apimachinery v0.31.3 sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/gateway-api v1.2.1 @@ -31,7 +31,7 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect - golang.org/x/net v0.32.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/sys v0.28.0 // indirect golang.org/x/text v0.21.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index 2fbdb6f13db..f634bf2251e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -19,6 +19,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= @@ -33,6 +35,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 
@@ -73,6 +77,18 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGC github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= +go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= +go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= +go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= +go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= +go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= +go.opentelemetry.io/otel/sdk/metric v1.33.0 h1:Gs5VK9/WUJhNXZgn8MR6ITatvAmKeIuCtNbsP3JkNqU= +go.opentelemetry.io/otel/sdk/metric v1.33.0/go.mod h1:dL5ykHZmm1B1nVRk9dDjChwDmt81MjVp3gLkQRwKf/Q= +go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= +go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -82,8 +98,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= -golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -110,10 +126,10 @@ google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1: google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= -google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= -google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= -google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= +google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= +google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= diff --git a/go.mod b/go.mod index de7652479f0..4c7d32faa38 100644 --- a/go.mod +++ b/go.mod 
@@ -52,11 +52,11 @@ require ( go.opentelemetry.io/proto/otlp v1.4.0 go.uber.org/zap v1.27.0 golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e - golang.org/x/net v0.32.0 + golang.org/x/net v0.33.0 golang.org/x/sys v0.28.0 google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 - google.golang.org/grpc v1.68.1 - google.golang.org/protobuf v1.35.2 + google.golang.org/grpc v1.69.2 + google.golang.org/protobuf v1.36.1 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.4 k8s.io/api v0.31.3 diff --git a/go.sum b/go.sum index c7a23fa61dd..3904eb15826 100644 --- a/go.sum +++ b/go.sum @@ -982,8 +982,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= -golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1100,8 +1100,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= -google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1111,8 +1111,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= -google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk= +google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20160105164936-4f90aeace3a2/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 21c7f3d1fd0419bea1633bb98376d85a47ae9f49 Mon Sep 17 00:00:00 2001 From: zirain Date: Tue, 24 Dec 2024 16:57:09 +0800 Subject: [PATCH 519/523] chore: rollback softprops/action-gh-release (#4967) Signed-off-by: zirain --- .github/workflows/latest_release.yaml | 2 +- .github/workflows/osv-scanner.yml | 2 +- .github/workflows/release.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 27b7cf70670..39d1fe09793 100644 --- a/.github/workflows/latest_release.yaml +++ b/.github/workflows/latest_release.yaml 
@@ -107,7 +107,7 @@ jobs: GITHUB_REPOSITORY: ${{ github.repository_owner }}/${{ github.event.repository.name }} - name: Recreate the Latest Release and Tag - uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v0.1.15 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: draft: false prerelease: true diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index 90dfcbfa9e6..bea1c1a15fd 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -39,7 +39,7 @@ jobs: steps: - uses: actions/setup-go@v5 with: - go-version: '1.23.4' # The Go version to download (if necessary) and use. + go-version: '1.23.4' - uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@19ec1116569a47416e11a45848722b1af31a857b" # v1.9.0 with: scan-args: |- diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5481116ae48..f513ab898f7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -96,7 +96,7 @@ jobs: tar -zcvf egctl_${{ env.release_tag }}_darwin_arm64.tar.gz bin/darwin/arm64/egctl - name: Upload Release Manifests - uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v0.1.15 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 with: files: | release-artifacts/install.yaml From 5e01bb9eb7fe490f4fa0d74fe674e4caaf3660cf Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Tue, 24 Dec 2024 16:57:24 +0800 Subject: [PATCH 520/523] fix the incorrect binary names in the latest release (#4962) fix latest release Signed-off-by: Huabing Zhao --- .github/workflows/latest_release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/latest_release.yaml b/.github/workflows/latest_release.yaml index 39d1fe09793..e3ab700bd23 100644 --- a/.github/workflows/latest_release.yaml 
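Review bot: The new pin on `softprops/action-gh-release` in the "Recreate the Latest Release and Tag" step records no reason for choosing this revision, so the next automated dependency bump can quietly undo the rollback. The same applies to the "Upload Release Manifests" step in `.github/workflows/release.yaml`. Both steps appear to publish release assets, so I would keep the reason next to the pin, e.g. `# v2.1.0, held back deliberately; see <ISSUE-LINK-PLACEHOLDER> before bumping`. Please also confirm that the trailing version comment matches the commit SHA, because the removed line's `# v0.1.15` comment looks inconsistent with a change described as a rollback to `v2.1.0`.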
+++ b/.github/workflows/latest_release.yaml @@ -74,9 +74,9 @@ jobs: run: | make build-multiarch tar -zcvf envoy-gateway_latest_linux_amd64.tar.gz bin/linux/amd64/envoy-gateway - tar -zcvf envoy-gateway_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway - tar -zcvf envoy-gateway_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway - tar -zcvf envoy-gateway_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway + tar -zcvf envoy-gateway_latest_linux_arm64.tar.gz bin/linux/arm64/envoy-gateway + tar -zcvf envoy-gateway_latest_darwin_amd64.tar.gz bin/darwin/amd64/envoy-gateway + tar -zcvf envoy-gateway_latest_darwin_arm64.tar.gz bin/darwin/arm64/envoy-gateway tar -zcvf egctl_latest_linux_amd64.tar.gz bin/linux/amd64/egctl tar -zcvf egctl_latest_linux_arm64.tar.gz bin/linux/arm64/egctl tar -zcvf egctl_latest_darwin_amd64.tar.gz bin/darwin/amd64/egctl From 6a4ea2162ea72dc814b47546194a1b98d548fb7a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 18:07:27 +0800 Subject: [PATCH 521/523] build(deps): bump github.com/envoyproxy/go-control-plane from 0.13.1 to 0.13.2 in /examples/extension-server (#4973) build(deps): bump github.com/envoyproxy/go-control-plane Bumps [github.com/envoyproxy/go-control-plane](https://github.com/envoyproxy/go-control-plane) from 0.13.1 to 0.13.2. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](https://github.com/envoyproxy/go-control-plane/compare/v0.13.1...v0.13.2) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane dependency-type: direct:production update-type: version-update:semver-patch ... 
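Review bot: The archive names in this `run:` block are still written out by hand, one `tar` line per binary and target, which is presumably how three of them lost the `_latest_` infix; deriving the names from a single loop would stop them drifting again. Anything that fetches a release asset by exact file name (install scripts, checksum lists) fails when one name diverges from the pattern. The sketch below reproduces the seven archive names visible in the hunk. The `run:` block continues past the end of the hunk, so check the target list against the full step before adopting it.

```yaml
run: |
  make build-multiarch
  # one loop instead of one tar line per binary/target
  for bin in envoy-gateway egctl; do
    for target in linux/amd64 linux/arm64 darwin/amd64 darwin/arm64; do
      os="${target%/*}"
      arch="${target#*/}"
      tar -zcvf "${bin}_latest_${os}_${arch}.tar.gz" "bin/${os}/${arch}/${bin}"
    done
  done
```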
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- examples/extension-server/go.mod | 4 ++-- examples/extension-server/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index beddd6a2b83..00c194a247b 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -4,7 +4,8 @@ go 1.23.3 require ( github.com/envoyproxy/gateway v1.0.2 - github.com/envoyproxy/go-control-plane v0.13.1 + github.com/envoyproxy/go-control-plane v0.13.2 + github.com/envoyproxy/go-control-plane/envoy v1.32.2 github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.69.2 google.golang.org/protobuf v1.36.1 @@ -15,7 +16,6 @@ require ( require ( cel.dev/expr v0.18.0 // indirect - github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index f634bf2251e..8921d3b770e 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum @@ -1,7 +1,5 @@ cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo= cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= -github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= -github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= 
@@ -11,8 +9,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE= -github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw= +github.com/envoyproxy/go-control-plane v0.13.2 h1:HoRou/hxH5VAnylep8UAh0jFAllMY0UlP0TwPmIEgYI= +github.com/envoyproxy/go-control-plane v0.13.2/go.mod h1:mcYj6+AKxG86c/jKeZsCIWv8oLzhR+SJynG0TB94Xw8= +github.com/envoyproxy/go-control-plane/envoy v1.32.2 h1:zidqwmijfcbyKqVxjQDFx042PgX+p9U+/fu/f9VtSk8= +github.com/envoyproxy/go-control-plane/envoy v1.32.2/go.mod h1:eR2SOX2IedqlPvmiKjUH7Wu//S602JKI7HPC/L3SRq8= github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= From 3cbdb5e1043f0f97148e050351503ef6c69296a7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Dec 2024 20:14:09 +0800 Subject: [PATCH 522/523] build(deps): bump github.com/docker/cli from 27.4.0+incompatible to 27.4.1+incompatible (#4972) build(deps): bump github.com/docker/cli Bumps [github.com/docker/cli](https://github.com/docker/cli) from 27.4.0+incompatible to 27.4.1+incompatible. - [Commits](https://github.com/docker/cli/compare/v27.4.0...v27.4.1) --- updated-dependencies: - dependency-name: github.com/docker/cli dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4c7d32faa38..6a3e23590e2 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/cenkalti/backoff/v4 v4.3.0 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc - github.com/docker/cli v27.4.0+incompatible + github.com/docker/cli v27.4.1+incompatible github.com/docker/docker v27.4.1+incompatible github.com/dominikbraun/graph v0.23.0 github.com/envoyproxy/go-control-plane v0.13.1 diff --git a/go.sum b/go.sum index 3904eb15826..527a206345a 100644 --- a/go.sum +++ b/go.sum @@ -189,8 +189,8 @@ github.com/distribution/distribution/v3 v3.0.0-beta.1 h1:X+ELTxPuZ1Xe5MsD3kp2wfG github.com/distribution/distribution/v3 v3.0.0-beta.1/go.mod h1:O9O8uamhHzWWQVTjuQpyYUVm/ShPHPUDgvQMpHGVBDs= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.4.0+incompatible h1:/nJzWkcI1MDMN+U+px/YXnQWJqnu4J+QKGTfD6ptiTc= -github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI= +github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= From 24a50b49fae835d440b1c013140f07dc4180be5f Mon Sep 17 00:00:00 2001 
From: zirain Date: Wed, 25 Dec 2024 08:51:18 +0800 Subject: [PATCH 523/523] chore: bump k8s.io (#4974) * build(deps): bump the k8s-io group across 2 directories with 7 updates Bumps the k8s-io group with 4 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver), [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) and [k8s.io/kubectl](https://github.com/kubernetes/kubectl). Bumps the k8s-io group with 1 update in the /examples/extension-server directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery). Updates `k8s.io/api` from 0.31.3 to 0.32.0 - [Commits](https://github.com/kubernetes/api/compare/v0.31.3...v0.32.0) Updates `k8s.io/apiextensions-apiserver` from 0.31.3 to 0.32.0 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.31.3...v0.32.0) Updates `k8s.io/apimachinery` from 0.31.3 to 0.32.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.3...v0.32.0) Updates `k8s.io/cli-runtime` from 0.31.3 to 0.32.0 - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.31.3...v0.32.0) Updates `k8s.io/client-go` from 0.31.3 to 0.32.0 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.3...v0.32.0) Updates `k8s.io/kubectl` from 0.31.3 to 0.32.0 - [Commits](https://github.com/kubernetes/kubectl/compare/v0.31.3...v0.32.0) Updates `k8s.io/utils` from 0.0.0-20240821151609-f90d01438635 to 0.0.0-20241104100929-3ea5e8cea738 - [Commits](https://github.com/kubernetes/utils/commits) Updates `k8s.io/apimachinery` from 0.31.3 to 0.32.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.3...v0.32.0) Updates `k8s.io/utils` from 0.0.0-20240821151609-f90d01438635 to 0.0.0-20241104100929-3ea5e8cea738 - 
[Commits](https://github.com/kubernetes/utils/commits) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/kubectl dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/utils dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/utils dependency-type: indirect update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] * fix gen Signed-off-by: zirain --------- Signed-off-by: dependabot[bot] Signed-off-by: zirain Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../gateway.envoyproxy.io_envoyproxies.yaml | 275 +++++++++++------- examples/extension-server/go.mod | 11 +- examples/extension-server/go.sum | 43 ++- go.mod | 56 ++-- go.sum | 160 +++++----- 5 files changed, 306 insertions(+), 239 deletions(-) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml index 1a262dd466b..5ee955e8f65 100644 
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml 
@@ -2004,6 +2004,32 @@ spec: Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer + seLinuxChangePolicy: + description: |- + seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. + It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. + Valid values are "MountOption" and "Recursive". + + "Recursive" means relabeling of all files on all Pod volumes by the container runtime. + This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + + "MountOption" mounts all eligible Pod volumes with `-o context` mount option. + This requires all Pods that share the same volume to use the same SELinux label. + It is not possible to share the same volume among privileged and unprivileged Pods. + Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes + whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their + CSIDriver instance. Other volumes are always re-labelled recursively. + "MountOption" value is allowed only when SELinuxMount feature gate is enabled. + + If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. + If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes + and "Recursive" for all other volumes. + + This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. + + All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. + Note that this field cannot be set when spec.os.name is windows. + type: string seLinuxOptions: description: |- The SELinux context to be applied to all containers. 
@@ -2364,6 +2390,8 @@ spec: description: |- awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: @@ -2395,9 +2423,10 @@ spec: - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data - Disk mount on the host and bind mount to the - pod. + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. properties: cachingMode: description: 'cachingMode is the Host Caching @@ -2436,9 +2465,10 @@ spec: - diskURI type: object azureFile: - description: azureFile represents an Azure File - Service mount on the host and bind mount to - the pod. + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. properties: readOnly: description: |- @@ -2459,8 +2489,9 @@ spec: - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount - on the host that shares a pod's lifetime + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. properties: monitors: description: |- 
@@ -2513,6 +2544,8 @@ spec: cinder: description: |- cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: @@ -2624,7 +2657,7 @@ spec: csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled - by certain external CSI drivers (Beta feature). + by certain external CSI drivers. properties: driver: description: |- @@ -3106,6 +3139,7 @@ spec: description: |- flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. properties: driver: description: driver is the name of the driver @@ -3151,10 +3185,9 @@ spec: - driver type: object flocker: - description: flocker represents a Flocker volume - attached to a kubelet's host machine. This - depends on the Flocker control service being - running + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. properties: datasetName: description: |- @@ -3171,6 +3204,8 @@ spec: description: |- gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: 
@@ -3206,7 +3241,7 @@ spec: gitRepo: description: |- gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container. properties: @@ -3230,6 +3265,7 @@ spec: glusterfs: description: |- glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: @@ -3441,9 +3477,9 @@ spec: - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents - a PhotonController persistent disk attached - and mounted on kubelets host machine + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. properties: fsType: description: |- @@ -3459,9 +3495,11 @@ spec: - pdID type: object portworxVolume: - description: portworxVolume represents a portworx - volume attached and mounted on kubelets host - machine + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. properties: fsType: description: |- 
@@ -3851,8 +3889,9 @@ spec: x-kubernetes-list-type: atomic type: object quobyte: - description: quobyte represents a Quobyte mount - on the host that shares a pod's lifetime + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. properties: group: description: |- @@ -3891,6 +3930,7 @@ spec: rbd: description: |- rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: @@ -3963,9 +4003,9 @@ spec: - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes - nodes. + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. properties: fsType: default: xfs @@ -4101,9 +4141,9 @@ spec: type: string type: object storageos: - description: storageOS represents a StorageOS - volume attached and mounted on Kubernetes - nodes. + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. properties: fsType: description: |- @@ -4148,9 +4188,10 @@ spec: type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere - volume attached and mounted on kubelets host - machine + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. properties: fsType: description: |- 
@@ -4951,8 +4992,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks properties: exec: - description: Exec specifies the action to - take. + description: Exec specifies a command to + execute in the container. properties: command: description: |- @@ -4967,7 +5008,7 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http + description: HTTPGet specifies an HTTP GET request to perform. properties: host: @@ -5021,9 +5062,8 @@ spec: - port type: object sleep: - description: Sleep represents the duration - that the container should sleep before - being terminated. + description: Sleep represents a duration + that the container should sleep. properties: seconds: description: Seconds is the number of @@ -5036,8 +5076,8 @@ spec: tcpSocket: description: |- Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. properties: host: description: 'Optional: Host name to @@ -5069,8 +5109,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks properties: exec: - description: Exec specifies the action to - take. + description: Exec specifies a command to + execute in the container. properties: command: description: |- @@ -5085,7 +5125,7 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http + description: HTTPGet specifies an HTTP GET request to perform. properties: host: 
@@ -5139,9 +5179,8 @@ spec: - port type: object sleep: - description: Sleep represents the duration - that the container should sleep before - being terminated. + description: Sleep represents a duration + that the container should sleep. properties: seconds: description: Seconds is the number of @@ -5154,8 +5193,8 @@ spec: tcpSocket: description: |- Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. properties: host: description: 'Optional: Host name to @@ -5183,7 +5222,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes properties: exec: - description: Exec specifies the action to take. + description: Exec specifies a command to execute + in the container. properties: command: description: |- @@ -5204,8 +5244,7 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. + description: GRPC specifies a GRPC HealthCheckRequest. properties: port: description: Port number of the gRPC service. @@ -5224,7 +5263,7 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request + description: HTTPGet specifies an HTTP GET request to perform. properties: host: @@ -5293,8 +5332,8 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. + description: TCPSocket specifies a connection + to a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -5399,7 +5438,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes properties: exec: - description: Exec specifies the action to take. + description: Exec specifies a command to execute + in the container. properties: command: description: |- @@ -5420,8 +5460,7 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. + description: GRPC specifies a GRPC HealthCheckRequest. properties: port: description: Port number of the gRPC service. @@ -5440,7 +5479,7 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request + description: HTTPGet specifies an HTTP GET request to perform. properties: host: @@ -5509,8 +5548,8 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. + description: TCPSocket specifies a connection + to a TCP port. properties: host: description: 'Optional: Host name to connect @@ -5859,7 +5898,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes properties: exec: - description: Exec specifies the action to take. + description: Exec specifies a command to execute + in the container. properties: command: description: |- @@ -5880,8 +5920,7 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. + description: GRPC specifies a GRPC HealthCheckRequest. properties: port: description: Port number of the gRPC service. @@ -5900,7 +5939,7 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request + description: HTTPGet specifies an HTTP GET request to perform. properties: host: @@ -5969,8 +6008,8 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. + description: TCPSocket specifies a connection + to a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -7254,6 +7293,32 @@ spec: Note that this field cannot be set when spec.os.name is windows. format: int64 type: integer + seLinuxChangePolicy: + description: |- + seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. + It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. + Valid values are "MountOption" and "Recursive". + + "Recursive" means relabeling of all files on all Pod volumes by the container runtime. + This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + + "MountOption" mounts all eligible Pod volumes with `-o context` mount option. + This requires all Pods that share the same volume to use the same SELinux label. + It is not possible to share the same volume among privileged and unprivileged Pods. + Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes + whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their + CSIDriver instance. Other volumes are always re-labelled recursively. + "MountOption" value is allowed only when SELinuxMount feature gate is enabled. + + If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. + If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes + and "Recursive" for all other volumes. + + This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. + + All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. + Note that this field cannot be set when spec.os.name is windows. + type: string seLinuxOptions: description: |- The SELinux context to be applied to all containers. 
@@ -7614,6 +7679,8 @@ spec: description: |- awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore properties: fsType: @@ -7645,9 +7712,10 @@ spec: - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data - Disk mount on the host and bind mount to the - pod. + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. properties: cachingMode: description: 'cachingMode is the Host Caching @@ -7686,9 +7754,10 @@ spec: - diskURI type: object azureFile: - description: azureFile represents an Azure File - Service mount on the host and bind mount to - the pod. + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. properties: readOnly: description: |- @@ -7709,8 +7778,9 @@ spec: - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount - on the host that shares a pod's lifetime + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. properties: monitors: description: |- 
@@ -7763,6 +7833,8 @@ spec: cinder: description: |- cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md properties: fsType: @@ -7874,7 +7946,7 @@ spec: csi: description: csi (Container Storage Interface) represents ephemeral storage that is handled - by certain external CSI drivers (Beta feature). + by certain external CSI drivers. properties: driver: description: |- @@ -8356,6 +8428,7 @@ spec: description: |- flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. properties: driver: description: driver is the name of the driver @@ -8401,10 +8474,9 @@ spec: - driver type: object flocker: - description: flocker represents a Flocker volume - attached to a kubelet's host machine. This - depends on the Flocker control service being - running + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. properties: datasetName: description: |- @@ -8421,6 +8493,8 @@ spec: description: |- gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk properties: fsType: 
@@ -8456,7 +8530,7 @@ spec: gitRepo: description: |- gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container. properties: @@ -8480,6 +8554,7 @@ spec: glusterfs: description: |- glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md properties: endpoints: @@ -8691,9 +8766,9 @@ spec: - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents - a PhotonController persistent disk attached - and mounted on kubelets host machine + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. properties: fsType: description: |- @@ -8709,9 +8784,11 @@ spec: - pdID type: object portworxVolume: - description: portworxVolume represents a portworx - volume attached and mounted on kubelets host - machine + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. properties: fsType: description: |- 
@@ -9101,8 +9178,9 @@ spec: x-kubernetes-list-type: atomic type: object quobyte: - description: quobyte represents a Quobyte mount - on the host that shares a pod's lifetime + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. properties: group: description: |- @@ -9141,6 +9219,7 @@ spec: rbd: description: |- rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md properties: fsType: @@ -9213,9 +9292,9 @@ spec: - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes - nodes. + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. properties: fsType: default: xfs @@ -9351,9 +9430,9 @@ spec: type: string type: object storageos: - description: storageOS represents a StorageOS - volume attached and mounted on Kubernetes - nodes. + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. properties: fsType: description: |- @@ -9398,9 +9477,10 @@ spec: type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere - volume attached and mounted on kubelets host - machine + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. properties: fsType: description: |- 
@@ -9635,7 +9715,6 @@ spec: each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. - This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. properties: container: description: container is the name of the container @@ -10093,8 +10172,6 @@ spec: description: |- type is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. - Note: "ContainerResource" type is available on when the feature-gate - HPAContainerMetrics is enabled type: string required: - type diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index 00c194a247b..865b0df55c4 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -9,7 +9,7 @@ require ( github.com/urfave/cli/v2 v2.27.5 google.golang.org/grpc v1.69.2 google.golang.org/protobuf v1.36.1 - k8s.io/apimachinery v0.31.3 + k8s.io/apimachinery v0.32.0 sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/gateway-api v1.2.1 ) @@ -28,6 +28,7 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect + github.com/rogpeppe/go-internal v1.13.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect 
@@ -37,11 +38,11 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
- gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/utils v0.0.0-20240821151609-f90d01438635 // indirect
- sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
+ sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 replace github.com/envoyproxy/gateway => ../../
diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum
index 8921d3b770e..c5f404e8b99 100644
--- a/examples/extension-server/go.sum
+++ b/examples/extension-server/go.sum
@@ -33,8 +33,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= -github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= 
@@ -50,17 +50,17 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= -github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= +github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= +github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod 
h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -116,8 +116,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -135,26 +135,23 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= -k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= -k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= -k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE= +k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= -k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= +k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= 
sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk= +sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/go.mod b/go.mod index 6a3e23590e2..65bc4067247 100644 --- a/go.mod +++ b/go.mod 
@@ -59,17 +59,17 @@ require (
 google.golang.org/protobuf v1.36.1
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.16.4
- k8s.io/api v0.31.3
- k8s.io/apiextensions-apiserver v0.31.3
- k8s.io/apimachinery v0.31.3
- k8s.io/cli-runtime v0.31.3
- k8s.io/client-go v0.31.3
+ k8s.io/api v0.32.0
+ k8s.io/apiextensions-apiserver v0.32.0
+ k8s.io/apimachinery v0.32.0
+ k8s.io/cli-runtime v0.32.0
+ k8s.io/client-go v0.32.0
 k8s.io/klog/v2 v2.130.1
- k8s.io/kubectl v0.31.3
- k8s.io/utils v0.0.0-20240821151609-f90d01438635
+ k8s.io/kubectl v0.32.0
+ k8s.io/utils v0.0.0-20241210054802-24370beab758
 sigs.k8s.io/controller-runtime v0.19.3
 sigs.k8s.io/gateway-api v1.2.1
- sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263
+ sigs.k8s.io/kubectl-validate v0.0.5-0.20241223122011-eb064d2f92d5
 sigs.k8s.io/mcs-api v0.1.0
 sigs.k8s.io/yaml v1.4.0
 )
@@ -86,7 +86,7 @@ require (
 fortio.org/struct2env v0.4.1 // indirect
 fortio.org/version v1.0.4 // indirect
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
- github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/BurntSushi/toml v1.4.0 // indirect
 github.com/MakeNowJust/heredoc v1.0.0 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
@@ -128,7 +128,7 @@ require (
 github.com/docker/go-units v0.5.0 // indirect
 github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
- github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
+ github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
@@ -148,7 +148,7 @@ require (
 github.com/golang-sql/sqlexp v0.1.0 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/google/btree v1.0.1 // indirect
- github.com/google/gnostic-models v0.6.8 // indirect
+ github.com/google/gnostic-models v0.6.9 // indirect
 github.com/google/go-intervals v0.0.2 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -157,13 +157,12 @@ require (
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/gorilla/websocket v1.5.1 // indirect
 github.com/gosuri/uitable v0.0.4 // indirect
- github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
- github.com/imdario/mergo v0.3.16 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jackc/pgpassfile v1.0.0 // indirect
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
@@ -198,7 +197,7 @@ require (
 github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/locker v1.0.1 // indirect
 github.com/moby/patternmatcher v0.6.0 // indirect
- github.com/moby/spdystream v0.4.0 // indirect
+ github.com/moby/spdystream v0.5.0 // indirect
 github.com/moby/sys/mountinfo v0.7.2 // indirect
 github.com/moby/sys/sequential v0.5.0 // indirect
 github.com/moby/sys/user v0.3.0 // indirect
@@ -252,9 +251,9 @@ require (
 github.com/xlab/treeprint v1.2.0 // indirect
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 github.com/yusufpapurcu/wmi v1.2.4 // indirect
- go.etcd.io/etcd/api/v3 v3.5.14 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect
- go.etcd.io/etcd/client/v3 v3.5.14 // indirect
+ go.etcd.io/etcd/api/v3 v3.5.16 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
+ go.etcd.io/etcd/client/v3 v3.5.16 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
@@ -262,7 +261,6 @@ require (
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
 go.opentelemetry.io/otel/trace v1.33.0 // indirect
- go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/crypto v0.31.0 // indirect
 golang.org/x/crypto/x509roots/fallback v0.0.0-20240904212608-c9da6b9a4008 // indirect
@@ -271,23 +269,23 @@ require (
 golang.org/x/sync v0.10.0 // indirect
 golang.org/x/term v0.27.0 // indirect
 golang.org/x/text v0.21.0 // indirect
- golang.org/x/time v0.5.0 // indirect
- golang.org/x/tools v0.24.0 // indirect
+ golang.org/x/time v0.7.0 // indirect
+ golang.org/x/tools v0.26.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
- k8s.io/apiserver v0.31.3 // indirect
- k8s.io/component-base v0.31.3 // indirect
- k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
- k8s.io/metrics v0.31.3 // indirect
+ k8s.io/apiserver v0.32.0 // indirect
+ k8s.io/component-base v0.32.0 // indirect
+ k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
+ k8s.io/metrics v0.32.0 // indirect
 oras.land/oras-go v1.2.6 // indirect
 periph.io/x/host/v3 v3.8.2 // indirect
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
- sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/kustomize/api v0.17.2 // indirect
- sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
- sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1 // indirect
+ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+ sigs.k8s.io/kustomize/api v0.18.0 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 527a206345a..058e8e6d983 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= -github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= 
@@ -119,9 +119,6 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok= github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -240,8 +237,8 @@ github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= -github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= -github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= 
@@ -389,14 +386,13 @@ github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40= github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8= -github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= -github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= +github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 
@@ -411,8 +407,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= -github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= +github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
@@ -436,8 +432,9 @@ github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= @@ -468,7 +465,6 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 
@@ -485,8 +481,8 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= -github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4= +github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= @@ -596,8 +592,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= -github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= -github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= +github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc= 
@@ -640,15 +636,15 @@ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= -github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM= +github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -795,6 +791,7 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -849,8 +846,9 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 h1:S2dVYn90KE98chqDkyE9Z4N61UnQd+KOfgp5Iu53llk= +github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= 
@@ -862,24 +860,24 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0= -go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ= +go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= +go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.etcd.io/etcd/api/v3 v3.5.14 h1:vHObSCxyB9zlF60w7qzAdTcGaglbJOpSj1Xj9+WGxq0= -go.etcd.io/etcd/api/v3 v3.5.14/go.mod h1:BmtWcRlQvwa1h3G2jvKYwIQy4PkHlDej5t7uLMUdJUU= -go.etcd.io/etcd/client/pkg/v3 v3.5.14 h1:SaNH6Y+rVEdxfpA2Jr5wkEvN6Zykme5+YnbCkxvuWxQ= -go.etcd.io/etcd/client/pkg/v3 v3.5.14/go.mod h1:8uMgAokyG1czCtIdsq+AGyYQMvpIKnSvPjFMunkgeZI= -go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8= -go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg= -go.etcd.io/etcd/client/v3 v3.5.14 h1:CWfRs4FDaDoSz81giL7zPpZH2Z35tbOrAJkkjMqOupg= -go.etcd.io/etcd/client/v3 v3.5.14/go.mod h1:k3XfdV/VIHy/97rqWjoUzrj9tk7GgJGH9J8L4dNXmAk= -go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M= -go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0= -go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA= -go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw= -go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok= 
-go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ= +go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0= +go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28= +go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q= +go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E= +go.etcd.io/etcd/client/v2 v2.305.16 h1:kQrn9o5czVNaukf2A2At43cE9ZtWauOtf9vRZuiKXow= +go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE= +go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE= +go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50= +go.etcd.io/etcd/pkg/v3 v3.5.16 h1:cnavs5WSPWeK4TYwPYfmcr3Joz9BH+TZ6qoUtz6/+mc= +go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY= +go.etcd.io/etcd/raft/v3 v3.5.16 h1:zBXA3ZUpYs1AwiLGPafYAKKl/CORn/uaxYDwlNwndAk= +go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI= +go.etcd.io/etcd/server/v3 v3.5.16 h1:d0/SAdJ3vVsZvF8IFVb1k8zqMZ+heGcNfft71ul9GWE= +go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s= go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= 
@@ -922,8 +920,6 @@ go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qq go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= -go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= -go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -1027,7 +1023,6 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -1037,7 +1032,6 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1050,8 +1044,8 @@ golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ= +golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1068,8 +1062,8 @@ golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= +golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1159,32 +1153,32 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= -k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= +k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE= +k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0= k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= -k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= +k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0= +k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw= k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= -k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg= +k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= -k8s.io/apiserver v0.31.3/go.mod 
h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= -k8s.io/cli-runtime v0.31.3 h1:fEQD9Xokir78y7pVK/fCJN090/iYNrLHpFbGU4ul9TI= -k8s.io/cli-runtime v0.31.3/go.mod h1:Q2jkyTpl+f6AtodQvgDI8io3jrfr+Z0LyQBPJJ2Btq8= +k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs= +k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag= +k8s.io/cli-runtime v0.32.0 h1:dP+OZqs7zHPpGQMCGAhectbHU2SNCuZtIimRKTv2T1c= +k8s.io/cli-runtime v0.32.0/go.mod h1:Mai8ht2+esoDRK5hr861KRy6z0zHsSTYttNVJXgP3YQ= k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= -k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= +k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8= +k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8= k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.31.3 h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= -k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= +k8s.io/component-base v0.32.0 h1:d6cWHZkCiiep41ObYQS6IcgzOUQUNpywm39KVYaUqzU= +k8s.io/component-base v0.32.0/go.mod h1:JLG2W5TUxUu5uDyKiH2R/7NnxJo1HlPoRIIbVLkK5eM= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= 
@@ -1193,48 +1187,48 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.31.3 h1:XCFmiJn5CCKs8xoOLpCmu42Ubm/KW85wNHybGFcSAYc= -k8s.io/kms v0.31.3/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94= +k8s.io/kms v0.32.0 h1:jwOfunHIrcdYl5FRcA+uUKKtg6qiqoPCwmS2T3XTYL4= +k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= -k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.31.3 h1:3r111pCjPsvnR98oLLxDMwAeM6OPGmPty6gSKaLTQes= -k8s.io/kubectl v0.31.3/go.mod h1:lhMECDCbJN8He12qcKqs2QfmVo9Pue30geovBVpH5fs= -k8s.io/metrics v0.31.3 h1:DkT9I3gFlb2/z+/4BMY7WrQ/PnbukuV4Yli82v/KBCM= -k8s.io/metrics v0.31.3/go.mod h1:2w9gpd8z+13oJmaPR6p3kDyrDqnxSyoKpnOw2qLIdhI= +k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 h1:hcha5B1kVACrLujCKLbr8XWMxCxzQx42DY8QKYJrDLg= +k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7/go.mod h1:GewRfANuJ70iYzvn+i4lezLDAFzvjxZYK1gn1lWcfas= +k8s.io/kubectl v0.32.0 h1:rpxl+ng9qeG79YA4Em9tLSfX0G8W0vfaiPVrc/WR7Xw= +k8s.io/kubectl v0.32.0/go.mod h1:qIjSX+QgPQUgdy8ps6eKsYNF+YmFOAO3WygfucIqFiE= +k8s.io/metrics v0.32.0 h1:70qJ3ZS/9DrtH0UA0NVBI6gW2ip2GAn9e7NtoKERpns= +k8s.io/metrics v0.32.0/go.mod h1:skdg9pDjVjCPIQqmc5rBzDL4noY64ORhKu9KCPv1+QI= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils 
v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20240821151609-f90d01438635 h1:2wThSvJoW/Ncn9TmQEYXRnevZXi2duqHWf5OX9S3zjI= -k8s.io/utils v0.0.0-20240821151609-f90d01438635/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= +k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.6 h1:z8cmxQXBU8yZ4mkytWqXfo6tZcamPwjsuxYU81xJ8Lk= oras.land/oras-go v1.2.6/go.mod h1:OVPc1PegSEe/K8YiLfosrlqlqTN9PUyFvOw5Y9gwrT8= periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ= periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1 h1:uOuSLOMBWkJH0TWa9X6l+mj5nZdm6Ay6Bli8HL8rNfk= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.2.1 h1:fZZ/+RyRb+Y5tGkwxFKuYuSRQHu9dZtbjenblleOLHM= sigs.k8s.io/gateway-api v1.2.1/go.mod h1:EpNfEXNjiYfUJypf0eZ0P5iXA9ekSGWaS1WgPaM42X0= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd 
h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= -sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 h1:ju7xWt2VnWuZPh0ffWJtsC40ki1BW/pLy6DZRyoEB30= -sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263/go.mod h1:ex3aZREdgXoEH7+v6azT7Xm0J9rpWIDr1micQCzdomY= -sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= -sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= -sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= -sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/kubectl-validate v0.0.5-0.20241223122011-eb064d2f92d5 h1:hNBVJn2bLSAw6vfO2HATzBZlSPMuz5zm+uE+0N1hQx4= +sigs.k8s.io/kubectl-validate v0.0.5-0.20241223122011-eb064d2f92d5/go.mod h1:ch1ZkZlHzATEduEoItW1Dro09kDMuUsbqFDCyfO0P6I= +sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo= +sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U= +sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E= +sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo= sigs.k8s.io/mcs-api v0.1.0 h1:edDbg0oRGfXw8TmZjKYep06LcJLv/qcYLidejnUp0PM= sigs.k8s.io/mcs-api v0.1.0/go.mod h1:gGiAryeFNB4GBsq2LBmVqSgKoobLxt+p7ii/WG5QYYw= sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod 
h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= -sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk= +sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=